December 2009


In the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time the below two script tags were injected:

These same two scripts were also used in the October Fox Sports web site compromise incident. The akcworld.com and nt002.cn domains are widely known to host malicious content and are frequently used as part of the campaign. At approximately 9:50pm I checked the Fox Sports web site to verify whether the page was still infected. It was not. I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.

[Screenshot: page information for the Fox Sports page showing the 9:39pm EST modification time]

The Fox Sports administrators moved very quickly this time to rectify the site, compared to the October incident, which took nearly two weeks to address. However, this situation obviously raises the question of how the Fox Sports web site keeps being compromised. I can think of several possibilities that would explain how this could occur:

1) The hackers installed a backdoor that they continue to use for access.
2) The hackers continue to use compromised credentials for the web site.
3) A vulnerability exists in the web site that has not been remediated.
4) Fox Sports administrators restored an older version of the page that included the malicious code from the October hack.

We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.
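One way a site operator could catch an injection like the ones described above is to scan the served HTML for script and iframe tags that load from hosts outside an allowlist, or for iframes sized to be invisible. This is an added example, not code from the original post; the allowlist and the sample HTML are constructed, and the two domains named above appear in it only as sample values.

```python
"""Flag injected <iframe>/<script> tags in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the page is expected to load scripts and frames from (assumption).
ALLOWED_HOSTS = {"msn.foxsports.com", "foxsports.com"}


def src_host(src):
    """Return the host of an absolute or scheme-relative URL, None for same-origin paths."""
    if src.startswith("//"):
        src = "http:" + src
    parsed = urlparse(src)
    return parsed.hostname if parsed.scheme in ("http", "https") else None


class InjectedTagFinder(HTMLParser):
    """Collect script/iframe tags whose src points at a non-allowlisted host,
    plus iframes with a 0 or 1 pixel dimension (a common hidden-iframe pattern)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = src_host(src)
        if host and host not in ALLOWED_HOSTS:
            self.findings.append((tag, host, "external host"))
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            self.findings.append((tag, host, "hidden iframe"))


def find_injected_tags(html):
    """Parse the HTML and return a list of (tag, host, reason) findings."""
    parser = InjectedTagFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate script plus two injected tags.
SAMPLE_HTML = """<html><body>
<script src="/js/fantasy.js"></script>
<iframe src="http://nt002.cn/placeholder" width="0" height="0"></iframe>
<script src="http://akcworld.com/placeholder.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_tags(SAMPLE_HTML):
        print(finding)
```

Running this against a copy of the page fetched on a schedule, and alerting on any non-empty result, would have flagged both the October and December injections within minutes rather than days.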

Recently the Wake County Public School System, in Raleigh, North Carolina, sent out about 15,000 post cards to the parents of students. These post cards contained information for parents on how to indicate their intentions for school attendance in the next school year. And about one third of these post cards contained something else…the social security number of the student. My children attend school in Wake County and also received one of these post cards. Luckily, we were in the two thirds that did not have the social security number displayed on the post card. Below is a photo of an actual card that was sent out. The number circled in red was an actual social security number on those cards that were affected by the leak.

[Photo: one of the mailed post cards, with the social security number circled in red]

As troubling as this mistake was, what is even more troubling is the lack of recourse for affected students and parents.  North Carolina, like most states, has a data breach notification law which I have written about previously.  This law specifically prohibits sending post cards that contain personal information such as social security numbers.  See the relevant section of the law below:

Except as provided in subsections (c) and (d) of this section, no agency of the State or its political subdivisions, or any agent or employee of a government agency, shall do any of the following:

(9) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law required that the social security number be on the document to be mailed. A social security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

Like most state breach notification laws, the North Carolina law requires incidents such as this to be reported and for those affected to be contacted. To their credit, the Wake County Public School System did disclose the error and has agreed to provide one year of free credit monitoring for affected families. But they are not required to do so. According to the statute, “No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.” Proving injury is next to impossible, as there usually is no way to demonstrate the source of identity theft or credit fraud. Moreover, these SSNs could be stored for years before being used fraudulently. Affected students will need to monitor their credit closely for many years to come. And if they do end up being victimized by this egregious mistake, they have little legal recourse.

North Carolina’s breach notification law is similar to most states’ in that it requires businesses and other organizations to disclose breaches of personally identifiable information (PII). And as with most other state laws of this type, penalties for violation are not very strong. North Carolina’s law is one of the few that actually does allow an individual to sue in the event that injury is caused by the breach. In actuality, though, it is highly unlikely that any business will have to pay for injuries resulting from disclosure of PII. Congress is currently debating a that would apply to all U.S. businesses. This is a step in the right direction and guarantees that any U.S. citizen whose PII has been disclosed will be notified. But penalties for violation are still weak, and until businesses are faced with financial penalties, disclosures will continue to be a problem.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved