Will Romania send a copy of the credit card data to someone (e.g. the credit card companies?) who can tell breach victims that the actors have been identified?
Romanian authorities dismantle cybercrime ring responsible for $25 million credit card fraud
November 27, 2012 by admin
I wonder how many breaches this bust clears up? For IDG News Service, Lucian Constantin reports:
Romanian law enforcement authorities have dismantled a criminal group that stole credit card data from foreign companies as part of an operation that resulted in fraudulent transactions totaling US$25 million.
[...]
According to DIICOT, the group’s members gained unauthorized access to computer systems belonging to foreign companies that operate gas stations and grocery stores, and installed computer applications designed to intercept credit card transaction data.
The applications were configured to store the captured data locally for later retrieval, upload it automatically to external servers or send it to email addresses controlled by the gang’s members, the agency said. The stolen credit card information was then sold or used to create counterfeit cards.
For example, between December 2011 and October 2012 members of the group sold 68,000 credit cards at $4 each through a specialized online shop, making a profit of $270,000, DIICOT revealed.
I wonder if this information sells for more than $4? How big is an average refund check?
FL: Broward man pleads guilty in massive identity theft
November 27, 2012 by admin
Wayne K. Roustan reports that a former employee of an unnamed North Miami law firm was involved in an ID theft/tax refund scheme:
Rodney Saintfleur, 28, of West Park, pleaded to one count of conspiracy to defraud the government, one count of access device fraud, and one count of aggravated identity theft, prosecutors said.
Evidence showed that between April 2009 and July 2012, Saintfleur tapped into the Lexis/Nexis online proprietary database where he worked.
He accessed the names, birth dates, and social security numbers of more than 26,000 people and gave this sensitive information to co-conspirators to file fraudulent income tax returns seeking refunds, according to court documents.
Read more on the Sun Sentinel. The law firm is not named in the court filings, as far as I can tell.
One question: how is it that he accessed 26,000 SSNs and LexisNexis didn’t flag this? Or did they detect it, but just not in a timely fashion? I’ve sent them an inquiry about that.
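One way a data provider can catch this, shown as an added example that is not part of the original post and not anything LexisNexis is known to run: a detector over a record-access log that compares each user's day against that user's own median day, and separately watches the slow drain that never produces a single unusual day (26,000 records over roughly three years is only a few dozen lookups per working day, which is exactly the pattern a simple daily threshold misses). The log layout, the user names, the thresholds and the sample data are all constructed for this example.

```python
"""Flag bulk lookups of SSN-bearing person records from an access log.

Added example; the log format, users, thresholds and sample data are
constructed. Two complementary rules run per user:
  * daily_spikes   - a day far above that user's own median day
  * rolling_volume - a steady drain that never spikes but exceeds a cap
                     of distinct records in any trailing 30-day window
"""
from collections import defaultdict
from datetime import date, timedelta
import re
import statistics

# Assumed line layout: <ISO timestamp> user=<id> action=view_person_record subject=<record id>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=view_person_record subject=(?P<subject>\S+)$"
)

DAILY_FLOOR = 40    # no spike alert below this many distinct subjects in one day
SPIKE_FACTOR = 5    # ...or below this multiple of the user's median day
ROLLING_DAYS = 30
ROLLING_CAP = 400   # distinct subjects one user may view in any trailing 30-day window


def parse_log(text):
    """Return {user: {date: set(subject ids)}}; lines that do not match are skipped."""
    views = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            views[m["user"]][date.fromisoformat(m["day"])].add(m["subject"])
    return views


def daily_spikes(views):
    """(user, day, count, baseline) for days that dwarf the user's other days."""
    alerts = []
    for user, days in views.items():
        counts = {d: len(subjects) for d, subjects in days.items()}
        for d in sorted(counts):
            others = [c for dd, c in counts.items() if dd != d]
            baseline = statistics.median(others) if others else 0
            if counts[d] >= DAILY_FLOOR and counts[d] > SPIKE_FACTOR * baseline:
                alerts.append((user, d, counts[d], baseline))
    return alerts


def rolling_volume(views):
    """(user, day, distinct) the first time a trailing window exceeds ROLLING_CAP."""
    alerts = []
    for user, days in views.items():
        for end in sorted(days):
            start = end - timedelta(days=ROLLING_DAYS - 1)
            window = [days[d] for d in days if start <= d <= end]
            distinct = set().union(*window)
            if len(distinct) > ROLLING_CAP:
                alerts.append((user, end, len(distinct)))
                break  # one alert per user; re-firing every day adds nothing
    return alerts


def build_sample_log():
    """Constructed sample (not real data): one user with a single abnormal day,
    and one whose steady 25 lookups/day never spikes but drains 750 records in a month."""
    lines = []
    first = date(2012, 6, 4)
    for i, n in enumerate([4, 3, 6, 5, 4, 60]):
        day = first + timedelta(days=i)
        for k in range(n):
            lines.append(f"{day}T09:{k:02d}:00 user=paralegal01 "
                         f"action=view_person_record subject=P{i:02d}{k:03d}")
    for i in range(30):
        day = first + timedelta(days=i)
        for k in range(25):
            lines.append(f"{day}T10:{k:02d}:00 user=clerk07 "
                         f"action=view_person_record subject=C{i:02d}{k:03d}")
    return "\n".join(lines)


def detect(text):
    views = parse_log(text)
    return {"daily_spikes": daily_spikes(views), "rolling_volume": rolling_volume(views)}


if __name__ == "__main__":
    for rule, hits in detect(build_sample_log()).items():
        for hit in hits:
            print(rule, *hit)
```

On the constructed data the spike rule fires only for paralegal01's 60-record day, and the rolling rule fires only for clerk07, whose 25-a-day pace stays under the daily floor but passes 400 distinct records after 17 days. Counting distinct subjects rather than raw requests matters: refreshing the same record a hundred times is noise, while a hundred different records is what a refund-fraud ring needs.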
Who comes up with this stuff, Alfred E. Neuman?
"A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."
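Both the DIICOT case above (malware on the registers storing card data, uploading it to outside servers or mailing it out) and this printer backdoor (an SNMP account that the device's own "disable" switch does not remove) are situations where the control on the device itself has already failed, so the remaining control is the network: a register should reach nothing but its own segment and the payment gateway, and a printer should accept SNMP from nothing but the management station. The following is an added example, not code from either article, US-CERT or any vendor, that checks firewall flow records against such a policy. The segments, addresses, log layout and sample flows are constructed for the example.

```python
"""Check firewall flow records against a segment policy for POS terminals and printers.

Added example with a constructed network plan; nothing here is from the
advisory or the DIICOT report. Policy, in plain words:
  1. A POS host talks only to other POS hosts or to the payment gateway on tcp/443.
  2. SNMP (udp/161) reaches a printer only from the management segment, because
     the printer-side "disable SNMP" setting cannot be relied on.
  3. A printer never initiates connections to anything but the management segment.
"""
import ipaddress
import re

# Assumed flow-log layout: ... proto=<p> src=<ip> spt=<n> dst=<ip> dpt=<n> ...
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) spt=\d+ dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)

# Constructed network plan (an assumption for the example, not a real site).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.20.0.0/24"),       # registers / card terminals
    "printers": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.1.0.0/24"),       # SNMP management station lives here
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}
# Placeholder payment-processor address (TEST-NET-3, constructed).
PAYMENT_GATEWAY = ipaddress.ip_address("203.0.113.10")


def segment_of(ip):
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"  # anything outside the plan is treated as outside the estate


def violations_for(flow):
    """Return a list of policy violations (empty when the flow is allowed)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    proto, dpt = flow["proto"].lower(), int(flow["dpt"])
    s, d = segment_of(src), segment_of(dst)
    found = []
    # Rule 1: POS egress. SMTP or HTTP to an outside host from a register is the
    # "upload it automatically" / "send it to email addresses" pattern.
    gateway_ok = dst == PAYMENT_GATEWAY and proto == "tcp" and dpt == 443
    if s == "pos" and not (d == "pos" or gateway_ok):
        found.append(f"pos-egress {src}->{dst}:{dpt}/{proto}")
    # Rule 2: SNMP to a printer from anywhere but the management segment.
    if d == "printers" and proto == "udp" and dpt == 161 and s != "mgmt":
        found.append(f"snmp-to-printer {src}->{dst}:{dpt}/{proto}")
    # Rule 3: printer-initiated traffic, the "attack other systems in the network" case.
    if s == "printers" and d != "mgmt":
        found.append(f"printer-initiated {src}->{dst}:{dpt}/{proto}")
    return found


def audit(log_text):
    """Run every flow line through the policy and collect the violations in log order."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.extend(violations_for(m.groupdict()))
    return out


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = """\
2012-11-27T10:15:02 proto=tcp src=10.20.0.15 spt=51122 dst=203.0.113.10 dpt=443 action=allow
2012-11-27T10:15:09 proto=tcp src=10.20.0.15 spt=51130 dst=198.51.100.25 dpt=25 action=allow
2012-11-27T10:16:44 proto=tcp src=10.20.0.22 spt=51201 dst=198.51.100.77 dpt=80 action=allow
2012-11-27T10:17:01 proto=udp src=10.1.0.5 spt=40001 dst=10.30.0.40 dpt=161 action=allow
2012-11-27T10:17:30 proto=udp src=10.10.4.18 spt=40377 dst=10.30.0.40 dpt=161 action=allow
2012-11-27T10:18:12 proto=tcp src=10.30.0.40 spt=33010 dst=10.10.4.18 dpt=445 action=allow
2012-11-27T10:18:40 proto=tcp src=10.10.4.18 spt=52000 dst=198.51.100.77 dpt=443 action=allow
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(v)
```

Run against the sample, the first and fourth flows (register to gateway, management station to printer) pass, while the register's SMTP and HTTP connections to outside hosts, the SNMP query from an ordinary corporate workstation, and the printer opening SMB to that workstation are each reported. Every flow in the sample carries action=allow on purpose: the point is to find what the firewall is permitting that the policy says it should not, and then turn the findings into deny rules.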
Perhaps a site that offers the plans for “Do It Yourself” surveillance equipment? (I told you 3D printers were going to be fun!)
Want a Flying Drone? These Students 3D-Printed Their Own
… The “Wendy” aircraft — named for Turman and Easter’s mother — is the latest demonstration of the power of 3D prototyping. The project is the brainchild of Michael Balazs and Jonathan Rotner, two scientists at research and engineering firm MITRE’s Center for Integrated Intelligence Systems. Their mission, jointly funded by the Department of Defense and MITRE, is to develop cheaper and faster solutions to expensive government programs, such as building autonomous aircraft.
“[We're] trying to achieve 90 percent capabilities of what the big companies can do, but at 10 percent of the cost,” Balazs says. “So we leverage everything from open technologies to commercial off-the-shelf systems to agile advanced manufacturing, to show the government that they can meet their robotics goals of unmanned systems, whether they’re ground, aerial, underwater or whatever it is.”
Wendy is their best example so far. In addition to its 3D-printed body, it uses a common Android smartphone as the sophisticated on-board brain of the aircraft’s system.
(Related) It's a whole new type of war.
U.S. Buys Yemen a Fleet of Spy Planes for Growing Shadow War
It’s not enough for Yemen’s skies to fill up with armed U.S. drones. Now the Pentagon wants to buy its Yemeni ally small, piloted spy planes. It’s a sign that the U.S. is upgrading the hardware it gives the Yemeni military, and digging in for a long shadow war.
(Related)
China Unveils New Killer Drones, Aims Them at Russia
… This year, Beijing’s most prominent new drone is the dinosaur-named Wing Loong, or Pterodactyl, according to a round-up at Defense News. The drone is reportedly operational — China has previously shown only models of the drone — and closely resembles the U.S. MQ-9 Reaper, which the Pentagon uses to bomb insurgent hideouts in Pakistan. Few foreign journalists were reportedly allowed to see it, but photos and videos that appeared online prompted ace aviation journalist David Cenciotti to remark that the Wing Loong appeared “largely copied from the U.S. version.”
But a lot cheaper. The Wing Loong reportedly comes at a rather incredible bargain price of $1 million, compared to the Reaper’s varying price tags in the $30 million range.
So the next question is: How do you cover your tracks?
Should you cover your tracks from government snooping?
Peter Fleischer writes:
[…] Seen from a global perspective, it’s important to realize that most governments around the world are accessing user data. It’s not just one or two governments. I can’t count the number of times privacy advocates in Europe have warned users that the US government could potentially access their data in the cloud, without mentioning the risks that their own governments could do the same thing. In fact, to take the French example, the French government is trying to launch a “French cloud”, explicitly to try to evade US government surveillance, even though this taxpayer-funded initiative is based on “bad assumptions about cloud computing and the Patriot Act”, and even though France’s own anti-terrorism law “has been said to make the Patriot Act look ‘namby-pamby by comparison’”, as reported on ZDNet. I think it’s fair to assume that most people would be far more uncomfortable with foreign governments, rather than their own governments, accessing their data. That points to one of the hardest issues in the cloud, namely, that multiple governments can (and do) have the power to demand access to user data, if they follow appropriate legal procedures.
Porn makes headlines! (Sex sells legal arguments?)
Verizon Sued For Defending Alleged BitTorrent Pirates
Ernesto writes:
A group of adult movie companies is suing Verizon for failing to hand over the personal details of alleged BitTorrent pirates. The provider systematically refuses to comply with court-ordered subpoenas and the copyright holders see these actions as more than just an attempt to protect its customers. According to them, Verizon’s objections are in bad faith as the Internet provider is profiting from BitTorrent infringements at the expense of lower-tier ISPs.
[From the article:
In many cases the person who pays for the account is not the person who shared the copyrighted material. However, this is the person who gets sued, something that can have all kinds of financial implications.
To shield their customers from this kind of outcome Verizon now objects to subpoenas granted by courts in these cases. Not in one case, but in dozens. One of the arguments cited by Verizon’s attorneys is that the requests breach the privacy rights of its customers.
“[The subpoena] seeks information that is protected from disclosure by third parties’ rights of privacy and protections guaranteed by the first amendment,” their counsel informed the copyright holders.
Verizon further cites arguments that have previously been successful in similar cases, including the notion that mass lawsuits are not proper as the defendants did not act in concert.
(Related) How to win friends and indict people?
"A forensic software company has collected files on a million Canadians who it says have downloaded pirated content. The company, which works for the motion picture and recording industries, says a recent court decision forcing Internet providers to release subscriber names and details is only the first step in a bid to crack down on illegal downloads. 'The door is closing. People should think twice about downloading content they know isn't proper,' said Barry Logan, managing director of Canipre, the Montreal-based forensic software company."
Sometimes. Ignorance is not bliss...
UK: PCC rejects complaint over Facebook injuries photo
Helen Lambourne reports:
A complaint against a weekly newspaper which published a story on an assault victim which included a photo of his injuries taken from Facebook has been rejected.
The Press Complaints Commission has published a ruling on a story by the Farnham Herald from 15 June with the headline “Assaulted after night out”.
Once again, it seems, users do not fully understand how their Facebook privacy controls work and how they are usually not as protected as they think they are:
The newspaper said one of its reporters, who had a mutual acquaintance with the complainant, had seen a comment – posted by this shared Facebook friend – identifying the complainant as the victim of the attack.
The reporter had then accessed the complainant’s Facebook page, which had no privacy settings, where the complainant had posted the photograph and had identified himself as the victim of an attack.
Facebook isn't the only one who can change policies without notice...
Ca: LCBO wants personal data of wine club members
CBC News reports:
An Ontario wine club says it’s being forced to hand its members’ personal information over to Ontario’s Liquor Control Board in what it calls a breach of privacy.
Warren Porter, the president of the Toronto-based Vin de Garde wine club, said he’s upset the Liquor Control Board of Ontario wants his members’ personal information including names, addresses, as well as the size of each order.
Porter said he has complained to Ann Cavoukian, the province’s privacy commissioner, because he believes the LCBO is breaching his members’ privacy.
[From the article:
Since May, Porter said his members have had to reveal more personal information for each order. That has turned one large order into hundreds of separate orders due to the mandatory release of private information.
That is irritating some of his members, especially clubs, he said, and he worries the wine club could soon be put out of business.
"We have to take all of their data — name, address, quantities ordered — all on separate order forms," Porter said, adding it creates a large administrative burden.
"A member of our wine club should be afforded the same level of anonymity that someone walking into an LCBO is."
… LCBO spokeswoman Heather MacGregor said the policy requiring the release of personal information has been around for decades.
She could not explain why Vin de Garde was only obligated to follow the policy as of six months ago, but MacGregor did say the information prevents fraud, including illegal resale, and helps the LCBO locate any recalled products.
Just a quick review of this “Guidance” but the assumption seems to be that the holder of the data anonymizes and then gives the presumably anonymized dataset to someone else – the end user. This seems backwards. Why not have the analysis done by a trusted entity (business opportunity?) and give the results to the “someone else?” Far less likely to de-anonymize if they don't have individual records.
Yesterday, OCR released the guidance on de-identification of PHI:
Now I just need to find time to read it…
Clearly they are not valuable – no one stole them.
"[The program] appears to be changing drivers’ behavior, state officials said Monday, noting an overall decline in traffic citations and right-angle crashes. The Department of Transportation also said, however, that rear-end crashes have risen by 20 percent and total crashes are up by 0.9 percent at intersections where cameras have operated for at least a year. The agency recommended the program stay in place, calling for 'continued data collection and monitoring' of camera-monitored intersections. The department’s report drew immediate criticism from Assemblyman Declan O’Scanlon, R-Monmouth, who wants the cameras removed. He called the program 'a dismal failure,' saying DOT statistics show the net costs of accidents had climbed by more than $1 million at intersections with cameras."
Illogic Alert! Let's not anthropomorphize. I will reprogram my car to protect me, not some random school bus that's blocking my way.
"If your driverless car is about to crash into a bus, should it veer off a bridge? NYU Prof. Gary Marcus has a good essay about the need to program ethics and morality into our future machines. Quoting: 'Within two or three decades the difference between automated driving and human driving will be so great you may not be legally allowed to drive your own car, and even if you are allowed, it would be immoral of you to drive, because the risk of you hurting yourself or another person will be far greater than if you allowed a machine to do the work. That moment will be significant not just because it will signal the end of one more human niche, but because it will signal the beginning of another: the era in which it will no longer be optional for machines to have ethical systems.'"
I like it! Now I can have an open “Good Bob” system and a separate, heavily encrypted “Evil Bob” system that I use “only to communicate with my lawyer” that is therefore immune from subpoena!
"Next year, smart phones will begin shipping with the ability to have dual identities: one for private use and the other for corporate. Hypervisor developers, such as VMware and Red Bend, are working with system manufacturers to embed their virtualization software in the phones, while IC makers, such as Intel, are developing more powerful and secure mobile device processors. The combination will enable mobile platforms that afford end users their own user interface, secure from IT's prying eyes, while in turn allowing a company to secure its data using mobile device management software. One of the biggest benefits dual-identity phones will offer is enabling admins to wipe corporate data from phones [That ain't gonna happen Bob] without erasing end users' profiles and personal information."
Tools for electronic discovery
Escape From Babel: The Grossman-Cormack Glossary
… A glossary, which I was surprised to learn when researching for this blog is also called an idioticon, provides an alphabetical list of terms in a particular domain of knowledge with definitions for those terms.
Interesting. A tool for podcast fans...
Pod Bay is an online way to listen to your favourite podcasts, eliminating the need for desktop and iOS clients which download each episode. Search the directory to find great new podcasts to listen to.
… If you stop listening to the podcast you can return to the same spot later and pick up where you left off. If you’d like to share a clip of the podcast with friends, you can do so very easily.