Saturday, February 14, 2009

Another exhausting meeting of the Privacy Foundation yesterday. We made a bunch of hard decisions (I had the Chicken Cordon Bleu and a nice Pinot Noir), discussed the current financial crisis (How big should the tip be to provide adequate economic stimulus?) and considered future seminar topics, which of course will include the Heartland Payment Systems breach.



These are the easy ones. Crooks so dumb they stand in front of the surveillance video camera while using the counterfeit cards.

http://www.databreaches.net/?p=1489

First arrests made in Heartland data breach case

Posted February 13th, 2009 by admin

Chuck Miller reports:

Three men have been arrested in Tallahassee, Fla., in connection with the Heartland Payment Systems data breach, authorities said.

The men, Tony Acreus, Jeremy Frazier and Timothy Johns, each were charged with multiple counts of credit card fraud, police said. The arrests were part of a larger investigation into the breach,

[...]

“There is no evidence that they were the masterminds of this breach,” Drzewiecki said. “All that we were able to connect is that the credit card numbers were stolen in the hijacking of the records from the Heartland processing center.”

Read more in SC Magazine

[From the article:

The suspects were running a sophisticated criminal enterprise, according to police. [Sounds better than: “They're too stupid to pour water out of a boot if the directions are written on the heel.” Bob] Law enforcement organizations, which included the U.S. Secret Service, are looking into how the men were able to obtain the data. [My money is on e-mail. Bob]


From a similar article: Suggests this wasn't a direct link from HPS (which was only identified last month) but rather some credit card crooks who happened to have HPS data in addition to whatever was traced to them.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127984&intsrc=hm_list

First arrests made in Heartland breach case

The arrests followed a three-month investigation of a major stolen credit card ring by the sheriff's office, the Tallahassee Police Department and the U.S. Secret Service.


Related. This one should be very interesting...

http://www.ad-hoc-news.de/heartland-payment-systems-announces-conference-call-to--/de/Unternehmensnachrichten/20047508

Company news 13.02.2009 18:07

Heartland Payment Systems Announces Conference Call to Discuss Fourth Quarter and Fiscal Year End 2008 Results

… Chairman & Chief Executive Officer Robert Carr and President & Chief Financial Officer Robert Baldwin will host a conference call beginning at 8:30 AM Eastern Time, Tuesday, February 24, 2009, to discuss fourth quarter and fiscal year end 2008 results and conduct a question and answer session.

Heartland Payment Systems invites all interested parties to listen to its conference call broadcast through a webcast on the Company's website. To access the call, please visit the Investor Relations portion of the Company's website at: www.heartlandpaymentsystems.com. The webcast will be archived on the Company's website within two hours of the live call and will remain available through Friday, May 22, 2009.


For those keeping score

http://www.bankinfosecurity.com/articles.php?art_id=1210

Heartland Data Breach: List of Victims Grows; First Arrests Made

… The list of financial institutions impacted by the Heartland Payment Systems (HPY) breach now tops 220



I'm pretty sure this is just bad reporting of the HPS breach, but then again it could be a new one...

http://www.reviewonline.com/page/content.detail/id/510475.html?nav=5008

Debit card breach a nation-wide occurrence

By JEN MATSICK jmatsick@reviewonline.com POSTED: February 14, 2009

CHESTER - A security compromise at VISA has affected the use of debit cards for customers of banks nationwide, including Hancock County Savings Bank.

… Human Resource and Marketing director Barbara Matey stated that the breach is a nationwide occurrence and does not solely affect Hancock County Savings Bank customers.



It's not the size, it's the frequency (and the fact that they aren't reported). Do your employees install P2P software at your organization?

http://www.databreaches.net/?p=1487

More p2p fiascos

Posted February 13th, 2009 by admin

Rian from RedTeam Protection, a division of Tony Josephs and Sons Investigations Inc., just sent me another batch of p2p cockups that exposed personal — and in some cases — sensitive medical — information. In each case, RedTeam advised the entity and/or helped ensure removal of the filesharing application. Some of these breaches are more security-related than privacy-related, but they’re all reminders of the risks. What a shame that most of these never seem to get reported to states so that they can be included in our chronologies and databases. RedTeam doesn’t reveal the names of the entities, however, and treats all of their findings as confidential.

An employee of a Virginia based family counseling corporation leaked out 1,698 files onto the gnutella file sharing network. These documents included Individualized Service Plans, which included psychological evaluations, Medicaid numbers, social security numbers, and dates of birth.

The administrator of a California based treatment home leaked 1,632 business documents onto the gnutella P2P network, including Individualized Service Plans containing dates of birth, complete medical histories, and health insurance numbers.

The owner of a California based music studio published 2,436 business related files onto the gnutella file sharing network. The files included personal contact information and signatures of well known musicians.

An executive at a United Arab Emirates based insurance provider made publicly accessible 2,435 business related documents, including insurance numbers, scanned certificates, and workers compensation claims.

A Turkish accountant published 6,882 files onto the gnutella file sharing network, which included client balance sheets, account numbers, nondisclosure agreements, confidential merger information, and five years of faxes stored on the accountant’s hard drive.

A family counselor at a Washington, DC based treatment center made 4,886 files accessible over the gnutella file sharing network. These files included the personal identifiers of juveniles seeking treatment for various behavioral issues, in addition to psychological profiles and emergency contact information.

A facilities manager at a national engineering consultancy published 13,038 files onto the gnutella file sharing network. These files contained confidential security and safety information for a manufacturing plant, numerous vendor non disclosure agreements and internal correspondence.

A security manager at a Louisiana based chemical plant leaked 107 confidential files onto the gnutella P2P network. These files included bomb threat procedures, internal contact numbers, login names and passwords for the plant security system, contingency management documents and radio frequency assignments.

An employee of a presidential protection unit in Africa published 2,298 files onto the gnutella file sharing network, including intelligence reports regarding child soldiers and pending investigations.

An executive at an Indonesian airline corporation published 9,263 files onto the gnutella P2P network, including security documents, human resource information and thousands of files relating to internal communications and vendor relations.

The superintendent/former superintendent of a Texas based school district published 11,884 internal files onto the gnutella file sharing network. These files included confidential correspondence with parents, confidential grade sheets with dates of birth and student ID numbers, and confidential statistics listing grades sorted by demographics such as age and race.

Previous coverage of p2p breaches here.



More on how NOT to design your security (There's no example like a bad example)

http://www.pogowasright.org/article.php?story=20090213152337624

DVD Planet Uses 'Ebay' For Password, Sends It To You Via Email If You Ask

Friday, February 13 2009 @ 03:23 PM EST Contributed by: PrivacyNews

Update to a story posted earlier today...

Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you'd automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you'd done the same thing to her. Yep! And the password was "Ebay."

Source - The Consumerist



If the Obama team is taking the same position as the Bush team, isn't it possible that there is some kind of National Security implication here?

http://www.pogowasright.org/article.php?story=20090213142214892

In Spy Case, Obama's Justice Department Holds Fast to State Secrets Privilege

Friday, February 13 2009 @ 02:22 PM EST Contributed by: PrivacyNews

The Obama administration on Thursday invoked the state secrets privilege for the second time in a week, this time in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.

The move came days after U.S. Attorney General Eric Holder announced the department was reviewing all the litigation it inherited from the Bush administration in which the privilege was invoked.

Source - Threat Level



This could be big for Linux.

http://yro.slashdot.org/article.pl?sid=09/02/13/2345232&from=rss

Microsoft Sued Over Vista-To-XP Downgrade Fees

Posted by Soulskill on Friday February 13, @07:22PM from the can't-win-for-losing dept. Microsoft The Courts News

Krojack writes with this excerpt from Computerworld

"Los Angeles resident Emma Alvarado charged Microsoft with multiple violations of Washington state's unfair business practices and consumer protection laws over its policy of barring computer makers from continuing to offer XP on new PCs after Vista's early-2007 launch. Alvarado is seeking compensatory damages and wants the case declared a class-action suit. ... Irked at having to pay a fee for downgrading a new Lenovo notebook to XP, Alvarado said that Microsoft had used its position as the dominant operating system maker to 'require consumers to purchase computers pre-installed with the Vista operating system and to pay additional sums to "downgrade" to the Windows XP operating system.'"



Cure these, rule the world!

http://tech.slashdot.org/article.pl?sid=09/02/13/1852241&from=rss

UC Berkeley Lab Examines Cloud Computing Obstacles

Posted by ScuttleMonkey on Friday February 13, @02:30PM from the just-throw-money-at-it dept. Networking Technology

alphadogg writes

"UC Berkeley researchers have outlined their view of cloud computing, which they say has great opportunity to exploit unprecedented IT resources if vendors can overcome a litany of obstacles. 'We argue that the construction and operation of extremely large-scale, commodity-computer data centers at low-cost locations was the key necessary enabler of Cloud Computing,' The paper outlines 10 obstacles to cloud computing [PDF]."



How to find how tos – my kind of list!

http://news.cnet.com/8301-17939_109-10163564-2.html?part=rss&subj=news&tag=2547-1_3-0-5

How to find how-tos on the Web

by Don Reisinger February 13, 2009 3:25 PM PST

5min, eHow, Expert Village, Howcast, Instructables
