Tuesday, September 21, 2010

Word is getting out to Crooks-R-Us that this is both easy and profitable.


Julie’s Place hack: an all-too-familiar story by now

September 20, 2010 by admin

This breach was first reported earlier this month, but I seem to have missed it:

About 100 people found out over the last couple weeks that someone else had accessed their bank account, taking their money and leaving them stunned.


After being flooded with reports of fraud, the Leon County Sheriff’s Office began to investigate and found that the computer system at the restaurant Julie’s Place had been hacked and someone, somewhere had full access.

Read more on WCTV.

In follow-up coverage today in the Tallahassee Democrat, the owner reportedly claims that he was told that the breach involved an Aloha POS-specific malware:

The company that provided the Aloha card terminal also found evidence of where the intruder got past the system’s firewall and was able to remotely access the terminal and steal the customers’ information.

“They found malware that was specifically for this Aloha system,” he said of the technicians’ evaluation. Since then, he has had the entire system changed out and security features upgraded to prevent a recurrence.

Radiant Systems’ Response

DataBreaches.net contacted Radiant Systems, manufacturers of the Aloha POS systems, about the statement that the malware was “Aloha-specific” in any way. Ernie Floyd, Director of Data Security and Compliance for Radiant stated that there was no unusual or Aloha-specific malware, and that as in other cases, when cybercriminals find systems with remote access software in listening mode, they then probe for the presence of payment applications that would indicate that card data might be available. If they find it, they then upload the malware to scrape the card data. In the case of Julie’s Place, Floyd said that the system had PCAnywhere in listening mode and no commercial-grade firewall. [PCAnywhere “enables one computer to remotely control and access another computer, establishing a one-to-one connection,” according to the manufacturer, Symantec. Bob]

Floyd says that although it was not available at the time of this particular breach, the company has developed a two-factor authentication tool for support services. [“We could have protected this computer, but we didn't bother...” Bob] According to him, the firm and its resellers have really been trying to educate restaurateurs that having PA-DSS validated software is simply not sufficient if there is no commercial-grade software or if the rest of the environment is in shambles.
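The pattern Floyd describes, a remote-access listener reachable from the Internet with nothing in front of it, is visible in a store's own firewall logs long before card data leaves. As an added illustration (not code from DataBreaches.net, Radiant or Symantec), the Python below scans accepted inbound connections for well-known remote-access ports and reports any source outside an assumed store allowlist; the log line format and the sample lines are constructed, and the pcAnywhere ports 5631/5632 are its published defaults.

```python
"""Flag remote-access listeners reached from outside the store network."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: simplified iptables-style ACCEPT lines for a POS host
# (assumed format; a real LOG line carries more fields between SRC and DPT).
SAMPLE_LOG = """\
Sep 20 01:12:03 pos1 kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=192.168.1.20 PROTO=TCP DPT=5631
Sep 20 01:12:09 pos1 kernel: ACCEPT IN=eth0 SRC=192.168.1.7 DST=192.168.1.20 PROTO=TCP DPT=5631
Sep 20 01:13:40 pos1 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=UDP DPT=5632
Sep 20 01:14:01 pos1 kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=192.168.1.20 PROTO=TCP DPT=443
"""

# Ports of common remote-control tools; pcAnywhere listens on TCP 5631 (data)
# and UDP 5632 (status). RDP and VNC are included for completeness.
REMOTE_ACCESS_PORTS = {
    ("TCP", 5631): "pcAnywhere data",
    ("UDP", 5632): "pcAnywhere status",
    ("TCP", 3389): "RDP",
    ("TCP", 5900): "VNC",
}

# Assumed: only the store LAN (and a support host inside it) may reach these.
ALLOWED_SOURCES = [ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def find_exposed_remote_access(log_text, allowed=ALLOWED_SOURCES):
    """Return one finding per accepted remote-access connection from a
    source that is not inside any allowed network."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        service = REMOTE_ACCESS_PORTS.get((proto, dport))
        if service is None:
            continue  # not a remote-control port; ordinary traffic
        if any(ip_address(src) in net for net in allowed):
            continue  # expected internal/support access
        findings.append({"src": src, "dst": dst, "port": dport, "service": service})
    return findings


if __name__ == "__main__":
    for f in find_exposed_remote_access(SAMPLE_LOG):
        print(f"{f['service']} on {f['dst']}:{f['port']} reached from {f['src']}")
```

Two of the four sample lines are flagged: the external hits on 5631 and 5632; the LAN source and the HTTPS connection are not.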

Breaches in the Hospitality Sector Are Up

Floyd also confirmed my impression that breaches in the hospitality sector are up this year. At a Visa symposium in June, attendees were reportedly informed that although Q1 was a slow quarter in terms of breach reports, Q2 was more active than any quarter in 2009. A Trustwave SpiderLabs representative also reported that by August, they had already conducted more post-breach forensic evaluations than they had for the entire year in 2009. Trustwave SpiderLabs typically handles about half of all forensic evaluations in the hospitality sector.

Symptoms of another Heartland-type breach? Without broader geographic coverage, it's impossible to tell.


NE: Lincoln police investigating credit card number theft

September 20, 2010 by admin

Cory Matteson reports that customers at three banks have been victims of fraud, but it is not clear whether the fraud is linked to recent arrests of two individuals or is unconnected:

Officer Katie Flood said the purchases — often ordered from far-flung places such as Hong Kong — were made with debit and credit card numbers acquired from account holders at Cornhusker Bank, Pinnacle Bank and West Gate Bank. … How the numbers were obtained is unknown, Flood said Monday. She said it appeared some type of database had been breached.

Whether the unauthorized purchases were connected with two Lincoln residents arrested last week and suspected of stealing credit card numbers to make unauthorized online purchases is unknown, Flood said.


A probable cause affidavit for Kipf’s arrest said police were allowed by Nguyen to search a laptop computer found in Kipf’s hotel room. The affidavit says a folder on the computer’s hard drive holds the names of 26 people, along with their addresses, phone numbers, credit card or debit numbers and three-digit security codes.

Read more in the Lincoln Journal Star. I expect we’ll see more on whether this is one breach incident or more.

“We don't bother to review our attack ads...”


Dems include West social security number in flier, call it ‘oversight’

September 20, 2010 by Dissent

George Bennett reports:

The Florida Democratic Party today said it made an “oversight” when it included Republican congressional challenger Allen West’s Social Security number in an attack mailer.

West, who is challenging U.S. Rep. Ron Klein, D-Boca Raton, in a nationally watched race, called the mailer “an unprecedented new low in American politics.”

Read more in the Palm Beach Post.

[From the article:

The lien notice was pulled from public records in Indiana and is reproduced in the mailer with West's wife's name removed and his address blacked out. But his Social Security number is visible in a column that says "Identifying Number."

...now if everyone brings a gift... Failure to understand the technology has consequences.


Teen sends Facebook invite to 15; 21,000 reply

The Telegraph has been friendly enough to reveal the Facebook faux-pas performed by the teen. She decided to hold a birthday party at her mom's house and mom kindly said she could invite 15 of her closest companions.

Being almost 15, what other forum could she possibly have considered than Facebook? So she created a nice little event page and waited, no doubt expectantly, for everyone to say "yes." Unfortunately, the everyone she envisaged seemed to comprise, well, everyone. At least 21,000 people reportedly said they were coming, before she realized that she had invited the whole world. Or at least the whole Facebook world, which is more or less the same thing.

… Now, the police in the small town of Harpenden (population 30,000) are reportedly going to have to guard her neighborhood on October 7, the fatefully festive day in question.

Her mom told the Telegraph: "She did not realize that she was creating a public event... She is going to have to change her mobile phone SIM card because of the number of calls she has been getting about it."

(Related) Secret changes to how Facebook works can't help but confuse users...


Facebook Has Quietly Implemented A De-Facto Follow Feature

… Previously, you could either Confirm or Ignore (deny) a request. Now, Ignore has been replaced by “Not Now”. This new option takes some of the pressure off you having to reject people as it instead moves them into a state of limbo, where they’re neither accepted nor rejected. But it actually does a lot more as well.

You see, when someone requests to be your friend on Facebook, this automatically subscribes them to all of your public (“Everyone”) posts in their News Feed. Facebook doesn’t talk about this much, but it’s a very real feature, which we reported on in July of last year. You see these posts until this person rejects you (because obviously if they accept you as a friend, you’ll keep seeing them). So with this new Not Now button, and the removal of the simple rejection mechanism, Facebook has basically created a de-facto follow feature.

Perhaps we could learn from the EU?


Privacy Key Obstacle to Adopting Electronic Health Records, Study Finds

By Dissent, September 20, 2010

The United States could achieve significant health care savings if it achieved widespread adoption of electronic health records (EHRs), but insufficient privacy protections are hindering public acceptance of the EHR concept, according to a new paper from researchers from North Carolina State University. The paper outlines steps that could be taken to boost privacy and promote the use of EHRs.

Read more on Science Daily. The article cites Dr. David Baumer, head of the business management department at NC State and co-author of the paper:

However, a lack of public support related to privacy concerns has hindered its progress. And Baumer says that those concerns are not entirely unwarranted. For example, there is some evidence showing that EHRs can facilitate identity theft. But EHRs have become prevalent in the European Union, which has significantly more stringent privacy protections and whose citizens feel more comfortable with the EHR concept.

“We are moving in the right direction in regard to putting better privacy protections in place, but we have a long way to go,” Baumer says. And that lack of privacy protection is hindering the adoption of EHRs.

Note that what Dr. Baumer is saying is more consistent with what I have maintained than what Eric Demers suggested. The latter treated privacy concerns somewhat dismissively, in my opinion.

The paper is “Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared,” and is co-authored by Janine Hiller and Matthew McMullen of Virginia Tech and Wade Chumney of Georgia Tech. The paper will be published in a forthcoming issue of Boston University Journal of Science and Technology Law.



Europe Proposes International Internet Treaty

Posted by Soulskill on Monday September 20, @12:28PM

"Europe has proposed an Internet Treaty to protect the Internet from the political interference which threatens to break it up. The draft international law has been compared to the 1967 Outer Space Treaty, which sought to prevent space exploration being pursued for anything less than the benefit of all human kind. The Internet Treaty would similarly seek to preserve the Internet as a global system of free communication that transcends national borders." [Net Neutrality? Bob]

Do you have Privacy in your professional life? Should you be able to contest/correct your rating like you can a credit score?


Disgruntled Lawyer Drops Libel Claim, Sues Website Over Privacy

September 20, 2010 by Dissent

Daniel Fisher writes:

Florida attorney Larry Joe Davis didn’t like his listing on Avvo.com, a website that purports to rate lawyers according to a proprietary scale. He rates 3.7 out of 10 and has a “caution” warning because he was disciplined by the Florida Bar in 2007 over a matter involving failure to pay child support.

First Davis sued Avvo for libel in late August. Now he’s filed an amended complaint that drops the libel charges but unleashes a litany of complaints that would be familiar to anybody who resents being put on public display without his permission on the Internet.

Read more on Forbes.

[From the article:

It also accuses Avvo of manipulating his score based on whether he is willing to engage with the site, a common complaint against sites that rate businesses.

When Davis logged on to the site to eliminate the reference to employment law and remove any other details, he says, his rating plunged to 1. Since nothing had happened in his professional life, he says, that’s evidence that Avvo is misleading consumers.

… His main complaint, it seems, is that he can’t simply remove his listing from the site.

“If you build it, they will come!” For my Ethical Hackers


September 20, 2010

Guidelines for Smart Grid Cyber Security: Privacy and the Smart Grid

Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. The Smart Grid Interoperability Panel – Cyber Security Working Group, August 2010

  • "The Smart Grid brings with it many new data collection, communication, and information sharing capabilities related to energy usage, and these technologies in turn introduce concerns about privacy. Privacy relates to individuals. Four dimensions of privacy are considered:

  • (1) personal information—any information relating to an individual, who can be identified, directly or indirectly, by that information and in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, locational or social identity;

  • (2) personal privacy—the right to control the integrity of one’s own body;

  • (3) behavioral privacy—the right of individuals to make their own choices about what they do and to keep certain personal behaviors from being shared with others; and

  • (4) personal communications privacy—the right to communicate without undue surveillance, monitoring, or censorship."

Just hacking into a system won't get you a passing grade in the Ethical Hacker class. After all, anyone can do that...


23% of university students have hacked into an IT system

September 21, 2010 by admin

A good education is so important.

Carrie Ann-Skinner reports:

Nearly a quarter (23 percent) of university students have successfully hacked into IT systems, says Tufin Technologies.

Research by the security firm revealed that of those that successfully hacked into a system, 40 percent were over 18.

While 84 percent of students surveyed said they knew hacking was wrong, nearly a third (32 percent) said it was also ‘cool’ and, worryingly, 28 percent said they found it easy to hack into an IT system.

Read more on PC Advisor.

Somehow I can't picture Mr. Chips monitoring Twitter to find new words...


My BFF just told me “TTYL” is in the dictionary. LMAO.

cloud computing n. the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

For my Business Continuity class – a new risk category and an illustration of infrastructure fragility.


Hunters Shot Down Google Fiber

Posted by Soulskill on Tuesday September 21, @05:12AM

"Google has revealed that aerial fiber links to its data center in Oregon were 'regularly' shot down by hunters, forcing the company to put its cables underground. Hunters were reportedly trying to hit insulators on electricity distribution poles, which also hosted aerially-deployed fiber connected to Google's $600 million data center in The Dalles. 'I have yet to see them actually hit the insulator, [...and we used to be a nation of sharpshooters. Bob] but they regularly shoot down the fibre,' Google's network engineering manager Vijay Gill told a conference in Australia. 'Every November when hunting season starts invariably we know that the fiber will be shot down, so much so that we are now building an underground path [for it].'"

Dilbert illustrates “Marketing over Technology”

