Wednesday, June 27, 2007
SecureWorks finds stolen data cache, variants of Prg trojan
Frank Washkuch Jr. Jun 26 2007 18:18
Researchers at SecureWorks have discovered several caches of stolen data containing the personal and financial information of 10,000 corporate and home PC users, as well as new variants of the Prg trojan.
The caches contain bank and credit union, credit card and Social Security numbers, usernames and passwords, according to SecureWorks officials.
Researcher Don Jackson said that hackers are working around encryption standards.
"When data is located, it is always encrypted to keep others from ‘leeching.’ New variants of the trojan have new ways of encrypting that data, making old analysis tools obsolete," said Jackson. "New encryption methods must be reverse-engineered from raw machine code."
The company said that the trojan’s variants have the ability to lift sensitive data from PCs before that data is encrypted and sent to SSL-protected sites. Numerous hacker groups have launched attacks using the malware, according to SecureWorks.
Jackson told SCMagazine.com today that the trojan highlights the trend of increased use of malware-creation kits.
Earlier this month, trojans controlled by Russian gangs attacked mostly Italian victims in a large-scale operation aided by the MPACK kit.
"It’s being posted on hacker sites in the underground, and people just buy it and use it," he said, adding that the kits "allow people to send out these variants pretty quickly."
Labels: SecureWorks
Experts: Apple's iPhone a possible security nightmare for enterprises
Jim Carr Jun 26 2007 00:44
When Apple's iPhone hits the streets this week, two things are likely: It'll be widely successful - as Apple's other consumer products have been - and it'll pose unknown risks to enterprise networks wherever it shows up.
One security researcher has gone so far as to call the iPhone a "nightmare for security teams."
Andrew Storms, director of security operations for nCircle, said in his blog, "As the iPhone currently stands, it has no place in the enterprise network simply because it lacks enterprise security controls."
Apple's new consumer product "will be a problem, trying to figure out who is using it," said Neel Mehta, a team lead with IBM's Internet Security Systems advanced research team. He said that enterprises must "look for technology rather than putting in policies or banning the iPhone" from their systems if they wish to minimize the potential loss of data via the USB-connected device.
Enterprises should place the iPhone "on the list of storage devices not allowed in classified or highly sensitive areas," he said. While both Mehta and Storms point to the potential loss of intellectual property via the iPhone, they say it poses no more threat than any other USB-connected device such as the smart phones already on the market and in use by employees.
Features the iPhone has that other smart phones do not have are Apple's Mac OS X operating system and a full version of the Safari browser. Although OS X is considered to be more secure than Windows, the iPhone version is a smaller version.
The browsers on smart phones have fewer features than Safari will on the iPhone, making them "less of a target" for malware than the iPhone, Storms said.
Apple is also planning to release the iPhone without a software development kit (SDK), meaning the company expects developers to create applications for the iPhone via Web 2.0-based technologies such as Ajax to run on the Safari browser.
This has positive and negative implications, according to Storms.
On one hand, the lack of an SDK means third-party vendors can't develop security applications - anti-virus, firewall and virtual private network (VPN) - for the iPhone, noted Storms. On the other, however, it also "restricts malware developers in their efforts to develop malware applications" for the iPhone, he said.
Labels: iPhone
Fly At Your Own Risk: More Security Breaches Found
Dave Savini
Reporting
(CBS) CHICAGO “Fly At Your Own Risk” is a CBS 2 continuing undercover investigation at O’Hare Airport, and it just got even more alarming. 2 Investigator Dave Savini reports on exclusive details.
Officials at O'Hare International Airport are refusing to interview with CBS 2 about our latest findings. The 2 Investigators have found more security breaches and a failure by authorities to investigate.
O'Hare is one of the busiest airports in the nation, and may be one of the most vulnerable.
The 2 Investigators have learned that 47 more employee access badges are missing, bringing the total we've discovered to 3,807 – the biggest security failure involving access badges ever to be exposed.
"Doesn't surprise me,” said Marcia Pinkston. “I am surprised you didn't find more."
Airport employees are allowed to go through a back gate. All they have to do is show their access badge. They are not searched.
"It's really scary just thinking that anyone can go into secure areas of O’Hare,” Pinkston said.
The latest missing badges belong to employees of Mesa Airlines, which operates flights for United Express. One of them belonged to Pinkston, who worked as a flight attendant.
She says she was fired for complaining about security. She says the airline never asked her to return her access badge and for months she could have used it to gain access to airplanes.
"Just anybody can go in there,” she said.
Last month, Pinkston told CBS 2 about other security failures, including employees sharing security codes or "piggybacking" by following someone through open doors to gain access to secure areas.
At the time, The Transportation Security Administration vowed to investigate.
But Pinkston tells CBS 2 that no one from TSA has contacted her even after she made allegations about piggybacking and code sharing.
She said it makes her feel "that they're just not doing their job."
Paul Maniscalco was New York City's chief paramedic in charge of EMS response to the 1993 attack on the World Trade Center. He's now a terrorism expert at George Washington University.
"You would think by 2007 we would have our arms around this issue,” he said. "When your investigation indicated that we had cards missing, unaccountability for the cards, people piggybacking, it was alarming."
Maniscalco says the threat of airport employees is real and points to numerous incidents including one in March at Orlando’s airport when two employees smuggled drugs and guns on to a plane, and earlier this month in New York at JFK Airport a former cargo worker was charged with plotting to blow up fuel tanks.
"There is no security,” Pinkston said. “As long as you work there you can do whatever you want."
Thanks to the CBS 2 investigation, the Department of Aviation fined Mesa Airlines $47,000 because of the missing badges. That’s the first time any airline has been fined for this issue. The TSA has refused to say why they have not interviewed our whistleblower, Marcia Pinkston.
Mesa Airlines said the fine is just a proposal and did not want to comment.
Labels: O'Hare International Airport
Friday, June 22, 2007
Retailers grapple with PCI DSS compliance
Compliance News
Most merchants took more than a year to reach compliance, and the vast majority of small merchants are not compliant at all
6.15.07 Most large retailers are compliant with the Payment Card Industry Data Security Standard (PCI DSS), but only 19 percent of small ones are, according to a recent survey.
Of the compliant merchants, nearly half said reaching compliance took more than a year, 16 percent said it took between 18 and 24 months, and 5 percent said it took more than two years.
Only 9 percent said that less than six months of effort were required.
The biggest challenge that was generally reported was the problem of monitoring access to systems that housed card holder data.
Credit union bills TJX $590,000 for data breach costs
Compliance News
Acquiring bank offloads costs of new cards and reputation damage onto noncompliant merchant
6.7.07 In another development in the TJX data breach case, a Massachusetts credit union has billed the company $590,000 in expenses it incurred as a result of hackers stealing data from the TJX system.
HarborOne Credit Union in Brockton, MA, said it had to replace 9,000 cards at a cost of $90,000 as a direct result of the incident.
The credit union also calculated that the incident cost it $500,000 in brand and reputational damage.
The credit union invoiced TJX in April but has not received any acknowledgment.
Labels: TJX Companies Inc.
Tuesday, June 19, 2007
Bank data on stolen tape
Ongoing analysis determines that governments, school districts among those who may be affected
Sunday, June 17, 2007 3:43 AM
By Mark Niquette
THE COLUMBUS DISPATCH
David Foster Dispatch
Gov. Ted Strickland has issued an executive order to develop a program to encrypt sensitive data. The information on the stolen tape was not encrypted.
Data in jeopardy
Types of data confirmed to be on a stolen state backup computer tape so far:
The names and Social Security numbers of all 64,467 non-university state employees.
Names, Social Security numbers, addresses and phone numbers of 53,797 state employees enrolled in the state's pharmacy-benefits management program, plus the names and Social Security numbers of 75,532 dependents. Officials don't think medical information is included.
Bank-account information for school districts and local governments to receive payments from the state. Officials are assuming that all local governments and school districts are included.
Medicaid provider names, tax identification numbers, addresses and bank-account information to receive payments from the state. There are 159,708 records, but officials think many are duplicates because there only are about 77,000 state Medicaid providers.
The names, Social Security numbers and retirement-account numbers for the 1,031 state employees who are part of the State Teachers' Retirement System. This includes current employees and those who have retired since Dec. 21, 2005, who paid into the system.
The banking information, addresses and phone numbers of the 28,362 state employees and vendors who receive electronic payment of expense reimbursements from the state.
Source: Gov. Ted Strickland
Whom to contact
Employees whose names and Social Security numbers were on a stolen computer storage tape are encouraged to go to www.ohio.gov/idprotect or call for recorded information at 1-888-644-6648. The Web site will have any updates regarding enrollment in the free identity-theft protection program the state is providing for one year.
If employees have additional questions, they may also contact their human-resources office or 1-800-267-4474 and 1-877-742-5622 to speak with a customer service representative. The call center will be open as follows:
Today -- 10 a.m. to 4 p.m.
Starting Monday -- 8 a.m. to 5 p.m.
Bank-account information for local governments, school districts and certain state employees and vendors was among the data on a computer backup tape stolen from an intern's car last week, Gov. Ted Strickland announced yesterday.
The stolen tape also contains bank-account numbers for Medicaid providers, retirement account numbers for teachers, plus Social Security numbers for more than 75,000 dependents of state employees, the governor said.
And there could be more: Strickland said the state knows other sensitive data is on the tape and an analysis continues. He has scheduled a news briefing today to report any new findings.
"We will continue to inform Ohioans if more sensitive information is found to be included on the data device as soon as that information is confirmed," he said.
Administration officials aren't speculating about what risk having the bank-account information or other data confirmed to be on the tape so far may pose if it is accessed.
Strickland continued to say yesterday that there is no evidence the data has been used, and that it's unlikely the tape could be accessed without specialized knowledge or equipment.
But even the possibility of having such information fall into the wrong hands -- especially in combination with other personal data -- is a concern, said Mike Adelman, vice president of state government relations for the Ohio Bankers League.
"Clearly, that is a pretty serious matter," he said. "Banks work really hard to protect that information, and any sort of breach like this will have to put us (at) heightened awareness."
In the meantime, the State Highway Patrol said yesterday there are no new leads in the investigation into the theft, and a toll-free tip line has been established to report any information about the stolen tape or thief (1-877-OHS-INTEL or 614-799-3555).
Strickland called a news conference Friday to announce that the data tape had been stolen June 10 from the car of a 22-year-old state intern who was assigned to take it home for safekeeping but apparently left it in his unlocked car.
At the time, the governor said he was confident that the only sensitive information on the tape was the names and Social Security numbers of all 64,467 non-university state employees.
But Strickland then announced about 11:15 p.m. Friday that additional analysis of another backup tape found that personal data for employees enrolled in the state's pharmacy-benefits management program and their dependents also were on the stolen tape.
That includes names, Social Security numbers, addresses and phone numbers of 53,797 employees enrolled in the program as well as the names and Social Security numbers of 75,532 dependents, the governor said.
The state is offering free identity-theft monitoring and protection services to state employees and has extended it to cover dependents.
Strickland said yesterday that he reported what he thought to be accurate information Friday morning in good faith, but that he was notified Friday night that the situation was worse.
"Obviously, I feel badly this has happened," the governor said. "I am trying to deal with this in a way that is transparent and is responsive to what it is we can do to mitigate any harm that could be done."
Budget Director J. Pari Sabety said that from Monday, when the theft was discovered, through Thursday morning, two state workers performed an automated search of a second backup tape using keywords to identify sensitive information.
But on Friday, when 10 state workers started examining the files and the raw computer data directly, they began discovering other types of personal data.
That process continues, and 18 workers now are poring over the data, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services. It's not clear when the analysis will be complete, he said.
Strickland said yesterday he doesn't want to make a "scapegoat" out of the intern, Jared A. Ilovar.
He was one of four workers who took the backup data home each night on a rotating basis from a temporary worksite for the Ohio Administrative Knowledge System, the state's new $158 million payroll and accounting system.
The policy, established in 2002 before Strickland took office, called for keeping one backup tape on site and having a second backup taken off site in case of a fire or other disaster.
But Ilovar apparently left the tape in his unlocked car in the parking lot at his Hilliard apartment. Hilliard Sgt. James M. Redmond has said the break-in appears to have been random.
Greg Knieriemen, vice president of Chi Corp., a suburban Cleveland company that specializes in data storage, backup and protection, said any protocol sending backup copies home with an employee is "way out of date."
Knieriemen, whose firm's clients include the state of Nevada and Ohio State University, also disputed Strickland's claim that it would be difficult to access personal information on the stolen tape. Without a high level of encryption, the information on the tape could be readily retrieved, he said.
"Everything that's tape-formatted, if it's not encrypted, can be read by basic computer software," Knieriemen said. "If it wasn't encrypted, (Strickland's) statement is pretty much a stretch."
The state has confirmed that the data on the stolen tape is not encrypted, and Strickland has issued an executive order calling for the development of a new protocol to encrypt sensitive data.
Strickland also has asked the Ohio Inspector General to investigate both the circumstances surrounding the theft and the state's response.
But that's not much comfort for state employees concerned about identity theft.
"Of course I'm worried," Benjamin Odita, an employee at the Department of Mental Retardation and Developmental Disabilities, said on Friday. "There should be sufficient security in place. Somebody is slipping."
Dispatch Senior Editor Joe Hallett and reporter Alan Johnson contributed to this story.
Ohio welfare recipients' data also at risk
Expert to review stolen computer device
By MATT REED
Associated Press Writer
COLUMBUS - The state has hired a computer security expert who specializes in civil and criminal cases to determine the likelihood of someone getting access to the data on a stolen backup storage device, Gov. Ted Strickland said Sunday.
Matthew Curtin, 34, will begin Monday reviewing what's already known to be on the device, whose theft was revealed on Friday.
Also on Sunday, Strickland said the device contained the names and case numbers of the state's 84,000 welfare recipients, who face "a remote threat of identity theft," and the names and federal tax identification number of vendors that receive payroll deduction payments from the state - about 1,200 records. Sixteen of those records contain banking information, he said.
Strickland said the Ohio Department of Commerce on Monday would send letters to banks, credit unions and other financial institutions alerting them that customers' information may have been compromised.
Previously, it was revealed the device contained the names and Social Security numbers of all 64,000 state employees. It also contained bank account information about the state's school districts and Medicaid providers and information about 53,797 people enrolled in the state's pharmacy benefits management program and the names and Social Security numbers of about 75,532 dependents.
Strickland again said that he has no reason to believe the information has been compromised because getting it requires special equipment and expertise. He also has issued an executive order to change the procedures for handling state data. Strickland and Curtin said the analysis of what's on the device should be finished on Monday.
"The analysis of the data is nearly complete, but we have several additional files that are so complex that it will take some time," Strickland said at a Statehouse news conference on Sunday - his third in three days.
Curtin founded Interhack Corp. in Columbus 10 years ago. "We make the bad guys give up," the company says on its Web site. Curtin said he would have a better idea on how someone could get access to information on the device on Monday.
"We've just, just gotten started," Curtin said Sunday. "By tomorrow, I'll have some insight and have my hands around it."
The State Highway Patrol also announced Sunday that a post office box had been established in Columbus in hopes that the storage device would be returned anonymously.
The device - listed in a police report from suburban Hilliard as being worth $15 - was reported stolen along with a $200 radar detector, out of the car of 22-year-old Jared Ilovar, a college senior making $10.50 an hour in his state job. Ilovar is an intern with the Office of Management and Budget assigned to work on the state's $158 million payroll and accounting system. Telephone and e-mail messages seeking comment were left for Ilovar.
Strickland said Ilovar mistakenly left the device in a vehicle parked outside an apartment when it was supposed to be taken into his home as part of a protocol in place since 2002.
Sol Bermann, chief privacy officer at the state Office of Information Technology, called Curtin one of the country's foremost data security experts.
"It's a third-party validation of our work. It's important that someone double-checks for us so that nothing is missed."
The state is expected to pay $50,000 to Curtin, who said he doesn't know how long his investigation will take.
Labels: Ohio Dept of Commerce
It just keeps happening
Won’t they ever learn?
Last week, a backup computer storage device containing the names and Social Security numbers of all 64,000 state employees was stolen from a state worker’s car.
The worker, an intern for the Office of Budget and Management, mistakenly left the computer device in a car outside an apartment. The device, one of two backup storage devices, is given to employees to take home for safekeeping on a rotating basis.
Gov. Ted Strickland said Friday that worker privacy wasn’t threatened because it would take special equipment to access the data. Strickland said he has ordered an end to the practice of employees taking the devices home for safekeeping.
The state will provide its workers with free access to identity protection services for the next year – at a cost to the taxpayers of $660,000.
Sadly, incidents like this seem to be happening with alarming regularity. Last year, officials at Ohio University learned that security breaches there exposed to data theft 173,000 files containing Social Security numbers, names, medical records and home addresses of employees and alumni. In March, hackers stole the personal information of 14,000 current and former faculty and staff members at Ohio State University.
And last year, a laptop computer was stolen from the home of an employee of the Veterans Administration which contained personal information on 26.5 million active-duty military personnel and veterans. The VA employee wasn’t authorized to take the data home.
We find it outrageous that the government – at both the state and federal level – seems to have a cavalier attitude toward protecting the personal information of people in this country. Identity theft is a growing concern in the United States. It doesn’t help that careless behavior by government employees abets the problem.
We think it’s time all levels of government implement stricter procedures in handling the sensitive data in its possession to protect people – be they students, employees, veterans or the general public – from identity theft.
Computer Breach Exposes Students' Social Security Numbers
Monday, June 18, 5:44 p.m.
By Andy Hirsch
The News-Item confirms one of its employees gained unauthorized access to the Shamokin Area School District's computer database. It is the same system that stores students' personal information, including Social Security numbers. That newspaper employee brought the security flaw to the attention of school officials.
"Oh my god, people's identities are shot," Sol Bidding said, describing his first reaction when he learned of the breach. It leaves open the idea that anyone could have hacked their way into the system.
Superintendent James Zack sent a letter home to parents stating "Your son/daughter/student's Standardized Assessment scores, local assessment scores and Social Security numbers were contained in the system. We are writing to you so that you can take steps to protect yourself from the possibility of identity theft."
"It kind of scares me because these are kids. This may cost them the rest of their life to get out of what damage may be done, or could be done," Bidding added.
Lisa Tillett has four children in the district. She's also a second grade substitute teacher there. She said she'll keep an eye out for fraudulent activity.
"It's a little strange. You don't expect that to happen to you, that somebody would do that and use your social security number and possibly steal something," Tillett said.
Some students are also concerned about just who had access to their personal information.
"I'm worried about it," Kayla Barkow, who will be in tenth grade next year, said. "But I'm not going to let it get to me until I find out if anything happens to it."
Investigators said it was too early to know if any information was actually stolen. School officials pointed out there is no evidence that it was. They also said they've strengthened the security of the system to make sure something like this doesn't happen again.
"Please know something is being done right now to protect this end of it," Bidding said.
Late this afternoon the publisher of The News-Item released a written statement regarding the breach that read "we acknowledge that an employee of The News-Item is involved in this matter. The person identified and alerted school officials to a security flaw involving the district's web site. The person is cooperating and assisting police with their investigation."
Labels: Shamokin Area School District
Hackers access personal info on faculty members at Univ. of Virginia
June 11, 2007 (Computerworld) -- About 6,000 current and former University of Virginia (UVa) faculty members are being notified that their names, Social Security numbers and birth dates may have been stolen by computer hackers between May 2005 and April 19 of this year.
In an announcement on Friday, the Charlottesville-based college said the security breach was discovered in an unidentified computer program. The statement said that no credit card, bank account or salary information was accessed, and no data involving students or nonfaculty employees was accessed.
The breach was fixed and the application was secured, according to the school, which said it is taking precautions to minimize future security risks on its systems.
The hackers accessed the personal information within a "special-purpose Web application," according to UVa. "The faculty information, which had been mistakenly included in the application's database, was not intended for public distribution."
"This information could not be accessed through everyday Web browsing," James Hilton, the university's CIO, said in a statement. "To find it required a relatively sophisticated and intentional attack on the database."
The university's Information Technology and Communications division learned of the breach during its ongoing Social Security number remediation efforts, according to the school. The database was removed on April 20, 2007, after an initial internal review was completed. Then, on May 22, programmers who maintain the Web site found that a hacker had defaced a page on the site. After securing the page, a more detailed review uncovered previous breaches dating back to 2005, the school said.
Investigators found that hackers broke into the system on 54 separate days between May 20, 2005, and April 19, 2007, accessing the records of 5,735 faculty members.
Shirley Payne, director for security and policy in the school's IT department, said she could not identify the exact Web application that was breached, but said "human error" allowed the data table containing the personal information to be included in a database linked to the application. "It really was not intended to provide this type of information, to deliver up this kind of information," Payne said. The data table was not viewable through a Web search but was accessed by hackers who entered the database and eventually found the linked data table, she said.
No suspects have been identified, and the incidents remain under investigation by the university's police department with assistance from the FBI and UVa's IT department.
The stolen data includes information on former faculty members who taught at the school from 1990 to 2003, as well as 2,100 current faculty members. Other information might have been included in some of the records, such as race, marital status, hire date, tenure date, tenure status, departmental affiliation, address, place of birth, employment history and academic matriculation.
All current faculty whose records were exposed have been notified, according to the university, while former faculty members who were affected are still being contacted by postal mail and e-mail. The university is offering one year of free credit monitoring to those affected. A special telephone hot line and Web site have also been established to provide additional information and assistance.
"We sincerely regret the distress this causes to our colleagues," Hilton said. "This theft adds greater urgency to our ongoing effort to remove from databases Social Security numbers and other personal information that could be accessed through the Internet and later potentially abused. The university is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection."
A letter from Hilton explaining what happened is also posted on the school's Web site.
Labels: Univ. of Virginia
Monday, June 11, 2007
TJX faces five more breach-related state lawsuits
Five additional states have filed lawsuits against TJX over the massive data breach that exposed some 45.7 million credit card numbers to hackers, the retailer reported on Thursday in a federal regulatory filing.
Framingham, Mass.-based TJX, which operates more than 2,000 locations, including hundreds of Marshalls and T.J. Maxx stores, was named in lawsuits in Illinois, Michigan, Ohio, Texas and Missouri, according to the filing with the Securities and Exchange Commission (SEC). The company previously has been named in lawsuits in Massachusetts, Alabama and California and in Puerto Rico and six Canadian provinces.
The plaintiffs mostly contend in the lawsuits that TJX exhibited "negligence" related to the intrusions in which thieves quietly pilfered sensitive customer data for two years until TJX detected the breach last December.
A company spokesperson did not return a telephone call for comment. CEO Carol Meyrowitz apologized for the breach to a number of stockholders at the company’s annual shareholders meeting earlier this week.
Some of the new lawsuits also name Cincinnati-based Fifth Third Bank, the credit card processor for TJX, as a defendant. A bank spokesperson could not immediately be reached for comment.
The banks responsible for issuing the credit and debit cards must cover the millions of dollars of costs associated with the breach, according to most state laws. But by filing the lawsuits, banks and customers are calling for TJX to be held liable, Diana Kelley, an analyst with the Burton Group, told SCMagazine.com today.
"They’re saying, ‘We’d like somebody to absorb the costs of this. We didn’t do anything improper, yet we’re incurring huge fees for the replacement of these cards and the notifications to cardholders.'"
Kelley said Minnesota has approved a law that shifts the burden to the merchants in the event of a data breach, and Massachusetts and Texas are considering similar measures.
"I’m looking at this as a watershed moment," she said. "I do think we will look back [at TJX] and say, ‘This really started to change things.’"
The SEC filing also reported that TJX is the subject of a 37-state attorneys general investigation studying whether the company violated any laws related to consumer protection. TJX is not believed to have been Payment Card Industry (PCI) compliant because Visa has since said it is not aware of any compliant companies ever being breached.
At least one financial institution is not waiting for a court to decide whether TJX is responsible to absorb fees. According to media reports, Brockton, Mass.-based HarborOne Credit Union has billed the company for $590,000 – $90,000 to replace credit cards and $500,000 for alleged brand reputation damage.
Meanwhile, TJX on Thursday reported 2007 sales are up three percent compared to the same 17-week period last year.
Labels: TJX Companies Inc.
Tuesday, June 05, 2007
Computer hackers steal Carson funds
Cyber-thieves make off with $45,000 after shifting nearly $450,000 from the city's coffers.
By Hector Becerra, Times Staff Writer
June 1, 2007
If Carson Treasurer Karen Avilla had had a nagging feeling she was being watched whenever she got on her laptop computer, she would have been right.
Cyber-thieves were able to shift nearly $450,000 from the city's general fund last week by using a program that was able to mimic the computer strokes made by Carson's financial officer. Each time Avilla logged on to her city-provided laptop in the morning, someone was — virtually — looking over her shoulder, recording every single keystroke.
Armed with the spyware program, the hackers obtained bank passwords. They wired $90,000 to a "Diego Smith" in North Carolina. One day later, on May 24, the thieves got bolder and wired $358,000 from the city's bank account to a bank in Kalamazoo, Mich.
Avilla and her deputy discovered the theft just in time to have all but $45,000 of the funds frozen. But the experience left city leaders rattled.
"As I sat there with the detectives and the forensic folks from the bank, I thought, 'I don't even want to touch a computer,' " Avilla said Thursday. "I felt violated. It made me think, 'Who's out there?' "
The crime raised concerns about the security of municipal coffers, especially when wireless networks are used. Although such city hacking cases have been isolated, some experts said many municipalities lack the large information technology staffs and large budgets for computer security.
"If you go after a local municipality, they're more likely to have fewer people dedicated to computer security," said Eric Schultze, chief security architect for Shavlik Technologies in Minnesota and a widely cited expert in anti-hacking circles.
Avilla said she still doesn't know how her computer was targeted. She said she doubts it had the latest security software patch protections — something sheriff's detectives and bank investigators told her is essential in safeguarding her computer.
She said that as soon as word got out, Carson fielded calls from officials in other cities, asking how they could protect themselves.
South Gate City Manager Gary Milliman said he has seen all sorts of fraud perpetrated against cities in 32 years, but nothing like this. "I think it's a concern," Milliman said. "It's something we're going to check into to make sure there isn't a vulnerability in our system."
Earlier this year, the finance director of the Northern California city of Willows discovered that a hacker had taken $4,000 from a city fund. Avilla said cities may not always notice smaller thefts.
"One thousand dollars. You think a bank is going to bat an eye?" Avilla said. "It's not an inexpensive enterprise to have a full team that goes around checking every laptop ever used. I think we can use more IT folks, but when a lot of these departments were created, a few people had computers. Now everyone does. On top of that, almost everyone has a laptop."
Experts said that without up-to-date security software, such a computer could be especially vulnerable if people who use it visit websites that contain spyware.
But hackers also send mass e-mails which, if opened on vulnerable computers, can allow installation of "keystroke loggers."
"It automatically sends all keystrokes logged to a hacker, via e-mail or another form of communication," Schultze said. "So a hacker sitting halfway around the world can log into your bank account, enter your user name and do what they want to do."
Kevin Overcash, vice president of product management for Breach Security in Carlsbad, Calif., said that when organizations started installing a lot of wireless networks, hackers devised ways to breach them through what is called "drive-by hacking."
In trying to provide a service to their residents — by allowing them to check their water bills via the Web, for example — municipalities sometimes make themselves vulnerable, he said.
"That kind of access opens you up to hackers. It opens the door for people to have access to data if you do not have good security," Overcash said.
Avilla said she noticed a problem when she found she was unable to log on to the city's bank account. She thought she must have been typing the password incorrectly.
On May 22, the bank gave her a new password. But unbeknownst to her, the cyber thieves got that password as soon as she tapped it into her computer.
On May 24, Avilla and her deputy checked bank balances and discovered the previous day's $90,000 wire transfer to someone in Wilson, N.C. Avilla checked with the bank and discovered the $358,000 transfer that day through National City Bank in Kalamazoo.
"I thought, 'We got a problem,' " Avilla said.
She called the bank and filed a police report, leading to the freezing of the city's funds. No one has been arrested, authorities said.
L.A. County Sheriff's Capt. Todd Rogers said the department's high-tech crimes unit is on the case. The Secret Service is also helping in the investigation, he said.
Avilla said the experience has made her angry and determined to seek legislation that would address the problem. "There's got to be more than one way to fight this," she said. "They get us in so many ways. There's got to be a way for us to get them."
--------------------------------------------------------------------------------
hector.becerra@latimes.com
Labels: Carson
ChoicePoint settles with 44 states over 2005 breach
Dan Kaplan Jun 1 2007 18:03
ChoicePoint, the data broker hit with the largest fine in Federal Trade Commission (FTC) history, has now settled with 44 states over a 2005 breach that compromised the personal information of 163,000 people.
The Atlanta-based company agreed to pay $500,000 to the states, in addition to adopting new security controls, including more stringent credentialing requirements when considering new clients - businesses, government agencies or nonprofits - who want access to ChoicePoint’s stockpile of consumer information.
The agreement, announced Thursday by the attorneys general of a number of states, is the most recent fallout resulting from ChoicePoint’s failure to adequately protect private information from hackers posing as customers, who illegally accessed a database.
Matt Furman, a ChoicePoint spokesman, told SCMagazine.com today that the settlement - which resulted from an investigation launched by the attorneys general of 43 states and the District of Columbia - is another voluntary step the company is taking to rid itself of the stigma caused by the breach. The ChoicePoint incident is widely considered the watershed event in information disclosure.
"It's consistent with our efforts to make our security procedures even stronger," Furman said. "We want to make sure customers are who they say they are."
Attorneys general said the agreement will help further protect the nation's citizens.
"This settlement should set a new standard for any company entrusted with private, personally identifiable information," Connecticut Attorney General Richard Blumenthal said in a statement. "Data collection firms hold the key to our financial worlds – data that can irreversibly unlock our personal vault and expose us to identity theft."
The FTC has identified about 1,400 ChoicePoint fraud victims, who will be reimbursed for costs associated with identity theft. Early last year, the agency slapped ChoicePoint with a record $15 million penalty for shoddy data protection - $5 million of which will go to customer redress.
"Identity theft is one of the nation’s fastest growing criminal enterprises," Texas Attorney General Greg Abbott said Thursday in a statement. "With businesses and consumers losing billions of dollars each year, law enforcement must aggressively crack down on identity theft."
A ChoicePoint spokesman could not immediately be reached for comment.
Labels: ChoicePoint