Archive for August, 2013

A Palestinian programmer Hacks Mark Zuckerberg’s Facebook Page

August 27th, 2013

Khalil Shreateh, an unemployed Palestinian programmer said he was attracted by the $500 bounty the social network giant, Mark Zuckerberg offers to those who voluntarily expose its glitches.

As Facebook ignored his first two reports, Shreateh took his message to the top and hacked into CEO Mark Zuckerberg’s personal page to prove his point.

Khalil wrote the Facebook CEO that he had no other choice after all the reports he sent to facebook were ignored and that he was not in Mark’s friend list and still he could post on his timeline. He was also sorry for breaking his privacy.

This successful attempt cost Khalil the bounty, but it earned him praise and many jobs offers coming his way for being able to hack Mark’s personal facebook page.

Khalil has been unable to find a job since he completed his graduation in Information Technology two years ago. He told Facebook found a way that allowed anyone to post on anyone else’s wall, just wanted to make a point to Mark Zuckerberg.

In a message posted to the Hacker News, a user-driven security news site, Facebook software engineer Matthew Jones said the initial report was poorly worded, although he acknowledged that the company should have pressed for more information.

“As a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great — though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those … provide some modicum of reproduction instructions.” said Jones in his message.

Shreateh said he was initially disappointed by the Facebook response but as the job offers started pondering from all over the world he is happy with how things worked out.

“I am looking for a good job to start a normal life like everybody. I am so proud to be the Palestinian who discovered that exploit in Facebook” He said.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

596 Houston patients’ information at risk

August 26th, 2013

A laptop containing information of nearly 600 orthopedic students was stolen from a doctor affiliated with the University of Texas Health Science Center at Houston.

The University of Texas Health Science Center at Houston, the most comprehensive academic health center in the UT System and the U.S. Gulf Coast region, is home to schools of biomedical informatics, biomedical sciences, dentistry,medicine, nursing and public health. UTHealth educates more healthcare professionals than any other health-related institution in the State of Texas.

Letters notifying about the theft were mailed to the patients 26 days after the un-encrypted laptop was stolen from a locked closet in the orthopedic clinic. The laptop was attached to an electromyography machine used by a member of the health science center’s medical practice group, known as UT Physicians. The investigation for the stolen laptop is still continuing, in conjuction with UT Police.

A letter signed by Andrew Casas, UT Physicians’ chief operating officer said “UT Physicians does not have any reason to believe that the information has been accessed or used by any unauthorized individual. We believe that the laptop may have been taken for the value of the hardware, not to gain access to its data content.”

As told by Casas, the stolen laptop contains patient names, birth dates, medical record numbers and hand and arm image data. It does not include addresses, social security numbers or insurance or other financial information.

He also requested the 596 affected patients to review their health insurance activity as a precaution and report in case of any suspicious activity.

The security breach is just the latest in the Texas Medical Center. Since 2010, there have been incidents at the UT Medical Branch at Galveston, UT M.D. Anderson Cancer Center, Houston Methodist Hospital and Texas Children’s Hospital. M.D. Anderson’s two breaches in 2012 involved the data of more than 32,000 patients.

The UT Houston health science center and physician group had previously encrypted more than 5,000 laptops, but not the laptop in question, said chief information security officer Amar Yousif. He described the computer as “not your typical laptop” because it uses a hard-to-obtain power source and propriety hardware and software. It was never attached to any wired or wireless network and its power cord is not missing.

A physical search of all clinics and offices is being conducted by UT Physicians to ensure there are no other un-encrypted laptops or storage devices attached to medical equipment, Casas’ says in a letter.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

UK estate agency Foxtons hacked

August 23rd, 2013

Famous UK estate agency Foxtons had to reset passwords of all its customers as a precaution, as it appeared hackers lifted thousands of clients’ usernames and passwords from the systems.

Hackers claimed to have leaked online user names, email addresses and passwords of nearly 10,000 Foxtons’ customers, resulting in a big data breach incident.

All the details were quickly leaked but assumptions were that the copies were made before this happened. The hackers failed to pull out credit card or bank details but they still gathered enough information of customers.

Writing to the affected customers, Foxtons said it was investigating the purported hack. In the meantime it had reset user passwords as a precaution.

Foxtons have been able to download the list of usernames and passwords that were posted and are currently running checks to determine its accuracy. They also assured all its customers that any sensitive information that they may have provided in relation to payments made through Foxtons is completely secure with the external payment providers.

However, immediate precautions had been taken to safeguard the accounts and an investigation was in progress. The affected customers will be contacted directly contacted by Foxtons’ team.

Foxton had also asked its customers to create new password once they login.

When Foxtons’ representative was asked whether the company salted stored passwords, a basic security practice, they declined to comment on any aspects of the incident and said that it may decide to issue a statement at some point.

“Tighter regulation might be needed to stem the growing list of data breaches. The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, is evidence that organisations are either not taking cyber security seriously or are bewildered by the problem. Regulation in this case is a necessity to alter corporate behaviour.” said Ross Parsell, director of cyber security at Thales UK.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

League of Legends suffers security breach

August 20th, 2013

League of Legends players were warned of a security breach, which was expected to result in the theft of some user data. Affected payers were sent notifications depending on how they were affected. This security breach led to the promotion of implementation of some new security features that are now in development.

According to the company, the data breach resulted in compromise of some usernames, email addresses, names and passwords. As the passwords were encrypted, the hacker will not be able to use them to access accounts, but could use the other information stolen to breach accounts.

About 120,000 transaction records dated in 2011 were accessed in this breach. These transaction records contained credit card numbers, and were part of a system that it says has not been used since 2011, when the records were produced.

Players located in North America were only affected in this breach incident, all of whom were asked to change their password within 24 hours and the new ones should be more complex and hard to guess. The requirement will follow an automatic prompt that appears when a player tries to log in, but gamers can get a jump on this by changing the password on their own now.

As a result of this breach, new security measures have spawned, two of which are currently being developed: email verification and two-factor authentication. The email verification will require registration and account changes to be made by verifying a valid email address, while two-factor authentication will need to be verified using a text message or email.

“We’re sincerely sorry about this situation,” Riot Games’ Marc Merrill and Brandon Beck said in a statement. “We apologize for the inconvenience and will continue to focus on account security going forward.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Hackers new target: Health Insurance data

August 18th, 2013

The work “health insurance” brings up images of medical bills to people’s mind, but for hackers it is a way to make dollars.

The packages of data on individual people, which include verified bank account numbers and credentials, Social Security numbers, and other personally identity information, are known in the underground as “fullz.”

When further packaged with custom manufactured documents, such as credit cards and driver’s licenses, the hacker merchandise is referred to as “kitz,” each of which sells for between $1,200 and $1,300 a piece.

Don Jackson, Senior Security Researcher for Dell SecureWorks’ Counter Threat Unit said “Selling fullz and kitz aren’t new, but the selling of kitz, which is focused on health insurance credentials and all the other supporting credentials and documents needed to use those stolen health insurance credentials, is a new trend. Selling credentials by themselves does not have enough value, as those other credentials are needed to obtain medical services.”

The fullz is sold at comparatively less price, about $500 each based on the information included – full names, addresses, phone numbers, email addresses with passwords, and so on. Health insurance credentials are priced $20 each, with an additional $20 added whenever there is a dental, vision, or chiropractic plan associated with the health plan. Other data such as U.S credit card with CVV code is priced at $1 to $2, or $20 to $200 for a PayPal account with a verified balance.

“The health insurance information is being used to get free medical services. Theft of medical services, including doctor visits, drugs, and surgeries, are the primary goal for buying these stolen credentials” said Jackson.

He further commented “We have seen the cost of health insurance and the cost of medical services continue to rise. As such, we have seen more demand for stolen health insurance data and the associated credentials needed to use the health insurance, such as physical documents like the insurance card, the driver’s license, the SSN, address, payment card, etc. There is definitely an increase in the buying and selling of information like health insurance contracts. So the selling of kitz with this type of information, like health insurance credentials, is on the rise, and that is a new trend.”

Jackson has not identified exactly who was behind the underground marketplaces hawking the data, but he is sure about the fact that the criminals are located in the U.S.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Largest Data-Breach Scheme in U.S.

August 15th, 2013

Five hackers were charged in the largest hacking scheme ever in U.S. history. It was a break-in to computers of retail chains that included 7-Eleven Inc. and Carrefour SA (CA), said the French retailer.

This hacking scheme targeted the Nasdaq OMX Group Inc. (NDAQ) and 800,000 bank accounts at Citigroup Inc. (C) and PNC Financial Services Group Inc.

Paul Fishman, the U.S. attorney in New Jersey said “In this worldwide scheme that targeted major corporate networks, the hackers stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses”.

He further commented “this type of crime is the cutting edge. Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security.”

“Sniffer” programs were used to steal credit card information, by targeting companies that processed financial transactions and retailers that received and transmitted financial data.

According to an indictment unsealed in federal court in New Jersey, “The five men operated ‘a prolific hacking organization’ that penetrated the secure computer networks of several of the largest payment-processing companies, retailers and financial institutions in the world”.

 

The data stolen by the hackers, known as “dump”, was sold to “dumps resellers”, who then sold it to organizations or individuals through online forums.

The men encoded the data into the magnetic strips of blank plastic cards and withdrew money from automated teller machines and made credit-card purchases, the U.S. said.

“Financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to identity-theft victims,” according to the indictment.

The hackers used the stolen data to create ATM cards, which were used to withdraw $2.9 million from Citibank accounts. Back in 2008, Citibank’s online banking website was attacked by use of a computer program, it resulted in the theft of account information of more than 300,000 accounts. That data was also stolen to create ATM cards and it led to theft of $3.6 million.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Paper records results to most VA data breaches

August 12th, 2013

According to Stephen Warren, VA Acting Assistant Secretary for Information and Technology, paper based records are the leading cause of data breaches at the Department of Veterans Affairs.

Warren briefed stated that up to 98 percent of data breach incidents still continue to involve “physical paper”, whereas the theft of patent information contained in electronic devices is very rare and steady now.

Problematic paper records include documentation misplaced, mishandled or improperly mailed by agency employees – such mistakes takes place hundreds of times every month, as suggested by VA’s data breach report over the three-month period. Vetran’s personal information such as Social Security numbers, address, compensation and pension claim ratings is exposed publicly.

Warren said instances where veterans’ information is not kept private are undesirable, but he said that the error rate of VA is very low considering its large number of patients. It has the best error rate in the health care industry for mishandling and it sends millions of packages per month. Patients that experience privacy issues are frequently offered credit protection services from VA.

Warren said “We are constantly reinforcing the fact” that health care matters, emphasizing that every data breach report is investigated and analyzed. In 2008, The VA’s Data Breach Core Team was created, in order to review monthly data breaches they make use of key players in several of the department’s components, assessing risk based on National Institute of Standards and Technology-developed standards.

During this three month period, most data breach incidents were rates as low risk, none were classified as high risk.

Six personal computers and 27 laptops were reported missing between April and June, three of which were not encrypted. Based on the reports, the stolen or misplaced electronic devices did not have access to VA’s network, so it does not appear that private information, with the potential exception of the names of some veterans, was compromised.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Data loss: Companies lost 44 million records this year

August 10th, 2013

Data loss will probably always be one of the major security threats, over past four years companies have lost an estimated 1.1 billion records and some 44 million records this year alone.

Data loss and data breach are two different terms. In a data breach, data is intentionally accessed for malicious reasons. But data loss can be caused by employees who have no intention of causing a security incident.

Data can be taken out of a company in case of a breach, or employees might steal it without being noticed. Educating employees on the dangers of data loss, and ensuring that the proper policies are in place in the event that an employee leaves the company, are important steps to take to ensure your data is secure. These four prevention policies can protect your company from data loss incidents.

Be sure to implement these four policies to stay secure:

  • Policy # 1: Put departing employee protocols in writing.

When an employee is about to leave the company, have a written agreement ready that explains what data he can and cannot leave the company with. Once it is in writing, the employees can not pretend that they did not know what data was confidential.

  • Policy # 2: Make sure employee computers are wiped clean.

Do not rely on the employee to do a comprehensive wipe of their own device. It is important that company IT employs do their own best practices to ensure data is removed from devices as they leave the company.

  • Policy # 3: Create mirror images of employee data.

Security and IT department should make a mirror image copy of employee’s data before he/she leaves the company. This will give your team the ability to confirm the source of data loss.

  • Policy # 4: Apply PC encryption software.

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Data Stolen Again at Department of Energy

August 8th, 2013

The U.S. Department of Energy (DOE) was hacked again. The employees were notified by the government agency via email that the attackers gained personal information of 14,000 current and former employees, information including names and Social Security Numbers were compromised as per the Wall Street Journal.

This cyber attack was second this year, DOE was also hacked in February. But this is not the only government entity that’s shown itself vulnerable. Back in May, the U.S. Department of Labor’s website was also hacked and malicious code was placed on the site in this attack.

“The Department’s Cybersecurity office, the Office of Health, Safety and Security and the Inspector General’s office are working with other federal law enforcement to obtain information concerning the nature of the incident. No classified data was targeted or compromised. Once the full nature and extent of this incident is known, the Department will implement a full remediation plan.” the memo, which the Journal obtained, said.

Director of security research at Lancope, Tom Cross, told that in order to impersonate the employees in phishing attack or to steal their access credentials, attackers target information about the employees.

“Organizations need to move beyond thinking about computer attacks as involving exploit code and malicious software. Sometimes, the attackers log right in using employees access credentials and then proceed to access information on the network without using any custom malware. A defensive strategy that focuses exclusively on detecting exploits and malware cannot detect this sort of unauthorized activity.” he said.

Anthony DiBello, strategic partnerships manager, Guidance Software, said “this will not be resolved without a complete forensic analysis of the compromised system and this process may or may not have already started”.

“After a breach, an organization should take the time to learn what happened, and leverage the lessons learned to improve their systems. Otherwise, they may leave themselves vulnerable to another, similar attack,” he added.

Gidi Cohen, CEO of Skybox Security, commented that to minimize the risk of attacks from hackers and to identify them quickly, organizations need real-time visibility.

He further added “these remedies are far less expensive than undoing the damage a breach can cause from a financial standpoint, reputation and in this case, possible loss of highly confidential information. Next time, it may not just be Social Security and payroll information that these attackers are after, but information that could impact the safety of the American people.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Legal disputes over data theft rising

August 6th, 2013

The number of High Court legal disputes over the data theft from businesses has reached a record high, as the popularity of cloud storage services making it easier for confidential data to be stolen.

According to commercial law firm EMW, last year there was a growth by 58 percent of legal disputes taken to the High Court, with 167 cases during 2012, up from 45 in 2010 and 106 in 2011.

The majority of these cases are civil claims against former employees launched by businesses, with the aim of preventing them from taking confidential data from company database.

Popularity of cloud storage systems such as DropBox has made it easier for employees to steal information outside the business. This is one of the reasons for the increase in businesses taking action against employees, said Mark Finn, principal at EMW.

Finn said “The boom in cloud computing and the widespread use of services like Dropbox have made copying a large database something that can be accomplished by virtually anyone in seconds”.

Finn added that many of the cases which have appeared in court have concerned financial services firms, estate agents and recruitment businesses which have had databases of contacts taken over to rival firms by their employees. This has become more of a problem as the tough economic climate of the past years has meant that more staff has been moving from one company to another.

“Employment contracts are generally very clear on this issue – all know-how, databases and other forms of intellectual property developed by staff during their work time is the property of the employer. Occasionally, disgruntled staff may misguidedly feel they have a ‘moral right’ to take data they have developed. This simply is not the case” he said.

“As the economy improves and businesses increasingly see employees leave to join rivals, they will have no choice but to undertake potentially lengthy and costly legal action to protect their interests”.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta