This is why you employ defense-in-depth and full network monitoring, even if you don’t care what websites your employees visit at work.
But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.
The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times’ mailserver to search all the e-mails and documents sent to Barboza and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.
via Chinese hackers attacked New York Times computers for four months | Ars Technica.
We security folks have long preached, and rightly so, the virtues of a “complex” password. By increasing the size of the alphabet and the length of the password, we increase the work the bad guys must do to guess or crack the passwords. We’ve gotten in the habit of telling users that a “good” password consists of [lower case, upper case, digits, special characters] choose 3. Unfortunately, if that is all the guidance we give, users, being human and, by nature, somewhat lazy, will apply those rules in the easiest way.
via ISC Diary | An analysis of the Yahoo! passwords.
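The effect described in the excerpt above can be measured during a password audit. This Python sketch is an added example, not code from the ISC Diary or this blog; the sample passwords and function names are constructed for illustration. It compares the search space a "choose 3" rule assumes with what remains when compliant passwords follow one predictable structure.

```python
import math
import string
from collections import Counter

# Character classes from the "choose 3 of 4" rule quoted above.
CLASSES = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": string.punctuation}

# Constructed sample for illustration; not taken from any real dump.
SAMPLE = ["Summer12", "Winter13", "Dragon99", "Tr0ub4dor&3",
          "12345", "password", "qwerty"]

def char_class(ch):
    for tag, alphabet in CLASSES.items():
        if ch in alphabet:
            return tag
    return "s"  # spaces and non-ASCII characters count as "special"

def mask(password):
    """Collapse a password to its class structure: 'Summer12' -> 'ullllldd'."""
    return "".join(char_class(c) for c in password)

def meets_choose_3(password):
    return len(set(mask(password))) >= 3

def nominal_bits(password):
    """Work the policy assumes: every position drawn from the whole alphabet in use."""
    alphabet = sum(len(CLASSES[t]) for t in set(mask(password)))
    return len(password) * math.log2(alphabet)

def mask_bits(password):
    """Work left when the structure is predictable: each position limited to its class."""
    return sum(math.log2(len(CLASSES[t])) for t in mask(password))

def audit(passwords):
    """Summarise how concentrated policy-compliant passwords are on a single mask."""
    compliant = [p for p in passwords if meets_choose_3(p)]
    if not compliant:
        return {"compliant": 0, "top_mask": None, "top_mask_share": 0.0}
    top_mask, count = Counter(mask(p) for p in compliant).most_common(1)[0]
    return {"compliant": len(compliant), "top_mask": top_mask,
            "top_mask_share": count / len(compliant)}

if __name__ == "__main__":
    print(audit(SAMPLE))
    for p in ("Summer12", "Tr0ub4dor&3"):
        print(p, mask(p), round(nominal_bits(p), 1), round(mask_bits(p), 1))
```

A high `top_mask_share` in an audit is the signal that the composition rule alone is not producing the variety it was meant to.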
The state of Utah lost the personal information of at least 500,000 people because:
Attackers were able to compromise the server because an authorization component was not configured properly.
The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.
Hopefully they’ll add some auditors, too. It’s a shame to have your system set up so you only find out about misconfigurations after outsiders do.
via Number of victims in state of Utah breach significantly rises – SC Magazine.
This is pretty bad news:
A major security breach at Global Payments, which does transaction processing for Visa and MasterCard, has exposed the credit card data of [1 million to 3 million] customers to potential theft.
That’s an awful lot of people.
via Global Payment Systems Compromised In ‘Massive’ Breach – Dark Reading.
Anonymous again demonstrates the importance of strong passwords:
Along with the release of these e-mails, Anonymous also exposed the passwords of 78 accounts on the Ministry’s servers. Of the passwords revealed, 31 were “12345” and a number were minor variations on that. Some of the other passwords in the set included:
via Anonymous exposes e-mails of Syrian presidential aides.
In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc., apparently made no attempt whatsoever to comply with PCI DSS.
via Antisec hits private intel firm; millions of docs allegedly lifted:
Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.
According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.
So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, left everything wide open, and disabled the security features that were built into the software they were using.
Very Bad Practice.
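The gap between the plain MD5 hashing criticized above and a salted, slow key-derivation function shows as soon as two users share a password. This Python sketch is an added example, not Stratfor's or Ubercart's code; the accounts, function names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Assumption: iteration count chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed accounts; two users picked the same password.
ACCOUNTS = {"alice": "12345", "bob": "12345", "carol": "Summer12"}

def md5_unsalted(password):
    """The 'before': one fast MD5 pass with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """The 'after': per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def accounts_sharing_a_digest(digests):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)

def build_tables(accounts):
    """Return (user -> md5 hex) and (user -> (salt, digest)) for the same accounts."""
    md5_table = {u: md5_unsalted(p) for u, p in accounts.items()}
    kdf_table = {u: hash_password(p) for u, p in accounts.items()}
    return md5_table, kdf_table

if __name__ == "__main__":
    md5_table, kdf_table = build_tables(ACCOUNTS)
    kdf_digests = {u: d for u, (_, d) in kdf_table.items()}
    print("MD5 table, accounts with a shared digest:",
          accounts_sharing_a_digest(md5_table))
    print("PBKDF2 table, accounts with a shared digest:",
          accounts_sharing_a_digest(kdf_digests))
```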
According to the study, 64 percent of PCI DSS-compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of noncompliant organizations reported suffering no breaches involving credit card data over the same period. When it comes to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared with 22 percent of noncompliant organizations. Notably, 26 percent of noncompliant organizations suffered more than five breaches over the same time period.
It is fantastic that taking certain, specific, minimum steps to establish a secure environment actually decreases breaches.
Also notable is the fact that DSS is a private, voluntary initiative with noteworthy results.
“In an era where governments are struggling with the creation of vague yet complex data protection acts, the credit card industry took a bold step toward regulating itself, using plain language, clear goals and a pragmatic focus,” said University of Connecticut School of Business professor Robert Bird. “PCI isn’t perfect—but it succeeded by imposing security mandates and forcing attention on data security, all without government regulation.”
via PCI DSS-Compliant Companies Suffer Fewer Data Breaches: Report – Midmarket – News & Reviews – eWeek.com.
An infected laptop was used to access the systems at the Pentagon’s credit union, exposing the financial records of the members of the United States military, according to a Kaspersky Lab report.
This isn’t the first time PenFed has been targeted. The credit union posted an alert on its Web site notifying users that a person who was calling members to say their mortgages were being sold and requesting personal information was fraudulently masquerading as a PenFed underwriter.
I wonder if the laptop had PCI-mandated firewall and anti-virus software.
via Hacked Laptop Causes Data Breach at Pentagon Federal Credit Union – Security – News & Reviews – eWeek.com.