Security News, Vulnerabilities, Data Breaches, Website Security
Credit Card Theft Put Miami on the Map
Aug 19th
Miami is a fun place to live and work (there are actually people who work here). It's a great vacation spot, people enjoy the nightlife, and now we have something else to crow about: the largest credit card theft ring was based here!
According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”
It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down to the Caribbean and hack from there, where they would be less likely to get caught?
My question about this is: what is the value of regulations such as PCI or HIPAA? A PCI security audit and a HIPAA security policy are supposed to prevent this type of thing, yet the companies being hacked usually come out after the fact and say they were compliant.
Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I don't suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring, I guess.
| Date | Organization | Description | Records |
| --- | --- | --- | --- |
| Aug. 1, 2009 | Williams Cos. Inc. (Tulsa, OK) | A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker’s vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. | 4,400 |
| Aug. 3, 2009 | National Finance Center (Washington DC) | An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing employees’ personal information to a co-worker via unencrypted e-mail. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. | 27,000 |
| Aug. 4, 2009 | New Hampshire Department of Corrections (Laconia, NH) | A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents, and investigators are trying to find out why the documents were not destroyed. | 1,000 |
| Aug. 11, 2009 | Bank of America Corp. (Charlotte, NC) | Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | Citigroup Inc. (New York City, NY) | Citigroup (NYSE:C) recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | University of California-Berkeley School of Journalism (Berkeley, CA) | Campus officials discovered during a computer security check that a hacker had gained access to the journalism school’s primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. | 493 |
| Aug. 13, 2009 | National Guard Bureau (Arlington, VA) | An Army contractor had a laptop stolen containing personal information on 131,000 soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. | 131,000 |
| Aug. 14, 2009 | American Express (New York, NY) | Some American Express card members’ accounts may have been compromised by an employee’s recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. | Unknown |
| Aug. 14, 2009 | Calhoun Area Career Center (Battle Creek, MI) | Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School District found that information for 455 students was available. | 455 |
| Aug. 15, 2009 | Northern Kentucky University (Highland Heights, KY) | A Northern Kentucky University employee’s laptop computer, which contained personal information about some current and former students, was stolen from a restricted area. The personal information stored on the employee’s computer included Social Security numbers of at least 200 current and former students. | 200 |
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Web Security Testing has come of age
Jul 20th
Website security is one of the most dangerous exposures a company has. If you look at a layered security approach, we start with the internal network: host security, patch management, host IDS and other server-based technologies. Next come the network security layers: network intrusion detection, network monitoring and firewall protection. So with the internal servers secured and the network protection in place, what is left that still lets an attacker into a secure environment?
The website is the open front door to many companies. Security education for both the developers of web applications and the users of websites is sadly lacking. If we look at most compliance regulations, such as HIPAA or PCI, there is an education component, but most companies do not spend the time to provide more than a written manual that no one reads. Those same regulations have requirements for a secure development lifecycle strategy, but how many web application developers actually follow a strict methodology?
So on LinkedIn, I asked the question “what are the web security tools favored by the security community?” (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct security testing. Some are paid and some are free. Here is the list, in no particular order.
1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) WebScarab http://www.owasp.org
7) WebInspect http://www.hp.com
8) Fiddler http://www.fiddlertool.com
9) Samurai Web Testing Framework http://samurai.inguardians.com/
10) FireCAT http://www.security-database.com
11) w3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) AppScan http://www-01.ibm.com/software/awdtools/appscan/
Having listed these (and of course there are a number of other tools), we can begin to secure the environment. Please send me any comments on other tools you like. Running a tool is the first and easiest step you can take to close that open web door (“webdoor”: I am going to try and coin that phrase). If you can target the tactical problems a scanner finds and get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities in the first place.
The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
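Step 4, monitoring and logging, only pays off if someone actually looks at the logs. As an added example (not code from the original post), the script below scans web server access-log lines for a few common attack indicators: SQL injection tautologies, directory traversal and script injection. The log lines are constructed for illustration, and the indicator patterns are a small starting set rather than a complete signature database. One detail practitioners get wrong is shown explicitly: the request path is URL-decoded (bounded, so double-encoded payloads like `%2527` are caught too) before the patterns are applied, otherwise a `%27` trivially slips past a pattern looking for `'`.

```python
"""Scan Apache combined-format access-log lines for web-attack indicators.

Added example for this post, not code from the original page. SAMPLE_LOG is
constructed test data; INDICATORS is an illustrative, deliberately small set.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2009:10:01:12 -0400] "GET /index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jul/2009:10:01:15 -0400] "GET /index.php?id=42%27%20OR%20%271%27=%271 HTTP/1.1" 200 8931 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2009:10:02:01 -0400] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1403 "-" "curl/7.19.5"
198.51.100.9 - - [20/Jul/2009:10:02:30 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210 "-" "curl/7.19.5"
192.0.2.44 - - [20/Jul/2009:10:03:00 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Jul/2009:10:03:05 -0400] "GET /admin/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""

# Pulls client IP, timestamp, request path (with query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to the URL-decoded path + query string.
INDICATORS = {
    "sqli": re.compile(
        r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=|union\s+select|;\s*drop\s+table", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}


def decode_path(path: str) -> str:
    """URL-decode up to three times so double-encoded payloads are not missed.

    The loop is bounded on purpose: never decode "until stable" on attacker input.
    """
    previous = None
    for _ in range(3):
        if path == previous:
            break
        previous, path = path, unquote(path)
    return path


def scan_log(text: str) -> list:
    """Return one finding (ip, decoded path, status, matched indicators) per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; production code should count these, not drop them silently
        decoded = decode_path(m["path"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m["ip"],
                "path": decoded,
                "status": int(m["status"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on an injection attempt deserves a closer look than a 403.
        print(f"{f['ip']:<14} {f['status']} {','.join(f['indicators']):<10} {f['path']}")
```

Note that the 403 on `/admin/` produces no finding: a blocked request is not an attack indicator on its own, while a 200 response to a tautology payload is exactly the kind of line that should page someone.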
Do not get lax when it comes to web security. It's a bit of black magic and a lot of hard work, but as it's the “webdoor”, try and keep it closed.

US to set out cyber security plan - Baha to the rescue
May 29th
Why did it take us over two decades to really approach the cybersecurity topic? When I started in information security in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse, where we had the first ever corporate “Hacking Lab” in NJ to test our clients’ security weaknesses. Those were good times. Now we are just in regular times.
So what can we expect from the Czar?
“The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable,” said Hathaway at RSA in April.
Well, that was obvious. When you have hackers running around American corporations and in and out of government agencies, I would agree that is “untenable”.
Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.
Good plan right?
My point is that you have to have someone with a practical approach. You need to address this both strategically and tactically: tactically in the short term and strategically in the long term.
We know government can't get out of its own way, so let the private sector have more say in how this is done. A simple way to start:
1) Have a timeline, say two years, to have every government and quasi-government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have patch management for all systems.
4) Encrypt any data leaving a secure internal system.
5) Figure out what Data Loss Prevention means!
6) FUND cybersecurity like it's part of the defense budget.
Baha – new Cybersecurity Czar
http://twitter.com/kraasecurity
From the BBC report:
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.
In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.
In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.
But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.
Healthcare Security - Identity Theft and Hacker Ransom
May 7th
I hope no one is actually shocked by this story. Records are stolen every day. Typically, the hackers will sell the information in the underground somewhere in Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly, is actually a good thing in my opinion. Why is it good, you ask? (I assume you are asking that, Vulcan mind meld and all that.) Maybe the industry (meaning all industries) needs a sensational story to get real change in its IT security environments.
When the Heartland data breach happened, it was interesting, but the general public didn't find it sexy enough. A ransom note, publicly delivered, makes for good drama. Equate it to the Somali pirates: they really broke into the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about the security of the places they use on the Internet.
Identity theft is on the rise. Most companies never do a web application security assessment, and they almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, your last line of defense can save your hide. The caveat is that encryption at rest only helps if the compromised web tier cannot itself read the keys or drive the decryption; transparent disk-level encryption stops a stolen backup or drive, not an attacker who owns the application that legitimately reads the data.
So what are some things you can do to protect your website?
1) Conduct a web application security assessment. You should probably do this twice a year, and any time you make significant changes to the application.
2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find a way around the application and perhaps get to the data through a different port.
3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised.
4) Conduct a database security review. This is your last line of defense: make sure the data is encrypted, access is fully authenticated, and there is IDS on the database to flag and stop inappropriate access.
5) Hire someone smart to do your security assessment.
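To make items 1 and 4 above (and the “Vulnerability testing” and “Secure Code Review” steps from the web testing post) concrete, here is an added example that is not code from the original posts. It builds two tiny login back-ends on in-memory SQLite: the “before” state, with plaintext passwords and a query assembled by string concatenation, and the “after” state, with a parameterized query, salted PBKDF2 hashes and a constant-time compare. The same tautology payload is then thrown at both, which is exactly the kind of check an assessment starts with. The accounts, table layout and payload are constructed for illustration.

```python
"""Vulnerable vs. hardened login query, exercised with a SQL-injection payload.

Added example for this page, not the author's code. ACCOUNTS and PAYLOAD are
constructed test data; the schema is illustrative.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed test accounts (not real credentials).
ACCOUNTS = (("alice", "correct horse"), ("bob", "hunter2"))

# Classic tautology payload, supplied as both username and password.
PAYLOAD = "' OR '1'='1"


def legacy_db() -> sqlite3.Connection:
    """The 'before' state: plaintext passwords in the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """BAD: untrusted input is spliced into the SQL text.

    With PAYLOAD the WHERE clause becomes
      username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so the first user is returned without a password.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; iteration count is a tunable cost factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hardened_db() -> sqlite3.Connection:
    """The 'after' state: per-user salt and PBKDF2 hash instead of plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in ACCOUNTS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, pbkdf2(pw, salt)))
    return conn


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized lookup plus constant-time hash comparison.

    The driver sends the username as a bound value, separate from the SQL text,
    so quotes or keywords in it cannot change the statement. The password is
    never put in the query at all; it is verified against the stored hash.
    """
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user, salt, pw_hash = row
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return user if hmac.compare_digest(pbkdf2(password, salt), pw_hash) else None


def run_assessment() -> dict:
    """Run the injection payload and a valid login against both builds."""
    legacy, hardened = legacy_db(), hardened_db()
    return {
        "vulnerable_bypass": login_vulnerable(legacy, PAYLOAD, PAYLOAD),   # a username: bypassed
        "hardened_bypass": login_hardened(hardened, PAYLOAD, PAYLOAD),     # None: rejected
        "vulnerable_valid": login_vulnerable(legacy, "bob", "hunter2"),
        "hardened_valid": login_hardened(hardened, "bob", "hunter2"),
        "hardened_wrong_pw": login_hardened(hardened, "bob", "nope"),
    }


if __name__ == "__main__":
    for check, result in run_assessment().items():
        print(f"{check:<18} -> {result!r}")
```

The hardened version is also what the database review in item 4 buys you: even if the web tier is breached and the table is dumped, the attacker gets salts and slow hashes rather than the passwords that customers reuse everywhere else.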