Archive for September, 2013

Adobe hack: 2.9 million customer data at risk

September 30th, 2013

Adobe recently discovered that it had suffered sophisticated attacks on its network that led to the theft of personal information, including payment card information, belonging to 2.9 million customers, as well as source code for multiple Adobe software products such as ColdFusion, ColdFusion Builder, Adobe Acrobat and some more.

Brad Arkin, chief security officer of Adobe, said: “Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.”

Arkin further added “Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident”.

“Over 40 Gigabytes in encrypted archives have been discovered on a hackers’ server that appear to contain source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products. It appears that the breach of Adobe’s data occurred in early August of this year but it is possible that the breach was ongoing earlier,” the security firm Hold Security said in a post.

Adobe’s Arkin says the company is not aware of zero-day exploits or other specific threats to its customers due to the source code theft. “However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,” he says.

All Adobe customers affected by this data breach will be informed and advised to change their passwords. The company is also alerting customers whose credit and debit card information was stolen. The one piece of news that brings the company some relief is that the financial information was encrypted.

The company is working with “federal law enforcement” to assist in the investigation of the hacks.

Cybersecurity journalist Brian Krebs wrote on his blog, KrebsOnSecurity.com, on Thursday that the two men discovered the code while investigating breaches at Dun & Bradstreet Corp, Altegrity Inc’s AGRTY.UL Kroll Background America Inc and Reed Elsevier’s LexisNexis Inc.

The hacking team’s server contained a large amount of code that appeared to be source code for ColdFusion and Adobe Acrobat. Shortly after that discovery, KrebsOnSecurity shared several screenshots of the code repositories with Adobe.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

145K job applicants affected by Virginia Tech data breach

September 28th, 2013

Information on about 145,000 job applicants at Virginia Tech was exposed in a data breach by hackers. A mistake allowed a cyber attack to compromise a computer server in the university’s human resources department, said Larry Hincker, Virginia Tech spokesman.

Individuals affected by this data breach incident include applicants between 2003 and 2013. The compromised data includes names, addresses, employment and education history. In the case of about 16,650 individuals, the compromised data includes driver’s license numbers.

“Faculty applicants are asked to provide minimal information on the online application, so no employment or education history was on the server. For staff applicants, employment and education history was on the server,” a Virginia Tech news release said.

According to a statement from the university, no Social Security numbers or dates of birth were compromised in the incident. Lawrence Hincker, associate vice president for university relations at Virginia Tech, blamed the breach on a process failure.

“The server was placed in service without our normal cyber protection protocols,” thereby allowing illegal access to the data, Hincker said in an email.

The university said that someone illegally accessed the server and the data it contained. In many cases, such data compromises go unnoticed until the breached entity is notified by law enforcement, credit card companies or victims.

Hincker commented: “Mitigation in this instance means ensuring that people with responsibility for placing equipment into service follow standard procedures.”

All victims whose driver’s license numbers were compromised have been notified of the breach, the university said.

Under Virginia law, driver’s license numbers and employment data are considered protected financial information. Organizations that suffer a breach involving such data are required under state law to issue a public notification.

In recent years, hundreds of universities and millions of data records have been compromised due to what security analysts say are poor security practices. The number of data breaches involving universities and other institutes of higher education does appear to be declining though.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Organisations fear Data Theft from old laptops

September 25th, 2013

Many companies give or sell their old laptops to the computer firm from which they buy new ones. The computer firm, such as Dell, then sells them to a firm that refurbishes laptops, which in turn sells them on eBay.

These companies sometimes do not wipe the data from the laptops themselves, assuming that the computer firm will do it. But sometimes the data wiping falls through the cracks.

That is what recently happened to U.K. film maker Glenn Swift, who returned a faulty Acer laptop to Sainsbury’s, where he had originally bought it. Sainsbury’s told Swift that they needed to return the laptop to the manufacturer to have it fixed.

“But then, six days later, out the blue, I received an email from a gentleman who informed me he had just purchased a second-hand laptop on eBay. It still had my profile on it and he asked for my password to allow him to unlock it. Alarm bells started ringing,” Swift said.

Swift said: “It was then I realised just how much information a Windows 8 profile can access. When you first use it you have to set up a profile. If you are an existing user your profile is automatically downloaded to the new computer – apps, settings and passwords, Facebook, Twitter, Yahoo, BlackBerry, Gmail, etc. all your information, accessible in one single place.”

Swift did not give the person the password, but contacted Sainsbury’s, who informed him that they had returned the laptop to the manufacturer for diagnostics. If the manufacturer further sold the laptop, it would first be refurbished and the data wiped, they told him.

In Swift’s case, however, police warned him that he was vulnerable to identity theft, so he started changing his passwords.

While Swift’s case involved an individual laptop, similar risks await organizations that return used laptops to a computer firm, trusting that the firm will wipe the data.

IT security researcher Graham Cluley advised: “To prevent data from getting into the wrong hands, enterprises should ensure all laptops have hard disk encryption and that a complete erasure of data, including multiple passes across the hard drive, is performed before the used laptop is turned over to a third party.”

7 laptops stolen from Tulare Salvation Army

September 23rd, 2013

Seven laptops were stolen from the Tulare Salvation Army computer lab. The laptops were used by local youth to enroll in college classes and adults to learn English.

Salvation Army Capt. Harold Laubach said “the computers were also used by some young people to apply for jobs online and during tutoring sessions for middle and elementary school students. All of a sudden teens don’t have access to college enrollment”.

The laptop theft took place during the daytime, when the Tulare Salvation Army received help from a number of different people in the community.

“One you steal from a church but two you steal from a charity that’s also a church and where are we supposed to go find more money to buy more computers and that’s the bad part you know-stealing is stealing you know but you steal from a charity that provides computers for free?” Laubach said.

After this theft, the Salvation Army doesn’t have enough computers now to run its adult language classes or open up the lab for youth group sessions. Laubach says a lot of teenagers come in to use the computers because they don’t have internet access at their place.

The Beaumont Foundation had donated these laptops, along with dock stations, screens, keyboards and other accessories, to the Salvation Army. While they weren’t new, the computers were getting plenty of use with the tutoring, college enrollment, online job application and ESL classes. Three months ago, a server that provided Internet access was installed.

“They outfitted the place. Internet access was set up and use picked up. The teens don’t have anything to work on” he said.

Tulare Police Sergeant Darron Altermatt said the theft is under investigation. No arrests have been made. Police estimated the value of the laptops at $100 each.

The computer lab was empty. Computer monitors were dark. Keyboards were unhooked and cords’ connections sprawled about.

To the electronics thief, Laubach said: “They’re hurting people who came to the lab. I hope they can sleep at night.”

Stolen laptop with 9/11 pictures still missing

September 21st, 2013

More than six years ago, a city medical examiner’s laptop was stolen, The Post has learned. It contained 200 to 300 sensitive photographs of body parts from 9/11 and other victims, and the laptop is still missing.

Frank DePaolo, the ME’s director of special operations, left the laptop, which also contained photos of Staten Island Ferry crash victims as well as city disaster plans, in his city-issued Chevy Tahoe while attending a meeting downtown in April 2007.

A burglar broke into Frank’s SUV and took the laptop as well as two bags that he dropped while pedaling away on a bike.

Using a DNA swab from one dropped bag, cops busted Jeffrey Davis four months later, but investigators have not been able to recover the laptop to date, said Joan Vollero, a spokeswoman for the Manhattan District Attorney’s Office.

The possibility that hundreds of morgue photos remain lost angers 9/11 victims’ relatives.

Sally Regenhard, whose firefighter son, Christian, died on Sept. 11, 2001, said: “Who on earth would leave a laptop clearly visible in a car with the most sensitive materials and compromise the dignity and privacy of crime victims who met such a brutal death?”

“No identifying information about any victims was on the laptop,” said ME spokeswoman Ellen Borakove.

However, a memo by the city Department of Investigation, released to The Post, says the laptop had “pictures and names” of Staten Island Ferry victims and “pictures of the City Hall shooting, 2003” in which City Councilman James Davis and his killer, Othniel Askew, were shot dead. The department memo cites “9/11 material and pictures” on the laptop. Officials refused to comment on this.

After the theft, the ME’s office tightened security for new laptops, allowing systems to locate and remotely delete sensitive data on missing or stolen computers, the department memo says.

When 9/11 relatives first learned about the disturbing theft in The Post, then-Chief ME Charles Hirsch wrote them a letter saying the laptop had “some images of bone fragments but none linked to a named victim.”

He said DePaolo did nothing wrong, and he used the laptop to work at home and give lectures on the World Trade Center recovery.

Health Data Breach: St. Mary’s Janesville Hospital

September 18th, 2013

St. Mary’s Janesville Hospital of Wisconsin sent notice to 629 patients informing them about the recent data breach in which an unencrypted laptop was stolen from an employee’s car.

Now that this health data breach involving the theft of an unencrypted laptop has been reported, healthcare organizations will start thinking about strict policies for encrypting and storing devices, such as laptops, that contain health information.

Health information of 629 patients was stored on the laptop. It may have included information such as medical record, patient name, date of birth and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results and vaccines. Information that was not compromised included Social Security numbers, addresses, credit card numbers and financial information.

According to PHIPrivacy.net, St. Mary’s Janesville Hospital published a notice on its website explaining that the stolen laptop was not encrypted, which was against its security policies.

In a statement, St. Mary’s Hospital said: “We have no reason to believe the laptop was stolen to gain access to patient information or that this information has been accessed or misused in any way. In fact, the computer was configured in such a way that information could not be written to the hard drive. Email information, however, was stored on the hard drive and password protected but not encrypted, which was in violation of St. Mary’s Janesville Hospital policy. We take our responsibility to protect patient information very seriously.”

St. Mary’s also added that it will be working with ID experts to help patients with identity and credit monitoring. “We have inspected all laptops to ensure they all have encryption software. We will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with our encryption policies”.

While the blame here is that the laptop wasn’t encrypted, the question is whether the device should have been in the employee’s car in the first place. There was nothing that could have been done about thieves breaking into a car, but considering the data breach incidents that include this type of theft, organizations need to start being more strict about device storage.

Computer containing 3541 patients’ data stolen from UCSF employee’s car

September 16th, 2013

An unencrypted laptop containing the medical and personal data of more than 3,500 UC San Francisco patients was stolen from an employee’s car.

The theft, which could cost the university hundreds of thousands of dollars in fines, is just the latest in a series of IT security breaches in recent years that have cost the institution millions.

The computer belonged to a Medical Center employee who works in the Division of Transplantation, according to the school. The name of the employee was not released.

The 3,541 patients affected by the theft were notified via letter that some of their medical data was on the stolen laptop. The data include names, dates of birth, some health information and medical record numbers. In some cases, the information included Social Security numbers. Paper documents containing medical data of 31 patients also were taken.

The letter, which the university was required to file with the state Attorney General’s Office, also gave patients a number to a special hotline set up to assist them and a year of free credit monitoring. UCSF also reported the incident to the California Department of Public Health and federal authorities.

In addition to fines related to losing the data, UCSF may face fines for failing to report the security breach within five business days, according to the agency.

According to the notification letter, UCSF did not determine specifically what kind of information was on the computer.

In the past few years, a handful of similar security breaches have occurred at UCSF.

Most recently, in 2010 another laptop was stolen from an employee. It contained data from 4,310 patients. In 2009, a phishing scam gave hackers access to the medical data of 600 patients. In 2008, another security breach occurred involving information for 2,625 patients. And in 2007, university IT teams caught a hacker in the act.

Data Theft hits Vodafone customers

September 13th, 2013

Mobile phone and broadband provider Vodafone Deutschland was hit by a large-scale data theft affecting the personal details of two million German customers.

Spokesman Alexander Leinhos said that a computer specialist who worked at Vodafone was accused of this data theft.

Vodafone Germany said in a statement that the unnamed suspect launched a “criminal attack” on one of the company’s servers to steal the customers’ names, addresses, dates of birth, bank codes and account numbers.

Leinhos said the company was advising its customers to take special care while providing their details to access its services. He claimed it was hardly possible for the attacker to access the bank accounts of affected customers.

The company referred to the accused as a “hacker” who had knowledge of Vodafone Germany’s IT systems; a UK technology magazine has labeled the accused a contract IT worker of Vodafone.

German media reports stated that the suspect worked at Vodafone as a system administrator for an external service provider, which employed him full-time.

In particular, added Die Welt, Vodafone Germany spokesman Alexander Leinhos cited security checks that all “external employees of service providers” must pass, which the accused reportedly did.

Vodafone stated on its website that a raid was conducted at the house of the accused and that he was cooperating with the authorities. They also asked him to keep the data theft under wraps so their investigation would not be compromised.

The mobile phone and broadband provider added: “The security of data has highest priority for Vodafone. We shall take all necessary steps to further improve the security of our systems and to protect against future criminal attacks.”

Vodafone has more than 32 million mobile phone customers and more than three million broadband subscribers in Germany. It is a wholly owned subsidiary of Vodafone Group.

Laptop theft that can put patients lives at risk

September 11th, 2013

The metallic red Toshiba Satellite was stolen from the office of The Scottish Emergency Rider Volunteer Service (ScotsERVS), based in Glasgow’s Southern General Hospital, after thieves broke into the campus. The charity says the theft of the laptop, which contains all its funding information, is catastrophic.

Police are working to find out how the laptop was stolen and who took it, and are asking people with information to come forward.

Volunteers of ScotsERVS came forward to help the NHS deliver urgent supplies, including donor breast milk, blood, plasma, samples, vaccines and medical files, to hospitals. The volunteers travel by motorbike or car to get the supplies to the hospital.

The charity was rolled out to the whole of Scotland in June but is based at NHS Greater Glasgow and Clyde (NHSGGC).

Ms Cameron said the laptop was usually kept in a locked location but had been borrowed by another member of the group and used in the office. She also said that the laptop had all of the charity’s funding information on it.

“It has the history of our funding applications, it has prepared packages for grants we’re applying for. It has everything on it that helps us to survive. The theft can affect the lives of sick kids and others who benefit from our service,” said Ms Cameron.

“We are appealing for any information about the identity of those responsible for the laptop theft and its recovery due to the significance of the data stored on it and the implications for future funding for the charity,” said a spokesman from Strathclyde Police.

A spokeswoman from NHSGGC added: “We can confirm that office space on the Southern General Campus which we gift to the charity ScotsERVS was broken into on September 5. It is very disappointing when any thefts occur on hospital grounds. The hospital is monitored by CCTV and all footage has been provided to Police Scotland as part of their inquiries into the theft.”

3514 UCSF patients’ information on stolen laptop

September 10th, 2013

UCSF is a leading university dedicated to promoting health worldwide through advanced biomedical research, graduate-level education in the life sciences and health professions, and excellence in patient care. It includes top-ranked graduate schools of dentistry, medicine, nursing and pharmacy, a graduate division with nationally renowned programs in basic biomedical, translational and population sciences, as well as a preeminent biomedical research enterprise and two top-ranked hospitals, UCSF Medical Center and UCSF Benioff Children’s Hospital.

A laptop belonging to an employee of UC San Francisco was stolen. Some patients were informed about the theft because the laptop held patients’ personal information.

Protecting health information is of utmost importance at UCSF. UCSF is treating the incident with the greatest possible caution and concern, although there is still no evidence that there has been any attempt to access the information.

Letters have been sent informing the 3,541 patients whose information was on the laptop. The California Department of Public Health and the California Attorney General have been alerted, and federal authorities are also being notified. A special phone line has been installed to address questions from patients who receive the notification letters.

According to UCSF, an unencrypted laptop was stolen from the locked vehicle of a UCSF Medical Center employee who works in the Division of Transplantation. When the employee learned of the theft, he immediately informed San Francisco police, UCSF police and UCSF officials.

To determine what information was on the laptop, UCSF immediately began an extensive technical analysis. The analysis revealed that the laptop contained personal and health information of some UCSF patients, including their name and medical record number. Social Security numbers were also involved for a small number of individuals.

Paper documents of 31 patients were also stolen, some of whose information was also on the laptop. Information in the paper documents included patient names, date of birth, medical record number and some health information.

A special phone line has been set up by UCSF to provide additional assistance to all the affected individuals.

UCSF is committed to maintaining the privacy of personal information and takes many precautions to secure that information. In response to the incident, UCSF is working to strengthen educational and operational processes to safeguard patients’ health information.
