Archive for the ‘Real Theft Reports’ Category

Hackers Stealing Through Electrical Outlets

Wednesday, November 4th, 2009

It’s almost unbelievable but hackers have found a way to steal personal information through electrical outlets.  It sounds implausible to many but, unfortunately, the threat is actually real.

I read an article about how hackers have found a way to “steal information typed on a computer keyboard using nothing more than the power outlet to which the computer is connected.”

How is that possible?  Typing on a regular keyboard sends an electrical signal through the unshielded cable to the computer which then leaks the information into the ground wire on the computer’s power supply.  All a thief has to do is set up in a nearby location and use a power socket in order to detect and grab the information in the ground leakage.  This is possible up to 15 meters away.

I never would have thought this sort of thing was possible but that’s why hackers are so good at what they do – they find ingenious ways to get other people’s vital information.  If only they used those skills to do something good for the world…like find a solution to this problem.

Be Prepared, Not Lucky

Wednesday, September 23rd, 2009

Earlier this month, PC World posted a true story about a man who was able to recover his stolen laptops using a free remote-access service, LogMeIn.

The story was this: David Krop left 2 laptops in his SUV in a parking garage while he attended a meeting. The computers were stolen and they weren’t even password protected. However, David had a trial access of LogMeIn installed, which allowed him to remotely access his laptop. He was able to use this service to see that his stolen laptop was being used by its alleged thief. By spying on this person, and collecting all his personal information as he browsed the internet (including his face via a video chat), Krop was able to supply information to the police. The police were then able to recover the laptop.

Now, this sounds like a good deal, right? However, it’s a pretty atypical situation to be in, and does not guarantee laptop recovery. The scenario depended on many factors, including:

  • That the unauthorized user did not dismiss the tracking icon that appeared when his laptop activity was being watched
  • That the unauthorized user would reveal a wide variety of detailed personal information while using the laptop (phone number, email address, face)
  • That the unauthorized user wouldn’t wipe all the existing software off the computer

As you can see, using LogMeIn or other free laptop tracking or remote access services is not the same thing as using a dedicated laptop tracking & recovery program and service such as Computrace or LoJack for Laptops from Absolute Software. Only Absolute has a dedicated Theft Recovery Team to work with police to recover your computer. Our software does not require you to sit around waiting for the alleged thief to supply detailed information about him/herself – all investigations and tracking are done on your behalf.  And you don’t have to hope to talk a police officer into taking on your case – we have existing relationships with local police around the world. Most PCs also now have our software at the BIOS level, protecting it from being wiped if software is deleted. So even if a crafty thief tries to remove the software, the BIOS firmware will make sure it’s installed.

David Krop has learned his lesson about leaving his laptop in his car. And he now uses remote tracking software. If you aren’t yet set up to track your laptop, check out our theft recovery products here.

DuPont Sues Employee for Insider Theft

Monday, September 14th, 2009

Many of us think about protecting our data against the strangers of the world who might be trying to find a way to use our information to their benefit.  It can be surprising, therefore, when the breach occurs within our company (or circle of friends, family, etc…).  Unfortunately, DuPont is learning that insider theft is becoming more and more common.

The industrial manufacturing company discovered that one of their employees, a senior research chemist, transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place in case someone tried to attach a hard drive to company computers.  I was further baffled when I learned that this isn’t the first time they’ve been through this. 

After 10 years with DuPont, an employee gathered information from thousands of documents and scientific abstracts.  His mission?  To sell the information to rival company, Victrex.  He ended up being sentenced to 18 months of jail time.

Aside from setting up some sort of alert system for when data breaches occur and using laptop security products like Computrace, DuPont (and other companies) has to find a way to work around the fact that even people with legitimate access to their information need to be considered potential threats. 


Network Solutions Breach Is Handled Well

Wednesday, August 5th, 2009

Who Breached: Network Solutions
Number Affected: 500,000+
Information breached: Credit card information
How: hacked

As the result of a hacker penetrating their e-commerce system, Network Solutions has determined that approximately 573,938 credit card holders may have had their data transferred. The company detected that hackers had placed unauthorized code on servers for some e-commerce merchants’ websites, and that this code may have been used to transfer data on some transactions. The credit card data was encrypted and PCI-compliant, and it is currently unknown how the malicious code entered the system.

From their news report:

The unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

Merchants and their customers are currently being notified. Network Solutions has additionally put together an informational website for their merchants at careandprotect.com. Consumer information is also included there for reference. They have included a blog in the website to answer questions that have arisen in the last week.

The quick and forthright response by Network Solutions has been quite impressive. They seem very keen to answer questions and be public with their responses. In addition, they have offered to foot the bill for customer notification, rather than those costs falling to the merchants affected.

Other notable data breaches from July:

  • HSBC Life, Lost Media, 180,000 affected (read more)
  • University of California San Diego Moores Cancer Center, Hack, 30,000 affected (read more)
  • LexisNexis, possible organized crime, >13,000 (read more)
  • Alberta Health Services Edmonton, Virus, >11,000 (read more)

Via datalossdb, the register

Heartland Breach is Costly

Thursday, May 21st, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million people after their network was compromised. News this month indicates that the breach has cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

In a conference call with investors, Heartland’s CEO, Robert Carr, shared the financial damage that was the result of the Q1 breach. They say that of the $12.6 million charge, less than $1 million is related to fines by Visa, but more than 50% of the cost is associated with a fine from MasterCard. The company is contesting the fines, which allege a failure by Heartland to take appropriate action upon learning of the network compromise.

Carr has been frank in discussing the data breach, and lays some blame on the payment industry itself for not having stringent enough best practices. Though I think it’s great that Heartland is encouraging new best practices, those best practices are a baseline of efforts in any industry. Companies should always be considering their particular risk factors and taking any added measures necessary to mitigate those.

Heartland was recently re-certified as PCI DSS compliant by Visa, MasterCard and Discover. However, much damage has been done to their reputation and, fines aside, the costs of this breach have been severe.


Data Stolen & Held for Ransom

Tuesday, May 12th, 2009

Who Breached: Virginia Prescription Monitoring Program

Number Affected: 8 million +

Information breached: Prescription records

How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Director of Virginia’s Department of Health Professions, Sandra Whitley Ryals, declined to discuss the reported hack, saying [PDF] only that an investigation is underway by federal and state authorities. She said that they are working with experts to restore systems and ensure they’re safe. The Virginia Department of Health Professions says that all data has been backed up and those files remain secure. There is no word yet if affected patients will be contacted about this breach.

Via consumerist, washington post, computerworld

1 Million Affected After Laptop Stolen from Car

Monday, May 4th, 2009

Who Breached: Oklahoma Department of Human Services
Number Affected: 1 Million+
Information breached: Social Security Numbers
How: laptop stolen from car

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye for its magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a very minor security protocol. There’s no guarantee the password was strong and, even with strong password-protection, systems with no additional security precautions pose a high risk for being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

Breach News: Heartland & More

Thursday, March 5th, 2009

Following on the heels of the Heartland Payment Systems breach that affected as many as 100 million credit cards, 3 arrests were made. The arrests followed the 3-month investigation into a stolen credit card ring. The arrests were for men caught using stolen credit card numbers at local WalMart stores. Apparently the Secret Service has a suspect in the Heartland data breach, someone outside North America.

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) was accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.


Computers Missing at Nuclear Lab

Thursday, February 26th, 2009

An email [PDF] obtained by the Project on Government Oversight earlier indicated that the Los Alamos National Laboratory (LANL) had lost 3 computers and a BlackBerry device during a 2-week period this year. After the news went public, further government response indicates that the nuclear weapons laboratory has a total of 67 “missing”, lost or stolen data devices.

The National Nuclear Security Administration (NNSA) wrote [PDF] to the LANL about the most recent computer theft expressing concern that the apparent “robustness of cyber security implementation” was not being vigilantly overseen. They say there are issues with individual security controls but also configuration management and accountability issues.

“In treating this initially as only a property management issue, my staff and I, and apparently the cyber security elements of the laboratory, were not engaged in a timely and proactive manner to assess and address potential loss of sensitive information.”

The quote above indicates a common misconception – that the loss of data devices is a property issue, not a data security issue. The memo advises LANL to treat all loss of equipment that can carry data – not just computers – as a cyber-security concern.

The letter revealed that 13 LANL computers have been stolen within the last year and that 67 are currently “missing.” Very little data was available – or collected – about what data has been compromised as the result of these breaches. Jeffrey Berger, director of communications at LANL, says that no classified data was held on any of the lost devices and thinks the leaked memos “distorted” the situation.

Los Alamos has suffered 3 major public breaches in the past, so none of this experience is ‘new’ to them. A system like Absolute Software’s Computrace could help with the asset tracking that appears to be a major problem for the lab – so they would know, in seconds, where every single computer is.

Via AFP, eweek, CNet, Computerworld, WSJ

Monster.com Hack #3

Wednesday, January 28th, 2009

Monster.com posted on January 23rd that their database had been hacked, this being the third time the company has experienced a breach of this sort.

The breached data includes contact information such as email addresses, phone numbers and usernames/passwords, but does not include personal data such as Social Security Numbers or financial data, as that is not data collected by the company. The breach affects USAJobs.gov (official job site for the US Federal Government) as well as Monster.com.

Despite the fact that SSNs and financial data were not breached, consumers should still be concerned about their lost data. Email addresses and other personal information can be used in various identity theft scams as a means to gain higher-level personal data. If consumers use the same access username & password for banking services, which is all too common (41% use the same password for everything, via Sophos), this information can be used directly in fraud or identity theft.

Here’s an opinion video from Sophos about the Monster.com breach and why it’s important:

In August 2007 Monster.com experienced a data breach that affected 1.3 million people, who then were targeted by phishers, and in October of the same year another hacker hijacked job listings to infect visitors with malware.

Monster.com recommends that its users change their passwords (making it mandatory on the site), with a warning to not fall prey to phishing attacks based on that premise. Monster.com will not be contacting consumers about this breach, by email or by mail.

For tips about choosing a strong password, read here or here.

Via I’ve been mugged
