CNBC’s Carmen Wong Ulrich highlighted LoJack for Laptops in her Consumer Alert. The segment features a recovery that involved three Tampa Airport baggage handlers. And security expert Jim Stickley talks about additional measures you can take to secure your laptop and the data on it.
Archive for January, 2009
Tampa recovery featured on CNBC
Friday, January 30th, 2009
House OKs record $142 billion for education
Thursday, January 29th, 2009
Good news for U.S. K-12 schools and colleges. The U.S. House of Representatives approved the Obama administration’s $819 billion stimulus package. The bill sets aside $142 billion for education.
Both the Senate and House versions of the stimulus package would supply about $20 billion for school infrastructure improvements, though the funding would be apportioned differently: K-12 schools would get $14 billion and colleges $6 billion in the House version, while the Senate version allocates $16 billion for K-12 schools and $3.5 billion for colleges. The House version also sets aside another $1 billion for educational technology, while the Senate version includes ed-tech funding as part of the infrastructure line item.
No matter how the education portion of the bill pans out in the Senate, education still wins. And when passed, schools and colleges will be able to continue to give their students and teachers the technology that they need for the best learning environment.
Via eSchool News
Absolute Recovers Laptop from Un-Neighborly Thief
Thursday, January 29th, 2009
An open apartment window was just the invitation a thief needed to steal a laptop off the desk of an Alabama LoJack for Laptops customer. Fortunately for the laptop’s owner, the stolen computer began checking in with the Absolute Monitoring System just weeks later, allowing the Absolute Recovery Team to trace its whereabouts.
Absolute’s tracking tools revealed interesting information – namely that the laptop was calling from the same apartment that it had been stolen from. After working with the Absolute Recovery Team to obtain a search warrant for the identified locale, police paid a visit to the un-neighborly suspect.
The search proved to be productive, as not only did police recover the stolen laptop, but also confiscated a quantity of drugs. Related charges are pending. In the meantime, the laptop has been returned to another satisfied LoJack for Laptops customer.
Click here to learn more about the Absolute Theft Recovery Process.
Please note that indictments and criminal complaints are unproven accusations and the accused, in all cases, are presumed innocent until proven guilty.
Monster.com Hack #3
Wednesday, January 28th, 2009
Monster.com posted on January 23rd that their database had been hacked, this being the third time the company has experienced a breach of this sort.
The breached data includes contact information such as email addresses, phone numbers and usernames/passwords, but does not include personal data such as Social Security Numbers or financial data, as that is not data collected by the company. The breach affects USAJobs.gov (official job site for the US Federal Government) as well as Monster.com.
Despite the fact that SSNs and financial data were not breached, consumers should still be concerned about their lost data. Email addresses and other personal information can be used in various identity theft scams as a means to gain higher-level personal data. If consumers use the same access username & password for banking services, which is all too common (41% use the same password for everything, via Sophos), this information can be used directly in fraud or identity theft.
Here’s an opinion video from Sophos about the Monster.com breach and why it’s important:
In August 2007 Monster.com experienced a data breach that affected 1.3 million people, who then were targeted by phishers, and in October of the same year a hacker hijacked job listings to infect visitors with malware.
Monster.com recommends that its users change their passwords (making it mandatory on the site), with a warning to not fall prey to phishing attacks based on that premise. Monster.com will not be contacting consumers about this breach, by email or by mail.
For tips about choosing a strong password, read here or here.
Via I’ve been mugged
Veterans Affairs $20 Million Breach Settlement
Wednesday, January 28th, 2009
The U.S. Department of Veterans Affairs (VA), which suffered a data breach affecting 26.5 million people in 2006, has agreed to pay $20 million to veterans affected by the breach.
The VA data breach of 2006, which was listed as one of the 10 largest data breaches since 2000 and as one of the worst breaches ever, was the result of a computer going missing from the home of an employee, who had taken the computer home without permission. The computer contained insurance claim data (including Social Security Numbers and insurance information) for 26.5 million active duty troops and veterans, leaving them open to identity theft and fraud.
The FBI was able to recover the equipment and apprehended the thieves; the VA found no evidence that data had been compromised. The VA Inspector General faulted the data analyst and his supervisors for putting veterans at unreasonable risk. A series of delays after the employee notified his superiors meant that affected veterans were not told about the breach until 3 weeks later.
Five veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each military personnel affected. This would have amounted to $26.5 billion in damages.
In court filings on Tuesday, lawyers for the VA and the veterans represented in the suit agreed to settle the lawsuit for $20 million. VA spokesman Phil Budahn made a statement, after the settlement, that:
“We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran.”
The money for the settlement will come from the U.S. Treasury and will go to veterans who can show they suffered “actual harm” (physical symptoms of emotional distress or expenses) as the result of the breach. I’ll be curious to see how they determine the ‘proof’ of these items. Each veteran will receive $75 – $1500 upon proving their suffering. Any remainder of funds will be donated to veterans’ charities. U.S. District Judge James Robertson must approve the terms of this settlement before it becomes final.
In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. They have suffered other data breaches, affecting up to 1.8 million, several times since 2006. Let’s hope this settlement means that the VA is truly accepting responsibility for the data breach suffered in 2006.
Via Yahoo, SC Magazine
Absolute Recovers Multiple Laptops After School is Burglarized
Tuesday, January 27th, 2009
Teachers at a California high school arrived at work one morning to find that thieves had made off with a number of the school’s laptops. Although all of the laptops had been locked to a classroom cart, intruders managed to break through the locks and take with them over 20 computers. Luckily, the computers were equipped with Computrace®, and in cooperation with the County Sheriff’s Department, the Absolute Team began work on recovery.
The first computer called into the Absolute Monitoring Center just days after the theft, and in the weeks that followed, 12 more of the missing computers checked in. Each time a laptop connected to the Internet, Absolute was able to extract useful information and provide police with the details necessary to identify suspects and locales.
With every laptop Absolute directed police to, an interesting story surfaced. One of the computers had been purchased off the streets from a stranger, while another man acquired three of the laptops in a trade for his motorcycle. Absolute tracked two of the laptops to an area pawn shop, while two more were found when individuals attempted to resell them on the high school’s own campus.
Just months after the theft, Absolute has been successful in recovering over half of the stolen laptops, and is busily tracking those that remain missing. Armed with information provided by the Absolute Team, local authorities have been able to make several arrests in connection to the case.
Click here to learn more about the Absolute Theft Recovery Process.
Please note that indictments and criminal complaints are merely unproven accusations and the accused in all cases are presumed innocent until proven guilty.
Absolute recovers laptop for Eastern Washington University student
Tuesday, January 27th, 2009
Watch the video and see Detective Quincy Burns talk about how he caught 3 career thieves and got an Absolute customer’s laptop back with the help of LoJack for Laptops.
FTC’s 5 Recommendations to Reduce Role of SSNs in ID Theft
Monday, January 26th, 2009
The Federal Trade Commission (FTC) has released a report on Social Security Numbers (SSNs) and their correlation with Identity Theft. The report, which can be downloaded here [PDF], is a follow-up to a 2007 workshop on the same topic and the continued work of the President’s Identity Theft Task Force that was established in May 2006.
In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authentication would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:
“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”
The Commission’s five recommendations are:
- Improve consumer authentication
- Restrict the public display and the transmission of SSNs
- Establish national standards for data protection and breach notification
- Conduct outreach to businesses and consumers
- Promote coordination and information sharing on use of SSNs
The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently financial institutions that are federally regulated by banking agencies are the only private companies subjected to nationwide authentication standards.
You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].
2009 Threat Predictions
Friday, January 23rd, 2009
This week McAfee released the 2009 Threat Predictions report and VARBusiness released its interpretation of the 10 Security Predictions for 2009. Both reports indicate that cyber criminals are exploiting the current economic situation to create new scams of various sources.


McAfee senior vice president Jeff Green notes:
“Computer users face a dangerous one-two punch today. The current economic crisis is delivering a blow to our financial well-being, while malware authors are taking advantage of our distraction to deliver a roundhouse strike.”
McAfee Threat Predictions for 2009:
- Threats Hide in the Cloud - Threats that take advantage of Web 2.0 will replace traditional delivery methods
- Personalized Threats Speak Your Language – Using single-use binary files that create a sea of threats; other threats include diversifying malware into non-English languages.
- Malware Targets Consumer Devices - USB sticks and flash-memory devices
- The Rogue Web and Malvertising – using mainstream practices to “sell” software that is misleading or fraudulent.
- McColo: The Effects of a Takedown – Spam went down 60% after this host was taken down, so we may see more of a collaborative effort to take down these cyber criminals.
Download the report here [PDF].
VARBusiness 10 Security Predictions For 2009:
- Malware Grows Up - Web 2.0 apps being targeted, with malware harder to track. Malicious code will be written with more variants.
- Bad Economy Spurs More Scams – More legitimate-looking phishing attacks targeted with a banking angle
- Let’s Socialize – Social networking sites will be impersonated or contacts spoofed
- This Time It’s Premeditated - working harder at large-scale attacks
- Unified Security Is the Way to Go - Efficiency and affordability will be the name of the game in 2009.
- Rise Of The Underworld – The cyber crime underworld will continue to evolve and become more organized
- You Left That Door Open – Disgruntled workers being laid off during the economic crunch may try to take data
- Data Breach Bonanzas – Credit-card companies are imposing more stringent regulations on businesses as credit card data becomes more highly targeted by criminals
- Got Game? - Cyber crime in online gaming
- Weather Forecast: Cloud Computing – Trends to outsource security tasks
Payment System Breach May Expose 100 Million
Thursday, January 22nd, 2009
Who Breached: Heartland Payment Systems
Number Affected: As many as 100 Million+
Information breached: Credit Card Data
How: Network compromised
In a breach to rival those of TJX (~45 – 94 million) in the US and HMRC (25 million) in the UK, Heartland Payment Systems announced on January 20th that they have uncovered malicious software in their processing system. Cyber criminals gained access to their network and to the 100 million credit card transactions it handles each month.
Although no merchant information or Social Security Numbers were compromised, data that was improperly accessed included the information on a card’s magnetic strip (card number, expiration date, bank codes), which could be used to duplicate the cards. Heartland says that it cannot estimate the number of records that may have been accessed.
Avivah Litan, analyst at Gartner, calls the Heartland Payment Systems breach the “largest card-data breach ever”. Heartland’s president says it’s too early for such a “speculative” statement.
Heartland has set up a breach website with a statement of the incident:
“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”
At the time of this breach, Heartland did not have real-time monitoring of network activities that would have detected the access. The company recommends that customers examine their monthly statements closely and report any suspicious activity.
Earlier this month, CheckFree Corporation also notified more than 5 million customers that criminals took control of several of their domains and redirected customers to malicious websites.
Via FOX, Computerworld, WSJ