Tag: data

Epsilon data breach hits Hilton, Barclays and 48 others

Another day, another data breach. This time from the seed fund behind a socialite’s bar tab, Hilton Worldwide.

Its third-party marketing partner, Epsilon, warned it that there had been a breach of sorts. It insists financial and other sensitive details are unaffected but names and e-mail addresses have been farmed. We reported on the breach yesterday.

Hilton says that the most likely impact, if any, will be unsolicited emails. It suggests a couple of handy tips to counter its marketing vendor’s security inadequacies – don’t share personal information by email or open weird messages from strangers.

Be cautious, as always, of phishing scams. Hilton won’t ask for those details, etc., etc., etc.
Hilton said Epsilon’s just one of a group of companies affected by the breach. 

But it has turned out that “approximately two percent” of all of its clients were struck, which makes up about 50. The incident, Epsilon said, occurred on the 30th, and a “full investigation is currently underway”.

It seems top hitters may have been targeted, with Barclays, Citibank, JP Morgan Chase, Lacoste and Marriott all issuing warnings, according to CIO magazine. D’oh. 

Google readies Android NFC for data gathering

The all-encompassing Google, known for its “accidental” data collecting, is getting cosy with MasterCard and Citigroup. Together the trio have come up with technology which will allow customers to use their Android mobile phones to buy items by waving their smartphones in front of a small reader at the checkout counter.

According to the WSJ the scheme would start with holders of Citigroup-issued debit and credit cards being able to use the service by activating a mobile payment application developed for one current handset.

Google has also said that it will not take a cut of any of the transaction fees. Instead, Google will be using NFC to boost its advertising business.

Sources told the Wall Street Journal that Google would use the technology as a way to offer retailers more data about their customers. This will help it target ads to mobile-device users near their stores.

Sounds rather like data harvesting.

Privacy advocate Big Brother Watch has its concerns. Daniel Hamilton, director, told TechEye: “Allowing people to pay for goods with their mobile phones would be an interesting step forward in development of contactless payment systems.

“While there are clear advantages for consumers in using such systems in terms of both ease and speed, it is important that retailers are straight with their customers about exactly how their data will be used.

“Contactless payment systems should be about customer convenience, not targeting advertising at unsuspecting consumers without the prior knowledge and expressed permission,” he added.

A Google spokesperson told TechEye that it doesn’t comment on rumour or speculation.

SSDs harder to securely erase than standard hard disks

Researchers at the University of California, San Diego have found that erasing sensitive data stored on solid-state drives (SSDs) may not be as easy or reliable as they thought.

Two PhD students at the University’s Non-Volatile Systems Laboratory have presented research at this month’s USENIX Conference on File Storage Technologies that shows even on-device secure erase commands may be buggy – and ineffective at removing sensitive data that may be stored on the SSD.

The researchers used an FPGA-based flash hardware tester named Ming the Merciless to analyse the data left on the SSD’s raw NAND flash chips, which are used to do the actual storage, and bypass any software built into the SSD’s interface.

They found that the built-in commands to delete all the data off an SSD are often reliable, but manufacturers have built versions with bugs that cause them to work incorrectly.

Existing tools used to erase normal hard disks are entirely ineffective at destroying the data on SSDs. The final option for removing data from SSDs is to use dedicated software to overwrite parts of the device. These were found to be effective after 2 passes on the disk but not entirely reliable.

The researchers have published their paper online (or check out the synopsis). Also check out this YouTube video showing how they rounded off destroying the UK ID Card Database earlier this month.

HP proposes to Vertica

A beautiful relationship is growing between HP and Vertica.

HP today announced that it will be taking the privately held, real-time analytics platform company as one of its many wives. However, it is unknown how much it’s currently paying for the privilege.  

According to the announcement, the acquisition of Vertica will allow HP to add real-time business analytics for large and complex sets of data in physical, virtual and cloud environments.

This is because Vertica’s platform apparently helps customers analyse massive amounts of data quickly, “resulting in ‘just-in-time’ business intelligence”.

Shane Robison, executive vice president and chief strategy and technology officer at HP said: “In today’s highly competitive environment, customers need the ability to manage the increasing amounts of data and growing streams of information with more flexible, more dynamic architectures.

“Vertica’s unique platform combines simplicity with industry-leading performance, allowing HP to leap ahead of the industry in the race to analyse massive amounts of data.”

Vertica responded by claiming that the fruits of the companies’ joint labour will allow HP’s customers to “develop flexible business performance solutions that improve decision making and streamline business processes.”

The courtship is hoped to end in the second quarter of this year. Once the pair are wed, Vertica products will be available through HP sales and service channels – well, it’s like taking HP’s name in tech terms, we suppose.

Spammers capitalise on Ireland's unemployment rate

One of Ireland’s largest job websites, RecruitIreland.com, has been hacked and user details seized.

At 1.50pm yesterday afternoon the website managers of the recruitment site were alerted to the breach. They shut down the website and database ten minutes later and reported the incident to the Gardaí and the Data Protection Commissioner. It is also being investigated internally by RecruitIreland and externally by a security expert.

It was revealed that certain user details were compromised in the attack, including first and last names along with email addresses. It is not believed any other information was obtained, such as CVs, usernames or passwords.

However, the data that was obtained can easily be used for spam and there have already been reports of such. The spam messages use the full name of the individual and present a fake job opportunity. RecruitIreland has urged users to take extra care and not respond to such messages if they manage to escape the anti-spam filter. It is believed that acquiring data for spam was the sole purpose of the attack.

More and more people are using these kinds of websites in Ireland as the unemployment rate remains considerably high at 13.4 percent, according to recent figures for January by the Central Statistics Office. This is a sharp increase from the rate of 4.4 percent five years ago in the heart of Ireland’s Celtic Tiger economic boom.

This attack is the latest in a string of website hacks and data breaches in Ireland. The website of one of the main political parties, Fine Gael, was hacked by Anonymous, while a Northern Ireland political party website was hacked by an Irish language activist. Laptops have also been stolen from the Irish tax office and the Irish government is being investigated for sending unsolicited emails.

With an election at the end of February, it doesn’t look like these problems will go away any time soon.

Cisco sees mobile data go through the roof

Big, fat cat Cisco, maker of bespoke networking equipment, claims mobile data traffic will grow 26-fold in the five-year plan period between 2010 and 2015.

According to the Cisco Visual Networking Index Global Mobile Data Traffic Forecast for 2010 to 2015, a nice and short title, the compound annual growth rate (CAGR) will be 92 percent, leading to 6.3 exabytes of data flowing down- and upstream each month in 2015. That would be a total of 75 exabytes in 2015, 75 times the amount of internet traffic back in 2000, the year civilisation was not obliterated.

Or, in more easily understandable terms, 75 exabytes is around “19 billion DVDs or 536 quadrillion SMS text messages”. Thank heavens for LTE, otherwise mobile operators would be suffering from severe constipation. Average smartphone connection speeds are prophesied to rise from 1.036 kbps in 2010 to 4.404 kbps in four years’ time.

Cisco VNI mobile data traffic forecast slide

This, naturally, will only be the case if earth doesn’t go bang in 2012, as people reckon the Mayans believed ages ago, without considering the Mayans never had a chance to reform their calendar.

Cisco sees “mobile-ready devices such as tablets and smart phones, and widespread video content consumption” being the driving forces behind oversensitive luddites having to make tin foil hats to protect themselves from the surge in mind-controlling microwaves. Good thing smartphones aren’t only internet-enabled but also “mobile-ready”, otherwise one wouldn’t be able to put them in pocket or bag and take them for walkies.

Over 5.6 billion “personal devices” will be connected to the internet by 2015, while there will be 1.4 billion machine-to-machine (M2M) nodes. Cisco not Crisco would like the readers of its study to know that this is basically equivalent to the world population.

M2M traffic will approximately be 285 per month in 2015, whereas tablets will generate 248 petabytes of traffic, more than the monthly level of the entire mobile data traffic in 2010, which was 237 petabytes each month.

Cisco VNI mobile data traffic forecast slide 2

Alas, the starving recipients of Band Aid won’t get a free Cisco router, nor an iPad or anything similar, as people in First World countries will simply hog multiple devices to themselves.

Cisco seems to expect demand for tablets to soar, as the company states data traffic from such devices will have grown 205-fold by the end of 2015. Broken down by region, the Middle East and Africa will have the highest growth rates, namely a CAGR of 129 percent, or 63 times over the 2010 level by the end of 2015.

North America, i.e. the USA including Canada, will witness 20-fold growth, whereas Western Europe shall see its mobile data traffic be 25 times as high as back then. India will be world leader in terms of growth rate, experiencing a CAGR of 158 percent, or, in other Cisco terms, 115-fold growth.

Interested parties can find the report right here.

Wikileaks ISP refuses data hand-out to Swedish government

ISP Bahnhof has come up with a way to bypass Sweden’s European Data Retention Directive.

The plans will come as good news to users, but cyber-security groups have warned that the ISP could become a haven for those using the internet for dodgier dealings.

The Swedish ISP, which hosts Wikileaks, has, according to TorrentFreak, announced that it will run all customer traffic through an encrypted VPN service. This means that logging what their users get up to will be impossible for now and will prevent law enforcement agencies from being able to retrieve information on users’ activities.

In 2009, Sweden introduced the Intellectual Property Rights Enforcement Directive (IPRED), which gave rights holders the power to request the personal details of alleged copyright infringers.

However, with Bahnhof not providing data, there are no details to give.

A source at a systems security outfit with high clearance tells TechEye: “This, in theory, will work to some advantage for customers but the question is whether the company has really thought this through.

“While the ISP is claiming that it is trying to protect its customers’ data there is a possibility that it could become the must-have place for people who want to use the internet for untoward activities, which could in turn make it a haven for terror activities and serial pirates.

“Bahnhof needs to ensure it finds the right balance between customer data and those who could misuse the policies.”

He also warned that the unique methods could make the ISP a target for hackers who will see it as a challenge to break into the system, while law enforcement agencies will try to disband the idea or hire their own hackers to bring the system down.

Customers who want their data to be made public do have the option to do this. However, they will have to pay around $8.00 per month extra for the privilege.

Gigabytes of government data stolen in fake e-card scam

Several gigabytes of sensitive government data have been stolen from government and online security staff in a fake White House e-card scam, according to KrebsOnSecurity.

An email circulated among a large number of public sector employees in the US on December 23 pretending to be a legitimate electronic greeting card from the government. The message read:

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:

hxxp://xtremedefenceforce.com/[omitted]

hxxp://elvis.com.au/[omitted]

Merry Christmas!

___________________________________________

Executive Office of the President of the United States

The White House

1600 Pennsylvania Avenue NW

Washington, DC 20500”

When users accepted it, however, it installed data-stealing malware on their computers, including a ZeuS trojan variant that focused on nabbing documents rather than financial details, suggesting that this attack was primarily interested in taking advantage of the Christmas season to steal government information.

A large number of people fell for the scam, including an official at the Moroccan government’s Ministry of Industry, Commerce and New Technologies, an employee of the Millennium Challenge Corporation, a member of the Financial Action Task Force, and worst of all an intelligence analyst working for the Massachusetts State Police and a staff member of the National Science Foundation’s Office of Cyber Infrastructure, people who probably should have known better.

Information that was gathered in the 2GB data attack includes NSF technology and science grant applications, court-ordered mobile phone intercepts, classified national security documents, financial files, and other sensitive information.

Honda punch drunk from data leak

Carmaker Honda has warned its US punters that their personal details, including their car identification numbers, will be in the hands of hackers.

More than two million customers, whose details were contained in an e-mail database, have seen their data nicked.

Although Honda has not said so, it might be connected to the recent breach of the e-mail marketing firm Silverpop Systems.

Honda used Silverpop for years. Its data was breached and customer data from McDonald’s and deviantArt was nicked.

Honda said that the list contained the names, login names, e-mail addresses and vehicle identification numbers of more than two million Honda owners. Another list, containing only the e-mail addresses of nearly three million Acura car owners, was also copied.

The carmaker confirmed that no financial information was included in the hacked customer lists.

Honda has e-mailed everyone to warn them that their details have been stolen. It is worried that owners could be hit with an effective phishing attack. After all, many will talk to phishers if they appear to be Honda and have their vehicle ID number.

“Be cautious of unsolicited emails requesting personal information. Often, these communications can look official. Be cautious of unsolicited emails requesting personal information,” Honda warned its customers.

“If ever asked for this information, you can be confident it is not from us,” the warning said.

RIM buckles on India's Blackberry encryption pressure

Research in Motion has bowed to the Indian government at last. It told the home ministry that it will comply with the 31 January deadline to provide a “final solution” – you what!? – for lawful access to its data services.

This will be done by giving ministers access to the records over a cloud-based system which will not involve an “overseas data path.”

“We are happy to confirm that as per the compliance schedule agreed by both Research in Motion and the Ministry Of Home Affairs, RIM infrastructure is ready to receive and process via the cloud computing based system, lawfully intercepted BlackBerry messenger data from India service providers,” Robert E Crow, vice president of industry, government and university relations at RIM, told the home ministry in a statement obtained by the Economic Times.

The agreement should put a stop to bickering between the two, which has been raging since earlier this year when India threatened to ban Blackberry services – citing that it didn’t have control over the data being sent to and from users.

The ministry’s reasoning for snooping was, as usual, potential terrorist threats. A terrorist could use BlackBerry email and messaging services to coordinate and plot attacks as information exchanged on these channels couldn’t be monitored at the time.

After reinstating services the government ordered RIM to come up with something that would give intelligence agencies complete access to all services offered on its handsets by October. This would include RIM being forced to hand over the encryption keys and codes of its corporate mail and messaging services. The extension to January 2011 was given after RIM pushed for a timeframe of 23 weeks in August, while it worked out how to cooperate without breaching data protection laws.

Corporate secrets have a way of “being leaked” – see Radia, A Raja – so we’re waiting with bated breath to see how India looks after encrypted data.

Only yesterday we reported that some key Department of Telecommunication (DoT) officials might face arrest for their alleged involvement in the 2G spectrum scam, which has been raging since 2008 and has led to leaked tapes doing the rounds.

Meanwhile, Google has denied India access to Gmail, citing privacy concerns.