Friday, July 22, 2011

Oh, the horror! My favorite anchovy/sausage pizza at risk! Well, maybe not...

http://www.databreaches.net/?p=19722

Franchises from at least three national pizza chains hacked

July 21, 2011 by admin

Scott Thomas Anderson reports:

The rampant hacking of credit cards and ATM accounts that has hit Amador County is partly the result of “malicious software” installed at a Martell business, according to investigators from Amador County Sheriff’s office. Worse yet, six months of online victimization may not be over for some locals, particularly for those who entered Mountain Mike’s Pizza last winter without cash in their hands.

Sheriff’s officials updated reporters yesterday afternoon about a lengthy investigation into more than 70 cases of ATM/credit card fraud inundating its investigations bureau. Additional cases have also been reported to the Jackson Police Department. Undersheriff Jim Wegner said his detectives had been working closely with fraud units from several banks affected by the string of crimes, which began at the end of 2010 and gained an almost overwhelming momentum by February of this year.

Read more on Ledger Dispatch.

So far, only that one Mountain Mike’s Pizza store in California has been identified as having been breached from that chain, but other national chains have not been so fortunate, it seems.

In March, Extreme Pizza disclosed that the point of sale (POS) systems at a number of its west coast franchises had been compromised beginning in August 2010. Customers’ credit and debit card numbers were reportedly misused between then and January 2011. In an FAQ on its site, the chain said it was first made aware of the breach on February 28, 2011. Sixteen stores in California as well as stores in Colorado and Oregon were affected.

Both the Extreme Pizza and Mountain Mike’s Pizza breaches were on the west coast, where a third national pizza chain, zpizza, is also headquartered. zpizza provided DataBreaches.net with the following statement:

Zpizza was affected by malware on our point of sales system used to process credit and debit card transactions at 12 of our locations. These incidents did not involve an internal security issue within zpizza, and based on investigation, we have sufficient reasons to believe that zpizza is one of many small businesses across the nation that was affected by a computer hacker. Additional details about the issue are on store websites.

Zpizza is working with the Secret Service to address and resolve this issue as quickly as possible. Additionally, we have hired an outside consultant to ensure that our point of sale systems are secure and protected from any further intrusion.

[...]

The notice posted on individual stores’ web sites in mid-May read:

An Important Notice to our Customers

This notice pertains to any customer who used a credit card or debit card at the (LOCATION) zpizza location from September 2010 through and including January 2011. In advance, zpizza apologizes for any inconvenience that you may experience from the circumstances described below.

Zpizza recently discovered that an unauthorized person wrongfully accessed certain point of sale systems that zpizza uses to process credit and debit card transactions. Based upon its investigation to date, zpizza reasonably believes that a computer hacker improperly acquired credit and debit card information. This incident did not involve an internal security issue within zpizza. [Except that it was their “internal security” that was breached? Bob] In fact, zpizza has learned that it is one of many small businesses across the nation that has been affected by this computer hacker.

Zpizza has moved swiftly to address this unfortunate incident and is working with the Secret Service to investigate it. zpizza is also working with an outside consultant to ensure that its point of sale systems are secure and protected from any further intrusion.

If you have used your credit card or debit card at this zpizza location from September 2010 through and including January 2011, please consider taking the following immediate steps in order to prevent the unauthorized and unlawful use of your personal information:

[...]

Some of the locations of affected zpizza stores include California, Montana, and Virginia.

Elsewhere, a breach involving a national pizza chain was also rumored to be the source of card fraud reports in the Ohio area, but whether that will pan out (no pun intended) and whether it’s yet another national pizza chain remains to be seen.

Firefly POS Implicated?

At least a few people involved with the situation have been pointing fingers at the Firefly POS software. Over on PMQ.com, a forum for the pizza industry, one owner wrote:

We had a breach of our credit card system. Talked to the bank fraud unit, the local authorities and forensic audit companies. The indication is that the majority of credit card breaches have been with the Firefly/Granbury system from what the people we contacted have said.

Other sources with knowledge of the situation also allege that the breached units of Extreme Pizza and zpizza were all, or almost all, using Firefly. A spokesperson for zpizza confirmed to DataBreaches.net that their breached units were using Firefly.

Whether the Firefly allegations are also correct for Extreme Pizza and other pizza stores could not be confirmed at the time of this posting. Granbury was contacted several times over the past two weeks and asked to respond to the allegations but did not provide answers to questions posed or any statement specifically addressing a number of allegations that have been made.

Charles Hoff, an attorney who has been involved in a number of high-profile cases where restaurants have sued POS vendors and/or their installers, replied “No comment” when asked whether he has been asked to file any lawsuits against Firefly, its parent company, Granbury, or any of their authorized installers.

Deja Vu All Over Again?

The breach description for Mountain Mike’s Pizza sounds somewhat like a number of restaurant breaches in 2008 that occurred when login credentials to remote access to the desktop were left in a default state and were exploited by hackers. [Let's hope that isn't the case again! Bob] At least one commenter on PMQ.com indicates that his system was breached by a remote-access account that had been enabled to allow support.

As of 2006, Visa had issued warnings about the risks of enabling remote access software – warnings that it has repeated numerous times since. Despite Visa’s repeated warnings, remote access compromise accounted for 41% of attacks in the merchant category during the period January 2009 – June 2010. As recently as April 19, Visa issued an alert, “Remote Access Vulnerabilities—Most Frequent Attack Method Used by Intruders,” and asked acquirers and processors to share the alert with merchants as soon as possible. But despite repeated warnings, either Level 4 merchants have not gotten the message or they have not understood how to ensure they comply with industry standards on firewalls and the need to change default configurations.

Ultimately, of course, it is the stores that are responsible for the security of customers’ credit card and debit card data, and it is the stores that suffer if customers stop using cards or stop frequenting a store if they’ve suffered fraud as a result of transactions with a merchant. But are the processors, acquirers, vendors, and installers doing enough to help the merchants who pay large fees to get a system that they believe is compliant? It doesn’t seem so if four years later, we are still talking about a lot of POS hacks in the restaurant sector.

In the meantime, if these breaches occurred in August and September of 2010 and there was a rash of fraud, how many other national pizza chains were also affected that we haven’t yet found out about in the media? Hopefully, some of the mainstream journalists will start digging into this a bit more.



I suspect (hope!) they used very weak encryption. I'd hate to think serious encrypting could be easily broken.

http://www.databreaches.net/?p=19760

StudentCity.com hacked; hackers decode encrypted credit card data

July 21, 2011 by admin

I just read a breach disclosure to the New Hampshire Attorney General’s Office with accompanying notification letters to those affected that impressed me favorably. But first, to the breach itself:

StudentCity.com, a site that allows students to book trips for school vacation breaks, suffered a breach in their system that they learned about on June 9 after they started getting reports of credit card fraud from customers. An FAQ about the breach, posted on www.myidexperts.com explains:

StudentCity first became concerned there could be an issue on June 9, 2011, when we received reports of customers travelling together who had reported issues with their credit and debit cards. Because this seemed to be with 2011 groups, we initially thought it was a hotel or vendor used in conjunction with 2011 tours. We then became aware of an account that was 2012 passengers on the same day who were all impacted. This is when we became highly concerned. Although our processing company could find no issue, we immediately notified customers about the incident via email, contacted federal authorities and immediately began a forensic investigation.

According to the report to New Hampshire, where 266 residents were affected, the compromised data included students’ credit card numbers, passport numbers, and names. The FAQ, however, indicates that dates of birth were also involved.

Frustratingly for StudentCity, the credit card data had been encrypted but their investigation revealed that the encryption had broken in some cases. In the FAQ, they explain:

The credit card information was encrypted, but the encryption appears to have been decoded by the hackers. It appears they were able to write a script to decode some information for some customers and most or all for others.

The letter to the NH AG’s office, written by their lawyers on July 1, is wonderfully plain and clear in terms of what happened and what steps StudentCity promptly took to address the breach and prevent future breaches, but it was the tailored letters sent to those affected on July 8 that really impressed me for their plain language, recognition of concerns, active encouragement of the recipients to take immediate steps to protect themselves, and for the utterly human tone of the correspondence.

Kudos to StudentCity.com and their law firm, Nelson Mullins Riley & Scarborough, LLP, for providing an exemplar of a good notification. [About time someone figured it out... Bob]



I thought their security sounded a bit weak... What does this do to the case if everything is already available on the Internet?

http://www.wired.com/threatlevel/2011/07/science-pirate-bay/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Huge Trove of Academic Docs Posted Online in Response to Activist Arrest

Just two days after activist hacker Aaron Swartz was charged with hacking for downloading too many academic articles, a giant collection of articles from the same service has been posted to the notorious file sharing search engine, The Pirate Bay.

The documents are allegedly 18,952 scientific articles from the Philosophical Transactions of the Royal Society that were downloaded at some point from the scholarly archive service JSTOR. JSTOR is the same service that Swartz is accused of stealing from for downloading 4 million articles via a guest account at MIT.

But according to the note accompanying the huge download, these are not the files that Swartz is accused of downloading (and returning). Instead, the manifesto says the documents came from another source, and the manifesto is signed by a person identifying himself as Greg Maxwell. The manifesto says the documents date back before 1923, making them public domain — though that contention might not be the case, given the difference between U.S. and U.K. copyright laws.



Stephen Rynerson points me to a service for those of us who don't want to play in TSA's Security Theater. Flying in a small plane means you can't possibly be a terrorist and therefore don't need to go through security. I think this may even be cheaper than Stephen's private jet!

http://blogs.forbes.com/edzitron/2011/06/29/planered/

PlaneRed To Taunt Airlines, TSA

PlaneRed is an all-you-can-eat flight subscription launching around September 1st 2011 that will fly just below the TSA’s radar – using 9-person planes to dodge under their screening of any plane carrying over 10 passengers. The subscriptions will work as such – passengers will pay around $150 a month for access to a booking system much like a city bus, able to book on popular routes on the east coast, serving Atlantic City, New York, Philadelphia, Washington D.C. They hope to expand quickly to Boston, and then open up new runs in Texas, California, and the Midwest.

… They’re seeking VC investment, but only from those who understand what they’re going for and share the pain of the average airline passenger. “Anything that lets us fly faster, better, and simpler is welcomed around here.”

The first 10,000 signups to PlaneRed’s website will have access to the initial subscription packages.



Still early days, but worth looking at (and trying to educate your Congressman?)

http://www.pogowasright.org/?p=23791

The SAFE Data Act: An admirable attempt that needs expansion



I wonder why they don't already spell this out in their policy... Bad security and bad insurance choices?

http://www.databreaches.net/?p=19747

Sony insurer sues to deny data breach coverage

July 21, 2011 by admin

Ben Berkowitz reports:

One of Sony Corp’s insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year.

Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims “asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general.”

Read more on Reuters. Chris Dolmetsch of Bloomberg also covers the lawsuit.

I’ve uploaded a copy of the complaint and summons as well as the exhibits.

[From the Reuters article:

Zurich American, in its court papers, said 55 purported class-action complaints have been filed in the United States against Sony.

… Zurich American said its policy only covers the Sony unit for "bodily injury, property damage or personal and advertising injury." It said no such claims have been made in any of the class-action lawsuits.



Some may even be worth watching...

Videos from Health Privacy Summit Now Available

By Dissent, July 22, 2011

Organizers of the June 13th, D.C. Health Privacy Summit, “Getting IT Right: Protecting Patient Privacy in a Wired World” [http://www.healthprivacysummit.org], today announced the release of all videos from the Summit.

… For the full agenda, more information on the panels, and links to each video, see: http://www.healthprivacysummit.org/agenda.



Yes. The actual question is “By whom?” and under what circumstances?

http://www.pogowasright.org/?p=23809

Are Student Cell Phone Records Discoverable?

July 21, 2011 by Dissent

Joshua A. Engel reports:

The debate over when officials can search a student’s cell phone is an emerging e-discovery issue. This is illustrated in the recent case N.N. v. Tunkhannock Area School District, Civil Action No. 3:10-CV-1080, U.S. District Court for the Middle District of Pennsylvania.

In this case, a student at Tunkhannock Area High School in Tunkhannock, Pa., violated a school policy requiring cell phones to be turned off and stored in lockers during the school day by placing a call from her cell phone while on school property. A teacher confiscated the phone. School officials then examined the contents of the cell phone and discovered what appeared to be inappropriate photographs stored in the phone’s memory. [Why would they do that? Bob]

Read more on Law Technology News.



For my Computer Security and Ethical Hacking students. First Rule: Protect yourself. Second Rule: Leave no traces. (Eighty-fourth Rule: Send 10% to my Swiss Account)

A Linux Distro From the US Department of Defense

"The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the U.S. Department Of Defense. The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker's own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user's activities behind."



Gosh, maybe there are legitimate uses for BitTorrent...

http://torrentfreak.com/artists-share-50000-free-music-albums-on-bittorrent-110721/

Artists Share 50,000 Free Music Albums on BitTorrent

With more than 300,000 tracks and 50,000 albums published since its inception, the music publishing website Jamendo holds one of the greatest libraries of free music online. A great success story that is in part powered by BitTorrent. From the start the site embraced P2P downloads to save resources and because artists and fans appreciated it.

http://www.jamendo.com/en/



Tools for research?

7 Library Tools Students Would Find Handy

WorldCat

WorldCat.org lets you search the collections of libraries in your community and thousands more around the world. WorldCat is one of the largest networks of library content and services, which students can use to complete their projects, essays and other school/university related work.

LOC Catalog

LOC Catalog contains a massive library of books, serials, computer files, manuscripts, cartographic materials, music, sound recordings, and visual materials which can be useful for students. They can search for different books to study for their exams, complete assignments and much more.

Smithsonian Institution of Libraries

SIL was founded in 1846 and manages around 20 branches today, which contain hundreds of thousands of books and electronic journals that students can check and take help from.

Libweb

Libweb consists of over 8000 pages in over 146 countries which can be used to search libraries, their location, name and other information and can be used by students to find out about libraries in their areas.

National Library of Medicine

The National Library of Medicine (NLM), on the campus of the National Institutes of Health in Bethesda, Maryland, is the world’s largest medical library and collects materials, provides information and research services in all areas of biomedicine and health care.

Library Elf

Elf is a web-based and email tool for library users to keep track of their library borrowings and helps users keep track of what they have on loan from the library.

IPL2

ipl2 is a public service organization which helps students get answers to different academic questions from other students, volunteer library and information science professionals.



Attention all Academic (and other) researchers! Dilbert illustrates (in three frames) why selecting the proper sample increases the odds of a successful survey!

http://dilbert.com/strips/comic/2011-07-22/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dilbert%2Fdaily_strip+%28Dilbert+Daily+Strip+-+UU%29
