The Utah Department Of Technology Services


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

In April 2012, Global Payments Inc., located in Atlanta, Georgia, announced a breach in its card data processing system. Global Payments is one of the biggest processors of Visa and MasterCard card transactions and also processes a number of transactions for Discover Financial and American Express. The breach allowed hackers to obtain around 1.5 million card numbers. While this seems like a huge number of cards, it is only a fraction of the one billion cards in use in North America, where the incident occurred.

Fortunately, the people whose card numbers were stolen were not liable for any unauthorised transactions on their cards. This incident raised concerns about the safety of card payment systems. Global Payments is essentially the ‘middleman’ in card transactions. They authorise a charge and then pass on transaction details to companies like Visa and MasterCard. Global Payments stated that while the information stolen can be used to create counterfeit cards, personal information such as names, addresses and social security numbers was not compromised.

Visa was the first company to act against Global Payments when they removed Global Payments from their list of approved service providers. This means Global Payments will end up paying Visa more for processing transactions in the future.

Utah Department of Technology Services

In April 2012, the Utah Department of Technology Services announced that they were a victim of a data breach. A weak password was to blame for this data breach. On March 30th 2012, a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services (DTS) server containing social security numbers for Medicaid claims. The breach involved both Medicaid patients and recipients of the Children’s Health Insurance Plan, which is a means-tested insurance plan for children who are not covered by another health insurance plan.

The Utah Department of Health (UDOH) originally believed that 24,000 claims had been accessed, but the number is now about 780,000 according to UDOH. The department reported that 280,000 people had their social security numbers stolen and about 500,000 others had personal information such as names, dates of birth and addresses compromised. DTS discovered the breach on April 2nd and reported it to the public on April 4th. Following the breach, the Utah Governor requested an evaluation of all procedures for state security and data storage. He also called for an "around the clock" effort to identify and notify all victims of the breach. Outside firms were hired by UDOH and the Utah Department of Administrative Services to carry out a forensic analysis to identify victims.

These servers also store the names of physicians, national provider identifiers, addresses, tax identification numbers and medical billing information, according to UDOH. UDOH set up a hotline and a website for the latest information on the breach. The Utah government is offering one year of credit-monitoring services to patients who had their social security numbers stolen.

Yahoo!

On July 12, 2012 there was a security breach at Yahoo that exposed 450,000 usernames and passwords. This was done using a web portal (a site that brings information together from different sources) called Associated Content. The company failed to take basic precautions to protect the data.

Instead of storing the passwords cryptographically, the passwords were left in plain text which made it easy for the hackers to read. Only 5 percent of the stolen data had been valid because Yahoo had notified users and companies whose user accounts may have been compromised. The portal allowed people registering with Yahoo to use credentials from other sites to log in. These were identified as Google’s Gmail, Microsoft’s Hotmail, AOL, Comcast and Verizon.

2,200 of the stolen passwords were simply "123456". This was part of the problem, as Yahoo did not require stronger passwords. A group of hackers known as D33Ds took credit for the breach and stated on their website that it was a warning, saying "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call and not as a threat". They claimed to have used a method known as SQL injection to access the database on the server hosting the site. SQL injection involves sending commands through a URL to break a poorly secured site.
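The sketch below is an added example, not code from the essay or from Yahoo. It shows why a value taken from a URL changes the meaning of a query that is built by string concatenation, and how a parameterized query removes the problem. The table, the sample rows, the `portal.example` URLs and all function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def user_param(url: str) -> str:
    """Return the URL-decoded 'user' query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("user", [""])[0]


def lookup_vulnerable(conn, username: str):
    # WEAK: the URL value is pasted into the SQL text, so a quote character
    # in it changes the structure of the statement itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    # FIXED: the statement is constant and the value is bound separately,
    # so it is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed request URLs; the second carries the textbook always-true clause.
NORMAL_URL = "https://portal.example/profile?user=alice"
CRAFTED_URL = "https://portal.example/profile?user=x%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    for url in (NORMAL_URL, CRAFTED_URL):
        value = user_param(url)
        print(repr(value))
        print("  concatenated :", len(lookup_vulnerable(db, value)), "row(s)")
        print("  parameterized:", len(lookup_parameterized(db, value)), "row(s)")
```

With the crafted URL the concatenated query returns every row in the table, while the parameterized query returns none because no user has that literal name.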

LinkedIn

On June 6th 2012, the social networking site LinkedIn was hacked, resulting in 6.5 million accounts being stolen by Russian cyber criminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.

The stolen passwords were encrypted but were decrypted and uploaded onto a Russian password decryption forum. By the 6th of June thousands of passwords were available online in plain text. LinkedIn director Vincente Silveira would not confirm how many of these passwords were posted on the forum but stated that compromised passwords will need to be reset and those users trying to log into LinkedIn will notice their passwords need to be reset. LinkedIn apologised immediately after the breach and asked all of its users to change their passwords.

Numerous reports state that LinkedIn had been using the Secure Hash Algorithm 1 (SHA-1) format to protect passwords. Experts claim that this offers less protection than a technique known as "salted hashing", which they have recommended that the site use. "Salting" the hashes involves combining the hashed password with another combination and then hashing it for a second time. Katie Szpyrka, a member of LinkedIn from Illinois, USA, filed a $5 million lawsuit against LinkedIn complaining that the company did not keep its promise to keep their connections and databases secure.
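The added example below (not from the essay or from LinkedIn) contrasts a single unsalted SHA-1 digest with salted hashing as it is normally implemented: a random per-account salt is combined with the password before a deliberately slow hash is applied. PBKDF2-HMAC-SHA256, the record format, the iteration count and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor; tune it for your own hardware


def sha1_unsalted(password: str) -> str:
    """Single unsalted SHA-1: equal passwords always give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per account."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key, expected)


def accounts_sharing_a_digest(stored_values) -> int:
    """Number of accounts whose stored value also appears on another account."""
    counts = Counter(stored_values)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts; three of them reuse the same weak password.
SAMPLE = {"ann": "123456", "bob": "123456", "cat": "123456", "dan": "T7#vq-Lm2!x"}

if __name__ == "__main__":
    unsalted = [sha1_unsalted(p) for p in SAMPLE.values()]
    salted = [hash_password(p) for p in SAMPLE.values()]
    print("unsalted SHA-1, accounts sharing a digest:", accounts_sharing_a_digest(unsalted))
    print("salted PBKDF2, accounts sharing a digest: ", accounts_sharing_a_digest(salted))
    print("correct password verifies:", verify_password("123456", salted[0]))
```

In the unsalted column, recovering one digest recovers the password of every account that shares it; with per-account salts each record has to be attacked separately.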

Bank of Ireland/AIB

On the 10th of July 2012 Gardaí were notified of the discovery of thousands of email addresses and passwords on a specialist hacker’s website, many of which belong to bank and civil service employees who work for the HSE, AIB, and private companies. The potentially sensitive information was found last week by a digital data protection company known as Databackup.ie, which then contacted the Garda Computer Crime Investigation Unit.

It is understood that the list was of subscribers to an online company which has been out of business for the last number of years. It appears that once the company went out of business, it was unaware that the list of information regarding its client base remained live on the server. The passwords stolen were for the site that had gone out of business, but Bank of Ireland were worried because it is common for people to use the same passwords across several accounts, including work log-ins. No hackers have claimed responsibility for the data leak and An Garda Síochána are still investigating.

Threat Types

Company                 Breach
Global Payments         Integrity violation, illegitimate use
LinkedIn                Information leakage, integrity violation
Yahoo                   Information leakage, integrity violation
Utah DTS                Integrity violation, illegitimate use
Bank of Ireland/AIB     Information leakage, integrity violation

Security Services

Security services are measures which can be put into place to address a threat.

The security services related to our breaches are:

Data Confidentiality

Confidentiality means preventing the disclosure of information to unauthorised individuals or systems. Data confidentiality is achieved through authentication methods, like user IDs and passwords, that uniquely identify a system's users, and control methods that limit each identified user's access to the data system's resources. Protections against malicious software are also important to confidentiality. Examples of malicious software (malware) are spyware, spam and phishing attacks. Data confidentiality is necessary for maintaining the privacy of people whose personal information is stored in the system.

Data Integrity

Data Integrity is the maintenance and assurance that all your data is accurate and consistent. It is an important feature of the database system. Data that has integrity is maintained during any operation, such as transfer, storage or retrieval. Data Integrity provides guidelines for data retention. It shows what can be done with data after its validity expires. In order to achieve data integrity there are rules that are constantly and routinely applied to all data entering the system. The stricter the Data Integrity a company provides, the fewer error reports it will encounter. Having a well-controlled and well-defined data-integrity system increases stability, performance, re-usability, and maintainability.

Access Control

Access Control is the prevention of unauthorised use of a resource. The two mechanisms of access control are locks and login credentials. Access control can be physical or computer based.

There can be many different types of physical access control. A company can have security guards protecting their server. They can give their employees electronic key cards (for access to different parts of the company) which can be programmed to restrict access for some employees, e.g. general workers probably wouldn’t be given access to the server room, whereas members of the I.T. department would have access to it. By doing this, if anything goes wrong, the company will have an idea of who did it, as most of these keys will keep a record of who entered the room and at what time. Aside from electronic keys, there could be a pass code on a door which only a certain number of people know. A common security risk with this is that the legitimate user may be followed through the door. A way to combat this is to make the legitimate user aware of people trying to do this by implementing security awareness training. Another common risk would be the door being forced open. Fully implemented access control systems also have forced door monitoring alarms which protect the room from intruders.

For computer security, the general access control includes authorisation, authentication, access approval and audit. This is where the system makes a decision to grant or deny access. During this the system compares the authorisation policy with the request to determine whether the request will be granted or denied. This can be related to a database where only some users are granted access to edit or delete parts of the database.

In the case of Global Payments Inc, data confidentiality should have been in place to protect against this breach. The system should enforce confidentiality by encrypting the card numbers during transmission, by limiting the places where they might appear, and by restricting access to the places where they are stored. Luckily, no personal information was compromised in this attack, which means that Global Payments had some but not sufficient security in place to protect their customers’ personal information. To prevent this happening in the future they would have to encrypt credit card numbers.

Utah Department of Technology Services was also lacking in data confidentiality. They should not have had such a weak password on a server that contained such personal information. Utah DTS should have been prepared for attacks on their system, and all of their customers’ personal information should have been encrypted, not left in plaintext. By not encrypting their information, they will have broken the trust of their customers and will likely get a bad reputation for something that could have been easily avoided. With encryption in place, the hackers would not have been able to decrypt the ciphertext. Only those with the algorithm and access to this system could decrypt this information. The solution to this problem would be to encrypt personal information, have a strong, very complex password on the server and restrict access to the server.

The first mistake made by Yahoo! is that they failed to encrypt their passwords on their server. This made it extremely easy for the hackers to read them. They failed to protect Data Confidentiality and Data Integrity, which they should have kept more secure. Because of this, hackers were able to access their data and do whatever they liked with it.

Like Yahoo!, LinkedIn needed to keep Data Confidentiality secure, which would prevent external parties from accessing their data. Although they had their passwords encrypted, they used an encryption algorithm which was easy for hackers to crack. They need to improve their encryption methods and have stricter Access Control, allowing only certain people to access their server. This should also prevent data falling into the wrong hands.

In the case of Bank of Ireland, Data Confidentiality was not maintained, which resulted in the loss of thousands of bank employees’ email addresses and passwords. Although the company that left the email addresses and passwords was unaware of the list still on their server, they still should have had the list encrypted to prevent anyone reading it. They should also have had digital signatures and public key encryption to establish authenticity and non-repudiation.

Mechanisms

Security services make use of mechanisms to counter security attacks. Each security service has a corresponding mechanism. The mechanisms related to our security breaches are:

Encryption

Data confidentiality corresponds to encryption (sometimes, but less commonly, referred to as encipherment). Encryption is the process of encoding messages or information in such a way that hackers cannot read it, but authorised parties can. The message or information (plain text) is encrypted using an encryption algorithm called a cipher, which turns this information into unreadable cipher text. The cipher text has the same information as the plain text, but a mechanism is needed to decrypt the information as it is not readable by humans or computers otherwise. The cipher requires a key (crypto variable) to operate. Encryption varies depending on the key, which changes how the algorithm works. To encrypt a message, a key must be determined depending on how the algorithm works. Decrypting the cipher text into plain text should be nearly impossible without knowledge of the key. Ciphers are split into categories depending on how they work. They can either work on fixed-size blocks of symbols (block ciphers), or they can work on a continuous stream of symbols (stream ciphers). They are also split into symmetric and asymmetric key algorithms. Symmetric means the same key is used for encryption and decryption. Asymmetric means a different key is used for encryption than for decryption. Symmetric algorithms require the key to be known by both the recipient and sender, but no one else. Asymmetric algorithms, however, require the encryption key to be slightly different to the decryption key, although they are closely related. When the keys cannot be determined from one another, the asymmetric algorithm possesses the public and private key property: one of the keys can be made public and confidentiality will not be compromised.

Digital Signature

A digital signature is a mathematical scheme for proving the authenticity of a digital message or document. Digital signatures are often used to implement electronic signatures (any electronic data that carries a signature) but not all electronic signatures use digital signatures. Digital signatures use a type of asymmetric cryptography. For messages sent through a non-secure channel, a properly implemented digital signature gives the receiver reason to believe that the message was sent by the legitimate sender. Digital signatures are equal to traditional handwritten signatures in many aspects, but successfully implemented digital signatures are far more difficult to forge than handwritten signatures. Digital signatures are cryptographic, and must be implemented properly to ensure they work successfully. Digital signatures also provide non-repudiation, meaning that the signer cannot claim they did not sign a message while also claiming their private key remains secret.

Firewall

A firewall can be both software and hardware based and is used to keep networks secure. It analyses data packets from incoming or outgoing network traffic and determines whether they should be allowed through or not. A network firewall separates an internal network that is trusted from another network that cannot be trusted. Most routers contain firewall components and many firewalls can perform basic routing functions.

Conclusion

In conclusion, all businesses should have a strong firewall and proxy to keep unwanted people out. They should have a strong antivirus software package and use strong passwords which should be changed on a regular basis. They should enforce physical security precautions on all employees. They should have CCTV in all restricted zones. All businesses should also have a security guard. All companies who store customers’ personal information on their servers should have all this information encrypted to ensure it remains confidential. Digital signatures should be used where possible; these allow the receiver to believe that messages received are from a legitimate sender.


