Heartland, TJX Attacks Look Sadly Familiar

The news that federal authorities have indicted the man they claim is responsible for the TJX attack for also allegedly hacking into the networks of Heartland Payment Systems, 7-Eleven and the Hannaford Brothers grocery chain shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated.

Three Indicted For Hack Attacks on Heartland, Hannaford

A Miami man and two Russians have been indicted [usdoj.gov] by a grand jury in New Jersey on charges of conspiring to commit some of the largest data breaches in U.S. history.

Albert Gonzalez, 28, and the two still-unnamed Russian citizens are charged with running an international scheme to steal more than 130 million credit and debit card numbers along with personally identifying information from five companies, including Heartland Payment Systems Inc., 7-Eleven Inc. and Hannaford Brothers Co. The two other companies were not named in the indictment because their breaches have not yet been made public. Read the full story [computerworld.com]. Here’s a PDF link to the indictment [washingtonpost.com].

What’s the Value of a Stolen Credit Card?

By Dmitry Bestuzhev

The credit crunch means we’re all increasingly aware of bank charges, interest rates, and how we can save a few extra pennies. Financial advisors have written pages on how transferring an existing credit card balance to another card issuer could save you money, and most people are shopping around for the best offers.

Of course, the APR and other rates don’t worry cybercriminals. All they want to do is get their hands on credit card numbers and then use them or sell them on. Who cares if the card owner gets stung with additional charges? Read the full story [Viruslist].

A huge number of Web sites are employing a little-known tracking mechanism to gather information on visitors and are failing to disclose the practice in their privacy policies, according to a new paper from a group of university researchers. The technique employs cookies generated by the Adobe Flash software and the cookies often have the same value as HTTP cookies, the researchers report.

By Rich Mogull (Securosis)
Mr. Carr,

I read your interview with Bill Brenner in CSO magazine today, and I sympathize with your situation. I completely agree that the current system of standards and audits contained in the Payment Card Industry Data Security Standard is flawed and unreliable as a breach-prevention mechanism. The truth is that our current transaction systems were never designed for our current threat environment, and I applaud your push to advance the processing system and transaction security. PCI is merely an attempt to extend the life of the current system, and while it is improving the state of security within the industry, no best practices standard can ever fully repair such a profoundly defective transaction mechanism as credit card numbers and magnetic stripe data.

From IDG News Service (Juan Carlos Perez)

Members of the eBay Developers Program must change their account passwords because the e-commerce company recently discovered a way in which account information could be accessed by malicious hackers.

This requirement comes “out of an abundance of caution” on the part of eBay, which hasn’t detected any suspicious activity in developer accounts, the company said Monday evening. Read the full story [cio.com]. See the eBay warning [ebay.com].

Two of the largest U.S. banks — Bank of America and Citigroup — have issued new credit and debit cards to Massachusetts customers after running into data-safety concerns.

Bank of America and Citigroup each recently issued replacement cards to consumers, telling them in letters that their account numbers may have been compromised. Read the full story [bizjournals.com].

By Bruce Schneier

There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain (to the police, a judge, or his parents) if he doesn’t think it’s fair. This also works, but still requires another person, at least to resolve disputes. A third way is for one person to do the dividing, and for the other person to choose the half he wants.

From SC Magazine (Angela Moscaritolo)

Businesses are using a variety of technologies to help reduce the impact of threats, prevent breaches and meet compliance — but some of these products are more beneficial than others, according to a new Forrester report released Wednesday that examines the state of network threat mitigation. “Current attacks are very complex, and enterprise teams struggle to keep up,” the report states.

The report studies the benefits of many of the most popular technologies that businesses are using to secure their networks. Web application firewalls and intrusion prevention systems (IPS) are said to be necessary technologies for many businesses. At the same time, network access control (NAC) and unified threat management (UTM) technologies will continue to struggle to find a foothold, the report states. Read the full story [scmagazineus.com]. Here’s a link to the Forrester report [forrester.com].