Wednesday, December 30, 2009

Apparently, there are ways around the notification laws. (Amazing what a smart lawyer and a dumb manager can do.) More news leaks out. How many retailers were hacked? Will we ever know?

http://www.databreaches.net/?p=9211

Target Co was victim of hacker Albert Gonzalez

December 29, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Malware, Of Note, U.S.

Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind [...if someone who noticed that there is no WiFi security can be called a mastermind. Bob] of the biggest identity theft in U.S. history.

[...]

Target spokeswoman Amy Reilly said her company was among the victims, having had an “extremely limited” number of payment card numbers stolen by Gonzalez about two years ago.

She declined to say how many card numbers had been stolen, and described the term of the exposure as brief.

“A previously planned security enhancement was already under way at the time the criminal activity against Target occurred,” Reilly said. “We believe that, at most, only a tiny fraction [...of the millions and millions... Bob] of guest credit and debit card data used at our stores may have been involved.”

She said that Target had notified the card issuers, leaving them to tell their customers. [Is that legal? Bob]

Read more on Reuters.


(Related) There may be two other “double secret victims.”

http://www.wired.com/threatlevel/2009/12/heartland-guilty-plea/

Albert Gonzalez Pleads Guilty in Heartland, 7-11 Breaches — Updated

By Kim Zetter December 29, 2009 3:39 pm

… Gonzalez, known by the online nicks “segvec” and “Cumbajohnny,” was charged in August in New Jersey, along with two unnamed Russian conspirators, with hacking into Heartland Payment Systems, a New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed “major” national retailers identified only as Company A and Company B.

… On Monday, Company A filed a sealed motion in Boston and a request for oral argument in the case.

The court docket doesn’t indicate the nature of the filings, but in November, Company A filed a letter with the court indicating that it might intervene in the case to obtain a protective order to ensure the company’s “dignity, privacy and anonymity.”

Prosecutors told Threat Level in August that they were not identifying the two anonymous retailers because the companies have never acknowledged publicly that they were breached.



“You got mud on yo' face

You big disgrace

Kickin' your can all over the place

Singing

We will, we will, SUE YOU!”

http://www.databreaches.net/?p=9196

RockYou Sued for Failing to Protect the Personal Data of its 32 Million Customers

December 29, 2009 by admin Filed under Breach Incidents, Business Sector

From the press release:

An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others.

The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.

The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.

“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”

The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.

On its site, RockYou had posted the following about the breach:

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

… However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services.

… We are separately communicating with our users so that they take this step and are informed of the facts.

It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?



This could be another breach, or an organized crime group. It is becoming so common, I expect to see a late night infomercial: “Make big bucks skimming credit card information in your spare time!”

http://www.databreaches.net/?p=9209

Skimmers hitting debit card customers across N.C.

December 29, 2009 by admin Filed under Breach Incidents, Financial Sector

Dan Bowens reports:

Cases in which debit card information has been stolen are cropping up across North Carolina, and officials said Tuesday that thousands of customers could be affected.

The State Employees Credit Union informed about 300 customers in recent days that their account information had been obtained by skimmers and used to make withdrawals and purchases.

[...]

Account information has been stolen from customers in Raleigh to Winston-Salem to Charlotte, according to SECU security officer Cory Mathes. He said the widespread nature of the thefts leads him to believe either a large skimming network is involved or someone has hacked into the computer system of a company that processes debit card transactions.

Read more on WRAL.



Satire is fine, parody too, but embarrass a politician and you guarantee an over-reaction in response. (And lots of media coverage – just what the activists wanted.)

http://yro.slashdot.org/story/09/12/29/1921257/Canadian-Censorship-Takes-Down-4500-Sites?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Canadian Censorship Takes Down 4500 Sites

Posted by timothy on Tuesday December 29, @03:00PM from the now-that's-what-I-call-political-science dept.

uncadonna writes

"According to activist group The Yes Men, the government of Canada has shut down two parody websites criticizing Canada's poor environmental policy. The article goes on to claim that 'In response to Environment Canada's request, Serverloft immediately turned off a whole block of IP addresses, knocking out more than 4500 websites that had nothing to do with the parody sites or the activists who created them. Serverloft was shown no warrant, and never called the web hosting company about the shutdown.'"


(Related) Censorship is not always based on what politicians want. Or even common sense. Could this be the basis for a stockholder's suit?

http://yro.slashdot.org/story/09/12/30/0027217/Following-In-Bings-Footsteps-Yahoo-and-Flickr-Censor-Porn-In-India?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Following In Bing's Footsteps, Yahoo! and Flickr Censor Porn In India

Posted by Soulskill on Tuesday December 29, @11:06PM from the searching-for-morality dept.

bhagwad writes

"Following recent news on how Bing decided sex was too sensitive for India, Yahoo! and its associated site Flickr have decided to do the same. While it's true that this is because of India passing laws that prohibit the publication of porn, no complaint was ever launched (and never will be), and glorious Google still continues to return accurate and unbiased results. So why is Yahoo! doing this? Is it because of its tie-up with Bing? I assume this is the case. Indian ISPs have already told the government and the courts that it's not their job to restrict porn and it's technologically infeasible too. In the absence of a complaint, I can only assume that Yahoo! has decided to do this of their own volition. Given that the 'sex' search term is searched more in India than in any other country, isn't it the duty of Yahoo! to provide accurate results to its customers? It can always plausibly deny control of its results and claim that filtering porn is infeasible. Since Yahoo! already has a low search market share in India, this will drive it even lower."


(Related) On the other hand, if you can mislead a politician or a court, censorship can be made to serve your purposes.

http://yro.slashdot.org/story/09/12/30/0240254/Italy-May-Censor-Torrent-Sites?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Italy May Censor Torrent Sites

Posted by Soulskill on Wednesday December 30, @05:11AM from the giving-them-the-boot dept.

An anonymous reader writes

"Following a Pirate Bay block more than a year ago, Italy continues its attempts to censor torrent sites. The Italian Supreme Court has ruled that copyright holders can now force ISPs to block BitTorrent sites, even if they are hosted outside Italy. The torrent sites which 'hold' copyrighted materials are accused of taking part in criminal activity. It seems someone should enlighten Italian jurists about technology." [That's my point. “Someone” already has... Bob]



Bruce thinks rationally. Would that any politician had the guts to listen.

http://www.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html

Is aviation security mostly for show?

By Bruce Schneier, Special to CNN December 29, 2009 7:38 a.m. EST

... Our current response to terrorism is a form of "magical thinking." It relies on the idea that we can somehow make ourselves safer by protecting against what the terrorists happened to do last time.



Why was this allowed to fester in the first place? A simple code review should have disclosed that the code was (or looked like it had been) copied, and a patch could have been generated pre-release. But then, Microsoft is not known for avoiding legal battles.

http://yro.slashdot.org/story/09/12/30/0011258/MS-Issues-Word-Patch-To-Comply-With-Court-Order?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

MS Issues Word Patch To Comply With Court Order

Posted by Soulskill on Tuesday December 29, @08:02PM from the wrist-slap-complete dept.

bennyboy64 writes

"iTnews reports that Microsoft has begun offering what appears to be a patch for its popular Word software, allowing it to comply with a recent court ruling which has banned the software giant from selling copyright-infringing versions of the word processing product. The workaround should put an end to a long-running dispute between Canadian i4i and Redmond, although it has hinted that the legal battle might yet take another turn."



Towards the “universal translator” of Science Fiction fame. Note that this requires storage of three complete dictionaries and the related programming. Something we couldn't do 5 years ago.

http://mobile.slashdot.org/story/09/12/29/2338202/Toshiba-Intros-Trilingual-Translation-App-For-Cellphones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Toshiba Intros Trilingual Translation App For Cellphones

Posted by Soulskill on Tuesday December 29, @07:04PM from the like-a-liberal-arts-major-only-better dept.

MojoKid writes

"Shortly after hearing of a simple, two-way Spanish-to-English translator for the iPhone, Toshiba has announced that it has developed a new language translation system that requires no server-side interaction. The app is designed to be operated independently on a smartphone, which will eliminate costly data roaming fees that are generally incurred using systems that require an internet connection to retrieve translations. The system is trilingual in nature and enables users to translate freely between Japanese, Chinese and English."



Too late for another stocking stuffer? In my next Security Engineering class, I'll have my students design a detector to detect DECAF, which detects COFEE. Think I'll call it Re-caff.

http://www.thetechherald.com/article.php/200953/5015/DECAF-no-stunt-developer-says-%C2%96-DECAF-2-launched

DECAF no stunt developer says – DECAF 2 launched

by Steve Ragan - Dec 29 2009, 20:30

DECAF has returned, and COFEE is not the only forensic set that it will monitor. The first version of DECAF was pulled on December 18 with a notice that it was all a “stunt,” and anyone who downloaded the software discovered it wasn’t working. Now it’s back, with new features, and an explanation as to why it was really pulled: legal fears.

First, DECAF was not fake, the tool worked.


(Related) Another stocking stuffer. Available during the Consumer Electronics Show, January 7-10.

http://www.wired.com/gadgetlab/2009/12/blio-ray-kurzweil-book/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Singularity Proponent Ray Kurzweil Reinvents the Book, Again

By Priya Ganapati and Charlie Sorrel December 29, 2009 7:03 am

… Blio is not a device. Rather, it is a “platform” that could run on any device, but would be most obviously at home on a tablet. The software is free and available currently for PCs, iPod Touch and iPhone.

[Support site: http://www.blioreader.com/ Bob]
