Even when we start to get answers we find more questions.
http://www.pogowasright.org/?p=2873
Over 130 million stolen: 3 indicted for hacking Heartland, 7-Eleven, Hannaford
August 17, 2009 by Dissent Filed under Breaches, Court, Featured Headlines
An indictment [pdf] was returned today against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history, announced Acting U.S. Attorney Ralph J. Marra, Jr., along with Assistant Attorney General of the Criminal Division Lanny A. Breuer and United States Secret Service Director Mark Sullivan.
The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice.
The indictment describes a scheme in which more than 130 million credit and debit card numbers together with account information were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J., 7-Eleven, Inc., and Hannaford Brothers Co. In addition, the indictment describes two unidentified corporate victims as being hacked by the coconspirators. [Two more? Should we assume the hacked in but got no data requiring disclosure? I'd think they (whoever they are) would be bragging about that. Bob]
As alleged in the indictment, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed coconspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his coconspirators sought to identify vulnerabilities, both by physical observation and by online exploration. For example, according to the Indictment, Gonzalez and an individual identified in the Indictment as “P.T.” would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale (“checkout”) machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.
According to the Indictment, the hacking attacks launched against the corporate victims consisted of what is known as a SQL-injection attack, which is an attack that exploits security vulnerabilities in elements of a computer that receives user input. Gonzalez provided some of the malicious software (malware) to his coconspirators, and they added their own as they sought to identify the location of credit and debit card numbers and other valuable data on the corporate victims’ computer systems.
The coconspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims’ computer systems, according to the Indictment. Once the target information was discovered, it would be stolen from the corporate victims’ servers and placed onto servers controlled by Gonzalez and the coconspirators. In addition to searching for credit and debit card data on the victims’ computer systems, the Indictment alleges that Gonzalez and the coconspirators installed “sniffers” which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims’ computer servers.
The indictment alleges that Gonzalez and the coconspirators employed numerous techniques to hide their hacking efforts and data breaches. For example, they allegedly accessed the corporate websites only through intermediary, or “proxy,” computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.
Upon stealing the credit and debit card data, Gonzalez and the coconspirators would seek to sell the data to others who would use it to make fraudulent purchases, make unauthorized withdrawals from banks and further identity theft schemes.
… A federal grand jury sitting in Newark, N.J., charged Gonzalez and two individuals identified only as “Hacker 1,” and “Hacker 2,” both in or near Russia, in the two-count Indictment. The first count charges conspiracy to (1) gain unauthorized access to computers, (2) commit fraud in connection with computers, and (3) damage computers. The second count charges conspiracy to commit wire fraud. Each defendant faces a maximum penalty of 5 years in prison on Count One and an additional 30 years on Count Two, for a total of 35 years. In addition, each of the individuals is subject to a maximum fine of $250,000 per Count One, and $1 million per Count Two, or twice the gain resulting from the offense, whichever is greater.
Gonzalez was previously indicted in the Eastern District of New York on May 12, 2008, and the District of Massachusetts on August 5, 2008, for his involvement in different conspiracies relating to data breaches of multiple companies. He was also previously arrested in New Jersey in 2003 for his role in ATM and debit card fraud. Gonzalez is currently detained in the Metropolitan Detention Center in Brooklyn, New York.
… The case is being prosecuted by Assistant U.S. Attorneys Seth Kosto and Erez Liebermann of the U.S. Attorney’s Office Computer Hacking and Intellectual Property Section, [Talk about a cool business card. Does the job come with a cape and secret identity? Bob] part of the Commercial Crimes Unit in Newark, New Jersey, and Senior Counsel Kimberly Kiefer Peretti of the Criminal Division’s Computer Crime & Intellectual Property Section.
Source: U.S. Attorney’s Office, District of New Jersey
(Related) Of course we've seen Mr. Gonzalez before. Is he really that good or are we blaming him for everything just to close the case?
http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
TJX Hacker Charged With Heartland, Hannaford Breaches
By Kim Zetter Email Author August 17, 2009 2:34 pm
Impacting the Google and Microsoft “Health Data Sharing” systems. Perhaps they caused the Financial Collapse?
http://www.pogowasright.org/?p=2902
FTC issues Health Breach Notification Rule
August 18, 2009 by Dissent Filed under Breaches, Featured Headlines, Govt
The Federal Trade Commission (“FTC” or “Commission”) is issuing this final rule, as required by the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
DATES: This rule is effective [insert date 30 days after date of publication in the FEDERAL REGISTER]. Full compliance is required by [insert date 180 days after date of publication in the FEDERAL REGISTER].
The rule can be found on the FTC’s site (pdf, 88 pp.). There will be more coverage of this after everyone has a chance to read through it.
See also the Health Breach Notification form (pdf) and the FTC’s press release.
[From the rule:
A second and related point that many commenters raised was that, to the extent possible, consumers should receive a single notice for a single breach.9 These commenters pointed out that receiving multiple notices for the same breach would confuse consumers and convey an exaggerated sense of risk.1 [...and it would point out how many entities had their data... Bob]
… Finally, many commenters expressed concerns about particular statutory requirements governing breach notification. For example, some commenters stated that entities should be required to provide breach notification for paper, as well as electronic, information;19 others expressed concerns about requiring media notice.20
18 Section 13400(5) of the Recovery Act defines “electronic health record” as an electronic record of health-related information on an individual that is “created, gathered, managed, and consulted by authorized health care clinicians and staff.” In contrast, section 13400(11) defines “personal health record” as an electronic record “on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
(Related?) If this means the FTC will start blogging about Privacy, I'll follow it. More likely, he just gets to explain what a blog is...
http://www.pogowasright.org/?p=2910
FTC hires privacy blogger
August 18, 2009 by Dissent Filed under Govt, Other, U.S.
In yet another sign that the Federal Trade Commission is serious about examining online privacy, Christopher Soghoian said today that he’s accepted a job as technical consultant to the FTC’s Bureau of Consumer Protection, Division of Privacy and Identity Protection. Soghoian, currently with Harvard’s Berkman Center for Internet & Society, is among the most influential researchers today when it comes to online privacy and advertising.
“David Vladeck, the new head of the Bureau of Consumer Protection recently told the New York Times that ‘he would hire technologists to help analyze online marketers’ tracking.’ I guess that means people like me,” Soghoian said on his blog.
Read more on Media Post and on Chris’s blog. This is good news, indeed.
Just call us here at Dial-a-Perp, and we'll provide you with the DNA evidence you need and deserve!
http://www.pogowasright.org/?p=2890
Fighting biological identity theft (updated)
August 17, 2009 by Dissent Filed under Featured Headlines, Other
Fascinating stuff: Elon Ganor is now working in the field of biotechnology with a new Israeli startup, Nucleix, a firm that is devoted to foiling biological identity theft.
Nucleix’s technology is designed to answer a new problem that has arisen where medicine and law meet: biological identity theft. That refers to the ability to build, in laboratory conditions, synthesized DNA based on the real DNA of a person. Other people could use that fabricated DNA to create the appearance of guilt where none exists, for example by disseminating it at crime scenes.
[...]
The startup’s expertise lies in differentiating between artificial DNA and the real genetic code of the actual person. Until now there has been no technology capable of distinguishing between genetic profiles obtained from faked DNA and real biological profiles, it says.
Read more on Haaretz.com
Update 1: The NY Times also has an article on this topic, and it links to a journal article by the investigators, “Authentication of forensic DNA samples.”
(Related) Now you can have a computer that's a clone of Bill Gates? Horrifying!
http://hardware.slashdot.org/story/09/08/17/1938243/IBM-Scientists-Build-Computer-Chips-From-DNA?from=rss
IBM Scientists Build Computer Chips From DNA
Posted by ScuttleMonkey on Monday August 17, @06:02PM from the some-chips-are-longer-than-others dept.
Enforcement should be an interesting challenge...
http://tech.slashdot.org/story/09/08/17/2141244/No-Social-Media-In-These-College-Stadiums?from=rss
No Social Media In These College Stadiums
Posted by kdawson on Monday August 17, @09:46PM from the ninety-thousand-reporters dept.
RawJoe writes
"Today, the Southeastern Conference (SEC) is expected to release a final version of its new media policy that, at the moment, can best be described as a ban on all social media usage at SEC games. Earlier this month, the conference informed its schools of the new policy, which says that ticketed fans can't 'produce or disseminate (or aid in producing or disseminating) any material or information about the Event, including, but not limited to, any account, description, picture, video, audio, reproduction or other information concerning the Event.' Translated, that means no Twitter, Facebook, YouTube, TwitPic, or any other service that could in any way compete with authorized media coverage of the event. In the case of the SEC, authorized media coverage rights belong to CBS, who has a $3B deal with the conference over the next 15 years, according to The St Petersburg Times."
Good luck with that. To quote Clay Shirky, "The idea that people can't capture their own lived experience is a losing proposition."
We can, therefore we must? A whole new set of data for e-Discovery.
http://www.pogowasright.org/?p=2916
Miami health centre starts RFID soap snooping
August 18, 2009 by Dissent Filed under Surveillance, U.S., Workplace
RFID tags are being deployed at the University of Miami to report when doctors and nurses wash their hands, and let them know if their fingernails aren’t clean.
In contrast to previously-suggested systems involving chemical sniffers, the RFID-based technology being used in Miami just monitors when a doctor or nurse is near a bed and when they use a soap dispenser, then compares the times to ensure the latter is done directly before the former - failure to comply resulting in a recorded reminder being played out over the tannoy. [“Attention Patients! Dr. (insert name here) is a walking germ factory! If you catch anything, be sure to sue (him/her) and not us!” Bob]
Read more in The Register.
[From the article:
(This is all explained in more detail by RFID Journal.)
Ah, the joys of operating a business that goes global instantly...
http://www.pogowasright.org/?p=2880
Privacy offerings: Facebook submits plan to Canada
August 17, 2009 by Dissent Filed under Featured Headlines, Internet, Non-U.S.
Facebook has submitted its proposal to the Canadian Privacy Commissioner to bring Facebook into compliance with Canada’s privacy law. Although they revealed few details publicly, The Financial Post reports that:
the company proposed a number of updates to its Statement of Rights and Responsibilities with several changes which may address some of the concerns contained in the privacy commissioner’s report.
In one section which speaks directly to third party developers creating applications for the Facebook platform, Facebook proposed changing a section which reads: “You will only use the data you receive for your application, and will only use it in connection with Facebook.”
The new section reads: “You will only request data you need to operate your application.”
Developers will also now be required to make it clear to users the data they plan to use and how they “will use, display or share that data.”
Read more in The Financial Post.
(Related) Of course, some countries are more foreign than others...
http://www.pogowasright.org/?p=2888
Facebook sued over privacy
August 17, 2009 by Dissent Filed under Court, Internet
The Associated Press reports that five Facebook users in California have filed a civil suit against Facebook. According to the AP, the lawsuit reportedly alleges that
Facebook violates California privacy and online privacy laws by disseminating personal information posted by users to third parties. It also alleges that Facebook engages in data mining and harvesting without fully disclosing those practices to its members.
Update 1: Jason Kincaid of TechCrunch finds this suit somewhat amusing.
...because it was politically incorrect?
http://www.pogowasright.org/?p=2900
White House disables e-tip box
August 18, 2009 by Dissent Filed under Govt, Internet
Following a furor over how the data would be used, the White House has shut down an electronic tip box — flag@whitehouse.gov — that was set up to receive information on “fishy” claims about President Barack Obama’s health plan.
E-mails to that address now bounce back with the message: “The e-mail address you just sent a message to is no longer in service. We are now accepting your feedback about health insurance reform via http://www.whitehouse.gov/realitycheck.”
Read more on Politico.
No doubt the geek community will be watching (and blogging) about this one! “Who do you think you are? What make you think you can regulate communications? We have a right to force customers off our system, even when we're the monopoly ISP.”
http://yro.slashdot.org/story/09/08/17/1750217/Comcast-Finally-Files-Suit-Against-FCC-Over-Traffic-Shaping?from=rss
Comcast Finally Files Suit Against FCC Over Traffic Shaping
Posted by ScuttleMonkey on Monday August 17, @04:18PM from the hoping-for-mutual-destruction dept.
Following up on their threat last year to sue the FCC over sanctions imposed, Comcast has finally filed suit, stating that there are no statutes or regulations that support the FCC's authority to stop traffic shaping procedures.
"First, let's recap: After months of proceedings, hearings, and investigations, the FCC concluded on August 1, 2008 that Comcast was discriminating against certain P2P applications using deep packet inspection techniques. These methods thwarted the ability of users to share video and other files via BitTorrent. 'Comcast was delaying subscribers' downloads and blocking their uploads,' declared then FCC Chair Kevin Martin. 'It was doing so 24/7, regardless of the amount of congestion on the network or how small the file might be. Even worse, Comcast was hiding that fact by making [affected] users think there was a problem with their Internet connection or the application.'"