
It was announced today that a few laptops went missing a little closer to home. Back in December apparently three laptops were stolen from the Ontario Teachers Insurance Plan.
From CBC:
The three laptops contained names, addresses, birth dates and social insurance numbers of about 8,600 teachers, most of whom work at elementary schools for the Toronto District School Board.
The computers were stolen from the Waterloo, Ont., offices of the Ontario Teachers Insurance Plan on Dec. 3.
The organization provides insurance for teachers across the province. The affected teachers were informed of the theft earlier this week, said a spokeswoman for the non-profit insurance organization.
The local police characterized the theft as a “smash & grab”. This occurred on December 3, 2009. Soooo, why did it take so long to alert the affected parties? Granted, there was an element of a police investigation. That being said, why was there a two-month gap before the disclosure?
I wonder if they were insured against…sorry, couldn’t resist.

Hmm. It appears that Palm is a little too interested in what its Palm Pre handset users are up to. A Sprint customer, Joey Hess, discovered that his phone had been happily chirping away sending his info to Palm.
From The Telegraph:
The software developer said that log files for the handset show that his phone has been sending data back to Palm on a regular basis.
Mr Hess said that although the data was sent over a secure link, it contained information about his location, and a list of the applications installed on his handset. It showed how long he spent using those applications, and sent back crash data whenever applications unexpectedly quit.
The information was sent to Palm over a secure channel. Which would mean something if he had consented to the aforementioned monitoring.
Now, I understand crash reports and the like, but this appears, at least from the article and the buzz on the tubes, to be more than that. At least with crash reports on Microsoft and Apple systems there is a go/no-go option presented to the user as to whether or not they want to send.
Palm said its privacy policy was similar to many others in the industry. “[It] includes very detailed language about potential scenarios in which we might use a customer’s information, all toward a goal of offering a great user experience,” said the company in a statement. “For instance, when location based services are used, we collect their information to give them relevant local results in Google Maps. We appreciate the trust that users give us with their information, and have no intention to violate that trust.”
The road to hell is paved with good intentions.

The Twitter corporate mothership got nailed by a hacker recently who leaked confidential documents. The problem here isn’t so much with the hack itself as TechCrunch’s decision to publish the documents. They also brought to light the fact that an admin password was set to, you guessed it, password. It becomes less of a wonder as to why their security staffer ended up on the Wall of Sheep last summer at Defcon. But, I digress.
Twitter had this as a response to the hacking incident.
We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents. We’re not sure yet exactly what the implications are for folks who choose to get involved at this point but when we learn more and are able to share more, we will.
Now, here is some background on the story.
From San Jose Mercury News:
Twitter was forced to acknowledge the burglary after some of the stolen documents were published by TechCrunch, a popular technology blog in Palo Alto, as well as a French blog called Korben.
Among the documents was an internal financial forecast that Twitter would increase revenues from zero during the first two quarters of this year to $140 million by the end of 2010. By 2013, Twitter projected it would have 1 billion users and make $1.54 billion.
The hacker also claimed to have purloined a salary grid, meeting reports and confidential contracts with Nokia, Samsung, Dell, AOL and Microsoft.
Now, TechCrunch has said that they plan to release some of the aforementioned docs. Not sure I remotely agree with their plan of action. Possession of stolen property and that sort of thing.
From TechCrunch:
Some documents show floorplans and security passcodes to get into the Twitter offices. We’re not going to post any of those documents.
But we are going to release some of the documents showing financial projections, product plans and notes from executive strategy meetings. We’re also going to post the original pitch document for the Twitter TV show that hit the news in May, mostly because it’s awesome.
While I find it mildly amusing that Twitter got nailed using Google Docs, I find it less so that TechCrunch plans to profit from this. A lack of ethics comes to mind.
Cyberdouchery.

The Bonanno mafia crime family has been implicated in a database breach. A Boynton Beach resident and several alleged mobsters were charged in relation to a data breach at LexisNexis.
From PC World:
Information broker LexisNexis has warned more than 13,000 consumers, saying that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists.
Lee Klein, 39, of Boynton Beach, Florida, was charged by the U.S. Department of Justice in May following an undercover sting operation that netted 11 suspects from an alleged South Florida crew of the Bonanno crime family.
The New Hampshire attorney general posted a copy of the letter (content offline) that LexisNexis had sent to its customers on its website.
As for LexisNexis, sadly, this isn’t the first time that data security problems have cropped up.
LexisNexis has had problems preventing criminals from using its databases for identity theft. Last May, the company warned that ID thieves had accessed around 32,000 records using its services. In March 2008, LexisNexis settled charges brought by the U.S. Federal Trade Commission, which said the company wasn’t doing enough to prevent its data from being abused.
I hope for their sake they’ve figured it out now.

Microsoft is having a bad week and I seem to be equating that with LOL Cats. Go figure. A few days back, the news of a zero-day Direct Play vulnerability started to surface (exploit PoC), only for us to find out yesterday that Microsoft knew of this vulnerability for almost a year.
Now we find that there is a zero day in the Microsoft Office Web components according to this advisory from the Redmond mothership.
From SANS:
Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability, it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven’t seen it used or mentioned in public as of yet (this has changed, we are seeing active exploit pages).
Apparently this permits remote code execution and may not require user interaction. Doesn’t bode well for the upcoming release from Microsoft…for free.
Oh, goodie (/sarcasm)

This is one of the reasons I get bent out of shape with the length of time that vendors take to address bugs.
From The Register:
Microsoft was aware of a critical vulnerability in an Internet Explorer component at least 12 months before attackers started targeting it in lethal exploits that take full control of end-users’ PCs, a member of its security team said Wednesday.
The disclosure comes as attacks targeting the MSVidCtl ActiveX control vulnerability have increased exponentially. On Monday, online ads distributed through the Giant Realm network on popular gaming websites began including code that exploits the bug, according to security firm ScanSafe.
I would be interested to hear Microsoft’s response to the allegation that was leveled.
Strangely enough…
Microsoft’s Reavey defended the decision to withhold an advisory until Monday, explaining that any fix must meet a demanding balancing act that ensures it is thorough enough to block a wide variety of related attacks while narrow enough that it doesn’t cripple crucial parts of the software.
The spin. I loathe the spin.

OK, so I’m a little annoyed with Symantec. I submitted this vulnerability to them in January of 2008 and they released it last night without chatting with me regarding the advisory. Every vendor I have dealt with up to this point has at least extended that courtesy.
They get it wrong,
“The flaw only allows an attacker to display a message of their choice on the Reporting Server login screen. The attacker does not gain additional access to the Reporting Server program unless the message persuades a trusted user to forward their login credentials to the attacker.”
No. More can be accomplished than just passing text to the user interface. There is more to it. This would process code if you passed it correctly. If you have a look at the screen cap above, take a look at the URL and consider your options.
This made me choke on my morning coffee. They released this last night.
To set up an attack, an attacker would either need access to the Reporting Server, or to entice a trusted user to click on a specially crafted link to the Reporting Server.
Right. That’s the only way. (/sarcasm)
Where I get more annoyed is that they list their affected products as only being Symantec Antivirus Corporate Edition, Symantec Client Security and Symantec Endpoint Protection. From my discussions with Symantec (and I have the emails), they indicated that any product in their line that uses this reporting library is affected. After delays, it’s now finally fixed, although the fix cannot be delivered via LiveUpdate.
Date Submitted: January 17, 2008
Vendor Response: January 18, 2008
Date Fixed: June 2008 (date missed by Symantec)
Date Fixed: November 2008 (date missed by Symantec)
Date Fix Released: April 28, 2009
Why did a vulnerability rated as “low” take that long to fix you ask? Damn good question.
This was an annoying experience dealing with Symantec and its inability to meet the deadlines that it set forth. Being responsible and working with vendors sometimes just isn’t worth the hassle. I think I’ll just submit future finds to ZDI.
Symantec Advisory
Secunia Advisory


According to the site Nemesis / t3am3lite, Symantec has joined the ranks of sites that are susceptible to cross-site scripting (XSS) attacks, including iframe URL injection.
Um, oops.
From The Register:
The XSS, or cross-site scripting, bugs allow attackers to steal the web cookies Symantec sets on visitors’ hard drives. Such cookies are frequently used to prove a visitor has already entered a valid password, so the ability to lift the file could be a non-trivial lapse of Symantec’s security.
Other exploits showed it was possible to inject images from third-party websites such as imageshack.us. They were documented by a hacking collective that calls itself t3am3lite. Less-charitable hackers could exploit the hole to inject javascript or other types of code that exploits unpatched vulnerabilities or carries out other malicious acts.
For a collection of screen shots from the XSS bugs check out the Nemesis site. According to the site, Symantec has in fact been contacted about this problem and they’re working on it.
At the time of this posting the bugs were still live.
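The Reporting Server login-screen message above and the symantec.com bugs quoted from The Register are both the same reflected-XSS pattern: text taken from a URL is written into a page unescaped, and any session cookie that page sets is then readable by injected script. The following is an added example (not Symantec’s code and not from the original posts) showing the vulnerable rendering beside an output-escaped version, a crude detection check, and a session cookie set with the HttpOnly and Secure flags; the `msg` parameter name, hostnames and cookie name are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request: a login URL whose "msg" parameter (an assumed
# parameter name) carries markup that embeds a third-party page.
SAMPLE_URL = "https://reports.example.invalid/login?msg=" + quote(
    '<iframe src="https://third-party.example.invalid/"></iframe>'
)


def message_from_url(url: str) -> str:
    """Return the 'msg' query parameter a login page would echo back."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_notice_unsafe(url: str) -> str:
    """Vulnerable pattern: attacker-controlled text dropped straight into HTML."""
    return f'<p class="notice">{message_from_url(url)}</p>'


def render_notice_safe(url: str) -> str:
    """Hardened form: HTML-escape on output so tags and quotes become inert text."""
    return f'<p class="notice">{html.escape(message_from_url(url), quote=True)}</p>'


def has_active_markup(page: str) -> bool:
    """Crude detection check: does the rendered page contain a script or frame tag?"""
    lowered = page.lower()
    return "<script" in lowered or "<iframe" in lowered


def session_cookie(value: str) -> str:
    """Build a Set-Cookie string for a session cookie that injected script cannot
    read (HttpOnly) and that the browser only sends over TLS (Secure)."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print("unsafe :", render_notice_unsafe(SAMPLE_URL))
    print("safe   :", render_notice_safe(SAMPLE_URL))
    print("cookie :", session_cookie("a1b2c3"))
```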

An unnamed payment processor? (Thx to the Intern for picking this article up for the morning news) What are we, in grade school? This is absolutely bizarre, that neither Visa nor Mastercard is coming clean as to the source of the breach. Which leads me to suspect that it may be rooted in one of the banks that is currently sweating it out in the national spotlight. The market is a mess enough as it is, and this might be the proverbial straw that breaks the camel’s back.
Poor camel. Should really think about seeing a chiropractor.
The rumours are swirling that this breach may be on the scale of (or close to) the Heartland fiasco. We’ve had several tips, none of which can be verified. We won’t go out on a limb unless we have something more than a LOT of smoke. The fire part is in there somewhere but, as of now, we can only smell it burning.
From CNET:
The breach appears to have affected fewer account holders than were affected by a breach reported by Heartland Payment Systems last month, but represents a “significant number nonetheless,” the statement said. “According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen.”
This dance is getting tired and it’s time for someone to get voted off (note to self: stop watching TV with the missus).
Why are the number of affected cardholders and the name of the affected processor still being withheld?
And then, the spin,
The Tuscaloosa Virginia Credit Union posted a statement on its site that said malicious software was placed on the processor’s system but there is no evidence that accounts were viewed or data taken by hackers.
Malicious software no longer constitutes evidence?
OK, so let’s review. From the CNET article we know that card processing is provided by the same company to Tuscaloosa Virginia Credit Union, Alabama Credit Union and the Pennsylvania Credit Union Association. That much we know. Anyone able to connect the dots?
Here is some more from Data Breaches:
Thanks to a more recent credit union notice that Jai Vijayan of Computerworld uncovered from the Alabama Credit Union, we now know that this is not just credit cards that have been affected, but that the breach also appears to involve “long lists” of compromised ATM/debit cards. Visa and MasterCard remain mute about the source of the breach, although once the confirmation was found, Visa confirmed to Computerworld that a processor “experienced a compromise of payment card account information from its systems,” and MasterCard’s statement referred to the processor as being in the U.S.
The plot thickens.
UPDATE: (Feb 26th) Datalossdb has a timeline that covers this story. I’ll offer a free t-shirt to the person who can give me a name of the breached shop that we can validate. I know it’s not much but hey, we have no budget here at the Digest.

The Heartland ripple effect has begun. Canadian retailer Canadian Tire has begun to cancel 16,000 MasterCards and reissue replacements.
From The Star:
“What we started to do was…call the cardholders and actually share the information with them and then cancel their card, and re-issue them a secure card.”
Any card that was used in the U.S. during a specific period of time was deemed to be at risk, said Gibson, whose own personal card was affected.
Canadian Tire Financial Services manages the country’s second-largest MasterCard franchise, with more than five million accounts. The number of cards affected represents a very small percentage of the total number of cards issued by the retailer, Gibson said.
“Having said that, obviously we wanted to take it seriously, which is why we canceled the cards.”
Good job on Canadian Tire for doing what Heartland didn’t. Show some responsibility.
This passage makes me wonder,
Mastercard has refused to comment further, citing an ongoing investigation. Heartland president and chief financial officer Robert Baldwin said the company immediately notified U.S. law enforcement officials after learning of the breach.
This seems to be somewhat in question. The argument could be made that this breach was, at least at a cursory level, known a year ago.
Robert Baldwin was also quoted in the Washington Post as saying that,
…the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.
and
Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.
The source was uncovered in January, but at what point did they know there was a breach?
The ripples continue.
