Posts Tagged ‘Google’

DigiNotar forced into bankruptcy after a hack attack

September 21st, 2011

DigiNotar winds up its operations. Hackers intercept Google Docs

Internet security company DigiNotar, whose servers were hacked into by an Iranian hacker in July, has filed for bankruptcy. A Dutch judge granted the bankruptcy filing on Tuesday.

About DigiNotar

DigiNotar is an Internet security solutions company offering services in the field of identity management, electronic signatures, reliable document exchange and electronic archiving. Over the years, DigiNotar gained popularity and trust in the field of Internet security in the Netherlands.

The hacking incident at DigiNotar

The DigiNotar site was hacked into by ‘Comodohacker’, which exposed around 300,000 Iranians to Gmail and Google Docs interception. False DigiNotar SSL certificates were issued to customers and used in an apparent attempt to snoop on Google users in Iran.

Using the login cookie, the hacker logged in directly to the Gmail mailbox of the victims and read the stored emails. In addition, he was able to log in to all other services Google offers, such as stored location information from Latitude or documents in Google Docs.

The hacker also succeeded in creating a fraudulent certificate for *.google.com on 10 July.

How was the hack found out?

Google’s Chrome team landed on a DigiNotar-issued certificate for google.com that didn’t match its internal certificate list for google.com. According to Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, vendors add a similar feature to their software so they could automatically confirm the legitimacy of a certificate. “You need to disincentivize actors to hack CAs. In the current system, we need to live with the fact that CAs can be hacked,” he said.

Voluntary bankruptcy

According to DigiNotar’s parent company Vasco Data Security, the firm has filed for voluntary bankruptcy. The company is winding up its affairs and is being supervised by one of its trustees.

Statement by T. Kendall Hunt, VASCO’s Chairman and CEO

“Although we are saddened by this action and the circumstances that necessitated it,” “We would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO’s core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business. In addition, we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar.”

Can digital certificate disasters be prevented?

The downfall of DigiNotar has sparked debate in the digital world about preventing digital certificate disasters in the future.

Hackers are going to continue their hacking games, so there is no guarantee that such a digital disaster can be prevented altogether. What vendors can do is store a whitelist of proper certificates for the top 10 or 20 targets of cyberespionage, such as Facebook, Gmail, Yahoo, and Tor, as well as any high-profile sites.
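The whitelist check described above, as an added example that is not part of the original post: a client accepts a certificate chain for a listed site only if a key in the chain matches the stored list, even when ordinary CA validation succeeds. The key blobs, the `PINSET` table and the function names are constructed for illustration, and matching on SHA-256 hashes of the chain's public keys is an assumption about how the list is stored.

```python
import hashlib

def key_pin(key_blob: bytes) -> str:
    """SHA-256 fingerprint (hex) of a certificate's public-key bytes."""
    return hashlib.sha256(key_blob).hexdigest()

# Constructed stand-ins for public keys (not real key material).
LEGIT_CA_KEY = b"constructed: CA the site really uses"
LEGIT_LEAF_KEY = b"constructed: the site's own leaf key"
OTHER_CA_KEY = b"constructed: a different, browser-trusted CA"
ROGUE_LEAF_KEY = b"constructed: leaf key of a mis-issued certificate"

# Hypothetical whitelist: domain -> fingerprints allowed in its chain.
PINSET = {"google.com": {key_pin(LEGIT_CA_KEY)}}

def pinned_domain(hostname, pinset):
    """Return the listed domain covering hostname (itself or a parent)."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk whole labels only, so "notgoogle.com" never matches "google.com".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in pinset:
            return candidate
    return None

def check_chain(hostname, chain_keys, ca_validated, pinset=PINSET):
    """Decide whether to accept a connection.

    chain_keys   -- public-key bytes of every certificate presented
    ca_validated -- result of the normal CA chain validation
    """
    if not ca_validated:
        return "reject: chain not trusted"
    domain = pinned_domain(hostname, pinset)
    if domain is None:
        return "accept: no pin for host"
    if {key_pin(k) for k in chain_keys} & pinset[domain]:
        return "accept: pin matched"
    # A trusted CA signed it, but not one on the site's list.
    return "reject: pin mismatch for " + domain

if __name__ == "__main__":
    print(check_chain("mail.google.com", [LEGIT_LEAF_KEY, LEGIT_CA_KEY], True))
    print(check_chain("mail.google.com", [ROGUE_LEAF_KEY, OTHER_CA_KEY], True))
```

The second call is the case that matters here: the chain passes CA validation, yet it is refused because none of its keys is on the list for google.com.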

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to the laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers a laptop encryption service to secure your data.



Nokia Developer Network hacked

September 1st, 2011

NDN hacked exposing developer data

Hackers are firing round after round of data breaches. They are getting better at it and taking advantage of the fact that security systems are not that robust.

Nokia’s developer forum was recently hacked and a database table containing e-mail addresses of developer forum members was accessed. This was done by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack.

“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger,” Nokia said in a statement.

Apparently the bug was quickly fixed, but the developer community website was taken offline. The discussion boards are not yet accessible. As per Nokia’s advisory, the service should be up and running soon.

Those who visited the site before it was closed were redirected to a website that showed an image of Homer Simpson smacking his head and exclaiming “D’Oh.” Just below his picture were the words “Worlds number 1 mobile company but not spending a dime for server security! FFS patch you security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!”

The site is under further investigation and security assessment. Initially it was assumed that only a small number of email addresses were accessed but later it was found out that a large amount of data was compromised.

The company further adds “We are not aware of any misuses of the accessed data, but we are communicating with affected forum members, though we believe the only potential impact to them may be unsolicited e-mail.” Nokia added that it “apologizes for this incident.”

The attack was claimed by a hacker known as “pr0tect0r AKA mrNRG”, believed to be based in India.

This happened at a bad time for the Finnish company as it is quickly losing market share to Apple’s iPhone and to companies that manufacture smartphones that use Google’s Android OS. Nokia is looking to increase its share of the U.S. market through a partnership with Microsoft. Nokia plans to start a new line of Windows Phone 7-powered phones by end of 2011 or early in 2012.

Security guaranteed with Alertsec Xpress

This incident highlights the need for data security and data encryption software. The threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec has offices in the US, UK, Sweden and operates in many other countries around the world through partners.

Its mission is to continuously improve its products and services in order to deliver the easiest and most cost-effective managed encryption service on the market.


Data Breach at Yale compromises 43k Social Security Numbers

August 28th, 2011

Breach at Yale

Summary: It has become a regular phenomenon. Another serious data breach. This time it’s Yale University whose data has been compromised, thanks to Google indexing!

The story

Alumni, faculty and staff belonging to Yale were recently informed that the names and Social Security numbers of 43,000 people affiliated with Yale were accessible via the Google search engine for the last 10 months.

Here is an extract from the letter sent by Yale:

“A Yale computer file that contained your name and Social Security number was stored for 10 months in a way that left it accessible to Google Internet searches,” the letter explained. “The computer file was created in 1999 and was inadvertently moved to an insecure section of a computer server in July 2005. At that point, the file was no longer fully protected but could not be located by an ordinary Internet search engine. The situation changed in September 2010, when Google modified its search engine in a way that allowed it to locate files stored on servers like the one holding this file.”

According to Len Peters, Information Technology services director for Yale,
“the file and its directory had innocent sounding names, and someone encountering the file via Google would not be able to figure out what was in it without first opening it up”.

“It was pretty well-hidden, with a very inconspicuous file name,” said Peters, in a statement.

How was the breach discovered?

As soon as Yale discovered on June 30 that its data was left open on an unsecured server, it immediately blocked the FTP server from the Internet and deleted all the server’s data. The compromised victims have been offered identity theft insurance and free credit report monitoring services for two years by Yale.

Google made a major change in September that allowed its search engine to index and find FTP servers. Unfortunately, Yale University IT officials were oblivious to the change.

Series of University breaches

A similar type of breach was reported in June, when Southern California Medical-Legal Consultants Inc. (SCMLC) said that the names and Social Security numbers of about 300,000 people who had filed for California workers’ compensation had been exposed. This happened because data on the internal server remained exposed to search engines.

There was another one where a server containing Social Security numbers and other personal information of more than 7,000 former Purdue University students was accessed last week. The breach occurred April 5, 2010, and affected students who took math courses from 2000 through the summer session of 2005, according to the statement.

Protect your servers with Alertsec

Alertsec Xpress offers a customizable data encryption software solution from Checkpoint, the industry leader in encryption software (former Pointsec). Alertsec has come up with a web-based encryption service that helps in deployment and management of PC encryption.

Big and small companies alike feel the need for data encryption and recovery software in today’s vulnerable data world. The threat could have simply been reduced to an insurance matter by a mere investment of $13/month. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.


ICO deals out £160,000 in data breach fines

November 25th, 2010

The ICO has used its power to impose data-breach fines for the first time, handing out penalties of thousands of pounds to a local council and an employment services firm.

One recent high-profile case in which the ICO said it could not levy a fine was Google’s unsolicited harvesting of data sent over unsecured Wi-Fi.

The UK data watchdog levied fines totalling £160,000 against two organisations that had failed to protect sensitive information. These were the first two organisations to be fined since the powers of the Information Commissioner’s Office were strengthened in April. The ICO announced a £100,000 penalty was handed to Hertfordshire County Council, while employment services company A4e was hit with a £60,000 fine.

In the first case, an employee faxed information relating to a child sex abuse court case to a member of the public by mistake. In the same month, another member of the same unit faxed information on care proceedings for three children to a barrister’s chambers unconnected with the case. Information commissioner Christopher Graham said “It is difficult to imagine information more sensitive than that relating to a child sex abuse case and I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks”.

The County Council told ZDNet UK on Wednesday that it was “unlikely to appeal” the ICO fine. The council said in a statement, “We are sorry that these mistakes happened, and have put processes in place to try to prevent any recurrence, we accept the findings of the commissioner.”

In the second case, employment services company A4e had an unencrypted laptop stolen. The laptop, which was stolen from an A4e employee’s house, contained the details of 24,000 people who had used legal advice centres in Hull and Leicester. The details included names, addresses, income level, information about alleged criminal activity, and whether an individual had been a victim of violence. There was an unsuccessful attempt to access the data on the laptop.

“The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data,” Graham said.

A4e told ZDNet UK that it had voluntarily told the ICO about the data breach and had notified all the individuals affected. The company has also strengthened its security procedures, including making it mandatory for all data to be encrypted to ISO-standard level, a spokeswoman said.

How Alertsec Xpress Would Have Helped

This incident highlights the need for data security and recovery software. The threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


Leakage of personal information leaves students & employees of six Florida universities exposed

August 13th, 2010

Six colleges in Florida had their students’ and employees’ personal data exposed due to a state library service center software glitch. The information was publicly available on the Internet for 5 days.

Students, faculty, and employees at Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College, all are at risk of exposed personal data, according to The College Center for Library Automation (CCLA), which provides automated library services and electronic resources to Florida public colleges.

Private information such as Social Security Numbers, names, driver’s license and card numbers of an estimated 126,000 students and employees was available on the internet after a library services firm serving the colleges inadvertently left the information in its database exposed for five days. The personal information in CCLA’s database did not include financial data or library usage records, and it was exposed between May 29 and June 2.

Six state community colleges were affected because their borrower records were contained in temporary work files that were being processed at the time the breach occurred. The library agency learned of the incident on June 23, after a student reported finding his Social Security Number on the internet through a Google search.

The CCLA did not provide details of what the software upgrade entailed or why the upgrade left the database exposed, except that the compromised records had been stored in temporary work files that were being processed when the breach occurred.

“We pride ourselves on protecting private information and deeply regret this inadvertent exposure,” said Richard Madaus, CEO of CCLA. “I apologize to those involved for any worry or inconvenience this may cause them. We will continue to enhance our technology to safeguard all of the information entrusted to us.”

He also added, “We’ve had some new grad hires who said when they took tests in college, they had to write their SSN on top of the test” to identify themselves. “I think that’s changing, but there still are some old systems out there that need to be updated.”

The affected individuals are being notified by snail mail. Moreover, the agency started an investigation after discovering the breach, and the case has also been turned over to the county sheriff’s office. Also, the CCLA has set up a webpage about the breach and recommends that people affected by the breach place free fraud alerts on their credit files and check their credit reports for suspicious activity.

Want to prevent a breach?

Have you been affected by a data breach? Do you think that your organization is susceptible to a potential security breach? For further information visit our website where you will learn about our encryption software and other security protection methods.

A trusted way to protect information stored on a PC or laptop is by using encryption. Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users. To find out more, see Tech Specs.
