[SecurityRatty] tag: hill

Let's Play Two

Tue, 12 Aug 2008 08:47:51 +0000

Every year my Dad and I go to see a Red Sox series. Last weekend was this year's trip and we went to Chicago to see the World Champion Boston Red Sox (saying that never gets old) play the White Sox. Of course, while you are in Chicago you have to see Wrigley Field, and we really lucked out. This weekend was Red Sox versus the White Sox (the battle of the Soxes they used to call it on Channel 38) on the southside and northside featured Cubs versus Cardinals! The last four World Series winners in town on the same weekend (Red Sox 04, 07, White Sox 05, Cards 06).

We learned several things- first in heaven the Cubs play the Red Sox in the World Series. Those ballparks are true gems. (In hell its probably the Yankees versus Phillies). Also, the people on the southside and northside *really* have a rivalry going. Its basically Boston v NY but they live in the same town! Here is one example from the southside

One of the great things about Wrigley (and there are many despite what southsiders say), is that its in the middle of a real neighborhood

Epicenter of Cub universe

Lots of action before and after game time, lots of people wandering around with gloves catching batting practices homers outside the stadium...err Field. Key point - Wrigley is a field, not a Stadium. Also Fenway is a Park. The Greek root of the word "paradise", means "enclosed green space", not concreteopolis

Wrigley is baseball Mecca

The greatest Cub of all, Ernie Banks, was our touchstone for the day - "Let's Play Two." we started at Wrigley for the day game (Zambrano got shelled) and then got crosstown for the night game.

To pull this off the L is your friend. As several Chicagoans pointed out, they are the only city that can have a true subway series, because the Red Line services both the White Sox and Cubs, whereas Mets-Yankees involves numerous transfers and so on.

We got to US Cellular Field which is fine but a shadow of Wrigley and absolutely nothing good to eat. Luckily we had Daisuke Matsuzaka on the hill

Before every game, Big Papi holds court in center with some players from the other team, he is to be a very popular guy. Ozzie Guillen told him before the series that with Manny gone, he wouldn't see a pitch to hit all weekend (ps. he did and crushed a bases loaded double)

The question we got most was - what about the Manny trade? His replacement strikes out a lot, but is otherwise a promising player

The Red Sox and White Sox share a little history, most especially Pudge Fisk who hit the famous homer in the 75 world series for the Red Sox and then had a great career for the White Sox (actually played more games for Chicago than Boston, but went into Cooperstown with a B on his hat)

Red Sox won, hanging out in Wrigley was an even bigger highlight, and Chicago is a beautiful city to visit, by far the most accessible of the big US cities. Also, lots of good places to eat courtesy of Thomas Ptacek.

Object Refinement in CEP: Tracking Temperatures

Thu, 07 Aug 2008 09:39:29 +0000

Our colleagues at Apama share an interesting use case, tracking the body temperature of someone walking in their recent press release.

This use case is a clear example of a subfunction of complex event processing, folks in the mult-sensor data fusion field (and here at The CEP Blog) refer to as event (object) refinement, sometimes called “track and trace.”

The reason we call this processing function “event (object) refinement” is that, in the way the use case was described in the press release, the medical staff are basically tracking body temperature and comparing it to a key indicator to generate an alarm, in this case “body temperature too high.” This is a simple event, not complex, because the level of inference is quite very low in an overall knowledge hierarchy.

For example, we cannot infer from the alarm that “body temperature too high” is caused by a previous medical condition. There is no causality at this stage of the game. We cannot infer from the alarm that the walker has embarked up a steep hill, and the body temperature is expected to exceed a key indicator for a period of time.

Looking at another complex event model, the system does not (yet) combine all of the body temperatures of the entire group of walkers, correlated by the situation of an approaching thunderstorm, and infer that the walkers have increased their pace because they don’t want to be caught in a driving rainstorm with high winds.

In other words, tracking a single object like “body temperature” is a basic-step in a CEP application, but not really a CEP application yet, because to really be a complex event, there should be some inference of higher knowledge, or estimated situation. For example, tracking and tracing the position of an aircraft is good data, but being able to infer the complex situation “potential mid-air crash” between two airplanes is better (defining a complex event vs simply tracking state changes).

Steam processing engines are well suited for track and trace processing of individual event objects, like a walker’s body temperature, or a similar temperature monitoring application from a network device, as demonstrated by the Apama use case. Tracking events such as “temperature in an object reaches critical threshold” have been going on for decades, in your network, in your car, in your washing machine, in as spacecraft, just about everywhere we sense-and-respond to temperature changes.

The real marvel of this application was not the event processing on the back end, but in the sensor network, comprised of the human body, an RFID sensor, and a transmission network to a centeralized data collection facility.

Employee fraud hits Baptist Health in Arkansas

Thu, 10 Jul 2008 20:00:20 +0000

Technorati Tag: Security Breach

Date Reported:
7/2/08

Organization:
Baptist Health*

*Baptist Health is the largest not-for-profit healthcare organization in Arkansas

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
~1,800

Types of Data:
"name, address, date of birth, Social Security number, and reason for coming to Baptist Health"

Breach Description:
"LITTLE ROCK (AP) - A North Little Rock woman has been arrested for using financial information from patients at Baptist Health to illegally obtain Wal-Mart gift cards for her own use. The hospital has notified about 1,800 patrons of the ID theft."

Reference URL:
Associated Press via WXVT Channel 15 News
KARK Channel 4 News
Arkansas Democrat-Gazette

Report Credit:
Toby Manthey, Arkansas Democrat-Gazette

Response:
From the online sources cited above:

Baptist Health has sent letters warning about 1,800 patients that the hospital system’s records may have been breached
[Evan] Uh, "may have been breached"?!

The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.
[Evan] Wouldn't life be grand if we could trust our employees? Maybe, I suppose.

The letters, mailed last week, follow the firing of the woman in early June

North Little Rock police say Tamara Hill, 30, of that city worked at Baptist Health Medical Center-North Little Rock in the emergency department.

Hill, an admissions clerk, was arrested May 30 at the Wal-Mart

Ebony Flowers, 25, also of North Little Rock, was arrested at the store the same day on three counts of identity fraud

Flowers was listed in a police report as a janitor for the North Little Rock School District
[Evan] Key word is "was".

Baptist Health recorded more than 950,000 patient visits systemwide in 2007, a number that includes repeat visits.

Mark Lowman, spokesman for the Little Rock-based Baptist Health system, confirmed that the system fired the employee after notification of the arrest.

Police reports say the women used a victim’s personal information to obtain temporary Wal-Mart "account authorization numbers" - credit cards, essentially - used to buy Wal-Mart gift cards.

The victim reported to police that he had not authorized the transactions

the same victim confirmed he was a Baptist Health patient

He expressed appreciation of the handling of the case by the system and by the North Little Rock police.

Among the items found during a search connected with the arrest of Hill was personal information for 24 other people, including "screen shots" - printouts showing the exact appearance of the images on a computer screen - that showed victims’ personal information.
[Evan] This seems like confirmation that "may have been breached" is not all that accurate.

Also found were four Wal-Mart gift cards and $ 1,490 in cash

Police found a small bag of marijuana on Flowers, according to the reports. In a search connected with her arrest, they also discovered a. 25-caliber magazine with six bullets, as well as a receipt for four of the gift cards and information on three-identity theft victims.
[Evan] A thug.

The U. S. Secret Service is helping with the investigation.

"Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."
[Evan] This is from the letter to the victims.

No information in the patient’s "medical records" and no information about the patient’s diagnosis or prognosis was accessed

while no "medical record" information was accessed, the letter mentioned the patient’s "reason for coming" to the system possibly was accessed

Lowman said a reason stated by a patient using the system isn’t considered medical information because the reason is a layman’s explanation, not one from a medical professional.
[Evan] This is Mark Lowman, spokesman for the Little Rock-based Baptist Health system

He said the breach wouldn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

"It doesn’t matter that [it’s not ] a prognosis or diagnosis," she said.
[Evan] Splitting hairs. The bottom line is that confidential personal information was stolen and there are victims. Whether or not it is a HIPAA violation seems somewhat irrelevant.

Dixon found the system’s letter lacking in several respects, such as clarifying the exact meaning of a "reason for coming to Baptist Health." The letter also should have mentioned when and for how long the breach occurred, she said.

"Almost all breach letters have that," Dixon added.
[Evan] Almost all breach letters have what? A mention about for how long the breach occurred? I must be reading some of the wrong breach letters because it seems to me that this information is 50/50 at best. Also missing is the "we have no reason to believe that the information will be misused", but this one doesn't fit does it?

Dixon said Baptist Health should have offered in the letter to set up free credit monitoring for victims.
[Evan] Why? One year (or two) of credit monitoring is almost useless. Credit monitoring alerts a victim after fraud has already occurred and one year (or two) of monitoring is too limited for information that has a much longer lifespan. I guess credit monitoring would be better than nothing, but not by much.

Lowman said the health system continually conducts audits to know which staff members are accessing what information, and whether or not the access is appropriate.
[Evan] Good!

"We’re always looking to provide better audits and better oversight of private, confidential and protected information," Lowman said.
[Evan] And Good!

Commentary:
Preventing and detecting employee fraud has always been a challenge. This doesn't mean we give up though. We have some tools at our disposal such as employee background checks, role-based access control, segregation of duties, and job rotation to name a few.

I don't think that these two crooks are anything more than common criminals. The fact of the matter is that identity theft and fraud are very easy crimes to commit and require very little skill.

Past Breaches:
Unknown

Can you hear me now?

Fri, 27 Jun 2008 06:56:10 +0000

Verizon released a very interesting Data Breach report that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish it. Of course a consultant I go into lots of companies where they could learn a lot just by being more open and talking through issues with peers in other companies. Would be great to see other companies follow Verizon's lead.

I suggest you read their report, and I would like to add a little color to their findings from the perspective of the swamp I spend most of my time in - Web services security. Granted it is just one report, but the data run counter to a lot of conventional security "wisdom":

Who is behind data breaches?

73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

The internal/external divide is pretty silly these days, as is companies' recanting "inside the firewall and outside the firewall", I spend most of time hooking things up together precisely _so_ they intereoperate remotely. The firewall is a speed bump at best. At any rate external sources is a primary concern in Web services security, because - hey look our Web service front end just made your Mainframe/As400/Unix DB/ CICS/whatever accessible remotely. This is great from a functionality standpoint, but the issue is that these back end systems were never designed with anything remotely resembling an Internet threat model. Additionally, the Verizon team's findings around business parties and multiple parties strikes at the heart of a number of popular misconceptions in Web services security - "well its just B2B and its behind a firewall."

How do breaches occur?

62% were attributed to a significant error

59% resulted from hacking and intrusions

31% incorporated malicious code

22% exploited a vulnerability
15% were due to physical threats

A couple of things to note here - malicious code in my opinion is likely to be the biggest problem in Web services security going forward. There is a large gap waiting to be exploited here. You have no control over the other end of the pipe plus a massive attack surface, the only thing lacking is the attacker's ability to find and exploit which I strongly suspect is just a matter of time. Wrt hacking an intrusions we have the remote, passive nature of web security to blame here in Web services world. Paraphrasing Jeff Williams, the problem is that an attacker can just try an attack if it doesn't work, try again, again, and so on. This partially because of the loosely coupled nature of the systems, but it is also because commonly used information security protocols have diverged from reality are modeled using an object-centric mentality, where you "own" the object you are protecting and can afford to put passive controls around.

What commonalities exist?

66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls

Many of the attacks against Web Services are not difficult, in my training class, we'll typically execute 8-10 different attacks in a two day period. But the big one from this list is the first one - the amazing amount of attack surface offered up by Web services. Brad Hill has done a good job articulating these issues in SOAP/XML/WS-*, but at an enterprise its even bigger than those standards - the thing is we use Web services to make stuff interoperate, to make stuff reusable, and to virtualize endpoints. Great stuff if what you want to do is decentralize your business, but this creates oceans of space for attackers to roam. When you look beyond the Visio and the IDE view of web services, and get to the runtime there is an amazing amount of detritus left behind by all these layers.

Danger in Dubai?

Tue, 17 Jun 2008 13:57:00 +0000

Those who come to Dubai could be forgiven for thinking that this is an Oasis in a peaceful desert. In reality though, they would do well to remember that this Oasis is located in the middle of a volatile region.

I came to Dubai and the United Arab Emirates a week ago to promote an International Executive Protection course that we are holding here later in the summer. While it is true that most citizens in the U.A.E. are law abiding, there is potential here for opportunists to turn that around. Anyone who spends anytime here, especially in the vicinity of Dubai, will see that it is an extremely wealthy area.

I was talking to an ex-pat business man last night at dinner and he made the comment that a friend of his could not get the attention of the Valets at a local club recently because he was "only driving a Porsche 911". The valets were too busy finding premium parking spots for the Bentleys, Aston Martins and Ferraris. This is why Sexton Executive Security is opening an office in the U.A.E. We believe it is only a matter of time before cunning criminals realize how much money they could make from kidnappings, stealing luxury cars/chop shops and a host of other crimes.

Then yesterday morning something else happened. One of the Embassies released a terrorist alert warning for the U.A.E. Despite the fact that this is the Middle East, alerts like this are not common. Afteralll, this is a shopper's paradise where vistors can spend thousands of dollars on a hotel suite for the night. Now we have begun to compile a list of Executive Protection Specialists with current passports who are available for International assignments.

Don't let the bright lights fool you. This is not Kansas Dorothy. Keep your eyes open and like they used to say on Hill Street Blues; "let's be careful out there."

2 Congressmen Say Chinese Hacked Their Computers

Wed, 11 Jun 2008 15:48:00 +0000

Two House members -- Virginia's Frank Wolf and New Jersey's Chris Smith -- say their Capitol Hill computers, containing information about political dissidents from around the world, have been hacked by sources apparently working out of China.

Two HSBC breaches with similar circumstances

Mon, 02 Jun 2008 05:40:52 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
HSBC Branch at Bayview & Major Mackenzie (CA)
HSBC Branch in UK (Cheshire)

Victims:
Customers

Number Affected:
Unknown, "hundreds of bank customers" in Canada

Types of Data:
"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK

Breach Description:
Two breaches were reported in the past week affecting HSBC customers in Canada and the UK. In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road." In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."

Reference URL:
CTV News Toronto
Wigan Observer

Report Credit:
CTV News Toronto and Richard Bean at the Wigan Observer

Response:
From the online sources cited above:

In Canada:
A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.
[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes. Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.

he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the redbag at the side of the road with the HSBC bank logo emblazoned at the front.
[Evan] I presume that this bag was lost in shipment. Was the information in the bag or the bag itself inventoried? Do you suppose the bank would have ever noticed that the bag was missing?

the bag belonged to the HSBC branch at Bayview and Major Mackenzie

"There were about 300 of them," he told CTV Toronto Saturday night. "There were more documents in there destroyed by the rain."

he tried to contact the bank but didn't have much luck

York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.

In the UK:
An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.
[Evan] Does "dumped" mean thrown away, like in a dumpster?

The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.
[Evan] Sheesh. A bad guy (or gal) could do a helluva lot of damage with this information.

The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.

Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them

She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." She has now filled a bag with as many of the computer print-offs she could find, although fears that many more have blown away on the windiest day of the year.

The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.
[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.

Neither understood the significance of the papers – although Mrs Stewart immediately did.

She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.

"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.

"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications.
"I find it very alarming that this kind of information is just blowing about in the street.
[Evan] No doubt!

"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."

A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend.

"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.
[Evan] Is everyone aware of and following the "stringent procedures"?

"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.

"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."
[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.

A UK Victim's Reaction:
"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."

"I have been with this bank since I was a young lad and it is very disappointing indeed."

Commentary:
Let's take this from both sides for a second. Poor information security practice led to these two breaches. Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information. I count five publicly reported breaches from HSBC in the past six months including the two in this post. There are likely more that weren't reported publicly as well.

Now the other side, for arguments sake. HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world. I presume that they also have hundreds of thousands of customers (maybe millions). Information security breaches in companies this large and diverse are bound to happen. It isn't possible to eliminate them, so the best you can hope to do is reduce risk to a level that is "acceptable" to management and shareholders. Information security personnel are not in the risk elimination business, we are in the risk reduction business. This is reality.

Past Breaches:
May, 2008 - HSBC loses a server in branch renovation
April, 2008 - HSBC loses disc with 370,000 customer details
February, 2008 - Five-year-old wanders into bank branch after-hours

NAC is about more than security at UNC

Sun, 11 May 2008 20:00:00 +0000

When the University of North Carolina at Chapel Hill implemented network access control campus-wide last spring, it was as much a natural progression of the school's network management strategy as it was a security project.

Card skimming at Lunardi's Supermarket

Tue, 06 May 2008 08:25:33 +0000

Technorati Tag: Security Breach

Date Reported:
4/29/08

Organization:
Lunardi's

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"bank card numbers and personal identification codes"*

*bank cards include credit cards and debit cards

Breach Description:
"About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam. And that number is expected to grow, Los Gatos police Capt. Dave Gravel said."

Reference URL:
KPIX TV Channel 5
The Mercury News
The Mercury News (update)

Report Credit:
KPIX TV Channel 5

Response:
From the online sources cited above:

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said today.
[Evan] The number "two dozen" was used in the original report on April 29th.

About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.
[Evan] By the time of the May 2nd story, the number of reported cases grew to about 150.

And that number is expected to grow, Los Gatos police Capt. Dave Gravel said.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles,'' McCarty said.

"What we have here is more than one person - they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
[Evan] Completely switch out the card reader? I have never been to the store so I don't know the layout, but how does a person switch out a card reader during business hours without anyone noticing? It seems very risky to make the switch during business hours. I suppose that a thief could pose as a repair or other support person that wouldn't look suspect. Was the switch done while the store was closed? If so, this seems to imply an insider. Just thoughts, I am sure that the investigators have already thought through these questions.

The thieves then transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.
[Evan] Search Google for "Credit Card Encoder" and take your pick of various credit/debit card magnetic stripe readers/writers. Extreme Media has information on "Credit Card Hacking, ATM Hacking, Debit Card Hacking and more. From Identity Fraud to Off Shore Banking we have you covered." I have never used or read any of their wares, so I don't know how reliable it is. The point I am trying to make is that committing fraud with compromised credit/debit card information is easy and there are plenty of people willing to help the bad guys.

police are still trying to determine how much money was stolen.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.
[Evan] If I were a customer of Lunardi's, I would contact my bank and close my credit/debit card account and open a new one (with new numbers).

Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used.

In a statement, the owners said the chain "in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness."

George Silvestri, an attorney for Lunardi's, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.

Lunardi's employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.

Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

The thefts at Lunardi's in Los Gatos comes about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.
[Evan] I missed this specific breach, but I did report an ARCO "skimming" related breach in December, 2007. The December breach occurred at the El Monte station.

Commentary:
Card skimming is nothing new, but the methods have been refined and the technology has gotten better. The devices used by the criminals used to be pretty easy to identify, but now some of the devices are so small and well made that it can be difficult to notice, even to a trained eye.

A video or two might be helpful to readers (good information, but nothing earth shattering)

An NBC 10 News report:

From the UK, "The Real Hustle - ATM Scam"

Past Breaches:
Unknown

Binghamton University mistaken email exposes students

Wed, 19 Mar 2008 11:10:22 +0000

Technorati Tag: Security Breach

Date Reported:
3/17/08

Organization:
State University of New York

Contractor/Consultant/Branch:
Binghamton University

Victims:
School of Management students

Number Affected:
338

Types of Data:
Names, Social Security numbers and grade point averages

Breach Description:
"The Social Security numbers of more than 300 Binghamton University students were accidentally e-mailed to a list of hundreds of other students on Friday", 3/14/08

Reference URL:
BU Pipe Dream
Press & Sun-Bulletin

Report Credit:
John Hill, Press & Sun-Bulletin

Response:
From the online sources cited above:

One wrong move has left more than 300 School of Management students vulnerable to identity theft. An e-mail containing the names, Social Security numbers and grade point averages of 338 accounting students were mistakenly sent to an accounting Listserv instead of another SOM faculty member Friday afternoon.

Brian Perry, an SOM undergraduate adviser, had meant to send the e-mail to other faculty members for the purpose of selecting students to receive various academic awards. Instead, the e-mail showed up in the inbox of 288 accounting students.
[Evan] Ouch it stinks to be named as the culprit publicly, by name. Why were Social Security numbers required in an email meant to select students for academic rewards? Does the school use Social Security numbers as identifiers (instead of student IDs)?

“We are taking the matter very seriously,” said Upinder Dhillon, SOM dean. “The University is conducting a full investigation of this incident, including how this information was compromised and how information security in the School of Management can be improved.”

Friday evening James VanVoorst, vice president for administration, sent an e-mail to students whose information had been included on the list, notifying them of the situation.
[Evan] The school should be credited for a very prompt response.

“The University is exploring ways to limit the dissemination of the information,” VanVoorst stated in the e-mail. “Although we have no indication that any of this information will be misused, we recommend that you take appropriate action, including placing a fraud alert through one of the three credit agencies listed.”

“It’s important to note that this wasn’t someone invading our campus database,” he said. “We have firewalls to prevent this. We continually stay vigilant on that scope.”
[Evan] More often than not, breaches are not caused by "someone invading" systems from the outside. People need to think of security holisticly and evaluate risks from many sources. Firewalls are obviously important, but they are not more than what they are.

Upinder is encouraging the 338 students who had their information exposed to contact his office with any questions, either by calling (607) 777-2314 or via e-mail to dhillon@binghamton.edu

Commentary:
This appears to be a simple employee mistake. It is scary how easily this could happen in many organizations. I know I have sent emails to unintended recipients before. I am concerned that Social Security numbers were contained in the email and wonder why? I am also curious about how access is restricted to such personally identifiable information (PII).

Potential causes that can lead to a higher risk of employee mistakes:

Overwork. Employees that are overworked and rushed make more mistakes.
Poor awareness. Improved awareness equates to less mistakes.
Technological conveniences. In this can, I think of Outlook and the auto-complete functions when addressing emails. It saves me time by not having to type the entire email address, but I can easily choose one of the wrong email addresses from the drop-down.
People are people. We all make mistakes. It just stings a little more when we are talking about the disclosure of confidential information.

Past Breaches:
Unknown