[SecurityRatty] tag: jersey

Facebook tests New Jersey's icon for reporting predators, pornography

Thu, 04 Sep 2008 09:00:00 +0000

Facebook Inc. is testing an icon created by the state of New Jersey to provide online users with a way to report predators and inappropriate content to law enforcement authorities.

Facebook tests New Jersey's icon for reporting predators, pornography

Thu, 04 Sep 2008 09:00:00 +0000

Facebook Inc. is testing an icon created by the state of New Jersey to provide online users with a way to report predators and inappropriate content to law enforcement authorities.

Former prosecutor: U.K. hacker's extradition is inevitable

Wed, 13 Aug 2008 09:00:00 +0000

A European court has held up an order to extradite Gary McKinnon to the U.S. to face charges of hacking into military computers in New Jersey and Virginia.

Metro Round-Up: Cablevision Update; Springfield (Mich.)

Fri, 01 Aug 2008 10:49:43 +0000

Cablevision says it's already spent $20m towards its plan to build out Wi-Fi across its operating territory: The cable firm has $300m budgeted to put Wi-Fi in place for its higher-tier subscribers at no cost across Long Islands and parts of New Jersey and Connecticut, as well as New York City and Westchester County. Cablevision thinks their network will be good enough to replace cell phones across their coverage, which ties in with the quadruple play many cable operators are aiming for: data, voice, video, and mobile.

Springfield, Mich., puts in its first antennas for a city-wide network: The network is being built with a $750,000 grant from a state development corporation to extend access and improve the business climate. Access will cost $10 per month for residents after an initial free period while the service powers up.

New Jersey's Gift to Music

Wed, 25 Jun 2008 17:41:17 +0000

Wow. Just wow. So the Feelies are playing together again after 18 years or so! I have really enjoyed some of the offshoots like Wake Ooloo, but I really never thought I would get to hear the real Feelies again. Amazing. If you know them you are excited as me that they are playing in Hoboken next month. If not, then everything good that REM did in the early 80s was taken from "Crazy Rhythms", and I will put "The Good Earth" with any other record.

2 Congressmen Say Chinese Hacked Their Computers

Wed, 11 Jun 2008 15:48:00 +0000

Two House members -- Virginia's Frank Wolf and New Jersey's Chris Smith -- say their Capitol Hill computers, containing information about political dissidents from around the world, have been hacked by sources apparently working out of China.

Bus Defended Against Terrorists Who Want to Reenact the Movie Speed

Tue, 10 Jun 2008 08:31:22 +0000

We're spending money on this?

...a new GPS device enables authorities to remotely control a bus -- slowing it down to 5 mph and preventing it from restarting once it has stopped. The device has been installed on thousands of local commuter and tourist buses.
The technology is designed to prevent a terrorist from ramming a bus filled with people and explosives into buildings or tunnels.

Private bus companies have received millions of dollars from the Department of Homeland Security for the security systems. It costs $1,500 to equip each bus, with $50-per-bus monthly maintenance costs.

Gray Line double-decker tourist buses and Coach USA have spent hundreds of thousands of dollars in federal funds to install 3,000 devices. After receiving a $124,000 federal grant, DeCamp Bus Lines is installing the device on its 80 commuter buses, which travel routes from northern New Jersey to the Port Authority Bus Terminal in Midtown.

New Jersey Transit is currently in the process of equipping all of its roughly 3,000 buses with the technology. NJ Transit Chief of Police Joseph Bober said: "This enhanced technology helps us protect our bus drivers and customers. It's another proactive tool to protect our property, employees and customers."

LPL Financial reports eighteen compromised logons

Tue, 20 May 2008 04:56:31 +0000

Technorati Tag: Security Breach

Date Reported:
5/6/08

Organization:
LPL Financial

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
10,219

Types of Data:
"names, addresses, phone numbers, account numbers, Social Security numbers, and dates of birth"

Breach Description:
LPL Financial recently notified the Maryland State Attorney General of a breach in which "hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL")." The "hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks."

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
Maryland State Attorney General

Response:
From the online source cited above:

We write to advise you of incidents in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL").
[Evan] How does a "hacker" compromise usernames and passwords of eighteen people working for the same company? Compromised logon server, spear phishing, malware?

To our knowledge, the hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks.

Attempted transactions were intercepted and either rejected or reversed.

No losses were passed on to customers

Hackers compromised the logon passwords of fourteen financial advisors and four assistants in branch offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months.

These incidents affected approximately 10,219 individuals

The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.
[Evan] I don't know the architecture of LPL's network or other infrastructure components, but I question why customers or financial advisors need access to Social Security numbers as part of a trading system. I know that LPL needs to store Social Security numbers for tax and other reporting purposes, but financial advisors, traders and customers don't need access to them.

At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach

We also are unaware of any personal instance of identity theft related to these incidents.

LPL learned of the first incident on July 16, 2007 and took the following actions: (1) notified law enforcement; (2) notified our primary regulator, the Financial Industry Regulatory Authority; (3) investigated the situation; (4) determined what information had been compromised; and (5) notified and offered solutions to the affected individuals.

LPL has taken several important steps to improve its level of data security and compliance

LPL has increased the profile of data security issues within the company at all levels, up to and including senior management.

In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at LPL.
[Evan] This is the first breach notification that I have read that included this type of information. I don't know Mr. Loewenthal (which doesn't say too much), but I do know that he is stepping into a pressure situation.

Mr. Loewenthal has extensive experience in the area of data protection. As a member of senior management, he reports directly to the Chief Risk Officer of LPL.
[Evan] I like when I read about information security personnel occupying "senior management" positions. Effective information security management needs to be as "senior" as possible in order to effect change in the organization. Information security governance is NOT an IT issue, but an organizational issue. There needs to be more good CISOs and CSOs.

In addition, LPL has developed a new, comprehensive information privacy and security program with new policies and procedures that were implemented in April 2008.

In August 2007, LPL engaged the services of Kroll Inc. ("Kroll"), a risk consulting company, to provide various services

In addition, LPL has commenced a project to enhance security on its advisor facing trading and operations systems in September 2007 and expects the project to complete in December 2008.
[Evan] Details are not available, but I would be interested in knowing more. Maybe removal of SSNs from the advisor facing trading systems and two-factor authentication are part of the mix.

Finally, LPL recently engaged the services of Edwards Angell Palmer & Dodge LLP to advise Mr. Loewenthal and LPL's in-house counsel as needed on information privacy and security issues.

LPL Financial is providing affected individuals with credit protection services from Kroll, Inc.

If you have any questions or feel you have an identity theft issue, please call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

If you want to talk to someone at LPL Financial to clarify or discuss the contents of this letter, please call us 1-800-558-7567, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

We apologize for any inconvenience or concern this situation may cause.

We at LPL Financial believe it is important for you to be fully informed of any potential risk resulting from this incident.

We remain committed to maintaining customer privacy as a key priority and will continue to take the needed steps to protect your information.

Commentary:
What makes this breach so interesting to me is the fact that there were at least 18 points of attack. I don't get the feeling that this was some sophisticated high-tech "hack" of LLP Financial's systems. It is much easier to craft an email or call someone and convince them to give you their login information.

Good luck Mr. Loewenthal, I'm sure you'll do fine!

Past Breaches:
Unknown

Way to go Interpol !

Thu, 08 May 2008 14:08:39 +0000

Interpol appeal unmasks US actor as child abuse suspect

Operation IDent-ification

By John Leyden ? More by this author

Published Thursday 8th May 2008 17:44 GMT

Find out how to eradicate 99.7% of spam

A man matching the description of a suspected child abuser who became the target of an international manhunt earlier this week has been arrested in the US.

Wayne Nelson Corliss, 58, was arrested in Union City, New Jersey on Thursday - two days after Interpol published photos resembling him. The actor, whose stage name is Casey Wane, is suspected of sexually abusing at least three boys aged between six and ten in south east Asia between April 2000 and May 2001.

Interpol Secretary General Ronald Noble hailed Corliss’s arrest: “Two days ago, this man’s nationality, identity and location were totally unknown. All we had to go by were a series of graphic photographs in which the suspect was seen sexually abusing young children and our confidence that the public and police worldwide would once again respond… That two days later, the primary suspect is now in custody is an outstanding achievement and a credit to the citizens, media and law enforcement worldwide who responded to Interpol’s call.”

In March 2006, police in Norwary found images of the abuse on the PC of a convicted paedophile. Two years of police investigation failed to identify the grey-haired, bespectacled suspect, or even his nationality. This prompted Interpol to publish six pictures of the man on Tuesday, in only its second appeal to find a suspected paedophile.

Last year a similar appeal uncovered the identity of Canadian Christopher Paul Neil, who is in jail awaiting trial on child abuse charges. German police unscrambled an image of Neil’s face that had been “swirled” to hide his identity. The picture was contained in a cache of child abuse images, and its publication by Interpol last October quickly led to his arrest in Thailand.

Former Verizon Wireless employee charged with identity theft

Sun, 27 Apr 2008 05:43:33 +0000

Technorati Tag: Security Breach

Date Reported:
4/22/08

Organization:
Verizon Wireless

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, Social Security number, and/or Verizon Wireless account number

Breach Description:
A former employee of Verizon Wireless who worked in a telesales position has been charged with identity theft by the Somerset County, New Jersey Prosecutor's Office. According to Verizon Wireless, it appears that he may have taken sensitive personal information belonging to Verizon Wireless customers during his employment from November, 2003 to January, 2005.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

a former Verizon Wireless telesales employee apparently obtained sensitive personal information about them from our records from late 2003 through early 2005.

Verizon Wireless is providing this notice to let you know that a former Verizon Wireless employee appears to have obtained, in violation of our policies, sensitive customer personal information, which may include your name, address, social security number, and/or Verizon Wireless account number.
[Evan] As I have said before in other similar breaches, employee fraud is often a difficult problem for information security professionals to tackle. This holds especially true when dealing with positions in the company that have statistically high turnover rates, like telesales, customer service, etc. These employees need a certain level of access to perform their job functions, but the access that they are granted needs to be as granular as possible. There are many controls that we try to apply like background checks (initial and periodic), role-based access control, monitoring, etc., but sometimes even the best controls can be circumvented. Remember that we are not in the risk elimination business, we are in the risk reduction business.

This former employee was arrested on March 27, 2008

The former employee has been charged with identity theft by the Somerset County, New Jersey Prosecutor's office, and we understand that he is likely to be indicted shortly.

We do not know the exact circumstances of this theft since we have not spoken to this individual.

However, based on copies of documents provided to us by the Prosecutor's office, it appears that he may have printed computers screens containing customer's names, addresses and social security numbers.

It appears that he may have taken this sensitive information about you while he worked for us in a telesales position for a little over a year, from November 2003 to January 2005.

Approximately two years ago, long before we learned of this incident, we modified our systems so that they no longer allow telesales employees to access a customer's full social security number after that number has been used for an initial credit check.
[Evan] This was/is a good preventative control and a wise decision. I assume that Verizon has an extensive risk management and information security presence within the company. Verizon Wireless employs roughly 69,000 people and an estimated 65.7 million customers, so you can imagine the amount of sensitive personal information that they must control.

Although we do not have evidence that our former employee succeeded in stealing your identity, it is possible that this occurred given the nature of his offense.

We sincerely apologize for any inconvenience this may cause you

Commentary:
Verizon Wireless is providing affected persons with one year of credit monitoring.

Past Breaches:
None