Saturday, October 02, 2010

Interesting M.O. Were their procedures so weak it was easy for the bad guys to replace POS terminals or did they happen to have an ALDI T-shirt and therefore looked “official?” Either way, this is a big (geographically) crime.

(Update) ALDI breach reports mushroom, customers in 11 states affected

October 1, 2010 by admin

The breach involving ALDI grocery stores is apparently larger than earlier reports suggested as reports trickle in from Pittsburgh and other areas. The chain has updated its statement on its website today:

October 1, 2010

ALDI Inc. recently learned that, from approximately June 1, 2010 to August 31, 2010, tampered payment card terminals were illegally placed in some ALDI stores, enabling unauthorized individuals to fraudulently obtain payment card information from a limited number of our customers. [“Limited” to everyone who used a debit or credit card on these terminals... Bob] The tampered terminals were capable of capturing information such as name, card account number and PIN. We believe some terminals in a limited number of stores in the following areas may have been impacted:

Connecticut (limited to greater Hartford area)
Georgia (limited to greater Atlanta area)
Illinois (limited to greater Chicago area)
Indiana (limited to greater Indianapolis area)
New Jersey
New York (limited to greater Rochester area and Lower Hudson Valley)
North Carolina (limited to greater Charlotte and Raleigh areas)
Pennsylvania (limited to greater Pittsburgh and Philadelphia areas)
South Carolina (limited to greater Charlotte area)
Virginia (limited to greater Washington, D.C. area)


ALDI says that they are a leader in the international grocery retailing industry, serving Europe, the USA and Australia and that they have over 1,000 stores in 29 states, serving 18 million customers each month.

Perspective. If you have “covered up” your security breach, would you be surprised to learn your customers no longer trusted you?

Staring into the abyss: how many breaches go unreported?

October 1, 2010 by admin

While compiling data breach reports submitted to Maine a few months ago, one of the things I discovered (no pun intended), was that Discover submits batched reports to at least two states. Their reports indicate how many Discover card members are affected by the incidents, but their logs don’t provide much detail about the incidents themselves.

I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. For now, though, let’s start with what I found when I received one batch of their reports to NYS. Keep in mind as you read the summaries that we are only talking about the number of Discover card users affected by the incidents and for only two states. The numbers affected by each incident could be considerably higher, but since the entities themselves never filed breach reports with NYS or Maine, I have no additional information at this time.

[Details omitted Bob]

Taken together, these breach summaries from Discover to two states suggest that there are many reportable breaches that are not getting reported to states by the breached entities themselves. Based on what I obtained, I would estimate that as a crude guess, there might easily be 70 or more business/hospitality sector breaches each year where the entities have not filed breach reports as required by just these two states. And that’s just for those using Discover cards.

The fact that in at least some cases, breaches have seemingly remained undetected for long periods continues to be a concern. But who, if anyone, is working with Level 4 merchants to help them comply with breach reporting requirements after they do realize that they’ve had a breach?

This is where one uniform breach-reporting requirement and standardized form would be a boon, as it should promote greater compliance with reporting requirements. Of course, we need Congress to actually pass such a bill, but hey, one can always hope.

Is there any suggestion that this “collection” is random or even ubiquitous? Surely collection of everything at a crime scene would be okay, even without the criminal's “consent?”

Article: DNA Theft: Recognizing the Crime of Nonconsensual Genetic Collection and Testing

By Dissent, October 1, 2010

Elizabeth E. Joh of the U.C. Davis has an article in a forthcoming issue of the Boston University Law Review (Vol. 91, 2011). Here’s the abstract:

The fact that you leave genetic information behind on the discarded tissues, used coffee cups, and smoked cigarettes everywhere you go is generally of little consequence. The trouble arises when third parties are interested in retrieving this detritus of everyday life for the genetic information you’ve left behind. These third parties may be the police, and the regulation over their ability to collect this evidence is unclear. [Refuse has rights? Bob]

And the police aren’t the only people who are curious about your genetic information. Whether the victims are celebrities, private persons with secrets to keep, or just the targets of nosy third parties with bad intentions, if someone wants to collect and analyze another person’s DNA without consent, they can do so. Committing DNA theft is as easy as sending in a used tissue to a company contacted over the internet, and waiting for an analysis by email. A quick on-line search reveals many companies that offer “secret” or “discreet” DNA testing. The rapid proliferation of companies offering direct-to-consumer genetic testing at ever lower prices means that both the technology and motives exist for DNA theft.

Yet in nearly every American jurisdiction, DNA theft is not a crime. [Can you steal that which has been discarded? Bob] Rather, the nonconsensual collection and analysis of another person’s DNA is virtually unconstrained by law. This article explains how DNA theft poses a serious threat to genetic privacy and why it merits consideration as a distinct criminal offense.

You can download the full article on SSRN. Via the Markle Foundation, @tracyannkosa and @MarieAndreeW

Should a government have access to every citizen’s communications?

India rejects RIM’s encryption key suggestion

October 1, 2010 by Dissent

Ben Woods reports:

Indian authorities are unhappy with suggestions proposed by BlackBerry manufacturer Research In Motion in response to requests for access to encrypted device data, according to reports.

The Indian Economic Times suggested on Friday that Research In Motion’s (RIM) proposals were not satisfactory to the Department of Telecommunications (DoT). The proposals included DoT directly approaching enterprises to request encryption keys for the manufacturer’s smartphones.

In an internal memo seen by the newspaper, the Indian authorities noted that they were still unable to monitor or intercept email or instant messages sent through RIM’s encrypted BlackBerry Enterprise Server (BES).

Read more on ZDNet (UK)

(Related) Consider this a partial solution. At least my Computer Forensics students will be able to find more evidence...

BlackBerry's Encryption Hacked; Backups Now a Risk

Posted by Soulskill on Friday October 01, @12:51PM

"InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

“We like Behavioral Advertising but we're not sure what the rules should be.”

IAB retracts 48-hour retargeting cookie advice

October 1, 2010 by Dissent

Online advertising trade body the Interactive Advertising Bureau (IAB) has withdrawn a code of practice which recommended that behavioural advertising retargeting cookies should expire after 48 hours.

The IAB’s Affiliate Marketing Council (AMC) published the code last week. It applied to the practice of ‘retargeting’ web users who had visited a site with ads for that site on other people’s websites, using cookies to track their movements and activities.

The code of practice included some measures that were compulsory for IAB members involved in the practice, and some that were advisory.

That code has been withdrawn and will be reworked after further industry consultation, though, the IAB said. The code has disappeared from the IAB’s website.

Read more on

Related: Retargeting creates significant rise in search

Cyber-War? You have to admit, it is cheaper than sending in the bombers. And it has the virtue of being deniable...

Stuxnet Analysis Backs Iran-Israel Connection

Posted by Soulskill on Friday October 01, @06:32PM

"Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet were plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention."

Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).

I've gotta say something about this... The more sophisticated (read: complex) your algorithm, the more sophisticated your testing must be. This is highly accelerated economics, and the SEC rules that suspend or stop trading weren't ready for it.

SEC, CFTC blame algorithm for flash crash

WASHINGTON (MarketWatch) -- The Securities and Exchange Commission and Commodity Futures Trading Commission on Friday blamed two liquidity crises caused by a computer trading algorithm as the source of the “flash crash” on May 6 that rattled markets and investor confidence worldwide.

The report comes in the wake of the Dow Jones Industrial Average’s sudden drop of nearly 1,000 points on May 6. At one point that afternoon, the Dow dropped 481 points in six minutes and then had recovered 502 points just 10 minutes later.

Specifically, the report points to a large fundamental trader, which the report does not identify, that executed a large sell order using an automated execution algorithm at a time in the afternoon while the markets were already very stressed.

[The report is here:]

Dissecting The Flash Crash

A quick read of the report’s executive summary finds that the original sell algorithm only managed to sell about 35,000 E-Mini contracts (worth about $1.9 billion) of the 75,000 intended, but the flood of selling that the initial order sparked vastly overwhelmed demand until a trading pause was triggered at 2:45:28 p.m. on the Chicago Mercantile Exchange. When trading resumed five seconds later, the price of the E-Mini, and eventually the SPY, began to recover.

Tools for teachers? Competing with

How To Make Your Own Podcast For Free
