The news that JPMorgan Chase & Co, which is the largest of the US banks with a reach that extends to half of all American households, has been breached will surprise nobody. At least not in the sense that this is old news, with a disclosure of the event happening in August. The actual breach was discovered by the bank back in July, and is thought to have been active for at least a month prior to that. What is surprising, however, is that a financial organisation of such a size and reputation should fall victim to such a breach …

According to the latest [Verizon 2015 Data Breach Investigations Report](http://www.verizonenterprise.com/DBIR/), all but four per cent of the security incidents analyzed by researchers could be accounted for by just nine basic attack types. That's pretty useful information for enterprises looking to prioritize their approach to security in terms of establishing a stronger security posture. So, as far as the nearly 80,000 incidents that were analyzed to form the basis of the report go, what were these nine basic patterns? Verizon states that the nine threat patterns are: 1. Miscellaneous errors (such as sending an email to the wrong person, for example) …

So, a bunch of US financial institutions have been hacked. Nothing new there, if we are being brutally honest. The newsworthiness in this particular case comes courtesy of one of those organisations apparently being none other than JP Morgan Chase. USA Today reported yesterday that a federal law enforcement official had told the media outlet, unofficially, that Russian hackers were behind the series of breaches which resulted in the loss of "sensitive data." JP Morgan Chase did not confirm the accuracy of the report, but a spokesperson did tell USA Today that it uses "multiple layers of defense to counteract …

SuperValu has confirmed that it has, indeed, suffered a data breach. The supermarket company [stated](http://www.supervalu.com/security.html) that what it calls a "criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores, including some of its associated stand-alone liquor stores" may have resulted in "the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores." If you thought that was a bit of …

Another day, another breach. The latest to disclose that there had been some 'unauthorised access to systems and internal company data' is music streaming service Spotify. The disclosure itself was something of an odd one, claiming that investigation suggested only a single user's data had been compromised following an issue with the Android app. Oskar Stal, CTO at Spotify, claims that the investigation suggests no password, financial or payment information was accessed. "Based on our findings, we are not aware of any increased risk to users as a result of this incident" Stal insists, continuing "...as a general precaution will …

The latest major online outfit to suffer from a breach is Bitly, the url shortening service beloved by users of Twitter and Facebook. According to a statement from Bitly CEO Mark Josephson, the company has "reason to believe that Bitly account credentials have been compromised." ![c385df134b645f20b10410443c05d835](/attachments/large/0/c385df134b645f20b10410443c05d835.jpg "c385df134b645f20b10410443c05d835") Although Josephson insists that there is no indication at the current time that any Bitly accounts have actually been accessed by the hackers, he has quite wisely taken the proactive step of disconnecting all users' Facebook and Twitter accounts which means they will be required to reconnect these when they next login once …

If a week is a long time in politics, then 24 hours is an absolute age in ecommerce security terms. Which makes the findings of a Tripwire survey, published today, all the more worrying. The survey, conducted by Atomic Research, questioned 102 financial organizations and 151 retail organizations which process card payments in the United Kingdom. It concluded that 35% of organisations take two or three days to detect a breach, with 44% admitting they could protect customer data better. This gets more worrying when you realise that 24% had already been victims of a data breach which saw …

Last week, the NoSQL database host MongoHQ suffered a breach which exposed customer files, email addresses and password data to the attackers. The ripples from that breach are still being felt, as users of the Sunrise calendar app on the iPhone found out this morning. Luckily that password data was not stored in the clear: it was hashed using bcrypt. As security expert [Paul Ducklin](http://nakedsecurity.sophos.com/2013/10/31/lessons-to-learn-from-the-mongohq-database-breach/) from Sophos explains: "bcrypt is a so-called keystretching function that ramps up the time it takes for a supplied password to be checked against its stored hash, by requiring various parts of the hash calculation to be repeated …

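To make the key-stretching point in the MongoHQ item concrete, here is an added example that is not part of the original post or of MongoHQ's or Sophos's code. bcrypt itself is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; the mechanism is the same one Ducklin describes, a tunable work factor that forces the hash calculation to be repeated, so every guess an attacker makes against a stolen hash costs the same stretched time as a legitimate login. The record format (`algo$iterations$salt$hash`) and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Added example (not the post's or MongoHQ's code): key stretching with
# PBKDF2-HMAC-SHA256 as a stdlib stand-in for bcrypt. The record format
# "algo$iterations$salt_hex$hash_hex" is an assumption for this example.
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=600_000, salt=None):
    """Hash a password with a per-user random salt and a stored work factor."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), dk.hex())


def verify_password(record, candidate):
    """Re-run the stretched hash with the stored salt and cost, then compare
    in constant time so the check leaks nothing about where it diverged."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported algorithm: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record, min_iterations):
    """True if the stored work factor is below current policy; rehash on the
    next successful login so old records catch up with faster hardware."""
    return int(record.split("$")[1]) < min_iterations


def time_per_guess(iterations, rounds=3):
    """Average seconds one candidate costs at a given work factor. This is
    the price an attacker pays per guess against a leaked record."""
    salt = b"\x00" * 16  # fixed salt: we only care about timing here
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations, dklen=32)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "Tr0ub4dor&3"))                   # False
    # Doubling the work factor doubles the cost of every attacker guess.
    for it in (1_000, 10_000, 100_000):
        t = time_per_guess(it)
        print("%7d iterations: %8.2f ms/guess, ~%d guesses/s on one core"
              % (it, t * 1000, 1 / t))
```

Storing the cost alongside the hash is what lets a site raise the work factor later without a forced password reset, which is also why a dump of bcrypt records from a host like MongoHQ remains expensive to crack years after the breach.
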
UK home shopping pioneers Lakeland have sent an email to all customers past and present to warn them that the retailer's website has been hacked. What Managing Director Sam Rayner calls a "sophisticated and sustained attack" took place late on Friday 19th July. Measures were taken at the time to block that attack and repair the system; however, the ongoing investigation has revealed that two encrypted databases were compromised. In that email to customers, Rayner states that the company has been "unable to find any evidence that the data has been stolen" but nonetheless has taken immediate action to delete …

Back in December 2011, reports were circulating regarding a data breach at one of the big Chinese social networking sites, Tianya.cn that suggested the login credentials of some 40 million users were potentially exposed. Clear text usernames and password combinations were stolen by hackers during the breach, although a Tianya spokesperson at the time said that only those users who registered before November 2009 would have had clear text logins as after that the service had implemented encryption (!) - quite why the existing membership data could not have been encrypted at this point is, frankly, beyond me. Word on …

New research by [Varonis](http://www.varonis.com/) has revealed that only 25% of those companies questioned were able to answer yes to the question: "Are you able to detect when files containing sensitive data are uploaded to a third party cloud service?" Which left a staggering three-quarters of businesses in the dark about the potential for data leakage. It's a growing problem, what with the increasingly widespread availability of public cloud storage such as [Dropbox](http://www.dropbox.com) and [Google Drive](https://drive.google.com/) to employees during the last couple of years. The research paper 'Security Incidents and Real-time Alert' also suggests that companies are in the dark about …

Although the Opera web browser client is no longer the big 'little player' that it used to be, having long since been eclipsed by the likes of Chrome and Firefox in the Internet Explorer alternatives stakes, it can still claim more than 300 million users and a place as the world’s most popular browser for mobile phones. So when you learn that Opera Software, the company in Norway behind the Opera browser, has admitted that its internal network infrastructure has been hacked, you have every right to be a little concerned. That concern may grow a bit when you discover that …

One of the Internet's biggest online dating sites, eHarmony, has confirmed that security has been breached and member passwords compromised. eHarmony spokesperson Becky Teraoka says that "a small fraction of our user base has been affected" although I am led to understand that the 'small fraction' in question is actually around 1.5 million. The password hashes were published on a Russian hacking forum, with members asking for help in cracking them and converting the hashes into usable passwords. ![dweb-eharmony](/attachments/small/0/dweb-eharmony.jpg "align-right") Sound familiar? Well that's because this has the hand of the LinkedIn password hacker all over it. As [DaniWeb reported …

Following on from the news earlier this month that [LinkedIn had suffered a major security breach](http://www.daniweb.com/internet-marketing/social-media-and-web-communities/news/425019/linkedin-confirms-six-million-password-hack-check-if-yours-is-one-of-them) involving the compromise of at least six million user passwords, and then dating site [eHarmony apparently falling victim to the same password hacking compromise](http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/425118/dating-disaster-eharmony-confirms-passwords-exposed-by-linkedin-hacker), the latest to be hit would appear to be the UK-based consumer technology news and magazine site TechRadar. ![dweb-techradar](/attachments/small/0/dweb-techradar.jpg "align-right") Late last night the site, owned by magazine giants Future Publishing and which gets in excess of seven million visitors from around the world each month, made the announcement on Twitter and the website forums were closed while an investigation …

Over the weekend, software development and collaboration tools specialist Atlassian suffered a security breach to an internal system, potentially exposing customer passwords. The reason? It forgot about an old legacy database which had not been taken offline. According to Atlassian spokesperson [Mike Cannon-Brookes](http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html) the company had migrated its customer database into a new one, where all customer passwords were encrypted, during July 2008. "However, the old database table was not taken offline or deleted" Cannon-Brookes says "and it is this database table that we believe could have been exposed during the breach". He agrees that this was "a big error" …

I have a lot of passwords to get me onto various online sites and services, but I only need to remember one: the complex and hard to crack one that unlocks my encrypted password store. Not everyone is as paranoid as I am it seems, and many fall neatly into the dumbass category if a recent analysis of 32 million consumer passwords is anything to go by. A data security company called Imperva undertook a [detailed analysis](http://www.imperva.com/ld/password_report.asp) of breached consumer passwords, and the very fact that they ended up in the 32 million breached passwords database suggests that they were …

Heartland Payment Systems, one of the biggest card payment processors in the US, has been the victim of what could well be the biggest security breach of its kind. Malicious software installed onto the Heartland network could have compromised as many as 100 million transactions according to numerous emerging reports. This would dwarf the [TJ Maxx breach](http://www.daniweb.com/blogs/entry3772.html) which involved details of some 40 million credit card transactions being stolen. Apparently the hack attack at Heartland was discovered in-house last week and law enforcement agencies notified along with the credit card companies whose customers could become potential victims of the fraud. …

Back in May, I [broke the story](http://www.daniweb.com/blogs/entry1466.html) on DaniWeb in this very blog of how the online application facility for UK visas was not only insecure, but that it had potentially been so for years. The company concerned, VFS Global, which operated the visa online application form filing service on behalf of the UK government in India and other countries, had such Mickey Mouse security in place that anyone could easily get hold of the full application form information of anyone who had made such an application. That's anyone as in terrorist, identity thief, innocent applicant stumbling across the information …
