Tuesday, January 10, 2012


Take it a step further, would compliance with PCI-DSS provide proof of the breach or is that security worthless? I suspect that would get settled quickly...
The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach
January 9, 2012 by admin
There’s an interesting lawsuit to watch in Utah. The owner of Cisero’s in Park City is suing their payment processor and bank for deducting money from their account after card issuers fined them over an alleged breach of the restaurant’s system.
The case stems from a March 2008 incident. According to Cisero’s, Visa had notified them that they appeared to be the common point of compromise in a situation involving credit card fraud and that they needed to bring in forensic investigators. Two independent forensic investigations found that the restaurant had unknowingly stored credit card numbers, but there was no clear evidence of any actual breach. Despite the absence of confirmation of any breach that could account for customers’ fraudulent charges elsewhere, Visa ultimately fined U.S. Bank, the acquiring bank. Elavon, the payment processor, is a unit of U.S. Bank.
Thom Weidlich provides the background on the case on Bloomberg.
At issue here is the restaurateur’s claim that there was no evidence that they had been hacked, that Visa didn’t prove that there had been a compromise of their system that resulted in fraud, and that although they had unknowingly stored over 8,000 card numbers, that number was below the contractual threshold to trigger fines. The owners had been sued by Elavon for over $82,000 in fines that Visa and MasterCard had levied. The owners countersued in August.
“At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.
The owners also allege that U.S. Bank never provided any information or support to assist them in staying secure and PCI-DSS compliant, and that rules were unilaterally changed without notice or consent over time.
Some of their suit strikes me as buyer’s remorse. They signed a contract that permitted some of these things to occur. Was it a lousy contract? Probably. Were there documents that they weren’t even provided before they signed the contract? It seems so. But what it may boil down to is that they did sign a contract. So what part of the contract did the bank and processor actually breach? Their strongest arguments appear to be that they were not notified of the fine, as required by the contract, in time for them to file a timely appeal, and that Visa ascribed losses to a breach without justifying their numbers – particularly since there was no proof any breach had even occurred. I think their claim that the acquiring bank failed to provide them with information and support to remain compliant is also worth pursuing, but without the language of the contract to determine the bank’s contractual obligations to them, I’m not sure where that will go.
Visa is not a defendant in this lawsuit, but they are the elephant in the room.
You can read the payment processor’s lawsuit against the restaurant and the countersuit against the processor and acquiring bank, courtesy of Bloomberg. See what you think. Do you think they stand a chance of prevailing?


The problem with tit-for-tat is that it tends to escalate. Given time, either the Hatfields or the McCoys would have gone nuclear.
Israel’s hacker avengers: We’ve obtained Saudi credit card info
January 9, 2012 by admin
Aviel Magnezi reports:
The major credit card information leak, a by-product of the activities of the Saudi hacker who has been sneering over attempts to locate him, has not been ignored.
Israeli hackers who spoke to Ynet claimed on Monday that they have managed to lay their hands on the details of thousands of credit cards used on Saudi shopping websites. Ynet has confirmed the hackers’ reports. “If the leaks continue, we will cause severe damage to the privacy of Saudi citizens,” one of the Israeli hackers threatened.
Read more on ynet.
Yes, because we know two wrongs always make a right and turning innocent Saudi shoppers into potential fraud victims will really improve international relations, right?


Ubiquitous surveillance. Thank God I didn't have access to these when I was a kid...
App-Controlled RC Toys Make You Feel Like Ethan Hunt
… At CES Unveiled Sunday night, Interactive Toy Concepts showed off its new Wi-Spi line of video surveillance vehicles: an RC helicopter and RC race car that house a camera that delivers a live stream of video to your device. Both are controlled, as the name would imply, by Wi-Fi.


I don't see it as a big problem, but then I'm not getting $450 per hour...
By Dissent, January 9, 2012
Howard Anderson reports:
The federal government has issued streamlined standards for electronic funds transfers that a health plan uses to pay a claim, as well as for related electronic remittance advice. But despite the issuance of a new rule enacting the standards, it remains unclear under what circumstances the HIPAA privacy and security rules might apply to banks handling transactions, one compliance expert says.
Read more on HealthcareInfoSecurity. Hopefully the final rule will clarify this. If not, a lot of lawyers are going to be pulling their hair out [Translation: are going to be making a lot of money Bob] trying to sort this out.


For my Ethical Hackers
Smart meter SSL screw-up exposes punters’ TV habits
January 9, 2012 by Dissent
John Leyden reports:
White-hat hackers have exposed the privacy shortcomings of smart meter technology.
The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not only whether or not users happened to be at home and consuming electricity at the time but even what film they were watching, based on the fingerprint of power usage.
Read more on The Register.
[From the article:
During the talk, entitled, Smart Hacking for Privacy (YouTube video here), the researchers explained that they came across numerous security and privacy-related issues after signing up with the smart electricity meter service supplied by Discovergy.
… Because meter readings were sent in clear text, the researchers were able to intercept and send back forged (incorrect) meter readings back to Discovergy. [Cheap energy at last! Bob]
In addition, the researchers discovered that a complete historical record of users' meter usage was easily obtained from Discovergy's servers via an interface designed to provide access to usage for only the last three months. The meters supplied by the firm log power usage in two-second intervals. This fine-grained data was enough not only to determine what appliances a user was using over a period of time – thanks to the power signature of particular devices – but even which film they were watching.
They explained that the fluctuating brightness levels of a film or TV show when displayed on a plasma-screen or LCD TV created fluctuating power-consumption levels. This creates a power/consumption signature for a film that might be determined from the readings obtained by Discovergy's technology.
… More commentary on the presentation can be found in a blog post by Sophos here.
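As an added illustration (not code from the article, the researchers, or Discovergy), here is what authenticated meter readings look like: each message carries an HMAC over its contents and a per-meter sequence number, so the tampered and replayed readings described above are rejected at the server. The message format, meter id and key are assumptions constructed for the demo; a TLS-protected transport would still be the first-line fix, with this as defence in depth.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real meter would hold a per-device key provisioned
# at install time, never transmitted with the readings.
METER_KEY = b"constructed-demo-key-for-meter-0001"


def encode_reading(meter_id: str, seq: int, ts: int, watt_hours: int,
                   key: bytes = METER_KEY) -> bytes:
    """Serialise one reading and append an HMAC-SHA256 tag over the bytes.
    The sequence number is inside the authenticated payload, so a captured
    message cannot later be replayed as a fresh reading."""
    body = json.dumps({"meter": meter_id, "seq": seq, "ts": ts, "wh": watt_hours},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class ReadingVerifier:
    """Server-side check: valid tag and strictly increasing seq per meter."""

    def __init__(self, key: bytes = METER_KEY):
        self.key = key
        self.last_seq = {}  # meter id -> highest accepted sequence number

    def accept(self, message: bytes) -> Optional[dict]:
        body, sep, tag = message.rpartition(b"|")
        if not sep:
            return None  # malformed: no tag at all
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # contents changed after signing, or wrong key
        reading = json.loads(body)
        if reading["seq"] <= self.last_seq.get(reading["meter"], -1):
            return None  # replay of an old message
        self.last_seq[reading["meter"]] = reading["seq"]
        return reading


def tamper_consumption(message: bytes, new_wh: int) -> bytes:
    """Model the clear-text attack the article describes: rewrite the usage
    field of an intercepted message without the key (tag left as-is), to
    show the verifier refuses it."""
    body, _, tag = message.rpartition(b"|")
    reading = json.loads(body)
    reading["wh"] = new_wh
    new_body = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    return new_body + b"|" + tag
```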


Inevitable?
India Reports Completely Drug-Resistant TB


A list for my students (and fellow faculty) with a couple examples...
10 Free Software you should Download to have a Brilliant Year Online (Windows)
2. Backup Tool – Comodo Backup
Comodo Backup is a superior solution that lets you back up any files to a choice of destinations, including to CD or DVD, or online, and it can be as easy or as advanced as you want it to be.
4. Sandboxing - Sandboxie
The software can sandbox any application, which means running it in a secure and disposable section of your hard drive to prevent it making any permanent changes to your PC. You can download and even run malware in the sandbox and it won’t be able to infect your system.


Another resource for students...
Recently, Google has launched a new site – Good to Know – which contains useful tips that can help users make their stay on the Internet secure.


A day for resources...
Tuesday, January 10, 2012
Over the last couple of months Evernote has become my favorite tool for bookmarking websites and saving files. Evernote allows me to access my bookmarks and files from all of my devices whenever I'm connected to the Internet. I also like the tagging and sorting options that I have available to me in Evernote. Before using Evernote I used Google Bookmarks. While Google Bookmarks is good, Evernote's tagging and sorting options are much better.
Recently, I learned that Evernote has an education section in which they provide examples of Evernote being used by teachers and students. Through the Evernote for Education page you can access an hour-long webinar explaining how Evernote can be used by teachers and students.


For the students in my Modern Dance class...
Kinect Comes To Windows On February 1st
… They’ve been hinting at it, people have been hacking it, and they even released an SDK a little while back
… If you’re interested in contributing, check out the SDK, or if you just want to see what people have put together (there has really been some mind-blowing stuff over the last year), scroll through our Kinect tag.


Am I seeing money in Online Education?
Ampush Media Acquires One Of Bill Gates’ Favorite Education Startups, Academic Earth
Ampush Media, an online marketing startup, has acquired Academic Earth, an online education video site that’s sort of like a “Hulu for Education” and a Bill Gates-favorite. Financial terms of the deal were not disclosed.
As we’ve written in the past, Academic Earth is a user-friendly, curated platform for educational videos that allows anyone to freely access instruction from the scholars and guest lecturers at the leading academic universities. The site offers 350 full courses and over 5,000 total lectures from Yale, MIT, Harvard, Stanford, UC Berkeley, and Princeton that can be browsed by subject, university, or instructor through a user-friendly interface.
Additionally, editors have compiled lectures from different speakers into Playlists such as “Understanding the Financial Crisis” and “First Day Of Freshman Year.” Since the site’s launch in 2008, Academic Earth has grown to attract 400,000 unique visitors per month, primarily through word of mouth.
