[SecurityRatty] tag: fired

Leave Your Webcam On 24/7? Might Want To Reconsider...

Mon, 01 Sep 2008 11:46:09 +0000

It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as they have a webcam switched on, of course). Similarly, hacking culture has always had a fascination for memes, incorporating them into part of the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC, ensuring the victim has a webcam switched on then opening up shock meme websites at the most inopportune moment, recording the moment of impact with the webcam feed. Or, as one guy put it:

If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:

Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victims credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...

A British Bank Bans a Man's Password

Fri, 29 Aug 2008 06:44:04 +0000

Weird story.

Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.
"I thought it was actually quite a funny response," he said.

"But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate.

[...]

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

Lloyd's claims that they fired the employee responsible for this, but what I want to know is how the employee got a copy of the man's password in the first place. Why isn't it stored only in encrypted form on the bank's computers?

How secure can the bank's computer systems be if employees are allowed to look at and change customer passwords at whim?

Phishing Messages on XBox Live Network

Tue, 05 Aug 2008 12:24:21 +0000

You may or may not have come across these before, but there seems to be a fresh set of phish messages (most likely from compromised accounts) being fired around XBox Live using the lure of free Microsoft points as bait (gamers can use these points to buy games, amongst other things).

Consequently, if you happen to be sent something like this by one of your contacts:

...then run away very quickly. In this case, the website was made to look like a genuine login page - of course, when you entered your details you had been phished and would be returned to the real XBox page as if nothing untoward had happened.

The phishing page above is currently offline, but may well return (and obviously it's the easiest thing in the world for the scammer behind this to simply change the URL being sent out by hijacked accounts).

San Francisco Held Cyber-Hostage? Disgruntled Techies Have Wreaked Worse Havoc

Wed, 16 Jul 2008 21:00:00 +0000

San Francisco's purported network lockout sounds extreme, but disgruntled or fired employees have long used computers to get revenge.

Woman fired over death threat sent from work e-mail

Tue, 15 Jul 2008 20:00:00 +0000

An employee of 1-800-Flowers.com has been fired after an e-mailed death threat was linked to her account.

Work-place violence kills many U.S. workers every year.

Sat, 12 Jul 2008 14:28:00 +0000

Our company is hired regularly to make sure that fired employees do not come back to work and kill a supervisor or fellow colleagues.

When people hear that Corporations hire bodyguards to work in their Corporations pending and following company terminations they are surprised. This surprises me. Every year, workplace violence makes the "top ten" list of serious concerns facing U.S. businesses.

Yesterday, on WTOP radio station I heard the phrase; "Desk Rage" for the first time. Unfortunately it is very appropriate. Some people have very bad tempers and an argument or decision at work can lead to them getting a weapon and committing homicide. This was evidenced a couple of weeks ago in Kentucky when five factory workers were killed by an employee who had been slightly reprimanded.

Employers do have a responsibility to ensure a safe work place environment. That is the reason companies hire us. If we are called in and are onsite when a violent worker returns intent on hurting people, we will be the ones to stop him or her from committing the act.

Fellow workers should report incidents involving any type of inappropriate behavior, especially instances where people are likely to get hurt, or worse. Very rarely does an employee just go ballistic or "postal" for no reason. The most common cause of work place homicides are domestic situations. An employee with a dangerous spouse/significant other who has just been arrested on domestic violence charges or has been served with a protective should be brought to a supervisor's attention immediately.

With so much rage in schools, on the road and in the home, the Police have their hands full just reacting to situations where many times the SWAT team will be called in. Private security companies are a great resource to the business community as Police do not have the resources to sit for days and wait to see if something will happen.

Be part of the solution. Report all potentially dangerous situations in the workplace to a supervisor.

Employee fraud hits Baptist Health in Arkansas

Thu, 10 Jul 2008 20:00:20 +0000

Technorati Tag: Security Breach

Date Reported:
7/2/08

Organization:
Baptist Health*

*Baptist Health is the largest not-for-profit healthcare organization in Arkansas

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
~1,800

Types of Data:
"name, address, date of birth, Social Security number, and reason for coming to Baptist Health"

Breach Description:
"LITTLE ROCK (AP) - A North Little Rock woman has been arrested for using financial information from patients at Baptist Health to illegally obtain Wal-Mart gift cards for her own use. The hospital has notified about 1,800 patrons of the ID theft."

Reference URL:
Associated Press via WXVT Channel 15 News
KARK Channel 4 News
Arkansas Democrat-Gazette

Report Credit:
Toby Manthey, Arkansas Democrat-Gazette

Response:
From the online sources cited above:

Baptist Health has sent letters warning about 1,800 patients that the hospital system’s records may have been breached
[Evan] Uh, "may have been breached"?!

The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.
[Evan] Wouldn't life be grand if we could trust our employees? Maybe, I suppose.

The letters, mailed last week, follow the firing of the woman in early June

North Little Rock police say Tamara Hill, 30, of that city worked at Baptist Health Medical Center-North Little Rock in the emergency department.

Hill, an admissions clerk, was arrested May 30 at the Wal-Mart

Ebony Flowers, 25, also of North Little Rock, was arrested at the store the same day on three counts of identity fraud

Flowers was listed in a police report as a janitor for the North Little Rock School District
[Evan] Key word is "was".

Baptist Health recorded more than 950,000 patient visits systemwide in 2007, a number that includes repeat visits.

Mark Lowman, spokesman for the Little Rock-based Baptist Health system, confirmed that the system fired the employee after notification of the arrest.

Police reports say the women used a victim’s personal information to obtain temporary Wal-Mart "account authorization numbers" - credit cards, essentially - used to buy Wal-Mart gift cards.

The victim reported to police that he had not authorized the transactions

the same victim confirmed he was a Baptist Health patient

He expressed appreciation of the handling of the case by the system and by the North Little Rock police.

Among the items found during a search connected with the arrest of Hill was personal information for 24 other people, including "screen shots" - printouts showing the exact appearance of the images on a computer screen - that showed victims’ personal information.
[Evan] This seems like confirmation that "may have been breached" is not all that accurate.

Also found were four Wal-Mart gift cards and $ 1,490 in cash

Police found a small bag of marijuana on Flowers, according to the reports. In a search connected with her arrest, they also discovered a. 25-caliber magazine with six bullets, as well as a receipt for four of the gift cards and information on three-identity theft victims.
[Evan] A thug.

The U. S. Secret Service is helping with the investigation.

"Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."
[Evan] This is from the letter to the victims.

No information in the patient’s "medical records" and no information about the patient’s diagnosis or prognosis was accessed

while no "medical record" information was accessed, the letter mentioned the patient’s "reason for coming" to the system possibly was accessed

Lowman said a reason stated by a patient using the system isn’t considered medical information because the reason is a layman’s explanation, not one from a medical professional.
[Evan] This is Mark Lowman, spokesman for the Little Rock-based Baptist Health system

He said the breach wouldn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

"It doesn’t matter that [it’s not ] a prognosis or diagnosis," she said.
[Evan] Splitting hairs. The bottom line is that confidential personal information was stolen and there are victims. Whether or not it is a HIPAA violation seems somewhat irrelevant.

Dixon found the system’s letter lacking in several respects, such as clarifying the exact meaning of a "reason for coming to Baptist Health." The letter also should have mentioned when and for how long the breach occurred, she said.

"Almost all breach letters have that," Dixon added.
[Evan] Almost all breach letters have what? A mention about for how long the breach occurred? I must be reading some of the wrong breach letters because it seems to me that this information is 50/50 at best. Also missing is the "we have no reason to believe that the information will be misused", but this one doesn't fit does it?

Dixon said Baptist Health should have offered in the letter to set up free credit monitoring for victims.
[Evan] Why? One year (or two) of credit monitoring is almost useless. Credit monitoring alerts a victim after fraud has already occurred and one year (or two) of monitoring is too limited for information that has a much longer lifespan. I guess credit monitoring would be better than nothing, but not by much.

Lowman said the health system continually conducts audits to know which staff members are accessing what information, and whether or not the access is appropriate.
[Evan] Good!

"We’re always looking to provide better audits and better oversight of private, confidential and protected information," Lowman said.
[Evan] And Good!

Commentary:
Preventing and detecting employee fraud has always been a challenge. This doesn't mean we give up though. We have some tools at our disposal such as employee background checks, role-based access control, segregation of duties, and job rotation to name a few.

I don't think that these two crooks are anything more than common criminals. The fact of the matter is that identity theft and fraud are very easy crimes to commit and require very little skill.

Past Breaches:
Unknown

You want the truth, you can't handle the truth!

Thu, 10 Jul 2008 18:50:16 +0000

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco???s network admission control, circa Dec ???03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard???s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can???t take the analyst out of the man), takes exception to Hoff???s ???whining??? (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong. Great Richard you try to prove them wrong, when because of what they report you don???t have a market, can???t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

???Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.???

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth. Richard the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can???t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help ???clean the sand??? out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don???t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard. Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that). Richard we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one Richard. Just as you are out of touch in missing Hoff???s point in his article.

As to Hoff???s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to ???learn??? from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live???pet??? customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy. But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

You want the truth, you can't handle the truth!

Thu, 10 Jul 2008 18:35:46 +0000

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong. Great Richard you try to prove them wrong, when because of what they report you don’t have a market, can’t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth. Richard the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

As to Hoff’s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live“pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy. But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.