Once again in the news. Once again setting new standards for bad security management.
TJX employee fired for exposing shoddy security practices
TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, [“Our employees are too dumb to remember a password...” Bob] the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.
Source - The Register
[From the article:
So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum.
... The account has us wondering if other TJX employees have tales similar to Benson's. If so, please contact your reporter using this link. (Anonymity assured.) [Perhaps we need a national “rat out your employer” web site? Bob]
Most Retailer Breaches Are Not Disclosed, Gartner Says
While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.
In a new study based on interviews with 50 U.S. retailers, Gartner found that 21 of them were certain they had had a data breach. However, just three of the retailers had disclosed the incident to the public.
The small number of retailers in the survey makes it impossible to draw any firm conclusions from the data, but it does underscore a noteworthy trend, said Gartner analyst Avivah Litan. "Sensitive data is being stolen and most of the time it's not being disclosed," she said. "There are a lot more breaches than we hear about."
Source - PC World
[From the article:
Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.
And this type of crime is not going away. Credit card companies predict that payment card fraud rates will double over the next two years, the research company said.
Also related. I wonder if their “forensic expert” offered to assume some liability if they are wrong?
Saks: laptops recovered, so no need to notify customers
Back in mid-April of this year, retailer Saks Fifth Avenue (SFA) discovered that four laptops had been stolen. Two of the stolen laptops contained names, addresses, and credit card information on some of their customers. On April 30, Saks notified the New Hampshire and Maryland attorneys general of the incident and their intent to notify customers of the loss.
But according to an updated notification [pdf] from SFA dated May 16, two of the four laptops were reportedly recovered by police within 24 hours of SFA's letter to the states' attorneys general, and the remaining two laptops were recovered "shortly thereafter." SFA says that they then retained an "independent, certified forensics company that analyzed the recovered laptops and was able to confirm that none of the personal data on any of the laptops was accessed or compromised in any way." [I need to do more research. As far as I know, it is impossible to make this claim with certainty. Bob]
Relying on the forensics report, SFA concluded that there is "no risk of identity theft or fraud to the individuals whose information was on those laptops," and cancelled their plan to send out notifications to customers.
Perhaps SFA does not realize that the breach report was posted on the internet where their customers might find out about it. Or perhaps SFA thinks that their customers will agree with them that there was no need to notify them in light of the forensics report. But at least one customer who was interviewed about the situation felt otherwise. "I would want to know everything," said Frances, a long-time SFA customer who prefers to be identified by only her first name. "Even if they think there is no risk, I would want to be told, just in case."
Calls to SFA for a statement were not answered by the time of publication.
Of course you only want to steal the best identities...
HOSP ID-THEFT DUO NAILED
Erika Martinez reports in the NY Post:
Two information specialists at a Brooklyn hospital stand accused of swiping patient information to open bogus credit-card accounts and shop online while working.
Jessica Paul, 23, and Jessica Darden, 20, of Maimonides Medical Center in Borough Park, accessed patient files and ran the names through a credit-check Web site, seeking people with high credit ratings, authorities said.
Paul is accused of stealing the identities of four people from March 1 to May 7 and of using a doctor’s computer to set up Neiman Marcus and PayPal accounts.
Full story - NY Post
Cute. If you copy the slides, remember to keep checking for new and bigger breaches...
Laptop Losers Hall of Shame
By Carolyn Duffy Marsan, Network World, 05/22/08
Here's a list [Slides, actually. Bob] of the 10 biggest (known) security breaches from lost or stolen laptops, where government agencies, corporations and colleges failed to safeguard the names, Social Security numbers and other personal info of their customers. Encryption software - which costs as little as $10 per laptop - could have prevented most of these incidents.
Another HP-style witch hunt?
Deutsche Telekom Suspected of Privacy Breaches
Security staff at telecoms giant Deutsche Telekom are suspected of breaching German data privacy laws during a secret attempt to identify the sources of high-level leaks to the media, the company said Saturday, May 24.
Using the company's own records of millions of numbers dialed, the dates and the durations, the internal-security unit had hunted for possible matches between news reporters and Telekom directors.
Source - dw-world.de
Almost there... Does the right to confront your accuser trump the 'privacy card?'
Greeley schools agree to let parents see school bus video
Associated Press - May 23, 2008 8:24 PM ET
GREELEY, Colo. (AP) - Greeley school officials have agreed to let parents of students disciplined for bad behavior on school buses view security video of what happened.
... School officials said Friday they think they can respect students' privacy while allowing parents to view video in disciplinary cases. The district is still determining specific procedures for viewings.
A tool for the nervous browser? Far from foolproof, but far better than nothing.
May. 23, 2008 at 7:59am Eastern by Barry Schwartz
Google's Safe Browsing Diagnostic Tool
A week ago Google announced the release of a safe browsing diagnostic tool. To use the tool, just append a URL to the end of http://www.google.com/safebrowsing/diagnostic?site=
For example, to test this site, you would enter http://www.google.com/safebrowsing/diagnostic?site=http://searchengineland.com/. Google will then return four sets of security information about that page.
... The Zero Day blog has some additional information on this Google security release.
This could be useful, even if it is written in Canadian...
Ca: New book launched to help businesses comply with privacy law
The Office of the Privacy Commissioner of Canada (OPC) today launched a new book to help businesses comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy law. Leading by Example: Key Developments in the First Seven Years of PIPEDA was unveiled at a three-day summit organized by the International Association of Privacy Professionals.
Source - CNW Group
A whole new field of employment for my hacking students?
The future of political dirty tricks and deception online
By Julian Sanchez | Published: May 22, 2008 - 07:30PM CT
Make sure your driving record is clear, citizen. See that you've paid off your parking tickets and paid up your child support, and remembered to bring two forms of ID before showing up to the polls on Thursday. That's the preposterous, predictable refrain of the voter "information" flyers and robocalls that crop up like clockwork—usually in minority neighborhoods—during election season, touting ersatz endorsements, fictitious voting requirements, and precisely-wrong times, dates, and places at which to make your voice heard in the democratic process. With old-fashioned smear campaigns already proving disturbingly effective in digital form, civil rights activists worry that it's only a matter of time before voter suppression tactics make the leap to the Internet. Earlier this week, at the annual Computers, Freedom and Privacy conference, they braced for the inevitable.
Related? I think so. “If we don't have the ability to hang the occasional chad, anyone could be President!”
Senators: No need for paper e-voting trails, 'electronic' ones are OK
Posted by Anne Broache May 23, 2008 12:20 PM PDT
Computer scientists have pressed for e-voting paper trails for years, in peer reports and in testimony on Capitol Hill. Now it looks like Congress is poised to ignore this idea: forthcoming legislation will say that a backup "electronic" record is OK too.
The law seems to “suggest” that electric suppliers might want to comply, but they can “accept the risk” instead and they don't need to buy new equipment. Sounds like they wrote the law... “You want a warm fuzzy feeling? Microwave your cat.”
May 23, 2008
FERC Chairman Testifies on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid Event
Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid
"The Congress made FERC responsible for overseeing the reliability of the bulk power system, but it provided specific restrictions on the procedures to be used to develop and put into effect mandatory reliability standards. [Section 215 of the Federal Power Act] is an adequate basis to protect the bulk power system against most reliability threats, and for that reason I do not believe there is a need to amend section 215. However, I believe a different statutory mechanism is needed to protect the grid against cyber security threats, given the nature of these threats."