This week in colossally massive online mayhem

*The bigger they are, the harder they fall. via SANS

TOP OF THE NEWS
–Some Customer Data Permanently Destroyed in Amazon Cloud Crash (((ow!)))
(April 28, 2011)
The crash of Amazon's cloud services not only inconvenienced its
customers because of web site inaccessibility, but in some cases, data
were permanently destroyed. A thorough explanation of the crash has not
yet been offered. Two businesses that use Amazon's cloud services
managed to continue running undisrupted during the crash because they
had taken measures themselves to protect themselves from such an
incident.
http://technolog.msnbc.msn.com/_news/2011/04/28/6549775-amazons-cloud-crash-destroyed-many-customers-data
http://www.informationweek.com/news/cloud-computing/infrastructure/229402385
[Editor's Note (Ranum): You can put your data in the cloud - it's
getting it back that's the hard part.
(Schultz): Amazon has an excellent reputation as a cloud service
provider; I am baffled by what happened. At the same time, there is a
huge lesson to be learned here – never, never completely rely on a cloud
provider for anything – always have a plan B, as the two businesses
mentioned in this story so nicely illustrate.]

(((Well, that's what you get for building a "platform" on a "cloud"... Do "clouds" have to "crash," metaphorically speaking? Can't they have, like, "tornadoes" or something?)))

THE REST OF THE WEEK'S NEWS
–Sony Admits Data Were Stolen in PSN Breach; Lawsuits Filed
(April 28, 2011)
Sony says that the credit card information stolen in a security breach
of its PlayStation network (PSN) was encrypted. Other information,
including names and associated email addresses, was not encrypted. Sony
took the PSN down on Friday, April 22, three days after discovering the
intrusion, but did not acknowledge that user data were stolen until the
evening of Tuesday, April 26. As many as 77 million customers may be
affected by the breach. Lawsuits have been filed against Sony over the
situation.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10768
http://www.pcmag.com/article2/0,2817,2384561,00.asp
http://www.informationweek.com/news/security/attacks/229402362
http://www.bbc.co.uk/news/technology-13192359
http://www.bloomberg.com/news/2011-04-28/sony-faces-lawsuit-regulators-scrutiny-over-playstation-user-data-breach.html
http://www.scmagazineus.com/sony-confirms-playstation-network-cards-were-encrypted/article/201655/
[Editor's Note (Pescatore): The credit card information may have been
encrypted, but there were quotes that a Sony admin password had been
compromised - were the data encryption keys compromised, as well?
(Honan): There are reports, yet to be confirmed, that up to 2.2 million
credit cards have actually been compromised despite Sony's claims.
http://www.siliconrepublic.com/digital-life/item/21595-psn-hackers-took-2-2/
http://bits.blogs.nytimes.com/2011/04/28/hackers-claim-to-have-playstation-users-card-data/]

(((Well, at least nobody's blaming the Chinese this week... Whoops! Spoke too soon!)))

–FBI Warns of Fraudulent Wire Transfers to China
(April 26 & 27, 2011)
The FBI has issued a fraud alert warning of unauthorized wire transfers
to China. Between March 2010 and April 2011, the FBI noted 20 incidents
of fraudulent wire transfers ranging from US $50,000 to US $985,000. In
all, cyber thieves have stolen US $20 million from US businesses using
these fraudulent wire transfers. The money has been sent to companies
in China near the Russian border. Online banking credentials were stolen
to conduct the fraudulent transactions. The FBI recommends that banks
alert business customers of suspicious wire transfers going to any of
the cities on a list specified in the alert and that all transfers to
those locations be carefully scrutinized.
http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/
http://www.informationweek.com/articles/229402300
http://www.scmagazineus.com/fbi-warns-of-millions-lost-in-fraudulent-transfers-to-china/article/201573/
http://www.v3.co.uk/v3-uk/news/2046033/fbi-warns-phishing-funds-flowing-china
http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf