Saturday, December 21, 2013

At first reading, the technique is similar to that used at Target.
It’s just hitting the media today that Affinity Gaming was hit by a cyberattack earlier this year that affected customers at its 11 casinos. They were alerted to the breach by the FBI in October, and the critical period for data compromise is March 14 – October 16. Here are the relevant parts of their announcement dated December 20 that describe the breach and a second breach:
Affinity Gaming (“Affinity”) has confirmed an unauthorized intrusion into the system that processes customer credit and debit cards for its casinos, and is issuing this public notice of the data security incident and encouraging individuals who visited its gaming facilities between March 14th and October 16th of 2013 to take steps to protect their identities and financial information. Affinity regrets any inconvenience this incident may cause and has established a confidential, toll-free inquiry line to assist its customers.
Affinity has also confirmed an unauthorized intrusion into the system that processes credit and debit cards at its Primm Center Gas Station in Primm, Nevada. This intrusion began on an unknown date and it ended on November 29, 2013.
On October 24, 2013, Affinity was contacted by law enforcement regarding fraudulent charges which may have been linked to a data breach in Affinity’s system. Affinity immediately initiated a thorough investigation, supported by third-party data forensics experts who determined the nature and scope of the compromise, and confirmed that Affinity’s system has been fully secured and that its customer payments are protected. On November 14, 2013, Affinity posted notice of this incident on its website.
Affinity’s investigation, while ongoing, has also determined that its system became infected by malware, which resulted in a compromise of credit card, and debit card, information from individuals who visited its gaming facilities: Silver Sevens Hotel & Casino in Las Vegas, NV; Rail City Casino in Sparks, NV; Primm Valley Resort & Casino in Primm, NV; Buffalo Bill’s Resort & Casino in Primm, NV; Whiskey Pete’s Hotel & Casino in Primm, NV; Lakeside Hotel-Casino in Osceola, IA; St. Jo Frontier Casino in St. Joseph, MO; Mark Twain Casino in LaGrange, MO; Golden Gates Casino in Black Hawk, CO; Golden Gulch Casino in Black Hawk, CO; and Mardi Gras Casino in Black Hawk, CO. Credit or debit card data was exposed at these locations between March 14th and October 16th of 2013.


Price is a good indication of card quality. If they have 40 million saleable cards and can get $20 per, that really makes a crime like this pay. Note that the banks trust the crooks not to sell copies of the cards they buy back.
Cards Stolen in Target Breach Flood Underground Markets
Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.
… At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.
Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers.


If the Superintendent wasn't aware of this, who negotiated the deal? (And why do they bother having a Superintendent?) No mention of money, but this could open future cash deals, since “the data is already out there.” Does removing names provide adequate security? If I gave you information on a student named [REDACTED] who lived at 123 Fourth Street, Littleton, CO 80121, was a Senior who played Soccer and had a 3.9 GPA, how long would it take to identify him or her?
Ann Dornfield reports:
KUOW has learned that the Washington state education department has signed agreements to share non-public student data with media organizations including The Seattle Times and the Associated Press. Data security experts say the agreements raise serious privacy concerns for the state’s public school students.
Do read more about this agreement and the concerns it raises on KUOW. It sounds like journalists want to do what could be useful investigative analyses and pieces that perhaps the state should be doing. But the journalists (AP and Seattle Times) can’t get the data because of FERPA so they’ve entered into contracts with the state. Very concerning…
[From the article:
The Office of the Superintendent of Public Instruction has so far promised the Times individual student and staff data dating from 2009 to this year, including individual students’ test scores on numerous state assessments, grades, school schedules, absences and discipline information. OSPI told KUOW the data would be "de-identified," meaning it would not include names of students or staff.
"Wow," said Seattle Public Schools Superintendent Jose Banda. "I wasn't aware of [this agreement], and I don’t think any of my staff was aware that this was being considered and approved."

(Related)
Initial findings from the Office of the National Coordinator for Health Information Technology on ways to match patients with their data do address problems with current HIT systems and data exchanges, notes advocacy organization Patient Privacy Rights.
But there isn’t much else in the findings that the organization agrees with. In testimony at an ONC public meeting in December, PPR noted that “the findings address today’s problems without anticipating where we will be tomorrow; they did not foresee that the HITECH Act and meaningful use requirements can be used to resolve many of today’s problems without patient identity and patient matching.”
Read more on HealthData Management.


Is there a “Judge Guinness book of world records?” If not, why not?
Court Decision in Tronox Bankruptcy Fraudulent Conveyance Case Results in Largest Environmental Bankruptcy Award Ever
by Sabrina I. Pacifici on December 20, 2013
EPA Case Summary: “On December 12, 2013, the U.S. Bankruptcy Court for the Southern District of New York decided against Kerr-McGee Corporation (“Kerr-McGee”) and related companies that are subsidiaries of Anadarko Petroleum Corporation (“Anadarko”) in a fraudulent conveyance case and determined that the defendants “acted to free substantially all [their] assets – certainly [their] most valuable assets – from 85 years of environmental and tort liabilities.” The Court awarded damages between approximately $5.2 billion and $14.2 billion to the plaintiffs which, even at the low end of the damages range, is the largest amount ever awarded in a bankruptcy proceeding for governmental environmental claims and liabilities. Approximately $4.5 billion to $12.4 billion will go toward cleanup at contaminated sites across the country. As referenced in the USAO-SDNY press release, some of the key environmental recoveries for environmental liabilities and for cleanup of environmental sites are estimated to be the following based on the Court’s decision…”


Perspective. Might as well start a “Law MOOC” now and avoid the rush.
Paper – Legal Education in Crisis, and Why Law Libraries are Doomed
by Sabrina I. Pacifici on December 20, 2013
“The dual crises facing legal education—the economic crisis affecting both the job market and the pool of law school applicants, and the crisis of confidence in the ability of law schools and the ABA accreditation process to meet the needs of lawyers or society at large—have undermined the case for not only the autonomy, but the very existence, of law school libraries as we have known them. Legal education in the United States is about to undergo a long-term contraction, and law libraries will be among the first to go. A few law schools may abandon the traditional law library completely. Some law schools will see their libraries whittled away bit by bit as they attempt to answer “the Yirka Question” in the face of shrinking resources, reexamined priorities, and university centralization. What choices individual schools make will largely be driven by how they play the status game.”


Might be an interesting exercise for my Computer Security students to expand on the security portion. I'll leave it to my lawyer friends to think about the legal steps required.
How to Lead During a Data Breach
… One critical concept that we share with the participants in the National Preparedness Leadership Initiative (NPLI) at Harvard is that every crisis includes many situations, each with different contingencies and considerations. In this case, they include security, legal, law enforcement, customer relations, media, shareholder, employee, the board, card issuers and providers, regulatory, and more. While there can be overlap, each of these situations has a distinct (and sometimes conflicting) set of stakeholders, power structures, priorities, perspectives, interests, requirements, and values. For example, Communications may want to be immediately open and transparent while Legal may want to wait to more fully assess the liability exposure that such a stance could create. They each have a legitimate case. Navigating this complex web of interdependent relationships is daunting in routine times. In a crisis of this magnitude, the added pressure and higher stakes can make it overwhelming. How can an executive successfully lead through such a complex morass?


For all my students who read...
Borrow and Lend eBooks Through Open Library
If you're looking for a new-to-you ebook to read during the holidays, take a look at Open Library. The Open Library is a part of the Internet Archive. The Open Library is a collection of more than one million free ebook titles. The collection is cataloged by a community of volunteer online librarians. The ebooks in the Open Library can be read online, downloaded to your computer, read on Kindle and other ereader devices, and embedded into other sites. Some of the ebooks, like Treasure Island, can also be listened to through the Open Library.
Applications for Education
Much like Google Books, the Open Library could be a great place to find free copies of classic literature that you want to use in your classroom. The Open Library could also be a good place for students to find books that they want to read on their own. The audio option, while very electronic sounding, could be helpful if you cannot locate any other audio copies of the book you desire.


Something to look for? Only $38 away from my favorite price point.
Datawind brings a $38 Android tablet to the U.S. — on the heels of India’s cheap Aakash tablet
Datawind’s mission to deliver ultra-cheap tablets for everyone, no matter their income, is finally headed to the U.S.
Today the Canadian company announced that it will offer three of its 7-inch Android UbiSlate tablets in the United States, with the cheapest (the UbiSlate 7ci) running for a mere $38.


...never fails to amuse.
New Jersey governor Chris Christie says he will sign legislation that would allow undocumented immigrants in New Jersey to be eligible for in-state college tuition. [Making it cheaper to come from Guatemala than from Pennsylvania? Bob]
Alabama joins those states (16 in total) that allow computer science classes to count as math credit towards graduation. [Perhaps “Home Economics” could count as Chemistry? Bob]
The tech blog VentureBeat is launching an education vertical, sponsored by a subsidiary of Apollo Education Group (parent company of the University of Phoenix). VentureBeat claims it is the “first major technology news organization to dedicate a channel to how technology is transforming the global education market” which is really a stretch (Chris Dawson ran one for ZDNet for a long time). But hey, with solid research into education history like this, you know the coverage is gonna be stellar!
Students are bored in school, and Amanda Ripley is on it. She monitored Twitter for a list of their grievances. Another look at “bored at school” tweets is here.


God forbid that someday someone will take one of these “threats” seriously and take out Pyongyang. Worst case scenario? One of the drones who has been told all his life that Kim is almost a god takes the action he believes his “Great/Dear/Glorious Leader” has commanded.
North Korea sends fax threatening to strike South Korea 'without notice': report
… A South Korean news agency reported Friday that the North has threatened to attack “without notice” in response to anti-North rallies this week — and that it sent the warning by fax.
… The threat was sent by the North Korean military, according to the Yonhap news agency. It arrived, apparently without a paper jam, at the South Korean National Security Council.
