Thursday, March 29, 2007

Well, it's official. TJX is a name that will live in infamy, at least in IT Security circles, and until the next “largest ever”.

http://www.boston.com/business/globe/articles/2007/03/29/breach_of_data_at_tjx_is_called_the_biggest_ever/

Breach of data at TJX is called the biggest ever

Stolen numbers put at 45.7 million

By Jenn Abelson, Globe Staff March 29, 2007

At least 45.7 million credit and debit card numbers were stolen [I didn't see this in the SEC filing. Bob] by hackers who accessed the computer systems at the TJX Cos. at its headquarters in Framingham and in the United Kingdom over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

While details are still sketchy, TJX said unauthorized software placed on its computer systems stole at least 100 files [I didn't see this in the SEC filing. Bob] containing data on millions of accounts from systems that process and store transaction information in Framingham and Watford, United Kingdom. Moreover, TJX believes the hackers last year had the capability to steal payment card data from its Framingham system as transactions were being approved.[I didn't see this in the SEC filing. Bob] Even the files TJX tried to protect through encryption may have been compromised because the company believes the hackers had access to the decryption tool. [I didn't see this in the SEC filing. Bob]

"It's the biggest card heist ever," said Avivah Litan of technology consulting firm Gartner Inc. "It's done considerable damage."

TJX, the discounter that operates the T.J. Maxx and Marshalls chains, also said in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.

The filing provided the first detailed accounting on the breach since TJX publicly disclosed the problem in mid-January. TJX spokeswoman Sherry Lang said about 75 percent [75% unusable? That leaves 25% or 11.4 million... Bob] of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers. But the true extent of the damage likely will never be known, Lang said, because of the methods used by the intruder and file deletions by TJX done in the normal course of business.

... The security breach has already cost the retailer $5 million for the investigation and new computer security, among other efforts, but TJX said it cannot yet estimate total losses. This case represents one of the most aggressive and widespread data security breaches ever, according to several security specialists. The Federal Trade Commission has struck more than a dozen settlements with businesses following data security breaches.

"These guys perpetrated a perfect crime," Ken Steinberg, chief executive of Savant Protection Inc., a Nashua maker of security software, said of the TJX case. "This is what scares the living daylights out of everybody. And this one won't be the last."


[Full 10K: http://ir.10kwizard.com/contents.php?ipage=4772887&repo=tenk&source=487]

[Discussion of intrusion follows: http://ir.10kwizard.com/filing.php?repo=tenk&ipage=4772887&doc=1&num=7&total=123&source=487]

We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions [Does that qualify as a “financial system” under Sarbanes-Oxley? Bob] that we believe resulted in the theft of customer data.

... Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. [Trojan horse? Rootkit? Bob] We immediately initiated an investigation, and the next day, [“We knew we were in big trouble... Bob] General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems.

... On December 22, 2006, we notified law enforcement officials [Actually quite timely... Bob] of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them.

... With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen [What was the basis for contacting law enforcement before that? Bob] from our computer systems in the Computer Intrusion.

... On January 13, 2007, we determined that additional customer information had apparently been stolen from our computer systems.

On January 17, 2007, we publicly announced the Computer Intrusion and thereafter we expanded our forensic investigation of the Computer Intrusion.

On February 18, 2007, in the course of our ongoing investigation, we found evidence that the Computer Intrusion may have been initiated earlier than previously reported and that additional customer information potentially had been stolen. On February 21, 2007, we publicly announced additional findings on the timing and scope of the Computer Intrusion.

Timing of Computer Intrusion. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after December 18, 2006.



Two points: 1) I'm amazed people still use floppy disks and 2) It is probably more secure because many computers (particularly laptops) don't come with floppy drives any more...

http://mdn.mainichi-msn.co.jp/national/news/20070329p2a00m0na013000c.html

Printing firm loses personal data of successful university applicants

A floppy disc containing names and other private information of 972 people who passed entrance examinations for Waseda University's commerce faculty has been lost, it has emerged.

Waseda University had employed a Tokyo-based company to print and send letters to the 972 examinees notifying them of their successful results.

The company later told officials of the university that it had lost a floppy disc containing the names, addresses, and examinee numbers of the 972 people.

"We don't know where it is now," an official of the company was quoted as telling the university.



There must be more here than meets the eye...

http://www.wyff4.com/news/11422275/detail.html

Senator Involved In Computer Case Fires Back

School District Alleges Senator Took Advantage Of Situation

POSTED: 3:34 pm EDT March 28, 2007 UPDATED: 6:04 am EDT March 29, 2007

GREENVILLE, S.C. -- The Greenville County School District alleges that a South Carolina senator misused his office when he didn't tell the district about school computers that were auctioned off while they still contained personal information.


The district said that Sen. David Thomas took advantage of his elected office and used the situation for his own personal gain.

Wednesday, Thomas denied those claims, and said that he was acting as a public servant, trying to protect students.

WYFF News 4 first learned about the computer in question last year when Kenneth Holbert and Scott Mann claimed they bought school computers and found thousands of private student records.

Thomas later showed News 4 those computers in his Greenville office.

The school district sued Hobert and Mann to get the data back. The men then filed a counter-suit against the district.

Hobert and Mann said that they would settle for an apology and reimbursement for their costs.

On Tuesday, the district rejected that offer to settle, and in their response, made the allegations against Thomas that he used the situation for his personal gain.

There are some things everyone involved has publicly admitted: the computer was owned by the district and it does contain confidential information about thousands of Greenville County students.

But now in question is the motivation of the two men who bought the computer, and why Thomas is involved.

WYFF News 4's Gordon Dill spoke with Thomas in Columbia.

Thomas said, "... They then came to me because they knew I was an attorney and I had a lot of interest in the issue of identity theft"

... The district also said that Thomas misused his position as state senator. Specifically, they said that while he was holding the information, he introduced an identity theft bill in the Senate.




No one likes anonymity...

http://www.pogowasright.org/article.php?story=20070329071506511

JP: Police call on Internet cafes to record users' data to fight cyber crime

Thursday, March 29 2007 @ 07:15 AM CDT - Contributed by: PrivacyNews - Non-U.S. News

A National Police Agency (NPA) cyber security committee is calling for Internet cafes in Japan to check the identity of users and introduce methods to eliminate password-stealing software on computers to fight illegal computer access.

The calls from the NPA's general security measures council follow a police report showing that as of the end of May last year, 139 out of 277 cases in which police failed to apprehend people for illegal computer access involved computers at Internet cafes.

Source - Mainichi Daily News



Legislate first, consider the facts later?

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/03/28/BAGBMOT2ON1.DTL

Inmate GPS tags approved by panel

Minimum-security prisoners would wear the devices

Matthew Yi, Chronicle Sacramento Bureau Wednesday, March 28, 2007

(03-28) 04:00 PDT Sacramento -- After an emotional plea from the mother of a slain San Francisco police officer, an Assembly committee unanimously approved a bill on Tuesday that would require inmates in minimum-security facilities to wear GPS tracking devices.

Officer Bryan Tuvera, 28, was allegedly gunned down by Marlon Ruff after a foot chase in San Francisco's Sunset District on Dec. 22.

... That confrontation occurred 22 months after Ruff walked away from the Eel River Conservation Camp in Redway (Humboldt County).

Ruff was eligible for the minimum-security program after the Department of Corrections deemed him nonviolent despite his conviction for punching an armored car guard and stealing $4,600 in 2003. He was on parole for a gun conviction at the time of that robbery.

More than a dozen inmates walk away from facilities like Eel River every year because there are no security fences around the perimeter of the camps, said Assemblywoman Fiona Ma, D-San Francisco, who is writing the measure, AB439.

... There was no opposition to the bill, but a representative of a prison reform activist group testified that before mandating GPS devices for inmates, a better solution would be to make sure that violent criminals like Ruff don't end up in minimum-security facilities.

... Besides, an inmate bent on escaping could simply ditch the device before making a run for it, he said.



Only second-class citizens should be surveilled.

http://www.stuff.co.nz/stuff/thepress/4007787a6530.html

Friday, 30 Mar 2007

Surveillance upsets nursing home staff

Filming staff in rest homes shows a "lack of trust" in nurses and carers responsible for vulnerable patients, a nurses' union says.

Responding to a staff complaint about surveillance cameras in Christchurch's Rosewood Resthome, the New Zealand Nurses Organisation (NZNO) yesterday questioned why areas such as tea rooms and the nurses' station needed to be monitored.

A registered nurse working at the home said he and other staff did not like being on camera constantly. ... He did not object to cameras placed in other areas to watch the residents, despite failing to understand how it aided their safety, but said there was no need in staff-only areas.



I suspect this is far broader than just legal education. Could it be a business opportunity?

http://www.bespacific.com/mt/archives/014411.html

March 28, 2007

White Paper Addresses Legal Education and the Promise of Technology

New Skills, New Learning: Legal Education and the Promise of New Technology, by Gene Koo, Berkman Center for Internet & Society at Harvard Law School, March 26, 2007.

  • "A large majority of lawyers perceive critical gaps between what they are taught in law schools and the skills they need in the workplace, and appropriate technologies are not being used to help close this gap. This was the core conclusion of a new study by the Berkman Center for Internet & Society at Harvard Law School, in partnership with LexisNexis, which found:
    • More than 75 percent of lawyers surveyed said they lacked critical practice skills after completing their law school education.
    • Today's workplace demands skills that the traditional law school curriculum does not cover.
      ◦ Many attorneys work in complex teams distributed across multiple offices: nearly 80 percent of lawyers surveyed belong to one or more work teams, with 19 percent participating in more than five teams. Yet only 12 percent of law students report working in groups on class projects.
      ◦ Smaller firms can stay competitive with larger firms through more nimble deployment of technology tools and by exploiting the exploding amount of data openly available on the Web. Attorneys at these firms need tech-related skills to realize these opportunities.
    • Legal educators seriously under-utilize new technologies, even in those settings, such as clinical legal education, that are the most practice-oriented.
    • Research also suggests a breakdown in post-school workplace training, with smaller firms particularly unable to afford formal professional development.
      ◦ Neither law schools nor most workplaces provide new attorneys with a structured transition between school and practice. Only 36 percent of lawyers surveyed report a dedicated training experience during their first year of employment.
      ◦ Clients are increasingly unwilling to pay for training of associates, e.g. prohibiting firms from billing for young attorneys' attendance at client-facing meetings. New lawyers' involvement in such meetings has long been an important apprenticeship activity.
    • Finally, advances in computing and networking offer potential solutions to shortcomings in skills training at law schools.
      ◦ Utilizing authentic practice technologies to support law school clinical programs exposes law students to the practical tools they need to succeed in future practice.
      ◦ Learning through computer simulation mirrors the technology-based foundation of most legal practice settings today and enables participants to experience non-linear decision making closest to real-world casework."



How did they get caught in this mess in the first place? (See previous article?)

http://techdirt.com/articles/20070328/111454.shtml

Julie Amero Sentencing Delayed Again; Prosecutors May Be Trying To Figure Out How To Back Out Gracefully

from the just-admit-you-were-wrong dept

The Julie Amero case has been getting plenty of attention lately, after prosecutors (and the local press) in Connecticut condemned a local substitute teacher after the classroom computer she was using was overrun with porn popups from spyware. For this, she was facing 40 years in jail. While the local paper and the prosecutor kept insisting that everyone didn't know the full story, once the transcripts became available it became clear that it was the prosecutors, the local police and the local press who didn't seem to recognize the full story. While the local Norwich Bulletin continues to insist she deserves to be thrown in jail (update: they no longer support jailing Amero, but still get twisted about trying to explain how she's guilty of something), it sounds like the prosecutors on the case may be recognizing that they were wrong. The sentencing has been delayed for another month, and the suggestion is that it's the prosecution that's looking for a way to get out of this mess cleanly without looking too bad. In the meantime, the Hartford Courant put together a good article summarizing the details of the case that make it clear this whole thing was something of a witch hunt.



How can they lose? (AT&T will no doubt love the free publicity this generates for FreeConference.) I see parallels in DRM and RIAA...

http://techdirt.com/articles/20070327/154203.shtml

FreeConference.com Sues AT&T For Blocked Phone Calls

from the need-a-resolution dept

Earlier this month, we were surprised to hear that various mobile operators were blocking phone calls to services like FreeConference.com. When you get phone service, you expect that the phone service will work to any phone number, not the ones that your phone provider decides are okay. Oddly, given the attention the story received, the FCC has remained quiet about it. Apparently, the folks at FreeConference.com got tired of sitting around and waiting and have decided to sue AT&T, asking for an injunction against the company to get it to stop blocking calls to the FreeConference.com service. It's no secret that services like FreeConference.com are costing AT&T money, mainly through ridiculous termination fees set up by regulators protecting rural telcos. However, AT&T should take that up with the regulators, rather than simply blocking access to the service. Either way, it seems likely that both the FCC and the courts will soon be deeply involved in this issue.



Why do people still use a technology invented before the Civil War? (Think of it as proof that crooks will use any technology available.)

http://www.forbes.com/feeds/ap/2007/03/27/ap3555074.html

J2 Files Lawsuit Against Hot Lead

Associated Press 03.27.07, 9:42 AM ET

Voicemail and fax services provider j2 Global Communications Inc. said Tuesday it filed a lawsuit against Hot Lead Co. and its founders for sending unsolicited faxes to j2 customers.

In the lawsuit, j2 said it believes Hot Lead sent hundreds of thousands of illegal junk faxes every day.

... In January j2 settled junk fax lawsuits against Venali and Vision Lab Telecommunications Inc. and certain affiliates. The company said it also continues to pursue a lawsuit against Protus IP Solutions, a Canadian company that owns MyFax.com.



Clearly news reading is more efficient on the Internet; perhaps it is more effective as well?

http://techdirt.com/articles/20070329/004329.shtml

Shocking News: Online Readers Actually Have An Attention Span

from the and-it's-not-that-short dept

There's been plenty of talk of the web shortening people's attention spans, but the latest Eyetrack study from the folks at the Poynter Institute has found instead that online news readers are actually much more likely to read to the end of news stories than those who are reading news stories offline. Of course, it's not that hard to figure out why: newspapers lose an awful lot of readers when they put in a "go to page 14 to continue." It ruins the entire flow of reading a news story, and it's the point at which anyone who's not fully engaged simply gives up. Still, it does say something that people do tend to read to the end of online news stories, rather than being quickly distracted by the next random viral video on YouTube.



I'll remember this the next time one of my students claims their hard drive crashed...

http://www.eweek.com/article2/0,1759,2108697,00.asp?kc=EWRSS03119TX1K0000594

Web Site Offers Directory of Data Recovery Services, Software

March 28, 2007 By Chris Preimesberger

Two leading IT think tanks estimate that 5.6 million hard drives will fail in 2007, and chances are fair to good that one or more of them might well be yours. So a new company has decided to step in and help out.

Data Recovery Who's Who on March 28 launched the Internet's first one-stop directory of data recovery services and software, Data Recovery - Who's Who.



The first comment pretty much sums this up: “Why take two years to produce incompetent results when you can be just as incompetent in a few months?”

http://yro.slashdot.org/article.pl?sid=07/03/28/2345229&from=rss

USPTO New Accelerated Review Process

Posted by samzenpus on Wednesday March 28, @09:49PM from the take-only-one-cookie dept. Patents Politics

Intron writes "Perhaps you have been lying awake worrying that your software patent on bubble sort might spend too much time being "examined" or "peer reviewed". You will be pleased to know that the US Patent and Trademark Office has launched their accelerated review process. "Applicants' submissions enjoy a presumption of patentability" says the patent office. Applicants are also responsible for disclosing any prior art."



I knew there had to be at least one site like this. Dennis pointed me to it. You should be able to find a blog like this for every case/cause/story of interest...

http://recordingindustryvspeople.blogspot.com/

Recording Industry vs The People

A blog devoted to the RIAA's lawsuits of intimidation brought against ordinary working people.
