Apocalypse Now

Just because you think your data is safe does not mean your database of sensitive organization information has not already been cloned and is resident elsewhere, ready to be sold to the highest bidder. To make matters worse, it has only recently been discovered that hackers are not simply selling your data; they are also selling the fact that you have vulnerabilities to others, be they hackers, industrial spies or terrorists.

It all sounds apocalyptic, doesn't it? Well, rather than being an angel of doom, I'll let the stats speak for themselves.

TJX Companies Inc.

TJX Companies, owners of T.J. Maxx, Marshalls, Winners, HomeGoods, A.J. Wright, and Bob's stores, disclosed on the 17th January this year that 40 million of their customers' credit and debit card details were stolen. In parallel, federal credit union SEFCU published a similar warning that the personal details of 10,000 of its customers were compromised in the hack attack.

Another 60 banks, including Citizen Union Savings Bank and Bank of America, seem to have customers whose credit and debit cards have been breached in this attack.

Ben Cammarata, Chairman and Acting Chief Executive Officer of TJX Companies, stated that the nature of the hack is not known and two computer security experts are at hand examining the problem. The warning issued by SEFCU sheds greater light and states: "A fraudster may have gained access to ... card information through one of those entities in the payment network, including the merchant."

SC Magazine reports that hackers used data from the breach to purchase goods in a number of states in the US, in Hong Kong and in Sweden.

A digest of the latest developments follows:

- According to the 3WCAX-TV website, the attack is expected to cost consumers one-point-five million dollars. This article was published before lawsuits started sprouting.
- Brian Fraga, Standard-Times, reports that a class action lawsuit was filed this week in U.S. District Court (Boston) against TJX. The amount of damages sought is undisclosed. According to SC Magazine, yesterday a West Virginia resident filed another lawsuit and is suing TJX for $5 million.
- U.S. Rep. Ed Markey, D-Mass., chairman of the House Subcommittee on Telecommunications and the Internet, has called for the Federal Trade Commission to investigate the hacking, according to a report today in the Boston Globe.
- Today, the Government of Canada stated that it is launching an investigation into TJX and the data breach.
- Of note is that the hacking may have started in May 2006, and the breach was discovered only in December 2006 (and publicized in January 2007).

Universities

University systems are usually highly decentralized, which makes it hard to ensure tight security. One department may have deployed a hardened security infrastructure while others loll in lax measures, making the whole system weak.

The following are some of the recent university hacks due to web application vulnerabilities:

- Last month, a hacker infiltrated a massive database from the University of California, Los Angeles, containing personal information (including social security numbers, dates of birth, home addresses and contact information) on 800,000 people, in one of the worst computer breaches ever at a US university.
- In January 2007, the University of Arizona reported a breach that happened in November and December last year and affected several services, according to the Privacy Clearing House. The number of affected records is as yet undisclosed.
- In December 2006, University of Colorado - Boulder experienced a hack attack that resulted in the theft of thousands of names and social security numbers; a total of 17,500 records were compromised.
- University of Texas, Dallas, reported in December 2006 that the data of 35,000 individuals (current students and alumni) was compromised. Social security numbers were exposed, according to the Privacy Clearing House.

Changing Trends in What Motivates Hackers

According to Zone-H, the top 50 attackers defaced a total of approximately 2.5 million websites all over the globe. According to the CSI/FBI Computer Crime and Security Survey 2005, one of the most dramatic findings was the exponential increase in website defacement experienced by their respondents: in 2004, 5% of the respondents experienced defacement, while in 2005 that figure went up to 95%. Recent trends over the past 12 months show that there is a shift from such disruptive vandalism that gains notoriety towards theft of data that translates into profit. The report on 2006 is still to be published.

Statistics

Since many organizations do not monitor online activity at the web application level, hackers have free rein, and even with the tiniest of loopholes in a company's web application code, any experienced hacker can break in using only a web browser and a dose of creativity and determination. It seems that most hack attacks are discovered months after the initial breach simply because attackers do not want, and will not leave, an audit trail. In web application attacks, physical evidence (e.g., a missing database) is nonexistent: hackers are interested in stealing the data and leaving it intact.

Recent research by a leading research firm shows that 75% of cyber attacks are done at web application level. As yet unpublished research at Acunetix seems to corroborate this finding. Competing web application security organizations record similar data.

The Privacy Clearing House reports more interesting findings, including the fact that over 100 million records have been compromised since February 2005. However, this figure excludes the TJX episode of around 40 million records. Out of a total of around 140 million, approximately 80 million were due to hacking attacks. Having said this, it is not known whether the TJX episode was a network or a web application breach.

The Cost of Being Hacked

The costs of hack attacks to any organization are extensive, with possible financial burdens that may result in closure:

- Loss of customer confidence, trust and reputation, with the consequent harm to brand equity and consequent effects on revenue and profitability;
- Possible loss of the ability to accept certain payment instruments, e.g. VISA, Mastercard;
- Negative impact on revenues and profits arising from any falsified transactions and from employee downtime;
- Website downtime, which is in effect the closure of one of the most important sales channels for an e-business;
- The expenditure involved in repairing the damage done and building contingency plans for securing compromised websites and web applications; and
- Legal battles and related implications from web application attacks and lax security measures, including fines and damages to be paid to victims.

The 2005 CSI/FBI Annual Computer Crime and Security Survey reports some interesting findings: the total losses per category of breach (valid only for the US) are reported to be over $130 m for the 639 respondents willing and able to estimate their losses. The Survey authors also state that while explicit costs (such as costs of reinstalling software and reconfiguring computer systems) are more accurately accounted for by respondents, implicit costs (such as lost future sales due to negative media coverage following a breach) are more difficult to account for and are largely not represented in the loss numbers reported here.

Now does it sound apocalyptic? I believe there is serious need for all to worry.