<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: pizza]]></title>
    <link>http://securityratty.com/tag/pizza</link>
    <description></description>
    <pubDate>Tue, 18 Dec 2007 16:12:25 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[America's CTO]]></title>
      <link>http://securityratty.com/article/7370017881b0de9957b3253bdde1e5eb</link>
      <guid>http://securityratty.com/article/7370017881b0de9957b3253bdde1e5eb</guid>
      <description><![CDATA[I hope this message gets through to the Obama people - Bill Joy would be an amazingly good pick for the newly created CTO cabinet post. A grand slam to the upper deck. You can count the people with as...]]></description>
      <content:encoded><![CDATA[<p>I hope <a href="http://bits.blogs.nytimes.com/2008/11/05/john-doerrs-advice-for-barack-obama-hire-bill-joy/">this message</a> gets through to the Obama people - Bill Joy would be an amazingly good pick for the newly created CTO cabinet post. A grand slam to the upper deck. You can count the people with as good a track record in technology on one hand.</p><br /><div>Also, I could not agree more with John Doerr on these points:</div><br /><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; ">The next question from the president-elect was what single policy issue he could focus on that would most help entrepreneurs.</span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;"><br /></span><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; ">“The most important thing he’s got to do is kick-start a huge amount of research and innovation in energy,” said Mr. Doerr, who backed Google and Amazon.com and has invested heavily in clean energy technology for the last few years.</span><br /><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; ">The nation now invests less than $1 billion a year in renewable energy versus $32 billion a year in health care, Mr. Doerr said. “I think we’ve just scratched the surface in terms of clean ways to use energy, to produce energy. 
It’s the challenge of our generation.”</span><br /><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; ">How to do that? Double the number of engineers who graduate from American universities each year to 60,000, Mr. Doerr said. Bring more women into the field, and encourage foreigners who study engineering here to stay here.</span><br /><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px; ">“What we do is bring foreign nationals to the world’s greatest universities. We train them, invest in them and make them go home,” he said. “What kind of national strategy is that? So I would staple a green card to the diploma.”</span></p></blockquote><p><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;"><br /></span></p><div><span style="color: #333333; font-family: georgia; font-size: 10px; "><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1em; margin-left: 0px; font-size: 1.4em; line-height: 1.5em; "><span id="more-1803"></span></p></span></div><div><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;">While it is amazing that it took until 2009 for the US to have a CTO as a cabinet level position, it is very cool to think about all the things that could happen going forward. As Neal Stephenson said the US is only world class at three things - 1. Movies, 2. High speed pizza delivery and 3. 
Software development.</span></div><div><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;"><br /></span></div><div><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;">If you read your </span><a href="http://edgeperspectives.typepad.com/edge_perspectives/">John Hagel</a><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;"> and </span><a href="http://www.johnseelybrown.com/">JSB</a><span style="color: #333333; font-family: georgia; font-size: 14px; line-height: 21px;">, then you know that innovation is the only sustainable edge. Luckily it's hard-wired into our system, but it will be helpful to have a seat at the table for certain things.</span></div>]]></content:encoded>
      <pubDate>Sat, 08 Nov 2008 13:08:05 +0000</pubDate>
      <category domain="http://securityratty.com/tag/energy">energy</category>
      <category domain="http://securityratty.com/tag/produce energy">produce energy</category>
      <category domain="http://securityratty.com/tag/renewable energy versus">renewable energy versus</category>
      <category domain="http://securityratty.com/tag/cto">cto</category>
      <category domain="http://securityratty.com/tag/clean energy technology">clean energy technology</category>
      <category domain="http://securityratty.com/tag/clean">clean</category>
      <category domain="http://securityratty.com/tag/doerr">doerr</category>
      <category domain="http://securityratty.com/tag/john doerr">john doerr</category>
      <category domain="http://securityratty.com/tag/technology">technology</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/11/americas-cto.html">America's CTO</source>
    </item>
    <item>
      <title><![CDATA[Creepy Customer Profiling via Facial Recognition]]></title>
      <link>http://securityratty.com/article/dfdb490391ea01b54e8449583b7ebb5b</link>
      <guid>http://securityratty.com/article/dfdb490391ea01b54e8449583b7ebb5b</guid>
      <description><![CDATA[Shopping off-line is usually more ad-free than shopping online. But this is changing, with ads coming in strange places like video screens at Gas Stations, Albertsons, and so on. Google's been...]]></description>
      <content:encoded><![CDATA[<p>Shopping off-line is usually more ad-free than shopping online. But this is changing, with ads coming in strange places like video screens at Gas Stations, Albertson&#8217;s, and so on. Google&#8217;s been using content targeted at users for some time, and now this is coming to offline ads too. Some unlikely retailers like Dunkin Donuts are installing facial recognition systems that change the ads shown, depending on whether the viewer is male or female, and in what age range.</p>
<div id="main">
<div id="content">
<div class="post post-permalink">
<div class="entry">
<blockquote><p>The <em>Wall Street Journal</em> says that Dunkin&#8217; Donuts is experimenting with video screens that use facial recognition technology to figure out your age and gender. The screens then display ads targeted specifically to you.</p>
<p>Creepy!</p>
<p>Dunkin&#8217; Donuts is also tailoring the cash register ads to your specific purchase. If you buy a breakfast sandwich, you can expect an ad prompting you to return &#8220;for a coffee break in the afternoon&#8221; to &#8220;try an oven-toasted pizza.&#8221; The system is already in place at two Buffalo, NY locations.</p></blockquote>
<p>Read the <a rel="nofollow" target="_blank" href="http://consumerist.com/5040049/facial-recognition-technology-%252B-video-screens--creepy-dunkin-donuts-ads">full article here</a>.</p></div>
</div>
</div>
</div>]]></content:encoded>
      <pubDate>Fri, 22 Aug 2008 05:41:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ads">ads</category>
      <category domain="http://securityratty.com/tag/cash register ads">cash register ads</category>
      <category domain="http://securityratty.com/tag/display ads">display ads</category>
      <category domain="http://securityratty.com/tag/dunkin donuts">dunkin donuts</category>
      <category domain="http://securityratty.com/tag/screens">screens</category>
      <category domain="http://securityratty.com/tag/video screens">video screens</category>
      <category domain="http://securityratty.com/tag/ads shown">ads shown</category>
      <category domain="http://securityratty.com/tag/age range">age range</category>
      <category domain="http://securityratty.com/tag/wall street journal">wall street journal</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/372009137/">Creepy Customer Profiling via Facial Recognition</source>
    </item>
    <item>
      <title><![CDATA[Insurance claims and policy information in the dumpster]]></title>
      <link>http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9</link>
      <guid>http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/13/08

Organization
Texas Insurance Claims Services

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
hundreds of files

Types of...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/shredded.jpg" width="133" align="right" height="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/13/08<br><br><span style="font-weight: bold;">Organization: </span><br>Texas Insurance Claims Services<br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"hundreds of files"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Insurance claims and policy paperwork including "names, social security numbers and policy numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>Files containing sensitive confidential information were discovered in a dumpster in Richardson, Texas.&nbsp; The files are believed to have been thrown out by the owner of a company called Texas Insurance Claims Services.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.wfaa.com/sharedcontent/dws/news/localnews/tv/stories/wfaa080613_lj_lopez.2c3f840a.html">WFAA Channel 8 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Rebecca Lopez, WFAA-TV<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>on Friday, hundreds of files with people's names, social security numbers and policy numbers were found in a Richardson dumpster<br><br>The files contain a lot of private information.<br><br>The people who filled out the forms probably never expected them to end up where anyone could simply walk away with them.<br><span style="font-style: italic;">[Evan] There we go with expectations again.&nbsp; See my comments in the "</span><a style="font-style: italic;" href="http://breachblog.com/2008/06/18/dominos.aspx">Tucson area Domino's Pizza customer information exposed</a><span style="font-style: italic;">" 
breach.</span><br><br>You expect when you give your private information to an insurance company, it will stay that way.<br><br>Mike McCarty was driving by a dumpster near his work in Richardson. He saw a man taking pictures of trash inside, so he stopped.<br><span style="font-style: italic;">[Evan] Taking pictures?</span><br><br>"[The man] said he was looking for empty boxes because he was going to move but he found a bunch of these files."<br><span style="font-style: italic;">[Evan] But why was the man taking pictures?&nbsp; The story isn't clear on this point, so I wonder.</span><br><br>There were files with people's names, addresses, social security numbers and even pictures of their homes and cars. <br><br>The files were dumped here by a company called Texas Insurance Claims Services which processes people's claims.<br><br>We asked the owner why he threw them away. He wouldn't go on camera but said he was only required to keep the files five years and could then toss them.<br><span style="font-style: italic;">[Evan] Oh, well then.&nbsp; Sounds like a good enough explanation to me... 
NOT!&nbsp; Where is the corporate and social responsibility?</span><br><br>The company says it sometimes uses commercial shredding services but decided not to do so this time.<br><span style="font-style: italic;">[Evan] Let me see if I understand this correctly.&nbsp; The company obviously knows the importance of shredding confidential papers in general, otherwise they wouldn't "sometimes use commercial shredding services".&nbsp; What the @#$^ explains why the company chose not to use the shredding services in this instance?</span><br><br>Authorities say it's not unusual for criminals to dumpster dive to look for ways to get personnel information that they can use to illegally run up huge bills.<br><span style="font-style: italic;">[Evan] This is very true.&nbsp; There are even people who organize and belong to dumpster diving clubs, not to imply that THESE people are "criminals", but only to point out that people DO dumpster dive.</span><br><br>The dumpster was full of files. Most of them were taken away by garbage collectors. We are shredding the few we took for our story.<br><span style="font-style: italic;">[Evan] The files were taken away by garbage collectors?&nbsp; I wonder how much confidential information a person could find at the dump (landfill)?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>It may just be the context of the owner's remarks, or it may just be me, but the owner seems to be oblivious to the risk of throwing confidential customer information out with the garbage. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Wed, 18 Jun 2008 08:41:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/dumpster">dumpster</category>
      <category domain="http://securityratty.com/tag/sensitive confidential information">sensitive confidential information</category>
      <category domain="http://securityratty.com/tag/personnel information">personnel information</category>
      <category domain="http://securityratty.com/tag/confidential customer information">confidential customer information</category>
      <category domain="http://securityratty.com/tag/dumpster dive">dumpster dive</category>
      <category domain="http://securityratty.com/tag/files">files</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <source url="http://breachblog.com/2008/06/18/tics.aspx">Insurance claims and policy information in the dumpster</source>
    </item>
    <item>
      <title><![CDATA[Tucson area Domino's Pizza customer information exposed]]></title>
      <link>http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb</link>
      <guid>http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/18/08

Organization
Domino's Pizza

Contractor/Consultant/Branch
Unnamed former owner of 24 Tucson area locations

Victims
Customers

Number Affected...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/dominos.jpg" align="right" height="176" width="175"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/18/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.dominos.com/home/index.jsp">Domino's Pizza</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unnamed former owner of 24 Tucson area locations&nbsp;&nbsp;&nbsp;&nbsp; <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names and credit card numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.kvoa.com/Global/story.asp?S=8516485&amp;nav=HMO6HMaY">KVOA Channel 4 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Tom McNamara, KVOA Channel 4 News<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>Investigators found credit card numbers blowing in the wind for anyone to see.<br><br>These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.<br><br>When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.<br><span style="font-style: italic;">[Evan] Is there any business reason to keep credit card receipts for this period of time?&nbsp; I suppose a case could be made that these should be kept for up to seven years for </span><a style="font-style: italic;" 
href="http://www.irs.gov/businesses/small/article/0,,id=98513,00.html">tax purposes</a><span style="font-style: italic;">.</span><br><br>We contacted the former owner of 24 Domino's Pizza stores in Tucson.<br><span style="font-style: italic;">[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons.&nbsp; 24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.</span><br><br>She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.<br><span style="font-style: italic;">[Evan] Incidents like this tear me up.&nbsp; I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals.&nbsp; I presume that she just didn't know any better.</span><br><br>We found Scott Brumage's name and credit card number on one of those receipts in the alley.<br><br>Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scott nods, "Uh huh."<br><br>Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? 
What went through your mind?"<br><br>"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."<br><br>Scott was startled to see his name and card numbers on our screen.<br><br>He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.<br><span style="font-style: italic;">[Evan] Is this an unreasonable expectation?&nbsp; Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.).&nbsp; I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.</span><br><br>Scott tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."<br><span style="font-style: italic;">[Evan] It is dumbfounding, isn't it.&nbsp; I often wonder what people are thinking when they do some of the things they do.</span><br><br>The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.<br><br>They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.<br><br>It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. 
They might have just lost a loyal customer."<br><span style="font-style: italic;">[Evan] The impact to the victim is usually pretty clear and easy to quantify.&nbsp; The impact to the business (or organization) is not usually as easy to measure.&nbsp; In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc.&nbsp; Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information.&nbsp; Pipe dream?</span><br><br>In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.<br><br><span style="font-weight: bold;">Commentary:</span><br>This breach reminds me of a <a href="http://breachblog.com/2008/06/11/cotton.aspx#comment-1124161">recent discussion</a> I had online with Benjamin Wright in the comments section of the "<a href="http://breachblog.com/2008/06/11/cotton.aspx">Cotton Traders confirms that their website was compromised</a>" breach.&nbsp; He makes a very good argument regarding accountability in credit card breaches.&nbsp; My responses to him are included. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Wed, 18 Jun 2008 06:43:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/credit card transactions">credit card transactions</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/credit card receipts">credit card receipts</category>
      <category domain="http://securityratty.com/tag/credit card breaches">credit card breaches</category>
      <category domain="http://securityratty.com/tag/card">card</category>
      <category domain="http://securityratty.com/tag/pizza">pizza</category>
      <category domain="http://securityratty.com/tag/receipts">receipts</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/tucson">tucson</category>
      <source url="http://breachblog.com/2008/06/18/dominos.aspx">Tucson area Domino's Pizza customer information exposed</source>
    </item>
    <item>
      <title><![CDATA[Creating and Entrapping Terrorists]]></title>
      <link>http://securityratty.com/article/2f39bf4f70e8c93e2a43b2bf16f48157</link>
      <guid>http://securityratty.com/article/2f39bf4f70e8c93e2a43b2bf16f48157</guid>
      <description><![CDATA[When I wrote this essay -- &quot;Portrait of the Modern Terrorist as an Idiot&quot; -- I thought a lot about the government inventing terrorist plotters and entrapping them, to make the world seem scarier....]]></description>
      <content:encoded><![CDATA[<p>When I wrote this essay -- <a href="http://www.schneier.com/essay-174.html">"Portrait of the Modern Terrorist as an Idiot"</a> -- I thought a lot about the government inventing terrorist plotters and entrapping them, to make the world seem scarier. Since then, it's been on my list of topics to write about someday.</p>

<p><i>Rolling Stone</i> has <a href="http://www.rollingstone.com/politics/story/18137343/the_fear_factory">this excellent article</a> on the topic, about the Joint Terrorism Task Forces in the U.S.:</p>

<blockquote>But a closer inspection of the cases brought by JTTFs reveals that most of the prosecutions had one thing in common: The defendants posed little if any demonstrable threat to anyone or anything. According to a study by the Center on Law and Security at the New York University School of Law, only ten percent of the 619 "terrorist" cases brought by the federal government have resulted in convictions on "terrorism-related" charges -- a category so broad as to be meaningless. In the past year, none of the convictions involved jihadist terror plots targeting America. "The government releases selective figures," says Karen Greenberg, director of the center. "They have never even defined 'terrorism.' They keep us in the dark over statistics."

<p>Indeed, Shareef is only one of many cases where the JTTFs have employed dubious means to reach even more dubious ends. In Buffalo, the FBI spent eighteen months tracking the "Lackawanna Six" -- a half-dozen men from the city's large Muslim population who had been recruited by an Al Qaeda operative in early 2001 to undergo training in Afghanistan. Only two lasted the six-week course; the rest pretended to be hurt or left early. Despite extensive surveillance, the FBI found no evidence that the men ever discussed, let alone planned, an attack -- but that didn't stop federal agents from arresting the suspects with great fanfare and accusing them of operating an "Al Qaeda-trained terrorist cell on American soil." Fearing they would be designated as "enemy combatants" and disappeared into the legal void created by the Patriot Act, all six pleaded guilty to aiding Al Qaeda and were sentenced to at least seven years in prison.</p>

<p>In other cases, the use of informants has led the government to flirt with outright entrapment. In Brooklyn, a Guyanese immigrant and former cargo handler named Russell Defreitas was arrested last spring for plotting to blow up fuel tanks at JFK International Airport. In fact, before he encountered the might of the JTTF, Defreitas was a vagrant who sold incense on the streets of Queens and spent his spare time checking pay phones for quarters. He had no hope of instigating a terrorist plot of the magnitude of the alleged attack on JFK -- until he received the help of a federal informant known only as "Source," a convicted drug dealer who was cooperating with federal agents to get his sentence reduced. Backed by the JTTF, Defreitas suddenly obtained the means to travel to the Caribbean, conduct Google Earth searches of JFK's grounds and build a complex, multifaceted, international terror conspiracy -- albeit one that was impossible to actually pull off. After Defreitas was arrested, U.S. Attorney Roslynn Mauskopf called it "one of the most chilling plots imaginable."</p>

<p>Using informants to gin up terrorist conspiracies is a radical departure from the way the FBI has traditionally used cooperating sources against organized crime or drug dealers, where a pattern of crime is well established before the investigation begins. Now, in new-age terror cases, the JTTFs simply want to establish that suspects are predisposed to be terrorists -- even if they are completely unable or ill-equipped to act on that predisposition. High-tech video and audio evidence, coupled with anti-terror hysteria, has made it effectively impossible for suspects to use the legal defense of entrapment. The result in many cases has been guilty pleas -- and no scrutiny of government conduct.</p>

<p>In most cases, because no trial is ever held, few details emerge beyond the spare and slanted descriptions in the indictments. When facts do come to light during a trial, they cast doubt on the seriousness of the underlying case. The "Albany Pizza" case provides a stark example. Known as a "sting case," the investigation began in June 2003 when U.S. soldiers raided an "enemy camp" in Iraq and seized a notebook containing the name of an imam in Albany -- one Yassin Aref. To snare Aref, the JTTF dispatched a Pakistani immigrant named Shahed "Malik" Hussain, who was facing years in prison for a driver's-license scam. Instead of approaching Aref directly, federal agents sent Malik to befriend Mohammed Hossain, a Bangladeshi immigrant who went to the same mosque as Aref. Hossain, an American citizen who ran a place called Little Italy Pizzeria in Albany, had no connections whatsoever to terrorism or any form of radical Islam. After the attacks on 9/11, he had been quoted in the local paper saying, "I am proud to be an American." But enticed by Malik, Hossain soon found himself caught up in a government-concocted terror plot. Posing as an arms dealer, Malik told Hossain that a surface-to-air missile was needed for an attack on a Pakistani diplomat in New York. He offered Hossain $5,000 in cash to help him launder $50,000 -- a deal Hossain claims he never properly grasped. According to Muslim tradition, a witness is needed for significant financial transactions. Thus, the JTTF reached out for Hossain's imam and the true target of the sting -- Aref.</p></blockquote>
]]></content:encoded>
      <pubDate>Wed, 05 Mar 2008 03:25:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/terrorist">terrorist</category>
      <category domain="http://securityratty.com/tag/modern terrorist">modern terrorist</category>
      <category domain="http://securityratty.com/tag/hossain">hossain</category>
      <category domain="http://securityratty.com/tag/terrorist conspiracies">terrorist conspiracies</category>
      <category domain="http://securityratty.com/tag/deal hossain claims">deal hossain claims</category>
      <category domain="http://securityratty.com/tag/yassin aref">yassin aref</category>
      <category domain="http://securityratty.com/tag/aref">aref</category>
      <category domain="http://securityratty.com/tag/terrorist plot">terrorist plot</category>
      <category domain="http://securityratty.com/tag/stop federal agents">stop federal agents</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/creating_and_en.html">Creating and Entrapping Terrorists</source>
    </item>
    <item>
      <title><![CDATA[Union Mortgage loan applicant information found in dumpster]]></title>
      <link>http://securityratty.com/article/e521113877509ae97abc821cd675e5d7</link>
      <guid>http://securityratty.com/article/e521113877509ae97abc821cd675e5d7</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/22/08, updated on 2/28/08

Organization
Union Mortgage Services of Cleveland, Inc

Contractor/Consultant/Branch
None

Victims
Loan applicants

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/mortgage.jpg" align="right" height="184" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/22/08, updated on 2/28/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.unionmortgageservices.com/">Union Mortgage Services of Cleveland, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Loan applicants<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown*<br><br><font size="1">*"hundreds of people" including "Thousands of pages of sensitive documents"</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>Information that is typically found in loan applications, including bank statements, credit reports, and tax returns.<br><br><span style="font-weight: bold;">Breach Description:</span><br>Thousands of pages of sensitive loan application information were discovered in a dumpster behind a pizza shop in Cleveland, Ohio.&nbsp; The documents were allegedly discarded by employees of Union Mortgage Services of Cleveland, Inc., which has closed down after failing either to pay taxes or to file tax returns.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.wkyc.com/news/news_article.aspx?storyid=83808">WKYC-TV News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WKYC-TV News, by way of Attrition.org<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>Thousands of pages of sensitive documents were thrown out in a dumpster located behind a pizza shop at East 105th and Superior in Cleveland.<br><br>Confidential files were found on hundreds of people who applied for loans with a company called Union Mortgage, whose last known addresses were in Beachwood and Parma.<br><span style="font-style: italic;">[Evan] Union 
Mortgage Services addresses are/were: 23611 Chagrin Blvd Suite 275 </span><span style="font-style: italic;">Beachwood, OH 44122 and 1440 Snow Road Suite 118 Parma, OH 44134</span><br><br>Investigator Tom Meyer learned the company closed its doors recently after either failing to pay taxes or file its tax returns.<br><span style="font-style: italic;">[Evan] Sounds shady for a mortgage company that people trust much of their financial lives with.</span><br><br>Channel 3 News retrieved as many documents as possible and returned them to their rightful owners.<br><br>Ken Knabe, a lawyer from Lakewood, was shocked that we had his bank accounts, credit reports, tax returns and other personal information including his social security number. "That's appalling. This is private information in a dumpster,"<br><br>Channel 3 News returned files of information on Kim and Edwin Soeder of Mentor, including their retirement accounts. "It makes you wonder how bad your credit rating becomes if people get this in their hands," said Mrs. Soeder.<br><br>Ohio Attorney General, Marc Dann, has sued another mortgage company, Randall Mortgage Services, Inc., for allegedly abandoning customers' loan and financial information. 
Dann says he would take action against Union Mortgage if customers came forward and filed complaints with his office.<br><br><img src="http://images.quickblogcast.com/95781-88451/marcdann.jpg" border="0" width="124"><br><br><span style="font-style: italic;">[Evan] Attorney General Marc Dann's site has some good information for consumers.&nbsp; To file a complaint, visit <a href="http://www.ag.state.oh.us/citizen/consumer/complaints.asp">http://www.ag.state.oh.us/citizen/consumer/complaints.asp</a></span><br><br>Dann said businesses that collect personal information are responsible for protecting it just like they would protect their own information.<br><br><span style="font-weight: bold;">Commentary:</span><br>This is similar to the <a href="http://breachblog.com/2008/02/21/firstmagnus.aspx">First Magnus breach</a> reported earlier this month.&nbsp; Similarities include two financially troubled (or bankrupt) loan companies that figured their obligation to protect confidential personal information ceased when they closed the doors.&nbsp; The obligation to protect information entrusted to you only ceases when you transfer custodianship (i.e., by returning it to the owner, destroying it, etc.).<br><br>I assume that we will only continue to see more of these types of breaches as more loan companies continue to suffer from today's credit crunch.&nbsp; When I researched Union Mortgage Services for this posting, I had a general sense of uneasiness.&nbsp; The lack of discovered background information and other legitimate references about the company might have made me question whether or not I would have done business with them in the first place.&nbsp; Hindsight is 20/20, they say. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 29 Feb 2008 11:14:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/collect personal information">collect personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/union mortgage">union mortgage</category>
      <category domain="http://securityratty.com/tag/loan">loan</category>
      <category domain="http://securityratty.com/tag/loan companies continue">loan companies continue</category>
      <category domain="http://securityratty.com/tag/loan companies">loan companies</category>
      <category domain="http://securityratty.com/tag/union mortgage services">union mortgage services</category>
      <category domain="http://securityratty.com/tag/background information">background information</category>
      <source url="http://breachblog.com/2008/02/29/unionmortgage.aspx">Union Mortgage loan applicant information found in dumpster</source>
    </item>
    <item>
      <title><![CDATA[Boston/Cambridge InfoSecurity Events]]></title>
      <link>http://securityratty.com/article/206a3c974bd327175dda2e8f0055e3f7</link>
      <guid>http://securityratty.com/article/206a3c974bd327175dda2e8f0055e3f7</guid>
      <description><![CDATA[Software Security Weaknesses - Avoiding and Testing
Bob Martin is giving a talk tonight at the Boston Software Process Improvement Network (SPIN) meeting on Software Security Weaknesses - Avoiding and...]]></description>
      <content:encoded><![CDATA[<h3>Software Security Weaknesses - Avoiding and Testing</h3>
<p>Bob Martin is giving a talk tonight at the <a href="http://www.boston-spin.org/">Boston Software Process Improvement Network</a> (SPIN) meeting on &#8220;Software Security Weaknesses - Avoiding and Testing&#8221;.  The meeting is at MITRE in Bedford in the basement conference center of M-Building (the one next to the parking garage).  Pizza and discussions at 6pm, talk at 7:10pm.</p>
<p>It&#8217;s open to anyone.</p>
<h3>BeanSec</h3>
<p><a href="http://rationalsecurity.typepad.com/blog/beansec/index.html">BeanSec</a>, an informal gathering of security professionals, is held the 3rd Wednesday of every month in Cambridge. It will be held tomorrow night from 6pm-9pm at the <a href="http://www.middlesexlounge.com/">Middlesex Lounge</a>, 315 Mass. Ave, Cambridge, MA. Note that this is a change of venue from the Enormous Room.</p>
<h3>Source: Boston 2008</h3>
<p><a href="http://www.sourceboston.com/">Source: Boston</a> is a new security conference taking place in Cambridge on March 12-14th. This lines up pretty well with St. Patrick&#8217;s Day weekend which will be a fun time to be in Boston.  Mike Murray has a <a href="http://www.episteme.ca/index.php?/archives/294-A-Cool-New-Conference.html">great writeup about it</a> on his blog.</p>
]]></content:encoded>
      <pubDate>Tue, 18 Dec 2007 16:12:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/software security weaknesses">software security weaknesses</category>
      <category domain="http://securityratty.com/tag/boston">boston</category>
      <category domain="http://securityratty.com/tag/cambridge">cambridge</category>
      <category domain="http://securityratty.com/tag/held">held</category>
      <category domain="http://securityratty.com/tag/held tomorrow night">held tomorrow night</category>
      <category domain="http://securityratty.com/tag/patricks day weekend">patricks day weekend</category>
      <category domain="http://securityratty.com/tag/basement conference center">basement conference center</category>
      <category domain="http://securityratty.com/tag/talk tonight">talk tonight</category>
      <category domain="http://securityratty.com/tag/talk">talk</category>
      <source url="http://www.veracode.com/blog/?p=72">Boston/Cambridge InfoSecurity Events</source>
    </item>
  </channel>
</rss>
