Showing posts with label Data Loss.

Monday, October 3, 2011

HTC Android Phones Leak Private User Data

Via Threatpost.com -

There is a serious security issue with a variety of HTC Android phones that enables any app with Internet permissions to access a huge amount of private data on the device, including call logs, email addresses, SMS messages, last known GPS location and more. The problem was introduced via an update to the HTC phones that installed a tool called HTCLogger that collects the data.

The issue was discovered late last week and researchers developed a proof-of-concept app that shows how much data any arbitrary app can access on the affected devices, which include the EVO 4G, EVO3D, Thunderbolt and others. The leak of what should be private data is enabled by the presence of the HTCLogger tool, according to a report on the Android Police site, and any app installed on an affected device that has Internet permissions can then access the data cache via a local port. Many Android apps have the android.permission.INTERNET permission by default.

[...]

HTC did not immediately respond to a request for comment on the issue.

The list of functions and information that the HTCLogger app can access is long, and includes both coarse and fine location data, network information, IP address, WiFi state, detailed data on the OS version and kernel, account information on the device, system logs and other data. The HTC tool was apparently meant as a way for developers to get detailed information about what is causing problems on a device. However, as the Android Police research shows, that data also can be accessed by a long list of other apps and used for other purposes.

The problem only affects HTC Android phones with the stock Sense firmware installed. Users who have rooted their phones may be able to delete the logging tool themselves. The file is located at /system/app/HtcLoggers.apk, according to the Android Police report.


-------------------------------------------------------------------

It would seem that HTC totally screwed up and didn't consider the security impact of their new application development helper tool.

Friday, July 8, 2011

FBI: Employee Passed Chicago Mercantile Exchange Secrets to China

Via Threatpost.com -

A 10 year employee of CME Group in Chicago is alleged to have stolen trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange, according to a criminal complaint filed in U.S. District Court in Illinois.

The complaint, dated June 30, 2011 and signed by FBI Special Agent Joanne Cullinan, alleges that Chunlai Yang, 49, downloaded "thousands of files" containing "source code and proprietary algorithms" used by CME to run its trading systems. The files were downloaded from a company-owned source code repository maintained by CME to Yang's work computer, then copied to removable "thumb" drives. The complaint also cites personal e-mail correspondence between Yang and an official in China that contained proprietary CME information.

[...]

Yang was born and educated in China, but received his Ph.D. in physics in the U.S. and is a naturalized U.S. citizen. He had been working at CME since 2000.

[...]

Forensic analysis of his hard drive and active monitoring of his activities suggest that Yang was perusing CME's ClearCase source code repository for sensitive documents, then offloading them to portable media. The evidence against him includes screen captures showing Yang in the act of copying source code files to removable drives from his laptop.

Evidence presented in the complaint, including e-mail messages, suggests that Yang was preparing to leave CME and set up a new company, East China Technology Innovation Park Co. Ltd., in mainland China, with Yang and two other individuals listed as sole directors and shareholders. The purpose of the company, according to e-mail messages obtained by CME, was to increase the trading volume at the Zhangjiagang chemical electronic trading market and build a futures exchange using software provided by Yang's new company.

Wednesday, April 6, 2011

Mobile Apps Invading Your Privacy

Via Veracode ZeroDay Labs Blog -

An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smart phone application manufacturers for allegedly illegally obtaining and distributing personal private information to third party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device unique identifier off the device, while 47 transmitted the phone’s location. Five of the tested applications leaked personal information such as user gender and age.

Analysis

The folks at the Veracode research team decided to spend a bit of our time today breaking apart one of the accused applications to see what could be found within the code. Given what was written in the Journal article, we thought it would be most interesting to take an in-depth look through the Pandora application for the Android platform. A quote from the article states the following about the Pandora application:

"In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service."

[...]

Conclusion

So what does this mean to the end user? It means your personal information is being transmitted to advertising agencies in mass quantities. As more and more “free” applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms. The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.

Friday, October 22, 2010

Wikileaks Hacked By “Very Skilled” Attackers Prior To Iraq Doc Release

Via Forbes.com (Firewall Blog) -

Someone is trying to spring a leak in Wikileaks.

As the whistle-blower organization prepared earlier this week for a Saturday press conference that some believe will announce a major release of secret data regarding the Iraq war, a staffer wrote Wednesday on the organization’s twitter feed that its “communications infrastructure is currently under attack,” adding the cryptic message “Project BO move to coms channel S. Activate Reston5.”

A Wikileaks source who asks to remain anonymous now says that the organization’s XMPP server in Amsterdam, used to host its encrypted instant messaging communications, was compromised earlier this week by an unknown attacker, and the chat service had to be relocated to another server in Germany. “The server got attacked, hacked, and the private keys got out,” says the source. “We needed new private keys. Now it’s back online and secure.”

The source added that the attack represented the first breach in Wikileaks’ history, and that “the people who are behind it are very skilled,” declining to comment further on the details of the hack.

[...]

Aside from digital sabotage, the site has also faced financial sniping. Wikileaks had one of its accounts frozen by the donation-collecting company Moneybookers, and claims the freeze was a result of the organization being placed on a U.S. government watchlist and an Australian government blacklist.

For whatever reason, the organization’s administrators have their guard up. On Tuesday, the site’s twitter feed recommended that followers copy the encrypted “insurance” file that it posted to the site in July.

-------------------------------------------------------------------------------------------------------

WikiLeaks’ 400,000 Iraq War Documents Reveal Torture, Civilian Deaths
http://www.wired.com/threatlevel/2010/10/wikileaks-press/

WikiLeaks Show WMD Hunt Continued in Iraq – With Surprising Results
http://www.wired.com/dangerroom/2010/10/wikileaks-show-wmd-hunt-continued-in-iraq-with-surprising-results/

--------------------------------------------------------------------------------------------------------

For the Iraq War Logs, Wikileaks used a reverse approach to redaction (basically whitelisting). Everything in all reports was deemed harmful and redacted until proven otherwise, according to WikiLeaks' Kristinn Hrafnsson.

Tuesday, July 13, 2010

Thousands of Laptops Stolen During Nine-hour Heist

Via Yahoo News! (AP) -

Thousands of laptops have been stolen from the Florida office of a private contractor for the U.S. military's Special Operations Command.

Surveillance cameras caught up to seven people loading the computers into two trucks for nine hours.

U.S. Special Operations Command coordinates the activities of elite units from the Army, Navy, Air Force and Marines. A spokeswoman said Tuesday that none of the stolen laptops contained military information or software.

The Virginia-based company iGov was awarded a $450 million contract earlier this year to supply mobile technology services linking special operations troops worldwide. A company executive says iGov is cooperating with authorities and the March 6 break-in at its Tampa facility remains under investigation.

Wednesday, April 14, 2010

Brokerage Firm Fined $375,000 for Unsecured Data

Via Threat Level -

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme.

The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.

The Financial Industry Regulatory Authority, which announced the fine agreement on Monday, said although the attack activity was reflected in the brokerage’s server logs, administrators failed to examine those logs. The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen). The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.

The company discovered the breach only after receiving an extortion e-mail from one of the hackers on Jan. 16, 2008, which contained an attachment with the records of 20,000 customers as proof of the intrusion. DA Davidson contacted the Secret Service, and the subsequent investigation led to four suspects, three of whom are Latvian nationals, who were extradited from the Netherlands to face charges in Montana.

--------------------------------

More here.

Friday, March 12, 2010

GCHQ Loses Top Secret Laptops

Via The Register UK -

It is the secretive heart of government information security, dispensing advice and setting standards throughout officialdom, but GCHQ's "cavalier" in-house policies have come under fire in a report revealing it lost 35 laptops.

Three of the missing machines were certified to hold Top Secret material, according to the annual report of the Intelligence and Security Committee (ISC).

The losses date back to before 2005, and GCHQ said it now believes the resulting risk is low and it has no evidence that secret material was compromised. Seven out of 35 have since been recovered.

The losses are nevertheless likely to be viewed as very embarrassing at the intelligence agency's Cheltenham HQ. The ISC, a cross-party group of senior MPs that reports to the Prime Minister rather than Parliament, said processes for logging the allocation and location of laptops had been "haphazard" and "not sufficiently robust".

Iain Lobban, director of GCHQ since July 2008, admitted to the ISC that agency laptop policies were lax.

"Historically, we just checked them in and checked them out and updated the records when they went through our... laptop control process," he said.

"I think perhaps some people perhaps took slightly hasty decisions without due process."

Lobban said an internal review had resulted in new procedures that not only allocate laptops, but also annually audit their location.

-------------------------------

The Government Communications Headquarters (GCHQ) is a British intelligence agency responsible for providing signals intelligence (SIGINT) and information assurance to the UK government and armed forces.

Saturday, February 27, 2010

Wyndham Hotels Hacked Again

Via PCWorld.com -

Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.

The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.

"A hacker intruded on our systems and accessed customers information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."

Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe."

Wyndham did not say how many hotels were hacked or how many customers were affected. The company did not return messages seeking comment Friday.

This is the third data breach reported by Wyndham in the past year. Last February, Wyndham said that hackers stole tens of thousands of credit card numbers between July and August 2008.

In that case, criminals hacked into a Wyndham franchisee and then stole data from a central company server.

Wyndham, which operates Days Inn, Ramada and Super 8 motels, warned customers of a second breach in August 2009.

The company has not yet notified victims of this latest incident, but expects to begin doing so by the end of March, when it has concluded the investigation.

Wednesday, December 23, 2009

Paper-Based Breaches Just As Damaging

Via Darkreading.com -

IT tends to forget about things that aren't electronic. But you remember that stuff called paper, right? Have you considered that printed documents are just as damaging to a company's reputation should they get into the wrong hands as electronic data stored in an Excel spreadsheet or database server?

I'll be the first to admit I rarely think about paper. And I hardly ever think about printers unless it's during a penetration test and insecure printers on the network allow me to pivot and gain further access into a target's network. Lessons from my friends' stories about all of the information they've found during dumpster diving should be enough of a reminder, but it was a recent blog entry from Brian Krebs that really drove the point home.

"Paper-based Data Breaches on the Rise" is a great read and contains some surprising statistics. For example, "at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed, or improperly disposed of."

I would have never guessed the number of paper-based breaches to be that high, but, again, people simply don't think of data on paper being at risk like data on computers. But data on paper is just another form of data that needs to be protected by information security policies.

Note that I said "information security" and not "information technology security." That's because people get hung up on the technology part and forget they need to secure ALL information, not just what resides on servers, laptops, and smartphones. And it's not only IT people glossing over the threat of paper breaches: Turns out most state data breach laws focus only on electronic breaches, and so do federal breach notification measures that are in the works.

Securing sensitive information on paper is one of those issues that IT people don't consider because it's not electronic, and, well, paper just isn't sexy. Next time you're putting together plans for a penetration test, make sure you add to your list the tasks of finding unsecured filing cabinets full of sensitive information, dumpster diving, and reviewing print jobs -- I'm betting you'll be surprised at what you find.

Thursday, December 10, 2009

Verizon: Data Breaches Getting More Sophisticated

Via Wired.com -

Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.

“The attackers still usually get in the network through some relatively mundane attacks,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”

For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers countered with RAM scrapers that grab data during the few seconds it’s unencrypted and transactions are being authorized.

“A paper was published about the theoretical possibility of this about three years ago,” Baker said. “But 2008 was the first time we saw [the attacks] live and active. It is a fairly sophisticated attack to be able to grab data from memory.”

The attacks are detailed in a new report issued by Verizon’s RISK Team, which conducts forensic investigations for companies that experience a breach. The report supplements the company’s 2009 Data Breach Investigations report, released in April. That report also indicated that thieves were conducting “more targeted, cutting-edge, complex” attacks, but provided few details.

The supplement provides case studies, involving anonymous Verizon clients, that describe some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

In one case, for example, a simple SQL injection attack opened the door for intruders to breach the entire network of an unidentified consumer banking institution. Once inside, the attackers got into the hardware security modules (HSMs) for the bank’s ATM system, from which they were able to grab account numbers and PINs.

[...]

Another card processor was also breached through a SQL injection attack. In this case, the attackers installed “an extensive array” of packet sniffers on the processor’s network to map it out and locate card data. Then they installed keystroke loggers to record administrative passwords to get into the core payment system and installed other sniffers that siphoned millions of transaction records.

[...]

Another Verizon case involving POS systems affected a number of unrelated supermarkets across the country that were all breached through an attack originating from a single IP address in South Asia.

The attacker used legitimate credentials to gain access, but rather than having the same default credentials, the systems used different logins and passwords. Verizon discovered that the supermarkets had all hired the same third-party firm to manage their POS systems. It turned out that an attacker had hacked the firm and stolen its customer list, which identified the unencrypted log-in credentials the firm used to access the POS system at each supermarket.

Tuesday, November 24, 2009

Employees Willing To Steal Data

Via Dark Reading -

Employees know it's illegal to steal company data, but they're prepared to do it anyway. Companies know their employees are a chief threat to their data, but most aren't doing much about it.

These are the takeaways from two separate studies published today by security vendors Cyber-Ark and Actimize. Taken together, the studies paint a sobering picture of the state of trust and security within the corporate walls.

In its study, Cyber-Ark surveyed some 600 workers in the financial districts of New York and London and found that most workers are not shy about taking work home -- and keeping it for their own use.

Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they already have taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job.

Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them, Cyber-Ark says. Thirty-nine percent of people would download company/competitive information if they got wind that their job were at risk. A quarter of workers said the recession has made them feel less loyal toward their employers.

Of those who plan to take competitive or sensitive corporate data, 64 percent said they would do so "just in case" the data might prove useful or advantageous in the future. Twenty-seven percent said they would use the data to negotiate their new position, while 20 percent plan to use it as a tool in their new job.

Customer and contact lists were the top priority for employees to steal, registering 29 percent of the respondents. Plans and proposals were next (18 percent), with product information bringing up the rear (11 percent). Thirteen percent of savvy thieves said they would take access and password codes so they could get into the network once they've left the company and continue downloading information and accessing data.

Wednesday, November 4, 2009

Judge Penalizes Lawyer for Leaking Personal Data in Brief

Via The Register UK -

A judge has chastised a lawyer for including the social security numbers and birthdays of 179 individuals in an electronic court brief, ordering him to pay a $5,000 sanction and provide credit monitoring.

US District Judge Michael J. Davis said he was meting out the penalty under his "inherent power," meaning no one in the court case had filed a motion requesting he do so. In an order issued late last month, he said the move was designed to prevent attorney Vincent J. Moccio from repeating the carelessness again.

"The court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents," he wrote. "Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow federal and local rules."

Davis ordered Moccio to send the individuals a letter informing them that their private information had been made public and that unless they objected within seven days, they would automatically begin receiving a year's worth of credit monitoring services free of charge. He also ordered the attorney to pay $5,000 to a Saint Paul, Minnesota, food bank.

Moccio is scheduled to appear in court next October to report on the status of the credit reports.

------------------------

Well done Mr. Davis...well done.

Tuesday, October 27, 2009

Security Flaws Discovered In Calif. EDD Website

Via cbs5.com -

It's one of the most serious security breaches one computer expert has ever seen. CBS 5 Investigates has discovered a state-run web site may be putting hundreds of thousands of Californians at risk of identity theft.

It started off with a tip from a viewer, a local job seeker who noticed a computer glitch. Once CBS 5 started looking closer at the glitch, it was a gaping hole.

For laid off workers such as Tom Diederich of Pacifica, it's a requirement: To get unemployment benefits you have to post your resume on CalJOBS, the state's job site. "I filled out my employment history and I saved it," said Diederich, who bookmarked it for future reference.

But the next day when he clicked back in he said, "I saw someone else's information. I saw their name, where they live, their email, their phone number. I was shocked, really."

And the next time, again? "I got a different person's information," said Diederich. "There was probably about 5 or 6 different times that I have seen it. It was more frightening because I said 'Who's seeing my information?'"

So how big of a problem is that? Expert Pam Dixon with the World Privacy Forum said, "That is not okay!" Because she said resumes are a gold mine for criminals.

[...]

CBS 5 asked UC Berkeley computer science professor and privacy expert Doug Tygar to take a look at Diederich's problem. He said, "I consider that to be a serious security breach."

But it turns out, not the only one. Because just moments after beginning his examination of that website, using Diederich's web link, Tygar was able to get into the site, and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said.

All by just changing a few numbers in the URL. In fact, Tygar even found he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

Tygar said a hacker looking for identities to steal could have thousands of resumes at his disposal. "They are giving the information out to people who they shouldn't."

Sunday, October 18, 2009

PayChoice Suffers Another Data Breach

Via Security Fix -

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com -- the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll.

"After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday.

This week's attack appears to be the second stage of a sophisticated cyber assault launched last month against PayChoice customers. In that attack, hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The supposed plug-in offered in that e-mail was instead malicious software designed to steal the victim's user names and passwords.

The statement sent to customers Thursday said that in this week's attack the thieves appear to have stolen login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their onlineemployer.com password. PayChoice also said it has disabled the change password capability on the site until it can eliminate the vulnerability, and that it had modified all login IDs to prevent access to the site using potentially compromised credentials.

In response to questions, the company sent an e-mailed statement, attributed to PayChoice chief executive Robert Digby.

"On Thursday, PayChoice deployed additional security measures to protect client data after the company identified a key mechanism used by online attackers. PayChoice's Online Employer site was briefly taken off line after the company discovered a security breach that occurred on October 14. PayChoice reopened the site with limited functions as it continues to tighten the security based on forensic findings from Wednesday's attack," Digby wrote. "PayChoice has communicated directly with its clients with precautionary recommendations and will update them as more information is available."

Steve Friedl, a blogger and security expert who writes the Unixwiz blog and is also a consultant for Evolution Payroll -- a PayChoice competitor -- said the timing of this latest attack was notable: Friedl said most of the payroll industry leaders -- including PayChoice -- are busy exhibiting and attending talks at a major industry conference in Park City, Utah this week.

"The timing is impeccable," Friedl said. "Paychoice and many of their licensees are at a major payroll conference in Utah, so it's a ripe time to slip something by a short-staffed operation."

Monday, October 5, 2009

U.S. Government Suffers 'Largest Release Of Personally Identifiable Information Ever'

Via Dark Reading -

A defective hard drive containing the personal information of some 70 million U.S. military personnel was returned to a contractor for repair and recycling -- without being erased first, according to a news report.

According to a report in Wired.com, the inspector general of the National Archives and Records Administration is investigating a potential data breach of a hard drive that helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers.

When the drive failed last November, the agency returned the drive to the contractor, GMRI, which sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. But Hank Bellomy, a NARA IT manager who reported the incident to the inspector general, told Wired.com that the drive was not properly erased.

"This is the single largest release of personally identifiable information by the government ever," Bellomy told Wired.com. "When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it."

NARA says the lost drive is not a problem because its contractors signed privacy promises in their contracts. A spokesperson told Wired.com that the agency "does not believe that a breach of PII occurred," according to the report.

The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, the report says.

----------------------------------

While the DoD clearly didn't follow its own data wiping process here...and for that it should be shamed / punished. But what are the real chances of this data leaking?

In my mind, they are small. What do you think?

Wednesday, September 16, 2009

UK Post Code Database Mirrored on Pirate Bay

UK government database of all 1,841,177 UK post codes together with latitude and longitude, grid references, county, district, ward, NHS codes and regions, Ordnance Survey reference, and date of introduction. The database was last updated on July 8, 2009 and is over 100,000 pages in size.

The file has literally tens of thousands of potential applications from ecology and political campaigns to medical statistics and courier services.

Selected parts of the database can be licensed, for a fee, from the Royal Mail, but the full database has been denied to the public domain, probably as an effort by the Royal Mail to undermine competition in the postal sector.

The database is structured as a plain text file, with each entry taking one line and with distinct fields separated by commas. The very first line specifies the order of the 17 fields of information about each post code.

The original file is 241Mb. It has been compressed down to 20Mb with the free "bzip2" program, which is needed to uncompress the file to its original state.

http://thepiratebay.org/torrent/5090599/UK_government_database_of_all_1_841_177_post_codes

Thursday, September 10, 2009

SQL Injection Exposes Sensitive Details on Military Personnel

Via The Register UK -

Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.

The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.

"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."

The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.

The website is a joint project developed by transit authorities in five regional governments in Southern California. Individuals enter their work and home addresses and the time they leave from each, and the website pairs them up with others with home and office locations and commute times that are suitable for carpools. Hermansen said virtually all of the data is accessible to anyone who knows how to exploit the vulnerability.

His tests revealed that at least one military institution was among the employers that used the website. The Register agreed to withhold the institution's identity because of the potential sensitivity of the matter.

Friday, August 21, 2009

Eight Indicted For $22M Identity Theft Scam Against AT&T, T-Mobile

Via Darkreading.com -

Eight defendants were arraigned in a Brooklyn court yesterday for allegedly using the stolen identities of AT&T, T-Mobile, and Asurion customers to steal some $22 million worth of wireless equipment and services.

An indictment was unsealed in Brooklyn federal court yesterday morning charging Courtney Beckford, Gabe Beizem, Rawl Davis, Lennox Lambert, Marsha Montayne, Saul Serrano, Ron Shealey, and Rohan Stewart, with conspiracy to commit mail fraud and wire fraud. Beizem, Montayne, and Stewart were also charged with wire fraud and aggravated identity theft.

According to the indictment, between February 2005 and July 2009, Beizem -- an owner of Got Wireless (aka USA Wireless), a former authorized AT&T and T-Mobile dealer that operated in Brooklyn -- obtained dealer access codes for AT&T's and T-Mobile's online customer databases. Stewart, the owner of KP Wireless -- an authorized T-Mobile wireless device dealer operating in West Palm Beach, Florida -- also obtained dealer access codes for T-Mobile's customer database.

Using these access codes, Beizem, Stewart, and Montayne, and others, allegedly obtained existing customer information from the customer databases, including customers' names, addresses, and personal identifying information, the indictment says. Montayne, and others, then fraudulently assumed the identities of existing customers and obtained new wireless devices without payment and without the customers' permission.

[...]

As a result of these fraudulent requests, AT&T and T-Mobile shipped new or replacement wireless devices for express mail delivery by FedEx, DHL or UPS, according to the indictment. The FedEx and DHL shipments from AT&T were generally shipped to addresses along the routes of private express mail drivers whom Beckford, Davis, Lambert, and Stewart, and others, allegedly recruited and paid to divert the packages.

FedEx and DHL drivers, including Serrano and Shealey, then allegedly scanned the packages into their respective carrier's computerized tracking systems as "delivered" to the stated delivery addresses, but actually diverted the packages to Beckford, Davis, Lambert, and Stewart, and others. UPS shipments from T-Mobile were shipped directly to addresses connected to the defendants and their associates.

Beckford, Beizem, Davis, and Montayne, and others, allegedly then sold the fraudulently obtained wireless devices to others. When charges were incurred on these devices, they were billed to existing AT&T and T-Mobile customers' accounts. When the customers reported or confirmed the fraud on their accounts to AT&T and T-Mobile, the companies absorbed the losses, which included the cost of the devices, insurance payments, shipping costs, and wireless service and other calling charges.

New Details, and Lessons, on Heartland Breach

Via securosis.com -

Thanks to an anonymous reader, we may have some additional information on how the Heartland breach occurred. Keep in mind that this isn't fully validated information, but it does correlate with other information we've received, including public statements by Heartland officials.

On Monday we correlated the Heartland breach with a joint FBI/USSS bulletin that contained some in-depth details on the probable attack methodology. In public statements (and private rumors) it's come out that Heartland was likely breached via a regular corporate system, and that hole was then leveraged to cross over to the better-protected transaction network.

According to our source, this is exactly what happened. SQL injection was used to compromise a system outside the transaction processing network segment. They used that toehold to start compromising vulnerable systems, including workstations. One of these internal workstations was connected by VPN to the transaction processing datacenter, which allowed them access to the sensitive information. These details were provided in a private meeting held by Heartland in Florida to discuss the breach with other members of the payment industry.

As with the SQL injection itself, we've seen these kinds of VPN problems before. The first NAC products I ever saw were for remote access -- to help reduce the number of worms/viruses coming in from remote systems.

I'm not going to claim there's an easy fix (okay, there is, patch your friggin' systems), but here are the lessons we can learn from this breach:

  1. The PCI assessment likely focused on the transaction systems, network, and datacenter. With so many potential remote access paths, we can't rely on external hardening alone to prevent breaches. For the record, I also consider this one of the top SCADA problems.
  2. Patch and vulnerability management is key -- for the bad guys to exploit the VPN connected system, something had to be vulnerable (note -- the exception being social engineering a system 'owner' into installing the malware manually).
  3. We can't slack on vulnerability management -- time after time this turns out to be the way the bad guys take control once they've busted through the front door with SQL injection. You need an ongoing, continuous patch and vulnerability management program. This is in every freaking security checklist out there, and is more important than firewalls, application security, or pretty much anything else.
  4. The bad guys will take the time to map out your network. Once they start owning systems, unless your transaction processing is absolutely isolated, odds are they'll find a way to cross network lines.
  5. Don't assume non-sensitive systems aren't targets. Especially if they are externally accessible.

Okay -- when you get down to it, all five of those points are practically the same thing.

Here's what I'd recommend:

  1. Vulnerability scan everything. I mean everything, your entire public and private IP space.
  2. Focus on security patch management -- seriously, do we need any more evidence that this is the single most important IT security function?
  3. Minimize sensitive data use and use heavy egress filtering on the transaction network, including some form of DLP. Egress filter any remote access, since that basically blows holes through any perimeter you might think you have.
  4. Someone will SQL inject any public facing system, and some of the internal ones. You'd better be testing and securing any low-value, public facing system since the bad guys will use that to get inside and go after the high value ones. Vulnerability assessments are more than merely checking patch levels.
--------------------------------------

Patch management isn't new...and it is so critically important, yet many, many companies still don't take it seriously.

One of the factors that can greatly affect any patch management process is inventory control.

Inventory control is rarely talked about in the realm of patch management, but they go hand-in-hand.

After all, you can't patch what you don't see...
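Both the RideMatch report above and the Heartland account describe the same entry point: SQL injection through an Internet-facing form on a system nobody considered sensitive. The following is an added example, not code from either article, from Securosis, or from the sites involved. It shows a minimal lookup of the kind such a form drives, written against an in-memory SQLite database with constructed sample rows: the string-built vulnerable form, the parameterized fix, and a hardened version that also allow-lists the identifier's shape. The table name, its columns, the `employer`/`employee_id` parameters and the identifier format are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a ride-matching site's commuter
# records; the real schema is not on the page, so table and column names are
# assumptions made for this example.
SAMPLE_ROWS = [
    ("A1001", "Alice Example", "1 Main St", "07:30", "employer-a"),
    ("A1002", "Bob Example", "2 Elm Ave", "08:00", "employer-a"),
    ("B2001", "Carol Example", "3 Oak Rd", "06:45", "employer-b"),
]

# Allow-list for the employee identifier: one capital letter followed by four
# digits. This is the shape of the constructed sample IDs, not any real format.
EMPLOYEE_ID_RE = re.compile(r"[A-Z][0-9]{4}")

# The textbook tautology input that the three lookups are compared against.
TAUTOLOGY = "' OR '1'='1"


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE commuters ("
        "employee_id TEXT, name TEXT, home_address TEXT, "
        "start_time TEXT, employer TEXT)"
    )
    conn.executemany("INSERT INTO commuters VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, employer, employee_id):
    """Deliberately vulnerable: request values are spliced into the SQL text,
    so a quote character in employee_id changes the query's structure."""
    sql = (
        "SELECT employee_id, name, home_address FROM commuters "
        f"WHERE employer = '{employer}' AND employee_id = '{employee_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, employer, employee_id):
    """Fixed: placeholders keep the values out of the SQL grammar, so the
    same input is compared as an ordinary string and matches nothing."""
    sql = (
        "SELECT employee_id, name, home_address FROM commuters "
        "WHERE employer = ? AND employee_id = ?"
    )
    return conn.execute(sql, (employer, employee_id)).fetchall()


def is_valid_employee_id(employee_id):
    """Input validation as a second layer: reject anything that does not have
    the expected identifier shape before it reaches the database at all."""
    return EMPLOYEE_ID_RE.fullmatch(employee_id) is not None


def lookup_hardened(conn, employer, employee_id):
    """Parameterized query plus allow-list validation of the identifier."""
    if not is_valid_employee_id(employee_id):
        raise ValueError("employee_id rejected by allow-list")
    return lookup_parameterized(conn, employer, employee_id)


def compare(conn, employer="employer-a"):
    """Row count each lookup returns for the tautology input: the vulnerable
    form dumps every commuter, the fixed forms return nothing or refuse."""
    try:
        hardened = len(lookup_hardened(conn, employer, TAUTOLOGY))
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": len(lookup_vulnerable(conn, employer, TAUTOLOGY)),
        "parameterized": len(lookup_parameterized(conn, employer, TAUTOLOGY)),
        "hardened": hardened,
    }


if __name__ == "__main__":
    # → {'vulnerable': 3, 'parameterized': 0, 'hardened': 'rejected'}
    print(compare(build_db()))
```

The point the Heartland list makes applies here too: the parameterized fix is a one-line change, but a low-value public form like this only gets that change if someone is actually testing it, which is why "vulnerability assessments are more than merely checking patch levels." Running the lookup path under a read-only database account would additionally limit what any remaining flaw can reach.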

Monday, July 6, 2009

When a Parent Steals Your Identity

Via MSN Money -

Danielle, 28, thought her credit was pretty good when she went to buy a new car a couple of years ago. And it would have been, had her credit report not been littered with unpaid accounts opened by her mother in Danielle's name.

Now Danielle, a graduate student who also works full time, is struggling to pay off more than $20,000 in credit card debt her mother incurred. The older woman, who survived a bout with cancer, insists she would have been able to pay the bills had she not become ill and gets angry when Danielle mentions the debt.

"I feel bad bringing it up," Danielle said. "I feel like the bad guy."

Parents are supposed to protect their children from harm, but some inflict long-lasting financial and emotional damage by using them to commit identity theft.

Some, such as Danielle's mother, victimize offspring who are old enough to establish credit in their own right. Others use the Social Security numbers of their minor children to set up fraudulent accounts that the victims might not discover for years.

"When we first started hearing about it, we were shocked and horrified," said Beth Givens, the head of the Privacy Rights Clearinghouse in San Diego. "It turns out it is more common than you might think."

Linda Foley, the founder of the Identity Theft Resource Center, also in San Diego, said she almost never heard about parent perpetrators when she and her husband established the center a decade ago. These days, though, they get several complaints a week from victims or from other adults who have uncovered the crimes.

"It just keeps getting bigger," said Foley, who fears the recession and rising unemployment will tempt more parents to cross the line.