Beware Toxic Resumes

The US Internet Crime Complaint Center issued a warning that hackers are searching the internet for online job postings, and responding with booby-trapped resumes.  Recently, more than $150,000 was stolen from a US business via unauthorised wire transfer as a result of an e-mail attachment that contained malware.  In that particular case, the malware was embedded in an e-mail response to a job posting the business had placed on an employment website.  The malware allowed the attacker to obtain the online banking credentials of a person authorised to conduct financial transactions within the company.


Gov Website Access For Sale

Researchers from Imperva’s Hacker Intelligence Initiative have found that a number of .mil, .gov and .edu websites have been hacked using SQL injection vulnerabilities, with access up for sale, cheap. The hacker claims to have control over a number of important websites, including the U.S. Army’s Communications-Electronics Command (CECOM) and other military sites, government sites, and those belonging to universities. Administrative access to these sites is being sold for as little as $33, ranging up to $499 each.

The hacker is also selling entire databases of personal information stolen from the websites for $20 per thousand records; the data could be used by fraudsters to break into online accounts.

Trustwave 2011 Global Security Report

Hackers continue to improve their malware, third-party vendors continue to underserve their clients when it comes to data security, and Russia appears as the single biggest source of attacks on databases, according to the new Global Security Report 2011 from Trustwave. The report is based on more than 200 data-breach investigations and 2,300 penetration tests conducted in 2010. Payment card data once again was the most sought-after asset, in 85% of Trustwave’s cases. Sensitive company data were next at 8%, followed by trade secrets at 3%. As reported last year, hotels were the major target in 2009. This shifted to food and beverage merchants in 2010.

Criminals used malware to harvest data in 76% of Trustwave’s investigations, a 23% increase from 2009. They also used malware in 44% of cases to exfiltrate data from targeted computer systems. The malware is getting more sophisticated, becoming virtually undetectable by current anti-virus products, according to Trustwave. Still, many of the issues found point to human error or indifference, and not much has changed from 2009. Third parties were responsible for system administration in 88% of Trustwave’s 2010 investigations, often taking shortcuts such as leaving default passwords in place or failing to activate firewalls. Such shortcuts often go undetected by merchants who trust their hired security experts.

Recent Breach News

Over the past week, these stories have been published, and have piqued my interest. 

Popular cosmetics chain Lush has been attacked by hackers, with credit card information and personal consumer details used to make fraudulent purchases. The hackers may have been stealing sensitive data for up to 4 months. Lush has advised consumers to contact their banks if they believe their details have been used by the hackers. On January 21st, a message on the Lush home page explained the situation, and the online store was shut down. On Lush’s Facebook fan page, people complained about having to cancel their credit cards out of fear, and many claimed to have lost money. The biggest complaint seems to be that Lush took so long in detecting the breach.

The creator of a popular mobile app that warns users about nearby speed traps notified users this week that their passwords may have been exposed due to an attack, releasing few details about the incident. In an e-mail, the company said it understood how the attack occurred and had already rewritten code to prevent it from happening in the future, but would not disclose what happened or when. It is not clear whether the hackers successfully captured any e-mail addresses or passwords, and there is nothing to suggest the information has been used. If you have used this service, and used the same password elsewhere, take precautions and change your online passwords. Do it NOW.

Two men, both of whom work at Goatse Security, have been charged with computer crimes for hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer. Andrew Auernheimer, 25, was arrested in Fayetteville, Ark., while appearing in court on unrelated drug charges, and Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in Newark, N.J. They each face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information, and are looking at a maximum of 10 years in prison and a $500,000 fine.

Auernheimer claims the intent of the breach was to point out lax security on the part of AT&T.  He also claims that Goatse has a reputation for fighting cyber crime.  A letter urges the dropping of the prosecution because continuing might damage his professional reputation.  “I pray for you to see wisdom in your actions, and pray for you to be guided towards righteousness. I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted and your teachers, for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”