CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Privacy’ Category

Neo-Nazi Forum “Blood & Honour” Hacked By German Anti-Fascist Group, 800MB Of Content Available For Download

Monday, September 1st, 2008

German anti-fascist hackers have broken into the secure forum server of one of the world’s largest neo-Nazi groups, Blood & Honour, and copied more than 30,000 pieces of data. Members of Daten-Antifa managed to break the access codes of the forum last week. They copied roughly 800MB of data, including information that was only available to members.

Blood & Honour, founded back in 1987 in the UK by Ian Stuart Donaldson, leader of the notorious skinhead band Skrewdriver, has been banned in Germany since 2000. The Spanish division was closed in 2005 after the arrest of many of its main leaders.

In a statement, the hackers said that the databases of the server were accessed in a “laboriously prepared cloak-and-dagger operation” which involved a “house search”.

The data, published online as a 7zip archive, includes the IP addresses of 31,948 registered users and information about close to 1,200 German neo-Nazis.

German authorities had previously suspected B&H was used by members of the German neo-Nazi scene. “Some people in the far-right extremist scene are going to get very nervous,” Günther Hoffmann from the Center for Democratic Culture told the Frankfurter Rundschau.

Since the data was gathered illegally, police may not be able to do anything with the information from the hacked forum.

The data was uploaded to free file hosting service providers (rapidshare and megaupload) and is currently available for free download at http://de.indymedia.org/2008/08/225641.shtml. Torrents are also available. The page also contains information about the software used for zipping, 7zip.


File Sharing Program Exposes Prince William County Public School Private Records

Monday, September 1st, 2008

Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer. It was determined that a school-based employee, while working on school business from home on a personal computer, inadvertently exposed certain PWCS information to the public through a file-sharing program.

The data, which do not appear to have been compromised, were immediately secured and a number of steps have been taken to address the matter, including the creation of a special telephone “hotline” and paying for individuals’ credit protection.

The exposed student information was limited to students who attend, have attended, or have applied to Porter Traditional School since its opening in 2004; a small number of students who attended Montclair Elementary School for several years prior to the 2004-05 school year; a limited number of parent volunteers at Porter Traditional School, and a select number of School Division employees.

An investigation conducted by PWCS has revealed that the student data included names, addresses, and/or student identification numbers for 1625 students associated with Porter Traditional School and Montclair Elementary School. The names and social security numbers of 65 employees were exposed, as well as other confidential information for 257 Division employees. The names, addresses, and email addresses of 736 volunteers at Porter Traditional School were also exposed.

Immediately upon learning of the exposure of confidential School Division data, PWCS secured the information and commenced an investigation to determine the scope and duration of this exposure. To date, the School Division’s investigation has produced no evidence that this information was compromised during this period.

The School Division has contacted all appropriate authorities and credit monitoring companies, and will also provide a credit monitoring service at no charge to the employees whose social security numbers were exposed.

Should any of these individuals have questions regarding the specific nature of any exposed information relating to them, they are asked to contact the special PWCS call center using the telephone “hotline” that has been set up to answer questions from those employees, parents, and volunteers who have received a letter. The number is 703.791.8157; calls should be made from 9 a.m. to 3:30 p.m., Monday through Friday. Questions can also be emailed to pwcsie@pwcs.edu.


Hackers In Taiwan Compromised 50 Million Personal, Government And Firms Records

Thursday, August 28th, 2008

Taiwan’s Criminal Investigation Bureau (CIB) has successfully tracked down and arrested six people in what the CIB believes to be the biggest personal data breach in Taiwan to date. Apparently, the group also managed to obtain personal data on Taiwan’s current and former presidents.

The suspects are believed to have stolen more than 50 million records of personal data, including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun, the official said. They then offered to sell the information for 300 Taiwan dollars (10 US) per entry, he said.

The hackers, based in Taiwan and China, also swindled victims out of millions of Taiwan dollars through their online bank accounts, he said. They will face up to five years in prison on charges of hacking and fraud.

An official at Taiwan’s Criminal Investigation Bureau said the hackers had tapped into data held by government agencies, state-run firms, telecom companies and a television shopping network. He called it the biggest hacking operation of its kind in Taiwan.

The announcement comes a week after China detected a sophisticated fake diploma scheme, where ten government databases were compromised.


Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

Monday, August 25th, 2008

A criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds. Thursday night, an unknown hacker, possibly Indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007. With eight million people staying in the hotel group’s 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center’s reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment. It seems that the hacker from India succeeded in bypassing the system’s security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run software capable of harvesting every record on Best Western’s European reservation system.

Although the security breach was closed on Friday, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that’s been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there’s enough data there to spark a major European crime wave. Armed with the numbers and expiry dates of customers’ credit cards, fraudsters are equipped to make multiple high-value purchases in their victims’ names before selling on the goods.

The stolen data might also be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims’ names. Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.

Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action. The investigation also includes the third-party website that has allegedly facilitated this illegal exchange of information.

Concerned clients are advised to contact Best Western customer service at 0800 528-1238.

Credit: Sunday Herald

Update (August 29): Best Western rejected claims that it had suffered a massive compromise of customer details.  Best Western confirmed on Tuesday that it had suffered a breach at one of its German hotels, but denied Sunday Herald claims that every customer using Best Western European hotels since 2007 had had their booking details compromised.

“We can confirm that on 21 August, 2008, three separate attempts were made via a single logon ID to access the same data from a single hotel,” said Best Western in a statement. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software.”

Best Western insisted that the compromised login ID only permitted access to reservations data for the Berlin hotel. Moreover, Best Western said the login ID was immediately terminated, and the computer in question had been removed from use.

While the Sunday Herald estimated that eight million people had been affected by the hack, Best Western claimed that only 10 customers had been affected. Moreover, Best Western said that it “purges reservations data within seven days of guest departure, thereby limiting potential data exposure”. The company added that it was working with the FBI and international authorities to investigate the incident further.


Security Researchers Embarrassed After Successful Hackers Attack

Thursday, August 14th, 2008

Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.

Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.

It is nothing new for security researchers to be the target of computer and internet-based attacks. But the recent rash of attacks, which coincided with this year’s Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.

“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”

Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.

Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”

What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.

Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.

Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.

Credit: Dan Goodin, The Register.


Social Security Numbers Displayed On Maryland Courts Website

Wednesday, August 13th, 2008

Drivers in Virginia and Washington, D.C. whose driver’s licenses have their Social Security numbers and who got traffic tickets in Maryland will find those numbers and other personal information on a Maryland state Web site. Maryland has never used Social Security numbers when issuing driver’s licenses, but Virginia and the District have.

Traffic citations are listed in Maryland’s court records, which the state makes publicly accessible online. The traffic citation records show a person’s full name, address, sex, height, weight, birth date and driver’s license number, which is sometimes the same as the driver’s Social Security number. Currently, a quick search for a popular name on the state’s Judiciary Case Search Web site will instantly pull up thousands of records spanning more than 30 years.

Virginia ended the practice in July 2003, although drivers were able to keep their old licenses until they expired, which in some cases was not until this year. Washington began offering drivers the option of having random numbers on their driver’s licenses instead of their Social Security numbers in 2001. Washington stopped issuing licenses with Social Security numbers on them altogether after federal regulations banned the practice in 2004.

The problem remains since Maryland’s court records date back decades, and drivers from D.C., Virginia or any state that once used Social Security numbers on licenses will find their Social Security numbers online today if they received Maryland tickets during that time.

A spokesman for the Maryland courts system was not immediately able to determine whether the number could be removed from the public record at the person’s request. People who find their Social Security numbers listed on the Web site can place a fraud alert with one of the three major credit bureaus at no charge. People who find their numbers listed on the Web site should place a fraud alert with a credit bureau immediately.


Hundreds Of UCLA Medical Employees Abused Privilege And Looked Into Celebrities’ Medical Records

Wednesday, August 6th, 2008

More than 120 workers at a Los Angeles hospital looked at celebrities’ medical records and other personal information without permission between January 2004 and June 2006, nearly double the number initially reported earlier this year, according to a state report.

Even after UCLA Medical Center warned employees about severe measures against unauthorized access to medical records, the privacy of a “well-known individual” was breached by two nurses and an emergency room technician who called up the patient’s computerized records in mid-April, according to a critical state report released Monday.

The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA. Nearly 60 additional employees gained improper access to records between January 2004 and June 2006, the report said, bringing the total number of workers implicated in the growing scandal to 127.

Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears. After the April violations, the report said, one nurse was fired and the two other employees received warnings.

State regulators continue to fault the hospital for failure to take adequate steps to maintain patient confidentiality. The latest findings detail how one employee — a former administrative specialist who faces federal criminal charges for violating Fawcett’s privacy — looked at the records of 939 patients “without any legitimate reason” from April 2003 to May 2007.

The hospital has proposed firing seven, suspending six for two to three weeks each and providing verbal or written warnings to eight others; three remain under investigation.

Under legislation being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.


Countrywide Financial Insider Steals And Sells Thousands Of Private Customer Records

Tuesday, August 5th, 2008

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The breach in security occurred over a two-year period through July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company.

The insider was identified as Rene L. Rebollo Jr., 36, who had worked as a senior financial analyst at Full Spectrum Lending, Countrywide’s subprime lending division. He was arrested at his home in Pasadena and charged with unauthorized access to a financial institution’s computers. Authorities also arrested Wahid Siddiqi, 25, at his home in Thousand Oaks. Authorities alleged that he was a reseller of Countrywide data.

Rebollo appeared in court Friday afternoon and was released on $80,000 bond. Siddiqi was being held on a fraud charge pending a court appearance Monday. The FBI said Rebollo had voluntarily described the scheme. Rebollo said he would charge $400 or $500 for batches of thousands of “leads” — personal and account information that presumably would help outside loan agents solicit new mortgages from the Countrywide applicants, some of whom had been denied loans by the Calabasas company.

Prosecutors suspect the data was eventually sold to companies that would then try to make other loans to the Countrywide customers, said Thom Mrozek, a spokesman for the U.S. attorney’s office. Authorities said they didn’t know whether any of the information had been used for outright fraud, such as identity theft.

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a Full Spectrum computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan. At that rate, the U.S. attorney’s office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each — an astonishingly small amount considering the importance of the material.

Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made. Social Security numbers alone generally fetch dollars, not pennies, since they can be used to open new bank accounts.

A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales.

The complaint said Siddiqi sold computer discs containing data on Countrywide customers to a witness working for the FBI, taking in $4,000 for about 38,000 customer profiles.

Countrywide spokeswoman Susan Martin said 19,000 customers had so far been identified as having their identities compromised.

Victims were being contacted by mail and would be offered free credit monitoring services for two years. Countrywide Communications Vice President Susan Martin said affected customers would be notified by mail. A special hotline was set up at (800) 669-6607.


CTW Library Consortium Computers Containing A Database Breached By Hackers

Tuesday, July 29th, 2008

Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday. The database included names, addresses, and Social Security and driver’s license numbers. The personal information on the servers belonged to 12 Wesleyan University library patrons, approximately 2,800 Connecticut College library patrons and three Trinity College library patrons.

David Pesci, director of public relations at Wesleyan, said that on Wednesday, when information technology workers noticed the servers had been broken into, they removed all the personal information. Investigators from Wesleyan believe the breach was committed so hackers could set up illegal chat rooms, attack other sites and perhaps send spam.

The breach was limited to two servers from the CTW library consortium housed at CTW’s headquarters at Wesleyan. It did not affect other servers in Wesleyan’s computer network, and no Wesleyan faculty, students or staff were affected. The CTW consortium has investigated this incident and found no evidence the personal information on the servers was viewed or stolen.

Officials from Wesleyan and CTW members have alerted police and the state attorney general’s office regarding this incident.

All personal information has been deleted from the database and steps were taken to secure the servers. Individuals with questions may contact Ruth Seeley, manager of computer support services at ruth.seeley@conncoll.edu or (860) 439-2052.


Private Details Available For Months On The Centers For Osteopathic Research And Education Website

Monday, July 28th, 2008

The Centers for Osteopathic Research and Education (CORE) at Ohio University removed a Web document last week that inadvertently contained personal information belonging to individuals who have provided academic programming for the medical education consortium. CORE is an osteopathic medical education consortium comprising member teaching hospitals, clinical training sites and osteopathic medical schools. The Ohio University College of Osteopathic Medicine is the central academic member of CORE.

CORE has identified, sent information to and developed resources for the 492 presenters affected, including doctors and nurses. The document was available to all for months. On July 16, CORE removed a spreadsheet that contained the information.

It had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. A document that should have been posted did not contain personal information, according to CORE. The document that should have been posted was intended to help CORE’s Residency Program Advisory Committees (RPAC) directors, who coordinate education programs for physicians-in-training and identify and engage medical education speakers.

It was not intended to carry personal information. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers. The person responsible for posting the information was put on paid administrative leave and has no access to the Web site or to CORE data pending a review.

There is no indication that any of the personal information was misused, said CORE spokeswoman Karoline Lane. With the help of OU experts, CORE is examining what happened and how it happened.

Within one week of learning about the error, CORE has undertaken the following to assist those whose information was exposed: published an informational Web site (www.ohiocore.org/answers); provided a toll-free call-in number (866-437-8698); and offered credit monitoring service for one year.
