Archive for the Category: Database Security

Bloomberg chief apologizes for data snooping
Wednesday, May 15th, 2013

The editor-in-chief of Bloomberg News said Monday that reporters working for the company’s news division should never have been allowed to access otherwise restricted client data.

Allegations surfaced last week that Bloomberg reporters have long enjoyed access to some client data via the company’s ubiquitous financial data terminals. The practice was largely unknown outside Bloomberg, and presumably gave the company’s reporters an advantage over competitors.


A Denver-based domain name provider has suffered a breach where customers’ personal data, including encrypted passwords and credit card information, was compromised.

On Wednesday, Name.com notified customers by email about the incident. The company said the breach appeared to be an attempt by an intruder to “gain information on a single, large commercial account at Name.com,” though an undisclosed number of customers were impacted in the process.

A Name.com customer posted the email on a community forum called MyBB on Wednesday.

“Name.com recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals,” the email said. The company added that it stores customer credit card data using a “strong encryption” method and that the private keys required to access the information are stored “physically in a separate remote location that was not compromised.”


Eight suspects have been charged in New York for their alleged roles in a global cybercrime ring that authorities say involved the theft of more than $45 million from financial institutions in two cyber heists.

The international gang hacked into the computers of bank card processors to steal prepaid debit card data, erase withdrawal limits on the cards and then pass the information to cashers or mules to siphon the money from ATMs around the world.

The gang first struck December 22 when hackers targeted a credit card processor that handled transactions for prepaid MasterCard debit cards issued to customers of the National Bank of Ras Al-Khaimah PSC, or RAKBANK, in the United Arab Emirates. They handed off the stolen card data to cashers in 20 countries who withdrew $5 million in cash in more than 4,500 ATM withdrawals.


Database Security: It’s More Than Meets the Eye
Sunday, May 12th, 2013

Having a safe doesn’t do much good if it is left open. Yet the safe where organizations house their data is sometimes left just as unsecured.

Last year for example, it was revealed that a university system upgrade at the University of North Carolina-Charlotte exposed data on the university’s H: drive on the Internet between Nov. 9, 2011, and Jan. 31, 2012. The news got worse for the university when it was discovered that misconfigured access settings also exposed sensitive data from the school’s College of Engineering from 1997 to February 2012.

“DBAs [database administrators] don’t have time for security – they spend less than five percent of their time on it,” said Forrester Research analyst Noel Yuhanna. “Most enterprises are dealing with data explosion that’s creating performance issues and availability concerns, which is where most of their time and effort goes. In a survey we did last year, performance was the top concern.”



10 Reasons SQL Injection Still Works
Thursday, May 9th, 2013

seeking to break into corporate databases.

“SQL injection is still out there for one simple reason: It works!” says Tim Erlin, director of IT security and risk strategy for Tripwire. “As long as there are so many vulnerable Web applications with databases full of monetizable information behind them, SQL injection attacks will continue.”

Even though some recent data from WhiteHat showed that SQL injection attacks dropped out of the top 10 most prevalent Web attacks in 2012, other data from Veracode saw SQLi attacks holding steady last year. And the consensus among development, security, and IT consulting experts is that these attacks continue to expose enterprise databases on a daily basis.


Prioritizing Your Database Security Patches
Thursday, April 25th, 2013

Prioritizing patches is tricky enough when organizations are not thinking about the downtime that can result from taking down a production database. When that comes into play, however, the patching process can slow down — so much so that databases can be months behind in critical updates.

Solving this issue, in part, means properly prioritizing what vulnerabilities need to be fixed — a process that starts with the relevance of a particular patch to the organization and its severity. For example, notes Imperva CTO Amichai Shulman, a vulnerability in a package that is not deployed on the database does not justify patching. Neither necessarily does a vulnerability that can be mitigated by shutting down a service that is unneeded for a specific organization.


Some consolidation in the world of open source database startups: SkySQL, a provider of open source database solutions, is merging with Monty Program Ab, the creators of MariaDB, an open source database technology that is used by Facebook, Twitter, Wikipedia and other services. The merger is also a reunion of sorts: both companies employ key people from MySQL, the database company that was bought by Sun in 2008, and in turn became a part of Oracle. Monty Program was founded and led by Michael “Monty” Widenius, the founder of MySQL.

Financial terms of the deal were not disclosed; the merger is expected to complete in four months.

As part of the deal, SkySQL says it will dedicate more resources to MariaDB to make it more interoperable with both NoSQL and SQL database systems, and it will also see SkySQL develop new solutions that allow users of MySQL and MariaDB databases “to manage their data effectively in the enterprise and cloud.” SkySQL says that MariaDB currently sees some 500,000 user downloads per year, not counting community Linux distributions.


A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney’s office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.


Verizon data breach report: State-sponsored attacks surge
Wednesday, April 24th, 2013

An annual survey by Verizon’s security unit found that 19 percent of data breach attacks were connected to state-sponsored organizations, a sign that corporate espionage may be ramping up.

The data breach investigations report (DBIR) is based on 19 global companies, their attacks, forensics and reporting agencies. Overall, the report features 47,000 reported security incidents and 621 confirmed data breaches. Over nine years, the DBIR has documented 1.1 billion compromised records and 2,500 data breaches.

Regarding state-sponsored attacks, Mark Spitler, a senior security analyst at Verizon, said that the report “found quite a few” state-sponsored attacks. Verizon determined that attacks were state-sponsored based on known tactics, indicators of what was being examined and malware signatures. Cooperation and data sharing among participants also put the spotlight on state-sponsored attacks.
