Anthem breach: Vendors never let a good crisis go to waste

Given this week’s news of a potentially huge security breach at insurance provider Anthem, security vendors of all types are eager to give advice, and, oh, get their company names in front of affected consumers or (better yet) other big companies spooked by what happened to Anthem.

The [company]Anthem[/company] breach, in which hackers accessed names, addresses, birth dates, medical ID numbers and social security numbers of customers, could affect up to 80 million people.

So, what could Anthem do better going forward? According to what showed up in my inbox, it should apply file-level protection (Varonis), use fraud detection and behavioral analysis (NuData Security), apply cloud-based security (Zscaler) and speed up disclosure and response (Co3 Systems and Incident Response Management Systems). You get the picture.

Given that no one outside of Anthem, its vendors and maybe the hackers actually knows what systems it had in place, it seems rather presumptuous for security vendors to insert themselves as would-be saviors, but such is the way of corporate PR.

And now for the real victims

So now that we know what security companies think other customer-facing vendors should do (which is basically “buy our stuff”), what about the poor schlubs whose information was stolen? What are they supposed to do? Well, there was the usual advice from the National Consumers League and others.

People should be more suspicious than usual of email from unknown people — bad guys use email to launch phishing attacks. Don’t open messages from anyone you don’t know; don’t click on links in email unless you’re sure where they will take you (hover over the link, or long-press it on a phone, to see whether the real destination looks legit); don’t respond to odd email if you happen to open it. Stop reusing passwords across sites or, better yet, get a password manager. Use two-factor authentication. Yaddayaddayadda.
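The “hover over the link” advice can be automated. The following is an added example, not code from the original article or from the National Consumers League: it parses the anchors in an HTML e-mail body and flags the patterns a phishing link typically relies on (anchor text that shows one domain while the href points at another, a bare-IP host, a fake brand host tucked into the userinfo part of the URL, a punycode host that could be a homograph, and a trusted brand served over plain http). The sample e-mail, the hostnames and the trusted-host list are constructed for the example; it uses only the standard library.

```python
"""Automated version of the "hover over the link" check for e-mail.

Added example; not code from the original article or from the National
Consumers League. Sample e-mail, hosts and TRUSTED_HOSTS are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand hosts the recipient would recognise (constructed for the example).
TRUSTED_HOSTS = {"anthem.com", "www.anthem.com", "anthemfacts.com"}

# Anchor text that itself looks like a URL or a hostname.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable(host):
    """Crude registrable-domain heuristic: the last two labels.
    A production tool would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(text, href):
    """Return the reasons a link looks deceptive; an empty list means clean."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not a plain http(s) link: %s" % href]
    if parts.username is not None:
        reasons.append("userinfo before host (%s@)" % parts.username)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible homograph)")
    shown = URL_LIKE.match(text.strip())
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("text shows %s but href goes to %s" % (shown.group(1).lower(), host))
    if parts.scheme == "http" and registrable(host) in {registrable(h) for h in TRUSTED_HOSTS}:
        reasons.append("trusted brand over plain http")
    return reasons


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email(html):
    """Map each suspicious href in the body to its list of findings."""
    collector = AnchorCollector()
    collector.feed(html)
    report = {}
    for text, href in collector.links:
        reasons = link_findings(text, href)
        if reasons:
            report[href] = reasons
    return report


# Constructed phishing sample: one honest link, three deceptive ones.
SAMPLE_EMAIL = """
<p>Dear member, your Anthem account needs verification.</p>
<a href="https://anthemfacts.com/">https://anthemfacts.com/</a>
<a href="http://198.51.100.7/login">www.anthem.com</a>
<a href="https://www.anthem.com@update-secure.example/verify">Verify now</a>
<a href="https://xn--anthm-9za.example/">https://anthem.com/members</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The registrable-domain heuristic is deliberately crude (it treats `co.uk`-style suffixes wrongly); anything beyond a demo should use the Public Suffix List. The check also only catches what the mail itself reveals: a link to a look-alike domain with matching text and valid TLS still passes, which is why the advice about not clicking at all still stands.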

If you suspect credit card fraud, get your credit reports or credit score updates (Credit Karma is a good and free service), although, as NBC reported, the credit agencies will not catch medical identity theft. In that scenario, a person’s purloined medical ID number could be used at hospitals, ERs and pharmacies to get care and drugs, “racking up charges and wrecking victims’ medical records.”

The best way to detect medical ID theft is to scrupulously check your Explanation of Benefits documents each and every time. And make sure to shred all medical documents.

At this point, given all the breaches at Target, Home Depot, JPMorgan Chase and now Anthem, it’s probably safe to assume that some of your information is already “out there,” so do as much as you can yourself to protect your assets. No vendor is going to do it for you.

Another big data breach, this time at insurance company Anthem

Anthem, the nation’s second largest insurance provider, was hit by hackers who stole lots of customer data including names, birth dates, medical IDs, social security numbers, snail-mail and e-mail addresses, and employment information — but allegedly no credit card or medical information, the company said. Although with all that other information out there, that may not be much comfort.

In a letter to customers, Anthem CEO Joseph Swedish acknowledged that his own information was stolen but said there is no evidence that credit card or medical information were compromised. [company]Anthem[/company], formerly known as [company]Wellpoint[/company], posted more information here for customers.

Little is known about which of the company’s databases or applications were hijacked, but Anthem said all of its businesses were affected. And there was the usual butt-covering: Swedish said the company “immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.” Anthem also characterized the breach as a result of “a very sophisticated external cyber attack.” But, seriously, what else would they say? As a couple wiseguys on Twitter put it: “It’s better than saying you left the front door open.” Or the keys on the visor.

Anthem also said it hired Mandiant, a sort of cybersecurity SWAT team, to assess its systems and recommend solutions. Cybersecurity specialist Brian Krebs has more on the potential impact.

The topic of the breach came up during a call earlier today during which the White House discussed its interim report on big data opportunities with reporters. The gist was that Anthem appeared to have notified authorities within 30 days of finding the problem, which is what the White House would stipulate in bills it is formulating.

The security of healthcare data is of particular concern — and preserving patient privacy was the impetus behind HIPAA and other regulations. But, as Gigaom pointed out earlier this year, that data security may be as much fiction as fact.

The benefits of consolidating digital patient data in one place so that a patient or her doctors can access it spells convenience for authorized users, but that data conglomeration also offers a compelling target for bad guys.

At this point it would be natural for a given consumer to feel both spooked and jaded by these security snafus. Last year alone, there were major breaches at Target, Home Depot, and JPMorgan Chase, affecting hundreds of millions of people in aggregate.

Yik Yak shown no slack in intern hack attack

Getting hacked seems to be a rite of passage for social media companies. It’s a sign that they’ve grown big enough to attract the attention of the hacking community.

Right on schedule, anonymous local chatting app Yik Yak has been hit with a big security breach, a mere two weeks after closing its $62 million round led by Sequoia. An intern from a security firm figured out how to unearth people’s real life identities and take control of their accounts.

I reached out to Yik Yak for comment and a spokesperson said, “Upon being informed of the issue, Yik Yak acted immediately to address and remedy the situation.” The company released an updated app last week that fixes the hole, before SilverSky Labs, a security firm, disclosed the flaw on Monday.

Yik Yak is huge in U.S. colleges, where people within a two mile radius of each other can post anonymous, public messages to a feed.

A young intern at SilverSky Labs decided to test Yik Yak’s system given recent privacy controversies in the anonymous app space (see: Whisper). It didn’t take long to crack the app’s code — just a few days. “This attack is not particularly sophisticated,” Brandon Edwards, VP of SilverSky Labs, told me. “A lot of the tools [we used] are common place in network analysis.”

Intern Sanford Moskowitz figured out that although Yik Yak encrypted the messages sent over its network, it also communicated with third party service providers that didn’t do so. Therein lay the weakness, allowing Moskowitz to find unique Yik Yak user ID numbers (different from the publicly facing username).

Since Yik Yak doesn’t require passwords, anyone with this person’s user ID number could tamper with the Yik Yak app to log into said user’s account, see their content, and post under their identity. They could also use the ID to work out someone’s real-life identity: capture the phone’s network traffic with Wireshark and correlate the Yik Yak ID with other identifying traffic from the same device. For example, if you’re logged into other social networks that carry your name, a hacker could tie that traffic back to your Yik Yak ID.
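The design flaw described above is that the public user ID doubles as the credential, so anyone who observes it (here, in cleartext traffic to a third-party service) can act as the user. The following is an added example, not Yik Yak’s code: `NaiveServer` models that weakness, and `SignedServer` shows a passwordless design that survives it by handing each device a random secret once over TLS and authenticating every request with an HMAC over its contents plus a timestamp and nonce. The API shape, class names and identifiers are constructed for the example.

```python
"""User ID as the whole credential vs. a device secret with signed requests.

Added example, not Yik Yak's code. API shape and identifiers are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

REPLAY_WINDOW = 300  # seconds of clock skew tolerated before a request is stale


class NaiveServer:
    """Vulnerable design: the public user ID is the only credential."""

    def __init__(self):
        self.posts = {}  # user_id -> messages

    def register(self):
        uid = secrets.token_hex(8)
        self.posts[uid] = []
        return uid

    def post(self, user_id, message):
        if user_id not in self.posts:
            return False
        self.posts[user_id].append(message)  # anyone who knows the ID gets here
        return True


class SignedServer:
    """Hardened design: per-device secret, HMAC-signed requests, replay cache."""

    def __init__(self):
        self.device_secret = {}  # user_id -> 32-byte secret
        self.posts = {}
        self.seen_nonces = set()  # (user_id, nonce); production: bounded with a TTL

    def register(self):
        uid = secrets.token_hex(8)
        secret = secrets.token_bytes(32)  # delivered once over TLS, never sent again
        self.device_secret[uid] = secret
        self.posts[uid] = []
        return uid, secret

    @staticmethod
    def canonical(uid, ts, nonce, body):
        """Bytes both sides sign: every field that affects the request."""
        return "\n".join([uid, str(ts), nonce, body]).encode()

    def post(self, uid, ts, nonce, body, sig, now=None):
        now = time.time() if now is None else now
        key = self.device_secret.get(uid)
        if key is None or abs(now - ts) > REPLAY_WINDOW or (uid, nonce) in self.seen_nonces:
            return False
        expected = hmac.new(key, self.canonical(uid, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False
        self.seen_nonces.add((uid, nonce))
        self.posts[uid].append(json.loads(body)["message"])
        return True


def sign_request(uid, secret, message, ts=None):
    """Client side: build a signed post request from the device secret."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8)
    body = json.dumps({"message": message})
    sig = hmac.new(secret, SignedServer.canonical(uid, ts, nonce, body), hashlib.sha256).hexdigest()
    return uid, ts, nonce, body, sig


def demo():
    """Return (naive_hijacked, legit_ok, replay_ok, forged_ok)."""
    naive = NaiveServer()
    victim = naive.register()
    # Attacker learned `victim` from an unencrypted analytics request; that suffices.
    naive_hijacked = naive.post(victim, "posted by attacker")

    srv = SignedServer()
    uid, secret = srv.register()
    req = sign_request(uid, secret, "hello from my phone")
    legit_ok = srv.post(*req)
    replay_ok = srv.post(*req)  # same nonce replayed: rejected
    # Attacker knows uid but not the device secret, so signs with a guess.
    forged_ok = srv.post(*sign_request(uid, b"\x00" * 32, "posted by attacker"))
    return naive_hijacked, legit_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

This only closes the network-observation hole: a secret stored on a rooted phone can still be pulled off the device, and the cleartext third-party traffic that leaked the ID in the first place should be fixed on its own (TLS for every outbound connection, and no account identifiers in analytics payloads), not just made harmless.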

Until recently, Yik Yak had been the bastard child of the Secret-Whisper triangle, largely forgotten by Silicon Valley. But with its star on the rise, its days of anonymity are over. Its systems are now under scrutiny from investors, press, and hackers alike.

Target confirms PIN data was stolen in mega-breach

The massive Black Friday data breach that caused Target(s tgt) to keep call centers open on Christmas to support the 40 million customers affected might not be over just yet. CNNMoney has announced via Twitter that debit card PIN data was also stolen in the attack. This means that customers who purchased items in Target stores between November 27 and December 15 could have their entire bank accounts compromised, not just debit/credit transactions. It’s not the news Target customers want to hear, but it does show how deep this breach really goes.

iCloud breach highlights some hard truths about the consumer cloud

The hard truth for consumers is that using cloud services means they’re often at the mercy of their cloud providers’ security practices, perhaps even their HR practices. However, unless they’re willing to abstain from the cloud altogether, trusting their providers is often all consumers can do.