Monthly Archives: December 2014

Chick-fil-A Investigating Breach Reports

Restaurant Chain Working with Law Enforcement.

Atlanta-based fast-food chain Chick-fil-A says it is working with law enforcement and a leading IT security firm to investigate whether its point-of-sale network has been breached.

In a Dec. 30 statement, the chain says it has recently received reports of potential unusual activity involving payment cards used at a few of its restaurants.

“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so,” Chick-fil-A states. “If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts – any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”

Suspicious Activity

The news comes just one week after some card issuers and a security expert told Information Security Media Group they suspected a common link between suspicious activity and payment cards recently used at some Chick-fil-A locations.

One security source, who asked not to be named, told ISMG on Dec. 22 that MasterCard had issued a fraud alert on Dec. 19 about a merchant that may have been breached sometime between December 2013 and September of this year. Many issuers suspected the merchant to be Chick-fil-A or its payments processor, Charge Anywhere, which in early December confirmed a breach of its network linked to malware.

Neither Chick-fil-A nor MasterCard would comment about that alert, but the source who spoke with ISMG said the alleged compromise of Chick-fil-A appeared to be sporadic. One card issuer in the Northeast reportedly had more than 8,000 cards impacted, while other issuers had fewer than 10 cards affected, the source said.

“It could be a segment or set of franchises, because the number of compromised cards they received was pretty low and they would typically receive a lot more cards by now,” the source told ISMG on Dec. 23. “It’s really a wild card for now.”

One executive with a banking institution based in the Southeast, who also asked not to be named, says considerable fraud linked to Chick-fil-A first surfaced over the summer. But this executive says the fraud at Chick-fil-A is likely linked to a breach of the chain’s processor, Charge Anywhere, not a POS attack targeted solely at the fast-food chain.

“I have reviewed the list from MasterCard on the processor breach and it does include Chick-fil-A and Dairy Queen, plus numerous other merchants,” the executive says. “One of the merchants is a local fruit market that we have suspected since 2007, but were never able to prove. This tells me that this was a breach at the processor, Charge Anywhere, and probably goes back even further than they are saying. They have indicated 2009, but I suspect at least 2007. It is really difficult to pinpoint a common point of compromise when a processor is involved, but this list solves many old unsolved cases for us.”

In October, Dairy Queen confirmed a breach of its POS network that affected 395 of its 4,500 franchised U.S. locations.

Charge Anywhere confirmed earlier this month that its network had been compromised by malware, but the company reported that the breach only dated back to 2009.

On Dec. 30, a Charge Anywhere spokesman told ISMG: “We haven’t got much information about the investigation and the status of that investigation right now.”

Via: bankinfosecurity

North Korea blames U.S. for Internet blackouts, calls Obama ‘monkey’

Just hours after Kim Jong-un’s government issues combative statement, country again drops off the Internet

North Korea on Saturday blamed the U.S. for its nine-and-a-half-hour Internet outage earlier in the week, and called President Barack Obama a “monkey” as part of a racist, vitriolic statement issued by the country’s highest government body, the National Defense Commission (NDC).

The statement by the NDC, which was carried by North Korea’s state-run news agency, was the country’s first official response to the severing of its Internet connection from the rest of the world on Monday.

“The U.S., a big country, started disturbing the Internet operation of major media of the DPRK, not knowing shame like children playing a tag,” the NDC statement read, using the Democratic People’s Republic of Korea moniker for the nation.

“We had already warned the U.S. not act like beating air after being hit hard by others,” the unnamed NDC spokesman said. “Of course, we do not expect the gangsters to pay heed to our warnings.”

Just hours after the North’s Central News Agency published the statement on its website — one of a handful that are reachable to the outside world — the isolated country again vanished from the Internet. According to Dyn Research and Akamai Technologies, the Dec. 27 outage lasted about five hours, and was preceded by intermittent connectivity issues.

According to the Chinese government’s Xinhua news agency, North Korea’s mobile network, which serves far more people than the regime allows to access foreign Internet websites, was knocked offline at the same time.

Elsewhere in the NDC’s statement, North Korea criticized the decision by Sony Pictures to screen The Interview, a farce whose plot revolves around the assassination of Kim Jong-un, North Korea’s dictator, and blamed Obama for pushing the studio into releasing the movie.

“U.S. President Obama is the chief culprit who forced the Sony Pictures Entertainment to ‘indiscriminately distribute’ the movie and took the lead in appeasing and blackmailing cinema houses and theatres in the U.S. mainland to distribute the movie,” the NDC contended.

Although Sony had initially said it could not distribute the film because major U.S. theater chains had backed out amid threats, the company reversed course and showed the picture in some venues starting on Dec. 25. The Interview was also made available from several online streaming services, including Google’s and Microsoft’s.

North Korea also lashed out at Obama with a racist reference. “Obama always goes reckless in words and deeds like a monkey in a tropical forest,” said the agency, which is headed by Kim himself.

In early November, hackers began placing gigabytes of internal Sony documents, including embarrassing emails, current and former employees’ personal information and financial information, on the Internet.

On Dec. 19, the FBI said that North Korea was responsible for the Sony intrusion. Many security experts, however, have remained skeptical, citing a lack of clear or publicly-disclosed evidence.

Nor has the individual or group responsible for the North Korean Internet outages been identified. Most security researchers, including ones from companies that specialize in defending customers against distributed denial-of-service (DDoS) attacks, suspect that hacktivists or petty cyber criminals used commonplace DDoS tools to flood the fragile North Korean connection with so much traffic that it became unresponsive.

Ironically, although the North Koreans have repeatedly denounced the U.S. for not revealing more evidence of the DPRK’s part in the Sony hack, they did not offer any proof that the U.S. was responsible for the week’s Internet blackouts.

North Korea also threatened retaliation for the outages, although it did not spell out what form that might take. Instead, it hauled out the Cold War propaganda vocabulary guidebook. “If the U.S. persists in American-style arrogant, high-handed and gangster-like arbitrary practices despite the repeated warnings of the DPRK, the U.S. should bear in mind that its failed political affairs will face inescapable deadly blows,” the NDC said.

The U.S. has denied any involvement in the DPRK’s Internet disruptions.

Via: csoonline

Cyberattack fells German iron plant—causes physical damage

A German iron plant experienced a cyberattack that caused physical damage, according to a report from a German federal agency.

The incursion was achieved via spear-phishing and social engineering aimed at an office network at the plant. The attackers subsequently accessed the plant’s production network and were able to manipulate a furnace to prevent it from shutting down, resulting in “massive damage.”

This strike is a rare instance of a government acknowledging physical damage from a cyberstrike. One precedent is November 2010’s attack on Iran’s centrifuges, believed to have originated from a joint U.S. and Israel campaign dubbed Stuxnet.

Robert M. Lee, a co-founder at security firm Dragos Security, described the technical skills of the attackers as “very advanced,” owing to their detailed technical knowledge of the industrial control systems.

Via: scmagazine

Amazon Web Services Will Give You $1,000 In Credit For Completing These edX Courses

If you’ve got more time than money and have a startup idea that you think you have the skills to build, a new partnership between Amazon Web Services and online education portal edX will hook you up with $1,000 in credit for completing one of two courses on entrepreneurship.

Unless you’ve already taken some classes on building a startup, you’re not going to be able to completely BS your way through MITx’s Entrepreneurship 101 or 102 on edX. You actually have to pass the course, so expect to put at least tens of hours into the class. But once you make your way through the coursework, you automatically receive $1,000 in credit to spend on processor time and/or storage in Amazon’s cloud.

You also get a few more bonuses meant for those more comfortable with code than with administering infrastructure, including credit for instructor-led training and web classes on using AWS, free support at Amazon’s premium tier, and “office hours” with Amazon specialists who can help figure out how to architect your app or service for Amazon’s instances.

EdX has a FAQ page on the partnership that also links directly to the classes you can take to be eligible for the free credit. Classes start on January 9, so you can look through the course summaries before committing.

Via: techcrunch

Telecommunications companies on the line with FTC, FCC for cramming schemes

On the heels of AT&T settling up with the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) over “cramming” practices, two more U.S. telecommunications companies are facing their own cases over similar charges.

T-Mobile agreed to settle its July lawsuit with the FTC for $90 million on Friday, and rumors, confirmed by an unnamed source cited by The Wall Street Journal, say that the FCC is investigating Sprint Corp. for its own cramming scheme.

T-Mobile’s cramming practices allowed the company to include hidden third-party charges for services, including horoscopes, love tips and celebrity gossip, on customers’ statements. Consumers were typically billed $9.99 per month, and T-Mobile received 35 to 40 percent of every charge they included.

As part of the settlement, the company will have to contact all customers who were improperly billed and then inform them of a refund program and claims process. T-Mobile will have to reach at least $90 million in redress or other payments, and in this case, no maximum has been set. Theoretically, if all T-Mobile customers filed for refunds, the company’s settlement could reach well over $90 million, Travis LeBlanc, director of the FCC Enforcement Bureau, said in a Friday press call.

The company’s phone bills “made it nearly impossible for consumers to find and understand third-party subscription charges,” the FTC’s press release said. Oftentimes, the charges were buried in phone bills that totaled more than 50 pages in length.

Separately, Sprint Corp. could have its own settlement coming. The FCC is allegedly planning to fine the telecommunications company $105 million over allegations that it charged its customers for unwanted text message alerts and other services.

If Sprint’s fine is approved, the amount that consumers could be refunded would depend on the total amount that regulators believe Sprint overcharged consumers. An unnamed official said the FCC’s investigation looked at August to October 2013, a time period during which Sprint received nearly 35,000 complaints from consumers about unwanted charges.

Three of five FCC Commissioners have said they’d vote in favor of the fine, the official said. The U.S. Consumer Financial Protection Bureau (CFPB) filed a lawsuit on Wednesday against Sprint for these allegations, and in its T-Mobile-related press call, the FCC said it couldn’t publicly comment on any investigations, although it did say that it had no reason to disagree with the allegations CFPB, a “sister agency,” made.

Meanwhile, the FTC and a defendant have settled over a separate cramming case. Nathan M. Sann, a defendant in a case against American eVoice Ltd., settled with the organization over allegations that the company’s operation put fines on consumers’ landline phone bills for unwanted voicemail services.

T-Mobile’s case, in particular, was meant to serve as a signal to all U.S. telecommunications companies, said LeBlanc. The companies will be “held accountable for charging consumers millions of dollars in bogus charges.”

Via: scmagazine

I work at Sony Pictures. This is what it was like after we got hacked.

An employee of Sony Pictures Entertainment outlines what they went through following North Korea’s alleged cyber attack on the company.

An employee* in the Los Angeles office of Sony Pictures Entertainment opened up to Fortune about the personal ordeal they went through following revelations of North Korea’s alleged cyber attack on the company. What follows is their words, condensed and edited for clarity.

***

The Monday before Thanksgiving, we all came to work. Some people had turned on their computers and were working. At around 8:15 a.m., that black screen of death came on.

They shut down the entire network. We couldn’t really work the rest of the week, which seemed OK because it was a holiday week. But as Tuesday and Wednesday progressed, it became clear that this wasn’t a simple hack.

Over Thanksgiving, I joked about it. We all thought it might take a while to get our work life back—files, things we have to do before the end of the year.

It wasn’t until Monday or Tuesday of the following week when we realized the extent of it. That’s when we got word that it might take weeks to get back up. Things became more clear when it was revealed what information was released. Around Wednesday or Thursday, people started saying: call your bank, change your passwords, set up a new checking account.

I was completely irate. Once it got personal, it was just, are you kidding me? Seeing the faces of colleagues with families—they’re worried about their life savings, their retirement funds, their kids.

And the blogs were the ones giving us all the information. We got more information from blogs and websites than we did from Michael [Lynton, CEO of Sony Pictures Entertainment] and Amy [Pascal, co-chair of Sony Pictures Entertainment].

The company provided us with All Clear ID, which is a security monitoring firm, but some people said that LifeLock was the way to go, and I decided to get it. There’s a reason you pay [$29.99 a month] for it.

That weekend, I set up alerts on all my bank accounts and credit cards. I get a text message about every transaction, and the [smartphone] apps send me notifications on my home screen anytime there’s a charge.

I changed every single password. Five for banking and credit cards. Then for my 401(k), health insurance, three email accounts, and Facebook. I changed them for Amazon, eBay, PayPal, and other shopping sites. In all, it was probably 25 to 30.

A few days later, we were on loaner laptops, pen and paper, recreating PowerPoints, re-creating databases. All the things you’d need when you’re working on any kind of business deal. Word documents, contracts, PDFs. We chugged along. We did as much as we could. But there were certain days that people had to leave the office to do what they had to do personally.

Going forward, I want to know that I won’t get a random $500 charge. I decided that I’m never going to access any of my financial accounts on my work computer ever again. If I need to do something urgently, I’ll use my smartphone, or I’ll go home and do it. It’s not worth the risk.

Some people have gone a little overboard, changing their passports and things like that. For me, money and keeping my finances secure is most important.

It’s taken a toll, mentally—do I have to worry about someone getting a random medical procedure with my benefits? And there’s the frustration at the way the top brass handled the situation. Why didn’t they provide more for the employees? Why didn’t they bring in security consultants?

You read all these reports about morale being low. I wouldn’t say it’s low. You chug along. But it is like, wow, you always have to look over your shoulder. This is forever.

*The employee’s name has been withheld due to the sensitivity of the ongoing situation.

Via: fortune

5 top of line Password Management Software Packages

You probably don’t need to be told that using complex and lengthy passwords is essential to good security. Of course, creating such a password (and then managing to remember it) takes a fair amount of effort. Coming up with a unique password for each of the many Web sites/services you use regularly (not to mention password-protected applications and hardware devices) can be a Herculean chore, which explains why people take convenient-yet-insecure routes of jotting down passwords all over the place or using the same simplistic and easily-discovered password (kids’ names, anyone?) every time one is called for.

But there’s no need to sacrifice your sanity for security, or vice-versa, because with password management software you can maintain good password practices while minimizing or eliminating most of the associated hassles. Password managers remember countless passwords so you don’t have to, but they can also help you create strong passwords, rate the strength of the ones you already use, and ensure that entering a password when needed is effortless–or very nearly so.

Screenshot: KeePass Password Safe

There are many good password management tools to choose from, and most of them are available at low or even no cost depending on the specific features you need. Here are some of the things you should consider when choosing password management software, along with five specific products you should check out.

Platform Support

Password managers can take the form of stand-alone PC applications, portable apps that work off a USB storage device, Web browser plug-ins, mobile (phone) versions, or any combination of these. Browser plug-ins are the most convenient, as they generally capture account usernames and passwords when you log into different sites, then automatically serve up the appropriate credentials the next time you visit. (Otherwise, password managers typically use clipboard/hotkey combos to save you from having to type.)

If you typically work across a variety of different computing environments or devices, be sure to check that a password manager has support to match. Fortunately, the most popular password managers these days support a wide range of operating system, browser, and mobile platforms.

Screenshot: RoboForm

Storage and Synchronization

Password managers can store your password information either in an encrypted database file on your PC, or online on servers maintained by the software publisher (and in some cases, both). Ubiquitous access is an obvious benefit of storing your passwords “in the cloud,” but the flip side is that leaving the information under someone else’s control means trusting them to keep it secure and accessible.

Some password managers that store password information locally provide a synchronization feature so you can access your passwords from multiple devices. In other cases, you can usually use a third-party file synchronization utility, such as Dropbox, to keep your password database current on multiple devices.

Authentication Methods

The majority of password managers use a master password to safeguard access to your password data so you only have to keep track of a single password. That master password needs to be a complicated one, however, since it’s all someone would need to gain access to all of your other passwords. Since you choose the master password, not the software, you’re probably out of luck if you forget it, though some password managers offer password recovery under certain circumstances.

For added security, some password managers offer multi-factor authentication, which supplements something you know—that master password—with something you have, such as a key file stored on a PC or USB device. If you don’t want to have to remember a master password, you may be able to use a key file in lieu of one, but then you’ll still need to protect access to the file. There are also biometric options available that can authenticate you via a fingerprint.
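The two-factor arrangement described above (a master password as something you know, a key file as something you have) can be illustrated with a vault-key derivation. The following is an added example written for this page, not code from any of the products reviewed: it stretches the master password with PBKDF2-HMAC-SHA256 from the Python standard library, folds in a hash of the key file, and stores only a keyed verifier rather than the key itself. The round count, the domain-separation prefixes and the way the two factors are combined are this example's own choices, not any product's format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this illustration, not a product's real settings).
PBKDF2_ROUNDS = 200_000
KEY_LEN = 32
VERIFIER_LABEL = b"vault-key-verifier"


def key_file_digest(key_file_bytes: bytes) -> bytes:
    """Reduce an arbitrary key file (any size, any content) to a fixed 32-byte secret."""
    return hashlib.sha256(key_file_bytes).digest()


def derive_vault_key(master_password: Optional[str],
                     key_file_bytes: Optional[bytes],
                     salt: bytes) -> bytes:
    """Combine whichever factors the user presents into one 32-byte vault key.

    Either factor may be omitted (the text notes a key file can stand in for a
    password), but at least one is required. Each factor is hashed under its own
    prefix so a key file can never be mistaken for a password, and the composite
    is then stretched with PBKDF2 so guessing the password stays expensive.
    """
    if master_password is None and key_file_bytes is None:
        raise ValueError("at least one factor (master password or key file) is required")
    pw_part = hashlib.sha256(b"pw:" + (master_password or "").encode("utf-8")).digest()
    kf_part = hashlib.sha256(
        b"kf:" + (key_file_digest(key_file_bytes) if key_file_bytes is not None else b"")
    ).digest()
    return hashlib.pbkdf2_hmac("sha256", pw_part + kf_part, salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """A value safe to store beside the encrypted database: HMAC of a fixed label under the key.
    It lets the application confirm the user's factors without storing the key itself."""
    return hmac.new(vault_key, VERIFIER_LABEL, hashlib.sha256).digest()


def check_factors(master_password: Optional[str], key_file_bytes: Optional[bytes],
                  salt: bytes, stored_verifier: bytes) -> bool:
    """Re-derive the key from the presented factors and compare verifiers in constant time."""
    candidate = make_verifier(derive_vault_key(master_password, key_file_bytes, salt))
    return hmac.compare_digest(candidate, stored_verifier)


if __name__ == "__main__":
    # Constructed sample inputs: a random salt and a random 64-byte "key file".
    salt = os.urandom(16)
    key_file = os.urandom(64)
    verifier = make_verifier(derive_vault_key("correct horse", key_file, salt))
    print("both factors right:", check_factors("correct horse", key_file, salt, verifier))
    print("wrong password:    ", check_factors("wrong horse", key_file, salt, verifier))
    print("key file missing:  ", check_factors("correct horse", None, salt, verifier))
```

Losing the key file is as fatal as forgetting the master password: the derived key changes entirely, which is the point the text makes about still needing to protect access to the file.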

Password Generation and Rating

If you don’t like coming up with strong passwords on your own, make sure any password manager you choose includes a password generator that will conjure one up based on parameters you specify, such as a minimum length or inclusion of a certain number of mixed-case or special characters. You’ll also want to be sure that a password manager can rate passwords (whether you created them or the software did) to make sure that they’re strong.
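The generator and rating features described above can be shown in a few dozen lines. The following is an added example written for this page, not code from any product the article reviews: it generates a password from user-specified parameters (length and minimum counts of upper-case, digit and special characters) using Python's CSPRNG-backed secrets module, checks a password against those same parameters, and rates strength with a character-pool entropy estimate plus two sanity checks. The special-character set, the entropy thresholds and the tiny denylist are this example's own constructed choices.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"   # constructed set for this example
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Constructed denylist standing in for the far larger lists real products ship.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def generate_password(length: int = 16, min_upper: int = 1,
                      min_digits: int = 1, min_special: int = 1) -> str:
    """Build a password that satisfies the requested class minimums.

    Required characters are drawn first, the remainder from the full alphabet,
    and the result is shuffled with the CSPRNG so the required characters are not
    predictably placed at the start.
    """
    if length < min_upper + min_digits + min_special:
        raise ValueError("length is too short for the requested character-class minimums")
    chars = [secrets.choice(UPPER) for _ in range(min_upper)]
    chars += [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SPECIAL) for _ in range(min_special)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates shuffle, CSPRNG-driven
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, min_upper: int = 1,
                 min_digits: int = 1, min_special: int = 1) -> bool:
    """Check a password (yours or a generated one) against the same parameters."""
    return (sum(c in UPPER for c in password) >= min_upper
            and sum(c in DIGITS for c in password) >= min_digits
            and sum(c in SPECIAL for c in password) >= min_special)


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character pool actually used).
    This overestimates for dictionary words, which is why rate_password adds checks."""
    pool = 0
    for cls in (LOWER, UPPER, DIGITS, SPECIAL):
        if any(c in cls for c in password):
            pool += len(cls)
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def rate_password(password: str) -> str:
    """Rate as weak / fair / strong, refusing to be fooled by two obvious edge cases:
    a denylisted word and a password built from one or two repeated characters."""
    if password.lower() in COMMON_PASSWORDS or len(set(password)) <= 2:
        return "weak"
    bits = estimate_entropy_bits(password)
    if bits < 50:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


if __name__ == "__main__":
    pw = generate_password(length=20, min_upper=2, min_digits=2, min_special=2)
    print(pw, meets_policy(pw, 2, 2, 2), round(estimate_entropy_bits(pw), 1), rate_password(pw))
    for sample in ("password", "Password1!", "aaaaaaaaaaaaaaaaaaaaaaaa"):
        print(sample, round(estimate_entropy_bits(sample), 1), rate_password(sample))
```

A generated 16-character password with all four classes scores above 90 bits under this estimate, whereas a dictionary word or a run of repeated characters is rated weak regardless of length, which is the behaviour you should expect from any rating feature worth having.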

Screenshot: 1Password

Data Import/Export

Chances are you already have a few passwords to bring into a new password manager, so unless you feel like typing them all in manually, you’ll want to consider a product’s data import capabilities. Many password managers can import a list of passwords from generic CSV or TXT files, a browser’s password cache, and in some cases from other password managers. Conversely, a password manager’s ability to export is important if you ever want to switch to another product, so be sure your data won’t be locked in.

In a nutshell, password managers are a great way to delegate the heavy lifting required to use secure passwords. Below are five diverse password managers to start you on your search.

LastPass

Arguably the most feature-rich and flexible password manager out there, LastPass, which stores your password data online (but encrypts it both in storage and in transit), supports virtually every OS, Web browser, and handheld platform out there. It’s also free, at least for the standard version; to banish ads, use multifactor authentication, or get any of the mobile versions, you’ll have to ante up $1 per month (billed annually) for a LastPass Premium subscription. (I’m a fan of this one, even without the premium subscription.)

RoboForm

RoboForm offers good browser and mobile platform support, and offers optional—but free—online backup and synchronization for your password data. The free version limits you to ten logins, while the $30 RoboForm Pro removes the restriction and enables creation of multiple identities (to keep personal and work-related passwords separate, for example).

KeePass Password Safe

KeePass is an old-school password manager that lacks online storage or browser integration, but this open-source utility—which is completely free and available in multiple versions—will run on a USB key or a Windows PC without installation and can also use a key file or Windows account to authenticate in lieu of a master password.

Eikon to Go Digital Privacy Manager

The $50 Eikon to Go Digital Privacy Manager stores passwords not on your system or online, but rather on a USB-based fingerprint reader. Although not portable in the strictest sense (you can’t move it easily between computers), it has some unique features, like the ability to automatically log you into the operating system (Windows or Mac), and it lets you dismiss those annoying Vista/Windows 7 UAC prompts with a finger swipe.

1Password

At $40, 1Password is one of the pricier software-only password managers, but it’s got a Mac-centric approach (it requires Leopard or Snow Leopard) that integrates with the OS X Keychain and offers slick iPhone and iPad versions, as well. (A Windows version is currently in beta.)

Honorable Mention:

Launched just this month, a new password management software package from SecurityCoverage, Password Genie, is particularly well-suited for groups or businesses. A Windows-only utility with IE and Firefox browser support (but no portable or mobile options), Password Genie uses 256-bit AES encryption for local password storage and 128-bit SSL encryption when synchronizing between computers. For a subscription price of $36 (billed annually), it permits installation on up to five computers, keeps passwords synchronized between systems, and provides free technical support via toll-free phone or chat.

Via: esecurityplanet

ISPs In US Face New Copyright Attack

It is a novel way to attack online copyright infringement. Two music companies have sued an internet service provider, alleging that because the ISP failed to terminate the accounts of repeat infringers, the ISP is guilty of secondary infringement. This lawsuit troubles many copyright experts and its success is far from certain, but the music companies may achieve their aims regardless.

The music industry has been fighting online infringement for almost 15 years, with only limited success. Despite litigation campaigns and the enactment of new laws around the world, online infringement remains “a huge problem for the music industry,” said Lawrence Iser, a partner in the Southern California law firm of Kinsella Weitzman Iser Kump & Aldisert. “There is still tons of illegal music online.”

So the music industry is trying something different. For the last few years, they have been working with ISPs to implement a graduated response system – often called a “six strikes policy.” Basically, the copyright owner monitors internet traffic and notifies the ISP when a subscriber’s IP address uploads or downloads infringing material. The ISP passes this notice of infringement to the subscriber, along with a warning. If the subscriber continues to infringe, subsequent warnings take on a more severe tone. After repeated warnings, the ISP may impose sanctions, such as temporarily throttling the customer’s bandwidth. But no ISP in the US has gone so far as to publicly embrace account termination as a sanction in its graduated response system.

Most of the big ISPs in the US are participating in a graduated response system, but there are exceptions.

Each ISP that has established a graduated response system sets its own rules on what to say to alleged infringers and what (if any) sanctions to impose. Cox Communications is more lenient than most, using a “ten strike policy.”

Two music companies thought Cox was being too lenient, so they sued Cox on 26 November. “They didn’t go after other ISPs. They picked Cox because it was not implementing what they thought was a reasonable solution,” said Jordan A. Sigale, director of Dunlap Codding, an Oklahoma law firm.

In the lawsuit, BMG Rights Management and Round Hill Music allege that over 200,000 customers of Cox have used BitTorrent to repeatedly upload and download infringing copies of plaintiffs’ music. Cox was notified repeatedly about the infringements, but refused to terminate the accounts of the alleged infringers – thus protecting the revenue Cox receives from these allegedly infringing subscribers. As a result of all this, Cox is liable for contributory and vicarious copyright infringement, the suit claims.

No Safe Harbor?

This is a rather unusual lawsuit. The music industry has not previously targeted ISPs, largely because ISPs, like other online service providers, are protected in the US by the Digital Millennium Copyright Act. Section 512 of the DMCA declares that such online providers are not liable for infringements committed by their users, so long as certain conditions are met.

The lawsuit asserts that Cox has fallen out of the DMCA’s safe harbors because the company has failed to comply with Section 512(i) of the Act. This provision states the DMCA’s safe harbors “shall apply to a service provider only if the service provider … has adopted and reasonably implemented … a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers.”

But what is a “repeat infringer” for purposes of this statute? Is it someone whom a court has ruled is a repeat infringer, or is it anyone whom a copyright owner asserts is a repeat infringer? Legal experts don’t agree on the answer, and the courts have never ruled on this issue.

The lawsuit against Cox could turn on this unresolved issue. If only a court can declare someone a repeat infringer, then Cox is not required by Section 512(i) to terminate the accounts of mere alleged infringers. The ISP would thus maintain its safe harbor protection and would not be liable for secondary copyright infringement.

Pros and Cons of Courts

Requiring a court verdict on every repeat infringer would be impractical, according to Iser. “Think about how long it would take to get such an adjudication,” he said.

Costs also make going to court impractical. A copyright owner would incur legal costs for subpoenaing the ISP to obtain the name and address of the alleged infringer and for suing that person for infringement. Such costs might not be great in individual cases, but if a copyright owner wants to go after tens of thousands of alleged infringers, the legal fees certainly would be significant.

There would, in addition, be reputation costs. The last time the music industry engaged in a litigation campaign against alleged online infringers, the industry became the object of scorn and derision, as news stories revealed the industry had sued a variety of sympathetic figures, including a 66-year-old grandmother who knew nothing about file-sharing. In the end, the industry dropped the litigation campaign and vowed not to engage in it again.

Going to court would be costly and time-consuming, but it would be unfair to require ISPs to act on anything less than a judicial verdict, according to many legal experts, because copyright owners’ notices of alleged infringement are often wrong.

Copyright owners routinely notify YouTube and other online hosting services of allegedly infringing content, demanding the services take down the identified “infringing” content. However, “it has become very clear that lots and lots of the notices are wrong. How could that be otherwise? The copyright owners are using mechanized processes to send out millions of notices,” said Prof. Jessica Litman of University of Michigan Law School.

One problem is that a copyright owner’s investigator can’t know who uploaded or downloaded an infringing file. The investigator monitoring the internet can know only the IP address where the supposed infringement occurred. “That could be an open WiFi address. It could be a library, hotel, coffee shop or other small business where some customers or others are using BitTorrent,” said Sigale. It would be “draconian,” he added, to declare that the innocent owner of such an open IP address is a repeat infringer and must lose all internet access.

Another problem with internet monitoring is that the copyright owner’s investigator can’t know for sure that any infringement has occurred. What an investigator thinks is infringement may be fair use, an unluckily named file, or an instance of someone else investigating infringement, Sigale noted.

“The complaint comes down to this: We [copyright owners] send emails saying these people are repeat copyright infringers, and the ISP is supposed to take that as gospel truth and shut these people down. That is crazy,” said Sigale. “As a copyright lawyer, I think copyright is super-important, but this isn’t a question of protecting copyright. This is an attempt to circumvent due process. This is exactly what the DMCA was supposed to prevent.”

Mixing Safe Harbors

The plaintiffs in this case are conflating two different provisions of the DMCA, Sections 512(a) and 512(c), according to Prof. Litman. Section 512(a) deals with transient material flowing through a system, while Section 512(c) deals with materials stored on a system.

Section 512(c) creates a safe harbor for companies like YouTube and SoundCloud, which store material posted by others. It provides that these hosts are not liable for such stored material, but makes this immunity subject to a notice-and-takedown regime. If a copyright owner notifies a company that some specific material being hosted is infringing, the hosting company must take down the infringing material or it will lose its safe harbor protection.

The courts have rejected past attempts to apply Section 512(c) to ISPs. “When peer-to-peer [file-sharing] began, content owners tried to use this provision to go after ISPs, but that didn’t work because the alleged infringing material didn’t reside on the ISPs’ systems,” said Litman.

ISPs (and other entities that provide internet connections) are covered by a different safe harbor provision. Section 512(a) provides that an ISP is not liable for any transient material flowing through its systems – provided the ISP did not put the material onto the system. This safe harbor protects an ISP from secondary liability arising from a customer’s using the internet to upload and download infringing content. And this provision, unlike Section 512(c), does not impose a notice-and-takedown regime.

The plaintiffs in this case are trying to change that, by asserting that Section 512(i) imposes a notice-and-takedown requirement for the Section 512(a) safe harbor. If an ISP receives notice that a customer is a repeat infringer, the ISP won’t take down any stored material, but instead must take down the customer’s internet connection.

The record labels here “suggest failure to follow the steps prescribed by 512(c) for material residing on your servers makes an ISP liable for contributory and vicarious copyright infringement,” said Litman. They are basically asserting that “Section 512(c)’s notice and takedown provision applies to Section 512(a),” she said.

This interpretation of Section 512(a) is rather dubious, according to Litman. The plaintiffs “are unlikely to prevail legally,” she said.

Congress, after all, explicitly imposed a notice-and-takedown requirement for Section 512(c), while omitting that requirement for Section 512(a). And there are strong policy reasons for this distinction. It is a relatively simple matter to remove material stored on one’s servers. It is far more difficult to police transient materials flowing through internet connections.

“Congress decided it would be impractical for ISPs to monitor the electronic bits that are passing through their systems,” said Litman. “The University of Michigan, for example, can’t possibly review all the bits of information passing through the system it supposedly controls.”

Winning without Winning

If the record labels were to win this lawsuit, it could significantly strengthen the music industry’s efforts to stem online infringement. Music companies could act swiftly and cheaply against tens of thousands of alleged infringers, while having ISPs perform the dirty work of cutting people off from the internet. Public ire might focus on the ISPs, not the music industry, which, behind the scenes, would be forcing the ISPs to act.

However, the record labels may not really seek (or expect) to win this lawsuit. They may be using it merely as leverage, to force Cox and other ISPs to implement a more serious six-strikes policy. “This suit is really just a way to discipline Cox into passing notices of infringement to customers and terminating customers who supposedly infringe,” said Sigale.

The labels filed this action “in order to scare other ISPs into a graduated response,” said Litman. “This is theater more than a real lawsuit.”

Perhaps, but it might just prove to be powerful and effective theater.


Via: ip-watch

ICANN Hacked

Centralized Zone Data System users’ names, addresses, email addresses, phone numbers, usernames and hashed passwords may have been accessed.

The Internet Corporation for Assigned Names and Numbers (ICANN) recently acknowledged that it was hit in late November 2014 by a spear phishing attack, which targeted ICANN staff members with emails that appeared to come from an icann.org address.

The phishing attack successfully compromised several ICANN staff members’ email credentials, which were then used to breach other ICANN systems, including the Centralized Zone Data System (CZDS), the ICANN Governmental Advisory Committee (GAC) Wiki, the ICANN Blog, and the ICANN WHOIS information portal.

Most importantly, the attacker gained administrative access to all files in the CZDS, including copies of the zone files in the system as well as users’ names, mailing addresses, email addresses, fax numbers, phone numbers, user names and hashed passwords.

Still, there is some good news — ICANN spokesman Brad White told the Washington Post that the Internet Assigned Numbers Authority (IANA) was not impacted. “At this point, we have confirmed that the attack has not affected the IANA-related systems,” he said. “They are separate systems with additional layers of security that were not breached.”

In response to the breach, ICANN is notifying all CZDS users whose personal information may have been compromised, and has reset all CZDS passwords.

“We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password,” ICANN said in a statement.

“Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems,” the statement added. “We believe these enhancements helped limit the unauthorized access obtained in the attack. Since discovering the attack, we have implemented additional security measures.”

Tyler Reguly, manager of security research at Tripwire, told Top Tech News it’s worth noting that the breach was not as bad as it could have been.

“All user passwords have been reset, and should the attackers act on the stolen salted hashes, hopefully users will not have reused passwords from other websites,” Reguly said. “It is, of course, advisable that users of the Centralized Zone Data System reset their passwords if they were reused elsewhere.”

“While the zone file copies contain useful information, much of that information will be available via other means, limiting the impact that any data exfiltration may have,” Reguly added.

It’s not yet clear who the attackers were, or what their motivation was.


Via: securityplanet

Staples Confirms Breach, 1.2Mn Cards Affected

It was perhaps just a matter of time before the next household retail name came up in the data breach headlines. Staples has confirmed that it has been hacked with point-of-sale malware, which captured details on about 1.2 million payment cards.

The office-supply giant contacted law enforcement back in October about a potential incident, which has now been shown to have affected 115 stores nationwide. A list of affected locations can be found here.

The hackers were able to access “some transaction data at affected stores,” Staples said, including cardholder names, payment card numbers, expiration dates and card verification codes—everything needed to carry out online fraud. The malware was operational for just over a month at 113 stores, scraping info for purchases made from August 10 through September 16, 2014. At two stores, the malware was active from July 20 through September 16.

During the investigation, Staples also received reports of fraudulent payment card use related to four stores in Manhattan, covering a longer period: the activity took place sporadically from April through September 2014. The investigation found no malware or suspicious activity related to the payment systems at those stores.

Staples is offering free identity protection services, including credit monitoring, identity theft insurance and a free credit report, to customers who used their payment cards at those stores during those specific time periods.

Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion. Those who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity.

“Staples is committed to protecting customer data and regrets any inconvenience caused by this incident,” the company said. “Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”


Via: infosecurity-magazine