Archive for February, 2013

Don’t ignore a data breach letter

Skeptical consumers, take heed: If you receive a notice that your personal data has been breached, pay attention and take free self-help steps to protect yourself from identity fraud. Data-breach notifications have become an increasingly reliable predictor of identity fraud headed your way, according to the latest annual survey by Javelin Strategy and Research, the California consulting firm that has studied this crime for 10 years.

Unfortunately, “we find that consumers often ignore these letters,” says Jim Van Dyke, Javelin’s president. That arguably made some sense four years ago, when only 10 percent of breach-notice recipients had subsequently become victims of identity fraud, but it can be a mistake now.

The 2012 survey of more than 5,000 consumers’ experience with ID fraud found that 22.5 percent of breach notice recipients had subsequently become victims of the crime, the highest of a persistently rising rate since 2009. That’s almost eight times the 2.9 percent ID fraud rate for consumers who hadn’t received a breach notice.

Worse still, identity thieves tend to attack breach victims with new-account fraud—opening new credit accounts in their name—a less common but more onerous type of identity fraud, because it’s more complicated to correct and hits victims with higher out-of-pocket losses.

Since 2003, when California became the first state to require such notifications, 46 states and the District of Columbia now mandate that banks, retailers, health care providers, and other companies alert their customers when the company has lost their Social Security number or other private identifying information, due to negligence or theft.

Last year alone, 680 breaches involving the information of more than 24 million people were publicly reported, according to the Privacy Rights Clearinghouse, the San Diego-based organization that has been tracking breaches since 2005 and which says its total is conservative.

If you receive a breach notification, take these no-cost precautions:

1) Immediately add a fraud alert to your credit report by contacting any one of the big three credit bureaus—Equifax, Experian, and TransUnion—which warns prospective creditors who pull your file that your identity data has been stolen and the person applying for credit in your name may not be you. This is a quick but imperfect stopgap, because lenders don’t always read or heed fraud alerts.

2) Place a security freeze on your credit reports by individually contacting all three credit bureaus online, by phone, or by mail. That blocks access to your report by prospective lenders who don’t already do business with you, a considerable impediment for a crook applying for new credit in your name. Since you’ve been notified of a data breach, you’re already an ID theft victim, and the freezes should be free.

3) Close any affected accounts and put yourself on a schedule of regularly monitoring your financial accounts and credit reports.

4) And, as we advised in the January issue of Consumer Reports, don’t waste $120 to $300 a year paying for ID protection services. They don’t cover you after the fact anyway.

Although you should take ID theft and a breach notice seriously, don’t panic. The vast majority of what is now called ID fraud actually involves the theft of your existing credit and debit cards. Your liability for those losses is limited by consumer protection laws—often to nothing, under card issuers’ zero liability policies.

Most victims of existing-account fraud suffer no personal losses (the average last year was $336), in part because the financial institutions that are legally on the hook for losses are doing a better job of stopping ID thieves themselves.

Although the total number of ID fraud victims was up last year, to 12.5 million vs. 11.6 million in 2011, that’s still below the 2009 peak of 13.9 million. Meanwhile, new account fraud, which has historically affected only 0.8 percent of the population, increased last year to 1.2 percent, but consumer out-of-pocket losses for that type of ID fraud were down last year, to $952 from $1,205 in 2011.

Article source: http://news.consumerreports.org/money/2013/02/dont-ignore-a-data-breach-letter.html

Bill calls for mandatory data breach reporting

With the Conservative government’s privacy reform bill sitting untouched after being introduced about two years ago, New Democratic Party MP Charmaine Borg has introduced a private member’s bill that would make it mandatory for organizations to report data breach incidents.

“An organization having personal information under its control shall notify the (Privacy) Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk or harm to an individual as a result of the loss or disclosure or unauthorized access,” the proposed bill reads.

The document also includes two determining factors for considering a breach harmful:

-The sensitivity of the personal information

-The number of individuals whose personal information was involved

Bill C-475 also says the commissioner may require organizations to notify affected individuals “to whom there is an appreciable risk of harm” as a result of the breach.

The notification should include:

-A report of the risk of harm
-Instructions about reducing the risk of harm or mitigating the harm
-Any other prescribed information

The proposed bill also empowers the privacy commissioner to order the organization concerned to conduct actions such as: corrective measures; destruction of data; deleting or adding a record; stop data collection or disclosure; and publishing a notice of actions taken.

Should the organization fail to comply within a prescribed limit, it may be subject to a penalty of no more than $500,000 or punitive damages imposed by the court. Individuals affected by the breach also have the right to sue the organization for damages or loss suffered due to the organization’s non-compliance with the act.

In his blog post today, privacy advocate and University of Ottawa Internet law professor Michael Geist said Bill C-475 is better than the government’s Bill C-12 as it provides clear-cut breach disclosure requirements and comes with an order-making power “backed by significant penalties for compliance failures.”

Article source: http://www.itworldcanada.com/news/proposed-bill-calls-for-mandatory-breach-reporting/146801

Guest blog: Are data breaches inevitable in a digital age?

CBR Staff Writer
Published 28 February 2013

Christian Toon, Head of Information Risk at Iron Mountain, explains how organisations can implement a rigid Corporate Information Responsibility (CIR) programme to be ready for the EU “right to be forgotten” legislation before it arrives.

With 93 per cent of large and 76 per cent of small organisations admitting to falling foul of a security breach in the past two years, you would be forgiven for thinking that some form of data loss within business is inevitable. Indeed Iron Mountain research found that more than half (53.3 per cent) of European businesses expect to lose data. As a result, they are unprepared when it comes to protecting company information.

This complacency is cause for concern. Many businesses are choosing to insure their business against the financial impact of data loss, rather than doing something to protect against the loss in the first place. Surely it would be more cost effective and better for the long-term prosperity of the business to invest money in closing the gaps in its data-protection programme and keep information from getting into the wrong hands?

Losing control of your data – the business impact
The European Commission’s draft revision to data protection legislation includes fines of up to one million Euros or two per cent of annual revenue for a data breach. The threat of the potentially huge financial impact of data loss on a business seems to do little to promote good governance when it comes to protecting information and has so far done little to encourage businesses to take greater information responsibility.

However, it’s not just the financial hit that businesses will need to take. A data breach could, potentially, be far more damaging to your business’ brand reputation and customer loyalty. With the use of social media in both a business and personal context on the rise, bad news now travels faster and further, meaning that even the smallest data breach can have serious consequences.

Managing data protection expectations
Before a business can put measures in place to protect its information, it first needs to assume responsibility and accountability for that data – wherever the information is stored. By law, companies are liable for the loss of their own data, even if the loss occurs while the information is stored with a third party. It is therefore up to businesses to scrutinise, mitigate and manage their own information risk supply chain, as part of their Corporate Information Responsibility (CIR) programme.

The proposed new EU data protection legislation will mean a big change for businesses. According to the draft legislation, businesses will have only 24 hours to notify regulators of a breach. This means that processes for identifying and reporting an incident will need to be slick and efficient. Monitoring data integrity is also a key area for businesses to address. This has become all the more complex thanks to the prevalence of social media and mobile devices. Knowing exactly what information you hold in both physical and digital formats could prove a real headache.

The legislation will force businesses to take action and not be complacent about data loss. It will bring significant positive changes to the way organisations monitor and handle information risk issues, but it won’t happen overnight. Examples of good practice are there to be followed. In Germany, for example, organisations are already obliged to make a member of staff responsible for data protection and for ensuring compliance with the law. The challenge will be to get all EU countries to pull in the same direction.

Data breaches must not be seen as inevitable. The proposed changes to EU legislation present a chance for companies to assess whether they have the right policies in place to prevent data loss; a chance to shore up defences, reduce exposure to information risk and showcase the business as a responsible custodian of sensitive information: a business that will take the necessary steps to protect the personal data that it holds on behalf of European citizens. When it comes to exposure to information leaks, businesses would do well to stop mopping the floor and think about turning off the tap instead.

Christian Toon, head of information risk at Iron Mountain

Article source: http://www.cbronline.com/blogs/cbr-rolling-blog/guest-blog-are-data-breaches-inevitable-in-a-digital-age-280213

How Much Does A Botnet Cost?

The cost of a botnet is contingent largely upon the physical location of the malware-infected computers inside of it. Therefore, a botnet containing only American or European machines is worth more than one with machines from less prosperous nations.

Security researcher Dancho Danchev recently profiled an underground botnet service and found that the market for botnets fueled by American machines is more lucrative than botnets consisting of an international hodgepodge of IP addresses. Specifically, American machines demand the highest price, followed by machines in Germany, Canada, and Great Britain, which are worth slightly more than zombie computers located within the larger European Union. The least expensive botnets are those that are made up of indiscriminately located machines.

American machines are more valuable, Danchev claims, quite simply because American consumers have more “online purchasing power” than their international counterparts.

If you are in the market for a botnet, this particular seller offers bottom-end packages of “world mix” IP addresses at a rate of $25 for 1,000 hosts, $110 for 5,000 hosts, and $200 for 10,000 hosts. In the next tier, confirmed EU-located machines sell at $50, $225, and $400 for 1,000, 5,000, and 10,000 hosts respectively. Above that are botnets with machines from Canada, Great Britain, and Germany costing $80 per 1,000, $350 per 5,000, and $600 per 10,000 machines. The going rate among top-of-the-line American machines is 1,000 zombies for $120, 5,000 zombies for $550, and 10,000 zombies for a cool $1,000.

This e-shop is, according to Danchev, another example of cybercriminals adopting legitimate business practices, in this case market segmentation, in order to increase their profits. The shop is also practicing a bit of vertical integration by offering SOCKS5 servers, which are actually just more malware-infected machines, as anonymous proxies to customers seeking discretion.

Article source: http://threatpost.com/en_us/blogs/how-much-does-botnet-cost-022813

Anonymous: 10 Things We’ve Learned In 2013

Anonymous continues to evolve. After launching online attacks against the Church of Scientology in 2008, Anonymous gained renewed energy with distributed denial-of-service (DDoS) attacks in 2010 against PayPal, MasterCard and other organizations it accused of blockading financial payments to WikiLeaks.

Since then, the loosely organized and chaos-loving hacktivist collective has continued stealing and dumping — doxing — data from businesses, government agencies and individuals that the group’s members disliked, gaining further notoriety with high-profile breaches of HBGary Federal, private intelligence firm Strategic Intelligence (better known as Stratfor), consumer electronics giant Sony and even an FBI transatlantic cybercrime coordination call. Along the way, a limelight-seeking spinoff, LulzSec, and subsequent re-merger in the form of Operation AntiSec helped further burnish the Anonymous brand.

At least, that is, until authorities caught up with alleged key members, leading to multiple arrests and convictions. Worst of all for Anonymous supporters, court documents revealed that founding father and LulzSec leader Sabu — real name: Hector Xavier Monsegur — had been busted by the FBI in June 2011 and within a day of his arrest turned informant. In short order, U.S. and British authorities claimed to have collared the ringleaders of the attacks launched against not just Sony and Stratfor, but numerous police departments and businesses. Far from being a group without a leader, authorities said, the Anonymous and LulzSec attacks had been carried out by a few key people, typically by exploiting known vulnerabilities in websites.

But with the alleged ringleaders facing jail time, the Anonymous brand didn’t seem to suffer. Notably, Anonymous groups in specific geographies, including Mexico, South America, France and beyond began promoting a more local and overtly political agenda.

In the United States, meanwhile, the group appeared to gain new impetus in January 2013, after Internet activist Aaron Swartz committed suicide. The co-founder of Reddit had been facing a potential jail sentence of at least 35 years after being arrested in 2011 for hacking the JSTOR academic database and downloading millions of articles that had been funded by the U.S. government, and which he planned to post for free. Ultimately, he never did so, and after agreeing to unspecified damages, as well as to delete all of the data he’d downloaded, officials at JSTOR considered the case to be closed. Federal prosecutors and the Massachusetts Institute of Technology, however, pressed ahead, ultimately charging Swartz — who’d long suffered from depression — with 13 felony violations.

In the wake of Swartz’s death, Anonymous focused its efforts on reforming an issue already near and dear to many members’ hearts: The 1986 Computer Fraud and Abuse Act (CFAA) law that’s often used to prosecute hackers, and punishing anyone it felt was responsible for contributing to Swartz’s death. Cue website defacements and takedowns.

Read on to catch up on the latest Anonymous developments.

Article source: http://feeds.informationweek.com/click.phdo?i=8e06d81881d7d340b50985b272a1e351

MiniDuke Espionage Malware Uses Twitter To Infect PCs

Security researchers have spotted an online espionage campaign that infects targeted systems with malware that’s only 20KB in size and controlled via Twitter accounts.

According to Russian security firm Kaspersky Lab and Budapest-based CrySyS Lab, which both discovered the attack code — named MiniDuke — the campaign appears to remain active, because recovered malware used by attackers was created as recently as Feb. 20.

“To compromise the victims, the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets,” according to an overview of MiniDuke published by Kaspersky Lab. “The PDFs were highly relevant and well-crafted content that fabricated human rights seminar information and Ukraine’s foreign policy and NATO membership plans.”

The malicious PDFs exploited a bug, since patched, in Adobe Reader versions 9, 10 and 11, which allowed the attackers to bypass Reader’s sandbox and install a small dropper, or downloader, onto the PC that gives attackers a backdoor for remotely accessing the now-compromised system.

The attack used the same zero-day vulnerability in Adobe Reader discovered by FireEye and first publicly detailed on Feb. 12, after the security firm spotted malicious PDFs disguised as a Turkish visa application. But it’s not clear if MiniDuke was launched by the same group, or whether it just purchased a crimeware toolkit from the same vendor that included an exploit for the vulnerability.

Interestingly, each MiniDuke backdoor is custom coded to work only on the targeted machine, meaning if it’s moved to a different PC it won’t execute. “This downloader is unique per system and contains a customized backdoor written in Assembler,” said Kaspersky Lab. “When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.”

“The backdoor is written in ‘old school’ assembler and is tiny by current standards — only 20 KB,” according to “The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor” research report released Wednesday by Kaspersky and CrySys Lab. “This is most unusual for modern malware, which can be several megabytes in size.”

After infecting a PC, the attack code first checks to see if it’s infected a desired system. If so, then the PC will surreptitiously contact Twitter accounts created by MiniDuke command-and-control (C&C) operators, which contain tweets that list encrypted URLs — in the form of hashtags — to which the infected PC can connect to receive further instructions. These instructions are received in the form of GIF files that are “disguised as pictures that appear on a victim’s machine,” according to Kaspersky Lab, and enable the downloader to then grab another executable — one recovered sample was a 300KB file disguised as a GIF — from a server in either Panama or Turkey. This larger piece of malware then serves as a platform for conducting cyber-espionage, including not just copying and removing files, but also running new malware and spreading malware onto other systems connected to the same network.

The malware includes backup capabilities in the event that Twitter can’t be reached or the malnet’s Twitter accounts get deleted, such as using Google to search for encrypted URL strings. “This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed,” said the Kaspersky report.

The malware’s creators have tried to make their attack code difficult to detect, in part by using disguised JavaScript. “The available malware samples are highly obfuscated, and compiled by a polymorphic compiler. The attackers were able to produce new variants with only a few minutes difference between compile times. Therefore, the number of distinct samples could be very large,” said a blog post from the CrySyS lab, which also released a report that includes more detailed information on the malware, as well as tips for how to spot PCs that have been infected.

Based on the logs of command-and-control servers accessed by researchers, MiniDuke has been used only in a small number of targeted attacks. To date, just 59 infected systems have been found in 23 countries, including the United States and much of Europe, as well as Brazil, Israel, Japan, Romania, the Russian Federation and Ukraine.

Article source: http://feeds.informationweek.com/click.phdo?i=595eb83ed073fb6b8e6e250aa4760633

China Targets U.S. In Hacking Blame Game

China Thursday upped the stakes in the China-America hacking blame game by accusing the United States of launching hack attacks against Chinese government networks. According to China’s defense ministry, Chinese military systems were subjected to 144,000 attacks per month throughout 2012, and 63% of those attacks came from the United States.

“The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years,” said ministry spokesman Geng Yansheng, Reuters reported. Geng’s comments were delivered in a monthly press briefing that’s closed to foreign reporters, and which was later distributed by the government.

China’s allegations came as a response to increased accusations from security experts in the United States that the Chinese government has been sponsoring a long-running online espionage campaign that targets private businesses.

Notably, security firm Mandiant last week released a report that accused the Chinese government of supporting multiple groups of advanced persistent threat (APT) attackers, and one particular group of having successfully compromised 141 businesses since 2006.

Although the group — dubbed Comment Crew by some security watchers, and APT1 by Mandiant — was first spotted in 2006, Mandiant’s report was the first to lay out voluminous evidence, albeit of a circumstantial nature, that attempted to link APT1 not just to China, but to the People’s Liberation Army (PLA) Unit 61398, which Mandiant described as an elite military hacking unit.

According to a statement released last week by China’s defense ministry, however, “the Chinese army has never supported any hackings.” Indeed, the Chinese government has repeatedly denied that it hacks foreign governments’ or businesses’ websites, and Chinese officials labeled Mandiant’s report “groundless both in facts and legal basis,” accusing the security firm of invoking the specter of Chinese attacks to drum up more business.

Chinese officials likewise dismissed last month an allegation by The New York Times that the Chinese government was responsible for hacking into the paper’s network and stealing a copy of every employee’s password. After the Times discovered the breach in November 2012, it hired Mandiant to conduct a digital forensic investigation. In January, based on research provided by Mandiant, the Times accused China — and in particular, APT group #12 — of having launched the attacks. The Wall Street Journal and Washington Post later said they’d also been targeted in similar attacks.

As the hacking accusations against China have increased, Chinese government officials have gone to great pains to emphasize that people in China are themselves regularly subjected to attacks launched from overseas. “In 2012, about 73,000 overseas IP addresses controlled more than 14 million computers in China and 32,000 IP addresses remotely controlled 38,000 Chinese websites,” foreign ministry spokesman Hong Lei said at a news conference last week, noting that the greatest number of attacks emanated from the United States.

Despite the increase in foreign attacks targeting Chinese systems, “Beijing has seldom accused other countries of launching the attacks,” said Wen Weiping, a professor at the School of Software and Microelectronics at Peking University, in a statement released by Xinhua News Agency, which is the official press agency of the People’s Republic of China.

Thursday, meanwhile, defense ministry spokesman Geng said that no Chinese soldiers are engaged in cyber warfare or online attacks, noting that Chinese “blue teams” participate only in military drills, “to enhance the country’s ability to safeguard cyber security,” according to a statement released by Xinhua. “Blue team” refers to the “good guys” in a military exercise, while the red team plays the enemy.

But Geng said China is working to improve its military cybersecurity capabilities. “Compared with military capabilities around the world, however, there is still a gap,” he said.

Speaking this week at the RSA conference in San Francisco, some information security experts said they expect China’s alleged cyber attacks to continue unabated.

In part that appears to be because high-level discussions on the topic have yet to agree on terminology, James Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS), told the conference. In particular, Chinese government officials who engage in proxy discussions with U.S. think tanks prefer to avoid discussing espionage, or even using the word “espionage” at all.

Article source: http://feeds.informationweek.com/click.phdo?i=affa8d0e773793f019166063e6fd72b2

Bank of America says data breach occurred at other company

Bank of America has blamed another company for a data breach that revealed internal emails related to monitoring of hacktivist groups including Anonymous.

A group affiliated with Anonymous, which calls itself the “Anonymous Intelligence Agency: Par:AnoIA” released what it claims is 14GB of data belonging to the bank and other organizations, including Thomson Reuters, Bloomberg and TEKsystems.

Email correspondence in the data suggests that TEKsystems was a contractor working for Bank of America and charged with monitoring public activity by hacker networks targeting the bank.

In a statement, Bank of America did not confirm it was working with TEKsystems, an IT consultancy that is part of the Allegis Group. But it said the data came from a third party. Bank of America said its own systems were not compromised.

“In this instance, a third-party company was compromised,” Bank of America said Wednesday. “This company was working on a pilot program for monitoring publicly available information to identify information security threats.”

Officials with TEKsystems and Allegis Group could not be immediately reached.

In a news release, Par:AnoIA said the data came from an unsecured server in Tel Aviv. “The source of this release has confirmed that the data was not acquired by a hack but because it was stored on a misconfigured server and basically open for grabs,” the group said.

Large corporations have become increasingly interested in monitoring social networks and hacker forums for indications that they may come under attack. Companies that specialize in that kind of monitoring have also been targeted by groups such as Anonymous.

HB Gary Federal, a California security consultancy, was compromised by Anonymous in 2011 after the company had researched the real identities of some Anonymous members. That breach disclosed emails describing a proposal to help Bank of America’s law firm, Hunton and Williams, discredit the whistle-blowing site WikiLeaks.

For its part, the banking industry has drawn the ire of Anonymous since it cut off payment processing of donations to WikiLeaks.

Par:AnoIA’s data dump includes a batch of more than 500 emails with brief reports on the Occupy Wall Street movement and hacking groups such as TeaMp0isoN and UGNazi. It also contained briefings on public releases of credit-card numbers. The sources for the information were public sources, including Twitter, Pastebin and The Pirate Bay, according to the emails.

The data also included a file listing four intelligence analysts who authored some of the emails, including three who work for TEKsystems and one who formerly worked for Bank of America.

Article source: http://www.itworld.com/security/345429/bank-america-says-data-breach-occured-other-company

Security gaps still exist 4 months after SC data breach

Full encryption of the department’s data is still months away.

COLUMBIA, S.C. — Four months after a massive data breach at the South Carolina Department of Revenue exposed millions of state taxpayers to identity theft, state government’s response to the hacking is incomplete and uncertain.

Full encryption of the department’s data files is months away from being finished, officials are waiting on a consultant to be hired to begin an overall security assessment, and lawmakers are waiting on the consultant’s report before deciding how much money to spend to further protect taxpayer data in all agencies.

And nervous taxpayers who have had 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses stolen have no assurance that the credit monitoring service offered to them free last year in response to the breach will continue after a year.

Meanwhile, the chairmen of two legislative committees that have spent months investigating the Department of Revenue breach say they don’t think state agencies made data security their top priority, especially before the hacking. The agency is responsible for collecting state taxes from income to sales.

“We did not focus on the risk that was there,” said GOP Rep. Bruce Bannister of Greenville, S.C., House majority leader and chairman of the committee. “I think the real takeaway from the Department of Revenue breach is we can’t continue to operate all the other agencies the same way.”

GOP Sen. Kevin Bryant of Anderson, S.C., chairman of a Senate subcommittee that investigated the breach, said the lesson he has learned from the hearings has been that state agencies will have to be forced to protect their data.

“One would think they would be scrambling and rushing to get their data protected, but they’re not,” he said.

Political issue

The issue is one that Democrats predict will stay with GOP Gov. Nikki Haley, who disclosed the breach Oct. 26 and has had to reverse her initial opinion that it couldn’t have been avoided.

“I think the data breach is going to ultimately stick with the governor because ultimately she is responsible for the Department of Revenue,” said Sen. Vincent Sheheen, a Democrat from Camden, S.C., who lost to Haley in the 2010 governor’s race and could run against her in 2014.

“It’s also, unfortunately, going to stick with the people of South Carolina, and that’s where the focus should be. We’re going to be experiencing this data breach for the lives of our children, and we need to be doing more to make sure it doesn’t happen again and to correct it.”


The governor’s spokesman, however, has a different view.

“From the beginning, Governor Haley harnessed the resources of law enforcement, the administration, IT experts, credit monitoring services and state business leaders — and worked with the General Assembly — to deliver South Carolinians the best protection available at the least cost and has fought every day since she learned of the attack to strengthen security and make sure we never find ourselves in this position again,” Haley spokesman Rob Godfrey said.

“This isn’t a political issue for the governor,” he said.

Lewis Gossett, president of the South Carolina Manufacturers Alliance, said he has been pleased at the response from Haley’s office to the breach and its outreach to the business community.

“They haven’t exactly inherited a smooth operation,” he said. “They are fixing things. And I think that is a big task.”

The September 2012 breach began the month before, when a Department of Revenue employee opened a phishing email that gave the attacker the employee’s login credentials and with them access to the department’s systems, experts have told lawmakers.

Over a period of weeks, the attacker patiently and methodically worked through the department’s systems by remote access, first with the employee’s stolen credentials and then with additional credentials harvested once inside, without the agency detecting it.

Then, over two days in mid-September, the attacker compressed the data into large archive files and transferred them out to the Internet. Mandiant, the security firm that investigated the breach for the Department of Revenue, said 74.7 gigabytes of data were stolen.

State officials didn’t learn of the breach until Oct. 10, when the federal Secret Service notified the state that it believed the Revenue Department’s system had been hacked.

For the next 15 days, state and federal investigators quietly pursued the case. On Oct. 26, Haley, after consulting with investigators, publicly disclosed the breach and moved to protect taxpayers by announcing they would be able to sign up for a one-year free credit monitoring service with Experian.

Since then, about 1 million people have signed up for the protection, which is costing the state $12 million.

Testimony conflicts

Haley initially told the public that the breach was sophisticated and couldn’t have been prevented.

But legislative hearings eventually found otherwise.

The Department of Revenue didn’t encrypt all of its data despite recommendations to do so from one of its former security officers, and didn’t use a multi-password system to control access to its data, two protections that experts said could have greatly reduced the chances of the breach.

Former Department of Revenue Director Jim Etter told senators that the password system would have cost the agency about $25,000.

The department also didn’t encrypt its laptops or desktops and didn’t use a free state network monitoring service over its entire network.

Scott Shealy, a former Revenue Department security officer, said security at the agency wasn’t a top priority.

In late November, Haley said security at the agency, part of her cabinet, wasn’t what it should have been. She announced then that Etter would resign by the end of the year.

“We should have done more than we did,” she said then. “We should have done above and beyond what we did.”

Other than credit card data, the state did not encrypt its stored data, because the IRS did not recommend encrypting all data, Social Security numbers included, Haley said.

She said then that the biggest lesson for her from the breach is that the state has to go beyond what others recommend and come up with its own protection plans.
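The two controls the hearings found missing, encryption of stored data and a multi-password login, are cheap relative to what a bulk copy of the files costs once it leaves. As an added example, not the Department of Revenue’s code and not what the IRS guidance prescribes, the Go program below does field-level encryption of a taxpayer record with AES-GCM from the standard library. Each ciphertext is bound to its record ID and field name as associated data, so a file dumped wholesale yields nothing without the key, and a Social Security number cannot be spliced into another record or column. The record layout, the record IDs and the in-memory key are assumptions for the example; in a real deployment the key comes from a KMS or HSM and is never stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed taxpayer record. Only the sensitive fields are
// encrypted, so the file stays searchable by name and record ID.
type Record struct {
	ID      string // return number; also bound into each ciphertext as AAD
	Name    string
	SSN     []byte // nonce || ciphertext || tag once sealed
	Account []byte
}

// Vault wraps the data-encryption key. Holding the raw key in memory here
// is an assumption for the demo; in production it comes from a KMS/HSM.
type Vault struct {
	aead cipher.AEAD
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The record ID and
// field name are authenticated but not encrypted, so a ciphertext moved to
// another record or another column fails to open.
func (v *Vault) Seal(recordID, field string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(recordID + "/" + field)
	return v.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails on any change to ciphertext, tag or AAD.
func (v *Vault) Open(recordID, field string, sealed []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(sealed) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	aad := []byte(recordID + "/" + field)
	return v.aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// SealRecord encrypts the sensitive fields of a plaintext record.
func (v *Vault) SealRecord(id, name, ssn, account string) (Record, error) {
	s, err := v.Seal(id, "ssn", []byte(ssn))
	if err != nil {
		return Record{}, err
	}
	a, err := v.Seal(id, "account", []byte(account))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Name: name, SSN: s, Account: a}, nil
}

// OpenRecord decrypts the sensitive fields, checking they belong to r.ID.
func (v *Vault) OpenRecord(r Record) (ssn, account string, err error) {
	s, err := v.Open(r.ID, "ssn", r.SSN)
	if err != nil {
		return "", "", err
	}
	a, err := v.Open(r.ID, "account", r.Account)
	if err != nil {
		return "", "", err
	}
	return string(s), string(a), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key never lives in the process like this
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec, _ := v.SealRecord("2011-000123", "Jane Doe", "123-45-6789", "052000113 000123456")
	ssn, acct, err := v.OpenRecord(rec)
	fmt.Println("round trip:", ssn, acct, err)
	moved := rec
	moved.ID = "2011-000999" // same ciphertext under another record ID
	_, _, err = v.OpenRecord(moved)
	fmt.Println("field moved to another record:", err)
}
```

The binding to record ID and field name is the part worth copying: without it, AES-GCM still protects confidentiality, but an insider with write access to the file can quietly swap one taxpayer’s bank account ciphertext into another’s record and the database will decrypt it happily. With a random 96-bit nonce per field, keep a rotation plan in mind once the number of sealed fields under one key runs into the billions.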

Haley ordered her cabinet agencies to use the state’s monitoring service, which was being upgraded to provide around-the-clock protection, and asked the state’s inspector general, Patrick Maley, to look at state government cybersecurity.

Security inadequate

After interviewing 18 chief information officers, the inspector general concluded that cybersecurity in agencies statewide was inadequate.

He recommended the state hire a consultant to develop a statewide security program and that the state create the post of chief information security officer.

It is now four months since the breach was revealed, and no official knows the cybersecurity vulnerabilities of every agency.

That’s because South Carolina’s government is largely decentralized. While the state’s Division of Information Technology can recommend security policies and procedures, agencies don’t have to follow them.

Last month, officials said the Department of Revenue completed installing the new multi-password system, which cost about $12,000, and began the process of encrypting all sensitive data, a process that could take 90 days.

The breach also sparked a lawsuit, filed by former GOP Sen. John Hawkins of Spartanburg, S.C., alleging that the state failed to protect taxpayers.

Circuit Judge G. Thomas Cooper has dismissed Haley and Etter, as individuals, from the suit. He still is considering a motion to dismiss the case against Haley’s office, the Department of Revenue, a private security company and the state information technology office.

Meanwhile, staffers of Bannister’s committee are studying Revenue Department computer logs to determine if employees who were supposed to be monitoring the logs missed any indicators of the breach.
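The indicator those staffers are looking for is the one the attack narrative above describes: weeks of quiet credential use, then 74.7 GB compressed and pushed out to the Internet over two days from an agency workstation. As an added illustration, not code from the article, the state or its investigators, the Go program below aggregates outbound bytes per host per UTC day from proxy-style log lines and flags a day that either exceeds an absolute cap or is many times that host’s own median daily volume. The log format, host names, destinations, thresholds and volumes are all constructed for the example; the two final days are sized to add up to roughly the stolen total.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Transfer is one outbound flow summary, in the shape a proxy or NetFlow
// collector might export. The layout is an assumption for this example.
type Transfer struct {
	When  time.Time
	Host  string
	User  string
	Dst   string
	Bytes int64
}

// SampleLog is constructed data, not the agency's logs. One workstation shows
// ordinary daytime volume, then a 700 MB late-night transfer to a new
// destination, then two nights of about 37 GB each to the same address.
const SampleLog = `
# timestamp host user dst bytes
2012-09-04T14:02:11Z host=dor-ws-17 user=jdoe dst=198.51.100.10:443 bytes=48000000
2012-09-05T09:12:44Z host=dor-ws-17 user=jdoe dst=198.51.100.10:443 bytes=52000000
2012-09-06T11:05:19Z host=dor-ws-17 user=jdoe dst=198.51.100.12:443 bytes=45000000
2012-09-07T15:30:00Z host=dor-ws-17 user=jdoe dst=198.51.100.10:443 bytes=55000000
2012-09-10T10:00:00Z host=dor-ws-17 user=jdoe dst=198.51.100.10:443 bytes=50000000
2012-09-11T23:41:08Z host=dor-ws-17 user=jdoe dst=203.0.113.50:443 bytes=700000000
2012-09-13T01:15:22Z host=dor-ws-17 user=jdoe dst=203.0.113.50:443 bytes=37400000000
2012-09-14T02:05:51Z host=dor-ws-17 user=jdoe dst=203.0.113.50:443 bytes=37300000000
2012-09-04T13:00:00Z host=dor-ws-03 user=asmith dst=198.51.100.10:443 bytes=41000000
2012-09-05T13:00:00Z host=dor-ws-03 user=asmith dst=198.51.100.10:443 bytes=39000000
2012-09-06T13:00:00Z host=dor-ws-03 user=asmith dst=198.51.100.10:443 bytes=44000000
`

// ParseLog reads the key=value lines above; blank and '#' lines are skipped.
func ParseLog(raw string) ([]Transfer, error) {
	var out []Transfer
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var ts string
		var t Transfer
		if _, err := fmt.Sscanf(line, "%s host=%s user=%s dst=%s bytes=%d",
			&ts, &t.Host, &t.User, &t.Dst, &t.Bytes); err != nil {
			return nil, fmt.Errorf("line %q: %w", line, err)
		}
		when, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, err
		}
		t.When = when
		out = append(out, t)
	}
	return out, nil
}

const (
	ReasonAbsolute = "exceeds absolute daily cap"
	ReasonBaseline = "exceeds ratio to host baseline"
)

type Alert struct {
	Host, Day string
	Bytes     int64
	Baseline  int64 // median daily bytes over the host's clean days so far
	Reason    string
}

// DetectExfil sums outbound bytes per host per UTC day and flags a day whose
// total exceeds absMax, or exceeds ratio times the host's median over earlier
// clean days once at least minDays of history exist. The cap catches the bulk
// dump; the ratio catches a smaller staging transfer the cap would miss.
// Flagged days are kept out of the baseline so one bad day cannot mask the next.
func DetectExfil(ts []Transfer, absMax int64, ratio float64, minDays int) []Alert {
	daily := map[string]map[string]int64{}
	for _, t := range ts {
		day := t.When.UTC().Format("2006-01-02")
		if daily[t.Host] == nil {
			daily[t.Host] = map[string]int64{}
		}
		daily[t.Host][day] += t.Bytes
	}
	var alerts []Alert
	for _, host := range sortedKeys(daily) {
		var history []int64
		for _, day := range sortedKeys(daily[host]) {
			total, base := daily[host][day], median(history)
			reason := ""
			switch {
			case total > absMax:
				reason = ReasonAbsolute
			case len(history) >= minDays && float64(total) > ratio*float64(base):
				reason = ReasonBaseline
			}
			if reason != "" {
				alerts = append(alerts, Alert{host, day, total, base, reason})
				continue
			}
			history = append(history, total)
		}
	}
	return alerts
}

func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func median(xs []int64) int64 {
	if len(xs) == 0 {
		return 0
	}
	s := append([]int64(nil), xs...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	if len(s)%2 == 1 {
		return s[len(s)/2]
	}
	return (s[len(s)/2-1] + s[len(s)/2]) / 2
}

func main() {
	ts, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectExfil(ts, 1<<30, 10, 3) {
		fmt.Printf("%s %s: %.2f GB out (baseline %.0f MB): %s\n",
			a.Host, a.Day, float64(a.Bytes)/1e9, float64(a.Baseline)/1e6, a.Reason)
	}
}
```

Run as written, it flags dor-ws-17 three times: the 700 MB night transfer on the ratio rule, then the two 37 GB nights on the cap; dor-ws-03 stays quiet. The point for a log reviewer is that a per-host daily total compared with the host’s own history is enough to surface a two-day, 74 GB transfer even with no signature for the tool that produced the archives, provided someone is actually watching the output.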

No arrests have been announced in the case.

Article source: http://www.usatoday.com/story/news/nation/2013/02/27/hacker-south-carolina/1951719/


Bank of America says data breach occurred at other company

Bank of America has blamed another company for a data breach that exposed internal emails about the monitoring of hacktivist groups, including Anonymous.

A group affiliated with Anonymous, which calls itself the “Anonymous Intelligence Agency: Par:AnoIA” released what it claims is 14GB of data belonging to the bank and other organizations, including Thomson Reuters, Bloomberg and TEKsystems.

Email correspondence in the data suggests that TEKsystems was a contractor working for Bank of America and charged with monitoring public activity by hacker networks targeting the bank.

In a statement, Bank of America did not confirm it was working with TEKsystems, an IT consultancy that is part of the Allegis Group. But it said the data came from a third party, and that its own systems were not compromised.

“In this instance, a third-party company was compromised,” Bank of America said Wednesday. “This company was working on a pilot program for monitoring publicly available information to identify information security threats.”

Officials with TEKsystems and Allegis group could not be immediately reached.

In a news release, Par:AnoIA said the data came from an unsecured server in Tel Aviv. “The source of this release has confirmed that the data was not acquired by a hack but because it was stored on a misconfigured server and basically open for grabs,” the group said.

Large corporations have become increasingly interested in monitoring social networks and hacker forums for indications that they may come under attack. Companies that specialize in that kind of monitoring have also been targeted by groups such as Anonymous.

HBGary Federal, a California security consultancy, was compromised by Anonymous in 2011 after the company had researched the real identities of some Anonymous members. That breach disclosed emails describing a proposal to help Bank of America’s law firm, Hunton and Williams, discredit the whistle-blowing site WikiLeaks.

For its part, the banking industry has drawn the ire of Anonymous since it cut off payment processing of donations to WikiLeaks.

Par:AnoIA’s data dump includes a batch of more than 500 emails with brief reports on the Occupy Wall Street movement and hacking groups such as TeaMp0isoN and UGNazi. It also contained briefings on public releases of credit-card numbers. The sources for the information were public sources, including Twitter, Pastebin and The Pirate Bay, according to the emails.

The data also included a file listing four intelligence analysts who authored some of the emails, three of whom work for TEKsystems and one of whom formerly worked for Bank of America.

All four have deleted their LinkedIn profiles, but the profiles still appear in Google’s cache. One analyst’s profile was live as recently as three days ago.

Par:AnoIA said its release also includes the application OneCalais, which collects unstructured information from news stories, blogs and research reports. The software is made by ClearForest, an Israeli company owned by Thomson Reuters. Officials with Thomson Reuters and ClearForest could not be immediately reached.

The compromised data also contained salary information on executives, although much of it appears to be publicly available.

Send news tips and comments to [email protected] Follow me on Twitter: @jeremy_kirk

Article source: http://www.pcadvisor.co.uk/news/security/3428949/bank-of-america-says-data-breach-occured-at-other-company/
