Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  December 17, 2013 2:00am-4:01am EST

2:00 am
data points about someone all at once, it is easier to monetize that. to what extent can you drive up the cost of that. besides, if we assume that data breaches are still going to happen at some level, what is the next step in to try to increase the cost of actually getting the money out of the data you have acquired? >> i'm going to speak for my law enforcement background here and not necessarily from the verizon brand. what is interesting about the evolution of the infrastructure is that it is built upon a certain mindset. that mindset has been embedded within that culture for well over a decade. in order to operate within that environment you have to have certain skills, you have to have a certain respect for the community, if you will. it polices itself. as that evolution and mindset has been permeated, it is not a
2:01 am
large group of individuals. we are not fighting, at least that are affecting the payment system when we talk about identity theft, it is a very small number. it is not a large group of individuals. it is those that have honed their skills. >> can you give a number on that? >> i would like to not. because i don't want to give any kind of indication to the criminal. at the end of the day i would say it is less than a few thousand, if you will. but that is important to understand because i can his team and law enforcement are having successes every year, we focus on -- but i think we understand the importance of that one or two arrests a year of that high-level criminal because we don't truly understand what it means. and we look at data breach statistics i could map from 2008 until now changes in the statistics and the methods of the bad guy and how they have to attack organizations and their shifts and the cat and mouse
2:02 am
game every year in the data breach report that we produced. there are statistical changes of how bad guys are having to go after the data they want based upon those arrests. i think that is an important part. even though statistically there are things that are occurring year-over-year as far as security organizations, their weaknesses and vulnerabilities that exist, the bad guy still has to find different ways and we see this changes year-over- year in the statistics. click so i guess to get back to the economic angle there's a , i guess certain amount of competition in the market. maybe that explains the cost -- >> they are about renewable process and return on their investment just like any other business. if they find a vulnerability they can leverage that vulnerability across a specific sector or a piece of software. >> and is on to the next thing. >> just to jump in this is an , embarrassing story. on one of the first talks i gave after my phd i started to make the case that cyber crime isn't a law enforcement issue.
2:03 am
i gave it at an interpol conference so it didn't go over very well. i got a good education shortly thereafter. i think there are some things we can look at. we are seeing a change in the as things evolve, curve of what the loss is. for example, for payment card fraud, a lot more people are getting notifications because there are a lot more cards out there. when you talk to the processors a lot of those are test cases. they're trying to find out is this a good card and that triggers an alert and once you get a phone call from your credit card company you're going to say yes when javelin calls you. so we need to understand the when we are talking about the data when we are talking about the and the different types. similarly organizations, banks , have been interested in understanding the value of their own internal credentials, protecting their brands against phishing, they go after phishing websites that are their brands. but it wasn't until recently
2:04 am
that the banks are going after money mule sites, huge network of websites that are trying to recruit individuals to act as patsies. these are the runners that we talked about. the banks have said hey, this affects our business we have to go after this as well. i think it is important to draw a distinction between how you raise the cost of the payment card sector versus the broader more complicated frauds that do require the sophistication that andy talked about. >> so this question is for zach. in july the u.s. attorney's office in new jersey announced biggest data bus in history involving the theft of more than 160 million credit card numbers, which statistically some of you must have been the victim of that. hundreds of millions of dollars in losses. was this is a big difference in the scale of what they're doing? >> the short answer is yes.
2:05 am
it goes back to something that andy said earlier which is that the population of people who are really sophisticated is shockingly small. i think there's a perception out there that every other eastern european teenager in a sweatshirt is able to pull data out of the cloud and essentially terrorize americans and western europeans. it is not the case. if you really want to engage in this kind of high-level long- term activity, it is extremely difficult. you need a tremendous amount of skills, but even more importantly you need a group of people who have a division of labor. what separated this crew out from your run-of-the-mill group are a few things.
2:06 am
the biggest thing was patience. these guys were willing to wait for six months or a year after infiltrating to hang out essentially in the systems and exfiltrate any data so that the systems would not necessarily see brand-new code and then immediate exfiltration and look to see once the change, what took place just now that allowed the exfiltration? so they waited. if you are desperate for cash and only looking for a quick hit, you're not going to take that time. the first difference between these guys and almost anybody else was that they're willing to wait, they're willing to be patient. second, they had this division of labor where they had specific people who were skilled at the initial hack.
2:07 am
then there were people who were skilled at exfiltration and finally there are people who are skilled at monetization. most groups, most gangs don't have that kind of really specific division of labor. the other thing that should be pointed out is that the case we announced in july was really a continuation of the albert gonzalez case. albert gonzalez case was an amazing case for a number of reasons and andy worked on it. i was still in high school, i think. [laughter] it was amazing for one reason -- it was an amazing case that resulted in the longest sentence in cyber history. albert gonzalez is serving 20 years right now. it was amazing for one reason
2:08 am
that robert gonzalez was caught initially. he flipped and began cooperating at a very high level and at the same time that he was cooperating at a high-level on the one hand he was hacking at an extremely high level on the other hand simultaneously. he is quite a character. he was caught again and his arrest really spurred on this heartland case which was still producing results as of july of this year. andy can probably give more details on exactly how the case went down. >> this next question is something we've gotten familiar with in my home. if you have a credit card long enough you will get a nice letter notifying you that there has been a data breach and you should check your credit report, inform your bank, change your passwords.
2:09 am
i think i got two of those a few years back. do any of the steps that are recommended in those letters, do they actually do anything? i have to say i don't know that we actually did any extra checking of credit reports. our finances seem normal, from then on it seems like nothing happened. is that advice constructive? >> personally i think the answer is yes. i think that anything you do helps. there are real-world analogies that work. so thieves are looking for soft targets on the subway, soft targets if they're burglarizing houses and they're looking for soft targets if they are engaging in identity theft in data breaches. if you change your passwords on a regular basis, if you use longer passwords, if you use to -- 2-step up education, any of
2:10 am
those things are going to put you ahead of 99.9% of the population. nothing is going to stop the most sophisticated person perhaps from obtaining your data, but if you get to the next step and it is time for monetization and your information is a little more difficult to obtain why would , they spend the time if you're just a regular person, to obtain it as opposed to going down the line and finding the person whose password is 1234? which is not a good idea. so all those things work. longer passwords, changing your password, the head of the fbi's cyber unit in new jersey had the -- a very cheap idea that would be extremely useful and extremely effective. he said anybody can go out these days and buy a laptop or desktop
2:11 am
for 300 bucks. you buy a laptop for 300 bucks, you set it up in your house and the only thing you do on the computer is your online banking. the only thing. you don't check "the new york anything your gmail or you turn the computer off and . you're not using it. that would make your bank information a lot more secure. i would say -- >> i would say get a linux cd and do your banking off that and you don't even need to get an extra computer. >> sure. does that make you 100% secure? no. >> because the bank would have a data breach. >> yeah, but does that make you a heck of a lot more secure than anybody else? absolutely. there are the steps that you can take and the answer for each one of them is yes. >> i would agree with the fact that it is valuable. we all play a role in protecting data and if you look at this on a broader level, all this revolves around the active
2:12 am
criminal. anything that we can do, a dash to protect ourselves, right? and also give some sort of assistant to law enforcement and their efforts to try to combat this crime and these threats. every major data breach that we read about in the news that resulted in identity theft leads back to the street on some level. if you report something that happens to you, then law force -- then law enforcement can take action, and eventually that all adds up to give law enforcement more information and leads to work off of. albert gonzalez's original arrest was at an atm in new jersey or new york. everything goes back to the street. i think we forget because it is hard to demystify ciber. it is hard to put a face to cyber. it is being conducted by real humans with real skills and they all live and walk. they could be anywhere at any time. i think it is important that we look at this -- those steps are reactive steps. if we can take the steps
2:13 am
proactively, that make it was much more of a fighting chance -- that may give us as individuals and certainly organizations around the world are now at a point where they are doing the same for themselves. they realize that the results of their security and the other efforts at the put in to this are now -- they affect the livelihoods of others and they are taking security very seriously around the world. hart has done some interesting >> next question is to abigail. research. two numbers. only 11% of teens say they felt you found that personally vulnerable to identity theft and only 20% of teens say they had posted all of the following -- whole name, date of birth, self- portraits, name of their school and e-mail address. do you think they are more or less vulnerable to id theft than in the past? >> the gentlemen here would know more in terms of the law enforcement side and the technology side but in terms of the behaviors and what teens say they are doing, i think just the virtue of the fact that they are
2:14 am
so many more platforms are using and so many opportunities for them to be sharing information about themselves and they are doing so would suggest to me that the threat to -- that the threats are greater than they were in the past. interestingly, teens -- the issue of identity theft is on the radar. people have talked to them about it, the idea that the security of the personal information is something that they are cognizant of and that they say is a concern for them, but there is a disconnect because they are teenagers. they don't see that they have anything worth stealing. they don't personally feel vulnerable. they make a distinction between themselves and their parents and recognize that when someone is an adult they perhaps to have something that can be stolen and they mostly focus on credit card fraud, the idea of credit or a credit history is not something that teens really are aware of much less even in focus groups we did we try to talk about that a little bit and it just kind of
2:15 am
goes over the head. it is more concrete for them if you have a credit card and some one can steal that number and you are on the hook for whatever they have charged, that is more concrete. i do think that there is an awareness there and the question is, the ftc's report showed that 18 to 29-year-old people where particularly the prevalence of identity theft was higher there and these folks may know more about this figures, the question i would have is there is an awareness there but they don't feel vulnerable now but there's clearly room to educate kids and parents about what teenagers can do. there are some things they are doing. for instance, using a variety of passwords. about 54% of teens say yes they do that. on is the most helpful thing the other hand, they recognize that is the most helpful thing they could do to protect their information. there are a lot of them that are
2:16 am
doing it. the focus groups say still not doing it. the focus groups say that is complicated and burdensome and the idea of a dual authentication -- what, i logged onto facebook 20 times a day and i have to do that every time? there is this convenience factor which overrides any particular personal vulnerability they feel. i do think there's a question of buti do think there's a question of are they going to age into adulthood when they go on to college and out into the real world and start to take out loans for their education or credit cards. are they going to bring an awareness of the issue that i don't think was there as much for previous generations. whether they take the steps to protect their information as needed in a more comprehensive and complete way will remain to be seen. i think the threat is greater now, but there is an opportunity because they seem more aware of it and they recognize that once they become adults, once again a -- once they get a credit card, for instance, then they are
2:17 am
particularly vulnerable. will that play out in terms of their actual behaviors. >> to avoid having to seem like a what is wrong with kids these days, i might as well share this anecdote from i own past. -- from my own past when i was a . college student, the laws in the district of columbia were looser. i made a fake id based on my college id and my college id had my social security number on it. this was 1989, which is then put on a fake id, too. because sure, why not. i think today's kids are little smarter than i was. >> could i just paid you back off of one thing? this is above my pay grade, but as a federal employee, most things are. look, the harsh reality if you want to call it harsh is that security and convenience are in constant tension. and we recognize that. corporations need to recognize that because there are sometimes that corporations perhaps make it easier to access your data
2:18 am
than it should be based upon their understanding and their history. they want to provide their customers with the most convenient and best possible interface they can. they're afraid that if there -- if their services are harder to use than their competitors, then people will migrate to their competitors. but we are all responsible. everybody is responsible for taking the steps that they can to make themselves more secure. who wants to change a password every two weeks? the dual to do identification? but we should at least recognize it is a pain, that as a starting point that these two things are in tension with one another. >> i think if they recognize the personal vulnerability more, that tension would be greater
2:19 am
and they might have a harder time always going down the road of convenience. one thing that is interesting, we did ask kids if their social security number is available online. 75% or more said what their name was other school memoirs. but only two or four percent said that the social security number was. in this focus we said, kids clearly have been told not to carry the card with you and never give the number out. i think it is also worth noting that they don't know their social security numbers so it is not something they're going to share off the top of the head. they have heard this message and that is something that they don't really understand why it is important, but they recognize it but telling them that is something you shouldn't share with anyone. >> if i could add one last thing, i think it is important as we talk about vulnerability,
2:20 am
it comes down to the motivation of the attacker. certainly the more data we put out, whether you are an adult or teenager, we don't all know where that data goes, right? it does come down to some extent to what the attacker wants. >> the next question may speak to that. this one is to allen. he did a paper in 2011 on identity and consumer trust suggesting that what is under threat is not credentials but the whole identity layer of the internet. this is never part of the original architecture but it throughorganically linkedin, facebook, foursquare, whatever. how well can you protect your identity while documenting yourself through these different portals? >> this is why i hate the term identity theft. steal abigail's water bottle, we as a society
2:21 am
have two things. heray alan if you steal water bottle we're going to find a piece of your anatomy and chop it off. but we also say abigail why did you leave your water bottle next to this guy who looks like alan. come on. thattuitively understand we have a responsibility to mitigate theft. it can't all be law enforcement. don't park in that neighborhood, lock your doors, have insurance. these are all things we intuitively understand as part of the theft model. is what we are talking about more of the case of me going to can't have myg water bottle please? here's my is this card. -- here is my business card. if you want to stop me you can go after me with a big knife or
2:22 am
what can we do to empower andy to make better decisions about whether or not the person claiming to be abigail is abigail. there are a couple of implications for that. one is to compare the payment andstries response to fraud the broader response to fraud or the more complicated frauds. we have consumer protection laws that were fought against by the early credit card companies. now they turn out to be their best friend because consumers weren't afraid to adopt credit cards in america. now it is inconvenient. we have to go back and said did make a purchase but most of the responsibility rests on the banks who are in the decision to align responsibility. question of opening up new lines of credit or
2:23 am
obtaining access to goods and services which require things like social security numbers for mother information, which by the way, if i see your social security number i can tell when and where you were born. why isn't anyone looking and saying hey that person as a teenager they can't possibly have a mortgage with that number. we need to figure out how we put these protections in at the decision-making process. unfortunately, there is a financial conflict of interest. these same people who are responsible for making the decisions about how and when to grant credit are also -- also have a vested economic interest in ensuring a consistent availability of their services to make that decision. you have people proposing that maybe teenagers should have a lock on their ability to take out a large line of credit.
2:24 am
that seems like a no-brainer. using the nudge-based regulation saying let's make it harder for everyone to get a line of credit. be harder to get, so we are raising the cost to the attacker. fraudal risk is when does get high enough? when our criminals getting systematic enough that they are actually going to rake the authentication systems that we use now? that is username and password right now. when the back and fraud protection fails to keep up, you are going to have decision- makers who are going to say , whenhere is my progress that -- when that fraud rate gets too high, as a society we will lose some very important infrastructure that has made a lot of things cheaper and easier. -- a fewext question
2:25 am
years ago the advice you get was requestreotypical i.t. that you blog with a different password and change your password every two weeks. case? think that is the if it is not, what else is going to take to ensure that it is not so simple to take over my account and act as may? >> i can take a stab at that. 76% of all data breaches that we , the attacker leveraged weak or stolen credentials. to factor identification solves that statistic. that would be one mitigating employ thatou can come all a
2:26 am
thisctor technique. points back to how i can become you without interacting with you. 95% of all state-sponsored acts had a statestigated affiliation. leveraged fishing. thatrtnered with a company contributed to our report last year and they found -- what they do is fishing education -- phishing education. in reality, an attacker really only
2:27 am
need to send you or your organization seven to eight e- mails to have a very high success rate. we start talking about return on their investments for them and knowing that the lack of two authentication continues to work, we need to employ some strategy that helps them change that behavior. >> i'm looking through the apps anmy phone and i have authenticator which works great for my google account and wordpress blog. i have it turned on for facebook and twitter. my bank will send me a code if it sees me login from an unusual place. the problem is when i don't have that option. i may fire those customer -- i am afios customer. does verizon have a department
2:28 am
you hope that the provider has a data about you offers it or will offer it sometime soon. knowing a lot about the burden involved in setting this up internally. you think this is going to be a commonplace thing right after you set your username and password, give us your mobile phone number so we can have that? as a companywe take great strides in security efforts to protect our consumer data and the privacy of our customers a that. -- our customer's eta. we take a look at what is happening in the threat landscape, what is failing around the world and how we can offer solutions to mitigate that. is workthe things we do on developing stronger authentication infrastructure. strategies to of
2:29 am
our mobile device. that is an important problem that we are committed to solving. stud to step authentication -- i have to enter the code. facebook will only ask me to submit the code if it is a strange block from a new computer. for that to work, these companies need to know a lot about you, same as your credit card company knows about where you stand. are we as a society ready to put that trust and say yes you should be peaking at what i'm doing all the time so you know when something, a login that is supposed to meet me is probably to be meat is supposed is probably not. example say that for
2:30 am
the steps that banks take when you apply for a credit card online. i'm sure you know and some of you don't come if you apply online, the bank places a cookie on the machine that applied for that credit card online. now, it is on a case a charge case, an indicted case. we took down about 25 people in new jersey and new york and pennsylvania, mostly around the northeast, who had applied for tens of thousands of fraudulent credit cards. this is one of the -- this is not a tremendously sophisticated fraud. they had a huge network, dozens or hundreds of people working for them and they would apply for credit cards online, receive
2:31 am
-- trekked credit cards to address his geneticist they controlled, have runners go out, click credit cards, use them for really decent. of time, elliptic credit slowly .- held up the credit slowly a tremendous amount of the evidence that we have been able to obtain is to say from this that 44 credit cards were applied for from the single machine. that is extremely helpful to the eventual prosecution. we query wire was on the 43rd of fourth application from the same anhine there wasn't automatic rejection. maybe the bank that it was a start up founder and is trying >> the same applies in
2:32 am
stolen identity refund fraud. either no if you know about that, but this is something that affects all of us directly because it is money that is stolen directly from the u.s. treasury. stolen identity refund fraud is the theft of real people social security numbers and the filing of tax returns using the social security number of real people. the thieves direct -- they fill out tax returns that indicate that the applicant is due a refund. they direct the refund checks to addresses a control, again runners got collect the checks and deposit them into accounts that the thieves control and spend the money. you might be shocked to hear that stolen identity refund fraud cost united states treasury $2 billion a year, every year.
2:33 am
to me, that was a shocking amount. a lot of the stolen identity refund fraud is centered on puerto rican citizens because they have social security numbers but they're not required dofile 1040s unless they work in the continental united states. you have big pool of sources. members that will not already have a 1040s filed. ring in a case that i worked on with about 14 arrests and about $65 million in real losses to the united states treasury. that -- again, the irs knows where the online tax refund applications -- sorry, are being filed
2:34 am
from. they can tell you that 56 1040s were filed from the same computer. we had one in the bronx that have filed hundreds of tax refund applications. that thereu can tell are hundreds of applications being filed from a computer, why would you accept anything beyond the first? if you want to say tol, h and r block is going file hundreds of applications from one computer, then fine, all text repairs should have to register with the irs and say that this ip is -- i think that this is all a continuum. corporations and the government, we are moving towards greater security and it is the cat and mouse game referred to before, but lots of steps can be taken that would make us more secure and make it a lot more difficult , thenetize, i think
2:35 am
fraudulent information. >> indifference between public and private responses to id theft is something we talked about. it does seem that if you compare the loss prevention routine that -- youcard issuers wonder if the irs is as good at catching fraud as american express. what would we have? to what extent could you improve that given that more effective irs enforcement gets people upset a little bit? >> that is exactly right. issue. it wasces said earlier to really effectively monetize ace surface identity refund scheme. people have to really need to work together. you need crooked postal workers.
2:36 am
the postall see is service is beginning to track this stuff. you will see that 700 tax refund checks fought gently obtained are delivered along the same mail route. so what does that mean? reactiveis stuff is so because we first see that, then you have to start at the bottom with a mail carrier. you try to arrest a mail carrier and flip the mail carrier and then you get to the next up and the next up. the people at the top of the pyramid are really sophisticated. but you have to get to all the other layers -- >> assist starting to sound like an episode of the wire. >> yeah, it is hard. our case was a great case. not to take too much credit, but it was a $65 million case. 2 billionm is a
2:37 am
dollar problem. people like me who are on the line are not going to be the ones who will solve that problem systematically. that is the reality of the situation. >> one of the reasons why we do the data breach report is that most organizations are protecting themselves in their it. we try to bring in evidence- based risk approach to the problem. it is hard for individuals to understand until they understand what reality is. we have the true knowledge of the problem in the threat landscape and it is important to understand our attacker. in the effort of attribution, law enforcement gives us methodologies and things like that that help us understand and demystify the threat. but as security professionals we have to look at what are the products that we sell, what are the methods we use and what folder abilities are we creating ? all of us have to take ownership in understanding what folder abilities we introduce, what is a threat landscape and how does
2:38 am
that landscape apply back to our self? constantly going through that process. on an individual basis, as an organization, if you develop software applications, if you protect fortune 500 security determiners, whatever that might be heard >> the next question governs the study the federal government did in 2007. which if any have you seen as being most effective in lowering identity theft rates? i like the red flag rules which grew out of this. it basically is a lightweight approach to regulation. it doesn't prescribe particular processes. it also doesn't prescribe -- you have to hire a consultant to give you a process which is the
2:39 am
starting smile. arbanesh is the sergey model. set ofe to have a plan something bad happens to your organization we are going to come and look to make sure you actually did have a plan and were looking for bad news. that is a very nice lightweight model of the government identifying risks without being overly prescriptive in a way because information systems vary so much across companies. you can have a one-size-fits-all model. >> abigail? >> i think it comes to as we evolve and look at the landscape and it is constantly changing.
2:40 am
with the changing model being able to point to yourself third i tried to tell organizations that your best intelligence -- a lot of the threats and things that happen on the street happen to us that we don't know about. are forthe efforts here us to look at ourselves and internally. if you look at data breach notifications, 86% of all victims were notified by somebody else. part.k that is important with the reflect portion, that is a big part. understanding the landscape outside of us and pushing it act in. >> i will say that the recommendation i liked was don't use social security numbers so often. i had to
2:41 am
provide my whole ssn very sometimes you can't get around it. >> there is an important tong -- an important point make with regard to how we build systems. a social security numbers absolutely critical. we need them in the have to use them. but we have to treat them as an identifier. you know me as alan friedman. that is not a secret. the distinction is that we have also decided to say well, it is also an authenticator. we use the same thing as an identifier, how the computer looks you up in the system and there's only one you. we also say we assume you're the only one who uses it and therefore use it as an authenticator. that is the real danger of where we switched and in fact if you plot your sources a your card number, your card, it says on for not for use
2:42 am
identification purposes. we have decided to do that, but we also need further layers in the authentication system to help provide that support. study, yoursting sources security numbers were predictable. it is a function of where and when you're born, the first five digits. there is a wonderful study that basically went from taking a picture of you to actually been 60 to 70%ess was accuracy the first five digits of you so security number by ,oing facial recognition mapping it to online social network profiles. if you are hometown and birthday, then you have got a .ood chance at guessing that demonstrates how we can't assume that the data we have is private anymore.
2:43 am
>> numb thinking of what a clear picture of my face at posted on linkedin and twitter. all of us here. so much as change in terms of ways of finding information about people and dated collected on our purchases and activities online, if we invited for identity thieves, i did check your licenses you could be identity thieves, what would they say are the biggest changes they have seen in their own business model, how they go about their work such as it is? >> i would say that i want to look for centralized data storage. i want to be able to leverage and get more return on my investment. i'm going to focus on the easy prey, but today i still have to have an extra in those
2:44 am
relationships with large-scale infrastructure providers in the underground to help facilitate my criminal activity. >> like foolproof hosting and what not? >> i have to navigate the landscape within the underground . i am going to be completely cognizant of the relationships i maintain and i will continue to do research on organizations that do research. i may have very sophisticated means, by a m naik and share them with you fight on have to because i can save those tools in my toolbox and arsenal for a later date when i needed. when i come up against a security team is more secure and defense adept. >> abigail? >> i don't know enough about the backend of it, but in terms of
2:45 am
the many opportunities that people have to share that information and are encouraged to do so and can provide them a lot of value, it seems that there is more and more that is , there's a lot more you can land upon i would think. i don't know the backend. >> it does point to the whole challenge question method of -- you can research a lot of that stuff pretty easily. allan? >> we not giant password files. you can actually run all of the password set of ever been used for zappa was. at the garden-variety retail local level where you see a more insidious crime, there have been two things that have changed.
2:46 am
one, fake ids have become a global business, predominantly driven by american university , see you can get large amounts of very good quality ideas instead of having to rely on one guy in a basement, there's someone with a plant in china who will make them for you. also, there is anecdotal evidence of successful criminals using some of the defenses that we have set up as an autoimmune attack. if you are a clever criminal who is trying to really exploit a small number of people's game, you for large will start affirmatively mr. orng that the real mrs. is the identity thief and in timel come up things and give you more time to extract value and get away. >> here are a couple things that are interesting.
2:47 am
first, i think that just in the last five years at the federal level there is a lot more federal law enforcement attention in. -- attention being paid to cyber. the secret service has a long- standing dedication to it. all the other agencies that we deal with are now much more cyber aware and are setting up more squads to do cyber. that would make me nervous as an identity thief. what would make me happier is that obviously there has been an explosion and this will continue. there has been an explosion in the amount of data that exists. that is going to continue, perhaps geometrically perhaps not heard certainly there'll be more data online tomorrow than there is today. it is an obvious point. is going to continue.
2:48 am
one thing that is interesting to me and the folks i work with is seems as though there is less of the sort of original hacker mentality among cyber beeves, whereas it used to that the thrill of the chase was of a shared use tho ethos that it did to get in and show your skills improve yourself to the community are in. let's not fool ourselves, these folks aren't communities. they know about one another. it is a much more tightknit community than you might think, at least at higher levels. it used to be that you get in,
2:49 am
get out, demonstrate that you could ask filter data, but i don't think it was as organized monetizingcation to reaches as there is now. unfortunately cyber criminals have become more professional. i think that is a trend we have been trying to deal with and will continue to, because it has gotten away from the -- at enough it ever was an idealistic group, but certainly there is more dedication to getting paid than there used to be. capitalist. good >> effected at a couple of things to this. as we talk about the landscape from the criminal's perspective, the russian government has come out recently and has publicly stated that if you are a russian cyber criminal and you're outside -- and you are
2:50 am
hacking outside of russia, you should not travel. that is something that is been publicly put up a russian government. they're saying hey the law enforcement around the world is working together. goes forhe same security organizations around the world heard companies in the financial sector are realizing we can't fight these adversaries on our own anymore. .o that is an important part as a bad guy i was all say to the group that i really focus and a study the regulatory environment globally. i change my operations based on the regulatory requirements of .ertain countries i tracked iressa bad guys around the world that i understand how they are arrested so i can understand how law enforcement is doing what they do around the world. i think that is an important part right there. there are students of their craft further honing their skills based upon lessons
2:51 am
learned by those who fail. do withto the way we the data breach report. want to share those lessons because you don't know. there will be skepticism around how they may have been arrested but until they read an affidavit that is publicly available or they have talked to another cyber criminal in a conversation, they are not truly going to know. that information travels very quickly amongst the underground. they communicate in a manner that is much more effective and most teamshan communicate in the private sector. >> there has been a lot of chatter about real names policies at places like andbook, google plus certainly when i first got online there's no such thing. your aol account to be whatever. your compuserve user name wasn't even your choice, it was a random string of numbers.
2:52 am
now it is much easier to just give out who exactly is your talking to. particularlyom you him abigail. how our average consumers dealing with the fact that they are making it easier for people to figure out who they are irl while still online and still interact with all these interesting sites and services that were not an option back in the day? say they areainly using their privacy settings and are aware of them, but there are 10% todayaren't and use privacy settings under accounts. the majority said that they had them on all their accounts, but there is certainly room there to increase usage of the settings among teens. are made aware of those and are doing other things in terms various passwords and
2:53 am
of writer passwords as i mentioned before. did a survey of parents and teens, parents have a bit of a disconnect. parents and they know more about what 13's are doing then the teens say they know. parents are using parental controls. they had a majority, but there is room for that. parents are only concerned about identity theft but particularly about stranger danger and the personal safety of their kids. a lot of the delays at their monitoring relate to that in onto theirgging children's accounts, looking at the browser history and other things. the parentsy, actually underestimated teens concern about identity theft. they cut their teens agree more concerned about reputational damage if someone posts a picture of them they didn't like or said something about them that they didn't like.
2:54 am
clearly parents radar and they recognize their kids are focused on it, but they may not understand or agree it to the degree the children are aware. the challenger highlighting is that they are encouraged to give a lot of information and have a balanced what is a and what is part of the experience versus maintaining the privacy of their information. just conversations in the service we have done would suggest that there are some challenges they are having in navigating that. there is always a clear -- a social security number is a clear red line. i think they don't necessarily think about the web of information that could be available, particularly across platforms. if we had done a survey of the identity thieves themselves, and have learned a lot about how they use that word but you guys obviously no one more about that.
2:55 am
so tumbler, for example. the tumbler community is very active and popular particularly among counterculture and minority groups, is popular and ofbased on a culture pseudonymity, a reverse of what people are doing. twitter is seen as a private network, limited and very actively controlled drive c settings heard whereas facebook is seen as a popular global everyone you have ever met gets on facebook. the fascinating studies i've seen on teens show that they really do care
2:56 am
about privacy. they care passionately about privacy, for a teenager, privacy is about hiding information from the parents. so that is the main issue and it is a question of control. , the most dangerous thing that i have seen in terms of security behavior is password sharing is seen as a sign of intimacy. that 2/10-t you know graders care about each other is that they share their passwords. that is a very dangerous habit. one hopes that like many of the things we do and we are teenagers it is grown out of. teens, itsurvey of says that they have shared their password with someone other than the parent. behaviors that might not be protecting that identity. tonow it is your opportunity
2:57 am
quiz these fine folks. somewhere out there is someone with a microphone. please raise your hand and it will be -- a microphone will make its way to you. >> high, susan grant, consumer federation of america. if breaches are the main source of identity theft and fraud these days, should there be a breacht says that entities have to pay damages to preach victims automatically? actual a set amount or damages, whichever is greater as incentivize holders of data to secure better? >> there's certainly a whole market emerging around cybersecurity liability insurance very as i continue to
2:58 am
mature and grow, not to push liability on one arty or another, organizations are looking at what my liability is bewhat i'm going to responsible for based on the set of circumstances i deal with. you will see that market continue to evolve over time. i know the government is doing a lot of work and research on that. ,> on the question of this every year, every security company sells what they were selling last year but now protects you against a different thread. three years ago it was due to loss prevention. i think there is an active set of incentives for organizations to minimize data breach. it is the only area where we are seeing cyber insurance actually thriving where companies are understanding what their exposure is. there's a very real consequence. rich notification is not free.
2:59 am
-- breach notification is not free. counsel get the attention of senior management to invest in mitigation and insurance. the real challenge is creating an environment where you have insurance, not just pushing the risk onto another party, but actually internalizing that the insurers are in turn working with companies to minimize the overall ability of loss. i don't -- >> i don't want to advocate one way or the other, but one thing i think we should consider, if we were thinking but a law like that is who it might impact the most, because we c.l. otter breaches that are not against a verizon or not against and at&t, companies that have tremendous amounts of resources dedicated to breach prevention, but some of the most effective breaches we have seen now and a growing trend are
3:00 am
attacks against point-of-sale terminals for very small businesses. restaurantchinese has a credit card terminal. there's information stored on those and when that is breached it is not as though this chinese restaurant has a tremendous amount of excess cash to be able to try to mitigate those risks. if there was automatic liability, you might be hurting the little guy a lot more than -- you might miss incentivize him.
3:01 am
3:02 am
3:03 am
3:04 am
3:05 am
3:06 am
3:07 am
3:08 am
3:09 am
3:10 am
3:11 am
3:12 am
3:13 am
3:14 am
3:15 am
3:16 am
3:17 am
3:18 am
3:19 am
3:20 am
3:21 am
3:22 am
3:23 am
3:24 am
3:25 am
3:26 am
3:27 am
3:28 am
3:29 am
3:30 am
3:31 am
3:32 am
3:33 am
3:34 am
3:35 am
3:36 am
3:37 am
3:38 am
3:39 am
3:40 am
3:41 am
3:42 am
3:43 am
3:44 am
3:45 am
3:46 am
3:47 am
3:48 am
3:49 am
3:50 am
3:51 am
3:52 am
3:53 am
3:54 am
3:55 am
3:56 am
3:57 am
3:58 am
3:59 am
4:00 am