Thursday, April 14, 2011

This is a biggie, but still too early to know what the hacker got.

http://it.slashdot.org/story/11/04/13/1925244/WordPress-Hacked-Attackers-Get-Root-Access?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

WordPress Hacked, Attackers Get Root Access

"A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"


(Related)

http://thefastertimes.com/tech/2011/04/13/cyber-attack-compromises-18-million-wordpress-blogs/

Cyber Attack Compromises 18 Million WordPress Blogs


(Related)

http://cybersecurityreport.nextgov.com/2011/04/wordpress_insecurity_compromised_blog_puts_government_and_commercial_clients_at_risk.php?oref=latest_posts

WordPress Hack Puts Government and Commercial Clients at Risk



Smaller, but a typical breach announcement for my Computer Security students.

http://www.databreaches.net/?p=17736

PA: Theft Of College Computers May Result In Breach Of Personal Data

April 13, 2011 by admin

WFMZ-TV alerts us to a breach at Albright College in Reading, PA. Although there does not appear to be any easy-to-find notice on the college’s web site at the time of this publication, WFMZ reports:

Albright College in Reading is putting its current, prospective, and former students on alert about a possible breach of their confidential information following a theft of several computers.

According to a letter distributed by Albright on Wednesday, the computers were stolen from the school’s financial aid office in February.

College officials said they held off in publicizing the thefts because they first had to hire a risk management firm to sift through the data that was on the computers. [Translation: We don't know what is on those computers... Bob]

“The information on the stolen computers includes name, address, date of birth, and Social Security number, may include data supplied by students or parents, and may affect not only the supplying parties but also spouses or joint account holders, among others,” Gregory E. Eichhorn, vice president for enrollment management and dean of admission at Albright, said in the letter.

Albright said as many as 10,000 people could be affected by the thefts, including current and prospective students, graduates, college faculty, and staff.

Read more on WFMZ-TV.

Great thanks to Bart Porter of Redemtech for alerting me to this breach.



Another “all too typical” breach

http://www.cbc.ca/news/canada/edmonton/story/2011/04/13/edmonton-school-board-employee-privacy-breach.html

School board loses memory stick with employee data

In a massive privacy breach, a USB memory stick containing information, including resumes and employment records of about 7,000 employees, was lost on March 22.

The stick was used by a school board computer technician working in human resources to download the data, but then he lost it. [Computer Techies do not need data. The only reason to do this is to backup the data – required only when the network backups have failed. Bob]

… Provincial privacy commissioner Frank Work said the school board violated its own policies.

"First of all, according to school board policy, you're not supposed to use an unencrypted stick," said Work. "They did."

"Second of all … they're supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long."

… But he said there is no point in penalizing the board financially because it has already spent thousands of taxpayer dollars to sort out the mess.



Computer crime, a growth industry …

http://www.databreaches.net/?p=17755

Aussie data breaches doubled in 2011

April 13, 2011 by admin

Darren Pauli reports:

The number of Australian data breaches reported to forensic investigators has already doubled those experienced in 2010, even though it’s only April.

Some of the worst breaches have cost businesses many hundreds of thousands of dollars, and involved significant loss of credit card information and customer information.

Yet it seems that none of the breaches handled by forensic investigators Verizon and Klein&Co have been reported by the media.

“The old adage that all press is good press has been thoroughly dispelled,” Verizon investigative response director Mark Goudie said. “None of the cases have been reported by media to my knowledge.”

Most of the breaches, which this year were twice as numerous as those reported over same time in 2010, succeeded through basic information security bungles such as the use of lax passwords and default user access rights, Goudie said.

Klein&Co has already handled more than a third of the number of severe credit card breaches this year than it handled in 2010.

“This year we’ve handled between ten to 15 [credit card] breaches. We handled 33 during the whole of 2010,” director Nick Klein said.

He said the major banks and card issuers have reported similar increases.

Read more on ZDNet (AU). It sounds like Australians should be protesting loudly that they need legislation requiring mandatory data breach notification.



This should make all “electronic filers” a bit nervous... (or was it a Third Party breach?)

http://blogs.forbes.com/williampbarrett/2011/04/13/massive-identity-theft-with-help-from-the-irs/

Massive Identity Theft With Help From The IRS

Someone has hijacked the tax identity of more than 2,300 tiny or defunct nonprofits, apparently taking advantage of a hole in a new electronic Internal Revenue Service filing system to list the same person as a charitable official at the same mail box drop in Las Vegas.

… Yet a would-be charitable donor consulting one of the official IRS databases would find all listed as valid and most with the ability to offer tax deductibility for contributions. It doesn’t take a lot of thought to imagine the mischief or even fraud that could be caused by use of this official agency imprimatur in what looks like a massive case of identity theft.

… News of this problem breaks at a bad time for the agency. The deadline for personal tax returns is Monday and IRS officials are encouraging taxpayers to file electronically, which saves the feds huge amounts of money.

… The agency outsources the electronic annual reporting requirement of small nonprofits–generally, those with less than $25,000 in revenue–to the Urban Institute, a well-known Washington nonprofit and think tank that was an early advocate of charitable transparency. Thomas Pollak, an Urban Institute official who oversees the system, said he was unaware of the problem until Forbes called. He confirmed that a random check of nonprofits with the word “ministries” in their name and the Las Vegas zip code of the N. Rainbow Blvd address–89107–showed William Alexander listed as the responsible charitable official.

A search on Melissa Data of nonprofits in that zip code produced 2,370 listings.



Big Brother cometh?

http://www.gsnmagazine.com/node/22997?c=access_control_identification

Privacy groups decry San Francisco ID scan proposal

A plan by the City of San Francisco’s Entertainment Commission that would require nightclub and concert goers to have their personal identification scanned at events in the city, then stored for 15 days on the city’s databases, drew protests from privacy rights groups on April 12.

The information would be available to law enforcement without a warrant, subpoena or court order, said the groups.

A rash of shootings in and around nightclubs in the city in 2010 prompted Mayor Gavin Newsom to look for ways to stem the violence. In September, Newsom’s office proposed scanning nightclub patrons' IDs, along with installing metal detectors, security cameras, increased outside lighting and an added police presence at the clubs.



Law Enforcement in Cyberspace... A whole new approach to crime on the Internet?

http://www.databreaches.net/?p=17750

DOJ takes steps to take down Coreflood botnet that infected 2.3 million computers

April 13, 2011 by admin

Today the Department of Justice and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.

The U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

The Coreflood malware on a victim’s computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced using the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim’s computer, collecting personal and financial information. The TRO authorizes the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. By limiting the defendants’ ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.

While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely.

The law enforcement actions announced today are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service. Additional assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners. The matter is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, led by Assistant U.S. Attorney Edward Chang, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division.



“Hey, we just write the laws, we don't understand them!”

http://www.pogowasright.org/?p=22388

Sens. Franken, Blumenthal Ask Justice Department to Clarify, Enforce Data Privacy Law

April 13, 2011 by Dissent

Yesterday, U.S. Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) asked the U.S. Department of Justice (DOJ) to clarify its interpretation of a critical federal law that protects the private and personal data of Americans. Recently, servers owned by Epsilon Data Management were hacked, exposing the names and e-mail addresses of millions of American consumers. Separately, public securities filings disclosed a broad investigation by the U.S. Attorney’s Office of New Jersey into alleged privacy breaches by several popular applications or “apps” for smartphones.

These incidents are likely to be investigated under the Computer Fraud and Abuse Act (CFAA). Sens. Franken and Blumenthal, both members of the Senate Judiciary Committee, have asked the DOJ to clarify its interpretation of the CFAA so that consumers know their privacy rights and law enforcement officials know how to best enforce the law. They also asked the DOJ to update its manuals to reflect that smartphones and other personal devices are recognized as “computers” under the CFAA. Finally, they asked the DOJ to provide insight into how the Senate can strengthen existing privacy protections.

“We write to the Department to clarify how it determines the scope of authorization under the CFAA in the absence of a written policy or agreement addressing the issue,” the senators wrote in their letter. “We further ask that the Department communicate this interpretation to consumers, prosecutors, and industry stakeholders. We believe that a clear statement on the application of the CFAA in these circumstances will help consumers know their rights, help industry develop new products and services, and help law enforcement take action against bad actors.”

Earlier this year, Sen. Franken was named chairman of the Senate Subcommittee on Privacy, Technology, and the Law. Last year, he pressed U.S. Attorney General Eric Holder to incorporate an analysis of geotags into an updated stalking victimization study connected to the National Crime Victimization Survey. Last month, Sen. Franken led several of his Senate colleagues in urging Facebook to reverse proposed plans that would allow the disclosure of users’ home addresses and phone numbers to third parties.

The full text of Sens. Franken and Blumenthal’s letter can be read here.

Source: Senator Richard Blumenthal



The downside of Copyright protection. Your limited license just got a bit more limited...

http://games.slashdot.org/story/11/04/14/0418222/DRM-Broke-emDragon-Age-Originsem-For-Days?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

DRM Broke Dragon Age: Origins For Days

"Ars Technica reports that a server problem with the DRM authentication servers has caused Dragon Age: Origins players to be locked out of any saved games that include downloadable content. Quoting: 'Thanks to a combination of DRM idiocy and technical and communications failures on the part of EA and Bioware, I (along with thousands of fellow EA/Bioware customers) spent my free time this past weekend needlessly trapped in troubleshooting hell, in a vain attempt to get my single-player game to load. The problem, it turns out, was Bioware's DRM authorization servers.'"

An update to the article indicates the problems have finally been resolved.



For my Computer Security students. This sounds too easy. But before you think it will solve the unencrypted laptop problem, remember that free software that does the same thing has been available for years...

http://www.computerworld.com/s/article/9215787/Toshiba_releases_self_erasing_drives

Toshiba releases self-erasing drives

Toshiba Wednesday unveiled its first family of self-encrypting hard disk drives (HDDs) that can also erase data when connected to an unknown host.



For my Ethical Hackers (who carry their toolkit everywhere...)

http://www.makeuseof.com/tag/codysafe-application-launcher-powerful-companion-portable-apps-windows/

CodySafe: An Application Launcher & Powerful Companion For Your Portable Apps [Windows]



Build your own Cloud...

http://news.slashdot.org/story/11/04/13/2110255/VMware-Releases-Open-Source-Cloud-Foundry?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

VMware Releases Open Source Cloud Foundry

"VMware shook the cloud world with an announcement that it was releasing an open source platform-as-a-service called Cloud Foundry. Not surprisingly, the new cloud platform takes direct aim at Microsoft's Azure and Google's Google Apps platforms. Cloud Foundry is made up of several technologies and products that VMware has acquired over the recent past and is released under an Apache 2 license. While VMware isn't the first-and-only player to launch an open source cloud initiative (Red Hat has DeltaCloud, Rackspace and Dell have OpenStack), some believe that with VMware now in the open source cloud business, pressure could be mounting for Microsoft and Google to release versions of their cloud that could be hosted somewhere other than their own data centers."



How different things would have been...

http://www.makeuseof.com/tech-fun/moses-internet/

If Moses Had The Internet
