December 23, 2024

ICANN: ‘Most Critical’ Systems Not Affected in Recent Breach

Posted on December 21, 2014 by in Security

On Dec. 16, Internet Corporation for Assigned Names and Numbers (ICANN) said it fell victim to a spear phishing attack that resulted in email credentials of several ICANN staff being compromised.

The incident, which occurred in late November and was discovered in early December, allowed attackers to access the Centralized Zone Data System and the ICANN GAC Wiki.

The attacker(s) were able to poke around ICANN systems and obtain administrative access to all files in the CZDS, including copies of the zone files in the system, as well as user information such as name, postal address, email address, fax and telephone numbers, username, and password, according to the original announcement.

DNSFortunately, ICANN said that those compromised accounts did not have access to the IANA functions systems, which the organization says are a separate system with additional security measures that have not been breached.

IANA functions coordinate domain names with IP addresses to appropriately direct DNS requests to the appropriate server.

ICANN has a contract with U.S. Department of Commerce to maintain the IANA functions on behalf of the entire Internet community.

“During and after the attack, all critical functions hosted by ICANN, including the IANA functions, remained fully operational and unaffected by the attacker’s activities,” ICANN said in an update.

“ICANN employs multiple levels of protection for its most critical services. While the attackers were able to breach the outermost layer of defenses, our on-going investigation indicates our most critical systems were not affected.”

Related: Don’t Let DNS be Your Single Point of Failure

Related: DNS Hijack – How to Avoid Being a Victim

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Trustwave Hit With Lawsuit Tied to Target Breach

Posted on March 26, 2014 by in Security

The fallout from the Target data breach has put security firm Trustwave in the middle of a class action lawsuit.

The complaint, which was filed March 24 in U.S. District Court in Illinois, names both Target and Trustwave and accuses the security company of failing to protect Target’s systems.

Contacted by SecurityWeek, a Trustwave spokesperson said the company does not comment on pending litigation or confirm the identities of customers.

Trustwave Sued Over Target BreachThe complaint was filed on behalf of Trustmark National Bank and Green Bank, N.A., and “all other similarly situated financial institutions.”

In the compliant, the banks state Trustwave was hired by Target to protect and monitor the retailer’s systems, and that the security vendor scanned Target’s systems on Sept. 20, 2013, and found no vulnerabilities were present. Because of vulnerabilities in Target’s network however, millions of payment card records were stolen, the complaint states.

“Additionally…Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII [personally-identifiable information] or other sensitive data,” the complaint reads. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”

“Trustwave failed to live up to its promises, or to meet industry standards,” the complaint continues. “Trustwave’s failings, in turn, allowed hackers to cause the Data Breach and to steal Target customers’ PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the Data Breach to Target or the public.”

The investigation into the breach revealed that Target’s systems were compromised from Nov. 27 to Dec. 15. The data breach, which also included the theft of information such as email and mailing addresses for millions of Target customers, was one of the biggest such incidents in recent history. In February, the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) reported that costs associated with the breach exceed $ 200 million. Much of that figure – $ 172 million – comes from the cost of replacing cards for CBA members, while CUNA reported that the cost to credit unions had reached $ 30.6 million.

“A recent analysis by global investment banking firm Jefferies suggests that payment card issuers could sustain upwards of $ 1 billion of damages as a result of the Target Data Breach based on an estimated 4.8 million to 7.2 million stolen and compromised Payment Cards being used to make fraudulent purchases and unauthorized cash withdrawals,” according to the complaint. “These costs fall on Trustmark and the other Class members, even though they had nothing to do with causing the Data Breach and could not have avoided it.”

The suit asks for unspecified damages. 

Just last week, TrustWave announced that it had acquired Cenzic, Inc., a maker of application security testing solutions, for an undisclosed sum.

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Neiman Marcus Breach Not as Bad as First Thought

Posted on February 24, 2014 by in Security

Nieman Marcus Data Breach

In the world of security, these types of announcements don’t happen often. While still bad news, the recently-disclosed data breach at Neiman Marcus has impacted fewer customers than the company first thought.

 In early January, the high-end department store warned that customer credit and debit card information was compromised as a result of a cyber attack.

Neiman Marcus did not originally say how payment card numbers were affected as a result of the data breach, but on Jan. 23 said approximately 1,100,000 customer payment cards could have been potentially affected after hackers used sneaky point-of-sale (POS) malware to obtain details of customer payment cards.

Now, according to the investigation of the data breach, the number of potentially affected payments cards is lower, and is now estimated to roughly 350,000.

“The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16 -October 30 period,” Karen Katz, President and CEO of Neiman Marcus, wrote in a notice posted to the company’s Web site.

“We do know, and our forensic reports have confirmed, that malicious software (malware) was clandestinely installed on our system and that it attempted to collect or “scrape” payment card data from July 16, 2013 to October 30, 2013,” Katz said.

Fortunately, Neiman Marcus does not use PIN pads its retail locations, so PINs were never at risk, unlike the recent data breach at Target.

Neiman Marcus told SecurityWeek in January that it was warned by its credit card processor in mid-December about potentially unauthorized payment card activity that occurred following customer purchases at Neiman Marcus stores.

Of the 350,000 payment cards that may have been captured by the POS malware, Katz said Visa, MasterCard and Discover told Neiman Marcus that, so far, approximately 9,200 of were subsequently in fraudulent transcations elsewhere.

The Neiman Marcus Group operates 41 Neiman Marcus branded stores, 2 Bergdorf Goodman stores, and 35 Last Call stores.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed