Wednesday, March 04, 2015
Local. Similar to many other PoS breaches.
Natural Grocers Investigates Data Breach
The incident has been contained, and the company said law enforcement is investigating the matter. So far, Natural Grocers has not received any reports of fraudulent use of customer information, and there is no evidence any PIN numbers or card verification codes were accessed.
… "While its investigation is ongoing, Natural Grocers has accelerated pre-existing plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that includes point-to-point encryption and new pin pads that accept “chip and PIN” cards," the company said in a statement.
… According to security blogger Brian Krebs, the attackers broke into Natural Grocers just before Christmas by attacking vulnerable database servers. From there, they were reportedly able to pivot around the network and infect the PoS systems.
[From the Krebs article:
Perhaps they aren’t reporting the fraud to Natural Grocer, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.
“Gosh, it looked Okay to us!”
Brian Krebs reports:
A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.
On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.
Read more on KrebsOnSecurity.com.
[From the article:
“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” [Oops! Bob]
Interesting, but not much detail.
… Fraud in the so-called Yellow Path is “growing like a weed, and the bank is unable to tell friend from foe,” Abraham wrote in a blog post on Feb. 22. “No one is bold enough to call the emperor naked.”
He estimated that it’s not unusual to see fraud account for about 6 percent of Apple Pay transactions compared with 0.1 percent using a traditional credit or debit card, according to the Wall Street Journal.
… The White House recently announced that Apple Pay would be available as an alternative to federal payment cards in systems like GSA SmartPay. The service will also be available for transactions with national parks.
Apple has said the service is designed to be “extremely secure” and suggested the banks may be at fault for the verification of fraudulent cards.
(Related) The Yellow Path.
Amid Apple Pay fraud, banks scramble to fix Yellow Path process
… According to reports, criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim's card on the new device. This is so-called "Yellow Path" authentication, in which a card isn't automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.
The joys of politically motivated technology restrictions? (Failure to pass Economics 101 leads to many other failures?)
Decade-old 'FREAK' security flaw left millions exposed
… The newly discovered encryption flaw known as "FREAK attack" left users of Apple's Safari and Google's Android browsers vulnerable to hackers for more than a decade, researchers told the Washington Post. Users of the browsers were vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available, according to the newspaper. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including the web browsers.
“We don't need no stinking employees!”
“We don't need no stinking security!”
“We don't need no stinking backups!”
Notice a theme here?
Ted Johnson reports:
Nine former Sony employees have filed an amended class action lawsuit against Sony Pictures Entertainment, alleging that the studio failed to take adequate safeguards to protect personal information that was exposed in the hacking attack last year.
“Following the breach, SPE has focused on its own remediation efforts, not on protecting employees’ sensitive records or minimizing the harm to its employees and their families,” states the amended complaint, filed on Monday in U.S. District Court in Los Angeles. “Rather, SPE has focused on securing its own intellectual property from pirates and a public relations campaign directed at controlling damage to SPE associated with the release of embarrassing internal emails.”
Read more on Variety.
For my Ethical Hackers: “Disruptions” are detectable... Just saying.
Kim Zetter reports:
For years the government has kept mum about its use of a powerful phone surveillance technology known as a stingray.
The Justice Department and local law enforcement agencies insist that the only reason for their secrecy is to prevent suspects from learning how the devices work and devising methods to thwart them.
But a court filing recently uncovered by the ACLU suggests another reason for the secrecy: the fact that stingrays can disrupt cellular service for any phone in their vicinity—not just targeted phones—as well as any other mobile devices that use the same cellular network for connectivity as the targeted phone.
Read more on Wired.
[From the article:
But in the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.
“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity.
Do their computers contain the intellectual property of the firm or the skills of the lawyer? I'm pretty sure the answer is a four letter word.
Debra Cassens Weiss reports:
A battle over laptops taken by lawyers to a new law firm failed to reach a settlement last week during a three-hour session before a magistrate judge.
The suit by Pennsylvania insurance boutique Nelson Brown Hamilton & Krekstein initially sought the return of laptops taken by 14 departing lawyers to Lewis, Brisbois, Bisgaard & Smith, the National Law Journal (sub. req.) reports. The suit seeks damages under the Computer Fraud and Abuse Act.
After the suit was filed last May, Lewis Brisbois returned the laptops, but erased and preserved the information they held, the story says. Now both law firms have hired computer experts to determine what information was on the devices.
The departing lawyers had represented hacked companies, and Nelson Brown says sensitive information such as Social Security numbers may have been saved on the laptops. The firm also says the devices may have contained confidential client lists and legal strategies.
Read more on ABA Journal.
From looking at the complaint, Nelson Brown owned the laptops and devices that the departing attorneys took with them in February 2014. What were the lawyers’ ethical obligations to the firm’s clients they had been representing? Could they just hand over the laptops and walk away?
And given that personal and sensitive information of data breach victims may have been on those laptops and devices, I wonder what would have happened if Nelson Brown had configured their security so that data were not stored locally but on their server from which it could be accessed but not saved locally? Why were all their lawyers walking around with PII on laptops? Were the data encrypted?
Wow! I wonder where they got that crazy idea?
Irony: Obama Balks At Chinese Government's Orwellian Cybersecurity Tactics
… President Obama is fearful that China’s plans — which include allowing the Chinese government to install security backdoors, requiring companies to hand over encryption keys, and keeping user data on Chinese soil — are an assault on intellectual property held by American companies and leave customers open to privacy violations.
China’s draft proposal for its anti-terrorism legislation "would essentially force all foreign companies, including U.S. companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services," said President Obama in an interview with Reuters. "As you might imagine tech companies are not going to be willing to do that.”
… What’s somewhat amusing is that the U.S. government has been found to employ some of these same tactics not only abroad, but also on home turf. FBI Director James Comey has been an ardent critic of smartphone encryption employed by Google and Apple, seeing it as an affront to law enforcement and national security.
(Related) Makes you think the government doesn't get it.
14 Consumer Groups Outline Shortcomings In WH Privacy Legislation
“Consumer Watchdog today joined 13 other public interest groups in a letter to President Obama outlining the shortcomings of the draft Consumer Privacy Bill Of Rights Act and pledging to work with the Administration and Congress to strengthen the
“In 2012, you released your vision of the founding principles of consumer privacy — the Consumer Privacy Bill of Rights. Many of us hope that your principles, once implemented in legislation, will form a powerful framework to protect Americans’ fundamental right to privacy,” the 14 groups wrote in their joint letter. “Unfortunately, the discussion draft released last Friday falls short of that promise.”
Read the groups’ letter here.
… “The bill is full of loopholes and gives consumers no meaningful control of their data. Even the Federal Trade Commission says they have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy.
Read the draft Consumer Privacy Bill of Rights Act here.
Now this could be amusing... If true, what else is implied? If we dynamite the dam, what else is released? If we don't what else is blocked?
Federal Court Considers FTC’s Data Protection Authority
EPIC – “A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC’s authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC’s “critical role in safeguarding consumer privacy and promoting stronger security standards.” EPIC explained that the damage caused by data breaches – more than $500 million last year – makes data security one of the top concerns of American consumers. EPIC warned the court that “removing the FTC’s authority to regulate data security would be to bring dynamite to the dam.”
It's sad that this is the best way to catch pimps.
Adam Liptak reports:
The Supreme Court on Tuesday seemed inclined to let the police in Los Angeles inspect hotel and motel guest registries without permission from a judge.
A lawyer for the city, E. Joshua Rosenkranz, told the justices that such surprise inspections are vital to law enforcement.
“This case is about whether to deprive scores of cities of one of the most effective tools that they have developed to deter human trafficking, prostitution and drug crimes that have seized the ground in America’s hotels and motels,” he said.
Read more on New York Times.
Anything for a story? “Drones are illegal so let's get a drone and see what the illegal drones saw?” Apparently journalists are much easier to catch than competent drone operators.
Paris Drone: Al Jazeera Journalist Fined
A British journalist for the Al Jazeera network has been fined for illegally flying a drone over central Paris.
… Several of the aircraft had been seen flying over locations including the US Embassy and the Eiffel Tower in the two nights preceding the trio's arrests.
… Al Jazeera confirmed initial reports that the drone was being used to put together a report on the mystery sightings in Paris when the journalists were arrested themselves.
… Authorities were first alerted to mystery drone flights in October, when state-run power company EDF filed a complaint with police. Sightings continued into the new year.
Could be worth following.
Michael Cooney reports:
Most days it seems like keeping and protecting any sort of data private is a pipe dream.
There are a variety of research efforts underway to keep private data private but it may be too little too late, some experts say.
Despite that notion the researchers at DARPA next month will go over a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.”
The program is named after Louis Brandeis, an associate Supreme Court Justice who was arguably the world’s first privacy champion having helped pen “The Right to Privacy” for the Harvard Law Review in 1890 which is still the basis for a number of privacy protections in the US.
Read more on Network World.
Watson (like Audrey in Little Shop of Horrors) demands to be fed!
IBM buys AlchemyAPI to boost Watson computing unit
International Business Machines Corp said on Wednesday it had acquired AlchemyAPI, a fast-growing startup selling software that collects and analyzes unstructured text and data in ways big enterprises, website publishers and advertisers find useful.
… AlchemyAPI already has about 40,000 developers building tools using its technology, which would give IBM access to a much bigger, ready-made user base.
… AlchemyAPI, founded in 2005 and based in Denver, has 18 full-time employees. Its customers include publishing company Hearst Corp and image agency Shutterstock. IBM did not disclose the purchase price.
The startup's software gathers data from a wide range of sources, from Twitter posts and news stories to website images and text messages, sorts the data, learns to differentiate between them, and allows users to see connections that would take much longer to establish using more standard computing methods.
The software, which learns as it goes, enables users to group together disparate information on a certain topic or event, find related articles or information sources, and helps advertisers target online ads better.
For my Statistics students who have great difficulty “forecasting” the solution to the Monty Hall Problem. (I'm trying to get them to use algorithms.)
Algorithm Aversion: People Erroneously Avoid Algorithms after Seeing Them Err
Dietvorst, Berkeley J. and Simmons, Joseph P. and Massey, Cade, Algorithm Aversion: People Erroneously Avoid Algorithms after Seeing Them Err (July 6, 2014). Forthcoming in Journal of Experimental Psychology: General. Available for download at SSRN: http://ssrn.com/abstract=2466040 or http://dx.doi.org/10.2139/ssrn.2466040
“Research shows that evidence-based algorithms more accurately predict the future than do human forecasters. Yet, when forecasters are deciding whether to use a human forecaster or a statistical algorithm, they often choose the human forecaster. This phenomenon, which we call algorithm aversion, is costly, and it is important to understand its causes. We show that people are especially averse to algorithmic forecasters after seeing them perform, even when they see them outperform a human forecaster. This is because people more quickly lose confidence in algorithmic than human forecasters after seeing them make the same mistake. In five studies, participants either saw an algorithm make forecasts, a human make forecasts, both, or neither. They then decided whether to tie their incentives to the future predictions of the algorithm or the human. Participants who saw the algorithm perform were less confident in it, and less likely to choose it over an inferior human forecaster. This was true even among those who saw the algorithm outperform the human.”
I noticed a student just the other day who had his nose six inches from the monitor because he had smashed his glasses and was awaiting a new pair. Making the text larger was a revelation. (Who said this generation knows everything about technology?)
Are You Nearsighted or Farsighted? Tips to Make Windows More Accessible for Young & Old
Perspective for my Business Intelligence students.
Is Social Media Actually Helping Your Company’s Bottom Line?
For my nerdy students? Check out the photo that accompanies the article.
The Bank of Canada is warning people to stop drawing Spock on their money
Canadians are paying a strange sort of tribute to the late Leonard Nimoy — they're drawing his most famous character, Star Trek's Spock, over a 19th-century politician on their banknotes.