This sounds quite cheap on a 'per card compromised' basis. I wonder who their lawyers are?
http://www.databreaches.net/?p=8991
Heartland to pay up to $2.4 million to settle cardholder class action suit
December 21, 2009 by admin Filed under Breach Incidents, Financial Sector, Of Note
Under the terms of the settlement, Heartland says it will pay a minimum of $1 million and up to a maximum of $2.4 million to class members who submit valid claims for losses as a result of the intrusion.
The payment processor says it will also shell out $1.5 million for the cost of notice to the settling class, and $0.76 million to cover legal fees.
Heartland has additionally agreed to submit the report of an independent expert on its plans to improve the security of its computer system since the announcement of the intrusion on January 20, 2009.
Read more on Finextra.
(Related) Completing(?) the picture of a mad hacker. Too technical for a movie of the week, I wonder if anyone will write a book about these hacks?
http://www.databreaches.net/?p=8994
Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases
December 21, 2009 by admin Filed under Business Sector, Financial Sector, Hack, ID Theft, Of Note, U.S.
Kim Zetter reports:
Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement in charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.
Under the terms of the agreement, Gonzalez, a former Secret Service informant, [They keep saying that. Perhaps they just like to embarrass the Secret Service? Bob] will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrent with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.
Read more on Threat Level.
(Related) How do you get students to pay attention to Security lectures? “Bags of cash...”
http://www.databreaches.net/?p=8996
7-Eleven Hack From Russia Led to ATM Looting in New York
December 21, 2009 by admin Filed under Breach Incidents, Hack, Of Note
Kevin Poulsen provides newly released details on the 7-Eleven hack included in Albert Gonzalez’s plea agreement:
….In his most recent plea agreement, filed in court on Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach, and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1″ and “Hacker 2″ in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.
The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Elevens’ public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
At the time, there were 5,500 Citibank-branded ATMs at 7-Eleven stores around the country. According to SEC documents, 7-Eleven ran its own transaction processing server [Perhaps unwise from a liability perspective? Bob] to handle 2,000 of them: advanced models called Vcom machines, manufactured by NCR. The 7-Eleven Vcoms support special functions like bill-payment, check cashing and money order purchases. For two weeks in September 2007, anyone who typed their PINs in one of these was exposed.
Read more on Threat Level.
[Article contains more details and other crimes. Bob]
Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.
(Related) Computer Crime is Big Business.
http://tech.slashdot.org/story/09/12/21/1922215/Malware-and-Botnet-Operators-Going-ISP?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Malware and Botnet Operators Going ISP
Posted by ScuttleMonkey on Monday December 21, @04:53PM from the spam-is-big-business dept.
Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them.
"The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
Two interesting “facts” 1) the WSJ rarely gets it wrong. 2) NSA was involved?
http://www.databreaches.net/?p=8999
WSJ report on Citigroup hack disputed by Citigroup
December 22, 2009 by admin Filed under Financial Sector, Hack, Of Note
Siobhan Gorman and Evan Perez of the Wall Street Journal report:
The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials…… The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case.
But not so fast. Citigroup is denying any breach:
Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”
Their denial did not seem to convince WSJ, and the rest of the article provides background and some details on the alleged Citibank hack and the use of Black Energy software to steal banking data.
So… was there a breach or wasn’t there? And should those organizations that compile databases include a breach if the entity firmly denies being breached and we don’t have named sources? Right now, I’m glad that I don’t compile breaches as I’m not sure what I’d do with this one. Maybe an entry with an asterisk? Even then, associating the name with a possible breach can do reputational harm. I’ll be interested to see what OSF, ITRC, and the PRC do with this one.
[Black Energy is a botnet use for DDOS attacks: http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
So much for the “We did nothing wrong.” statement from the French earlier in the week. (What do you bet they keep a copy?)
http://www.databreaches.net/?p=8987
UPDATE: France agrees to hand back ’stolen’ Swiss bank data
December 21, 2009 by admin Filed under Breach Incidents, Financial Sector, Insider, Non-U.S., Of Note
From the Agence France-Presse:
France said Monday it would agree to a Swiss request to hand back data taken from a HSBC bank branch in Geneva that is at the centre of a row between the two countries.
HSBC Private Bank says the information was stolen by a former employee who later gave it to French authorities probing suspected tax evasion by several thousand French taxpayers.
The Swiss authorities had called on France to hand it back after it was seized in January by police in southern France under a Swiss warrant for the former employee, a French citizen identified as Herve Falciani.
Read more on MSN.
Never happen. Gossip, especially the juicy stuff, trumps privacy every time.
http://www.pogowasright.org/?p=6480
Privacy and ethics: discussing celebrities’ private lives
December 21, 2009 by Dissent Filed under Other
Over on Chronicles of Dissent, I’ve been blogging about privacy issues and the ethics of psychologists discussing celebrities’ personal lives. Part 1 of the discussion uses the Tiger Woods scandal and Brittany Murphy death to illustrate some ethical concerns and it includes statements from the ethics codes of the Society of Professional Journalists, the American Psychological Association, and the American Psychiatric Association. Part 2 of the discussion quotes U.K. social psychologist Dr. Gary Wood, who shares my view that it is unethical for psychologists to discuss or speculate about the mental health of celebrities.
A “good deal” for a company is not always a good deal for customers. (Business 101) Will this result in more phone calls to Class Action lawyers?
http://mobile.slashdot.org/story/09/12/21/237211/Verizon-Removes-Search-Choices-For-BlackBerrys?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Verizon Removes Search Choices For BlackBerrys
Posted by kdawson on Monday December 21, @08:22PM from the you've-been-bung dept.
shrugger writes
"I picked up my BlackBerry this morning to do a search and noticed Bing as my default search engine. I thought this was very strange, since I didn't pick this setting. I went to change it back to Google and, to my chagrin, Bing was my only option! Apparently Verizon has pushed an update that removes all search providers except Bing. Thanks a lot Verizon!"
The Reg notes: "The move is part of the five-year search and advertising deal Verizon signed with Microsoft in January for a rumored $500m."
[A thread in the Comments:
A: Ah, the wonderful sound of thousands of canceled contracts! Nothing quite like it.
B: ah but they doubled their termination fee. now it is cheaper to get a divorce than to pay Verizon to get out of the contract.
C: Divorce her and leave her the phone. That'll teach her.
Looks like this judge just made the no-fly list!
http://www.pogowasright.org/?p=6490
TSA Must Release Some ‘No-Fly List’ Evidence – Court
December 22, 2009 by Dissent Filed under Court, Featured Headlines, Surveillance, U.S.
Anne Youderian reports:
A federal judge in San Francisco ordered the Transportation Security Administration to release some evidence relating to a Muslim woman’s inclusion on the government’s “no-fly list,” breaking what the judge called a “potential jurisdictional impasse.”
Rahinah Ibrahim, a Malaysian Muslim, said she was illegally detained at the San Francisco International Airport because her name appeared on the “no-fly list,” which had been implemented after the Sept. 11, 2001, terrorist attacks.
Ibrahim said airport police handcuffed her in front of her 14-year-old daughter and detained her for two hours. She was getting her doctorate at Stanford University at the time, and had no criminal record or link to terrorists.
Agents later released her and told her that her name had been removed from the no-fly list. But when she tried to return to the United States to finish her degree, she learned that her student visa had been revoked.
She sued, claiming she’d been wrongfully included on the no-fly list.
U.S. District Judge William Alsup dismissed for lack of jurisdiction, but the 9th Circuit reversed on a 2-1 vote.
[...]
But the case faced a second jurisdictional hurdle on remand.
“[I]t turns out that important evidence at the heart of the case is still under lock and key by TSA,” Judge Alsup wrote. “The federal government asserts that this Court again lacks subject-matter jurisdiction, this time lacking jurisdiction to compel TSA to release the evidence. Fortunately, a portion of the jurisdictional impasse can be broken – a recent statutory amendment allows district courts to compel the production of at least some of the sensitive information” (original emphasis).
The judge ordered the TSA to produce FBI phone logs related to Ibrahim; TSA employee logs; documents discussing the incident, instructing police to detain or arrest Ibrahim, and discussing those instructions; and airport video recordings.
Read more on Courthouse News.
For Law School students? They get access to Lexus as part of their tuition. Is that enough to addict them to the service?
http://www.bespacific.com/mt/archives/023072.html
December 21, 2009
Google Scholar: A New Way to Search for Cases and Related Legal Publications
Follow up to Google Scholar Now Includes Free Case Law Database and Bridging the DiGital Divide: A New Vendor in Town? Google Scholar Now Includes Case Law, this related article - Google Scholar: A New Way to Search for Cases and Related Legal Publications.
Merry Christmas! Whose “Naughty or Nice” list do you get on?
http://www.pogowasright.org/?p=6498
An E-Book Buyer’s Guide to Privacy
December 22, 2009 by Dissent Filed under Breaches, Internet
Ed Bayley of EFF writes:
As we count down to end of 2009, the emerging star of this year’s holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon’s Kindle to Barnes and Noble’s forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music.
Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users’ reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why.
As a first step towards addressing these problems, EFF has created a first draft of our Buyer’s Guide to E-Book Privacy. We’ve examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share.
Read more on the Electronic Frontier Foundation. You might be surprised when you look at their comparison chart about which device(s) seem to provide better privacy protection.
Why not eDoctors to go with those eHealth Records? (This would be more profitable if we could off-shore it to Sri Lanka.)
http://science.slashdot.org/story/09/12/21/1748220/Virtual-Visits-To-Doctors-Spreading?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Virtual Visits To Doctors Spreading
Posted by ScuttleMonkey on Monday December 21, @03:09PM from the what-could-possibly-go-wrong dept.
tresho writes to tell us that virtual doctors visits seem to be on the rise. A new service, most recently deployed in Texas, from "NowClinic" is allowing doctors to make virtual house calls and prescribe anything short of controlled substances.
"For $45, anyone in Texas can use NowClinic, whether or not they are insured, by visiting NowClinic.com. Doctors hold 10-minute appointments and can file prescriptions, except for controlled substances. Eventually they will be able to view patients’ medical histories if they are available. The introduction of NowClinic will be the first time that online care has been available nationwide, regardless of insurance coverage."
Is there a market for Do-it-yourself security cameras? Those little “This house protected by video surveillance” signs work only when the crooks can read.
http://www.networkworld.com/community/node/49174
Caught on tape: Burglars target wrong techie
Grateful police say they've "never seen anything like this before"
By Paul McNamara on Sat, 12/19/09 - 12:03pm.
… A Framingham, Mass., resident received an urgent text message at work on Friday. It was from his home computer reporting the presence of movement inside of his apartment, which he had equipped with a motion detector and surveillance camera after a recent burglary.
The guy logs on, calls up the video feed, and bingo: Two burglars are having their way with his stuff. He calls the cops, who I'm going to presume have rarely had an easier collar.
From a MetroWest Daily News report:
Kevin John Fegan, 27, and Joshel Garcia, 18, both of Framingham, were inside the 205 Beaver St. apartment when police arrived and arrested them at 9:30 a.m., never knowing they were being watched via computer, Deputy Police Chief Craig Davis said.
The break-in and theft were also recorded for future use in court proceedings, the deputy chief said.
It is easy to justify huge amounts of compensation when a CEO makes you lots of money. Much harder is compensating one for avoiding a 100% loss.
http://www.appleinsider.com/articles/09/12/21/apples_steve_jobs_named_worlds_best_performing_ceo.html
Apple's Steve Jobs named world's best-performing CEO
By Neil Hughes Published: 12:50 PM EST
… "The #1 CEO on the list, Steve Jobs, delivered a whopping 3,188% industry-adjusted return (34% compounded annually) [Better than Bernie Madoff! Bob]after he rejoined Apple as CEO in 1997, when the company was in dire shape," the report said. "From that time until the end of September 2009, Apple’s market value increased by $150 billion."