Monday, October 23, 2017

Update.
Nearly 100 Whole Foods Locations Affected by Card Breach
Amazon-owned Whole Foods Market informed customers last week that a recent hacker attack aimed at its payment systems affected nearly 100 locations across the United States.
Whole Foods has set up a webpage where customers are being provided some details about the breach. The page allows users to check if the store they made purchases in has been hit.
According to the company, cybercriminals may have stolen payment cards used at taprooms and full table-service restaurants in various cities in Alabama, Arizona, Arkansas, California, Colorado, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Maine, Michigan, Minnesota, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Tennessee, Texas, Virginia, Washington and Wisconsin. The largest number of affected locations is in California.
Whole Foods said it had learned of unauthorized access to some payment systems on September 23 and replaced affected point-of-sale (PoS) devices by September 28. However, the investigation conducted by the firm in collaboration with cybersecurity forensics experts revealed that hackers had gained access to some stores as early as March 10.
The supermarket chain pointed out that the incident only impacted payment systems at taprooms and restaurants within stores
A different approach, but possibly not the best one.
Not the most technical/legal explanation of the new EU regs, but this Daily Mail piece by Ben Ellery does convey some of what is concerning businesses:
Computer hacking victims will be able to claim thousands of pounds in compensation under new laws – even if they do not lose any money.
The ‘distress’ they suffer will be enough to qualify for a payout regardless of whether their accounts have actually been raided.
And with the potential damages as high as £6,000 per person, companies with millions of customers could be left crippled by a cyber-attack.
Read more on The Daily Mail.
Now it would be great if businesses were so concerned that they: (1) collected and stored less data, and (2) provided better security for the data they do collect and store, but as Ellery notes, what happens if companies just decide to take a risk and not report breaches for fear of penalties? Hmmm…
A ‘toss away’ comment without context. How many of these were critical to the prosecution? How many cases involved terrorists?
Michael Balsamo reports:
The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.
In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.
Read more on Philly Voice.
How would you regain trust after the DHS claims you were spying?
Kaspersky Really Wants People and Governments to Trust It Again
The U.S. Department of Homeland Security has banned federal agencies from using its products, due to its alleged ties with Russian intelligence, and even the electronic retailer Best Buy has pulled Kaspersky’s antivirus.
… On Monday morning, the firm said it would allow an independent review of its source code by “an internationally recognized authority” in the first quarter of 2018, along with an independent review of its internal processes to determine their integrity.
The company also promised three “transparency centers” in the U.S., Europe and Asia, to allow clients and governments to review its code and the rules it uses to detect threats. The centers will open between 2018 and 2020, it said.
… It is not uncommon for major software firms with government contracts to allow those governments to inspect their code—Microsoft does it, for example, in order to assure agencies around the world that Windows and other products do not contain backdoors.
An article for my Computer Security students.
How I Socially Engineer Myself Into High Security Facilities
Continuing our “We don’t know what is happening in our own business” discussion.
Bank of America's Merrill Lynch fined £35m by UK watchdog
The US bank failed to report nearly 69 million transactions over two years, the Financial Conduct Authority said.
… The bank said it had reported the issue as soon as it was discovered and was "wholly committed" to following financial regulations.
… The types of trades involved, known as derivatives, can create a "complex web of interdependence" that then make it difficult to identify risks, according to the watchdog.
Merrill Lynch said it had alerted authorities that it had failed to report the financial trades between February 2014 and February 2016.
Mark Steward, the FCA's head of enforcement, said firms needed to ensure their reporting systems worked properly.
For my lawyer friends and the geeks who support them.
Stay Up To Date With These Legal Technology Blogs
The majority of jurisdictions (28) now require lawyers to stay on top of legal technology changes. This means that the majority of lawyers have an ethical obligation to learn about and understand technology in order to make informed decisions about whether to use technology in their practices.
… Aside from attending on-point CLEs, one of the easiest ways to learn about legal technology is to use an RSS feed reader such as feedly (my feed reader of choice), subscribe to a number of legal technology blogs, and spend a few minutes each day reading them and learning about the latest legal technology trends.


(Related) Here are some of the best legal blogs in the US.
The Expert Institute's Best Legal Blog Contest
Every one of these blogs has earned its spot as a leader in its category, but now it's time for our readers to select the best of the best - creating the most definitive list of the Internet's top legal blogs.
Perspective.
MasterCard Says Signatures No Longer Required at the Checkout Counter
Checks are basically extinct. Cash is almost gone. Credit cards are being replaced by phones. And even the cards are changing — though that’s going slower than originally planned.
… MasterCard just announced it’s doing away with a policy where merchants must require signatures from customers at checkout counters. The action concerns all transactions in the U.S. and Canada.
The phase-out will be complete by April 2018
Marcus is a bit obsessive, but that just means he lists EVERYTHING. You have to pick and choose.
New on LLRX – Open Educational Resources (OER) Sources 2018
by Sabrina I. Pacifici on Oct 22, 2017
Via LLRX – Open Educational Resources (OER) Sources 2018 – Costs continue to rise for students who are pursuing college and post graduate degree programs. By leveraging best practice sites, services and non-traditional options to expand knowledge, skills and abilities in many disciplines, students can choose from a wide range of options to complete their respective goals. This guide by Marcus Zillman is a comprehensive listing of useful open source educational resources, sites, e-books and courses on the Internet that can assist you in optimizing your learning opportunities.
For the toolkit, and my Computer Security students. (Think of it as backup)
I’ll ask my students which is best.
At the start of 2012, the number of cable TV subscriptions in the United States peaked at 103 million. The figure has now dropped to 96 million, and by the end of 2018, experts believe it will be down to about 92 million.
But all those people haven’t suddenly stopped watching television. Instead, they’re increasingly finding ways to watch TV online for free.
Clearly, there are lots of illegal ways to watch your favorite shows, but there are also plenty of perfectly legal (and free) ways. Here are some of the best…
Beware of passionate people!