Tuesday, October 06, 2009

Update: Only 16 suits?

http://www.databreaches.net/?p=7687

Lawsuits over Heartland data breach folded into one

October 5, 2009 by admin Filed under Breach Incidents, Financial Sector, ID Theft, U.S.

Jaikumar Vijayan reports:

A lawsuit consolidating 16 separate class-action complaints brought by financial institutions against Heartland Payment Systems Inc. has been filed in U.S. District Court for the Southern District of Texas.

[...]

The amended complaint includes for the first time several statements that Heartland is alleged to have made regarding the controls it had in place to protect credit and debit card data just prior to the breach. The fact that the company suffered the breach despite its claimed security measures shows that Heartland either negligently or deliberately misrepresented the facts, the lawsuit alleged.

Read more in Computerworld

[From the article:

So far, Heartland has publicly admitted to spending nearly $13 million on breach-related costs, and analysts expect that the incident will cost the company millions more in the coming years.

… The cases were consolidated in federal court in Texas because Heartland's data centers are located in that state, Sauder said.


(Related) Surely they still teach CEOs how to avoid putting their feet in their mouths? This fails the test for inspiring customer confidence too. Even if it is true (and I agree it is), after a statement like this they had better show significant additional effort to secure their records.

http://www.databreaches.net/?p=7684

Lawsuit: Heartland Knew Data Security Standard was ‘Insufficient’

October 5, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Financial Sector, Hack, ID Theft, Of Note, U.S.

Linda McClasson reports:

Months before announcing the Heartland Payment Systems (HPY) data breach, company CEO Robert Carr told industry analysts that the Payment Card Industry Data Security Standard (PCI DSS) was an insufficient protective measure.

This is the contention of a new master complaint filed in the class action suit against Heartland, which in January announced a data breach that is now estimated to be the largest known hack, involving 130 million credit and debit card accounts.

Read more on BankInfoSecurity.com

[From the article:

Heartland executives have said consistently that the company was PCI-compliant at the time of the breach, which the complaint now says may have begun as early as December 2007. Visa, however, removed Heartland from its list of PCI-compliant service providers in March of this year, and one Visa security executive was quoted as saying "We have never seen anyone breached that was PCI compliant." [But both TJX and Heartland had been certified just before (or during, in TJX's case) their breaches. Very weasel-word statement. Bob]

Heartland was re-certified as PCI compliant in May.



Interesting statistic. Not reflected in breach disclosures to my knowledge.

http://news.slashdot.org/story/09/10/05/2251233/72-of-Banks-Say-Their-Employees-Committed-Fraud?from=rss

72% of Banks Say Their Employees Committed Fraud

Posted by kdawson on Monday October 05, @11:54PM from the by-the-wheelbarrow-full dept.

yahoi writes

"The financial crisis appears to be exacerbating fraud by bank employees: a new survey found that 72 percent of financial institutions say that in the last 12 months they have experienced a case of data theft by one of their workers. Meanwhile, most banks don't want to talk about the insider threat problem and remain in denial, says a former Wachovia Bank executive who handled insider fraud incidents at the bank and has co-authored a new book called Insidious — How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them that investigates several real-world insider fraud cases at banks."

The article dispels one assumption that might commonly be made about such insider fraud: "Interestingly, it's not the stereotypical offshore or outsourced employee who's most risky to their organizations. Nearly 70 percent of financial institutions say their full-time employees are most likely to pose an insider fraud threat..." Technology workers placed third in the roster of the job categories most abused.



The title alone practically guaranteed it would leak. Perhaps it should be required reading for my Computer Security students – if they get arrested, they fail the class.

http://yro.slashdot.org/story/09/10/06/0349209/Ministry-of-Defences-How-To-Stop-Leaks-Document-is-Leaked?from=rss

Ministry of Defence's "How To Stop Leaks" Document Is Leaked

Posted by samzenpus on Tuesday October 06, @04:16AM from the there's-no-fighting-in-the-war-room dept.

samzenpus writes

"A restricted 2,400-page document [No doubt everyone signs a document claiming they have read and understood it... Bob] put out by the MoD designed to help intelligence personnel with information security has been leaked onto the internet. Wikileaks notes that Joint Services Protocol 440 (JSP 440) was published in 2001 and lays out protocols to defend against hackers, journalists, and foreign spies. It says, 'Leaks usually take the form of reports in the public media which appear to involve the unauthorized disclosure of official information (whether protectively marked or not) that causes political harm or embarrassment to either the UK Government or the Department concerned... The threat [of leakage] is less likely to arise from positive acts of counter-espionage, than from leakage of information through disaffected members of staff, or as a result of the attentions of an investigative journalist, or simply by accident or carelessness.' "

Looks like it's time to write JSP 441.

[From the article:

The document is particularly keen to avoid the attentions of journalists, noting them as "threats" alongside foreign intelligence services, criminals, terrorist groups and disaffected staff.

As far as traditional espionage and intelligence threats go, the document singles out the Chinese as having "a voracious appetite for all kinds of information; political, military, commercial, scientific and technical."

However, it is "very different to the portrayal of 'Moscow Rules' in the novels of John Le Carre". The Chinese agencies do not "run agents", but instead "make friends", as befits intelligence officers in the Facebook era.



Perhaps the words “public records” no longer mean what I thought they did?

http://www.pogowasright.org/?p=4395

FBI investigated coder for liberating paywalled court records

October 6, 2009 by Dissent Filed under Surveillance, U.S.

Ryan Singel reports:

When Aaron Swartz, a 22 year-old programmer, decided last fall to help an open government activist amass a public and free copy of millions of federal court records, he did not expect he’d end up with an FBI agent trying to surveil his house.

But that’s what happened, as Swartz found out this week when he got his FBI file through a Freedom of Information Act request. A partially-redacted FBI report shows the feds mounted a serious investigation of Swartz for helping put public documents onto the public web.

[...]

The Great Court Records Caper began last year when the judiciary and the Government Printing Office experimented with giving away free access to PACER at 17 select libraries around the country. Swartz decided to use the trial to grab as many of the public court records as he could and, perversely, release them to the public.

Read more on Threat Level.


(Related) but perversely reverse logic... We used to just flash our headlights. Now we have to send an instant message or update a map.

http://www.techcrunch.com/2009/10/06/trapster-speed-trap-app-dowloads-hit-50000day/

Trapster Speed Trap App Downloads Hit 50,000/Day

by Michael Arrington on October 6, 2009

A must-have iPhone application for people who drive a lot is Trapster – the app for avoiding speed traps.



Interesting “Futures” article.

http://www.wired.com/techbiz/people/magazine/17-10/st_thompson

Clive Thompson on How the Real-Time Web Is Leaving Google Behind

By Clive Thompson 09.21.09

… People increasingly turn to the Internet for up-to-the-minute information about, well, everything—blog postings about celebrity antics, status updates from friends, and pictures and videos of political events as they unfold, like the protests over the Iranian election. Studies have shown that these types of search requests are on the rise.

Pundits call it the real-time Web. It's upending the Internet as we've known it, and it's not something that Google can easily dominate.


(Related) Freebies become much more expensive. (Not that anyone has given me anything. Honest, FTC guys!)

http://news.cnet.com/8301-13577_3-10368064-36.html?part=rss&subj=news&tag=2547-1_3-0-20

Yes, new FTC guidelines extend to Facebook fan pages

by Caroline McCarthy October 5, 2009 4:51 PM PDT

… Here's a sample scenario: a celebrity or other prominent figure with loads of friends on Facebook receives free hotel stays from Hotel Chain X in exchange for running Hotel Chain X ads on his or her blog. If that person then signs up as a Facebook fan of Hotel Chain X--which, remember, could mean that the person's name can show up for his or her Facebook friends alongside Hotel Chain X display ads on the social network--he or she could be held liable by the FTC.



It looks like journalism (cops are arresting protesters on 5th Avenue) but the FBI calls it aiding and abetting.

http://www.pogowasright.org/?p=4383

Man arrested for twittering goes to court

October 6, 2009 by Dissent Filed under Court, Govt, Internet, Surveillance, U.S.

Kevin Bankston of EFF writes:

Over the past day, everyone has been reporting about the arrest last month of Elliot Madison for twittering about police movements to protesters during the G-20 Summit in Pittsburgh, PA.

The reason this is being reported on now is because last Thursday the FBI also raided Mr. Madison’s home in Queens, NY, followed on Friday by Mr. Madison’s filing of a motion in the Eastern District of New York federal court in Brooklyn for the return of his seized property.

In reviewing all the stories, we saw lots of quotes from Mr. Madison’s legal filings and from the Pennsylvania state criminal complaint against him, but no links to the legal papers themselves. As a resource to journalists and interested readers, we are posting Mr. Madison’s motion and his lawyer’s supporting declaration; attached to the declaration are copies of the search warrant, an inventory of the seized items, and the original criminal complaint.



She probably should. These are “stalker friendly” (and terrorist friendly) issues.

http://www.pogowasright.org/?p=4379

Will Erin Andrews Sue Marriott, Ramada?

October 5, 2009 by Dissent Filed under Breaches, Businesses, Surveillance, U.S.

Robert J. Ambrogi writes:

The question is probably not, “Will she?” but “When will she?”

On Friday, the FBI arrested 48-year-old Michael David Barrett and charged him with secretly taping ESPN sports reporter Erin Andrews in the nude and posting the videos on the Internet. Andrews’ attorneys, Marshall B. Grossman and Daniel Alberstone of Bingham McCutchen, quickly issued a statement praising the FBI and the U.S. Attorney in Los Angeles for making the arrest — and revealing that the Bingham attorneys and the private investigation firm Kroll Inc. played key roles in the investigation.

But Grossman was not so kind toward the hotel where the filming took place. He criticized management at the Nashville Marriott at Vanderbilt University for booking Barrett into the room adjacent to Andrews and questioned the hotel’s attention to privacy and security. “One can’t pass this off to simple ignorance,” Grossman said.

Read more on Law.com



Security just got a bit tougher...

http://www.npr.org/templates/story/story.php?storyId=113509667

Tale Of Exploding Assassin Worries Security Officials

by Mary Louise Kelly October 6, 2009

… The assailant had a bomb hidden inside his body in an elaborate effort to kill the Saudi prince.

… Barrett says this was a key part of al-Qaida's plan: to get the prince talking on a cell phone. "The prince was on the telephone when the signal was sent to detonate the bomb that was concealed inside Assiri," he says.



More Twitter statistics than I've been able to get my head around. Might be a few examples for my Statistics class.

http://www.techcrunch.com/2009/10/05/twitter-data-analysis-an-investors-perspective/

Twitter Data Analysis: An Investor’s Perspective

by Guest Author on October 5, 2009



For the Swiss Army folder

http://www.makeuseof.com/tag/a-free-open-source-alternative-to-microsoft-visio/

A Free Open Source Alternative to Microsoft Visio

Oct. 6th, 2009 By Karl L. Gechlik

Do you diagram? Chart? Maybe you sketch room layouts or wiring schematics? How about flow charts?

Most people in the corporate world use the industry standard (and expensive) Microsoft Visio. So what do you do if you are in need of Visio but you can’t afford it or don’t want to use another Micro$oft product? Are there any free Visio alternatives?

Dia for Windows http://dia-installer.de/index_en.html



For the “Learn to be a Geek” folder...

http://www.techradar.com/news/world-of-tech/10-useful-video-sites-to-teach-you-new-tech-skills-640740

10 useful video sites to teach you new tech skills

Increase your tech IQ with video instead of words

By Aditya Chandrasekhar



Ooooo! I want one!

http://www.youtube.com/watch?v=7H0K1k54t6A
