The San Francisco Chronicle reports personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco, have been stolen in what is being called “an infestation” of computer viruses with origins in criminal networks in Russia, China and other countries. At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college’s data security monitoring service detected an unusual pattern of computer traffic, flagging trouble.
David Daw at PC World notes 3D printers–desktop devices that can print out objects as easily as your home inkjet prints out documents–are getting less expensive and more common every day, and they promise to revolutionize manufacturing in the same way that desktop printing revolutionized publishing. Unfortunately, though the promise of 3D printing is great, we’ve also begun to see glimpses of its dark side as criminals–and average citizens who are up to no good–think up dangerous and creepy new uses for 3D printed material. In September 2011, a gang was prosecuted after stealing more than $400,000 dollars using ATM skimmers. The gang’s skimmers–devices that fit over an ATM machine and steal the debit or credit card information of unsuspecting ATM users–were created on high-tech 3D printers to help make the skimmer overlays for the ATM machines look as realistic as possible
Threat Post reports a partial analysis of another massive leak of user passwords has again shone a light on the scourge of weak passwords used to protect sensitive data in online accounts, according to a report by the Tech Herald. Using the leaked password list from STRATFOR, the open source intelligence service that was hacked last month, reporters from the Tech Herald were able to decipher over 80,000 of the hashed passwords, around 10% of the more than 800,000 passwords stolen in the attack. The analysis showed that trivial passwords like 123456, 11111111 and 123123 were common among STRATFOR customers.
The Association for Financial Professionals notes many banks are confused over how to implement new federal regulations aimed at reducing cybersecurity threats. Released last summer, guidelines by the Federal Financial Institutions Examination Council (FFIEC) require banks to complete periodic risk assessments, establish layered security controls, and educate retail and commercial clients on the widespread threat of fraud. In November, Guardian Analytics surveyed about 300 executives at more than 100 banks and credit unions of all sizes on the FFIEC Guidance. Guardian found that although most banks are working to implement the requirements, many were having difficulty interpreting the minimum expectations for layered security
Bank Info Security reports the Connecticut Attorney General has issued a letter to Wells Fargo & Co. asking the bank to explain why it released customers’ Social Security numbers when it mailed copies of subpoenas issued by the state Department of Social Services. The Social Security numbers allegedly were included in information the DSS requested as part of a fraud investigation. If the disclosure of those numbers is found to be improper, Wells could be facing fines for violating Connecticut privacy laws.
Dark Reading reports Care2, a website that promotes a variety of political causes and encourages users to take action to support them, reported a hack at the end of the year. Care2′s disclosure reads, in part: “We have discovered that Care2.com servers were attacked, resulting in a security breach. The hackers were able to access login information for Care2 member accounts. Our team has worked to secure Care2.com against this type of attack from recurring.”
The Register reports a Saudi Arabian hacking group claims it has leaked information on up to 400,000 Israelis, including names, addresses and credit card details. The data dump follows a reported attack on Israeli websites and has already led to fraudulent use of the sensitive info. Credit card biz Isracard said it had reissued 6,600 of the 14,000 cards revealed.
SC Magazine reports the hackers who raided the servers belonging to global intelligence firm Stratfor are using some of their plunder to send fictitious emails to subscribers. Nearly a week after the attack, which was publicized Christmas Eve Day, the hackers dumped 75,000 names, addresses and passwords of every customer that has ever paid Stratfor for services. Additionally, the group posted the personal information of 860,000 people who registered with the company. The intruders also claim to have gotten their hands on 90,000 credit card numbers, which were purportedly used to make about a million dollars in donations to charities. Some security experts, however, expressed doubt that the recipients would be able to keep the money because of the fraud involved.
Threat Post reports an Apple patent filing, 20120005747A1, describes a method for storing a password recover secret on a peripheral device, including a power adapter. The development would, in essence, turn power cords and other peripherals into a second factor that would make it harder for thieves to gain access to devices they steal. The 16 page patent application, filed on Thursday, describes a system in which a password secret is stored in memory on a special power adapter that is associated with a specific device. Users who forgot the password necessary to access their device would first have to connect the adapter before they were able to view the recovery secret.
PR Newswire reports a study published today by merchant data security firm SecurityMetrics, shows 71 percent of merchants who entered the study were found to store unencrypted payment card data in 2011, which is an increase of 8 percent since 2010. Merchants who store unencrypted payment card data directly violate Payment Card Industry Data Security Standard (PCI DSS) requirements and may be subject to fines and other penalties after a compromise. The discovery of unprotected cardholder data may indicate a number of factors, including an improperly designed or configured payment application, a non-PCI compliant payment application or improper card handling by employees. In it’s entirety, the study found over 370 million unencrypted cards on various-sized business and home networks, with the largest amount of payment cards discovered in a single network scan at over 96 million. The study concluded card discovery and deletion is not a one-time event, but must be a part of regular business operation to impact security.
