Thursday, September 16, 2010

So it wasn't “several” restaurants. What else have they got wrong? Why so long to figure out what was happening?

Update: Roseville credit-card fraud traced to one restaurant

September 15, 2010 by admin

Bill Lindelof reports:

Hundreds of local cases in which thieves have collected credit-card numbers and used them to fraudulently make purchases have been traced to customers who frequented one Roseville restaurant, police said today.

Roseville police said that hundreds of credit-card numbers were compromised at Paul Martin’s American Bistro.

Read more on the Sacramento Bee.

It seems that law enforcement is walking back on their previous statement that they believed that the breach was not at the restaurant itself (see this earlier blog entry).

[From the article:

… The cyber criminals who perpetrated the fraudulent credit-card activity are not known and could be operating anywhere in the world, police said.

The crooks were able to access the restaurant's credit-card processing system and steal credit-card numbers, which were then sold to other criminals and used to make purchases, police said.

… The earliest of the cases under investigation appears to date back to March, Dee Dee Gunther, police spokeswoman, said last week.

Should I have my Computer Security students design security for the school and should my Ethical Hackers try to break it?

Are colleges and universities at greater risk of data breaches?

September 15, 2010 by admin

John Cox discusses the recent report by Application Security, mentioned previously on this site.

A database security vendor says colleges and universities need to do more to secure their databases against break-ins.

Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The company, based in New York City, specializes in database security and has two main products: DbProtect, an application for database security, risk and compliance; and AppDetectivePro, which automatically discovers all database applications on a company’s network and evaluates their security.

The data in its report, “An Examination of Data Breaches at Higher Education Institutions,” highlights increasing data-loss incidents at colleges and universities. But it doesn’t clearly distinguish between the business market as a whole and the higher education sub-market, and it does little to put the higher education breaches into context.

Cox offers a number of other criticisms of the report. You can read it all on NetworkWorld.

In the meantime, while folks analyze breaches at the uni level, I’ve seen almost nothing on breaches at the k-12 level. School districts compile a tremendous amount of sensitive information on both students and their families, and I would guess that there have been many many breaches but we just don’t know about them. Even scarier: do the districts even know that they’ve been breached?

No surprise. Each technology added must go through the same learning curve, no matter how similar to earlier technologies.

Could Chat Transcripts Be Security Minefields?

By Dissent, September 15, 2010

I usually link to Evan Schuman’s wonderful articles, but this one is particularly relevant to this site. Evan writes:

When Rite-Aid and Walgreens both announced pharmacist chat programs last month, they were the latest chains to try and use chat to get closer to their customers. But, ironically, the preservation of chat discussions of super-sensitive patient medical history may prove a very serious threat to security.

It’s ironic because both chains are taking substantial steps to secure the access to confidential patient data, but neither is specifying steps to protect transcripts of that very same data. Imagine forcing call center employees to comply with all PCI rules regarding not preserving prohibited payment card data and then allowing them to write down all of that data in plain-text files that are then transmitted to consumers (who are unlikely to protect them) and saved in the chain’s files.

Read more on StorefrontBacktalk.

This can't be important. Stealing logins is so easy, even a caveman can do it.

Large collection of stolen logins go public

September 15, 2010 by admin

Christopher Boyd blogs:

Below is a rather bland FarmVille phish that was brought to my attention by a friend who had it posted to their Facebook account. The entire page is blank save for the fake login.

Nothing spectacular, I’m sure you’ll agree. However, we did a little digging around on the same URL and came across a large collection of what the site claims are stolen Facebook logins dating from July right up to today.

Read more on SunbeltBlog. Note that in a comment, it says that this has been reported to Facebook and all those affected are having their passwords reset. Of course, in light of the new malware going around with the subject line that “Your Facebook Password has been reset,” this could be a recipe for more problems.

Today seems like “Bash Facebook” day. Or perhaps that's an everyday thing now...

Facebook the Most Dangerous Social Tool For Businesses

Posted by samzenpus on Wednesday September 15, @05:32PM

"According to a recent study Facebook is by far the most popular and most dangerous social media tool among small-to-medium-sized businesses, with 69 percent of respondents reporting that they have active accounts with this site, followed by Twitter, YouTube, and LinkedIn. Facebook is also the top culprit for malware infections and privacy violations, e.g. the leaking of sensitive company information. YouTube took the second spot for malware infection, while Twitter contributed to a significant number of privacy violations. For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred, followed by Twitter, YouTube, and LinkedIn."

(Related) Another “Privacy enhancement” for Facebook?

Bing could get access to anonymized Facebook data

September 15, 2010 by Dissent

Emil Protalinski writes:

Microsoft and Facebook are in talks to further strengthen their search partnership, possibly resulting in Bing gaining access to anonymized data generated by Facebook users to better personalize its search results, [Why do I find “anonymous personalization” an oxymoron? Bob] according to anonymous sources cited by All Things Digital. Microsoft would be able to use the information from Facebook’s Like buttons, which the social giant has managed to have plastered all over the Web.

When a user likes a webpage, their Facebook friends are notified; if this deal goes through, Microsoft would also be able to know which webpages users are appreciating, and would be able to work that into Bing’s algorithms (it could be particularly useful for Bing News), instead of just relying on spiders scouring the Internet. With Facebook’s 500 million users, such a deal could give it quite a boost over Google, which presumably would be excluded from the data. The sources did point out an important hurdle though: because of Facebook’s many privacy issues, the possible expansion of the search relationship would only be able to encompass information which users have already agreed to make public.

Read more on Ars Technica.

(Related) Perhaps they'll add a “Like” button for the ambulance that comes to cut you out of your car?

General Motors Boosts OnStar to Challenge Sync

After watching Ford dominate the in-car connectivity market with Sync, General Motors is fighting back with a slew of new features for OnStar in a push it calls “responsible connectivity.”

OnStar will roll out a long list of improvements, including Pandora online radio, Stitcher podcasts and wi-fi. Down the road, we could see voice-activated Facebook, texting and iPod control so you can stay connected while keeping your hands firmly planted at 10 and 2.

(Related) “All your plates belong to us” Maybe they don't have all the data from DMVs around the country, but it will be interesting to see if drivers with “road rage” will follow the email trail to Facebook, then get your address, then show up at your front door to “discuss” your driving skills. “Like putting a cookie on a car”

September 15, 2010 by Dissent

Tom Simonite reports:

Next time you’re stuck in traffic, take a look at the license plates on the cars around you. To a user of–which launches today–each one is like an email address that can be used to contact the owner, whether to tell them a rear light is out or that you like their bumper sticker.

“To send a message you just need to specify state and plate,” Bump’s VP of technology John Albers-Mead told me at the DEMO conference in Santa Clara, California, where the La Jolla, California, firm will launch this afternoon.

“It allows us to track users, it’s like putting a cookie on a car,” says Albers-Mead, likening his technology to the small files used to track web users and offer functionality like autologins online. Once connected up to Bump’s tech, a camera at a store or drive-in burger joint could, for example, show menu choices similar to those you’ve selected before. That extra data could be valuable to store owners, Bump says, who could also make use of the messaging functions.

Read more on Technology Review.

[From the article:

Anyone that has registered their license plate can pick up those messages while an upcoming smartphone app--initially for iPhone but later Android too--will use image recognition to make sending messages easier. When using it you simply snap a photo of a license plate after which it is processed in the cloud to direct your message appropriately. Initially you have to specify a plate to contact manually, or using an automated call-in service.

… But the firm also says that being able to recognize license plates and message a car's owner has the potential to be of serious interest to businesses.

“If we build it, they will come – and find many ways to misuse it!”

Intel CTO Says Future Phones Will Sense Your Mood

Posted by samzenpus on Wednesday September 15, @10:03PM

"Ultra-smartphones that react to your moods and televisions that can tell it's you who's watching are in your future as Intel Corp's top technology guru sets his sights on context-aware computing. Chief technology officer Justin Rattner stuffed sensors down his socks at the annual Intel Developer Forum in San Francisco on Wednesday to demonstrate how personal devices will one day offer advice that goes way beyond local restaurants and new songs to download. 'How can we change the relationship so we think of these devices not as devices but as assistants or even companions?' he asked." [Or perhaps stalkers and harassers? Bob]

I summarize...

12 reasons why we're losing the identity theft battle (and why you should care)

1. Zero Liability has made consumers feel they have nothing to lose.

2. Law enforcement lacks the resources to handle ID theft cases.

3. Consumers think we're winning the battle.

4. Organized crime gave cybercrime and identity theft a whole new lease of life.

5. Financial institutions need to talk to their customers about identity theft.

6. The small business community is still ignoring its security responsibilities.

7. Thieves are emboldened because they know they're unlikely to be caught.

8. Consumers are still not protecting their computers or changing their habits.

9. Check verification still has too many loopholes.

10. Many banks are not using all the authentication and verification options available because they think more security challenges will annoy customers.

11. Consumers are giving away too much personal information on social networking.

12. Businesses and consumers are becoming indifferent to data breaches.

...because students got no rights!

ACLU-PA settles cell phone search suit against school district

September 15, 2010 by Dissent

The American Civil Liberties Union of Pennsylvania announced today that it has settled a lawsuit filed in May alleging that the Tunkhannock Area School District (Wyoming County) illegally searched a student’s cell phone, punished her for storing semi-nude pictures of herself on the device, and then referred her case for criminal prosecution to the district attorney’s office. Under the settlement, the school district denied any liability or wrongdoing but agreed to pay the student and her lawyers $33,000 to resolve the dispute. The student’s claims against the District Attorney’s Office were not settled and will proceed through litigation.

The case began in January 2009 when a teacher confiscated the cell phone of N.N., a 17-year-old senior, for using the phone after homeroom began, a violation of school policy. Later that morning, the principal informed N.N. that he had found “explicit” photos stored on her cell phone, which he turned over to law enforcement. He then gave her a three day out-of-school suspension, which she served.

The photographs, which were not visible on the screen and required multiple steps to locate, were taken on the device’s built-in camera and were never circulated to other students in the school. N.N. appeared fully covered in most of the photographs, although several showed her naked breasts and one indistinct image showed her standing upright while fully naked. The photographs were intended to be seen only by N.N.’s long-time boyfriend and herself.

The ACLU-PA hoped to use this case to help alert school officials across Pennsylvania to students’ privacy rights in their cell phones. Very little case law exists discussing student-cell-phone searches. While the settlement forecloses a court ruling, the case has led the ACLU-PA to contact the Pennsylvania School Boards Association (PSBA), which this week agreed to work with the ACLU towards crafting guidelines for teachers and school officials to help them better handle situations involving student cell phones and other electronic devices without unlawfully invading student privacy. Walczak noted that the goal was to prevent future violations of students’ constitutional rights.

The lawsuit, filed in the U.S. District Court for the Middle District of Pennsylvania, will continue against former DA George Skumanick, who threatened to prosecute N.N.; Police Detective David Ide, who investigated and viewed the images; and Jeff Mitchell, the current Wyoming County District Attorney.

N.N. is represented by Walczak and Valerie Burch from the ACLU of Pennsylvania. The case is N.N. v. Tunkhannock Area School District et al., 10-cv-01080-ARC.

Source: ACLU of PA.

Related: Complaint (pdf)

How to avoid surveillance? Could they claim the camera was installed by a peeping tom?

Carlisle man destroyed CCTV camera spying on his home

A man who objected to a CCTV camera keeping watch on his bedroom window from the house opposite appeared before a judge – for stealing the camera and throwing it in a river.

The camera had been installed in the empty house opposite Christian Lord’s home in Welsh Road, Harraby, Carlisle.

He and his girlfriend didn’t like the 24-hour monitoring of their movements, so he broke in and removed it.

Prosecuting counsel Jonathan Dickinson told the court it was unclear who had installed the camera, or why, although it was thought Lord’s landlords – a housing association – were responsible.

“There is no dispute that the CCTV looked out solely upon the property occupied by Mr Lord and his girlfriend,” he said.

… “He was not aware of its purpose, but he was very concerned about where it was pointing. It appeared to be pointing at his front bedroom.”

For certain values of “Best?”

September 15, 2010

US News: Best Lawyers, Best Law Firms 2010

"U.S. News and Best Lawyers, the leading survey of lawyers worldwide, have joined to rank nearly 9,000 firms in 81 practice areas in 171 metropolitan areas and 7 states.

What a concept! Dilbert has inspired me to go back through my blog and put all my comments into book form! Oh, wait...
