<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: connecticut]]></title>
    <link>http://securityratty.com/tag/connecticut</link>
    <description></description>
    <pubDate>Sat, 26 Apr 2008 20:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Should BRIC be BIIC?]]></title>
      <link>http://securityratty.com/article/aa3f442ce62735204c29d3d8180fc691</link>
      <guid>http://securityratty.com/article/aa3f442ce62735204c29d3d8180fc691</guid>
      <description><![CDATA[People who follow emerging economies know BRIC (Brazil, Russia, India, China). There are some serious doubts on Russia's margin of safety for investors,(see previous post ), noted China bull Jim...]]></description>
      <content:encoded><![CDATA[<p>People who follow emerging economies know BRIC (Brazil, Russia, India, China). There are some serious doubts on Russia&#39;s margin of safety for investors (see previous <a href="http://1raindrop.typepad.com/1_raindrop/2008/08/corporate-identity-theft.html">post</a>), noted China bull <a href="http://www.moneymorning.com/2008/04/15/jim-rogers-chinas-economic-advance-is-all-but-unstoppable/">Jim Rogers</a>:</p><blockquote><p>&quot;Q: Where do you see Russia fitting into this as it comes onto the scene?</p><p>Rogers: I don’t. Russia will continue to disintegrate. The Soviet Union has already broken up into 15 countries. Putin controls Petersburg, Moscow, a few airports, et cetera, but Russia never has been a homogeneous [nation] - I mean, in the Soviet Union there were 124 - the &quot;official&quot; number was 124 - ethnic, linguistic, religious, historic and national groups.</p><p>It’s broken up into 15 states. It’ll be 50 … it’ll be 100 [states] before it’s over. Ukraine may break up next. Who knows who’ll break up [after that]? Maybe even parts of Russia.</p><p>To the bulls who say I’m wrong, my rejoinder is this: Let me ask you about Chechnya. The Russians have been trying to deal with Chechnya for 15 years with no success.</p><p>Chechnya’s the size of Connecticut. Chechnya has a million-and-a-half people. If they can’t handle Chechnya, how is the Soviet Union, or Russia, going to handle these other places that are pulling away?</p><p>There’s capitalism there, but it’s outlaw capitalism. If you’re good with dealing with the Mafia, you can probably make a fortune, if you’re on the ground [there]. For the most part, they have a lot of natural resources, which has been great.</p><p>They have huge foreign reserves, but they’re stripping the assets.</p><p>They’re not reinvesting for the most part in productive capacity. They’re stripping the assets. You know, oil production has peaked in Russia, even though there could conceivably be gigantic amounts of oil there somewhere. Nearly everything has peaked, because they have been stripping the assets, rather than reinvesting.&quot;</p></blockquote><p>To quote Charles Barkley, &quot;that&#39;s why I don&#39;t eat shrimp.&quot; The future for all the BRIC countries is probably bright in the long run, but in the short run where is the margin of safety for an investor in Russia?</p><p>Maybe instead of BRIC it should be BIIC - Brazil, India, Indonesia and China. Indonesia just reported its seventh consecutive quarter of GDP growth in excess of 6%. It&#39;s the fourth largest country in the world with 240 million people and 17,000 islands. It&#39;s one to watch.</p>]]></content:encoded>
      <pubDate>Sat, 16 Aug 2008 06:14:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/russia">russia</category>
      <category domain="http://securityratty.com/tag/bric">bric</category>
      <category domain="http://securityratty.com/tag/handle">handle</category>
      <category domain="http://securityratty.com/tag/soviet union">soviet union</category>
      <category domain="http://securityratty.com/tag/handle chechnya">handle chechnya</category>
      <category domain="http://securityratty.com/tag/chechnya">chechnya</category>
      <category domain="http://securityratty.com/tag/countries">countries</category>
      <category domain="http://securityratty.com/tag/bric countries">bric countries</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/08/should-bric-be-biic.html">Should BRIC be BIIC?</source>
    </item>
    <item>
      <title><![CDATA[AOL phisher gets seven year sentence]]></title>
      <link>http://securityratty.com/article/82cb875d136d1535b862f9b0486d97ab</link>
      <guid>http://securityratty.com/article/82cb875d136d1535b862f9b0486d97ab</guid>
      <description><![CDATA[A West Haven, Connecticut, man has been sentenced to seven years in prison for masterminding a phishing...]]></description>
      <content:encoded><![CDATA[<p>A West Haven, Connecticut, man has been sentenced to seven years in prison for masterminding a phishing scheme ...
</p>]]></content:encoded>
      <pubDate>Wed, 13 Aug 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/west">west</category>
      <category domain="http://securityratty.com/tag/scheme">scheme</category>
      <category domain="http://securityratty.com/tag/prison">prison</category>
      <category domain="http://securityratty.com/tag/connecticut">connecticut</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/364401753/article.do">AOL phisher gets seven year sentence</source>
    </item>
    <item>
      <title><![CDATA[Metro Round-Up: Cablevision Update; Springfield (Mich.)]]></title>
      <link>http://securityratty.com/article/04d2b01379cd1ae8f0505f615eab7ead</link>
      <guid>http://securityratty.com/article/04d2b01379cd1ae8f0505f615eab7ead</guid>
      <description><![CDATA[Cablevision says it's already spent $20m towards its plan to build out Wi-Fi across its operating territory: The cable firm has $300m budgeted to put Wi-Fi in place for its higher-tier subscribers at...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://www.newsday.com/business/ny-bzwifi0801,0,5681847.story"><strong>Cablevision says it's already spent $20m towards its plan to build out Wi-Fi across its operating territory:</strong></a> The cable firm has $300m budgeted to put Wi-Fi in place for its higher-tier subscribers at no cost across Long Island and parts of New Jersey and Connecticut, as well as New York City and Westchester County. Cablevision thinks their network will be good enough to replace cell phones across their coverage, which ties in with the quadruple play many cable operators are aiming for: data, voice, video, and mobile.</p>

<p><a href="http://www.battlecreekenquirer.com/apps/pbcs.dll/article?AID=/20080801/NEWS01/808010366/1002/NEWS01"><strong>Springfield, Mich., puts in its first antennas for a city-wide network:</strong></a> The network is being built with a $750,000 grant from a state development corporation to extend access and improve the business climate. Access will cost $10 per month for residents after an initial free period while the service powers up.</p>]]></content:encoded>
      <pubDate>Fri, 01 Aug 2008 10:49:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/city-wide network">city-wide network</category>
      <category domain="http://securityratty.com/tag/cablevision">cablevision</category>
      <category domain="http://securityratty.com/tag/extend access">extend access</category>
      <category domain="http://securityratty.com/tag/initial free period">initial free period</category>
      <category domain="http://securityratty.com/tag/replace cell phones">replace cell phones</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/higher-tier subscribers">higher-tier subscribers</category>
      <category domain="http://securityratty.com/tag/development corporation">development corporation</category>
      <source url="http://wifinetnews.com/archives/008408.html">Metro Round-Up: Cablevision Update; Springfield (Mich.)</source>
    </item>
    <item>
      <title><![CDATA[CTW Library Consortium Computers Containing A Database Breached By Hackers]]></title>
      <link>http://securityratty.com/article/48e491531ce5b90440ddbf0f937d366b</link>
      <guid>http://securityratty.com/article/48e491531ce5b90440ddbf0f937d366b</guid>
      <description><![CDATA[Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday. The...]]></description>
      <content:encoded><![CDATA[Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday. The database included the names, addresses, social security and driver’s license numbers. The personal information on the servers belonged to 12 Wesleyan University library patrons, approximately 2,800 Connecticut College library [...]]]></content:encoded>
      <pubDate>Tue, 29 Jul 2008 06:46:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/connecticut college">connecticut college</category>
      <category domain="http://securityratty.com/tag/connecticut college library">connecticut college library</category>
      <category domain="http://securityratty.com/tag/connecticut college officials">connecticut college officials</category>
      <category domain="http://securityratty.com/tag/database">database</category>
      <category domain="http://securityratty.com/tag/computer servers">computer servers</category>
      <category domain="http://securityratty.com/tag/servers">servers</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <category domain="http://securityratty.com/tag/drivers license">drivers license</category>
      <source url="http://cyberinsecure.com/ctw-library-consortium-computers-containing-a-database-breached-by-hackers/">CTW Library Consortium Computers Containing A Database Breached By Hackers</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: Sprint Treo 800w, New Wireless in Portland (Ore.), Hartford (Conn.) Fail]]></title>
      <link>http://securityratty.com/article/f1981ba4dac94faf8437d40c4aeb2ef4</link>
      <guid>http://securityratty.com/article/f1981ba4dac94faf8437d40c4aeb2ef4</guid>
      <description><![CDATA[Palm Treo 800w released: Sprint is offering the EVDO/Wi-Fi phone with Windows Mobile 6.1 and built-in GPS. The phone is $250 with a two-year contract. This is apparently the phone that Palm should...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://reviews.cnet.com/smartphones/palm-treo-800w-sprint/4505-6452_7-33142476.html"><strong>Palm Treo 800w released:</strong></a> Sprint is offering the EVDO/Wi-Fi phone with Windows Mobile 6.1 and built-in GPS. The phone is $250 with a two-year contract. This is apparently the phone that Palm should have released a couple of years ago; now, it's unfavorably compared to the iPhone except for keyboard entry and the ability to subscribe ($10/mo) for turn-by-turn live navigation. You'll note that applications are scarcely mentioned, which is one of the linchpins of the iPhone. This is a business phone with productivity tools--unlike the iPhone, you can use on-board apps to create and edit Word and Excel documents, not just view them. There's also no store mentioned for purchasing video and audio, or software for synchronizing them. The reviewer finds the video quality washed out as well, and the 320-by-320-pixel touchscreen is a bit small compared to other smartphones that focus on video.</p>

<p><a href="http://ir.proxim.com/releasedetail.cfm?ReleaseID=321784"><strong>Stephouse steps into Portland, Ore., void:</strong></a> Local firm <a href="http://www.stephouse.net/Enterprise"><strong>Stephouse</strong></a> has built out 5 sq mi of business-grade wireless availability in downtown Portland and 2 sq mi in an underserved part of north Portland using Proxim gear for both Wi-Fi and WiMax service. Wi-Fi use is $20 per month or 1 free hour per day up to 10 free hours per month. The offering seems to focus on the business side, though, in competition with services like Towerstream. Prices aren't listed on the company's site.</p>

<p><a href="http://www.hartfordbusiness.com/news6031.html"><strong>Hartford drops Wi-Fi effort:</strong></a> Connecticut's troubled capital city has given up on city-wide Wi-Fi. No surprise. No firms ready to build for free, no money, no tangible goals. My wife grew up in the suburb to the west--West Hartford, prosaically enough--and speculates that the lack of county-oriented government in Connecticut has doomed Hartford to be a civic wasteland. It's recovering a bit as housing affordability goes up, and there's more going on in the city than there used to be. But there won't be Wi-Fi. Incidentally, the <a href="http://www.marktwainhouse.org/"><strong>Mark Twain House & Museum in Hartford</strong></a>, home of one of the world's first bloggers, is near financial ruin. It's a great piece of American history; I'm hoping it's saved again--it's had many lives since Twain built it and went bankrupt.</p>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 06:45:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hartford">hartford</category>
      <category domain="http://securityratty.com/tag/portland">portland</category>
      <category domain="http://securityratty.com/tag/city-wide wi-fi">city-wide wi-fi</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/business phone">business phone</category>
      <category domain="http://securityratty.com/tag/phone">phone</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/business-grade wireless availability">business-grade wireless availability</category>
      <category domain="http://securityratty.com/tag/free hour">free hour</category>
      <source url="http://wifinetnews.com/archives/008394.html">Wee-Fi: Sprint Treo 800w, New Wireless in Portland (Ore.), Hartford (Conn.) Fail</source>
    </item>
    <item>
      <title><![CDATA[Confidential Connecticut Department of Labor mailing is missing]]></title>
      <link>http://securityratty.com/article/56e33af0120170cd6188b6bb335bb472</link>
      <guid>http://securityratty.com/article/56e33af0120170cd6188b6bb335bb472</guid>
      <description><![CDATA[Date Reported
6/2/08

Organization
State of Connecticut

Contractor/Consultant/Branch
Connecticut Department of Labor

Victims
Customers

Number Affected
2,160

Types...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/cdol.jpg" align="right" height="120" width="151"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/2/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.ct.gov/">State of Connecticut</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ctdol.state.ct.us/index.htm">Connecticut Department of Labor</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>2,160<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information, including name, address and Social Security number"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ctdol.state.ct.us/communic/2008-6/contacting.htm">Connecticut Department of Labor</a> <br><a href="http://www.courant.com/news/local/hc-aplabor0603.artjun03,0,1589071.story">Associated Press via The Hartford Courant</a> <br><a href="http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--lostlaborrecords0602jun02,0,7864495.story">Newsday</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Connecticut Department of Labor<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.<br><br>the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully 
destroyed<br><br>Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21<br><br>we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised<br><br>The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.<br><br>Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.<br><span style="font-style: italic;">[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?</span><br><br>we do not believe information on these letters will be used in a manner that will compromise the security of these residents<br><br>we have arranged for two years of free preventative services through the Debix Identity Protection Network<br><span style="font-style: italic;">[Evan] Two years is much better than the semi-standard one year given by many organizations.&nbsp; Government breaches tick me off a little more than most.&nbsp; One reason is the fact that taxpayers get to foot the bill.</span><br><br>We sincerely regret any inconvenience or concern that has been caused by this situation<br><br>the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system<br><br>Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.<br><span style="font-style: italic;">[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information.&nbsp; 
Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers.&nbsp; I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary.&nbsp; I don't think that federal law requires that these mailings include Social Security numbers.</span><br><br>Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.<br><br><span style="font-weight: bold;">Commentary:</span><br>If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.<br><br>Information security personnel don't currently review mailed information prior to release in the companies I consult for.&nbsp; This breach gets me thinking about a potential risk that I may have missed in my assessments.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>September, 2007 - <a href="http://breachblog.com/2007/09/20/conndcf2.aspx">Stolen laptop contains names and allegations in state DCF cases</a> <br>August, 2007 - <a href="http://breachblog.com/2007/08/28/state-of-connecticut-stolen-laptop.aspx">State of Connecticut Stolen Laptop</a> </font><br><br>
]]></content:encoded>
      <pubDate>Tue, 10 Jun 2008 08:00:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/additional security features">additional security features</category>
      <category domain="http://securityratty.com/tag/entire social security">entire social security</category>
      <category domain="http://securityratty.com/tag/connecticut department">connecticut department</category>
      <category domain="http://securityratty.com/tag/connecticut">connecticut</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <source url="http://breachblog.com/2008/06/10/cdol.aspx">Confidential Connecticut Department of Labor mailing is missing</source>
    </item>
    <item>
      <title><![CDATA[LPL Financial reports eighteen compromised logons]]></title>
      <link>http://securityratty.com/article/cacd9aa988fd370cb50e60d379a7975a</link>
      <guid>http://securityratty.com/article/cacd9aa988fd370cb50e60d379a7975a</guid>
      <description><![CDATA[Date Reported
5/6/08

Organization
LPL Financial

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
10,219

Types of Data
names, addresses, phone...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/lpl.jpg" align="right" height="60" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.lpl.com/">LPL Financial</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>10,219<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, phone numbers, account numbers, Social Security numbers, and dates of birth"<br><br><span style="font-weight: bold;">Breach Description:</span><br>LPL Financial recently notified the Maryland State Attorney General of a breach in which "hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL")."&nbsp; The "hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-152079.pdf">Maryland State Attorney General breach notification</a>&nbsp; <br><br><span style="font-weight: bold;">Report Credit:</span><br>Maryland State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We write to advise you of incidents in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL").<br><span style="font-style: italic;">[Evan] How does a "hacker" compromise usernames and passwords of eighteen people working for the same company?&nbsp; Compromised logon server, spear phishing, malware?</span><br><br>To our knowledge, the hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny 
stocks.<br><br>Attempted transactions were intercepted and either rejected or reversed.<br><br>No losses were passed on to customers<br><br>Hackers compromised the logon passwords of fourteen financial advisors and four assistants in branch offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months.<br><br>These incidents affected approximately 10,219 individuals<br><br>The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.<br><span style="font-style: italic;">[Evan] I don't know the architecture of LPL's network or other infrastructure components, but I question why customers or financial advisors need access to Social Security numbers as part of a trading system.&nbsp; I know that LPL needs to store Social Security numbers for tax and other reporting purposes, but financial advisors, traders and customers don't need access to them.</span><br><br>At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach<br><br>We also are unaware of any personal instance of identity theft related to these incidents.<br><br>LPL learned of the first incident on July 16, 2007 and took the following actions: (1) notified law enforcement; (2) notified our primary regulator, the Financial Industry Regulatory Authority; (3) investigated the situation; (4) determined what information had been compromised; and (5) notified and offered solutions to the affected individuals.<br><br>LPL has taken several important steps to improve its level of data security and compliance<br><br>LPL has increased the profile of data security issues within the company at all levels, up to and including senior management.<br><br>In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at 
LPL.<br><span style="font-style: italic;">[Evan] This is the first breach notification that I have read that included this type of information.&nbsp; I don't know Mr. Loewenthal (which doesn't say too much), but I do know that he is stepping into a pressure situation.</span><br><br>Mr. Loewenthal has extensive experience in the area of data protection.&nbsp; As a member of senior management, he reports directly to the Chief Risk Officer of LPL.<br><span style="font-style: italic;">[Evan] I like when I read about information security personnel occupying "senior management" positions.&nbsp; Effective information security management needs to be as "senior" as possible in order to effect change in the organization.&nbsp; Information security governance is NOT an IT issue, but an organizational issue.&nbsp; There needs to be more good CISOs and CSOs.</span><br><br>In addition, LPL has developed a new, comprehensive information privacy and security program with new policies and procedures that were implemented in April 2008.<br><br>In August 2007, LPL engaged the services of Kroll Inc. ("Kroll"), a risk consulting company, to provide various services<br><br>In addition, LPL has commenced a project to enhance security on its advisor facing trading and operations systems in September 2007 and expects the project to complete in December 2008.<br><span style="font-style: italic;">[Evan] Details are not available, but I would be interested in knowing more.&nbsp; Maybe removal of SSNs from the advisor facing trading systems and two-factor authentication are part of the mix.</span><br><br>Finally, LPL recently engaged the services of Edwards Angell Palmer &amp; Dodge LLP to advise Mr. 
Loewenthal and LPL's in-house counsel as needed on information privacy and security issues.<br><br>LPL Financial is providing affected individuals with credit protection services from Kroll, Inc.<br><br>If you have any questions or feel you have an identity theft issue, please call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.<br><br>If you want to talk to someone at LPL Financial to clarify or discuss the contents of this letter, please call us 1-800-558-7567, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.<br><br>We apologize for any inconvenience or concern this situation may cause.<br><br>We at LPL Financial believe it is important for you to be fully informed of any potential risk resulting from this incident.<br><br>We remain committed to maintaining customer privacy as a key priority and will continue to take the needed steps to protect your information.<br><br><span style="font-weight: bold;">Commentary:</span><br>What makes this breach so interesting to me is the fact that there were at least 18 points of attack.&nbsp; I don't get the feeling that this was some sophisticated high-tech "hack" of LPL Financial's systems.&nbsp; It is much easier to craft an email or call someone and convince them to give you their login information.&nbsp; <br><br>Good luck Mr. Loewenthal, I'm sure you'll do fine! <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 20 May 2008 04:56:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lpl financial">lpl financial</category>
      <category domain="http://securityratty.com/tag/lpl">lpl</category>
      <category domain="http://securityratty.com/tag/lpl financial recently">lpl financial recently</category>
      <category domain="http://securityratty.com/tag/lpl recently">lpl recently</category>
      <category domain="http://securityratty.com/tag/login information">login information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security governance">information security governance</category>
      <category domain="http://securityratty.com/tag/information privacy">information privacy</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://breachblog.com/2008/05/20/lpl.aspx">LPL Financial reports eighteen compromised logons</source>
    </item>
    <item>
      <title><![CDATA[SCSU web server becomes spam server and exposes personal information]]></title>
      <link>http://securityratty.com/article/3c31bfb37a4fd50836b6330ede592347</link>
      <guid>http://securityratty.com/article/3c31bfb37a4fd50836b6330ede592347</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/24/08

Organization
Southern Connecticut State University

Contractor/Consultant/Branch
None

Victims
Current and former students

Number Affected...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/scsu.jpg" align="right" height="62" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/24/08<br><br><span style="font-weight: bold;">Organization: </span><br>Southern Connecticut State University<br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Current and former students<br><br><span style="font-weight: bold;">Number Affected:</span><br>11,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses and Social Security numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.southernct.edu/creditmonitoring/">SCSU Alert</a> <br><a href="http://www.pcworld.com/businesscenter/article/145087/after_web_defacement_university_warns_of_data_breach.html">PCWorld</a> <br><a href="http://www.nbc30.com/education/15979690/detail.html">NBC Channel 30 News</a> <br><a href="http://chronicle.com/wiredcampus/index.php?id=2940">Chronicle of Higher Education</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Southern Connecticut State University<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br><span style="font-weight: bold;">From the University's Alert Page:</span><br>During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.<br><span style="font-style: 
italic;">[Evan] As you will read further in this posting, the web server appears to have been compromised.&nbsp; I don't think "could have been vulnerable" is an accurate assessment.&nbsp; The information <span style="font-weight: bold;">WAS </span>vulnerable.</span><br><br>The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation. <br><br>Records of about 11,000 students had been stored in the file dating back to 2002.<br><span style="font-style: italic;">[Evan] Personal information belonging to thousands of people on a public web server.&nbsp; UGH.</span><br><br>Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.<br><br>There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.<br><span style="font-style: italic;">[Evan] Even novice web site administrators log access to web pages and files.&nbsp; If the attacker accessed the file through the web service/daemon, then access was probably logged.&nbsp; If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access.&nbsp; Either way, I assume that the file could have been accessed easily.</span><br><br>The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.<br><span style="font-style: italic;">[Evan] What is proactive in a response?</span><br><br>The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.<br><span style="font-style: italic;">[Evan] The University should undertake a 
review of all files containing personal (and other confidential) information everywhere, not just its Web server.&nbsp; Why would personal information storage be permitted at all on a web server?</span><br><br>Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.<br><span style="font-style: italic;">[Evan] At the "university's expense" means at the current and future students' expense.&nbsp; As the cost of business goes up, so does the cost of service (at some point), which means an increase in the price of tuition or an increase in taxes (SCSU is a member of the Connecticut State University System).&nbsp; Does this sound like good management?</span><br><br>A help desk has been established to respond to questions. The help desk number is (203) 392-7216 and will be staffed between the hours of 8:30 a.m. and 4:30 p.m.<br><br>A dedicated Web page, containing updated information, has been created and may be accessed at <a href="http://www.southernct.edu/creditmonitoring/">www.southernct.edu/creditmonitoring/</a><br><br><span style="font-weight: bold;">Now From Outside Sources:</span><br>Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.<br><span style="font-style: italic;">[Evan] Do you see how the school's alert web site differs from outside sources?&nbsp; See a spin (one way or the other)?&nbsp; Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time?&nbsp; Maybe a combination of the two.</span><br><br>The personal data was in a file on the 
university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.<br><span style="font-style: italic;">[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.</span><br><br>"The hackers were using our Web server as a host for their own Web site," he said.<br><br>Pages on the university's site contained ads for diamond rings, Viagra and Cialis.<br><br>After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.<br><br>The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate.<br><br>Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.<br><br><span style="font-weight: bold;">Commentary:</span><br>There are so many things wrong with this that it is hard to know where to start.&nbsp; Will anyone be held accountable?<br><br><span style="font-weight: bold;">Past Breaches:</span><br>April, 2008 - <a href="http://breachblog.com/2008/04/21/sungard.aspx">Stolen SunGard laptop affects at least 10 post-secondary schools</a> (PogoWasRight has been keeping a running update of the Sungard breach; check out their <a href="http://www.pogowasright.org/search.php?type=all&amp;query=Sungard&amp;mode=search&amp;Submit=Search">search</a>.)</font><br><br>
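The log check that Evan's comment above points at ("if the attacker accessed the file through the web service/daemon, then access was probably logged") is the first question an incident responder asks in a case like this: which hosts successfully requested paths under the exposed directory, and who else was probing it? The script below is an added example; it is not part of the original post, of breachblog's code, or of SCSU's response. It assumes Apache/nginx "combined" access-log format, a hypothetical /records/ path for the graduation file (the real path is not given by any source), and the log lines and IP addresses in it are constructed for illustration (RFC 5737 documentation ranges).<br><br>

```python
"""Added example (not from the original post or from SCSU): scan a combined-format
web access log for requests that touched a path that should never have been
web-reachable. Hypothetical path /records/ and constructed log lines."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Apache "combined" log format:
#   host ident authuser [date] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


@dataclass
class Hit:
    host: str
    time: str
    method: str
    path: str
    status: int
    size: int
    agent: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; None for anything that does not match
    (rotated-log headers, truncated writes, text injected into the log)."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    return Hit(
        host=m["host"], time=m["time"], method=m["method"],
        path=m["path"].split("?", 1)[0],  # drop the query string before matching
        status=int(m["status"]),
        size=0 if m["size"] == "-" else int(m["size"]),
        agent=m["agent"] or "",
    )


def find_exposure(lines: Iterable[str], sensitive_prefixes: Iterable[str],
                  trusted_hosts: Iterable[str] = ()) -> Tuple[List[Hit], List[Hit]]:
    """Split requests against sensitive paths into:
    served - 2xx responses to untrusted hosts (the data actually left the server)
    probes - every other request against those paths (403/404/redirects), which
             shows who was looking even when they did not get the file.
    Requests from trusted_hosts (e.g. the records office) are ignored."""
    prefixes = tuple(sensitive_prefixes)
    trusted = set(trusted_hosts)
    served: List[Hit] = []
    probes: List[Hit] = []
    for line in lines:
        hit = parse_line(line)
        if hit is None or not hit.path.startswith(prefixes) or hit.host in trusted:
            continue
        (served if 200 <= hit.status < 300 else probes).append(hit)
    return served, probes


def hosts_by_bytes(served: List[Hit]) -> Counter:
    """Bytes of sensitive content delivered per host (who got the whole file)."""
    totals: Counter = Counter()
    for h in served:
        totals[h.host] += h.size
    return totals


# Constructed sample log; 10.0.0.5 stands in for the records office workstation.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2008:09:12:05 -0400] "GET /records/graduation.csv HTTP/1.1" 200 884213 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2008:03:40:58 -0400] "GET /records/ HTTP/1.0" 403 217 "-" "Wget/1.10.2"
198.51.100.9 - - [09/Apr/2008:03:41:02 -0400] "GET /records/old.csv HTTP/1.0" 404 209 "-" "Wget/1.10.2"
192.0.2.44 - - [09/Apr/2008:03:41:17 -0400] "GET /records/graduation.csv?dl=1 HTTP/1.1" 200 884213 "-" "Wget/1.10.2"
203.0.113.7 - - [09/Apr/2008:04:02:33 -0400] "GET /rings/cheap-diamond-rings.html HTTP/1.1" 200 3011 "http://example.net/" "Mozilla/4.0"
this line was not written by the web server
"""


if __name__ == "__main__":
    served, probes = find_exposure(SAMPLE_LOG.splitlines(), ["/records/"],
                                   trusted_hosts={"10.0.0.5"})
    for h in served:
        print(f"SERVED {h.host} {h.time} {h.path} {h.size} bytes ({h.agent})")
    for h in probes:
        print(f"PROBE  {h.host} {h.time} {h.path} -> {h.status}")
    print(hosts_by_bytes(served).most_common())
```

On the constructed sample this reports one full download of the graduation file by 192.0.2.44 and two failed probes of the same directory from 198.51.100.9 a few seconds earlier; the request for the injected ring-ad page is not flagged because it is outside the sensitive prefix. Two caveats a responder would add: a 2xx with a byte count equal to the file size is the strong signal, while a 206 or a small 200 may be a partial read, and this only covers requests that went through httpd. If, as the spam pages suggest, the intruders had code running on the host, the file could have been read directly from disk and the access log itself could have been edited, so the check should be run against an off-host copy of the log where one exists.<br><br>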
]]></content:encoded>
      <pubDate>Fri, 02 May 2008 07:12:47 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/evan personal information">evan personal information</category>
      <category domain="http://securityratty.com/tag/web server">web server</category>
      <category domain="http://securityratty.com/tag/personal information storage">personal information storage</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/university system">university system</category>
      <category domain="http://securityratty.com/tag/personal">personal</category>
      <category domain="http://securityratty.com/tag/university immediately">university immediately</category>
      <source url="http://breachblog.com/2008/05/02/scsu.aspx">SCSU web server becomes spam server and exposes personal information</source>
    </item>
    <item>
      <title><![CDATA[U.S. man gets 30 months in prison for 'warez' operation]]></title>
      <link>http://securityratty.com/article/89fd428975962f4dd79ed7b4cfdb0068</link>
      <guid>http://securityratty.com/article/89fd428975962f4dd79ed7b4cfdb0068</guid>
      <description><![CDATA[A Woodbury, Connecticut, man has been sentenced to 30 months in prison for operating Web sites where users could download unauthorized copies of movies, music and software titles, the U.S. Department...]]></description>
      <content:encoded><![CDATA[A Woodbury, Connecticut, man has been sentenced to 30 months in prison for operating Web sites where users could download unauthorized copies of movies, music and software titles, the U.S. Department of Justice announced.]]></content:encoded>
      <pubDate>Tue, 29 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web sites">web sites</category>
      <category domain="http://securityratty.com/tag/prison">prison</category>
      <category domain="http://securityratty.com/tag/software titles">software titles</category>
      <category domain="http://securityratty.com/tag/months">months</category>
      <category domain="http://securityratty.com/tag/department">department</category>
      <category domain="http://securityratty.com/tag/copies">copies</category>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/connecticut">connecticut</category>
      <category domain="http://securityratty.com/tag/woodbury">woodbury</category>
      <source url="http://www.networkworld.com/news/2008/043008-us-man-gets-30-months.html?fsrc=rss-security">U.S. man gets 30 months in prison for 'warez' operation</source>
    </item>
    <item>
      <title><![CDATA[UConn bookstore sells drive holding personal data]]></title>
      <link>http://securityratty.com/article/08a7f5a34e5abfd950f41202948ac0aa</link>
      <guid>http://securityratty.com/article/08a7f5a34e5abfd950f41202948ac0aa</guid>
      <description><![CDATA[University of Connecticut police are investigating how a hard drive containing personal documents and photos from about 10 students, faculty and non-university individuals was accidentally sold last...]]></description>
      <content:encoded><![CDATA[University of Connecticut police are investigating how a hard drive containing personal documents and photos from about 10 students, faculty and non-university individuals was accidentally sold last week by the school's bookstore to a student on campus.]]></content:encoded>
      <pubDate>Sat, 26 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/non-university individuals">non-university individuals</category>
      <category domain="http://securityratty.com/tag/connecticut police">connecticut police</category>
      <category domain="http://securityratty.com/tag/personal documents">personal documents</category>
      <category domain="http://securityratty.com/tag/bookstore">bookstore</category>
      <category domain="http://securityratty.com/tag/hard drive">hard drive</category>
      <category domain="http://securityratty.com/tag/photos">photos</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <category domain="http://securityratty.com/tag/faculty">faculty</category>
      <source url="http://www.networkworld.com/news/2008/042408-uconn-bookstore-sells-drive-holding.html?fsrc=rss-security">UConn bookstore sells drive holding personal data</source>
    </item>
  </channel>
</rss>
