April 20, 2024

Bits Blog: Even Big Companies Cannot Protect Their Data

Zappos.com’s chief executive, Tony Hsieh, did not say why the company’s data had been vulnerable. Photo: Isaac Brekken for The New York Times

9:02 p.m. | Updated

Barbara Scott just hit the trifecta of computer security breaches.

Since the New Year, Ms. Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that — once again — her information had been compromised.

“It’s disturbing,” said Ms. Scott, who works in San Diego as a director at Redemtech, a technology services business. “Companies have to do a better job protecting our privacy. You would think companies like eBay and Amazon have the financial backing and wherewithal to take the proper security measures.”

The breaches at Zappos and 6PM may have compromised account information for 24 million customers — the largest breach of an online retailer since a series of cyberattacks against Sony last year that compromised 100 million customer accounts. The attacks point to an unsettling new world in which even the supposed stalwarts of the Internet — Amazon, eBay and even the security giants paid to keep hackers at bay — cannot seem to keep personal information safe.

And when there is a security breach, the companies and computer security experts more often than not resort to telling their consumers that it is up to them to protect their data stored on the company’s servers.

Zappos’s chief executive, Tony Hsieh, said Sunday that customer names, encrypted passwords, phone numbers, e-mail and mailing addresses and the last four digits of their credit card numbers might have been stolen in the attack. But he noted that the company quickly reset all passwords and that a separate database containing critical credit card information had not been breached.

Mr. Hsieh — who wrote the book “Delivering Happiness” and regularly invites customers to tour Zappos’ facilities — provided no explanation of why the data was vulnerable. He directed customers to an e-mail address because the company’s customer service lines “simply aren’t capable” of handling the number of expected customer inquiries.

That response angered Eric Seftel, a Zappos customer, who posted a reply to Zappos’ e-mail alert on The New York Times’s Bits blog: “That’s it? That’s how you respond to a security exposure that may require me to change my password on a large number of other sites to protect myself? That’s how little you think of your customers, just drop this glib little note and wash your hands of the whole affair? You have a legal and moral obligation to protect my information.”

In an e-mail to The New York Times on Monday, Mr. Hsieh said the company did have a security breach response plan in place before the attack but could not discuss the specifics of the plan or how the company was breached. “Our plan specifically includes not disclosing details of our security processes or procedures,” Mr. Hsieh said. “Just like you would not expect a casino to disclose when the security guards change shifts.”

The breaches at Amazon’s sites, combined with several recent cyberattacks, could threaten to shake consumer confidence online. Over the year-end holidays, hackers who said they were members of the group Anonymous attacked the Web site of Strategic Forecasting, a research firm that specializes in security and intelligence. They dumped personal and payment details for thousands of subscribers.

In a separate attack on India’s military and intelligence servers two weeks ago, a different group of hackers managed to find and post a segment of source code belonging to Symantec, the largest security software company.

“There are a lot of people that are going to seriously reconsider before they purchase anything else on the Internet,” Jerry Irvine, a member of the National Cyber Security Task Force, said in an interview on Monday.

The White House is working on a plan to increase consumers’ confidence in the security of e-commerce sites. Its initiative, called the National Strategy for Trusted Identities in Cyberspace, works with major vendors — like banks, technology companies and cellphone service providers — to adopt higher standards for the way companies verify user identities and store personal data online.

But the program is less than a year old and, Mr. Irvine says, intended to be only one step in a larger process to protect customers’ identities and personal information on the Web. “These breaches are going to be an education for people to take a more layered approach to their security,” he said.

Unable to offer a better solution, many companies and security experts throw the burden back onto consumers.

“It is always a good practice to use different passwords on different Web sites,” Mr. Hsieh advised. Mr. Irvine recommends that consumers protect their personal data more vigilantly. He suggests not using e-mail addresses as user names, creating a unique password for every Web site and refraining from saving personal and payment details online.

“That is the only way you’re going to be secure,” Mr. Irvine said.

Ms. Scott said she already used complex alphanumeric passwords and updated them on a regular basis. “Beyond that, I guess I have to be more conscious about who I choose to do business with online,” she said. “How hard can it be to find a safe place online to buy shoes?”

Article source: http://feeds.nytimes.com/click.phdo?i=f59802b9c6c09495a23e919627086d6f

Dutch Widen Inquiry Into Hacking of Official Sites

BERLIN — The Dutch government said Tuesday that it was widening its investigation into the hacking of official state Web sites in an attempt to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had also been compromised.

The Dutch data protection agency, OPTA, has asked the government security contractor at the center of the controversy, DigiNotar, to report whether the integrity of a special class of digital certificates known as qualified certificates, which guarantee the authenticity of computer users interacting with government computers, had been breached.

“We are hoping to receive an answer from DigiNotar within a few days,” said Harriet Garvelink, a spokeswoman for OPTA in The Hague, who said the request was made Friday.

The hacking scandal in the Netherlands, one of the most digitally advanced countries in Europe, erupted last week when DigiNotar disclosed that several of its digital certificates — so-called SSL certificates, which guarantee the authenticity of Web sites — had been stolen by an unknown hacker in July. An independent report released Monday by the Dutch government traced the origin of the stolen certificates to a computer user in Iran.

“DigiNotar found evidence on July 28th that rogue certificates were verified by Internet addresses originating from Iran,” said the report prepared by Fox-IT, a company in Delft, the Netherlands, that the Dutch government hired to investigate the breaches. A copy of the report was posted on the site of Vasco Data Security International, DigiNotar’s parent company.

The report appears to link the theft of the certificates from DigiNotar to a security breach reported by Google in the past week. In its security blog on Aug. 29, Google reported that several users “primarily located in Iran” had been targeted by the hacker using a fraudulent certificate issued by DigiNotar.

If a qualified certificate has been breached, a hacker could impersonate the computer identity of another user to try to gain access to their private information.

The Google incident prompted DigiNotar to come forward with the security violation. The Fox-IT report found that DigiNotar discovered 333 fraudulent “rogue certificates” circulating from July 19 to July 28, many of which were for major Internet companies. The company subsequently revoked and invalidated the certificates.

The Dutch interior minister, Piet Hein Donner, told members of Parliament on Tuesday that the government so far had no evidence that the hackers had used stolen certificates to obtain personal information on Dutch citizens from the government’s Web sites.

Vincent van Steen, a spokesman for Mr. Donner, said the interior ministry was examining the procedures used by the government in overseeing the contractors that issue SSL certificates to learn more about how the intrusion occurred and how to prevent a future attack. “This matter shows us how vulnerable we are,” Mr. van Steen said.

Several security experts have speculated that the Iranian government may have orchestrated the hacking, which would have required the control of an Internet service provider, to spy on its own dissidents. The Iranian government has not commented on the situation.

DigiNotar, a unit of Vasco Data Security International, which is based in Oakbrook Terrace, Illinois, has been criticized by Dutch lawmakers for not immediately informing the government of the certificate theft. Dutch prosecutors told The Associated Press on Tuesday that they were investigating DigiNotar for possible criminal negligence.

Vasco said in a statement that it was cooperating with the Dutch government. In a separate statement issued Sunday, the company sought to reassure its own clients that the verification technology of DigiNotar, which Vasco acquired in January, had not yet been fully integrated into its own digital security products.

DigiNotar’s belated disclosure of the theft prompted OPTA to expand its inquiry into the incident and ask DigiNotar whether qualified certificates had also been breached. The qualified certificates check a computer’s unique I.P. address to verify the identity of the person or body interacting with the Dutch government.

Under Dutch law, OPTA each year hires an outside auditor to monitor the performance of DigiNotar and its verification of qualified certificates for Dutch government Web sites, Ms. Garvelink said. The last audit, which was conducted this year by PriceWaterhouseCoopers, found no irregularities, she said.

Relations between the Netherlands and Iran are strained. Earlier this year, Iran, over the objections of the Dutch government, hanged a Dutch-Iranian woman accused of participating in demonstrations and drug smuggling.

In April, an Iranian asylum seeker who was being extradited to Iran set himself on fire and died in Amsterdam. The Iranian embassy in The Hague criticized the Dutch government over the incident.

Article source: http://www.nytimes.com/2011/09/07/technology/dutch-widen-probe-into-hacking-of-official-sites.html?partner=rss&emc=rss

Nintendo Is Hit by Hackers, but Breach Is Deemed Minor

TOKYO — Nintendo, the manufacturer of the Wii and 3DS game systems, said Sunday that it had been the target of a recent hacker attack, the latest in a flurry of intrusions into corporate Web sites.

Nintendo, which is based in Kyoto, said in a statement that a server at an affiliate of its United States unit was accessed unlawfully “a few weeks ago.” That server contained no consumer information and no data had been lost, the company said.

The attack on Nintendo appears to be significantly less serious than the security breach of Sony’s PlayStation Network, which forced it offline in late April for more than a month. Hackers in that case took personal data from tens of millions of user accounts, including credit card numbers.

Nevertheless, the continuing intrusions underscore the vulnerability of online services at a time companies have raced to expand their Internet offerings.

A hacker group called LulzSec, which has said it was behind several data breaches at Sony, also appeared to claim responsibility for the attack at Nintendo.

In a post on Twitter on Saturday, the group suggested that Nintendo might be spared some of the harsher intrusions it said it had directed at Sony.

“We’re not targeting Nintendo. We like the N64 too much — we sincerely hope Nintendo plugs the gap,” the group said on its Twitter account, referring to the company’s Nintendo 64 game machine, released in the mid-1990s.

LulzSec on Thursday claimed responsibility for breaking into the Sony Pictures Entertainment site and stealing personal information of about 52,000 customers. The group also claimed to have broken into a database for Sony Music’s Japanese site on May 23.

It is a consequential time for Nintendo, as it introduces its e-Shop service for the 3DS, its flagship device that lets users play 3-D games without wearing special glasses.

Nintendo said it has fixed the problem and that the hacking episode would not delay its new online service, the Nintendo e-Shop, which lets users download games for the 3DS hand-held machine. The service will go online Monday in the United States as planned, said Ken Toyoda, a spokesman for Nintendo.

“The server issue was resolved some time ago,” Mr. Toyoda said from Los Angeles, ahead of the annual E3 Expo, a major trade event for the gaming industry.

Gaming companies like Nintendo and Sony Computer Entertainment have been eager to take their businesses online to increase revenue and to compete with the popularity of simple downloadable games played on smartphones and tablet computers.

Sony had been banking on its PlayStation Network as a base for an online universe that would link its gaming consoles with its TVs, digital music players and other Sony-made devices.

Sony promised in May that it would bolster its online security. It said it was cooperating with the F.B.I. in a wide-ranging investigation.

Other tech giants have been the focus of a global surge in hacker attacks. Last week, Google said that hundreds of users of Gmail had been the targets of clandestine attacks, apparently originating in China.

The attacks were aimed at stealing the passwords and monitoring e-mail from accounts of senior government officials in the United States, Chinese political activists, officials in several Asian countries, military personnel and journalists, Google said.

Article source: http://feeds.nytimes.com/click.phdo?i=bbfac37a0d7b8fb22ecbb21034af05a7