Local. Similar to many other PoS breaches.
Natural Grocers Investigates Data Breach
The incident has been contained, and the company said law enforcement is investigating the matter. So far, Natural Grocers has not received any reports of fraudulent use of customer information, and there is no evidence any PIN numbers or card verification codes were accessed.
…
"While its investigation is ongoing, Natural Grocers has accelerated pre-existing plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that includes point-to-point encryption and new pin pads that accept “chip and PIN” cards," the company said in a statement.
…
According to security blogger Brian Krebs, the attackers broke into Natural Grocers just before Christmas by attacking vulnerable database servers. From there, they were reportedly able to pivot around the network and infect the PoS systems.
[From the Krebs article:
Perhaps they aren’t reporting the fraud to Natural Grocer, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.
“Gosh, it looked Okay to us!”
Brian Krebs reports:
A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.
On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.
[From the article:
“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized.
Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” [Oops! Bob]
Interesting, but not much detail.
Apple Pay sees 60x more fraud than regular cards, expert says
…
Fraud in the so-called Yellow Path is “growing like a weed, and the bank is unable to tell friend from foe,” Abraham wrote in a blog post on Feb. 22. “No one is bold enough to call the emperor naked.”
He estimated that it’s not unusual to see fraud account for about 6 percent of Apple Pay transactions compared with 0.1 percent using a traditional credit or debit card, according to the Wall Street Journal.
…
The White House recently announced that Apple Pay would be available as an alternative to federal payment cards in systems like GSA SmartPay. The service will also be available for transactions with national parks.
Apple has said the service is designed to be “extremely secure” and suggested the banks may be at fault for the verification of fraudulent cards.
(Related) The Yellow Path.
Amid Apple Pay fraud, banks scramble to fix Yellow Path process
…
According to reports, criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim's card on the new device. This is so-called "Yellow Path" authentication, in which a card isn't automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.
The joys of politically motivated technology restrictions? (Failure to pass Economics 101 leads to many other failures?)
Decade-old 'FREAK' security flaw left millions exposed
…
The newly discovered encryption flaw known as "FREAK attack" left users of Apple's Safari and Google's Android browsers vulnerable to hackers for more than a decade, researchers told the Washington Post. Users of the browsers were vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available, according to the newspaper. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including the web browsers.
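The "weaker standards" the article refers to are the export-grade TLS cipher suites, and they are still recognisable by name: FREAK forced a downgrade to the RSA_EXPORT key exchange, whose 512-bit RSA keys were practical to factor. So the first thing a defender checks is whether any suite carrying the EXPORT designation is still offered by a server or accepted by a client. The audit below is an added example written for this page, not code from the article, the researchers or any browser vendor; the server cipher list it inspects is constructed for the example, and the OpenSSL cipher string is one hardened setting, not the only one.

```python
"""Audit TLS cipher-suite names for the export-grade suites behind FREAK.

Editor's added example.  SAMPLE_SERVER_SUITES is a constructed configuration,
not the cipher list of any site mentioned in the article.
"""
import re
import ssl

# Export-grade suites carry the designation in their name under both naming
# schemes: IANA ("TLS_RSA_EXPORT_WITH_RC4_40_MD5") and OpenSSL ("EXP-RC4-MD5").
# Their RSA/DH key exchange is capped at 512 bits (1024 for the later
# EXPORT1024 suites) and the bulk cipher at 40 or 56 bits.
EXPORT_PATTERNS = (
    re.compile(r"^TLS_.*_EXPORT(1024)?_WITH_"),  # IANA naming
    re.compile(r"^EXP(1024)?-"),                 # OpenSSL naming
)

# Non-export suites that still should not be offered today: anonymous DH,
# NULL encryption, RC4, DES and 3DES, and MD5-based MACs.
WEAK_MARKERS = ("_anon_", "ADH", "NULL", "RC4", "DES", "MD5")

# OpenSSL cipher string that removes export and other low-grade suites.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES:!MD5"

# Constructed example: a legacy server that still offers two export suites.
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]


def classify_suite(name: str) -> str:
    """Return 'export', 'weak' or 'ok' for one cipher-suite name.

    Export is checked first: an export suite also contains RC4/MD5 markers,
    but the export downgrade is the finding that matters.
    """
    if any(p.match(name) for p in EXPORT_PATTERNS):
        return "export"
    if any(marker in name for marker in WEAK_MARKERS):
        return "weak"
    return "ok"


def audit_cipher_suites(names):
    """Group a list of suite names by classification, preserving order."""
    findings = {"export": [], "weak": [], "ok": []}
    for name in names:
        findings[classify_suite(name)].append(name)
    return findings


def ciphers_after_hardening(cipher_string: str = HARDENED_CIPHER_STRING):
    """Ask the local OpenSSL which suites survive the hardened cipher string.

    Modern OpenSSL builds no longer compile export suites at all, so this
    mostly confirms the runtime; the list is what a client here would offer.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    report = audit_cipher_suites(SAMPLE_SERVER_SUITES)
    for category, suites in report.items():
        print(f"{category:>6}: {', '.join(suites) or '-'}")
    offered = ciphers_after_hardening()
    print(f"local OpenSSL offers {len(offered)} suites, "
          f"{sum(classify_suite(n) == 'export' for n in offered)} export-grade")
```

The name-based check is deliberately conservative: it flags the whole EXPORT family rather than trying to reason about key sizes, because the point the article makes is that these suites stayed in shipping software long after the policy that created them was gone.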
“We don't need no stinking employees!”
“We don't need no stinking security!”
“We don't need no stinking backups!”
Notice a theme here?
Ted Johnson reports:
Nine former Sony employees have filed an amended class action lawsuit against Sony Pictures Entertainment, alleging that the studio failed to take adequate safeguards to protect personal information that was exposed in the hacking attack last year.
“Following the breach, SPE has focused on its own remediation efforts, not on protecting employees’ sensitive records or minimizing the harm to its employees and their families,” states the amended complaint, filed on Monday in U.S. District Court in Los Angeles. “Rather, SPE has focused on securing its own intellectual property from pirates and a public relations campaign directed at controlling damage to SPE associated with the release of embarrassing internal emails.”
For my Ethical Hackers: “Disruptions” are detectable... Just saying.
Kim Zetter reports:
For years the government has kept mum about its use of a powerful phone surveillance technology known as a stingray.
The Justice Department and local law enforcement agencies insist that the only reason for their secrecy is to prevent suspects from learning how the devices work and devising methods to thwart them. But a court filing recently uncovered by the ACLU suggests another reason for the secrecy: the fact that stingrays can disrupt cellular service for any phone in their vicinity—not just targeted phones—as well as any other mobile devices that use the same cellular network for connectivity as the targeted phone.
[From the article:
But in the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.
“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity.
Do their computers contain the intellectual property of the firm or the skills of the lawyer? I'm pretty sure the answer is a four-letter word.
Debra Cassens Weiss reports:
A battle over laptops taken by lawyers to a new law firm failed to reach a settlement last week during a three-hour session before a magistrate judge.
The suit by Pennsylvania insurance boutique Nelson Brown Hamilton & Krekstein initially sought the return of laptops taken by 14 departing lawyers to Lewis, Brisbois, Bisgaard & Smith, the National Law Journal (sub. req.) reports. The suit seeks damages under the Computer Fraud and Abuse Act.
After the suit was filed last May, Lewis Brisbois returned the laptops, but erased and preserved the information they held, the story says. Now both law firms have hired computer experts to determine what information was on the devices.
The departing lawyers had represented hacked companies, and Nelson Brown says sensitive information such as Social Security numbers may have been saved on the laptops. The firm also says the devices may have contained confidential client lists and legal strategies.
From looking at the complaint, Nelson Brown owned the laptops and devices that the departing attorneys took with them in February 2014. What were the lawyers’ ethical obligations to the firm’s clients they had been representing? Could they just hand over the laptops and walk away?
And given that personal and sensitive information of data breach victims may have been on those laptops and devices, I wonder what would have happened if Nelson Brown had configured their security so that data were not stored locally but on their server, from which it could be accessed but not saved locally? Why were all their lawyers walking around with PII on laptops? Were the data encrypted?
Wow! I wonder where they got that crazy idea?
Irony: Obama Balks At Chinese Government's Orwellian Cybersecurity Tactics
…
President Obama is fearful that China’s plans — which include allowing the Chinese government to install security backdoors, requiring companies to hand over encryption keys, and keeping user data on Chinese soil — are an assault on intellectual property held by American companies and leave customers open to privacy violations.
China’s draft proposal for its anti-terrorism legislation "would essentially force all foreign companies, including U.S. companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services," said President Obama in an interview with Reuters. "As you might imagine tech companies are not going to be willing to do that.”
(Related) Makes you think the government doesn't get it.
14 Consumer Groups Outline Shortcomings In WH Privacy Legislation
“Consumer Watchdog today joined 13 other public interest groups in a letter to President Obama outlining the shortcomings of the draft Consumer Privacy Bill Of Rights Act and pledging to work with the Administration and Congress to strengthen the
“In 2012, you released your vision of the founding principles of consumer privacy — the Consumer Privacy Bill of Rights. Many of us hope that your principles, once implemented in legislation, will form a powerful framework to protect Americans’ fundamental right to privacy,” the 14 groups wrote in their joint letter. “Unfortunately, the discussion draft released last Friday falls short of that promise.”
Read the groups’ letter here.
…
“The bill is full of loopholes and gives consumers no meaningful control of their data. Even the Federal Trade Commission says they have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy.
Read the draft Consumer Privacy Bill of Rights Act here.
Now this could be amusing... If true, what else is implied? If we dynamite the dam, what else is released? If we don't, what else is blocked?
Federal Court Considers FTC’s Data Protection Authority
EPIC – “A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC’s authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC’s “critical role in safeguarding consumer privacy and promoting stronger security standards.” EPIC explained that the damage caused by data breaches – more than $500 million last year – makes data security one of the top concerns of American consumers. EPIC warned the court that “removing the FTC’s authority to regulate data security would be to bring dynamite to the dam.”
It's sad that this is the best way to catch pimps.
Adam Liptak reports:
The Supreme Court on Tuesday seemed inclined to let the police in Los Angeles inspect hotel and motel guest registries without permission from a judge.
A lawyer for the city, E. Joshua Rosenkranz, told the justices that such surprise inspections are vital to law enforcement.
“This case is about whether to deprive scores of cities of one of the most effective tools that they have developed to deter human trafficking, prostitution and drug crimes that have seized the ground in America’s hotels and motels,” he said.
Anything for a story? “Drones are illegal so let's get a drone and see what the illegal drones saw?” Apparently journalists are much easier to catch than competent drone operators.
Paris Drone: Al Jazeera Journalist Fined
A British journalist for the Al Jazeera network has been fined for illegally flying a drone over central Paris.
…
Several of the aircraft had been seen flying over locations including the US Embassy and the Eiffel Tower in the two nights preceding the trio's arrests.
…
Al Jazeera confirmed initial reports that the drone was being used to put together a report on the mystery sightings in Paris when the journalists were arrested themselves.
…
Authorities were first alerted to mystery drone flights in October, when state-run power company EDF filed a complaint with police. Sightings continued into the new year.
Could be worth following.
Michael Cooney reports:
Most days it seems like keeping and protecting any sort of data private is a pipe dream.
There are a variety of research efforts underway to keep private data private but it may be too little too late, some experts say.
Despite that notion the researchers at DARPA next month will go over a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.”
The program is named after Louis Brandeis, an associate Supreme Court Justice who was arguably the world’s first privacy champion having helped pen “The Right to Privacy” for the Harvard Law Review in 1890 which is still the basis for a number of privacy protections in the US.
Watson (like Audrey in Little Shop of Horrors) demands to be fed!
IBM buys AlchemyAPI to boost Watson computing unit
International Business Machines Corp said on Wednesday it had acquired AlchemyAPI, a fast-growing startup selling software that collects and analyzes unstructured text and data in ways big enterprises, website publishers and advertisers find useful.
… AlchemyAPI already has about 40,000 developers building tools using its technology, which would give IBM access to a much bigger, ready-made user base.
… AlchemyAPI, founded in 2005 and based in Denver, has 18 full-time employees. Its customers include publishing company Hearst Corp and image agency Shutterstock. IBM did not disclose the purchase price.
The startup's software gathers data from a wide range of sources, from Twitter posts and news stories to website images and text messages, sorts the data, learns to differentiate between them, and allows users to see connections that would take much longer to establish using more standard computing methods.
The software, which learns as it goes, enables users to group together disparate information on a certain topic or event, find related articles or information sources, and helps advertisers target online ads better.
For my Statistics students who have great difficulty “forecasting” the solution to the Monty Hall Problem. (I'm trying to get them to use algorithms.)
Algorithm Aversion: People Erroneously Avoid Algorithms after Seeing Them Err
“Research shows that evidence-based algorithms more accurately predict the future than do human forecasters. Yet, when forecasters are deciding whether to use a human forecaster or a statistical algorithm, they often choose the human forecaster. This phenomenon, which we call algorithm aversion, is costly, and it is important to understand its causes. We show that people are especially averse to algorithmic forecasters after seeing them perform, even when they see them outperform a human forecaster. This is because people more quickly lose confidence in algorithmic than human forecasters after seeing them make the same mistake. In five studies, participants either saw an algorithm make forecasts, a human make forecasts, both, or neither. They then decided whether to tie their incentives to the future predictions of the algorithm or the human. Participants who saw the algorithm perform were less confident in it, and less likely to choose it over an inferior human forecaster. This was true even among those who saw the algorithm outperform the human.”
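For the Monty Hall comment above, this is the kind of algorithm the students are being asked to reach for instead of intuition: enumerate the nine equally likely (car, pick) cases exactly, then confirm with a seeded Monte Carlo run. It is an added example written for this page, not code from the blog or from the Algorithm Aversion paper; the door numbering and the host's tie-break when two goat doors are available are the example's own conventions.

```python
"""Monty Hall by algorithm: exact enumeration plus a Monte Carlo check.

Editor's added example.  Doors are numbered 0..2; when the host has two
doors to choose from, the tie-break is the example's own convention.
"""
import random
from fractions import Fraction
from itertools import product

DOORS = (0, 1, 2)


def host_opens(car: int, pick: int, rng=None) -> int:
    """Host opens a door that hides a goat and is not the contestant's pick."""
    options = [d for d in DOORS if d != car and d != pick]
    # If pick == car there are two goat doors; the choice does not affect
    # either strategy's outcome, so take the first unless an RNG is given.
    return rng.choice(options) if rng is not None else options[0]


def switch_door(pick: int, opened: int) -> int:
    """The one remaining closed door."""
    return next(d for d in DOORS if d not in (pick, opened))


def exact_win_probabilities() -> dict:
    """Enumerate the 9 equally likely (car, pick) pairs; exact Fractions."""
    stay_wins = switch_wins = 0
    cases = list(product(DOORS, DOORS))
    for car, pick in cases:
        opened = host_opens(car, pick)
        stay_wins += pick == car
        switch_wins += switch_door(pick, opened) == car
    return {"stay": Fraction(stay_wins, len(cases)),
            "switch": Fraction(switch_wins, len(cases))}


def simulate(trials: int, seed: int = 1) -> dict:
    """Monte Carlo estimate with a fixed seed so the run is reproducible."""
    rng = random.Random(seed)
    wins = {"stay": 0, "switch": 0}
    for _ in range(trials):
        car = rng.choice(DOORS)
        pick = rng.choice(DOORS)
        opened = host_opens(car, pick, rng)
        wins["stay"] += pick == car
        wins["switch"] += switch_door(pick, opened) == car
    return {k: v / trials for k, v in wins.items()}


if __name__ == "__main__":
    exact = exact_win_probabilities()
    est = simulate(100_000)
    print(f"exact : stay {exact['stay']}  switch {exact['switch']}")
    print(f"sim   : stay {est['stay']:.3f}  switch {est['switch']:.3f}")
```

The enumeration is the real argument: staying wins only when the first pick was the car (3 of 9 cases), and switching wins in every other case, so the host's choice of goat door never matters. The simulation is there because that is what students actually believe once they see the frequencies converge.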
I noticed a student just the other day who had his nose six inches from the monitor because he had smashed his glasses and was awaiting a new pair. Making the text larger was a revelation. (Who said this generation knows everything about technology?)
Are You Nearsighted or Farsighted? Tips to Make Windows More Accessible for Young & Old
Perspective for my Business Intelligence students.
Is Social Media Actually Helping Your Company’s Bottom Line?
For my nerdy students? Check out the photo that accompanies the article.
The Bank of Canada is warning people to stop drawing Spock on their money
Canadians are paying a strange sort of tribute to the late Leonard Nimoy — they're drawing his most famous character, Star Trek's Spock, over a 19th-century politician on their banknotes.
…
It looks like the fad goes back further. Apparently, Canadians have been turning Sir Wilfrid Laurier, the country's first French-speaking prime minister, into a Vulcan for years.