http://www.databreaches.net/?p=1660
Meanwhile, back at the Heartland breach
February 21, 2009 by admin
Like most blogs, DataBreaches.net totally abandoned any attempt to track all of the affected entities. Instead, we have been trying to support BankInfoSecurity.com’s efforts to keep track. Expect the numbers of affected banks and credit unions to rise to 500 or more next week after they have a chance to enter about five dozen links to reports of affected institutions this site sent them in the past 24 hours. Not all reports assert unequivocally that their members’ or customers’ cards were affected, but all of the institutions were affected in terms of proactively replacing cards or in other ways. Some of the credit unions and banks did an excellent job of providing information on their web sites linked from their home page, while others did not make clear whether any of their customers were actually affected. [Perhaps a research paper for my Computer Security class? Bob]
It is hard to fathom what the total cost of this breach will be. As one example, the North Carolina State Employees Credit Union was hit especially hard. Earlier this week, David Morrison of The Credit Union Times reported:
The $16.5 billion State Employees’ Credit Union has, so far, had more than 500,000 of its credit and debit cards involved in the Heartland Payment Systems breach and is facing the prospect of more, according to the credit union’s CEO Jim Blaine.
Blaine estimated the costs of closing accounts and reissuing plastics, so far, at more than $1.5 million. According to the credit union’s September 2008 call report, State Employees’ credit union has more than 190,000 credit card accounts and more than 1.6 million share draft accounts that are eligible for debit cards.
Then, too, there is the impact of consumers. Although many sources have indicated that the consumers have zero liability protection, for many consumers, their ability to function was impacted when banks suddenly imposed restrictions such as limiting cards to PIN-based transactions only and blocking signature-based transactions. Other institutions imposed caps on daily limits. This is a breach that has clearly affected many people already.
In a recent communication, Jason Maloni, Heartland spokesperson, indicated that the processor had been notified on October 28th by Visa and MasterCard after approximately 1,000 fraud reports led to them identifying Heartland as the source of the breach. In a separate statement on January 21, CUNA Mutual Group explained their part in uncovering the breach:
In October, CUNA Mutual notified Visa and MasterCard of higher-than-normal fraud activity after credit unions began informing the insurer of a spike in plastic card fraud and related activities. “CUNA Mutual Risk Management detected that something big was happening,” Cashman said. “We reported our findings to both card associations to help facilitate an investigation to determine if a breach had occurred and, if so, its origin.”
[The “impact map” is here: http://www.bankinfosecurity.com/heartland_breach.php
Once a hacking technique proves successful against one target, wouldn't you take a shot at every possible target you can find?
http://www.databreaches.net/?p=1686
More details on the second processor breach (corrected and updated)
February 21, 2009 by admin
My googling skills are paying off. Found this on TVACU.com: (not CardNet as originally cited; the CardNet notice is provided below the TVACU.com notice)
On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates.
As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach. [Other than it involves the same crooks using the same techniques to penetrate a network (in)secured the same way? Bob]
Update Good reason to be concerned.
http://it.slashdot.org/article.pl?sid=09/02/22/1048252&from=rss
Uncle Sam's Travel Site Grounded By Breach
Posted by timothy on Sunday February 22, @07:41AM from the bailout-is-in-order dept. Security Government United States
McGruber writes
"Northrup-Grumman's Govtrip.com website has been shut down following a security breach, according to a report by 'Security Fix' blogger Brian Krebs. Being a federal employee and frequent work traveler, I am (was?) a Govtrip user. My agency required me to use Govtrip to book all of my trips, including my airfare, car rentals, and hotel reservations, so Northrup-Grumman's Govtrip databases contain my frequent flier numbers, Avis & Budget car rental numbers and frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.) numbers. Northrup-Grumman also stored all of my trip itineraries, including destinations, dates & modes of travel and the particular vendors (airline, hotel, rental car brand, etc.) used on a particular trip. Also stored on the website were my work travel credit-card (it has a $15,000 charge limit), personal checking account where my travel reimbursements were deposited, my home address, and emergency contacts ... just imagine what an accomplished social engineer can do with that combination of information!"
Have I got this right? “The law is wrong, so we need another law saying you can't do what the first law says you can do?”(Another case of treating the symptoms rather than the cause?)
http://www.pogowasright.org/article.php?story=20090221075120205
Too Much Information? Critics Decry Sites That Mine Public Data
Saturday, February 21 2009 @ 07:51 AM EST Contributed by: PrivacyNews
If you want to know the names of people in Tennessee who have permits to carry concealed weapons ... or the folks who contributed their money in support of California's ballot measure to ban gay marriage ... the answers are just a few keystrokes away.
And that's too close for comfort, some privacy law experts say.
To some, it's all about the public's right to know. But for others, it's too much information. Transparency, they say, can lead to intimidation, harassment and even death threats.
Source - MyFOX Boston
[From the article:
Increased listing of public information by political activists and media organizations has led some to question whether posting data made public through state campaign finance disclosure laws and other methods exceeds the public's right to know.
Related Who owns the data and what will they allow you to do with it?
http://www.pogowasright.org/article.php?story=200902210746479
Security, Privacy And Compliance In The Cloud
Saturday, February 21 2009 @ 07:46 AM EST Contributed by: PrivacyNews
One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain’t easy!"
"Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual’s right to privacy and if I violate that I’ve violated a public trust. That’s a level of responsibility that most computer security people don’t have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later."
Source - InformationWeek
News from Big Brother Land... (Comments are amusing) Just think of it as an additional cost of your liquor license. Fortunately something like this could never, never happen in the land of the free...
http://yro.slashdot.org/article.pl?sid=09/02/22/0821204&from=rss
London Police Seek To Install CCTV In Pubs
Posted by timothy on Sunday February 22, @04:33AM from the well-they-do-call-it-a-public-house dept. Privacy Government
JCWDenton writes
"The Met Police got a short sharp rap over the knuckles yesterday, as the Office of the Information Commissioner questioned what looks very much like a blanket policy to force CCTV onto public houses in certain parts of London. The story begins with a letter to the Guardian last week, from Nick Gibson. He is currently renovating Islington pub The Drapers Arms, after its previous owners allowed it to go insolvent and then disappeared. In his letter, he argues that if he had merely taken over an existing licence, the police could not have imposed any additional conditions. However, because this was now a new licence, the police were able to make specific requests, including one particular request in respect of installing CCTV."
...but it could happen in Chicago. Where does this rank on the importance to society scale? Ask yourself this: “We need ubiquitous surveillance more than [….] because...” (Substituting your favorite underfunded project(s) as appropriate.)
http://yro.slashdot.org/article.pl?sid=09/02/21/0425218&from=rss
A Surveillance Camera On Every Chicago Street Corner?
Posted by Soulskill on Saturday February 21, @08:17AM from the must-cctv dept. Privacy News
Mike writes
"Chicago Mayor Daley has stated that if his Olympic dreams come true, by 2016 there will be a surveillance camera on 'every street corner in Chicago.' Just like in London, elected officials all over America appear to be happily advancing a 'surveillance society' without regard for civil rights or privacy concerns. Ray Orozco, executive director of Chicago's Office of Emergency Management and Communications is quoted as saying, 'We're going to grow the system until we eventually cover one end of the city to the other.'"
Chicago has been developing its surveillance network for some time, but it seems they plan to continue increasing the scale.
Of course we in Colorado have had a download sales tax for some time now. Not that there aren't a few ways to avoid paying it...
http://news.slashdot.org/article.pl?sid=09/02/21/1724230&from=rss
Wisconsin Passes Digital Download Tax
Posted by Soulskill on Saturday February 21, @01:23PM from the harvesting-the-tubes dept.
McGruber writes with news that the State of Wisconsin has passed legislation to extend sales tax to digital downloads. The new law will go into effect on October 1st. Estimates suggest that the 5% tax on "downloads of music, games, books, ring tones and other video entertainment" will bring in $6.7 million annually. "[Wisconsin Governor Jim Doyle] has been fighting for the change for years. He and other state officials say it is a matter of fairness: Internet vendors shouldn't have a tax-exempt advantage over Wisconsin's brick-and-mortar retail stores." Similar legislation has been proposed in North Carolina, and we've previously discussed New York's foray into taxing sales made online in addition to downloaded purchases.
Business proposition: I need an aggressive young lawyer to write up a notice I can email to everyone who updates software on my computer (still less than 100 companies) offering to host a test of anything (not part of their product) they want to load onto my machine without notice. You write the notice, generate the bill, draft an appropriately nasty collection letter, and do that “we're gonna sue!” dance – and you can have 99% of anything you collect.
http://developers.slashdot.org/article.pl?sid=09/02/21/1955220&from=rss
Sun Slips Firefox Extension Into Java Update
Posted by timothy on Saturday February 21, @03:31PM from the we-thought-you-wanted-it dept. Java Mozilla Sun Microsystems
pcardno writes
"It seems it's not just Microsoft that have spotted a good opportunity to distribute their software through Firefox Addons. On installing the latest annoying, sysbar bubble based Java update, my Firefox informed me that I had a wonderful new Java addon automatically. Here's the addon screenshot. Yes, I could opt out of it, but why are Sun installing Addons to my Firefox without me making specific choices in the application itself? To be clear — I have never chosen to install this Addon, yet it has been installed without my permission with the latest Java Update."
For my Geek friends. Carry a spare Operating System in your pocket.
http://www.pakblogger.com/how-to-install-ubuntu-810-using-usb/
How To Install Ubuntu 8.10 Using USB
February 21, 2009 ·
Ubuntu 8.10 is more stable and secure as compare to earlier versions. The new “carry on USB” feature lets you download and install Ubuntu via a USB flash drive instead of burning it to a CD. Here is a short tutorial on how you can install Ubuntu 8.10 using a flash drive.
Related. Why you might want to become familiar with Ubuntu...
http://news.cnet.com/8301-19413_3-10168951-240.html?part=rss&subj=news&tag=2547-1_3-0-5
Ubuntu now has 'cloud computing inside'
by James Urquhart February 20, 2009 10:50 PM PST
… It sounds like the majority of the work on the server side in Karmic Koala will be around cloud computing. Here is the entire text of that portion of the announcement:
A good Koala knows how to see the wood for the trees, even when her head is in the clouds. Ubuntu aims to keep free software at the forefront of cloud computing by embracing the API's of Amazon EC2, and making it easy for anybody to setup their own cloud using entirely open tools.
Research: There are several sites like this one. (Free accounts are limited to 50 survey invitations a month.)
http://www.killerstartups.com/Web-App-Tools/esurveyspro-com-create-surveys-and-polls-online
eSurveysPro.com - Create Surveys And Polls Online
eSurveysPro.com is a company that provides a wide array of services related to surveys in general. The services they provide have a wide range of applications and can be easily used by independent web developers or just anyone who feels like making a survey. The tools they provide make it easy for anyone to give it a shot and create their own survey. The choices are endless counting a survey editor, 14 question types and the possibility to control the way your surveys flow.
Apart from making it possible to collect information easily, they provide many different ways to analyze the data collected. To start with, the reports may be produced in real-time and if you were to wish doing so, you can also export the data to be analyzed offline using different tools such as excel amongst others.
No comments:
Post a Comment