Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer.

"Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.

Warrants are a security device. They protect us against government abuse of power.

1. The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
2. Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
3. Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
4. United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
5. Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

• United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
• Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
• Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
• Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

Some day soon, you may go in and turn on your Windows PC and find your most valuable files locked up tighter than Fort Knox.

You'll also see this message appear on your screen:

"Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com"

How is this any worse than the old hacker viruses that put a funny message on your screen and erased your hard drive?

Here's how I see it, if someone actually manages to pull this up and put it into circulation, we're looking at malware Armegeddon. Instead of losing 'just' your credit card numbers or having your PC turned into a spam factory, you could lose vital files forever.

Of course, you could keep current back-ups. I do, but I've been around this track way too many times to think that many companies, much less individual users, actually keep real back-ups. Oh, you may think you do, but when was the last time you checked to see if the data you saved could actually be restored?

The single most important thing any company or individual can do to improve security is have a good backup strategy. It's been true for decades, and it's still true today.

Now slap yourself and head back into the detention hall. Dumbass.

From the Houston Chronicle:

George Bush High School’s valedictorian is among a group of Fort Bend Independent School District seniors who will not be allowed to take part in graduation ceremonies because of an investigation into tampering with the district’s computer network.

Khurrum Khan, 18, is the only valedictorian involved in the computer tampering incidents, which also occurred at Hightower and Elkins high schools, district spokeswoman Mary Ann Simpson said Tuesday.

The speech at the Bush graduation ceremonies will be given by the class salutatorian Saturday.

I recall this one. I wrote about this a while ago. But this part still amazes me,

The case is a potential a felony because investigators estimated the financial loss to the school district at a minimum of $190,000.

Sure block them from the grad ceremony, fair enough. But, 190K? Bite me.

Article Link

Date Reported:
2/13/08

Organization:
Tenet Healthcare Corporation

Contractor/Consultant/Branch:
None

Victims:
Patients*

*Tenet Healthcare Corp. owns 54 hospitals in a dozen states, including Hilton Head Regional Medical Center and Coastal Carolina Medical Center.

Number Affected:
37,000

Types of Data:
Social Security numbers and other personal information.

Breach Description:
A former employee working in the Tenet Healthcare Corporation billing center in Frisco, Texas has been convicted of identity theft.  Terrence Brooks worked for the company for less than two years and stole names, Social Security numbers and other personal information belonging to at least 90 patients, but also had access to 37,000.

Reference URL:
The Beaufort Gazette online story
The Sun-Sentinel online story

Report Credit:
Daniel Brownstein, The Beaufort Gazette

Response:
From the online sources cited above:

A former employee of a locally connected national hospital chain who was convicted of identity theft had access to the personal information of about 37,000 patients, according to a company spokesman.

Terrance Brooks, 30, of Fort Worth, was arrested Nov. 25 when he tried to open a Costco credit card using a state ID with fraudulent information, police said.

The company mailed letters last week announcing the security breach to anyone who could have been affected, said spokesman Steven Campanini.

Tenet also informed victims how to set up free fraud alerts at the nation's three major credit bureaus.

"There's an annoyance factor and we apologize for that," Campanini said. "We recognize consumer privacy is very important and take it very seriously."
[Evan] I am not personally a victim, but I am pretty sure that this surpasses "an annoyance factor" for some people.

The ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients, Campanini said. The company has paid to monitor the credit reports of those victims.

Terrence Brooks, 30, had access to 37,000 other accounts

He pleaded guilty last month to five counts of fraudulent use and possession of identification information and was sentenced to nine months in prison.
[Evan] Only nine months in prison.  In 2006, the average time it took victims to recover from identity theft was 607 hours.

He had passed a background check to get the Tenet job. Brooks was immediately fired when the company learned of his arrest.

"What's challenging in this situation is there was an employee intent on committing fraud," Campanini said. "No company can prevent that, but we can have practices in place to immediately address it when it does occur, and that's what we did."
[Evan] I agree that preventing employee fraud is challenging, but reducing risk is very impossible.  There are several things that companies can do to reduce the risk significantly (segregation of duties, job rotation, cross-training, etc.).  Access to Social Security numbers should require an additional level of clearance and this clearance should be closely scrutinized.  The normal "run of the mill" billing work does not require Social Security number access.

"I'm more concerned with what could happen than what has happened," Ashley Latzer a person that received one of the Tenet notification letters.
[Evan] More than an "annoyance"?

Tenet patients concerned about the security of their personal information may call a company hotline at 1-800-553-6101 between 8 a.m. and 6 p.m. weekdays.

Commentary:
I am concerned with how many people in companies have unnecessary access to confidential information.  One of the first steps in reduding risk of employee fraud is to limit access to confidential information to only when it is absolutely required.  The resolution of most customer service, help desk, and billing calls don't require Social Security numbers, credit card numbers (including CVV2), and other sensitive information. 

I don't know enough about how Tenet manages its data and billing center, but I am sure that creative information security solutions could reduce the risk of this happening again.

Past Breaches:
Unknown