Tuesday, March 02, 2010

Why it is silly to state “We have no reports of fraud” the day you announce the breach. It is also risky to hold off replacing cards until you have proof of fraud.

http://www.databreaches.net/?p=10326

New fraud reports linked to Heartland breach

March 2, 2010 by admin

Ann Butler reports:

As many as 5,000 First National Bank of Durango customers may find they are unable to make purchases with their debit cards after a number of fraudulent transactions.

“We’re trying to get ahead of this,” said Moni Grushkin, a senior vice president at the bank. “We want to minimize losses and protect our customers.”

On Friday, the bank received two calls from customers who discovered charges on their bills they had not made, she said. As First National bankers were meeting to discuss the situation Monday, they heard from several more customers and their credit-card processor that a lot of debit cards had been compromised. Fewer than 20 customers had reported fraudulent charges by Monday afternoon.

The fraud is the result of more than 100 million transactions from all major credit-card brands being hacked from the computers at Heartland Payment Systems, a third-party credit-card processor, almost two years ago.

Read more in The Durango Herald.


(Related) How widespread will this become?

http://www.databreaches.net/?p=10331

Rash of identity thefts hits Valley

March 2, 2010 by admin

David Bolling reports:

A wave of identity theft has struck Sonoma with numerous local citizens falling victim to fraudulent bank charges. In the past week alone, at least nine Sonoma residents reported fraudulent charges billed to their bank accounts through bank card transactions they did not make.

The charges were global in scope, occurring in places as far afield as Singapore, the Philippines, Washington, D.C., New York City, Nashville, Tenn., and Milwaukee, Wisc. Illegal transactions have ranged from $10 at a fast-food restaurant to a variety of charges totaling more than $3,200 on one card. ID thieves bought airline tickets, gasoline, clothes and $624 worth of shoes.

Many, if not most, of the fraud cases may be traced to one Internet hacker who penetrated the transaction records of a card processing company employed by a Sonoma business. Police did not identify the company in question. The security breach has since been plugged but apparently the damage had already been done. Not all the cases are necessarily related to that one breach, said Sonoma Police Sgt. Darin Dougherty. “Other locations could have been compromised,” Dougherty said, “It’s been going on for almost a month.”

Read more on Sonoma News.

Card processing company? Is this still the Heartland breach or something else? Given that there are new reports of fraud linked to the Heartland breach coming out of Colorado this month, it’s possible, I suppose. It would be nice if we were actually given pesky little details like the names of breached entities or their payment processors.



“Oh yeah, encryption. Now we understand why we should have been doing that.”

http://www.databreaches.net/?p=10305

Shands notifies individuals of information breach

March 1, 2010 by admin

Shands Healthcare has now revealed more details on the breach mentioned last week. In a press release on their web site, they write:

Shands HealthCare officials have notified about 12,500 individuals that a Shands-owned laptop computer containing their health and other personal information was stolen last month.

The laptop held information about Shands patients and individuals who were referred over the past three years to the Shands at the University of Florida gastroenterology clinical services department, referred to as the G.I. Clinical Services department. Personal information stored on the laptop may include names, addresses, physician name, medical record numbers and abbreviated medical procedure or condition codes. The laptop also contained the Social Security numbers of about 650 people.

Shands has no evidence to believe that any of the confidential information stored on the computer has been used for fraudulent purposes. However, as a precaution, Shands officials have worked to quickly notify the people whose information was on the computer. Letters have gone out this week providing information and instructions about taking additional protective steps. Shands has also posted a notice on its public Web site Shands.org and has alerted statewide media per state and federal guidelines.

“We very much regret that this happened,” said Shands HealthCare CEO Timothy Goldfarb. “We’re doing all we can to work with and support those affected. We’re also working to reinforce our privacy policies and practices within the organization.”

A Shands employee had downloaded the health information onto an unencrypted Shands-owned laptop at home for work-related purposes. The employee reported the computer stolen on Jan. 27 when the employee’s home was burglarized. The Gainesville Police Department was notified immediately and initiated an investigation into the theft. Shands also immediately launched an internal investigation. The Shands HealthCare Privacy Office has reported this incident in compliance with state and federal regulations.

Shands leaders have since launched a systemwide encryption initiative to better safeguard protected health information stored on Shands-owned computers, laptops and other portable communications devices as well as on employee-owned devices used to support Shands work.

Cross-posted from PHIprivacy.net



Looks like they are finally starting to get their act together...

http://www.databreaches.net/?p=10308

OCR/HHS reveals two more breaches

March 1, 2010 by admin

The public list of breaches reported to HHS under the HITECH Act was updated to add two entries. Both entries are associated with the same business associate: MSO of Puerto Rico. I do not see anything on the web sites of the covered entities or the business associate about the incident nor did I see any press release in any of the major media outlets I routinely check for breach-related news.

[ … ]

While it is encouraging to see OCR updating the site in a timely fashion, we still do not know what types of information were involved nor how the breach occurred. Did an insider steal records, were they destroyed insecurely, was there a burglary? And how can we evaluate the risk? Did the paper records contain SSN, credit card information, diagnoses, treatment codes, Medicare Identification Numbers, or what? HHS is receiving this information from the entities but the HITECH Act does not require HHS to make all of the details publicly available on their site. It merely requires that a list of breached entities be posted.

I have not yet received an answer to my follow-up questions to OCR about the shielding of private practitioners’ names and the public-records nature of these breach reports, so there is nothing new to report on that front other than that I consider this a very important issue that goes to the core of open records. As a matter of public policy and decision-making, we need to know more about what is going on so that we can learn from it and develop better strategies for protecting the privacy and security of patients’ records.



No new fact and no indication of any progress toward resolution.

http://www.pogowasright.org/?p=8080

Webcamgate class action? Parents say “no, thanks”

March 2, 2010 by Dissent

Dan Hardy reports:

A group of Lower Merion and Harriton High School parents will meet tonight to discuss ways to derail the possibility that a federal lawsuit over laptop spying could lead to a lengthy and expensive class-action case against their district.

Bryn Mawr resident Michael Boni, one of the organizers, said yesterday: “We have spoken to our neighbors and friends, and it seemed that there was a groundswell of opposition to one family with one lawyer bringing this action on behalf of the community.”

He said the parents were “not suggesting there weren’t problems” with how the district has handled the laptop issue. “But we don’t think [a class-action lawsuit] is the answer.”

The group, which calls itself lmsdparents.org, is limited to parents of students at the two high schools. Between 300 and 400 parents had signed on by yesterday afternoon, said Bob Wegbreit, another founder.

A related group calling itself Parents in Support of the Lower Merion School District, which said it shared the same objectives, had garnered more than 700 signatures on an online petition by yesterday evening.

Read more on Philly.com.



Be afraid, be very afraid. Make sure your Security Manager sees this! My Computer Security students will.

http://it.slashdot.org/story/10/03/02/0047249/Aurora-Attack-mdash-Resistance-Is-Futile-Pretty-Much?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Aurora Attack — Resistance Is Futile, Pretty Much

Posted by kdawson on Monday March 01, @09:36PM

eldavojohn writes

"Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection:

'1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.

2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.

3. The malware calls out to a control server, likely identified by a dynamic DNS address.

4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.

5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.

7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.'

The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
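Two of the steps in that chain leave traces a defender can look for without any special tooling: the callout to a dynamic-DNS control server (step 3) and the reuse of one local administrator credential across many machines (step 4). The following is an added example, not code from the iSec report or from Slashdot; the log line format, the hostnames, and the list of dynamic-DNS suffixes are all constructed for illustration and are assumptions, not indicators from the actual Aurora incident.

```python
"""Toy detections for two steps of the Aurora chain described above:
step 3 (malware beaconing to a dynamic-DNS C2 name) and step 4 (one
local/cached admin credential reused across many hosts over the network).

The log format and the dynamic-DNS suffix list are ASSUMPTIONS made for
this example; they are not from the iSec report or from any real product.
"""
from collections import defaultdict

# ASSUMPTION: illustrative list of dynamic-DNS suffixes. A real deployment
# would maintain this from threat-intel feeds rather than hard-code it.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "3322.org", "8866.org")

# Constructed sample logs (not real data).
# Format: "dns <ts> <host> <qname>"  or  "logon <ts> <host> <account> <local|network>"
SAMPLE_LOGS = """\
dns 2010-03-01T09:01:02 ws-0412 www.example.com
dns 2010-03-01T09:01:07 ws-0412 update.corp.example.com
dns 2010-03-01T09:03:15 ws-0412 mail-sync.no-ip.com
dns 2010-03-01T09:08:15 ws-0412 mail-sync.no-ip.com
dns 2010-03-01T09:13:15 ws-0412 mail-sync.no-ip.com
logon 2010-03-01T10:00:00 ws-0412 Administrator local
logon 2010-03-01T10:02:10 fs-01 Administrator network
logon 2010-03-01T10:02:41 db-03 Administrator network
logon 2010-03-01T10:03:05 dc-01 Administrator network
logon 2010-03-01T10:30:00 ws-0099 jsmith local
"""


def parse(log_text):
    """Yield (kind, timestamp, host, remaining_fields) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, ts, host, *rest = line.split()
        yield kind, ts, host, rest


def is_dyndns(name):
    """True if the query name is, or is a subdomain of, a listed dynamic-DNS zone."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def dyndns_beacons(log_text, min_hits=3):
    """Return {(host, qname): count} for dynamic-DNS names a host resolved
    at least min_hits times. Repetition is what separates a beacon from a
    one-off lookup of some hobbyist's home server."""
    counts = defaultdict(int)
    for kind, _ts, host, rest in parse(log_text):
        if kind == "dns" and is_dyndns(rest[0]):
            counts[(host, rest[0].lower())] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


def local_admin_spray(log_text, min_hosts=3):
    """Return {account: sorted hosts} for accounts seen in *network* logons
    on at least min_hosts distinct machines. A built-in local admin account
    should rarely authenticate over the network at all; one hitting several
    servers within minutes is the lateral movement of step 4."""
    hosts = defaultdict(set)
    for kind, _ts, host, rest in parse(log_text):
        if kind == "logon" and rest[1] == "network":
            hosts[rest[0]].add(host)
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for (host, qname), n in dyndns_beacons(SAMPLE_LOGS).items():
        print(f"ALERT beacon: {host} resolved {qname} {n} times")
    for acct, hosts in local_admin_spray(SAMPLE_LOGS).items():
        print(f"ALERT lateral: {acct} network logons on {', '.join(hosts)}")
```

Both rules are deliberately dumb: no allow-list for the corporate domain, no time window on the logon spray. In practice the thresholds and the suffix list are the tuning knobs, and the second rule is far more valuable if the environment already forbids network logons by local administrator accounts, because then any hit is a finding rather than a statistic.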



Perhaps we can learn from this?

http://www.pogowasright.org/?p=8077

Court rules anti-terror data storage illegal

March 2, 2010 by Dissent

In a victory for privacy advocates, Germany’s highest court on Tuesday knocked down an anti-terrorism law that allows authorities to store all phone and internet records of private citizens.

The Karlsruhe-based Constitutional Court ruled that the mass storage of private records breaches Germany’s constitution, effectively overturning a law passed in 2008 that compels communications companies to keep tabs on customer phone and internet usage for six months.

The court also demanded that data already stored be deleted ”immediately,” according to the website of news magazine Der Spiegel.

Read more in The Local (De). The Globe and Mail in Canada also covers the news.



Another instance of covering up a downturn in revenue by simply “inventing” new charges to add to customer bills. This is really simple to do when you have a computer and probably a large proportion of their customers didn't even notice.

http://www.databreaches.net/?p=10322

Payment Processing CEO Banned from the Business; Company Illegally Debited Millions from Consumers’ Bank Accounts

March 2, 2010 by admin

The chief executive officer of a payment processing company will be banned from the business as part of a settlement resolving Federal Trade Commission charges that the company illegally debited millions of dollars in bogus charges from consumers’ bank accounts.

In 2007, the FTC charged the executive, Tarzenea Dixon, her company, and others with processing unauthorized debits on behalf of deceptive telemarketers and Internet-based schemes they knew, or deliberately avoided knowing, were violating the FTC’s Telemarketing Sales Rule. In addition, the attorneys general of Illinois, Iowa, Nevada, North Carolina, North Dakota, Ohio, and Vermont charged the defendants with violating various state laws.

According to the FTC complaint, the company played a critical role in helping many of its clients carry out these illegal schemes by providing access to the banking system and the means to extract money from consumers’ bank accounts. Between June 23, 2004, and March 31, 2006, the defendants processed more than $200 million in debits and attempted debits. More than $69 million of the attempted debits were returned or rejected by consumers or their banks for various reasons, an indication that in many cases consumers had never authorized the charges. In many instances, the merchants either failed to deliver the promised products or services or sent consumers relatively worthless items.

[ … ]

Wachovia Bank Redress Program

In December 2008, the FTC announced a settlement between the Office of the Comptroller of the Currency and Wachovia Bank, N.A. to issue more than $150 million in redress checks to victims of telemarketing fraud. The checks reimbursed consumers for funds deducted from their accounts by three payment processors that maintained accounts with Wachovia, including Your Money Access.



For my Computer Forensic students. Now we can manufacture evidence to order! (Okay, we could always do that, but this makes it easier...) Think of all the government “Bounty” programs, like those for turning in tax cheats.

http://techcrunch.com/2010/03/01/chrome-experimental-apis/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Coming Soon To Chrome: Extensions That Can Alter Your Browsing History

by MG Siegler on Mar 1, 2010

… “Experimental history” is described as follows:

The history API lets you query and modify the user’s browsing history. When it’s finalized, we’ll also allow you to replace the history page with your own, just like you can replace the new tab page today.



Security can be designed to ensure privacy. But not if you don't care...

http://www.phiprivacy.net/?p=2115

AU: Medicare privacy breaches ‘only the beginning’

By Dissent, March 2, 2010 7:04 am

Carly Laird reports:

Revelations that Medicare employees are being investigated for spying on customers’ personal information have renewed fears from privacy advocates that healthcare staff cannot be trusted. [Staff make spur-of-the-moment, idle-curiosity peeks. Simple compartmentalization of security (with a warning message) would stop 99% of this. Bob]

As the Federal Government works to bring in a national identity scheme for patients, around 400 cases have emerged of unauthorised snooping on people’s private records over the past four years.

Medicare says it has implemented privacy controls and that the number of cases of snooping has been getting smaller, however it is not known who or how far the information was allowed to spread.

The agency has given few details of how the snooping was allowed to occur and no one from Medicare was available to speak to PM this afternoon.

The privacy commissioner, Karen Curtis, insists Medicare is not ignoring the issue.

“Any privacy breach is a concern, but the fact that Medicare is monitoring and investigating these potential breaches of personal information and they’ve got systems in place, that’s actually good news,” she said.

Read more on ABC (AU)
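The "compartmentalization with a warning message" suggested in the bracketed comment above is usually implemented as break-the-glass access: a record in your own work queue opens silently, anything else requires a typed reason, shows a warning, and lands in an audit trail the privacy office reviews. This is an added illustration of that pattern and is not a description of Medicare Australia's systems; the roles, record identifiers and audit format are assumptions made for the example.

```python
"""Break-the-glass record access: same-compartment reads are silent,
out-of-compartment reads need a stated reason, display a warning and are
written to an append-only audit trail.

Compartment names, record IDs and the audit tuple layout are ASSUMPTIONS
for this example and do not describe any real agency's system.
"""
from collections import Counter
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Record:
    record_id: str
    compartment: str   # ASSUMPTION: the team or work queue that owns the case


@dataclass(frozen=True)
class Staff:
    user_id: str
    compartment: str


WARNING = ("You are opening a record outside your work queue. This access is "
           "recorded with your stated reason and reviewed by the Privacy Office.")


@dataclass
class RecordAccess:
    # Append-only audit trail: (user_id, record_id, outcome, reason).
    # In a real system this goes to a store the clerks cannot edit.
    audit: list = field(default_factory=list)

    def open_record(self, who, rec, override_reason=None):
        """Return {"record": id, "warning": text-or-None} or raise AccessDenied."""
        if who.compartment == rec.compartment:
            self.audit.append((who.user_id, rec.record_id, "ALLOWED", None))
            return {"record": rec.record_id, "warning": None}
        reason = (override_reason or "").strip()
        if not reason:
            # Denied *and* logged: the attempt itself is a signal worth keeping.
            self.audit.append((who.user_id, rec.record_id, "DENIED", None))
            raise AccessDenied(f"{rec.record_id} is outside {who.user_id}'s compartment")
        self.audit.append((who.user_id, rec.record_id, "OVERRIDE", reason))
        return {"record": rec.record_id, "warning": WARNING}

    def override_counts(self):
        """Overrides per user: the privacy office's review queue. Idle curiosity
        shows up as many overrides with vague reasons from one account."""
        return Counter(user for user, _rec, outcome, _why in self.audit
                       if outcome == "OVERRIDE")


if __name__ == "__main__":
    ac = RecordAccess()
    alice = Staff("alice", "claims-north")
    bob = Staff("bob", "claims-south")
    rec = Record("R-1001", "claims-north")
    print(ac.open_record(alice, rec))
    try:
        ac.open_record(bob, rec)
    except AccessDenied as e:
        print("denied:", e)
    print(ac.open_record(bob, rec, "transferred case 4412"))
    print(ac.override_counts())
```

The point of the design is not that the warning stops a determined insider; it is that casual snooping needs a deliberate, attributable act, and the override log turns "around 400 cases over four years" from something discovered after the fact into a weekly report.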



If it wasn't for the occasional leak, we wouldn't even know these negotiations were happening. Until we were arrested for violating “double secret” laws.

http://yro.slashdot.org/story/10/03/01/2053246/Another-ACTA-Leak-Discloses-Individual-Country-Data?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Another ACTA Leak Discloses Individual Country Data

Posted by ScuttleMonkey on Monday March 01, @04:54PM

An anonymous reader writes

"On the heels of the earlier leak of various country positions on ACTA transparency, today an even bigger leak has hit the Internet. A new European Union document [PDF] prepared several weeks ago canvasses the Internet and Civil Enforcement chapters, disclosing in complete detail the proposals from the US, and the counter-proposals from the EU, Japan, and other ACTA participants. The 44-page document also highlights specific concerns of individual countries on a wide range of issues including ISP liability, anti-circumvention rules, and the scope of the treaty. This is probably the most significant leak to date since it goes beyond the transparency debate to include specific country positions and proposals."



There's “aggressive defense” and then there's “cockamamie nonsense”

http://news.yahoo.com/s/nm/20100301/tc_nm/us_lawsuit;_ylt=Ah6cxP.pxa5PLVf8bmpJdxis0NUE;_ylu=X3oDMTNlMmRqMzhpBGFzc2V0A25tLzIwMTAwMzAxL3VzX2xhd3N1aXQEY2NvZGUDbW9zdHBvcHVsYXIEY3BvcwM5BHBvcwM2BHB0A2hvbWVfY29rZQRzZWMDeW5faGVhZGxpbmVfbGlzdARzbGsDY3V0ZWJhYnl2aWRl

Cute baby video wins battle against music label

By Eriq Gardner

LOS ANGELES (Hollywood Reporter) – How much should a copyright owner pay for improperly telling a website to remove content?

Stephanie Lenz got into trouble with Universal Music Group in 2007 after she posted a YouTube video of her toddler dancing to the Prince song "Let's Go Crazy." The label fired off a letter demanding removal of the clip and YouTube complied.

Lenz then teamed with online free-speech advocates at the Electronic Frontier Foundation to get a judge to declare that her video was a "fair use" of the song. She then sought damages against Universal, the world's biggest record company, for sending a meritless takedown request.

Universal fought back by raising affirmative defenses that Lenz had bad faith and unclean hands in pursuing damages. Now a California district court judge has rejected those arguments, granting partial summary judgment to Lenz and paving the way for Lenz to collect attorneys fees.



So, when FedEx makes their bid, we should accept? Or is this one of those “We can afford to allow these jobs to be cut” businesses? At what point does it become obvious (even to politicians) that we no longer need a government run postal service?

http://www.bespacific.com/mt/archives/023638.html

March 01, 2010

WaPo: Postal Service Expected to Announce Significant Changes

Washington Post: "The U.S. Postal Service will release projections Tuesday that confirm for the first time the suspicion that mail volume will never return to pre-recession levels. In response, the agency is pushing anew for a dramatic reshaping of how Americans get and send their letters and packages... The Postal Service experienced a 13 percent drop in mail volume last fiscal year, more than double any previous decline, and lost $3.8 billion. The projections anticipate steeper drops in mail volume and revenue over the next 10 years, and mounting labor costs only complicate the agency's path to firm fiscal footing...the Postal Service will ask Congress to cut mail delivery to five days per week...closing thousands of locations and moving some products and services to nearby supermarkets, office supply stores and pharmacies."



Have we already reached the “consolidation” phase of moving to the Cloud? I suspect Google has used their search engine to identify companies with complementary products that allow them to shortcut the development phase.

http://news.cnet.com/8301-17939_109-10461627-2.html?part=rss&subj=news&tag=2547-1_3-0-20

Google acquiring Web-based photo editor Picnik

by Rafe Needleman March 1, 2010 1:00 PM PST



It's called convergence, and it will impact you! Note: “Replace” here means “allow you to do without”; it does not mean us old fogies will ever stop using the tools we grew up with.

http://thenextweb.com/mobile/2010/03/01/10-gadgets-smartphone-replace/

8 Things Your Phone Will (Probably) Replace



A list for my website classes

http://www.pcworld.com/article/189032/20_free_ways_to_manage_video_music_and_photos.html

20 Free Ways to Manage Video, Music, and Photos


Ditto

http://www.noupe.com/tutorial/the-ultimate-collection-of-brilliant-web-design-tutorials.html

The Ultimate Collection Of Brilliant Web Design Tutorials



For my students

http://www.makeuseof.com/tag/create-portable-app-flash-drive/

How To Create Your Own Portable App For A Flash Drive



Green or dumb? I'll carry the generator, you get the HDTV and waffle iron.

http://www.wired.com/wiredscience/2010/03/backpack-hydroelectric-plant/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Backpack Hydroelectric Plant Gives You 500 Watts on the Move

A human-portable hydroelectric generator that weighs about 30 pounds and generates 500 watts of power may soon be a new option for off-grid power.



A magnitude 8.8 earthquake is really really powerful!

http://science.slashdot.org/story/10/03/02/0114236/Chilean-Earthquake-Shortened-Earths-Day?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Chilean Earthquake Shortened Earth's Day

Posted by kdawson on Monday March 01, @11:30PM

ailnlv writes

"Days on Earth just got shorter. The recent earthquake in Chile shifted the planet's axis by about 8 cm and shortened days by 1.26 microseconds. 'The changes can be modeled, though they're difficult to detect physically given their small size... Some changes may be more obvious, and islands may have shifted... Santa Maria Island off the coast near Concepcion, Chile’s second-largest city, may have been raised 2 meters (6 feet) as a result of the latest quake...'"

[Will shorter exposure to the sun decrease Global Warming? Or is that offset by shorter cooling at night? Bob]
