Rare Legal Fight Takes on Credit Card Company Security Standards and Fines
Wired News (01/11/12) Zetter, Kim

The owners of a Utah eatery have filed a lawsuit against merchant acquirer U.S. Bank for wrongfully seizing money to pay a fine imposed on the business by Visa and MasterCard, allegedly due to network security lapses that led to fraudulent transactions on customer bank cards. The eatery owners' countersuit challenges the PCI security standards, which they claim are arbitrary both in their rules and in the level of penalties imposed on retailers. They also contend that fines are levied without proof of a breach or of fraudulent losses, and without giving retailers a fair chance to challenge the claims before money is seized. The plaintiffs hired several forensics companies, as PCI rules require, to determine whether a breach had taken place and whether they were complying with the PCI security standards; no concrete evidence of a breach or of theft of payment card data was found, although noncompliance with PCI standards was determined. Moreover, the eatery owners say U.S. Bank went ahead with the seizure without informing them of the fines or giving them an opportunity to dispute Visa and MasterCard's allegations. If the court deems the fines in this case to be punitive, the system of penalizing retailers could become problematic for the payment card industry, says University of Pennsylvania law professor Andrea Matwyshyn.

Chinese Writers Step Up Anti-Piracy Efforts With Apple Lawsuit
Wall Street Journal (01/10/12) Fletcher, Owen

A group of Chinese authors has filed a lawsuit in a Beijing court against Apple, alleging that applications in the company's App Store allow for the unauthorized downloading of books. The lawsuit covers roughly 36 books by nine authors, including works by Han Han and Li Chengpeng, and seeks $1.9 million in damages from Apple. The group said it plans to file a second lawsuit against Apple as well as another suit against the Chinese search engine Baidu, which offers a service that allows users to upload books with authorization. Apple has not commented on the lawsuit. Its agreement with app developers states that applications offered in the App Store may not violate, misappropriate, or infringe copyrights. However, certain materials downloaded within apps, including books and other files, are not approved by Apple. The authors say Apple needs to ensure that pirated material does not appear in apps offered through its App Store.

NY Lawsuit Faults Hotel Chain for Assault on Guest
Associated Press (01/09/12)

A Florida woman has filed a lawsuit against Starwood Hotels & Resorts Worldwide in Manhattan federal court, saying that the hotel chain's lax security resulted in her being sexually assaulted. The assault took place at the Hotel Kamp in Helsinki, Finland, early in the morning of January 15, 2011. The victim, 31-year-old Alison Fournier, awoke to find a man entering her room, who then began to grope her while she was in bed. Afraid that she was going to be raped, Fournier put on a bathrobe and fled. Fournier alleges that the man, who was drunk at the time, was able to get into her room because he told the hotel's staff that he was her husband; staff at the Hotel Kamp, she says, did not check the man's identification. An attorney for Fournier also noted that she was traveling alone and that no one else was registered to her room. The lawsuit seeks an unspecified amount of compensatory and punitive damages. Starwood Hotels has said that it is investigating the incident. The man who assaulted Fournier has not been criminally prosecuted.
Capitol Records Sues ReDigi: EMI Label Alleges Copyright Infringement by 'Used' Digital Music Site
Chicago Tribune (01/09/12)

Capitol Records has filed a copyright infringement suit against ReDigi, a digital music company that sells "used" files. The lawsuit calls the site "a clearinghouse for copyright infringement and a business model built on widespread, unauthorized copying of sound recordings." ReDigi previously received a cease-and-desist letter from the Recording Industry Association of America (RIAA), which represents the four U.S. major label groups, but Capitol is the first company to pursue concrete legal action. ReDigi's Web site claims that it uses music legally, but Capitol disputes ReDigi's right to resell files under the "first-sale doctrine" that protects the redistribution of physical albums and other legally purchased copyrighted material. "ReDigi ... is not an 'owner' of any such lawfully made copy, nor is ReDigi disposing of the actual particular copy purchased by a user," the suit alleges. "Rather, ReDigi and its users are making and distributing unauthorized copies of that original file."

NHL Drug Use on Pound's Radar
Calgary Sun (01/11/12) Costa, Morris Dalla

Former World Anti-Doping Agency (WADA) President Dick Pound is criticizing the National Hockey League's drug testing policy, saying that while it is better than nothing, it does not go far enough in preventing players from using drugs. Pound cited several reasons the policy is inadequate, including the fact that it does not require testing for stimulants, which he said are the most popular drugs among hockey players. Other drugs on the WADA list are not tested for either, and players are not tested between seasons, which Pound said means players can use drugs in the off season and clear them from their systems before they are tested. As a result, the NHL's policy fails to catch many players who are using drugs, Pound said. He noted that the players' unions share much of the blame for the policy's failure because they are skeptical about meeting the demands of management and the public, but he said owners and managers are to blame as well. He added that other professional sports leagues also do not take their drug testing policies seriously enough.

Protests Put Cities on Alert
Wall Street Journal (01/11/12) Nicas, Jack

A number of cities hosting high-profile events this year are changing their laws on demonstrations in order to prevent the kind of violent protests that took place across the country in 2011. In Chicago, for example, the mayor has called for limits on the times when demonstrations can be held, increased fines for resisting police, and a requirement that parade permit applicants describe "attention-getting devices" such as amplifiers, banners, or signs. The proposals, which will be voted on next week, come ahead of the NATO and Group of Eight summits in Chicago this May. Meanwhile, city officials in Charlotte, N.C., which is hosting the Democratic National Convention in September, plan to ban camping and fires on public property and to prevent protesters from possessing weapons, armor, and other such items; demonstrators would also be barred from throwing anything. Some experts have criticized such laws, saying they could scare peaceful demonstrators away from participating and leave only those prepared for a confrontation, thereby sparking the very violence the laws were designed to prevent. Unlike their counterparts in Chicago and Charlotte, officials in Tampa, Fla., the site of the Republican National Convention in August, are taking a more accommodating approach, giving the expected 15,000 protesters a dedicated parade route and a protest area as close as possible to the convention site.
Iran Scientist Killed in Bomb Blast
Associated Press (01/11/12)

An Iranian university professor was killed and two other people were injured in a bombing in Tehran on Wednesday. The professor, 32-year-old Mostafa Ahmadi Roshan, was in his car with two other people when an assailant on a motorcycle attached magnetic bombs to the vehicle, which were then detonated. The attack resembled several earlier attacks on scientists believed to have ties to Iran's alleged nuclear weapons program. Tehran University senior physics professor Masoud Ali Mohammadi was killed on January 12, 2010, when a bomb-rigged motorcycle exploded near his car. Later that year Majid Shahriari, a member of the nuclear-engineering faculty at Tehran's Shahid Beheshti University who was cooperating with the Atomic Energy Organization of Iran, was killed in a bombing in Tehran that coincided with another attack wounding Fereidoun Abbasi, the head of Iran's atomic agency. Iran has blamed such attacks on the U.S. and Israel, though both Washington and Jerusalem have denied the charges. It remains unclear whether Roshan, the victim of Wednesday's attack, was involved in the alleged nuclear program; he specialized in petroleum at the university where he worked.

Afghan Minority Coalition Cautiously Supports Talks With Taliban but Wants Seat at the Table
Associated Press (01/13/12)

Prominent Afghan opposition leaders said they support possible U.S.-brokered peace negotiations with Taliban militants but want to be part of any talks. Members of a coalition representing Afghanistan's ethnic minorities spoke as they returned from a conference in Berlin, where they met with U.S. congressional leaders. Most of the delegation fought in the Northern Alliance against the Taliban government in the 1990s. Separately, the Taliban said a video showing American forces urinating on dead Taliban fighters would not harm efforts to broker peace talks.

Al-Qaeda Members Gripe Over Cash Crunch as U.S. Targets Funding
Bloomberg BusinessWeek (01/09/12) Katz, Ian; Walcott, John

A number of countries, including the U.S. and Saudi Arabia, are trying to put an end to terrorism by shutting off the funding for terrorist groups. Since last fall, the U.S. Treasury's Office of Terrorism and Financial Intelligence has imposed sanctions on members of al-Qaida and affiliated groups, as well as on state sponsors of terrorism such as Iran and Syria. In Saudi Arabia, meanwhile, religious authorities helped crack down on terrorist financing by issuing a religious decree in 2010 that banned the practice. According to a U.S. intelligence official who spoke on condition of anonymity, the Saudi crackdown has helped reduce the amount of money sent from wealthy individuals in the Persian Gulf region to al-Qaida's leadership in Pakistan, forcing al-Qaida in Pakistan to spend less on training and recruiting new members. In 2009 and 2010, al-Qaida was in its weakest financial shape since 2001, said David Cohen, the Treasury Department's undersecretary for terrorism and financial intelligence. However, some terrorist attacks do not require large sums to execute; the printer cartridge bombing plot in late 2010, for example, cost only a few thousand dollars. Terrorists are also using informal money transfer networks, known as hawala networks, to circumvent sanctions imposed by the U.S. and others, and those networks can be difficult for counterterrorism officials to penetrate.
Muslim Man Charged in Attempted Florida Car Bombing
Reuters (01/10/12) Liston, Barbara

An FBI sting operation has resulted in the arrest of a 25-year-old Tampa, Fla., man on charges of attempting to use a weapon of mass destruction. The investigation into Sami Osmakac, a naturalized American citizen who was born in Kosovo, began last fall when Osmakac, who is Muslim, asked someone how to obtain al-Qaida flags; that person informed the FBI. In November, Osmakac met again with the same person, and the two allegedly discussed possible targets in the Tampa area. Osmakac also allegedly asked the individual for help in obtaining firearms and explosives. A series of meetings was then set up between Osmakac and an undercover FBI agent, in which Osmakac allegedly asked for explosives to build three cell-phone-triggered car bombs, though he settled for one bomb after the agent said that a large purchase of bomb-making materials would attract too much attention. Osmakac also allegedly wanted to use an explosive belt and go to a crowded public place, take hostages, and demand the release of prisoners, and he allegedly asked for an AK-47-style machine gun, Uzi submachine guns, large-capacity magazines, and grenades. He allegedly told the agent that he wanted to target nightclubs in a Cuban neighborhood in Tampa and the Hillsborough County, Fla., Sheriff's operations center. Osmakac was arrested after the agent gave him what he believed was a car bomb; the FBI had rendered the device harmless. In a video made before his arrest, Osmakac said he wanted to carry out the attacks to retaliate for wrongs done to Muslims.

Feds Seek Stronger Security for Power Grid
InformationWeek (01/10/12) Montalbano, Elizabeth

In an attempt to gain insight into how best to protect the U.S. electricity grid, the Department of Energy and the Department of Defense have joined forces to create a cybersecurity model that can be tested and applied across the utility industry. The Electric Sector Cybersecurity Risk Management Maturity Model pilot project will work with experts in the public and private sectors to build, from current cybersecurity strategies, a "maturity model" that can gauge how secure the electric grid is against cyber threats. Once complete, the model will be tested with participating utilities to see how effective it is. Taking the lead on the project, the DOE will hold workshops with the private sector over the next few months to develop the model. Once the model is finished, it will be tested by more than a dozen electric utilities and grid operators, and a risk-management model will then be released to the industry over the summer.
Hacktivists Will Be Busy This Year, Experts Warn
USA Today (01/11/12) P. B1 Acohido, Byron

Ideology-driven cyberattacks are likely to increase this year, continuing to frustrate corporations and governments and to put customers at risk. That forecast follows a spate of so-called hacktivist attacks in 2011 at the hands of the loose-knit Anonymous and LulzSec hacking outfits, security analysts say. "[Hacktivists] are learning from each other," says consultant Kris Harms, who notes that corporations and governments must recognize that more break-ins are inevitable. The unprecedented uptick in politically motivated hacks was capped by Anonymous' breach of Strategic Forecasting's Web site over the holidays. It was just over a year ago that Anonymous temporarily brought down the Web sites of Visa, MasterCard, PayPal, and others in retaliation for those companies' refusal to process payments for WikiLeaks. As the Strategic Forecasting caper unfolded, hacktivists publicly posted credit card records for tens of thousands of the Austin-based online publication's subscribers, along with their email addresses, phone numbers, and encrypted passwords, according to Identity Finder. By posting stolen data as proof of an attack, hacktivists make such information readily accessible, for free, to ID thieves, says Identity Finder CEO Todd Feinman.

New Denial-of-Service Attack Cripples Web Servers by Reading Slowly
DarkReading (01/05/12) Higgins, Kelly Jackson

Qualys researcher Sergey Shekyan has published proof-of-concept code that takes a different approach to the slow HTTP denial-of-service (DoS) attack: it prolongs the reading of the server's response until the server is overwhelmed. Shekyan has also added this new Slow Read attack to his open source Slowhttptest tool.
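Slowloris, Slow POST and Slow Read, the three techniques this item covers, share one server-visible symptom: a connection that stays open while bytes move far below the rate any real client sustains. The following is an added defender-side example, not code from the article or from the Slowhttptest tool, of a per-connection progress check that labels each pattern and alerts on a source pinning many such sockets at once; the snapshot fields, rate floor, grace period and sample connections are assumptions constructed for the illustration.

```python
"""Server-side triage for slow HTTP connections (Slowloris, Slow POST, Slow Read).
Added example, not code from the DarkReading article or the Slowhttptest tool.
Snapshot fields and thresholds are assumptions a server or reverse proxy would
fill in from its own connection table."""
from collections import Counter
from dataclasses import dataclass

@dataclass
class ConnSnapshot:
    conn_id: str
    src_ip: str
    age_s: float             # seconds since the TCP connection was accepted
    headers_complete: bool   # request line and headers fully received
    content_length: int      # declared request body size (0 if none)
    body_bytes_in: int       # request body bytes received so far
    response_total: int      # response bytes queued for this connection
    response_acked: int      # response bytes the peer has actually consumed

MIN_RATE_BPS = 500.0   # assumed floor; derive it from baseline traffic in practice
GRACE_S = 20.0         # slow but honest links get this long before rate checks
SOURCE_LIMIT = 3       # flagged connections per source before alerting

def classify(s: ConnSnapshot) -> str:
    """Label one connection; anything younger than GRACE_S stays 'ok'."""
    if s.age_s <= GRACE_S:
        return "ok"
    if not s.headers_complete:          # Slowloris: headers still trickling in
        return "slow-headers"
    if s.content_length and s.body_bytes_in < s.content_length:
        if s.body_bytes_in / s.age_s < MIN_RATE_BPS:
            return "slow-body"          # Slow POST: promised body arrives below floor
    if s.response_total and s.response_acked < s.response_total:
        if s.response_acked / s.age_s < MIN_RATE_BPS:
            return "slow-read"          # Slow Read: peer drains the response too slowly
    return "ok"

def triage(snaps):
    """Map conn_id -> label for every snapshot."""
    return {s.conn_id: classify(s) for s in snaps}

def alert_sources(snaps, limit=SOURCE_LIMIT):
    """Sources holding at least `limit` flagged connections at once: one slow
    client is not an attack, one source pinning many sockets is the signal."""
    flagged = Counter(s.src_ip for s in snaps if classify(s) != "ok")
    return sorted(ip for ip, n in flagged.items() if n >= limit)

SAMPLE = [  # constructed snapshots, not captured traffic
    ConnSnapshot("c1", "198.51.100.7", 5.0, False, 0, 0, 0, 0),         # too young to judge
    ConnSnapshot("c2", "198.51.100.7", 90.0, False, 0, 0, 0, 0),        # headers never finish
    ConnSnapshot("c3", "198.51.100.7", 120.0, True, 1_000_000, 3_000, 0, 0),
    ConnSnapshot("c4", "198.51.100.7", 120.0, True, 0, 0, 5_000_000, 8_000),
    ConnSnapshot("c5", "203.0.113.9", 60.0, True, 0, 0, 2_000_000, 2_000_000),  # done
    ConnSnapshot("c6", "203.0.113.9", 40.0, True, 0, 0, 4_000_000, 3_500_000),  # healthy
]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print("alert:", alert_sources(SAMPLE))
```

The grace period and rate floor trade false positives on genuinely slow clients against detection time, so tune both from observed traffic before enforcing anything on the result.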
Slowloris keeps connections open by sending partial HTTP requests and then sending further headers at intervals to keep the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate Content-Length field that tells the Web server how much data is coming; once the headers are sent, the POST message body is transmitted slowly, tying up the connection and server resources. Slow HTTP attacks are becoming increasingly popular as a way to wage a DoS attack inconspicuously, because they are relatively easy to execute, require minimal computing resources, and are frequently hard to spot. Shekyan says today's attackers are combining old-school, low-tech SYN flood DDoS tactics with application-layer attacks that exploit HTTP traffic. "And the more techniques you combine in an attack, the more effective it is," he notes. Shekyan says his Slow Read attack slows down the HTTP response reading phase by taking advantage of TCP's design, which keeps a connection open even when little or no data is flowing over it. This attack is more difficult to detect than the earlier slow HTTP attacks.

FedRAMP Security Controls Unveiled
GovInfoSecurity.com (01/09/12) Chabrow, Eric

The federal government has released roughly 170 security controls for the Federal Risk and Authorization Management Program (FedRAMP). The program is a unified risk management process that will evaluate vendors' IT services for federal agencies, eliminating the need for each agency to run its own risk management program and allowing agencies to evaluate a vendor's IT services against their specific needs and their privacy and security requirements. The newly released controls, which cloud computing providers must implement before they can offer cloud services to federal agencies, will be mapped to National Institute of Standards and Technology Special Publication 800-53 Revision 3 for low- and medium-impact systems. The process for implementing the controls will be laid out in a series of documents to be released ahead of FedRAMP's initial operating capability later this year. Those documents, aligned with the NIST SP 800-37 Risk Management Framework, will include a system security plan that spells out how each control's requirements will be met in a cloud computing environment. For each control, the plan must describe the devices, documents, processes, and other solutions being deployed; the responsibilities of providers and government customers for putting the plan into effect; the timetable for implementing it; and how the solution will satisfy the control. The documents will also include a security assessment plan and a security assessment report.

Windows 8 Can Scrub Data From Disk, but Not Up to Tough Security Specifications
Network World (01/04/12) Greene, Tim

Microsoft says that there is a security vulnerability in the reset function included in its new Windows 8 operating system. Designed to be run if users encounter problems with the operating system, the reset function restores Windows 8 to a clean state and removes data and applications from the hard drive without requiring users to first back up their data to an external drive for later restoration. Although the data is erased more thoroughly than by a traditional reformatting, it can still be recovered, albeit with some difficulty. Microsoft's Steven Sinofsky says someone could recover data erased by the reset function, but would need highly expensive specialized equipment to do so. Sinofsky notes that the optional "thorough" reset makes data recovery harder and is sufficient for users who are recycling their computers or donating them to charity. However, the thorough reset would not be sufficient for erasing highly confidential corporate and government data, Sinofsky says; organizations that need to erase such data still need to perform multi-pass scrubbing operations to comply with various regulations.

Abstracts Copyright © 2012 Information, Inc. Bethesda, MD