Friday, August 17, 2007

The plot sickens...

http://it.slashdot.org/article.pl?sid=07/08/16/207215&from=rss

TJX Security Breach Described

Posted by kdawson on Thursday August 16, @06:22PM from the details-emerging dept.

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' [...and no one noticed? Bob] says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."



Looks like this technique is spreading...

http://www.canada.com/vancouversun/news/story.html?id=ca871c8b-d05a-4ddc-be47-c9f30b669950&k=43701

Shocked shoppers and retailers tighten up on debit card use

Catherine Rolfsen Vancouver Sun Friday, August 17, 2007

Shoppers are thinking twice about using debit cards and retailers are taking extra precautions after a spate of PIN pad frauds victimized at least 200 consumers and four stores at Park Royal Shopping Centre.

West Vancouver police revealed Thursday that Whole Foods, Athletes World, SportChek, and Purdy's Chocolates all had compromised PIN pads planted in their stores between April and July.

The day before, police had refused to identify the affected businesses. Cpl. Fred Harding said he's satisfied none of the stores were complicit in the scheme, in which the rigged devices recorded customer information. Thieves later retrieved them and used the information to create counterfeit cards. [If the thieves retrieved them, would there be any evidence that this happened in many more stores? Bob]

... Although he said he's confident all of Park Royal's compromised PIN pads had been identified, [...then something is missing from this story... Bob] the scam could be reproduced any time.

"Just because you may not have shopped in one of these shops doesn't mean you haven't been targeted," Harding said. [Huh? Bob]

... Whole Foods announced Thursday it would replace all debit units with ones that are affixed to the register, while Purdy's decided to suspend its debit card system until the integrity of each terminal is determined.

United Colors of Benetton assistant manager Debra Lee McCormick said her shop has upped security around PIN pads.

"We used to leave it up here," McCormick said, pointing to her counter. "Since we got the notice, after the transaction's over we just put it away."



Iron Mountain spills data again... A good example of how to kill your reputation.

http://www.pogowasright.org/article.php?story=20070816164601471

Personal Checks Discovered Blowing Down Street

Thursday, August 16 2007 @ 04:46 PM CDT Contributed by: PrivacyNews News Section: Breaches

When Matt Zimmerman and Al Tincher decided to take a lunchtime walk, escaping their New Hope, Minn. offices, they were looking for some exercise. Instead, they found a personal check.

.... In all, three personal checks were found, all with names, addresses and bank account numbers. One check even had a driver's license number. They were all discovered on the same block as a document shredding facility.

... The document shredding company in New Hope is owned by Iron Mountain, a Boston, Mass. information protection and storage corporation.

... Mahoney indicated that Iron Mountain was moving out of the New Hope building, and it's possible that during that process, some non-shredded checks ended up outside the building, on the street.

Source - WCCO



Coverage should be interesting.

http://blog.wired.com/27bstroke6/2007/08/nsa-hearing-ope.html

NSA Judge: 'I feel like I'm in Alice and Wonderland'

By Kevin Poulsen | August 15, 2007 | 6:33:00 PM | Categories: NSA

Ryan Singel and David Kravets are blogging the U.S. 9th Circuit hearing on the NSA's spying, and AT&T's alleged complicity, reporting live from the San Francisco courthouse. Hit 'refresh' in your browser and scroll to the bottom for updates.

David Kravets' Analysis of the political meaning of today's NSA Hearing

Ryan Singel's Analysis: Some Secret Documents Are Too Secret Even for Critical Judges

Audio of the NSA Appeals Court Hearing



This is an oldie, but a goodie...

http://aclu.org/pizza/images/screen.swf
