[SecurityRatty] tag: dwight

Wee-Fi: Houston-Fi, ASCII WPA Passphrases, Green Wi-Fi

Tue, 19 Aug 2008 06:26:25 +0000

Houston flips switch on free downtown Wi-Fi: Dwight Silverman of the Houston Chronicle accidentally discovers the soft launch of the network funded by EarthLink's $5m default fee. (The fee was paid when they missed a milestone, and the firm later walked away.) The downtown area now has a limited pilot project that's free; the real effort in Houston is supposed to be at 10 housing projects and in parks where service would be used to bridge the digital divide and improve the quality of life. How, exactly, is part of what's being tested.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

Pocono Mountain School District "irregularities"

Mon, 02 Jun 2008 08:36:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Pocono Mountain School District

Contractor/Consultant/Branch:
None

Victims:
Students and parents

Number Affected:
Unknown*

*"SCHOOL DISTRICT ENROLLMENT (2007-2008) 11,500 students K-12 (Current as of Oct. 17, 2007)"

Types of Data:
"Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers"

Breach Description:
"An apparent cyber break-in of Pocono Mountain School District's computer system has put at potential risk personal information about students and parents, the district announced Friday.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information."

Reference URL:
Pocono Mountain School District "Letter to Parents"
Pocono Record
The Morning Call

Report Credit:
Pocono Mountain School District

Response:
From the online sources cited above:

A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents, the district's superintendent said Friday.
[Evan] This statement is provided by Joe McDonald of The Morning Call. It is unclear if a "hacker" breached the system or if there was another cause for the "irregularities" reported at the school.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information.
[Evan] This is a quick notification. I think it is possible to be too quick in notifying victims, almost like The Boy Who Cried Wolf. It seems as though the school has not gathered the facts required to make a proper notification. Judge for yourself.

Frable said the district's technical staff had noted some irregularities during a routine security check Thursday night. "They detected some activity that seemed a little unusual," she said.

The technical staff is checking to see to what extent any personal information — and to whom it may belong — had been compromised.

The district referred the matter to Pennsylvania State Police at Swiftwater for further investigation, Frable said.

The information that may have been compromised includes the following: Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers.

"We don't know if anything was accessed," she said, adding that the district will contact anyone whose data had been found to be compromised. Frable also said that very few records include children's Social Security numbers.
[Evan] A breach involving children's personal information is especially bothersome.

We have conducted an internal investigation and suggest you take the following preventative measures now to help prevent and detect any misuse of your or your child’s information.

"As a first step to protect yourself from the possibility of identity theft, we recommend you closely monitor any accounts that may contain any or some of this information," Pfennig wrote in his letter to parents.

If you see any unauthorized activity, promptly contact your service provider and or office of the Executive Director of Technology at (570) 873-7121 Ext. 10151.

"We're just trying to do what's right by everyone," Frable said. "There's no reason to panic anyone, but people should just be cautious."
[Evan] Understandable, but some people will panic anyway. This is why it’s a good idea to gather facts before notification.

Parents got the letters when their children returned at the end of the school day, and at least one parent felt the school was being rather nonchalant.

''It sounds to me like they're trying to downplay it,'' said Ralph Ortega, who lives in Jackson Township. ''It's incredibly vague.''
[Evan] I agree. I question whether this is because there aren't enough facts available yet, or whether the school is not being square with the victims.

Commentary:
This breach leaves us with more questions than answers. People will speculate where there is a lack of clarity. I hope students and parents get the answers to the questions that they should demand answers too.

Past Breaches:
Unknown

Presbyterian Hospital admissions rep allegedly steals patient information

Mon, 14 Apr 2008 12:04:54 +0000

Technorati Tag: Security Breach

Date Reported:
4/12/08

Organization:
Presbyterian Hospital/Weill Cornell Medical Center

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
Over 50,000

Types of Data:
"names, phone numbers and social security numbers of male patients between 58 and 78 years old"

Breach Description:
"A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients."

Reference URL:
The Cornell Daily Sun
New York Post
United Press International

Report Credit:
United Press International

Response:
From the online sources cited above:

A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients.
[Evan] According to this statement, he has already pleaded guilty.

After the hospital was made aware of the theft in January, it was confirmed in an internal investigation hospital spokeswoman Myrna Manners said.

"We obviously deeply regret that this has happened," she told the Times.

Dwight McPherson, the man arrested in connection with the crimes, was said to have been selling information since 2006, when he was approached with a request for the names, phone numbers and social security numbers of male patients between 58 and 78 years old.
[Evan] He was approached rather than the other way around? This is interesting if it is true. It means that identity thieves (or those that trade in such information) are actively seeking out employees of organizations for sensitive personal information. This is an angle that I never really thought of, though in hindsight I should have.

McPherson's alleged scam was uncovered when postal inspectors in Atlanta executing a search warrant on an identity-theft operation there discovered 221 documents that had come from New York-Presbyterian Hospital.

Dwight McPherson, a 38-year-old patient-admissions representative from Brooklyn, admitted he began to access the files and sell information in early 2006

the information was used for identity theft

McPherson was released on Saturday under the condition that he not leave the state

McPherson was released on $500,000 bail
[Evan] Whoa! Does this mean that he had to come up with $50,000 to post bail? I think you have to come up with 10% yourself. $50,000 is a lot of money for a "patient-admissions representative" to have lying around.

His lawyer, Bob Walters, defended his client, saying, "He is a hardworking, honest man,"
[Evan] Uh, but he pleaded guilty to taking the easy way and committing fraud, right?

After looking through computer logs, they realized McPherson's user login had been used to improperly access the files of 49,841 patients.

McPherson most recently sold 1,000 records near the end of last year for about $750 and more records a bit later for $600.

Those whose identities have been stolen will receive a letter detailing what happened, and have access to a hotline with credit-monitoring services.

Commentary:
Of the 300 breaches reported thus far on The Breach Blog, this is the first one that I recall in which an outsider approached an employee for personal information. I have read about breaches where the employee approached and sold information to an intermediary or outsider (i.e. Fidelity/Certegy and William Sullivan), but not the other way around. This is interesting.

Mr. McPherson appears to have used his legitimate user account to access records in a manner for which he was not authorized. This activity can be difficult to detect without specialized controls. People that do bad things end up costing us all in the long run.

Past Breaches:
Unknown

Inspector General claims the Park Police are plagued by low morale

Sun, 10 Feb 2008 03:46:00 +0000

According to a report from the Interior Department's inspector general, the U.S. Park Police may not be properly protecting the Nation's monuments. Even the Fraternal order of Police have appealed for management changes and describe the agency as a "mess".

A Union survey found that only 2.2% of respondents had confidence in the Chief, Dwight E. Pettiford. When Chief Pettiford was asked about the failure of his officers to properly protect the monuments he replied: "They're still standing".

Apparently, his comment referred to the monuments, not the photograph of a supposedly sleeping officer on post.