The Security Pub

Random Thoughts About Security

Category Archives: Data Security

Missing BP Laptop had Personal Data of Gulf Oil Spill Victims

 

A BP employee lost a laptop containing unencrypted personal information on approximately 13,000 people who had filed compensation claims prior to August 2010 stemming from the Gulf oil spill.

BP spokesperson, Curtis Thomas, said the oil company sent out letters notifying those affected and reported the incident to law enforcement on Monday. BP contends that none of the personal information has been misused, but nonetheless is offering to pay for any necessary credit monitoring services to the victims of the breach.

“We’re committed to the people of the Gulf Coast states affected by the Deep-water Horizon accident and spill, and we deeply regret that this occurred,” said Thomas.

The employee in question lost the laptop on March 1 during business travel, nearly a month ago, when asked why so much time elapsed before reporting the incident, Thomas claimed his company was doing “due diligence and investigating” the incident, according to AP.

The breach only affects claimants who filed claims directly to BP before the Gulf Coast Claims Facility took over the compensation operation in August of last year.

Hackers Penetrate Nasdaq Computers

Computer hackers have breached the systems of the company that runs the Nasdaq stock exchange in New York but did not penetrate the part of the system that handles trades, Nasdaq said Saturday.  The exchange’s operating company, Nasdaq OMX, said in a statement that it had discovered suspicious files on its United States servers, and that it immediately began conducting an investigation in conjunction with outside firms and federal law enforcement agencies.

The company said it had determined that a Web-based application on its servers called Directors Desk, on which corporations can store and share information, might have been affected. Nasdaq said the suspicious files “were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.”

“At no point was any of Nasdaq OMX’s operated or serviced trading platforms compromised,” the company said.

Read the full articleThe New York Times

PIN Pad Physical Security

So I was at the grocery store this evening (I won’t mention which one) . When I was paying for my groceries with my credit card I noticed how the PIN pad was secured.  Can you see what’s wrong with this picture?

If you are having difficulties identifying what’s wrong I will go ahead and explain…

This grocery store has decided to secure all their pin pads to the stand with zip ties.  I did take a look underneath the device and there wasn’t any screws mounting the device to the stand.  So if a hacker wanted to they could easily remove and replace these PIN pads with modified versions.

Here are some examples of good security for physically securing PIN pads.

Free Guide: Web Application Security

Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Stories about exploits that compromise sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these fall often outside the traditional expertise of network security managers.

To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide covers:

[box type="info"]Typical web application vulnerabilities

Comparison of options for web application vulnerability detection

QualysGuard Web Application Scanning solution[/box]

NON-ATM, ATM Skimmers

Careful ATM users know enough to give a hasty visual check to the machine before using it and to hide the keyboard while entering their PIN. Unfortunately, sometimes even that is not enough to prevent the fraudsters, and the worst part of it is that they continually think of new ways of stealing your credit and debit card data.

A cleaver type of attack that can’t be detected by ATM users because there’s nothing off on the machine or close enough to it to make them suspicious has been pointed out by Brian Krebs. According to Brian, criminals have devised a very clever tactic – one that is usually employed to steal the information from users who prefer to use the ATMs located in the antechamber of a bank or building lobby.

Access to these ATM’s is usually controlled by a key card lock that allows customers to enter only after they have swiped their ATM card through it. Unfortunately, crooks have devised a way to add a skimmer to these locks, so that when the customers perform the action, it records the cards’ information. And odds are that customers won’t even check to see if there’s something suspicious about the lock.

When the customers finally access the ATM, those of them who don’t take particular care to hide the keyboard from view with the palm of their hand or another object, have their PINs stolen through the use of a zoom-in camera hiding behind a mirror located on the wall above an ATM – which they assume is there to allow them to see if someone is standing behind them.

An instance of this type of attack has been recorded all the way back in 2009, when a customer of a bank in California discovered the camera behind the mirror above one of the two ATMs in the lobby of the bank. It turns out that the criminals put an “Out of Order” sing on the other ATM to force the customers to use only the one that was covered by the camera.

Form Based Phishing Attacks are on the RISE

As always, spammers are keeping abreast with the important events of the season’s, and know that January is when the public usually submits tax returns and starts getting refunds. Websense is reporting that the form-based approach is being used more frequently than the usual direct links to phishing sites.

What are form-based email attacks?

Form-based attacks is just another type of phishing attack.  Instead of using a link to take the user to a phishing site, the hacker includes a form that the user is asked to complete. When the user completes the form and submits it, the details are then sent to the attacker. Here is a short video that shows an example.

Trend Micro protects Android devices

Trend Micro announced Mobile Security which protects digital files and secures banking transactions on Android devices by identifying and stopping online threats.

Key Features of Mobile Security for Android include:

  • Safe surfing
  • Parental controls
  • Download protection
  • Call and text filtering.

Backed by the Trend Micro Smart Protection Network, Mobile Security users receive real-time and instant browser protection wherever they take their Android mobile device.

Custom filtering lists enable users to screen or block unwanted calls or messages, while Web reputation and parental controls make mobile surfing safer for everyone.

Trend Micro Mobile Security for Android is available in the Android Market.