Friday, August 01, 2014

Oh no! Not Jimmy Johns!
Sandwich Chain Jimmy John’s Investigating Breach Claims
Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.
… The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.
Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software.
… Reports of a possible card compromise at Jimmy John’s come amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.

Oh look, banks have rules!
Financial Crimes Enforcement Network: Customer Due Diligence Requirements for Financial Institutions
by Sabrina I. Pacifici on Jul 31, 2014
News release: “The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) today issued a Notice of Proposed Rulemaking (NPRM) to amend existing Bank Secrecy Act (BSA) regulations to help prevent the use of anonymous companies to engage in or launder the proceeds of illegal activity in the U.S. financial sector. The proposed rule would clarify and strengthen customer due diligence obligations of banks and other financial institutions (including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities). The proposed amendments would add a new requirement that these entities know and verify the identities of the real people (also known as beneficial owners) who own, control, and profit from the companies they service… The proposed rule benefits from extensive outreach and discussion with financial institutions and regulatory agencies. These proposed amendments represent significant enhancements to the BSA and build upon post-9/11 augmentation of the regulations designed to protect the U.S. financial system. They would make valuable information needed to disrupt illicit finance networks available to law enforcement. The resulting increase in financial transparency would enhance the ability of financial institutions and law enforcement to identify the assets and accounts of criminals and national security threats. The rule also would further the United States commitments in the G-8 Action Plan for Transparency of Company Ownership and Control published in June 2013. The rulemaking clarifies that customer due diligence includes four core elements: identifying and verifying the identity of customers; identifying and verifying the beneficial owners of legal entity customers; understanding the nature and purpose of customer relationships; and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. 
The proposed requirement to identify and verify the identity of beneficial owners is addressed through the proposal of a new requirement for covered financial institutions to collect beneficial ownership in a standardized format. Those financial institutions will have to identify and verify any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity.”

Is this really unexpected?
Twitter and the US government square off yet again
Twitter’s latest transparency report shows a steady rise in government requests for account information. And an increasing number of requests are coming from foreign governments. In the past six months, the company received more than 2,000 different requests from 54 different countries, an increase of almost 150 percent since Twitter began releasing the data in 2012.

(Related) Or this one?
Microsoft ordered to hand over emails on Dublin server
Microsoft's latest attempt to resist a US government warrant demanding access to emails stored on servers in Ireland has been dismissed by a federal judge.
A court in New York ruled against the tech company, which has consistently fought the order issued in December as part of a drug-trafficking trial.
Microsoft immediately announced plans to challenge the decision.
The company has previously said it will allow users to choose where their data is stored.

Is there a trend to make more/less data sensitive?
Daniel Solove writes:
…. I find it interesting what various countries define as sensitive data, and K Royal has created an awesome chart that she shared with me. To a privacy wonk like me, a chart like this makes me giddy with excitement, and so I thought I’d share it with you (with her permission, of course).
First, here’s a tally of the various types of most-commonly recognized categories of sensitive data. This is based on a chart of the sensitive data category of many countries that K Royal created.
See the chart and read more on LinkedIn.

If nothing else, ammunition for the annual budget wars.
NY AG Releases Report Showing Rise In Data Breaches, Provides Security Tips To Small Businesses & Consumers
by Sabrina I. Pacifici on Jul 31, 2014
“Attorney General Eric T. Schneiderman today issued a new report examining the growing number, complexity, and costs of data breaches in New York State. Using information provided to the Attorney General’s Office pursuant to the New York State Information Security Breach & Notification Act, the report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years of security breach data and how it has impacted New Yorkers. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches. Attorney General Schneiderman’s report also presents new recommendations on steps that both organizations and consumers can take to protect themselves from data loss.”

Rethinking our security strategy?
Don’t let your enterprise network fail on ‘the basics’
As many have pointed out, network security relies not on defenses that never fail, but on defenses that fail intelligently. However, today’s enterprise networks most often “fail on the basics,” according to Dmitriy Ayrapetov, director of product management at Dell SonicWall.
That has been a recurring theme at the Gartner Security & Risk Management Summit this week in Washington, D.C. New research from Gartner shifts the focus of security planning away from “preventive controls (such as signature-based anti-malware, network and host intrusion prevention systems, pervasive encryption and continuous patching),” calling such controls “increasingly ineffective.” Instead, Gartner’s analysis concludes that “the digital workplace reinforces the need to focus more on detective and reactive controls.”
… He noted the recent collapse of, a code-hosting and project management service provider whose customer data was eradicated last week by an unknown intruder, causing the company to fail within a day. According to an IDG News Service release published by ComputerWorld and other sources, “The devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.”

Mobile Apps Are Replacing the Web - Is Your Enterprise Ready?
We know mobile is quickly changing the way we do business and now it’s also beginning to replace the web. A recent Gartner study shows that 86 percent of users are now using mobile apps compared to the 14 percent still using mobile browsers. The trajectory is very clearly shifting from web to mobile and as CISOs, we really need to reevaluate if we are ready to properly secure and protect mobile applications from threats.
A recent study showed that this year, mobile users actually surpassed desktop users. The “mobile first” trend has finally arrived and it’s coming in at full force.
Whether we like it or not, BYOD is here and being adopted in most organizations.
Following OWASP’s top 10 mobile risks and the remediation for those risks is a great start. This covers everything from data encryption to preventing man-in-the-middle attacks to client side injection.

Perhaps we could host a war game?
Deloitte Brings Cyber War Games to the Enterprise
Deloitte's Cyber Risk Services group has launched new “cyber war-gaming and simulation services” that aim to unite those tasked with managing enterprise-wide responses to cyber-attacks.
According to Deloitte, its cyber threat war-gaming approach relies on thinking from the military and academia and incorporates lessons learned from war-game simulations conducted for multi-national companies, government entities, regulatory bodies and industry groups.
Deloitte co-authored the "After Action" report (PDF) for Quantum Dawn 2, a simulated systemic cyber attack on the U.S. financial system back in June 2013.

Microsoft Launches EMET 5.0
Microsoft announced on Thursday the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0.
According to the company, version 5.0 of the free security tool comes with two new mitigations, Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+), both of which were introduced in EMET 5.0 Technical Preview.

Should be enlightening.
From EPIC:
The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases.

Might be useful
If you missed the 2014 Health Privacy Summit, you can view videos from the conference on Patient Privacy Rights’ site.

I'm shocked, shocked I tell you! Imagine a regulation requiring you to treat every request as if it was rational and reasonable. Then imagine individuals with no such requirements.
Zach Miners reports:
Some of those seeking to scrub their histories from the Web under Europe’s “right to be forgotten” rule are being economical with the truth when making their requests, Google said Thursday.
In a letter to European data regulators, Google listed some of the challenges it faces in complying with the ruling, which allows people to compel search engines like Google and Bing to remove links to pages that mention their name, if the references are “inadequate,” “irrelevant” or “excessive.”
Read more on Computerworld.

SkyNet will not work unless robots can self-repair.
Robot 'learns to keep going with broken leg'
Engineers have taken a step towards having machines that can operate when damaged by developing a robot that can teach itself to walk, even with a broken leg.
Using "intelligent trial and error", their six-legged robot learned how to walk again in less than 2 minutes.

Something useless for the game club. (Wink wink)
Play Game Boy Advance Games On Your iPhone
Apple doesn’t allow emulators on its platform, but coders keep finding a way to offer them. GBA4IOS is a free Game Boy Advance emulator you can install on your iPhone or iPad, for free.
Installing this is a little odd: you’ll need to set your time back 24 hours before you can download it, a trick that apparently lets this unapproved app get around Apple’s walled garden.
Of course, you can’t play any games with this unless you download ROMs – which would be illegal. We know none of you would break the law, ever, so I suppose this isn’t useful – just like the emulators you installed on your Raspberry Pi.
Oh well.

I know some students who will love this.
A Tool That Answers 'What's That Typeface?'
… it's so addicting to be able to mouse over and identify any font you see online. That's what the browser plug-in FontFace Ninja allows. There's even a button that lets you hide everything on the page except for the text.
