[SecurityRatty] tag: franklin

Post Your Questions for Philadelphia Wireless Panelists

Wed, 17 Sep 2008 06:10:36 +0000

Organizers of day-long discussion about ubiquitous mobile broadband want to know what you want to ask: In Philadelphia on 22-Sept-2008, panelists from AT&T, Comcast, Sprint XOHM, The Wharton School, and Network Acquisition Corporation (the folks who will be operating the former EarthLink network in Phila.) will be on one stage at 6 pm at The Franklin Institute's Planetarium (free, $5 contribution requested, advance registration recommended).

The panel will discuss fourth-generation (4G) networks, including both LTE and WiMax, and discuss what these networks might deliver, as well as how Wi-Fi networks fit into this future.

One of the organizers asked if I'd solicit questions--you can post them below--which they'll try to ask during the panel. The group would then write up responses which could posted in turn here.

The powerhouse that is Kevin Werbach, a professor at The Wharton School, is moderating the event. Werbach has been part of interesting thinking about spectrum for many years, a former editor of Release 1.0, and a former FCC staffer. He'll share the stage with a fairly high-powered crowd, including AT&T's enterprise architect for mobility, the president of NAC, and senior people from Comcast and Sprint Xohm.

The event is part of the Mid-Atlantic Chapter series called MobileMonday, an interesting business group that's trying to provoke discussion and development around mobile technology and access. This particular event is sponsored by local business development organization Select Greater Philadelphia.

Williamson County Schools learns of breach reported nine months ago

Sat, 12 Jul 2008 20:12:01 +0000

Technorati Tag: Security Breach

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen? If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding. Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools, Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement. Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information. Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist, Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber? This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment? Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information.", said Sharber
[Evan] The Liberty Coalition went public with this breach in October, 2007. I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches. I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing.", said Sharber

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company". Of course FRSecure would be glad to help. I promise to keep the plugs to a minimum .

Commentary:
OK. We all know that a breach affecting kids is especially bad. We all know that we are all human and all humans make mistakes. I presume that there are a number of risky information security behaviors at Williamson County Schools. This risky behavior just so happened to expose personal information online. What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role. I appreciate the motives of Aaron Titus and the Liberty Coalition. He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about). My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people. What drew my attention to his report was not the breach itself, but the way in which it he proceeded to report it. Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007 which is more than 9 months before the victims were ever made aware! According to the Liberty Coalition press release; "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals." It would have been nice if the victims were notified prior to a public press release. I wonder why Mr. Nugent's relationship with the school district wasn't known earlier. I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

The fact that some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

Links for 2008-06-10 [del.icio.us]

Tue, 10 Jun 2008 20:00:00 +0000

700,000 records on stolen CCB server

Tue, 22 Apr 2008 10:57:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/18/08

Organization:
Numerous*

*See Commentary section for list of businesses

Contractor/Consultant/Branch:
Central Collection Bureau ("CCB")

Victims:
Individuals who were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Number Affected:
~700,000

Types of Data:
"personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes"

Breach Description:
"Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana. This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes."

Reference URL:
Central Collection Bureau
Chicago Sun-Times (Associated Press)
NBC Channel 13 Eyewitness News

Report Credit:
Central Collection Bureau

Response:
From the online sources cited above:

SECURITY BREACH NOTIFICATION ALERT:
CENTRAL COLLECTION BUREAU
Dated April 18, 2008

Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana.

This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes.

These individuals were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Approximately 700,000 files may have been breached.

The businesses that engaged CCB for debt collection during that period of time are listed below.

Please note that only a very small percentage of the individuals who were patients or customers of the businesses below—i.e., those who ultimately were referred for debt collection—would have their personal information included in the CCB database.

Some of the information might be outdated. St. Vincent Health System said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old.
[Evan] This was a question that my colleagues and I were debating about this breach. 700,000 records seems like an awful lot of "active" collection accounts. CCB would need quite a few collection agents to service this many accounts, if in fact they were all active. I think we can assume that only a fraction of the 700,000 records were actually "active" and CCB did not effectively destroy information that they no longer needed to keep.

Other patients and customers of those companies are not affected by this breach.

The theft occurred on Friday, March 21, 2008, at CCB's location in Indianapolis.

On that date, thieves broke into the company's offices and stole 8 computers, as well as one of its servers (databases).

The server was password protected and protected by three locked doors. The 8 computers did not contain personal information.

The information was protected by two passwords but was not encrypted, Klene said.

"Our server was password protected. We have obviously spoken to some IT people who feel that a good computer hacker could get through those passwords," he said.
[Evan] It doesn't even take a "good computer hacker" to get through the passwords.

CCB promptly contacted the police and is working with the Indiana Attorney General's office.

The company also promptly installed additional locks, a security system, and a motion detection system to help minimize the risk of any further unauthorized access to its information.
[Evan] These will help with physical security. Full-disk encryption and a effective data retention policy wouldn't hurt for logical security, eh? Us information security guys would refer to multiple defensive layers as "defense in depth". Brilliant!

CCB apologizes to its clients and all Indiana residents affected by this incident.

"We're obviously heartsick about this," said Chet Klene, Central Collection Bureau president. "We've been in business since 1972, and nothing like this has ever happened before."
[Evan] I don't doubt that CCB is "heartsick" by this incident. I feel bad for them and the fact that they probably did not know any better. Maybe this is partly a failure on the part of the information security profession as a whole.

While the company has no information suggesting that the breach occurred for purposes of identity theft, it nevertheless has contacted the three national credit bureaus to place a fraud alert.

Please go to the CCB website at www.ccbinc.net, call CCB at 317-887-5165 or 1-800-878-5165 or email CCB at theft@ccbinc.net for more information

Commentary:
Clients of CCB with information on the stolen server include:

Academy Animal Hospital, Advanced Interventional Pain, Advanced Physical Therapy, Alternative Care Experience, Anderson General Surgery, Andrew Dick MD, Anesthesia, Aqua Systems, Associated Billing, "Barbara Sturm, MD", Brad Sammons DDS, Brien Grow DO, Buchanan Counseling Services, Campion Barrow & Assoc., Cardiothoracis Surgeons, Cardiovascular Diagnostic Services, Carl Foster MD, Caryn Guba DDS, Center For Orthopaedic Surgery, Central Indiana Phys Medicine & Rehab, Charles Howe Professional Medical Corp, Charles Kelley III DPM, Charles Kerkhove Jr DDS, Charles Tomich DDS, Chiropractic Thereputics, Citizens Gas & Coke, City of Franklin Ambulance, Clarian Radiology, Clinical Laboratory Physicians, Comdent, Comprecare, Culligan Water Conditioning, Cummins Behavioral Health System, D.E. Kelley DDS, Daniel Feeny MD, David Pennington III MD, David Shaw MD, David Szentes MD, Denture By Design, Dermatopathology Lab, Diagnostic Medicine, Dunlap Urgent Care, Edward J Diekhoff MD, Emily Cline MD, Emergency Medical Group Physicians, Forest Creek Family Dental, Friendly Village of Indy, Gary Hunt DDS, Gary Taylor DDS, Generations In Dentistry, George Small Jr MD, Gial Anesthesiology Service, Grandmas House Child Care, Greg Hardin MD, Hamilton Anesthesia Group, Hearing Center, Henderson Drugs & Home Health, House of Kids, Howard Alig MD, Howard Regional Health System, Indiana Radiology Partners, Indiana Spine Group, Indiana General Surgery, Indiana Medical Network, Indpls Neurosurgical Group, Internal Medicine Plus, JCB Anesthesia & Pain Mgt, Jeffrey Stevens DPM, Jennifer Siegel DDS, JMH Health Affiliates, John Jackson DC, John Norris MD, Johnson Co Anesthesia, Johnson County REMC, Johnson Memorial Hospital, Joseph Meek DDS, Julie Chao MD, Kenny Stall MD, Kerry Mays MD, Kevin Macadaeg MD, Khalil Wakim MD, Kidd Pediatrics, Knowledge Learning Corp, Koehring & Sons, Kokomo Sports Center, Larry Buckel MD, Laura Steiner MD, Laura Stitle MD, Laurette Robey MD, Laverne Tubergen MD, Lawrence Falender DDS, Library Park Immediate Care, Lora Overton DO, Madison Anesthesia Group, Madison Avenue Flower Shop, Mark Ellis DDS, Mark Kahn DDS, Mark Ogle MD, Mark Yamanaka MD, Martinsville Dental Center, Memory Maker Studios, Mere Image Sportswear, Meridian Veterinary Clinic, Methodist Arthritis Physicians, Methodist Medical Group, Michael Arnold DDS, Michael Cozzi MD, Michael Harper, Midamerica Surgery Center, Milto Cleaners, Mitchell Foster MD, Muncie Cataract & Laser Center, Nancy Zinni MD, Northside Surgical Specialists, Northside Anesthesia Services, Northwest Medical Pain Control, Nufinity, Orthopaedic Supplies Inc., Panchapakesan Harlan MD, Paul Batties MD, Paul Johnson DDS, Paul Johnson DDS, Paul Strange MD, Philip Borders MD, Pioneer Anesthesia Consultanta, PT Buntin MD, R.D. McQuiston MD, Rebecca De La Rosa DDS, Richard Herd Jr DDS, Rick Stephens Builder, Riley Bennett & Egloff LLP, Robert Smith MD, Robert's Salon & Day Spa, Ronald Wines DDS, RW Armstrong, Sandhya Nanda MD, Sarah Akard DDS, Scot Hagadorn MD, South Emerson Anesthesia Assoc., South Emerson Pain Management, South Emerson Surgery Center, Southeast Family Physicians, Southside Animal Hospital, Southside Family Medical Group, Southside Pediatrics, St. Vincent Health and related entities, Stephen Stitle MD, Stephen Szynal DO, Stonehedge Apartments, Stop 11 Animal Hospital, Sun Medical, Surgical Associates of Madison Co, Susan Wagner DDS, Thomas Eads MD, Thomas Ferrara MD, Tim Schafer DDS, University Family Physicians, University Pediatric Associates, University Surgeons, USF Inc, Valle Vista Guidance Center, Valle Vista Hospital, Walker Family Dentistry, Wells & Marvel PC

Past Breaches:
Unknown

The Continuing .Gov Blackat SEO Campaign

Mon, 18 Feb 2008 12:23:38 +0000

Just like the situation in the previous case of injecting SEO content into .gov domains, once the pages are up and running, they get actively advertised across the Web, again automatically. While bridger-mt.gov responds to 72.22.69.184, the subdomain freeporn.eee.bridger-mt.gov is pointing to another netblock, in this case 66.49.238.80, exactly the same approach was used in a previous such assessment that was however serving malware to its visitors. Here are some of the very latest such examples listed by directory :

- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages

Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative, but for instance, topsfield-ma.gov/warrant where a single blackhat SEO page was located seems to have been hacked by a turkish defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP"

Franklin University student information posted on Web

Wed, 30 Jan 2008 15:33:19 +0000

Technorati Tag: Security Breach

Date Reported:
1/29/08

Organization:
Franklin University

Contractor/Consultant/Branch:
None

Victims:
Students and/or alumni

Number Affected:
Unknown

Types of Data:
Name, Social Security number, trimester and course number, email address, and Franklin University ID number

Breach Description:
A file containing sensitive personal information belonging to Franklin University students and alumni was inadvertently posted to a public web server. The number of affected persons has not been publicly released.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

A file containing the names, Social Security numbers, term and class information, email addresses, and Franklin University identification numbers of students and/or alumni was inadvertently placed on our web server, which made it possible for the information to be viewed online.

Although we believe the exposure to be minimal, it is possible that your information may have been viewed by others.
[Evan] The "others" in this case are unauthorized persons.

We have removed the file from the Web server so the file can no longer be viewed online and we are working with third party experts to minimize the risk of future incidents of this nature.
[Evan] If this information was available on the internet, there is a good chance that the information is also available through search engine caches. There is no mention whether or not Franklin University contacted Google, Yahoo!, etc. to have any cached information removed promptly. Personally, I have not had the opportunity to look.

We deeply regret this unfortunate situation.

Because we value our students and alumni, we are offering you credit monitoring through Experian@ for 12 months, at no expense to you.

We sincerely apologize for any inconvenience that this may cause you. To view Frequently Asked Questions on our Web site, visit www.franklin.edu/go/securityupdate. If you have additional questions, please call us on our dedicated toll-free line at 1-877-212-2211 Monday through Thursday 8 a.m.-8 p.m., Friday 8 a.m.-5 p.m., or Saturday 9 a.m.-1 p.m. EST.

Commentary:
Mistakes will happen, so you should count on them happening. Many mistakes can be averted through effective information security training and awareness, and many mistakes can be minimized through effective incident response procedures and testing.

Past Breaches:
Unknown

Security vs. Privacy

Tue, 29 Jan 2008 02:21:41 +0000

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

This essay originally appeared on Wired.com.

Presenting at the Connecticut Developers Group August 28th

Wed, 22 Aug 2007 09:20:00 +0000

If anyone in the Connecticut is interested, I will be doing a presentation entitled Applied Cryptography on August 28^th. It’s similar to the presentation I used to do (Block Ciphers and Initialization Vectors) only I’ve expanded its scope a little.

I changed the presentation slightly and am trying to turn it into a dnrTV episode with Cark Franklin (who will also be in attendance). Hope to see you there.

-Eric Marvets