Sunday, May 03, 2009

"It ain't over till it's over." - Yogi Berra, ball player and legal philosopher.

http://www.databreaches.net/?p=3417

Pointer: The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

May 2, 2009 by admin Filed under: Breach Reports

David Navetta has an interesting piece on InfoSec Compliance that begins this way:

Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact, most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.

However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter “Issuing Banks” or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S. Court of Appeals for the First Circuit (the “Appellate Court”). The 1st Circuit’s opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX’s inadequate security amounted to an unfair business practice under Massachusetts’s unfair and deceptive business practices law.

Read more on InfoSecCompliance.com



Interesting failure. Based on the pictures of a skimmer attached to an ATM here in Denver, it should be easily visible on the surveillance videos, let alone to anyone servicing the ATMs. Are they not bothering to look? Perhaps a computer could compare “before” and “after” images of the ATM and flag any modification?
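The “before and after” comparison suggested above can be done with plain frame differencing from a fixed camera. The following is an added example, not code from the original post or from any bank: it assumes two grayscale frames of the ATM fascia as 2-D lists of 8-bit values (constructed here), removes the frame-wide brightness shift with a median so that a lighting change does not trigger an alert, and then flags any block whose residual difference stays large, which is what a bolted-on overlay looks like.

```python
"""Added example: flag localised changes on an ATM fascia between a
reference frame and a later frame from the same fixed camera.

Assumptions (constructed, not taken from the article): frames are 2-D
lists of grayscale ints 0-255 of identical size; a skimmer shows up as a
compact, persistent difference, while lighting drift shifts the whole
frame by roughly the same amount.
"""
from statistics import median


def global_shift(reference, current):
    """Frame-wide brightness change. The median ignores the few pixels a
    tampered region contributes, so the overlay does not bias the baseline."""
    diffs = [c - r for ref_row, cur_row in zip(reference, current)
             for r, c in zip(ref_row, cur_row)]
    return median(diffs)


def block_scores(reference, current, block=4):
    """Mean absolute difference per block after removing the global shift.
    Keys are (block_row, block_col); values are the residual scores."""
    shift = global_shift(reference, current)
    rows, cols = len(reference), len(reference[0])
    scores = {}
    for by in range(0, rows, block):
        for bx in range(0, cols, block):
            total, count = 0, 0
            for y in range(by, min(by + block, rows)):
                for x in range(bx, min(bx + block, cols)):
                    total += abs((current[y][x] - reference[y][x]) - shift)
                    count += 1
            scores[(by // block, bx // block)] = total / count
    return scores


def flag_modifications(reference, current, block=4, threshold=20.0):
    """Blocks whose residual difference exceeds the threshold, sorted."""
    scores = block_scores(reference, current, block)
    return sorted(key for key, score in scores.items() if score > threshold)


def make_frames():
    """Constructed 16x16 sample: a flat fascia, then the same fascia under a
    +10 lighting change with faint checkerboard noise and a bright 4x4 patch
    (the hypothetical overlay) at rows 4-7, columns 8-11."""
    size = 16
    reference = [[100] * size for _ in range(size)]
    current = [[110 + ((x + y) % 2) for x in range(size)] for y in range(size)]
    for y in range(4, 8):
        for x in range(8, 12):
            current[y][x] = 200
    return reference, current


if __name__ == "__main__":
    ref, cur = make_frames()
    # Only the patched block is reported; the lighting change is absorbed.
    print(flag_modifications(ref, cur))
```

In practice the reference frame would be refreshed by the servicing technician after each legitimate change, and the threshold tuned against a few weeks of normal footage so that shadows and reflections stay below it.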

http://www.databreaches.net/?p=3430

NY: Thieves raid accounts of Staten Island bank

May 2, 2009 by admin Filed under: Financial Sector, Skimmers, U.S.

Barton Horowitz of the Staten Island Advance reports:

An ATM security breach at SI Bank & Trust’s Oakwood branch that went undetected for more than a month is under investigation by the FBI. Apparently, bank officials were not aware of the crime until the stealth thieves began cashing in on the stolen data.

… Fifty of the bank’s customers were directly affected by the theft, and the bank made good the approximately $53,000 in total that was pilfered from their accounts, Armstrong said.

[From the article:

Upon learning of the theft, the bank scrutinized security tapes from the branch, working backwards to early March, Armstrong said.

Once the specific day of the March data theft was revealed, the bank blocked further use of all cards used at the ATM vestibule on that day, although it turned out only one of the machines had been tampered with.]



Remember the name of every bone, muscle and nerve in the human body? No problem. Remember any ethical or regulatory duty? No way.

http://www.databreaches.net/?p=3433

4 more employees gone after sneaking into octuplets’ files

May 2, 2009 by admin Filed under: Healthcare Sector, Insider, U.S., Unauthorized Access

Sarah Tully of The Orange County Register reports:

Four more hospital employees this week were forced out of their jobs for sneaking into the octuplets’ mother’s private medical records, a hospital spokeswoman confirmed today.

Previously, another 15 employees were terminated and eight were disciplined for improperly looking at mother Nadya Suleman’s documents at Kaiser Permanente Bellflower Medical Center. That brings to a total of 27 employees disciplined for accessing the files of the world-famous mother and Orange County resident.



Perhaps the computer isn't always right? What kind of certification would be required to avoid this in future? (The results of the NJ source code review were pretty damning.)

http://yro.slashdot.org/article.pl?sid=09/05/02/1646213&from=rss

MN Supreme Court Backs Reasoned Requests For Breathalyzer Source Code

Posted by Soulskill on Saturday May 02, @01:27PM from the if-you-work-for-it dept.

viralMeme writes with news that the Minnesota Supreme Court has upheld the right of drunk-driving defendants to request the source code for the breathalyzer machines used as evidence against them, but only when the defendant provides sufficient arguments to suggest that a review of the code may have an impact on the case. In short: no fishing expeditions. The ruling involves two such requests (PDF), one of which we've been covering for some time. In that case, the defendant, Dale Underdahl, simply argued that to challenge the validity of the charges, he had to "go after the testing method itself." The Supreme Court says this was not sufficient. Meanwhile, the other defendant, Timothy Brunner, "submitted a memorandum and nine exhibits to support his request for the source code," which included testimony from a computer science professor about the usefulness of source code in finding voting machine defects, and a report about a similar case in New Jersey where defects were found in the breathalyzer's source code. This was enough for the Supreme Court to acknowledge that an examination of the code could "relate to Brunner's guilt or innocence."



How to greatly irritate a Supreme: take him at his (non-judicial) word. (Anyone want a copy of this? It's pretty dull.)

http://www.pogowasright.org/article.php?story=20090502070415402

Justice Scalia's Dossier: Interesting Issues about Privacy and Ethics

Saturday, May 02 2009 @ 07:04 AM EDT Contributed by: PrivacyNews

Dan Solove comments on Justice Scalia's comments about privacy and an assignment Professor Joel Reidenberg gave his students to compile a dossier on Justice Scalia.

Also see the professor's response and comments.



This is one of those articles that is just too absurd to believe. I tracked down what was actually said. I suspect there is some kind of “change to function” process that requires advance notice, proof of testing, training, etc. But this would have been a “return to original status” and there should have been a quick/cheap/simple protocol for that.

http://news.cnet.com/8301-1009_3-10232284-83.html?part=rss&subj=news&tag=2547-1_3-0-5

Feds' red tape left medical devices infected with computer virus

by Stephanie Condon May 2, 2009 9:29 AM PDT

… Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.

… The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs and were often found in or near intensive care unit facilities, connected to local area networks with other critical medical devices.

"They should have never, ever been connected to the Internet," Joffe said.

Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

[Joffe's testimony: http://energycommerce.house.gov/Press_111/20090501/testimony_joffe.pdf ]



For the “Someday I might want to be a stalker...” file.

http://www.makeuseof.com/tag/how-to-trace-a-mobile-phone-location-with-google-latitude/

How To Trace a Mobile Phone Location with Google Latitude

May. 2nd, 2009 By Ryan Dube

… The cool thing about Google Latitude is that there are really no fancy, expensive gadgets required. All you need is a mobile phone and you can build what’s essentially a GPS network of friends, without the need for GPS technology.

… The convenience of Google Latitude is that you don’t need GPS, and it’ll work on almost any mobile phone that can use Google Maps. According to Google, these include Android-powered devices, iPhone, BlackBerry, Windows Mobile 5.0+ and Symbian.



Another article for Cindy's “Sex & Power” class.

http://tech.slashdot.org/article.pl?sid=09/05/03/0855202&from=rss

The In-House Decency Patrol at Facebook

Posted by timothy on Sunday May 03, @08:04AM from the keeping-the-milquetoast-lukewarm dept.

theodp writes

"How'd you like a job where you get fired if you DON'T view porn at work? Newsweek reports on Facebook's internal police force of 150 staffers who are charged with regulating users' decorum, hunting spammers and working with actual law-enforcement agencies to help solve crimes. Part hall monitors, part vice cops, the $50,000-a-year 'porn cops' also keep Facebook safe for corporate advertisers."
