[SecurityRatty] tag: child

Gonzo: Two Thumbs In and Up

Thu, 17 Jul 2008 06:10:12 +0000

Just saw the Hunter S. Thompson movie - Gonzo, and if you are a fan you should to. Lots of good stuff in there, the film links various part of his life and career, and gives a pretty unvarnished view of the high highs and the low lows. Weaves in writing, politics, and fame seamlessly. I have never really had as much fun as early on in my career in the early-mid 90s I was a web programmer in Aspen, hacking CGI/PERL. Among the most fun things was building and running HST's site. My boss, Ed, was his neighbor. Ed was also seriously allergic to bees. One day he was alone in his house and got stung. He was dying. Luckily Hunter was due over to his house to watch a basketball game, walked in and called 911. My boss woke up in the ambulance with Hunter pounding on him chest and screaming at him. Ed said - "Waking up to that face screaming at me, I didn't know if I was alive or dead." Seeing the movie it was also great to see a lot of the Woody Creek folks again like George Stranahan, who lovingly said about Hunter - "my friend and neighbor who never paid his rent, broke up my marriage and taught my children to smoke dope. " Of course, there was no way he could match his early productivity and this is true of almost all artists. Most of the last two decades were wasted from a writing standpoint. However his piece written on 9/11 is as good as its gets:

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and 72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be ok with that and figure out how to deal if possible. (Note - it sure sometimes feels this way in software security). Speaking of security:

Security

by Hunter S. Thompson (1955).

Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut?

Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better What has he done except to sit and wait for the tomorrow which never comes?

Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must he laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences.

As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?

A ship is safest at port, but thats not why we build ships.

Lompoc's Comeback

Tue, 15 Jul 2008 06:57:35 +0000

I've been citing Lompoc, Calif., as a poster child of what can go wrong in municipal Wi-Fi for a few years: But I apparently have to change my tune. Lompoc, near Santa Barbara, had unreasonable expectations, if you read their first and second RFPs. The first provider built a network that Lompoc found unacceptable and they bid it out for a second network to be built (some of these details are murky and some under dispute).

What's been clear is that after spending more than $3m, the city couldn't acquire more than a few hundred regular subscribers, about 10 percent of the point they'd need to pay expenses and pay down capital outlay. But it turns out that the backend was as important as their network deployment, IDG News Service reports.

The latest city network administrator brought in Aptilo Networks for backend authentication and session processing, opened the network to 15-minute free trials, and started accepted ad hoc payment. The new network guru also let outsourced contracts expire and brought customer support and other services back in house to reduce expenses and improve the feedback loop. He discovered their existing authentication system was licensed for 500 users, so that might have explained their failure to grow, too.

The city now has 1,000 regular users at all levels, from pay-as-you-go to monthly household subscriptions. They've revised breakeven down to 2,000 subscribers, and say they are breakeven for expenses.

The other problem Lompoc had, by the way, is that the cable and telephone companies didn't sit still. I exaggerate, but when Lomopoc was planning its network, it had very poor coverage for its 42,000 residents for DSL and cable modem service. When the Wi-Fi network was announced, the incumbents started pulling copper, coax, and fiber, and dramatically improved network coverage. The $3m wasn't entirely ill spent so far: it was a kind of reverse incentive to the private companies to get their act together.

Wait a min, I use Comcast!

Sun, 13 Jul 2008 12:09:34 +0000

Cmon Comcast, Im ashamed ! I use your service.
On another note, way to go Verizon, Im a user with you too.

clipped from tech.blorge.com

AOL, AT&T join child porn battle

clipped from tech.blorge.com

AT&T and AOL (the largest and third-largest ISPs respectively) committed to blocking access to all newsgroups with child porn, along with offending websites stored on their servers. Verizon, Time Warner and Sprint had already agreed to this action.

Williamson County Schools learns of breach reported nine months ago

Sat, 12 Jul 2008 20:12:01 +0000

Technorati Tag: Security Breach

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen? If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding. Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools, Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement. Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information. Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist, Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber? This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment? Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information.", said Sharber
[Evan] The Liberty Coalition went public with this breach in October, 2007. I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches. I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing.", said Sharber

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company". Of course FRSecure would be glad to help. I promise to keep the plugs to a minimum .

Commentary:
OK. We all know that a breach affecting kids is especially bad. We all know that we are all human and all humans make mistakes. I presume that there are a number of risky information security behaviors at Williamson County Schools. This risky behavior just so happened to expose personal information online. What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role. I appreciate the motives of Aaron Titus and the Liberty Coalition. He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about). My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people. What drew my attention to his report was not the breach itself, but the way in which it he proceeded to report it. Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007 which is more than 9 months before the victims were ever made aware! According to the Liberty Coalition press release; "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals." It would have been nice if the victims were notified prior to a public press release. I wonder why Mr. Nugent's relationship with the school district wasn't known earlier. I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

The fact that some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

AT&T, AOL join other ISPs to block child porn

Thu, 10 Jul 2008 20:00:00 +0000

AT&T and AOL have joined three other major Internet service providers in eliminating access to child pornography newsgroups, New York Attorney General Andrew Cuomo said Friday.

How Can I Find Them? They Haven't Gone Missing!

Wed, 09 Jul 2008 08:45:35 +0000

I've often highlighted the utterly worthless spam messages that seem to endlessly circulate on Facebook, usually warning not to add (insert random name here) because they're an evil hacker and will destroy your PC, kill your family and so on.

Well, today I came across another such message:

.....insert gag about them being related to Chuck here....but underneath that message was something far more interesting:

Sounds serious, right? It seems personal, because it's their friend missing which adds a little more urgency - they provide a contact email address to notify them on, and it mentions a real world example of someone who went missing and was found via the Internet.

However.

Dig into this a little bit, and it all becomes clear quite quickly that something isn't quite right here. For starters, search for the missing persons name and there is no mention of him ever "going missing". Nothing on websites, news pages....it's like the whole thing is a work of fiction. In fact, buried in unrelated entries is the following snippet from a page on myyearbook.com:

Click to Enlarge

Check out the name of the "hacker" you shouldn't add. It seems someone has simply swiped the name and started pasting it into spam messages. A quick search of Facebook confirms the name and face go together.

A quick search for the email address listed as a contact brings up more interesting posts, this time posted to a personal blog:

Click to Enlarge

Same text....same reference to "real world" example....same email address. This person sure does get through a lot of missing friends! Note that this "missing person" chain letter has now stepped outside of Facebook and into other websites and networks.

At this point, you're probably wondering about the validity of the "real world" example, aren't you? Well, that would be a good idea! Notice they don't give any detail - it simply says "That is how the girl from Stevens Point was found by circulation of her picture on TV", and expect you to accept it as is. If you go searching for that phrase, it doesn't take long to find a page on Snopes.com regarding a missing girl hoax that stretches back some years:

"Please look at the picture, read what her father says, then forward his message on. Maybe if everyone passes this on, someone will see this child. That is how the girl from Stevens Point was found by circulation of her picture on tv..."

An email hoax, wrapped up and repackaged for the Facebook generation.

Can The Gov Be Trusted With Your Personal Data?

Thu, 26 Jun 2008 08:44:35 +0000

Survey says…(insert buzzer noise)

Faith in the (UK) gov’s ability to securely manage personal data is out the window.

From Reuters:

The inquiries followed Britain’s biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.

The reports concluded that it wasn’t individuals who were to blame - some 30 were officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain’s tax authority.

But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.

Well, where do you stand? Do you trust your respective government not to punt on data security?

Read on.

Article Link

Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08

Mon, 23 Jun 2008 04:11:34 +0000

Technorati Tag: Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen, Wired.com, 6/18/08

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

Security firm finds server with health-care data
By Jeremy Kirk, NetworkWorld, 6/18/08

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Bank scam spreads as institutions look for possible source of breach
By Leanne Tokars, WSBT Channel 22 News, 6/18/08

SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.

Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.

[Evan] This story is related to the "1st Source Bank reissues all debit cards in response to breach" posting on 5/30/08. Another supporting story; Fraudulent ATM transactions overseas could be tied to Indiana bank breach This is a winding storyline.

Parents livid over database putting student profiles, pictures online
By Mohit Joshi, Top News, 6/16/08

Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.

OneSchool, will provide each and every detail of the state's 480,000 public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.

[Evan] I think I’d be livid too. Are parents given the opportunity to opt out, without penalty or lost opportunities? "According to Education Minister Rod Welford, if the parents refuse to give their consent to their child being profiled, they could also be denied access to public education."

Blears PC loss - officials blamed
BBC News, 6/17/08

Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged.

The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data.

Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.

The computer contained a combination of constituency and government information relating to defence and extremism.

[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations. Mr. Housden claims that the files were "not secret". They certainly weren’t public, were they?

Personal details of thousands of patients stolen from hospital in new security blunder
By James Tozer, The Daily Mail, 6/18/08

Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday.

In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines.

It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London.

[Evan] This is six stolen laptops in one month, and the four breaches in one year?! The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth". Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."

To Readers: I am testing this weekly "Other noteworthy breaches" post. I am using this first one to gauge interest and decide if it is something we should continue. Please feel free to comment.

Security Circumvented: My Anti-Virus

Thu, 19 Jun 2008 23:31:34 +0000

I recently needed to renew the anti-virus subscription on my tablet PC. Of course, Symantec popped up and let me know well in advance, and of course, I waited until the almost-last-day before I renewed.

When my renewal options appeared, there was a selection to upgrade to the shiny new Norton 360. Woo hoo! It listed all these great new security features… I don’t remember what they were… but, they sounded REALLY great (I promise).

So I went with the upgrade, instead of the anti-virus signature renewal. Okay.

It did seem like a good idea at the time. However, in addition to my overly-protective Vista popups eeeevvvvery time I want to run something, connect somewhere, or wipe my nose… Now, I have the Vista pop up AND the Norton 360 popup. Okay.

Except, the Norton pops up with flagrantly ambiguous information like “An application is trying to access your Internet.” Do I want to allow it? I don’t know. How am I supposed to know- which application wants to access my Internet? Oh, it’s not going to tell me. Okay.

Well, I guess I’ll click ‘Allow’ because I have no clue what is trying to access my Internet, but I’ll assume it’s something that I have somehow asked to access my Internet… and I’ll be quite upset if whatever I clicked on doesn’t work. So YES, ALLOW. Okay again.

And what was the point in that? One click has transformed to three, and I’m no more secure than I was before, I’m just being forced to make more clicks to earn my insecurity. So today I am the poster child of what NOT to do.

Security circumvented is quite possibly worse than no security at all. I see visions of ‘invalid browser certificate’ notices dancing in my head.

# # #

Q&A: A misconfigured laptop; a wrecked life

Wed, 18 Jun 2008 09:00:00 +0000

Michael Fiola's laptop set off a chain of events that would cost him his job, his friends and about a year of his life, as he fought criminal charges that he had downloaded child pornography onto the laptop. He talks about the case, which prosecutors dropped last week.