• Take THAT IE Fan Boy

    Bruce Schneier just posted an interesting article on his blog entitled “Interview with an Adware Developer”.

    This article reinforces many of the things I have been telling people for a very long time, but for whatever reason they never sink in.

    [Read More...]
  • More on Heartland

    Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the “sniffer” software used to collect the data was located only last week.

    [Read More...]
  • Heartland Breach

    Heartland Payment Systems acts as a payment gateway for credit card transactions for over 250,000 businesses. At some point a sniffer was installed in their data center intercepting all transactions. Some media outlets are calling this the “largest data breach ever”. They process “100 million credit card payments a month and more than 4 billion transactions per year” but currently have no idea when the malicious software was installed.

    [Read More...]
  • Massive World Bank Compromise

    FoxNews (not one of my normal news sites… I promise) just posted a story entitled “World Bank Under Cyber Siege in ‘Unprecedented Crisis’”.

    The details are fairly chilling and include some amazingly upbeat quotes like…

    “While it remains unclear how much data has been pilfered from the bank, it’s a lot. According to internal memos, “a minimum of 18 servers have been compromised,” including some of the bank’s most sensitive systems — ranging from the bank’s security and password server to a Human Resources server “that contains scanned images of staff documents.””

    And…

    “The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.”

    This is certainly disturbing news for a number of reasons. Most importantly, the fact that the world’s financial system is in serious peril, and this…

    In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

    The italicised text is what I find very disturbing.  GLB, SOX and a slew of other laws all have strict disclosure guidelines.  Trying to hide something of this magnitude is not only futile but also illegal.

  • Diebold Accidentally Leaks Results Of 2008 Election Early

    It would be funny if it weren’t so damn plausible. :)

  • geeks.com compromise

    The folks at consumerist (excellent site, btw) just posted a copy of the disclosure letter geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may be compromised.

    A few items that concerned me about the disclosure are…

    Genica Corporation dba Geeks.com
    1890 Ord Way Oceanside, CA 92056
    January 4, 2008

    [snip]

    The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.

    Two things immediately jump out at me in this first chunk of text. The first is the date of the letter compared to the stated date of discovery.

    Being a PCI-DSS guy, I know that most merchant gateway providers require disclosure within 1 day of “a suspected compromise”. Granted, that is disclosure to the merchant gateway and not to customers. However, Computer Geeks operates out of California, which is at the forefront of disclosure laws. In fact, the California Security Breach Information Act (SB-1386) states…

    Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery

    The other troubling part was “and card verification number”. This is the CVV2, which is NEVER to be stored per PCI directive 3.2.2.

    3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions

    I am troubled by the fact that vendors still remain clueless on best practices and the regulations that govern their actions. I am even more disturbed by the fact that (regulations aside) implementing proper safeguards and demonstrating caution is in their customers’ best interests, yet it is still not done.

  • This Week in Links: 12/31/07 – 1/6/08

    Best of 2007

    Tech

    Security

    Privacy

    Apple

  • Pretexting

    I have seen “pretexting” in the news far too much without commenting on it.

    What is pretexting? According to Wikipedia it is “the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone”.

    So in other words it’s a specific type of social engineering. Or as I like to call it: fraud.

    Let’s not beat around the bush on this one. If you contact a company and pretend to be me in order to get information about me, or acquire a service or funds that you are not entitled to, you are committing fraud (and I will beat you down).

    Having been the victim of both identity and credit theft, I take privacy very seriously. Yet even a thorough understanding of privacy and a healthy paranoia are still not enough.

    The first time it happened someone forged my signature (convincingly too) to have all of my mail forwarded to Texas. The motivation on this one is still unclear, but it took the post office months to straighten my mail out.

    The second time I was a victim of credit card “double-swipe”. While at a gas station in Ontario, CA someone swiped my debit card through a modified card reader. This reader recorded the information stored on the strip on the back of my card. They also recorded my CVV (the 3 digit code on the back of the card) and used the information to print a new magnetic strip and clone my debit card. It was used for ‘card in hand’ transactions in Toronto.

    Neither of these events could have been prevented… by me. However, with proper legislation our government could force private industry to implement effective safeguards against these sorts of attacks. Unfortunately, until these safeguards are mandated or become cost effective, they will never happen, and we as consumers will continue to suffer.

    A prime example of this country moving in the wrong direction is the recent HP verdict. The top levels of the company condoned (nay, encouraged) pretexting and got off with no jail time.

    And now we are seeing pretexting causing issues with Xbox Live.

    We have to be clear with law makers that we will no longer sit by and let our personal data be stolen and sold.

    Until we can convince law makers that this sort of thing will not be tolerated, all we can do is learn how to protect ourselves and support organizations that are trying to make things right.

    Electronic Privacy Information Center (EPIC)
    Identity Theft Resource Center
    Privacy Rights Clearinghouse
    Privacy Laws by State (source: Epic.org)

  • Texas County Clerks Want to be Above the Law on Data Privacy

    In case you haven’t been following security and privacy related news, last week Texas Attorney General Greg Abbott ruled that exposing SSNs in public documents violates state and federal laws.

    To me, this is common sense and good news for the common good of everyone in Texas. Why would you want anyone printing your social security number in a public document? It makes no sense and is outright dangerous.

    Now we have this little gem (source: computerworld.com):

    The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents “in the ordinary course of business.” […] The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid.

    This sounds like a group of people so set in their ways and so fearful of change that they are unwilling (or too lazy?) to change operating procedure to comply with the law and serve the good of the general public.

    I’m appalled that the Texas county clerks would ask legislators to exempt them from this law and I am even more disgusted with the fact that the legislators are considering it.

    Apparently even the privacy concerns are bigger in Texas.

  • Help! My Identity Has Been Thefted… Again!

    Well, not really.  This time it was only my debit card.

    I received word, last Saturday evening, from my bank (National City) that my debit card had been used for a ‘card-in-hand’ transaction at a gas station in Canada (they made a physical card containing my debit card information on the back strip). The woman from the bank asked if I had been in Canada earlier that day. After telling her that I was at home all day, she informed me that my card number had likely fallen prey to the recent rash of debit card information thefts.

    From what I was able to gather from previous reading about this, a number of merchants illegally retained debit card PIN information, and that information was subsequently stolen and used all over Canada and Europe.

    The woman from the fraud department at National City informed me that the transaction had occurred about an hour earlier, that she saw no additional fraudulent transactions (I verified this with my online account view), that my card had been frozen to prevent further charges and that the bank maintains a no-liability policy. In other words, I was not responsible for the transaction in any way. She asked that I stop by a branch and fill out an ‘Affidavit of Fraud’ and said that a new debit card was being mailed first thing Monday.

    All in all, I was very impressed with the quickness of detection and the fact that they took the initiative and corrected things. They turned what could have been a disaster into only a minor inconvenience.

    I am, however, unimpressed with the fact that the government still has not passed any law that will hold the vendor(s) accountable for allowing the information to be compromised. I am certain that once a law of this sort passes, the frequency of these sorts of incidents will drop like a stone.

    The number of articles about this whole debacle indicates that hundreds of thousands of others have also fallen victim. A couple from SecurityFocus are as follows:

    Seven arrested in online fraud crackdown
    Debit-card fraud underscores legal loopholes
    Debit-card fraud continues
    Citibank issues ATM fraud statement
