IT-Harvest Archives of the Data Protection Weekly 2009-02-21T19:03:56Z WordPress http://it-harvest.com/blog/feed/atom/
Administrator <![CDATA[Data Protection Weekly for February 16, 2009]]> http://it-harvest.com/blog/2009/02/21/data-protection-weekly-for-february-16-2009/ 2009-02-21T18:53:39Z 2009-02-21T18:53:39Z
Join Richard Stiennon with Safend for a Webinar on March 3
Retaining confidential data in competitive times
Richard Stiennon on Data Loss Prevention
Register here

1.) Heartland data breach aftershocks continue

The fallout from the major data breach announced in January from Heartland Payment Systems isn’t over. At least 250,000 merchants use the New Jersey-based payment processor, making it the fifth largest payment processor in the country. Millions of credit and debit card transactions were compromised in 2008 due to malicious software installed by hackers. I was recently informed by my bank that my account may have been compromised, and I was issued a new debit card. The aftershocks continue, with banks large and small reporting impacts.

2.) Kaspersky Lab pours cold water on claims of data breach by hacker

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend. According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it. The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

3.) Don’t be a data loss victim

Somebody was siphoning customer financial data from a chain of gas station/convenience stores. The perpetrator covered his tracks so well that the company which owned the stores didn’t even know it had a data breach until customers began complaining about experiencing fraud just days after using a credit card or writing a check at one of the stores. Verizon’s Business Investigative Response team was called in to try to unravel the mystery and track down the hacker. The team, led by managing principal Bryan Sartin, took forensic images of the systems at several store locations and did an in-depth analysis of the information.

4.) Seven ways to stop data breaches

The experts all say that data security goes beyond the use of technology. Nevertheless, there are numerous tools and techniques that IT professionals can use to improve their organization’s stance on data security.

5.) FAA says info on 45,000 workers stolen in data breach

The Federal Aviation Administration disclosed that it is investigating a data breach in which the personal data of about 45,000 employees and retirees was apparently stolen from a server at the agency. The compromise resulted from an intrusion into the system that was storing the data, the FAA said in a brief statement. There are no indications that any of the servers used for air traffic control or other operation systems were similarly broken into, the agency said, adding that it has contacted law enforcement authorities and will notify the affected individuals via mail.

6.) Six ways to protect your identity in a data breach

There’s an old Chinese proverb that says whoever steals an egg will steal an ox. Fast forward to the 21st century, replace “egg” with a credit card number and “ox” with your Social Security number, and you’ve tapped into one of the biggest threats to the information age — identity theft. Identity theft — the act of having your personal and financial information stolen from you, often by cyber-means — is a burgeoning problem.

7.) Public Greets Massive Data Breach With Collective Yawn

Data breach laws in 44 states require companies to report the loss or theft of personal data, and such laws no doubt prompted Heartland’s revelation at 2008breach.com. But hundreds of other breaches slip by unnoticed by most consumers. Though intended to spur companies to follow strong security practices to safeguard sensitive data, the laws don’t seem to be achieving their purpose.

8.) With Great Amounts of Data Comes Great Responsibility

Keeping your customers’ data safe and secure means protecting against threats from both the outside as well as the inside. Implement layered security, monitor network traffic, and encrypt all sensitive data, recommends ESET’s Jeff Debrosse.

9.) Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes

With only 100 compromised ATM cards, thieves were able to grab $9 million from the banking system in a new style of attack. Law enforcement sources told Fox 5 it’s one of the most frightening, well-coordinated heists they’ve ever seen. “We’ve seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here,” FBI Agent Ross Rice told Fox 5. “We’ve never seen one this well coordinated,” the FBI said. How did the hackers steal $9 million in one 30-minute time period using only 100 ATM cards, you ask? That shouldn’t be possible given the daily limits (usually about $500/day) placed on all ATM cards. Well, it turns out that the hackers applied military-like precision to old ATM scam techniques and added a touch of devious ingenuity to pull this one off. Here is a look at how the theft was perpetrated.

10.) Survey: 40% of hard drives bought on eBay hold personal data

A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders from eBay contained personal, private and sensitive information — everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.

11.) Medical data leakage rampant on P2P networks

The risk of patient information disclosures on peer-to-peer (P2P) networks is much higher than if a health care worker loses a laptop or removable storage device, according to new Dartmouth College research. Over a two-week period, Dartmouth College researchers, in collaboration with P2P monitoring vendor Tiversa, searched file-sharing networks for key terms associated with the top ten publicly traded health care firms in the country, and discovered numerous sensitive documents – for example, a spreadsheet from an AIDS clinic with 232 client names, including Social Security numbers, addresses and birthdates.

12.) BitDefender partner site hit by hackers

Hackers elicited customer details from a Portuguese partner site associated with the security company BitDefender, the second intrusion in recent days targeting computer security companies. The hackers used a form of a SQL injection attack to reveal personal details and e-mail addresses. SQL injection, one of the most common types of attacks, involves inputting commands into Web-based forms or URLs in order to return data held in back-end databases.

13.) A down economy increases threat of data walking out the door

Moving into 2009, the number of layoffs and unemployed has multiplied as a result of the falling economy. Corporate data is at risk now more than ever and companies need to be sure they have reliable protection in place. As companies are forced to make layoffs, disgruntled employees may act maliciously and take sensitive company data with them as they leave. Out-of-work employees worried about finding a position in a bleak job market may also act out of desperation and steal confidential company information to get a leg up on the competition for hard-to-find jobs. It is also possible that companies hiring are accepting or even requesting internal data of their competitors as part of the hiring process.

14.) HP, IBM push new OASIS encryption key standard

A group of industry vendors, led by IBM, HP and EMC, is proposing a new standard to make their encryption management software work together. Called the Key Management Interoperability Protocol (KMIP), the standard is being proposed through OASIS (Organization for the Advancement of Structured Information Standards), the consortium best known for its development of Web-services standards. On Thursday, OASIS is expected to announce that it has created a KMIP Technology Committee to produce the final specification for the standard.

15.) First arrests made in Heartland data breach case

Three men have been arrested in Tallahassee, Fla., in connection with the Heartland Payment Systems data breach, authorities said. The men, Tony Acreus, Jeremy Frazier and Timothy Johns, each were charged with multiple counts of credit card fraud, police said. The arrests were part of a larger investigation into the breach, possibly the largest of all time, which was first disclosed in January.

16.) The Internet we have is just fine

Thanks to the New York Times and John Markoff for raising the question “Do we need a new Internet?” in a Valentine’s Day article. The premise of the question is that the threats from hackers, cyber criminals, and even nation states have made the Internet a completely unsafe place. “Unless we’re willing to rethink today’s Internet,” says Nick McKeown, a Stanford engineer involved in building a new Internet, “we’re just waiting for a series of public catastrophes.” For all of the vulnerabilities in operating systems, applications, Internet protocols, and infrastructure, my resounding answer to Mr. Markoff’s question is NO!

Administrator <![CDATA[Data Protection Weekly for November 10, 2008]]> http://it-harvest.com/blog/2008/12/01/data-protection-weekly-for-november-10-2008/ 2008-12-02T00:34:37Z 2008-12-02T00:34:37Z
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Data Protection Weekly
Update on encryption, device management, and leak prevention
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is your loading dock your biggest data leak?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Once your new equipment has been commissioned and brought on line, do you have control of the data that is still on the old equipment? After all of the effort to protect network and equipment, data protection during equipment disposal or change of ownership is too often overlooked.

www.blancco.com

White House powned by Chinese
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is just too embarrassing. The Financial Times is reporting that the Chinese government has hacked successfully into the White House on several occasions. Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times. On top of the major hack on the Pentagon announced in 2007, this is just more evidence that the Chinese are engaging in a concerted effort to glean information from the US. Of course, Whitehall, the German Chancellery, France, India, Australia, and New Zealand have all been hacked as well. It might be time for the US to lodge a complaint with the Chinese government.

Read on…

Ex-AMD employee allegedly stole $1B Intel secrets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A former Intel Corp. engineer has been charged with stealing trade secrets worth $1 billion from the chip maker while he worked for its main rival, Advanced Micro Devices Inc. Federal prosecutors in Massachusetts alleged this week in a five-count indictment that Biswamohan Pani, 33, illegally downloaded more than a dozen confidential documents from Intel’s computer system in California during a four-day stretch in June. He had already resigned from Santa Clara, Calif.-based Intel, but remained on the payroll and still had access to the company’s computers while he burned unused vacation days.

Read on…

Express Scripts demonstrates best practices in handling a data breach incident
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Express Scripts, one of the largest pharmacy benefit management companies in North America, Sunday announced that it has received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company’s patients’ records. Extortion is an old, old methodology for extracting funds from victims. In the cyber crime arena it has a history that pre-dates the Internet. During the twenty years before the Internet was commercialized, over $600 million was paid to extortionists who stole account data from UK banks. They were either employees of those banks or had bribed insiders to print out account records. The banks would pay the extortion demands in order to avoid embarrassment and potential loss of brand. Banks of course rely on their brand of providing a safe and secure home for your money.

Read on…

Data security threats worst at home, expert says
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The threats to data security are most severe at home, a Seattle security expert told the Secure World Detroit conference at the Ford Conference and Events Center in Dearborn Wednesday. Gordon Mitchell, president of Future Focus Inc., told the audience of a couple of hundred IT security professionals how to “become a counterspy in three easy lessons.” Mitchell said good counterspies must figure out what information is valuable, think about who could be a spy, think like a spy would and protect the information. Companies and institutions are constantly surrounded by people who are spying on them, Mitchell said. The strategies can range from the sophisticated to the simple — like the biotech client that actually had an employee listening to board meetings by using a drinking glass up against a wall.

Read on…

Programmer charged for sniffer used in TJX breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A New York programmer is charged with helping a group of hackers break into corporate networks to pilfer corporate data. Stephen Watt, 25, was charged in U.S. District Court with providing a modified sniffer program used to monitor and capture data, including customers’ credit and credit card information, as it traveled across corporate computer networks. Watt’s indictment is believed to be tied to the massive data security breach at TJX Cos. Inc. as well as several other retailers.

Read on…

British Government computer system shut down after data breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When you hand over important details to the government, you expect a certain level of protection of that data. Unfortunately, it’s probably safer to give your details to a stranger in the street than trust the British Government to take care of them. The latest data breach saw a memory stick containing details of 12 million people found outside a pub.

Read on…

.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
safend2

Don’t let reductions in your workforce turn into yet another reason for critical data to walk out the door. Join Richard Stiennon, Chief Research Analyst, IT-Harvest, and Susan Callahan, SVP of Safend, to learn how to protect your critical information during times of retrenchment and cutbacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reduce data breach risks with secure USB flash drives
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Imagine yourself in this position. It’s Monday morning, and your task is to go to your lead executive to let him know that an ambitious employee who wanted to get some work done over the weekend just reported that her USB flash drive was either lost or stolen from her desk. The drive contains downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions.

Read on…

After laptop theft, Baylor Health warns of possible data compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HealthTexas Provider Network Inc., a subsidiary of Dallas-based Baylor Health Care System, is notifying about 7,400 patients of the potential compromise of their Social Security numbers and other personal information after a laptop containing the data was stolen in September. It is also contacting an additional 100,000 people whose records on the laptop contained a “limited amount” of health information — though not Social Security numbers, Baylor said in a statement yesterday.

Read on…

Up to 40,000 kids’ identities stolen from Phoenix DES in burglary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Up to 40,000 children’s identities were stored on Department of Economic Security hard drives that were stolen from a storage unit in October. Now all those families may be at risk of identity theft. This affects anyone who has applied for or been accepted to DES’s “Early Intervention Program” over the past several years. This has the parents of those 40,000 children seriously concerned about their well-being.

Read on…

NC government computer with personal info stolen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A North Carolina health department’s stolen laptop contained personal information about some residents who are receiving government services. The Department of Health and Human Services said Wednesday the computer belonging to the Division of Aging and Adult Services employee was stolen on Oct. 25 in Atlanta.

Read on…

Avoiding costly data breach notifications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Privacy Organizations spend serious money dealing with data breach notifications, millions of dollars that could be better spent on improving security procedures or technology, according to Bart A. Lazar, a partner with the law firm of Seyfarth Shaw. The CIO and the legal department can try and limit the risks associated with incident response while conserving resources, says Lazar. He offers five tips that shouldn’t break the bank.

Read on…

Preventing security breaches
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A security breach is the last thing you want to have to deal with in any enterprise. If sensitive company data leaked outside, you’d already be past worrying about hardening firewalls and strengthening perimeters; by then it’s too late. According to Michael Rothschild, senior manager of enterprise solutions at Juniper Networks, “outside-in” attacks have been eclipsed by insider threats this year, which opens up a whole new attack vector (bypassing the perimeter security strategy). Rothschild says today’s hackers go far beyond hacking to attain notoriety and hack for profit instead. This puts corporate data, customer data, applications, and, indeed, the organization at risk.

Read on…

Card breaches shake faith in e-payments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the past three months, all three of my payment cards — one credit card and two debit cards — have been compromised. That means somewhere, in some database, various fraudsters have my name and enough card details to attempt a shopping spree anywhere in the world. The cards have all been replaced by the issuers and, luckily, I never discovered any fraudulent transactions. The card breaches are particularly disturbing since I cover computer security. So what happened? I still have no clue. Investigating a card breach as a consumer, or a journalist, is a black hole.

Read on…

A&M-CC student data exposed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For the fourth time in two years and the second time in three months, a security breach at Texas A&M University-Corpus Christi has exposed students’ or former students’ Social Security numbers, university officials said Friday. Through an Internet search on the university’s Web site Monday, a student viewed a document that listed admissions applicants from 2005, A&M-Corpus Christi spokesman Marshall Collins said. The page listed 1,430 names and Social Security numbers.

Read on…

Charlottesville voter information at risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After a bold break-in at a voting precinct, the personal information for every registered voter in the city of Charlottesville is on the line. Two laptops containing voter registration information were stolen from a building at Tonsler Park in Charlottesville sometime after the polls closed Tuesday night. Charlottesville police say someone threw a cinder block through the door of the building and made off with the laptops.

Read on…

Clients’ data missing, Harvard Law warns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Harvard Law School is alerting thousands of clients from a legal services clinic after a computer tape containing their Social Security numbers, addresses, and financial information was lost in September. The personal information, dating back 10 years, belonged to about 21,000 people who sought help through the school’s legal services center in Jamaica Plain, Robert London, a school spokesman, said yesterday. About 8,000 records of present and former clients contained Social Security numbers; another 13,000 had other identification information.

Read on…

Contact Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
email: news@it-harvest.com
advertising inquiries: karen@it-harvest.com
web: http://www.it-harvest.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Administrator <![CDATA[About]]> http://it-harvest.com/blog/about/ 2009-02-21T19:03:56Z 2008-11-06T02:50:19Z
IT-Harvest is an independent IT research firm founded by Richard Stiennon. We focus on the IT security space and provide coverage of the 1,200+ vendors that provide security products and services to the enterprise. We follow the new model of an analyst firm in that all of our research is published on this site at no charge. Most of our clients are security vendors who hire us to generate leads through speaking events, webinars, and special video productions. We also provide strategic consulting services to companies in the security space and those that are making acquisitions in order to enter the security field.

IT-Harvest is the publisher of the popular security blog ThreatChaos.com, a destination site for security news, our analysts’ insights, video productions and more to come!

For more information on any of these services or to schedule a call with an analyst contact Richard Montoya, Sales Director.

Email: richard.montoya@it-harvest.com
Phone: 203-826-7056

Administrator <![CDATA[Contact]]> http://it-harvest.com/blog/contact/ 2009-02-21T19:01:05Z 2008-11-06T02:05:28Z
IT-Harvest LLC
330 East Maple Rd
#406
Birmingham, MI 48009

Skype: Stiennon
Twitter: www.twitter.com/stiennon
email: Richard Stiennon at richard@it-harvest.com
phone: 650-388-6402

Business: Karen Ethier karent@it-harvest.com

For more information on any of these services or to schedule a call with an analyst contact Richard Montoya, Sales Director.

Email: richard.montoya@it-harvest.com
Phone: 203-826-7056

Administrator <![CDATA[Services]]> http://it-harvest.com/blog/services/ 2009-02-21T18:58:53Z 2008-11-06T02:00:49Z
IT-Harvest provides services to IT security vendors and end users. These services include:

Analyst Access. One of the most effective ways to interact with IT-Harvest is through an annual contract that provides continuous access to our analysts. Clients have the analysts’ cell phone number and can engage the analyst through email, IM, and phone. Monthly email updates to clients make them aware of editorial calendars, industry movements, and marketing guidance.

Speaking engagements. These may take the form of a key note address to a sales kick-off meeting, customer advisory board, or prospect breakfast seminar. We have engaged in multi-city speaking tours on six continents. Talk to us about how we use our industry demand tools to drive attendance!

Webinars. The best way to draw attendance and engage with your prospects is to hire a knowledgeable, exciting speaker with a world wide reputation. IT-Harvest can provide that speaker and also help drive attendance with a custom outreach program.

Strategic engagement days. Bring the analyst to your facility for a day of give and take. Your product marketing team, executives, and sales leadership can benefit from an outsider’s perspective on your company direction.

Video product data sheets. This is a new service offering. Have an industry renowned analyst create a 10-12 minute video introduction to your product.

Video case study. Instead of a white paper your prospects can view a 12-15 minute case study produced by IT-Harvest. We go to one of your customer’s sites and interview the decision maker about the particular problem you solved for them. It is a compelling way to get prospects’ attention, educate them on your value proposition, and generate actionable leads.

For more information on any of these services or to schedule a call with an analyst contact Richard Montoya, Sales Director.

Email: richard.montoya@it-harvest.com
Phone: 203-826-7056

Administrator <![CDATA[Data Protection Weekly published June 30, 2008]]> http://it-harvest.com/blog/2008/06/30/data-protection-weekly-published-june-30-2008/ 2008-07-02T22:13:51Z 2008-06-30T19:27:41Z
Sign up for Free Newsletter: Data Protection Weekly.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data Protection Weekly

Update on encryption, device management, and leak prevention

June 30, 2008

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





This week's DPW sponsor: SECCOM GLOBAL

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Looking for managed UTM?

Contact Seccom Global, an MSSP dedicated to
supporting Fortinet Unified Threat Management
appliances. Get managed AV, firewall, IPS,
VPN, anti-spam, anti-spyware, and URL
filtering for one affordable rate.
We make UTM work.

www.seccomglobal.com





The staff, the thief, the device and its data

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data being leeched from company databases by
less secure mobile devices is a common
occurrence, making data leakage the big
technology issue of 2008. With the increasing
use of mobile phones, PDAs and laptops as
work tools, important company data is removed
from the office every day. This increase in
data sharing promotes an environment suitable
for data leakage and is aggravated by the
associated use of hot-desking, home working
and wireless hotspots. It is further
complicated by the shuttling of data back and
forth between staff on USB sticks, CDs, DVDs,
backup tapes and even iPods. As a
consequence, security breaches are on the
increase.

Read on...





What privacy policy?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to know how well a company protects its
customers' data? Don't talk to its security
and compliance officers. Instead, try its
marketing department. A study released Monday
by the privacy-focused Ponemon Institute and
funded by e-mail marketing firm Strongmail
reveals a disturbing disconnect in companies
between the executives tasked with protecting
customer data and marketing departments,
which use the data for advertising purposes
or share it with third parties.

Read on...





CNET employees notified after data breach

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More than 6,500 CNET Networks employees and
relatives are being notified of a possible
data breach after burglars stole computer
systems from the offices of the company that
administers the Internet publisher's benefit
plans. CNET was one of several clients
affected when burglars broke into the Walnut
Creek, Calif., offices of Colt Express
Outsourcing Services, stealing equipment
"which contains the human resources data of
several of their clients including CNET
networks," CNET Senior Vice President of
Human Resources Jose Martin said in a June
letter notifying employees of the incident.

Read on...





Virgin Media loses 3,000 customer bank details

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Virgin Media has confessed to losing the bank
details of 3,000 new customers last month.
The company is currently phoning the affected
customers and has contacted all but a few
hundred. All the customers involved have
been offered credit file protection, in
essence a close watch on all their financial
transactions, and automatic indemnity should
a theft occur. The lost data concerned
customers who signed up for Virgin Media
services at Carphone Warehouse. Unencrypted
bank account details were recorded to a CD
and transferred by hand between Virgin Media
headquarters and another office. During the
journey, on 29 May, the CD was lost.

Read on...





Data breaches top the agenda at RSA conference

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data breaches remain a significant problem
for any company that manages information
about personal identity. In recent weeks,
widely publicized data breaches have hit
Lending Tree, Hannaford Bros. Co., and the
Bank of Ireland. Past data breaches at
ChoicePoint, TJX Cos., and the U.S.
Department of Veterans Affairs have resulted
in large, class-action lawsuits with claims
for or settlements in the millions of dollars
in some cases. At the April RSA Conference
in San Francisco, a number of speakers
addressed the technical and legal aspects of
the data breach problem.

Read on...





'I have a lost laptop horror story for you'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I used to work for Boeing in Wichita. Boeing
sold the Wichita division and all of the
workers, including me, to another company. We
still did the same work, but Boeing was just
one customer of several. Nearly a year after
the sale, someone at Boeing lost a laptop
that had the names, addresses and Social
Security numbers of nearly all of the 12,000
Wichita ex-employees on it. They waited an
unknown period of time before telling anyone,
then another couple of weeks before they
offered to pay for credit reporting
subscriptions for us. They offered no
compensation for people that had been actual
identity-theft victims and they wouldn't pay
for identity-theft insurance. Almost
immediately after the laptop went missing,
someone used my SSN to apply for credit cards
all over the country.

Read on...





Survey rats out UK data losses

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The loss or theft of private or confidential
data is endemic amongst UK firms, according
to research released today. The survey of
over 900 UK data protection professionals and
marketing professionals conducted by the
Ponemon Institute found almost two-thirds (61
per cent) had experienced a data breach
involving the loss or theft of consumer
information over the past 24 months. Worse
still, 90 per cent of these data breach cases
went unreported to customers, as the
organisation felt that they were either not
required to do so, or were unsure whether
they had to.

Read on...





Third of IT admins admit snooping with privileged passwords

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One in three IT administrators say they or
one of their colleagues have used top-level
admin passwords to pry into confidential or
sensitive information at their workplace,
according to a survey by a
password-management vendor. Nearly half also
confessed that they have poked around systems
for information not relevant to their jobs.

Read on...





Data breach at Tampa Bay area bank

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Customers of one Tampa Bay area bank should
check their bank statements and apply for a
new debit card after a data breach last week.
Bank Atlantic confirms they had a data loss,
involving their MasterCard debit cards. A
spokesperson says it happened through a local
merchant, but at this time, isn't saying
which one.

Read on...





Theft prevention: Five security risks for health care

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The recent wave of identity theft is
especially evident at health care facilities,
where a stolen computer could potentially
contain the most personal of information for
thousands of people. Through its work with
health care organizations, Absolute Software
identified the computer security risks most
often faced by hospital systems, health
management organizations and others with
responsibility for electronic protected
health information. Here's a rundown of each
risk area.

Read on...





Preventing data breaches not a technology issue

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When security people see headlines about data
losses at TJ Maxx, ChoicePoint, DuPont, and
the Department of Veterans Affairs, they
quickly assume that preventing such loss is a
technology problem. It clearly is not. It is
an information problem. Organizations know
that protecting their clients' or employees'
data is paramount and that the risk of not
protecting it is a story in the Wall Street
Journal. However, underneath the public
thunder about the loss of credit card and
social security numbers and healthcare
information, even more confidential
information is at risk.

Read on...





HMRC slammed over major data breach

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Serious institutional deficiencies at HM
Revenue and Customs were to blame for
Britain's worst-ever breach of personal data
security, when details of 25 million people
were lost in the post, according to two
reports. Investigators from the Independent
Police Complaints Commission found that HMRC
procedures for handling sensitive data were
"woefully inadequate" and staff adopted a
"muddle through" ethos to confidential
personal records. And a separate report by
consultant Kieran Poynter found that last
October's loss of two computer discs
containing the names, addresses and bank
details of every child benefit claimant in
the country was "entirely avoidable" and
raised "serious questions of governance and
accountability" at HMRC.

Read on...





Retailer Wards failed to notify customers of data breach

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Trusted old-name retailer Wards did not
inform its customers of a data breach that
allowed hackers to gain access to at least
51,000 records, including credit card
numbers. The breach occurred at the store's
parent company, Montgomery Ward, where
hackers looted the database that held account
information for all of the firm's retail
properties.

Read on...





Consumers punish organizations that expose their data, but can be mollified

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Organizations that expose consumer data pay a
big price in consumer confidence, but can
satisfy most customers by offering them
fraud-prevention services, according to a
survey of more than 400 data breach victims
by research and consulting firm Javelin
Strategy & Research. 55% of survey
respondents say they have less confidence in
the organization that exposed their data and
30% say they would never buy from that
company again, according to the online survey
conducted in May. 40% of respondents whose
information was exposed but had not become
victims of identity theft say they think the
breach leaves them more vulnerable to
criminals misusing their personal information.

Read on...





Liberty releases guidelines for data management, handling

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Liberty Alliance has released the first
versions of two key frameworks for how
businesses can share and protect sensitive
data in their networks. The Liberty Alliance,
a coalition of businesses and other
organizations, has worked to develop
protocols and policies for federated identity
and Web services, which have the potential
for new efficiencies in data handling but
come with many risks if data is lost or
mishandled.

Read on...



Contact Information

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
advertising inquiries:
karen@it-harvest.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

