Chapter 8. Supply Chain Risks

Google shocked the world in early 2010 when the seemingly invincible company announced that it had been hacked. “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” wrote Chief Legal Officer David Drummond. “However, it soon became clear that what at first appeared to be solely a security incident—albeit a significant one—was something quite different.”

According to Drummond, Google wasn’t alone. “[A]t least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors—have been similarly targeted,” he wrote. Sources close to the investigation later described how Google traced their stolen data to exfiltration servers in Taiwan, where data belonging to the other companies was also discovered.

Over the next few weeks, major tech giants including Adobe, Yahoo, Rackspace, Symantec, and Intel, as well as the defense contractor Northrop Grumman and the chemical company Dow Chemical, were publicly implicated as victims.1 There was evidence that at least 34 companies were targeted.2 The series of attacks was dubbed “Operation Aurora” after the word “Aurora” found in a file path embedded in the malware.

1. Ariana Eunjung Cha and Ellen Nakashima, “Google China Cyberattack Part of Vast Espionage Campaign, Experts Say,” Washington Post, January 14, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html.

2. Kim Zetter, “Google Hackers Targeted Source Code of More Than 30 Companies,” Wired, January 13, 2010, https://www.wired.com/2010/01/google-hack-attack/.

The Aurora breaches exposed the deep risks inherent in a highly interconnected world. The tech giants that reportedly fell victim supplied countless organizations with software and IT services. They were ubiquitous suppliers for all sectors: military, government, financial, health, manufacturing, and more. By compromising these tech companies, attackers could, in theory, threaten the security of an entire society.

Once the Aurora attackers wormed their way inside a tech giant, they sought access to repositories of intellectual property. Source code was reportedly chief among the stolen loot. This had serious implications not just for the hacked tech companies but for their customers. Attackers could use stolen source code to identify even more vulnerabilities or create copycat (perhaps infected) versions of products. Even more frightening, a malicious actor with access to a tech giant’s source code repository could potentially inject malicious code, which, if undetected, could be deployed to customers worldwide. The thought was chilling.3

3. Zetter, “Google Hackers.”

As if to illustrate the point, the Aurora attackers had leveraged software supply chain weaknesses to break into the tech giants. They reportedly hacked into their targets using zero-day exploits for Adobe Reader and Internet Explorer—two software programs that were deployed on countless systems around the world. (Scandalously, it emerged that Microsoft had known of the vulnerability in Internet Explorer months earlier but chose not to issue a patch immediately, exposing customers to seemingly unnecessary risk.)4

4. Kim Zetter, “Microsoft Learned of IE Zero-Day Flaw Last September,” Wired, January 22, 2010, https://www.wired.com/2010/01/microsoft-zero-day-flaw.

The zero-day exploits were technically advanced and likely took deep pockets to develop. At the same time, they were delivered using common social engineering tactics: The attackers sent spear phishing messages to victims through email or chat. When a victim clicked a link or opened an infected attachment, it automatically installed a backdoor on his or her computer, giving attackers remote access.5

5. Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, January 14, 2010, https://www.wired.com/2010/01/operation-aurora.

Google strongly implied that China was behind the attacks. In support, U.S. Secretary of State Hillary Rodham Clinton issued a pointed statement: “We look to the Chinese government for an explanation.” By that time, China already had a well-known history of engaging in successful, highly funded, long-running cyberattacks, largely focused on government agencies and defense contractors.

As an early cloud storage provider, Google held data on behalf of its customers, including email, documents, personally identifiable information (PII), and far more. The Aurora attackers gained access to Google’s intellectual property, as well as a small amount of customer data—a fact that could have resulted in major reputational damage had Google not taken an utterly brilliant approach to public relations.

Until Aurora, companies outside of the defense sector largely considered themselves immune from nation-state attacks. The fact that the technology sector had been targeted sent shock waves throughout the global IT community. Suddenly, everyone felt more vulnerable. “All I can say is wow. The world has changed,” wrote George Kurtz, chief executive officer of McAfee. “These attacks have demonstrated that companies of all sectors are very lucrative targets.”7

7. George Kurtz, “Operation ‘Aurora’ Hit Google, Others,” Security Insights Blog, McAfee, January 14, 2010, https://web.archive.org/web/20100118082207/http://siblog.mcafee.com/cto/operation-“aurora”-hit-google-others/.

Operation Aurora was just the beginning of a rising tide of attacks on technology providers. It illustrated that:

  • Supply chain risks are critically impactful; a single hacked company can threaten the security of all of its customers.

  • Software vulnerabilities in a single product can lead to cascading compromises throughout the globe.

  • Powerful technology companies are not invincible: indeed, far from it.

  • Everyone is at risk.

Today, technology underlies every aspect of our global society, connecting suppliers and their customers in a massive, complex web. Supplier security risks can trickle down to customers, at times resulting in widespread data breaches. In this chapter, we will discuss how risks are transferred as a result of service provider access to customer IT resources and data. Then, we will analyze the risks introduced throughout the technology supply chain, including software and hardware vendors, and provide tips for minimizing the risk of a breach.

8.1 Service Provider Access

Service providers often have access to sensitive customer data or supporting IT resources in order to do their jobs. This access may be co-opted by criminals, or simply mismanaged, resulting in a data breach. Breaches of this type typically occur through one of the following vectors:

  • Data Storage - Breach of the customer’s data while it is stored in a service provider repository. (Note that discussion of cloud data breaches will be reserved for Chapter 13, “Cloud Breaches.”)

  • Remote Access - Misuse of third-party remote access credentials, or a breach that spreads across a third-party connection (such as a virtual private network [VPN]).

  • Physical Access - Theft or unauthorized access to sensitive information, typically in the form of papers or storage media.

We will discuss each of these vectors in turn.

8.1.1 Data Storage

Nearly every organization relies on outside service providers that store and process data on their behalf. This includes attorneys, accountants, sales and marketing firms, IT providers, and more. When one of these service providers is breached, it jeopardizes the data of customers, as well.

The “Panama Papers” breach is a perfect example. At 2.6 TB, it was the largest data leak in history when it was first publicized in 2016. The documents were stolen from the Panamanian law firm Mossack Fonseca, which specialized in offshore financial services. The law firm’s records contained the dirty secrets of many prominent world leaders, including politicians, celebrities, and business moguls, dating as far back as the 1970s. The exposed data contained more than 11.5 million documents (including emails, contracts, bank statements, databases, and more). “This is pretty much every document from this firm over a 40-year period,” said Gerard Ryle, the director of the International Consortium of Investigative Journalists (ICIJ).8

8. J. Garside, H. Watt, and D. Pegg, “The Panama Papers: How the World’s Rich and Famous Hide Their Money Offshore,” Guardian, April 3, 2016, https://www.theguardian.com/news/2016/apr/03/the-panama-papers-how-the-worlds-rich-and-famous-hide-their-money-offshore; Andy Greenberg, “How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History,” Wired, April 4, 2016, https://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-leak-whistleblower-history.

The Panama Papers breach was a wake-up call for the legal industry, which had largely skirted cybersecurity oversight up to that point. Suddenly, attorneys in firms around the world imagined the nightmare scenario where all their client data was leaked. Clients began scrutinizing firms more carefully, asking tough questions about their cybersecurity programs. Many organizations suddenly ramped up their supplier vetting programs, requiring law firms and other service providers to produce the results of security assessments and demonstrate that they were appropriately controlling risk.

8.1.2 Remote Access

Many suppliers have remote access to a customer’s systems. In some cases, this access is fairly limited, for the purposes of submitting invoices or time sheets. However, as illustrated by the case of Target’s HVAC vendor, Fazio Mechanical (described in Chapter 7, “Retailgeddon”), even limited access to IT resources can allow criminals to leap from one network to another and cause a data breach.

Some suppliers have extensive remote access to their customers’ networks, in order to provide IT services or support equipment that they installed. Unfortunately, this access can be abused by criminals who steal the supplier’s credentials or pivot through its network. For example, healthcare providers Athens Orthopedic and Midwest Orthopedic discovered they were breached in 2016, when a criminal gang held their data for ransom. According to the Midwest Orthopedic patient notification letter, “hackers . . . likely gained access into our secured database system through a third party contractor.”10 The Athens Orthopedic press release stated that “[t]he breach occurred when a hacker used the credentials of an outside contractor who performed certain services for the Clinic.”11

10. “Local Medical Group Involved in Computer Hack Identified,” Daily Journal Online, July 27, 2016, http://dailyjournalonline.com/news/local/local-medical-group-involved-in-computer-hack-identified/article_1dfafa55-d3d5-54ba-98cf-bdccafeed7a0.html.

11. Athens Orthopedic Clinic, “Important News for Patients,” accessed January 18, 2018, http://athensorthopedicclinic.com/important-news-patients.

Criminals may be able to use one hacked supplier to trivially breach many customers, using stolen passwords or targeted phishing attacks. Passwords stored in plain text files are, unfortunately, a common sight on the computers of many service providers, since they are an easy way to keep track of credentials for numerous customer networks. Suppliers may not have a better system for tracking and managing passwords for multiple customer accounts, and a single stolen file then unlocks every customer at once. The results can be devastating for the customers they serve.

Athens Orthopedic and Midwest Orthopedic are examples of how one supplier’s insecurity can place many customers at risk of a breach. Security researcher “Dissent Doe” received a tip linking both clinics’ data breaches to an “inadequately secured Quest Records LLC file on Dropbox,” which contained passwords for all of the supplier’s customer networks. Quest Records, in turn, admitted that it had suffered a “data security incident” and stated that the organization was cooperating with the FBI.

“[H]ow many other clients of Quest Records LLC may have had their patient information hacked or may still be at risk?” wrote Dissent, noting that “at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information.”12

12. Dissent, “Quest Records LLC Breach Linked to TheDarkOverlord Hacks; More Entities Investigate If They’ve Been Hacked,” DataBreaches.net (blog), August 15, 2016, https://www.databreaches.net/quest-records-llc-breach-linked-to-thedarkoverlord-hacks-more-entities-investigate-if-theyve-been-hacked.
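The plaintext credential files described above (a supplier’s notes holding passwords for every customer network) are something an assessor can check for directly. The following scanner is an added example, not code from this book or from any of the organizations named in this section; the directory layout, file names, key names, and credentials it scans are constructed for the demonstration, and the report redacts what it finds so that the scan output does not itself become a new copy of the secrets.

```python
import os
import re
import tempfile

# Shapes a hard-coded credential commonly takes in a text file:
#   password: value   pwd = 'value'   api_key="value"
# The list of key names is an assumption about how an admin's notes are written.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{4,})"
)


def redact(value):
    """Keep only the first and last character so the report is safe to share."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def is_text(path, sample=1024):
    """Treat any file whose first KiB contains a NUL byte as binary and skip it."""
    with open(path, "rb") as fh:
        return b"\x00" not in fh.read(sample)


def scan_file(path):
    """Return one finding per credential-looking assignment in a text file."""
    findings = []
    if not is_text(path):
        return findings
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in CREDENTIAL_RE.finditer(line):
                findings.append({
                    "file": path,
                    "line": lineno,
                    "key": m.group(1),
                    "value": redact(m.group(2)),
                })
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. a technician's laptop share) and collect findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed sample "vendor notes" directory: two customer files with credentials,
# a note that merely mentions passwords, a YAML file with an API key, and a binary blob.
SAMPLE_FILES = {
    "clients/clinic-a.txt": "Clinic A VPN\nuser: svc_vendor\npassword: Summer2016!\n",
    "clients/clinic-b.ini": "[rdp]\nhost=10.0.0.5\npwd = 'P@ssw0rd'\n",
    "clients/clinic-c.yaml": "portal:\n  api_key: \"demo-key-0001\"\n",
    "README.txt": "Remember to rotate passwords quarterly.\n",
    "bin/cache.bin": b"\x00\x01password=not-text\x00",
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="vendor_notes_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree and scan it; returns the list of redacted findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  {f['key']} = {f['value']}")
```

On a real engagement the scanner is pointed at the supplier’s file shares, ticketing exports, and sync folders (the Dropbox-style location in the Quest Records case is exactly the kind of place it should run), and every hit is a credential to rotate, not just a line to report.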

8.1.3 Physical Access

Long before the term “data breaches” existed, suppliers introduced security risks due to physical access. Cleaning staff often have unsupervised access to sensitive information after regular staff have gone home. Security guards, delivery personnel, and other providers may have greater access to information than most people realize, often during times they are largely unsupervised. Daytime employees may forget that third parties have extensive access to their desks and cabinets at night and leave sensitive information unlocked or visible.

In a classic example of a physical data breach, police arrested seven members of an identity-theft ring in March 2010, after they stole the identities of up to 250 patients of Northwestern Medical Faculty Foundation in Chicago. A janitor who worked at night stole personal information from patient files and passed it along to her conspirators. According to Cook County Sheriff Tom Dart, the thieves would then “go online and either apply for credit cards or request that person’s credit report be mailed.” Ultimately, the criminals made more than $300,000 of fraudulent purchases using patient accounts, including furniture, electronics, appliances, and jewelry.

8.2 Technology Supply Chain Risks

As we have seen, technology can act as a conduit for risk, allowing threats to spread from service providers to their customers. At the same time, technology itself can introduce risk. Software and hardware can contain exploitable vulnerabilities, backdoors, and malware, which are unknowingly installed in customer organizations around the world. Malicious actors may deliberately hack into technology companies to introduce vulnerabilities or malware into products at the source. What’s more, technology companies depend on other technology companies, resulting in risk that cascades throughout the supply chain.

In this section, we will explore the complex topic of technology supply chain risks, including software and hardware vulnerabilities, and targeted attacks on technology companies.

8.2.1 Software Vulnerabilities

Software is ubiquitous and global. All software has bugs; some bugs lead to vulnerabilities; and some vulnerabilities lead to data breaches. Many software products are deployed on a massive scale, meaning that a single software vulnerability can result in a data breach of countless organizations around the world.

8.2.1.1 Bugs and Breaches

Industry experts estimate that programmers introduce, on average, 15 to 50 bugs for every 1,000 lines of code.14 Strong training and testing processes can reduce the number of bugs that actually make it into production software, but at significant cost—so the number of bugs is rarely, if ever, zero. These remaining bugs lurk in production software, undetected, until someone (friend or foe) discovers them.

14. Steve McConnell, Code Complete: A Practical Handbook of Software Construction, 2nd ed. (Seattle: Microsoft Press, 2004).

A certain percentage of these vulnerabilities can be leveraged by criminals to gain unauthorized access to system resources. When a new vulnerability is publicized, “black hat” developers spring into action and quickly develop modules and malware that leverage it. This new functionality can make existing exploit kits more potent or spur the development of wholly new malware.

Exacerbating the issue is the fact that some cybercriminals specialize in uncovering software vulnerabilities for profit. Highly technical hackers around the world search constantly for “zero-day” vulnerabilities (vulnerabilities not yet known to the vendor or the public, and for which no patch exists). When found, zero-day vulnerabilities may be sold to the highest bidder or stockpiled for use in a later attack.

8.2.1.2 Scaling Up

Vulnerabilities are all the more powerful when they exist in software that is replicated on a massive scale, in millions of computers, phones, and Internet of Things (IoT) devices around the world. In these cases, a single bug can result in widespread, cascading data breaches. The issue of cascading security failures first came to light in the early 2000s, when malware such as Slammer and Nimda spread across millions of computers at lightning speed, overloading networks and causing widespread outages. Security experts sounded the alarm. “[T]hese worms did not have to guess much about the target computers because nearly all computers have the same vulnerabilities,” observed Dr. Dan Geer and his colleagues in their famous “monoculture” paper.15

15. Dan Geer et al., “CyberInsecurity: The Cost of Monopoly,” Computer & Communications Industry Association Report, September 24, 2003, https://www.schneier.com/essays/archives/2003/09/cyberinsecurity_the.html.

Fast-forward nearly two decades, and the same problems exist today. The “EternalBlue” exploit, which was leaked from a National Security Agency (NSA) cyberweapons arsenal, was quickly leveraged by attackers to spread the WannaCry ransomware through critical networks in more than 74 countries. “[WannaCry] is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries,” reported Dan Goodin of Ars Technica.16 The same single exploit was later used to spread the infamous Emotet banking Trojan, the “NRSMiner” cryptominer, and countless other malware infections that in many cases led to data breaches.

16. Dan Goodin, “An NSA-Derived Ransomware Worm Is Shutting Down Computers Worldwide,” Ars Technica, May 12, 2017, https://arstechnica.com/information-technology/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/.

8.2.1.3 Patch Problems

The solution to preventing breaches due to software vulnerabilities may seem simple—patch affected systems—but it isn’t that straightforward. First, vulnerabilities have to be discovered and reported to the vendor before they can be patched. This alone may be a challenge, particularly when a strong underground market exists for finding zero-day vulnerabilities.

Even if a vulnerability is known to a vendor, that doesn’t mean a patch exists (as the public found out when it was discovered that Microsoft had known about the Aurora vulnerability for months without issuing a patch). Vendors need to devote significant resources to diagnosing reported flaws and developing software patches. Software vendors have limited resources, like all organizations, and must prioritize their responses. The result is that there is always a delay between the time a bug is known and the time a patch exists. Hospitals, manufacturers, transit authorities, and many other types of organizations rely heavily on specialized third-party vendors, who can take months or years to evaluate and test a patch before pushing it out to customer systems. In some cases, a patch may never exist.

Even when a vendor has developed and distributed a software patch, vulnerable organizations may not deploy it right away, often due to resource constraints, compatibility concerns, or process issues. For example, nearly a year after Microsoft patched the “EternalBlue” vulnerability, Proofpoint discovered a cryptomining botnet containing more than 500,000 infected Windows computers, which still successfully used EternalBlue to spread. This is because IT teams around the world have to test patches and ensure they work with all of their software before deploying. In operationally sensitive environments, where uptime is critical, the risk of system changes may be high, and scheduling downtime to update systems can be a challenge.

The result is that when a widespread vulnerability is revealed, it is common for large numbers of computers to remain vulnerable for an extended time. Meanwhile, criminals use this delay to compromise systems around the world.

8.2.2 Hardware Risks

Hardware devices, too, can be used to spread malware. For example, in 2015, Kaspersky Labs revealed that a shadowy organization known as the “Equation Group” (widely rumored to be the NSA’s hacking team) had hacked popular hard drive firmware manufactured by Seagate, Western Digital, IBM, Toshiba, Samsung, and others. Infected drives were found in more than 30 countries. Targets included “government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists.”17

17. Joseph Menn, “Russian Researchers Expose Breakthrough U.S. Spying Program,” Reuters, February 16, 2015, https://www.reuters.com/article/us-usa-cyberspying/russian-researchers-expose-breakthrough-u-s-spying-program-idUSKBN0LK1QV20150216.

Once installed in a hard drive’s firmware, the malware was capable of persisting even through hard drive reformatting and reinstallation. “The hardware will be able to infect the computer over and over,” said Kaspersky researcher Costin Raiu. Furthermore, the malware could prevent disk sectors from being deleted or return malicious code instead of normal instructions upon boot.18

18. Kaspersky Labs, “Kaspersky Lab Discovers Equation Group: The Crown Creator of Cyber-Espionage,” press release, February 16, 2015, https://usa.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-ofcyber-espionage.

According to the researchers, one Equation Group hard drive worm was designed to map air-gapped networks and save data for exfiltration in a hidden area of the infected hard drive. When the hard drive was connected to a system that had access to the Internet, the worm would upload data to the attacker’s command-and-control server.

In order to create the malware, Raiu insisted that the Equation Group must have had access to the manufacturers’ proprietary source code. “There is zero chance that someone could rewrite the [hard drive] operating system using public information,” he said. The NSA could have gained access to source code in a variety of ways, including through U.S. government software audits. The revelation also reignited concerns about the Aurora attacks in which the source code of major manufacturers was exposed.19

19. Menn, “Russian Researchers.”

8.2.3 Hacking Technology Companies

Operation Aurora and subsequent attacks on Silicon Valley demonstrated that technology companies themselves could be targeted, raising the spectre that popular software could be compromised and used to gain access to many other organizations. Indeed, Operation Aurora seemed to indicate a new strategy for nation-state cyberwarfare, where technology suppliers were specifically targeted as part of long-term, well-funded, multistage attacks.

The effectiveness of this strategy was demonstrated shortly thereafter, when a breach of the popular security company RSA was linked directly to subsequent, successful hacks of the defense sector. At the time, RSA was the leading provider of two-factor authentication tokens. Its “SecurID” products protected login interfaces for some 40 million users around the world, including U.S. Department of Defense (DoD) contractors and corporate banking customers. Since hardware tokens were more costly and labor-intensive to use than single-factor authentication, users of RSA’s SecurID product typically had high-value accounts and were therefore willing to invest more in cybersecurity defense.20

20. Riva Richmond, “The RSA Hack: How They Did It,” Bits (blog), New York Times, April 2, 2011, https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it.

RSA announced that it had been hacked in March 2011—but not in so many words. Then-CEO Art Coviello published an “Open Letter to RSA Customers” on the company’s website. The letter’s generic title belied its dramatic revelation: The renowned security company had been breached. Exactly what the attackers pilfered was a mystery; Coviello’s letter vaguely revealed that the attackers “extracted” data that was related to the SecurID product line. Customers were left to wonder whether the core SecurID intellectual property had been compromised—and whether their own systems could be at risk as a result.21

21. Dan Goodin, “RSA Breach Leaks Data for Hacking SecurID Tokens,” Register, March 18, 2011, https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data.

In a painful blow, U.S. defense contractor Lockheed Martin was hacked two months later—and publicly blamed RSA. Lockheed confirmed to the press that its forensic analysts had concluded that the RSA breach was a “direct contributing factor” to the subsequent breach, allowing attackers to calculate or guess the six-digit one-time code that a user’s token generated as the second factor of authentication.22 (The code is derived from a secret seed programmed into each token; an attacker who holds the seed can compute the same code as the token.) Shortly thereafter, another major DoD contractor, L-3 Communications, announced that it, too, had been targeted by attackers who were “leveraging the compromised information” from the RSA attacks.23 It became painfully clear to the world that RSA’s two-factor authentication products were compromised.

22. Christopher Drew, “Stolen Data Is Tracked to Hacking at Lockheed,” New York Times, June 3, 2011, http://www.nytimes.com/2011/06/04/technology/04security.html.

23. Kevin Poulsen, “Second Defense Contractor L-3 ‘Actively Targeted’ with RSA Secured Hacks,” Wired, May 3, 2011, https://www.wired.com/2011/05/l-3.
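Why a stolen seed database is fatal to a one-time-code scheme is easiest to see in code. The block below is an added example, not RSA’s code or algorithm: SecurID’s tokencode algorithm is proprietary, so the standard RFC 4226 HOTP / RFC 6238 TOTP construction stands in for it as an analogue (the seed used is RFC 6238’s published test key, and the token serial, user PIN, clock values and “stolen database” are constructed). It shows the token and the attacker computing the identical code from the same seed, the server accepting the forged code, and the only remaining secret (the user’s static PIN) falling to enumeration against a validation oracle that has no lockout.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(seed, unix_time // step, digits)


def verify_tokencode(seed, submitted, unix_time, step=30, digits=6, drift=1):
    """Server-side check that tolerates +/- `drift` steps of clock skew."""
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(totp(seed, unix_time + delta * step, step, digits), submitted):
            return True
    return False


# Constructed seed database: serial -> per-token secret. This is the record set whose
# theft the RSA breach was feared to involve. The seed is RFC 6238's test key.
SEED_DB = {"token-0001": b"12345678901234567890"}


def forge_tokencode(stolen_seed_db, serial, unix_time):
    """Attacker side: with the seed and the time, the tokencode is simply recomputed."""
    return totp(stolen_seed_db[serial], unix_time)


def brute_force_pin(stolen_seed, oracle, unix_time, pin_len=4):
    """With the seed known, the user's static PIN is the only unknown, so enumerate it
    against a validation oracle. Returns (pin, attempts_used); a lockout policy is what
    would stop this in practice."""
    code = totp(stolen_seed, unix_time)
    for n in range(10 ** pin_len):
        pin = str(n).zfill(pin_len)
        if oracle(pin + code):
            return pin, n + 1
    return None, 10 ** pin_len


def demo(now=59, user_pin="4821"):
    """Constructed scenario: time 59 (an RFC 6238 test vector) and a hypothetical PIN."""
    seed = SEED_DB["token-0001"]
    legit = totp(seed, now)                      # what the user's token displays
    stolen = dict(SEED_DB)                       # what the breach hands the attacker
    forged = forge_tokencode(stolen, "token-0001", now)

    def oracle(passcode):                        # login endpoint expecting PIN + tokencode
        return hmac.compare_digest(passcode, user_pin + totp(seed, now))

    pin, attempts = brute_force_pin(stolen["token-0001"], oracle, now)
    return {
        "legit": legit,
        "forged": forged,
        "forged_accepted": verify_tokencode(seed, forged, now),
        "pin": pin,
        "attempts": attempts,
    }


if __name__ == "__main__":
    print(demo())
```

The design lesson matches what RSA’s customers did in 2011: once the seed is out, no amount of server-side cleverness restores the second factor, so the tokens (that is, the seeds) have to be replaced, and until then PIN lockout and monitoring of failed passcode attempts are the only controls left.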

The future looked grim for RSA, as customers lost confidence in the company’s flagship product line. Within days, RSA released another “Open Letter,” offering to replace or monitor tokens for “customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”24

24. Art Coviello, “Open Letter to RSA SecurID Customers,” RSA, 2011, https://web.archive.org/web/20110701042640/www.rsa.com/node.aspx?id=3891.

This desperate move came at an enormous expense. “It was hell to live through what we did,” said RSA president Tom Heiser, months later. The company had to increase its production sevenfold in order to meet the demand for replacement tokens. The monitoring program alone cost $66 million.25 RSA’s outreach team implemented a crisis communications strategy, in which it contacted more than 60,000 customers, including more than 15,000 customers reached by phone, and more than 5,000 customers reached by conference calls and in-person meetings.

25. Hayley Tsukayama, “Cyber Attack on RSA Cost EMC $66 Million,” Washington Post, July 26, 2011, https://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html.

At the same time, highly targeted military units, government agencies, DoD contractors, and financial institutions scrambled to reissue tokens for all of their users—and meanwhile worked to manage their exposure.26

26. Nelson D. Schwartz and Christopher Drew, “RSA Faces Angry Users After Breach,” New York Times, June 7, 2011, http://www.nytimes.com/2011/06/08/business/08security.html.

8.2.4 Suppliers of Suppliers

The technology supply chain isn’t really so much of a chain; it’s more of a complex web, with technology providers highly dependent upon each other. Risk flows throughout the system in a nonlinear way. Aurora illustrated this poignantly; the tech giants were hacked using vulnerabilities in software they relied upon, which was in turn produced by other tech giants.

Software configuration management (SCM) systems are one example of a popular product that many tech giants rely on. Major software developers use SCM systems to manage and secure their source code repositories. The security of these systems is critical since source code is one of the crown jewels for many tech companies. Attackers who gain access to a tech company’s source code can potentially make counterfeit or competing products, identify zero-day vulnerabilities to be used in future attacks, or insert backdoors for distribution to the victim’s customers.

After the Aurora attacks, researchers from McAfee pointed out the importance of SCM systems in establishing risk throughout the entire software supply chain. A handful of SCM vendors are used by many tech giants. The researchers conducted a security analysis of the popular Perforce software, used by Fortune 1000 companies.

Their findings were eye-opening. McAfee’s researchers found major vulnerabilities in the widely used SCM software, including authentication bypass issues, lack of encryption, and other serious security issues.27 The software giants’ reliance on the same, widely deployed, vulnerable code management software introduced risks throughout the technology supply chain that most people had never considered before.

27. McAfee Labs and McAfee Foundstone Professional Service, “Protecting Your Critical Assets: Lessons Learned from ‘Operation Aurora’” (white paper, McAfee, Santa Clara, CA, 2010), https://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf.

8.3 Cyber Arsenals

Over the years, as technology matured and spread, exploits and vulnerabilties became a valuable commodity. It became clear that data breaches could be used to gain military, economic, financial, or political advantages. Governments, organized crime groups, and hacker consultants began to stockpile “cyberweapons” in order to facilitate hacking—only to discover that these dangerous caches, too, could be breached. When “cyber arsenals” were exposed, the effects rippled around the world.

The NSA’s breach was a catastrophic example. Few people realized that the U.S. government maintained an arsenal of cyberweapons—until 2016, when a mysterious group called the “Shadow Brokers” emerged online, claiming to have hacked the Equation Group (recall from earlier that the Equation Group is commonly believed to be the NSA’s hacking team). Over the coming months, the attackers dumped multiple caches of stolen data, including very effective exploits (such as the soon-to-be-infamous “EternalBlue”) and “FuZZbuNch,” a user-friendly tool that made it easy to launch exploits—similar to the publicly available Metasploit framework.28

28. Shadow Brokers, “Lost in Translation,” Steemit, February 2017, https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation.

The hackers weren’t done. In the weeks that followed, the Shadow Brokers announced a subscription service that enabled buyers to receive new releases regularly. Prices started at approximately $21,000 per month.29

29. Swati Khandelwal, “Shadow Brokers Launches 0-Day Exploit Subscriptions for $21,000 Per Month,” Hacker News, May 29, 2017, https://thehackernews.com/2017/05/shadow-brokers-exploits.html.

8.3.1 Weapons Turned

Cybercriminals greedily gobbled up the newly available hacking tools and incorporated them into the latest malware. Within weeks of the Shadow Brokers’ releases, more than 200,000 computers worldwide were already infected with malware based on the leaked cyberweapons. “Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies,” reported Joseph Cox of Motherboard magazine.30

30. Joseph Cox, “Your Government’s Hacking Tools Are Not Safe,” Motherboard, April 14, 2017, https://motherboard.vice.com/en_us/article/d7bvxa/your-governments-hacking-tools-are-not-safe.

The leaked exploits weren’t quite zero-days; Microsoft had released an update in March that patched the last four of the vulnerabilities the leaked exploits targeted. (Many speculated that Microsoft received an early heads-up about the leaked material and rushed to close the holes in its software.) Still, multitudes of organizations didn’t have time to test and deploy the new patches before virulent new malware emerged. Many systems remained vulnerable months and years later.

“The bloodbath will continue,” said security professional Dan Tentler, CEO of Phobos Group. “It’s going to get worse.”

8.3.2 Calls for Disarmament

Tech companies were infuriated by the revelation that the NSA had stockpiled vulnerabilities rather than disclosing them to vendors. These vulnerabilities could be leveraged not just by the NSA but by any attacker that similarly uncovered them. Furthermore, when stockpiles of cyberweapons were leaked, as occurred with the NSA’s cache, there was no easy way to deploy a fix that would protect the masses. The whole world was more vulnerable as a result.

Microsoft, as the manufacturer of the world’s most popular operating system for PCs, stood in the crossfire of nation-state attacks. The worst of the NSA’s leaked exploits affected the Windows platform, which undoubtedly caused massive headaches (and financial consequences) for Microsoft.

At the RSA conference in February 2017, Microsoft’s president and chief legal counsel, Brad Smith, called on governments around the world to protect civilians from cyberweapons.

“What we need now is a Digital Geneva Convention,” Smith said. “We need a convention that will call on the world’s governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure, whether it’s of the electrical or the economic or the political variety. We need governments to pledge that, instead, they will work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities, and they will take additional measures.”31

31. Brad Smith, Transcript of Keynote Address at the RSA Conference 2017 “The Need for a Digital Geneva Convention” (Moscone Center, San Francisco, CA, February 14, 2017), 10, https://blogs.microsoft.com/wp-content/uploads/2017/03/Transcript-of-Brad-Smiths-Keynote-Address-at-the-RSA-Conference-2017.pdf.

Smith laid out a six-point plan for such a convention:32

32. Smith, “Need for a Digital Geneva Convention.”

  1. No targeting of tech companies, private sector, or critical infrastructure.

  2. Assist private sector efforts to detect, contain, respond to, and recover from events.

  3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

  4. Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.

  5. Commit to nonproliferation activities for cyberweapons.

  6. Limit offensive operations to avoid a mass event.

Despite the pressure from Silicon Valley, the call for disarmament did not appear to result in any significant cyber arms control agreement. The stockpiling of cyberweapons—and risk of breaches—continued.

8.4 Conclusion

In today’s interconnected world, the risk of a breach flows throughout our supply chain. Service providers transfer risks to their customers by storing and accessing data on their behalf. Technology providers, such as software vendors and hardware manufacturers, may unwittingly introduce vulnerabilities, backdoors, and malware into their supply chain. Cybercriminals, recognizing the power of upstream attacks, have engaged in long-term, multistage, targeted attacks on technology providers.

Organizations can no longer afford to ignore the risks posed by suppliers. To manage the risk of a breach, it’s important to establish formal processes for vetting suppliers and ensure that they, too, formally manage cybersecurity risks.

Even the most mature vetting programs, however, are no match for nation-state-funded cyber arsenals. The breach of the NSA’s cyberweapons cache fundamentally changed the risk of data breaches around the globe, releasing powerful cyberweapons that criminals immediately used to hack into computers around the world. Stockpiling vulnerabilities and exploits creates risk for all. Common organizations—from schools to hospitals to businesses—have been breached due to the release of nation-state cyberweapons, and this trend will continue as long as cyber arsenals exist.

In the next chapter, we will delve into healthcare breaches. Due to the specialized nature of medical equipment, healthcare organizations rely heavily on third-party suppliers for cybersecurity. They have also been hit hard by ransomware and data-stealing malware, in many cases due to EternalBlue and other leaked NSA cyberweapons—illustrating how supply chain cybersecurity breaches can have direct consequences for all of us.
