Thursday, November 26, 2009

Looks like this one is a much larger can of worms than I thought.

http://www.databreaches.net/?p=8475

Risky business: Remote Desktop opened the door for Aloha hackers

November 25, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Of Note, U.S.

When nine restaurants in Louisiana and Mississippi filed lawsuits against Radiant Systems and its Louisiana distributor, they may have represented only the tip of a substantial iceberg of hacks affecting restaurants that used Radiant Systems’ Aloha POS system. It seems that the scope of the problem is first coming to the public’s attention approximately one and a half years after the hacking incidents started. [Yesterday's article mentioned a three year period. Bob]

Breaches in Other Parts of the Country

During a two-month period in late 2008, a Spicy Pickle franchise in Michigan was hacked and 150 customers’ card data were stolen and misused. The franchise closed in June 2009, reportedly unable to recover from the loss of customer confidence after the breach. At around the same time in 2008, Ted’s Cafe Escondido in Oklahoma also reported being hacked. Although both breaches were reported at the time on PogoWasRight.org, the POS system they were using was not reported in the media. Unbeknownst to me at the time, a forum member on FoodService.com commented on both breaches by noting both restaurants used the Aloha system. There was no indication in the forum member’s report, however, as to whether the restaurants had removed any remote access software that was suspected of creating the vulnerability to hacks or whether the restaurants had used commercial grade firewalls.

Hacks Started in Early 2008

Also flying completely under my radar at the time, in December 2008, WKZO News reported this about the Spicy Pickle hack:

Co-owner Terry Henderson says the FBI’s been investigating fraud cases across the country for seven months and they were just the latest victims. [Do they warn anyone? Bob]

“There’s a similar thread to all of it and it keeps leading to one particular software manufacturer,” says Henderson, adding that he’s not at liberty to say which manufacturer that is. [Some kind of gag order? Bob] “It’s a popular software that’s used by thousands of restaurants throughout the country.”

Continuing to work backwards to see what else I had missed, I found that in August 2008, WAFB and the Associated Press had reported that a rash of hacks involving Louisiana restaurants began in March 2008. And although Aloha’s name did not appear in any media reports on affected restaurants, when the Secret Service met with Louisiana restauranteurs in August 2008, they may have specifically mentioned the Aloha system. Another poster on the FoodServices.com forum wrote on August 19, 2008:

I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana (sic) Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative (sic) from Visa. During the meeting it was presented that the 15 breaches occured (sic) were all Aloha POS systems. It was stated that the hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a “sniffer” program that would capture credit card data on the Local LAN (ie private network).

So it seems as if suspicions about Aloha were being raised over a year ago but were not specifically mentioned in media coverage.

Radiant’s Response

In August 2008, within days of the Secret Service and Visa representatives meeting with Louisiana restauranteurs, Aloha sent a data security alert to its customers. The alert said, in part:

Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data. Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.

The alert then provided specific steps Aloha clients should take to configure their systems securely including:

  • Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to support the site.

  • Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites.

Alternative measures were described for those who chose to leave remote access tools enabled.
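The alert describes two distinct weaknesses: Remote Desktop left enabled on BOH servers and POS terminals that do not need it, and one shared support username and password across every site. The fleet-audit script below is an added example of how an operator could check an inventory for both conditions; it is not Radiant's code or part of the article, and the inventory records and their field names are constructed for this illustration.

```python
from collections import defaultdict
import hashlib

# Constructed inventory of per-site remote-access settings (sample data only;
# the sites, hosts and field names are assumptions made for this example).
INVENTORY = [
    {"site": "site-A", "host": "boh-01", "role": "BOH server",
     "rdp_enabled": True, "rdp_used_for_support": False,
     "support_user": "support", "support_password": "aloha123"},
    {"site": "site-B", "host": "boh-01", "role": "BOH server",
     "rdp_enabled": True, "rdp_used_for_support": True,
     "support_user": "support", "support_password": "aloha123"},
    {"site": "site-C", "host": "term-03", "role": "POS terminal",
     "rdp_enabled": True, "rdp_used_for_support": False,
     "support_user": "support", "support_password": "aloha123"},
    {"site": "site-D", "host": "boh-01", "role": "BOH server",
     "rdp_enabled": False, "rdp_used_for_support": False,
     "support_user": "svc-d", "support_password": "Q7#unique"},
]


def credential_fingerprint(user, password):
    """Hash the credential pair so the report can group on it without
    carrying the secret itself."""
    return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()[:12]


def audit(inventory):
    """Return a list of (site, host, finding) tuples for the two
    weaknesses named in the alert."""
    findings = []
    # Weakness 1: Remote Desktop enabled on a host that is not supported
    # through it. The alert's guidance is to disable it there.
    for h in inventory:
        if h["rdp_enabled"] and not h["rdp_used_for_support"]:
            findings.append((h["site"], h["host"],
                             f"Remote Desktop enabled on {h['role']} but not "
                             "used for support; disable it"))
    # Weakness 2: the same support credential reused across sites, which
    # turns one leaked password into access to every site.
    sites_by_cred = defaultdict(set)
    for h in inventory:
        fp = credential_fingerprint(h["support_user"], h["support_password"])
        sites_by_cred[fp].add(h["site"])
    for h in inventory:
        fp = credential_fingerprint(h["support_user"], h["support_password"])
        others = sites_by_cred[fp] - {h["site"]}
        if others:
            findings.append((h["site"], h["host"],
                             f"support credential {fp} shared with "
                             f"{len(others)} other site(s); issue unique per-site credentials"))
    return findings
```

Running `audit(INVENTORY)` on the constructed records flags site-A and site-C for unused Remote Desktop and sites A, B and C for the shared credential, while site-D is clean.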

Their alert may well have prevented more restaurants from being hacked, but may be small comfort to the allegedly many restaurants who had already suffered hacks resulting in lost business, fines by Visa and Mastercard, and the cost of forensic audits and IT consultants. Whether the juries will agree with the restaurant-plaintiffs or with Radiant Systems remains to be seen, but it would seem that some jurors are in for a real earful on security. [Anyone need an expert? Bob]



Some interesting “statistics” for those who lose hard drives...

http://www.databreaches.net/?p=8511

Update: BCBS of Tennessee to start sending notifications

November 25, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Theft

John Commins updates us on the Tennessee BlueCross BlueShield breach:

BlueCross BlueShield of Tennessee is readying a Nov. 30 mass mailing to some of its 3.1 million customers in the Volunteer State who may have had their Social Security numbers and other private data compromised after an Oct. 2 hard drive theft at a remote training facility in Chattanooga.

“It’s going to be a progression of mailings, with those who would be most at risk receiving the first mailings, depending upon how many people had a Social Security number compromised,” says BCBST spokeswoman Mary Thompson.

[...]

Meanwhile, local, state, and federal law enforcement officials have been called in to investigate the Oct. 2 theft of three 3.5″ X 10″ hard drives, which were physically removed from server racks on computers inside a data storage closet at a training center located in a strip mall. [Not your typical “grab the laptop and run” – sounds like they knew what they wanted. Bob]

“We were using the information on those drives for training purposes. [Training with live data? Very inefficient. Bob] We were auditing [Wait! We weren't training, we were auditing. Bob] our [customer service representatives] to ensure that they were delivering the correct information and servicing providers correctly and using it for training [Wait! No, yes, we were using it to train after all. Bob] of new CSRs,” Thompson says.

[...]

In the past several weeks, Thompson says BCBST has had as many as 800 people—including employees from a private security company—working at any given time on the arduous task of analyzing more than 300,000 screen shots and about 50,000 hours of audio data to identify potential breaches.

Read more on Health Leaders Media.

Is anyone else confused by the reference to three hard drives? Earlier reports talked about 57 hard drives and then 68.



“Hey, you gotta pay for law school somehow!” An interesting flaw (loophole? Bug?) in the legal system. Some simple (Hacking 101) tools gather IP addresses, the court orders the ISP to disclose the owner of that IP address, lawyers send a mass mailing and some (significant?) percentage settle. Like SPAM, but you get to wear a wig.

http://torrentfreak.com/30000-internet-users-to-receive-file-sharing-cash-demands-091125/

30,000 Internet Users to Receive File-Sharing Cash Demands

Written by enigmax on November 25, 2009

As many as 25,000 BT and 5,000 customers of other ISPs will be receiving shock letters demanding big payments during the coming weeks. Lawyers in the UK have been granted more court orders which force ISPs to hand over the details of individuals who they say have been monitored sharing hardcore pornography. [No evidence required? Bob]

For regular readers of TorrentFreak, this fresh news can hardly come as a surprise. The supposed anti-piracy scheme originally pioneered in the UK in conjunction with lawyers Davenport Lyons rolls on, but now in the hands of ACS:Law and their partners DigiProtect.

Although there is an insistence that the project is aimed at reducing piracy, in reality piracy is the scheme’s lifeblood, providing healthy profits for all concerned, except the original rightsholders that is. [What could the copyright holders do? Bob]



The difference between apologizing and attacking: In an attack, Google would have highlighted this picture and made the authors the subject of ridicule. Instead, they have allowed the Streisand Syndrome free rein to 'encourage' more users to view the images without hearing why anyone might find it offensive. Yes, it is offensive and stupid, but inevitable. “Failure to spank” just encourages the idiots.

http://news.slashdot.org/story/09/11/26/0311249/Google-Apologizes-For-Michelle-Obama-Results?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Google Apologizes For "Michelle Obama" Results

Posted by samzenpus on Thursday November 26, @04:00AM from the was-that-wrong? dept.

theodp writes

"CNN reports that for most of the past week, when someone did a Google image search for 'Michelle Obama,' one of the first images that came up was a picture of the First Lady altered to resemble a monkey. After being hit with a firestorm of criticism over the episode, Google first banned the site that posted the photo, saying it could spread malware. Then, when the image appeared on another site, Google displayed the photo in its search results, but displayed an apologetic Google ad above it. On Wednesday morning, the racially offensive image appeared to have been removed from any Google Image searches for 'Michelle Obama.' Google officials could not immediately be reached for comment."



Is this truly a better idea? How will it be funded?

http://www.bespacific.com/mt/archives/022881.html

November 25, 2009

New York Review of Books: Google and the New Digital Future

Follow up to previous postings on Google Book Search (GBS), Google and the New Digital Future, Robert Darnton is Carl H. Pforzheimer University Professor at Harvard

  • "...The digitizing, open-access distribution, and preservation of orphan works could be done by a nonprofit organization such as the Internet Archive, a nonprofit group that was built as a digital library of texts, images, and archived Web pages. In order to avoid conflict with interests in the current commercial market, the database would include only books in the public domain and orphan works. Its time span would increase as copyrights expired, and it could include an opt-in provision for rightsholders of books that are in copyright but out of print. The work need not be done in haste. At the rate of a million books a year, we would have a great library, free and accessible to everyone, within a decade. And the job would be done right, with none of the missing pages, botched images, faulty editions, omitted artwork, censoring, and misconceived cataloging that mar Google's enterprise. Bibliographers—who appear to play little or no part in Google's enterprise—would direct operations along with computer engineers. Librarians would cooperate with both in order to assure the preservation of the books, another weak point in GBS, because Google is not committed to maintaining its corpus, and digitized texts easily degrade or become inaccessible." [Quite the opposite, actually. Bob]



For the Online Reference Library

http://www.makeuseof.com/tag/the-incredible-guide-to-ubuntu-karmic-koala-linux-pdf/

The Incredible Guide to NEW Ubuntu (Karmic Koala) [PDF]

Nov. 25th, 2009 By Simon Slangen

… In the past we published A Newbie’s Getting Started Guide to Linux, aimed at making you familiar with the most basic Linux principles.

… We teamed up with Guvnr.com to create the Ubuntu Karmic Koala Bible – a guide that’s both great for Linux initiates, and invariably useful for Linux intermediates. With over fifty pages of copy-paste tutorials, this guide belongs in the virtual library of every Linux user!

… Don’t waste any time, download the Ubuntu Karmic Koala Bible now in PDF, or read it online on Scribd!



For the Swiss Army folder

http://download.cnet.com/8301-2007_4-10405343-12.html?part=rss&subj=news&tag=2547-1_3-0-20

Big changes in Security Starter Kit 2010

by Seth Rosenblat November 25, 2009 3:51 PM PST

… To help you during these tough economic times, we've refreshed the Download.com Security Starter Kit for 2010. Although nothing can replace common-sense browsing, this collection of freeware security tools will help you protect new machines and old from pernicious threats,
