Monday, September 28, 2009

 

Construction firm sues after $588,000 online theft

Jeremy Kirk

September 24, 2009 (IDG News Service) A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late.

Over a week-long period in May, fraudsters made six transfers from the online bank accounts of Patco Construction Company, a family-owned developer in Sanford, Maine, according to a copy of the lawsuit on the Washington Post's Web site.

The money went to so-called "mules," or people who have agreed to receive the funds and then further transfer them to the fraudsters. The hefty withdrawals exceeded the amount of money Patco had in its account, which was used solely for payroll.

To make matters worse for Patco, its bank -- People's United Bank, or Ocean Bank of Delaware -- drew $223,237 on the company's line of credit to cover the withdrawals. Ocean Bank now wants Patco to pay that money back with interest, the lawsuit said.

After the bad transfer came to light, Ocean Bank did recover or block $243,406, but Patco is still on the hook for $345,444.

The fraudsters had a lot of key information needed to do the transfers, conducted through the ACH (Automated Clearing House) Network, used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

The ACH system has proved vulnerable to fraud as of late, due to its age and a lack of controls in the underlying transfer system, investigators have said.

Several Patco employees were authorized to use the account. They logged in with a company ID and password and also their own ID and password, the suit said. For transfers over $1,000, the employees then had to answer two challenge questions. Since most of their transfers exceeded that amount, the challenge questions were used often.

Apparently the fraudsters were able to collect that security information. They could have done that by infecting computers used to perform transfers with spyware, often installed through social engineering techniques or by exploiting vulnerabilities in out-of-date software.

Patco argues that Ocean Bank did not offer two-factor authentication, which often involves the use of a token that displays a one-time password or a verification telephone call.

Patco also said the transfers were initiated from IP (Internet Protocol) addresses that had never been used by Patco, the transfers far exceeded what the company normally performed and were on days other than Friday, when the company paid its employees by direct deposit.

"None of these transactions triggered any suspicious activity alerts on the part of Ocean Bank," the lawsuit alleges.
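The three indicators the lawsuit lists above (a source IP the customer had never used, an amount far above the customer's normal transfers, and a transfer on a day other than the usual payroll day) rendered as a rule-based pre-release check that a bank's fraud-screening layer could run. This is an added example, not code from the article or from Ocean Bank; the history, IP addresses, dates and thresholds are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
import calendar


@dataclass(frozen=True)
class Transfer:
    """One outbound ACH credit as a bank's fraud-screening layer would see it."""
    when: date
    amount: float
    src_ip: str       # address the online-banking session came from


@dataclass(frozen=True)
class Profile:
    """Baseline behaviour derived from the customer's own trusted history."""
    known_ips: frozenset
    typical_amount: float
    payroll_weekday: int   # Monday == 0 ... Friday == 4


def build_profile(history):
    """Learn known IPs, a typical amount and the usual transfer weekday."""
    if not history:
        raise ValueError("need at least one historical transfer")
    weekday_counts = Counter(t.when.weekday() for t in history)
    return Profile(
        known_ips=frozenset(t.src_ip for t in history),
        typical_amount=mean(t.amount for t in history),
        payroll_weekday=weekday_counts.most_common(1)[0][0],
    )


def anomaly_reasons(t, profile, amount_multiplier=3.0):
    """Return the indicators a transfer trips; an empty list means it looks normal."""
    reasons = []
    if t.src_ip not in profile.known_ips:
        reasons.append(f"source IP {t.src_ip} never used by this customer")
    if t.amount > amount_multiplier * profile.typical_amount:
        reasons.append(f"amount {t.amount:,.2f} exceeds {amount_multiplier}x the typical "
                       f"{profile.typical_amount:,.2f}")
    if t.when.weekday() != profile.payroll_weekday:
        reasons.append(f"sent on {calendar.day_name[t.when.weekday()]}, not the usual "
                       f"{calendar.day_name[profile.payroll_weekday]}")
    return reasons


def should_hold(t, profile, min_reasons=2):
    """Hold the transfer for manual review when at least min_reasons indicators fire."""
    return len(anomaly_reasons(t, profile)) >= min_reasons


# Constructed history: weekly Friday payroll runs, always from one office address.
HISTORY = [
    Transfer(date(2009, 4, 3), 9100.00, "198.51.100.10"),
    Transfer(date(2009, 4, 10), 8950.00, "198.51.100.10"),
    Transfer(date(2009, 4, 17), 9300.00, "198.51.100.10"),
    Transfer(date(2009, 4, 24), 9050.00, "198.51.100.10"),
]
PROFILE = build_profile(HISTORY)

# Constructed candidates: a normal Friday payroll run, and a Tuesday transfer
# from an unfamiliar address for several times the usual amount.
NORMAL = Transfer(date(2009, 5, 15), 9200.00, "198.51.100.10")
SUSPECT = Transfer(date(2009, 5, 12), 56000.00, "203.0.113.77")

if __name__ == "__main__":
    for label, t in (("normal", NORMAL), ("suspect", SUSPECT)):
        verdict = "HOLD" if should_hold(t, PROFILE) else "release"
        print(label, verdict, anomaly_reasons(t, PROFILE))
```

A single tripped indicator (a legitimate transfer from a new office address, say) releases under the default threshold; two or more hold the transfer so a human can confirm it before the day's ACH batch goes out.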

One of Patco's owners, Mark Patterson, did receive a notification on May 13 that one of the ACH transfers was rejected due to an invalid account number supplied by the scammers.

Patco notified the bank the next morning, but the bank had already started the day's ACH transfers and $111,963 floated away. Some of that amount was recovered.

 

Misdirected spyware infects Ohio hospital

Robert McMillan

September 17, 2009 (IDG News Service) It was a bad idea from the start, but even as bad ideas go, this one went horribly wrong.

A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital.

In late February 2008, Scott Graham shelled out $115 for a spyware program called SpyAgent and sent it to the woman, according to a plea agreement filed in the U.S. District Court for the Northeastern District of Ohio.

He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.

Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states.

Graham, who is set to formally enter a guilty plea on Sept. 30 to one count of illegally intercepting electronic communications, will pay $33,000 to the hospital for damages caused by the incident. He faces a maximum sentence of five years in prison.

"While Scott Graham does take responsibility for his conduct, it was never his intention to harm any organization or entity," said his attorney, Ian Friedman, in a telephone interview. "He had to learn the hard way that what may be advertised on the Internet doesn't necessary produce what's promised."

Products such as SpyAgent are marketed as legitimate tools to help employers or worried parents keep track of what's going on with their computers, but they can easily be misused to spy on innocent victims, said Eric Howes, director of research services with antivirus company Sunbelt Software.

His company flags SpyAgent as a "commercial keylogger."

"Our enterprise customers are concerned about these kinds of tools being used in an unauthorized fashion on their networks," Howes said. "They have completely legitimate uses, but if I went home and found a copy of [this type of software] on my computer, I would be concerned. "

Still Howes faulted the hospital's IT staff for allowing someone to download spyware from Yahoo mail and install it on their systems. "That points to a security failing at that hospital, but then they aren't that different from 99% of companies out there," he said.

Many companies block workers from accessing personal Web sites such as Yahoo or Facebook.

The U.S. attorney prosecuting this case, Robert Kern, did not return messages seeking comment. A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment.

 

Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google

By Kim Zetter
September 21, 2009 | 8:20 pm | Categories: Breaches

A Wyoming bank sent an e-mail containing sensitive customer data to the wrong Gmail account, and now wants Google to reveal the identity of the account holder who received the data.

According to a court document in the case, in August a customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all.


The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information.

After realizing what he’d done, the employee “tried to recall the e-mail without success.”

When that didn’t work, the employee sent a second e-mail to the recipient instructing the person to delete the e-mail and attachment “in its entirety” without opening or reviewing it. The employee also asked the recipient to contact the employee to “discuss his or her actions.”

Silence ensued.

That’s when the bank sued Google to identify the recalcitrant recipient.

Google said it wouldn’t comply without a court order, and even if it does receive a court order, its policy is to notify an account holder and give the person a chance to object to the disclosure of his or her identity. The court is considering the bank’s request.

In the meantime, Rocky Mountain Bank filed a motion last week to seal the entire case until the court decides whether to force Google to reveal the recipient’s name, saying it didn’t want its customers to learn about the breach, because it would create panic and result in a surge of inquiries from customers.

It wants the information under seal until it can determine from Google whether the Gmail account in question is active or dormant, and whether the sensitive customer information is actually at risk of being abused.

A federal judge in San Jose, California denied the bank’s request to seal on Friday.

“An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public’s common law right of access to court filings,” wrote Judge Ronald Whyte in his ruling, noting that the bank doesn’t have to wait to advise customers that an unauthorized disclosure of information occurred.

The initial complaint filed against Google is currently under seal because the judge has asked the bank to redact the Gmail account from its filings. But the judge’s response to the request for a seal is not itself sealed and it’s within this document that details about the breach are revealed (.pdf).

 

Scammers gain access to Downeast Energy's cash, clients

The e-mail scam costs the company up to $150,000, and may have exposed customers' bank data.



By DAVID HENCH, Staff Writer

September 15, 2009

A sophisticated e-mail scam cost a Brunswick-based heating fuel company as much as $150,000 and potentially exposed hundreds of customers' checking account information, the company said Monday – a day when the U.S. Senate's Homeland Security Committee held hearings on cybersecurity.

Downeast Energy and Building Supply learned last week that scammers, apparently in Eastern Europe, had gained access to the bank account the company uses to let customers pay for fuel with electronic transfers from their checking accounts.

"We are continuing to work closely with law enforcement and our bank to ensure that our account is secured, but more importantly to protect our customers," said company President John Peters.

The scam started with an innocent-looking e-mail to a Downeast employee that purported to be from the company's bank. A link on the e-mail, which appeared to be from KeyBank, took the employee to a Web site that was identical to the bank's.

When the company's bank-issued user name and password were entered, the information was sent to the scammers, who used it to steal the money.

Federal officials say Internet criminals are increasingly targeting small and mid-sized companies.

As large companies have gained more sophisticated computer network protection, cybercriminals have adapted and gone after smaller businesses that lack such security, Michael Merritt, assistant director of the Secret Service's office of investigations, told the Senate Homeland Security and Governmental Affairs Committee.

Phil Reitinger, deputy undersecretary in the Department of Homeland Security, said a recent study suggested that as many as 87 percent of data breaches could be avoided with simple to intermediate preventive measures.

Sen. Susan Collins, R-Maine, ranking member on the committee, said that cybercrime has cost the national economy nearly $8 billion.

Data relating to more than 130 million credit and debit cards was stolen from corporations, including the Maine-based Hannaford Bros. supermarket chain.

At Monday's hearing, Collins advocated for legislation to ensure sharing of information about vulnerabilities between government and the private sector.

"As these latest incidents underscore the time has come to move on from simply planning to action," she said.

Peters said lax computer protection was not the problem for Downeast Energy.

"We have spent, and continue to spend on a regular basis, tens of thousands of dollars a year to get the appropriate electronic surveillance systems," he said, noting that the company hires a consultant to try to hack into its systems. "This breach was the result of human error."

The company will consider additional safeguards, he said, such as further restricting employees' access to bank passwords and requiring duplicate authorizations for certain transactions.

State law requires companies to notify customers and the Attorney General's Office about such breaches.

The breach was discovered early last week, and Downeast Energy mailed letters to all 800 affected customers by Friday. Customers probably started receiving letters Monday.

The personal information to which the thieves had access included customers' names, banks and checking account numbers. It did not include telephone numbers or home addresses, or any information associated with credit or debit cards, Peters said.

Customers who might have been affected are encouraged to contact their banks to determine whether additional steps should be taken to secure their accounts. So far, no customers have reported unauthorized account access resulting from the data breach, Peters said.

The loss of $150,000 should not affect the company's operations, Peters said.

"We're very well capitalized," he said. "I don't want anybody to think $150,000 isn't a significant amount of money, but it isn't going to affect the way Downeast Energy does business."

There is no chance Downeast can recover the money, he said.

Peters said he favors some of the recommendations coming from Collins' committee. As important a tool as the Internet has become, he said, people should confirm with a telephone call any computer link requesting sensitive information.

Chris Pinkham, president of the Maine Association of Community Banks, said customers must constantly be aware of the potential for sensitive information to be stolen.

"The bad guys are good at being bad guys," he said. "We can spend a lot of money and time on training and technology, but it really is a partnership with customers, and we need them to be as vigilant as they possibly can be."

Pinkham said no legitimate financial institution will ask for sensitive personal information by telephone or e-mail.

– The Associated Press contributed to this report.

Staff Writer David Hench can be contacted at 791-6327 or at: dhench@pressherald.com

Copyright © 2009 MaineToday Media, Inc.

Thursday, September 17, 2009

 

Heartland on Defense at Senate Hearing

Senator 'Astonished' That Breach Lasted So Long
Eric Chabrow, Managing Editor
September 14, 2009


The ranking member of the Senate Homeland Security and Governmental Affairs Committee told the chief executive of Heartland Payment Systems that she was "astonished" a breach of the company's information system lasted for nearly 1½ years without being detected.
At a panel hearing Monday on protecting industry against growing cyber threats, Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008.

"Isn't there software in the systems to detect such a breach?" Collins asked.

"There is, and the cyber criminals are very good at masking themselves," Carr replied. "To be able to scan systems to determine what the malware is, you have to understand something about the attack vector, and you need to know something about the malware to find it. All of us in the industry go through annual assessments, but the bad guys are working together to get around all those assessments."

Carr told the panel Heartland is taking two major steps to prevent this type of breach from recurring. Working through the Financial Services Information Sharing and Analysis Center, Heartland and other payment processors established Payments Processing Information Sharing, a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation practices.

He also said Heartland is working to deploy end-to-end encryption, known as E3, to render data unreadable to outsiders from the point of card swipe. "Our goal is to completely remove payment account numbers of credit and debit cards and magnetic stripe data such as expiration date, service codes and other data, so that it is never accessible in a usable format in the merchant and processor systems," Carr said.

Authorities allege that Albert Gonzalez, who pleaded guilty last month to attacks on retailers TJX, Barnes and Noble, Office Max and Dave & Buster's, was responsible for the Heartland breach as well as others. The Heartland breach, revealed in January, affected some 130 million credit cards.

Carr couldn't quantify the loss to customers, banks and others of the breach, characterizing the attacks as a "significant compromise," and told the committee Heartland took a $32 million charge against earnings to cover costs for forensic examination, legal services and potential settlement for claims.

Asked by panel chairman Joseph Lieberman, I-Conn., if he wished he had done something different to prevent the breach, Carr replied that he should have worked with industry partners sooner to develop a defense from hackers, something the industry is now doing. "I wish we had done that earlier," he said.

 

Chase Bank Notifies Customers of Breach

Backup Tape Reported Missing from Vendor Storage Facility
Linda McGlasson, Managing Editor
September 11, 2009


Chase Bank has sent out data breach notification letters to an undisclosed number of customers after a computer tape with customers' personal information was reported missing from a third-party vendor's storage facility.
Tom Kelly, spokesperson for New York-based Chase, the commercial/consumer banking arm of financial giant JPMorgan Chase, says the vendor -- which he would not name -- confirmed it received and maintained the tape, and that its offsite facility had been searched thoroughly after the tape disappeared. Kelly would not say if the data on the tape was encrypted, but says its data can be read only with special equipment and software. "We have no evidence to indicate any of the information has been viewed or used inappropriately," Kelly says.

A local ABC News station in Louisville, KY first reported the missing data tape and the notification letters being sent in August. Kelly says the notification letters are being sent out in batches, but would not say how long the tape has been missing, nor what type of customers' information (credit or banking) was on the tape. The electronic files, according to the notification letter, may have included names, addresses and Social Security numbers, but did not include any banking or financial information.

Affected customers are being offered a free one-year subscription to the bank's identity protection program, Kelly says.

For more information on 2009 data breaches involving financial institutions, see this interactive timeline

Monday, September 14, 2009

 

Internet Security Trends 2009: An Interim Update

By Zulfikar Ramzan
September 2, 2009 02:38 PM ET



CSO - The effects of cybercrime are far reaching. It would be a difficult task to find someone who has never been affected by malicious Internet activity, or who does not at the very least know someone who has been negatively impacted by cybercriminals. Advances in Internet technology and services continue to open up innumerable opportunities for learning, networking and increasing productivity. However, malware authors, spammers and phishers are also rapidly adopting new and varied attack vectors. If the Internet is to become a safer place, it is imperative to understand the trends and developments taking place in the Internet threat landscape and maintain online security best practices.

In December 2008, Symantec researchers predicted a number of security trends to watch out for in 2009. Now that we are into the second half of the year, it's time to check in on those predictions to see not only how they have panned out, but also what other developments have occurred. What follows is an update on the predictions Symantec made late last year, as well as a few new trends that our analysts have seen develop in the first half of 2009.

A Trends Predictions Check Up

Attackers take advantage of the economic crisis

The global economic recession has been one of the most noticeably exploited bases for attack in 2009. Its impact has been far-reaching and the computer industry is far from immune to its effects. Schemes and scams targeting victims of the recession and touting solutions to its problems are prevalent. Some of the threats are new and some have been around for a while. These scams include:

* Home foreclosure scams

* Scams targeting people seeking mortgages or refinancing

* Scams exploiting the U.S. economic stimulus packages

* Scams targeting the unemployed with offers almost too good to resist

* Attacks seeking to exploit users of classifieds and online job placement boards

* "Work at home" schemes

Social networking becomes an even more popular attack vector

There's no question that online social networking continues to rise in popularity due to the numerous conveniences and opportunities it provides. There's also no question that social networking provides phishers with a lot more bait than they used to have. Threats can come from all sorts of avenues within a social networking site. Games, links and notifications are the low-hanging fruit for phishers to use as they lead people into dangerous territory. As society picks up one end of the social networking stick, it finds that it inevitably picks up the security problems on the other end.

 

Man pleads guilty in Wal-Mart card phishing scheme

By Robert McMillan
September 9, 2009 03:44 PM ET

IDG News Service - A Sacramento, Calif., man has pleaded guilty to charges for his role in an international scam that netted sensitive information on tens of thousands of Internet users and then used that data to open fraudulent Wal-Mart credit cards.

Tien "Tim" Truong Nguyen pleaded guilty to fraud and identity theft charges on Tuesday, the day before his case was set to go to trial.

Prosecutors say that, working in concert with Romanian cyber-criminals, Nguyen set up phishing Web sites and supplied others with stolen information that was then used to set up fake Wal-Mart instant credit accounts in stores throughout northern California.

Operated by GE Capital, the kiosks run a credit check on the Wal-Mart customer and then spit out instant credit coupons -- typically for $1,000 to $2,000 -- that can be used in the stores.

By setting up hundreds of these instant credit lines, Nguyen's two alleged co-conspirators, Stefani Ruland and Ryan Price, netted close to $193,000 in just under two months, prosecutors say. A Wal-Mart investigator uncovered the scam in September 2006, after an anonymous tipster told him that Ruland and Price had a garage full of stolen Wal-Mart items in their Sheridan, Calif., home.

Ruland is serving a prison sentence for her role in the scam; Price is awaiting trial, prosecutors said.

After meeting Price and Ruland over the Internet, Nguyen began giving them credit information in exchange for methamphetamine, prosecutors said in court filings.

"Nguyen said that he did identity theft 'because it was so easy,'" the filings state. He told investigators that "he wanted to quit identity theft, but resumed it if he was smoking methamphetamine; and that the drug gave him the drive to do identity theft."

When Nguyen was arrested on Jan. 26, 2007, police found credit card numbers, bank account numbers and stolen information belonging to tens of thousands of people on his computer. They also found templates for making fake Web sites. Targets included eBay and a number of smaller regional financial institutions, such as Florida's Fairwinds Credit Union, Washington's Heritage Bank and the Honolulu City and County Employee's Credit Union, now known as Aloha Pacific.

Many of Nguyen's victims were PayPal users who responded to fake e-mails or pop-up windows that asked them for personal information, authorities said. EBay owns PayPal, an online payment service.

The case "shows that information can be obtained in Sacramento and be used to carry out fraud in very far-reaching ways," said Robin Taylor, an assistant U.S. attorney who prosecuted the case.

Nguyen's guilty plea comes as part of a larger Department of Justice crackdown on Romanian phishers. In March, a federal judge in Connecticut handed down a four-year prison sentence to Ovidiu-Ionut Nicola-Roman, a 23-year-old Romanian, for his role in an international phishing scam. The FBI has spent the past six years strengthening connections with Romanian police and lawmakers. Last year, federal authorities arrested nearly 60 people in the U.S. and Romania as part of a phishing dragnet operation.

Taylor said consumers who are worried about identity theft can take some basic steps, such as flagging their accounts with credit-reporting agencies, so that they know when someone tries to take out credit in their name; exercising caution online; and keeping their Social Security numbers private.

Nguyen, who has three previous felony convictions dating back to 1999, is set to be sentenced on Nov. 19.

 

TJX agrees to settle another breach lawsuit for $525,000

Two-and-a-half years later, the retailer is still handling fallout from data compromise
By Jaikumar Vijayan
September 3, 2009 01:47 PM ET

Computerworld - TJX Companies Inc. has agreed to pay $525,000 to settle a lawsuit brought by several banks in connection with the massive data breach disclosed by the retailer in January 2007.

The money will reimburse AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union, and Trustco Bank a portion of the expenses they incurred in connection with the breach, TJX said in a statement. As part of the agreement, the banks will drop all other claims against TJX. The discount retailer admits no wrongdoing.

The settlement money is part of the $118 million the company had set aside in the second quarter of 2007 to cover breach related costs.

In January 2007, Framingham, Mass.-based TJX disclosed that unknown intruders had broken into its network and stolen data on more than 45 million credit and debit cards. At that time, the breach was considered the biggest ever involving payment card data.

Since then, a breach at Heartland Payment Systems has resulted in the compromise of an estimated 100 million cards. Even so, the TJX incident remains one of the costliest breaches on record.

The latest settlement is one of several that TJX has entered into since the breach. In June, TJX said it would pay nearly $10 million to settle lawsuits filed by attorneys general in 41 states. Under that agreement, TJX also agreed to implement measures for boosting security around card holder data. In November 2007, the company announced it would pay up to $40.9 million to Visa USA Inc. card issuers who may have been affected by the breach.

Soon after the breach, the company said it expected to spend in the range of $150 million on various items including lawsuit settlements. Some analysts said that figure might be closer to $200 million, with one Forrester Research analyst predicting it could reach $1 billion over the next several years.

Last week, Albert Gonzalez, 28, of Miami agreed to plead guilty to masterminding the attacks on TJX and several other retailers including Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. He faces between 15 and 25 years in prison.

 

CNET employees notified after data breach

Burglars wreak havoc at contractor's office
Robert McMillan

June 24, 2008 (IDG News Service) -- More than 6,500 CNET Networks Inc. employees and relatives are being notified of a possible data breach after burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans.

CNET was one of several clients affected when burglars broke into the Walnut Creek, Calif., offices of Colt Express Outsourcing Services Inc., stealing equipment "which contains the human resources data of several of their clients, including CNET Networks," Jose Martin, CNET's senior vice president of human resources, said in a June letter notifying employees of the incident.

The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans.

It was unclear which other Colt Express clients were affected by the breach. Its other customers have included BroadVision, JDS Uniphase and 24 Hour Fitness.

The company's CEO, Samuel Colt III, did not return a call seeking comment Monday, but in a letter to CNET (download PDF), published on the Web site of the attorney general for the state of Maryland, he said that local police were investigating the matter.

Data breaches such as Colt's must be reported to the Maryland attorney general when they affect state residents. State laws typically require such notification when an unencrypted computer is lost or stolen. According to Privacy Rights Clearinghouse, more than 230 million records have been exposed in this fashion in the U.S. over the past three and a half years.

Four days after the break-in, Colt Express installed an alarm system, and the company is "looking into what additional steps may be taken to provide enhanced security," Colt wrote in his letter.

Customers looking for free credit-monitoring services from Colt Express should not get their hopes up, however.

Colt's letter included some marketing materials for Kroll, a company that helps companies respond to data breaches, but the information was provided "only out of courtesy and to give you an idea of the types of services available," Colt said.

"By this letter and enclosures, we are providing you with all the information we believe you need and that we are able to give you," Colt added. "We do not have the resources financially and otherwise to assist you further."

Hurt by a downturn in business late last year, Colt is now in the process of going out of business, he said.

Affected CNET employees can sign up for one year of free credit monitoring from Equifax Inc., Martin said.

 

A Chronology of Data Breaches

http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

 

Radisson Reports Computer Systems Breached


Federal authorities are investigating a report from the Radisson hotel chain that someone illegally accessed its computer systems. According to Radisson Hotels & Resorts, the situation affects only a limited number of its 400 hotels.
Federal law enforcement is investigating a hack that compromised computer systems at Radisson Hotels & Resorts hotels throughout the United States and Canada.

Officials at Radisson, part of Carlson, revealed that its computer systems were accessed without authorization between November 2008 and May 2009. The company did not say which of its hotels was hit or how many, but in a statement Radisson Chief Operating Officer Fredrik Korallus described the number as "limited."

In an open letter to customers, Korallus said, "Working with law enforcement and forensic investigators, Radisson is conducting a thorough review of the potentially affected computer systems, and has implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of Radisson's valued guests."

According to the hotel chain, the accessed computer systems contained guest information, including names, credit and debit card numbers, and the expiration date on the cards. Social Security numbers are not included in the records. At this point, it is unknown whether particular names or other information were in fact accessed or taken.

According to the company, it became aware of the data breach after receiving information from payment card companies and payment card processors.

To help concerned customers, the company created a toll-free telephone number, 866-584-9255, and Web page to provide customers with information and assistance. Radisson will offer a free year of credit monitoring to customers who stayed at its hotel during the time period in question if the guest enrolls by Nov. 18. Call the number above for more information about eligibility.

 

FTC Finalizes Rules On Health Care Breach Disclosure

Organizations will be required to notify patients of breaches, even if they are not bound by HIPAA
By Tim Wilson
Aug. 18, 2009

The Federal Trade Commission yesterday issued a final rule that will require Web-based businesses to notify consumers when the security of their electronic health information has been breached.

The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records, which provide online repositories that people can use to keep track of their health information, and entities that offer third-party applications for personal health records.

Many organizations that offer these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), the FTC explained. Under the Recovery Act, the Department of Health and Human Services has been assigned to conduct a study and report by February 2010 on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA.

In the meantime, the Recovery Act requires the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached. The Commission announced a proposed rule in April 2009, collected public comments until June 1, and issued the final rule yesterday.

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.

The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.

 

 

Password hackers are slippery to collar

Federal law, resources struggle to catch up with firms that steal passwords
By Tom Jackman
The Washington Post
updated 5:56 a.m. ET, Mon., Sept. 7, 2009
WASHINGTON - When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.

And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.

Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.

But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.

And, experts said, there doesn't appear to be much anyone can do about it.

"This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."

Just a misdemeanor
Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.

"The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

Every state has laws roughly similar to the federal computer laws, Kerr said, and they rate the offenses as misdemeanors.

Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.

"Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."

At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."

Proof and payment
All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.

E-mail inquiries to several of these services did not elicit any responses.

The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spokesman Paul Bresson said, "and we have been successful in the past in identifying criminal activity and working with prosecutors to bring indictments. Users of these services should know that just because a product is marketed on the Internet doesn't mean it's legal."

But agents must be made aware of specific illegal acts occurring in this country before they can pursue a provider, Bresson said. They can't investigate an online service without evidence of a particular crime in the United States.

"This kind of thing has been on the radar of law enforcement already," said Alissa Cooper of the Center for Democracy and Technology in Washington. But with many of the hackers overseas, "in practice it takes a lot of resources and time to build up relationships with [law enforcement] in other countries. They're starting to do that in the cybersecurity realm."

Numerous ways to steal passwords
Experts said there are numerous ways to steal someone's e-mail password, from simply guessing at family names or pet names to high-tech infiltration. The most common way is to send the target a link to a greeting card or something else they might specifically be interested in. When the target opens the link, software is installed on his or her computer that snatches the password the next time it's typed in and sends it to the hacker. Web-based e-mail, such as Google's Gmail and Yahoo, can also be attacked through bugs in the Web browser, Eckersley said.

"The unfortunate news is there's rather less of computer security than we would want," Eckersley said. "We think of a computer as being incredibly sophisticated. But as it does more, it actually becomes less secure."

Another problem is that many computer users are not terribly computer savvy. "As human beings, we don't have good intuitions about the internal workings of computers. Ninety percent of us make the wrong decision when something pops up about accepting an unauthorized certificate. It's really saying, 'Do you want to be hacked?' "

How to avoid detection
The Electronic Frontier Foundation published a brochure this summer for people wanting to avoid government detection in international hot spots, including Iran and Burma, but the tips apply universally, Eckersley said. Beware of malware, such as viruses, worms and keystroke loggers. Choose the least risky communication channels. Use encryption. Use different passwords for everything. Eckersley said changing operating systems and carrying all important data on portable disks is another step, if a burdensome one.

The tips are available on the EFF's Web site.

But "if you're an ordinary person and afraid you have an ex-lover who wants to hack you," Eckersley advised, "you're probably better off not using computers for the kinds of communications you want to keep secret."

Once authorities decide to follow a hacker, it's not difficult to determine the source. An FBI agent investigating Cioni simply subpoenaed her phone and e-mail records from the various providers, which showed that she had used e-mail and PayPal to enlist YourHackerz in her quest. A search of her computer found fragments of her targets' e-mail in-boxes.

Then, according to testimony at her trial, when she called her boyfriend, she mentioned material that could be known only by those who had read her boyfriend's e-mail.

 

PCI Alert!….WPA Cracked in less than 60 seconds…(Uh Oh!)

August 28th, 2009 by cmark Posted in PCI DSS
An article in today’s Network World reported that researchers have broken WPA encryption in less than 60 seconds. While the vulnerability has been known for some time, this is the first time that a practical attack has been used to compromise WPA. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, who plan to discuss further details at a technical conference set for Sept. 25 in Hiroshima.

In November 2008 researchers showed how WPA could be broken but now the Japanese researchers have put the rubber to the road and actually demonstrated the attack is viable and can be used in the real world.

For those who are on WPA2, it should be noted that this attack is not considered effective. Unfortunately, many companies in the payment card industry are still using WEP, and many more have upgraded to WPA only to find that neither technology is now secure.
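As an added example (not part of the original post), a small Python audit that applies the distinction above, flagging WEP and WPA1 networks and accepting WPA2-only ones, to the terse output of `nmcli -t -f SSID,SECURITY dev wifi`; the scan lines and SSIDs are constructed.

```python
"""Flag Wi-Fi networks whose security the post above calls broken.
Added example, not from the original post; input is assumed to be the
terse output of `nmcli -t -f SSID,SECURITY dev wifi` (SSID:SECURITY, with
SECURITY a space-separated list such as "WEP", "WPA1 WPA2", "WPA2 802.1X").
"""

# Constructed sample scan, not a real capture
SAMPLE_SCAN = """\
POS-Register:WEP
Warehouse-AP:WPA1
Guest-Lobby:WPA1 WPA2
Office-Secure:WPA2
Corp-8021X:WPA2 802.1X
OpenCafe:
"""

def classify(security: str) -> str:
    """Map an nmcli SECURITY field to a risk label.

    WEP and WPA1 (TKIP) are what the post calls no longer secure; WPA2-only
    is what it says the attack does not affect. A mixed WPA1/WPA2 network
    still lets a client negotiate WPA1/TKIP, so it is flagged as well.
    """
    flags = security.split()
    if not flags:
        return "open"
    if "WEP" in flags:
        return "insecure-wep"
    if "WPA1" in flags:
        return "mixed-wpa1-wpa2" if "WPA2" in flags else "insecure-wpa1"
    if "WPA2" in flags:
        return "ok-wpa2"
    return "unknown"

def audit(scan_output: str) -> dict:
    """Return {ssid: label} for each non-empty line of a terse nmcli scan."""
    results = {}
    for line in scan_output.splitlines():
        if not line.strip():
            continue
        # SECURITY never contains a colon, so split on the last one
        ssid, _, security = line.rpartition(":")
        results[ssid] = classify(security)
    return results

def needs_attention(scan_output: str) -> list:
    """SSIDs that should not carry cardholder-data traffic as configured."""
    return sorted(ssid for ssid, label in audit(scan_output).items()
                  if not label.startswith("ok"))
```

Run `needs_attention(SAMPLE_SCAN)` to list the networks that would fail this check; an open network is reported too, since it offers no protection at all.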

 

Radisson Breach Letter

http://www.radisson.com/openletter/openletter.html
