Security Breaches – A Short List

Security Breaches

Here is a basic sampling of security breaches that have been gathered from across the Internet. Who’s really winning this cyber war?

Hackers bait Zeus botnet trap with dead celeb tales

UPDATE: Idaho Power says Mercer breach affected over 375,000

UK insurer hit with biggest ever data loss fine

Judge approves Countrywide Financial ID theft settlement

Laptop stolen from U Kentucky had info on newborns and mothers

UConn notifies 10,174 applicants of laptop theft

Bank of America settles Countrywide data theft suits

College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Top 10 Cyber Crime Jobs

The Cyber Crime Organization

This morning, while reading my daily dose of security breaches to post to my Twitter account, I came across a great article from an FBI study that discusses the makeup of a Cyber Crime organization. The Top 10 Positions, if you will.

It really made me think back to the days when hackers were young kids, bored, sitting at a computer seeing what mischief they could cause. Oh, how things have changed.

As I talk to clients daily and discuss the issues of Cyber security it makes me really wonder how many firms really think about hackers being in a “Cyber Crime Organization”. Clients have their internal IT and Security departments with a variety of talent who create applications and those that protect the applications, and data and networks and so forth. Well, so do Cyber Criminals.

As I tell my clients, Cyber Criminals are very smart and sophisticated. You need to be smarter and more sophisticated. These criminal enterprises are run like a business. They are staffed with top talent that is dedicated to the job, yes, their criminal job! By having these enterprises set up and running, they can and do strike within hours of an opportunity making itself available.

Here is a look at the “Top 10” positions within a Cyber Criminal Organization, according to the FBI.

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise.

2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.

4. Hackers, who search for and exploit applications, systems and network vulnerabilities.

5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.

7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.

9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.

10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

As I said earlier, this is no longer a bored teenager looking for mischief.

Wils Bell

Information Security Recruiter

Security Job: Web Application Security Consultant

Position Summary for

Web Application Security Consultant w/ Java

“70% Telecommute Opportunity”

Job Type: Consultant
Job Location: Telecommute from home 70%+ of time
Compensation: $70 – $80 per hour; maybe more
Telecommute: Yes
Education: Degree a plus, but not required
Certifications: See Below
Travel %: 20-30%
Relo Paid: N/A

Our Client has developed a very strong track record of delivering web application security services on a consulting basis to their financial and banking industry clients.

This strong record of exceptional service has resulted in additional long-term assignments and the need for additional team members.

SecurityHeadhunter.com is seeking Web Application Security consultants to lead and participate in web application security consulting assignments. The current team is made up of seasoned software engineering professionals who have 20+ years of total experience. That experience includes building large Java enterprise applications.

As stated above, our client’s solid delivery and track record has created a situation where their clients invite them back for additional projects.

In this role, a consultant will perform application security assessments through both on-site and off-site project assignments. The successful consultant will lead small review teams and will consult on threats and mitigation approaches.

The majority of the work will be done in a telecommute fashion whereby you can work from your home office. Expected travel will only be in the 20-30% range on weekdays only. You’ll be home on weekends.

Possible travel sites: NC, MN, PA, CA

Required Background:

  • A BS in math, computer science or engineering discipline is preferred.
  • Education at the Masters level is appreciated.
  • Certifications to include the CISSP, CSSLP, EC-Council E|CSP and/or SANS, GIAC Secure Software Programmer – Java (GSSP-JAVA) are highly appreciated.

A consultant must demonstrate the following:

• A very solid and deep knowledge & understanding of web application security threats, risk models and tools.

• Static analysis experience with Fortify (preferred) or IBM Ounce Labs tools.

• Architectural review, manual source code review, dynamic analysis.

• Solid technical background that includes Java enterprise application technology.

• Ability to interact with customers for presentation and communication purposes.

• Ability to manage small technical teams and projects.

• Must be experienced in helping clients to build security into their software development processes.

The successful candidate must be able to read and understand Java code, APIs and architecture (JSP, Servlet, EJB, Hibernate, Struts, Ant, etc.). A prior Java programming background is strongly preferred.

Desired Skills

A background that includes Microsoft application technology is appreciated (.NET, classic VB and ASP). Technical project management / team leadership experience is required.

To learn more about this situation or others, please contact:

Wils Bell

Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson


Millions of MA Residents Exposed to Cyber Breaches

Today’s Cyber Breach

From the Boston Globe:

http://www.boston.com/news/local/massachusetts/articles/2010/01/03/data_breaches_affect_million_state_residents/?rss_id=Boston.com+–+Massachusetts+news

Wils Bell
Information Security Recruiter

Security Breach Compromises Information

Security Recruiter – Daily Security Breach Report from the Web

Security breach compromises information on 1,400 District 86 grads

December 4, 2009
By SANDY ILLIAN BOSCH sbosch@pioneerlocal.com

A security breach discovered last month at the University of Nebraska involved the names, addresses and Social Security numbers of 1,400 Hinsdale High School District 86 graduates.

The breach involved a computer in the College of Education and Human Sciences at the Lincoln campus. The university’s investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information.

Associate Dean Deb Mullen said the information about students who graduated between 2002 and 2005 was used in a study intended to analyze the practices of school districts and what could be done to improve test performance.

“The district was doing it for school improvement,” Mullen said.

The information was provided to the university by the ACT organization, with permission from District 86, according to Mullen. She said it is not uncommon for researchers to obtain student information from school districts. The difference, she said, is that these days the students are identified by randomly assigned student identification numbers.

“Back in those days Social Security numbers were used as ID numbers,” she said.

Letters were sent to all 4,000 students whose information was made accessible through the security breach. Although no one has reported the misuse of information involved in the security breach, Mullen said she has fielded many calls from former students who did not understand how the University of Nebraska had their information. She said many people involved also have accepted the university’s offer to pay for a year of LifeLock identity protection.

Also included among the 4,000 names involved in the security breach were students from Glenbard District 87 and students from schools in South Sioux City, Neb. Mullen said all of the information has been purged from the university’s records.

Representatives from District 86 could not immediately be reached for comment Friday.

Source: http://www.pioneerlocal.com/clarendonhills/news/1921349,hi-d86security-120409-s1.article

Presented by:

Wils Bell – Security Recruiter


“Why work with a generalized recruiter when you could work with a specialized Security Recruiter!!”

Why I Don’t Share Client Name

Why I Don’t Share the Name of Client on First Recruiting Call

When I am recruiting for an open Security Job that is not a retained search, I usually do not share the name of my client with a cold-called candidate, for several reasons, until we have talked in detail.

First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for “this job”. Perhaps future jobs, but not this one. It does not mean that they are not a good security candidate, just not a good match for this job. Sometimes they, on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me to pre-screen heavily so as only to present dead-on matches, they get upset. I have had these people try to go directly to the client themselves or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.

Also, I have had some very well-intentioned people that knew my client name simply mention to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company, and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out, they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.

Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.

Since this is how I earn a living for me and my family, please don’t be insulted by the process and my guarding my client name until we agree it’s a match.

Happy Holidays,

Wils Bell – Security Recruiter


PCI Standards Not Doing Enough


Visa, Inc. has begun testing new security measures with retailers and banks that go beyond the current standards set by PCI. This PCI (Payment Card Industry) standard has been the private sector’s attempt to regulate itself, but it no longer is thought of as strong IT Security. Way too much debit and credit card information is being breached by “so called” certified PCI compliant organizations.

According to Rep. Yvette Clarke (D-NY), the PCI Compliant Standard is not worthless, but is not currently sufficient to protect company data. She stated: “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.”

As an example, last February a third party certified a major grocery store chain (Hannaford Bros.) PCI Compliant one day AFTER it was informed of the system intrusions that had begun two months earlier. Hannaford Bros. later indicated that they would be spending “millions” of dollars upgrading security after the breach of 4 million plus credit and debit accounts.

As most of you know, these breaches are happening more and more. Remember Heartland, the card processor?

The cost to companies for data breaches, as I wrote about in an earlier blog, can be staggering, not to mention your loss of brand name.

What about the multiple lawsuits that follow these types of breaches? They could put these companies out of business.

How many employees could lose their jobs for something they had no control over?

PCI Standards need to be updated and the compliancy and technology followed 24/7, 365 days a year.

By: Wils Bell, President

LinkedIn Profile: http://www.linkedin.com/in/wilsbell
SecurityHeadhunter.com, Inc.

Security & Risk Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976

Email: Bell@SecurityHeadhunter.com

Web: SecurityHeadhunter.com