Data Breach
Exposed student data leaves prying eyes wide open
Exposed student data leaves prying eyes wide open: Via City College News at Minneapolis Community and Technical College.
Names, work-study information and student IDs left open for all
An online MCTC directory left sensitive student data and internal documents accessible to the prying eyes of anyone with an Internet connection since at least the summer of 2006, according to an investigation by City College News.
Besides annual accounts-receivable reports and salary rosters, a database spanning the last several years of work-study records contained the names of students, their student ID numbers, the amount which they were awarded and the amount which they had earned, sorted by department. [ Read more ... ]
Tighter Medical Privacy Rules Sought
Tighter Medical Privacy Rules Sought: Via NYT > Privacy.
The Obama administration is rewriting new rules on medical privacy after an outpouring of criticism from consumer groups and members of Congress who say the rules do not adequately protect the rights of patients.
Democratic lawmakers and a few Republicans have denounced the rules, saying they fall short of offering patients the fullest protections possible. Hospitals and insurance companies, seeking to maintain greater control over patient notification, generally support the rules. The White House finds itself caught in the middle.
The rules specify when doctors, hospitals and insurers must tell patients about the improper use or disclosure of information in their medical records. Such breaches appear to have become more frequent, with the growing use of health information technology, social media and the Internet.
Kathleen Sebelius, the secretary of health and human services, issued temporary rules, with the force of law, in August last year. After analyzing comments from the public, she developed final rules and submitted them to the White House Office of Management and Budget for approval in May.
At the urging of the White House, Ms. Sebelius recently withdrew the rules to allow for further consideration. [ Read more ... ]
Alleged Carder ‘BadB’ Busted in France — Watch His Cartoon
Alleged Carder ‘BadB’ Busted in France — Watch His Cartoon: Via Threat Level.
An alleged old-timer in the international carding community and one of the top sellers of stolen bank card data has been arrested in France, and faces extradition to the United States on an indictment unsealed Wednesday in Washington, D.C.
Vladislav Anatolievich Horohorin, 27, aka BadB, holds dual citizenship in Ukraine and Israel and was one of the earliest members of CarderPlanet, a first-of-its-kind Russian-language carding forum that was launched around 2002 by a group of East Europeans. CarderPlanet was shuttered in 2004, and BadB had more recently been selling his stolen goods at carder.su and on his own websites, dumps.name and badb.biz, where he promoted his product in lighthearted Flash cartoons like the one above.
Authorities say the network created by Horohorin and other CarderPlanet veterans is linked to “nearly every major intrusion of financial information reported to the international law enforcement community.” [ Read more ... ]
Foursquare Puts Money Before Privacy
Foursquare Puts Money Before Privacy: Via Threat Level.
Foursquare, one of the net’s hottest startups, got an unwanted message on June 20 from a white-hat hacker: it was leaking user data on a massive scale in plain violation of its privacy policy.
The company asked the white hat, Jesper Andersen, to give it nine days to deal with the problem that it was publishing all users’ location data to the entire web despite its privacy-policy promise to users that “You can opt out of such broadcasts through your privacy settings.”
At the same time, the company was wrapping up a protracted and very public finance round that stalled for a while as the company reportedly almost sold itself to Facebook.
So when the nine days were up, the company told Andersen in a private e-mail Tuesday morning that it had fixed the “privacy leak” (the company’s own words) by modifying how an existing privacy setting worked, and that it had no solution yet for two other privacy holes that Andersen also reported, saying it was trying to figure out how to balance usability with privacy. [ Read more ... ]
Is AT&T's Breach Worse Than Initially Thought?
AT&T Breach May Be Worse Than Initially Thought: Via Slashdot.
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
State Department Anxious About Possible Leak of Cables to Wikileaks
State Department Anxious About Possible Leak of Cables to Wikileaks: Via Threat Level.
The State Department and personnel at U.S. embassies around the world are reportedly waiting anxiously to find out if an Army intelligence analyst was telling the truth when he boasted that he had supplied 260,000 classified State Department diplomatic cables to the whistleblower site Wikileaks.
If Wikileaks has the secret documents and publishes them, the leak could not only expose damaging information about U.S. foreign policy and national security issues, but also expose embarrassing information about backroom diplomatic deals and U.S. attitudes toward foreign leaders — such as the opinions of U.S. ambassadors about the honesty, integrity, and strength and longevity of those leaders.
The concerns are reported in a story published at the Daily Beast that appears to confirm that alleged leaker Bradley Manning had access to the kinds of cables he discussed with a former hacker who turned him in to authorities.
Manning told ex-hacker Adrian Lamo that he had given 260,000 classified U.S. diplomatic cables to Wikileaks, and said the documents exposed “almost-criminal political back dealings.” [ Read more ... ]
Facebook Glitch Brings New Privacy Worries
Facebook Glitch Brings New Privacy Worries: Via NYT > Privacy.
A major security flaw in Facebook’s privacy settings heightened a feeling among many users that it was becoming hard to trust the service to protect their personal information.
For many users of Facebook, the world’s largest social network, it was just the latest in a string of frustrations.
On Wednesday, users discovered a glitch that gave them access to supposedly private information in the accounts of their Facebook friends, like chat conversations.
Not long before, Facebook had introduced changes that essentially forced users to choose between making information about their interests available to anyone or removing it altogether.
Although Facebook quickly moved to close the security hole on Wednesday, the breach heightened a feeling among many users that it was becoming hard to trust the service to protect their personal information.
“Facebook has become more scary than fun,” said Jeffrey P. Ament, 35, a government contractor who lives in Rockville, Md. [ Read more ... ]
Spy Network Pilfered Classified Docs From Indian Government and Others
Spy Network Pilfered Classified Docs From Indian Government and Others: Via Wired: Threat Level.
A spy network targeting government networks in India and other countries has been pilfering highly classified and other sensitive documents related to missile systems, the movement of military forces and relations among countries, according to a report released Tuesday.
It also grabbed nearly a year’s worth of personal correspondence from the Dalai Lama’s office, even after reports published last year indicated that the Dalai Lama’s network had been compromised in what is believed to be a separate breach.
The researchers say the spying is an example of a sophisticated shift that has occurred in malware networks from “what were once primarily simple to increasingly complex, adaptive systems spread across redundant services and platforms” and from ones that primarily focused on exploitation for criminal purposes to ones that are focused on “political, military, and intelligence-focused espionage.”
The spynet, dubbed Shadow Network, was discovered by a group of computer-security researchers in Canada and the United States who have been monitoring the espionage for at least eight months and watched as the spies siphoned classified and other restricted documents from the Indian Defense Ministry and other computer networks.
The researchers — based primarily at the Munk School of Global Affairs’ Citizen Lab at the University of Toronto and at SecDev Group, a consultancy in Ottawa — are the same ones who reported last March on another spynet, dubbed Ghost Net, that had breached computers of the Dalai Lama and more than 1,200 other systems at embassies, foreign ministries, news media outlets and nongovernmental organizations based primarily in South and Southeast Asia. [ Read more ... ]
Government Stops Shielding Corporate Breach ‘Victims’
Government Stops Shielding Corporate Breach ‘Victims’: Via Threat Level.
For the past few months, national retailer J.C. Penney has been fighting an under-seal court battle to keep you from knowing that its payment card network was breached by U.S. and Eastern European hackers. [ Read more ... ]
Unprecedented 25-Year Sentence Sought for TJX Hacker
Unprecedented 25-Year Sentence Sought for TJX Hacker: Via Threat Level.
Computer hacker Albert Gonzalez deserves a quarter-century behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors argued in a court filing Thursday night.
“[T]he sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Boston-based Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many major cities and some states.”
The government also disputed a defense claim that Gonzalez suffers from Asperger’s disorder, a mild form of autism that was grounds for a slightly reduced sentence in a previous hacking prosecution.
Gonzalez, 28, is set for sentencing next week on three indictments covering virtually every headline-making bank-card theft in recent years, including intrusions at TJX, DSW Shoe Warehouse, Office Max, Hannaford Brothers, 7-Eleven, and Heartland Payment Systems, which alone exposed magstripe data on 130 million credit and debit cards. He performed the intrusions while an informant for the Secret Service.
The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years. [ Read more ... ]
TJX Hacking Conspirator Gets 4 Years
TJX Hacking Conspirator Gets 4 Years: Via Threat Level.
Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.
Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.
Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]
Wyndham hotels hacked again (third strike in just the past year)
Wyndham hotels hacked again: Via Computerworld Cybercrime/Hacking News.
Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.
The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.
"A hacker intruded on our systems and accessed customers' information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."
Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe." [ Read more ... ]
Wyndham Worldwide hacked and database breached, giving access to some payment card information
Wyndham Worldwide hacked and database breached, giving access to some payment card information: Via Wyndham Worldwide.
To our Wyndham Hotels and Resorts guests:
In late January 2010, our company discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system. We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem. [ Read more ... ]
Student slaps Google Buzz with privacy lawsuit
Student slaps Google Buzz with privacy lawsuit: Via The Money Times.
Lawsuit against Google
Now a student at Harvard Law School has filed a class action suit against the company for making personal information of the users public.
Law firms in San Francisco and Washington, D.C. have sued Google on behalf of Eva Hibnick.
The 24-year-old law student filed the lawsuit against the search giant after finding herself automatically opted in to the new networking service, without consent. [ Read more ... ]
Over 75,000 systems compromised in cyberattack
Over 75,000 systems compromised in cyberattack: Via Computerworld Cybercrime/Hacking News.
Correction: An earlier version of this story incorrectly said the cyberattacks began in 1998. They began in 2008.
Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.
A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.
"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday. [ Read more ... ]
Shell hit by massive data breach, a contact database with 176,000 staff and contractors forwarded to lobbyists and activists opposed to the company
Shell hit by massive data breach: Via The Register (UK).
Shell has been hit by a massive data breach - the contact database for 176,000 staff and contractors at the firm has been copied and forwarded to lobbyists and activists opposed to the company.
John Donovan, an activist who received the database, said he had voluntarily destroyed the files. But he warned that other copies were available online.
The email supposedly comes from 176 "concerned staff" to highlight Shell's activities in Nigeria. The database is about six months old and could have been released by a recently laid-off staff member, or there could really be a rogue campaign group within Shell. [ Read more ... ]
Guard Your Health Insurance Card Against Medical Identity Theft
Guard Your Health Insurance Card: Via Bucks Blog - NYTimes.com.
You may want to make sure you know where your health insurance card is.
According to a new study, the 2010 Identity Fraud Survey Report, from the research company Javelin Strategy & Research, 7 percent of identity fraud victims this year reported identity thieves stole their health insurance information, up from just 3 percent last year.
So even though the actual total dollar amount of health care identity fraud didn’t increase meaningfully from 2008 to 2009, James Van Dyke, the president and founder of Javelin, said he expected to see more incidents of health insurance identity fraud showing up in next year’s study and beyond. “We’re seeing more criminal access to private medical records in our survey now, and therefore, we expect to see resulting increases in health care fraud in future years’ studies,” Mr. Van Dyke said. [ Read more ... ]
Record 13-Year Sentence for Hacker Max Vision
Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.
PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.
Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.
Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]
Google to enlist NSA to help it ward off cyberattacks
Google to enlist NSA to help it ward off cyberattacks: Via washingtonpost.com.
The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.
Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.
Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data. [ Read more ... ]
Hackers Steal Millions in Carbon Credits
Hackers Steal Millions in Carbon Credits: Via Threat Level.
Credit card numbers are so passé. Today’s hackers know the real powerhouse data to steal is emission certificates.
That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.
The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. [ Read more ... ]
Report Details Hacks Targeting Google, Others
Report Details Hacks Targeting Google, Others: Via Threat Level.
It’s been three weeks since Google announced that it and numerous other U.S. companies were targeted in a recent sophisticated and coordinated hack attack dubbed Operation Aurora.
Until now we’ve only known that the attackers got in through a vulnerability in Internet Explorer and that they obtained intellectual property and access to the Gmail accounts of two human rights activists whose work revolves around China. We also know a few details about how the hackers siphoned the stolen data, which went to IP addresses in Taiwan, and about 34 mostly undisclosed companies were breached.
Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack. [ Read more ... ]
Social Security numbers found lying in street
Social Security numbers found lying in street: Via Chicago Tribune.
Hundreds of sensitive, intact documents — including W-2 forms, investment account balances and job applications — were inexplicably swirling around Touhy Avenue and Eastview Drive on Thursday afternoon. After being tipped to the airborne paper trail, the Tribune contacted some of the people and companies listed on the documents.
None of them knew how the papers could have ended up in the street.
"I am pretty much disgusted with this," said Cruz, 47, of Chicago, who was notified that at least 17 documents with her Social Security number (the apparent remnants of an old job application) had been retrieved. "All of that is sensitive information. You would think your stuff is secure." [ Read more ... ]
Chinese Fingerprints Said to Be Found in Google Attacks
Chinese Fingerprints Said to Be Found in Google Attacks: Via NYTimes.com.
SAN FRANCISCO — An American computer security researcher has found what he says he believes is strong evidence of the digital fingerprints of Chinese authors in the software programs used in attacks against Google.
The search engine giant announced last Tuesday that it had experienced a series of Internet break-ins it believed were of Chinese origin. The company’s executives did not, however, detail the evidence leading them to the conclusion that the Chinese government was behind the attacks, beyond stating that e-mail accounts of several Chinese human rights activists had been compromised.
In the week since the announcement, several computer security companies have made claims supporting Google’s suspicions, but the evidence has remained circumstantial. [ Read more ... ]
Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit
Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit: Via Security, Privacy and The Law Published by Foley Hoag LLP.
In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (a recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. [ Read more ... ]
Google attack part of widespread spying effort
Google attack part of widespread spying effort: Via Computerworld Cybercrime/Hacking News.
Google's decision Tuesday to risk walking away from the world's largest Internet market may have come as a shock, but security experts see it as the most public admission of a top IT problem for U.S. companies: ongoing corporate espionage originating from China.
It's a problem that the U.S. lawmakers have complained about loudly. In the corporate world, online attacks that appear to come from China have been an ongoing problem for years, but big companies haven't said much about this, eager to remain in the good graces of the world's powerhouse economy.
Google, by implying that Beijing had sponsored the attack, has placed itself in the center of an international controversy, exposing what appears to be a state-sponsored corporate espionage campaign that compromised more than 30 technology, financial and media companies, most of them global Fortune 500 enterprises. [ Read more ... ]