
IT Security Rewind – Week of September 12

It was a week of déjà vu and doppelgangers in the world of IT security, with another rogue financial trader scandal and doppelganger domains stealing data. Here is this week’s IT Security Rewind with all the gory details:

“I need a miracle” – This Facebook status update couldn’t be more appropriate for Kweku Adoboli, the 31-year-old City trader at UBS suspected of carrying out Britain’s biggest banking fraud. This week has to feel like déjà vu for the financial industry, as Mr. Adoboli was arrested at his desk yesterday for allegedly losing £1.3 billion through his rogue trades. This case is eerily familiar to the case of Jérôme Kerviel, the Paris-based Société Générale worker who lost £4 billion in rogue trades back in 2008. What’s worse is that UBS only became aware of the unauthorized trading when Mr. Adoboli told them; the bank’s monitoring systems had not picked up the loss. Could this be another situation where privileged identity management could have signaled an early warning? Stay tuned…

“When it absolutely, positively has to be there overnight.” – This week our own Oded Valin shared his thoughts with Infosecurity Magazine on moving file transfer processes to the cloud. Boiling his advice down to seven steps, Oded outlined how organizations can safely exchange sensitive files in the cloud while meeting their security and compliance requirements.

Big Data = Big Problems – Dark Reading’s Ericka Chickowski put the spotlight on data warehouses and emphasized that the quicker and easier it is to access these “big data” stores, the greater the security risk to all of that sensitive information. We have to agree with Ericka on this one: when you put more eggs into one basket (i.e. instead of separate databases you consolidate many databases into a single “big data” store), security needs to become a higher priority.

Doppelgangers Stealing Data! – Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. Among the data collected in the e-mails, Wired reported, were configuration details and passwords for an IT consulting firm’s routers and virtual private network access information for a company that manages toll roads. They also collected a lot of personal information on employees, including credit card statements and bank account records.
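The doppelganger problem above is one a mail gateway can catch on the way out. The following is an added example, not code from the article or from the researchers it describes: it checks each recipient domain in a constructed outbound mail log against a hypothetical list of our own domains, flagging subdomain variants with a dot dropped (the doppelganger pattern) and, going a step beyond the article, one-character typos of those domains. All domain names and log lines are constructed.

```python
"""Added example: spot outbound mail addressed to a doppelganger of one of our own domains.

Domain names and log lines below are constructed for illustration; they are not
from the Wired story or the researchers' data.
"""

# Hypothetical list of domains (including subdomains) that our organisation
# legitimately uses for e-mail.  A doppelganger mimics one of these.
LEGIT_DOMAINS = {"example.com", "us.example.com", "mail.eu.example.com"}


def dotless_variants(domain):
    """Domains obtained by dropping one dot between two labels of a subdomain.

    us.example.com -> usexample.com; the dot in front of the TLD is kept, since
    dropping it would not give a registrable name.
    """
    labels = domain.split(".")
    variants = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def edit_distance(a, b):
    """Levenshtein distance: one insertion, deletion or substitution per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address, legit=LEGIT_DOMAINS):
    """Return 'ok', 'external' or 'doppelganger:<kind>:<mimicked domain>'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in legit:
        return "ok"
    for good in sorted(legit):
        if domain in dotless_variants(good):
            return f"doppelganger:dotless:{good}"
        if edit_distance(domain, good) == 1:
            return f"doppelganger:typo:{good}"
    return "external"


# Constructed outbound mail log: one line per message, "key=value" fields.
SAMPLE_MAIL_LOG = """\
2011-09-12T08:14:03 from=alice@us.example.com to=bob@us.example.com
2011-09-12T08:15:41 from=alice@us.example.com to=carol@usexample.com
2011-09-12T09:02:17 from=dave@example.com to=partner@customer.net
2011-09-12T09:30:55 from=erin@mail.eu.example.com to=frank@mail.euexample.com
2011-09-12T10:11:09 from=gina@example.com to=hal@examle.com
"""


def scan_log(text, legit=LEGIT_DOMAINS):
    """Return (recipient, verdict) for every message sent to a doppelganger domain."""
    alerts = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        verdict = classify_recipient(fields["to"], legit)
        if verdict.startswith("doppelganger:"):
            alerts.append((fields["to"], verdict))
    return alerts


if __name__ == "__main__":
    for recipient, verdict in scan_log(SAMPLE_MAIL_LOG):
        print(f"ALERT {recipient}: {verdict}")
```

In practice the same check belongs on the inbound side too, since mail arriving from a doppelganger of your own domain is a phishing signal.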

Feel like you’ve finally got all the drama figured out? Let us know your thoughts in our comments section!

IT Security Rewind – August 22, 2011

What could 43,000 Yale graduates, the Securities and Exchange Commission, the Maine voter registration system and RSA possibly have in common? Their data has all been tampered with. In this week’s IT security rewind we’ll reveal the email that took down RSA, review this week’s noteworthy data breaches and question the SEC’s involvement in data destruction associated with the Bernie Madoff case. What a week!

Dear RSA, “I forward this file to you for review. Please open and view it.” – It’s been a rough week for RSA, as researchers at F-Secure believe that this email carrying an infected Excel sheet may be the sole cause of the major phishing breach that tainted the company’s reputation. According to IDG, “The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever.”

Mainers and Yale Grads Beware! Since the beginning of the “IT Security Rewind,” we have yet to go a week without some sort of publicized data breach, and this week is no different. This Tuesday, Yale University notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months. What’s interesting about this breach is that a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September.

The very next day, voters in the state of Maine were notified that a CVS-linked computer in one of the town offices was infected with data-stealing malware.

The Bernie Saga won’t end – and this week data surrounding the case takes center stage, as the Securities and Exchange Commission (SEC) has been accused of destroying thousands of data files on high-profile inquiries, including an early-stage investigation into Bernie Madoff. Whether or not privileged access played a role in this possible tampering is unclear; however, according to CSO Online, “Senator Chuck Grassley, the senior Republican on the Senate Judiciary committee, said the data that the SEC is alleged to have destroyed – between 1993 and 2010 – also concerned investigations into alleged insider trading at Deutsche Bank, SAC Capital and collapsed bank Lehman Brothers; as well as into corporate practices during Goldman Sachs’ trading of complex products with insurer AIG.”

Can you handle the security drama? Let us know your thoughts on this week’s events below…

IT Security Rewind – Week of August 15, 2011

Limitations of technologies that are supposed to be protecting against emerging security vulnerabilities, deeper examinations of mainstream breaches and more painful insider attacks—they’re all a part of the next installment of our IT Security Rewind Series. Let’s take a look, shall we?

  • You Live, You Learn: Few attacks generated as much media coverage and buzz as the attack against RSA that occurred earlier this year. This video interview from ThreatPost with Uri Rivner of RSA breaks down the different aspects of the attack including the elevation of privileges that were used to the advantage of the hackers. As Rivner explains, this breach directly exposes the limitations associated with a security strategy focused on perimeter protection, and not on the accessibility of the sensitive information and controls that can easily be manipulated from the inside of a system.
  • DAMn—Is this technology working?: A feature from Ericka Chickowski of Dark Reading finds that financial institutions are still struggling with insider threats and other security vulnerabilities despite investments in database activity monitoring tools. While DAM technology plays a critical role in protecting against SQL injections and exploits in database protocols and commands, its inherent limitation in providing for privileged user monitoring may play a key role in its apparent ineffectiveness.
  • Fast Food Diner on Network Crime: As IDG reported, a former IT worker at the U.S. subsidiary of Japanese drug-maker Shionogi has pleaded guilty to using his privileged access and controls to “create virtual chaos” by wiping out the VMware host services that ran the company’s corporate email systems. Apparently, after laying off the employee, Jason Cornish, Shionogi did a poor job of revoking passwords to the company’s network. Using a Shionogi account, Cornish logged on from a public McDonald’s Internet connection to access a vSphere VMware management console that he’d secretly installed on the company’s network a few weeks earlier. He then proceeded to delete 88 company servers from the VMware host systems—further highlighting the need to control privileged users in both physical AND virtual environments.

That’s a wrap for this week—let us know what other stories you think should be added to the rewind.

IT Security Rewind – Week of July 18, 2011

As the summer heat continues to rise, it’s clear that news about the frequency of IT security breaches refuses to take a vacation. This week the founder of popular online news site Reddit was caught red-handed while security influencers stayed cool reporting on some real threats for the utilities and government industries. Here is our take on this week’s hottest IT security stories:

  • Reddit Founder Hacks into MIT and Gets Himself Caught — Computerworld’s Grant Gross provided us with details of the indictment of the co-founder of online news site Reddit. Aaron Swartz was charged with computer intrusion, fraud and data theft for allegedly stealing 4.8 million documents from an MIT network. If convicted, Swartz, who is also the founder of the political advocacy group Demand Progress, faces a possible 35 years in prison and fines of up to $1 million.
  • Be Afraid, Be Very Afraid – We’ve all fallen for “doom-and-gloom-we’re-all-gonna-die” stories that make you want to stock your bomb shelter.  CSO’s Bill Brenner typically takes these reports as B-S; this week however, he shared an interesting report from Brian Ross, “New Terror Report Warns of Insider Threat to Utilities” to which he says “the insider threat is real.” While Brenner is referring to physical security in this particular piece, given the numerous flaws and vulnerabilities reported in SCADA software over the past few months we can’t help but draw the connection to an IT security threat as well.
  • Hackers Infiltrate Computers at the German Federal Police and Customs Service – It’s one thing to hack into a system and get the heck out of there – but to stay in that system undetected for, say, months is a whole other ballgame. In what could be an incredibly devastating data loss for the German Federal Police and Customs Service, hackers reportedly gained access to federal police computers in September 2010 and were able to steal information undetected for months. In addition, hackers were able to gain access to the German customs service and publish stolen files on the Internet. In the words of an anonymous security officer, “that is pretty much the worst thing that could happen.”

What other hot stories would you add to this list?

IT Security Rewind – Week of July 4

Despite our nice little July 4th break in the U.S., this week’s news continues to suggest that 2011 has been anything but an IT security “holiday” for a number of organizations. Let’s take a look at some of the week’s biggest news items:

Big Brother, Where Art Thou? Remember the consultant who was able to exploit a hardcoded, default password in a police cruiser’s digital video recorder system to gain access to controls and manipulate its use? We thought that was bad news, but now according to figures released by the Big Brother Watch, over 900 police officers and other staffers were subjected to internal discipline for breaching the data protection act (DPA) in the U.K. It’s one thing when law enforcement’s technology is susceptible to a data breach, it’s another when the actual officers are illegally viewing computer records for “non-policing purposes.” Talk about an abuse of privileges.

Not an Even Trade Between U.S. and China - A ThreatPost article details the arrest of a CME Group employee who allegedly stole trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange and passed them along to China. The implications here obviously are far-reaching, as the employee downloaded “thousands of files” containing “source code and proprietary algorithms” used by CME to run its trading systems. What is unclear, however, is how he gained access to the systems—was it through an escalation of privilege to access this sensitive information?

IT Security Rewind, uh, Rewind – Clearly, we think it’s important to recap the week’s most important IT security related developments, so we are always excited to identify similarly detailed reports, like this one from Help Net Security, that covers recent security incidents. The report recaps some of the biggest events of the year—from RSA to Citibank—and highlights the impact of the breaches on the organizations and their users.

That’s it for this week—thoughts? Comments? Bring ‘em on.

IT Security Rewind – Week of June 27

While we in the U.S. office are caught up thinking about July 4 festivities, the world of security bids adieu to LulzSec, CitiBank ups its losses and CWE/SANS unveil this year’s list of the Top 25 most dangerous programming errors, which have been the focus of so many recent attacks. Let’s get started with this week’s rewind!

Hard-coding a secret password is just bad manners - The New York Times and multiple other outlets covered news related to the Homeland Security Department’s unveiling of a new system of guidance intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The annual CWE (Common Weakness Evaluation)/SANS Top 25 Most Dangerous Software Errors list covers the most significant threats faced by software makers and IT organizations, while providing advice on how to protect against the vulnerabilities. While the top threats included SQL injection and cross-site scripting, the entry coming in at Number 7 is particularly relevant to Cyber-Ark and our customers: Use of Hard-coded Credentials. You’ll recall that the Stuxnet worm used hard-coded credentials in order to spread.

LulzSec says farewell – This week LulzSec wasn’t in the news for its attacks; instead, it released a message saying it had “completed its 50-day goal of reviving the AntiSec (anti-security) hacker movement, which aimed to disrupt government and corporations by breaking their network security.” The group hopes others will take up its “good cause,” and the security industry will be kept guessing about where its members will pop up next.

Citigroup’s losses keep climbing – Approximately 3,400 Citigroup credit card customers suffered a loss of $2.7 million during a security breach earlier this year, according to a Wall Street Journal report. The company maintains that data used to commit fraud, such as Social Security numbers, card security codes and dates of birth, was not compromised. Citigroup has instituted fraud monitoring on the accounts and replaced 217,657 cards for customers so far.

That wraps up this week’s rewind. What other CWE/SANS Top 25 errors is your organization most focused on?

IT Security Rewind – Week of June 13

Another week and yet another high-profile data breach with potentially disastrous implications. Already, this attack has forced one of the officials involved with the organization to refer to the exposed data as “political dynamite.” Let’s dig into this breach and the rest of this week’s headlines in our IT Security Rewind:

IMF—Stable but not secure: The biggest news item of the week actually originated over the weekend, when word first broke that the International Monetary Fund—an organization of 187 countries committed to ensuring the stability of the international monetary and financial system—was the target of a sophisticated computer security attack. While details on the culprits and severity of the attack are still only trickling out, Government Computer News reports that the hack may have been carried out by a foreign government. The coordinated attack, which resulted in the loss of a “large quantity of data” relating to “sensitive country financial information,” was likely initiated by an old-school spear-phishing attack, but is there more to the story? Typically, spear phishing and similar tactics are simply the door hackers use to enter an organization—once inside, they use and exploit elevated privileges to reach their destination and the troves of sensitive data stored across systems.

Not Summer in the Citi: Last week’s massive Citigroup data breach continued to attract headlines. While the bank divulged that the attack affected 360,000 credit card customers, according to the Financial Times, U.S. officials are demanding more details regarding the extent of the breach and its potential for recurrence. The article also suggests that the breach not only calls into question the relative lack of regulation in place to protect consumer data, but also the security of online banking websites. In this instance, attackers may have been able to leverage flaws in the website’s programming language or the way it is administered.

Data Breach Notification—The Law is Taking a Stand: As this eWeek article points out, the United States Congress continues to push for new data breach legislation. This time, Congressmen have filed legislation that would require companies to notify customers when a data breach has occurred within 48 hours following the completion of an incident assessment. However, other Congressmen have expressed skepticism over this pending legislation—will this law just result in stalling tactics? What’s your take—would this law have a positive impact on the industry? Is there a better alternative?

That’s it for this week’s Rewind. As always, your comments are encouraged!

IT Security Rewind: Week of June 6

Security breaches, server attacks, data loss. No matter what headline, as you’ll see in this week’s IT Security Rewind post, it appears that hackers continue to follow similar patterns of infiltration and escalation.

Bank + Data Breach = Bad Combination: Banking organizations continue to be increasingly susceptible to data breaches. This week the latest victim was Citi Bank. Initial estimates have found that 200,000 customers are already affected. Despite the size of the breach, there is still no confirmation of the actual attack vector that was used to obtain access, but if you are a betting man (or woman), elevated privileges would be a safe bet.

Stuxnet—Plenty of Holes in This Story. The opening line to this ThreatPost article says it all—“The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.”

In the piece, Langner proceeds to claim that the media paid too much attention to the zero-day Windows vulnerabilities that enabled the worm, but overlooked the other security holes that were exposed and utilized. One of those vulnerabilities that still exists is a hard-coded password in Siemens WinCC. If uncovered and exploited, as has all too commonly become the case, this vulnerability can provide an attacker with unfettered access to a system’s network.

Insiders as a First Line of Defense: An interesting study out of the Ponemon Institute found that three quarters of UK organizations have suffered data loss in the past year. While these numbers include data that was compromised due to network attacks or lost due to stolen equipment, the study does shed light on the lack of enterprise-wide employee awareness of data security best practices. According to the report, 53% of UK respondents surveyed believe their employees have little or no awareness of data security, compliance and policies. This data highlights a greater need for data protection strategies to include an emphasis on user awareness, “as people are often the first line of defense.”

What other security headlines do you think are worth highlighting this week?

IT Security Rewind: Week of May 23

What a deal: free backdoors with every product! Bank of America is stung by an insider! Plus, cyber crime hits the small screen. These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:

Wireless router, backdoor included: ThreatPost covers an “oops” by Allied Telesis, a Japan-based maker of switches, routers and other networking devices, which posted an alleged internal customer support document online that was written to answer questions like “How do I obtain a backdoor password for my Allied Telesis device?” and includes instructions on accessing a “built in Backdoor function” on any Allied Telesis device. Why is this a big deal? ThreatPost says it best: backdoor administrative accounts and functions are a dirty secret of the hardware industry. Based on the headlines we’ve seen, this dirty little secret is hackers’ pay dirt.

Cost of a data breach = $10 million: IDG News Service has been tracking the Bank of America breach that was first reported by the Los Angeles Times this week. According to reports, a Bank of America insider who sold customer data to criminals cost the bank at least $10 million (US) in losses. While only minimal details of the breach are being released by law enforcement at this time, the efforts to leverage customers’ personal information have been successful in many cases, with one victim reporting that his checking accounts had been rapidly drained of more than $20,000.

Cybercrime – the movie: Got some down time this weekend? Hopefully you had your DVR set for CNBC’s documentary “Code Wars: America’s Cyber Threat,” which originally aired on May 26. The show investigated the prevalence of global cyber threats, with correspondent Melissa Lee conducting multiple interviews, including traveling to profile the leader of a group of Chinese hackers and visiting Estonia, a nation whose banking system was taken down for days by hackers. The New York Daily News says, “‘Code Wars’ aims to scare us about bad guys with computers the same way ‘Jaws’ aimed to scare us about large angry fish.” Missed it? The program will run again on Sunday, May 29 at 10 p.m. ET.

What other security headlines do you think are worth highlighting?

IT Security Rewind: Week of May 16

A talk about a Siemens SCADA hack gets pulled, Dropbox gets caught lying and could there be hackers in space? These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:

Liar, liar, files aren’t encrypted: The FTC has filed a complaint that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.” According to WIRED, the FTC provides evidence that Dropbox employees could view customer data and files. This puts users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits. While Dropbox defends its claim that employees couldn’t access files due to company policies, it looks like they are in some hot water with the FTC.

Hacker in space: This week Threatpost reported that a Romanian hacker, who uses the handle “Tinkode,” has published a screen capture from what he claims is an FTP server at NASA’s Goddard Center. NASA, no stranger to security issues, has been criticized for its lackluster policies on cyber security. They can now add this FTP server to their list of weaknesses. Interestingly enough, this wasn’t “Tinkode’s” first time in space; in April he published the names and e-mail addresses of European Space Agency employees after compromising a server operated by that agency.

The White House focuses on the Utility Industry: While most of last week’s proposed Cybersecurity Legislation focuses on better reporting practices, one area of specific interest is the potential impact on the utility industry. For an industry that is continuously looking for guidance on how to protect itself, this proposal offers utility executives some things to consider and clear ramifications for those who don’t take action.

U.S. cybersecurity and Siemens representatives cancel SCADA talk: Attendees at the TakeDown Conference in Dallas may have left disappointed as a scheduled talk on the security vulnerabilities in Siemens industrial control systems was canceled. ComputerWorld’s Rob MacMillan explained, “It is common for security researchers to talk about security bugs once the software in question has been patched. But if the vendor can’t get the issue fixed in time that can create problems for security researchers, who may be expecting to talk about the issue at a hacker conference.”

What other security headlines do you think are worth highlighting?
