Monday, 13 October 2014

Kmart Says Card Data Stolen in Latest Retail Cyber Hack

Sears Holdings Corp. (SHLD)’s Kmart discount chain, the latest victim of hacker attacks on retailers, said it detected a security breach this week and is investigating the incident with law enforcement officials.
The retailer’s information-technology team identified the breach on Oct. 9 and is working with a top security firm to assess the incursion, which happened in early September, Kmart said in a filing yesterday. Customer payment-card information was probably exposed by the attack.
“According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said. “Kmart was able to quickly remove the malware. However, Kmart believes certain debit and credit card numbers have been compromised.”
A wave of data breaches at companies including Home Depot Inc. (HD), Target Corp. (TGT) and Neiman Marcus Group Ltd. have pressured retailers to bolster database and credit-card processing security. Nationwide concerns about cyber intrusions have escalated after JPMorgan Chase & Co. (JPM) recently disclosed that an attack by hackers exposed contact information of 76 million households and 7 million small businesses.
Kmart said it doesn’t appear that personal information, debit-card PINs, e-mail addresses or social security numbers were obtained by the hackers. Howard Riefs, a spokesman, was unable to provide the number of customers affected.

‘Advanced Software’

Kmart said in the statement that it’s working closely with federal law enforcement authorities, banking partners and IT security firms in the ongoing investigation and is “deploying further advanced software to protect customers’ information.”
Home Depot’s data breach between April and September put about 56 million payment cards at risk, the company said in September. The hackers used custom-made software to evade detection as they infiltrated computers at stores in the U.S. and Canada, relying on tools that haven’t been seen in previous attacks, according to the Atlanta-based home improvement retailer.
The company began investigating the attack on Sept. 2, immediately after banking partners and law enforcement raised alarms that its systems may have been infiltrated. Home Depot has said that while payment systems were hacked, there is no evidence that debit-card PINs have been compromised.

Discount Chain

Target has recorded $146 million in expenses as of Aug. 2 related to the discount chain’s breach in which data for 40 million accounts were stolen. Part of the expenses include an estimate on claims yet to be made by the credit card companies.
More than 100 lawsuits have been filed against Target relating to the breach, which contributed to the ouster of Chief Executive Officer Gregg Steinhafel in May. The chain also blamed the attack, which became public in December, for a sales decline in the fourth quarter.
Hackers also have attacked Supervalu Inc. (SVU) and AB Acquisition LLC, the operator of the Albertsons supermarket chain.
Shares of Sears, based in Hoffman Estates, Illinois, fell 6 percent to $24.78 at the close in New York yesterday, taking its decline for the year to 38 percent.
The parent of Kmart is struggling to revive sales growth and is unloading assets to generate cash after nine straight quarters of losses.

Meet the UK's PRISM program

(Image: ZDNet/CBS Interactive)
British police have access to an automated data demand system, which is regularly used to acquire data belonging to customers of three of the four major UK mobile networks.
According to a report first published on Friday by The Guardian, customer data is handed over "like a cash machine" to British police, in many cases automatically and without the direct consent each time of the phone companies.
EE, the company behind T-Mobile and Orange, along with Vodafone and Three give police "click of a mouse" access to tens of millions of UK mobile customers.
A fourth operator, O2, is the only major phone network requiring staff to review police requests, the newspaper cited the company as saying.
Although the system "mirrors" the US PRISM program, the name of the UK program is not known.
For more than a decade, every single mobile, cellular, and landline operator in the UK has been obligated under British law, specifically the Regulation of Investigatory Powers Act (RIPA), to store communications data for up to two years. That includes calls made, when, for how long, and to whom.
RIPA was introduced in 2000, pre-dating a mass surveillance effort in the US following the September 11 attacks a year later. It acts as the US' equivalent of the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), which can force a company to hand over data — often in secret — without public judicial oversight.

Such laws have been the basis of the modern-day UK-USA agreement, which has been used to conduct surveillance on a massive scale — not just on citizens but also governments, politicians, private companies, and journalists.
There is little oversight for RIPA, either. A senior police officer must give the authority to access the UK's PRISM system, but in many cases these can be conducted without any significant checks and balances from the British courts.
But to date, it's believed that not a single UK mobile operator has released figures showing how many data demands they are served each year under British surveillance laws, either through RIPA, or through warrants or court orders.
Vodafone, however, became the first UK operator to disclose that in some countries law enforcement has "direct access" to its networks. Thanks to the new report by The Guardian, that also includes the UK.
Earlier this year, the European Court of Justice struck down a crucial data retention law that forced phone networks to store communications data, ruling it unlawful. The data retention laws were critical for British police and intelligence agencies to acquire this data. It took a matter of weeks for the British parliament to create its own emergency data retention laws to allow the UK's PRISM program to continue.

"Without these capabilities we run the risk that murderers will not get caught, terrorist plots will go undetected, drug traffickers will go unchallenged, child abusers will not be stopped, and slave drivers will continue in the appalling trade in human beings," UK Home Secretary Theresa May said at the time.
One of the more recent concerns with US surveillance laws was the allegation that there were "two versions" of the Patriot Act: one that was written in the public law books, and a secret interpretation developed and used by the US Justice Department.
However, by contrast, RIPA is relatively straightforward and lays out much of what British police and intelligence agencies can do.
The UK has been working to expand its snooping powers during the Cameron-Clegg coalition administration, but failed due to strong opposition. But in the Queen's Speech in 2013, the proposals to widen the tracking of people's internet and phone activities were rekindled.
These proposals, although still in Home Office development, remain vastly under wraps.

Researcher makes the case for DDOS attacks

To some people, a political mission matters more than anything, including your rights. Such people (the Bolsheviks come to mind) have caused a great deal of damage and suffering throughout history, especially in the last 100 years or so. Now they're taking their mission online. You better not get in their way.
Molly Sauter, a doctoral student at McGill University and a research affiliate at the Berkman Center at Harvard ("exploring cyberspace, sharing its study & pioneering its development"), has a paper calling the use of DDOS (distributed denial of service) attacks a legitimate form of activism and protest. This can't go unchallenged.

Sauter notes the severe penalties for DDOS attacks under "...Title 18, Section 1030 (a)(5) of the US Code, otherwise known as the CFAA" (Computer Fraud and Abuse Act). This section is short enough that I may as well quote it here verbatim:
(5)(A) [Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
There are other problems with the CFAA with respect to some legitimate security research and whether it technically falls afoul of the act, but that's not the issue here.
Sauter goes on in some detail with the penalties under Federal law for violating this act and, no argument here, they are extreme and excessive. You can easily end up with many years in prison. This is, in fact, a problem generally true of Federal law, the number of crimes under which has grown insanely in the last 30 or so years, with the penalties growing proportionately. For an informed and intelligent rant on the problem I recommend Three Felonies a Day by Harvey Silverglate. Back to hacktivist DDOS attacks.
She cites cases of DDOS attacks committed against Koch Industries, Paypal, the Church of Scientology and Lufthansa Airlines, some of these by the hacktivists who call themselves Anonymous. In the US cases of the attacks against Koch, Paypal and the Church, the attackers received prison time and large fines and restitution payments. In the Lufthansa case, in a German court, the attacker was sentenced to pay a fine or serve 90 days in jail; that sentence was overturned on appeal. The court ruled that "...the online demonstration did not constitute a show of force but was intended to influence public opinion."
This is the sort of progressive opinion, dismissive of property rights, that Sauter regrets is not happening here in the US. She notes, and this makes sense to me, that the draconian penalties in the CFAA induce guilty pleas from defendants, preventing the opportunity for a Lufthansa-like precedent.
This is part and parcel of the same outrageous growth of Federal criminal law I mentioned earlier; you'll find the same incentive to plead guilty, even if you're just flat-out innocent, all over the US Code. I would join Sauter in calling for some sanity in the sentencing in the CFAA, but I part ways with her argument that political motives are a mitigating, even excusing factor.
Sauter's logic rises from a foundation of anti-capitalism: would appear that the online space is being or has already been abdicated to a capitalist-commercial governance structure, which happily merges the interests of corporate capitalism with those of the post-9/11 security state while eliding democratic values of political participation and protest, all in the name of 'stability.'

Once you determine that capitalism is illegitimate, respect for other people's property rights is no longer a problem. Fortunately, the law protects people against the likes of Anonymous and other anti-capitalist heroes of the far left.
I would not have known or cared about Sauter's article had it not been for a favorable link to it by Bruce Schneier. Schneier is a Fellow at the Berkman Center.
Progressives and other leftists who think DDOS, i.e. impeding the business of a person or entity with whom you disagree in order to make a political point, should consider the shoe on the other foot. If I disagree with Schneier's positions is it cool for me to crash his web site or those of other organizations with which he is affiliated, such as the Berkman Center, the New America Foundation's Open Technology Institute, the Electronic Frontier Foundation, the Electronic Privacy Information Center and BT (formerly British Telecom)? I could apply the same principle to anti-abortion protesters impeding access to a clinic. I'm disappointed with Schneier for implying with his link that it's legitimate to engage in DDOS attacks for political purposes.
It's worth repeating that Sauter has a point about the CFAA, particularly with respect to the sentences. It does need to be reformed — along with a large chunk of other Federal law. The point of these laws is supposed to be to protect people against the offenses of others, not to protect the offender.