CardSystems Cards Being Exploited

The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:”

CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are already finding fraudulent charges on their statements.

The damage from this one is going to be fast and furious, as thieves try to cash out before the card numbers are changed. (Via Paul Melson, posting to the Firewall Wizards list.)

Schneier, Solove on Medical Privacy

In U.S. Medical Privacy Law Gutted, Bruce Schneier analyzes the new rules on who gets prosecuted for violating your medical privacy. Answer: fewer people than you’d think or hope:

I’ve been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law — and to a large extent, they’re waiting to see how it’s enforced — they are doing so because of the criminal penalties. They know that the civil penalties aren’t that large, and are a cost of doing business. But the criminal penalties were real. Now that they’re gone, the pressure on big health to protect patient privacy is greatly diminished.

In “How HIPAA Was Undermined,” Daniel Solove quotes Peter Swire:

Now, seeing that the federal government has created immunity for bad actors, all these people may wonder why they tried so hard to do the right thing.

Solove’s article is worth reading in full.

FDIC, 6,000 employee SSNs, “security failure”

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases.

In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial accounts and credit reports. The data that may have been improperly accessed included names, birth dates, Social Security numbers and salary information on anyone employed at the agency as of July 2002.

From The Washington Post, “FDIC Alerts Employees of Data Breach,” via Daniel Solove, who asks all the right questions in “Notice Much Delayed: The FDIC Data Security Breach.”

Why I Blog

Inspired in part by Daniel Solove’s “How Blogging Changed My Life,” in part by a number of emails I’ve just sent saying “Sorry, I’ve been heads down with product release,” and the contrasting reality that I’ve found energy to write twelve blog posts in that time, I thought I’d talk about the muses.

I started blogging to get a better understanding of blogging. There are a great many things in life which are better understood by doing, rather than reading or talking. As those bloggers who are bitten by the bug will all tell you, it quickly becomes a form of release.

I try to blog about things I find interesting and worth sharing, and which are interesting enough to form an opinion, a quip, or a rant. Now and then I consider the linkability of a post. Will other people pick up on this? Is it exciting? I’m really bad at those predictions. I do try not to blog things everyone else has already blogged, unless I have something to add to it.

I blog because Choicepoint exists. Choicepoint has become the doubled bane of my existence. First, for who they are, and how they invade my privacy. Second, for their story grabbing ahold of me and not letting go. Having taken hold, I feel compelled to blog about them when I see interesting things. And people send me interesting things, damn you. Please don’t stop. No, the tripled bane, because from Choicepoint has begat a whole breach category of posts. From which I get great search-foo and random visitors. (Personal to AT: Ok, quadrupled, and I’d apologize in public, except I promised not to.) For Choicepoint, I use Technorati and Google Alerts, because as Solove says, the blog is a hungry monster, and they provide rich fodder.

I often blog to clear my head. Bringing up NetNewswire and skimming through the blogosphere distracts me from other things, and gives me a chance to focus on something else for a few minutes.

I also blog things that I once would have turned into an article or talk. Much of what I find interesting simply doesn’t warrant a 10 page article. So why pump it up to that? This relates, I think, to Solove’s comment that he blogs differently than his academic writing. I’ve commented in the past about the academic style of writing. We have strictly limited interest in this endeavor, as the reward structures associated with academia become less relevant to this author.

But really, even when I wasn’t posting, I was composing blog posts. So at the end of the day, I blog because I enjoy it, and hope you enjoy reading.

CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.”

MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants’ transactions but not retained by CardSystems.

CardSystems, being a bank, has not yet gotten the message that the rules have changed, and there’s no message on their homepage.

You and I have no way to protect ourselves from this. Shredding your statements doesn’t make a difference. You can’t ask a store clerk “Who’s your credit card acquirer?” (Well, you can, and they are unable to tell you. They know, at best, “swipe and check signature.” They have no idea what happens behind that.)

Congress needs to step in to regulate these industries that take these risks with our personal information, where we can’t protect ourselves, negotiate, or even know that the company exists.

[Update: Bob Sullivan has an analysis at “40 million credit cards exposed,” and Slashdot has a story with a roundup in the summary. Chris Walsh covers my back with the irony and sarcasm at “Prepare for the onslaught of ‘priceless’ jokes.” Richard Bejtlich has some insightful comments in “Cardsystems Solutions Intrusion Exposes 40m CC,” including catching this quote from Mastercard’s press release about GLBA, the fancy new bank “privacy” law:

Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.”

And with that, I’m going to be paying attention to the most excellent practical attacks on prox cards talk here at REcon, and missing some additional blog posts on this.]

Thanks, but…

The Open Mind kindly writes:

Adam Shostack, who is in the computer security side of business, always has informed and interesting news on the security vs privacy front. (Another great blog via Harry’s world of interesting links.) If you read anything vaguely connected to security or privacy in the mainstream media, Adam has probably covered it a few days, and in some cases weeks, previously.

It is clearly time for me to take a vacation, and I’ll be back next Monday or so.

More on North Korean Online Warfare

I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps it’s a website? Hard to tell.) that was eventually forwarded to Dave Farber’s IP list. Brooks Isoldi, editor of Intellnet, writes:

North Korea has trained a small army of computer hackers whose capability is equal to that of U.S. intelligence agencies, a South Korean defense official said last week.

Byeon was referring to a 1997 U.S. military exercise code-named Eligible Receiver that used National Security Agency officials posing as North Korean hackers. Using software obtained publicly from the Internet, the simulation showed that North Korea could shut down all U.S. military communications in the Pacific and the entire electric power grid in the western United States.

Ok, so let’s see. Not only was it a simulation, but it was seven or eight years ago. And what it found was that Americans were able to hack into and shut down US military communications. Which is bad. But it was also seven years ago. Perhaps they’ve improved things a little since then.

The skeptical reporter might also consider what differences exist between Americans pretending to be North Koreans, and real North Koreans. This is made harder because North Koreans are subject to one of the nastiest dictatorships on Earth. You can’t go, hang out with some North Korean hacker kids, and learn how they think. They have essentially no industry (have you ever seen a product made in North Korea?) They have no infrastructure. The ability of the North Korean military to execute on complex operational plans is unknown, but given the Stalinist nature of the country, it is unlikely that the operators are encouraged to take initiative or creatively exploit what they find. That might be mitigated or made worse when your unit is operating from a cube farm, with officers around.

On the other hand, the North Koreans seem to have produced nuclear weapons, and their military frequently does things (suicide squads sent through the DMZ, landed by submarine, etc) which seem to make no sense.

So Eligible Receiver is probably a bad model, but it may also be the best model that anyone has.

Minnesota, 2,000 medical records, hacker

The Duluth News Tribune is carrying a story, “State’s Web systems bogged down:”

[Monica] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals.

“The case management system database includes private and public information about you,” she wrote. “The security company believes that the primary purpose of the attack was most likely to use our system to launch additional attacks against other organizations. The security company also reported that the breach may have been used to seek data for the purpose of identity theft.”

The database includes names, addresses, dates of birth and illnesses of the health workers. It also includes names and phone numbers of people who referred them to the program.

Motorola, 34,000 Employee SSNs, Outsourcer ACS

In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that:

In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS).

The data on the stolen computers included names and Social Security numbers but no financial information, according to Motorola. The number of employees affected was not disclosed.

No financial information? They had SSNs, but no salaries? I suppose that makes some sort of twisted, perverse sense. Incidentally, Reuters (or subtitled the article “Ah, physical theft… how very old school!” Private to Reuters: You report, we snark. Any questions?

ACS’ chief marketing officer, Lesley Pool, said: “All employees were notified but to this date there is no indication that any personal information has been compromised. It is clear that it was just an amateur burglary.”

I feel better already! If these burglars were amateurs…why could they get to these computers? And seriously, what were social security numbers doing on a system that wasn’t tied to IRS reporting?

Star Wars Posts

Lileks bleats:

When you switch to the Dark Side, do you have to go to Sith HR to fill a bunch of forms? If the Jedi Council finds out you’re looking to switch sides, they send guards to make you empty out your desk and escort you out – or at least they used to. Apparently the fired guy always did a backflip once they were outside and decapitated the guards.

Obi sighs. The sun is behind him, so we know he’s in the right here. “Only Siths deal in absolutes,” he says.

Well, Obster, you’re not with him, right? And you’ve come to kill him, right? So Darth has a point. One might say that the Jedi failure to deal in absolutes, such as make absolutely sure Vader is absolutely dead instead of leaving him to bake like a tater tot left overnight in the broiler machine, might have served everyone well.

In other news, pointed to by Slashdot, Ghent posts on what it’s like to watch all the movies out of order, in “Prequel Generation Questions a New Hope” and “Why doesn’t Obi-Wan remember Artoo?”

2005 Underhanded C Contest

Inspired by Daniel Horn’s Obfuscated Voting contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

Read more at the 2005 Underhanded C Contest. I covered the Obfuscated Voting Contest, and the winners.
Via Slashdot.

More Terrorist Slander Against Heroic Prison Guards

Except this time, the “terrorists” are American veterans working for a private company in Iraq:

“I never in my career have treated anybody so inhumane,” one of the contractors, Rick Blanchard, a former Florida state trooper, wrote in an email quoted in the Los Angeles Times. “They treated us like insurgents, roughed us up, took photos, hazed [bullied] us, called us names.”

(Reports The Guardian in “Marines ‘beat US workers’ in Iraq.” Meanwhile, that worthless liberal rag the Chicago Tribune reports :) )

Mark Schopper, a lawyer for two of the detainees, said Marines threw contractors roughly to the ground, jammed knees into their backs, taunted them and denied requests to call their families. Schopper, whose clients are both former Marines, said one client “had his testicles squeezed so hard that he nearly passed out from the pain.”

At one point during the contractors’ confinement, Schopper said, a Marine asked, “How does it feel to be a rich contractor now?”

(Via Sivacracy. Alternate headline: “The beatings will continue until morale improves. Or at least until there’s some leadership.”)

Small Bits: Soviet Realism at DHS and in China, Going Public, Lameness, and Curves

  • Artiloop reports on a security poster on the Marc commuter trains. It’s clearly the work of a thoughtcriminal, encouraging ironic responses. I want to heroically help plan the tractor factory.
  • I’ve been meaning to discuss the Chinese blog crackdown, but instead I’ll just juxtapose it with Soviet Realism.
  • The Supreme Court of Canada has ruled that it’s not OK for the provinces to forbid private health care arrangements. The New York Times can’t help but editorialize with a headline of “In Blow to Canada’s Health System, Quebec Law Is Voided:”

    The court ruled that the waiting lists had become so long that they violated patients’ “life and personal security, inviolability and freedom” under the Quebec charter of human rights and freedoms, which covers about one-quarter of Canada’s population.

    How about “in blow for human liberty and dignity, Canadians allowed to spend their money as they see fit?”

  • Silicon Beat reports that “Silicon Valley’s Polyfuel to go public in……London?” I’ve talked in the past about the effects of “Sarbox and Venture Capital,” in which I said: “In any event, I’m confident that investors and startups will work out new exit strategies.” It seems that in this case, the strategy may be to use a non-US market. I’m not sure what that does to compliance costs. Anyone?
  • Lamest Edit Wars of Wikipedia.
  • At Statistical Modelling, Andrew posts some cool Normal curves. (I think it’s lens flare which causes it to be in front of the person.)