Friday, January 30, 2009

Interesting twist... New statistic.

http://www.databreaches.net/?p=1103

Canadian Tire cancels 16,000 Mastercards after Heartland breach results in hundreds of cards being misused

Posted January 29th, 2009 by admin

Canadian Tire (TSX:CTC) says it has cancelled and is re-issuing 16,000 Mastercard credit cards issued by its financial services arm over security concerns.

Spokeswoman Lisa Gibson says the cards were deemed to be at risk after a widespread security breach disclosed last week by Heartland Payment Systems (NYSE:HPY), a U.S. credit card transaction processor.

Gibson says for the most part, the cancelled Options Mastercards were deemed to be at risk because they had been used in the U.S.

[...]

Canadian Tire Financial Services manages the country’s second-largest MasterCard franchise, with more than five million accounts.

Read more on Stockhouse

Note: Ms. Gibson informs me that 2% of the cards involved had been misused. [I wonder how that compares to HPS's market share? Bob]



A rather poorly written article. However it does offer some new information (if it is more credible than the writing style indicates.)

http://www.databreaches.net/?p=1090

Heartland Sniffer Hid In Unallocated Portion Of Disk

Posted January 29th, 2009 by admin

Evan Schuman of StorefrontBacktalk reports:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack. One of those security experts—who works for a very large U.S. retail chain and asked to have her name withheld—speculated that the complex nature of the hiding place, coupled with the relatively careless leaving of temp files, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

Read more on StorefrontBacktalk

[From the article:

Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

… Some of the problem might not involve common points of purchases or common points of processors as much as common points of high-tech hoodlums. Baldwin said Justice Department and U.S. Secret Service officials have told him “the bad guys they think got us have successfully breached other financial institutions.” [Something to look forward to? Bob]

… After the card brands alerted Heartland in late October, it took about two weeks of internal investigation to conclude that, yes, the company had been breached. [In their Inaugural Day announcement, they stated that they found “evidence of the intrusion last week” Bob]

… The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said. [Translation: “Your security looks like Swiss Cheese and you don't log anything, so we can't tell what happened.” Bob]

… Heartland on Tuesday (Jan. 27) announced that it will be creating a new department that will be “dedicated exclusively to the development of end-to-end encryption.” [“But don't expect us to succeed, since we've already pointed out that getting every cash register/card swipe machine to encrypt using a common technique is likely to be impossible.” Bob]



Not everything is related to HPS... (maybe)

http://www.databreaches.net/?p=1105

Ca: Debit scam victims now in the ‘hundreds’

Posted January 29th, 2009 by admin

This incident keeps growing and growing…

Joe Belanger reports:

Police now confirm there are “hundreds” of victims in a debit card scam in Stratford.

Although police said every financial institution was hit, they’ve confirmed there were more than 350 victims at just two banks.

“We’re just starting to extrapolate the data, but it’s obviously in the hundreds,” said Det. Inspector Sam Theocharis.

Asked how much money the culprits have scammed, Theocharis said: “Who knows? We can’t say for sure just yet, but it’s well over $100,000. Right now, I can say there’s no bank that hasn’t been affected.”

Police are working with Interac Canada, the Canadian Bankers Association, and security branches of the various banks to try and gauge the breadth of the scam, which was discovered last weekend as Stratford residents began seeing money disappear from accounts and debit cards were disabled.

Read more in the London Free Press

[From the article:

The CBA says debit card fraud is a problem, but not as widespread as some may think. Less than one per cent of the 21 million debit cards in circulation in 2007 were hit by fraud, with the total amount lost estimated at $107 million. [One percent of 21,000,000 is 210,000. $107,000,000 divided by 210,000 works out to about $51 per card. If you can go through 1000 cards a week, that's not a bad income. Bob]



Told ya!

http://www.databreaches.net/?p=1099

Pointer: SQL Server Database Hack Tricks Forensics

Posted January 29th, 2009 by admin

OK, because I’m not a security professional but a privacy advocate, I generally do not post just “straight security” news items, but this one really touches on an issue that keeps coming up.

How many times have we been told that some unnamed or named forensics service examined a recovered laptop or a hacked database and was able to determine that nothing happened, etc.?

For years, I have been told by security professionals I know that such statements are inaccurate and that it is certainly possible to access data without leaving any evidence that forensic examiners would find. And for years, I have argued that press releases should honestly say, “As far as we can tell…” instead of making blanket assurances that are probably false. Now this, from Kelly Jackson Higgins of Dark Reading:

A database security researcher will demonstrate at Black Hat DC next month how an attacker can cover his tracks using anti-forensics techniques after breaking into a SQL Server database.

Cesar Cerrudo, the lead researcher for Application Security Inc.’s Team SHATTER and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. “If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom,” Cerrudo says.

Read more here.

[From the article:

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. "One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack," Cerrudo says.

… "Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him," Cerrudo says.

How can an organization protect itself from such an attack? "Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can't protect [the database] once the attacker has enough permissions," he says.



Technology you can (lie and) rely on?

http://yro.slashdot.org/article.pl?sid=09%2F01%2F29%2F2018254&from=rss

Lie Detector Company Threatens Critical Scientists With Suit

Posted by timothy on Thursday January 29, @04:18PM from the slapp-ing-them-around dept. Censorship The Courts Science

An anonymous reader writes

"The Swedish newspaper DN reports that the Israeli company Nemesysco has sent letters to researchers at the University of Stockholm, threatening legal action if they do not stop publishing findings (Google translation). An article called 'Charlatanry in forensic speech science: A problem to be taken seriously' was pulled by the publisher after threats of a libel lawsuit."

Online translations can be a little wonky; if your Swedish is as bad as mine, this English-language article describes the situation well.

[From the second article:

The article's conclusion is that there is no scientific evidence to show that lie detectors actually work.


Related?

http://blog.wired.com/gadgets/2009/01/bbc-snakeoil-pe.html

BBC Snakeoil: 'Perfectly Accurate' Voice Recognition Phone 'Too Secret' to See

By Charlie Sorrel January 30, 2009 6:53:51 AM



Just to point out what can be done. Contrast with what your cable company is doing?

http://tech.slashdot.org/article.pl?sid=09%2F01%2F29%2F2252230&from=rss

Charter Launches 60 Mbps Service

Posted by timothy on Thursday January 29, @06:01PM from the deepening-the-digital-divide dept. The Internet Networking

ndogg writes

"While other companies are throttling their services, and capping bandwidth, Charter Communications, the cable company, is launching a 60/5 Internet service, starting in St. Louis, MO. It's certainly not cheap, starting at $129.99 per month (add another $10 if it's not being bundled with television or phone.) Currently, it's the fastest downstream speed available, and being a cable company, they potentially have greater reach than FiOS."

However, there may be a risk to putting too much money down on this service; Charter Communications as a company faces some serious financial problems right now. Reader Afforess writes, "rumors abound that Paul Allen may just cut his losses and run," by selling the company. (Allen is the majority stockholder.)



“We work hard to develop the best games possible, then our marketing guys wrap it in DRM software that makes it inaccessible to our customers.” (Does this sound SONY-like?)

http://games.slashdot.org/article.pl?sid=09%2F01%2F30%2F0556251&from=rss

DRM Shuts Down PC Version of Gears of War

Posted by Soulskill on Friday January 30, @01:58AM from the you-know-what-really-grinds-my-gears dept. Games

carlmenezes writes

"It seems that the DRM on the PC version of Gears of War came with a built-in shut-off date; the digital certificate for the game was only good until January 28, 2009. Now, the game fails to work unless you adjust your system's clock. What is Epic's response? 'We're working on it.'"



Is this an “Our geeks are better than your geeks” issue, or is it because the fix is simple on Google's side? Will Apple sue?

http://news.cnet.com/8301-17939_109-10153165-2.html?part=rss&subj=news&tag=2547-1_3-0-5

Google fakes out Hotmail for Chrome support

Posted by Stephen Shankland January 29, 2009 9:19 PM PST

… "While the Hotmail team works on a proper fix, we're deploying a workaround that changes the user agent string that Google Chrome sends when requesting URLs that end with mail.live.com," Chrome Product Manager Mark Larson said in a blog announcement. It also fixes a problem sending mail from Yahoo Mail, he said.



Something for those Ethics guys to argue about?

http://www.wired.com/culture/culturereviews/magazine/17-02/st_essay

Do Humanlike Machines Deserve Human Rights?

By Daniel Roth Email 01.19.09


Something for students who haven't taken the “Ethics and the Computer” class

http://news.cnet.com/8301-1009_3-10153017-83.html?part=rss&subj=news&tag=2547-1_3-0-5

'Obama worm' probably a student prank, experts say

Posted by Elinor Mills January 29, 2009 4:10 PM PST

… "Someone played around with one of the many DIY malware kits and just added this small social engineering bait of Obama's picture," he wrote in an e-mail.



So which is it? $10 or $100

http://mobile.slashdot.org/article.pl?sid=09%2F01%2F30%2F1051258&from=rss

India Will Show Its $10 Laptop Prototype

Posted by timothy on Friday January 30, @08:09AM from the better-than-a-chicken-in-every-pot dept. Portables Hardware

Tech Ticker writes

"The Indian Government last year announced the development of a cheap $10 laptop, but it was later rectified to a $100 laptop. Now the government has announced that HRD minister Arjun Singh will unveil the prototype of a Rs. 500 ($10) computer. The computer is developed by the Indian Institute of Science (IISc), Bangalore, and Indian Institute of Technology (IIT), Chennai. No specifications were revealed but DNA, a daily newspaper, has mentioned that it will be small and portable, will feature Wi-Fi, LAN, and expandable memory, and will operate on 2 watts of power."



We're watching you!

http://www.killerstartups.com/Web20/congressspacebook-com-transparent-lawmaking

CongressSpacebook.com - Transparent Lawmaking

http://www.congressspacebook.com

Lawmaking has always been on the shady side of things. Luckily for us non-politician folks, the internet has been striving to make things more transparent, and now there’s Congressspacebook.com.

The site aims to make things easier for us to understand, keeping a close eye on all of our elected officials. You can search for officials by state, name, or position, making it easy to find the person you want to keep an eye on. The site’s design is simple enough to make the content stand out, so you won’t get lost in too many over-the-top designs. Each member profile is filled with very interesting information, and profiles are updated every time there are new things to report. [Not really. They still show Ken Salazar as a Senator. Bob]

It’s amazing to see how good this can be to everyone, as both lawmakers and regular folk will be able to benefit from government transparency. If you feel transparency is good for American politics, then you must check out Congressspacebook.com.



This immediately brought an old joke to mind. A friend asked if I would pour a bottle of Jack Daniel's over his grave. I promised I would even filter it through my kidneys first. (Ta dum bum)

http://news.slashdot.org/article.pl?sid=09%2F01%2F30%2F0329218&from=rss

Power In Scotland From Tides and Whiskey

Posted by timothy on Friday January 30, @06:17AM from the plus-the-spinning-corpse-of-william-wallace dept. Earth Power Technology

… And reader Mike writes

"Here's something to raise a glass to: recently the Rothes consortium of whiskey and scotch distillers announced that they have partnered with Helius Energy to install a power plant fueled entirely by whiskey by-products. The completed plant will use biomass cogeneration to convert draff and pot ale from the distillery into 7.2 MW of electricity — enough to power 9,000 homes."
