At first reading, the
technique is similar to that used at Target.
It’s just hitting the media today that Affinity Gaming was hit by a cyberattack earlier this year that affected customers at its 11 casinos. They were alerted to the breach by the FBI in October, and the critical period for data compromise is March 14 – October 16. Here are the relevant parts of their announcement, dated December 20, that describe the breach and a second breach:
Affinity
Gaming (“Affinity”) has confirmed an unauthorized intrusion
into the system that processes customer credit and debit cards for
its casinos, and is issuing this public notice of the data
security incident and encouraging individuals who visited its gaming
facilities between March 14th and October 16th of 2013 to take steps
to protect their identities and financial information. Affinity
regrets any inconvenience this incident may cause and has established
a confidential, toll-free inquiry line to assist its customers.
Affinity
has also confirmed an unauthorized intrusion into the system that
processes credit and debit cards at its Primm Center Gas
Station in Primm, Nevada. This intrusion began on an
unknown date and it ended on November 29, 2013.
On
October 24, 2013, Affinity was contacted by law enforcement regarding
fraudulent charges which may have been linked to a data breach in
Affinity’s system. Affinity immediately initiated a thorough
investigation, supported by third-party data forensics experts who
determined the nature and scope of the compromise, and confirmed that
Affinity’s system has been fully secured and that its customer
payments are protected. On November 14, 2013, Affinity posted notice
of this incident on its website.
Affinity’s investigation, while ongoing, has also determined that its system became infected by malware, which resulted in a compromise of credit card, and debit card, information from individuals who visited its gaming facilities: Silver Sevens Hotel & Casino in Las Vegas, NV; Rail City Casino in Sparks, NV; Primm Valley Resort & Casino in Primm, NV; Buffalo Bill’s Resort & Casino in Primm, NV; Whiskey Pete’s Hotel & Casino in Primm, NV; Lakeside Hotel-Casino in Osceola, IA; St. Jo Frontier Casino in St. Joseph, MO; Mark Twain Casino in LaGrange, MO; Golden Gates Casino in Black Hawk, CO; Golden Gulch Casino in Black Hawk, CO; and Mardi Gras Casino in Black Hawk, CO. Credit or debit card data was exposed at these locations between March 14th and October 16th of 2013.
Price is a good
indication of card quality. If they have 40 million saleable cards
and can get $20 per, that really makes a crime like this pay. Note
that the banks trust the crooks not to sell copies of the cards they
buy back.
Cards Stolen in Target Breach Flood Underground Markets
Credit and debit card
accounts stolen in a recent data breach at retail giant Target have
been flooding underground black markets in recent weeks, selling in
batches of one million cards and going for anywhere from $20
to more than $100 per card, KrebsOnSecurity has learned.
… At least two
sources at major banks said they’d heard from the credit card
companies: More than a million of their cards were thought to have
been compromised in the Target breach. One of those institutions
noticed that one card shop in particular had recently alerted its
loyal customers about a huge new batch of more than a million quality
dumps that had been added to the online store. Suspecting that the
advertised cache of new dumps were actually stolen in the Target
breach, fraud investigators with the bank browsed this card shop’s
wares and effectively bought back hundreds of the
bank’s own cards.
… Update,
5:20 p.m. ET: In a message to consumers, Target CEO Gregg
Steinhafel said Target would be offering free credit
monitoring for affected customers.
If the Superintendent
wasn't aware of this, who negotiated the deal? (and why do they
bother having a Superintendent?) No mention of money, but this could
open future cash deals, since “the data is already out there.”
Does removing names provide adequate security? If I gave you
information on a student named [REDACTED] that lived at 123 Fourth
Street, Littleton, CO 80121, was a Senior who played Soccer and had a
3.9 GPA how long would it take to identify him or her?
Ann Dornfield reports:
KUOW
has learned that the Washington state education department has signed
agreements to share non-public student data with media organizations
including The Seattle Times and the Associated Press. Data security
experts say the agreements raise serious privacy concerns for the
state’s public school students.
Do read more about this
agreement and the concerns it raises on KUOW.
It sounds like journalists want to do what could be useful
investigative analyses and pieces that perhaps the state should be
doing. But the journalists (AP and Seattle Times) can’t get the
data because of FERPA so they’ve entered into contracts with the
state. Very concerning….
[From
the article:
The Office of the
Superintendent of Public Instruction has so far promised the Times
individual student and staff data dating from 2009 to this year,
including individual students’ test scores on numerous state
assessments, grades, school schedules, absences and discipline
information. OSPI told KUOW the data would be "de-identified,"
meaning it would not include names of students or staff.
"Wow," said
Seattle Public Schools Superintendent Jose Banda. "I
wasn't aware of [this agreement], and I don’t think any of my staff
was aware that this was being considered and approved."
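The question raised above, whether dropping names makes a record "de-identified," can be checked mechanically: count how many records share each combination of the remaining columns (the quasi-identifiers). If any combination maps to exactly one record, that record is re-identifiable by anyone who knows those few facts about a student. The following is an added illustration, not code from the original post or from OSPI, KUOW or the Times; the roster, ZIP codes and column names are constructed for the example and are not real student data.

```python
"""
Added example (not from the original post or from OSPI/KUOW): a
quasi-identifier uniqueness check on a constructed, fictional roster.
Names have already been removed, as OSPI said they would be. The check
reports the dataset's k-anonymity (smallest group of records that are
indistinguishable on the chosen columns); k == 1 means someone can be
singled out.
"""
from collections import Counter

# Constructed, fictional records. The columns roughly mirror the kinds
# of fields the article lists (grade level, activities, scores) plus a
# coarse location field. Nothing here describes a real person.
STUDENTS = [
    {"zip": "80121", "grade": 12, "sport": "Soccer", "gpa": 3.9},
    {"zip": "80121", "grade": 12, "sport": "Soccer", "gpa": 3.2},
    {"zip": "80121", "grade": 12, "sport": "Football", "gpa": 3.9},
    {"zip": "80121", "grade": 12, "sport": "Football", "gpa": 3.1},
    {"zip": "80122", "grade": 12, "sport": "Soccer", "gpa": 3.9},
    {"zip": "80122", "grade": 12, "sport": "Soccer", "gpa": 3.9},
]

# Columns an outsider could plausibly learn about a student.
QUASI_IDS = ("zip", "grade", "sport", "gpa")


def equivalence_classes(records, quasi_ids):
    """Map each combination of quasi-identifier values to its record count."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids):
    """Records that no other record matches on the quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def match(records, **known):
    """Re-identification attempt: return the records consistent with what
    an outsider already knows (e.g. ZIP, grade, sport, GPA)."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def generalize_gpa(records, bucket):
    """Coarsen GPA into bands of width `bucket` (a simple generalization).
    Whether this helps depends on the band width, as the test shows."""
    out = []
    for r in records:
        g = dict(r)
        lo = int(r["gpa"] / bucket) * bucket
        g["gpa"] = f"{lo:.1f}-{lo + bucket:.1f}"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k on all four columns:", k_anonymity(STUDENTS, QUASI_IDS))
    print("unique records:", unique_records(STUDENTS, QUASI_IDS))
    print("matches for 80121/12/Soccer/3.9:",
          match(STUDENTS, zip="80121", grade=12, sport="Soccer", gpa=3.9))
    print("k after 1.0-wide GPA bands:",
          k_anonymity(generalize_gpa(STUDENTS, 1.0), QUASI_IDS))
```

On the sample roster, four of the six nameless records are unique on ZIP, grade, sport and GPA, and the one combination from the rhetorical question above matches exactly one record. Dropping GPA, or banding it coarsely enough (1.0-point bands here; 0.5-point bands are still not enough), raises k to 2. A real release would need this kind of check across every field being shared, not just the name column.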
(Related)
Initial
findings from the Office of the National Coordinator for Health
Information Technology on ways to match patients with their data do
address problems with current HIT systems and data exchanges,
notes advocacy organization Patient Privacy Rights.
But
there isn’t much else in the findings that the organization agrees
with. In testimony at an ONC public meeting in December, PPR noted
that “the findings address today’s problems without anticipating
where we will be tomorrow; they did not foresee that the HITECH Act
and meaningful use requirements can be used to resolve many of
today’s problems without patient identity and patient matching.”
Read more on HealthData
Management.
Is there a “Judge
Guinness book of world records?” If not, why not?
Court Decision in Tronox Bankruptcy Fraudulent Conveyance Case Results in Largest Environmental Bankruptcy Award Ever
by Sabrina
I. Pacifici on December 20, 2013
EPA
Case Summary: “On December 12, 2013, the U.S. Bankruptcy Court
for the Southern District of New York decided against Kerr-McGee
Corporation (“Kerr-McGee”) and related companies that are
subsidiaries of Anadarko Petroleum Corporation (“Anadarko”) in a
fraudulent conveyance case and determined that the defendants
“acted to free substantially all [their] assets – certainly
[their] most valuable assets – from 85 years of environmental and
tort liabilities.” The Court awarded damages
between approximately $5.2 billion and $14.2 billion to the
plaintiffs which, even at the low end of the damages
range, is the largest amount ever awarded in a bankruptcy proceeding
for governmental environmental claims and liabilities. Approximately
$4.5 billion to $12.4 billion will go toward cleanup at contaminated
sites across the country. As referenced in the USAO-SDNY
press release, some of the key environmental recoveries for
environmental liabilities and for cleanup of environmental sites are
estimated to be the following based on the Court’s decision…”
Perspective. Might as
well start a “Law MOOC” now and avoid the rush.
Paper – Legal Education in Crisis, and Why Law Libraries are Doomed
by Sabrina
I. Pacifici on December 20, 2013
Via SSRN – Legal Education in Crisis, and Why Law Libraries are Doomed, James G. Milles, SUNY Buffalo Law School, December 20, 2013, SUNY Buffalo Legal Studies Research Paper No. 2014-015
“The dual crises
facing legal education—the economic crisis affecting both the job
market and the pool of law school applicants, and the crisis of
confidence in the ability of law schools and the ABA accreditation
process to meet the needs of lawyers or society at large—have
undermined the case for not only the autonomy, but the very
existence, of law school libraries as we have known them. Legal
education in the United States is about to undergo a long-term
contraction, and law libraries will be among the first to
go. A few law schools may abandon the traditional law library
completely. Some law schools will see their libraries whittled away
bit by bit as they attempt to answer “the Yirka Question” in the
face of shrinking resources, reexamined priorities, and university
centralization. What choices individual schools make will largely be
driven by how they play the status game.”
Might be an interesting
exercise for my Computer Security students to expand on the security
portion. I'll leave it to my lawyer friends to think about the legal
steps required.
… One critical
concept that we share with the participants in the National
Preparedness Leadership Initiative (NPLI) at Harvard is that
every crisis includes many situations, each with different
contingencies and considerations. In this case, they include
security, legal, law enforcement, customer relations, media,
shareholder, employee, the board, card issuers and providers,
regulatory, and more. While there can be overlap, each of these
situations has a distinct (and sometimes conflicting) set of
stakeholders, power structures, priorities, perspectives, interests,
requirements, and values. For example, Communications may want to be
immediately open and transparent while Legal may want to wait to
more fully assess the liability exposure that such a stance could
create. They each have a legitimate case. Navigating this
complex web of interdependent relationships is daunting in routine
times. In a crisis of this magnitude, the added pressure and higher
stakes can make it overwhelming. How can an executive successfully
lead through such a complex morass?
For all my students who
read...
Borrow and Lend eBooks Through Open Library
If you're looking for a
new-to-you ebook to read during the holidays, take a look at Open
Library. The Open
Library is a part of the Internet
Archive. The Open
Library is a collection of more than one million free ebook
titles. The collection is cataloged by a community of volunteer
online librarians. The ebooks in the Open Library can be read
online, downloaded to your computer, read on Kindle and other ereader
devices, and embedded into other sites.
Some of the ebooks, like Treasure Island, can also be listened to
through the Open Library.
Applications for Education
Much like Google Books,
the Open Library could be a great place to find free copies of
classic literature that you want to use in your classroom. The Open
Library could also be a good place for students to find books that
they want to read on their own. The audio option, while very
electronic sounding, could be helpful if you cannot locate any other
audio copies of the book you desire.
Something to look for?
Only $38 away from my favorite price point.
Datawind brings a $38 Android tablet to the U.S. — on the heels of India’s cheap Aakash tablet
Datawind’s
mission to deliver ultra-cheap tablets for everyone, no matter their
income, is finally headed to the U.S.
Today the Canadian
company announced that it will offer three of its 7-inch Android
UbiSlate tablets in the United States, with the cheapest (the
UbiSlate 7ci) running for a mere $38.
...never fails to
amuse.
… New Jersey governor Chris Christie says he will sign legislation that would allow undocumented immigrants in New Jersey to be eligible for in-state college tuition. [Making it cheaper to come from Guatemala than from Pennsylvania? Bob]
… Alabama joins those states (16 in total) that allow computer science classes to count as math credit towards graduation. [Perhaps “Home Economics” could count as Chemistry? Bob]
… The tech blog VentureBeat is launching an education vertical, sponsored by a subsidiary of Apollo Education Group (parent company of the University of Phoenix). VentureBeat claims it is the “first major technology news organization to dedicate a channel to how technology is transforming the global education market” which is really a stretch (Chris Dawson ran one for ZDNet for a long time). But hey, with solid research into education history like this, you know the coverage is gonna be stellar!
… Students are bored in school, and Amanda Ripley is on it. She monitored Twitter for a list of their grievances. Another look at “bored at school” tweets is here.
God forbid that someday someone will take one of these “threats” seriously and take out Pyongyang. Worst case scenario? One of the drones who have been told all their lives that Kim is almost a God takes the action he believes his “Great/Dear/Glorious Leader” has commanded.
North Korea sends fax threatening to strike South Korea 'without notice': report
… A South Korean
news agency reported
Friday that the North has threatened to attack
“without notice” in response to anti-North rallies this week —
and that it sent the warning by fax.
… The threat was
sent by the North Korean military, according to the Yonhap news
agency. It arrived, apparently without a paper jam, at the South
Korean National Security Council.