The week’s biggest data breach news had nothing to do with Anonymous or any other online group. Instead, Stanford University’s hospital confirmed that a spreadsheet containing 20,000 patient records had been posted onto a commercial Website.
In this incident, an employee of a third-party service provider to the hospital posted the entire patient information spreadsheet to a Website in search of help on creating bar graphs. This is a remarkable, yet telling example of what can go wrong if employees are not trained to be privacy conscious.
As organizations increasingly share sensitive data with partners and contractors, it’s critical that IT administrators implement strong security controls internally and demand their third-party providers to do the same.
Meanwhile, the fallout from the hacking of Dutch certificate authority DigiNotar continues, as major browser makers revoked the compromised company’s root certificates. Microsoft removed the root certificates from all supported versions of Windows so that Internet Explorer and other programs won’t allow users to access sites with an SSL certificate signed by DigiNotar.
Mozilla followed suit, but went one step further by demanding that all other CAs audit their systems, especially after reports that other certificate authorities may also have been compromised.
Google moved quickly to update Chrome, and Opera Software has followed suit. Apple on Sept. 9 finally released its Mac OS X update to protect Safari users. Adobe also removed DigiNotar’s Qualified CA certificate from the Adobe Approved Trust List, protecting Adobe Reader and Adobe Acrobat versions 9 and X.
Highlighting the fragility of the infrastructure powering the Internet, Turkish attackers breached a European DNS provider and modified the Domain Name System records for several major Websites, including the United Kingdom newspapers The Register and the Daily Telegraph.
Even though there’s been a lot of talk by domain owners and DNS providers about the necessity of deploying the security protocol DNSSEC to protect domains, researchers pointed out that this wouldn’t have stopped the attackers, since the orders to redirect the sites came from the actual DNS provider. It underscores the importance of securing Websites from basic issues such as SQL injection because attackers will always go after the lowest hanging fruit instead of sophisticated exploits.
Microsoft announced a small Patch Tuesday release for September, with only five bulletins, none of which was rated “critical.” The company accidentally released the final bulletins detailing the vulnerabilities fixed on Sept. 9, four days too early, but managed to keep the links to the patches inactive.
The bulletins have been yanked, but researchers at SANS Institute are concerned that some of the bugs are misclassified and should have been ranked “critical.” The actual Patch Tuesday updates are expected to be released on Sept. 13.
Cyber-criminals continue to rely on botnets to push out their malicious operations, and SpyEye was the most dominant in the first half of 2011, according to a report released Sept. 7. The researchers speculated that SpyEye’s dominance could be the result of the merger with the Zeus Trojan, and speculated even bigger activity now that a version of the toolkit is readily available online.