Wednesday, November 25, 2009

The joy spreads. Perhaps companies (their lawyers?) are realizing that “compliant” does not mean “secure.” In any case (no pun intended), suits like these could further swamp the courts.

http://www.databreaches.net/?p=8408

Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit

November 24, 2009 by admin Filed under Breach Incidents, Hack, ID Theft, Of Note, U.S.

There’s been a lot of coverage of the lawsuits against Heartland Payment Systems, a payment processor fined by both Visa and Mastercard for not being PCI-DSS compliant. Now a class-action lawsuit by seven restaurants claims that dozens of restaurants may have become victims of card fraud because systems provided to the restaurants by Radiant Systems and its Louisiana distributor, Computer World Inc., were not PCI-DSS compliant.

According to a statement provided to DataBreaches.net by Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit, the plaintiffs “do not have any exact numbers from the Secret Service but have been told that it is believed that dozens of restaurants as well as some hotels were victims of security breaches.”

Seven restaurants in Louisiana and Mississippi are named as plaintiffs in the lawsuit, including a Best Western, Mel’s Diner, Sammy’s Grill, Crawfish Town USA, Jone’s Creek Cafe, Don’s Seafood, and Picante’s Mexican Grill. In a separate but related lawsuit, On the Half Shell and Boudreaux’s and Thibodeaux’s sued Radiant Systems and Computer World in April.

Keith Bond, owner of Mel’s Diner in Broussard, Louisiana says that he purchased the “Aloha” system in 2007. In the spring of 2008, one of the restaurant’s servers noticed a problem that the mouse seemed to be moving around out of their control. According to Bond, they called Computer World, who told them to disconnect their internet connection and that they would send someone out the next day. When the service tech examined the system, he reportedly removed and replaced the hard drive, but was “vague” about what was wrong with the system, reassuring them that the problem was now resolved. Less than one month later, the restaurant received letters from Visa and Mastercard that they had been breached, were being fined, and were required to arrange for a forensic audit with an approved auditor. According to Bond, Visa fined them $5,000 and debited the money from their account immediately. Mastercard fined them $100,000 but waived the fine. [Visa fined the restaurant? First time I've heard that. Bob]

Bond says that 669 of his customers were affected by the breach, although he never heard any complaints [“No illegal use of this data has been reported.” Bob] from any of them and only knew of the breach because of Visa and Mastercard contacting him. Other restaurants involved in the lawsuit were reportedly not as lucky. Bond says that Sammy’s Grill had 45,000 customers whose cards were compromised over a three-year period, and that he knows of 19 businesses who had similar breaches while using the Aloha system. He suspects that there are many more restaurants who also experienced breaches of a similar nature.

In a press release from the plaintiffs, Radiant Systems and Computer World Inc. are accused of having directly contributed to the breach by providing products that were not PCI-DSS compliant. [If they were certified compliant, do they automatically win the lawsuit? Bob]

1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.

Bond claims that in his case, when Secure Metrics performed the forensic audit, they discovered that the system had previously been installed as Sorano’s Salsa Company’s system. It’s not clear whether any personal or financial data were still accessible, but it was clear that the system was not new. Bond says that pcAnywhere came installed on his system so that Computer World could remotely access the system to service it. But as with every Computer World installation for every Aloha customer, Computer World allegedly used the default password, and all 200 installations used the same password, “computer.” According to Bond, the Secret Service discovered that a Romanian hacker had accessed all of the computers using the system and common password and installed keyloggers to capture the card data.

The plaintiffs also claim that “Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant, but the restaurants were unaware of these warnings at the time they purchased the Aloha system.”

The plaintiffs are seeking damages to cover all of the expenses they incurred.

Both Radiant Systems and Computer World were contacted for a response to the press release issued yesterday by the plaintiffs. C. York Craig, III, of the law firm representing Computer World, Forman Perry Watkins Krutz & Tardy LLP, sent the following statement:

Computer World, through its New Orleans attorney, Joseph B. Morton, III of Forman Perry Watkins Krutz & Tardy LLP, denied the assertions of the plaintiffs. Morton stated, “We prefer to handle these matters in the proper forum. Computer World is confident that when all of the evidence is examined in a court of law, it will be established that Computer World fulfilled its contractual obligations, appropriately installed/monitored the POS hardware and software, complied with all government requirements and was very responsive to the needs of its clients.”

As of the time of this posting, Radiant Systems did not reply to DataBreaches.net’s inquiry. Bond says that a motion by Radiant Systems to break up the class action lawsuit was dismissed by a judge yesterday, and that the lawsuit has been allowed to go forward as a class-action lawsuit.

Bond informs DataBreaches.net that as a result of the breach, another one of the plaintiffs gave up on using credit cards altogether rather than incur the costs of a forensic audit and fines by Visa and Mastercard. [Good for them! Bob] As for Bond himself, after incurring $19,000 in forensic audit fees, several thousand dollars in fees for an IT consultant to implement the auditor’s recommendations, $20,000 in chargebacks, attorney fees, miscellaneous fees, and $5,000 in fines from Visa, Mel’s Diner has gone back to using dial-up.



When you know (not just suspect, know) someone has hacked your system, shouldn't your review be AT LEAST as thorough as a “routine” review?

http://www.databreaches.net/?p=8451

Cobra.com hack exposed customer card data for 9,000

November 24, 2009 by admin Filed under Breach Incidents

Almost five months after a security breach was first discovered, lawyers for Cobra Electronics Corporation notified the New Hampshire Attorney General’s Office that its web site at www.cobra.com had been hacked and customer card data might have been accessed.

According to the letter from David E. Teitelbaum of Sidley Austin, Cobra was alerted to a problem on June 14. Subsequent investigation determined that the server had been hacked on June 14. The site was totally offline from June 23 until July 3 while the company addressed the security issues. But according to the notification:

Although the intruder apparently used the Cobra.com site to attempt to download malicious software to customer computers, Cobra did not believe at the time that the intruder had access to any Cobra files containing personally identifiable information, such as cardholder information.

During a routine security review in late September, [Apparently their “Incident Review” did not rise to the level of a “routine” review, even though they knew they had been hacked! Really poor management! Bob] however, the company realized that there were unencrypted card numbers in archival files on the server at the time of the intrusion. A subsequent forensic examination concluded that there was no access to the data between June 16 and October 2, but the examiners were unable to determine if there had been any access between June 14 and June 16 because the web host could not provide the relevant hard drives. [What caused them to destroy evidence? Bob] As a result, Cobra decided to notify 9,000 customers whose unencrypted card numbers were on the server at the time of the intrusion or whose unencrypted card numbers were entered after the intruder was shut out but before all data on the server were fully encrypted. The notifications include all customers who made purchases via the web site between November 18, 2007 and September 30, 2009.

Cobra offered affected customers free credit monitoring services and created an FAQ on the breach at http://www.cobra.com/creditcardquestions



Even criminals can learn to be more efficient.

http://www.databreaches.net/?p=8456

The Year Of The Mega Data Breach

November 24, 2009 by admin Filed under Commentaries and Analyses, Of Note

Andy Greenberg reports:

Glance at 2009’s data breach statistics, and you might think the IT world had scored a rare win in the endless struggle against cybercrime.

According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of Nov. 17, on track to show a 50% drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting.

But the decrease in data breaches is deceptive. In fact, the number of personal records that were exposed–data like Social Security numbers, medical records and credit card information tied to an individual–that hackers exposed has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That represents the largest collection of lost data on record. And the majority of 2009’s data loss stems from a single source: credit card processing firm Heartland Payment Systems.

Read more on Forbes.



Something tipped the scales here, forcing(?) the hospital to act. I wonder what happened? (The liability must be huge!) Nothing on either Google or Yahoo news search.

http://www.phiprivacy.net/?p=1534

TX: Hospital District Employees Fired for Violation

By Dissent, November 25, 2009 8:56 am

Andrea Watkins reports:

A major breach in patient privacy at the Harris County Hospital District has caused 16 employees to lose their jobs.

Melinda Muse, a hospital district spokeswoman, says the employees were fired because of HIPAA violations.

[...]

HCHD says it will not confirm specific details on the privacy breach, but it released the following statement:

“The Harris County Hospital District, in all circumstances, is guided by the best interests of our patients, especially in matters of patients’ protected health information, and our policies that protect our patients’ privacy are always vigorously enforced. Actions by the hospital district were the result of steadfast diligence performed in the best interests of our patients.”

The hospital district has not specified the patient or patients affected by the privacy violation.

Maybe one of the patients who receives notification of the breach will provide more detail. It sounds like a snooping situation, but we’ll have to wait and see.

Source: MyFoxHouston



An example of domestic wiretapping? Who had this data (before WikiLeaks I mean) and do they also have SMS messages, emails, voice mails, etc?

http://www.pogowasright.org/?p=5734

WikiLeaks releases 573.000 pager intercepts from 9/11 2001

November 25, 2009 by Dissent Filed under Breaches, Other

From Wikileaks.org:

From 3AM on Wednesday November 25, 2009, until 3AM the following day (US east coast time), WikiLeaks will release over half a million US national text pager intercepts.

The intercepts cover a 24 hour period surrounding the September 11, 2001 attacks in New York and Washington.

To foster a deeper understanding, the messages will be released to the global community “live”. That is, the first message, corresponding to 3AM September 11, 2001, five hours before the first attack, will be released at 3AM November 25, 2009 and the last, corresponding to 3AM September 12, 2001 at 3AM November 26, 2009.

To follow the release, please visit http://911.wikileaks.org



Not so fast, RIAA... Perhaps there is hope!

http://torrentfreak.com/european-commission-no-3-strikes-without-judicial-oversight-091124/

European Commission: No 3 Strikes Without Judicial Oversight

Written by enigmax on November 24, 2009

The European Commission has issued a warning to the Spanish government that any plan to disconnect file-sharers from the Internet without involving a judge would create conflict with the EU. This statement could also throw the three-strikes plans of the UK government and the Irish ISP Eircom into serious doubt.


(Related) Poor description of the problem. Sounds like they would be unable to bill their customers if true.

http://yro.slashdot.org/story/09/11/24/2025212/UK-File-Sharing-Laws-Unenforceable-On-Mobile-Networks?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

UK File-Sharing Laws Unenforceable On Mobile Networks

Posted by kdawson on Tuesday November 24, @04:42PM from the p2p-ringtones dept.

superglaze writes

"UK mobile broadband providers currently have no way of telling which subscribers are file-sharing which copyrighted content, ZDNet UK reports. This represents something of a problem for new laws that have been proposed to crack down on unlawful file-sharing. According to the article, databases (tracking IP address mappings) could be built to make it possible to identify what specific users are downloading, but the industry is loath to fund this sort of project itself. Also, as an analyst points out in the piece, users of prepaid phone cards are mostly anonymous in the UK, which creates another challenge for the government's plans. And if that isn't enough, connection-sharing apps like JoikuBoost would make identification pretty much impossible anyway."



The guy did act strangely, but there is no flexibility any more – guilty until proven innocent.

http://www.pogowasright.org/?p=5729

UK jails schizophrenic for refusal to decrypt files

November 24, 2009 by Dissent Filed under Court, Non-U.S., Surveillance

Chris Williams reports:

The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record.

His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer files.

The 33-year-old man, originally from London, is currently held at a secure mental health unit after being sectioned while serving his sentence at Winchester Prison.

Read more on The Register.

[From the article:

He was arrested on 15 September 2008 by officers from the Metropolitan Police's elite Counter-Terrorism Command (CTC), when entering the UK from France. Sniffer dogs at Gare du Nord in Paris detected his Estes model rocket, which was still in its packaging and did not have an engine. [What exactly did the dogs detect? Bob]

… In his final police interview, CTC officers suggested JFL's refusal to decrypt the files or give them his keys would lead to suspicion he was a terrorist or paedophile.

"There could be child pornography, there could be bomb-making recipes," said one detective.

"Unless you tell us we're never gonna know... What is anybody gonna think?"



This would be funny if it wasn't pathetic.

http://www.databreaches.net/?p=8466

How many computers were stolen from your school district?

November 24, 2009 by admin Filed under Breach Incidents

Okay, I don’t know if this is some kind of dysrecord, but in an AP story on a Detroit teacher accused of pawning one of the district’s laptops, it says:

More than 500 district computers have been stolen over the past six months.

I wonder what the numbers are like in other major urban school districts. Anyone know?



None of these are new. If Gartner is correct, they are at that point on the learning curve where adoption starts to go vertical.

http://www.bespacific.com/mt/archives/022871.html

November 24, 2009

Gartner Identifies the Top 10 Strategic Technologies for 2010

News release: "Gartner, Inc. analysts highlighted the top 10 technologies and trends that will be strategic for most organizations in 2010... Gartner defines a strategic technology as one with the potential for significant impact on the enterprise in the next three years. Factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt. These technologies impact the organization's long-term plans, programs and initiatives. They may be strategic because they have matured to broad market use or because they enable strategic advantage from early adoption."

[In brief:

Cloud Computing

Advanced Analytics

Client Computing

IT for Green

Reshaping the Data Center

Social Computing

Security – Activity Monitoring

Flash Memory

Virtualization for Availability

Mobile Applications



Interesting stuff for us military history buffs.

http://www.dailymail.co.uk/sciencetech/article-1230025/Google-Earth-Second-World-War-Amazing-aerial-images-taken-daring-Allies-revealed-Hitlers-weapons.html?ITO=1490

From Colditz to D-Day: Amazing aerial images taken by daring Allied pilots on secret missions during World War II

By David Wilkes Last updated at 9:53 AM on 23rd November 2009



Got movies? For the Website students too...

http://www.makeuseof.com/tag/media-cope-an-all-in-one-media-player-cutter-converter/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Media Cope – An All In One Media Player, Cutter & Converter

Nov. 24th, 2009 By Varun Kashyap

We have covered plenty of audio/video tools in the past, from mp3 joiner to video transcoding tools. If you are an avid user of such tools, you will have a nice, albeit a little lengthy, collection in your start menu. Well here is one tool that can make that list a little shorter.

It is an all in one media player solution and lets you play audio & video files, cut them according to your needs or transcode them to other formats. In addition you get a photo cutter, resizer and much more. In short, it’s as complete a media package as you’re likely to get. It is called Media Cope.
