Saturday, June 16, 2012
What didn't Heartland learn from their “Top 10” breach? Why can't victims pin down the scope of their breach? Why can't they even determine they have been breached?
Penn Station breach mushrooms to 80 locations; Heartland Payment and Secret Service investigating
June 15, 2012 by admin
Ruh oh. Tracy Kitten reports:
Restaurant chain Penn Station Inc. has upped the number of franchise locations affected by a payments breach to 80, almost double what it originally reported.
The breach, which Penn Station says it’s still investigating, is connected to a point-of-sale processing hack that may have exposed credit and debit details, but not PINs, [Not sure how you grab some data but not all... Bob] at restaurants in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania, Virginia, North Carolina and Tennessee.
Penn Station says its investigation into the breach, which is being overseen by its processor, Heartland Payment Systems, and the Secret Service, is ongoing and that results, to date, have been inconclusive.
Read more on BankInfoSecurity.com
[From the article:
On its list of frequently asked questions, the chain says the exposure was limited to cardholder names and card numbers because Penn Station only accepts signature-based transactions. [That answers my question. Bob]
… "We did not learn of the possibility of unauthorized access until late April," the company says in its updated FAQ. "Our first step after learning such information was to change the method for processing credit and debit card transactions." [Does this suggest the process had known flaws? Bob]
… Dunaway told BankInfoSecurity that Penn Station learned of the breach from a customer. The patron connected the dots after swapping stories with others who had suffered fraud following dining at a local Penn Station restaurant.
… Based on what Penn Station has revealed so far, industry experts suggest the breach could be linked to one or both of two possible scenarios - a processing hack, like the one that targeted 100 Subway locations between 2008 and May 2011, or a point-of-sale scheme, similar to the one discovered by the Michaels crafts store chain in May 2011. [Yep. Known flaws. Bob]
A new flaw or a “backdoor” that US Cyber Command no longer requires? Since the US is now in the Cyber Attack business, we have to consider that they may “draft” some vendors for the “war effort.”
"The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The vulnerability was disclosed in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. 'Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,' the US-CERT advisory says. 'The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'"
According to the article, exposed OSes include "Windows 7, Windows Server 2008 R2, 64-bit versions of FreeBSD and NetBSD, as well as systems that include the Xen hypervisor."
How our infrastructure may die. Imagine similar security failures at a site that updates financial systems (or controllers for centrifuges...)
"A web site used to distribute software updates for a wide range of medical equipment, including ventilators, has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."
Be more private than the next guy...
June 15, 2012
EFF - How to Turn on Do Not Track in Your Browser
"In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices. The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome."
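The "signal" the EFF piece refers to is just an HTTP request header, `DNT: 1`; the example below (added here, not from the EFF tutorial or the original post) shows the server side of the bargain: parsing the header and deciding whether to set a tracking cookie. The `Tk` response header and its `N`/`T` values are assumed from the W3C Tracking Preference Expression draft; the sample requests are constructed.

```python
# Added example: honouring the Do Not Track signal on the server side.
# DNT request header: "1" = do not track, "0" = tracking permitted,
# absent = no preference expressed. The "Tk" response header ("N" = not
# tracking, "T" = tracking) follows the W3C TPE draft; that is an assumption.

def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a lowercase header-name -> value map."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]          # skip the request line
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:                              # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers

def dnt_preference(headers: dict):
    """True = do not track, False = tracking permitted, None = no preference."""
    value = headers.get("dnt")
    if value == "1":
        return True
    if value == "0":
        return False
    return None          # absent or malformed: treat as no expressed preference

def tracking_response_headers(headers: dict, default_track: bool = True) -> dict:
    """Decide whether to set a tracking cookie and tell the client what was done."""
    pref = dnt_preference(headers)
    tracking = default_track if pref is None else not pref
    out = {"Tk": "T" if tracking else "N"}
    if tracking:
        # Constructed sample cookie; a real ad identifier would go here.
        out["Set-Cookie"] = "ad_id=constructed-sample-id; Path=/; HttpOnly"
    return out

# Constructed sample requests (not captured traffic). Header names are
# case-insensitive, so "dnt" and "DNT" must both be recognised.
REQ_DNT_ON = "GET /article HTTP/1.1\r\nHost: example.test\r\nDNT: 1\r\n\r\n"
REQ_DNT_OFF = "GET /article HTTP/1.1\r\nHost: example.test\r\ndnt: 0\r\n\r\n"
REQ_DNT_NONE = "GET /article HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_DNT_ON, REQ_DNT_OFF, REQ_DNT_NONE):
        print(tracking_response_headers(parse_headers(req)))
```

The `default_track` argument is where the policy framework enters: the header only states the user's preference, and what a site does when no preference is present is its own decision.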
Ubiquitous surveillance. Perhaps there will be a market for my Rent-a-Drone idea?
June 15, 2012
UK Mail reports Google and Apple deploying advanced satellite surveillance
Mail Online: "Spy planes able to photograph sunbathers in their back gardens are being deployed by Google and Apple. The U.S. technology giants are racing to produce aerial maps so detailed they can show up objects just four inches wide. But campaigners say the technology is a sinister development that brings the surveillance society a step closer. Google admits it has already sent planes over cities while Apple has acquired a firm using spy-in-the-sky technology that has been tested on at least 20 locations, including London. Apple’s military-grade cameras are understood to be so powerful they could potentially see into homes through skylights and windows. The technology is similar to that used by intelligence agencies in identifying terrorist targets in Afghanistan."
Oh boy, the MPAA's Justice Department isn't going to like this... I doubt that DoJ has had time to look at all the data they seized.
U.S. ordered to prepare for handover of MegaUpload data
A New Zealand court has ordered the U.S. government to get ready to give MegaUpload founder Kim Dotcom and his co-defendants copies of the data from servers seized by federal agents, ComputerWorld reported today.
The data includes over 10 million intercepted emails, financial records and more than 150 terabytes of data stored on servers seized in New Zealand.
The same court told the U.S. in May that it had three weeks to show the evidence that supports its indictment against MegaUpload managers. [Wow! They won't take the MPAA's word for it? Bob]
The “Ban” didn't last long – unfortunately, stupid is forever...
World gets second helpings of girl's school dinner blog as ban is overturned
When nine-year-old Martha Payne set up a blog six weeks ago, to show pictures of her daily school lunch – sometimes meagre, often fried – it was meant as a writing project that would be seen by few others than her close relatives.
But word spread over social media, and in just over a week more than 100,000 people had viewed Martha's stark photos of her food, sitting on a white, prison-style tray.
Still, she could have been little prepared for the deluge of publicity on Friday, when Argyll and Bute council was forced into a humiliating climbdown over a decision to effectively close the blog, by banning photography in the school dining hall.
By 11pm, her blog, NeverSeconds, which has drawn the support of Jamie Oliver, had attracted more than 4m page views and she had managed to raise more than £52,000 for the charity Mary's Meals.
… Argyll and Bute came up with a response likely to be immortalised on public relations curriculums under "how not to do it".
A statement accused a girl of "unwarranted attacks" on local school meals "which have led catering staff to fear for their jobs".
"In an interview with Udacity founder Sebastian Thrun, it was revealed that he hopes to offer a Masters degree for only $100, and is close to offering a full computer science degree. 'There are unfortunately some rough edges between our fundamental class CS101 and the next class up, when this is done I believe we can get an entire computer science education completely online and free and I think this is the first time this has happened in the history of humanity.' The latest course from Udacity is on statistics, and he is hoping to top the 160,000 sign-ups for his first online class on AI. It is also hoped to be the first class where students can visit a testing center to get their achievements formally certified."
For my Ethical Hackers... (Great illustration that should be a poster.)
"In the wake of confirmation that the U.S. government was involved in the creation of Stuxnet and likely Flame, a look over job listings on defense contractor sites shows just how explicitly the Pentagon and the firms that service it are recruiting offense-oriented hackers. Northrop Grumman, Raytheon, Lockheed Martin, SAIC, and Booz Allen have all posted job ads that require skills like 'exploit development,' have titles like 'Windows Attack Developer,' or ask them to 'plan, execute, and assess an Offensive Cyberspace Operation.'"
(Related) Start 'em young!
Huge (unofficial) rise in AP CS Test Takers
Last week was the AP CS Reading, where over 100 computing teachers read over students’ programs and graded them. Several readers (including Barbara) have come back saying that the unofficial count for the number of tests this year was 26,000. Compare that to 21,139 last year, and 19,390 the year before that. We probably won’t have the official numbers until January, and we’ll get the demographic breakdown then, too. A 20+% increase in a single year is remarkable!