Security breach/compromise - 2012

2012-04-02, 11:23

Global Payments breach - 1.5M exposed ...
- https://krebsonsecurity.com/2012/04/global-payments-1-5mm-cards-exported/
April 2, 2012 - "Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after Visa said it had pulled its seal of approval for the company... In a press release issued 9:30 p.m. ET Sunday, Atlanta based Global Payments Inc. said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained”. It remains unclear whether there are additional accounts beyond these 1.5 million that were exposed by the breach; the company’s statement seems to be focusing on the number of cards it can confirm that thieves offloaded from its systems..."

Breach anatomy graphic
- https://krebsonsecurity.com/wp-content/uploads/2012/04/breachanatomy-600x430.png

- http://h-online.com/-1498448
2 April 2012

- http://www.reuters.com/article/2012/04/02/us-visa-globalpayments-idUSBRE83102P20120402
Apr 1, 2012 - "Visa Inc. has dropped payment processor Global Payments Inc. from its list of approved service providers after a major cyber intrusion that could expose Visa, MasterCard, American Express and Discover card holders to fraud. Global Payments said it believes less than 1.5 million credit card numbers were stolen in the cyber security breach..."

- http://www.databreaches.net/?p=23827
March 30, 2012

- http://corporate.visa.com/media-center/index.shtml
Mar 30, 2012 - "Visa Inc. is aware of an announcement from Global Payments Inc. that it experienced unauthorized access into a portion of its processing system... Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity..."
- http://www.visasecuritysense.com/en_US/index.jsp

- http://newsroom.mastercard.com/2012/03/30/3-security-steps-to-protecting-your-personal-data/
March 30, 2012 - "... MasterCard and financial institutions do not proactively solicit personal or payment card information from customers... be wary of unsolicited requests by anyone claiming to represent one of these entities..."

:fear: :mad:

2012-05-02, 04:30

Breach window at Global Payments expands
- https://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/
May 1, 2012 - "A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012... Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time. Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011... so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems... Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, http://www.2012infosecurityupdate.com/, later this evening*."
* http://www.2012infosecurityupdate.com/
"... Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be re-instated to those lists at the conclusion of the re-validation and any required remediation... We have not publicly communicated any time periods and there is a full investigation underway. It would be premature and inappropriate for us to speak to or confirm any timeframes until the investigation is complete. We identified and self-reported this incident in early March, and we will continue to provide information to the appropriate parties as revealed by the investigation."
... As of May 1, 2012

:sad: :hair:

2012-05-14, 07:27

Debit card accounts stolen - Global Payments breach ...
- https://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/
May 14, 2012 - "Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud. At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer. That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc. According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers... The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have -some- of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised -both- Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.
Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN... USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that..."


2012-05-25, 03:26

WHMCS breach ...
- https://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/
May 24, 2012 - "A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries... for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software... Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server... WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords... Many users seem to be worried that the data stolen in the now-public breach may include WHMCS direct customer data, as well as the location of the installed software and credit card data, and passwords for WHMCS installs that were done by them or supplied during troubleshooting..."

- http://www.databreaches.net/?p=24284
May 22, 2012


2012-06-06, 21:01

LinkedIn Blog:
- http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
June 6, 2012 - "... update on this morning’s reports of stolen passwords.
We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should -never- change your password on any website by following a link in an email.
3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases..."

LinkedIn passwords leaked ...
- http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/
June 6, 2012 - "Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised. A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them. Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals. Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords. As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step..."

- http://www.reuters.com/article/2012/06/06/linkedin-breach-idUSL1E8H68FJ20120606
Jun 6, 2012

- https://krebsonsecurity.com/2012/06/if-you-use-linkedin-change-your-password/
June 6, 2012
> http://krebsonsecurity.com/password-dos-and-donts
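An added example (not from the post, LinkedIn or Sophos) of the point the Sophos quote makes about a file of unsalted SHA-1 hashes: without a salt, every user who picked the same password gets the same digest, so one table computed once matches the whole dump, whereas a per-user salt with a slow KDF makes each record unique. The sample password list, the short "known-weak" list and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter
from typing import Optional

# Constructed sample passwords standing in for a user table (not real leaked data).
SAMPLE_PASSWORDS = [
    "123456", "linkedin", "password", "123456",
    "correct horse battery staple", "12345678",
]
# Constructed, deliberately short "known-weak" list a defender would screen against.
WEAK_PASSWORDS = ["123456", "12345678", "password", "linkedin"]

# Assumption: illustrative work factor only, not a tuned recommendation.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The storage scheme described in the post: bare SHA-1 of the password, hex-encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Shape of the leaked file: one 40-hex-character digest per user, no salt, no username.
SAMPLE_DUMP = [sha1_unsalted(p) for p in SAMPLE_PASSWORDS]


def audit_unsalted_dump(hex_hashes, weak_passwords):
    """Defender-side audit of an unsalted dump.

    Returns (users_sharing_a_hash, users_whose_hash_equals_a_known_weak_password).
    With no salt, a single hash -> password table computed once answers the
    question for every user at the same time, which is why such dumps crack fast.
    """
    counts = Counter(hex_hashes)
    sharing = sum(n for n in counts.values() if n > 1)
    weak_table = {sha1_unsalted(w): w for w in weak_passwords}  # built once, reused for all
    weak_hits = sum(counts[h] for h in weak_table if h in counts)
    return sharing, weak_hits


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as 'salt_hex$dk_hex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return secrets.compare_digest(dk.hex(), dk_hex)


def audit_salted_dump(stored_records):
    """Same duplicate check on salted records: identical passwords no longer collapse
    into identical records, so any precomputed table would have to be rebuilt per salt."""
    counts = Counter(stored_records)
    return sum(n for n in counts.values() if n > 1)


def demo():
    """Returns (sharing_unsalted, weak_hits_unsalted, sharing_salted) for the sample data."""
    sharing, weak_hits = audit_unsalted_dump(SAMPLE_DUMP, WEAK_PASSWORDS)
    salted_records = [hash_salted(p) for p in SAMPLE_PASSWORDS]
    return sharing, weak_hits, audit_salted_dump(salted_records)


if __name__ == "__main__":
    print(demo())
```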


2012-06-07, 15:02

eHarmony dating site data-breach
- http://www.theregister.co.uk/2012/06/07/eharmony_also_breached_in_linkedin_password_dump/
7 June 2012 - "Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker as that obtained the LinkedIn data... It says all affected user passwords have been reset, along with providing the usual advice of creating strong passwords, using a different password for every site, and changing passwords every few months*. The LA Times says that the eHarmony list contained only passwords..."

* http://advice.eharmony.com/blog/2012/06/06/update-on-compromised-passwords/
June 6, 2012

> http://www.reuters.com/article/2012/06/07/us-linkedin-breach-idUSBRE85511820120607
Jun 7, 2012

eHarmony admits to leaking 1.5 million passwords
- http://h-online.com/-1612654
7 June 2012

:sad: :fear::fear:

2012-06-08, 00:07

Top 15 Worst Data Breach Incidents of 2012 ...
- http://www.csoonline.com/slideshow/detail/52656/The-Worst-Data-Breach-Incidents-of-2012---So-Far#slide1
June 18, 2012

6 Biggest Breaches Of 2012 So Far
- http://www.darkreading.com/taxonomy/index/printarticle/id/240002408
Jun 20, 2012
1. Zappos - Time Of Disclosure: January 2012 - Records Breached: 24 million records, including names, email addresses, phone numbers, last four digits of credit card numbers, and encrypted passwords...
2. UNC - Time Of Disclosure: February 2012 - Records Breached: 350,000 records...
3. Global Payment Systems - Time Of Disclosure: March 2012 - Records Breached: 7 million consumer records, including 1.5 million credit cards...
4. South Carolina Health and Human Services - Time Of Disclosure: April 2012 - Records Breached: 228,435 records...
5. University of Nebraska - Time Of Disclosure: May 2012 - Records Breached: 654,000 student records...
6. LinkedIn - Time Of Disclosure: June 2012 - Records Breached: 6.5 million user passwords...

Last.fm - change your password...
- http://arstechnica.com/security/2012/06/another-hack-last-fm-warns-users-to-change-their-passwords/
Jun 7, 2012 - "Social music site Last.fm announced an investigation into a user password leak this morning*... Last.fm is asking users to change their passwords immediately. Last.fm users can switch their passwords by logging in and accessing the "Settings" page, or by reporting their password as lost**. In the site's announcement, Last.fm re-emphasized these are the -only- means for password changes: 'We will never e-mail you a direct link to update your settings or ask for your password'..."

Millions of Last.fm passwords leaked
- http://h-online.com/-1613641
8 June 2012

* http://www.last.fm/passwordsecurity

** https://www.last.fm/settings/lostpassword

eHarmony - Vague post leaves unanswered questions
- http://arstechnica.com/security/2012/06/eharmony-confirms-member-passwords-compromise/
Jun 7, 2012

10 (or so) of the worst passwords exposed by the LinkedIn hack
- http://arstechnica.com/security/2012/06/10-or-so-of-the-worst-passwords-exposed-by-the-linkedin-hack/
Jun 6, 2012

:sad: :fear::fear:

2012-07-13, 17:49

Yahoo! - 453,492 pwd's and email addresses hacked and exposed...
>> https://www.computerworld.com/s/article/9229084/Passwords_leaked_from_Yahoo_Boozy_preachy_angry_and_easy
July 12, 2012 - "... a list of 453,492 email addresses and passwords in plain text... found them by hacking into a database associated with an unnamed Yahoo service. The passwords weren't all for Yahoo services; they also come from domain names including gmail.com, hotmail.com and aol.com..."
- http://www.reuters.com/article/2012/07/13/net-us-yahoo-hackers-idUSBRE86B0HT20120713

- http://h-online.com/-1637505
12 July 2012

Yahoo! confirms data breach
- http://h-online.com/-1640148
13 July 2012

Over 1 million user credentials compromised in Android Forums hack
- http://h-online.com/-1640164
13 July 2012

NVIDIA Forums suspended after hack
- http://h-online.com/-1640918
13 July 2012

Password Leaks Continue: Billabong, NVIDIA...
- https://threatpost.com/en_us/blogs/password-leaks-continue-billabong-nvidia-accounts-compromised-071312
July 13, 2012 - "... The attacks, which some have suggested are driven by a demand for e-mail addresses used to supply spam runs and targeted phishing attacks... especially when that password information is stored in cleartext..."

Thousands of GMX accounts compromised to send SPAM
- http://h-online.com/-1638088
13 July 2012

:sad: :fear: :spider:

2012-07-24, 17:53

11 million passwords leaked from Gamigo ...
- http://h-online.com/-1651198
24 July 2012 - "A file with 11 million password hashes belonging to users of the online games platform Gamigo has been circulated on the internet. According to an analysis by ZDNet, 8.2 million different email addresses are also part of the 478MB file. Around 3 million of these belong to users from the US, 2.4 million are German addresses and 1.3 million are supposed to originate in France. The list also includes corporate email addresses from companies such as IBM, Siemens, Deutsche Bank and the German insurance company Allianz. The file appeared in the same forum which had previously circulated millions of password hashes from Linkedin, Last.fm, eHarmony and other web sites... Gamigo, which is a subsidiary of the German Axel Springer publishing group, has confirmed to The H's associates at heise Security that the data contained in the file is authentic. The company has stated that it noticed a "security-related incident" in March 2012 in which an older version of a database was copied off its servers. Gamigo says it immediately contacted the affected members and reset the passwords to their accounts. The company also says it took the affected database offline and initiated "a comprehensive security audit". Now that the data has been leaked, the company wants to look at the incident again. Users who are registered with Gamigo and have used the same password at other web sites should immediately change their logins..."

Password leak at meetOne - 900,000 members ...
- http://h-online.com/-1652783
26 July 2012 - "A data leak at the meetOne dating site allowed anyone to access private data including the plaintext passwords, email addresses and real names of the site's approximately 900,000 members..."

:sad: :mad:

2012-07-29, 22:54

8.7 million hacked mobile customers in S.Korea
- http://news.yahoo.com/8-7-million-mobile-customers-hacked-korea-062535102.html
July 29, 2012 - "South Korean police have arrested two hackers who stole personal data of 8.7 million customers of the nation's second-biggest mobile operator, the company said. KT said the hackers - formally arrested on Sunday - had stolen data such as customers' names, phone numbers and residential registration numbers for five months since February and sold the information to telemarketing firms... Hacking attacks on major companies aimed to gain access to the personal data of their customers is a frequent occurrence in South Korea, one of the world's most-wired nations. Seoul authorities said in July last year hackers using an Internet address registered in China had gained access to South Korean major websites including web portal Nate.com and may have stolen the private data of 35 million users. In November 2011, Seoul's top games developer Nexon saw personal information of 13 million users of its popular online game MapleStory stolen by hackers. In March 2010, authorities launched a probe into the security systems of major retailer Shinsegae and 24 other companies after private data on 20 million customers was leaked."

:sad::fear: :mad: :mad:

2012-08-01, 15:37

Dropbox: Password Breach Led to Spam
- https://krebsonsecurity.com/2012/07/dropbox-password-breach-led-to-spam/
July 31, 2012 - "Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked... a statement released on its blog* this evening... says it has plans to roll out additional security measures that should help users protect their Dropbox accounts even if users (or employees, assumedly) lose account passwords, including two-factor authentication..."
* http://blog.dropbox.com/index.php/security-update-new-features/
July 31, 2012 - "A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox... Our investigation found that usernames and passwords recently stolen from -other- websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam... we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:
• Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
• New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
• A new page that lets you examine all active logins to your account.
• In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time).
At the same time, we strongly recommend you improve your online safety by setting a unique password for -each- website you use..."

- http://h-online.com/-1657230
1 August 2012

- http://countermeasures.trendmicro.eu/dropbox-breach-leaves-unanswered-questions/
1 August 2012

:fear: :sad:

2012-08-10, 17:58

Blizzard pwned - email, encrypted passwords slurped
Millions of World of Warcraft players raided
- http://www.theregister.co.uk/2012/08/10/blizzard_hacked/
10 Aug 2012 - "Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hacks. The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system. It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened." Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added. However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse..."
(More detail at the URL above.)

- https://isc.sans.edu/diary.html?storyid=13870
Last Updated: 2012-08-10 01:51:02 UTC

- http://h-online.com/-1665425
10 August 2012


2012-09-18, 15:07

$10 million hacking spree on Subway sandwich shops
The Romanians admitted their role in ring that compromised some 146,000 cards
- http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/
Sep 18, 2012 - "Two Romanian men have admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 Subway restaurant franchises and stole data for more than 146,000 accounts. The heist, which spanned the years 2009 to 2011, racked up more than $10 million in losses, federal prosecutors said.
Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit credit card fraud, documents filed on Monday in US District Court in New Hampshire showed. Dolan admitted he helped alleged ring leader Adrian-Tiberiu Opera scan the Internet for point-of-sale systems... Monday's plea agreement, which was signed by the defendant, stated. "Next, once he cracked the password and gained administrative access, Dolan remotely installed software programs called 'keystroke loggers' (or 'sniffers') onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data."
Dolan hacked into "several hundred US merchants'" systems and stole payment data belonging to about 6,000 cardholders, according to the document. He has agreed to spend seven years in prison.
Cezar Iulian Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit credit card fraud. In a separate plea agreement that was also signed, he admitted repeatedly asking Opera to provide him with payment card data stolen through the conspiracy. He obtained data belonging to about 140 cardholders. Butu has agreed to be sentenced to 21 months in prison..."


2012-09-26, 13:45

IEEE data breach exposes 100,000 passwords ...
- http://h-online.com/-1717358
26 Sep 2012 - "Romanian researcher Radu Drăgușin says that he managed to extract 100,000 plain text IEEE member passwords from approximately 100GB of log files. The log files were publicly accessible on the IEEE's FTP server and had been available for at least a month before being discovered by the researcher... the most frequently used password continues to be "123456", closely followed by "ieee2012" and "12345678"... The IEEE has now confirmed the incident on its Facebook page and on its web site*, noting that the problem has been fixed and that it is currently in the process of informing affected users. The organisation is the largest technical industry association worldwide, managing, maintaining and approving standards such as the current Ethernet and Wi-Fi specifications."
* https://origin.www.ieee.org/about/news/2012/25september_2_2012.html

- http://www.theregister.co.uk/2012/09/25/ieee_leaks_logins/
25 Sep 2012 - "... Apple, Google, IBM, Oracle, Samsung, NASA, Stanford University and so on – practically any outfit that employs high-ranking engineers in electrical, electronics, computer sciences and communications disciplines will probably get mentioned somewhere in the logs..."

- http://www.darkreading.com/taxonomy/index/printarticle/id/240008028
Sep 26, 2012

:fear: :spider: :sad:

2012-09-28, 15:10

Adobe hacked ...
- http://h-online.com/-1719955
28 Sep 2012 - "Adobe's Director of Product Security and Privacy, Brad Arkin, has summarised the current state of his company's investigations into the inappropriate use of Adobe certificates in a blog post*. Unknown intruders are thought to have hacked an internal server in order to provide specific malware programs with a valid digital signature. These tools were then apparently used for targeted attacks... Arkin doesn't specify who was attacked or what happened as a result. However, the extent of the attackers' efforts points towards a high-profile or at least a lucrative target. Arkin also neglects to answer the question of how the attackers intruded into Adobe's systems. What is known is that they compromised an internal build server that had the ability to issue code-signing requests. This server and the complete code-signing infrastructure have now been decommissioned. Arkin said that the private key that is associated with the compromised certificate was not stolen because it is kept in a hardware security module that was not breached. No other information or source code appears to have been stolen. On Thursday 4 October, Adobe plans to respond by revoking the affected certificate for any software that was signed after 10 July 2012. The revocation affects Adobe applications on the Windows platform as well as three Adobe AIR applications that are available for Windows and Mac systems (Adobe Muse, Adobe Story AIR Applications and Acrobat.com Desktop Services). The company has provided more detailed information about the affected software on a dedicated support page**..."
* https://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

** http://helpx.adobe.com/x-productkb/global/certificate-updates.html

- http://www.f-secure.com/weblog/archives/00002435.html
Sep 28, 2012

- http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
Sep 27, 2012

:mad: :fear: :sad:

2012-10-16, 16:34

Hacks steal $400K from city bank account
- https://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_city_bank_account
Oct 15, 2012 - "Burlington, Wash. officials have notified hundreds of employees and residents that their bank account information was compromised last week when hackers broke into city systems and stole more than $400,000 from a city account at Bank of America. Among those impacted by the breach are employees participating in Burlington's electronic payroll deposit program and utility customers enrolled in the city's autopay program for sewer and storm drain charges. In an alert issued this morning, city administrator Bryan Harrison said all autopay customers should assume that their name, bank account number and routing number was compromised following an intrusion into a city utility billing system. He urged affected customers to immediately contact their bank to flag or close their accounts... All employees participating in the city's electronic payroll deposit program have also been asked to close out their old accounts and establish a new one as a result of the breach... the city first learned of the online heist last Thursday when an east coast bank sought information about a series of suspicious transfers from a Burlington city account... The city immediately reviewed the activity and noticed at least three "significant transactions" from its Bank of America account to accounts at the east coast bank. In all, over $400,000 was illegally transferred to business and personal accounts around the country over a two-day period... Investigators are trying to figure out how the intruders gained access to the Bank of America account. The account has been frozen and all of the city's money has been temporarily moved out of Bank of America as a precaution. Numerous other small towns, municipalities and small businesses have been victimized by similar online heists over the past three or four years... The FBI has estimated that U.S. businesses and banks have lost hundreds of millions of dollars due to such thefts in recent years.
The Burlington theft came just days after security firm RSA warned* of cybercriminals plotting a massive and concerted campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks..."
* http://blogs.rsa.com/rsafarl/cyber-gang-seeks-botmasters-to-wage-massive-wave-of-trojan-attacks-against-u-s-banks/

TD Bank: Data loss affects 260,000 U.S. customers*
- http://www.databreaches.net/?p=25643
Oct 12, 2012
* http://www.onlinesentinel.com/TD-Bank-data-breach-affects-35000-in-Maine-.html
"... loss of data affects bank customers in at least six states, and may include names, addresses, dates of birth and account numbers..."


2012-11-15, 05:30

Adobe pwd database compromised - Connectusers.com via SQL injection attack
- https://blogs.adobe.com/adobeconnect/2012/11/connectusers-com-forum-outage-following-database-compromise.html
Nov 14, 2012 - "Adobe is currently investigating reports of a compromise of a Connectusers.com forum database. These reports first started circulating late during the day on Tuesday, November 13, 2012. At this point of our investigation, it appears that the Connectusers.com forum site was compromised by an unauthorized third party. It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted. To protect Connectusers forum users, we have taken the following actions:
- The Connectusers.com forum site was taken offline in the evening of Tuesday, November 13, 2012. We are working diligently to restore forum services as soon as possible.
- We are in the process of resetting the passwords of impacted Connectusers.com forum members and will reach out to those members with instructions on how to set up new passwords once the forum services are restored.
As a reminder, one of the best ways to protect yourself online is to follow password best practices and use different login credentials across different websites and services. We sincerely apologize for the inconvenience this may cause to our forum members. Your security is of critical importance to us, and we appreciate your patience as we work towards restoring Connectusers.com forum services."

- https://isc.sans.edu/diary.html?storyid=14515
Last Updated: 2012-11-15 04:03:00 UTC
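The thread title says the Connectusers.com forum database was reached through SQL injection, and Adobe's statement says password resets followed. As an added illustration (this is not Adobe's code, and the table layout, user names and salts are constructed for the demo), here is a forum "member search" written the way such bugs usually look, next to the parameterized version, with the payload that turns the search into a dump of the password-hash column:

```python
import hashlib
import sqlite3

def hash_password(password, salt):
    """Illustration only; a production site would use a slow KDF (scrypt, bcrypt, PBKDF2)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_forum_db():
    """Constructed sample forum user table; it is not Connectusers.com's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    for name, pw in [("alice", "correct horse"), ("bob", "battery staple")]:
        salt = "salt-" + name  # constructed; real salts come from a CSPRNG
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, hash_password(pw, salt)))
    conn.commit()
    return conn

def search_members_vulnerable(conn, prefix):
    """Member search with the prefix pasted into the statement: the caller controls the SQL."""
    sql = "SELECT username FROM users WHERE username LIKE '%s%%'" % prefix
    return [row[0] for row in conn.execute(sql)]

def search_members_safe(conn, prefix):
    """Same feature with a bound parameter: the input can only ever be a LIKE pattern."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]

# Payload: closes the string literal, appends a UNION over the hash column,
# and comments out the rest of the original statement.
INJECTION = "' UNION SELECT pw_hash FROM users --"

def stored_hashes(conn):
    """Ground truth for comparison: what a search box should never be able to return."""
    return [row[0] for row in conn.execute("SELECT pw_hash FROM users ORDER BY username")]

if __name__ == "__main__":
    db = make_forum_db()
    print("vulnerable:", search_members_vulnerable(db, INJECTION))  # both hashes leak
    print("safe:      ", search_members_safe(db, INJECTION))        # []
```

The vulnerable statement ends up as `... LIKE '' UNION SELECT pw_hash FROM users --%'`, which the database happily runs; the parameterized one treats the whole payload as a (non-matching) prefix. Even with parameterization, stored hashes should be slow-KDF hashes with per-user random salts, because the next injection or backup leak will be tested against them offline.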


2012-11-19, 04:56

FreeBSD.org intrusion - Security Incident on FreeBSD Infrastructure
- http://www.freebsd.org/news/2012-compromise.html
Nov 17 2012 - "On Sunday 11th of November, an intrusion was detected on two machines within the FreeBSD.org cluster. The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution. We have found no evidence of any modifications that would put any end user at risk. However, we do urge all users to read the report (here)... and decide on any required actions themselves. We will continue to update (this) page as further information becomes known. We do not currently believe users have been affected given current forensic analysis, but we will provide updated information if this changes. As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to further improve our resilience to potential attacks. We plan, therefore, to more rapidly deprecate a number of legacy services, such as cvsup distribution of FreeBSD source, in favour of our more robust Subversion, freebsd-update, and portsnap models.
> http://www.freebsd.org/news/2012-compromise.html#details
On Sunday 11th November 2012, two machines within the FreeBSD.org infrastructure were found to have been compromised. These machines were head nodes for the legacy third-party package building infrastructure. It is believed that the compromise may have occurred as early as the 19th September 2012. The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD... No part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is taking an extremely conservative view on this and is working on the assumption that third-party packages generated and distributed within a specific window could theoretically have been modified.
- What is the Impact?
If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry. The Source, Ports and Documentation Subversion repositories have been audited, and we are confident that no changes have been made to them. Any users relying on them for updates have no reason to worry. We have verified the state of FreeBSD packages and releases currently available on ftp.FreeBSD.org. All package sets for existing versions of FreeBSD and all available releases have been validated and we can confirm that the currently available packages and releases have not been modified in any way. A package set for the upcoming FreeBSD 9.1-RELEASE had been uploaded to the FTP distribution sites in preparation for 9.1-RELEASE. We are unable to verify the integrity of this package set, and therefore it has been removed and will be rebuilt. Please note that as these packages were for a future release, the standard "pkg_add -r" tools to install packages could not have downloaded these packages unless they were requested explicitly. We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources..."
(See more detail in the "Table of Contents" at the Freebsd URL above.)


2012-11-27, 23:18

Piwik Compromised Source Package Backdoor Security Issue
- https://secunia.com/advisories/51304/
Release Date: 2012-11-27
Criticality level: Extremely critical
Impact: System access
Where: From remote
... compromised source file was distributed with version 1.9.2 on November 26, 2012 from 15:43 UTC to 23:59 UTC.
Solution: Download and reinstall Piwik.
Original Advisory:
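Both the FreeBSD report above (packages fetched from the legacy build cluster between 19 September and 11 November 2012 cannot be vouched for) and this Piwik advisory (a backdoored 1.9.2 served for a few hours on 26 November) come down to the same admin question: for each artifact I installed, do I hold a hash from a trusted channel, and if not, was it fetched inside the exposure window? The following is an added example of that triage, not code from either project; the window boundaries are taken from the two advisories, and the artifact names, contents and "trusted" hashes are constructed:

```python
import hashlib
from datetime import datetime, timezone

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Exposure windows as stated in the two advisories (UTC; FreeBSD gave dates, so the end is end-of-day).
WINDOWS = {
    "freebsd-legacy-pkg": (utc(2012, 9, 19), utc(2012, 11, 11, 23, 59, 59)),
    "piwik-download":     (utc(2012, 11, 26, 15, 43), utc(2012, 11, 26, 23, 59, 59)),
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def assess(artifacts, trusted_hashes, windows=WINDOWS):
    """Return (name, verdict) per artifact.

    hash-ok / hash-mismatch when a hash obtained through a trusted channel is on record;
    otherwise the only remaining signal is whether the fetch fell inside the window.
    """
    findings = []
    for a in artifacts:
        start, end = windows[a["source"]]
        in_window = start <= a["fetched_at"] <= end
        expected = trusted_hashes.get(a["name"])
        if expected is not None:
            verdict = "hash-ok" if sha256_hex(a["content"]) == expected else "hash-mismatch"
        else:
            verdict = "unverifiable-in-window" if in_window else "outside-window"
        findings.append((a["name"], verdict))
    return findings

# Constructed artifact contents; the "good" bytes stand in for what a trusted mirror served.
GOOD_PIWIK = b"piwik-1.9.2 archive (constructed stand-in)"
TAMPERED_PIWIK = GOOD_PIWIK + b" plus bytes absent from the trusted copy"
GOOD_BAZ = b"pkg baz-3.0 (constructed)"

# Hashes recorded earlier from a trusted source (constructed for the demo).
TRUSTED = {"piwik-1.9.2.zip": sha256_hex(GOOD_PIWIK), "baz-3.0.tbz": sha256_hex(GOOD_BAZ)}

SAMPLE = [
    {"name": "piwik-1.9.2.zip", "source": "piwik-download",
     "fetched_at": utc(2012, 11, 26, 18, 5), "content": TAMPERED_PIWIK},
    {"name": "baz-3.0.tbz", "source": "freebsd-legacy-pkg",
     "fetched_at": utc(2012, 10, 20), "content": GOOD_BAZ},
    {"name": "foo-1.0.tbz", "source": "freebsd-legacy-pkg",
     "fetched_at": utc(2012, 10, 3), "content": b"foo (constructed)"},
    {"name": "bar-2.1.tbz", "source": "freebsd-legacy-pkg",
     "fetched_at": utc(2012, 8, 1), "content": b"bar (constructed)"},
]

def example_assessment():
    return dict(assess(SAMPLE, TRUSTED))

def needs_reinstall(findings):
    """Names to rebuild from trusted sources, per the advisories' conservative guidance."""
    return sorted(n for n, v in findings.items() if v in ("hash-mismatch", "unverifiable-in-window"))

if __name__ == "__main__":
    result = example_assessment()
    for name, verdict in result.items():
        print(f"{name:18} {verdict}")
    print("reinstall:", needs_reinstall(result))
```

The point the FreeBSD report makes implicitly is that the project could clear ftp.FreeBSD.org only because it held independent state to compare against; an administrator who never recorded hashes from a trusted channel has nothing to verify the installed bits with, so anything fetched inside the window lands in the reinstall list, exactly as the report recommends.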


2012-12-14, 18:05

LogMeIn, DocuSign investigate Breach Claims
- https://krebsonsecurity.com/2012/12/logmein-docusign-invesigate-breach-claims/
Dec 14, 2012 - "Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach. Some LogMeIn users began complaining of receiving malware spam to LogMeIn-specific email addresses on Dec. 3, 2012. The messages matched spam campaigns that spoofed the U.S. Internal Revenue Service (IRS) and other organizations in a bid to trick recipients into opening a malicious attachment. Multiple LogMeIn users reported receiving similar spam to addresses they had created specifically for their LogMeIn accounts and that had not been used for other purposes. The first LogMeIn user to report the suspicious activity said he received a malicious email made to look like it came from DocuSign but was sent to an address that was created exclusively for use with LogMeIn... DocuSign released a statement* saying that it is investigating the incident and is working with law enforcement agencies to take further action. But it chalked the incident up to aggressive phishing attacks, noting that 'antivirus vendors report malicious code incidents have been increasing by as much as 3600% in recent weeks'..."
* http://www.docusign.com/spam
"... some have also been received by DocuSign users. The latest spam emails contain a zip file with an executable containing malicious code that installs malware on the recipient’s computer if opened. These spam emails are not coming from DocuSign and are not related to the DocuSign service. DO NOT OPEN THE ATTACHMENT..."
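Two practical things fall out of this story: per-service email addresses are what let these users attribute the leak in the first place, and DocuSign's description of the lure (a zip carrying an executable) is a check a mail gateway can make before anyone has a chance to open it. The following added example (mine, not LogMeIn's or DocuSign's) does both for one inbound message. The `user+tag@domain` convention, the expected-sender map and the sample sender domain are constructed assumptions; the page does not say which domain the LogMeIn-targeted mails were spoofed from. The zip built here contains only a placeholder with an `MZ` prefix, not a real binary.

```python
import io
import re
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Constructed: the only sender domain a per-service address tag should ever see mail from.
EXPECTED_SENDER_DOMAIN = {"logmein": "logmein.com", "docusign": "docusign.com"}

TAG_RE = re.compile(r"^[^+@]+\+([^@]+)@[^@]+$")

def service_for_address(addr):
    """'me+logmein@example.org' -> 'logmein'; None if the address carries no tag."""
    m = TAG_RE.match(addr.strip().lower())
    return m.group(1) if m else None

def inspect_zip(data):
    """Flag zip members that look executable by name (extension, double extension)
    or by content (MZ header of a PE file). Returns [(member, [reasons...]), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("MZ (PE) header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def triage(recipient, sender, zip_bytes):
    """Combine the two signals: which service the address was given to, whether the
    sender domain is the one that service would use, and what the attachment holds."""
    tag = service_for_address(recipient)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    expected = EXPECTED_SENDER_DOMAIN.get(tag)
    matches = bool(expected) and (sender_domain == expected or sender_domain.endswith("." + expected))
    return {
        "address_tag": tag,
        "sender_matches_tag": matches,
        "suspicious_members": inspect_zip(zip_bytes),
    }

def build_sample_zip():
    """Constructed attachment resembling the described lure; the member is not a real PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IRS_Notice.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed placeholder")
        zf.writestr("notice.txt", b"please see the attached notice")
    return buf.getvalue()

if __name__ == "__main__":
    report = triage("me+logmein@example.org", "notices@docusign.example.net", build_sample_zip())
    print(report)
```

A message addressed to a `+logmein` tag but arriving from an unrelated domain with an executable inside the zip is exactly the pattern the users described; the tag tells you where the address leaked from, and the attachment check gives the gateway a reason to quarantine regardless of whether the sender address was spoofed well. Checking the first two bytes catches renamed executables that a name-only filter misses.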