Archive for the ‘Interesting Stuff’ Category

About that Verified Identity Pass flight database…

Tuesday, August 5th, 2008

Remember the prescreening that frequent fliers could subject themselves to, which would allow them to breeze through airport checkpoints? It turns out the data for some 33,000 travelers may have been exposed after a laptop holding it was misplaced at San Francisco’s airport.

The thing is, the laptop was lost, and subsequently found, in the same locked room in which it had been left. They are now claiming, contrary to initial reports, that the data is secured by two levels of password protection. Now, if those levels are a BIOS password and a Windows login, then yes, it is protected by two levels of protection, both of which are easily circumvented.

Guitar Hero III Wii Fix Announced by Activision

Friday, December 28th, 2007

So, it seems that the awaited fix to the mono sound issue for GHIII on the Wii has been announced. Having already been through the process, I can tell you what to expect.

If you call (866) 780-8286 and ask to pre-register, you’ll give up your name, address, phone number, and email address. Within 10-14 days, you’ll receive a postage-paid mailer. You send this mailer off with your GHIII disc, and 10-14 days later, you’ll receive your new GHIII disc with non-crippled sound. 20-28 days round trip, half of which you’ll spend without use of your game.

So, what’s wrong with this? Well, the first thing that comes to mind is that you’ll be deprived of the use of your game for a week or two. The law-talking guys usually call this a cause of action. Never mind that Activision already had to open up Pandora’s box of fraud with the whole Dolby Digital logo on the box with monaural sound inside. Now, in order to fix their wrong, they’re forcing customers to give up use of their game for “ten to fourteen days” (any bets on how long it takes this wait to stretch into six or eight weeks?). If they’re trying to make plaintiff counsel’s job easy in the class action lawsuit over the fraud case, this is it.

What they SHOULD do, in addition to this, is allow for folks to purchase the upgrade (say $40 or $50, to minimize ebay arbitrage), provide a mailer for the old disc, and upon receipt of the old disc, credit all or a substantial portion of the purchase price. What they’re doing is pushing folks to keep a substandard product, or explore alternatives that allow for playing games off of “backup” copies of discs.

TJ Maxx - Consumer Class Action Settlement Filed

Tuesday, September 25th, 2007

A settlement has been proposed between TJX and the lead plaintiffs for consumers who were affected. The class is divided into two groups: those whose financial details were exposed and those whose identity information was exposed. If you lost money, you can collect up to two $30 gift certificates, provided you can document the loss, including your wasted time at a princely $10 per hour. If you returned something without a receipt and gave your driver’s license, you can collect three years of credit monitoring too. Oh, and they’re going to have a sale sometime in 2008 where you can get 15% off.

So, if a company implements shoddy security practices and causes mass card cancellation, as well as untold identity theft and consumer fraud, instead of quietly burying it, you turn it into a marketing event. Got it.

I have an $80 charge from 11/05 against a card that was used at TJX during the period that thieves had open access to the credit card details. Needless to say, FCRA’s 60-day dispute period is long gone, so a lawsuit against TJX may be my only reasonable recourse. Treble damages, court fees, time lost, and identity monitoring and theft protection come up to a tidy sum. Even if I accepted the class action settlement, I’d get, at most, $60 in gift certificates for my lost $80.

TJX Hit With Class Action Suit By Banks

Tuesday, May 22nd, 2007

In this Information Week article, it is reported that TJ Maxx, poster child for the mother of all data disclosures, is being sued by banks. If you remember, they let loose some 45 million credit and debit cards. Figuring a $25 cost per exposed card, incurred by the bank to void and reissue the card in question, you come up with somewhere north of a billion dollars as the cost of cleanup. Banks are not primarily in the “spending money out of the goodness of our hearts” business, and will want to collect on their costs, thus coming after the responsible party. Enter the class action suit, covering some 300 banks.

Prediction: This is just the first wave in this type of lawsuit. No longer will admonishment by the FTC or a “mea culpa” sent to customers be the biggest driver behind keeping data on lockdown. Now, private recovery costs will be the biggest stick in the game.

Pancakes, Bacon, and a side of Identity Theft

Friday, December 1st, 2006

According to this article, a Massachusetts IHOP has recently found itself in hot water for requiring diners to leave a driver’s license with the restaurant while eating. According to one patron, the security guard at the restaurant had “at least forty” licenses in his hand. Needless to say, this didn’t go over well with corporate, who issued a statement saying it was done without management’s approval.

Today’s Data Disclosure: Nebraska Child Support

Thursday, June 29th, 2006

Some 300,000 people and 9,000 employers have had their information placed at risk through a hacker accessing a backup server used by Nebraska’s Child Support Payment Center. Apparently, the hacker had access to the server for forty minutes, during which time they left a virus on it.

Why, if you had access to a system that handles $233 million a year, you would do something as mind-numbingly juvenile as planting a virus is beyond me. Fortunately, this is another example of one of the most important things that keeps society from crumbling down: namely, that criminals are stupid.

Offshoring - A Cautionary Tale

Tuesday, June 27th, 2006

HSBC has recently had a fraud attempt originating from an employee of an offshore data-processing unit in Bangalore, who accessed data and passed it along to associates in the UK. Around 20 accounts were compromised, with losses pegged at approximately $425,000, for which HSBC is accepting full responsibility and reimbursing defrauded customers. Needless to say, Indian officials are quick to point out that this kind of thing happens all the time, regardless of where the employees are.

According to a recent survey by the National Threat Assessment Center, the Secret Service’s research arm, some 85% of the threats against financial services firms come from insiders, not outsiders. Not surprisingly, financial gain motivates the vast majority of these attacks. Surprisingly, 61% of these attacks are found by non-automated means. This underscores the need to ensure your employees are trained to recognize when things aren’t right and to follow their instincts when it comes to potential fraud.

Think Spyware Doesn’t Need to be an “Enterprise” Initiative?

Thursday, June 15th, 2006

According to the KATU TV web site, a trojan downloaded from a porn site by an Oregon Department of Revenue employee exposed the names, addresses, and social security numbers of some 2200 residents.

There’s some bad juju out there, there’s no denying that. It’s painfully evident that spyware needs to be addressed at the enterprise level. Anyone who says otherwise is itching for a fight*.

* Apologies to Michael Feldman

KRYPTO 2.0 - 256 Bits Is the Most Any Computer Can Use

Friday, June 9th, 2006

You know, I REALLY don’t like just regurgitating whatever Bruce Schneier is writing about, but sometimes, he’s got some GREAT stuff on his blog. He points us toward a product called KRYPTO 2.0.

From the site: Krypto uses repeated 256 bits (full bits) a coding purely been based on information of the keys file, which are the technically highest coding depth at all on computers possible are.

Now, I understand that the author is German, and that it’s fairly evident English is NOT one of his primary languages, but that’s still no excuse.

This is also reminiscent of a presentation I witnessed recently. The author of a product for biometric encryption claimed that his product’s encryption was superior because it used Super S Blocks, rather than that dusty old crap everyone else uses. Now, mind you, this product was also explained as using the biometric identifier (such as a fingerprint) as the key, rather than having the identifier open a certificate which serves as the key. Sucks when you have to revoke the credential, huh? Well, at least you still have nine other fingers that are perfectly functional!
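To make the revocation point concrete, here is an added example (my code, not the product’s or the post’s) contrasting the two designs: a key that is a function of the finger, versus a random key wrapped under a finger-derived key-encryption key so it can be revoked and rotated. It assumes enrolment yields a stable secret from the fingerprint template (real systems need a fuzzy extractor for that), and it uses a minimal standard-library HMAC wrap where production code would use AES-GCM or a KMS.

```python
import hashlib
import hmac
import os


def direct_key(biometric_secret: bytes) -> bytes:
    """The design the post criticises: the key IS a function of the finger.
    Same finger -> same key, forever; there is nothing to revoke."""
    return hashlib.sha256(b"direct-key|" + biometric_secret).digest()


def _kek(biometric_secret: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from the (assumed stable) biometric secret.
    return hashlib.scrypt(biometric_secret, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _wrap(kek: bytes, data_key: bytes) -> bytes:
    # Encrypt-then-MAC of a 32-byte key: XOR with an HMAC keystream, then tag.
    # Illustration only; use AES-GCM in a real system.
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"pad|" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(kek, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key tampered with, or wrong biometric")
    pad = hmac.new(kek, b"pad|" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class RevocableKeyStore:
    """The better design: the finger unlocks a wrapped, replaceable key."""

    def __init__(self, biometric_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.wrapped = _wrap(_kek(biometric_secret, self.salt), os.urandom(32))

    def unlock(self, biometric_secret: bytes) -> bytes:
        return _unwrap(_kek(biometric_secret, self.salt), self.wrapped)

    def revoke_and_rotate(self, biometric_secret: bytes) -> None:
        # Data key compromised? Issue a fresh one under the same finger.
        self.wrapped = _wrap(_kek(biometric_secret, self.salt), os.urandom(32))
```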

Department of Energy loses 1500 employee records

Friday, June 9th, 2006

According to a recent article, an unclassified computer belonging to the DOE was hacked in September of 2005, and had a file containing names, social security numbers, and security clearances for 1500 employees stolen. Frighteningly, senior management was only made aware of this two days ago, or nearly nine months after the fact.

What separates this incident from most data disclosures is that the article makes this out to be a TARGETED theft of data, rather than randomly stealing hardware that happens to contain sensitive data. In this case, the data was the target.