Slowly, we are learning that TJX never read “Security for Dummies”
TJX Intruder Moved 80GB of Data Without Detection
October 25, 2007 By Evan Schuman
Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Oct. 25 and want a jury to evaluate TJX's security professionalism.
New details that emerged from documents filed in federal court Oct. 25 include:
# A TJX consultant found that not only was TJX not PCI-compliant, but it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.
# "After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX were transferred in this manner. TJX did not detect this transfer." [At minimum, one would need to look at the increasing volume of storage (the hacker encrypted his files before transfer) and of traffic to plan changes in the IT infrastructure. Bob]
# In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber-thieves, where it remained undetected for seven months, "capturing sensitive cardholder data as it was transmitted in the clear by TJX."
# In 2004, before the attacks began, TJX was issued a report on its security compliance that "identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies."
# At his deposition, the unnamed TJX consultant said that "he had never seen such a void of monitoring and capturing via logs activity at a Level One merchant as he saw at TJX."
# "The data breach at TJX affected more than 100 million separate and distinct credit and debit card account numbers, more than twice the size of the next largest data breach in the history of the country."
# The filings confirmed that both Visa and MasterCard have fined TJX. Visa issued "a substantial fine" in connection with the TJX data breach, dubbing it an "egregious violation" of security procedures. The sizes of the fines were not specified.
The filings for the first time also listed the key security problems that a TJX consultant found: improperly configuring its wireless network; not segmenting cardholder data devices from the rest of network traffic; "TJX did not have an IT department that was properly tasked to manage the environment used to store, process or transmit cardholder data"; improperly storing prohibited cardholder data; using usernames and passwords "that were easy to penetrate"; improper patch procedures; logs not properly maintained; anti-virus protection "improper"; and weak intrusion detection.
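The two failures above (an 80 GB outbound transfer nobody noticed, and logs that were "not properly maintained" with "weak intrusion detection") come down to one missing control: a per-host view of how much leaves the network and where it goes. The script below is an added example, not code from the filings or from any TJX system, showing that check over constructed flow records (hypothetical hosts, addresses and volumes). It builds a per-host daily egress baseline, then flags days where a host's outbound volume is both far above its own baseline and above an absolute floor, and separately flags large transfers to a destination the host had never used during the baseline period.

```python
"""Added example: egress-volume monitoring over constructed flow records.

Not code from the TJX filings or any TJX system. It models one of the checks
the article implies was missing: watching how much data each internal host
sends to the Internet, and to which destinations, so that a multi-day transfer
of tens of gigabytes stands out from that host's own history.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000
GB = 1_000_000_000

# Constructed flow records: (day, src_ip, dst_ip, bytes_out). All values are
# hypothetical; 10.0.0.0/8 is the internal network, everything else external.
FLOWS = [
    # 10.1.1.20: modest daily egress to one partner, then a staged large transfer
    ("2006-12-01", "10.1.1.20", "198.51.100.7", 110 * MB),
    ("2006-12-02", "10.1.1.20", "198.51.100.7", 125 * MB),
    ("2006-12-03", "10.1.1.20", "198.51.100.7", 105 * MB),
    ("2006-12-04", "10.1.1.20", "198.51.100.7", 118 * MB),
    ("2006-12-05", "10.1.1.20", "198.51.100.7", 112 * MB),
    ("2006-12-06", "10.1.1.20", "198.51.100.7", 115 * MB),
    ("2006-12-06", "10.1.1.20", "203.0.113.9", 38 * GB),   # new destination, huge
    ("2006-12-07", "10.1.1.20", "203.0.113.9", 42 * GB),
    # 10.1.1.30: steady traffic with one small spike, well under the floor
    ("2006-12-01", "10.1.1.30", "198.51.100.7", 50 * MB),
    ("2006-12-02", "10.1.1.30", "198.51.100.7", 52 * MB),
    ("2006-12-03", "10.1.1.30", "198.51.100.7", 48 * MB),
    ("2006-12-04", "10.1.1.30", "198.51.100.7", 51 * MB),
    ("2006-12-05", "10.1.1.30", "198.51.100.7", 49 * MB),
    ("2006-12-06", "10.1.1.30", "198.51.100.7", 300 * MB),
    ("2006-12-07", "10.1.1.30", "198.51.100.7", 50 * MB),
    # internal-to-internal traffic is not egress and is ignored
    ("2006-12-06", "10.1.1.30", "10.1.1.20", 5 * GB),
]

# Days used to learn each host's normal behaviour (hypothetical choice).
BASELINE_DAYS = {"2006-12-01", "2006-12-02", "2006-12-03", "2006-12-04", "2006-12-05"}


def is_internal(ip):
    return ip.startswith("10.")


def daily_egress(flows):
    """Return ({host: {day: bytes}}, {host: {day: set(external destinations)}})."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
            dests[src][day].add(dst)
    return totals, dests


def flag_egress(flows, baseline_days, z_threshold=3.0, floor_bytes=1 * GB):
    """Return (host, day, reason, bytes) alerts for non-baseline days where a
    host's egress exceeds mean + z*stdev of its baseline AND an absolute floor,
    or where it sends at least the floor to destinations absent from its baseline."""
    totals, dests = daily_egress(flows)
    alerts = []
    for host in sorted(totals):
        base = [totals[host][d] for d in sorted(baseline_days) if d in totals[host]]
        if not base:
            continue  # no history to compare against; a separate new-host rule would cover this
        mu, sigma = mean(base), pstdev(base)
        known = set().union(*(dests[host][d] for d in baseline_days if d in dests[host]))
        for day in sorted(totals[host]):
            if day in baseline_days:
                continue
            vol = totals[host][day]
            if vol >= floor_bytes and vol > mu + z_threshold * sigma:
                alerts.append((host, day, "volume_outlier", vol))
            new_dsts = dests[host][day] - known
            if new_dsts:
                new_vol = sum(nb for d, s, dst, nb in flows
                              if d == day and s == host and dst in new_dsts)
                if new_vol >= floor_bytes:
                    alerts.append((host, day, "new_destination", new_vol))
    return alerts


if __name__ == "__main__":
    for host, day, reason, nbytes in flag_egress(FLOWS, BASELINE_DAYS):
        print(f"{day} {host} {reason} {nbytes / GB:.1f} GB")
```

On the constructed data, 10.1.1.20 is flagged on both transfer days for volume and for the never-seen destination, while 10.1.1.30's 300 MB spike is statistically far outside its baseline but stays below the 1 GB floor, so it is not reported; lowering `floor_bytes` surfaces it. The floor is what keeps a rule like this from drowning in small deviations, and the baseline-only definition of "known destinations" is a deliberate choice: a destination first seen during the suspicious period keeps being reported until an analyst accepts it into the baseline. Because the intruder encrypted the files first, content inspection would not have helped; volume and destination are the signals that survive encryption.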
Oct. 25's revised complaint linked the bad security practices with the computer breach, which forced banks to take expensive actions to defend themselves. One key issue in civil cases such as this is whether the defendant can be shown to be simply careless or deliberately reckless. That distinction relies on showing what was likely in the defendant's mind at the time of the acts that led to the data breach.
Attorneys for the banks indicated they would try to show that intent with internal TJX documents obtained during discovery. "TJX knew—and discussed internally prior to the breach—that its deficiencies in network and data security could lead to the exact losses incurred here in the many millions of dollars," said the filing. "Had TJX properly disclosed information about the extent of its noncompliance with network security requirements prior to the breach, then actions to correct the deficiencies and prevent the breach could have been taken," the filing said.
Here's a question for someone who knows Public Relations better than I do: Why would a CEO want to keep the story alive by making public (but fact free) announcements?
Company says personal information untapped on stolen laptop
© 2007 The Associated Press Oct. 25, 2007, 4:39PM
DALLAS — The chief executive of a personnel-services company said Thursday there is no indication that anyone has tapped personal information on nearly 160,000 people that was contained on a stolen computer. [Nor is there any evidence that Aliens haven't kidnapped him and replaced him with a robot. Bob]
Even Librarians understand Privacy...
October 24, 2007
OCLC Report: Sharing, Privacy and Trust in Our Networked World
OCLC press release and related links: "The practice of using a social network to establish and enhance relationships based on some common ground—shared interests, related skills, or a common geographic location—is as old as human societies, but social networking has flourished due to the ease of connecting on the Web. This OCLC membership report explores this web of social participation and cooperation on the Internet and how it may impact the library’s role, including: The use of social networking, social media, commercial and library services on the Web; How and what users and librarians share on the Web and their attitudes toward related privacy issues; Opinions on privacy online; Libraries’ current and future roles in social networking."
Complete text of the OCLC Report: Sharing, Privacy and Trust in Our Networked World, October 2007 (280 pages, PDF)
Highlights of the Report (16 pages, PDF)
An interesting take on the story. Is this a (government sanctioned) monopoly acting evil? An interesting tack for the Class Action lawyers to sail.
Comcast and Net Neutrality
October 24th, 2007 by Ed Felten
The revelation that Comcast is degrading BitTorrent traffic has spawned many blog posts on how the Comcast incident bolsters the blogger’s position on net neutrality — whatever that position happens to be. Here is my contribution to the genre. Mine is different from all the others because … um … well … because my position on net neutrality is correct, that’s why.
Let’s start by looking at Comcast’s incentives. Besides being an ISP, Comcast is in the cable TV business. BitTorrent is an efficient way to deliver video content to large numbers of consumers — which makes BitTorrent a natural competitor to cable TV. BitTorrent isn’t a major rival yet, but it might plausibly develop into one. Which means that Comcast has an incentive to degrade BitTorrent’s performance and reliability, even when BitTorrent isn’t in any way straining Comcast’s network.
For my Contingency Planning students.
Running the Numbers on a US Pandemic
Posted by Zonk on Thursday October 25, @03:54PM from the plz-stay-theoretical-k-thnx dept. Businesses Security Science
Lucas123 writes "A U.S. pandemic would exhaust antiviral medications, reduce basic food supplies, put ATMs out of service, shut down call centers, increase gas prices and up health insurance claims by 20%, according to a test project developed by financial service firms. The pandemic paper planning scenario is used by 3,000 banks, insurance companies and security firms in preparing for disasters. The financial services groups are now sharing the pandemic flu exercise information, and all the scenarios are available for download."
...so, how could you train people to deal with a pandemic?
The E-Learning Adventure
By Nicole Girard TechNewsWorld 10/25/07 6:15 AM PT
Improvements in the processing power of personal computers combined with Internet delivery applications provide a tremendous opportunity for novel approaches to preparedness training. The power of virtual learning environments lies in creating 3-D spaces that give users a sense of learning by doing.
For my Security Management students: “Some users weren't doing what we thought they should do, so we 'fixed them.'”
Microsoft's OneCare silently changes Automatic Updates
Many Windows XP and Vista users were mystified when their Automatic Updates settings were changed without approval, and a researcher thinks OneCare is to blame
By Gregg Keizer, Computerworld October 25, 2007
Microsoft's consumer security software changes the AU (Automatic Updates) settings in Windows XP and Vista without telling users or getting their approval, a researcher said Thursday -- behavior that may explain recent reports of patches being installed and systems rebooting without permission.
When Microsoft responded to new charges of silent changes last week, however, it denied that AU settings were ever altered without user approval, and it didn't mention OneCare as a possible culprit.
Scott Dunn, an editor at the "Windows Secrets" newsletter, reported Thursday morning that OneCare silently changes AU settings as it installs. No matter what AU setting the user selected previously, OneCare's installer quietly changes it to the fully automatic option.
...and as proof that “Bill knows best” (Hey! It's their operating system, we're just renting it. This could be a matter of National Security!)
More gnashing of teeth after Microsoft update brings PCs to a standstill
Resource-hogging search app sprung on reluctant admins
By Dan Goodin Published Thursday 25th October 2007 01:04 GMT
Updated: This story was updated on Thursday 25th October 2007 23:21 to add comment from Microsoft.
Something seems to have gone horribly wrong in an untold number of IT departments on Wednesday after Microsoft installed a resource-hogging search application on machines company-wide, even though administrators had configured systems not to use the program.
Education is changing. It should be possible (I can see no technical obstacles) to generate “one off” degrees for students with very specific interests. (A PhD in Blogging, for example.)
October 25, 2007 08:30 AM Eastern Daylight Time
Concord Law School Partners with Loyola University Chicago School of Law to Introduce Online Version of Popular MJ Degree in Health Law
LOS ANGELES--(BUSINESS WIRE)--Concord Law School announced today that it will partner with Loyola University Chicago’s School of Law to offer a Master of Jurisprudence (MJ) in Health Law online to Loyola students beginning May 2008.
“Increased accessibility to legal education is a significant part of Concord’s mission, and we are very pleased to be part of this project,” said Barry Currier, Dean of Concord Law School. “Bringing our online expertise to this partnership will give Loyola an opportunity to bring its health law curriculum to a broader audience, providing both opportunities for students and service to the health care industry.”
Now this has potential! A non-browser browser...
By: LabRats On: October 25th, 2007 Posted In: Mozilla Labs
Personal computing is currently in a state of transition. While traditionally users have interacted mostly with desktop applications, more and more of them are using web applications. But the latter often fit awkwardly into the document-centric interface of web browsers. And they are surrounded with controls–like back and forward buttons and a location bar–that have nothing to do with interacting with the application itself.
... Prism is an application that lets users split web applications out of their browser and run them directly on their desktop.
Attention fans of the Da Vinci Code! (Think of it as e-art – when you have a wall sized hi-def TV, this can be your screen saver...)
"Last Supper" to go online
Thu Oct 25, 2007 3:53pm EDT By Gilles Castonguay
MILAN (Reuters) - A high-resolution image of Da Vinci's "Last Supper" will soon be posted on the Internet by an Italian technology firm, allowing art lovers and conspiracy theorists alike to scrutinize it from their own computers.