Following a massive security breach, Visa has dropped Global Payments from its registry of providers that meet data security standards, The Associated Press reported on Monday. Global Payments CEO Paul Garcia said that the company will continue to process Visa transactions, however being dropped from the registry “could give our partners some pause that they’re doing business with someone who experienced a breach.” Garcia fully expects his company to be reinstated once it has been issued a new report of compliance, although he declined to specify when that might happen. The CEO maintains that the situation is “absolutely contained” and is being fully investigated. Global Payments confirmed on Sunday that hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers, however cardholder names, addresses and Social Security numbers were not compromised. The company plans to set up a website to assist consumers who might have been affected by the breach.

Read

Hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers, Global Payments, Inc. confirmed on Sunday. The international credit card processor was blocked by Visa after it reported the possibility of a major security breach on Friday. The company did not indicate how the hackers gained access to its system or who might be responsible for the attack. ”Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” the firm told The Wall Street Journal while noting that cardholder names, addresses and Social Security numbers were not compromised. The company did say that the credit card numbers were downloaded during the attack rather than just being accessed, however, indicating that the perpetrators may intend to use the information to create counterfeit credit cards. Affected Visa and MasterCard customers have not yet been notified that their account information was stolen.

Executive assistant director of the FBI Shawn Henry, who after more than two decades is preparing to leave the bureau, said in an interview with The Wall Street Journal that computer criminals are too talented and current defensive measures are too weak to stop them. “We’re not winning,” he said, claiming that the current public and private approach to fighting off hackers is “unsustainable.” Congress is currently considering two competing bills that are designed to strengthen critical U.S. infrastructures such as power plants and nuclear reactors. Henry believes that companies must make major changes in the way they use computer networks to avoid further damage to national security and the economy, however. He said too many companies don’t recognize the financial and legal risks they are taking by operating vulnerable networks. “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model,” Henry said. “Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”

Read

Zappos on Sunday confirmed that hackers breached the company’s servers and accessed personal data belonging to many of its customers. The Amazon-owned shoe retailer known for top-notch service and surprising customers with express shipping at no extra cost confirmed that personal data from 24 million accounts was accessed during a recent security breach. The hackers gained access to range of sensitive data including user names, encrypted passwords, customer names, email addresses, phone numbers and the last four digits of credit card numbers. The company stated that full credit card numbers were not compromised. As a security measure, Zappos reset the passwords of all affected customers and sent out emails alerting them to the situation. The company’s full email to customers follows below.

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Massachusetts Attorney General Martha Coakley recently said her iTunes account was compromised by identity thieves and that she will press Apple for answers. It is unclear how the thieves gained access to Coakley’s account, perhaps through an application, but the hackers stole credit card information and made fraudulent purchases, ThreatPost said. Coakley brought up the attack during a speech for the launch of the Massachusetts Advanced Cyber Security Center. She noted that Dell blocked her credit card when the hackers tried to purchase a computer, believing the purchase to be fraudulent. Apple, however, did not. Coakley said she would reach out to the iPhone maker and demand information. ThreatPost argued that Coakley might have been speaking so strongly in an effort to build support for Massachusetts’ state data privacy, data protection and data breach notification laws. Coakley believes companies such as Apple should be held liable when in violation of the aforementioned laws. The Massachusetts Attorney General’s office said any company that has had a breach which “creates a substantial risk of identity theft or fraud against a resident of the commonwealth,” should publicly disclose the attack.

Read

Following a major security breach earlier this year, Sony made good on its promise to bolster its security by hiring a former official from the U.S. Department of Homeland Security to serve as its chief information security officer and senior vice president, Reuters reported on Tuesday. Philip Reitinger formerly served as the director of the U.S. National Security Center. “Certainly the network issue was a catalyst for the appointment,” a Sony spokesman told Reuters. “We are looking to bolster our network security even further.” Sony’s online PlayStation and Qriocity networks were attacked in May when a hacker group known as LulzSec gained access to personal data belonging to more than 100 million users. A string of subsequent hacks on Sony’s digital properties made headlines for the better part of two months, and Sony’s PlayStation Network was not fully restored until July.

Read

A breach of Dutch SSL certificate authority DigiNotar is reportedly much bigger than initially thought, with more than 200 digital certificates having been stolen in July by hackers who breached the company’s network. Using the stolen certificates, hackers can potentially intercept and even alter data Internet users believe to be secure and encrypted. ”About 200 certificates were generated by the attackers,” Dutch security expert Hans Van de Looy told Computerworld, citing anonymous sources. Van de Looy says certificates for mozilla.com, yahoo.com and torproject.org were among those obtained by the hackers. Mozilla’s Johnathan Nightingale, director of Firefox development, confirmed the breach on Thursday. “DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” Nightingale said in a statement. BGR reported on Wednesday that the Iranian government has allegedly been using one of the stolen certificates to spy on Gmail users, and at that time the full extent of the DigiNotar breach was unknown. The compromised certificates have all revoked by DigiNotar, but not all Web browsers check for revoked certificates so the impact of this breach will likely be ongoing for some time.

Read

In response to the arrests of LulzSec member Topiary and Anonymous PayPal hackers, members of the AntiSec initiative have infiltrated 50 police departments across the United States and stolen 10GB of data. According to a release put out by the group, which includes members from Anonymous and LulzSec, the data includes “private police emails, training files, snitch info and personal info on retaliation for Anonymous arrests.” It also includes social security numbers, address information, passwords, credit card numbers, training files and more. “We hope that not only will dropping this info demonstrate the inherently corrupt nature of law enforcement using their own words, as well as result in possibly humiliation, firings, and possible charges against several officers, but that it will also disrupt and sabotage their ability to communicate and terrorize communities,” a recent press release said. The data was stored on a single server and the hackers said it took less than 24 hours to infiltrate and copy the information. In a release posted on PostBin, the AntiSec movement called on other hackers to join in and “make 2011 the year of leaks and revolutions.” The group also told the government to give up and said “you are losing the cyberwar, and the attacks against the governments, militaries, and corporations of the world will continue to escalate.”

[Via Gizmodo]

Read

An Arkansas man has been indicted for carrying out a cyberattack on AT&T servers that resulted in the theft of personal data from more than 100,000 iPad users. Andrew Auernheimer has been charged by a New Jersey grand jury with one count of conspiracy to gain unauthorized access to computers and one count of identity theft, Reuters reports. Auernheimer’s codefendant Daniel Spitler entered a guilty plea after being charged with the same crimes late last month. Court documents recount several conversations Auernheimer allegedly had surrounding the AT&T breach, and the evidence appears to be damning. “If we get 1 reporters address with this somehow we instantly have a story,” he wrote to Spitler on June 6, 2010, according to the indictment. “HI I STOLE YOUR EMAIL FROM AT&&T WANT TO KNOW HOW?” Auernheimer later continued, “The more email addresses we get … the more of a freakout we can cause.” Both Auernheimer and Spitler are said to be associated with “Goatse Security,” a hacker group reportedly focused on disrupting online content and services.

Read

Apple has promised to patch a security hole found in the iPhone and iPad following a report published by Germany’s Federal Office for Information Security. Reportedly, a PDF security hole could allow hackers to gain unauthorized access to personal data — such as messages and passwords — stored on an iPhone or iPad and could “infect the mobile device with malware without the user’s knowledge.” Apple’s PR team was quick to respond to the allegations. “[Apple is] aware of this reported issue and developing a fix that will be available to customers in an upcoming software update,” Bethan Lloyd, an Apple spokesperson told AFP on Thursday. Apple has not yet confirmed when it will push out the security update.

[Via Mobile Burn]

Read

Nearly two and a half months after its networks were breached by the hacker group LulzSec, Sony will finish restoring its PlayStation Network later this week when it reactivates the service in Japan. According to Bloomberg, Sony has been working with the FBI to identify the LulzSec hackers who were responsible for the attack on its San Diego data centers, during which the hackers obtained account information for more than 100 million PlayStation Network users. Reportedly, LulzSec rented and used servers from Amazon.com’s cloud service to facilitate the attack. Sony CEO Howard Stringer apologized after the attacks and offered a year of identity theft protection to those affected by the breach, as well as a free month of access to PSN.

Read

Notorious hacker collective “Anonymous Operations” on Sunday published data it claims to have obtained by breaching a server belonging to Apple. The data, which consisted of 27 usernames and passwords, was allegedly taken during from surveys stored on an Apple server. Though the group said on one of its Twitter accounts that it is “busy elsewhere,” and therefore will seemingly not be targeting Apple again in the near future, it claims to have exploited a security flaw common to several companies when it gained access to Apple’s server. Anonymous said the breach was part of its AntiSec movement, short for anti-security, which is aimed at “exposing corporate and government data and humiliating security firms.”

Read

The infamous group of “hacktivists” known as Anonymous Operations on Thursday launched a new tool to aid its digital crusade against targeted governments and corporations. Dubbed “HackerLeaks,” the new site is a tool hackers can use to distribute data anonymously, and it adopts the model popularized by WikiLeaks. Hacker groups like the now-defunct LulzSec used a variety of tools to disseminate the spoils of their cyberattacks, but Anonymous explains that their tool has a number of benefits. “Anonymous and the [People’s Liberation Front] have already established connections to the media outlets that can help better expose important data, and that they hope to also provide ‘unique and enlightening analysis,’” the group said in a statement. HackerLeaks it the latest addition to Anonymous’ movement known as “AntiSec,” which is aimed at “exposing corporate and government data and humiliating security firms.”

Read

The small group of hackers known as Lulz Security, or simply “LulzSec,” would never disband without one final round of fun. BGR reported on Monday that the group’s reign of terror was coming to an end after 50 lul-filled days. During that period of time, LulzSec released data stolen in a series of online breaches with targets ranging from Sony to the U.S. Government. In its coup de grâce, LulzSec released a stash of stolen data from a variety of targets, including AT&T, Disney and the U.S. Navy. But data obtained through online breaches wasn’t the only thing LulzSec stuffed into the file; a directory named “BootableUSB” also contained a variety of malware including trojans and worms. While “LulzSec” is no more and its notorious Twitter account now sits dormant, members of the well-known hacktivism group “Anonymous Operations” have confirmed that LulzSec is gone in name only — the six LulzSec members have been absorbed by Anonymous, according to the group’s official Twitter feed.

Read

A recent online security breach involving the left of 360,000 credit card numbers will cost Citigroup $2.7 million, the company confirmed to U.S. government officials on Monday. Hackers infiltrated Citigroup servers last month and stole account numbers and personal information associated with over 360,000 Citi-branded credit cards. According to Citigroup, personal information and card numbers from approximately 3,400 cardholders was subsequently used to make about $2.7 million in unauthorized purchases. Citigroup stated that affected customers would be reimbursed for the fraudulent charges. No arrests have been made in association with the breach.

Read