Saturday, December 28, 2013

Slow Saturday Special: Conventioneers Caught in Boston Globe Briar Patch

"Chain confirms it was source of breach affecting conventions" by Deirdre Fernandes |  Globe Staff, December 28, 2013

A local restaurant chain confirmed Friday that its computer systems were breached, putting the credit-card information of thousands of customers at risk, including visitors who attended two major conventions in Boston.

The Briar Group, which owns 10 restaurants and bars in Boston, including two at the Westin hotel connected to the Boston Convention & Exhibition Center, said its computer systems were infiltrated sometime between October and early November. It said customer names, credit-card numbers, expiration dates, and security information were captured from the cards’ magnetic strips.

The company isn’t sure how many customers were affected, but every month thousands visit Briar’s locations, said Diana C. Pisciotta, a spokeswoman for the chain.

**********************

It remains unclear who engineered the theft. The Briar Group believes that it was a sophisticated, outside attack, Pisciotta said. Boston Police and the US Secret Service are investigating.

Related: Sunday Globe Special: Hacking is Good Bu$ine$$ 

Yeah, they don't know who did it and who benefit$?

The US Attorney’s Office, which is overseeing the case, declined to comment.

This is the second major breach of the Briar Group’s payment systems. In 2009, malware, or malicious software, was apparently installed on Briar’s computers, allowing thieves to access credit and debit card information. The chain paid $110,000 to the state to settle allegations that it failed to protect diners’ personal information after that security breach.

Data breaches are becoming increasingly common and complex. Earlier this month, Target, the giant retailer, acknowledged that 40 million credit and debit card accounts were stolen from its customers who shopped at its stores between Thanksgiving weekend and Dec. 15. Nearly one million of those accounts belonged to customers who made purchases at Target’s three dozen Massachusetts stores.

Related: Target says customers’ encrypted PINs were stolen

Also see: Globe Xmas Gift: Xmas Day Shopping

The theft compromised the financial data of customers who made purchases by swiping cards at terminals in Target’s US stores, exposing similar information as the Briar Group’s breach. In addition, Target on Friday acknowledged that the thieves also captured encrypted personal identification numbers, or PINs, that can be used for debit cards....

--more--" 

I'm sure that will be making this year's guests feel secure about their personal information:

"Convention authority predicts big year" by Katie Johnston |  Globe Staff, December 24, 2013

The Massachusetts Convention Center Authority, which recently filed legislation for a $1 billion expansion at its South Boston exhibit hall, expects 2014 to be a record year.

The authority is forecasting that next year’s meetings and conventions will generate the most hotel room stays and associated economic impact in the city’s history. More than 750,000 attendees at roughly 250 events at the Boston Convention & Exhibition Center and Hynes Convention Center are projected to spend 629,000 nights in hotels and drum up $680 million in economic activity, breaking the 2006 record of 616,000 room nights and the 2012 record of $656 million.

The year kicks off with a skating rink being built at the Boston Convention & Exhibition Center for the Prudential US Figure Skating Championships Jan. 5-10. That will be followed by several large conferences projected to generate more room nights and spending than in the past, according to the authority.

Among the biggest events: the American College of Rheumatology’s November convention, with 38,358 room nights, and the American Society of Cataract and Refractive Surgery’s April gathering, with 35,475 room nights.

In 2013, the centers hosted 254 events with 770,000 attendees, who generated 462,000 hotel room night stays and $620 million.

--more--"

That's odd; no mention of the hacking of conventioneers.

"Conventioneers’ credit card data stolen in Boston; Hundreds of attendees at two conventions this fall affected" by Deirdre Fernandes |  Globe Staff, December 11, 2013

Hundreds of attendees at two large conventions in Boston this fall have reported that their credit card information was stolen and was used to purchase goods around the country and overseas.

Though it is unclear how the thefts occurred, many of the victims say they had used their credit cards in area restaurants and businesses, especially in the Seaport District, where the Boston Convention & Exhibition Center is located.

Convention officials and local businesses have said they contacted Boston and State Police, as well as the Secret Service, which also investigates data theft.

Victims said their credit card numbers were fraudulently used at a hearing aid company in North Carolina, at women’s clothing stores in New York City, and in drugstores and big box retailers around the country to buy gift cards that can be resold for cash....

Though the public authority that runs the convention center said the data breach did not occur at its facility, the timing of the thefts is inauspicious for the agency. In January, the Boston facility will host the annual meeting of convention planners — the professionals who advise associations and large groups where to hold their events....

Oh, HOW IRONIC! My suggestion would be LET'S NOT HOLD ANY in BOSTON! Pay only cash and let's get the hell out of here as we can.

Credit card theft is common, costing millions of American consumers and businesses billions of dollars....

Well, CERTAINLY the NSA and the TELECOMS must KNOW SOMETHING!

Massachusetts was home to one of the largest and most notorious such thefts on record — the 2007 hacking of retailer TJX Cos., in which thieves stole at least 130 million customer credit and debit card numbers....

Albert Gonzalez received a 20-year sentence in 2010 for his part in the thefts....

What the Globe won't tell you is he was employed by the U.S. government at the time and then claimed a lame Asperger's defense.

Restaurants are particularly vulnerable to credit card theft because servers walk away with diners’ cards. Wayward employees can simply write down the credit card information or use a device called a skimmer to capture not only the name, card number, expiration date, and security code, but the information in the magnetic stripe as well.

This gives thieves the ability to manufacture new cards that are indistinguishable from the originals, said Chris Zoladz, founder of Navigate LLC, an information protection and privacy consultancy in Germantown, Md.

“Any time a credit card is pulled out and presented to somebody, and put online for that matter,” Zoladz said, “any time it’s used, it’s at risk.”

--more--" 

I'm so glad I no longer have credit cards.

"Many more may be victims of data theft" by Deirdre Fernandes |  Globe Staff, December 12, 2013

The credit card theft that hit hundreds of attendees at conventions in Boston this fall could be much larger and include other victims throughout the city, police investigating the crime said Wednesday.

Uh-oh!

Boston Police Detective Steven Blair said the thefts were widespread and not limited to people who attended the conferences at the Boston Convention & Exhibition Center in October and November....

On Wednesday, the Massachusetts Convention Center Authority sought to reassure a group of convention planners scheduled to meet in Boston in January that the thefts did not take place inside the Boston facility, but rather perhaps at nearby restaurants and businesses.

The authority also disclosed that a dozen of its employees were also victimized by the thefts....

Victims told event organizers that while in Boston they primarily used their credit cards in nearby restaurants and businesses, such as M.J. O’Connor’s Restaurant and the City Bar, both of which are inside the Westin Boston Waterfront Hotel.

The Briar Group, which owns those businesses, said its security consultants have to date found no problems with its systems. The Westin also said it found no evidence of a breach in its systems.

In addition to the Boston Police probe, the thefts are being investigated by the state attorney general’s office and the US Secret Service. Police have reached out to the major credit card companies to help retrace the steps of potential victims and pinpoint where they used their credit cards.

Meanwhile, city leaders sought to head off any damage the data thefts might inflict on Boston’s booming tourism industry....

--more--"

At least RSA is looking after your data:

"Bedford’s RSA under fire after NSA allegations" by Michael B. Farrell and Hiawatha Bray |  Globe Staff, December 28, 2013

Cybersecurity experts and privacy advocates are continuing to press Bedford cybersecurity company RSA to reveal more details about its relationship with the National Security Agency’s spying program, with some critics calling for a boycott of the company’s upcoming annual convention.

Where they holding that convention?

A Dec. 20 Reuters article suggested that RSA, a division of the data storage giant EMC Corp. of Hopkinton, received $10 million from the NSA to modify one of its cybersecurity products, Bsafe, in a way that would allow the spy agency to get around computer safeguards and access sensitive data.

EMC and its division just happy to be one of the global leaders in government and industry storage of data -- and all the while were supplying the NSA with trap-door access!

Critics contend RSA has failed to clarify what its specific business dealings were with the NSA....

RSA and EMC each declined to comment Friday.

The product in question, Bsafe, is a widely used software tool designed to prevent hackers from breaking into software applications and stealing data....

Was TARGET TARGETED by the NSA!!???

Moreover, the RSA encryption software is used throughout EMC’s products, raising the possibility that data stored on EMC systems might be vulnerable.

The Reuters story said RSA installed a computer algorithm selected by the NSA into Bsafe, and made it the default number generator, so that it would more likely be used by customers. That could give the NSA the means to break into applications protected by the RSA product.

Earlier this year, leaks by former government contractor Edward Snowden revealed that the NSA had designed such an encryption formula and made it available to the cybersecurity industry.

Made it "available," huh? What if you didn't want it? NSA show you the file they have on you?

The Reuters article is the first account suggesting that RSA was paid to be complicit in using the NSA algorithm. The story quoted some in the industry who questioned whether RSA was duped into using the encryption tool by the NSA.

This past weekend, RSA acknowledged it had worked with the NSA on a computer code for its security products, as far back as 2004 — well before anyone had an inkling of the widespread snooping the agency would conduct....

The company’s statement, however, has failed to mollify many critics....

Now, just eight weeks before the company hosts its annual conference, one of the computer security industry’s most prestigious events, RSA is facing a growing backlash, from cyber professionals and privacy advocates alike.

Two prominent speakers have withdrawn from the conference, and talk of a boycott of the RSA Conference is spreading on social media.

You anti-semitic, I mean $security bastards!

“There are going to be economic consequences, especially outside the United States. The boycott of the RSA Conference is just the tip of the iceberg,” said Nicco Mele, a technology and policy expert at the Harvard Kennedy School.

Indeed, one of the first cybersecurity experts to withdraw from the conference was Mikko Hypponen, a well-known privacy specialist and chief research officer at the Finnish company F-Secure. Soon thereafter, Josh Thomas, an executive with Atredis Partners in Houston, also canceled his talk at the RSA Conference.

“I feel absolutely no need to go to that conference and speak, and by my actions and my words to further the RSA brand,” said Thomas, who worked for more than a decade developing artificial intelligence software for the Army and cryptographic software for the Pentagon.

Previously RSA earned a reputation for fighting the government’s efforts to weaken encryption tools. In the 1990s, under Jim Bidzos, former chief executive, it helped quash an NSA program to get telecommunications companies to adopt a chip that would make government eavesdropping easier.

Now its credibility is being called into question.

“What can RSA say? You caught us here, but we haven’t done it anywhere else? You can trust us?” said Bruce Schneier, author of multiple books on data security and privacy.

More broadly, said Schneier, the NSA spying scandal is taking a toll on the American technology industry.

For instance, he said, Cisco Systems Inc. said last month that customers in emerging markets are buying less of its equipment out of concern about built-in back doors that could let US spies access their data.

A bid by AT&T Inc. to buy the British cellphone company Vodafone Group PLC has faced pushback from European regulators worried about NSA infiltration of American telecommunications.

“This is the poison of what NSA has done,” said Schneier. “They’ve destroyed trust on the Internet.”

No, they have destroyed trust in government, authority, and its mouthpiece jewsmedia. The internet is the only thing I trust now.

Meanwhile, some smaller security companies that offer similar products to the RSA Bsafe tool kit may stand to benefit....

At least someone is over the construction of the totalitarian $urveillance state and its a$$ociated products.

--more--"