Wednesday, January 21, 2009

We have a new BIGGEST! One of my students reported that her Credit Union will replace her credit card but the CU provided little information as to why.

http://it.slashdot.org/article.pl?sid=09%2F01%2F20%2F1930252&from=rss

Largest Data Breach Disclosed During Inauguration

Posted by kdawson on Tuesday January 20, @02:44PM from the debit-cards-at-risk dept.

rmogull writes

"Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems."

One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." [Are they saying the hackers didn't get your home address? Why would that make much difference? Bob] Heartland just put up a press release on the breach.

[From the article:

Robert Baldwin, Heartland's president and chief financial officer, said the company … began receiving fraudulent activity reports late last year from MasterCard and Visa

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. [But apparently not until last week! Bob] But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services. [Certainly not affordable. Bob]

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."

Related

http://www.digitaltransactions.net/newsstory.cfm?newsid=2063

PCI’s Shield Suffers Another Blow As Heartland Reports a Hack

This latest breach happened despite the fact that a qualified Payment Card Industry data-security standard, or PCI, assessor found Heartland in compliance with the card networks’ security standards last April, according to Baldwin.

After bringing in outside investigators and immediately reporting the breach to the U.S. Secret Service and U.S. Justice Department upon confirming it last week, [Why not last year, when Visa told them about it? Bob] Heartland in a news release today described the incident as the possible work of “a widespread global cyber fraud operation.”

Visa Inc. and MasterCard Inc. first alerted Heartland of suspicious transactions late in the fall, according to Baldwin.

Asked when the malware was planted, Baldwin says, “we have some strong suspicions, but at this point it’s still speculative.” [Translation: We don't know. Bob]

The breach could be large, according to Avivah Litan, a technology and security analyst at Stamford, Conn.-based Gartner Inc. “Very credible sources tell me this could be at least as big as TJX,” she says, refusing to identify the sources.


Related

http://www.networkworld.com/community/node/37510

Banks warn customers as debit-card processor acknowledges breach ... "Larger than TJX?"

By Paul McNamara on Tue, 01/20/09 - 10:03am.

… "We really don't have too many more details, but have noticed that credit unions in at least five states from Florida to Oregon have placed 'alerts' on their Web sites about a 'possible breach,' " says Kelly Todd, who helps maintain the Open Security Foundation's DataLossDB.

According to this story from the TimesTribune.com in Kentucky, Forcht Bank is among those taking steps to protect its customers.

This story over the weekend in the Kennebec Journal tells of 1,500 customers of the Kennebec Savings Bank in Augusta, Maine being notified that their card information had been compromised. The bank was replacing cards only upon request.

Here police in Salem, Oregon report a rash of actually compromised debit-card accounts held by the Oregon Territory Federal Credit Union.

A flashing "Debit Card Alert" message on the homepage of Franciscan Skemp Credit Union in Wisconsin leads to this detailed warning (.pdf).

While there are indications that the malicious software had compromised Heartland's network as long ago as mid-May (Baldwin would not confirm that), he said it was "just last week" that forensic examinations definitively pinpointed Heartland as the source of the breach.


Trivial in comparison?

http://www.databreaches.net/?p=773

VOIP hacked to the tune of $120k

Posted January 20th, 2009 by admin

Slightly o/t, but for the second time in one month, we’re seeing reports of phone system hacks leaving businesses with huge bills.

[From article one:

A Canadian computer security firm got worse than a lump of coal in its stocking this year -- it got a $50,000 phone bill after someone hi-jacked its phone system and made hundreds of calls to Bulgaria over two weeks.

[From article two:

A small business has a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours.


More detail on an old story.

http://it.slashdot.org/article.pl?sid=09%2F01%2F20%2F2258217&from=rss

Details Emerge On the 2006 Hacking of Congress

Posted by kdawson on Wednesday January 21, @08:08AM from the by-party-or-parties-unknown dept.

The National Journal just published an article with details about the hacking of Congress in 2006, possibly by agents in China, though the attack's origin is uncertain. The article notes the difficult work of the House Information Systems Security Office, which must set security policies and then try to enforce them on a population of the equivalent of C-level executives. The few members who have called attention to the issue of Congressional cyber-security have been advised to shut up about it, by whom the reporter did not discover.

"Armed with this information about how the virus worked, the security officers scanned the House network again. This time, they found more machines that seemed to match the profile — they, too, were infected. Investigators found at least one infected computer in a member's district office, indicating that the virus had traveled through the House network and may have breached machines far away from Washington. Eventually, the security office determined that eight members' offices were affected; in most of the offices, the virus had invaded only one machine, but in some offices, it hit multiple computers. It also struck seven committee offices, including Commerce; Transportation and Infrastructure; Homeland Security; and Ways and Means; plus the Commission on China, which monitors human rights and laws in China."


Oh yeah, this happened too...

http://www.bespacific.com/mt/archives/020355.html

January 20, 2009

Text and Video of President Obama's Inaugural Address

CNN: "Barack Obama was sworn in as the 44th president of the United States and the nation's first African-American president Tuesday. This is a transcript of his prepared speech." The video link is here.
