
HSBC has been having a really rough go trying to keep a handle on their data and system security. Examples 1, 2, 3, 4, 5 and 6.
A tad disconcerting for their customer base.
From Infosecurity UK:
HSBC’s Swiss banking operation – operating in an industry that is renowned for its secrecy – has been rocked by revelations that details on as many as 24 000 of its wealthiest clients have been leaked.
When the news of the data leakages – apparently caused by a rogue member of the HSBC staff – was first reported last December, it was thought that fewer than 10 accounts were involved. At the time, Herve Falciani, a former HSBC IT specialist, was reported to have stolen the data and passed it to the French tax authorities.
HSBC has now admitted it has now discovered that 15 000 existing and 9000 former clients were affected.
That is certainly a lot more than the ten accounts they thought were affected when this first came to light in Dec ‘09. This is further compounded by this passage: “HSBC says it only realised the full extent of the data leak earlier this month when the Swiss authorities returned the data in their possession.” I would hazard a guess that at some point HSBC will realize that they have what appears to be a systemic problem with their security program. A quick scan of their Canadian site shows that they are trying to bring on some new security people. I wonder if they have a decentralized security model at HSBC. It would certainly explain a fair bit.
For more on this latest breach, read on.
(Image used under CC from K e v i n)

This is the second time in recent memory where a bank has put the burden of proof on the victim.
From CBS MoneyWatch:
It’s every technophobe’s nightmare, but this time it’s true. Some $50,000 was stolen from Fan Bao’s online bank account by Croatian computer hackers and the bank told him that the loss is not their problem.
Could it happen to you? Here’s the back story to help fill in who is at risk.
Seven years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA.
Scary story. For the full article read on.

There are few things that annoy me more than when a vendor bends the truth to try and sell product. Here is part of an email that I received yesterday.
Dear Dave,
As you are most likely aware, last week David Litchfield from NGS has blessed the world with another cyber attack announcement on Oracle databases that allows an attacker to take complete control of an Oracle database system. No fix is available by Oracle.
Litchfield has been infamous for doing something similar with the slammer worm that affected millions of companies a few years back. This irresponsible move has even more companies worried today about a potentially greater new security risk.
$VENDOR sent out an announcement last night. If you did not receive it please let us know and we will get you the information.
$VENDOR is the only company globally capable of fixing this issue. The details are in the announcement:
Ah, the joy of getting half the story.
What David did at Black Hat in the summer of 2002 (and I was in the room for it) was show a proof of concept for what eventually became Slammer more than 6 months later. The implication in the email was that he had released the worm. Not sure if that was intended, but that was my takeaway.
This is not the way to win customers. Tell me why your product stands on its own two feet. If you want to sell your product don’t play the Coke vs Pepsi nonsense. And for all that’s good and holy…don’t tell me that only $VENDOR can fix it.
Don’t piss on my leg and tell me it’s raining.
Rant off.
(Image used under CC from John Markos O’Neill’s Flickr feed)

Thanks to one of our readers we get word this morning of a data breach that occurred last month. This database compromise affected customers of ihomeaudio.com, timexaudio.com and kiddesigns.com.
A letter was posted on January 26, 2010 informing our reader of the data breach. Upon reviewing his bank transactions it became apparent that the card had been compromised before January 17, 2010, when erroneous transactions began to appear on his statement. It is unclear from the letter when the breach actually took place.
The rather disconcerting aspect is that SDI Technologies, the parent company, did not offer any sort of credit protection service; it merely suggested that customers monitor their credit and provided links to download free copies of their reports.
Here is a screen cap thumbnail of part of the letter.

Oddly, there doesn’t appear to be any mention of the breach on their websites.

It was announced today that a few laptops went missing a little closer to home. Back in December apparently three laptops were stolen from the Ontario Teachers Insurance Plan.
From CBC:
The three laptops contained names, addresses, birth dates and social insurance numbers of about 8,600 teachers, most of whom work at elementary schools for the Toronto District School Board.
The computers were stolen from the Waterloo, Ont., offices of the Ontario Teachers Insurance Plan on Dec. 3.
The organization provides insurance for teachers across the province. The affected teachers were informed of the theft earlier this week, said a spokeswoman for the non-profit insurance organization.
The local police characterized the theft as a “smash & grab”. This occurred on December 3, 2009. Soooo, why did it take so long to alert the affected parties? Granted, there was an element of a police investigation. That being said, why was there a two-month gap before the disclosure?
I wonder if they were insured against…sorry, couldn’t resist.
(Image used under CC from myoldpostcards Flickr feed)

Surreal. Here’s a story that pushes the edges of…well, common sense. The real problem is what could potentially happen if the bank wins in this case.
From Krebs On Security:
A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.
Read on for the full article.
On a side note, be sure to subscribe to Brian’s RSS feed. He’s a must-read writer in the security space.
(Image used under CC from peggyarcher’s Flickr feed)

I generally don’t have much of a problem with social networks. They are what they are and people are social creatures. Where they tend to become a problem is when they intersect with military networks, for example. A problem that is all too real for the Brits.
From Sky News:
The MoD refused to comment on whether the leaks related to operational issues and what disciplinary action was taken.
MoD personnel need clearance from their bosses before publishing anything which relates to operations, or offers opinions on Defence activity.
Staff are also forbidden from speaking on behalf of the MoD in relation to controversial, sensitive or political matters.
The leaks have occurred 16 times in the last 18 months according to the article. And that’s just the ones that we’re aware of.
(Image used under CC from johnkay’s Flickr feed)

Did someone hear a thud? Something big just dropped.
Oh, Oracle patches again. Gotcha.
From PC World:
Oracle on Tuesday will release a patch update that includes 24 security fixes for its database, application server and other products.
Ten of the patches affect Oracle’s database, and two of the vulnerabilities addressed can be remotely exploited over a network without the need for a username and password, Oracle said.
Now, riddle me this. How many companies will roll out the aforementioned patches before the summer?
(Image used under CC from poyang Flickr feed)

Ah, the epic fail abounds today. Now, having formerly worked for the DoD as a contractor, I can say there are good contractors and others that should be given a cigarette and a blindfold.
I wonder where I’m leaning on this story.
From the WSJ:
Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.
Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.
Now, first off, this isn’t hacking. The transmission was/is in the clear. It’s just piss poor design and I’m rather amazed that this one made it into the field without someone catching it. Or maybe they did and were told to hush up in favour of meeting deadlines?
If you send data, or anything else for that matter, in clear text, you have zero expectation of privacy. Zilch, zip, nada and bupkis.
Just to put this firmly in perspective for our non-technical readers this is as secure as…

Or this…

For more on this story please follow the link to the WSJ article.
Article Link (Thx Brooks)
UPDATE: More information on this story from Wired. Apparently, this clear text problem affects more than just drone aircraft.

Ah, the TSA amuses me to no end sometimes. Recently there was a misguided attempt by the agency to post a “redacted” PDF document of their screening guide online. Sadly, this fell into the trap of being a simple black bar placed across the offending text. Unknown to the parties doing this, a black bar drawn over text in a PDF hides it only visually; the underlying text remains in the file, and recovering it is a trivial exercise.
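The failure mode is easy to check for before a document ever goes out the door. The following is an added example (not code from the original post or from the TSA) that parses a constructed, uncompressed single-page PDF and flags any text string that is still present in the content stream underneath a filled rectangle. The sample PDF, the text content and the glyph-width estimate are all assumptions made for the illustration.

```python
import re

# Constructed sample (not from the TSA document): a minimal, uncompressed
# single-page PDF whose content stream draws two lines of text and then paints
# a black rectangle over the first one. That is exactly what a "black bar"
# redaction does; the text object underneath is untouched and still extractable.
# The /Length value is approximate; the parser below does not rely on it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >> endobj
4 0 obj << /Length 130 >>
stream
BT /F1 12 Tf 72 700 Td (Passenger screening threshold: 12) Tj ET
BT /F1 12 Tf 72 680 Td (Public heading) Tj ET
0 g 70 695 250 16 re f
endstream
endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Uncompressed content streams only (a real checker would inflate /FlateDecode
# streams first with zlib; omitted here to keep the example short).
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
# "size Tf x y Td (string) Tj": a simple text run with its font size and origin.
TEXT_RE = re.compile(
    rb"(-?[\d.]+)\s+Tf\s+(-?[\d.]+)\s+(-?[\d.]+)\s+Td\s*\((.*?)\)\s*Tj"
)
# "x y w h re f": a rectangle path that is immediately filled.
FILL_RE = re.compile(
    rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b"
)

# Assumed average glyph width as a fraction of font size; a rough bound that is
# good enough to decide whether a text run sits under a rectangle.
AVG_GLYPH_WIDTH = 0.5


def content_streams(pdf: bytes):
    """Yield the raw bytes of each content stream in the file."""
    for m in STREAM_RE.finditer(pdf):
        yield m.group(1)


def extract_text_runs(pdf: bytes):
    """Return (text, x0, y0, x1, y1) for every Tj string, with an estimated box."""
    runs = []
    for stream in content_streams(pdf):
        for m in TEXT_RE.finditer(stream):
            size, x, y = (float(m.group(i)) for i in (1, 2, 3))
            text = m.group(4).decode("latin-1")
            width = AVG_GLYPH_WIDTH * size * len(text)
            runs.append((text, x, y, x + width, y + size))
    return runs


def extract_filled_rects(pdf: bytes):
    """Return (x0, y0, x1, y1) for every filled rectangle in the content streams."""
    rects = []
    for stream in content_streams(pdf):
        for m in FILL_RE.finditer(stream):
            x, y, w, h = (float(m.group(i)) for i in (1, 2, 3, 4))
            rects.append((x, y, x + w, y + h))
    return rects


def _overlaps(a, b):
    """True if two axis-aligned boxes (x0, y0, x1, y1) intersect."""
    return a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]


def find_covered_text(pdf: bytes):
    """Strings that are still present in the file but painted over by a fill.

    Any hit means the 'redaction' is cosmetic: the text survives in the
    content stream, so any text-extraction tool (or select-all and copy in a
    viewer) recovers it. A proper redaction removes the text object itself.
    """
    rects = extract_filled_rects(pdf)
    return [
        text
        for text, *box in extract_text_runs(pdf)
        if any(_overlaps(box, r) for r in rects)
    ]


if __name__ == "__main__":
    for hit in find_covered_text(SAMPLE_PDF):
        print("still extractable under a black box:", hit)
```

Run against the sample, the checker reports the first line and leaves the uncovered heading alone. The point for a publishing workflow is that the check has to look at the file's content, not at what a viewer renders; only a tool that deletes the text object (and re-saves without the original in an incremental update) produces a real redaction.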
Now, the corner office types are circling the wagons.
From ABC:
On Wednesday, the Transportation Security Administration’s (TSA) acting director insisted to Congress that the mistaken posting of secret airport screening procedures online posed no threat to holiday travelers because the procedures had changed, but refused to provide members of Congress with the newest version of the TSA’s screening manual to prove it.
Ah, fuckwittery abounds. If you’re bored feel free to download a copy of the TSA manual which we have mirrored. They have since removed the document from their website but, too late. The thing is literally all over the tubes of the web.
Now, Congress may have a two drink minimum at the best of times but, I doubt it could ever be considered wise to piss them off. Gale Rossides, acting TSA head, insisted that the discovered version of the screening SOP manual was outdated. But front line folks at the TSA disagreed.
But current and former Transportation Security Officers (TSO), meaning TSA employees who have direct knowledge of screening procedures, disagreed with Rossides about the impact of the breach. They said that they were appalled that the agency failed to take immediate steps across the country to counteract the heightened travel threat caused by the posting of the improperly redacted document.
I would tend to agree with the folks that work for a living as opposed to the spin doctors.
Call me a cynic.