Tuesday, January 30, 2007

What took you so long?

http://www.telegram.com/apps/pbcs.dll/article?AID=/20070130/NEWS/701300360/1002

Lawsuit filed against TJX

Company director resigns

By Bob Kievra TELEGRAM & GAZETTE STAFF rkievra@telegram.com Jan 30, 2007

FRAMINGHAM – A class action lawsuit was filed yesterday in U.S. District Court in Boston against the TJX Cos., the same day the discount retailer confronting a data breach disclosed the departure of a director and provided additional information about an ongoing investigation.

Two law firms, including Stern Shapiro Weissberg & Garin LLP of Boston, yesterday filed an 11-page complaint against the Framingham company, which announced earlier this month someone broke into its computer system last year and stole credit and debit card numbers.

The lawsuit, filed on behalf of Paula G. Mace of West Virginia, alleges TJX failed to maintain adequate computer data security, [That should be obvious. But is it negligent or even criminal? Bob] which resulted in the exposure of millions of customers’ personal financial information. The company’s actions put customers at risk for fraud and identity theft and other damages, according to the complaint.

The lawsuit was filed the same day the company took a more public role in discussing the data breach, which TJX disclosed Jan. 17. The company also said yesterday that Gary L. Crittenden resigned as a director on Wednesday. Mr. Crittenden, who is also a director at Framingham-based Staples Inc., is executive vice president and chief financial officer at American Express Co.

TJX spokeswoman Sherry Lang could not be reached for comment. She told Bloomberg News the company doesn’t comment on director resignations.

In a video message and memo posted yesterday on the company’s Web site, www.tjx.com, company officials said they waited a month to disclose the mid-December data breach to contain the problem and strengthen the company’s computer network.

TJX purchased a full-page advertisement in the Sunday Telegram and posted updated information on its Web site yesterday, including a 7-1/2 minute video from founder and Chairman Ben Cammarata.

“I regret any difficulties our customers may experience because of this incident,” Mr. Cammarata said while standing in an empty TJX store. “We want our customers to feel safe shopping in our stores and I really believe you are.”

The company said its investigation has determined that customer transactions at its Bob’s Stores were not involved in the data breach and that debit cards issued by Canadian banks also were not affected.

He said TJX has decided not to pay for any credit monitoring because such a service doesn’t detect fraud on debit or credit cards. He also said identity theft as a result of the data breach is unlikely because the vast majority of the stolen information did not include names or addresses. He reminded customers to be wary of potential scams as a result of the data breach. Customers should not provide any personal information about their bank accounts to anyone who might contact them by phone or e-mail, he said.




http://www.networkworld.com/columnists/2007/012907-bradner.html

TJX security breach aftermath: a case study in what to do wrong

Retailer needs to disclose more information before it is forced to

'Net Insider By Scott Bradner, Network World, 01/29/07

Last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week's column is about what TJX has done wrong since the lapse was discovered.

In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.

Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.

TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.

Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.

TJX has not admitted that it was not compliant with the PCI security standards nor has the company committed to becoming compliant in the new ads. Visa's security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.

The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said it has or will destroy the data retained in excess of this standard.

In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol deaths -- get in front of the issue and stay there. But TJX decided to hide its head in the sand instead -- a very poor decision, but a good case study in what not to do.

Disclaimer: I can only guess if the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine.



No entry for TJX, yet. Anyone feel like writing?

http://digg.com/business_finance/A_Community_Driven_to_Do_The_Right_Thing

A Community Driven to Do The Right Thing

Using Digg technology, DoTheRightThing.com is a community driven site that collects information about the social impact of a company's behavior. After 60 days of public scrutiny and voting, a social impact score is calculated. It's a go-to site to find information about a company's behavior and another example of Digg tech used for a new purpose.

http://dotherightthing.com/



In other disasters...

http://www.wcax.com/Global/story.asp?S=6006557&nav=4QcS

State computer hacked, thousands at risk

WATERBURY, Vt. -- A state computer containing the names, Social Security Numbers and bank account information for 70,000 Vermonters has been hacked into in an automated computer attack that puts their personal information at risk for misuse, the state said Monday.

Human Services Secretary Cynthia LaWare said there is no indication the information has been used illicitly, but she said it was possible.

The state is planning to send letters to the affected individuals Tuesday and Wednesday urging them to monitor their bank accounts. It is also offering to pay for credit monitoring.

The Human Services computer was used as a tool to track noncustodial parents who owe back child support. The state and a number of banks exchanged financial information on the computer, which was taken out of service in early December after technicians discovered what they thought was a computer virus.

It remains off-line, officials said.

About 12,000 of the affected individuals owed back child support. The rest of the names -- about 58,800 people -- were supplied to the state by the New England Federal Credit Union, which shared customer information with the understanding that only the data on child support debtors would be used. [So you don't need to be “of interest” to the state to be a victim. Perhaps a more secure way to identify people before you transfer the data would be useful? Bob]

New England Federal CEO David Bard said his organization shared information with the state quarterly, as required by law. Usually, the credit union will only provide the state with information about people known to owe back child support.

But on two occasions, once in 2004 and once in 2005, the credit union supplied the state with 58,800 names and information, almost the entire membership of the Williston-based credit union. The state is then supposed to look in that list for people who owe child support. It is acceptable under federal rules, but more than is required by the state, Bard said. [“It” must be “fishing for felons” Bob]

"We have a number of people who are going to be very frustrated and unsettled by this breach," Bard said. "This never should have happened."

LaWare said the state kept the information on the computer even though it wasn't needed. [Don't do that! Bob]

"We retained that information," LaWare said. "Once we received that information, the state has a responsibility to protect that information."

Customers from eight additional banks and credit unions, representing about 2,800 individuals, were also affected, the state said.

... Thomas Murray, commissioner of the Department of Information and Innovation, said the situation was similar to one in which someone breaks into a file room, but there is no indication if any of the files were looked at.

Murray said there were indications the attacks came from Australia, New Zealand and China, but the origin cannot be determined. The state's computer was being used so it could relay video or be used for other purposes by a remote user such as to launch a denial of service attack; an episode of the television show "Bones" was found on the machine.

"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," LaWare said. [Automated attacks take advantage of “known security vulnerabilities” -- the state probably has the same information but did not use it. Bob]

"They are trying to access the computer for the storage," LaWare said. [Do not attempt to read minds. Bob]

The revelation marks the third time in recent months that state officials have had to answer for computer-related security breaches with the potential to aid identity thieves: [Too busy fighting fires to attempt fire prevention? Bob]
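The Vermont case turned 12,000 debtors into 70,000 victims because the credit union handed over its whole membership and let the state do the matching. The following is an added example (not the state's or the credit union's code) of the safer arrangement hinted at above: the state sends only keyed hashes of the debtor SSNs it is entitled to ask about, the credit union matches those against its own members locally, and only the matching records ever leave the bank. The shared key, the member list and the debtor list are constructed for the example. A keyed HMAC is used rather than a plain hash because SSNs have so little entropy that unkeyed hashes could be reversed by anyone who obtained the token list; a proper private-set-intersection protocol would avoid even the shared key.

```python
import hashlib
import hmac

# Constructed shared secret, agreed out of band between the two parties.
SHARED_KEY = b"constructed-example-key-not-for-real-use"


def token_for(key: bytes, ssn: str) -> str:
    """Keyed hash of an SSN; without the key the token reveals nothing."""
    normalized = ssn.replace("-", "")
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def state_request(key: bytes, debtor_ssns):
    """What the state transmits: tokens only, no SSNs, no names."""
    return {token_for(key, s) for s in debtor_ssns}


def bank_response(key: bytes, members, requested_tokens):
    """What the bank returns: only members whose token was asked for.
    Non-debtor members are never serialized or sent anywhere."""
    return [m for m in members if token_for(key, m["ssn"]) in requested_tokens]


# Constructed credit-union membership (fake SSNs).
MEMBERS = [
    {"name": "A. Member", "ssn": "123-45-6789", "balance": 1500},
    {"name": "B. Member", "ssn": "234-56-7890", "balance": 9200},
    {"name": "C. Member", "ssn": "345-67-8901", "balance": 40},
    {"name": "D. Member", "ssn": "987-65-4321", "balance": 310},
]

# Constructed state debtor list; the last SSN is not a member at all.
DEBTORS = ["123-45-6789", "987-65-4321", "000-00-0000"]


def run_exchange():
    tokens = state_request(SHARED_KEY, DEBTORS)
    return bank_response(SHARED_KEY, MEMBERS, tokens)


if __name__ == "__main__":
    for rec in run_exchange():
        print(rec["name"], rec["ssn"])
```

The property to notice is that a mistake on either side no longer exposes the whole membership: if the state asks about a non-member it simply gets nothing back, and a breach of the state machine exposes only the debtor records it actually needed.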



Just one guy, but he is dangerously knowledgeable... (He recognizes BS when he hears it.)

http://www.technologyreview.com/blog/posts.aspx?id=17512&author=garfinkel

I Am a Victim

How Notre Dame put my SSN on the Internet.

By Simson Garfinkel Monday, January 29, 2007

Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus.

What's so infuriating about this is that I never had anything to do with the University of Notre Dame.

In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn't just provide my test scores and demographic information: it also provided my SSN.

But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?

I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.

The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I'm not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame. [Be certain what you say is true (or at least logical) Bob]

... The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody's SSN, then you must be that person. This has got to change.
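Garfinkel's point about the logs is that "no signs of access" is only as good as the question asked of the access log: a crawler fetch followed by search-engine-referred downloads is the signature of a file that Google has already indexed. The following is an added example, not anything Notre Dame ran, of the check a responder would want: parse Apache-style combined log lines, count successful fetches of the exposed files, flag crawler user agents, and count downloads that arrived via a search result. The log lines, paths and IP addresses are constructed for the example.

```python
import re

# Apache/NCSA "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common crawlers in the User-Agent header.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "baiduspider")

# Constructed sample log: a crawler fetch, a search-referred download,
# a denied directory listing and unrelated traffic.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Jan/2007:03:14:07 -0500] "GET /share/gmat_2001.csv HTTP/1.1" 200 482913 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [20/Jan/2007:22:41:55 -0500] "GET /share/gmat_2001.csv HTTP/1.1" 200 482913 "http://www.google.com/search?q=smith+gmat" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [21/Jan/2007:09:02:13 -0500] "GET /share/ HTTP/1.1" 403 221 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
192.0.2.44 - - [21/Jan/2007:10:15:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0"
this line is not in log format
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that are not log records."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def exposure_report(log_text, sensitive_prefix="/share/"):
    """Summarize who successfully fetched anything under the exposed path."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    fetched = [h for h in hits
               if h["path"].startswith(sensitive_prefix) and h["status"] == "200"]
    crawler = [h for h in fetched if is_crawler(h["ua"])]
    return {
        "successful_fetches": len(fetched),
        "crawler_fetches": len(crawler),
        "first_crawler_fetch": crawler[0]["ts"] if crawler else None,
        "distinct_clients": sorted({h["ip"] for h in fetched}),
        # Downloads whose referrer is a search engine: the file was indexed.
        "search_referred_fetches": sum(1 for h in fetched
                                       if "google." in h["ref"].lower()),
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A report showing even one crawler fetch means the earliest exposure date is the crawl, not the first human download, and that copies may exist in a search cache that the local log can never account for, which is precisely the gap the article describes.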



Blogger rights?

http://www.macnn.com/articles/07/01/29/apple.pays.legal.fees/

Monday, January 29, 2007 @ 1:30pm

Apple pays $700,000 for bloggers' legal fees

Bloggers and online journalists have completed their final victory lap in a protracted fight against Apple. Earlier this month, a Santa Clara County Court ordered Apple to pay the legal fees associated with the defense of subpoenas issued to online journalists (and other related entities) in response to online reports about a confidential audio/video product -- code-named "Asteroid" -- under development at the Cupertino-based company. The "Asteroid" product was never released, but Apple claimed the news reports violated California state trade secret law and that the journalists were not entitled to First Amendment protections. However, following an appeals decision last year that strongly sided with the journalists, the Court ordered Apple to pay all legal costs associated with the defense, including a 2.2 times multiplier of the actual fees. [updated]

... "We can think of no workable test or principle that would distinguish 'legitimate' from 'illegitimate' news," wrote a three judge panel. "Any attempt by courts to draw such a distinction would imperil a fundamental purpose of the First Amendment, which is to identify the best, most important, and most valuable ideas not by any sociological or economic formula, rule of law, or process of government, but through the rough and tumble competition of the memetic marketplace," the judges added.



Recourse? At least this article points out a couple more avenues of attack.

http://www.banktechnews.com/article.html?id=20070129OYR8ALCW

February 2007

Legal: Breaches in Court: No Harm, No Foul

Several times in the past year, data breach victims have argued the potential for harm is enough to make banks and other firms pay. Judges have soundly disagreed.

By Glen Fest

... What's analogous with these cases, besides the lack of fraud activity, is that in the past year each of these federal cases was tossed out on its ear by judges ruling that without actual losses, there was no standing to sue for negligence. In Giordano vs. Wachovia, U.S. District Judge Jerome Simandle found there was not even precedence to order Wachovia to pay for credit monitoring. He called "inapt" an attempt by plaintiff lawyers to equivocate credit impairment to previous case law recognizing the damages for future harm in medical issues, such as chemical exposure.

... The most notable breach case was last year's Guin vs. Brazos, in which Brazos was accused of negligence under both Minnesota state laws and the "duty of care" responsibilities carried in Gramm-Leach-Bliley's data protection statute. Although Johnson won the case for Brazos, he noted it was the first case of its kind where a negligence claim under GLB was made, and one where his client agreed that the student had the right to use the GLB statute.

... Even though banks and other firms are getting cases thrown out where actual harm is absent, the eventual impact of the Brazos precedence means that failure to live up to GLB standards, which actually don't call for any prescriptive measures like encryption, may be the centerpiece of future claims if it's shown an improper GLB risk assessment, says Johnson.

Eric Durr, an associate with Halleland Lewis and former deputy chief compliance officer with U.S. Bancorp, says the legal and regulatory environment for banks around data breaches is only going to get deeper, as laws become supplemented by a regulatory squeeze, including the FFIEC exam manual which now "dictates that each one of the banks needs to conduct a risk assessment of both its business line as well as operations security compliance."



This means most do not! The detail is interesting...

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-29-2007/0004514835&EDATE=

Two out of Five Identity Theft Victims Know Source of Crime, According to Identity Theft Assistance Center Survey

Data on Identity Theft Sources Can Help Protect Consumers

WASHINGTON, Jan. 29 /PRNewswire-USNewswire/ -- Two out of five identity theft victims surveyed by the Identity Theft Assistance Center (ITAC) know how their personal data was stolen, providing valuable insight about how identity theft occurs.



Too hard to give us what we need? “Give us everything and we'll fish around till we find something.”

http://news.com.com/2100-7348_3-6154457.html?part=rss&tag=2547-1_3-0-5&subj=news

FBI turns to broad new wiretap method

By Declan McCullagh Story last modified Tue Jan 30 06:19:12 PST 2007

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible.

Call it the vacuum-cleaner approach. It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch.

The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.

In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents' default method for Internet surveillance. "You collect wherever you can on the (network) segment," he said. "If it happens to be the segment that has a lot of IP addresses, you don't throw away the other IP addresses. You do that after the fact."

"You intercept first and you use whatever filtering, data mining to get at the information about the person you're trying to monitor," he added.

On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique.

"What they're doing is even worse than Carnivore," said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. "What they're doing is intercepting everyone and then choosing their targets." [First get the fish in the barrel, then shoot. Bob]

When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBI's current Internet eavesdropping techniques have received little attention.

Carnivore apparently did not perform full-pipe recording. A technical report (PDF: "Independent Technical Review of the Carnivore System") from December 2000 prepared for the Justice Department said that Carnivore "accumulates no data other than that which passes its filters" and that it saves packets "for later analysis only after they are positively linked by the filter settings to a target."

One reason why the full-pipe technique raises novel legal questions is that under federal law, the FBI must perform what's called "minimization."

Federal law says that agents must "minimize the interception of communications not otherwise subject to interception" and keep the supervising judge informed of what's happening. Minimization is designed to provide at least a modicum of privacy by limiting police eavesdropping on innocuous conversations.

Prosecutors routinely hold presurveillance "minimization meetings" with investigators to discuss ground rules. Common investigatory rules permit agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the spot-monitoring sessions.

That section of federal law mentions only real-time interception--and does not explicitly authorize the creation of a database with information on thousands of innocent targets.

But a nearby sentence adds: "In the event the intercepted communication is in a code or foreign language, and an expert in that foreign language or code is not reasonably available during the interception period, minimization may be accomplished as soon as practicable after such interception."

Downing, the assistant deputy chief at the Justice Department's computer crime section, pointed to that language on Friday. Because digital communications amount to a foreign language or code, he said, federal agents are legally permitted to record everything and sort through it later. (Downing stressed that he was not speaking on behalf of the Justice Department.)

"Take a look at the legislative history from the mid '90s," Downing said. "It's pretty clear from that that Congress very much intended it to apply to electronic types of wiretapping."

EFF's Bankston disagrees. He said that the FBI is "collecting and apparently storing indefinitely the communications of thousands--if not hundreds of thousands--of innocent Americans in violation of the Wiretap Act and the 4th Amendment to the Constitution."

Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said a reasonable approach would be to require that federal agents only receive information that's explicitly permitted by the court order. "The obligation should be on both the (Internet provider) and the government to make sure that only the information responsive to the warrant is disclosed to the government," he said.

Courts have been wrestling with minimization requirements for over a generation. In a 1978 Supreme Court decision, Scott v. United States, the justices upheld police wiretaps of people suspected of selling illegal drugs.

But in his majority opinion, Justice William Rehnquist said that broad monitoring to nab one suspect might go too far. "If the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call," he wrote.

Another unanswered question is whether a database of recorded Internet communications can legally be mined for information about unrelated criminal offenses such as drug use, copyright infringement or tax crimes. One 1978 case, U.S. v. Pine, said that investigators could continue to listen in on a telephone line when other illegal activities--not specified in the original wiretap order--were being discussed. Those discussions could then be used against a defendant in a criminal prosecution.

Ohm, the former Justice Department attorney who presented a paper on the Fourth Amendment, said he has doubts about the constitutionality of full-pipe recording. "The question that's interesting, although I don't know whether it's so clear, is whether this is illegal, whether it's constitutional," he said. "Is Congress even aware they're doing this? I don't know the answers."



Brief overview...

http://www.infosecwriters.com/texts.php?op=display&id=532

Enterprise Rights Management (ERM): Architectural Approaches

by Avoco Secure on 29/01/07

One of the prime features of electronic documents is their ease of movement. They can be passed from one person to another not just to share and disseminate information but also to collaborate on that information. This key attribute of electronic documents gives them the technological edge over paper, supporting the ultimate goal of the ‘paperless office’.

In contradiction to this freedom of movement is a need to control document content and ensure that it does not get into the wrong hands or is used illegitimately. Enterprise rights management systems (ERM) attempt to combat this data leakage by going a step beyond encryption and adding controls to the use of the content of a document (not just protecting the file itself). However, the way that an ERM system approaches this task is vital in retaining the fluid communication characteristic of electronic documents.

If the system in any way reduces or removes the inherent fluidity of a document, then this vital feature of free-flowing movement will be lost.

This document is in PDF format.



Tools & Techniques Unlikely? Where would the X-ray source be located?

http://www.breitbart.com/news/na/paXrayMon03Xraycameras.html

X-ray cameras on lampposts plan

Jan 29 12:18 AM US/Eastern

The Government is considering installing X-ray cameras on lampposts to spot armed terrorists and other criminals.

According to a leaked memo seen by The Sun, "detection of weapons and explosives will become easier" if the scheme drawn up by Home Office officials is adopted.

However, officials acknowledged that it would be highly controversial as the cameras can "see" through clothing.

"The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors," the memo warned.

"Privacy is an issue because the machines see through clothing."

The Sun reported that the memo, dated January 17, was drawn up by the Home Office for the Prime Minister's working group on security crime and justice.

It noted that some technologies used for airport security had already been used in police operations searching for drugs and weapons in nightclubs.

"These and other could be developed for a much more widespread use in public places," it said.

"Street furniture could routinely house detection systems that would indicate the likely presence of a gun for example."

A Home Office spokeswoman said: "We don't comment on leaked documents".



Forward to your security guru (Came to me from my favorite Law Librarian)

Laptop, PC and Removable Media Encryption Webinar

Wednesday, January 31st at 2:00 PM ET

Starbucks coffee is on us! See below

We would like to invite you to a webinar co-hosted by BEW Global & Voltage for "Laptop, PC and Removable Media Encryption". In today's mobile environment, mission-critical data routinely leaves the confines of the enterprise on laptops and other mobile devices. Unfortunately, the convenience of laptops also presents a real risk--lost and stolen laptops represent the most common source of potentially leaked data. Data protection is a must today.

Join BEW Global and Voltage Security for an overview of best practices, and how Voltage SecureDisk can fit into your data protection strategy. During this webinar, the Voltage team will then provide an overview on how their portfolio of solutions can help protect data for the following scenarios:

Voltage SecureDisk™ uses strong whole disk encryption to ensure that even in the event of a lost laptop, there is always data protection.

Voltage SecureMail Blackberry enables users to securely send and receive sensitive ad-hoc business communication with their Blackberry.

Voltage SecureMail is the first secure encrypted email solution that makes secure ad-hoc business communication easy.

See why organizations like HealthSouth, NTT Communications, California Department of Health Services and Health Axis have leveraged the Voltage solutions as part of their data protection frameworks.

We know you have every possible product vendor and re-seller banging on your door, so the least we can do is buy you a cup of coffee, tea or whatever suits your fancy at Starbucks as thanks for taking time with our firm. All attendees of the webinar who stay for the entire presentation will receive a $5.00 Starbucks card.

To register for this event, please email information@bewglobal.com with the following information:

Name and date of event: Laptop, PC and Removable Media Encryption Webinar

Name of your organization:

Email address:

Phone number:

Upon receipt of the registration information, we will provide the webinar conference details for phone and web access.
