A recent DOS attack on an Eugene School District server managed to succeed in breaching their security and access the said computer which contained the names, employee ID numbers and phone numbers of about 2500 current and former employees. While other sensitive information such as security numbers were not stored on the breached machine, the server was connected with others (apparently protected by other security systems as well), that contained private details on a total of 26000 people and vendors.

Luckily all student data are stored on different networks of the Eugene School District, so none of those studying in the region have been affected. The supposed breach seems to have only affected adults.

Yet the safetly of the 26000 different records is in no way guaranteed. There is no proof of further breaching, but there isn’t any to show there was none either. In the mean time, the breach is being investigated, while the school district’s website has been updated with information on the breach.

“A thorough investigation of the security breach has been initiated, police have been notified, and the district has taken measures to further safeguard the involved server,” the district said. “We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure that personal information is secure. We sincerely regret any inconvenience this may cause to our staff and vendors.”

More information here.

Military personnel included in exposed group of carpooling employees

A website built to help commuters carpool to work is exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The reason for the data breach was caused by programming errors in the website code.

The bugs, discovered on the RideMatch.info website enable hackers to easily access personal information such as names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. According to a recent article published by The Register, the SQL injection vulnerability was still active 2 days ago, although it has been discovered two weeks before and reported to a developer who runs the website.

The issue has been discovered and reported bu Kristian Hermansen, a security researcher. Upon receiving a form to fill in by his employer, apparently a legal requirement for all employees, he investigated the website where the information was to be posted.

RideMatch.info is a joint project developed by transit authorities in five regional governments in Southern California. Each individual using the website enters work and home addresses and the time they leave from each. Based on the data, the website then teams them with others who live and work nearby and commute at similar times, thus providing an effective carpool matchmaking services. Too bad the same range of data can be accessed by any hacker willing to exploit the vulnerability!

The “I am legend” of the hacking and data theft world, Albert Gonzales, decided to plead guilty and now faces 15 to 25 years in jail. Gonzales is accused of masterminding a hacking circle that stole 130 million credit and debit card numbers from major retail chains such as Barnes and Noble, T.J. Maxx, Sports Authority, and OfficeMax.

According to The Register, Gonzales, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!

The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.

In what money is concerned, Gonzales will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!

Did a data breach occur at T-Mobile USA? According to a group of hackers it did. They claimed to have gained access to all customer information of the company and posted network scans to prove it on the Full Disclosure web site. They also said they were trying to sell all the private records to T-Mobile’s competitors, who wouldn’t take them on the offer. Yet they’re still doing their best to sell all stolen info to the highest bidder.

T-Mobile has a different view on the story though. They said, and were quoted by ChannelWeb, that there is no proof whatsoever of any breach. And although the document posted online did in fact belong to T-Mobile, it contained to sensitive date, nor was it obtained while their system had been hacked into.

“The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document,” the company said in a statement. “There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach.”

While ChannelWeb seems to incline to believe T-Mobile on this one, their security experts say large mobile carriers often fall pray to hackers who harest their confidential customer records for their own benefit, mostly because the security systems they’re using are outdated. If I were T-Mobile right now, I’d make sure to check everything 100 times and find out exactly how the harmless file get posted online. Cause you can never know, can you?

Fashionably late, as the who’s who laws require, electronic payment services firm RBS WorldPay has admitted a breach that exposed 1.5 million payroll and gift card holders exposed to fraud and identity theft. The breach was caused by a group of hackers finding their way to the RBS network and accessing about 1.1 million social security records, along with other private details, reports The Register.

RBS disclosed the breach to law enforcement and regulators on November 10, but waited untill December 23rd to also let those affected know their private data was at risk. Great Christmas gift idea! Yet the company pledges strong commitment to prevent any fraud or identity theft attempts and  offers 12 months complimentary membership to a credit monitoring service toall those whose personal information has been exposed by the hackers. Does this mean they will also take a good look at everything going on in their customer’s accounts between November 10 and December 23? 100 payroll cards have already been misused as a result of the breach, but have been deactivated since. We hope the toll does not go up.

There’s an ongoing silent war between inmates and the personnel of the prison holding them. There have been quite a few movies on riots, guards having their families threatened and other such. And now  this topic hits the endpoint security arena: a former inmate has hacked into a prison’s network and made the employee’s database available to his imprisonment colleagues.

The 42-year-old Francis G. Janosko accessed the names, addresses, dates of birth, social security numbers and telephone numbers of employees working for the Plymouth County Correctional Facility in Massachusetts, said the US District Court in Boston. Using a thin client connected to a prison server, Janosko exploited a bug in legal research software made available to inmates to gain access to the database.

Janosko then shared the private details with his felllow inmates and also managed access the Internet and to download videos and digital photographs of prison employees, inmates and aerial shots of the prison. The hacking took place between October 2006 and February 2007. He is currently charged with identity theft and intentional damage to a protected computer. If convicted, the maximum sentence is 12 years in prison and a fine of $250,000. He could additionally be forced to pay unspecified restitution.