Changing the defaults

By Mike S

In a Salt Lake Tribune article, reporter Patty Henetz quoted Utah Department of Health spokesman Tom Hudachko, who said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

Michael Hales, the Health Department’s Medicaid Director, said, “It just looks like processes broke down,” according to the Tribune.

This sounds like a weaselly way of admitting that the default passwords were not changed.  Default passwords are the easiest way into any system!

via Utah Medicaid Breach Exemplifies Value Of Encryption And Access Control – Dark Reading.

Category: Compliance, Security | Date: April 11th, 2012

Number of victims in state of Utah breach significantly rises

By Mike S

The state of Utah lost the personal information of at least 500,000 people because:

Attackers were able to compromise the server because an authorization component was not configured properly.

The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.

Hopefully they’ll add some auditors, too.  It’s a shame to have your system set up so you only find out about misconfigurations after outsiders do.

via Number of victims in state of Utah breach significantly rises – SC Magazine.

Category: Compliance, Security | Date: April 9th, 2012

Two more articles on Global Payments breach

By Mike S

The first is from SC Magazine, Visa expels Global Payments following 1.5M-card breach:

“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”

And the second is from Adrian Sanabria, QSA at Sword and Shield, Global Payments Credit Card Data Breach:

The worst thing I’ve been able to determine from the details so far, is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.

It’s a doubly-bad violation of DSS to 1) Not be compliant in the first place, and 2) to suffer a loss of cardholder data.

I imagine the reinstatement audit, if there is one, will be quite extensive.

Category: Compliance | Date: April 5th, 2012

The Top 9 Most Costly Financial Services Data Breaches

By Mike S

If you don’t learn from the past, you’re doomed to repeat it.

Here are 9 of the largest and most recent financial services data breaches:

via The Top 9 Most Costly Financial Services Data Breaches – Wall Street & Technology.

Category: Security | Date: April 4th, 2012

Hackers politely deface security firm website, suggest fixes

By Mike S

If they’d bother getting a contract first, they’d probably make good money in pen testing.

A Cayman Islands security firm got a bit of unsolicited web security advice on March 30 from MalSec, a group of “malicious security” hackers who recently broke into a server belonging to the Nigerian Senate. But unlike some of the nastier site defacements done recently by members of Anonymous’ #AntiSec collective—including takedowns of two Federal Trade Commission sites—the MalSec hackers left the site itself intact, posting only a replacement home page to advise the company, The Security Centre Ltd., of their vulnerability.

[...]

“Whilst no harm was done to the original site,” the hackers wrote on their replacement home page, “we urge you to secure your site before claiming to be ‘the best of the best’ in any kind of security. We were not first—traces of previous security breaches were found.” The page gave instructions on how to return the site to normal, and advised the company to “please oversee your security before somebody else with more harmful intent does. You can thank us later <3.”

In Security Centre’s defense, they are a physical security company, not information security.

via Hackers politely deface security firm website, suggest fixes.

Category: Security | Date: April 1st, 2012

Global Payment Systems Compromised In ‘Massive’ Breach

By Mike S

This is pretty bad news:

A major security breach at Global Payments, which does transaction processing for Visa and MasterCard, has exposed the credit card data of [1 million to 3 million] customers to potential theft.

That’s an awful lot of people.

via Global Payment Systems Compromised In ‘Massive’ Breach – Dark Reading.

Category: Compliance, Security | Date: March 31st, 2012

I’d bet cash money on this place being PCI DSS compliant

By Mike S

The 8-acre facility looks like any other industrial park in a sleepy suburb. But the serene setting masks hundreds of cameras and a crack team of former military personnel. Hydraulic bollards beneath the road leading to the OCE can be quickly raised to stop an intruding car going 50 mph. Any speed faster, and the car can’t navigate a hairpin turn, sending it into a drainage pond that functions as a modern-day moat.

The data center resembles a fortress, with dogged attention to detail. It can withstand earthquakes and hurricane-force winds of up to 170 mph. A 1.5-million-gallon storage tank cools the system. Diesel generators onsite have enough power, in the event of an outage, to keep the center running for nine days. They generate enough electricity for 25,000 households.

[...]

Visa’s core-transaction network is private, immune — the company says — from Internet dangers such as denial-of-service attacks by the likes of Anonymous. When hackers took down Visa’s corporate website in 2010, for example, it had no impact on the core network.

via Top secret Visa data center banks on security, even has moat – USATODAY.com.

Category: Compliance | Date: March 27th, 2012

The business model of starting a nation just to have somewhere to store your data

By Mike S

A few weeks ago, Fox News breathlessly reported that the embattled WikiLeaks operation was looking to start a new life on the sea. WikiLeaks, the article speculated, might try to escape its legal troubles by putting its servers on Sealand, a World War II anti-aircraft platform seven miles off the English coast in the North Sea, a place that calls itself an independent nation. It sounds perfect for WikiLeaks: a friendly, legally unassailable host with an anything-goes attitude.

But readers with a memory of the early 2000s might be wondering, “Didn’t someone already try this? How did that work out?” Good questions. From 2000 to 2008, a company called HavenCo did indeed offer no-questions-asked colocation on Sealand—and it didn’t end well.

Perhaps demand will pick up a bit if the U.S. government continues to seize and shut down websites before even arresting or convicting the site’s operators.

It’s an interesting story, though.

via Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation.

Category: Security | Date: March 27th, 2012

Java: The Security Risk

By Mike S

Via: ISC Diary | evilcode.class, this was too good not to repost:

Java is a security risk

It’s too bad Cisco ASDM requires Java, or I could stop using it completely.

Category: Security | Date: March 25th, 2012

Malware Advancing Faster Than Companies Can Analyze It – Dark Reading

By Mike S

IT is worried: More than half of IT leaders say malware sophistication is outpacing their ability to analyze it.

A new study conducted by Forrest Anderson Research and commissioned by Norman ASA found that 62 percent of IT pros have this concern, while 58 percent say their biggest worry is the growing number of threats.

Problems like this are going to make whitelisting a nearly mandatory strategy.

via Malware Advancing Faster Than Companies Can Analyze It – Dark Reading.

Category: Security | Date: March 8th, 2012