Thursday, November 19, 2009

Health Net healthcare data breach affects 1.5 million

What's happening: Health Net announced that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers. The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted and that it included data on 446,000 Connecticut patients.

What it means: This loss illustrates some of the challenges of securely managing sensitive information. Who, if anyone, authorized sensitive information to be stored on a portable, easy-to-lose hard drive? Why was the drive not encrypted? Why did it take the company 6 months to notify anyone? What will this cost them? What will they learn from it?

What to do: Stay vigilant. What happened to Health Net can happen to any business.

**********************************
Health Net healthcare data breach affects 1.5 million

Wednesday, November 18, 2009

Is Your Smartphone Eavesdropping on Your Conversations?

What's happening: In late October, Indonesian developer Sheran Gunasekera released mobile-phone software that can help someone eavesdrop on your conversations. The free application, called PhoneSnoop, can be downloaded onto your BlackBerry, remotely turn on the microphone, and listen to conversations held in proximity to the device.

What it means: PhoneSnoop and the similar FlexiSPY are two of a growing number of applications that can be downloaded onto a smartphone without a user's knowledge. Smartphones and the growing number of people using them are becoming a bigger target for unauthorized and potentially harmful software, including worms, viruses, and spyware that tracks a user's Web activity.

What to do: Configure your smartphone so apps can be downloaded and installed only with your approval. Make sure IT staff is staying on top of this growing threat.

**********************************
Smartphones: A bigger target for security threats

UK Police Reveal Arrests Over Zeus Banking Malware

What's happening: British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a malicious software program often used in sophisticated online bank fraud. When installed on a PC, Zeus can send spam, steal financial or other data or conduct a distributed denial-of-service attack against other computers. Machines infected with Zeus are essentially a botnet.

What it means: While it's good to get these two cybercriminals off the street, the total effect is like taking a glass of water out of the ocean.

What to do: Celebrate that these two are in jail. Then go back to protecting sensitive business and family information. The battle is far from over.

**********************************
Two held in global PC fraud probe

Thursday, November 12, 2009

Phishing Alert: “Rejected ACH Transaction.”

What's happening: NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See NACHA's press release below.

What it means:
Cybercriminals are attempting to lure unsuspecting businesses to a web site that will infect their computers with malware.

What to do: Don't fall victim to these phishing attacks. Always be suspicious. Ask yourself: "Does this email make sense?" Make sure technology defenses are in place in case you slip.

**********************************
NACHA Phishing Alert (11/12/2009) E-mail Claiming to be from NACHA

NACHA – The Electronic Payments Association has received reports that individuals and/or
companies have received a fraudulent e-mail that has the appearance of having been sent from
NACHA. See sample below.

The subject line of the e-mail states: “Rejected ACH Transaction.” The e-mail includes a link
which redirects the individual to a fake web page which appears like the NACHA Web site and
contains a link which is almost certainly an executable virus with malware. Do not click on the link.
Both the e-mail and the related Web site are fraudulent.

Be aware that phishing e-mails frequently have links to Web pages that host malicious code and
software. Do not follow Web links in unsolicited e-mails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or
otherwise unusual.

NACHA itself does not process nor touch the ACH transactions that flow to and from
organizations and financial institutions. NACHA does not send communications to individuals or
organizations about individual ACH transactions that they originate or receive.

If malicious code is detected or suspected on a computer, consult with a computer security or
anti-virus specialist to remove malicious code or re-install a clean image of the computer system.
Always use anti-virus software and ensure that the virus signatures are automatically updated.
Ensure that the computer operating systems and common software applications security patches
are installed and current.

Be alert for different variations of fraudulent e-mails.

= = = = = Sample E-mail = = = = = =

From: nacha.org [mailto:report@nacha.org]
Sent: Thursday, November 12, 2009 10:25 AM
To: Doe, John
Subject: Rejected ACH transaction, please review the transaction report
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic
Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report (this is how the link is presented)
------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association
= = = = = = = = = = = = = = = = = = =

Tuesday, November 10, 2009

Hundreds of Facebook Groups Hacked

What's happening: A hacker, or group of hackers, has taken over up to 300 different Facebook groups.

What it means: Facebook has again shown that its security controls are inadequate to keep hackers from misusing its network. Cybercriminals and other miscreants continue to have their way with social network sites. This puts the burden of security on end-users like you and me.

What to do: Don't assume Facebook is protecting your security. They can't. Take responsibility for protecting yourself.

**********************************
Hundreds of Facebook Groups Hacked

Tuesday, November 3, 2009

FBI Says Total On-Line Fraud Exceeds $100M and Continues to Grow

What's happening: The FBI has issued a new warning about the magnitude of online bank fraud. The amount lost so far now exceeds $100 million.

What it means:
The magnitude of the threat to business continues to increase as cyber-criminals continue to steal money from small and medium-sized businesses, not-for-profits, and educational institutions.

What to do:
Make sure all defenses are in place. Consult our guides for specific advice.

**********************************
From IDG News Service: FBI warns of $100M cyber-threat to small business

Cyberthieves are hacking into small- and medium-sized organizations every week and stealing millions of dollars in an ongoing scam that has moved about $100 million out of U.S. bank accounts, the FBI warned Tuesday.

It's now one of the top problems being addressed by the National Cyber Forensics and Training Alliance (NCFTA), which works with the FBI and industry to share information about cyberattacks, said NCFTA Executive Director Ron Plesco. "Every year there seems to be a trend and this has been the trend this year," he said.

There has been a "significant increase" in what's known as ACH (automated clearinghouse) fraud over the past few months, much of it targeting small businesses, municipal governments and schools, the FBI said in an alert posted to its Web site.

http://www.computerworld.com/s/article/9140308/FBI_warns_of_100M_cyber_threat_to_small_business?taxonomyId=142

IC3 Intelligence Note: Online Bank Fraud

What's happening: The Internet Crime Complaint Center (IC3) has released an Intelligence Note on the recent jump in online bank fraud. The report provides a good non-technical overview of what's going on and some of the things needed to deal with it.

What it means: The bad news is that online bank fraud is on the rise. The good news is that, by shining the spotlight on the problem, potential victims can take appropriate steps to better their odds.

What to do: Read the article. Forewarned is forearmed.

**********************************
IC3 Intelligence Note: Compromise Of User's Online Banking Credentials Targets Commercial Bank Accounts