What didn't Heartland learn from their “Top 10” breach? Why can't victims pin down the scope of their breach? Why can't they even determine they have been breached?
Penn Station breach mushrooms to 80 locations; Heartland Payment and Secret Service investigating
June 15, 2012 by admin
Ruh oh. Tracy Kitten reports:
Restaurant chain Penn Station Inc. has upped the number of franchise locations affected by a payments breach to 80, almost double what it originally reported.
The breach, which Penn Station says it’s still investigating, is connected to a point-of-sale processing hack that may have exposed credit and debit details, but not PINs, [Not sure how you grab some data but not all... Bob] at restaurants in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania, Virginia, North Carolina and Tennessee.
[...]
Penn Station says its investigation into the breach, which is being overseen by its processor, Heartland Payment Systems, and the Secret Service, is ongoing and that results, to date, have been inconclusive.
Read more on BankInfoSecurity.com
[From the article:
On its list of frequently asked questions, the chain says the exposure was limited to cardholder names and card numbers because Penn Station only accepts signature-based transactions. [That answers my question. Bob]
… "We did not learn of the possibility of unauthorized access until late April," the company says in its updated FAQ. "Our first step after learning such information was to change the method for processing credit and debit card transactions." [Does this suggest the process had known flaws? Bob]
… Dunaway told BankInfoSecurity that Penn Station learned of the breach from a customer. The patron connected the dots after swapping stories with others who had suffered fraud following dining at a local Penn Station restaurant.
… Based on what Penn Station has revealed so far, industry experts suggest the breach could be linked to one or both of two possible scenarios - a processing hack, like the one that targeted 100 Subway locations between 2008 and May 2011, or a point-of-sale scheme, similar to the one discovered by the Michaels crafts store chain in May 2011. [Yep. Known flaws Bob]
A new flaw or a “backdoor” that US Cyber Command no longer requires? Since the US is now in the Cyber Attack business, we have to consider that they may “draft” some vendors for the “war effort.”
"The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The vulnerability was disclosed in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. 'Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,' the US-CERT advisory says. 'The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'"
According to the article, exposed OSes include "Windows 7, Windows Server 2008 R2, 64-bit versions of FreeBSD and NetBSD, as well as systems that include the Xen hypervisor."
How our infrastructure may die. Imagine similar security failures at a site that updates financial systems (or controllers for centrifuges...)
"A web site used to distribute software updates for a wide range of medical equipment, including ventilators, has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."
Be more private than the next guy...
June 15, 2012
EFF - How to Turn on Do Not Track in Your Browser
"In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices. The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome."
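The "signal transmitted from a user" is a single request header, DNT: 1; the policy half is what the receiving site does with it. The sketch below is an added illustration of the site side (not EFF's code or any browser vendor's): a handler that withholds its tracking cookie when the header asks it to. The cookie name and the request/response dictionaries are made up; the Tk response header comes from the W3C Tracking Preference Expression draft that the working group mentioned above produced.

```python
"""Honouring the Do Not Track (DNT) request header on the server side.

Added illustration, not code from EFF or from any browser. The request
and response are plain dicts of header names to values standing in for
whatever web framework a real site uses.
"""
from typing import Optional

TRACKING_COOKIE = "ad_visitor_id"   # hypothetical tracking identifier


def dnt_preference(headers: dict) -> Optional[bool]:
    """Return True if the user opted out (DNT: 1), False if they
    explicitly opted in (DNT: 0), None if no preference was sent.

    Header names are matched case-insensitively. Any value other than
    the "0" / "1" the header defines is treated as no preference, so a
    malformed header is never read as consent to track.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def build_response(request_headers: dict, visitor_id: str) -> dict:
    """Produce response headers for one request, respecting DNT.

    The page is served either way; only the tracking cookie is withheld
    when the visitor declined tracking. The Tk header (W3C TPE draft)
    reports the tracking status back to the browser: N = not tracking,
    T = tracking. Note that DNT is opt-out: an absent header means the
    site's default (tracking) behaviour applies.
    """
    response = {"Content-Type": "text/html"}
    if dnt_preference(request_headers) is True:
        response["Tk"] = "N"
    else:
        response["Set-Cookie"] = f"{TRACKING_COOKIE}={visitor_id}; Path=/"
        response["Tk"] = "T"
    return response
```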
Ubiquitous surveillance. Perhaps there will be a market for my Rent-a-Drone idea?
June 15, 2012
UK Mail reports Google and Apple deploying advanced satellite surveillance
Mail Online: "Spy planes able to photograph sunbathers in their back gardens are being deployed by Google and Apple. The U.S. technology giants are racing to produce aerial maps so detailed they can show up objects just four inches wide. But campaigners say the technology is a sinister development that brings the surveillance society a step closer. Google admits it has already sent planes over cities while Apple has acquired a firm using spy-in-the-sky technology that has been tested on at least 20 locations, including London. Apple’s military-grade cameras are understood to be so powerful they could potentially see into homes through skylights and windows. The technology is similar to that used by intelligence agencies in identifying terrorist targets in Afghanistan."
Oh boy, the MPAA's Justice Department isn't going to like this... I doubt that DoJ has had time to look at all the data they seized.
http://news.cnet.com/8301-1023_3-57454433-93/u.s-ordered-to-prepare-for-handover-of-megaupload-data/
U.S. ordered to prepare for handover of MegaUpload data
A New Zealand court has ordered the U.S. government to get ready to give MegaUpload founder Kim Dotcom and his co-defendants copies of the data from servers seized by federal agents, ComputerWorld reported today.
The data includes over 10 million intercepted emails, financial records and more than 150 terabytes of data stored on servers seized in New Zealand.
The same court told the U.S. in May that it had three weeks to show the evidence that supports its indictment against MegaUpload managers. [Wow! They won't take the MPAA's word for it? Bob]
The “Ban” didn't last long – unfortunately, stupid is forever...
World gets second helpings of girl's school dinner blog as ban is overturned
When nine-year-old Martha Payne set up a blog six weeks ago, to show pictures of her daily school lunch – sometimes meagre, often fried – it was meant as a writing project that would be seen by few others than her close relatives.
But word spread over social media, and in just over a week more than 100,000 people had viewed Martha's stark photos of her food, sitting on a white, prison-style tray.
Still, she could have been little prepared for the deluge of publicity on Friday, when Argyll and Bute council was forced into a humiliating climbdown over a decision to effectively close the blog, by banning photography in the school dining hall.
By 11pm, her blog, NeverSeconds, which has drawn the support of Jamie Oliver, had attracted more than 4m page views and she had managed to raise more than £52,000 for the charity Mary's Meals.
… Argyll and Bute came up with a response likely to be immortalised on public relations curriculums under "how not to do it".
A statement accused a girl of "unwarranted attacks" on local school meals "which have led catering staff to fear for their jobs".
The competition...
"In an interview with Udacity founder Sebastian Thrun, it was revealed that he hopes to offer a Masters degree for only $100, and is close to offering a full computer science degree. 'There are unfortunately some rough edges between our fundamental class CS101 and the next class up; when this is done I believe we can get an entire computer science education completely online and free, and I think this is the first time this has happened in the history of humanity.' The latest course from Udacity is on statistics, and he is hoping to top the 160,000 sign-ups for his first online class on AI. It is also hoped to be the first class where students can visit a testing center to get their achievements formally certified."
For my Ethical Hackers... (Great illustration that should be a poster.)
"In the wake of confirmation that the U.S. government was involved in the creation of Stuxnet and likely Flame, a look over job listings on defense contractor sites shows just how explicitly the Pentagon and the firms that service it are recruiting offense-oriented hackers. Northrop Grumman, Raytheon, Lockheed Martin, SAIC, and Booz Allen have all posted job ads that require skills like 'exploit development,' have titles like 'Windows Attack Developer,' or ask applicants to 'plan, execute, and assess an Offensive Cyberspace Operation.'"
(Related) Start 'em young!
Huge (unofficial) rise in AP CS Test Takers
Last week was the AP CS Reading, where over 100 computing teachers read over students’ programs and graded them. Several readers (including Barbara) have come back saying that the unofficial count for the number of tests this year was 26,000. Compare that to 21,139 last year, and 19,390 the year before that. We probably won’t have the official numbers until January, and we’ll get the demographic breakdown then, too. A 20+% increase in a single year is remarkable!