[SecurityRatty] tag: dime

Two students access confidential Dominican University files

Wed, 14 May 2008 18:40:18 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
Dominican University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
5,215

Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"

Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."

Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University

Report Credit:
Dominican University

Response:
From the online sources cited above:

Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.

Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.

These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security? The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff. Does this make any sense to you?

One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward. My guess is not.

We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.

The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know. There are probably students doing worse things on campus that probably need a lot more supervision than these two. Judging only by what I have read, these students seem to have been pretty honest. They came forward, they cooperated with the investigation and even demonstrated what they did.

The university is conducting a complete security audit and internal review.
[Evan] This should be done a regular basis anyway. All good information security programs conduct regular audits, assessments and reviews.

Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do. The last statement contained the word "conducting", this statement contains "conducted".

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.

"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me

If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.

Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"

"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"

"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?

Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings. I don't sense an dishonesty on their part. I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information. The statement about a secure file in an unsecured location is puzzling.

If assumptions are correct, then it may be ill-advised to sanction these students. Does anyone else see this the same way, or would you say that I am off base here?

Past Breaches:
Unknown

EarthLink Will Shutter Philadelphia Network, Company Says

Tue, 13 May 2008 05:48:07 +0000

It's the end of the cycle, folks: The first shall be last and the last shall, apparently, be first to sue. The Philadelphia Wi-Fi network will be shuttered under plans by EarthLink that they announced via press release today.

The company plans to pull all its gear from the poles starting 12-June-2008. The company's press release said it offered to give the network at no cost to an unnamed non-profit, as well as to the city, but claimed that "unresolved issues" led to the effort falling apart. EarthLink offered cash and more equipment, as well, in undisclosed quantities. Wireless Philadelphia, the non-profit in charge of managing the network provider and administering digital divide programs, was apparently not the non-profit mentioned.

EarthLink filed a lawsuit to allow it to remove its Wi-Fi nodes and cap its liability at $1m. That's a pretty hostile move, given that the city would have been the more likely party to feel aggrieved and file suit against EarthLink for failing to live up to the terms of their agreement.

EarthLink's claims of offering the network to "a non-profit" or the city for free skirts the issue that EarthLink may have certain liabilities for electrical power and other fees that haven't yet been paid; Wireless Philadelphia had agreed to pick up or defer certain charges as part of the deal that brought the network provider in. But without a completed network, and the contract therefore perhaps susceptible to being declared in default in court, it's unlikely that this will play out nicely.

And I'll say bluntly: If someone offered you $17m of outdated equipment on a network that never worked to specification that wasn't completed, and that already had known high annual costs, and which a private firm gave up as a bad job that they couldn't turn a dime on--would you take that deal? No. EarthLink will ultimately have to pay much more than $1m, I predict, and I suspect some of the settlement will leave gear in selected neighborhoods behind for more modest networking purposes. It's not going to be as easy as releasing a press release, although I haven't read the contract's provisions for this set of circumstances, and I'm not a lawyer.

The failure in Philadelphia, and EarthLink's exiting the entire muni-Fi business, represents the end of a bad model in which a company agreed to assume all risk and costs associated with building a public access network. When the assumptions were that networks would be cheaper and easier to build in 2005, and that citizens in many larger cities had few affordable broadband options, it made some sense to build a network on spec.

Three years into this, however, it's clear that that capital investment is 2 to 3 times higher than what was anticipated to reach a level of service quality that people will expect; that, when presented with potential competition, DSL and cable operators will slash prices and offer cheap 1-year or "lifetime" rates with long-term contracts; and that wireless broadband delivered via Wi-Fi isn't the best of ideas for indoor service.

Minneapolis may wind up being the only large city, if the network quality and subscriber rates play out, that has a public access network that works and produces a return.

Just a reminder the free ride is coming to a end.

Sat, 19 Apr 2008 11:43:12 +0000

I posted a remark previously about this.
You are responsible for your actions.
Banks are refusing to pay up if you dont take steps to protect yourself.

clipped from www.techconsumer.com

Web Safety and Crime on the Internet

The latest news from United Kingdom’s major retail bankers says that if your online bank account has been compromised and you didn’t use any Internet computer security software such as antivirus and antispyware (e.g. Norton 360), you solely bear the responsibility for the loss, and they won’t compensate you a dime. A clause has been added to the newly updated Banking Code to make this very clear.

King of Spam pleads guilty; faces 26 years in prison

Sat, 15 Mar 2008 07:25:18 +0000

The spammer who notoriously bragged that he'd never paid a dime despite multiple rulings against him will be paying society back in years of his life instead. Robert Soloway is facing both a jail sentence and quality time with electrodes strapped to his body.

Wellesley seniors' personal information lost in mail

Fri, 29 Feb 2008 08:48:00 +0000

Technorati Tag: Security Breach

Date Reported:
2/29/08

Organization:
Town of Wellesley, Massachusetts

Contractor/Consultant/Branch:
Wellesley Health Department

Victims:
Certain town residents who received flu shots, all over the age of 65

Number Affected:
480

Types of Data:
Names, dates of birth, addresses, and Social Security numbers

Breach Description:
An envelope containing sensitive personal information belonging to seniors was sent from the Wellesley Health Department to a Medicare processing office in Charlestown. When the envelope arrived it was missing the list of information. The U.S. Postal Inspection Service and local police are investigating.

Reference URL:
The Boston Globe
WCVB-TV Channel 5
The Boston Herald

Report Credit:
WCVB-TV Channel 5 News

Response:
From the online sources cited above:

NewsCenter 5's Steve Lacy reported that the seniors got the flu shots last fall and then, last week, the town sent an envelope with all their personal information, including names, ages, addresses and Social Security numbers to Medicare as part of the reimbursement process.

All those listed were age 65 or older.
[Evan] Wonderful. Seniors are typically the easiest targets with much to lose.

The roster was mailed Feb. 21 by the town to Medicare for reimbursement.

The envelope arrived but was missing the list of names

Wellesley police were notified and launched an investigation, as has the U.S. Postal Inspection Service.

The sealed envelope was reportedly hand-delivered to the post office for mailing, which reduces the chances the information was stolen.
[Evan] This does not reduce the risk to a point that would be acceptable to me. Hand delivering the envelope to the post office eliminates one opportunity (maybe two) for loss, and that is between the Health Department office and the post office. It does not take into account theft or loss at the post office, between post offices, between the destination post office and the Medicare processing office, or within the Medicare processing office. Not to mention data destruction procedures once the information has been entered into the systems. In my opinion, this is a poor attempt at minimizing the situation.

The Postal Service is trying to determine whether theft or mechanical failure was to blame.

"There would be no reason why we would have questioned or hesitated using the US Postal Service to do this," Cohen said of the department's choice to send personal information through the mail. "We've been doing it for years this way. And I suspect most providers do it this way.", Shepard Cohen, chairman of the Board of Health in Wellesley
[Evan] Really? Do you think it's OK to send personal information including Social Security numbers in the mail nowadays? This is a fantastic opportunity for identity thieves. If I had a dime for every time I've heard "We've been doing it for years this way", I would be a rich man. Times change, people change, technology changes, an ______ changes (fill in the blank). Don't you think processes should change too?

One possible sign of ID theft is if consumers fail to receive bills, because thieves sometimes change mailing addresses to cover their tracks. Another is if consumers receive credit cards they did not apply for or if they are suddenly denied credit. Also, if consumers receive telephone calls about items they have not purchased.

The town said it will be mailing letters to anyone effected by early next week.

Commentary:
I wish that Mr. Cohen was wrong when he stated "I suspect most providers do it this way", but I would be fooling myself if I thought it weren't true. Most providers probably do follow similar processes that put confidential information at risk. Confidential information is money in the right (or wrong) hands.

Possible solutions...
Don't use Social Security numbers as identifiers (probably a lot of work!).
Send the information on an encrypted CD.
Send the information through a VPN
______ (add your own).

Past Breaches:
Unknown

Afilias and GoDaddy Want to Rule .US

Tue, 31 Jul 2007 10:19:04 +0000

As I described in a recent column, the contract for the .US domain registry is up and may be redesignated by the Department of Commerce. The quotes were due by Monday of this week.

Afilias and GoDaddy.com announced that they have formed a partnership that has bid to run the registry.

It's an interesting prospect. .US has badly underperformed, largely (I think) due to a lack of marketing and clout behind it. The alliance is called the DNAR (Domain Name Alliance Registry).

This would certainly change with GoDaddy, which is a massive hosting service with an interest in pushing customers to buy .US domains. The press release implies that they would lower the .US registry fee. It's been widely reported that, back when the .COM registry contract was being renegotiated, GoDaddy offered to run it with a $2 registry fee. Currently it's $6 and is scheduled to go up on a regular basis.

A cheap .US name space would provide a huge new up sell possibility for GoDaddy to its existing customers. Owning the .US versions of your .COM domains would suddenly cost much less. The DNAR addresses this head on in its press release: "Alliance Registry proposes a plan to revitalize the kids.us domain by: 1) streamlining the registration process; 2) attracting more sites and content (kids.us only has just 19 live sites now) to generate more usage by kids; and 3) strengthening the operational security of kids.us content monitoring."

But will they buy into GoDaddy running this domain? The company hasn't exactly pursued an image in its marketing that would endear it to the administration or, for that matter, any administration likely to come into office. Yah, they love kids. Don't we all? GoDaddy has had other problems, but their real problem here is image.

GoDaddy's bad-boy dirty image has always rubbed me the wrong way and I really doubt it gets them a dime of business they wouldn't otherwise get. It would be good for .US to have a company as big and aggressive as GoDaddy running it.

But I think a more boring company will get the contract.