<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-768444026499860634</id><updated>2010-06-11T08:28:13.255-07:00</updated><title type='text'>Secerno Speaks</title><subtitle type='html'>Blogging on all things Database Security</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.secerno.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default?start-index=26&amp;max-results=25'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>75</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-5298250787143839754</id><published>2010-06-11T08:25:00.000-07:00</published><updated>2010-06-11T08:28:13.386-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='breach; proof-of-concept'/><title type='text'>The return of the Proof of Concept hack</title><summary type='text'>This week’s news of a breach at the AT&amp;T network, which exposed 114,000 accounts belonging to owners of the recently launched iPad, is now the subject of an FBI investigation. 
The group that identified the breach is known for publicizing other weaknesses that can lead to breaches, such as those in Safari and Amazon. The compromised accounts – which include those of some of the most powerful people on the planet – will likely suffer no long-term </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5298250787143839754'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5298250787143839754'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/06/return-of-proof-of-concept-hack.html' title='The return of the Proof of Concept hack'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-5454969066188514018</id><published>2010-05-04T13:46:00.000-07:00</published><updated>2010-05-04T13:49:29.347-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cloud Computing; breach; government agency'/><title type='text'>The US Treasury Trail</title><summary type='text'>News is emerging of a hack at the US Treasury Department, in which a series of websites associated with the U.S. 
Bureau of Engraving and Printing (BEP) were affected. Visitors to the sites were redirected to a site in Ukraine that is notorious for installing malware on visitors’ computers. The attackers targeted a cloud computing company that hosted the BEP’s pages. This hack has the elements for</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5454969066188514018'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5454969066188514018'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/05/us-treasury-trail.html' title='The US Treasury Trail'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-3564576876662605632</id><published>2010-04-19T08:24:00.000-07:00</published><updated>2010-04-19T08:25:44.206-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Inject; Top Risks; Applications; database'/><title type='text'>No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010</title><summary type='text'>OWASP have released their 2010 “top 10” Application Security Risks.  Topping the list (again) is the “Injection” risk.  People involved in both application security and database security will not be surprised.  The world is awash with applications that have each been poorly engineered in their own individual manner.  
It is an easy mistake to make, but very difficult to rectify without good tools </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3564576876662605632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3564576876662605632'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/04/no-surprises-in-owasp-2010-tail.html' title='No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-8645932886407731532</id><published>2010-04-11T23:30:00.000-07:00</published><updated>2010-04-11T23:34:29.385-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber attack; government; social media'/><title type='text'>Modern espionage, social media and the cloud</title><summary type='text'>Reports are emerging of another attack on government computers, this one by a group in China that targeted networks in India and other countries. 
Among the data the hackers obtained is information on missile systems and on relations between governments, as well as correspondence from the Dalai Lama’s office. The researchers who identified and tracked the hackers’ actions have identified social media </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8645932886407731532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8645932886407731532'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/04/modern-espionage-social-media-and-cloud.html' title='Modern espionage, social media and the cloud'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-8294772342095117205</id><published>2010-03-29T01:48:00.000-07:00</published><updated>2010-03-29T01:52:14.392-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Credit Card breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TJ Maxx'/><category scheme='http://www.blogger.com/atom/ns#' term='jail sentence'/><title type='text'>Remote Robber does Local time</title><summary type='text'>Last week, Albert Gonzalez was sentenced to 20 years in prison for his part in the hacking of more than 90 million credit and debit card numbers from TJ Maxx and other retailers. What makes this sentence unique is that it fits the severity of the crime. Gonzalez and his conspirators went after financial data with the intent to use it fraudulently. 
His knowledge of enterprise network weaknesses </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8294772342095117205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8294772342095117205'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/03/remote-robber-does-local-time.html' title='Remote Robber does Local time'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-5600594170264909165</id><published>2010-03-22T12:55:00.000-07:00</published><updated>2010-03-22T12:58:19.795-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity theft; cyber crime'/><title type='text'>The IC3 report  -- an exponential rise in identity theft</title><summary type='text'>The IC3 issued its annual online crime report, which reported that losses almost doubled from 2008 to 2009. In 2009, the losses totaled $560m (£371m) vs. $265m (£176m) in 2008. 
What is interesting to us in the security industry is an even greater increase in identity theft between the two years. In 2008, identity theft accounted for 2.5 percent of the claims; in 2009, the number is 14.1 percent, </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5600594170264909165'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/5600594170264909165'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/03/ic3-report-exponential-rise-in-identity.html' title='The IC3 report  -- an exponential rise in identity theft'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-7985833190944462468</id><published>2010-03-11T13:27:00.000-08:00</published><updated>2010-03-11T13:31:37.424-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insider data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='bank account breach'/><title type='text'>A truly international breach</title><summary type='text'>News is breaking of a breach at HSBC affecting 24,000 customers with Swiss Bank Accounts. 
The implications of this breach are global, and the press is speculating that the breach could expose those using the accounts to avoid taxation in their home countries. French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that the former employee obtained </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7985833190944462468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7985833190944462468'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/03/truly-international-breach.html' title='A truly international breach'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-7858314907857861897</id><published>2010-03-08T15:06:00.000-08:00</published><updated>2010-03-08T15:10:31.541-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='card security'/><category scheme='http://www.blogger.com/atom/ns#' term='database security; Bruce Schneier'/><title type='text'>Even Schneier agrees: “It’s all in the database”</title><summary type='text'>It’s official -- credit card security is no longer simply about WWII style “encryption” defenses, “it’s all in the database”.  So says the information security industry’s “rock-star” Bruce Schneier.  
Bruce was being interviewed at this year’s RSA conference and was asked about confidence in online shopping now that some “doubts” have arisen over SSL encryption. True to form, Schneier went </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7858314907857861897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7858314907857861897'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/03/even-schneier-agrees-its-all-in.html' title='Even Schneier agrees: “It’s all in the database”'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-9214031415836045686</id><published>2010-03-01T00:28:00.000-08:00</published><updated>2010-03-01T00:33:29.257-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hotels'/><category scheme='http://www.blogger.com/atom/ns#' term='Credit Card breach'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><title type='text'>Check-in to your hotel – and let hackers check-out with your credit card</title><summary type='text'>According to reports, sometime between October 09 and January of this year, hackers broke into databases associated with the Wyndham Hotels and Resorts (WHR). This is the third time that the hotel chain has suffered a data breach within a year, and this time the hackers stole customer names and payment card information. 
What the hotel is saying through an open letter and associated FAQs creates </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/9214031415836045686'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/9214031415836045686'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/03/check-in-to-your-hotel-and-let-hackers.html' title='Check-in to your hotel – and let hackers check-out with your credit card'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-2829402069260387452</id><published>2010-02-22T19:59:00.000-08:00</published><updated>2010-02-22T20:00:27.378-08:00</updated><title type='text'>The lessons from the Kaiser Permanente breach</title><summary type='text'>Last year, a data breach involving close to 30,000 Kaiser Permanente employees in California was discovered when the suspect’s home was searched for unrelated reasons and authorities found evidence that the data of Kaiser employees had been stolen. 
The evidence came in the form of dozens of driver’s licenses and credit cards in the names of the Kaiser Permanente victims, whose addresses, date of </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/2829402069260387452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/2829402069260387452'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/02/lessons-from-kaiser-permanente-breach.html' title='The lessons from the Kaiser Permanente breach'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-9190301930575149027</id><published>2010-02-16T07:54:00.000-08:00</published><updated>2010-02-16T08:04:34.754-08:00</updated><title type='text'>The disgruntled worker turned activist</title><summary type='text'>This week brings news of a data breach at Royal Dutch Shell affecting 170,000 workers at the global oil company. From published reports, the database is thought to contain names, telephone numbers and additional details for both permanent and contract employees. 
The database is also believed to be about six months old. What makes this breach unique and points to its likely being from a disgruntled</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/9190301930575149027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/9190301930575149027'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/02/disgruntled-worker-turned-activist.html' title='The disgruntled worker turned activist'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-7296938187758574390</id><published>2010-01-31T13:42:00.000-08:00</published><updated>2010-01-31T13:44:24.624-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sky computing'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud Computing'/><title type='text'>Security in the Sky with Diamonds</title><summary type='text'>A new colleague asked me recently how I felt about “all the security issues in the sky”.  At first, I wondered if I had missed a news story about break-ins at Rupert Murdoch’s satellite TV network.  After a little probing it transpired that when she talked of “sky computing” she meant “cloud computing”.  
Ah, at last we were on the “same page”. It is hard enough explaining what “cloud </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7296938187758574390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7296938187758574390'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2010/01/security-in-sky-with-diamonds.html' title='Security in the Sky with Diamonds'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-3500367963098299673</id><published>2009-12-30T12:30:00.000-08:00</published><updated>2009-12-30T12:34:44.837-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL Injection'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='convicted attacker'/><title type='text'>The eCrime of the Decade goes unpunished</title><summary type='text'>So finally, Gonzalez, the ‘mastermind’ behind the targeted SQL injection attacks on Heartland that yielded around 150 million payment card details, is being sentenced to at least 17 years in a US prison.  To put this time in perspective, Gonzalez will serve about four seconds for every record stolen.   
His co-conspirators, believed to be in Russia, have yet to be apprehended, making </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3500367963098299673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3500367963098299673'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/12/ecrime-of-decade-goes-unpunished.html' title='The eCrime of the Decade goes unpunished'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-1540296847939856685</id><published>2009-12-16T10:06:00.000-08:00</published><updated>2009-12-16T10:13:15.831-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Amazon Cloud; data security; poison'/><title type='text'>Drinking "data" securely from Amazon’s Cloud</title><summary type='text'>The folks at Amazon have announced a demand and supply based pricing for their cloud resources whereby it becomes cheaper per hour to run your enterprise applications when demand is low.  
My take on this is broadly positive, as it is getting closer to the true cloud model of “pay per drink” where the price of the drink is dependent on how many other drinkers there are (and the size of the barrel)</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1540296847939856685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1540296847939856685'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/12/drinking-data-securely-from-amazons.html' title='Drinking &quot;data&quot; securely from Amazon’s Cloud'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-1763387881137447786</id><published>2009-12-09T13:48:00.000-08:00</published><updated>2009-12-09T14:01:50.452-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='80:20 attack/breach rule; data breaches; SQL Injection; database defenses'/><title type='text'>What’s ahead for 2010?</title><summary type='text'>Verizon has issued an addendum to its 2009 threat report that shows how damaging SQL injection attacks have become in a short period of time. According to the report, SQL injection was used in 19 percent of the cases and accounted for 79 percent of the breached records. 
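As an added illustration for the injection risk that the OWASP entry above ranks first, the Heartland attacks, and the Verizon figures here (this is example code written for this page, not Secerno’s, OWASP’s or Verizon’s; the customers table, its rows, the two payloads and the single learned statement shape are constructed assumptions), the Python below shows the string-concatenation mistake, the parameterized fix, and a statement-shape check in the spirit of database activity monitoring: literals are replaced by placeholders and the result is compared with shapes seen in normal application traffic.

```python
"""
Added example, not code from the Secerno blog or from OWASP/Verizon.
It shows the injection mistake the posts above describe, the
parameterized fix, and a simple statement-shape check of the kind a
database activity monitor can apply. The table, its rows, the payloads
and the list of known statement shapes are all constructed here.
"""
import re
import sqlite3

# Constructed sample data: a small customer table with card numbers.
ROWS = [
    (1, "alice", "alice@example.com", "4111111111111111"),
    (2, "bob", "bob@example.com", "5500000000000004"),
    (3, "carol", "carol@example.com", "340000000000009"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_vulnerable_sql(username):
    """The classic mistake: untrusted input is pasted into the statement
    text, so the input can change the structure of the statement."""
    return ("SELECT username, email FROM customers WHERE username = '"
            + username + "'")


def lookup_vulnerable(conn, username):
    return conn.execute(build_vulnerable_sql(username)).fetchall()


def lookup_safe(conn, username):
    """The fix: the statement text is a constant and the value is bound
    separately, so whatever the caller supplies can only ever be data."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# String and numeric literals; they are the only parts of a statement
# that legitimate application traffic varies between calls.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def statement_shape(sql):
    """Replace literals with '?' and normalise whitespace and case.
    Statements that differ only in data values share a shape; an injected
    tautology or UNION changes the shape itself."""
    return " ".join(_LITERAL.sub("?", sql).split()).upper()


# Shapes learned from normal application traffic (constructed: one query).
KNOWN_SHAPES = {statement_shape(build_vulnerable_sql("alice"))}


def is_expected_statement(sql):
    return statement_shape(sql) in KNOWN_SHAPES


def demo():
    """Run both lookups against a tautology and a UNION payload and
    report what each returns and whether the shape check catches it."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    union = "x' UNION SELECT username, card FROM customers WHERE '1'='1"
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "union_vulnerable": lookup_vulnerable(conn, union),
        "tautology_safe": lookup_safe(conn, tautology),
        "union_safe": lookup_safe(conn, union),
        "normal_accepted": is_expected_statement(build_vulnerable_sql("bob")),
        "tautology_flagged": not is_expected_statement(build_vulnerable_sql(tautology)),
        "union_flagged": not is_expected_statement(build_vulnerable_sql(union)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it directly to see the tautology payload return every row and the UNION payload return card numbers through the vulnerable path, while the parameterized path returns nothing for either; the shape check flags both injected statements and accepts a normal lookup for a different user. The shape check is a heuristic: it cannot see injection that preserves the statement structure (for instance, input that only changes which literal value is queried), which is why the parameterized query, not the monitor, is the primary control.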
We expect SQL injection to be the means of data access in 2010, accounting for as many as 90 percent of all breached records if</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1763387881137447786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1763387881137447786'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/12/whats-ahead-for-2010.html' title='What’s ahead for 2010?'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-7250282994531139372</id><published>2009-12-01T10:46:00.000-08:00</published><updated>2009-12-09T13:52:44.501-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='database security; serious'/><title type='text'>Database Security taken seriously at last</title><summary type='text'>The news that Guardium has been acquired by IBM has been followed with great interest by those of us in the database security industry, as you can expect. What makes this acquisition so interesting is its timing. 
In 2009, the general business community became well aware of what we in the data security industry have viewed as the common threat landscape for years – insiders, third parties, </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7250282994531139372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/7250282994531139372'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/12/database-security-taken-seriously-at.html' title='Database Security taken seriously at last'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-3865962337665253209</id><published>2009-11-17T11:54:00.000-08:00</published><updated>2009-11-17T12:42:09.982-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='T-Mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='insider data breach'/><title type='text'>The T-Mobile “Defense”</title><summary type='text'>An old English proverb tells us that “There are none so blind as those who choose not to see.”  Today T-Mobile are in the news for insiders selling-on customer personal data against U.K. Data Protection Legislation.  
T-Mobile claim the data was sold "without our knowledge". The key word in this excuse is "knowledge". What did they know about their data and the way it is/was used? What did they know </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3865962337665253209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/3865962337665253209'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/11/t-mobile-defense.html' title='The T-Mobile “Defense”'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-4471271626223629509</id><published>2009-11-11T03:38:00.001-08:00</published><updated>2009-11-11T04:32:03.418-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RBS WorldPay; Database Attack; Data Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL Injection'/><title type='text'>SQL injection sees a big payout</title><summary type='text'>Yesterday, prosecutors in Atlanta announced indictments against an alleged crime ring from Eastern Europe.  The achievements of their hackers point to frightening means of financial data theft. According to the reports, the hackers attacked payment processor RBS WorldPay, cloned prepaid ATM cards, and used them to withdraw cash totaling $9 million from 280 cities globally. 
These attacks took place </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4471271626223629509'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4471271626223629509'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/11/sql-injection-sees-big-payout.html' title='SQL injection sees a big payout'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-2751208360721836485</id><published>2009-11-05T06:03:00.000-08:00</published><updated>2009-11-05T06:11:22.778-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data breach legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='EU'/><category scheme='http://www.blogger.com/atom/ns#' term='telco'/><title type='text'>First the telecos …?</title><summary type='text'>Today brings news that the EU will require telecommunications companies to inform affected parties on data breaches. Although some would argue (and are arguing) that this measure should extend to all businesses – and we agree, eventually – the EU measure is a critical first step. 
Since the telecommunications companies and service providers have online components as well as the means to store vast</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/2751208360721836485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/2751208360721836485'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/11/first-telecos.html' title='First the telecos …?'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-4419937884297461891</id><published>2009-10-27T11:44:00.000-07:00</published><updated>2009-10-27T11:53:17.875-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Perimiter defense; data leak'/><category scheme='http://www.blogger.com/atom/ns#' term='targeted malware'/><title type='text'>When Government is too much like the private sector</title><summary type='text'>The Swiss foreign ministry has been hit by hackers, forcing its computer systems to be shut down for days. Details are still emerging but initial reports point to a computer virus designed to grab specific data that was well hidden on the network. 
What this attack shows is how attractive government computer systems have become to hackers, which makes sense given the amount of personal and </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4419937884297461891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4419937884297461891'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/10/when-government-is-too-much-like.html' title='When Government is too much like the private sector'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-8556281963113125095</id><published>2009-10-25T12:59:00.000-07:00</published><updated>2009-10-26T03:22:05.979-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='personally identifiable information'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='employment site'/><title type='text'>Find a job and lose your identity</title><summary type='text'>Job seekers using internet employment sites have been warned that their personal information has been compromised. The Guardian newspaper's Job site has contacted users posting their details about a breach. The information stolen would be sufficient for a criminal to fraudulently open bank accounts and apply for credit cards. 
This is not the first time job sites have been hacked with 1.3 million </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8556281963113125095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/8556281963113125095'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/10/find-job-and-lose-your-identity.html' title='Find a job and lose your identity'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-1324301570178142227</id><published>2009-10-16T23:50:00.000-07:00</published><updated>2009-10-16T23:57:05.541-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Payroll accounts'/><category scheme='http://www.blogger.com/atom/ns#' term='Database attacks'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><title type='text'>Oh no, not again: Data breach phase two</title><summary type='text'>It appears that US-based payroll services provider PayChoice has experienced the second phase of a very coordinated data attack. Last month, the company experienced a breach in which customer user names and passwords were stolen, and it appears that this information was used to trick customers into downloading malware. 
The download allowed criminals to add fraudulent employees and associated </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1324301570178142227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1324301570178142227'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/10/oh-no-not-again-data-breach-phase-two.html' title='Oh no, not again: Data breach phase two'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-4170735731749695496</id><published>2009-10-07T13:18:00.000-07:00</published><updated>2009-10-07T13:21:19.312-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insider threats'/><category scheme='http://www.blogger.com/atom/ns#' term='protecting sensitive data'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>The dirty little secret your bank may be hiding</title><summary type='text'>This summer Actimize  found that nearly 80 percent of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn, with only 28 percent of the banks surveyed not suffering an insider breach. Surprisingly, the majority of the breaches are coming from what the industry calls “trusted insiders,” full-time employees with access to data. 
</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4170735731749695496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/4170735731749695496'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/10/dirty-little-secret-your-bank-may-be.html' title='The dirty little secret your bank may be hiding'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-1154759531250229370</id><published>2009-09-30T09:45:00.000-07:00</published><updated>2009-09-30T10:00:28.975-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud Computing'/><title type='text'>Are Clouds Compliant?</title><summary type='text'>Today I was part of a panel where we debated whether Clouds are compliant.  The session was part of the BrightTalk online Cloud Computing Summit and was hosted by Peter Judge, UK Editor, eWeek Europe.  I was joined by IBM's James Rendall, and Paul Roberts of The 451 Group and we participated in a lively session. The questions we worked through were: Q1. Do you trust the cloud? Q2. 
Are clouds </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1154759531250229370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/1154759531250229370'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/09/are-clouds-compliant.html' title='Are Clouds Compliant?'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry><entry><id>tag:blogger.com,1999:blog-768444026499860634.post-6424241247243893727</id><published>2009-09-23T08:19:00.000-07:00</published><updated>2009-09-23T09:01:33.863-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data leak'/><title type='text'>Why hack a database when the data is being given away!</title><summary type='text'>Here at Secerno we spend all our time helping our customers protect databases to ensure that they keep their precious data safe.  For an Internet Service Provider (ISP) like the U.K.’s Demon, precious data includes username and password information that their customers use to access services.  
Something certainly worth protecting! Imagine my horror to learn that "Demon's director of customer </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/6424241247243893727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/768444026499860634/posts/default/6424241247243893727'/><link rel='alternate' type='text/html' href='http://blog.secerno.com/2009/09/why-hack-database-when-data-is-being.html' title='Why hack a database when the data is being given away!'/><author><name>Steve Moyle</name><uri>http://www.blogger.com/profile/02989167299050273242</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09549070278019202844'/></author></entry></feed>