IT-Harvest

Data Protection Weekly for February 16, 2009

February 21st, 2009

Join Richard Stiennon with Safend for a Webinar on March 3
Retaining confidential data in competitive times
Richard Stiennon on Data Loss Prevention
Register here

1.) Heartland data breach aftershocks continue

The fallout from the major data breach announced in January from Heartland Payment Systems isn’t over. At least 250,000 merchants use the New Jersey-based payment processor, making it the fifth largest payment processor in the country. Millions of credit and debit card transactions were compromised in 2008 due to malicious software installed by hackers. I was recently informed by my bank that my account may have been compromised, and I was issued a new debit card. The aftershocks continue, with banks large and small reporting impacts.

2.) Kaspersky Lab pours cold water on claims of data breach by hacker

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend. According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it. The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

3.) Don’t be a data loss victim

Somebody was siphoning customer financial data from a chain of gas station/convenience stores. The perpetrator covered his tracks so well that that the company which owned the stores didn’t even know it had a data breach until customers began complaining about experiencing fraud just days after using a credit card or writing a check at one of the stores. Verizon’s Business Investigative Response team was called in to try to unravel the mystery and track down the hacker. The team, led by managing principal Bryan Sartin, took forensic images of the systems at several store locations and did an in-depth analysis of the information.
4.) Seven ways to stop data breaches

The experts all say that data security goes beyond the use of technology. Nevertheless, there are numerous tools and techniques that IT professionals can use to improve their organization’s stance on data security.

5.) FAA says info on 45,000 workers stolen in data breach

The Federal Aviation Administration disclosed that it is investigating a data breach in which the personal data of about 45,000 employees and retirees was apparently stolen from a server at the agency.The compromise resulted from an intrusion into the system that was storing the data, the FAA said in a brief statement. There are no indications that any of the servers used for air traffic control or other operation systems were similarly broken into, the agency said, adding that it has contacted law enforcement authorities and will notify the affected individuals via mail.

6.) Six ways to protect your identity in a data breach

There’s an old Chinese proverb that says whoever steals an egg will steal an ox. Fast forward to the 21st century, replace “egg” with a credit card number and “ox” with your Social SecurityHow to protect your identity in a data breach number, and you’ve tapped into one of the biggest threats to the information age — identity theft. Identity theft — the act of having your personal and financial information stolen from you, often by cyber-means — is a burgeoning problem.

7.) Public Greets Massive Data Breach With Collective Yawn

Data breach laws in 44 states require companies to report the loss or theft of personal data, and such laws no doubt prompted Heartland’s revelation at 2008breach.com. But hundreds of other breaches slip by unnoticed by most consumers. Though intended to spur companies to follow strong security practices to safeguard sensitive data, the laws don’t seem to be achieving their purpose.

8.) With Great Amounts of Data Comes Great Responsibility

Keeping your customers’ data safe and secure means protecting against threats from both the outside as well as the inside. Implement layered security, monitor network traffic, and encrypt all sensitive data, recommends ESET’s Jeff Debrosse.

9.) Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes

With only 100 compromised ATM cards thieves were able to grab $9 million bucks from the banking system in a new style of attack. Law enforcement sources told Fox 5 it’s one of the most frightening well-coordinated heists they’ve ever seen. “We’ve seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here,” FBI Agent Ross Rice told Fox 5. “We’ve never seen one this well coordinated,” the FBI said. How did the hackers steal $9 million in one 30-minute time period using only 100 ATM cards you ask? That shouldn’t be possible given the daily limits (usually about $500/day) placed on all ATM cards. Well it turns out that the hackers applied military like precision to old ATM Scam techniques and added a touch of devious ingenuity to pull this one off. Here is a look at how the theft was perpetrated.

10.) Survey: 40% of hard drives bought on eBay hold personal data

A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders from eBay contained personal, private and sensitive information — everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.

11.) Medical data leakage rampant on P2P networks

The risk of patient information disclosures on peer-to-peer (P2P) networks is much higher than if a health care worker loses a laptop or removable storage device, according to new Dartmouth College research. Over a two-week period, Dartmouth College researchers, in collaboration with P2P monitoring vendor Tiversa, searched file-sharing networks for key terms associated with the top ten publicly traded health care firms in the country, and discovered numerous sensitive documents – for example, a spreadsheet from an AIDS clinic with 232 client names, including Social Security numbers, addresses and birthdates.

12.) BitDefender partner site hit by hackers

Hackers elicited customer details from a Portuguese partner site associated with the security company BitDefender, the second intrusion in recent days targeting computer security companies. The hackers used a form of a SQL injection attack to reveal personal details and e-mail addresses. SQL injection, one of the most common types of attacks, involves inputting commands into Web-based forms or URLs in order to return data held in back-end databases.

13.) A down economy increases threat of data walking out the door

Moving into 2009, the number of layoffs and unemployed has multiplied as a result of the falling economy. Corporate data is at risk now more than ever and companies need to be sure they have reliable protection in place. As companies are forced to make layoffs, disgruntled employees may act maliciously and take sensitive company data with them as they leave. Out-of-work employees worried about finding a position in a bleak job market may also act out of desperation and steal confidential company information to get a leg up on the competition for hard-to-find jobs. It is also possible that companies hiring are accepting or even requesting internal data of their competitors as part of the hiring process.

14.) HP, IBM push new OASIS encryption key standard

A group of industry vendors, led by IBM, HP and EMC, is proposing a new standard to make their encryption management software work together. Called the Key Management Interoperability Protocol (KMIP), the standard is being proposed through OASIS (Organization for the Advancement of Structured Information Standards), the consortium best known for its development of Web-services standards. On Thursday, OASIS is expected to announce that it has created a KMIP Technology Committee to produce the final specification for the standard.

15.) First arrests made in Heartland data breach case

Three men have been arrested in Tallahasee, Fla., in connection with the Heartland Payment Systems data breach, authorities said. The men, Tony Acreus, Jeremy Frazier and Timothy Johns, each were charged with multiple counts of credit card fraud, police said. The arrests were part of a larger investigation into the breach, possibly the largest of all time, which was first disclosed in January.

16.) The Internet we have is just fine

Thanks to the New York Times and John Markoff for raising the question “Do we need a new Internet?” in a Valentine’s day article. The premise of the question is that the threats from hackers, cyber criminals, and even nation states have made the Internet a completely unsafe place. “Unless we’re willing to rethink today’s Internet,” says Nick McKeown, a Stanford engineer involved in building a new Internet, “we’re just waiting for a series of public catastrophes.” For all of the vulnerabilities in operating systems, applications, Internet protocols, and infrastructure my resounding answer to Mr. Markoff’s question is NO!

Entry Filed under: DPW Issues