Friday, March 30, 2007

I have been finding a few details of the TJX breach in the news but not in their SEC filing. The “informal” source is TJX spokeswoman Sherry Lang. NOTE: They have updated their Frequently Asked Questions (FAQ) but there is no indication of that until you click on the undated link and scroll to the bottom of the page to see the date (March 28, 2007). And they still make statements like this:

How many payment card numbers were used fraudulently?

We do not know whether any fraudulent use has occurred or if so, to what extent. Law enforcement has advised us that they are investigating what may be fraudulent use of information stolen from our systems. We have provided extensive transaction information to the banks and payment card companies, but they have not shared details of possible fraudulent use with us.

This seems contradicted by this week's story about the card scam in Florida (http://www.boston.com/business/personalfinance/articles/2007/03/29/store_ids_led_to_arrests/) and, as far back as January, by the banks (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1241259,00.html).


http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=2418

Retailer suffers world's biggest ever data breach

Forty five million credit card details fraudulently accessed over 18 months

By Jaikumar Vijayan, Computerworld

... In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. [This suggests it was useful to hold the announcement. One assumes this access was traced. Bob] However, no data appears to have been stolen after 18 December 2006, when the intrusion was first noticed.

... It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to. [You can bet this will be of utmost interest to the Security community... Bob]

... "We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.


http://www.infoworld.com/article/07/03/29/HNtjxpayment_1.html?source=rss&url=http://www.infoworld.com/article/07/03/29/HNtjxpayment_1.html

Payment systems culprit in TJX heist

Security experts contend that criminals found a common weakness in retailers' defenses by targeting TJX's payment card systems

By Matt Hines, IDG News Service March 29, 2007

... At the time that TJX hired IBM and General Dynamics to begin investigating the break-in during Dec. 2006, the consultants found that the malware tools used by the data thieves were still present in the company's systems.

... The analyst said that sources were telling her that the attack carried out against TJX originated in Eastern Europe and likely took advantage of an unprotected wireless network somewhere at the company to break into the software controllers that drive its point-of-sale registers in addition to hacking into its back-end systems.

Most companies do not monitor all their point-of-sale controllers, and from there, the criminals were likely able to find a way to penetrate the firm's back-end servers, she said.


http://www.eweek.com/article2/0,1759,2109299,00.asp?kc=EWRSS03119TX1K0000594

TJX Intruder Had Retailer's Encryption Key

By Evan Schuman, Ziff Davis Internet March 29, 2007

The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain's encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.

... The intruder or intruders here apparently planted software in TJX systems to capture data throughout the day and they also engaged in an increasingly popular tactic: post-event cleanup.

That's where intruders spend extra effort cleaning up their tracks—deleting and otherwise tampering with log files, [This should not be possible in a reasonable security system Bob] changing clock settings and moving data to hide their movements.

... Veteran retail technology analyst Paula Rosenblum, a vice president with Retail Systems Alert Group, said the fact that the software went undiscovered for so long is most troubling.

“It’s incomprehensible that what amounts to a computer worm was placed on mission-critical systems at one of the world’s largest retailers and remained there—undiscovered—for 18 months. The scope of the theft is stunning," she said.
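The two articles above describe point-of-sale controllers that nobody monitors and intruders who delete or edit log files and reset clocks to hide their movements. What follows is an added example, not code from the articles or from TJX, of the minimum a monitoring system needs so that this kind of cleanup is at least detectable: every log record is chained to the previous one with an HMAC, and the last tag is shipped to a remote collector. The key value, the host name pos-ctl-17, the IP addresses and the log messages are all constructed for the example; the key is assumed to be held by the logging daemon rather than by the application process an intruder would normally control.

```python
"""Tamper-evident event log: an added example, not code from the articles or TJX.

Each record carries an HMAC-SHA256 over its sequence number, timestamp, message
and the previous record's tag, so the records form a chain.  A verifier holding
the key, plus the last tag the remote collector received, can detect the cleanup
moves described in the articles: deleted records, edited records, a clock wound
backwards, and a silently truncated tail.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # "previous tag" of the very first record

# Assumed: this key lives with the logging daemon, not with the application
# process an intruder would normally control.  Constructed value for the example.
KEY = b"example-key-held-by-log-daemon"


def _body(seq, ts, msg, prev):
    """Canonical byte string that the tag covers."""
    return f"{seq}|{ts}|{msg}|{prev}".encode()


def append_record(log, key, ts, msg):
    """Append one record to `log` (a list of dicts), chained to the previous tag.
    `ts` is an integer epoch timestamp.  Returns the new record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    tag = hmac.new(key, _body(seq, ts, msg, prev), hashlib.sha256).hexdigest()
    log.append({"seq": seq, "ts": ts, "msg": msg, "prev": prev, "tag": tag})
    return tag


def verify_chain(log, key, known_tail=None):
    """Return a list of findings; an empty list means the chain is intact.
    `known_tail` is the last tag the remote collector received, if any.  Without
    it a truncated tail is indistinguishable from a log that is simply short."""
    findings = []
    prev, last_ts = GENESIS, None
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            findings.append(f"seq gap at position {i}: expected {i}, got {rec['seq']}")
        if rec["prev"] != prev:
            findings.append(f"broken link at seq {rec['seq']}")
        expected = hmac.new(key, _body(rec["seq"], rec["ts"], rec["msg"], rec["prev"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            findings.append(f"bad tag at seq {rec['seq']}")
        if last_ts is not None and rec["ts"] < last_ts:
            findings.append(f"clock went backwards at seq {rec['seq']}")
        prev, last_ts = rec["tag"], rec["ts"]
    if known_tail is not None and prev != known_tail:
        findings.append("tail mismatch: collector last saw a tag this log does not end with")
    return findings


def build_sample_log():
    """Constructed sample: three events from a hypothetical POS controller."""
    log = []
    append_record(log, KEY, 1166000000, "pos-ctl-17: admin login from 10.1.4.22")
    append_record(log, KEY, 1166000060, "pos-ctl-17: new service installed: cardcap.exe")
    append_record(log, KEY, 1166000120, "pos-ctl-17: outbound 10.1.4.22 -> 203.0.113.5:443")
    return log


def tampered_examples():
    """Apply each cleanup move to a fresh copy of the sample log and verify it."""
    deleted = build_sample_log()
    del deleted[1]                                          # drop the record naming the malware
    edited = build_sample_log()
    edited[1]["msg"] = "pos-ctl-17: routine maintenance"    # rewrite it in place, no key
    clocked = build_sample_log()
    append_record(clocked, KEY, 1165000000, "pos-ctl-17: system idle")  # clock set back
    truncated = build_sample_log()
    anchor = truncated[-1]["tag"]                           # what the collector already holds
    truncated.pop()                                         # remove the last record
    return {
        "deleted": verify_chain(deleted, KEY),
        "edited": verify_chain(edited, KEY),
        "clock": verify_chain(clocked, KEY),
        "truncated_no_anchor": verify_chain(truncated, KEY),
        "truncated_with_anchor": verify_chain(truncated, KEY, known_tail=anchor),
    }


if __name__ == "__main__":
    for name, findings in tampered_examples().items():
        print(f"{name}: {findings or 'intact'}")
```

An intruder who can both write the log file and read the key can recompute every tag after an edit, so the remote anchor (the tag the collector last received) is what ultimately catches a rewrite or a truncation; the HMAC chain catches the cheaper cleanup of deleting or editing records without the key, and the sequence and timestamp checks catch gaps and a clock set backwards. Forwarding each record to the collector as it is written, rather than in batches, keeps the window in which a tail can vanish unnoticed small.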



“Let the executions begin!” (various)

http://techdirt.com/articles/20070329/104337.shtml

Weak Fines Aren't Going To Stop Data Leaks

from the falling-short dept

The concept of "pretexting" -- posing as somebody else in order to gain access to their personal information -- got a lot of publicity when it was revealed that HP investigators used the tactic to spy on board members and journalists. However, it's a problem that's been going on for some time, and the usual responses to it gloss over the fact that wireless operators' inadequate security is to blame for these leaks as much as any fraudster. Many attempts to enact or strengthen legislation in this area focus on people selling the information, rather than doing anything to force the operators to better secure their customers' private data, but the FCC has proposed a $100,000 fine against virtual operator Amp'd for its shoddy safeguards to protect users' calling records. The amount is a drop in the bucket for the company, or any other operator, and isn't likely to do much in the way of motivation, since enacting better security procedures probably costs more than the fine. This is a big problem with pretexting, or other forms of identity theft: companies have very little motivation to do much to prevent it, since the costs of a leak are borne largely by the victims or third parties. Many companies, including the wireless operators, have been very successful with their PR efforts to make themselves look like victims here, and generate the public perception that hackers and criminals are the real problem, when corporate sloppiness, incompetence and disinterest are more to blame.



True enough?

http://www.wave3.com/Global/story.asp?S=6299761&nav=0RZF

Veterans argue stolen information could still pose risk

March 29, 2007 03:00 PM

(LOUISVILLE) -- Data thieves could have swiped personal information on millions of veterans from a stolen laptop and be waiting for the right time to use it, according to a court filing from veterans who sued last year over the highly publicized theft.

Federal officials say they are confident that no sensitive information was copied from the laptop, which was taken from a Veterans Affairs analyst's Maryland home on May 3 and recovered on June 29. The computer contained sensitive information on 26.5 million veterans in the VA's system.

... The veterans said in a court filing Wednesday that the suits should go forward because, among other reasons, the data could have been accessed and copied by thieves without leaving any evidence of tampering. The information on the laptop included the names, birth dates and social security numbers of veterans discharged since 1975, which identity thieves could use to apply for credit cards or loans.

... Attorneys for the government said the suit should be thrown out because, among other reasons, the plaintiffs lack standing to sue under the federal Privacy Act.

... But attorneys for the veterans argued that sophisticated identity thieves depend on intermediaries to bring them raw data from stolen hard drives and personal computers. They said thieves could "lie low" until the public uproar dies down.

"Will it happen next month or two months from now or a year from now because somebody got it?" said Douglas J. Rosinski, a South Carolina attorney who represents the Vietnam veterans. "The worry itself is harm, and we oppose the government's position that 'Hey, we got it back, no harm occurred.'"



There are many cases like the VA laptop theft...

http://www.channel4.com/news/articles/society/health/stolen+hospital+laptop+recovered/355722

Stolen hospital laptop recovered

Last Modified: 29 Mar 2007 Source: PA News

A stolen laptop containing information on about 11,000 young patients has been recovered by police.

The computer - carrying names, addresses and dates of birth of children aged eight months to eight years old - was one of three taken from an office at King's Mill Hospital, in Sutton-in-Ashfield, Nottinghamshire, on Wednesday.

It was found after a "detailed investigation" by detectives, Notts Police said.

... A man and a woman have been arrested in connection with the theft and a second burglary. They have been released on police bail pending further inquiries.



...and they can critique your grammar (and grampar).

http://techdirt.com/articles/20070329/120008.shtml

Software Needed To Detect If This Post Is Or Is Not True

from the quandary dept

No matter what advances technology throws at us, people remain fascinated with developing the ability to detect when people are lying. Polygraphs remain largely inaccurate (and easily gamed), so researchers focused on the legal, security and defense markets remain busy, while others explore new ways to detect lies and learn more about people in other fields as well. While we've seen before applications for mobile phones that purport to be able to detect lies, some researchers at Cornell now think they can develop software that will be able to detect lies in emails and text messages. They say they can use linguistic information like word choice, shifts in verb tense and use of the passive voice to detect lies, and they've analyzed materials such as emails from the Enron fraud case to hone their methods. They plan to spend the next three years working on a system to evaluate the content and context of communications, with a view to training software to be able to detect subtle changes that may indicate a lie. Or at least that's what the article says. After all, they could be lying.



Sounds like this one will be amusing...

http://yro.slashdot.org/article.pl?sid=07/03/29/1836235&from=rss

Google to Viacom - The Law is Clear, and On Our Side

Posted by Zonk on Thursday March 29, @04:11PM from the time-is-on-their-side-too-i'm-told dept. Google The Courts

An anonymous reader writes "Google responded to the opinion piece in the Washington Post by a Viacom Lawyer with a letter to the editor titled 'An End Run on Copyright Law.' Their strong wording sends a very concrete message: 'Viacom is attempting to rewrite established copyright law through a baseless lawsuit. In February, after negotiations broke down, Viacom requested that YouTube take down more than 100,000 videos. We did so immediately, working through a weekend. Viacom later withdrew some of those requests, apparently realizing that those videos were not infringing, after all. Though Viacom seems unable to determine what constitutes infringing content, its lawyers believe that we should have the responsibility and ability to do it for them. Fortunately, the law is clear, and on our side.'"


No copyright issue here, right?

http://www.bespacific.com/mt/archives/014424.html

March 29, 2007

Appellate Courts Go Live on Case Management/Electronic Case Files

The Third Branch, March 2007: "Some day in the not-too-distant future, locating and reading a brief filed in a federal appellate case will become as easy as finding an appeals court opinion. And electronic appellate briefs will feature hyperlinks to lower court rulings, statutes, regulations, and other cited materials. “Judges generally are excited about having attorneys file briefs that contain hyperlinks to citations,” said Gary Bowden, chief of the Administrative Office’s Appellate Court and Circuit Administration Division. “And through PACER (the Public Access to Court Electronic Records system) these briefs will be available to everyone.” Until late last year, 10 of the 12 regional appellate courts were using an antiquated system of receiving, storing and tracking their cases, a system that at age 20 was long overdue for retirement. The St. Louis-based U.S. Court of Appeals for the 8th Circuit took a giant step in December when it became the first of those 10 courts to go live with Case Management/Electronic Case Files (CM/ECF). The rest are to follow by the end of 2007."


Another approach to copyright infringement?

http://www.washingtonpost.com/wp-dyn/content/article/2007/03/28/AR2007032802038.html?referrer=digg

McLean Students Sue Anti-Cheating Service

Plaintiffs Say Company's Database of Term Papers, Essays Violates Copyright Laws

By Maria Glod Washington Post Staff Writer Thursday, March 29, 2007; Page B05

Two McLean High School students have launched a court challenge against a California company hired by their school to catch cheaters, claiming the anti-plagiarism service violates copyright laws.

The lawsuit, filed this week in U.S. District Court in Alexandria, seeks $900,000 in damages from the for-profit service known as Turnitin. The service seeks to root out cheaters by comparing student term papers and essays against a database of more than 22 million student papers as well as online sources and electronic archives of journals. In the process, the student papers are added to the database.

Two Arizona high school students also are plaintiffs. None of the students is named in the lawsuit because they are minors.

"All of these kids are essentially straight-A students, and they have no interest in plagiarizing," said Robert A. Vanderhye, a McLean attorney representing the students pro bono. "The problem with [Turnitin] is the archiving of the documents. They are violating a right these students have to be in control of their own property."

... Attorneys for the company and various universities and public school systems, including Fairfax, have concluded that the service doesn't violate student rights. [No bias here! Bob] Turnitin is used by 6,000 institutions in 90 countries, including Harvard and Georgetown universities, company officials have said. Some public schools in Arlington, Prince George's and Loudoun counties use the service.

According to the lawsuit, each of the students obtained a copyright registration for papers they submitted to Turnitin. The lawsuit filed against Turnitin's parent company, iParadigms LLC, seeks $150,000 for each of six papers written by the students.

One of the McLean High plaintiffs wrote a paper titled "What Lies Beyond the Horizon." It was submitted to Turnitin with instructions that it not be archived, but it was, the lawsuit says.

Kevin Wade, that plaintiff's father, said he thinks schools should focus on teaching students cheating is wrong.

"You can't take a person's work and run it through a computer and make an honest person out of them," Wade said. "My son's major objection is that he does not cheat, and this assumes he does. This case is not about money, and we don't expect to get that."

Andrew Beckerman-Rodau, co-director of the intellectual property law program at Suffolk University Law School, said that although the law regarding fair use is subject to interpretation, he thinks the students have a good case.

"Typically, if you quote something for education purposes, scholarship or news reports, that's considered fair use," Beckerman-Rodau said. "But it seems like Turnitin is a commercial use. They turn around and sell this service, and it's expensive. And the service only works because they get these papers."



Interesting business model. You easily could do this at home, in your spare time.

http://www.techcrunch.com/2007/03/29/sellaband-music-model-may-be-working/

SellABand Music Model Gaining Traction

Michael Arrington March 29 2007

Marshall Kirkpatrick wrote about German startup SellABand when it launched last August.

Like Amie Street, SellABand has an innovative way for struggling new artists to get their music heard, and make some money as well. Artists sign up and upload some of their music. Users listen to it. If they like it, they pay $10. If a band reaches $50,000 in donations, SellABand helps them record an album with a studio and expert producer.

It’s great in theory. At the time of our original post there wasn’t much data - 130 bands had signed up in the first couple of weeks, and had raised a few hundred dollars each.

But a few months later, wow. 2700 bands from all over the world have signed up, and four have already reached the $50,000 mark and have recorded albums (Nemesea, Cubworld, Second Person and Clemence), and more are on the way. Mandyleigh, one of our readers, is currently no. 4 on the top list and looks to be headed to the studio soon.

Listeners who donate to an artist get a free CD when the goal is reached - and are refunded their money if it isn’t. Artists get 1/3 of all advertising revenue from their profile, and 60% of proceeds from eventual album sales. They also get all rights back to their music a year after the album comes out.



No doubt it is copyrighted and the RIAA will sue...

http://www.bbspot.com/News/2007/03/riaa-lawsuit-matrix.html

RIAA Lawsuit Decision Matrix

By Brian Briggs Thursday, March 29 12:00 AM ET

BBspot has obtained secret documents which RIAA lawyers use to determine whether to file a lawsuit against a copyright violator. These documents give insight into the RIAA's decision-making process, and could help people avoid lawsuits in the future. We offer these documents as a public service.



http://www.youtube.com/watch?v=VcP3V9bgUoI

Emily of the State - Internet Spying Short
