Security Bytes:

Data Breaches and Identity Theft

Jan 13 2009   11:51AM GMT

Phishing attack uses pop-up message on bank sites



Posted by: Robert Westervelt
Information Security Threats, Data Breaches and Identity Theft, Identity and access management

Researchers at security vendor Trusteer have discovered a new phishing method that forces pop-up login messages to appear on legitimate banking websites.

The messages trick users into giving up passwords, account numbers and other sensitive information. Sometimes the messages appear after they have logged into an online banking or other financial website, Trusteer said.

Trusteer issued an advisory on the finding. The technique is called Session Phishing, and is used after attackers inject malicious code into major browsers.

Trusteer CTO Amit Klein said the method makes phishing attacks more likely to be successful because they try to trick people after they have logged into a legitimate website. Klein said the major browser makers have been notified.

I can see how the phishing attack can easily trick people. Trusteer said the pop-up window sometimes requests the user to retype their username and password because the session has expired. How many times have you had that happen? It sometimes also asks users to complete a customer satisfaction survey or participate in a promotion. I typically stay away from those and so should you.

Two researchers recently wrote a report outlining how phishers are failing to make a ton of money. The report, which we wrote about last week, said there were too many phishers driving down the price cybercriminals pay for stolen information. There are varying opinions on this report and some are immediately doubting it because it came from Microsoft Research. More on that in another post.

Nov 11 2008   3:08PM GMT

Google AdWords phishing scam on the loose



Posted by: Dennis Fisher
Data Breaches and Identity Theft

The creativity and resourcefulness of the criminal underground never ceases to amaze me. Granted, these guys have nothing else to do but sit around and come up with new scams, but still, some of these things are truly inspired. Have a look at this Google AdWords phishing scam that has been showing up in recent days:

From: Google AdWords <setup@google.com>
To:  xxx at xxx.xxx
Subject: Google AdWords Alert
Date: Wed, 12 Nov 2008 02:27:xx +1000 

Hello, 

Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000
for your outstanding Google AdWords account balance was declined.
Your account is still open. However, your ads have been suspended. Once
we are able to charge your card and receive payment for your account
balance, we will re-activate your ads. 

Please update your billing information, even if you plan to use the
same credit card. This will trigger our billing system to try charging
your card again. You do not need to contact us to reactivate your
account. 

To update your primary payment information, please follow these steps: 

1. Log in to your AdWords account at: http://adwords .google .com
.session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru
3. Click 'Billing Preferences' link.
4. Click Edit next to the appropriate 'Payment Details' section.
5. Enter your new or updated payment information.
6. Click 'Save Changes' when you have finished. 

In the future, you may wish to use a backup credit card in order to
help ensure continuous delivery of your ads. You can add a backup
credit card by visiting your Billing Preferences page.
------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please visit the Google AdWords Help Centre at https://adwords.google.com/support/?hl=e... to find answers to
frequently asked questions and a 'contact us' link near the bottom of
the page.
---------------------------------------------------------------- 

Thank you for advertising with Google AdWords.
We look forward to providing you with the most effective advertising available. 

Sincerely,

The Google AdWords Team

I don’t see too many glaring errors in this message that make it stand out as a phish. As the Internet Storm Center diary entry on this scam points out, the only real problems are the URL ending in .ru and the date that is in the future. Aside from that, this is pretty solid work. I’d guess that most average users would have little to no chance of recognizing this as a phishing email. No misspellings, no first-grade grammar and no pleas for money to be transferred to an account in Djibouti. Egads.
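The two tells named above, the link's real domain and the future-dated header, can be checked mechanically. This is an added example, not code from the post or from the Internet Storm Center; it assumes the receive time is the post's own timestamp, writes the masked seconds of the Date header as "00", and takes the last two host labels as the registrable domain (a simplification; robust code uses the Public Suffix List).

```python
"""Two checks for the AdWords phish quoted above (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample: the phish link with the obfuscating spaces removed;
# the masked labels are kept as literal runs of "x".
PHISH_URL = ("http://adwords.google.com.session-xxxxxxxxxxxxxxxxxxxx"
             ".xxxxxxxxxxxxxxxxxxxx.com68.ru")
# Constructed: the masked seconds of the quoted Date header written as "00".
PHISH_DATE = "Wed, 12 Nov 2008 02:27:00 +1000"
# Assumed receive time: when the blog post went up, Nov 11 2008 3:08PM GMT.
RECEIVED_AT = datetime(2008, 11, 11, 15, 8, tzinfo=timezone.utc)


def registrable_domain(url: str) -> str:
    """Last two labels of the link's host, i.e. where it really points,
    ignoring lookalike prefixes such as 'adwords.google.com.' buried in
    deeper subdomains; a Public Suffix List lookup is the robust version."""
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_matches_sender(url: str, sender_domain: str) -> bool:
    """True only when the link's registrable domain is the sender's."""
    return registrable_domain(url) == sender_domain.lower()


def date_in_future(date_header: str, received_at: datetime,
                   slack: timedelta = timedelta(minutes=10)) -> bool:
    """True when the Date header claims a send time later than receipt,
    beyond a small allowance for clock skew."""
    return parsedate_to_datetime(date_header) - received_at > slack


def triage(url: str, sender_domain: str, date_header: str,
           received_at: datetime) -> list:
    """Collect the two indicators the ISC diary flagged in this phish."""
    findings = []
    if not link_matches_sender(url, sender_domain):
        findings.append(f"link points at {registrable_domain(url)}, "
                        f"not {sender_domain}")
    if date_in_future(date_header, received_at):
        findings.append("Date header is in the future")
    return findings


if __name__ == "__main__":
    for finding in triage(PHISH_URL, "google.com", PHISH_DATE, RECEIVED_AT):
        print("suspicious:", finding)
```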


Oct 28 2008   1:37PM GMT

The three-ring security circus



Posted by: Dennis Fisher
Security Vendor News, Data Breaches and Identity Theft

There’s an interesting post on the Wall Street Journal’s Business Technology blog today about security vendors resorting to gimmicks and publicity stunts in order to sell more stuff and, allegedly, raise the level of awareness about security threats. The lack of large-scale threats such as Slammer and Code Red that broke into the mainstream media has left consumers and some IT shops complacent about security. And all the while the epidemic of data breaches has snuck up on enterprises and made a royal mess of things, writes the WSJ’s Ben Worthen.

Publicity-seeking moves this month included antivirus software maker F-Secure’s call for an international police force to combat computer crime; Panda Security’s release of a study that draws a connection between cyber attacks and the stock-market crash; and McAfee’s appointment of a chief cyber security mom. The goal of that position, says McAfee Chief Executive Dave DeWalt, is to make tech security a “family” issue.

There are a couple of things that deserve some examination here. First, let’s just stipulate that security companies have been using gimmicks, scare tactics and all manner of other trickeration to hype their products since the dawn of the Internet age (and probably earlier). That’s just a given. (One small example: A security company that shall remain nameless once sent me an entire iron-and-wood seat from an old movie theater to promote its involvement with some upcoming movie or other. The thing must have weighed 85 pounds, so God knows what it cost to ship. Your license fees at work.) Second, it’s hard to imagine a more cynical example of this than the McAfee move that Worthen cites: the appointment of a cybersecurity mom. Ugh.

Now, I get that vendors are always looking for new ways to make the security story real, both for consumers and enterprises. There’s no question that people have started to tune out when they hear someone talking about another data breach or identity theft. There are just too many of them to keep track of, and if it doesn’t directly affect you, you’re pretty unlikely to care. And telling people that they should care isn’t going to do it, either.

The faulty assumption behind all of these gimmicks and goofy campaigns is that people don’t understand the threat, so vendors need to play the role of doomsayers or carnival barkers. In my experience, even the least technically savvy people see through these tactics and end up developing a bad image of the companies that employ them. I’m probably shouting into the wind on this, because the vendors have shown no signs of slowing down with this junk, and the threats themselves aren’t going away anytime soon. So I guess we should all prepare ourselves for a vendor to announce the inevitable appointment of Harry Potter as Chief Security Wizard sometime soon.


Oct 2 2008   3:00PM GMT

Data breach study shows errors, not hacks, are the big problem



Posted by: Dennis Fisher
Data Breaches and Identity Theft

Anytime there is a notification of another data breach — which is essentially every day at this point — the details of the event tend to get washed away, and the breach is reduced to basically two pieces of information: the name of the victimized company and the number of records it lost. This leads to an assumption that all of these incidents are created equal, which is demonstrably not the case. Verizon Business on Thursday released a supplement to its June Data Breach Investigative Report, which shows that of all the breaches the company’s security response team worked on from 2004 through 2007, the majority (62%) were caused by errors and not malware or direct attacks.

The Verizon Business Supplemental Report, which breaks the incidents down by industry, found that errors were by far the largest contributing factor in breaches in the technology industry, affecting 67% of breaches. By contrast, hacking only contributed to 45% of incidents in the tech sector. “It could rightly be said that some form of error occurs somewhere in the chain of events surrounding nearly all data breaches. While this is true, our investigators focus on errors that directly cause or significantly contribute to the incident,” the report says. With that in mind, the report shows that errors of omission are by far the largest problem, contributing to 80% of breaches in all industries.

The data in the report is fascinating and, aside from the causes of the breaches, there is plenty of fodder for further investigation. The other thing that jumped out at me is that in many of the incidents that had attacks as a contributing factor, the Verizon team found that the attack took some significant skill to execute. Across all industries, 45% of these incidents were rated either moderate or high in terms of difficulty. In the tech industry, 69% of the attacks took moderate or high skills.

I have to say that surprises me more than a little bit. Most of the experts I’ve talked to about specific incidents that they’ve been involved with have said that the attack involved was usually a low-level one, like the Wi-Fi sniffing attack that was used in the TJX breach. What this tells me, among other things, is that there is a whole lot we don’t know about these breaches, especially with regard to how they’re going down and why. More information, please.


Jul 24 2008   8:03PM GMT

HIPAA violations cost Seattle health care provider



Posted by: Marcia Savage
Compliance, Data Breaches and Identity Theft, Laws, Investigations and Ethics

Interesting news on the HIPAA front. Seattle-based Providence Health & Services has agreed to a settlement over HIPAA security and privacy violations, the U.S. Department of Health and Human Services (HHS) announced last week. In what HHS called the first of its kind “resolution agreement,” Providence will pay $100,000 and implement a corrective plan after losing backup media and laptops containing personal health information in 2005 and 2006.

Previously, HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), which enforce HIPAA’s privacy and security rules, settled complaints by requiring organizations to make changes to their security and privacy practices. A CMS spokesman said last fall that the agency preferred resolving problems rather than punishing mistakes, but this agreement with Providence may indicate that the government is stepping up HIPAA enforcement. A statement by Winston Wilkinson, OCR director, certainly seems to signal a change: “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”

In the Providence case, backup tapes, optical disks and laptops containing unencrypted personally identifiable health information were taken out of two Providence home health care operations and later lost or stolen. More than 360,000 patients were affected. In addition to the fine, Providence agreed to revise its policies and procedures regarding safeguards for off-site transport and storage of electronic media containing patient information. It also must train employees on the safeguards, conduct audits and site visits of facilities, and submit compliance reports to HHS for three years.


Jul 16 2008   9:03AM GMT

Facebook flaw revealed dates of birth



Posted by: Robert Westervelt
Information Security Threats, Data Breaches and Identity Theft

Graham Cluley, a senior technology consultant with Sophos Inc., has discovered a flaw in Facebook that could allow a hacker to view the date of birth of users regardless of whether their profiles are set to private. It appears that Facebook has plugged the flaw fairly quickly, but Cluley warns that it could return in the future.

While on the surface it doesn’t seem like a major breach, Cluley points out that a person’s date of birth is a valuable piece of information for identity thieves. Cluley says Facebook users should change their date of birth to avoid being targeted by phishers.

Cluley posted a YouTube video demonstrating the flaw.



Jul 9 2008   2:13PM GMT

Report: Breach exposes Justice Breyer’s personal data



Posted by: Marcia Savage
Data Breaches and Identity Theft

The Washington Post reported today that a security breach caused by file sharing at an investment firm exposed the confidential information of about 2,000 of the firm’s clients, including Supreme Court Justice Stephen G. Breyer. Apparently, an employee at Wagner Resource Group in McLean, Va., used LimeWire to share music or a movie on a company computer, which accidentally exposed private files containing names, birth dates and Social Security numbers belonging to the firm’s clients.

In May, a P2P network was the apparent source of a breach at Walter Reed Army Medical Center that exposed the personal information of 1,000 former patients.


Jun 11 2008   6:47PM GMT

Billing records of 2.2 million stolen



Posted by: Marcia Savage
Data Breaches and Identity Theft

The University of Utah Hospitals & Clinics said Tuesday that a metal box of backup tapes containing billing records for about 2.2 million patients and guarantors was stolen from a car belonging to a storage contractor’s employee.

The driver for Perpetual Storage violated the storage company’s policies for secure data transport, officials said. The theft, which occurred June 2, is under investigation by the Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service. The University of Utah Hospitals & Clinics is offering a $1,000 reward for return of the tapes.

The billing records included patient names, demographic information and diagnostic codes. Records for a subset of 1.3 million patients also contained Social Security numbers.

Although officials said there is no evidence that the data on the tapes has been accessed, the health care system is notifying the affected individuals, providing them with credit monitoring, and taking additional steps to safeguard its records. It also suspended deliveries of backup tapes to Perpetual Storage pending a review of procedures.


Jun 9 2008   2:05PM GMT

Stanford issues alert about stolen laptop



Posted by: Marcia Savage
Data Breaches and Identity Theft

Stanford University is notifying 72,000 current and former employees that a laptop containing their personal data was stolen.

The university said on Friday that it’s sending emails and letters to those whose confidential data may be at risk. The laptop contained personnel records of current and former Stanford employees who were hired before Sept. 28, 2007. As many as 72,000 could be affected, but university officials said there is no evidence that any of the data on the laptop has been accessed.

The laptop was stolen recently, but Stanford said it was not disclosing additional details about the theft while it’s under investigation. Data on the system included names, Social Security numbers, phone numbers, salaries and home addresses. Stanford is working with law enforcement officials to recover the laptop.

In light of the theft, Stanford is convening a task force to review its policies and practices for protecting confidential information. “The university has guidelines that prohibit keeping sensitive information on unsecured computers. This effort will be redoubled after this incident,” Stanford Vice President for Business Affairs and CFO Randy Livingston said in a prepared statement.


Jun 4 2008   8:17AM GMT

Sophos video ties malware to Google Earth, Britney Spears



Posted by: Robert Westervelt
Security Vendor News, Data Breaches and Identity Theft

Some security researchers at malware protection vendor Sophos have created a video that really gives people a visual of how complicated Web-based attacks can be. No, they’re not exploiting erotic pictures of the troubled pop star. It shows spam pushing pictures of Britney Spears to a tangled web of attacks spanning the globe. From a server in Hoboken, to a PC in Warsaw, malware is certainly spread far and wide. It’s these kinds of visuals that could help educate the public. All it takes is one click on a link in the Britney Spears spam email.
