Wyndham hotels hacked again: Via Computerworld Cybercrime/Hacking News.

Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.

The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.

"A hacker intruded on our systems and accessed customers information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."

Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe." [ Read more ... ]

Wyndham Worldwide hacked and database breached, giving access to some payment card information: Via Wyndham Worldwide.

To our Wyndham Hotels and Resorts guests:

In late January, 2010, our company discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system. We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem. CLICK HERE FOR FAQS ABOUT THE INCIDENT. [ Read more ... ]

Student slaps Google Buzz with privacy lawsuit: Via The Money Times .

Lawsuit against Google

Now a student at Harvard Law School has filed a class action suit against the company for making personal information of the users public.

Law firms in San Francisco and Washington, D.C. have sued Google on behalf of Eva Hibnick.

The 24-year-old law student filed the law suit against the search giant after finding herself automatically opted to the new networking service, without consent. [ Read more ... ]

Over 75,000 systems compromised in cyberattack: Via Computerworld Cybercrime/Hacking News.

Correction: An earlier version of this story incorrectly said the cyberattacks began in 1998. They began in 2008.

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday. [ Read more ... ]

Shell hit by massive data breach: Via The Register(UK).

Shell has been hit by a massive data breach - the contact database for 176,000 staff and contractors at the firm has been copied and forwarded to lobbyists and activists opposed to the company.

John Donovan, an activist who received the database, said he had voluntarily destroyed the files. But he warned that other copies were available online.

The email supposedly comes from 176 "concerned staff" to highlight Shell's activities in Nigeria. The database is about six months old and could have been released by a recently laid off staff member, or there could really be a rogue campaign group within Shell. [ Read more ... ]

Guard Your Health Insurance Card: Via Bucks Blog - NYTimes.com .

You may want to make sure you know where your health insurance card is.

According to a new study, the 2010 Identity Fraud Survey Report, from the research company Javelin Strategy & Research, 7 percent of identity fraud victims this year reported identity thieves stole their health insurance information, up from just 3 percent last year.

So even though the actual total dollar amount of health care identity fraud didn’t increase meaningfully from 2008 to 2009, James Van Dyke, the president and founder of Javelin, said he expected to see more incidences of health insurance identity fraud showing up in next year’s study and beyond. “We’re seeing more criminal access to private medical records in our survey now, and therefore, we expect to see resulting increases in health care fraud in future years’ studies,” Mr. Van Dyke said. [ Read more ... ]

Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.

PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.

Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.

Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]

Google to enlist NSA to help it ward off cyberattacks: Via washingtonpost.com .

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data. [ Read more ... ]

Hackers Steal Millions in Carbon Credits: Via Threat Level.

Credit card numbers are so passe. Today’s hackers know the real powerhouse data to steal is emission certificates.

That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.

The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. [ Read more ... ]

Report Details Hacks Targeting Google, Others: Via Threat Level.

It’s been three weeks since Google announced that it and numerous other U.S. companies were targeted in a recent sophisticated and coordinated hack attack dubbed Operation Aurora.

Until now we’ve only known that the attackers got in through a vulnerability in Internet Explorer and that they obtained intellectual property and access to the Gmail accounts of two human rights activists whose work revolves around China. We also know a few details about how the hackers siphoned the stolen data, which went to IP addresses in Taiwan, and about 34 mostly undisclosed companies were breached.

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack. [ Read more ... ]

Social Security numbers found lying in street: Via Chicago Tribune.

Hundreds of sensitive, intact documents — including W-2 forms, investment account balances and job applications — were inexplicably swirling around Touhy Avenue and Eastview Drive on Thursday afternoon. After being tipped to the airborne paper trail, the Tribune contacted some of the people and companies listed on the documents.

None of them knew how the papers could have ended up in the street.

"I am pretty much disgusted with this," said Cruz, 47, of Chicago, who was notified that at least 17 documents with her Social Security number (the apparent remnants of an old job application) had been retrieved. "All of that is sensitive information. You would think your stuff is secure." [ Read more ... ]

Chinese Fingerprints Said to Be Found in Google Attacks : Via NYTimes.com .

SAN FRANCISCO — An American computer security researcher has found what he says he believes is strong evidence of the digital fingerprints of Chinese authors in the software programs used in attacks against Google.

The search engine giant announced last Tuesday that it had experienced a series of Internet break-ins it believed were of Chinese origin. The company’s executives did not, however, detail the evidence leading them to the conclusion that the Chinese government was behind the attacks, beyond stating that e-mail accounts of several Chinese human rights activists had been compromised.

In the week since the announcement, several computer security companies have made claims supporting Google’s suspicions, but the evidence has remained circumstantial. [ Read more ... ]

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit: Via Security, Privacy and The Law Published by Foley Hoag LLP.

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. [ Read more ... ]

Google attack part of widespread spying effort: Via Computerworld Cybercrime/Hacking News.

Google's decision Tuesday to risk walking away from the world's largest Internet market may have come as a shock, but security experts see it as the most public admission of a top IT problem for U.S. companies: ongoing corporate espionage originating from China.

It's a problem that the U.S. lawmakers have complained about loudly. In the corporate world, online attacks that appear to come from China have been an ongoing problem for years, but big companies haven't said much about this, eager to remain in the good graces of the world's powerhouse economy.

Google, by implying that Beijing had sponsored the attack, has placed itself in the center of an international controversy, exposing what appears to be a state-sponsored corporate espionage campaign that compromised more than 30 technology, financial and media companies, most of them global Fortune 500 enterprises. [ Read more ... ]

Children's hospital lost data on 1m patients: Via IT Law in Ireland.

In a follow up to his excellent story about Temple Street Children's Hospital storing DNA samples of over 1.5 million people without any legal basis, Mark Tighe has a piece in today's Sunday Times revealing that the hospital also lost two servers full of information about patients in 2007:

Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.

Interestingly, there's no mention of the servers having been encrypted, making it unclear on what basis it was decided that the data couldn't be accessed. [ Read more ... ]

Alleged Ponzi Mastermind Stanford Pwned in Antigua: Via Threat Level.

In early 2008, while federal investigators were busy looking into disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.

According to a fraud investigator with firsthand knowledge of the break-in, the hackers responsible infiltrated a component of the Stanford Group’s network by exploiting vulnerabilities in the company’s web servers and databases. On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a website controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.

Once inside Stanford’s network, the unidentified hackers appear to have swiped the credentials from an internal network administrator. They soon had downloaded the user names and password hashes for more than 1,000 employees of Stanford Financial, Stanford Group, Stanford Trust and Stanford International Bank. [ Read more ... ]

The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.

It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.

Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium. [ Read more ... ]

FaceBook App Maker Hit With Data-Breach Class Action: Via Threat Level.

>RockYou, the popular provider of third-party apps for Facebook, Myspace and other social-networking services, is being hit with a proposed class-action accusing the company of having such poor data security that at least one hacker got away with 32 million e-mails and their passwords.

The suit accuses the maker of apps like “Slideshow” for MySpace and “Superwall” for Facebook of making its unencrypted customer data “available to even the least capable hacker.”

“RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security,” according to the Monday complaint in San Francisco federal court. [ Read more ... ]

Heartland hacker pleads guilty in third case: Via Computerworld Cybercrime/Hacking News.

The hacker who enabled the theft of millions of credit card numbers has pleaded guilty to two counts of conspiracy and will receive a prison term of at least 17 years.

Albert Gonzalez, the hacker, has already pleaded guilty in two other cases related to the theft. As part of his plea agreement in those cases, in Boston and New York, he agreed to ask for no less than 15 years in prison and the government agreed to ask for no more than 25 years. [ Read more ... ]

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.

The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.

While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”

Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]

7-Eleven Hack From Russia Led to ATM Looting in New York: Via Threat Level.

Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 is stolen from cash machines on the Upper East Side in just three days.  After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million dollars stolen.

The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com. [ Read more ... ]

Citigroup, law enforcement refute cyber heist report: Via Computerworld Cybercrime/Hacking News.

Citigroup says no system breach, no losses of customer or bank data, funds

Citigroup and a federal law enforcement source on Tuesday refuted a claim that the bank's customers lost millions of dollars in an advanced cyber heist over the summer, leaving lingering questions over details of the alleged attack.

According to a report in Tuesday's Wall Street Journal, the FBI is investigating the theft of tens of millions of dollars from Citibank using malicious software created in Russia.

A source within federal law enforcement who declined to be identified said the Wall Street Journal story was inaccurate and appears to have confused a known 2007 hack of Citigroup-branded automated teller machines with a long-running criminal effort to hack online banking customers and move money out of their accounts.

"They've screwed up so many different things," he said. The FBI had no comment. [ Read more ... ]

Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases: Via Threat Level.

Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement in charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.

Under the terms of the agreement, Gonzalez, a former Secret Service informant, will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrent with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.

Gonzalez is currently facing a sentence of between 15 and 25 years in two combined cases out of Massachusetts and New York, involving the hacks of TJX and Dave & Buster’s restaurants. The New Jersey agreement would add two years to the minimum time he could seek. [ Read more ... ]

Santa's Naughty–Nice Database Hacked: Via Schneier on Security.

This is very serious.

Read Original Article:(Via Schneier on Security.)

Heartland pays Amex $3.6M over 2008 data breach: Via Computerworld.

Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.

The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks.

Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege. [ Read more ... ]