Another processor breached!?
WBZ is reporting that hundreds of bank customers are starting their holiday weekend off without their debit cards after a breach at the bank’s card processor, Metavante, forced the Winthrop Federal Credit Union to deactivate some customers’ MasterCards. [Can they do that? Does that suggest they are liable? Bob] At least one case of fraud has already been tentatively linked to the breach.
No one was immediately available at Metavante to confirm or clarify the report and there is no statement on their web site. Metavante is listed as PCI-DSS compliant on MasterCard’s listing dated May 19. They are also listed as compliant by Visa as of their May 19th listing, and completed a review this year where TrustWave was the assessor.
This post will be updated as I find out more or as more is reported in the mainstream media.
[From the article:
While it was not a security breach, [Not a breach of their system? Bob] the Winthrop Federal Credit Union decided to freeze [Not “forced” as above Bob] a block of cards as a precaution, something that Metavante did not advise them to do.
… "Maybe overcompensate, but what we did was we restricted access on a larger block of cards," Clark said. "However, so far three cards have been compromised." [Have they panicked, or were they told the breach is larger that we see in this report. Bob]
… One woman, whose card was placed on hold, wrote into WBZ saying her card had $700 worth of fraudulent charges on it. She was told hundreds of accounts were affected. [Not three, as the Credit Union asserts? Who is lying? Bob]
[From a Related article:
… "The actual compromised cards have been identified and have resulted in zero dollar losses to the member's account. As a precaution, however, WFCU placed restricted access on a large block of cards to minimize the potential exposure to our debit card base," Winthrop Federal Credit Union said in a statement.
However, customers are questioning why, if only three customers had their accounts compromised, so many are having trouble with their cards. [Good question... Bob]
Local. Iron Mountain is gaining a reputation for sloppy work. Not sure if it is untrained employees or a corporate culture that accepts doing as little as possible.
No charges in document dump outside Boulder Kia dealership
Police don’t expect to charge anyone for leaving 10 recycling bins full of customers’ personal information outside of the now-defunct Anderson Kia dealership in Boulder.
Since the discovery of the documents Friday, investigators found that an operations director for Iron Mountain Auto Plex made arrangements with Compost Recycling to pick up the bins and shred all the records, Boulder police spokeswoman Sarah Huntley said.
Compost didn’t pick up the records right away, Huntley said, but will now destroy the documents.
Did they make the arrangements after the discovery of the files, or had they already made them before the discovery? How do you read this story?
Could this represent a new government strategy? No need to present embarrassing evidence or conclude the government was wrong, yet the case goes away! Brilliant!
Judge Takes Government to Task in Al-Haramain Spying Case
Saturday, May 23 2009 @ 05:22 AM EDT Contributed by: PrivacyNews
Today, United States District Court Chief Judge Vaughn Walker took the government to task for failing to obey his prior orders in Al-Haramain v. Obama (formerly known as Al-Haramain v. Bush), asking the government to explain why he should not sanction the government by holding that the plaintiffs win the warrantless wiretapping lawsuit.
... Judge Walker ordered the government to show cause as to "why, as a sanction for failing to obey the court’s orders" the government "should not be prohibited ... from opposing the liability" for spying without warrants and that the "court should not deem liability ... established and proceed to determine the amount of damages to be awarded to plaintiffs." A hearing is set for June 3, 2009 in the San Francisco federal court.
Source - EFF
Given that the physical process of printing and mailing takes only a couple of hours... How long is long enough? 48 hours is barely enough time to compose the letter, but is seven days too long?
Maine Requires Breach Notice within Seven Days of Go-Ahead from Law Enforcement
From the Privacy & Information Security Law Blog:
On May 19, Maine Governor John Baldacci signed legislation limiting the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation. The provision, which will take effect 90 days after the close of the Legislature’s 2009 session (scheduled to occur on June 17), will limit the permissible delay to seven business days.
High tech security or low tech crook? Looks like the latter... or maybe just nuts?
Phony SureWest employee pleads guilty to fraud
Friday, May 22 2009 @ 11:19 AM EDT Contributed by: PrivacyNews
Here's a breach where the company says that their security prevented PII from being compromised:
On his Facebook page, Roseville resident Preston Vandeburgh claimed to work “long hours at SureWest,” where he said he was an information security manager from June 2000 to the present.
But authorities say that was a lie – and that the 27-year-old, over a period of about six months, actually impersonated SureWest employees, so he could break into the company and take a credit card, access company computers, obtain confidential information and even take a company car – a Chevrolet Impala – out for a spin.
On Tuesday, Vandeburgh pleaded guilty in Placer County Superior Court to felony charges connected with the case.
SureWest Spokesman Ron Rogers said computer data access was limited.
“When this situation initially took place, we completed a detailed scan and inspection of our systems, specifically pertaining to all customer and employee data, and confirmed that SureWest’s state-of-the-art preventative security measures prohibited access to our systems,” he said. “No customer or employee information was accessed and there was no damage to our network. These security measures were also instrumental in helping lead police to the arrest.”
Source - Gold Country Media
[From the article:
The plea agreement reached with prosecutors comes five months after Roseville Police arrested Vandeburgh at a friend’s home.
SureWest officials had contacted the police when they detected someone using one of their computers at an address in the city, according to a news release from the Placer County District Attorney’s Office.
When police arrived, they found Vandeburgh using the computer, the release stated, as well as numerous SureWest items taken during a burglary.
[So he had one of their computers at a friend's home... Something suggests that he was delusional rather than trying to steal information. Bob]
For the “presumed guilty” file. Even if you assume the warrant was legitimate, would actions taken outside the scope of the warrant be worth a lawsuit?
Judge Rules Dorm Room Search for Evidence of Prank Email Illegal
Friday, May 22 2009 @ 02:42 PM EDT Contributed by: PrivacyNews
A justice of the Massachusetts Supreme Judicial Court has ordered police to return a laptop and other property seized from a Boston College computer science student's dorm room after finding there was no probable cause to search the room in the first place. The police were investigating whether the student sent hoax emails about another student.
The Electronic Frontier Foundation (EFF) and Boston law firm Fish and Richardson are representing the computer science student, who was forced to complete much of the final month of the semester without his computer and phone. Boston College also shut off the student's network access in the wake of the now-rejected search. [Any logic to that at all? Bob]
For the full order from Judge Botsford: http://www.eff.org/files/SJCcalixteorder.pdf
For more on this case: http://www.eff.org/deeplinks/2009/05/mass-sjc-tosses-calixte-warrant
For this release: http://www.eff.org/press/archives/2009/05/22
If true, this would be an interesting case study...
Deny This, Last.fm
by Michael Arrington on May 22, 2009
A couple of months ago Erick Schonfeld wrote a post titled “Did Last.fm Just Hand Over User Listening Data To the RIAA?” based on a source that has proved to be very reliable in the past. All hell broke loose shortly thereafter.
… Now we’ve located another source for the story, someone who’s very close to Last.fm. And it turns out Last.fm was telling the truth, sorta, when they said Erick’s story wasn’t correct.
Last.fm didn’t hand user data over to the RIAA. According to our source, it was their parent company, CBS, that did it.
… We believe CBS lied to us when they denied sending the data to the RIAA, and that they subsequently asked us to attribute the quote to Last.fm to make the statement defensible.
I'm sure this isn't company policy, but apparently the employees thought it was. Would this have changed if the cops had started arresting people for obstruction?
Verizon Tells Cops "Your Money Or Your Life"
Posted by Soulskill on Friday May 22, @07:23PM from the pay-it-forward dept.
"A 62-year-old man had a mental breakdown and ran off after grabbing several bottles of pills from his house. The cops asked Verizon to help trace the man using his cellphone, but Verizon refused, saying that they couldn't turn on his phone because he had an unpaid bill for $20. After an 11-hour search (during which time the sheriff's department was trying to figure out how to pay the bill), the man was found, unconscious. 'I was more concerned for the person's life,' Sheriff Dale Williams said. 'It would have been nice if Verizon would have turned on his phone for five or 10 minutes, just long enough to try and find the guy. But they would only turn it on if we agreed to pay $20 of the unpaid bill.' Score another win for the Verizon Customer Service team."
How to corner the market?
Mr. Bezos Goes To Washington
Posted by Soulskill on Saturday May 23, @08:14AM from the cloudy-weather dept.
"TechFlash takes a look at Amazon's evolving government cloud strategy, reporting that the company is quietly building an operation in the D.C. area ('Amazon Government Solutions') as it aims to become a key technology provider to federal and state governments and the US military. According to Input, the federal government market for cloud services is projected to grow to $800 million by 2013, and the state and local cloud market is expected to reach $635 million by that year."
For my Computer Security class
Pentagon Seeks a New Generation of Hackers
Posted by ScuttleMonkey on Friday May 22, @02:49PM from the just-give-them-places-to-play dept.
Hugh Pickens writes
"Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'"
“Does this mean ah won't get to be Gov-a-na?”
So. Carolina AG ordered to leave Craigslist alone
by Greg Sandoval May 22, 2009 3:01 PM PDT
… Craigslist has filed suit against McMaster, whose motivations were questioned in a story by The Associated Press. On Thursday, the AP reported that McMaster has never prosecuted a prostitution case in six years. Critics have said that if McMaster were serious about combating prostitution, he could start trying cases or at least go after newspapers and other classified publications that also offer the same kind of questionable content as Craigslist.
The problem with using an argument like this is that you are admitting you didn't notice (or ignored) the problem until now. Or maybe they just need to establish documentation for future use as an excuse?
Report: Faulty Communications Imperil President
The U.S. Secret Service is asking for $34 million to help upgrade its communication system, and says that without the money the president’s life could be in danger, according to a news report.
The agency says that its communication system is incompatible with the White House communication system, [“and we never noticed!” Bob] resulting in a “dangerous gap” that could “prevent the attainment of the performance target of 100 percent protection.”