Thursday, December 10, 2009

I guess the argument that Visa retroactively revoked their PCI Certification is not the same as certifying that they were not secure.

http://www.databreaches.net/?p=8806

Judge dismisses shareholder lawsuit against Heartland (updated)

December 9, 2009 by admin Filed under Financial Sector, Hack, Of Note, U.S.

Dan Kaplan reports:

A U.S. District Court judge in New Jersey has tossed out a class-action lawsuit filed by shareholders against Heartland Payment Systems, the credit card processor announced Wednesday.

The judge granted Heartland’s motion to dismiss the action, which was filed in the wake of Heartland’s massive breach that was reported earlier this year, according to a company statement. No reason was given for the dismissal.

Read more on SC Magazine.

Kaplan makes some statements in the story that are not consistent with other reports on the breach. For example, he writes:

Heartland revealed the breach on Jan. 20. The company learned of the breach about a week earlier, but hackers had been lifting credit card numbers for some nine months prior.

Actually, Heartland was notified of the breach months earlier by Visa and MasterCard, but said it took them several months and three forensics teams to confirm the breach for themselves. Shortly after confirming the breach, they revealed it.

Kaplan also writes:

Heartland did not say how many records were compromised in the breach, but some estimates placed the number around 100 million, making it the largest reported data breach in history.

In indicting Albert Gonzalez earlier this year, the U.S. Attorney’s Office in New Jersey alleged that the number was 130 million. If that is accurate, that makes it the largest known single breach. Heartland has never issued any numbers, indicating that they didn’t know.

Heartland issued a brief press release:

Heartland Payment Systems® (NYSE: HPY), a leading provider of credit/debit/prepaid card processing, payroll, check management and payment services, today announced that on December 7, 2009, the United States District Court for the District of New Jersey, granted Heartland’s motion to dismiss the consolidated shareholder class action, titled In Re Heartland Payment Systems, Inc. Securities Litigation, which had been filed against Heartland, Robert O. Carr, Heartland’s Chairman and Chief Executive Officer and Robert H.B. Baldwin, Jr., Heartland’s President and Chief Financial Officer. The case, which arose out of the breach to the company’s processing system previously disclosed by the Company on January 20, 2009, was dismissed in its entirety with prejudice.

Mary Pat Gallagher of New Jersey Law Journal adds more:

U.S. District Judge Anne Thompson in Trenton, N.J., on Monday granted a defense motion to dismiss the case, In re Heartland Payment Systems Inc. Securities Litigation, 09-civ-1043, finding the plaintiffs failed to allege the existence of any material statement or omission or to adequately plead scienter.

Thompson dismissed the suit with prejudice, saying it appeared “further specificity would not cure the Complaint’s deficiencies” and thus, “amendment would be futile.”


(Related) The CEO had suggested in a speech (before the breach) that PCI security was inadequate. Would that plus a lack of evidence showing they had implemented additional security be sufficient?

http://www.storefrontbacktalk.com/securityfraud/federal-judge-dismisses-heartland-data-brach-lawsuit-cites-insufficient-evidence-of-weak-security/

Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

Written by Evan Schuman December 10th, 2009

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

… Heartland’s people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.

But what Heartland’s people didn’t know at the time, Thompson wrote in her decision, was that Gonzalez’s team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.

… Thompson also ruled that a retailer can say it has strong security without meaning that it is invulnerable to any attack. “The fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security.’ It is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome. In fact, given all the money that Heartland spent [Note that “all the money” is without reference. Did smaller competitors spend less? Was any money invested in detecting security breaches? Bob] on security in late 2007 and the fact that Heartland did take steps to fix its security after the SQL breach, the latter explanation seems much more plausible,” she wrote.



Bad decision. The delay is making them look uncaring and incompetent.

http://www.phiprivacy.net/?p=1622

UMC patients at risk of identity theft may wait 60 days to find out

By Dissent, December 10, 2009 7:19 am

Marshall Allen follows up on a UMC breach and shows how HITECH’s 60-day notification deadline is being used by the hospital to its fullest:

Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital — a crime being investigated by the FBI.

But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said.

One victim says that is too long to wait to tell patients they may be at risk of identity theft.

The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information — the kind that can be used for identity theft — was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon.

Read more in the Las Vegas Sun.

Reading the news story, I am reminded of the old adage, “Just because you can doesn’t mean you should.” [Sound familiar? Bob]

[From the article:

Silver was called before the state’s Legislative Committee on Health Care as a result of Sun stories that exposed an allegedly systemic leak of patient information at the hospital.

Silver assured the committee that the hospital is committed to uncovering the leak, and when the employee or employees are identified, “termination will be the least of their problems. It’s a serious situation.”

… The Sun reported the leak — the latest scandal to hit the beleaguered hospital — after the newspaper obtained 21 UMC patient “face sheets” — cover sheets that include overviews of each case — from a source who was concerned about the leak. The sheets were from Oct. 31 and Nov. 1 and were for people involved in traffic accidents.

The Sun’s source said he was several degrees removed from the leak and did not know how the records were being released from the hospital, but that they were allegedly being sold for months, or even years, to ambulance-chasing attorneys so they could mine for clients.



“Improve” things for whom?

http://www.pogowasright.org/?p=6194

Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly

December 9, 2009 by Dissent Filed under Featured Headlines, Internet

Kevin Bankston writes:

Five months after it first announced coming privacy changes this past summer, Facebook is finally rolling out a new set of revamped privacy settings for its 350 million users. The social networking site has rightly been criticized for its confusing privacy settings, most notably in a must-read report by the Canadian Privacy Commissioner issued in July and most recently by a Norwegian consumer protection agency. We’re glad to see Facebook is attempting to respond to those privacy criticisms with these changes, which are going live this evening. Unfortunately, several of the claimed privacy “improvements” have created new and serious privacy problems for users of the popular social network service.

The new changes are intended to simplify Facebook’s notoriously complex privacy settings and, in the words of today’s privacy announcement to all Facebook users, “give you more control of your information.” But do all of the changes really give Facebook users more control over their information? EFF took a close look at the changes to figure out which ones are for the better — and which ones are for the worse.

Our conclusion? These new “privacy” changes are clearly intended to push Facebook users to publicly share even more information than before. Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.

Not to say that many of the changes aren’t good for privacy. But other changes are bad, while a few are just plain ugly.

Read EFF’s analysis of the changes on EFF.



What “Existing” database are they talking about? Do they have pictures of “frequent shoppers” or “frequent shoplifters” and where did they get the pictures?

http://tech.slashdot.org/story/09/12/10/0224204/Biometric-Face-Recognition-At-Your-Local-Mall?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Biometric Face Recognition At Your Local Mall

Posted by samzenpus on Thursday December 10, @02:09AM from the sunglass-and-disguise-hut dept.

dippityfisch writes

"The Sydney Morning Herald reports that face recognition is being considered at Westfield's Sydney mall to catch offenders. The identification system matches images captured by surveillance cameras to an existing database of faces. Police said they could not comment on the center's intentions, but would welcome any move to improve security and technology in the area."

[From the article:

[Police] said many businesses already used face recognition systems without public knowledge.

''You'd be surprised at how many have it,'' Detective Inspector Grant Healey of Penrith said. ''Any tool that helps us identify offenders is a great tool for us, too.''


(Related)

http://www.pogowasright.org/?p=6203

Israel tests biometric database

December 10, 2009 by Dissent Filed under Legislation, Non-U.S., Surveillance

John Oates had this news report in The Register earlier this week:

The Israeli Knesset has voted in favour of a bill for a compulsory biometric database of all citizens.

The Biometrics Database Law passed the Knesset 40 votes in favour to 11 against.

A big row over privacy forced the bill back to the drawing board. This led to the idea of a two-year trial rather than a full-blown introduction. Three months before the end of that period ministers will decide to adopt or ditch the technology.

Read more in The Register.


(Related) It could never happen here...

http://www.wired.com/threatlevel/2009/12/terrorist-watchlist/

FBI: 19,000 Matches to Terrorist Screening List in 2009

By Kim Zetter December 9, 2009 3:50 pm

… A Justice Department inspector general report earlier this year found that the FBI was mishandling the watchlist and was failing to add legitimate suspects of terrorist investigation while also failing to properly update and remove records from the list, subjecting U.S. citizens to unjustified scrutiny.



Lawsuits in the Cloud. Is this a new branch of Computer Law? Sounds like a no-brainer to me (as in “Management has no brain.”).

http://www.databreaches.net/?p=8799

Microsoft and Danger to blame for Sidekick data loss – lawsuit

December 9, 2009 by admin Filed under Breach Incidents, Of Note

Courthouse News has uploaded a copy of a class action lawsuit against Microsoft and Danger Inc. The complaint, filed by Terrence and Katie Teraszcka, Adam Beckelman, and Michael Guerrero in Cook County Court on November 17th, alleges that the defendants negligently failed to back up data before a network upgrade, resulting in Sidekick users losing their important data. [Again, ignoring “Best Practices” Bob] The data loss occurred in October 2009.

The lawsuit cites an article by Dan E. Dilger in Roughly Drafted Magazine that points the finger at Microsoft by citing a source who implicates Roz Ho of Microsoft:

According to the source, the real problem was that a Microsoft manager directed the technicians performing scheduled maintenance to work without a safety net in order to save time and money. The insider reported:

“In preparation for this [SAN] upgrade, they were performing a backup, but it was 2 days into a 6 day backup procedure (it’s a lot of data). Someone from Microsoft (Roz Ho) told them to stop the backup procedure and proceed with the upgrade after assurances from Hitachi that a backup wasn’t necessary. This was done against the objections of Danger engineers.

“Now, they had a backup from a couple of months ago, but they only had the SAN space for a single backup. Because they started a new backup, they had to remove the old one. If they hadn’t done a backup at all, they’d still have the previous backup to fall back on.

“Anyway, after the SAN upgrade, disks started ‘disappearing.’ Logically, Oracle [software] freaked out and started trying to recover, which just made the damage worse.”

The problem with this report is that it places the blame, not on a complex Oracle deployment, not on bad SAN hardware or a firmware glitch, not a disgruntled employee with inappropriate levels of access to a mission critical service, but squarely upon Microsoft management.

The plaintiffs seek class-action status and economic relief of less than $75,000 per plaintiff.



Focus on telling the truth. “Unlimited” means “Limited” Honest!

http://mobile.slashdot.org/story/09/12/09/2028245/ATampT-Moves-Closer-To-Usage-Based-Fees-For-Data?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

AT&T Moves Closer To Usage-Based Fees For Data

Posted by timothy on Wednesday December 09, @04:08PM from the applied-price-theory dept.

CWmike writes

"AT&T has moved closer to charging special usage fees to heavy data users, including those with iPhones and other smartphones. Ralph de la Vega, CEO of AT&T Mobility and Consumer Markets, came close on Wednesday to warning about some kind of use-based pricing while speaking at a UBS conference. 'The first thing we need to do is educate customers about what represents a megabyte of data and...we're improving systems to give them real-time information about their data usage,' he said. 'Longer term, there's got to be some sort of pricing scheme that addresses the [heavy] users.' AT&T has found that only 3% of its smartphone users — primarily iPhone owners — are responsible for 40% of total data usage, largely for video and audio, de la Vega said. Educating that group about how much they are using could change that, as AT&T has found by informing wired Internet customers of such patterns. De la Vega's comments on data use were previewed in a keynote he gave in October at the CTIA, but he went beyond those comments on Wednesday: 'We are going to make sure incentives are in place to reduce or modify [data] uses so they don't crowd out others in the same cell sites.' Focus groups have been formed at AT&T to figure out how to proceed."


(Related)

http://www.wired.com/epicenter/2009/12/iphone-caps/

Cap My iPhone? Try This Instead, AT&T

By Ryan Singel December 9, 2009 6:09 pm

The first piece of advice is just a no-brainer. If you can’t handle the network traffic, stop selling a device that comes with a promise of unlimited 3G data service.



Think HUGE!

http://www.crunchgear.com/2009/12/09/study-americans-consume-34-gigabytes-of-information-per-day/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Study: Americans consume 34 gigabytes of information per day

There’s a pretty interesting report that was just published today entitled “How much information?” It was put together by the Global Information Industry of the University of California at San Diego. It looks at the year 2008 and tries to quantify how much information the average American consumes across all forms of media: TV, newspaper, Web sites, radio, you name it. When you crunch all the numbers, it looks like the average American consumes 34 gigabytes of data every single day. (That’s 3.6 zettabytes in total.)



Need a tool for visualizing large data sets?

http://www.insideria.com/2009/12/28-rich-data-visualization-too.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+oreilly%2Fnews+%28O%27Reilly+News%29

28 Rich Data Visualization Tools

Theresa Neil December 10, 2009



For my website students

http://www.makeuseof.com/tag/create-professional-looking-photo-slideshows-with-photo-story-3/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Create Professional Looking Photo Slideshows With Photo Story 3

Dec. 9th, 2009 By Mark O'Neill

… One of those nice pieces of software is something called Photo Story 3 for Windows, an app which allows you to make professional looking photo slideshows complete with music, your own narration and photo subtitles. It claims you need Windows XP to run it but it is working perfectly fine on my Windows 7 machine. You can find out here all the other system requirements needed to make this app work.



This is not for the faint of heart...

http://www.makeuseof.com/tag/powerpoint-twitter-tools-to-auto-tweet-instantly-view-feedback/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

How To Integrate Twitter with PowerPoint: Tweet Presentation Notes & See Instant Feedback

Dec. 9th, 2009 By Mahendra Palsule

Speakers and presenters at conferences are increasingly finding their audience live tweeting during their presentation. In most cases, the presenter has no clue about what the audience is saying on Twitter. This leads to a disconnect between the true thoughts of the audience in contrast with that of the presenter. In order to avoid such scenarios, you can incorporate Twitter within your PowerPoint presentation both to be an active participant as well as to gather feedback from the audience.
