Friday, January 11, 2013

Security Breach, the gift that keeps on giving... (Excerpts from a much more detailed post)
In September, I posted Global Payments’ statement from their quarterly filing that dealt with the costs of a breach disclosed in March 2012. BankInfoSecurity.com has just reported on their most recent filing. Whereas last year, Global Payments estimated the cost of the breach at about $84 million, their current 10-Q filing puts the cost of the breach at $93.9 million. Although the total is up, the overall fraud costs resulting from the incident were significantly lower than what they had estimated last year ($35.9 million vs. $67.4 million). Also of note, they report that their losses due to being removed from PCI-DSS compliant status were “immaterial:”
… The firm provides its updated breakdown of costs:
During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012.


No indication of WHY they decrypt your data.
Phone maker Nokia has confirmed some recent reports that have been circulating claiming that it was decrypting HTTPS traffic originating from some of its smartphones. Nokia confirmed that its Xpress Browser used on the company’s Asha and Lumia smartphones temporarily decrypts the HTTPS traffic as it passes through Nokia servers.
… Nokia also says that there’s no need for people to worry because it would never access the customer’s data.
… The researcher claims that Nokia would have access to clear text information that could include login information for social networks, banking, and anything else transmitted by HTTPS. The researcher also noted that decrypting the information also goes against Nokia’s privacy statement that says it doesn’t collect usernames or passwords during purchase transactions. For its part, Nokia says that it doesn’t store any of the information that passes through its servers.
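An added example, not code from Nokia or the article: the check a client can make to notice that its HTTPS session is being terminated by a key other than the site's own, which is what a server-side decrypting proxy must do. It pins the SHA-256 of the leaf certificate's SubjectPublicKeyInfo, as HPKP does, so a certificate re-issued under a different key (a proxy's) fails the check even when the hostname matches. The certificates, keys and CA names below are constructed stand-ins with dummy signatures.

```python
import base64, hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (minimal length encoding, up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def read_tlv(buf: bytes):
    """Split buf into (tag, body, rest) for its first TLV."""
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:                                  # long form: low bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[pos:pos + n], buf[pos + n:]

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)               # tbsCertificate ::= SEQUENCE
    if tbs[0] == 0xA0:                            # optional [0] EXPLICIT version
        _, _, tbs = read_tlv(tbs)
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, tbs = read_tlv(tbs)
    _, _, rest = read_tlv(tbs)                    # next field is subjectPublicKeyInfo
    return tbs[:len(tbs) - len(rest)]

def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SPKI DER)). Pins the key, not the issuer."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, expected_pins: set) -> bool:
    """True only if the presented leaf carries a key the client was shipped with."""
    return spki_pin(cert_der) in expected_pins

# Constructed certificates for the demo: dummy keys, dummy signatures, made-up CA names.
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))       # rsaEncryption
def name(cn: str) -> bytes:                                    # Name with a single CN attribute
    return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))
def make_cert(issuer: str, subject: str, key_bits: bytes) -> bytes:
    alg = der(0x30, RSA_OID + der(0x05, b""))                  # AlgorithmIdentifier placeholder
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))      # signature bytes are dummy

BANK_KEY = bytes(range(1, 65))                                 # stand-in for the site's public key
GENUINE = make_cert("Example Root CA", "bank.example", BANK_KEY)
INTERCEPTED = make_cert("Proxy CA", "bank.example", bytes(range(64, 0, -1)))  # proxy's own key
PINS = {spki_pin(GENUINE)}      # in a real client this set ships with the app, not derived here
```

A proxy that terminates TLS must present a leaf signed under its own key, so `pin_matches(INTERCEPTED, PINS)` is False while a legitimate re-issue of the same key by a different CA still passes.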


For my Computer Security students: This is not the best way for your Ethical Hacking friends to stay in touch... (Remember, “Default” is the French word for “Only an idiot would fail to change this” ) In New Jersey, we would say “De fault is yours!”
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article:
"Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. … The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."


Technology-specific guidelines are nice, but we are at a point where we should be able to look back at laws that have evolved to address issues on mainframes, mini-computers, microcomputers (PCs), and now smartphones. Eventually the laws addressing each of these technologies will address the same issues in the same way. Why not get ahead of the technology and write “Generalized Best Practices?” It would save everyone a lot of effort.
California Attorney General Kamala Harris has issued privacy guidelines for mobile apps. In a statement introducing the guidelines, Ms. Harris writes:
The mobile app industry is growing fast, but it is still in the early stages of development, with practitioners who are not all alert to privacy implications and how to address them. To help educate the industry and promote privacy best practices, the Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem. The recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process.
Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.
You can access the full guidelines in Privacy on the Go here.

(Related)
The Internet of Things Has Arrived — And So Have Massive Security Issues
While not devoid of hype and hyperbole, the Internet of Things (IoT) does represent a revolution happening right now. Companies of all kinds – not just technology and telecommunications firms – are linking “things” as diverse as smartphones, cars and household appliances to industrial-strength sensors, each other and the internet. The technical result may be mundane features such as intercommunication and autonomous machine-to-machine (M2M) data transfer, but the potential benefits to lifestyles and business opportunities are huge.
But … with great opportunity comes great responsibility. Along with its conveniences, the IoT will unveil unprecedented security challenges: in data privacy, safety, governance and trust.

(Related) It might also help Judges evaluate the need for a subpoena.
I’ve covered Stingray before, but the general public really really needs to become more aware of its use.
Ryan Gallagher reports:
The FBI calls it a “sensitive investigative technique” that it wants to keep secret. But newly released documents that shed light on the bureau’s use of a controversial cellphone tracking technology called the “Stingray” have prompted fresh questions over the legality of the spy tool.
Functioning as a so-called “cell-site simulator,” the Stingray is a sophisticated portable surveillance device. The equipment is designed to send out a powerful signal that covertly dupes phones within a specific area into hopping onto a fake network. The feds say they use them to target specific groups or individuals and help track the movements of suspects in real time, not to intercept communications. But by design Stingrays, sometimes called “IMSI catchers,” collaterally gather data from innocent bystanders’ phones and can interrupt phone users’ service—which critics say violates a federal communications law.
The FBI has maintained that its legal footing here is firm. Now, though, internal documents obtained by the Electronic Privacy Information Center, a civil liberties group, reveal the bureau appears well aware its use of the snooping gear is in dubious territory.
Read more on Slate.


Another example of new technologies operating in areas we have defined legally before – haven't we? Has no one ever been tracked/stalked before cellphones made it easier?
Natasha Singer reports:
There are three things that matter in consumer data collection: location, location, location.
E-ZPasses clock the routes we drive. Metro passes register the subway stations we enter. A.T.M.’s record where and when we get cash. Not to mention the credit and debit card transactions that map our trajectories in comprehensive detail — the stores, restaurants and gas stations we frequent; the hotels and health clubs we patronize.
Each of these represents a kind of knowing trade, a conscious consumer submission to surveillance for the sake of convenience.
But now legislators, regulators, advocacy groups and marketers are squaring off over newer technology: smartphones and mobile apps that can continuously record and share people’s precise movements. At issue is whether consumers are unwittingly acquiescing to pervasive tracking just for the sake of having mobile amenities like calendar, game or weather apps.
Read more on The New York Times.


Should we not do this? Will we want to expand it to identify school shooters before they shoot?
U.S. Cities Relying on Precog Software to Predict Murder
… New crime-prediction software used in Maryland and Pennsylvania, and soon to be rolled out in the nation’s capital too, promises to reduce the homicide rate by predicting which prison parolees are likely to commit murder and therefore receive more stringent supervision.
The software aims to replace the judgments parole officers already make based on a parolee’s criminal record and is currently being used in Baltimore and Philadelphia.
Richard Berk, a criminologist at the University of Pennsylvania who developed the algorithm, claims it will reduce the murder rate and other crimes and could help courts set bail amounts as well as sentencing in the future.


Just a reminder...
January 10, 2013
Check Your Credit Report Regularly -- It's Free!
"You are entitled to a FREE credit report from each of the three credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months. You can request all three reports at once, or space them out throughout the year. It's important to review your credit report to ensure that your personal information and financial accounts are being accurately reported and that no fraudulent accounts have been initiated in your name. If you do find an error on your credit report, you can dispute the error."


If the answer contains a number, WolframAlpha might be the best place to ask the question.
If you’ve heard of Wolfram Alpha before, you’ll know that it’s a wealth of knowledge that’s occasionally compared to the likes of the Star Trek computer. There are all sorts of weird and wonderful uses for Wolfram Alpha, including powerful search terms, other searching tips, widgets, a variety of cool uses and other truly powerful uses of Wolfram Alpha. However, even if you know all about these Wolfram Alpha tools, you may still not yet know about their Facebook analytics tool.
With the Wolfram Alpha Facebook analytics tool, you can find out a huge amount of information about your Facebook account. It’s quite fun to see which of your posts or photos are the most popular, who your top commenters are, who is sharing your posts the most and more interesting tidbits. Plus, it’s easy to use this tool and completely free.
Using Wolfram Alpha’s Facebook analysis tool is completely free, so all you need to do is log in using your Facebook credentials and give it access to your account.
… Here’s a video showing how it works.


It's geeky and it goes Bang! What's not to like?
"Astronomer and gamer Scott Manley (more famous for his Kerbal Space program coverage) has created a fantastic video explaining the science behind building guns that could one day be used to launch payloads into space. It's not as easy as simply making a bigger gun, there's a whole host of unorthodox 'gun' designs which work around the limitations of garden variety propellants."


Where is Emily Post when we need her? Posters suitable for framing?
Everybody Should Follow These Rules for Using Their Phone