Wednesday, June 09, 2010

Our theme today seems to be failure to take basic security measures...


This should be embarrassing, but I doubt their customers will even notice.

http://www.databreaches.net/?p=12090

FTC Approves Final Settlement Order with Dave & Busters

June 8, 2010 by admin

Following a public comment period, the Federal Trade Commission has approved a final settlement order with entertainment operation Dave & Busters. The final order settles charges that the company failed to secure customers’ sensitive credit and debit card information, resulting in several hundred thousand dollars in fraudulent charges.

The FTC vote approving the final order was 4-0, with Commissioner Edith Ramirez not participating. (FTC File No. 0823153; the staff contact is Katrina Blodgett, Bureau of Consumer Protection, 202-326-3158. See press release dated March 25, 2010 at http://www.ftc.gov/opa/2010/03/davebusters.shtm.)

Source: FTC

[From the release:

Specifically, it failed to:

  • Take sufficient measures to detect and prevent unauthorized access to the network.

  • Adequately restrict outside access to the network, including access by Dave & Buster’s service providers.

  • Monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization.

  • Use readily available security measures to limit access to its computer networks through wireless access points.]



Billionaire Mayors have a different financial perspective...

http://www.databreaches.net/?p=12081

Crooks Steal $644,000 from NYC Department of Education

June 8, 2010 by admin

Michael Cheek reports:

Hackers have defrauded the New York City’s Department of Education of more than $644,000 by targeting an online bank account used to manage petty cash expenditures, according to investigators.

The Department of Education’s bank account with JPMorgan Chase was supposed to have a $500 limit but, due to an oversight, any amount of funds could be transferred. The cyber criminals were able to carry out the crime for 3 years because the DOE failed to reconcile its accounts on a regular basis. [A simple “Management Control” that no one bothered with. Bob]

“It is difficult to understand how the DOE accumulated years of account statements, reflecting hundreds of thousands of public dollars spent to pay bills, but did not review them,” the report, which was written by Special Commissioner of Investigation for the New York City School District, stated. “A cursory examination would have shown that the charges were not normal school expenses.”

Albert Attoh, who spearheaded the theft, was sentenced in April to 364 days in federal prison and ordered to pay more than $275,000 in restitution after pleading guilty to bank larceny. Attoh provided the routing and account information to others in exchange for cash.

Read the report here

The report explains the “oversight” mentioned above as to why there was no limit on transfers:

In interviews with DOE officials, SCI investigators learned that the DOE account used to perpetrate the fraud was one of two SIPP accounts at Chase which covered the entire DOE school system and it was limited to purchases of less than $500. However, there was no limit to the amount of money that could be used to pay bills by an EFT, because the DOE had not blocked the use of EFT from any DOE bank accounts, some of which had been established before EFT existed.

DOE officials explained that the fraudulent transfers dated back to October 2003, began with relatively small amounts, increased significantly starting in November 2004, and continued until the discovery of the fraud in February 2007. At that time, DOE officials blocked the use of EFT on the two accounts. DOE officials said that the SIPP accounts were not reconciled on a monthly basis, but when they were, the DOE employees who conducted the reconciliation believed the charges were legitimate. The SIPP accounts were subsequently moved from Chase to the NYC DOF.

In interviews with Chase officials, SCI investigators learned that, although there was a $500 limit for purchases from the account, there was no amount limit for an EFT and, because the DOE had not blocked the use of EFT, any amount could be electronically debited from the account. Chase officials acknowledged that, at the time the account was opened in 1990, EFT was not in existence. A Chase official said that the bank would be able to go back 60 days and recover approximately $130,000 debited from the DOE account.

The report also notes:

This is not the first time that SCI has found serious lapses in fiscal oversight within the DOE. Just last year, SCI reported substantiated findings about a clerk assigned to the unit then known as the Division of Assessment and Accountability who was able to steal more than $60,000 because no one looked at statements which reflected that he made thousands of dollars worth of personal purchases, including flying his family around the world. Last month, SCI issued another report which pointed out the lack of financial oversight in a number of DOE schools.

NYC DOE security grade: FAIL.

Anyone care to hazard a guess how often the employee and student databases may have been breached without the NYC DOE ever discovering it?
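The control the report says nobody performed is a monthly reconciliation of the bank statement against what the school actually approved, with the $500 cap checked on every debit rather than only on card purchases. Added example, not code from the SCI report or the blog post; the statement lines, ledger entries, dates and amounts are constructed:

```python
"""Minimal monthly reconciliation of a petty-cash account: flag any statement
debit that has no matching approved ledger entry, and any debit above the
stated limit regardless of channel (the bank enforced the cap on purchases
but not on EFTs). Constructed data; not the DOE's real figures."""
from dataclasses import dataclass

PURCHASE_LIMIT = 500.00  # the account's stated per-purchase cap (constructed)

# Constructed statement lines: (date, channel, amount, payee)
STATEMENT = [
    ("2004-11-03", "PURCHASE", 212.40, "Office supply store"),
    ("2004-11-09", "EFT", 4_850.00, "Unknown payee A"),
    ("2004-11-17", "PURCHASE", 48.00, "Postage"),
    ("2004-11-22", "EFT", 9_200.00, "Unknown payee B"),
]
# Constructed ledger of expenditures the school actually approved: (date, amount)
LEDGER = {("2004-11-03", 212.40), ("2004-11-17", 48.00)}


@dataclass
class Finding:
    date: str
    amount: float
    reason: str


def reconcile(statement, ledger, limit=PURCHASE_LIMIT):
    """Return one Finding per problem: an unmatched debit, or a debit over the
    limit. A single line can produce both findings."""
    findings = []
    for date, channel, amount, payee in statement:
        if (date, amount) not in ledger:
            findings.append(Finding(date, amount, f"unmatched {channel} to {payee}"))
        if amount > limit:
            findings.append(Finding(date, amount, f"{channel} exceeds ${limit:,.0f} limit"))
    return findings


def unmatched_total(findings):
    """Sum of debits with no approved ledger entry, i.e. the exposure this month."""
    return round(sum(f.amount for f in findings if f.reason.startswith("unmatched")), 2)


if __name__ == "__main__":
    found = reconcile(STATEMENT, LEDGER)
    for f in found:
        print(f"{f.date} ${f.amount:>9,.2f}  {f.reason}")
    print("unmatched total:", unmatched_total(found))
```

Run monthly, this would have surfaced the first out-of-pattern EFT rather than three years of them.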


(Related)

http://www.databreaches.net/?p=12086

Another Small Company Takes a Financial Hit on the Cyber Chin

June 8, 2010 by admin

Matthew Gardiner writes:

Similar to the case of Hillary Machinery that I previously blogged about, another small company, DKG Enterprises, has recently taken a nearly $100K hit from cyber thieves. Very simply the thieves stole the corporate controller’s banking credentials, fraudulently transferred money to multiple mules, and voila, goodbye $100K. The headline of the KrebsonSecurity article that describes the case appears to blame Windows and its vulnerabilities for the breach since the company typically used Macs. While using a Mac versus a Windows PC to do sensitive transactions like transferring money for DKG and similar organizations may be reasonable advice for the short-term, we really need to address the bigger security problem and to do that, we need to first agree that the user (and his Web access machine) is not to blame.

Read more on CA Community.



If I use an open wifi connection at the local library, don't I “intercept” the same data? Otherwise I wouldn't know which packets belong to me rather than the guy sitting next to me.

http://www.pogowasright.org/?p=10972

Former Prosecutor: Google Wi-Fi Snafu ‘Likely’ Illegal

June 8, 2010 by Dissent

David Kravets reports:

Google “likely” breached a U.S. federal criminal statute in connection with its accidental Wi-Fi sniffing — but not for siphoning private data from internet surfers using unsecured networks, a former federal prosecutor said Tuesday.

Ironically, says former prosecutor Paul Ohm, it’s likely Google did not violate wiretap regulations, but instead might have breached the Pen Register and Trap and Traces Device Act for intercepting the metadata and address information alongside the content.

“I think it’s likely they committed a criminal misdemeanor of the Pen Register and Trap and Traces Device Act,” said Ohm, a prosecutor from 2001 to 2005 in the Justice Department’s Computer Crime and Intellectual Property Section. “For every packet they intercepted, not only did they get the content, they also have your IP address and destination IP address that they intercepted. The e-mail message from you to somebody else, the ‘to’ and ‘from’ line is also intercepted.”

Read more on Threat Level.



You need to manage your lawsuits as well as your IT... Or better in this case.

http://www.philly.com/inquirer/local/20100608_Lower_Merion_s_legal_fees_near__1_million_in_webcam_case.html#axzz0qIrc9LSS

Lower Merion's legal fees near $1 million in webcam case

By John P. Martin Inquirer Staff Writer

Legal fees in the Lower Merion School District's webcam case are inching toward $1 million, a sum that could end up handed to local taxpayers.

A district spokesman on Monday disclosed that the bills to defend the use of the now-disabled laptop tracking system have grown to about $780,000.

At the same time, the lawyer whose lawsuit over the webcam monitoring drew worldwide attention disclosed in court papers that his fees - costs he is likely to ask Lower Merion to pay - were more than $148,000 and climbing.

And the district's insurance firm renewed its contention that it shouldn't have to foot the bill in the case.

… Who will pay the legal tab remains unclear. Attorneys for Lower Merion contend that the district's multimillion-dollar insurance policy covers Robbins' claim. But in its Monday filing, Graphic Arts contended the district had breached its policy by "unilaterally retaining counsel and incurring other obligations and expenses."


(Related) Not surprising; schools don't think about governance of IT either.

http://thejournal.com/articles/2010/06/07/lower-merion-seeks-outside-help-with-it-policies-in-wake-of-webcam-suit.aspx

Lower Merion Seeks Outside Help with IT Policies in Wake of Webcam Suit

By Dian Schaffhauser 06/07/10

The school district enmeshed in a lawsuit for using school laptops to capture images of students without their knowledge has just signed a $25,000 contract with SunGard Services to help with IT auditing and policy development. The school board for Lower Merion School District in Pennsylvania approved the emergency expenditure in May 2010 after reviewing a report from a national legal firm that investigated the district's use of a "theft tracking" Webcam feature.

"There are a number of policy requirements delineated in the recent court order the district received," said Superintendent Christopher McGinley during a board meeting. "In order to fulfill both requirements and to make certain we're taking appropriate considerations in terms of the state of the art in other school districts, we are asking the school board to approve the contract with a company that specializes in IT governance, so that our policies we'll be working on in the next couple of months are fully developed and complete before we turn them back to the board. This will involve a number of policies in the area of technology."



It's one way to attract new businesses to Spain...

http://yro.slashdot.org/story/10/06/08/2352223/Spanish-Judges-Liken-File-Sharing-To-Lending-Books?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Spanish Judges Liken File Sharing To Lending Books

Posted by kdawson on Wednesday June 09, @02:14AM

"A three-judge panel in the Provincial Court of Madrid has closed a case that has been running since 2005, ruling that the accused are not guilty of any copyright infringement on the grounds that their BitTorrent tracker did not distribute any copyrighted material, and they did not generate any profit from their site: '[t]he judges noted that all this takes place between many users all at once without any of them receiving any financial reward.' This implies that the judges are sympathetic to file sharers. The ruling essentially says that file sharing is the digital equivalent of lending or sharing books or other media. Maybe it's time for all them rowdy pirates to move to Spain."



How much do you want to bet that China's perspective will serve as a guide for US legislation?

http://www.bespacific.com/mt/archives/024438.html

June 08, 2010

China's cabinet published a white paper on the Internet in China

The Register: "The Chinese government has issued a white paper laying out current, and future, internet policy - and you might not recognise its view of internet use in that country. The paper warns: "Citizens are not allowed to infringe upon state, social and collective interests or the legitimate freedom and rights of other citizens. No organization or individual may utilize telecommunication networks to engage in activities that jeopardize state security, the public interest or the legitimate rights and interests of other people."..."China's 3G network covers the whole country. Of all internet users in China - 346 million use broadband and 233 million use mobile phones to access the net."

  • Full Text: The Internet in China, Information Office of the State Council of the People's Republic of China, Tuesday, June 8, 2010



For my Computer Security geeks. NOW CUT IT OUT!

http://www.makeuseof.com/tag/6-signs-cell-phone-tapped/

6 Possible Signs Your Cell Phone May Be Tapped



Looks like parts of this site are down at the moment, but what a concept!

http://www.makeuseof.com/tag/post-your-videos-to-your-blo/

Post Memorable Videos To Your Blog Where You’re the Star

… One awesome resource I discovered that can help to post your own videos to your blog is Oddcast Widgets.

Oddcast is a very cool technology that major brands have used to offer customers the ability to create viral videos that incorporate their own face. Saikat touched on this technology earlier when he wrote about Gizmoz. However, Oddcast takes the technology to a whole new level by allowing you to customize really funny videos with your own messages, or by integrating your own face into famous movie scenes, and letting you post your custom movie videos anywhere online.



Let's see if my Statistics students can figure this one out...

http://tech.slashdot.org/story/10/06/08/2158202/2-In-3-Misunderstand-Gas-Mileage-Heres-Why?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

2 In 3 Misunderstand Gas Mileage; Here's Why

Posted by kdawson on Tuesday June 08, @06:34PM

thecarchik sends in this piece, which was published last March but remains timely:

"OK, so here's a little test: Which saves more gasoline, going from 10 to 20 mpg, or going from 33 to 50 mpg? If you're like most Americans, you picked the second one. But, in fact, that's exactly backwards. Over any given mileage, replacing a 10-mpg vehicle with one that gets 20 mpg saves five times the gasoline that replacing a 33-mpg vehicle with one that gets 50 does. Last summer, Duke University's Fuqua School of Business released a study that shows how much damage comes from using MPG instead of consumption to measure how green a car is. Management professors Richard Larrick and Jack Soll's experiments proved that consumers thought fuel consumption was cut at an even rate as mileage increased."
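The arithmetic behind the quiz, worked through here as an added illustration (not part of the Slashdot piece): fuel consumed over a distance $D$ is $D/m$, so the saving from an mpg change is a difference of reciprocals, not a difference of mpg values.

```latex
F(m) = \frac{D}{m}, \qquad
\Delta F = D\left(\frac{1}{m_1} - \frac{1}{m_2}\right)

\text{10 to 20 mpg:}\quad
D\left(\frac{1}{10} - \frac{1}{20}\right) = \frac{D}{20} = 0.0500\,D

\text{33 to 50 mpg:}\quad
D\left(\frac{1}{33} - \frac{1}{50}\right) = \frac{17D}{1650} \approx 0.0103\,D

\frac{1/20}{17/1650} = \frac{1650}{340} \approx 4.85
```

The same 10-mpg step saves less and less fuel as the starting mpg rises, which is exactly the illusion the study describes.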
