The “I am legend” of the hacking and data theft world, Albert Gonzalez, decided to plead guilty and now faces 15 to 25 years in jail. Gonzalez is accused of masterminding a hacking ring that stole 130 million credit and debit card numbers, hitting major retail chains such as Barnes & Noble, T.J. Maxx, Sports Authority, and OfficeMax.
According to The Register, Gonzalez, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!
The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.
As far as money is concerned, Gonzalez will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!
The White House might have a bright, shiny plan for cybersecurity, but it seems unable to keep the security heads it needs to manage and implement it. No fewer than three people holding key positions related to the USA’s cybersecurity have resigned in the past few months.
The trend was started in March by Rod Beckstrom, who resigned from his position as head of the National Cybersecurity Center within the Department of Homeland Security. The center coordinates the defense of civilian, military, and intelligence networks. The reason for Beckstrom’s resignation? As he stated in a letter quoted by the Register, the post was underfunded and unduly controlled by the National Security Agency.
The next person to announce their resignation was Obama’s top cybersecurity director, Melissa E. Hathaway. What led to her decision was the long months of delays by the Obama administration in appointing a permanent director to oversee the safety of the nation’s vital computer networks. As the Register points out, Hathaway was one of the best candidates for the “cybersecurity czar” position. The czar would hold the authority for securing the networks and infrastructure that serve US banks, hospitals and stock exchanges.
The third and most recent top cat in the US government to go is Mischel Kwon, the head of the US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT). Washington Post rumor has it that Kwon had grown frustrated by bureaucratic obstacles and a lack of authority to fulfill her mission. And it seems people in her position don’t stick around for long: she was the fourth US-CERT director in five years.
Hopefully, the critical cybersecurity plan will eventually be implemented, without any further delays and resignations. Let’s keep our fingers crossed!
The Mozilla Foundation takes security breaches very seriously. It immediately closed its online stores after learning that a third-party company that runs one of the sites’ back-end operations had suffered a breach.
The breach hit GatewayCDI, an SMB with offices in three US cities, which runs the Mozilla Store, the foundation said in a blog post quoted by the Register. There is still no information to confirm whether any customers of the website selling coffee cups, T-shirts, and other Mozilla promotional goods have been compromised.
“Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised,” Mozilla representatives wrote. “Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised.”
Mozilla also stated it was conducting a thorough analysis of its systems to determine the cause and extent of the breach. Additionally, GatewayCDI will directly contact any Mozilla Store customers who may have been affected.
According to the same Register article, Mozilla also closed down its International Mozilla Store, although it wasn’t run by GatewayCDI. Both stores displayed a message saying “closed for maintenance.”
The Federal Trade Commission has recently issued a final rule that requires Web-based companies to notify consumers when the security of their electronic health information has been breached. The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009.
As explained by Dark Reading, the rule applies both to vendors of personal health records, “which provide online repositories that people can use to keep track of their health information,” and to entities that offer third-party applications for personal health records.
The FTC’s Final Rule complements the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which left out many types of organizations that could expose health-related information.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.
The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.
Security magazines and news sites have been raving about the case of Albert Gonzalez. This man holds a record no one is really proud of: he has been charged with the largest number of stolen credit and debit card accounts ever, about 130 million of them.
The story of Gonzalez is rather complicated. After being indicted in May in the TJX breach (the one thought to be the largest in history until recently), Gonzalez is said to have worked with the authorities to help them find everyone involved in the breaches he had taken part in. While his defense lawyer was looking forward to a settlement, new charges surfaced. Federal authorities have charged him with attacks that breached credit card processor Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and a couple of other companies.
Gonzalez seems to be behind all the largest data heists of the past few years:
- 130 million credit and debit card accounts taken from Heartland Payment Systems’ servers
- at least 94 million credit and debit card accounts stolen from TJX
- 4.2 million accounts were stolen from Hannaford’s servers
According to DarkReading, all the attacks Gonzalez was involved in used familiar, easy-to-prevent methods to obtain the information they wanted:
While the attacks appear to be phased-in and coordinated, the attackers didn’t employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.
Fortunately, Gonzalez is being held responsible for the breaches. Let’s just hope no one sets their mind on beating the record! Apparently, it’s easy to achieve.
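To make the SQL injection point concrete, here is an added example (not code from the original post, DarkReading, or any of the breached companies) showing why a tautology payload turns a one-record lookup into a bulk dump, and how a parameterized query closes the hole. It uses an in-memory SQLite database filled with constructed sample rows; the card numbers are made-up test values, not real accounts.

```python
import sqlite3

# Constructed sample data for the demo: hypothetical holders and made-up test PANs.
SAMPLE_CARDS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_CARDS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, holder):
    """The flaw: user input is pasted straight into the SQL string.

    A value such as  ' OR '1'='1' --  rewrites the WHERE clause to be always
    true and comments out the trailing quote, so every row comes back.
    """
    sql = "SELECT holder, pan FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, holder):
    """The fix: a bound parameter. The driver sends the value separately from
    the statement, so the input is only ever compared as data, never parsed
    as SQL. The same payload simply matches no holder."""
    sql = "SELECT holder, pan FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def injection_dumps_everything(payload="' OR '1'='1' --"):
    """Return (rows_from_vulnerable_query, rows_from_safe_query) for one payload."""
    db = make_db()
    return vulnerable_lookup(db, payload), safe_lookup(db, payload)


if __name__ == "__main__":
    leaked, blocked = injection_dumps_everything()
    print("vulnerable query returned", len(leaked), "rows:", leaked)
    print("parameterized query returned", len(blocked), "rows")
```

Running it prints the whole table from the concatenated query and nothing from the parameterized one. Note that SQLite’s `execute()` refuses stacked statements, so `'; DROP TABLE cards; --` fails here, but a tautology needs no second statement, which is exactly why a single injectable search form is enough for a mass data theft.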
When one thinks of institutions like the British Ministry of Defence, one expects tight security. Tight as in you cross us once, we expect you not to cross us twice. Apparently, things go another way: the MoD, quoted by V3.co.uk, says the number of data breaches it suffered in the past year was four times higher than the year before.
The Ministry’s latest resource accounts show it suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year. The most serious case led to the loss of a portable hard disk from a contractor’s premises containing the names, passport information and bank account details of about 1.7 million individuals. That’s a big blow!
Other incidents included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 to 2008 and some of their next of kin.
And in April last year, an unencrypted laptop was stolen from government premises containing the personal records of 300 people.
The MoD admitted that it had lost electronic equipment, devices or paper documents from outside government premises on 15 occasions, and in six instances they were lost from within government offices.
Facebook, LinkedIn, Twitter: they’re all making their way into day-to-day corporate life. Users share information, sometimes too much, with others. Denying the value of online networking or its potential to drive new business your way is not our goal (we do use this blog, Twitter and Facebook!), but the threat is very real and it’s there. As in all things data security related, it’s either an external threat or an inside one. It’s either malware targeting social media sites, or it’s your employees who, out of lack of proper training or attention, or worse, knowingly and willingly, post confidential information on such sites.
How to prevent it? The see no evil, hear no evil, speak no evil method is the first one you should stop thinking about. You can’t shut this door; we’ve stated this before, it might be crucial to growing your business. Restrict access through limited hours and limited networks? Largely ineffective. It takes a couple of seconds to post, and no matter how restrictive you are, information can spread through other users.
I was reading a Dark Reading article on the matter the other day. They quoted a survey conducted in February by Sophos showing that 62.8% of companies were concerned that employees were sharing too much information on social networks, while 66% believed employees using social networking sites endanger corporate security.
Very true! And what can you do? The solution is threefold. First, control which files your employees can reach and restrict access to them; a whitelisting system would probably help, though this is only a temporary fix. Then, educate your staff: tell them what’s fair game and what isn’t. And then, you should really start monitoring what they post. There’s a fourth solution: pray for the best outcome.
While the United States government is dedicated to improving cybersecurity and IT security in general, it has one extremely important problem. It has the game plan, but might be lacking the people to actually implement it. A new report by the non-partisan Partnership for Public Service and the management consulting firm Booz Allen Hamilton shows the government is confronted with a serious shortage of skilled cybersecurity specialists, and it estimates that an eightfold increase in the number of federally sponsored graduates with security degrees is required.
According to a Register article on the report, the scholarship program run by the federal government produces around 120 entry-level cybersecurity specialists a year. The report recommended the number reach 1,000 to be able to take on the workload. It also showed that while the majority of government representatives interviewed see attracting top information security specialists as a top priority, only 40% of them are satisfied with the quality of those applying for the available jobs.
The main downside of the findings is that the lack of trained personnel might endanger Obama’s cybersecurity plans. Below you can see the report’s recommendations, as published in the Register:
- Developing a nationwide program to encourage more Americans to develop technology, math, and science skills.
- The development by Obama’s cybersecurity czar of a government-wide blueprint for meeting current and future employment needs for information security.
- The establishment of job classifications for cybersecurity and increased funding from Congress to train federal cybersecurity workers to meet those requirements.