Granted, there are always false positives that need to be investigated (otherwise they are true positives). What broke down here? It looked like a real program name, so we didn't bother to check?
Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data

The hackers who raided the credit-card payment system of Neiman Marcus Group (NMG) set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation.

The hackers moved unnoticed in the company’s computers for more than eight months, sometimes tripping hundreds of alerts daily because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data were taken from July through October.

The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target (TGT), said Aviv Raff, an Internet-security expert.

… Ginger Reeder, a spokeswoman for Neiman Marcus, says the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software, so any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team.

… The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. The maximum number of customer cards exposed, according to the most recent estimate, is less than 350,000, Reeder says. Approximately 9,200 of those have been used fraudulently since the attack, she says.

… According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred.

… New details of the cyberattack on Neiman Marcus, which the retailer disclosed on Jan. 10, emerged in a forensic report required under security standards set by the major credit-card brands. The review leaves many questions about the attack unanswered because the data are insufficient. Investigators couldn’t trace how the hackers broke into the network, for example, or when the data were removed.

… The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.

… Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.
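Two things the excerpt describes are easy to catch in triage if someone looks for them: a process name that nearly matches the approved payment binary without being it, and the same suspicious binary reappearing on the same register day after day. The following is an added example (not code from the report or from Neiman Marcus); the allow-list name, hashes and alert records are constructed, and the name-similarity test uses difflib's ratio rather than anything the article specifies.

```python
"""Alert-triage sketch: flag process alerts whose name nearly matches an approved
payment binary (but is not it), or matches it with an unexpected hash, and count
on how many days each such binary keeps reappearing per register."""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed allow-list (hypothetical name and placeholder hash).
APPROVED = {"posagent.exe": "sha256-approved-placeholder"}

# Constructed sample alerts: (date, host, process name, sha256 of the image).
SAMPLE_ALERTS = [
    ("2013-07-16", "reg-01", "posagent.exe", "sha256-approved-placeholder"),
    ("2013-07-16", "reg-01", "explorer.exe", "sha256-other"),
    ("2013-07-16", "reg-01", "posagnet.exe", "sha256-unknown-1"),
    ("2013-07-17", "reg-01", "posagnet.exe", "sha256-unknown-1"),
    ("2013-07-17", "reg-02", "posagnet.exe", "sha256-unknown-1"),
    ("2013-07-18", "reg-01", "posagnet.exe", "sha256-unknown-1"),
    ("2013-07-18", "reg-03", "posagent.exe", "sha256-tampered"),
]

def lookalike(name, approved=APPROVED, threshold=0.85):
    """Return the approved name that `name` resembles without equalling, else None."""
    n = name.lower()
    if n in approved:
        return None
    for good in approved:
        if SequenceMatcher(None, n, good).ratio() >= threshold:
            return good
    return None

def triage(alerts, approved=APPROVED):
    """Group alerts by (host, name); keep lookalike names and approved names
    carrying an unexpected hash. Returns {(host, name): {"reason", "days_seen"}}."""
    days = defaultdict(set)
    findings = {}
    for date, host, name, digest in alerts:
        n = name.lower()
        good = lookalike(n, approved)
        if good is not None:
            reason = f"name resembles approved {good}"
        elif n in approved and approved[n] != digest:
            reason = "approved name with unexpected hash"
        else:
            continue  # approved binary with the approved hash: nothing to escalate
        days[(host, n)].add(date)
        findings[(host, n)] = {"reason": reason, "days_seen": len(days[(host, n)])}
    return findings

def recurring(findings, min_days=2):
    """Suspicious binaries that keep coming back on the same host across days."""
    return {k: v for k, v in findings.items() if v["days_seen"] >= min_days}
```

The exact-name check is what an unchanged binary name cannot evade; the recurrence count is what a deleted-and-reloaded implant cannot avoid.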
Does “Not private” mean open to the public?
Rochelle Olson reports:

A U.S. District Court judge on Friday threw out three major cases involving hundreds of allegations of improper public-employee snooping into driver’s license data, saying no federal law was violated and driver information is not private.

In three similar orders, Judge David Doty said information on drivers’ licenses such as eye color, height, weight and address may be personal, but it’s not private.

Read more on Star Tribune.
[From the article:

“The identical information can be obtained from public property tax records ... [and] there is a long history in the United States of treating motor vehicle records as public records,” the judge’s order said, citing a 1998 ruling from a different circuit.

… A critical question in the cases was whether viewing driver’s license data without an official purpose qualifies as a misuse under federal Driver’s Privacy Protection Act. The driver database contains historical photographs, addresses and driving records on Minnesotans with a license.

In each of the three orders, Doty wrote about two dozen pages with similar reasoning. The judge said the plaintiffs failed to show that the defendants had accessed their records for an impermissible reason. “In the absence of clear evidence to the contrary, courts presume that [public officers] have properly discharged their official duties,” he wrote.
(Related) “Oh, the plan we canceled? That was ‘Plan 9 from Outer Space,’ plans 1 through 8 are working fine, thank you.”
Extensive DHS Licence Plate Data Collection Exists – Expansion Planned

by Sabrina I. Pacifici on February 22, 2014
Follow up to previous posting - EFF – A Massive Expansion of Plate Data Collection, via ACLU - Setting the record straight on DHS and license plate tracking: “First of all, contrary to widespread understanding, DHS’ solicitation for bids had nothing to do with asking a contractor to build a nationwide license plate tracking database. Such a database already exists. The solicitation was more than likely merely a procedural necessity towards the goal of obtaining large numbers of agency subscriptions to said database, so that ICE agents across the country could dip into it at will, as many have been doing for years already. There was never a plan to “build” a plate database. A database almost exactly like the one DHS describes is a current fact. It is operated by a private corporation called Vigilant Solutions, contains nearly two billion records of our movements, and grows by nearly 100 million records per month. As I explain in greater detail here, DHS likely just wanted broader access to tap it. Second, contrary to the impression that many seem to have that DHS does not use license plate readers, some of the agency’s sub-organizations have been using the technology for years now. Customs, Border Patrol, for example, operates license plate readers at every land border crossing, a fact that has been somewhat widely reported. You have to read beyond headlines like “Department of Homeland Security cancels national license-plate tracking plan” to understand that DHS already makes substantial use of license plate readers, both by deploying its own and accessing privately held databases containing billions of records. It seems as if many people are under the mistaken impression that we dodged a surveillance-bullet when DHS withdrew this solicitation. We didn’t. A national plate tracking database exists, run by Vigilant Solutions, and it is widely used by law enforcement nationwide. The company is currently aggressively defending in court its ability to track anyone it wants, however it wants. If you’d like to see which agencies have access to its rapidly growing database, you can click here and scroll through the drop down menu. Vigilant has helpfully provided a list for all to peruse.”
Something for the IP lawyers? “Okay, give them the contact information, but we (the court) will watch them like a hawk, because they are clearly a bunch of trolls.”
Canadian Court Decision on Copyright Trolls and P2P Lawsuit

by Sabrina I. Pacifici on February 22, 2014
Via Michael Geist: “The federal court has released its much anticipated decision in Voltage Pictures v. Does, a case involving demands that TekSavvy, a leading independent ISP, disclose the identities of roughly 2,000 subscribers alleged to have downloaded movies without authorization. The case attracted significant attention for several reasons: it is the first major “copyright troll” case in Canada involving Internet downloading (the recording industry previously tried unsuccessfully to sue 29 alleged file sharers), the government sought to discourage these file sharing lawsuits against individuals by creating a $5,000 liability cap for non-commercial infringement, TekSavvy ensured that affected subscribers were made aware of the case and CIPPIC intervened to ensure the privacy issues were considered by the court. Copies of all the case documents can be found here. The court set the tone for the decision by opening with the following quote from a U.S. copyright case: “the rise of so-called ‘copyright trolls’ – plaintiffs who file multitudes of lawsuits solely to extort quick settlements – requires courts to ensure that the litigation process and their scarce resources are not being abused.” The court was clearly sensitive to the copyright troll concern, noting that “given the issues in play the answers require a delicate balancing of privacy rights versus the rights of copyright holders. This is especially so in the context of modern day technology and users of the Internet.”
A most interesting Infographic...

The Evolution of Data Storage

For my website students.

– is a set of testing tools for Microsoft web developers. Test your site on various versions of IE using free virtual machines for Windows, Mac, and Linux. Test your site on browsers hosted by Browserstack. Scan for common coding problems.