Security Breaches – A Short List

Security Breaches

Here is a basic sampling of security breaches gathered from across the Internet. Who's really winning this cyber war?

Hackers bait Zeus botnet trap with dead celeb tales

UPDATE: Idaho Power says Mercer breach affected over 375,000

UK insurer hit with biggest ever data loss fine

Judge approves Countrywide Financial ID theft settlement

Laptop stolen from U Kentucky had info on newborns and mothers

UConn notifies 10,174 applicants of laptop theft

Bank of America settles Countrywide data theft suits

College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Top 10 Cyber Crime Jobs

The Cyber Crime Organization

This morning, while reading my daily dose of security breaches to post to my Twitter account, I came across a great article on an FBI study that describes the makeup of a cyber crime organization. The top 10 positions, if you will.

It really made me think back to the days when hackers were young kids, bored, sitting at a computer seeing what mischief they could cause. Oh, how things have changed.

As I talk to clients daily and discuss cyber security issues, it makes me wonder how many firms really think of hackers as part of a "cyber crime organization". Clients have internal IT and security departments staffed with a variety of talent: those who create applications, and those who protect the applications, the data, the networks and so forth. Well, so do cyber criminals.

As I tell my clients, cyber criminals are very smart and sophisticated. You need to be smarter and more sophisticated. These criminal enterprises are run like a business. They are staffed with top talent who are dedicated to the job, yes, their criminal job! With these enterprises set up and running, they can and do strike within hours of an opportunity presenting itself.

Here is a look at the "Top 10" positions within a cyber criminal organization, according to the FBI.

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise.

2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.

4. Hackers, who search for and exploit applications, systems and network vulnerabilities.

5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.

7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.

9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.

10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

As I said earlier, this is no longer a bored teenager looking for mischief.

Wils Bell

Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404

Security Job: Web Application Security Consultant

Position Summary for

Web Application Security Consultant w/ Java

“70% Telecommute Opportunity”

Job Type: Consultant
Job Location: Telecommute from home 70%+ of time
Compensation: $70 – $80 per hour; maybe more
Telecommute: Yes
Education: Degree a plus, but not required
Certifications: See Below
Travel %: 20-30%
Relo Paid: N/A

Our Client has developed a very strong track record of delivering web application security services on a consulting basis to their financial and banking industry clients.

This strong record of exceptional service has resulted in additional long-term assignments and the need for additional team members.

SecurityHeadhunter.com is seeking Web Application Security consultants to lead and participate in web application security consulting assignments. The current team is made up of seasoned software engineering professionals who have 20+ years of total experience. That experience includes building large Java enterprise applications.

As stated above, our client’s solid delivery and track record has created a situation where their clients invite them back for additional projects.

In this role, a consultant will perform application security assessments through both on-site and off-site project assignments. The successful consultant will lead small review teams and will consult on threats and mitigation approaches.

The majority of the work will be done in a telecommute fashion, whereby you can work from your home office. Expected travel will only be in the 20-30% range, on weekdays only. You'll be home on weekends.

Possible travel sites: NC, MN, PA, CA

Required Background:

  • A BS in math, computer science or engineering discipline is preferred.
  • Education at the Masters level is appreciated.
  • Certifications including the CISSP, CSSLP, EC-Council E|CSP and/or SANS GIAC Secure Software Programmer – Java (GSSP-JAVA) are highly appreciated.

A consultant must demonstrate the following:

• A very solid and deep knowledge & understanding of web application security threats, risk models and tools.

• Static analysis experience with Fortify (preferred) or IBM Ounce Labs tools.

• Architectural review, manual source code review, dynamic analysis.

• Solid technical background that includes Java enterprise application technology.

• Ability to interact with customers for presentation and communication purposes.

• Ability to manage small technical teams and projects.

• Must be experienced in helping clients build security into their software development processes.

The successful candidate must be able to read and understand Java code, APIs and architecture (JSP, Servlet, EJB, Hibernate, Struts, Ant, etc.). A prior Java programming background is strongly preferred.

Desired Skills

A background that includes Microsoft application technology is appreciated (.NET, classic VB and ASP). Technical project management / team leadership experience is required.

To learn more about this situation or others, please contact:

Wils Bell

Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson


Millions of MA Residents Exposed to Cyber Breaches

Today's Cyber Breach

From the Boston Globe:

http://www.boston.com/news/local/massachusetts/articles/2010/01/03/data_breaches_affect_million_state_residents/?rss_id=Boston.com+–+Massachusetts+news

Wils Bell
Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
Cell: 407-718-7764
Twitter: security_REC

Security Breach Compromises Information

Security Recruiter – Daily Security Breach Report from the Web

Security breach compromises information on 1,400 District 86 grads

December 4, 2009
By SANDY ILLIAN BOSCH sbosch@pioneerlocal.com

A security breach discovered last month at the University of Nebraska involved the names, addresses and Social Security numbers of 1,400 Hinsdale High School District 86 graduates.

The breach involved a computer in the College of Education and Human Sciences at the Lincoln campus. The university’s investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information.

Associate Dean Deb Mullen said the information about students who graduated between 2002 and 2005 was used in a study intended to analyze the practices of school districts and what could be done to improve test performance.

“The district was doing it for school improvement,” Mullen said.

The information was provided to the university by the ACT organization, with permission from District 86, according to Mullen. She said it is not uncommon for researchers to obtain student information from school districts. The difference, she said, is that these days the students are identified by randomly assigned student identification numbers.

“Back in those days Social Security numbers were used as ID numbers,” she said.

Letters were sent to all 4,000 students whose information was made accessible through the security breach. Although no one has reported the misuse of information involved in the security breach, Mullen said she has fielded many calls from former students who did not understand how the University of Nebraska had their information. She said many people involved also have accepted the university’s offer to pay for a year of LifeLock identity protection.

Also included among the 4,000 names involved in the security breach were students from Glenbard District 87 and students from schools in South Sioux City, Neb. Mullen said all of the information has been purged from the university’s records.

Representatives from District 86 could not immediately be reached for comment Friday.

Source: http://www.pioneerlocal.com/clarendonhills/news/1921349,hi-d86security-120409-s1.article

Presented by:

Wils Bell – Security Recruiter

SecurityHeadhunter.com

407-365-2404

Bell (at) SecurityHeadhunter.com

Web: SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

“Why work with a generalized recruiter when you could work with a specialized Security Recruiter!!”
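The article above notes that school districts once used Social Security numbers as student ID numbers and that researchers now receive randomly assigned IDs instead. As an added example, not code from the article, the university or District 86, here is what that replacement looks like in Python. The sample records are constructed for illustration (the SSNs are the numbers the SSA reserves for advertising, so they belong to nobody), the "S" + hex study-ID format is an assumption, and the shortcut many teams reach for, hashing the SSN, is shown beside it with the reason it is not a pseudonym: the input space is under a billion values, so the hash can be reversed by enumeration.

```python
import hashlib
import re
import secrets

# Constructed sample extract of the kind a district might hand to a researcher.
# 987-65-4320 .. 987-65-4329 are reserved by the SSA for advertising and are never issued.
SAMPLE_RECORDS = [
    {"name": "A. Student", "ssn": "987-65-4320", "act_score": 27, "grad_year": 2003},
    {"name": "B. Student", "ssn": "987-65-4321", "act_score": 31, "grad_year": 2004},
    {"name": "A. Student", "ssn": "987-65-4320", "act_score": 29, "grad_year": 2005},  # same person, retest
]

# Structural check only: area not 000/666, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def is_ssn(value):
    """True if value is a well-formed SSN (format check, not an issuance check)."""
    return isinstance(value, str) and SSN_RE.fullmatch(value) is not None


def leaked_ssns(records):
    """Scan every string field of a dataset for SSN-shaped values.
    Run this on anything about to leave the secured environment."""
    hits = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if isinstance(value, str):
                for m in SSN_RE.finditer(value):
                    hits.append((idx, key, m.group(0)))
    return hits


def weak_pseudonym(ssn):
    """The tempting shortcut: SHA-256(SSN). Deterministic, so rows for one person
    still link, but it is NOT a pseudonym: there are fewer than 10**9 SSNs."""
    return hashlib.sha256(ssn.replace("-", "").encode()).hexdigest()


def recover_ssn_from_weak_pseudonym(digest, area="987", group="65"):
    """Reverse a hashed SSN by enumeration. Shown here over one 10,000-value serial
    block; the full keyspace is about 10**9 guesses, minutes of work on one core."""
    for serial in range(10000):
        candidate = f"{area}-{group}-{serial:04d}"
        if weak_pseudonym(candidate) == digest:
            return candidate
    return None


def pseudonymize(records):
    """Replace each SSN with a random study ID and drop direct identifiers.
    The ID is drawn from the OS CSPRNG, so nothing about the SSN can be derived
    from it; the returned mapping is the only link and must be stored apart from
    the dataset (or destroyed once linkage is no longer needed)."""
    mapping = {}
    out = []
    for rec in records:
        ssn = rec["ssn"]
        if not is_ssn(ssn):
            raise ValueError(f"not a well-formed SSN: {ssn!r}")
        study_id = mapping.get(ssn)
        if study_id is None:
            study_id = "S" + secrets.token_hex(8)  # illustrative ID format (assumption)
            mapping[ssn] = study_id
        clean = {k: v for k, v in rec.items() if k not in ("ssn", "name")}
        clean["study_id"] = study_id
        out.append(clean)
    return out, mapping


if __name__ == "__main__":
    released, key_table = pseudonymize(SAMPLE_RECORDS)
    print("released rows:", released)
    print("SSN-shaped values left in release:", leaked_ssns(released))
    print("hashed SSN recovered:", recover_ssn_from_weak_pseudonym(weak_pseudonym("987-65-4321")))
```

The point of `recover_ssn_from_weak_pseudonym` is that a hash keyed only by the SSN is a lookup table waiting to be built; if rows must link across extracts, either keep the random mapping table or use a keyed MAC whose key never travels with the data.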

Why I Don’t Share Client Name

Why I Don’t Share the Name of Client on First Recruiting Call

When I am recruiting for an open security job that is not a retained search, I usually do not share the name of my client with a cold-called candidate, for several reasons, until we have talked in detail.

First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for "this job". Perhaps future jobs, but not this one. It does not mean that they are not a good security candidate, just not a good match for this job. Sometimes they, on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me to pre-screen heavily so as to present only dead-on matches, they get upset. I have had these people try to go directly to the client themselves or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.

Also, I have had some very well-intentioned people who knew my client's name simply mention to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company, and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out; they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.

Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.

Since this is how I earn a living for me and my family, please don't be insulted by the process and by my guarding my client's name until we agree it's a match.

 

Happy Holidays,

 

Wils Bell – Security Recruiter

Bell (at) SecurityHeadhunter.com

SecurityHeadhunter.com, Inc.

SecurityHeadHunter.com

 

Desk: 407-365-2404

PCI Standards Not Doing Enough

PCI Standards Not Doing Enough

Visa, Inc. has begun testing new security measures with retailers and banks that go beyond the current standards set by PCI. The PCI DSS (Payment Card Industry Data Security Standard) has been the private sector's attempt to regulate itself, but it is no longer thought of as strong IT security. Way too much debit and credit card information is being breached by "so called" certified PCI-compliant organizations.

According to Rep. Yvette Clarke (D-NY), the PCI compliance standard is not worthless, but it is not currently sufficient to protect company data. She stated: "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure."

As an example, last February a third party certified a major grocery store chain (Hannaford Bros.) PCI compliant one day AFTER it was informed of system intrusions that had begun two months earlier. Hannaford Bros. later indicated that it would be spending "millions" of dollars upgrading security after the breach of 4 million plus credit and debit accounts. Note what that sequence means: a compliance assessment is a point-in-time review of controls, and an attacker who is already inside does not show up on it.

As most of you know, these breaches are happening more and more. Remember Heartland, the card processor?

The cost to companies of data breaches, as I wrote about in an earlier blog post, can be staggering, not to mention the loss of brand name.

What about the multiple lawsuits that follow these types of breaches? They could put these companies out of business.

How many employees could lose their jobs for something they had no control over?

PCI standards need to be updated, and compliance and the technology behind it followed 24/7, 365 days a year, rather than validated once a year.

By:  Wils Bell, President

LinkedIn Profile: http://www.linkedin.com/in/wilsbell
SecurityHeadhunter.com, Inc.

Security & Risk Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976

Email: Bell@SecurityHeadhunter.com

Web: SecurityHeadhunter.com

Security Breach Leaves 45,000 Exposed

Another University Security Breach

On Tuesday of this week, Cornell University notified 45,000 current and former members of the University community that their names and social security numbers had been exposed.

How: A university-owned laptop was stolen earlier in the month.

A member of the university's technical staff had access to the laptop, which contained the sensitive data. They had the laptop for the purpose of correcting file-processing transmission errors.

The files on the computer containing the names and social security numbers were not encrypted, and the laptop was left in a physically unsecured environment, which violates university policy.

Even though the laptop contained "no other sensitive data" besides the names and social security numbers, it is unbelievable that the data was not encrypted. A name paired with an SSN is all an identity thief needs, and full-disk or file-level encryption is exactly the control that makes a stolen laptop a hardware loss instead of a breach notification to 45,000 people.

The university has stated that it believes it has identified all affected individuals and will provide protective services to them, including free credit reporting, credit monitoring and identity theft restoration services.

As I have written before in this blog, a data breach can cost you millions of dollars, and this does not include your brand reputation.

Individuals affected by this security breach include 22,546 students (10,597 of whom are alumni) and 22,731 faculty and staff members (of whom 4,284 are retirees or other separated employees).

University officials indicated that thus far none of the exposed data has been abused; however, once again this data breach draws attention to the far broader issue of the security of private information in this digital age.

The university also indicated that last June another Cornell computer used for administrative purposes was hacked, and the university notified 2,500 students of the incident and that personal information may have been breached.

As noted in other postings, it appears that many times when a Data or Security Breach is brought to light, the affected organization also indicates that this is not their first incident.

Wils Bell – President
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
PH: 407-365-2404
Fax: 407-956-4976
Email: Bell@SecurityHeadHunter.com

Web: SecurityHeadhunter.com

Linkedin: http://www.linkedin.com/in/wilsbell

Twitter: Security_REC

Breaking into the Computer Forensics Field

This article is being republished from the blog of Larry E. Daniel of Guardian Digital Forensics.

I thank Larry for this and for future posts we may republish.

**********************************************************

I receive a lot of inquiries from folks wanting to break into the computer forensics field. They typically ask what they need in terms of background, education, certifications, etc. The answer is: it varies.

Different companies and organizations will have different needs and different minimum standards based on where they are in size, growth and organizational life cycle.

For instance, a law enforcement agency with an established high tech crime unit may take on someone with minimum skills and train them from the ground up to perform forensic examinations.  Normally, this means that they already have someone who manages and directs their forensic activities.  On the other hand if they are trying to start up a forensic unit, they may be looking for someone with considerable skill and may draw from the rank of police officers first.

Private companies range from one-man shops up to mega companies. Smaller companies may need to hire examiners who require less time to get onto cases than a bigger company, which may have the luxury of hiring less experienced people and training them.

In the big companies it is possible to start out just doing acquisitions or standardized functions on cases such as setting up the case, copying the evidence and running the first few steps before an examiner takes over for the actual analysis.

There are always different paths to the same destination.  If you are a recent graduate of a computer forensics degree, then you have some educational background, but you probably don’t have much in the way of useful, i.e. practical experience in computer forensics in a lab environment.

In that case, I would recommend trying to find an internship with a forensic company or a law enforcement agency.  Preferably before you graduate so you can put that practical experience on your resume.

Different organizations may offer either paid or unpaid internships.  Since the intern is getting more out of the relationship than the company or organization, don’t be surprised if they only pay a stipend to cover your gas for the period of the internship.

If you are an experienced computer support person with a track record in network administration, PC support and/or IT security, your background is a big plus. However, you would still be pretty useless in a computer forensics lab until you are trained in the tools and processes. My advice for those of you considering a career change is to get your hands on the tools and practice with them so you can demonstrate knowledge to a prospective employer.

Bear in mind that computer forensics people tend to be very highly motivated toward self-learning and are constantly trying out tools and techniques to improve their skills. Many tools are available for free or as trial versions. You can even get a demo copy of EnCase with the purchase of the EnCase EnCE Study Guide, which will get you some hands-on experience.

While many people think that computer forensics means firing up the forensic software and clicking away, that is not the case at all. There are many things one must learn to practice forensics, both technical and legal.

If you are interested in the field and want a nice overview, I highly recommend "Computer Forensics for Dummies". It does a good job of giving a general overview of the field without being so technical you cannot understand it. Bear in mind, reading that book will not make you an examiner, but it will give you enough information to dig deeper if you are so inclined.

On the topic of internships, I would like to see more companies and agencies offering them.  However, bear in mind that providing a decent internship experience to someone is time consuming.  Also, bear in mind that as an intern, you may get very little practical experience the first time around.  You may spend a significant portion of the internship doing guided learning specific to the field.  The positive aspect of doing an internship is that you get face time with a company or agency that may hire you permanently.  At the very least, you are bolstering your resume for future employment prospects.

I offer internships at my company because I want to help people get into the field and also it gives me a chance to have a good look at potential future employees.  I only take on two interns at a time and only pay a stipend for the intern period.  But, in exchange, I try to make it the best experience I can for the interns and allow them to get some practical experience along the way.

I encourage my fellow examiners to do the same as I believe it will make the field stronger and also provide opportunities for aspiring computer forensics examiners.

By: Larry E. Daniel
May 26, 2009