Oh no! Not Jimmy Johns!
Sandwich Chain Jimmy John’s Investigating Breach Claims
Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.
…
The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.
Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software.
…
Reports of a possible card compromise at Jimmy John’s come amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.
Oh look, banks have rules!
Financial Crimes Enforcement Network: Customer Due Diligence Requirements for Financial Institutions
by Sabrina I. Pacifici on Jul 31, 2014
News release: “The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) today issued a Notice of Proposed Rulemaking (NPRM) to amend existing Bank Secrecy Act (BSA) regulations to help prevent the use of anonymous companies to engage in or launder the proceeds of illegal activity in the U.S. financial sector. The proposed rule would clarify and strengthen customer due diligence obligations of banks and other financial institutions (including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities). The proposed amendments would add a new requirement that these entities know and verify the identities of the real people (also known as beneficial owners) who own, control, and profit from the companies they service… The proposed rule benefits from extensive outreach and discussion with financial institutions and regulatory agencies. These proposed amendments represent significant enhancements to the BSA and build upon post-9/11 augmentation of the regulations designed to protect the U.S. financial system. They would make valuable information needed to disrupt illicit finance networks available to law enforcement. The resulting increase in financial transparency would enhance the ability of financial institutions and law enforcement to identify the assets and accounts of criminals and national security threats. The rule also would further the United States’ commitments in the G-8 Action Plan for Transparency of Company Ownership and Control published in June 2013. The rulemaking clarifies that customer due diligence includes four core elements: identifying and verifying the identity of customers; identifying and verifying the beneficial owners of legal entity customers; understanding the nature and purpose of customer relationships; and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The proposed requirement to identify and verify the identity of beneficial owners is addressed through the proposal of a new requirement for covered financial institutions to collect beneficial ownership in a standardized format. Those financial institutions will have to identify and verify any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity.”
Is this really unexpected?
Twitter and the US government square off yet again
Twitter’s latest transparency report shows a steady rise in government requests for account information. And an increasing number of requests are coming from foreign governments. In the past six months, the company received more than 2,000 different requests from 54 different countries, an increase of almost 150 percent since Twitter began releasing the data in 2012.
(Related)
Or this one?
Microsoft ordered to hand over emails on Dublin server
Microsoft's latest attempt to resist a US government warrant demanding access to emails stored on servers in Ireland has been dismissed by a federal judge.
A court in New York ruled against the tech company, which has consistently fought the order issued in December as part of a drug-trafficking trial.
Microsoft immediately announced plans to challenge the decision.
The company has previously said it will allow users to choose where their data is stored.
Is there a trend to make more/less data sensitive?
Daniel Solove writes:
…. I find it interesting what various countries define as sensitive data, and K Royal has created an awesome chart that she shared with me. To a privacy wonk like me, a chart like this makes me giddy with excitement, and so I thought I’d share it with you (with her permission, of course).
First, here’s a tally of the various types of most-commonly recognized categories of sensitive data. This is based on a chart of the sensitive data category of many countries that K Royal created.
See the chart and read more on LinkedIn.
If nothing else, ammunition for the annual budget wars.
NY AG Releases Report Showing Rise In Data Breaches, Provides Security Tips To Small Businesses & Consumers
by Sabrina I. Pacifici on Jul 31, 2014
“Attorney General Eric T. Schneiderman today issued a new report examining the growing number, complexity, and costs of data breaches in New York State. Using information provided to the Attorney General’s Office pursuant to the New York State Information Security Breach & Notification Act, the report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years of security breach data and how it has impacted New Yorkers. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches. Attorney General Schneiderman’s report also presents new recommendations on steps that both organizations and consumers can take to protect themselves from data loss.”
Rethinking our security strategy?
Don’t let your enterprise network fail on ‘the basics’
As many have pointed out, network security relies not on defenses that never fail, but on defenses that fail intelligently. However, today’s enterprise networks most often “fail on the basics,” according to Dmitriy Ayrapetov, director of product management at Dell SonicWall.
That has been a recurring theme at the Gartner Security & Risk Management Summit this week in Washington, D.C. New research from Gartner shifts the focus of security planning away from “preventive controls (such as signature-based anti-malware, network and host intrusion prevention systems, pervasive encryption and continuous patching),” calling such controls “increasingly ineffective.” Instead, Gartner’s analysis concludes that “the digital workplace reinforces the need to focus more on detective and reactive controls.”
…
He noted the recent collapse of CodeSpaces.com, a code-hosting and project management service provider whose customer data was eradicated last week by an unknown intruder, causing the company to fail within a day. According to an IDG News Service release published by ComputerWorld and other sources, “The devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.”
(Related)
Mobile Apps Are Replacing the Web - Is Your Enterprise Ready?
We know mobile is quickly changing the way we do business and now it’s also beginning to replace the web. A recent Gartner study shows that 86 percent of users are now using mobile apps compared to the 14 percent still using mobile browsers. The trajectory is very clearly shifting from web to mobile and as CISOs, we really need to reevaluate if we are ready to properly secure and protect mobile applications from threats.
A recent study showed that this year, mobile users actually surpassed desktop users. The “mobile first” trend has finally arrived and it’s coming in at full force.
Whether we like it or not, BYOD is here and being adopted in most organizations.
…
Gartner reports that by 2015, 75 percent of mobile apps will fail basic security tests.
…
Following OWASP’s top 10 mobile risks and the remediation for those risks is a great start. This covers everything from data encryption to preventing man-in-the-middle attacks to client side injection.
Perhaps we could host a war game?
Deloitte Brings Cyber War Games to the Enterprise
Deloitte's Cyber Risk Services group has launched new “cyber war-gaming and simulation services” that aim to unite those tasked with managing enterprise-wide responses to cyber-attacks.
According to Deloitte, its cyber threat war-gaming approach relies on thinking from the military and academia and incorporates lessons learned from war-game simulations conducted for multi-national companies, government entities, regulatory bodies and industry groups.
Deloitte co-authored the "After Action" report (PDF) for Quantum Dawn 2, a simulated systemic cyber attack on the U.S. financial system back in June 2013.
(Related)
Microsoft Launches EMET 5.0
Microsoft announced on Thursday the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0.
According to the company, version 5.0 of the free security tool comes with two new mitigations, Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+), both of which were introduced in EMET 5.0 Technical Preview.
Should be enlightening.
From EPIC:
The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases.
Might be useful
If you missed the 2014 Health Privacy Summit, you can view videos from the conference on Patient Privacy Rights’ site.
I'm shocked, shocked I tell you! Imagine a regulation requiring you to treat every request as if it was rational and reasonable. Then imagine individuals with no such requirements.
Zach Miners reports:
Some of those seeking to scrub their histories from the Web under Europe’s “right to be forgotten” rule are being economical with the truth when making their requests, Google said Thursday.
In a letter to European data regulators, Google listed some of the challenges it faces in complying with the ruling, which allows people to compel search engines like Google and Bing to remove links to pages that mention their name, if the references are “inadequate,” “irrelevant” or “excessive.”
Read more on Computerworld.
SkyNet will not work unless robots can self-repair.
Robot 'learns to keep going with broken leg'
Engineers have taken a step towards having machines that can operate when damaged by developing a robot that can teach itself to walk, even with a broken leg.
Using "intelligent trial and error", their six-legged robot learned how to walk again in less than 2 minutes.
Something useless for the game club. (Wink wink)
Play Game Boy Advance Games On Your iPhone
Apple doesn’t allow emulators on its platform, but coders keep finding a way to offer them. GBA4IOS is a free Game Boy Advance emulator you can install on your iPhone or iPad, for free.
Installing this is a little odd: you’ll need to set your time back 24 hours before you can download it, a trick that apparently lets this unapproved app get around Apple’s walled garden.
Of course, you can’t play any games with this unless you download ROMs – which would be illegal.
We know none of you would break the law, ever, so I suppose this isn’t useful – just like the emulators you installed on your Raspberry Pi.
Oh well.
I know some students who will love this.
A Tool That Answers 'What's That Typeface?'
… it's so addicting to be able to mouse over and identify any font you see online. That's what the browser plug-in FontFace Ninja allows. There's even a button that lets you hide everything on the page except for the text.