We regularly update the FRSecure Twitter feed with noteworthy items and news from around the information security industry. We realize that not everyone uses Twitter and not everyone has the time to catch our updates regularly. FRSecure Security Week is a summary of the week’s information security news and events. Each Monday morning, we will produce the FRSecure Security Week as a service and convenience to our customers.
Our post this week includes “Headlines”, “Security News”, “Compliance”, “Government”, and “Breaches” sections. We have fourteen (14) breaches this week!
Be sure to check out FRSecure news!
Headlines
REDMOND, Wash. – The world’s largest email provider, Microsoft, was struggling to restore its services Friday after outages that reportedly affected up to 365 million users worldwide.
The service disruptions affected a variety of Microsoft email products including Office 365, MSN.com, Live@edu and Windows Live Hotmail. The extent of the disruption was unclear…
[Comment] This doesn’t help to instill confidence for cloud computing.
Just how bad is online crime and hacking? Would you believe that the amount of time and money lost to cybercrime exceeds that of the global black market value for marijuana, cocaine, and heroin combined?
[Comment] “The $338 billion lost in money ($114 billion) and time ($274 billion) to cybercrime is greater than that of the illicit global drug trade—about $288 billion.” Does this surprise you?
AMSTERDAM – Hackers who broke into a web security firm issued hundreds of bogus security certificates for spy agency websites including the CIA as well as for Internet giants like Google, Microsoft and Twitter, the Dutch government said Monday.
Information Technology experts say they suspect the hackers were probably co-operating with the Iranian government, and hundreds of thousands of private communications between Iranian Internet users and Google were likely monitored in August.
[Comment] There is a global cyber-war raging. Do people know this?
Security News
Cybercrooks are gearing up for the 10th anniversary of the 9/11 attacks with a range of malware traps and hacking attempts both on social networks and the wider internet, net security firm BitDefender warns.
The attacks of Sept. 11, 2001 sparked a new urgency to predict future threats to the United States. And though the reviews of our physical security assets, geopolitical strategy, and intelligence gathering apparatus probably gathered the most headlines, the desire to better prepare the nation’s defenses didn’t stop there.
[Comment] What hasn’t changed in the past 10 years?
Microsoft has queued up fixes for 15 vulnerabilities, but IT administrators will have no critical flaws to deal with in a fairly light Patch Tuesday on Sept. 13.
An Indiana man was sentenced to 14 years in prison for selling counterfeit payment cards that caused more than $3 million in losses.
Tony Perez III, 21, received the sentence on Friday, five months after pleading guilty to one count each of wire fraud and aggravated identity theft. He was also ordered to forfeit more than $2.8 million in proceeds and pay a $250,000 fine.
British police on Thursday arrested two men as part of a trans-Atlantic investigation into attacks carried out by the hacking groups Anonymous and Lulz Security.
Scotland Yard said a 24-year-old and a 20-year-old were arrested at two separate U.K. addresses as part of a continuing investigation in collaboration with the FBI and other law-enforcement agencies.
[Comment] The US and UK governments have enough resources and motivation to keep hunting these guys down. Expect more arrests.
Sony chief executive Howard Stringer said that the company has largely recovered from the cyberattacks that hit it last spring, and is actually seeing some growth on its PlayStation network.
[Comment] People don’t seem to care.
Sony is looking to a former employee of the Department of Homeland Security to help its security efforts in the wake of the PlayStation Network breach earlier this year.
[Comment] Are you impressed? We aren’t.
Whistleblowing website WikiLeaks is suing the Guardian over allegations that the newspaper published a password to files which led to the identity of top secret sources being revealed.
The Guardian partnered with WikiLeaks last year to publish a tranche of secret US diplomatic cables, but 251,000 of unredacted US diplomatic cables are now available online after a security blunder.
[Comment] They were once pals.
The FBI has revealed that a wide range of businesses – mostly in the US – have been carefully targeted in a DDoS attack originating from Russia.
According to The Smoking Gun newswire, the FBI is investigating a series of DDoS attacks against a number of key businesses with an online presence, generating losses of more than $600,000.
[Comment] You too can hire a crook to sabotage your competition.
A strange Facebook security flaw has allowed a page administrator to kick the original Page creators off the admin list, thus hijacking the page from its original owner.
Summary: Symantec has found that approximately three out of every 20 videos on Facebook are fake: they are just likejacking scams.
The DigiNotar breach (“Operation Black Tulip”) is certainly likely to be a watershed in Internet security, and possibly in how we perceive cyberwar. But one lesser point may get lost: how vulnerable we are with a single username password to access all Google accounts.
[Comment] Does this make you comfortable with putting all your eggs in the cloud computing basket?
“Knee-jerk” reaction to data loss fears
Nearly one-third of UK companies are blocking access to social networks over security fears even though they realise the potential benefits of adopting Web 2.0 tools, according to a new study.
Apple’s PR patrol is going to be working overtime this weekend as reports leak out about a breach of the law by some of its security officials.
Earlier this week, word got out that in July an Apple employee had misplaced (read: lost) an iPhone 5 prototype at a San Francisco restaurant and bar, Cava 22.
[Comment] The pre-release iPhone 4 was lost in a similar manner.
Lose an iPhone prototype once, shame on you. Lose an iPhone prototype twice, and you may need to tighten security.
Kenneth C. Osbourne, Jr. and Sheldon Hylton were charged today by indictment, filed on August 25, 2011, with conspiracy to commit bank fraud and aggravated identity theft, bank fraud, aggravated identity theft, and aiding and abetting, announced United States Attorney David Memeger.
The freewheeling online activities of the hacker groups Anonymous and Lulz Security appear to have been curtailed after a concerted international effort led to what could prove the most significant arrests yet.
[Comment] Running scared?
The Consumer Federation of America today unveiled a new identity theft website, www.idtheftinfo.org to help individuals and businesses access the best information on preventing and detecting identity theft, as well as dealing with its aftermath.
Over one million adults around the world are the victim of cybercrime every day, according to figures published Wednesday.
The Norton Cybercrime Report 2011 paints a gloomy picture.
A new report from security software provider McAfee suggests that your car might soon be the next target for hackers. The company has partnered with Wind River in releasing a PDF outlining the potential danger that hackers present to the growing number of connected vehicles.
[Comment] Is your car hackable?
There’s an old saying, “If you can’t beat them, join them.” For many managers and senior executives, the new version may be “If you can’t beat them, hire them.” Several hackers, known for their skills in finding and exploiting security vulnerabilities in commercial products, have been hired by some of the biggest names in the business to redirect their talents and energy.
Data breaches are not a matter of if, but when, for enterprises. To step up to the challenge, organizations will need to implement a risk management plan that employs more than the usual IT fixes.
Compliance
The U.S. Department of Health and Human Services’ Office for Civil Rights has submitted a report (pdf) to Congress on HIPAA compliance that reveals the most common privacy compliance issue investigated from April 2003-Dec. 2010 was impermissible uses and disclosures of protected health information.
Will your organization be on the list? Just a few short weeks ago, the US Department of Health and Human Services awarded a $9.2 million contract to the professional services firm KPMG to provide HIPAA audit services. The awarded contract anticipates completing 150 audits that vary in size and scope.
After being vetoed twice by the prior administration, a bill that updates California’s pioneering data breach notification law was signed into law Wednesday by Gov. Jerry Brown.
[Comment] If history serves, these updates to the breach notification law will probably be adopted by other states.
Healthcare organizations that are performing risk assessments as a way to craft patient-privacy policies might want to consider a new potential attack vector: federal regulators.
[Comment] After 15 years of doing nothing in terms of enforcement, the DHS is turning up the heat. Does it just take the feds 15 years to do anything?
From September 2009 when the federal breach notification rule became effective and through 2010, large breaches of protected health information accounted for less than 1 percent of nearly 31,000 reported incidents, but affected 99 percent of the 7.8 million individuals touched by a breach.
Government
Senator Richard Blumenthal, Democrat of Connecticut, introduced a new bill Thursday that aims to protect citizens’ personal information from online data breaches. The bill would also punish companies that are careless with customers’ information.
Computerworld – The U.S. Department of Homeland Security today issued a somewhat unusual bulletin warning the security community about the planned activities of hacking collective Anonymous over the next few months.
WASHINGTON — Homeland Security officials are warning the public to beware of email scams and possible cyberattacks related to Hurricane Irene and the upcoming 10th anniversary of the Sept. 11 attacks.
Attorney General Martha Coakley is warning consumers about a robo-calling scam to steal credit and bank card numbers, and Social Security information.
On Thursday, the Palm Beach County State’s Attorney’s Office charged Juliet Sherry-Ann Smith Mahabir, 38, (aka Maria Del Carmen Diaz) with the criminal use of personal identification information of a deceased person.
Mahabir, an illegal alien from Trinidad, allegedly assumed the identity of an 8-year-old Massachusetts girl who died in 1981. She used the little girl’s Social Security number to get a job and establish various lines of credit…
Breaches
There are fifteen (15) breach-related news articles this week! Not good.
Since FBI translator Shamai Leibowitz was sentenced to 20 months in prison after pleading guilty to leaking information to a blogger, the case has been shrouded in mystery. Even the trial judge didn’t know what information Leibowitz had divulged. Over a year later, it is now known that Leibowitz acquired secret transcripts of wiretapped conversations from the Israeli Embassy and passed them on to a blogger named Richard Silverstein. The case is the Obama administration’s first successful prosecution over the leaking of classified information to the media.
Details stolen from over a million credit cards throughout Europe – estimated to be worth around £300 million – have been recovered by the Government Communications Headquarters (GCHQ) intelligence agency, The Telegraph reports.
NEW YORK– A hacker broke into the Twitter account of NBC News and sent out a handful of false tweets about a suspected hijacking and a plane attack at ground zero just days before the tenth anniversary of 9/11.
Staffers noticed the false tweets at around 6 p.m. Eastern time Friday, contacted Twitter and soon after had the account suspended.
[Comment] Does anybody really believe anything NBC says anyway?
INDIANAPOLIS — The Indiana University School of Medicine says a thief who stole a physician’s laptop computer may have gained access to the confidential patient information of more than 3,000 people.
[Comment] Not encrypted. Why don’t people get it?
The Linux Foundation has mailed users of the Linux.com and LinuxFoundation.org sites informing them that they discovered a security breach on 8 September which “may have compromised your username, password, email address and other information”. The Foundation says that it believes the breach is connected to the security breach at kernel.org at the start of September.
MONTICELLO, Minn. — Investigators are looking for victims of a credit card skimming ring that targeted customers at a McDonalds restaurant in Monticello.
Sheriff Joe Hagerty tells KARE 11 that the case involves a juvenile female employee who worked the drive-thru of the McDonalds on 7th Street in July and August of 2011.
Private data belonging to 26 Texas law enforcement agencies that was published online by the hacking group Anonymous earlier this month contains hundreds of social security numbers, scores of passwords, and loads of other sensitive information, according to a leading developer of data loss prevention software.
A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.
One of India’s premier banking institutions, the Housing Development Finance Corporation Limited, popularly known as HDFC Bank, has reportedly suffered a hack affecting its customer database system. A critical-level threat was discovered on the 15th of July, 2011 by team zSecure.
American singer, songwriter, and musician Pink claims her Facebook account was hacked and her personal pictures were stolen. She insists it was a breach of her privacy, although she also admits sharing the photographs in question on Facebook was probably not the best idea in the first place. Pink, whose real name is Alecia Beth Moore, made the complaints via her Twitter account:
A breach of privacy relating to personal health information has occurred at the North Bay Regional Health Centre affecting roughly 5,800 patients. “Any information collected during a stay at the hospital is considered personal health information,” says Chief Privacy Officer, Marc Bouchard. “For example it can include a patient’s name, address, diagnosis, test results and prescribed drugs.”
The Information Commissioner’s Office (ICO) has found the University Hospital of South Manchester NHS Foundation Trust in breach of the Data Protection Act (DPA) after losing an unencrypted USB key containing patients’ personal data.
Sensitive personal information relating to the treatment of 87 patients at the hospital was lost after a medical student copied data onto a personal, unencrypted memory stick – provided by the Trust – for research purposes.
One of the godfathers of PC gaming, AMD, sweetened the deal on some of its Radeon graphics cards by making an offer gamers couldn’t refuse: buy the card and get a digital copy of DiRT 3 for free. Unfortunately for AMD, rather than drumming up interest and shooting Radeon cards to the top of the sales charts, the offer turned into more of a “horse head in the bed” affair after hackers pilfered 3 million activation keys.
HALTOM CITY — Two students from Birdville schools hacked into a school district network server and accessed a file with 14,500 student names and social security numbers, a Birdville spokesman said Thursday.
[Comment] Most schools are very hackable. Too hackable.
DEXTER, Mo. — The Dexter School District has reported a security breach dealing with school funds.
A two-line news release sent out Wednesday by Dexter Police Department Lt. Trevor Pulley said only that a complaint had been filed “to report that money was missing externally.”
This is a list of 28 data breaches at healthcare organizations that occurred in the past six months, beginning with the most recent…
FRSecure
Join us on October 1st at Lake Harriet in Minneapolis to support Minnesota Teen Challenge! We haven’t set up our team yet, but will be soon. Email us at info@frsecure.com if you’d like to join us, and stay tuned for more information next week!
The FRSecure September Newsletter will be out soon.
If you haven’t signed up already, be sure to soon! Click here to subscribe.