Archive for March, 2013

Data breaches all too common

LIMA — Last month, Allen County officials learned that more than 1,100 county employees had personal information, including Social Security numbers, accidentally available on the Web.


While the county took the information down within minutes of learning about it, the deed was done, so to speak. While there has been no evidence that any of the data contained in the breach were misused, the county did purchase LifeLock memberships for all employees and the few retired employees affected by the data breach. LifeLock is a company specializing in preventing identity theft.

By all accounts, the data disclosure was simply an accident.

“It wasn’t something that someone maliciously did,” Allen County Commissioner Cory Noonan said.

Unfortunately, this is a common story that happens on a fairly regular basis across the nation.

Often, the situation involves a missing or stolen laptop containing personal information.

For example, last year a NASA employee had a laptop stolen from a parked car. The laptop contained unencrypted files of more than 10,000 NASA employees, including Social Security numbers and background check details. In North Carolina last year, five laptops disappeared from a county board of elections with information on more than 71,000 voters. Also last year, about 800,000 people had their personal information jeopardized from the California Department of Child Support Services when several computer systems were lost in shipping.

Another way government data is breached is through intentional hacking.

A hacker group calling itself SpexSec hijacked 110,000 records from a school system in Tennessee in June. Hackers also gained access to a Navy system last year compromising the personal information of more than 200,000 Navy personnel. In South Carolina last year, a former employee stole the personal data of more than 228,435 Medicaid beneficiaries. In Utah, Eastern European hackers stole 780,000 Medicaid records and information for the state’s Children’s Health Insurance Program.

Also last year, the largest cyberattack against a state government put 75 percent of South Carolina’s population at risk for identity fraud when a hacker stole a database from the state’s Department of Revenue.

In a case similar to what happened in Allen County, though on a much larger scale, the Wisconsin Department of Revenue accidentally posted Social Security numbers of more than 110,000 people and businesses on line. This was the fourth such incident in Wisconsin since 2009.

Finally, in one of the more bizarre security breaches of last year, paradegoers at the Macy’s Thanksgiving Day Parade had shredded strips of paper raining down on them that were readable and contained details about serving police officers, including their names, Social Security numbers, and bank details, as well as references to crimes in the area.

The fact is that in today’s data-driven society, even governments are not immune from data breaches.

Area government officials are reluctant to talk about such things. Or, as one county official put it while refusing to go on the record, part of their security measures include remaining silent about their security measures. Nor do they want to talk publicly about computer security lest hackers take it as a challenge to target them.

Even in Allen County, officials were vague about what happened and how long the data was publicly available.

“There’s nothing to hide,” said Jay Begg, Allen County commissioner. “It’s just that we want to be sure employees’ identities and information are protected before we tell everybody what happened.”

There are steps government agencies as well as businesses can take to prevent such data breaches.

Todd Thiemann, senior director of product marketing at Vormetric, a data security company, said agencies don’t need to secure everything.

“One of the first things that government agencies need to do … is understand where that sensitive information might be,” he said. “Then you put security around as close to that data as possible.”

He said the best thing agencies can do to supplement the firewalls and other perimeter security they have in place is to encrypt sensitive data and closely monitor the activity surrounding that data. Additionally, the security should be at the file level.

Such security saves money in the long run.

“In Allen County, the total cost of remediating the breach was $25,o00,” he said. “There are solutions out there that could cost less than that.”

Also, adopting the approach of giving employees just enough access to do their jobs and no more would reduce the chance of inadvertent disclosures, such as what happened in Allen County.

Identity theft professionals caution everyone to remain vigilant in monitoring their personal data. People should visit http://annualcreditreport.com to get free copies of their credit reports from the three major credit bureaus. Those who believe their information has been breached can place a fraud alert on their credit reports.

Article source: http://www.limaohio.com/news/local_news/article_86bf5860-98bb-11e2-80a1-0019bb30f31a.html

,

No Comments

Huawei Network Security Becomes Issue in Sprint Softbank Merger

NEWS ANALYSIS: An agreement between U.S. law enforcement and wireless companies to drop Huawei from list of acceptable  telecom vendors may look like paranoia, until you look a little deeper.

To say that government officials in Washington are paranoid about Chinese spies would be incorrect. After all, as the saying goes, it’s not paranoia if they really are out to get you. This is very much the situation in Washington, and it explains a lot about why a number of government agencies and members of Congress are insisting that Softbank and Sprint not use equipment from Chinese manufacturer Huawei when their merger goes through.

The pending agreement, which was reported in the New York Times on March 28, makes it clear that approval of the merger hinges on meeting national security concerns. For its part, Softbank has reported that it has already excluded Huawei from wireless networks it builds in Japan. Sprint does not use Huawei in its own networks, but does in its Clearwire subsidiary. Sprint has agreed to replace the existing Huawei telecom equipment at Clearwire.

So what’s fueling this heightened level of concern in Washington? The fact is that the Chinese government is already doing everything it can to infiltrate its spies into every walk of life in this region. There are restaurants in Washington’s Chinatown that are owned indirectly by the Chinese government and are used as places to gather information as well as to serve as conduits for infiltration. These places, which have been raided by Immigration agents on several occasions, serve as safe houses for Chinese staying in the U.S. illegally.


Click here

On March 25, a Chinese national was sentenced to prison for stealing secret navigation technology used in cruise missiles, drones and smart bombs. A few days before that, another Chinese national was caught at Washington Dulles International Airport by the Department of Homeland Security and the FBI while trying to flee the U.S. with his luggage stuffed with hard drives and flash drives containing secret rocket and other weapons technology stolen from NASA where he worked as a contractor. The same person had been suspected of illegally taking technology secrets to China on previous trips. This time, he was leaving with a one-way ticket.

A few months before that, and FBI sting caught Chinese spies in action trying to steal secrets in the Pentagon parking lot. A tape of the operation was broadcast on the CBS news program “60 Minutes,” and resulted in prison time for the Chinese spy involved and for his American counterpart.

The Chinese intelligence effort seems to spare nothing in its efforts to penetrate the U.S. government. National Journal reporter Bruce Stokes told Washingtonian Magazine that Chinese intelligence services impersonated him by spoofing his email.

Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/hdP4kEgVCMg/

,

No Comments

US Companies In China Distrust Cybersecurity Efforts And Claim Data Breaches

U.S. companies with operations in China are weary about cybersecurity and 90 percent of them distrust China’s cloud computing services, according to a new report from a business support lobby in Beijing.

Article source: http://www.ibtimes.com/us-companies-china-distrust-cybersecurity-efforts-claim-data-breaches-1161119

,

No Comments

Fired Tooele County worker sent employee SSNs

TOOELE Tooele County officials have recovered employee data after a security breach led to employee Social Security numbers being sent to a former county employee.

The employee, Shane Brozovich, had been terminated on March 12 and requested a copy of his personnel file from the county’s human resources department. The department copied the file to a CD and gave it to Brozovich on March 18, but later found that two insurance documents, one from 1996 and one from 1997, had been included on the CD.

The documents contained the names and Social Security numbers of current and former employees of the county. When the county asked Brozovich to return the file, he initially declined, according to county officials.

Article source: http://www.ksl.com/?nid=148&sid=24572239

,

No Comments

New Zealand Earthquake Commission Acknowledges Data Breaches

Following a disclosure on March 22nd that a privacy breach at New Zealand’s Earthquake Commission (EQC) had exposed the personal information of 9,700 claimants, the EQC has now stated that information was exposed regarding all 83,000 people who filed 98,000 claims following the February 2011 Christchurch earthquake.

The EQC’s Web site is currently unavailable, with a statement reading simply, “The Government has requested the Earthquake Commission shut down all its external email systems and Internet while a review of our systems is undertaken.”

According to the EQC’s initial statement regarding the breach, the information was mistakenly e-mailed to someone outside the EQC who was not the intended recipient.

According to Radio New Zealand, the recipient used the EQC’s online complaints system to let them know that he’d received the information. The recipient did apparently agree to destroy the information he’d received, which included claim numbers and street addresses, but not customer names.

“I am really disappointed that this breach has occurred,” EQC chief executive Ian Simpson said in a statement. “I apologize unreservedly that private customer information was sent to the wrong person. I want to assure our customers that every effort will be directed at ensuring this doesn’t happen again.”

Unfortunately, that wasn’t the end of it — yesterday, a second breach was disclosed, in which a spreadsheet containing 2,200 names and other information regarding $23 million in checks was sent to the wrong person. Radio New Zealand reports that Simpson said in response to the second breach, “We moved as quickly as we possibly could to address the issues that came around last week. But clearly, more dramatic steps are required.”

Article source: http://www.esecurityplanet.com/network-security/new-zealand-earthquake-commission-acknowledges-data-breaches.html

,

No Comments

Utah lawmakers approve money to extend ID theft protection for health data …

Post Contributor Badge

This commenter is a Washington Post contributor. Post contributors aren’t staff, but may write articles or columns. In some cases, contributors are sources or experts quoted in a story.

Article source: http://www.washingtonpost.com/business/utah-lawmakers-approve-money-to-extend-id-theft-protection-for-health-data-breach-victims/2013/03/28/80c52e5a-97c9-11e2-b5b4-b63027b499de_story.html

,

No Comments

Credit monitoring extended for data breach victims

Victims of a massive Utah health department data breach are getting another year of identity theft protection.

The Salt Lake Tribune reports ( http://bit.ly/YIavL3) state lawmakers approved $1 million to extend credit monitoring for a second year. The health department has also received $300,000 to hire information technology staff to strengthen and enforce data security procedures.

State officials announced in May that hackers broke into a government server and stole the personal information of about 780,000 people, including the Social Security numbers of about 280,000.

Utah’s chief technology officer resigned in the wake of the theft.

___

Information from: The Salt Lake Tribune, http://www.sltrib.com

Article source: http://www.heraldextra.com/news/state-and-regional/utah/credit-monitoring-extended-for-data-breach-victims/article_c3cae5dd-587e-51a2-a97c-41c8813b26ad.html

,

No Comments

US Companies In China Distrust Cyber Security Efforts And Claim Data Breaches

U.S. companies with operations in China are weary about cybersecurity and 90 percent of them distrust China’s cloud computing services, according to a new report from a business support lobby in Beijing.

Article source: http://www.ibtimes.com/us-companies-china-distrust-cyber-security-efforts-claim-data-breaches-1161119

,

No Comments

Difficult Path To Certification Of Data Breach Classes

Law360, New York (March 29, 2013, 11:57 AM ET) — On March 20, 2013, the United States District Court for the District of Maine denied a motion brought by plaintiffs in In re Hannaford Brothers Company Data Security Breach Litigation that would have allowed the suit to proceed as a class action. The decision, which concluded that plaintiffs had failed to meet the predominance requirement of Federal Rule of Civil Procedure 23(b)(3), demonstrates the difficulty of certifying a class in the data breach context, where claims often turn on individual issues of causation and damages. Perhaps…

Article source: http://www.law360.com/classaction/articles/428415/difficult-path-to-certification-of-data-breach-classes

,

No Comments

Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware

Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser’s home page and redirect a Web session to an attacker’s page.

There are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.

Microsoft detects the file, which is spreading in emails, as Trojan:Win32/Preflayer.A. The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yanex to either anasayfada[.]net or heydex[.]com. 

“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,” said Jonathan Jose, an antivirus researcher at Microsoft.

When a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn’t entirely visible because of the lack of a scroll bar. Jose said by highlighting the text, you’re able to read it to the end and notice a condition that states the user’s home back will be changed

“Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change the browser’s start page,” he said.

Should the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains were for the new start pages, as well as the domains hosting the malicious Flash update were created within the last six months, including one on March 4 that hosts the Flash executable.

Jose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.

“It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week,” he said. “Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.”

Commenting on this Article will be automatically closed on June 29, 2013.

Article source: http://threatpost.com/en_us/blogs/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913

No Comments