Network Solutions Hack Compromises 573,000 Credit, Debit Accounts Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned. Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

A disconnect exists between federal government CIOs, CISOs and IT hiring managers and the human resources professionals charged with finding qualified candidates with cybersecurity skills, according to a just-published report. The report, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce from the Partnership for Public Service, concludes that IT managers are less satisfied than their HR counterparts with the quality of cybersecurity recruits and the time it takes to hire IT security personnel. "The human capital management process is broken; operations and HR people should be joined at the hip and collaborate across the government," the report quotes Norman Lorentz, former chief technology officer at the White House Office of Management and Budget. Indeed, one third of chief information officers, chief information security officers and IT hiring managers surveyed for the report expressed unhappiness with candidate quality vs. 10 percent for HR managers. Sixty-one percent of HR managers vs. 40 percent of IT managers expressed satisfaction with candidate quality (see chart).

The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."

1. You get what you pay for. 2. Americans do not take information or security as seriously as they do their love for profit & cost savings. If one does not value what they are trying to protect accurately, the investment one is prepared to make will always be insufficient. Then there are hindsight and rationalization (a.k.a. politicians) - Karl The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their inf

Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers' personal information. This will be the third time around the block for the Personal Data Privacy and Security Act, which has cleared the Judiciary Committee, but never come to a vote on the Senate floor. The bill would preempt the more than 40 state laws laying out requirements for notifying consumers in the event of a data breach, a long-deferred legislative goal that has the general support of the IT industry. But Leahy's bill is about more than just data breaches. Among other things, it would set baseline security information standards for government agencies, something that the Obama administration has begun to work on with the early steps of an overhaul of the government's cybersecurity apparatus. "This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy said in a statement. "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as Chairman of the Judiciary Committee."

The million-and-one ways in which the Internet can be useful, efficient and fun are well known. Its potential for abuse by pornographers, phishers, scammers and spammers has also been apparent since its early days. What has taken a bit more time to emerge, however, is awareness of the Internet's increasing threat to privacy as people become more comfortable offering information about themselves online. Faculty members at Wharton say people who access the Internet for what have become routine functions -- sending email, writing blogs, and posting photos and information about themselves on social networking sites -- do not realize how much of their personal privacy, their very identities, they put at risk. Nor do they fully comprehend the extent to which they are inviting mischief, embarrassment and harm, perhaps for decades to come, from others looking to dig up digital dirt. In addition, legal experts say that while laws already on the books provide criminal and civil remedies for some nefarious uses of personal information, the ways in which the Internet can be harnessed for questionable purposes that encroach on privacy have yet to be fully addressed by the courts.

Weak security policies and practices in nearly all 24 major federal agencies in 2008 have resulted in exposing personally identifiable information of Americans, according to a new report from the Government Accountability Office (GAO). "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," according to the GAO report, issued Monday. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise." Federal agencies have reported some progress, providing awareness training for employees and testing system contingency plans, the GAO said. Still, employees with significant security responsibilities are not getting enough security training and known vulnerabilities remain wide open. The GAO conducts a periodic review of information security policies and procedures at federal agencies. Inspectors general review agency conformity to the Federal Information Security Management Act of 2002 (FISMA) and report their findings to Congress.

A group of computer scientists at the University of Washington has developed a way to make electronic messages "self destruct" after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data - including e-mail and Web-based documents and calendars - stored on numerous servers.

Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach. However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage. For Mercury, the retailer would have to prove it was Payment Card Industry Data Security Standard-compliant (PCI DSS) at the time of a breach. "This is an enticement program to get merchants involved in PCI compliance," Jim Mackay, Mercury's vice president of marketing, told SCMagazineUS.com Friday. "Though there are critics who say that PCI does not go far enough, at least it's a step in the right direction."

Social engineering and mind games expert Brian Brushwood has not come by his knowledge in the traditional manner of school or business training. Brushwood is the host of the Internet video series Scam School, a show he describes as dedicated to social engineering in the bar and on the street. In addition to his passion for teaching people about social engineering cons, Brushwood is also a touring magician who frequently performs on college campuses and has appeared on the Tonight Show. He first became interested in social engineering years ago as a means to enhance his performance and pull off secret moves successfully. Brushwood said his understanding and use of the term social engineering goes beyond the security industry perception. "When I use the phrase, I am actually talking about an older version of it. Social engineering just basically means the application of social science to the solution of social problems," he said. "In other words, it's getting people to do what you want by using certain sociological principles."

As protests in Iran last month drew the world's attention, the top executives at a large global industrial goods company held a teleconference to consider their options. The meeting was hastily called, but the participants were not starting from scratch. In fact, the events unfolding in the country were strikingly similar to a scenario that they had developed, along with a handful others, in a 2008 offsite meeting focused on potential changes in their competitive environment. The workshop, the output, and the eventual impact on decision making represents a perfect illustration of how so-called scenario planning techniques can be utilized to help managers navigate in complex and uncertain environments. In the meeting the industrial company held last year, executives had discussed each scenario they developed, the potential triggers for each of them, and how the company should respond to each of these situations if it were to arise. Pulling out the notes from these discussions, they already knew their options and had a view on how they would like to respond. In many ways, they were prepared -- and already one step ahead of some other companies.

Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information. Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cybercrooks can use it for hacking. The tool's authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web. Chris Gates, a security tester who co-developed the Metasploit tool, will unveil it next week at the annual Black Hat conference in Las Vegas, where thousands of security experts and hackers will gather to exchange trade secrets. "Anyone with no skill and knowledge can download and run it," said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies.

The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company's computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure. Indeed, "you can take out more data in a thumb drive now than people could take out in a super-computer 10 years ago," according to Kevin Kalinich, co-national managing director for Professional Risk Solutions at Aon. The risk of a data breach is very real for companies large and small across almost any industry, noted Mr. Kalinich. He cited a report from the University of California, Berkeley, that more data has been aggregated and stored in the last three years than in the entire history of mankind. He also noted that between 75 and 85 percent of Fortune 2000 companies have suffered a "material data breach," meaning there is a growing market for those selling insurance coverage for liability and repair costs, as well as loss control services. Companies that take an "it won't happen to me" approach to securing data need only look at news headlines to see that organizations are often hit by breaches, and as more data is being stored electronically, the potential for, and impact of possible breaches increase. Princeton, N.J.-based credit and debit processing company Heartland Payment Systems reported that it had been compromised in 2008 in a breach that involved up to 100 million records, which would be tops for number of records accessed in a breach. The Heartland incident would displace the 2007 breach of TJX, in which over 45.6 million credit and debit card numbers were stolen. The TJX breach, in turn, took the record set by a breach of CardSystems Solutions in 2005.

Dr. Jay Holland of Little Rock and two former employees of St. Vincent Infirmary Medical Center pleaded guilty Monday to misdemeanor violations of the federal medical records privacy law, the U.S. Attorney's Office and the FBI in Little Rock announced. Holland, Sarah Elizabeth Miller of England and Candida Griffin of Little Rock admitted accessing "without any legitimate purpose" the medical records of Anne Pressly, the KATV-TV, Channel 7, reporter who was fatally attacked in her home in October. For the violations of the Health Insurance Portability and Accountability Act, each faces up to one year in prison, a fine of up to $50,000, or both. Sentencing has not been scheduled.

Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute. The Ponemon survey (download PDF) of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis. The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives and are more confident that data breaches can be easily avoided. Ponemon found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements. The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data. While eight out of 10 respondents said they believe there is one person responsible for data protection in their organization, there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way. And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability, we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute. The Ponemon survey (download PDF) of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis. The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives and are more confident that data breaches can be easily avoided. Ponemon found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements. The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data. While eight out of 10 respondents said they believe there is one person responsible for data protection in their organization, there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way. And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability, we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

Further proof that LA has it head in the clouds - A plan to overhaul the city of Los Angeles' computer system is raising concerns about the security of confidential information. The nation's second-largest city is considering dumping its in-house computer network for Google Inc. e-mail and office programs that are accessed over the Internet. But the city police union says it doesn't have enough information to determine if sensitive witness and investigation files will be secure from hackers. Google spokeswoman Aviva Gilbert says security "is built into the DNA of our products."

A plan to overhaul the city of Los Angeles' computer system is raising concerns about the security of confidential information. The nation's second-largest city is considering dumping its in-house computer network for Google Inc. e-mail and office programs that are accessed over the Internet. But the city police union says it doesn't have enough information to determine if sensitive witness and investigation files will be secure from hackers. Google spokeswoman Aviva Gilbert says security "is built into the DNA of our products."

The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second time to prevent unauthorized access to confidential patient information, state pubic health officials said today. [Updated at 3 p.m.: A spokesman for the hospital said the fine was part of the ongoing investigation into employees improperly accessing the medical records of Nadya Suleman and her children. Disciplinary action has been taken against the employees, said Jim Anderson, a hospital spokesman. All the incidents occurred in January; a previous post said they had occurred in April and May.] State officials said Kaiser Permanente Bellflower Medical Center compromised the privacy of four patients when eight employees improperly accessed records. This is the second penalty against the hospital, officials said. The hospital was fined $250,000 in May for failing to keep employees from snooping in the medical records of Nadya Suleman, the woman who set off a media frenzy after giving birth to octuplets in January. The fine was the first penalty imposed and largest allowed under a new state law enacted last year after the widely publicized violations of privacy at UCLA Medical Center involving Farrah Fawcett, Britney Spears, California First Lady Maria Shriver and other celebrities. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California," said Dr. Mark Horton, director of the California Department of Public Health. "Medical privacy is a fundamental right and a critical component of quality medical care in California."

Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis. Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.

A law designed to keep college students' grades private often is used for a much different purpose -- to shield universities from potentially embarrassing situations. Some critics say a number of schools are deliberately misreading the Family Educational Rights and Privacy Act in order to keep scandals and other unflattering news from hitting the media. "Some schools have good-faith misunderstandings of the law, but there are others that simply see this as a handy excuse to hide behind," says Frank LoMonte, executive director of the Student Press Law Center, which provides student journalists with legal help. Legal experts say part of the problem is that the law is loosely defined. In addition, the potential consequences of violating the law -- namely, that schools would lose their federal funding -- prompt university officials to be conservative in their decisions about releasing information. Those complaints rankle advocates of student privacy, who say that, if anything, the three-decade-old law should be expanded. "Most of these kids are adults, and they should be able to make their own decisions," says Daren Bakst, president of the Council on Law in Higher Education. Congress already reworked the law to clarify when universities can disclose student information, especially involving health and safety matters. Those changes, adopted in January, followed the 2007 shooting rampage at Virginia Tech by a mentally troubled student.

Yahoo Tuesday announced that has developed a feature that will allow users to opt out of behavioral targeting on mobile devices. "We believe the mobile experience should offer the same privacy protections consumers expect to find on the PC," Yahoo said in a blog post announcing the feature. "Furthermore, management of privacy protections should be available via any mobile device, whether that's an iPhone or a Blackberry." Many companies that track people's Web activity on PCs and send them ads notify users about the practice and allow them to opt out. But it's still unusual for behavioral targeting companies in the mobile space to let people opt out. At least a dozen companies say they offer some form of mobile behavioral targeting. But only two appear to allow users to opt out, according to Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum.

In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site's privacy policies and practices. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," says Privacy Commissioner Jennifer Stoddart. The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law. An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the "account settings" page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook's servers. The Privacy Commissioner's report recommends more transparency, to ensure that the social networking site's nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.