Fork It Over

Here's why it is bad to have a branch near a construction site: An unattended forklift can very easily become an ATM removal device.

Such a situation unfolded last week at Research Triangle Park near Raleigh, the Associated Press reported on Saturday. At about 4 a.m., thieves used a forklift stolen from a nearby construction site to remove an ATM that belonged to RTP Federal Credit Union.

At the time the article ran, suspects in the ATM theft had not been identified. The credit union is offering a $5,000 reward for information leading to the machine's recovery, the article said, and both the Durham County Sheriff's Office and the Federal Bureau of Investigation are involved.

Check Payment

Certegy Check Services Inc. has agreed to a settlement regarding a data breach it disclosed in 2007.

Under an agreement with Florida Attorney General Bill McCollum, Certegy, a unit of Fidelity National Information Services Inc., said it would pay $850,000 to cover the costs of the state's investigation, contribute $125,000 to McCollum's Seniors vs. Crime Program and commit itself to observing certain security safeguards and assessments, the Tampa Bay Business Journal reported Monday.

In 2007, Certegy disclosed that a former employee had stolen 2.3 million customer account numbers. According to court filings, the employee, William Sullivan, established a company to sell the stolen information to marketing firms. Sullivan has since been convicted of fraud and is serving a 57-month federal prison sentence.

Misplaced Trust

Albert Gonzalez received a hefty, 20-year prison sentence for masterminding the TJX Cos. Inc. breach, among others, but he did not act alone; last week, the last of his U.S.-based accomplices was sentenced to five years in prison.

Damon Patrick Toey was described by prosecutors as the "trusted subordinate" of Gonzalez, but when arrested, "he provided information that investigators say likely helped persuade Gonzalez to plead guilty last year to what prosecutors are calling the most serious and largest identity-theft crimes ever prosecuted," according to Wired.com's "Threat Level" blog on April 15.

In addition to the prison sentence, Toey, 25, was fined $100,000 and given three years' supervised release — though he could have received a 22-year prison sentence, the article said. Prosecutors, citing Toey's cooperation after his arrest, had sought a six-year sentence.

From 2003 to 2006, Toey worked for Gonzalez as "a vendor and a mule," Wired.com wrote — he did not commit the hacks, but he sold stolen card data and withdrew cash from compromised accounts. In 2007, he moved to Florida to live in Gonzalez' condo and take a more active role in the hacks by testing corporate networks for vulnerabilities. Toey was arrested in 2008.

Password Protection

Google Inc.'s password system, Gaia, was targeted by hackers in December, affecting millions of users of the company's Web services, The New York Times reported Tuesday.

The Gaia system, which the Times said has only once been discussed publicly, allows users to sign on once in order to gain access to multiple services (it is also called Single Sign-On). The breach did not affect users of Google's webmail service, Gmail.

The breach began last year when a Google employee in China clicked on a malicious link sent over Microsoft Corp.'s Messenger program, an anonymous source told the Times.

By clicking on the link, the employee inadvertently granted access to his or her computer and, ultimately, sensitive software at Google's headquarters.

Security experts told the Times that Google's fast response to the attack probably prevented the attackers from doing long-term damage to Google's systems, such as installing their own access points into Google's data systems.

But any system compromise of this nature could make individuals and companies cautious about using Google's online services, the article said. "Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as 'cloud' computing, a single breach can lead to disastrous losses," the Times wrote.

Though Google disclosed in January that it had been targeted by hackers — and famously changed its policy for doing business in China thereafter — it was not explicit then about what information had been compromised, the article said. Google executives declined to comment for the Times article, but the paper noted that Google has been relatively open in its discussion of the breach, particularly considering that many companies that suffer a breach try not to go public about it.

Zeal on Trial

Is being too protective of passwords against the law? Terry Childs, the network administrator accused of holding San Francisco's municipal computer systems hostage in 2008, said his mistake was guarding the city's passwords too closely.

After a nearly six-month trial, jurors began deliberations Tuesday, and Childs faces up to five years in prison if convicted, according to an article Computerworld ran Tuesday.

For 12 days in July 2008, Childs refused to give the city's network passwords to anyone, but his attorney said this refusal was originally, from Childs' point of view, all part of his job as a security professional.

"In court Monday, Childs' attorney, Richard Shikman, argued that his client is a security-conscious professional who simply balked during a stressful situation," the article said. "Childs did not believe the other people in the room and those who were conferenced in via speakerphone were authorized to have access to the passwords."

If this is true and Childs believed he was only doing his job, then under California law, he would not be guilty, the article said. Also at issue is whether any disruption was caused by Childs' actions, since the city's network kept running even when administrators were locked out. Childs eventually gave the passwords to San Francisco's mayor, Gavin Newsom.

San Francisco Assistant District Attorney Conrad Del Rosario disagreed with the defense's portrayal of the conflict.

"This was nothing more than his attempt to become an indispensable employee," Del Rosario said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.