BreachExchange mailing list archives

Re: usajobs.gov Compromised (due to Monster)


From: Catalin Ghercoias <catalin.ghercoias () gmail com>
Date: Tue, 17 Feb 2009 22:01:30 -0500

I apologize upfront for being blunt, but I've been reading these emails for
quite some time yet I have to see some action taken.
I have not heard or seen major action lawsuits or any other type of action
taken against the real people who are to be blamed for all these issues.
You know who I am talking about -- I am referring to all those incompetent
IT directors, sloppy IT Managers, good for nothing IT Operations
Managers/Directors, CIO/CTO politicians and last but not least system
administrators, programmers, coders, etc. who do not care about the security
of their applications. I am talking about those who decided at some point in
time not to encrypt the customer data, not to secure communications with
their credit processor/bank, not to establish site to site or point to point
connections with their most sensitive sites and offices that carry sensitive
and confidential data, not to obey HIPAA, PCI, SOX, etcetera or ... you fill
in the blanks here......

These days there are so many solutions (free or not free) to secure and
encrypt the data to protect it from attackers -- be it inside or outside --
to block access to people that do not have a need to access sensitive data
or simply block a freakin' USB port, that I don't even need to mention here.


I would like to hear and see some names made public and some action taken
against those people and I'm sure there are others as well that would like
to see this.

I am saying this because I believe there are still smart people on this list
and elsewhere who can take charge and get things straight in this country.

I don't want to blame those people who do their jobs right, just I really
don't believe that these companies that got hacked recently and in the past
(like TJX) have changed anything in their systems (or very little) and the
same directors and managers are still in place getting big bonuses and
enjoying their vacation houses and boats, while average Joe and Jane has to
fight to clean his/her credit report because some hacker stole his identity
and they lost pretty much all they've had.

Let's get some justice done here people!
-- 
Regards,
___________________________
Catalin Ghercoias,
catalin.ghercoias () gmail com


On Tue, Feb 17, 2009 at 8:08 PM, security curmudgeon
<jericho () attrition org> wrote:


http://www.usajobs.gov/securityNotice.asp

Attention USAJOBS Users
As is the case with many companies that maintain large databases of
information, our technology provider (Monster), often is the target of
illegal attempts to access and extract information from its database. We
recently learned that the Monster database was illegally accessed and
certain contact and account data were taken, including user IDs and
passwords, email addresses, names, phone numbers, and some basic
demographic data. The information accessed does not include resumes. The
accessed information does not include - sensitive data such as social
security numbers or personal financial data.

As a further precaution, we want to remind you that an email address could
be used to target "phishing" emails. USAJOBS will never send an
unsolicited email asking you to confirm your username and password, nor
will Monster ask you to download any software, "tool" or "access
agreement" in order to use your USAJOBS account.

In order to help assure the security of your information, you may soon be
required to change your USAJOBS password upon logging onto the site.
Please follow the instructions on the site. We would also recommend you
proactively change your password yourself as an added precaution. We
regret any inconvenience this may cause you, but feel it is important that
you take these preventative measures.

We continue to devote significant resources to ensure USAJOBS (Monster)
has security controls in place to protect our infrastructure and
stakeholders information. We hope that these efforts are helpful, and
continue to allow users to defend themselves against similar attacks.

Mary Volz-Peacock
Program Director
USAJOBS
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data
encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks
transparently
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss

