Last year (2009), hackers breached Google’s network and stole the source code for their global password system.

Google has a single sign-on system known internally as ‘Gaia’ and allows users to log into many of Google’s services that it offers, such as Gmail, web search, business applications and others, using just the  one password.

The hackers stole the code after gaining access to the Google’s software repository – this is the ’crown jewels’ for their services. The hackers copied the software but it is not thought that they gained access to customer passwords, which means that users aren’t directly affected by the theft. However, the risk to Google is that the hackers could examine the software for security vulnerabilities to devise ways to gain access to the system that would later impact users.

Google announced in January 2010 that it had been hacked. The hackers had targeted the source code repositories at other companies.

It is believed that the theft started when an instant message was sent to a Google employee in China who was using Windows Messenger. The message included a link to a malicious website. When the employee clicked the link, the hackers were able to gain access to the employee’s computer. This meant that they were inside the Google corporate network and from there, they could connect to Google’s headquarters in California.  It is thought that the intruders know the names of the ‘Gaia’ software developers, because the hackers had access to an internal Google corporate directory that lists the business activities of every Google employee. 

According to a McAfee report, the hackers used a malicious website that was hosted in Taiwan. When the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser. A binary executable (program) disguised as a JPEG file then downloaded to the user’s system that opened a backdoor into the computer, setting up a connection to the attackers’ command and control servers that were also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

Read More in this New York Times article.

This incident highlights the concerns that many people already have, that using ‘Cloud’ services can be less secure than private or own hosting. Entrusting your data to a third party provider needs careful due dilliegence to make sure the service and security protection is good enough for your needs.

Humza Zaman, a former Barclays Bank programmer was sentenced to four years in jail for helping the ‘TJX’ hacker Albert Gonzalez launder funds he gained through cyber crimes.

Zaman was sentenced to 46 months in jail and three years supervised release in addition to a US$75,000 fine by a court in Boston after pleading guilty to one count of conspiracy in April 2009.

Zaman laundered between $600,000 and $800,000 for Gonzalez, who also pleaded guilty to a string of cyber-attacks on several firms, resulting in the theft of tens of millions of payment card details. According to the court papers, Gonzalez asked to be paid for card numbers in digital currency or by wire to a bank account in Latvia.

In November 2005 Zaman used ATM cards linked to accounts in the names of fictitious or unrelated individuals to withdraw and repatriate approximately $38,000 of Gonzalez’s Latvian funds. He then sent the money in cash, minus a cut, to the hacker in Miami.

During 2005 and 2006, Zaman went to California for Gonzalez on three occasions. He picked up between $50,000 and $370,000 from an unknown man and then shipped the cash to Gonzalez in Federal Express boxes after taking his cut. A similar process was carried out from New York.

In March 2008, Zaman sent Gonzalez logs from Barclays ATM systems, where he was working as a programmer. Although Gonzalez uploaded these logs to a Latvian server, there was no evidence that the data was used.

Gonzalez was sentenced to 20 years and one day (owing to the need to deal with the peculiarities in the USA sentencing statutes), after pleading guilty to many attacks on different companies which include Heartland Payment Systems and TJX.

The impact to Heartland Payment Systems was significant. It agreed to pay US$2.4 million to settle a consumer cardholder class action suit for losses suffered. It also paid US$1.5 million for the cost of notice to the settling class, and $0.76 million to cover the legal fees.

Heartland also agreed to a $3.6 million settlement with American Express. Its provision for expenses related to the massive data breach were US$73.3 million.

March 2010

Hancock sent an open letter to customers that warned of the scam. It occurred between August and September 2009 and provided the thieves with access to the names printed on customer payment cards, card numbers and expiration dates and PIN codes.

Hancock Fabrics said that reported incidents of fraud had been “limited” but said that customers who shopped with them in the summer of 2009 should check their account statements.

The retailer worked with USA state and federal authorities to replace all of their PIN pads as well as installing an automated system that allows them to monitor them for suspicious activity.

March 2010

The scale of the breach was a major embarrassment to HSBC. They initially claimed that no more than ten accounts had been affected when the news first broke at the end of 2009. In a statement from the HSBC Swiss private bank, they admitted that data relating to 15,000 client accounts was stolen by a former IT employee three years previously. In addition, an additional 9000 accounts that had been closed in the past were also affected.

“We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy”, Alexandre Zeller, chief executive of the HSBC Swiss private bank, told reporters that he had received reassurances from the French authorities that the information will not be used “inappropriately”. The HSBC statement said “the bank does not believe that the stolen data has or will allow any third party to access any client account”.

Foreign tax authorities are willing to pay for information relating to Swiss private bank accounts and this has been a growing source of diplomatic tension. In January 2010, the Swiss government said it planned to draft a new law that would ban banking officials from co-operating with foreign countries where private account details have been stolen.

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. has been stolen.

The computer contained social security numbers and other sensitive information belonging to residents of the US and Puerto Rico who applied online or by phone for jobs from July 2006 to June 2007, the retailer said in this list of frequently asked questions. Details for applicants living in Canada were also exposed, although they didn’t include social insurance numbers.

The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data. The Gap didn’t identify the vendor or explain why it failed to encrypt such a large number of applicants’ personal information.

Gap joins scores of other organizations that have lost sensitive information entrusted to them. The US Department of Veterans Affairs, IBM and VeriSign have also been dogged by laptops or storage tapes that weren’t encrypted and were later lost or stolen.

More recently, high-stakes data breaches have resulted from criminals who found ways to exploit weaknesses in corporate networks. Last week, TD Ameritrade said hackers infiltrated a database containing social security numbers, birth dates and account numbers on an undisclosed number of clients. And in August, cyber gumshoes discovered a Trojan that stole more than 1.3 million records from people who were looking for work through job recruiter Monster.com.

Few companies disclose details of their data-retention policies, such as whether computers containing sensitive information are encrypted. This is partly because the release of too much information can tip off criminals. But we can’t help thinking the lack of disclosure also gives lawyers wriggle room in the event something goes wrong.

Indeed, Gap’s FAQ didn’t say whether customer records, applicant information and other sensitive details in its possession are encrypted, or whether it plans to enforce such a policy in the future. The Associated Press, however, quoted Glenn Murphy, the company’s CEO and chairman saying the storing of applicant data without encrypting it ran contrary to Gap’s agreement with the third-party vendor.

Gap is contacting applicants based in the US and Puerto Rico who had their social security numbers exposed. It is also arranging for them to receive one year of free credit monitoring. The company said it is unaware of any of the data being misused. ®

Posted in Enterprise Security, 28th September 2007 20:59 GMT

Iannuzzi admitted that Monster.com had no idea how much information had been taken in the second attack nor how often its database had been accessed.

“We are assuming that it is a large number,” he told Reuters. “It could easily be in the millions.”

Despite promising to invest $80m to $100m in traffic surveillance and security, Iannuzzi admitted that Monster.com may never be safe.

“I want to be clear and I want to be frank: there is no guaranteed fix,” he said. “I wish I could say there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no internet company can.”

Monster.com said that the only data that was taken were names, addresses, phone numbers and email addresses.

However, follow-up attacks have already targeted Monster.com job seekers using social engineering techniques to try and gain financial details.

Emails have been sent out pretending to be from recruiters asking for bank account details to complete job applications.

False emails containing links to malicious software that could steal sensitive data have also been sent out.

Monster.com kept the original attack secret for five days before alerting users to the problem.

The company’s database holds around 73 million CVs. Iannuzzi claimed that only a few hundred had cancelled their accounts, along with a “handful” of employers.

Matt Chapman, vnunet.com, 30 Aug 2007

The security firm found that the Infostealer.Monstres Trojan had uploaded more than 1.6 million pieces of personal data belonging to several hundred thousand people to a remote server.

“We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained, ” the Symantec blog said.

“Interestingly, only connections to the hiring.monster.com and recruiter.monster.com sub-domains were being made.”

Symantec said that further investigation revealed that the Trojan appeared to be using the stolen credentials of a number of recruiters to search for CVs and steal the personal data.

Information stolen from the site included name, email address, country and home address, as well as work, mobile and home phone numbers. Most of the candidates who had their details stolen were based in the US.

“Such a large database of highly personal information is a spammer’s dream,” said Symantec.

“In fact, we found that the Trojan can be instructed to send spam using a mail template downloadable from the command and control server.”

Symantec has informed Monster.com of the compromised Recruiter accounts so that they can be disabled.

The security firm also warned prospective job applicants to protect their identities when using recruitment sites by limiting the amount of contact information they post and using a separate disposable email address.

“Never disclose sensitive details such as your Social Security number, passport or driving licence numbers, bank account information etc to prospective employers until you have established that they are legitimate,” Symantec said.

Graham Cluley, senior technology consultant at Sophos, agreed that users should be careful about sharing their data.

“Incidents like the Monster security breach underline how careful people should be about sharing their personal information on the internet,” Cluley told vnunet.com.

“Websites can be hacked, breaches can occur, and mistakes can happen which may mean that data which you thought was being held securely is now in the hands of cyber-criminals.”

Matt Chapman, vnunet.com, 21 Aug 2007

Big brand names have realised there is the potential of a new dimension of marketing and income from virtual worlds. However, it is all too easy to copy products in a virtual world, so issues of virtual counterfeited goods are appearing.

The issues are deeper than that, because the virtual world presents a great opportunity to launder money. Imagine for a moment converting your money into virtual currency, splitting this into smaller amounts, passing the virtual funds through several layers of transactions, before converting it back into real money in a different currency in a different country. Virtual money laundering really is possible and is difficult to trace.

The European Network and Information Security Agency (ENISA) has released a report and survey on the subject. They believe that multiplayer online gamers are a ‘soft target’ for cybercriminals looking to raid the EUR1.5 billion virtual goods market, which has an estimated 1 billion players

A survey in the report shows that 30% of users have recently lost some form of virtual property through fraud. In less than a year, more than 30,000 new malicious programs have been detected, that specifically target accounts and property in online games and virtual worlds – an increase of 145%.

The ENISA report calls for the creation of an industry-wide forum for service providers to share best-practice on security vulnerabilities, and clarification of virtual property rights to give theft protection. The report also suggests that operators should work with banks, credit companies and online payment service providers to develop procedures for prohibiting virtual asset theft using chargebacks.

The interesting part of the report for myself, is the recommendation that the virtual worlds fund work on the clarification of legal issues, such as intellectual property rights and legal clarity.