Apparently some facts are leaking out. (Boy, those WSJ guys are good!) Nothing new on the TJX web site since March 28th but someone is talking.
Depths Of TJX's Incompetence Continues To Astound
from the leave-the-front-door-open dept
The TJX credit-card data breach -- the largest ever -- was sort of amazing, in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn't comply with credit-card companies' strict security guidelines, but a story in today's Wall Street Journal spells out the depths of TJX's incompetence when it came to security. Investigators believe that the hackers used directional antennas to intercept signals sent over the WiFi networks at the company's stores, which were encrypted only with the easily cracked WEP standard, since TJX never bothered to update to WPA. You wouldn't think that would be too much of a problem, because apart from the network being encrypted, the company had installed other layers of encryption and security, right? Wrong. Once the hackers had gained access to the TJX network through a single store, they used keyloggers to get access to the company's central database at its headquarters, and they established their own accounts and the major theft began. Again, TJX made this easier on the crooks by transmitting credit-card data to banks without encryption. [There is an easy solution to this: Don't pay companies for unencrypted records... Bob] Banks continue to see claims from fraudulent activities related to the theft, and they're left holding the bag -- so it's little wonder some of them have sued TJX in hopes of recovering damages. This illustrates one of the biggest problems when it comes to identity theft and data protection: companies responsible for leaks and losses aren't typically the ones that have to deal with or pay for the fallout. For instance, in this case, TJX's financial liability has thus far been limited, and any fines it will have to pay will likely be minimal, despite its ridiculously shoddy security. The company has no incentive to enact better security if it feels no repercussions from a breach, so why should it bother? 
These misaligned incentives exacerbate the problem, and don't help anyone.
[From the WSJ article (well worth a careful read): Bob]
... The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. [They have traced it back! Bob]
... The $17.4-billion retailer's wireless network had less security than many people have on their home networks, [What is the legal definition of negligence? Bob]
... A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records. [TJX announced a “limited number” Bob]
... TJX ... can't crack the encryption on files that the hackers left in its system.
... Banks could spend $300 million to replace cards
... TJX's breach-related bill could surpass $1 billion over five years -- including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities -- estimates Forrester Research
... The security upgrade alone could cost $100 million
... It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. [Earlier, it said it would not! Only those whose “drivers' license, military ID or state ID numbers” were taken. In fact, their web site still says that... Bob]
... An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought.
... The auditor told the company last Sept. 29 [2006 Bob] that it wasn't complying with many of the requirements imposed by Visa and MasterCard, according to a person familiar with the report. The auditor's report cited the outmoded WEP encryption and missing software patches and firewalls.
... Investigators did find traces of the hackers: altered computer files, suspicious software and some mixed-up data such as time stamps in the wrong order. [This supports my contention that their “financial records” have been modified. Doesn't that make their Sarbanes-Oxley certification of “adequate control” rather suspect? Bob]
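The WSJ excerpt above says investigators found "time stamps in the wrong order" among the traces the hackers left. That is a cheap integrity check any responder can run over an append-only log: entries should never carry a timestamp earlier than the latest one already written, so any that do are candidates for tampering (or for a clock that was changed, which is itself worth explaining). The Python below is an added example, not code from the article or the TJX investigation; the log lines are constructed, and the field names in them are invented for illustration.

```python
from datetime import datetime

# Constructed sample log (not from TJX): ISO-8601 timestamp, then an event record.
# Lines 4 and 6 are deliberately out of order to show what the check reports.
SAMPLE_LOG = """\
2007-04-01T10:00:05 login user=svc_backup host=db01
2007-04-01T10:00:09 query table=card_tx rows=120
2007-04-01T10:00:14 logout user=svc_backup host=db01
2007-04-01T09:58:50 login user=admin host=db01
2007-04-01T10:01:30 query table=card_tx rows=500000
2007-04-01T10:01:02 file_write path=/tmp/export.dat
"""


def parse_line(line):
    """Split one log line into (timestamp, event text)."""
    ts_text, _, event = line.partition(" ")
    return datetime.fromisoformat(ts_text), event


def find_out_of_order(log_text):
    """Return a list of (line_number, timestamp, event, latest_seen) for every
    entry whose timestamp is earlier than the latest timestamp written before it.

    An append-only log should be monotonic; a regression means the file was
    edited, records were inserted, or the system clock moved backwards. All three
    deserve a closer look during an investigation."""
    anomalies = []
    latest = None
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, event = parse_line(line)
        if latest is not None and ts < latest:
            anomalies.append((number, ts, event, latest))
        else:
            latest = ts  # only advance on in-order entries
    return anomalies


def report(log_text):
    """Human-readable summary of the anomalies, one line each."""
    lines = []
    for number, ts, event, latest in find_out_of_order(log_text):
        lines.append(
            f"line {number}: {ts.isoformat()} is earlier than previous "
            f"high-water mark {latest.isoformat()} -> {event}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["no out-of-order timestamps found"]:
        print(line)
```

Run against the sample it flags lines 4 and 6. In practice this is a triage signal rather than proof of tampering; the next step is to compare the suspect entries against a second, independent record (a remote syslog copy, database redo logs, the network device logs) that the intruder could not reach from the compromised host.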
May 04, 2007
Wardriving may have started TJX breach
The largest data breach in U.S. history may have started with wardriving, the practice of cruising for vulnerable wireless access points
... If the report is true, it would have an uncanny resemblance to another hack at retailer Lowe's in 2003. In that case, a Michigan man pleaded guilty to hacking a wireless network at a Lowe's store, then using that access to compromise systems at the company's headquarters and other stores in the U.S.
Security is as security does? “Let us set an example for you!”
TSA Loses Hard Drive With Personal Info
By MATT APUZZO Associated Press Writer May 5, 2007, 7:54 AM EDT
WASHINGTON -- The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.
Authorities realized Thursday the hard drive was missing from a controlled area at TSA headquarters. TSA Administrator Kip Hawley sent a letter to employees Friday apologizing for the lost data and promising to pay for one year of credit monitoring services.
... TSA said it has asked the FBI and Secret Service to investigate and said it would fire anyone discovered to have violated the agency's data-protection policies. [No doubt that will encourage cooperation... Bob]
In a statement released Friday night, the agency said the external -- or portable -- hard drive contained information on employees who worked for the Homeland Security agency from January 2002 until August 2005.
... The agency added a section to its Web site Friday night addressing the data security breach and directing people to information about identity theft.
Rep. Sheila Jackson Lee, D-Texas, whose Homeland Security subcommittee oversees the TSA, promised to hold hearings on the security breach. She said Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting.
Public Statement on Employee Data Security Incident
Always worth a quick read. I'll quote only one example...
Data “Dysprotection” Weekend Roundup for Week Ending May 6th
(update 1) Friday May 04th 2007, 3:12 pm
Filed under: Privacy, Children or Students, Identity Theft, Data Protection
... The GAO issued a report on lessons learned from the May 2006 VA breach involving 26.5 million vets. Surprisingly (to me, anyway), their appendices listed other breaches that I had never seen reported in the media, including the Farm Services Agency, the Marines, the National Center for Education Statistics, and Health and Human Services Centers for Medicare & Medicaid Services. Another half a million or so to add to the counters.
“We need a bigger government! No one else would pay us to write such fluff!” (Looks like they've been writing for the entire seven years. The executive summary is 37 pages long!)
After seven years, government data-regulation committee recommends new federal bureaucracy
Posted by Declan McCullagh May 4, 2007 2:02 PM PDT
MONTREAL -- Remember the fable about the scorpion and the frog? The scorpion can't help himself from stinging the frog: "I could not help myself. It is my nature."
Keep that in mind when reading a new 400-page government report from the National Research Council, which is called "Engaging Privacy and Information Technology in a Digital Age" and has been in the works for seven years.
... The NRC report says the United States should follow the European model of creating Yet Another Federal Bureaucracy (YAFB)
... To wit: "The committee recommends... that a national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments."
The report isn't listed on the home page of the National Academies Press Web site or the site of the Computer Science and Telecommunications Board, which actually organized the committee that created it. But if you poke around, you can find it and the executive summary on their site.
... The so-called Privacy and Civil Liberties Oversight Board has been mostly useless. In fact, a YAFB for privacy could be actively harmful in two ways: First, its bureaucrats would have a strong incentive to expand their own power and budget by inventing new and economically onerous ways to impose unnecessary data collection and use regulations on private firms. Second, by endorsing harmful government privacy practices, it would provide a useful political shield for future administrations.
Colorado didn't need seven years!
Inviting ID fraud
Ritter should reject weakening of identification standards
May 4, 2007
Gov. Bill Ritter has the chance to prevent Colorado from retreating in the battle against identity theft and fraud: He should veto House Bill 1313.
... To be sure, HB 1313 would eliminate some ambiguities in the current law. But it would also gravely weaken the standards for obtaining state IDs. This could invite rampant identity fraud.
Fear is a fearful thing.
Prom night includes breath test
"The school is afraid of drunk-driving accidents. Prom is a notorious time for that to happen." Jason Mix Brookfield High junior
By Heather Barr THE NEWS-TIMES BROOKFIELD -- Red light. Green light. May 04 2007 9:15 AM
Parents may give students the green light to drive to the prom, but if they get a red light at the door, they won't get in and they won't be driving themselves home.
For the first time, the Brookfield school district will make every student attending the junior prom use a passive breath device, a 4-inch-by-2-inch hand-held box held in front of their face as they count aloud.
... More Connecticut high school students drink at school than the national average. Alcohol testing is increasing both nationally and in the region.
The device is meant to be "non-intrusive," said Brookfield High School principal Bryan Luizzi.
He said it works when a person speaks in front of it. If the light on the device stays green, the student can go into the dance. If it turns red -- showing the device has detected alcohol molecules -- the student will be asked to step aside and sit for 15 minutes.
After that wait, he or she can take the test again, in case the device was wrong -- say, detecting alcohol molecules from mouthwash. [If it correctly detects alcohol, how is it wrong? I recommend all students come to the prom with bad breath! Bob]
... "We don't use this to catch anybody," [Have you been drinking, sir? If you don't want to catch anyone, why use the devices? Bob] said Luizzi of the breath devices.
... Using breath devices is something school officials and the Board of Education have discussed for a couple of years, but school officials decided to purchase six of them two months ago because the cost became affordable, said Luizzi. [We can. Therefore we must! Bob]
Virtual Lawyers take note! I think it is time to finish my book on “Virtual Philosophy”
Is Virtual Rape a Crime?
Posted by ScuttleMonkey on Friday May 04, @12:33PM from the because-/quit-is-so-hard-to-type dept. The Internet
cyberianpan writes "Wired is carrying commentary on the story that Brussels police have begun an investigation into a citizen's allegations of rape in Second Life. For reasons of civil liberty & clarity we'd like to confine criminal law to physical offenses rather than thought crimes but already threats, menace & conspiracy count as crimes. Could we see a situation where our laws extend?"
This should be very interesting!
California county to share data in e-voting suit
Alameda County will share the data from its e-voting machines as part of a lawsuit brought against the county charging failure to properly disclose the required data
By Robert Mullins, IDG News Service May 04, 2007
In a case that illustrates the technological and legal uncertainties about electronic voting, a California county has agreed to share data stored on computer voting machines in a disputed election.
The deputy counsel for Alameda County revealed in a state court hearing Friday in Oakland that it has tracked down 307 of 420 voting machines [The others are in the hands of the Democrats/Republicans Bob] that may [Must? Bob] still contain vote tabulations from a disputed 2004 election in Berkeley, California.
... State Superior Court Judge Winifred Smith ruled a month ago that the county violated state election laws by not sharing voting records that could verify whether the election results were accurate with the plaintiffs.
... Despite a recount being sought in December 2004, Alameda County sent back to Diebold Systems the electronic voting machines it used without downloading election results from flash memory chips on each of the machines.
Scottish e-counting under scrutiny in election mess
By Julian Goldsmith Story last modified Fri May 04 13:11:52 PDT 2007
Scotland's Electoral Commission is undertaking a full review of its elections, with the electronic-counting process, ballot rejection and voting via mail all under scrutiny.
The commission said "e-counting" in the recent election had worked well in a number of areas, adding that where counts have been completed, the results are accurate and final. [Are they suggesting that some “computer counts” have not yet been completed? Bob]
But it said "serious technical failures have arisen to delay the announcement of results" [Didn't you just announce that the results are suspect? Bob] in various areas, adding: "We share the public's concern about the high number of rejected ballot papers." According to a BBC report, seven vote counts were suspended and up to 100,000 ballot papers were spoiled.
May 04, 2007
GPO and SMU Offer Digital Collection of World War II Publications
Press release: "As the world pauses to remember the 62nd anniversary of the Allies' victory in Europe during World War II (May 8, 1945), the U.S. Government Printing Office (GPO) is joining with Southern Methodist University (SMU) Central University Libraries to provide the public with a digital collection of more than 300 U.S. Government publications distributed during the course of the war...SMU Central University Libraries, which are part of GPO's Federal Depository Library Program (FDLP), have digitized hundreds of historical World War II publications that are available to the public. With just a few keystrokes, Americans can access World War II reports and documents such as: Choosing Women for War - Industry Jobs, America's Biggest War Plant and Air Raid Shelters in Buildings.
These documents and many others are accessible here."