
Tracking and reporting of security vulnerabilities and breaches of personal information

The following are only a few of the breaches that occurred in 2009.

Oct 2, 2009

U.S. Government's Largest Potential Security Breach Over 70 Million Veterans.

 U.S. Government Largest Potential Security Breach of 70 Million Vets

National Archives and Records Administration (NARA) - The breach stemmed from a failed disk drive that was replaced on a server. The failed drive contained the personal information of 70 million vets and was apparently sent to a vendor for recycling without the stored data being destroyed. According to NARA information cited by several of the sites covering the story (listed below), the hard drive was used in eVetRecs, a system that vets use to request copies of their health and discharge papers.

The drive failed last November, and the agency returned it for repair to GMRI, the contractor that had sold it to them. According to Wired online, GMRI did not repair the drive and passed it to another firm for recycling. Hank Bellomy, NARA's IT manager, reported the incident to the inspector general, stating that this move puts more than 70 million vets at risk of ID theft.

Quoted from Wired.com  Ryan Singel - “NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time,” NARA told Wired.com in an e-mailed background paper (pdf). “This view could change if the inspector general's investigation of this incident later determines that GMRI or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive.”

The story is also covered in:
Wired.com  Ryan Singel  
Bloggers News Network - Robert Siciliano
Dark Reading - Tim Wilson

Personal Comment from JT:
The real issue is just how much this information is worth to the underground - hundreds of thousands to even millions. From the NARA's response they are not even going to support free credit checks or any type of monitoring! Wow! The error was neglecting to follow security policies already in place. Once again the question arises: why wasn't the data encrypted?

4thDTTM Security's roadmap includes cell and PDA security to eliminate these vulnerabilities directly and permanently and eliminate the Man-In-The-Middle. See the white paper or watch our presentation for more information.

Sept 25, 2009

Hackers Breach Chapel Hill Server, Compromise 200,000+ Women's Research Information

 Hackers Break Into Chapel Hill Research Server and Compromise Over 230,000 Women

Chapel Hill, NC - A hacker or hackers have breached the security of a research server containing personal data of 236,000 women enrolled in a UNC Chapel Hill research study. The data included the SSNs of at least 163,000 of those enrolled. Mathew Mauro, chairman of the UNC Department of Radiology, stated that the intrusion was detected in late July; however, computer forensics experts say it could have happened two years ago. "There is no direct evidence that any information has been removed," Mauro said. "But we can't say for sure." The server had all the required security measures in place and was one of two servers that held the records of more than 662,000 women from the Carolina Mammography Registry, which is used to analyze mammography data submitted by radiologists across North Carolina.

The story was covered by Eric Ferreri of the Charlotte Observer as well as Jaikumar Vijayan from Computer World.

Personal Comment from JT:
There are several questions that always arise when a server has been breached; the main one is why wasn't the data encrypted? To shed some light on this issue, it is not that simple to encrypt server data. Because of this, risk management falls into the arena and in most cases wins out due to cost and upgrades required for this to be implemented. Several lost or stolen laptops have been stated to have encryption; however, while working on the data, many of the commercial off-the-shelf (COTS) programs decrypt the data to be worked on and put it in a working file on the drive. In that case, even though there is an original encrypted file, the current work-in-progress is exposed and unencrypted.

For full disk encryption programs on the market, they all vary in performance and methodology. Some only encrypt the File Attribution Table (FAT) or the NTFS directory which locates the actual positioning of the data clusters on the hard drive. This is the poorest of the methodologies since the actual file data is not encrypted; however, it does allow faster access to the actual data since only a small amount of pointer information is decrypted to access the data on the drive. On the other end of the disk encryption arena we have full disk encryption, which has a serious performance degradation issue since all the data on the disk is encrypted and has to be decrypted for access. For large data files this adds access time; however, security is maximized if the laptop is lost or stolen.

For servers to encrypt all data would require that all those accessing the data must have the decrypting and encrypting program to read/add/modify the data as well as some form of identity verification. The encryption dilemma arises in risk management, where the probability of loss and liability are heavily weighed, and since most locations that store personal ID information have yet to be accountable to the victims with a cash outlay, it moves in favor of not encrypting the data. There have been cases when the courts have turned the tide on accountability: Citizen Financial vs Marsha and Michael Shames-Yeakel and Maine Firm Sues Bank for $588,000 cyber Heist, but these are only a couple and have very little effect to make a serious impact to change the accountability laws. Many advocates are pursuing this avenue to protect the privacy of the public and allow damages to be awarded to those who disregard individual privacy rights of private information stored on accessible media. I believe it is a long hard road that must be traveled if we are to maintain our freedoms as well as value in commerce.

Further links to the above lawsuit cases:
Citizen Financial followup by Kelly Jackson Higgins of Dark Reading.com
Bank Sued for failing to protect Internet Banking account  BankingInsuranceSecurityies.com
Maine Firm Sues Bank by Jeremy Kirk, IDG News Service on NetworkWorld.com


Sept 5, 2009

Mitsubishi's Unit Digital Direct Inc. Servers Hacked, 52,000 Credit Cards Compromised.

 Mitsubishi Corp Unit Digital Direct Inc. Server Hacked Compromising Credit Card Data on 52,000 Clients.

Mitsubishi Corp - Japan - Digital Direct Inc., an Internet shopping unit of Mitsubishi, reported that its servers were hacked and that the credit card data of 52,000 clients may have been compromised. Digital Direct released a statement (in Japanese) regarding the incident. The company stated that it has informed customers and authorities and has suspended operations on the website in order to make changes to the system.

The story is covered by Chris Cooper and Yuki Hagiwara of Bloomberg.com, Sept 5, 2009. The DatalossDB has also incorporated this into its database.

Personal Comment from JT:
Generally this site only includes MITM (Man-In-The-Middle) breaches that occur in the USA; however, since Digital Direct, Inc. is a worldwide credit card processing unit of Mitsubishi which has many USA customers, we decided to list it since it was a MITM hack from another country.


Aug 25, 2009

UMASS Servers Hack Reveals 20 Years of Personal Information.

 UMASS Amherst Server Hacked Revealing Personal Records of both College and Health Services From 1982 to 2002

Amherst, MA - Hackers once again breached the servers of the University of Massachusetts Amherst and obtained access to hundreds of thousands of records. The breach occurred from September 15 to October 27, 2008, with the most activity occurring on September 15th and 16th. The breach is assumed to have happened in September, nearly one year ago. The records contained SSNs and credit card information. UMASS spokesperson Patrick Callahan told the Worcester Telegram & Gazette that the 11-month delay in notifying the public was due to an ongoing investigation to determine what information was contained on the servers.

To give an approximation of the size of UMASS and its associated campus, in the fall 2008 school year there were 398,539 resident and non-resident alumni combined, according to the UMASS FACTS 2008-2009. The school stated that over half of its alumni are associated with the UMASS Health Services. Adding up the Fact Sheet enrollment numbers for 2000-2002 places this among the high-profile breaches that will approach a million individuals in one way or another. UMASS posted the breach on its website with just the information on what to do for yourself and what it will cost you to inform the credit reporting agencies. Fortunately, the UMASS website did leave contact information for the individuals affected to request compensation for its lack of security measures. UMASS also had its medical services server hacked back in April of 2008; Lesly Tanner of CBS3 Springfield covered that story as well.

This story has been covered by several news sites online: Priyanka Dayal of the Worcester Telegram & Gazette, Angela Moscaritolo of SC Magazine, and Lesly Tanner of CBS3 Springfield, to name a few.

Personal Comment from JT:
It is expected that the depth of this breach will slowly be revealed as time passes. Recently the Madison Hotel & Resorts released information of a breach from November 2008 to May 2009 as a result of the Albert Gonzalez investigation. On the curious side as to what is on the servers, hopefully they were secured and therefore it should only contain secured information. There are two main scenarios here: 1. a secured network breach, 2. an unsecured network breach. Either of these breaches makes all the servers on the breached network vulnerable, which begs the questions of how many servers were compromised and what technology was used to access them. The hack attack back in April 2008 at UMASS Medical Services revealed that there were over 100 servers on the network. There have been several breaches at UMASS over the years and it is not unreasonable to expect that after each breach security policies and measures would be corrected. We are still looking into this issue and will update this record when we receive more confirmed information.


Aug 17, 2009

Largest Security Hack Of The Year

 Miami Man Arrested For Hacking Over 100 Million Credit Cards Data From Retail Servers

Quoted from  Associated Press:
"Federal prosecutors today charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of trying to gain access to 130 million accounts. Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from a previous case.

WASHINGTON (AP) -- Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.

Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.  Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers, authorities say. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities.

Gonzalez, who is already in jail awaiting trial in a hacking case, was indicted Monday in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information. Prosecutors say the goal was to sell the stolen data to others. Prosecutors say Gonzalez, who is known online as "soupnazi," targeted customers of convenience store giant 7-Eleven Inc. and supermarket chain Hannaford Brothers, Co. Inc. He also targeted Heartland Payment Systems, a New Jersey-based card payment processor."

The story is also covered in the Guardian.co.uk and Thaindian News by Joda Thongnopnua.

Personal Comment from JT:
It is expected that the depth of this breach will slowly be revealed as time passes. Recently the Madison Hotel & Resorts  released information of a breach from November 2008 to May 2009 as a result of the Albert Gonzalez investigation.


Aug 14, 2009

Calhoun County MI Security Breach

 Calhoun County Career Center MI, Posted Personal Information On An Unsecured Website Server For Several Years

Quoted From BATTLE CREEK, Mich. (NEWSCHANNEL 3) – "People who were looking for help getting their career off the ground in Battle Creek could be at risk for identity theft."

The data, collected during 2005 and 2006, included SSN, date of birth, name, address and other information, and was stored in a database. The school stated that someone working on the project also ran a private website and stored a copy of the database on that unsecured website's server, leaving it open to anyone doing a web search on the Internet. A letter was sent to the individuals in the database stating "that from the fall of 2005 to the spring of 2009, anyone searching the Internet could have accessed that database and that personal data." The story was also covered by the Chicago Times via the Associated Press.

Personal Comment from JT:
Having the data accessible for several years on this individual's webserver shows that companies are not only ignorant of security policies but are lacking the integrity required to be handling this type of information. I personally find it difficult to accept that with all the publicity that ID theft has had over the past several years that this database was not noticed, removed and that the individual failed or just neglected to remove the database. This makes it even more negligent not only for the school but for the employee copying private information from the school and putting it on an unsecured webserver with or without the school's knowledge. This is just reckless endangerment.


Aug 8, 2009

Amuse, Hacked, Over 10,000 Credit Cards Along With Other Information.

 Amuse Inc, Hacked From Outside the Country and Loses Over 30,000 Credit Card Numbers

Quoted From Nikkei Source  "TOKYO (Nikkei)--Amuse Inc. a production company managing big-name artists such as the Southern All Stars, has lost about 10,000 credit card numbers and other customer information in a possible hacker attack, The Nikkei learned Friday.

Sources say the information -- which also included names, street addresses, ages, occupations and e-mail addresses -- belonged to customers who bought products from Amuse's Web site and to members of artist fan clubs. About 100,000 pieces of information were likely lost, according to the sources. Some of the leaked credit card numbers appear to have since been used illegally.

Amuse's system may have been infiltrated by hackers. The company has halted credit card transactions on its site. It plans to assess the extent of any credit card fraud and says specific actions could be announced as early as next week."

The story was also covered at Bloomberg.com by Gregory Turk, whose sources state that Amuse says over 30,000 credit cards were stolen during the hack and suspects a server in China as the possible hacking source.


July 25, 2009

Network Solutions E-accounts Hacked, 500,000+ Accounts Compromised.

 Network Solutions Gets Hacked And Exposes Over 500,000 Credit And Debit Card Accounts.

Network Solutions, Reston, VA - The data breach lasted from March 12th to June 8th, and it took forensic investigators until July 13 to crack the hackers' code and trace the amount of time the breach existed. The company discovered the breach in early June. Spokeswoman Susan Wade said that Network Solutions processed over 4300 merchant websites belonging mostly to small businesses.

The breach exposed details of more than 500,000 credit and debit cards when hackers penetrated a system that was used for e-commerce services by planting software to redirect transactions to a rogue server. Network Solutions is working with undisclosed law enforcement agencies to figure out who is responsible for the breach. In all, information on 573,928 accounts may have been siphoned in the attack, which would affect different merchant websites at different times during the breach.

The story, covered by Dan Goodin in San Francisco, is published in The Register. The incident is also published on the Network Solutions website.


July 16, 2009

Electric Utilities, SCADA Networks Still Ignoring Cyber Security Warnings

 Lawmakers:  Electric Utilities Still Vulnerable And Ignoring Cyber Security Warnings

Quoted parts from ComputerWorld : July 16, 2009
IDG News Service - "The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S. lawmakers said today".

In an article published in ComputerWorld July 21, 2009 by Grant Gross -   "The electric industry has pushed against federal cybersecurity standards and some utilities appear to be avoiding industry self-regulatory efforts by declining to designate their facilities or equipment as critical assets that need special protection, said U.S. Rep. Yvette Clarke, a New York Democrat and chairwoman of the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology".

"This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry," Clarke said.  The U.S. electric grid is an "obvious target" for enemies of the nation, and a major outage would affect all aspects of everyday life, Clarke said during a hearing. "We simply cannot afford to lose broad sections of our grid for days, weeks or months," she said.

Editor's note from Sal Tuzzo:
To balance the playing ground from the Lawmakers' demands, many times it is easier to say fix it than it is to really understand the actual complexities of the electric grid industry and why it appears that they are ignoring the Lawmakers. The cybersecurity industry is in a Risk Management mode instead of a solutions mode. Our research into the SCADA industry shows a diversity of hardware, custom programs and patches for a variety of smaller to larger power utility companies throughout the nation's municipalities. To just say obey the new laws without federal funding first is inappropriate at the least and exceeds to the ridiculous at the extreme. The podcast below explains the main reasons why the cybersecurity laws have not been implemented and probably will not happen for some time as long as the requirements are to replace the entire system. Another very important reason is that up until now there has not been an available solution to the main causes of SCADA security breaches. The electric industry is a public utility and is accountable to itself without government ownership or strong-arm tactics and is dependent on its own revenues for upgrades and advances. The economy today without doubt puts a halt on all new advancements and equipment replacement and, to add to this dilemma, the utility rates are governed, limiting the amount of resources available. Our research shows that full hardware replacement of these networks will cause more disruptions, open more vulnerabilities that hackers are more familiar with, as well as subject the network to constant patches which would cause havoc to the reliability of these systems, with the end result being public disruption. Our research also shows that over 80% of the breaches uncovered are from Man-In-The-Middle (MITM) attacks which are attributed to third party software or custom patches implemented in order to solve other power distribution issues for reliability of service.
Adding security by replacing these systems with modern hardware is not as simple as changing the locks on the door.


July 16, 2009

LexisNexis Data Breach Affects 13,000 People, Has Mafia Ties

 LexisNexis Notifies 13,000 That Data Has Been Accessed By Individual Tied to Organized Crime

Quoted from the Dayton Daily News: July 16, 2009
"MIAMI TWP., Montgomery County — LexisNexis has notified more than 13,000 consumers that a Florida man with ties to the Mafia may have accessed their personal information."

Lee Klein, 39, of Boynton Beach, and 10 others were charged with racketeering in U.S. District Court of Southern Florida in May. The federal indictment states that Klein was part of the group working for Thomas Fiore, who is an associate of the Bonanno crime family.

"The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement. "

IDG News Service reported that LexisNexis sent out a letter last month warning people that Klein may have used his access to databases of LexisNexis company Seisint “in order to perpetrate certain crimes.”

The full story is covered by Tom Beyerlein of the Dayton Daily News; the original story was covered by Robert McMillan of PCWorld.


July 16, 2009

San Diego Medical Center Breach Compromises 30,000 Patients

 San Diego Medical Center - Hackers Breached Security Exposing 30,000 Patients Medical Records

The Associated Press  July 16, 2009
SAN DIEGO: A San Diego medical center notified 30,000 patients that a hacker(s) breached the center's computers and gained access to a database of patients' personal information. The 30,000 letters were sent out by the University of California, San Diego's Moores Cancer Center after the records were accessed late last month.

Spokeswoman for the center DeAnn Marshall says "the computer servers have information such as patients' names, birth dates and diagnosis and treatment dates. She says most patient information did not include Social Security numbers and there is no evidence any of the information has been viewed." The hospital says patients' medical records are stored in separate servers and were not breached. Marshall says authorities are investigating. The story was covered by Mercury News and by Angelica Martinez of the San Diego Union Tribune.


June 30, 2009

Laptop With Names and SSN Shows Up In Local Computer Repair Business

 Laptop With 6000 Sutter-Health Names and SSN Shows Up At A Local Computer Service Business

Sacramento, CA - Several thousand of Sutter Health's current and former employees will be getting a letter soon stating that their private ID information has been compromised. Officials from the company's Sierra region were contacted by a local computer repair business stating that it had a computer with unencrypted private information on its hard drive. "The repair people did the right thing and told us they had our laptop," said Sutter Communications Coordinator Kami Lloyd.

Sutter Health sent out a letter to individuals stating that an employee had had possession of a company laptop since 2007, but late last month it showed up at a computer repair business. The technicians returned the hard drive to Sutter when they realized where it came from.

The letter also pointed out that the data was accessed by the repair business, although the repair business wrote a certified letter stating that it did not retain any information from the hard drive. Sutter did advise employees to contact their credit reporting agencies and put fraud alerts on their credit files. Kroll Inc TheftSmart services were offered to all involved at no cost for one year.

Now that whoever else read the data knows that there is a one-year moratorium on the information, it goes into the hackers' holding bin. What happens after that? Yes, the victim is responsible for all damages or gets a lawyer who will probably get paid regardless of who wins the lawsuit. The story was covered by News10 ABC.

At least Sutter has learned from its error and is making provisions to encrypt all data and set a security policy to save all data to a network drive.


June 24, 2009

Flash Drive and Laptop and GPS Stolen

  Stolen Flash Drive with 2828 Names, SSN and Personal ID Information From Florida Department of Revenue.

The names, addresses and Social Security numbers of over 2800 individuals were on a flash drive stolen, along with a laptop, a cell phone and a GPS device, from an unlocked car at the home of a Florida Department of Revenue employee in Marietta, GA on April 9th. Officer Jennifer Murphy stated that there have been no arrests at this time and the stolen items have not been recovered to date. The files were password protected and not encrypted. According to the department's CIO Walter Boyd, there is no evidence any of the identities have been stolen. This is just another example of not keeping information on the server database, protected from this type of activity.

Several larger companies have developed security policies for laptops that encrypt the entire disk as well as keeping critical information on a server and not allowing the information to be replicated to a laptop. This alone would prevent a high percentage of breaches. The story is covered in the Gainesville Sun.


June 14, 2009

Cornell Computer Compromises 45000+ People's ID

 Cornell University Security Breach Compromises Over 45,000 Students and Staff

Another stolen computer breach, this time at Cornell University: a computer that contained Social Security numbers, names and other information was stolen from an unsecured location. The computer was issued to a member of the Cornell technical staff and used to correct transmission errors found in the processing of files. The computer should have been in a secured area and the staff member violated Cornell's security policy, University officials stated. The story was covered by the Associated Press and the WVBR Radio FM website.

The people affected were 22,546 current and former students along with 22,731 current and former faculty, totaling 45,277 in the Cornell community. The difficulty is that once your ID is stolen it is never truly recovered; the breach is only the beginning. The information is always out there in some hacker's dark box of tricks. As with many breaches, we see the ID theft happen any time from immediately to several months to years after, depending on how much the criminals plan to take.


June 14, 2009

RI Coffee House Wireless Network Hacked

  Computer Hackers Victimize Portsmouth Coffee House Customers

In August 2008 the Secret Service paid a visit to the new owners of the Custom Coffee House in Portsmouth, RI, and not for a social visit to get coffee. They informed the owners that hackers had broken into their wireless network and were stealing customers' credit and debit card information. It was stated that about 50 customers had been compromised so far. The time frame goes back as far as May 2008 according to Police Chief Lance Herbert. The breach was noticed when victims received charges on their statements that they did not make and started reporting them. It has also been stated that the hackers have made nearly $50,000 in unauthorized charges so far. The whereabouts of the suspects are still unknown at this time.

This is not the first time that hackers have compromised a wireless network; the TJX (TJ Maxx) breach in January 2007 was the largest breach in history to date.

A lot has changed since then, with WEP, WPA and AES security features incorporated into the wireless routers today. It also appears that these features have either been bypassed or compromised in some way. Typically hackers attack the POS terminal application software and install some kind of key/data logging software, then just monitor the network for transactions. For clarity, this was not the case with TJX; the hackers just monitored the wireless network from the parking lot. The full story is in the Providence Journal.


June 5, 2009

Virginia University Security Breach Affects 17,000+

  Virginia Commonwealth University Security Breach involves Stolen Computer

Virginia Commonwealth University notified more than 17,000 individuals of a security breach involving a computer stolen from the school library. The computer contained their names, Social Security numbers and test scores, which may have been exposed. The incident happened in mid-April; the individual was caught without the computer in his possession but admitted taking it. The University stated that it will still notify government agencies and credit-reporting companies.

The university stated that it stopped using Social Security numbers to identify students in January 2007. The computer also contained test scores from October 2005 to the present. The incident was covered in the Richmond-Times and the Washington Post.


May 28, 2009

Aetna Insurance Security Breach Affects 65,000+

  Aetna Insurance Security Breach Affects Over 60,000 From Offsite Service Provider

Aetna Insurance reported a security breach earlier this month, after people started receiving spam messages that appeared to originate from Aetna. An Aetna investigation revealed that its job application Website had been breached. To be on the safe side, Aetna contacted 65,000 current and former employees about the breach to inform them that their Social Security Numbers (SSNs) may have been compromised. Aetna spokeswoman Cynthia Michener said the Website, which is maintained by an offsite vendor, holds about 450,000 applicants' information and that the SSNs were not stored on that job application Website server. Aetna is offering free credit monitoring, and it is not clear at this time whether the SSNs were obtained from this breach.


May 21, 2009

Hackers Pay Top Money for Nokia's 1100 Cell Phones

  Nokia's 1100 Cell Phone Prone To ID Theft Of Banking And Message Transactions

People selling their old cell phones should watch out. Criminals pay high prices for old cell phones only to reprogram them and use them for criminal activities against you. Cell phones that are used for financial and messaging transactions contain an mTAN (mobile Transaction Authentication Number) that allows mobile transactions such as banking and other personally identifiable transactions. To date, Nokia 1100 phones have been found reprogrammed to allow interception of SMS (Short Message Service) messages.


May 14, 2009

Financial District WiFi Network Hackers' Utopia

  AirTight Networks Wireless Vulnerability of Financial District Report

AirTight Networks conducted a study of the wireless networks used in financial districts in the USA and the UK. The criteria for the report: visited 7 financial districts (6 in US, 1 in UK); scanned the WiFi signal for 5 minutes at each randomly selected location; 3632 APs scanned; 547 clients scanned. WiFi signals were picked up at 30 randomly selected points in New York, Chicago, Boston, Wilmington, DE, Philadelphia, San Francisco and London. The sampling of the WiFi trace reveals a lot about the network security posture in each location. The results show that 57% of WiFi networks are either OPEN or using weak (WEP) encryption. See the full report. Also posted on Security Focus.


May 8, 2009

UC Berkeley Health Services Database Hacked

  Hackers attack Campus Databases, Steal Social Security Numbers, Other Data

The University of California, Berkeley uncovered a security breach on Friday, May 8 that infiltrated the computer databases in the campus's health services center. The University immediately began notifying students, alumni and others that their personal information may have been stolen by hackers who breached the system. The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and the names of some of the physicians they may have seen for diagnoses or treatment. The full story is on the Berkeley website. What is interesting is that the breach was identified as active from October 8, 2008 until April 9, 2009, when it was uncovered by administrators performing routine maintenance. One would hope that the month-long wait between discovery and notifying the university and others was for investigative reasons, to try to catch the hacker. See also Security Focus Reports.


May 7, 2009

Heartland Security Breach Costs $Millions

  Heartland Security Breach Costing Millions and Still Rising

Heartland Payment Systems, a Princeton, N.J.-based provider, is still battling a security breach, announced last January, that has reached global proportions. Heartland has paid out $12.5 Million so far in fines and lawyers' fees; however, the victims are still waiting to see if, when and how this will affect their personal information. Several media outlets are following this story, including the Washington Post and NetworkWorld, outlining the severity of this breach and stating that it could be the largest to date. The effects of these breaches are not only devastating to those whose identities have been stolen; they also leave the remaining victims with a thorn in their side for a long time. It is interesting to note that businesses are fined (however, losses are tax deductible) and lawyers get paid, but the victims and taxpayers foot the bill for it all.


May 4, 2009

Health Database Held Hostage

  Hackers Break Into Virginia Health Professions Database, Demand Ransom

The Commonwealth of Virginia's Department of Health Professions database was compromised by hackers who allegedly stole healthcare data on nearly 8.3 million patients, according to a news release by the Washington Post. The hacker demanded a $10 million ransom for the data, along with a threat to release millions of Americans' medical and personal information if not paid. A message was left on Wikileaks.org claiming to have taken 8.26 million patient medical records along with almost 36 million prescriptions, according to the SecurityFix blog of the Washington Post. The website is Virginia Department of Health Professions. Also released on Security Focus.


April 15, 2009

Global Security Data Breaches

  Verizon Business Investigation 2009 Data Breach Report

Published by the Verizon Business Investigation Team, the 2009 Data Breach Report finds a significant rise in targeted attacks and organized crime involvement. The report shows organized crime was responsible for over 90% of the 285 Million breaches reported. Reporting this type of information to the public makes us aware of the seriousness of security and social behavior in this technology age. We as a society have to learn how to protect our information from being open to the public and being used for criminal activity at our expense. Losing private information is much worse than someone breaking into your home and stealing your property. In this free republic the presumption of innocence works for the predator; in ID theft you are presumed to have stolen your own goods and have to prove first that someone stole your identity. The cost is not just money; a good proportion of the victims of ID theft never fully recover. There are so many reports and studies that just keep confirming that the security technologies and policies in place today are still ineffective.


The full report is 2009 Data IP Breach. Other sources of data breaches: Data Loss Database. Download the complete Excel spreadsheet of the data breaches.

April 8, 2009

US DoE Maps

  Electricity Grid in United States Penetrated by Spies.  Wall Street Journal April 8, 2009

The Wall Street Journal posted an article on the electricity grids in the USA, stating the obvious about something that has been going on for several years: they have been compromised. This should not come as a surprise, since the majority of the control is performed via a SCADA network that is connected to the Internet. These types of MITM (Man-In-The-Middle) attacks are used for many reasons; mapping the entire grid system and planting kill-switch software are a couple. What makes matters a bit more difficult is that the ones mentioned in the article are only the ones that have now surfaced. The uncertainty about other programs should be of greater concern. How will they be triggered? These questions and others have to be addressed. There are three articles of interest: "Smart Grid May Be Vulnerable to Hackers" (CNN, Mar 21, 2009), "Hackers Reportedly Have Embedded Code In Power Grids" (CNN, Apr 8, 2009) and the original WSJ article. For some background history on SCADA networks, see also the April 7, 2009 article "SCADA Security, What SCADA Security?" by Gadi Evron.

What can be done now to prevent further access and neutralize the kill switches we can not see?  

March 8, 2009

Small Businesses Under Siege

  Small Business Secrets Under Siege

Brett Kingstone and the Security Executive Council explain how economic espionage costs the U.S. economy billions of dollars annually while destroying small businesses and technological innovation. Taken from the full article at Security Info Watch.com.

American small businesses are the prime target for theft of technology and know-how. It costs the USA almost $1 trillion each year in stolen products and technology. This is happening around the world as well.


 

 

Copyright© 2005-2010 4thDimensional Technology™