
2014/05/15

| 05.15.14 | Former Subway franchisee sells malicious POS systems to other stores


What's New:
1. Former Subway franchisee serves up infected POS systems to other stores
2. FireEye's Operation Saffron Rose report details new Iranian digital offensive capabilities
3. Target, Nike, other big retailers form cybersecurity information-sharing center
4. Most plaintiffs dismissed in SAIC's case of the unencrypted backup tapes

Spotlight:
8 questions the Board should ask the CEO about risk

Also Noted:
Winkler's run-in with Syrian Electronic Army; Is Linux secure?; more


FierceITSecurity

May 15, 2014

What's New

1. Former Subway franchisee serves up infected POS systems to other stores

By Derek C. Slater

More proof that simple hacks sometimes work. (And also that they sometimes get you caught.)

IDG News Service's Jeremy Kirk writes of the March indictment of Shahin Abdollahi, a former Subway restaurant franchise operator, on charges of Wire Fraud, Conspiracy and Criminal Forfeiture.

Abdollahi and another man allegedly sold point-of-sale systems to other Subway stores, then accessed those systems remotely after hours to load value onto Subway gift cards.

The scheme was strikingly straightforward. According to the indictment, Abdollahi became co-operator of POS Doctor, selling POS systems to Subway franchise operations. He and Jeffrey Wilkinson surreptitiously loaded the remote access application LogMeIn onto some of these systems before shipping them to Subway stores in various locations including Massachusetts, California and Wyoming.

They then accessed those systems and loaded dollar value onto gift cards already in their possession, either selling the cards on eBay and Craigslist (and delivering them by hand) or "making purchases at Subway restaurants" for themselves.

The Fierce Take: At least that indicates they believed in the product…

For more:
- See the indictment on DocumentCloud.org
- Read Kirk's version on Computerworld

More on fraud and POS systems:
'Swatting' Brian Krebs earns Canadian teen arrest
Newly rich Bitcoin users likely target for fraudsters, SEC warns
7 deadly sins: The most dangerous new attack techniques for 2014

 



2. FireEye's Operation Saffron Rose report details new Iranian digital offensive capabilities

By Derek C. Slater

A hacking group dubbed the Ajax Security Team, believed to be operating out of Iran, shows capabilities that have evolved in recent years from defacing websites to conducting malware-based espionage.

That's the lead conclusion in the new "Operation Saffron Rose" report issued by security vendor FireEye.

FireEye's research finds the Ajax group has used malware-based attacks to target U.S. defense organizations and successfully breached the Navy Marine Corps Intranet. They also take aim at dissidents within Iran, seeding versions of common anti-censorship tools, such as Psiphon and Ultrasurf, with malware and gathering information about users of those programs.

The report says the Iranian group comprises between five and 10 individuals. Their relationship to other groups and activity originating within Iran is unclear. FireEye says the capabilities and actions of the group mirror the earlier evolution of espionage groups operating out of China, though they are currently smaller in scale and less advanced.

For more:
- see FireEye's report [PDF]
- read Dark Reading's summary
- see TechTimes' writeup

More on advanced threats and cyber espionage:
Hackers get better while IT security falls further behind, says Verizon
Some security pros would lie to CEO about cyberattacks
Mathematical model may predict next Stuxnet
Spotlight: US panel calls for action against China for industrial cyberespionage

 

 



3. Target, Nike, other big retailers form cybersecurity information-sharing center

By Derek C. Slater

Tired of being bullied in the digital arena, major retailers are jumping onboard a new information sharing program under the auspices of the Retail Industry Leaders Association.

The Retail Cyber Intelligence Sharing Center comprises three elements:

  • a Retail Information Sharing and Analysis Center (ISAC)
  • an educational program
  • and a research program, in collaboration with academia.

Al Pascual, a Javelin Strategy and Research Analyst, tells BankInfoSecurity that retailers "have gotten significant heat" for not having an active ISAC like numerous other vertical industries (though ISACs are most plentiful in critical infrastructure industries). The RILA says it consulted with the FS-ISAC in financial services, as well as other long-standing information sharing groups, in forming the R-CISC program.

The Fierce Take: Retailers have been sharing information about organized retail crime and other shoplifting activities for many years. Interesting that it took so long to get together on cybercrime.

For more:
- see the RILA official announcement
- read BankInfoSecurity's coverage

More on retail security and information sharing:
'Dark web' behind massive retail breaches, says McAfee
Target data breach: A timeline
FS-ISAC threat information sharing helped thwart DDOS attacks against US banks

 



4. Most plaintiffs dismissed in SAIC's case of the unencrypted backup tapes

By Derek C. Slater

It's hard to keep data breaches straight any more, but maybe you'll remember this one: In 2011 an SAIC employee was driving unencrypted backup tapes from one facility to another for Tricare, a military health program provider. 

The tapes were stolen from the car, exposing personal data of about 4.9 million Tricare customers.

Eight different class-action lawsuits ensued, and were eventually consolidated into one lawsuit with 33 plaintiffs.

After last Friday, only two of those plaintiffs are still standing. A U.S. District Court ruled that the other 31 plaintiffs failed to meet the criterion of "plausibly assert[ing] that their data was accessed or abused."

The key question, according to the judge's statement, is when loss of data can confer legitimate standing on claims of injury. "Most [courts] have agreed that the mere loss of data--without evidence that it has been either viewed or misused--does not constitute an injury sufficient to confer standing. This court agrees," he wrote. 

Two of the plaintiffs showed sufficient evidence of harm and are being allowed to proceed to the next phase of the lawsuit. For the other 31, appeals may follow (don't they always?) 

Speaking to HealthInfoSecurity.com, privacy attorney Adam Greene made several important points about the ruling.

First, a District Court ruling is not binding on other districts. So this decision may or may not have any effect on other class action suits.

Second, *most* court decisions seem to be following the same line of thinking. However, some don't--Greene cites recent settlements paid by Stanford and AvMed over data breaches. Cases such as those "likely provide plenty of incentive for class action plaintiffs to continue to bring claims," he said.

The Washington Business Journal notes that the judge's decision also made mention of the fact that a GPS and car stereo were also taken, giving the impression of a "low-tech, garden-variety" theft as opposed to "a black-ops caper."

For more:
- read the report on HealthInfoSecurity
- and coverage in Washington Business Journal

More on data breaches:
Hospitals hit with largest-ever HIPAA fine over patient data exposed to search engines
After pledging to protect customer data, Orange reports second major data breach
33 lawsuits against Target over data breach will be heard by one Minnesota judge



Also Noted

TODAY'S SPOTLIGHT... 8 questions the Board should ask the CEO about risk

For most of us, the CEO is the one who asks the questions. For the Board of Directors, of course, the CEO is the one who has to supply answers. So what should the Board ask the CEO about risk management? Norman Marks has a few thoughts, such as: "Ask the CEO to describe the relationship between the executive leadership team and the risk function." Or how about "Ask internal audit and the risk officer to describe how they work together." There are six more. Should be a fun conversation. How many Boards are asking these questions? Our guess--not many.

 

> Ira Winkler: My run-in with the Syrian Electronic Army (Computerworld)
> Blade Runner redux: Do embedded systems need a time to die? (Security Ledger)
> Popular SIEM starter use cases (Gartner blogs)
> Is desktop Linux secure? (Datamation)
> Data breach roundup for April (eSecurityPlanet)

And Finally... Network admin allegedly hacked Navy--while on an aircraft carrier (Wired)

 



©2014 FierceMarkets, a division of Questex Media Group LLC

Contact Us

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.
