Monthly Archives: August 2007

I’m surprised it didn’t happen earlier. A California law firm (I would have won the bet that it would be in California) filed a class-action lawsuit on behalf of eight and a half million customers who were "damaged" by a data breach. The contention is that Fidelity National Information Services and a subsidiary company did not take adequate measures to protect customer information, according to .

Unlike other recent attacks, this one was from within; a former employee reportedly "carried" the data out the door on portable media.

The original estimate was that the breach involved credit card, bank account, and other personal information for 2.3 million customers, but that was later increased to 8.5 million.

This is expected to be the first of many such cases involving large scale data breaches of consumers.

There’s plenty of blame to go around here, but my guess is that someone at Monster.com is looking for a job today. Estimates have it that more than 1.25 million Monster.com users have had their personal information stolen. Most of those people were here in the United States. Monster.com was pretty slow to disclose the breach and didn’t even seem to know about it until they were contacted by Symantec.

It started with hackers breaking into the site. The attack originated from compromised web servers in Ukraine, along with a network of compromised PCs controlled by the attackers. According to Reuters,

"Hackers broke into the U.S. online recruitment site’s password-protected resume library using credentials that Monster Worldwide Inc said were stolen from its clients, in one of the biggest Internet security breaches in recent memory."

Of course, "biggest" is a matter of perspective. I’m sure that Harry Potter disagrees. I bring up Harry Potter because the two incidents have a common thread: Email Socially Engineered Attack (eSEA). Symantec has some examples of these emails .

The emails contained enough personal information and employment promises that many fell for it. Users who clicked on the link in the emails were infected with a Trojan dubbed Infostealer.Monstres.

There are recurring lessons to be learned here. I’m not quick to call it "blame". For sure, that will be assessed in the lawsuits that will follow from this. But as I see it, the contributing factors here are:

  • the breached servers in Ukraine
  • the compromised PCs that formed the attack network
  • the users that clicked on the link (and any that shared personal information via an email)
  • Monster.com for not releasing this information sooner.

It’s laughable. It is so cliche to blame Microsoft for anything and everything. Frankly, I’m surprised I haven’t seen someone blaming Uncle Bill for the price of gas. Last week, when the Skype service was unavailable, Microsoft was positioned as the cause. In a storm of irony, the contention was that when MS released the patches for August, so many PCs got rebooted that it amounted to a denial of service against Skype.

Well, MS defended itself by publicly spelling out the steps they took to look into the issue ("What changed?"). Skype did some backpedaling and said they found the problem: a bug in their code. Why this is just happening now is a good question. After all, MS patches every month.

OSG Online says: patch anyway.