Sunday, February 23, 2014
Granted, there are always false positives that need to be investigated (otherwise they are true positives). What broke down here? It looked like a real program name, so we didn't bother to check?
Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data
The hackers who raided the credit-card payment system of Neiman Marcus Group (NMG) set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation.
The hackers moved unnoticed in the company’s computers for more than eight months, sometimes tripping hundreds of alerts daily because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data were taken from July through October.
The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target (TGT), said Aviv Raff, an Internet-security expert.
… Ginger Reeder, a spokeswoman for Neiman Marcus, says the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software, so any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team.
… The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. The maximum number of customer cards exposed, according to the most recent estimate, is less than 350,000, Reeder says. Approximately 9,200 of those have been used fraudulently since the attack, she says.
… According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred.
… New details of the cyberattack on Neiman Marcus, which the retailer disclosed on Jan. 10, emerged in a forensic report required under security standards set by the major credit-card brands. The review leaves many questions about the attack unanswered because the data are insufficient. Investigators couldn’t trace how the hackers broke into the network, for example, or when the data were removed.
… The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
… Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.
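Two details in the excerpt above are the ones a detection engineer should take away: the malware carried a name nearly identical to the legitimate payment software, and it was quarantined and reloaded daily, so the same look-alike name tripped alerts day after day. Both are cheap to check for in the alert stream itself. The script below is an added example, not code from the forensic report, from Neiman Marcus, or from any vendor product; every binary name, host name and alert line in it is constructed, and the allowlist of "legitimate" register binaries is hypothetical. It groups alerts by process name, flags names within a small edit distance of an allowlisted name that are not themselves allowlisted, and reports how many distinct days each one recurred on.

```python
"""
Near-name alert triage: find alerts for binaries whose names differ only
slightly from a known-good allowlist, and count how many distinct days
each one recurs on (a binary that is removed and reappears daily is
itself a signal).

Added example; not code from the Neiman Marcus report or from any vendor
product. All binary names, host names and alert lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    day: str
    host: str
    process: str
    action: str


# Constructed allowlist of legitimate register binaries (hypothetical names).
ALLOWLIST = frozenset({"posagent.exe", "cardsvc.exe", "regupdate.exe"})

# Constructed alert log: "<date> <host> <process> <action>", one alert per line.
SAMPLE_LOG = """\
2013-07-16 REG-0012 posagent.exe  allowed
2013-07-16 REG-0012 posagent1.exe quarantined
2013-07-17 REG-0012 posagent1.exe quarantined
2013-07-18 REG-0012 posagent1.exe quarantined
2013-07-18 REG-0007 cardsvc.exe   allowed
2013-07-18 REG-0007 cardsvc_.exe  quarantined
2013-07-19 REG-0007 cardsvc_.exe  quarantined
2013-07-19 REG-0031 regupdate.exe allowed
2013-07-19 REG-0031 wmiprvse.exe  quarantined
"""


def parse_alerts(text: str) -> list[Alert]:
    """Parse whitespace-separated alert lines; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip rather than abort the whole triage run
        day, host, process, action = parts
        alerts.append(Alert(day, host, process.lower(), action))
    return alerts


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def nearest_allowed(process: str, allowlist=ALLOWLIST):
    """Return (closest allowlisted name, edit distance) for a process name."""
    return min(((name, levenshtein(process, name)) for name in allowlist),
               key=lambda pair: pair[1])


def triage(alerts, allowlist=ALLOWLIST, max_distance: int = 2) -> dict:
    """Flag non-allowlisted process names that sit within max_distance
    edits of an allowlisted name.

    Returns {process: {"mimics", "distance", "alerts", "days", "hosts"}}.
    """
    by_process = defaultdict(list)
    for a in alerts:
        by_process[a.process].append(a)
    findings = {}
    for process, group in by_process.items():
        if process in allowlist:
            continue  # the genuine binary, not a look-alike
        mimic, dist = nearest_allowed(process, allowlist)
        if dist > max_distance:
            continue  # unrelated name; left to ordinary triage
        findings[process] = {
            "mimics": mimic,
            "distance": dist,
            "alerts": len(group),
            "days": sorted({a.day for a in group}),
            "hosts": sorted({a.host for a in group}),
        }
    return findings


if __name__ == "__main__":
    for proc, f in triage(parse_alerts(SAMPLE_LOG)).items():
        print(f"{proc}: looks like {f['mimics']} (distance {f['distance']}), "
              f"{f['alerts']} alerts over {len(f['days'])} days on {f['hosts']}")
```

Run against a real alert export, the aggregation alone collapses tens of thousands of lines into a short table keyed by process name, which is the view that would have shown one near-duplicate name firing every day. The edit-distance check is deliberately simple; a production version would also normalise digit-for-letter substitutions and compare full paths and signer, since a copycat name in the wrong directory or without the vendor's code signature is the stronger signal. None of this replaces the point the investigators made: blocking was disabled globally for maintenance convenience, and a maintenance-window exception would have preserved blocking the rest of the time.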
Does “Not private” mean open to the public?
Rochelle Olson reports:
A U.S. District Court judge on Friday threw out three major cases involving hundreds of allegations of improper public-employee snooping into driver’s license data, saying no federal law was violated and driver information is not private.
In three similar orders, Judge David Doty said information on drivers’ licenses such as eye color, height, weight and address may be personal, but it’s not private.
Read more on Star Tribune.
[From the article:
“The identical information can be obtained from public property tax records ... [and] there is a long history in the United States of treating motor vehicle records as public records,” the judge’s order said, citing a 1998 ruling from a different circuit.
… A critical question in the cases was whether viewing driver’s license data without an official purpose qualifies as a misuse under federal Driver’s Privacy Protection Act. The driver database contains historical photographs, addresses and driving records on Minnesotans with a license.
In each of the three orders, Doty wrote about two dozen pages with similar reasoning. The judge said the plaintiffs failed to show that the defendants had accessed their records for an impermissible reason. “In the absence of clear evidence to the contrary, courts presume that [public officers] have properly discharged their official duties,” he wrote.
(Related) “Oh, the plan we canceled? That was “Plan 9 from Outer Space,” plans 1 through 8 are working fine, thank you.”
Extensive DHS Licence Plate Data Collection Exists – Expansion Planned
by Sabrina I. Pacifici on February 22, 2014
Follow up to previous posting - EFF – A Massive Expansion of Plate Data Collection, via ACLU - Setting the record straight on DHS and license plate tracking: “First of all, contrary to widespread understanding, DHS’ solicitation for bids had nothing to do with asking a contractor to build a nationwide license plate tracking database. Such a database already exists. The solicitation was more than likely merely a procedural necessity towards the goal of obtaining large numbers of agency subscriptions to said database, so that ICE agents across the country could dip into it at will, as many have been doing for years already. There was never a plan to “build” a plate database. A database almost exactly like the one DHS describes is a current fact. It is operated by a private corporation called Vigilant Solutions, contains nearly two billion records of our movements, and grows by nearly 100 million records per month. As I explain in greater detail here, DHS likely just wanted broader access to tap it.
Second, contrary to the impression that many seem to have that DHS does not use license plate readers, some of the agency’s sub-organizations have been using the technology for years now. Customs, Border Patrol, for example, operates license plate readers at every land border crossing, a fact that has been somewhat widely reported. You have to read beyond headlines like “Department of Homeland Security cancels national license-plate tracking plan” to understand that DHS already makes substantial use of license plate readers, both by deploying its own and accessing privately held databases containing billions of records.
It seems as if many people are under the mistaken impression that we dodged a surveillance-bullet when DHS withdrew this solicitation. We didn’t. A national plate tracking database exists, run by Vigilant Solutions, and it is widely used by law enforcement nationwide. The company is currently aggressively defending in court its ability to track anyone it wants, however it wants. If you’d like to see which agencies have access to its rapidly growing database, you can click here and scroll through the drop down menu. Vigilant has helpfully provided a list for all to peruse.”
Something for the IP lawyers? “Okay, give them the contact information, but we (the court) will watch them like a hawk, because they are clearly a bunch of trolls.”
Canadian Court Decision on Copyright Trolls and P2P Lawsuit
by Sabrina I. Pacifici on February 22, 2014
Via Michael Geist: “The federal court has released its much anticipated decision in Voltage Pictures v. Does, a case involving demands that TekSavvy, a leading independent ISP, disclose the identities of roughly 2,000 subscribers alleged to have downloaded movies without authorization. The case attracted significant attention for several reasons: it is the first major “copyright troll” case in Canada involving Internet downloading (the recording industry previously tried unsuccessfully to sue 29 alleged file sharers), the government sought to discourage these file sharing lawsuits against individuals by creating a $5,000 liability cap for non-commercial infringement, TekSavvy ensured that affected subscribers were made aware of the case and CIPPIC intervened to ensure the privacy issues were considered by the court. Copies of all the case documents can be found here. The court set the tone for the decision by opening with the following quote from a U.S. copyright case: “the rise of so-called ‘copyright trolls’ – plaintiffs who file multitudes of lawsuits solely to extort quick settlements – requires courts to ensure that the litigation process and their scarce resources are not being abused.” The court was clearly sensitive to the copyright troll concern, noting that “given the issues in play the answers require a delicate balancing of privacy rights versus the rights of copyright holders. This is especially so in the context of modern day technology and users of the Internet.”
A most interesting Infographic...
The Evolution of Data Storage
For my website students.
– is a set of testing tools for Microsoft web developers. Test your site on various versions of IE using free virtual machines for Windows, Mac, and Linux. Test your site on browsers hosted by Browserstack. Scan for common coding problems.