Greater Manchester Police Fined £150,000 By ICO For Using Unencrypted USB Sticks

Greater Manchester Police Fined £150,000 By ICO For Using Unencrypted USB Sticks 

To fight against major security breaches, data loss, cyber theft, and many other cyber challenges, both Government and higher authorities are becoming as tight and strict as they can. While sitting at edge of cyber security, not even a single mistake or carelessness will be negotiated. So either you have to deliver your very best, or you have to penalty, exactly the same thing happened to Greater Manchester Police. Yesterday, I mean 16th of October The UK Information Commissioner's Office (ICO) in the UK recently fined the Greater Manchester Police £150,000 for a data breach. In their press release ICO said - Greater Manchester Police force is being fined for failing to take appropriate measures against the loss of personal data. The action was prompted by the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations. The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.

The findings prompted the Information Commissioner to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £150,000. Greater Manchester Police paid that penalty yesterday, taking advantage of a 20 per cent early payment discount (£120,000). 

David Smith, ICO Director of Data Protection, said: -“This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine. “It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.

“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.” 

The monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Commissioner.   

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Greater Manchester Police Fined £150,000 By ICO For Using Unencrypted USB Sticks "https://www.voiceofgreyhat.com/2012/10/greater-manchester-police-fined-by-ico.html</a>

Sony: Credit data at risk in PlayStation hacking Network shut down; info on 77 million users said compromised halted

Sony Corp. said Tuesday that the credit card data of PlayStation users around the world may have been stolen in a hack that forced it to shut down its PlayStation Network for the past week, disconnecting 77 million user accounts.

Some players brushed off the breach as a common hazard of operating in a connected world, and Sony said some services would be restored in a week. But industry experts said the scale of the breach was staggering and could cost the company billions of dollars.

"Simply put, one of the worst breaches we've seen in several years," said Josh Shaul, chief technology officer for Application Security Inc., a New York-based company that is one of the country's largest database security software makers.

Sony said it has no direct evidence credit card information was taken, but said, "we cannot rule out the possibility."

It said the intrusion was "malicious" and the company had hired an outside security firm to investigate. It has taken steps to rebuild its system to provide greater protection for personal information and warned users to contact credit agencies and set up fraud alerts.

"Our teams are working around the clock on this, and services will be restored as soon as possible," it said in a blog post Tuesday.

The company shut down the network last Wednesday after it said account information, including names, birth dates, e-mail addresses and log-in information was compromised for certain players in the days prior.

Sony says people in 59 nations use the PlayStation network. Of the 77 million user accounts, about 36 million are in the U.S. and elsewhere in the Americas, 32 million in Europe and 9 million in Asia, mostly in Japan.

Purchase history and credit card billing address information may also have been stolen, but the intruder did not obtain the three-digit security code on the back of cards, Sony said. Spokesman Satoshi Fukuoka said the company has not received any reports yet of credit card fraud or abuse resulting from the breach.

Shaul said that not having direct proof of credit card information theft should not instill a sense of security, and could mean Sony just didn't know what files were touched.

"They indicated that they're worried about it, which is probably a very strong indication that everything was stolen," he said.

If the intruder successfully stole credit card data, the heist would rank among the biggest known thefts of financial data.

Recent major hacks included some 130 million card numbers stolen from payment processor Heartland Payment Systems. As many as 100 million accounts were lifted in a break-in at TJX Cos., the chain that owns discount retailers T.J. Maxx and Marshalls, and some 4.2 million card numbers were stolen from East Coast grocery chain Hannaford Bros. Those attacks allegedly involved a single person: Albert Gonzalez, a Miami hacker who was sentenced last year to 20 years in prison for the attacks.

The Ponemon Institute, a data-security research firm, estimated that the cost of a data breach involving a malicious or criminal act averaged $318 per compromised record in 2010, up 48 percent from the year earlier.

That could pin the potential cost of the PlayStation breach at more than $24 billion.

Alan Paller, director of research for the SANS Institute, a security training organization, said that even if credit numbers weren't stolen, knowing someone's name, e-mail address and which games he or she likes can lead to expertly crafted scam e-mails. Knowing billing histories can be even more harmful, since they can identify big spenders.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Sony: Credit data at risk in PlayStation hacking Network shut down; info on 77 million users said compromised halted"https://www.voiceofgreyhat.com/2011/04/77-mn-identities-hacked-from-sony.html</a>

Global Payments Hacked, 50K Cardholders At Risk (Visa & MasterCard Investigating The Breach)

Global Payments Hacked, 50K Cardholders At Risk (Visa & MasterCard Investigating The Breach)

A security breach at Global Payments Inc, a third-party U.S. based processor, may have compromised 

50,000 Visa and MasterCard cardholder accounts. Both Visa and MasterCard have sent out non-public alerts to banks notifying them of the breach.

Major credit card issuing agencies have alerted customers and asserted that their own systems are still secure. MasterCard has hired an independent data security firm to look into the hack, while Visa has given the affected account number to the banks so that steps can be taken to protect those customers and to help find the hacker. However, the breach affects all major credit card brands, including Discover and American Express.

Visa and MasterCard are investigating whether a data security breach at one of the main companies that processes transactions improperly exposed private customer information, bank officials said Friday. The event highlighted a crucial vulnerability that could affect millions of credit card holders. The breach occurred at Global Payments, an Atlanta company that helps Visa and MasterCard process transactions for merchants. One bank executive estimated that about one million to three million accounts could be affected. That does not mean that all those cards were used fraudulently, but that credit card information on the cardholders was exposed. The bank official, who insisted on anonymity because the inquiry is at an early stage, said that Visa and MasterCard notified his company on Thursday, but that banks had been frustrated with the pace of disclosure by Global Payments. He said that Global Payments, which is one of the biggest transactions processors, had provided little information on where the breaches took place, how accounts were hacked and other details that could indicate which customers might be vulnerable. This is the second breach at Global Payments in the last 12 months, according to two individuals briefed on the investigations who spoke on condition of anonymity because they were not authorized to speak publicly. Another similar attack was disclosed by Heartland Payment Systems in 2009, a breach that began in 2007 and resulted in the exposure of data on 130 million credit cards. Heartland estimated that breach cost it $140 million in fines, settlements and legal fees.

If you use a Visa or MasterCard credit card, you may be affected by this breach. The good news is that most credit cards have fraud protection, so even if you are affected by this security breach, you most likely will not be affected by fraudulent charges if you catch them early enough.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Global Payments Hacked, 50K Cardholders At Risk (Visa & MasterCard Investigating The Breach)"https://www.voiceofgreyhat.com/2012/04/global-payments-hacked-50k-cardholders.html</a>

LastPass hacking latest in a string of data breaches

News is emerging that yet another online network may have been hacked, and this time, from a service that acts as a safe-deposit box for users other passwords.
Cloud-based password management company LastPass issued a warning to users late Wednesday advising customers to change their passwords as a precaution to what may be a massive data-breach.

"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," Joe Siegrist, LastPass CEO said.
"We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database."
LastPass is one of the largest cloud-based password management tools on the web. The company serves clients in 113 countries.
It said experts are delving deeper into the breach and will release more details as they emerge.
If the hack is proven, it represents the latest in a series of high-profile data-losses in the past few weeks.

Just last month Sony admitted that its only gaming network, the Playstation Network, was hacked, potentially exposing data of nearly 80 million users. The breach, one of the largest in history, also leaked 10 million credit cards, though the company said those were encrypted.
Also today, for the second month in a row, Best Buy has had to inform customers that their e-mail addresses were stolen.
On April 22, the consumer electronics retailer discovered some e-mail addresses had been exposed in a security breach at a third-party vendor.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">LastPass hacking latest in a string of data breaches"https://www.voiceofgreyhat.com/2011/05/lastpass-hacking-latest-in-string-of.html</a>

APAC lax on data breach, theft

SINGAPORE--Lack of data privacy regulations, as well as lenient law enforcement in the Asia-Pacific region, have not helped the fight against cybercrime, according to a security expert.

Touching on the recent Epsilon incident, Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, told ZDNet Asia the lack of legislation in this region had given affected companies opportunities to "sweep it under the carpet".

The e-mail marketing service provider, which sends some 40 billion e-mail messages annually, revealed in early April that its system was breached and about 2 percent of its customers' client names and e-mail had been leaked. Among the organizations affected were Citi, JPMorgan Chase, Marriot International and McKinsey & Company.

Of the affected companies, only U.S. companies have revealed that they were customers of Epsilon, and sent out e-mail messages to customers informing them of the data breach, Ducklin noted in an interview during a recent visit to Singapore.

He blamed this on the lack of mandatory disclosure laws in the region, adding that companies have no obligations to go public, as the information stolen are mainly e-mail addresses and not personal identifiable information.

The United States, for instance, has legislation requiring companies, which handle and "do things" with consumer data, to disclose any data breach and implement encryption.

Aside from the absence of laws, judiciary powers do not appear to be taking cybercrime seriously, judging by the punitive measures, lamented Ducklin.

According to him, a criminal who tried to sell 60, 000 stolen credit card numbers to undercover police in Perth last year, was let off on a "good behavior bond" and payment of A$150 (US$161) for court costs. The sentencing was similar to a fine of not paying toll on the Sydney Harbour Bridge, he pointed out.

"The magistrates don't seem to accept the severity of cybercrime, where lots of people's identities are stolen at a time," said Ducklin. "You're not actually punching someone or committing [a] violent crime, so these hackers can expect quite light sentences in some cases."

Users more savvy, but Facebook must up security 
Ducklin added that cybercriminals are also finding Facebook an effective channel to lure victims, as seen from the security vendor's frequent blog updates of alerts of scams targeting the social media site. The popular social networking platform, he noted, is a good way to popularize dodgy sites as cyberciminals can typically reach tens of millions of users effortlessly, with many of the unsuspecting users falling prey to malicious apps and javascript injection.

Sophos published an open letter to Facebook last week, asking Facebook to take on three security issues to improve privacy and safety for its over 500 million users.

In the letter, Sophos' senior technology consultant Graham Cluley urged Facebook to--instead of being required to do so by regulators--implement opt-in functions for new features on information sharing, publish only vetted and approved third-party developer apps and enforce a "secure connection" at all times.

The HTTPS function currently requires users to turn it on in their account settings but Facebook noted that it is looking to enable HTTPS by default "sometime in the future". The social network also announced on Apr. 19 that it would automatically switch users back to the more secured connection after they have used a non-HTTPS application.

Ducklin said he is puzzled as to why Facebook users willingly allow apps from unknown or suspicious companies, access to their personal information. "Do you really want to allow someone you do not know to post articles as if it were you? It seems crazy but we're trying to bring the [preventive] message across," he pointed out.

Rogue apps are not only the ones making their rounds in the social media site now, he said. Another recently introduced 'feature' claiming to allow users to view stalkers or frequent visitors to their page, is actually a javascript attack that injects malicious codes when users try to access it through browsers.

Many URLs these days are shortened, making it very difficult "to see where you're going", he added.

Bogus surveys are also contributing to the underground economy, where users, lured by bogus iPhone and iPad prizes, are willing divulge information online to dodgy Web sites, said Ducklin. Not only are such information obtained by cybercriminals, users' computer systems may also be infected as these sites may trigger some form of exploit via browsers, he shared.

However, Ducklin acknowledged that an increasing number of people are now more aware of online scams. Citing an impromptu video survey in Singapore he conducted last year, where 20 locals and tourists were quizzed on whether they would divulge information for a free iPad, at least half stood firm against giving in to such "temptation".

"I was quite pleased that the results were 50-50, they were either willing or not willing to divulge any information," he said.

"If we did the same thing three years ago, when Facebook was still quite new, people either wouldn't be on it yet, or would be more than willing to partake in the 'fun'."

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">APAC lax on data breach, theft"https://www.voiceofgreyhat.com/2011/04/apac-lax-on-data-breach-theft.html</a>

Executives underestimate cybercrime danger

These are boom times for stolen data. Be it the publication of secret diplomatic cables on Wikileaks, foreign intelligence services mining data from German government computers, or the case of Sony, which had to admit that information on millions of customers had been hacked, the incidence of sensitive data being stolen from protected networks is on the rise.
German business leaders are well aware of this phenomenon, according to consulting firm Ernst & Young, which surveyed 400 executives on the topic of economic espionage and data theft. Almost all the respondents said they were convinced that the problem would become even more serious in the future, especially in countries and regions such as Asia, China, eastern Europe, Russia and the US.
However, Ernst & Young found a remarkable contradiction in its poll. While 94 percent of those leaders surveyed talked about the growing danger of cybercrime, 38 percent said they thought the threat to their own firm was rather small.



Digital denial
One-half of those polled said the danger posed to their companies was only moderate, and only one in ten admitted that their firms had been victims of corporate espionage or data theft in the past three years.
"This is far removed from reality," said Stefan Heissner, a security expert at Ernst & Young. "Our experience tells us that every company faces this risk, not just large corporations."
He added that many executives do not take the risk seriously enough.
"All information today can be accessed in some way and those who don't accept that live with a sense of false security," he said.


In-house problem
Sometimes simple online searches and the collection of data from different sources, available to anyone with an Internet connection, can lead to the assembly of amazingly complete troves of sensitive information.
Getting hold of important information doesn't always involve a talented hacker or direct access to a data-rich computer and a USB stick. Sometimes human vanity is enough, according to Heissner.
"Just think of the amounts of know-how some people reveal in speeches at conferences or trade fairs," he said. "It's sometimes really dramatic."

However, the most dangerous risk for companies is not hackers from another continent - experience bears out – but disgruntled in-house workers. In two-thirds of data theft cases, companies say their own employees were the guilty parties.
In about half of those instances, monetary gain was the motive, although one-third involved taking revenge for some kind of slight, perceived or otherwise.
"A good defense against data theft is satisfied employees," said Heissner.


Antitrust issues
Computers in a company's administration department are most frequently targeted, even more often than those in research and development sections. According to Heissner, that is because a company's administration usually has to have an immense amount of information on its computer drives just to be able market its own products.
That means data theft from these machines often becomes an antitrust issue if the material taken is related to product launches or pricing.
"Some cases where antitrust authorities suspect price collusion among companies are in fact instances of data theft by competitors," Heisser said.



Lax security
Many firms struggle to establish effective countermeasures to prevent data theft. While most companies do have a basic system of firewalls and passwords in place, big holes often remain.
Only one in five companies forbid CD burners or USB ports on its computers, which are often used by data thieves absconding with precious data. Only about 18 percent of companies prohibit employees from accessing the Internet. And just 6 percent have installed so-called intrusion detection systems, which can alert system administrators when outside parties try to breach computer security walls.
In addition, only one in ten firms is certified according to standards set out by the Federal Office of Information Security (BSI), which investigates IT security risks and develops preventive security measures.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Executives underestimate cybercrime danger"https://www.voiceofgreyhat.com/2011/05/executives-underestimate-cybercrime.html</a>

FBI Is Paying Attention To The US-China Commission Data Breach Issue

US-China Commission Data Breach issue is again on high node. Now Federal Bureau of Investigation (FBI) is investigating claims made by an Indian computer hacking group that India’s intelligence services intercepted the communications of the US-China Economic and Security Review Commission.

The documents posted on the Internet about a month ago and allege to be from the Indian government’s Directorate General of Military Intelligence and include about 10 emails from the Congressionally mandated Commission from September and October 2011. The commission reports to Congress annually on national security, trade and economic issue with China.

The Commission released their annual report to Congress in November 2011 this year. One federal law enforcement official indicated that the Indian government may have been snooping for early details on the assessments of the Commission if the documents are genuine.

While the emails do appear to be genuine the document has not been authenticated. Emails and phone calls made to the Indian embassy in Washington were not returned on Wednesday.

The alleged Indian military intelligence memo can be found Here

Though An FBI spokeswoman declined to comment on the investigation. The documents include an e-mail received by Michael Danis, the Commission’s executive director concerned General Electric’s business and joint ventures in China. The documents posted on the Internet were allegedly obtained by a group called the Lords of Dharamraja which has also compromised the source code on Symantec’s popular Norton antivirus software.
The document that is allegedly from the Indian intelligence service claims that the emails were obtained by using backdoors from mobile device manufacturers Apple, Research in Motion and Nokia. In the United States the Communications Assistance for Law Enforcement Act mandates that the FBI and police must have “backdoor” access to phone and internet communications with a lawful court order. The Bureau has been pushing for expanded surveillance powers with new technology such as Skype and Twitter in what they have termed their “Going Dark” program.
The inquiry into the data breach at the Commission follows the disclosure last month that China had infiltrated the US Chamber of Commerce computer system targeting the work by the Chamber’s Asia policy analysts.

-Source (ABC News)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">FBI Is Paying Attention To The US-China Commission Data Breach Issue"https://www.voiceofgreyhat.com/2012/01/fbi-is-paying-attention-to-us-china.html</a>

NASA Laptop Theft Puts Thousands of Employees & Contractors at Risk

NASA Laptop Theft Puts Thousands of Employees & Contractors at Risk

So far NASA have been targeted several times, where hackers penetrated the digital security. But here comes a bit different type of breach. A laptop with data on thousands of employees and contractors has been stolen from a NASA employee's car. NASA issued serious warning and it it informing its employees that a laptop computer with personnel information such as social security numbers was stolen from a locked car two weeks ago, potentially putting thousands of workers and contractors at risk. The laptop, issued to an employee at NASA headquarters in Washington, was password protected but its disk was not fully encrypted, making it relatively easy to access the information stored in that hard disk. This security breach  may affect thousands of employees and contractors at NASA facilities around the United States.

NASA has contracted a specialist consulting firm to identify and contact persons affected by the data breach, saying that the process could take up to 60 days due to the large amount of data. NASA Administrator Charlie Bolden banned the removal of unencrypted laptops containing sensitive information from any NASA facility and ordered security software upgrades to be finished by December 21. NASA has now instructed its employees to use full disk encryption (FDE) to lock down hard drives on all devices that process critical data by this 21st December. The agency also warned employees about storing sensitive data on smart phones and mobile devices. The agency is offering employees free credit-monitoring services and other support.

The laptop theft is the latest in a string of NASA security breaches over the past few years. In March, a Kennedy Space Center worker's laptop that contained personal information on about 2,300 employees and students was stolen. A NASA inspector general report this year determined 48 NASA laptops and mobile computing devices were lost or stolen between April 2009 and April 2011, many containing sensitive data.

-Source (Reuters)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">NASA Laptop Theft Puts Thousands of Employees & Contractors at Risk"https://www.voiceofgreyhat.com/2012/11/NASA-Laptop-Theft-Puts-Employees-at-Risk.html</a>

Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details

Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details 

Yet again Adobe, the American multinational computer software company had fallen victim of cyber attack. In September Adobe faced what it called a sophisticated cyber attack where hackers have breached Adobe server in order to compromise certificate to sign malware. As a move Adobe revoked those certificates on October 4th. After that massacre, here again one of Adobe's databases has been breached by a hacker and that it has temporarily taken offline the affected Connectusers.com website. The attacker who claimed responsibility for the attack, told that he used a SQL injection exploit in the breach. Adobe confirmed the breach and said that the hacker indeed managed to break into an Adobe server and copy the private credentials of approximately 150,000 users – including their names, email addresses and password hashes. Those affected accounts include Adobe customers, Adobe employees and partners along with U.S. military users including U.S. Air Force users, and users from Google, NASA, universities, and other companies. To prove the attack, the intruder, who goes by the name of "ViruS_HimA" and claims to be from Egypt, has released extracts from his haul on the Pastebin text hosting service. 

"It was an SQL Injection vulnerability -- somehow I was able to dump the database in less requests than normal people do," said ViruS_HimA. Users passwords for the Adobe Connect users site were stored and hashed with MD5, says the hacker, which made them "easy to crack" with freely available tools. And Adobe wasn't using WAFs on the servers, the hacker notes. "I just want to be clear that I'm not going against Adobe or any other company. I just want to see the biggest vendors safer than this," he told the press. "Every day we see attacks targeting big companies using Exploits in Adobe, Microsoft, etc. So why don't such companies take the right security procedures to protect them customers and even themselves?"

"Adobe is a very big company but they don't really take care of them security issues, When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!!" he wrote. "It even takes 3-4 months to patch the vulnerabilities!" 

While talking about such big cyber attacks, here we would like to give you reminder that in the last few months we have been a slew of attacks against the following sites: Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia,Blizzard, Philips, Zynga, VMWare, & so on. For all the latest on cyber security and hacking related stories; stay tuned with VOGH. 

-Source (Dark Reading, The-H)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details"https://www.voiceofgreyhat.com/2012/11/Hacker-Leaked-150000-Customer-Details-of-Adobe.html</a>

Hacker Steals 3.6 Million South Carolina Social Security No & Also Exposed 387,000 Card Details

Hacker Steals 3.6 Million South Carolina Social Security Number & Also Exposed 387,000 Card Details

The year 2012 is going from bad to worse for the cyber space, as yet another big data breach happened which effected more than 4.7 million residents of South Carolina at risk of identity theft. Anyone who filed a South Carolina tax return in the past 14 years may have had their Social Security number stolen and has been urged by the state government to immediately enroll in consumer protection services. The U.S. Secret Service detected a security breach at the S.C. Department of Revenue on Oct. 10, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised. The attack also exposed 387,000 credit and debit card numbers. The stolen data included other information people file with their tax returns such as names and addresses. Businesses’ taxpayer identification numbers also potentially have been comprised in the attack that is being described as one of the nation’s largest against a state agency. The hacker began accessing the Department of Revenue’s computer system in August, but wasn’t noticed by the Secret Service until October, giving him about two months to gather the data in what is one of the largest computer breaches in the US. Most of the data had not been encrypted, meaning the hacker would not need a key to a secret code to read the stolen data. Revenue director James Etter said none of the Social Security numbers were encrypted and about 16,000 credit card numbers were not encrypted.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” South Carolina Gov. Nikki Haley said during a news conference. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.” 

S.C. Inspector General Patrick Maley said nine agencies had been evaluated thus far, and some corrective action had been taken. There was no overarching security policy within state government, he said. No one at the Revenue Department or within the state’s information technology division has been disciplined over the latest attack.  

While this case of hacking was the largest in US history, it wasn’t the first. On March 30, 2012, officials in Utah discovered that one of their health department servers had been hacked. That time also a large number of Social Security numbers were stolen from the server – including those of children. Here we would like to give you reminder that in the last few months we have been a slew of attacks against the following sites: Adobe, Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia, Blizzard and  Philips. And after this breach Adobe also enlisted its name among those who was fallen victim to cyber criminals in this year. For all the latest on cyber security and hacking related stories; stay tuned with VOGH. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Hacker Steals 3.6 Million South Carolina Social Security No & Also Exposed 387,000 Card Details"https://www.voiceofgreyhat.com/2012/10/hacker-steals-36-million-south-carolina.html</a>

Anonymous & RedHack Breached Israeli Intelligence Agency 'Mossad' Leaked Personal Data of 35K Officials

Anonymous & RedHack Breached Israeli Intelligence Agency 'Mossad' Claimed to Have Personal Data of 35K Officials (#OpIsrael)

A week ago infamous hacker collective group Anonymous called for Operation Israel (#OpIsrael) second phase, where they vows to engage massive cyber attack against Israeli cyberspace in order to interrupt all the necessary service, which the hacker called a complete outage. The main phase of attack was planned at 7th April, but now it looks that those hacker collectives changed their strategy, or may be they can't wait till April, and as result anti-Israel hacking collective affiliated with Anonymous managed to breach several Israeli government servers, causing a big data leak of more than 35,000 Israeli government officials, including politicians, military leaders, and police officers. The hack was done under the banner of #OpIsrael, and from the twitter feed of Anonymous, the hacker group took responsibility of the cyber attack. A comprehensive spreadsheet purporting to include the information of all 35,000 Israeli officials was published by the website Cryptome, though it did not independently verify the information. The coalition of hackers appears to have ties to the Iranian government, Pakistan, Syria, Egypt, and the terror group Hezbollah, according to a report published by Cryptome. 

In our last report on this story we covered that, the attack will be organized as Anon ask other hackers and other underground communities to join the campaign. As expected, it happens; RedHack, a Turkey-based Marxist hacker group responded to Anonymous and they claimed to breach Israeli intelligence agency known as 'Mossad.' RedHack claimed to gain access inside Mossad's server; which lead them release personal information including phone numbers, emails and addresses of Mossad officials. "Yes, we realize we are sailing in dangerous water but we like swimming,” said hackers of RedHack. From a report of RT we came to know that not only data breach but also hackers performed massive denial of service attack against Mossad. In spite of RedHack’s claims, some argue that the names and information do not belong to Mossad officers or informants. 

“Whatever they stole, it probably wasn’t secure details of top Israeli brass, either from the army or the Mossad,” internet researcher Dr. Tal Pavel told the media. “There is no doubt that they got some identification information about Israelis, but the claims that they hacked the Mossad site and got a list of Mossad agents is most likely psychological warfare, and not a hack into an important database,” Pavel added. 

Whether those leaks are not that classified, whether those data does not belongs to Mossad, but one thing is clear and that is in-spite of having precaution, Israel government yet again failed to protect themselves from massive attack which caused a massacre. And from this story it is also predictable that hackers around the globe came under one shade or one unity, in order to target Israel over Gaza issue. As 7th April is still a week away from today so lets wait for the time, and stay tuned with VOGH to get all the latest update on this story and also other cyber issues.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Anonymous & RedHack Breached Israeli Intelligence Agency 'Mossad' Leaked Personal Data of 35K Officials"https://www.voiceofgreyhat.com/2013/03/OpIsrael-Anonymous-RedHack-Hacked-Mossad.html</a>

Twitter & Yahoo Tightening Their Security to Prevent Eavesdropping of NSA

Twitter & Yahoo Tightening Their Security to Prevent Eavesdropping of NSA & Other Govt Agencies 

Last month a untold and sensational story came to light, when the whistle blowers Edward Snowden unveiled one of the top secret program of NSA called called “Muscular” Former NSA contractor Snowden himself disclosed that the National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world in order to collect and snoop the private data of millions of internet users. NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video. Both Yahoo & Google said that they had never gave access to nay Govt agency to their data centers. Yahoo spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.” Google’s chief legal officer, David Drummond said “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” 

But the matter of fact is that NSA has indeed sniffed the personal & private communication of million internet users of tech giants like Yahoo and Google. To get rid of this kind of privacy breach, now the tech giants who hold the personal record and credential of mass, are tightening and enhancing their existing security system. According to Marissa Mayer, CEO of Yahoo "We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it." Yahoo also says it will encrypt all information moving between its data centers by the end of the first quarter, and it will work on getting international partners to enable HTTPS encryption in Yahoo-branded Mail services.Yahoo says it will give users an option to encrypt all data flow to and from Yahoo. "Yahoo has never given access to our data centers to the NSA or to any other government agency ever. There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL - Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014." added Marissa Mayer.

Not only Yahoo, but the social networking giant Twitter, who have registered users of almost 550 million with an active user of 250 million across the globe has also taken immediate steps after this breathtaking story of spying by NSA get the spot light. Twitter is implementing new security measures that should make it much more difficult for anyone to eavesdrop on communications between its servers and users. The entire security mechanism has been taken to tighten the data privacy of its users. According to a blog post of twitter the company has implemented "perfect forward secrecy" on its Web and mobile platforms, which made eavesdropping almost impossible. "As part of our continuing effort to keep our users’ information as secure as possible, we’re happy to announce that we recently enabled forward secrecy for traffic on twitter.com, api.twitter.com, and mobile.twitter.com. On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic." -said the blog post.

While talking about Muscular program of NSA, we would also like to remind you that couple weeks ago we came to know about 'Royal Concierge' another secret program of GCHQ & NSA to spy foreign diplomats through hotel bookings uncovered by Edward Snowden.

-Source (CIO & PC World) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Twitter & Yahoo Tightening Their Security to Prevent Eavesdropping of NSA"https://www.voiceofgreyhat.com/2013/11/twitter-yahoo-tightening-security-2stop-eavesdropping.html</a>

Android & NVIDIA Forum Hacked, Millions of User Credentials Stolen

Android & NVIDIA Forum Hacked, Millions of User Credentials Stolen 

After the massacre of Formspring & Yahoo! Voice yet again security breach effected NVIDIA & Phandroid Forum. Hackers have gained illegal access and stolen millions username & password hashes from those said forums.

NVIDIA has temporarily shutdown its online developer forum, after it fell victim to cyber criminals who may have gained access to members' hashed passwords. NVIDIA says that it took the site down last week to investigate intrusions into its systems by unauthorised third parties. The intruders reportedly gained access to private user data, including usernames, email addresses, and hashed passwords with random salt values. Data in users' "About Me" profiles, such as age, birthdate, gender and location, was also accessed in the breach; however, this information was already publicly accessible on the site.

In the security notice, NVIDIA said that it is currently "employing additional security measures to minimize the impact of future attacks", adding that it hopes to restore the Forums as soon as possible. Once restored, the company says that it will reset all user passwords and send an email to users with a temporary password and instructions on how to change it

Phandroid, a popular Android news site & online community popular with fans of Android smartphones faced cyber attack. Phandroid has confirmed that its Android Forums was compromised using "a known exploit", and data including usernames, hashed passwords and so forth were accessed. According to Phandroid's notice about the security breach, the user table of Android Forum's database was accessed by unknown intruders. 

The database in question contains a variety of information on forum users, including usernames, email addresses, hashed and salted passwords, registration IP addresses; also other forum-related data, such as last time online and post date as well as post count. Based on current information, the site's community manager says that they cannot confirm if the data was in fact downloaded, adding that they believe the attack was "most likely an e-mail harvesting attempt". Additional steps to further harden server security and "extra 'just in case' actions" have also reportedly been taken.

As per report more than 1 million users of Phandroid forum are potentially affected by the security breach. The site's administrators advise all users to change their passwords as soon as possible through the User Control Panel (UserCP) or by using the "Forgot your password?" function.

We would like to give you reminder that other sites who have been hit by hackers, while stealing information about users in recent weeks include Yahoo Voices, Formspring, eHarmony and LinkedIn. There also we have seen the same scenario where hackers have stolen millions of user credentials of those sites. 

 -Source (NVIDIA, Phandroid, The-H)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Android & NVIDIA Forum Hacked, Millions of User Credentials Stolen"https://www.voiceofgreyhat.com/2012/07/android-nvidia-forum-hacked-millions-of.html</a>

2011 "The Year of The Hack" A Brief Over View & Prediction of 2012

Everyday when you open voiceofgreyhat.com you see lost of hacks, defacement, data breached, server rooted, database hacked, information leaked and so on and on. Here is some summary where all the recent attacks ware covered. If 2011 was “the year of the hack,” as it was dubbed by Richard Clarke, former White House cyber-security czar

Would 2012 be the year enterprises apply the lessons learned and stop the attacks? 
Apparently not, as security experts are predicting even more sophisticated attacks for 2012. 

Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. 

What’s the security outlook for 2012? 

It’s appears gloomy, as security experts warn that cyber-attackers will target applications, mobile devices and social networking sites. There will be more social engineering as attackers research victims beforehand to craft even more targeted attacks.

2011 was a year in transition, David Koretz, CEO of Mykonos Software, told, the year when sophisticated Web application attacks came of age. Before, people were talking about the threat to Web applications but were unable to quantify the problem. “2011 is the year people started caring about Web security for the first time,” Koretz said

Attackers targeted applications through SQL injection and cross-site scripting attacks to get access to sensitive data, said Lori MacVittie, senior technical marketing manager at F5 Networks. There are more kits and exploit tools released that exploit certain vulnerabilities, making it easier for even less skilled attackers to launch sophisticated attacks. There will be more of these tools in 2012, she said.

Social media has become more ubiquitous. Forrester estimated 76 percent of enterprises allow some access to social networking sites from within the corporate networks,  and 41 percent allow “unfettered access” to these sites. Many of the data breach and cyber-attack headlines in 2011 were social engineering attacks that exploited email and the Web as an attack vector, according to Rick Holland, a Forrester analyst.

Attacks against social network sites accounted for only 5 percent of total social engineering attacks in Verizon’s 2011 Data Breach Investigations Report. Forrester expects this number to “increase significantly” in 2012, Holland said.

Malware for mobile platforms grabbed headlines in 2011, starting with Google removing apps infected with DroidDream malware from Android Market and then remotely removing them from user devices.

Malware developed for mobile platforms exploded in volume and sophistication, according to Juniper Networks’ Global Threat Center. Criminals released a mobile version of the Zeus Trojan designed to intercept security controls used for online banking for several mobile platforms. Many users were infected with malware that turned their smartphones into zombies participating in a botnet without their knowledge.

Mobile device adoption is on track to reach 60 million tablets and 175 million smartphones in the workforce by 2012, according to Forrester. The majority of users will not be using these devices secured within the corporate environment as they will be working from home offices, public hotspots and third-party networks.

Organizations will increasingly shift their content security operations to the cloud to better protect mobile users. Security professionals have to adapt quickly to multiple mobile form factors and evolving threats from sophisticated malware and social networks, Holland said. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">2011 "The Year of The Hack" A Brief Over View & Prediction of 2012"https://www.voiceofgreyhat.com/2011/12/2011-year-of-hack-brief-over-view.html</a>

Sony says 25 million more accounts hacked

Sony Corp. said Monday that hackers may have taken personal information from an additional 24.6 million user accounts after a review of the recent PlayStation Network breach found an intrusion at a division that makes multiplayer online games.

The data breach comes on top of the 77 million PlayStation accounts it has already said were jeopardized by a malicious intrusion.

The latest incident occurred April 16 and 17 - earlier than the PlayStation break-in, which occurred from April 17 to 19, Sony said.

About 23,400 financial records from an outdated 2007 database involving people outside the U.S. may have been stolen in the newly discovered breach, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain, it said.

The outdated information contained credit card numbers, debit card numbers and expiration dates, but not the 3-digit security code on the back of credit cards. The direct debit records included bank account numbers, customer names, account names and customer addresses.

Company spokeswoman Taina Rodriguez said Sony had no evidence the information taken from Sony Online Entertainment, or SOE, was used illicitly for financial gain.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1 we concluded that SOE account information may have been stolen and we are notifying you as soon as possible," Sony said in a message to customers.

Sony said that it shut service Monday morning to Sony Online Entertainment games, which are available on personal computers, Facebook and the PlayStation 3 console. Its most popular games include "EverQuest," "Free Realms" and "DC Universe Online."

The company said it will grant players 30 days of additional time on their subscriptions, along with one day for each day the system is down. It is also creating a "make good" plan for its multiplayer online games.

On Sunday, Sony executives bowed in apology and said they would beef up security measures after an earlier breach caused it to shut down its PlayStation network on April 20. The company is working with the FBI and other authorities to investigate what it called "a criminal cyber attack" on Sony's data center in San Diego, Calif.

The company said it would offer "welcome back" freebies such as complimentary downloads and 30 days of free service to PlayStation customers around the world to show remorse and appreciation.

PlayStation spokesman Patrick Seybold, in a blog post Monday, denied a report that said a group tried to sell millions of credit card numbers back to Sony.

He also said that while user passwords had not been encrypted, they were transformed using a simpler function called a hash that did not leave them exposed as clear text.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Sony says 25 million more accounts hacked"https://www.voiceofgreyhat.com/2011/05/sony-says-25-million-more-accounts.html</a>

Cloud Computing: Managing Risk and Compliance in the Cloud

Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows enterprises to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at enterprises of all sizes.

Unfortunately, in their eagerness to adopt cloud platforms and applications, enterprises are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud - a credit card and a few keystrokes is all that is required - provides a false sense of security.

However, shortcomings in the cloud providers' security strategy can trickle down to the businesses that leverage their services. In this context, damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.

Risk in the Cloud
For enterprises planning to transition their IT environment to the cloud, it is imperative to be cognizant of issues such as loss of control and lack of transparency, which are often overlooked. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well defined. This leaves enterprises in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.

Whether organizations plan to use public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own - especially if it potentially impacts your business performance and valuation?

Recent cyber-attacks and associated data breaches of Google and Epsilon (a marketing services firm) are prime examples of why companies need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.

To protect your business, you should insist that your cloud service provider provides visibility into security processes and controls to ensure confidentiality, integrity, and availability of data.

Best Practices for Cloud Risk Management
According to Jim Reavis, co-founder and executive director of the Cloud Security Alliance (CSA), main inhibitors to the adoption of cloud computing in large organizations are consistent and standardized frameworks, open standards, interfaces that address security controls, and easy-to-implement processes to provide assurances on levels of Governance, Risk, and Compliance and security in cloud environments.

According to a report by Forrester Research (Compliance with Clouds: Caveat Emptor, August 2010) organizations should not wait for the cloud industry to step up its support for regulatory compliance, but instead security professionals should look beyond their cloud providers for compensating controls to aid cloud sourcing.

This view is obviously shared by IT and security leaders, who responded to the 2011 Global State of Information Security Survey of PricewaterhouseCoopers, CIO Magazine, and CSO Magazine, as they identified compliance (34%) and regulatory compliance (33%) among the top five business issues that will drive information security spending in their organization in 2011.

As cloud computing is still an emerging technology space, advice on how to address cloud risk management is limited. What best practices should organizations follow? Probably the best bet are the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing.

The CSA defines three distinct stages of a cloud adoption life cycle, starting with cloud risk readiness assessment, cloud risk operations monitoring, and finally leading to cloud audits (an area that still requires further standardization).

Cloud Risk Readiness
When you transition your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.

To quickly evaluate your tolerance for moving asset to various cloud computing models (e.g., public cloud, private cloud, community cloud, or hybrid cloud) you should apply the followings steps:

1. Identify the assets for the cloud deployment (e.g., data, applications, functions, processes)
2. Evaluate the assets as it relates to criticality to the business and answer questions such as:
   
   • What impact would the business face if the asset became public information?
   • What impact would the business face if the asset would be accessed by the cloud service provider?
   • What impact would the business face if the application would be attacked or corrupted by an outsider?
   • What impact would the business face if the stored data were unexpectedly modified?
   • What impact would the business face if the asset were unavailable for a period of time?
3. Map the asset to the potential cloud deployment model
4. Evaluate potential cloud service models and providers and answer questions such as:
   
   • Does the cloud service provider meet current standards for security (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan)
   • Is the cloud service provider compliant with applicable regulations and can it pass a regulatory audit?
   • Can the cloud service provider generate dynamic and detailed compliance reports that can be used by the provider, auditors, as well as your internal resources?

Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option, especially if the same software tool can be leveraged for the other stages of the cloud adoption life cycle.

In addition, it's important to select a software tool that provides compliance controls assessment frameworks and content from regulations such as PCI DSS 2.0, FISMA 2010, SOX, NIST, ISO, CSA, SANS and BITS, threat controls content from CSA, as well as cloud risk dashboards and reports.

Cloud Risk Operations

A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization's cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.

In this context, organizations should consider leveraging monitoring services or security risk management software that achieves:

• Continuous compliance monitoring
• Segregation and virtualization provisioning management
• Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM
• Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus

Automated technology, which allows a risk-based approach and continuous monitoring for compliance, would be suitable for enterprises seeking to protect and manage their data in the cloud.

Cloud Risk Audit
This stage of the cloud adoption life cycle has not been very well defined yet and therefore requires further standardization driven by an increase in cloud deployments.

Nonetheless, when evaluating cloud service providers, organizations should ensure that they perform automated regulatory health checks and provide transparency in their infrastructure (IaaS), platform (PaaS), and software (SaaS) environments.

Practical Tips in Selecting the Right Cloud Risk Management Tool
When assessing Cloud Risk Management services or software, organizations should apply the following selection criteria:

• Choose a vendor that offers an all-encompassing solution, meaning providing methodologies, frameworks, tools, and best practices to properly assess and manage your organization's cloud initiatives across all three stages of your cloud adoption life cycle. The solution should cover Governance, Risk, and Compliance (GRC), as well as Security in the form of threat and vulnerability management capabilities.
• Choose an automated technology with an open architecture, since many organizations have invested heavily in security tools. This will allow data to be fed from the existing tools into the Cloud Risk Management tool and provide an aggregated view into both IT and business compliance and risk.
• Make sure you work with a vendor that offers a solution that is content rich and includes many of the regulations (PCI, FISMA, SOX, etc.), frameworks, and standards that are applicable to your organization.
• Seek out a vendor or service provider that can add value by offering innovative technology that goes beyond the traditional view of GRC. Namely, ensure that beyond governance and compliance, the areas of security (e.g., threat and vulnerability) and risk (e.g., enterprise risk management) are well covered, as it ensures higher return on investment.
• Since you measure the success of a technology implementation by the time it takes to achieve value from its investment, it's crucial to engage with a vendor that offers the most efficient time-to-value. From a deployment perspective, this means that an on-site implementation should not exceed 90 days and as a managed service client, you should be up and running within 30 days.

Summary
There is no doubt that cloud computing will continue growing and, as it does, continue to get safer. But data breaches at some of the largest enterprises highlight the fact that there are still many risks associated with cloud adoption. Constantly changing government regulations are making it more difficult to keep compliant during the audit process as well. While it's exciting to be at the frontline when it comes to embracing a new technology that is poised to change the way we conduct business, we must remember that these technologies almost always come with new risks that have not yet been fully addressed.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Cloud Computing: Managing Risk and Compliance in the Cloud"https://www.voiceofgreyhat.com/2011/04/cloud-computing-managing-risk-and.html</a>