Remember our recent post on Californian commuters being forced by law to submit their private details to a site that was clearly exposing them and doing nothing about it? While we emphasized the cause of the problem, an SQL injection vulnerability, and the fact that the site failed to fix it after it was reported, another security writer thought of exploring the consequences that could be triggered.
So here’s a fictional take on what could actually happen if anyone exploited such a vulnerability, along with a few famous data theft cases that have rocked the security world, including the now world-famous case of record holder Albert Gonzalez.
The “I am legend” of the hacking and data theft world, Albert Gonzalez, decided to plead guilty and now faces 15 to 25 years in jail. Gonzalez is accused of masterminding a hacking circle that stole 130 million credit and debit card numbers from major retail chains such as Barnes and Noble, T.J. Maxx, Sports Authority, and OfficeMax.
According to The Register, Gonzalez, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!
The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.
As far as money is concerned, Gonzalez will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!
Security magazines and news sites have been raving about the case of Albert Gonzalez. This man holds a record no one is really proud of: he has been charged with the theft of the largest number of credit and debit card accounts, about 130 million of them.
The story of Gonzalez is rather complicated. After being indicted in May in the TJX breach, the one thought to be the largest in history until recently, Gonzalez is said to have worked with the authorities to help them find all those involved in breaches he had taken part in. While his defense lawyer was looking forward to a settlement, new charges surfaced. The federal authorities have charged him with attacks that breached credit card processor Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and a couple of other companies.
Gonzalez seems to be behind all the largest data heists of the past few years:
- 130 million credit and debit card accounts taken from Heartland Payment Systems’ servers
- at least 94 million credit and debit card accounts stolen from TJX
- 4.2 million accounts were stolen from Hannaford’s servers
According to DarkReading, all the attacks Gonzalez was involved in used familiar, easy-to-prevent methods to obtain the information they wanted:
While the attacks appear to be phased-in and coordinated, the attackers didn’t employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.
Fortunately, Gonzalez is being held responsible for the breaches. Let’s just hope no one sets their mind on setting a new record! Apparently, it’s easy to achieve.
When one thinks of institutions like the British Ministry of Defence, one expects tight security. Tight as in: you cross us once, we expect you not to cross us twice. Apparently, things go another way, as the MoD, quoted by V3.co.uk, says the number of data breaches it has been exposed to was 4 times higher in the past year.
The Ministry’s latest resource accounts show it suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year. The most serious case led to the loss of a portable hard disk from a contractor’s premises containing the names, passport information and bank account details of about 1.7 million individuals. That’s a big blow!
Other incidents included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 and 2008 and some of their next of kin.
And in April last year, an unencrypted laptop was stolen from government premises containing the personal records of 300 people.
The MoD admitted that it had lost electronic equipment, devices or paper documents from outside government premises on 15 occasions, and in six instances they were lost from within government offices.
There has been much noise about the Goldman Sachs ex-employee who managed to leave the company with their secret solution to be faster and better than their financial services competitors. At first, the name of the company reporting the data breach was unclear, then more started whispering Goldman Sachs. Let’s sink into the juicy details.
It all started when a computer programmer was arrested for stealing classified application code that powered the high-speed financial trading platform of his former employer, later identified as Goldman Sachs. The programmer’s name, along with more details on the incident, was reproduced from an FBI affidavit by DarkReading:
According to an affidavit (PDF) filed by the arresting FBI officer and subsequently posted by news media, the programmer, Sergey Aleynikov, copied “proprietary trade code” from his company and uploaded it to a Website in Germany. He later quit his job at the New York firm and moved to a new company in Chicago that “intended to engage in high-volume automated trading” — and paid him around three times his old salary of $400,000, according to the affidavit.
The programmer says it was all a mistake. Apparently, he only wanted some open-sourced files he was working on and ended up with the entire shebang. The fact he never sold the code or tried to otherwise use it plays in his favor. The fact he tried to hide all traces of the data transfer doesn’t. But that’s something to be settled in court.
What’s fascinating, as ZDNet’s Larry Dignan explained on one of the network’s blogs, is that Goldman Sachs, “a master at gauging risk”, was able to overlook the danger of inside threats. Especially when it’s something all security experts have been talking about for a long while.
When you think about it, nothing happened to Goldman Sachs. Other than a much needed wake-up call. What could have happened? The competition actually improving their own platforms and taking over more and more clients from Goldman Sachs. I have a feeling adding up the numbers of this potential loss would make us all dizzy!
Take it to the cloud. See how it works, explained in plain English.
Device Control and DLP taken to the cloud to help you reduce cost and deploy much faster.
With My Endpoint Protector, Device Control and DLP can be deployed in minutes at a fraction of the cost of other solutions.
CoSoSys, a leading developer of endpoint security and portable storage device applications, has just released My Endpoint Protector (MyEPP), the first Software-as-a-Service (SaaS) application to deliver Data Loss Prevention and device control “in the cloud”. MyEPP will help companies manage the internal and external security threats created by the broad availability and use of portable data storage devices, while focusing on keeping the impact on IT resources at a minimum. The new web service uses a policy-based approach to enable businesses to manage how data can be used on all endpoints – Desktops, Laptops, Netbooks and more – from a single centralized web console, no matter where those endpoints are located.
Why should you consider a MyEPP subscription?
- Your company will be able to minimize inside threats and prevent data loss and data theft
- The cloud computing approach means you don’t have to worry about server setup, installation or management
- You can access the centralized web-based dashboard remotely, from any computer with an Internet connection and a web browser
- Real time monitoring of all devices used by your employees
- Create your own security policy without the need for additional hardware or software, and without the need for in-house IT security experts
- Enforce your policies easily through customizable templates
- All for prices as low as $2 per PC per month
“Most businesses today are aware that they need to proactively protect both their own intellectual property and customer information held in trust on their systems,” said Roman Foeckl, CoSoSys CEO. “But the thought of having to hire dedicated staff or consultants to install, implement and manage this type of solution has prevented many from taking the steps needed to protect that data.
“My Endpoint Protector makes enterprise-level device control and security accessible to even the smallest organizations without the need for expensive additional equipment or staff. Whether employees work from home, on the road or from remote locations, the security of their desktops and laptops can easily be centrally managed through the cloud.”
If you need more reasons to act now, just go ahead and evaluate the costs of a real data breach!
More and more employees choose to overlook data security policies put in place by the companies they work for and engage in activities that could easily lead to data breaches, according to the findings of a new Ponemon Institute survey. The risky activities include taking private records with them on unsecured storage devices, downloading personal software on company systems, turning off security settings and networking on social media sites.
Most members of a company’s staff copy classified data to USB drives or turn off security settings on their work laptops. Compared to the Institute’s 2007 findings, the number of those ignoring company policies has increased.
Here are some highlights of the survey findings, as presented by PC World:
- 69 percent of the 967 IT professionals surveyed copied confidential company data to USB sticks
- those who lost said USB sticks with confidential corporate data on them failed to report it immediately
- almost 31 percent of respondents engaged in social-networking practices on the Web from work PCs
- around 53 percent said they downloaded personal software on corporate PCs
Did a data breach occur at T-Mobile USA? According to a group of hackers it did. They claimed to have gained access to all customer information of the company and posted network scans to prove it on the Full Disclosure web site. They also said they were trying to sell all the private records to T-Mobile’s competitors, who wouldn’t take them up on the offer. Yet they’re still doing their best to sell all stolen info to the highest bidder.
T-Mobile has a different view on the story though. They said, and were quoted by ChannelWeb, that there is no proof whatsoever of any breach. And although the document posted online did in fact belong to T-Mobile, it contained no sensitive data, nor was it obtained through a hack of their system.
“The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document,” the company said in a statement. “There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach.”
While ChannelWeb seems inclined to believe T-Mobile on this one, their security experts say large mobile carriers often fall prey to hackers who harvest their confidential customer records for their own benefit, mostly because the security systems they’re using are outdated. If I were T-Mobile right now, I’d make sure to check everything 100 times and find out exactly how the harmless file got posted online. ’Cause you can never know, can you?
The CoSoSys team attended the Provision Security Days in Brasov, Romania over the weekend. Vendor of the most innovative and effective applications for endpoint security and portable storage devices, CoSoSys was one of the event sponsors and held a presentation on critical data security and device control, linking it to the recent Obama announcement on a White House coordinated plan to prevent cyber attacks.
I’ll reproduce here one of the most significant quotes CoSoSys identified where data loss protection is concerned:
“The threat to critical data systems is among ‘the most serious economic and national-security challenges’ today”
You might wonder why economic. The answer is easy: everything translates into money. Fewer customers, hacked bank accounts, brand trust going down the drain, it all means loss of money. A competitor getting their hands on your prototype and producing it at a faster pace means money you’ll lose (the amount you’ve already invested) and money you’ll never get.
So what does CoSoSys offer as a solution? A best of breed endpoint security, device control and DLP solution, Endpoint Protector 2009. It effectively:
- stops data loss
- prevents data theft
- stops data leakage
- keeps data safe on the road
Speaking of data theft in the office, CoSoSys also presented a video emphasizing how easily it can be prevented. Enjoy!