Security
Breach, the gift that keeps on giving... (Excerpts from a much more detailed post)
In September, I posted Global Payments’ statement from their quarterly filing that dealt with the costs of a breach disclosed in March 2012. BankInfoSecurity.com has just reported on their most recent filing. Whereas last year, Global Payments estimated the cost of the breach at about $84 million, their current 10-Q filing puts the cost of the breach at $93.9 million. Although the total is up, the overall fraud costs resulting from the incident were significantly lower than what they had estimated last year ($35.9 million vs. $67.4 million). Also of note, they report that their losses due to being removed from PCI-DSS compliant status were “immaterial”:

… The firm provides its updated breakdown of costs:

During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012.
No indication of WHY they decrypt your data.

Phone maker Nokia has confirmed some recent reports that have been circulating claiming that it was decrypting HTTPS traffic originating from some of its smartphones. Nokia confirmed that its Xpress Browser used on the company’s Asha and Lumia smartphones temporarily decrypts the HTTPS traffic as it passes through Nokia servers.

… Nokia also says that there’s no need for people to worry because it would never access the customer’s data.

… The researcher claims that Nokia would have access to clear text information that could include login information for social networks, banking, and anything else transmitted by HTTPS. The researcher also noted that decrypting the information also goes against Nokia’s privacy statement that says it doesn’t collect usernames or passwords during purchase transactions. For its part, Nokia says that it doesn’t store any of the information that passes through its servers.
For my Computer Security students:

This is not the best way for your Ethical Hacking friends to stay in touch... (Remember, “Default” is the French word for “Only an idiot would fail to change this.”) In New Jersey, we would say “De fault is yours!”
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article:

"Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. … The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."
Technology-specific guidelines are nice, but we are at a point where we should be able to look back at laws that have evolved to address issues on mainframes, mini-computers, microcomputers (PCs), and now smartphones. Eventually the laws addressing each of these technologies will address the same issues in the same way. Why not get ahead of the technology and write “Generalized Best Practices?” It would save everyone a lot of effort.
California Attorney General Kamala Harris has issued privacy guidelines for mobile apps. In a statement introducing the guidelines, Ms. Harris writes:

The mobile app industry is growing fast, but it is still in the early stages of development, with practitioners who are not all alert to privacy implications and how to address them. To help educate the industry and promote privacy best practices, the Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem. The recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process.

Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.

You can access the full guidelines in Privacy on the Go here.
(Related)
The Internet of Things Has Arrived — And So Have Massive Security Issues

… While not devoid of hype and hyperbole, the Internet of Things (IoT) does represent a revolution happening right now. Companies of all kinds – not just technology and telecommunications firms – are linking “things” as diverse as smartphones, cars and household appliances to industrial-strength sensors, each other and the internet. The technical result may be mundane features such as intercommunication and autonomous machine-to-machine (M2M) data transfer, but the potential benefits to lifestyles and business opportunities are huge.

But … with great opportunity comes great responsibility. Along with its conveniences, the IoT will unveil unprecedented security challenges: in data privacy, safety, governance and trust.
(Related) It might also help Judges evaluate the need for a subpoena.

I’ve covered Stingray before, but the general public really really needs to become more aware of its use.
Ryan Gallagher reports:
The FBI calls it a “sensitive investigative technique” that it wants to keep secret. But newly released documents that shed light on the bureau’s use of a controversial cellphone tracking technology called the “Stingray” have prompted fresh questions over the legality of the spy tool.

Functioning as a so-called “cell-site simulator,” the Stingray is a sophisticated portable surveillance device. The equipment is designed to send out a powerful signal that covertly dupes phones within a specific area into hopping onto a fake network. The feds say they use them to target specific groups or individuals and help track the movements of suspects in real time, not to intercept communications. But by design Stingrays, sometimes called “IMSI catchers,” collaterally gather data from innocent bystanders’ phones and can interrupt phone users’ service—which critics say violates a federal communications law.

The FBI has maintained that its legal footing here is firm. Now, though, internal documents obtained by the Electronic Privacy Information Center, a civil liberties group, reveal the bureau appears well aware its use of the snooping gear is in dubious territory.
Read more on Slate.
Another example of new technologies operating in areas we have defined legally before – haven't we? Has no one ever been tracked/stalked before cellphones made it easier?
Natasha Singer reports:
There are three things that matter in consumer data collection: location, location, location.

E-ZPasses clock the routes we drive. Metro passes register the subway stations we enter. A.T.M.’s record where and when we get cash. Not to mention the credit and debit card transactions that map our trajectories in comprehensive detail — the stores, restaurants and gas stations we frequent; the hotels and health clubs we patronize.

Each of these represents a kind of knowing trade, a conscious consumer submission to surveillance for the sake of convenience.

But now legislators, regulators, advocacy groups and marketers are squaring off over newer technology: smartphones and mobile apps that can continuously record and share people’s precise movements. At issue is whether consumers are unwittingly acquiescing to pervasive tracking just for the sake of having mobile amenities like calendar, game or weather apps.

Read more on The New York Times.
Should we not do this? Will we want to expand it to identify school shooters before they shoot?

U.S. Cities Relying on Precog Software to Predict Murder

… New crime-prediction software used in Maryland and Pennsylvania, and soon to be rolled out in the nation’s capital too, promises to reduce the homicide rate by predicting which prison parolees are likely to commit murder and therefore receive more stringent supervision.

The software aims to replace the judgments parole officers already make based on a parolee’s criminal record and is currently being used in Baltimore and Philadelphia.

Richard Berk, a criminologist at the University of Pennsylvania who developed the algorithm, claims it will reduce the murder rate and other crimes and could help courts set bail amounts as well as sentencing in the future.
Just a reminder...
January 10, 2013
Check Your Credit Report Regularly -- It's Free!

"You are entitled to a FREE credit report from each of the three credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months. You can request all three reports at once, or space them out throughout the year. It's important to review your credit report to ensure that your personal information and financial accounts are being accurately reported and that no fraudulent accounts have been initiated in your name. If you do find an error on your credit report, you can dispute the error."
If the answer contains a number, WolframAlpha might be the best place to ask the question.

If you’ve heard of Wolfram Alpha before, you’ll know that it’s a wealth of knowledge that’s occasionally compared to the likes of the Star Trek computer. There are all sorts of weird and wonderful uses for Wolfram Alpha, including powerful search terms, other searching tips, widgets, a variety of cool uses and other truly powerful uses of Wolfram Alpha. However, even if you know all about these Wolfram Alpha tools, you may still not yet know about their Facebook analytics tool.

With the Wolfram Alpha Facebook analytics tool, you can find out a huge amount of information about your Facebook account. It’s quite fun to see which of your posts or photos are the most popular, who your top commenters are, who is sharing your posts the most and more interesting tidbits. Plus, it’s easy to use this tool and completely free.

Using Wolfram Alpha’s Facebook analysis tool is completely free, so all you need to do is log in using your Facebook credentials and give it access to your account.

… Here’s a video showing how it works.
It's geeky and it goes Bang! What's not to like?

"Astronomer and gamer Scott Manley (more famous for his Kerbal Space program coverage) has created a fantastic video explaining the science behind building guns that could one day be used to launch payloads into space. It's not as easy as simply making a bigger gun, there's a whole host of unorthodox 'gun' designs which work around the limitations of garden variety propellants."
Where is Emily Post when we need her? Posters suitable for framing?

Everybody Should Follow These Rules for Using Their Phone