http://www.databreaches.net/?p=9874
Ceridian breach disclosure provides clear timeline
February 7, 2010 by admin
Ceridian’s notification to the New Hampshire Attorney General’s Office is now available online (pdf). By letter from its attorney dated February 1, it summarizes the time line beginning with it first becoming aware on December 23 of a possible breach when its personnel spotted unusual activity that might indicate a problem. Further investigation indicated unauthorized access had occurred on December 22 and December 23 and the FBI was subsequently contacted.
By January 11, the company had determined “with reasonable certainty” which files might have been illegally accessed or acquired, and began compiling information on names and addresses of individuals to be notified. By January 29, the company had started sending out notifications.
Although the disclosure does not make any mention of how the hackers were able to gain access to its database (nor is such disclosure required under the law), Ceridian’s disclosure provides a useful example of disclosure and notification letters that are clearly written and generally answer the questions that most recipients might be asking. The company also set up a call center to answer questions and offered those affected free services.
Did they, as one person alleged, contribute to their own problems by having no longer active accounts on the system? Was their security up to industry standards at the time of the incident? I don’t know the answer to either question, but they do get a thumbs up from this site for their quick recognition of a problem, their prompt handling of it, and the clarity of their disclosure and notification letters.
[Interesting that they mark their letter notifying the AG as “Confidential” Perhaps they failed to realize the notices are posted to a public database? They also sent a list of state Attorneys' General phone numbers with their notice letters. Bob]
Perhaps it is impossible to be compliant. Russo doesn't sound like the most techie of managers, but this is a fair summation of the “party line.”
http://news.cnet.com/8301-27080_3-10448197-245.html?part=rss&subj=news&tag=2547-1_3-0-20
PCI compliance: What it is and why it matters (Q&A)
by Elinor Mills February 8, 2010 4:00 AM PST
There have been a number of big data breaches lately. Were the companies PCI compliant or not in those cases?
Russo: It's been our experience that none of the breaches that occurred have been compliant at the time of the breach. Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance. If there are new patches to come out for the operating system you have to install those. One piece we ask for is that you turn the logging on. Forensics find all the information in the logs so we insist you turn the logging on. Except, if nobody ever looks at these logs and they're sending out alerts, what good is it? It's up to the merchant to make sure they stay in compliance and that they are secure. For each of those [big public] breaches credit card companies looked at the logs [and found] that none of them was compliant at the time of the breach.
But I thought Heartland executives said they were compliant.
Russo: They had that piece of paper that said they were compliant but they weren't. What happened at Heartland was a SQL injection attack [in which an attacker injects commands to a back end database using input fields on a Web site]. That's an old exploit and there are myriad ways to prevent that outlined in the standards. As it turns out they were not complaint at the time of the breach. [Heartland CEO Robert Carr eventually disclosed that the assessors had incorrectly informed the company that it was PCI compliant.]
Now this is amusing.
http://www.databreaches.net/?p=9896
Liechtenstein bank owes tax dodger damages, court rules
February 8, 2010 by admin
A German tax dodger has won millions in damages in a suit against his Liechtenstein bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to Berlin for a criminal investigation.
The case against LGT Treuhand, a former subsidiary of the LGT Group, was decided in January, according to a report in daily Süddeutsche Zeitung on Monday.
The Bad Homberg real estate developer, who was exposed for tax evasion when a bank employee sold the data to the German intelligence service for €4.5 million two years ago, has been awarded €7.3 million by the Vaduz district court.
Read more in The Local (De)
[From the article:
The Liechtenstein court case has been closely watched by numerous other Germans who are also planning to sue the bank, the paper said.
They argue that if the bank had informed them that their data had been sold, they could have turned themselves in, receiving temporary amnesty and much lower fines.
This should be interesting. Has Paypal been hacked?
Paypal Reverses Payments Made To Indians
Posted by kdawson on Sunday February 07, @02:19PM
bhagwad writes
"Beginning January 28, Paypal has been reversing the payments made to any Indian provider of services. In addition, Indian users have been unable to withdraw their money to their bank accounts. As a result, a large number of Indian Paypal accounts have a negative balances running into the thousands of dollars. The worst part is that users weren't informed beforehand — the funds were just whisked away. Indian providers have gone ballistic, with over 2,000 posts on a thread on the reversal of payments and over 700 posts on this thread about the delay in transfers. Paypal hasn't given any explanation to this behavior other than they're looking into it. Although Paypal claims in the above blog post that payments made for 'Services' are not being reversed, this is not true. All payments not made for 'Goods' with a shipping address have been reversed — in fact, the Paypal e-mail tells the Indian sellers to encourage their clients to lie and claim that they're paying for goods with a shipping address instead."
A tool to extend your personal surveillance capabilities.
Vitamin D Video Surveillance System Sheds Beta Tag, Announces Pricing
by John Biggs on February 8, 2010
Vitamin D Video has officially gone out of beta and is now available in 1.0. The basic, single camera version of the software is available now for free while a two camera version costs $49 and unlimited cameras costs $199. The software watches a web-based camera – including many popular models from Linksys and D-Link – and records motion as it it happens, even alerting you when humans step into the frame.
What, again? You'd think someone at the White House would know a lawyer...
White House Claims Copyright On Flickr Photos
Posted by kdawson on Sunday February 07, @04:39PM
Hugh Pickens writes
"US government policy is that photos produced by federal employees as part of their job responsibilities are not subject to copyright in the US. But Kathy Gill writes that after originally putting official White House photos in the public domain, since January the Obama White House has been asserting that no one but 'news organizations' can use its Flickr photos taken by the official White House photographer, who is a US government employee. This change appears to be a heavy-handed response to last month's controversy resulting from a billboard that implied the President endorsed The Weatherproof Garmet Co. after the company used an AP photo of the president for a Times Square billboard. However a New York law already protects individuals from unauthorized use of their image for advertising, and the billboard was quickly taken down. Gill writes, 'Whatever the reason, the assertion of these "rights" seems to be in direct contrast to official government policy and is certainly in direct contrast to reasonable expectations by the public, given that the photos are being produced with taxpayer (i.e., public) money. Ironically, the same Flickr page that claims (almost exclusive) copyright also links to the US copyright policy statement.'"
For my Statistics students. Using statistical techniques to analyze....
Statistical Analysis of U of Chicago Graffiti
Posted by kdawson on Monday February 08, @01:34AM
quaith writes
"Quinn Dombrowski, a member of the University of Chicago's central IT staff, has been recording the graffiti left in the Joseph Regenstein Library Since September 2007. To date she has photographed and transcribed over 620 pieces of graffiti; over 410 of them are datable to within a week of their creation. She has now published in Inkling Magazine a statistical analysis of the entire graffiti collection covering such subjects as love, hate, despair, sex, anatomy, and temporal fluctuations of each of these. After November, both love and despair graffiti drop off significantly until spring, while sex graffiti reaches its one and only peak in December before declining for the rest of the school year. The story includes links to all of the original graffiti photos, which the researcher has made freely available to use under a Creative Commons Attribution-Share Alike license."
For my Computer Security class. I wonder what the school administration will say...
http://www.makeuseof.com/tag/create-custom-logon-screen-windows-logonstudio/
How To Easily Create a Custom Logon Screen for Windows with LogonStudio
By Tim Lenahan on Feb. 7th, 2010
For my website students.
http://www.makeuseof.com/dir/calameo-easy-document-sharing/
Calameo: Easy Document Sharing & Publishing Website
Calameo is an easy document sharing and publishing service that lets you create online magazines from your offline documents. You could upload PDF files, spreadsheets, word documents and powerpoint presentations to create reports, magazines, catalogs, brochures etc and publish it online. Once published, it can be easily shared across multiple social networks, emailed to friends and added to the community where you can get feedback from readers on the published material.
For more similar sites see our article “3 Websites To Publish & Share Your PDFs Online“
For my B students. (Remember, I get 10%!!!)
How To Make Money In Online Video
by Guest Author on February 7, 2010
Video will be Everywhere: on all Websites
Video on the Web is no longer just about entertainment. It is also about marketing, instruction, and conveying information of all kinds.
Content bellwether Wikipedia announced it will be rolling out videos soon enough.
e-Commerce leader Zappos encourages users to submit their video experiences which increase sales 6% to 30%. In 2010, it will create 50,000 videos.
It won’t be long before organizations feature their accountants, lawyers, management, VCs in videos too.
No comments:
Post a Comment