What’s the fuss about?

LinkedIn, ‘Facebook for business people’, changed their terms of use to allow them to use your photo and name in third-party advertising.

It’s easy to see why LinkedIn would want to do this, as it appears as if you are endorsing the advert. However, therein lies the problem, as it could appear that you are endorsing the product.

LinkedIn have introduced this feature with the ability for you to switch it off – and that’s what has caused the furore, because the default is for you to be opted-in. There is even a view that LinkedIn may have broken Dutch privacy law and European Data Protection laws by changing these privacy settings.

How do I opt out of this ‘feature’?

1. In your web browser, go to https://www.linkedin.com
2. Log-in using your e-mail address and password.
3. In the top right-hand corner of the screen, move your mouse over your name and ‘Settings’ will appear. Click on ‘Settings’.
4. On the ‘Settings’ page, click on the ‘Account’ tab (near the button left-hand side of the screen).
5. Under the ‘Privacy controls’ heading, click on ‘Manage social advertising”.
6. Un-tick the check-box that says ‘LinkedIn may use my name, photo in social advertising’.

That’s it !

Also read this ….

LinkedIn’s Privacy Slip-up Draws Legal Scrutiny [PCWorld]

It’s a a common occurrence – a server is needed very quickly and a virtualized environment allows for the fast deployment.  In fact, some organisations are decentralising the deployment and management of virtual servers out of the IT function and in some cases to ‘super users’.

Beware – although this may speed-up the deployment of a platform, it will come back and bite you if you don’t manage it effectively.

A virtualized server may not need its own racked hardware, power and cooling, but it needs all the other maintenance, management and TLC that physical servers need.

Deployment

Virtualized servers are much quicker to deploy that a physical, but make sure you have a process that is followed by everyone that is able to do it.  This will ensure standards are kept to such as naming, licensing, anti-virus software and updating of the inventory.

Management and control

Aside from the physical aspects, a virtual server needs just as much management as a physical server. Make sure you maintain an inventory of all virtual servers as you would with all physicals. Perform a regular reconciliation between the inventory and the actual VMs that exist.

Do not allow yourself to get into VM-sprawl, otherwise you will have a headache in trying to get on top of the situation.

Backup

It’s all too easy to roll-out a new VM and forget about backing it up. You may have a replicated SAN for your storage – but replication isn’t a backup. Make sure that arranging backups is part of the deployment process.

Patching, Anti-virus and Protection

Here’s another reason why you need to manage your virtual servers. Don’t create a VM and handover management and control to someone who won’t keep it up to date with software updates (WSUS if Microsoft), anti-virus, application software patches etc.

If you don’t ensure VMs are patched, they will rapidly become a significant gap in your infrastructure security and protection.

Licensing

Don’t get caught out by software licensing. If you are only running open source software you may be covered, but you will find that other licensable product licence terms sometimes don’t fit well with a virtualized world.

Microsoft’s Data Centre licence, although expensive, is a method of ‘buying your way out of a problem’, as it allows you to run multiple instances of their Server operating systems on a virtualized server.  Take specialist licensing advice to ensure you understand how you need to be licence with regard to the number of processors and multiple physical VM hosts.

Don’t forget other software that is installed on the server. Even though a non-IT member may have installed it, you may be responsible for licensing in your firm.

Also, make sure you understand the licensing implications of software on a VM that is copied ‘for testing’ or for ‘safe keeping’. Different software vendors have very different views and many software contracts were written before the days of VMs.

And finally ….

Don’t get me wrong – I am fully supportive of virtualized environments. The message here is to manage them as thoroughly as if they were physicals. A virtual server that isn’t managed properly could become a chink in your security armour or a legal liability if not licensed.

Manage those VMs !

At the time of writing this, RSA are being very cagey about their communication into the public domain. Some commentators fear the issue is worse than RSA are letting on.  Information released so far from RSA confirms there was an issue, but then lists the basic security safeguards that clients should have in place anyway. This is leading people to speculate that sensitive information has been stolen – if that is the case, it can weaken the effectiveness of the SecurID token.

Background

• Typically, Internet based systems such as Internet banking use RSA’s SecurID as one of several layers of security.
• With SecurID, the client/user has their own (personal) PIN that they use in conjunction with the auto-generated number on the SecurID token.
• If, as some are speculating, SecurID token serial numbers and seeds have been stolen, it would mean that a hacker could potentially simulate a client’s SecurID token without having the physical token in their possession.  Therefore the hacker would only need to obtain the user’s PIN in order to gain access.
• RSA have an estimated 40 million SecurID customers.

What should you do now?

• Firstly, don’t panic.
• If a client/user of a SecurID device calls and wants their token PIN reset, make sure you can positively identify them.
• Keep a log of all calls and PIN changes.
• Make sure there is a written procedure in place that describes how you positively identify someone and how you reset their PIN.
• Make sure that all staff follow the procedure !
• Monitor your network and your SecurID infrastructure. Look for unusual patterns in usage and traffic.
• Monitor your SecurID infrastructure and produce reports to show failed authorisation attempts, SecurID token lockouts and activity out of usual hours.
• Ensure your client/user records and SecurID records are kept secure.
• Ensure you don’t send SecurID token to clients/users in an active state.
• Do not use the SecurID feature to allow a PIN to be auto-reset after a number of failed attempts.

Positively identifying someone on the telephone

• Call the client/user back on a pre-agreed telephone number.
• Set-up specific secret phrases or key challenge/responses between you (the provider) and your client/user. This could be set questions/answers or questions about recent account activity.
• Do not accept an email request – emails are very easily spoofed to look as if they have been sent from someone else.
• Do not rely on the sound of the callers voice.

What do I do if my SecurID service is provided for me?

• Firstly, ask your provider why they haven’t already advised you of the potential risk to your business !
• Ask them what monitoring they are performing on SecurID usage and unusual activity. Ask for copies of these reports so that you can evidence them.
• Ask your supplier to keep you informed of any developments.

What should I tell my client/user

• Remind them of the importance of not divulging their PIN.
• Supply written instructions of what to do if they lose their SecurdID token and/or PIN.
• Remind them of the importance of not divulging personal information on social media sites such as Facebook.
• Reassure them that your systems have not been compromised and that their data is safe.

What is a key-logger?

A key-logger is a small device that connects in-line to a keyboard connected via USB or PS2 style plug. It is small and looks like a ‘fat’ adaptor.

These are small hardware devices that work with no installed software – unlike the software key-loggers that are either installed by virus/malware or yourself to typically monitor your children.

It contains memory that records all the keystrokes of a keyboard – that includes your user name, password and any other details you type. Just imagine all your details being recorded when you logon to your Internet banking website.

The device can be removed later when you are not near the PC and all the captured key strokes displayed.

.

Are they really a risk ?

Most definitely ! Click here for a news story of how they were used in a public library in Manchester UK.

In 2005, Sumitomo Bank in London had multiple hardware key-loggers installed by cleaning staff. The attackers attempted to steal GBP£220m. Read here for further details.

.

Here’s the bad news

• They can be easily concealed at the back of a PC.
• They look like a standard USB or PS2 adaptor.
• They avoid detection by software – this includes ‘end-point security’ type software.
• They don’t leave any trace of their activity.
• Even if you have a Citrix/Thin client environment, they still work.
• They will record all keystrokes made on the keyboard and replay them on demand later.
• Even if you restrict USB devices with storage capability, a USB key-logger will still function because it is independent of the PC.
• As long as the keyboard is connected by a USB or PS2 style connector, the key strokes will be picked-up for any operating system running on the PC, Mac or Unix/Linux device.
• Key-loggers are relatively inexpensive (from around £20) and are readily available.
• There are now wireless versions available.

.

What can you do?

How to avoid being recorded by a key-logger

• Firstly, check your PC yourself every time you use it. A quick look at where your keyboard is plugged in – make sure the keyboard lead is plugged directly into a port on the PC.
• If your PC is in a public place or isn’t yours (for example, in a library or Internet cafe – always check it first.
• Use an on-screen keyboard for entering sensitive data such as your user name and password. The on-screen keyboard uses a mouse to select characters instead of the keyboard.
• Use a one-time password device such as SecurID. This means that even if the password is recorded when you enter it, it will have changed on next use, rendering the recording of no value.

How to prevent key-loggers being used?

• Have a regular visual check of all PC type devices. This won’t necessarily find a key-logger if it is connected and removed between checks, but it is still well worth doing.
• Educate staff to be vigilant and perform their own visual checks.
• USB key-loggers tend to show on a PC as a generic USB hub – sometimes a Texas Instruments one. It would be possible to monitor for such changes, but there is no guarantee that all key-loggers will behave in such a way. If you are still using PS2 attached devices, this won’t help you either.

What do I do if I find a key-logger

One option is to set-up a ‘sting’. The key-logger device needs to be retrieved in order to be read. Therefore, keep watch or set-up a webcam to wait and watch for the device to be retrieved.

.

And finally….

Hardware key-loggers are a real risk to you and the business you work for. Be vigilant.

In 2008, Sharp Copiers commissioned a security survey. They found that 60% of the respondents were unaware that copiers stored electronic images of the copied documents. People were also  not aware of, or not willing to pay for security packages offered by the major copier manufacturers. These encrypt or erase an image from the hard drive.

A recent news story is a scary reminder, after client data was found on a company’s used photocopier in a warehouse of second-hand equipment, when it was returned at the end of its lease.

Remember the saying “one man’s trash is another man’s gold” – just because you can’t access data on a faulty piece of media doesn’t mean someone else can’t.

How do you make sure that your equipment doesn’t contain any valuable company data when it leaves your premises ? Read on ….

Should I worry about this ?

In my view, the answer is “Yes!” (you probably guessed that, given I went to the trouble of writing this). If you think I am paranoid, read this news story from April 2010 …. 

A USA New York based organisation, Affinity Health Plan, had to notify 409,000 employees, providers, members and applicants that their personal information may have been breached. This was after CBS news reported that it had found a used photocopier machine in a warehouse that contained Social Security numbers, birth dates and medical info from Affinity Health Plan.  

Affinity Health Plan said that the potential breach was caused by a simple lack of knowledge about the way photocopiers store data. “Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped” said Affinity’s senior vice president of Customer & Community Connections, Abbe Abboa-Offei. Their press release can be read here.  

Leaked or stolen data is not only bad for the individuals whose personal information has leaked, it can be expensive for your company in terms of legal fees, claims, settlements etc. Also, it doesn’t help your company to have a story published that suggests you don’t take care of an individual’s personal information.

If you aren’t convinced yet, remember that there are strict industry standards and government regulations in place that force organisations to mitigate aagainst the risk of unauthorised exposure of confidential data, such as Sarbanes-Oxley Act (SOx) and the Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

What should I do to protect my company ?

You need to take a number of steps ….

• Firstly, you need a policy covering this subject. Don’t bury it in another policy – this is important and warrants its own document. A policy is not just words in a document, it sets the company standards and allows enforcement of them.
• Secondly, you need procedures that detail how different types of equipment are made safe when being disposed of.
• Thirdly, you need to ensure that sub-contractors and suppliers are contractually bound to follow your policies and procedures.
• Lastly, you need to communicate it. This doesn’t just mean e-mailing a document or posting it onto your Intranet. You must educate your employees, sub-contractors and suppliers about why this is so important.

You need to include any equipment that either contains data or has contained data in the past. This could include the following:

• Backup tapes, floppy disks (yes, they are still used in some places)
• DVDs, CDs, BluRay discs
• USB flash memory keys
• Any other removable memory, such as flash memory from a PDA, IPod or camera
• Equipment that contains data or configuration data in its internal memory, such as network equipment.
• Mobile phones, Blackberry devices, PDAs, IPods and similar devices.
• Internal hard drives from any device including PCs, servers, printers, photocopiers, fax machines. multi-function devices (MFDs) and network equipment.
• External hard drives

Remember that if you can’t access the data on a faulty piece of media, someone else may be able to using forensic methods. Therefore, the same rules should apply to media that you deem faulty.

Also, remember not to let a supplier take a disk offsite. For example, if your leased MFD fails, don’t let the engineer take the disk from your site. Don’t let them convince you that their contract gives you protection of the data on the disk. It is your data, not theirs. Any data leakage will be linked by the media to yourself, not a subcontractor.

Oh no, not another policy

Make sure your company has a policy for the secure moving of equipment outside of your company. The policy should cover the following:

• All equipment that has the ability to store data, such as PCs, servers, printers, photocopiers, fax machines, network equipment, mobile phones and PDAs/Blackberrys.
• Secure disposal of equipment that is end-of-life and will be scrapped or recycled.
• Safely allowing equipment to be sold or given to staff, charities, schools or other organisations.
• Removal/exchange of equipment or parts of equipment for servicing – for example the hard disk in a photocopier.
• Removal/exchange of equipment when at the end of its lease - for example a MFD.
• The policy should not just cover equipment managed by the IT team, but any other relevant equipment managed by another team in the company or outsourced to a third party.

Process needed

Hard disks

• This includes all hard drives that have been used by your business – whether internal to a PC or server, externally attached or used in a printer, photocopier, fax machine or elsewhere.
• If the hard disk isn’t too old to be unusable, it is possible to use specialised software to completely remove any data from it. Be carefull, as many products claim to do this but aren’t comprehensive – it will look as if it has worked, but you won’t really know ! Have a look here for details of data erasure standards.
• Many hard disks that you need to dispose of will be faulty or just too old to be of use. In this case, they should be destroyed even though it may make reuse of the PC uneconomic – i.e., the need to purchase a replacement disk.
• To destroy a hard disk, it should formatted and then physically destroyed – normally by guillotining it into pieces. Remember that hard drives are almost 100% recycleable.
• If you outsource the disk destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Keep a log detailing the following:
  • hard disk manufacturer
  • disk capacity
  • serial number (if it has one)
  • business system name it came out of
  • details of the data it contained (for example, ‘file server RAID disk’)
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Backup media

• This includes media such as backup tapes, data cartridges, tapes used for voice recordings and even the old-school dictation machine tapes.
• To destroy this type of media, it should formatted and then physically destroyed – normally by guillotining it into pieces.
• If you outsource the destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Make sure you remove any identifier that could link it your company, such as labels.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘file server month-end backup June 2009′).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Removable disks

• This includes diskettes, DVDs, CDs and BluRay discs.
• To destroy this type of media, it should be shredded (many office shredders can now cope with disks).
• Diskettes will need breaking open to take the disk out of the casing before shredding or cutting-up.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘client presentation’).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

• Blackberrys – make sure they are initialised using the Blackberry function. If the Blackberry is lost, remember that this can be performed remotely.
• Mobile phones - make sure they are initialised, either using their reset function or some can be initialised remotely – such as Windows Mobile.
• Make sure they haven’t got a memory card inside that contains data.
• Make sure you remove any identifier that could link it your company, such as an asset tag.

Memory resident data in equipment

• Use the supplier provided reset and initialise functions. For example, make sure you always initialise your network equipment before disposing or selling it. You don’t want the inner secrets of your network topology in the wrong hands.

Disposing of equipment

• Before you actually dispose of equipment (and that includes sending it back to the leasing company, selling it second-hand or giving it to staff or charity), remove all identifiers that would link it back to your company. This includes branded stickers, asset tags, device name/address and even passwords !
• Remember that if an opportunist thief sees a number of second-hand devices, he will go for the one that he recognises as having come from a company – don’t let it be yours.

Information : What is ‘degaussing’?

Data is stored in media by making very small areas (called magnetic domains) change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in the same way as a compass needle points in the direction of the Earth’s magnetic field. Degaussing leaves the domains in random patterns with no preference to orientation, which means that any previous data is destroyed and unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing – this is called magnetic remanence because it is due to remanent magnetization. Comprehensive degaussing will ensure there is insufficient magnetic remanence to recover and reconstruct the data.

Data can be deleted on magnetic media in one of two ways:

• AC erasure in which the media is degaussed by applying an alternating field (from AC power) that is reduced from an initial high value.
• DC erasure in which the media is saturated by applying a unidirectional field (such as DC powered or a permanent magnet).

A degausser is a device that can generate a magnetic field for degaussing magnetic media. The magnetic field is very strong, so be sure you do not have your watch, mobile phone, credit cards and so-on near it.

And finally ….

If you have read this far, I hope you are convinced you need to securely destroy unwanted equipment that can contain your data. It may seem a lot of work, but most of the effort is getting the policy and processes in place. When that is done, the operational part of this will slip into your business-as-usual function.

Remember ….

• Just deleting the files on a disk isn’t enough, because only the index to the files is deleted, not the actual data. It is similar to tearing the contents page from a book – the detailed pages are still there, you just need to look harder.
• Data on a hard drive can still be retrieved even after several reformats by using forensic methods. Just formatting it or reinstalling an operating system isn’t enough – the previous data can still be accessed if the perpetrator is determined.
• Store all media securely until it is destroyed. It may look like old junk, but it can have valuable information on it.

Please take this subject seriously. It is much easier and less costly to put these steps in place, than to face the repercussions if your data is discovered outside your company.

The four URLs infected were BEP.gov (Bureau of Engraving and Printing), BEP.treas.gov, Moneyfactory.gov and Moneyfactory.com.  The type of attack was a script injection that redirected users. The attack was unusual in that only IP addresses that had not previously visited the Treasury site were targeted, which made it difficult for authorities to track.

Roger Thompson, chief research officer at AVG Technologies, first noticed the attack on Monday (03 May 2010). He is reported as explaining that the hackers added a small snippet of almost undetectable iframe HTML code that redirected visitors to a Web site in the Ukraine. This site then launched a variety of Web-based attacks based on a commercially available attack-kit called the ‘Eleonore Exploit pack’.

The Ukrainian Web site is associated with similar attacks, which targeted a small number of known software bugs, including flaws in Adobe Reader software.

In a statement, the USA Treasury said “The Bureau of Engraving and Printing (BEP)entered the cloud computing arena last year. The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous BEP and non-BEP websites were affected”.

At the time of writing this, the Web sites are still suspended and it isn’t clear how the hackers managed to install malicious code on the Treasury Department Web sites.

.

Final thoughts ….

The headlines suggest that the vulnerability is at the Cloud infrastructure level instead of the individual Web services hosted on it. Exact details aren’t yet know, but let’s hope it isn’t a ‘cloud computing’ issue, as it could impede the deployment of  cloud services to companies who are already nervous about jumping into a cloud service provider.

This issue does highlight just how important security is for the underlying cloud infrastructure layer, because an issue at this layer can potentially impact all services running on it.

.

Also read ….

• Cloud Computing – why is everyone so excited ?

Google has a single sign-on system known internally as ‘Gaia’ and allows users to log into many of Google’s services that it offers, such as Gmail, web search, business applications and others, using just the  one password.

The hackers stole the code after gaining access to the Google’s software repository – this is the ’crown jewels’ for their services. The hackers copied the software but it is not thought that they gained access to customer passwords, which means that users aren’t directly affected by the theft. However, the risk to Google is that the hackers could examine the software for security vulnerabilities to devise ways to gain access to the system that would later impact users.

Google announced in January 2010 that it had been hacked. The hackers had targeted the source code repositories at other companies.

It is believed that the theft started when an instant message was sent to a Google employee in China who was using Windows Messenger. The message included a link to a malicious website. When the employee clicked the link, the hackers were able to gain access to the employee’s computer. This meant that they were inside the Google corporate network and from there, they could connect to Google’s headquarters in California.  It is thought that the intruders know the names of the ‘Gaia’ software developers, because the hackers had access to an internal Google corporate directory that lists the business activities of every Google employee. 

According to a McAfee report, the hackers used a malicious website that was hosted in Taiwan. When the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser. A binary executable (program) disguised as a JPEG file then downloaded to the user’s system that opened a backdoor into the computer, setting up a connection to the attackers’ command and control servers that were also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

Read More in this New York Times article.

This incident highlights the concerns that many people already have, that using ‘Cloud’ services can be less secure than private or own hosting. Entrusting your data to a third party provider needs careful due dilliegence to make sure the service and security protection is good enough for your needs.

This checklist will help you choose a strong password both at work and at home.

1. This checklist will help you choose a strong password both at work and at home.
2. Ensure it isn’t in the previous top 10 list of most commonly used passwords.
3. Ensure it isn’t a dictionary word or a number of dictionary words concatenated together.
4. Ensure it isn’t a person’s name, brand name, place name, the name of your football team and so on.
5. Ensure you haven’t used obvious character/numeric substitution. For example 3nglish, Rubb1sh and so on. There was a time when this was regarded as a secure password, but not any more. As hackers have learnt end-users tricks, they have added the words to their password cracking dictionaries.
6. Don’t use simple sequences such as 987654321 or QwErTy.
7. Use a different password for each system and service that you use.
8. Change your passwords regularly. The more important the system, such as electronic banking, the more frequent they should be changed.
9. Don’t use a password that can be linked back to you, such as using your date of birth, your wife’s name or your pet’s name.
10. Make sure your password is at least 8 characters long. For important systems, such as electronic banking, a password of 15 characters of longer is far more secure.
11. According to Microsoft, a password of 15 random letters and numbers is around 33,000 times stronger than an 8 character password.
12. Don’t use an incremental password system, such as mYpAssword01, mYpAssword02, mYpAssword03 and so on.
13. Don’t write your passwords down
14. Don’t share your passwords or tell anyone else.
15. Make sure you use non alphanumeric characters such as ,.<>?/;:@’~#{}[]_+-=()*!”£$%^&

The criminals were aged 31, 30 and 25. The investigators believe that other arrests may follow.

The first member of the gang was arrested in early February, when he inadvertently logged into the network without disguising the address of his computer. His computer allowed the investigators to link to two more suspects who were arrested later in the month.

The botnet was monitored and rendered inactive in December, following an investigation by the FBI, the Spanish Guardia Civil and security experts around the world.

The network of computers (botnet) was designed to steal sensitive information, including usernames, passwords, banking credentials and credit card data, from online e-mail services and social media sites. One of the criminas had 800,000 pieces of personal data on his machine.

Some very high profile businesses were targeted. Christopher Davis, chief executive of security firm Defence Intelligence, was one of the firms invited to join the Mariposa Working Group, which was set up to deal with the botnet in May 2009. Davis said “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised”.

A senior research advisor, Pedro Bustamante said the criminals behind the botnet did not have “advanced hacking skills”. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss,” he said.

The criminal gang made money by renting out parts of the botnet to other cyber-criminals in addition to selling stolen credentials and using banking and credit card information to make transactions via ‘money mules’.

Working with law enforcement agencies comes with a risk for security firms. After the botnet was closed down, Defence Intelligence were hit by a Distributed Denial of Service (DDoS) attack in an apparent act of retaliation. The firm remains determined to pursue such cases. Davis said “We will continue to fight the threat of botnets and the criminals behind them. We’ll start by dismantling their infrastructure and won’t stop until they’re standing in front of a judge”.

Zaman was sentenced to 46 months in jail and three years supervised release in addition to a US$75,000 fine by a court in Boston after pleading guilty to one count of conspiracy in April 2009.

Zaman laundered between $600,000 and $800,000 for Gonzalez, who also pleaded guilty to a string of cyber-attacks on several firms, resulting in the theft of tens of millions of payment card details. According to the court papers, Gonzalez asked to be paid for card numbers in digital currency or by wire to a bank account in Latvia.

In November 2005 Zaman used ATM cards linked to accounts in the names of fictitious or unrelated individuals to withdraw and repatriate approximately $38,000 of Gonzalez’s Latvian funds. He then sent the money in cash, minus a cut, to the hacker in Miami.

During 2005 and 2006, Zaman went to California for Gonzalez on three occasions. He picked up between $50,000 and $370,000 from an unknown man and then shipped the cash to Gonzalez in Federal Express boxes after taking his cut. A similar process was carried out from New York.

In March 2008, Zaman sent Gonzalez logs from Barclays ATM systems, where he was working as a programmer. Although Gonzalez uploaded these logs to a Latvian server, there was no evidence that the data was used.

Gonzalez was sentenced to 20 years and one day (owing to the need to deal with the peculiarities in the USA sentencing statutes), after pleading guilty to many attacks on different companies which include Heartland Payment Systems and TJX.

The impact to Heartland Payment Systems was significant. It agreed to pay US$2.4 million to settle a consumer cardholder class action suit for losses suffered. It also paid US$1.5 million for the cost of notice to the settling class, and $0.76 million to cover the legal fees.

Heartland also agreed to a $3.6 million settlement with American Express. Its provision for expenses related to the massive data breach were US$73.3 million.