[SecurityRatty] tag: sacramento

Silent Break-Ins: How Technology Compromises Physical Security Too

Tue, 11 Nov 2008 12:17:53 +0000

I could have used this technique last night — I got home to my apartment in Oakland at 11:30, only to realize I’d left my keys in Sacramento. Two hours later a locksmith finally came and charged me $100 to let me in my own apartment. Expensive? Maybe, but comparable to other services, and compared to the havoc that a lock-breaker could wreak if he was trying to use his talents for crime rather than service, it’s a small price.

It’s kind of frightening to see how quickly a skilled lock-picker can jimmy a lock and get in. But new technology makes it even simpler — apparently all you need is a good telephoto lens to break in to someone’s house — just wait till they leave their keys out on a table, snap a picture, and take it to an unethical key maker, and wha-la, a perfect replica:

“We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.”

Professor Savage presents this work on October 30 at ACM’s Conference on Communications and Computer Security (CCS) 2008, one of the premier academic computer security conferences.

Read the full article here.

Ive got a better idea Arnold!

Thu, 24 Jul 2008 15:10:58 +0000

Why dont you and the rest of our corrupt officials start working for nothing?

clipped from www.latimes.com

Schwarzenegger seeks to slash state workers’ pay till budget passes

SACRAMENTO — –
Gov. Arnold Schwarzenegger has prepared an order to cut the pay of about 200,000 state workers to the federal minimum wage of $6.55 an hour until a budget is signed.

Can Azulstar Make WiMax Work without Buying Spectrum?

Fri, 09 May 2008 06:58:59 +0000

Azulstar once pinned its fortunes on city-wide Wi-Fi, but now looks to a special licensed spectrum band to make WiMax work where Wi-Fi failed: Azulstar has been the also-ran in Wi-Fi for some years, I'll just state bluntly and upfront. They built a network in Grand Haven, Mich., in 2003 that's one of--if not the--longest running metro-scale Wi-Fi networks in the world designed for public access. The mayor of Grand Haven since 2003, Roger Bergman, told me, "I got on board personally right away, and I am still on."

Azulstar soon answered several RFPs and partnered up with major firms to bring Wi-Fi to Rio Rancho, N.M., Winston-Salem, N.C., Sacramento, Calif., and most notably Silicon Valley--a set of dozens of cities along with county government and private enterprise all wanting some kind of tiered Wi-Fi across 1,500 sq mi.

While EarthLink, MetroFi, and even Kite Networks (with their extensive Arizona buildout in Tempe launched a bit before any other large competiting network) seized the headlines, and later made news about their stalls, failures, and exits, Azulstar seemed quietly to sink into the sand. The Wireless Silicon Valley deal fell apart, as did Sacramento after efforts to get stakeholder and outside investment seemed to fail to materialize, and the marquee partners--Cisco, IBM, and Intel--just wouldn't step up to the plate to make the project move forward. Azulstar was the lead techology firm, but the money just didn't come. (Both California projects are moving forward with a different set of partners and expectations now.)

Rio Rancho was perhaps one of the biggest letdowns. City manager Jim Payne explained in an interview a few weeks ago, "They had a number of things that were going against them from the start, and they did make an attempt to meet the requirements of the contract." But Rio Rancho voted to not just terminate the contract after years of attempts to make the network work, but rejected a proposal from Azulstar a few weeks ago to switch over equipment on the poles. Azulstar now has to remove all its devices.

All of this might make the typical company head a bit depressed about his firm's future, and less than sanguine about the potential for wireless broadband to work at all. Not so for Tyler van Houwelingen, Azulstar's chief, and I have to admit that he convinced me that the wireless provider has a fighting chance, due to a good combination of timing, spectrum policy, and a large dollop of can-do spirit.

BART Wi-Fi Access Moves Closer in Bay Area

Wed, 09 Apr 2008 02:39:32 +0000

WiFi Rail may sign contract with Bay Area Rapid Transit soon: That's typical marketing fare from many companies, to pre-announce deals, but a BART official confirmed the state of negotiations in this Sacramento Bee article. I had a long talk with the WiFi Rail folks a few months ago, and they sent me some fascinating video of a live four-way video chat with three participants communicating from moving trains.

Their technical description of what they're doing makes a lot of sense, and if they can pull off their trial work in a production environment, they will have a set of patents and products that will likely be the model for deploying subway and train Wi-Fi in urban areas around the world. Yes, that's a big claim; but they have a unique and interesting solution.

The company told the Bee that they would start on heavily traveled underground routes first, with service available within 4 months of a contract. WiFi Rail relies on leaky coax, which is wiring that runs in the tunnel already, and they've overlaid Wi-Fi signals on in a way that simulates a very long antenna.

The Bee reports that they've raised $1.5m in financing so far with another round of $15m to $20m to close later this year. With a BART contract in hand, I can't imagine they'll have any difficulty getting funds. Captive audiences are worth the big bucks.

New parents exposed in Fresno County lost mail

Mon, 07 Apr 2008 12:07:10 +0000

Technorati Tag: Security Breach

Date Reported:
4/3/08

Organization:
Fresno County

Contractor/Consultant/Branch:
None

Victims:
New parents and babies

Number Affected:
279

Types of Data:
Names and Social Security numbers

Breach Description:
"Fresno County health officials say 279 birth certificate applications that list personal information of Valley babies and their parents are missing after they were mailed to the state. An envelope containing the birth certificate applications arrived at the the state Department of Public Health in Sacramento damaged, but with most of the forms missing."

Reference URL:
The Mercury News
The Fresno Bee

Report Credit:
The Associated Press

Response:
From the online sources cited above:

Fresno County health officials say 279 birth certificate applications that include the Social Security numbers of the babies' parents are missing.
[Evan] Thankfully, these babies do not have Social Security numbers yet, otherwise this adds a whole new dimension.

The state Department of Public Health told the county in February that an envelope containing 378 birth certificate applications from Fresno County had arrived damaged in Sacramento and that most were missing.

The forms contain information about babies born in six San Joaquin Valley hospitals, including their parents' names and Social Security numbers.
[Evan] Again, Social Security numbers used as personal identifiers in a manner that they were never designed for.

State officials called the incident a low risk for identity theft, but parents were notified about the missing forms.
[Evan] I wonder who makes the judgment call that terms this "low risk". Must be somebody that is well versed in risk management, right?

The Postal Service is searching for the items and trying to figure out where the certified letter was damaged.

Fresno Bee Opinion Column:
The latest screw-up by Fresno County is more evidence of how cavalierly county officials treat the public's sensitive personal information. No wonder identity theft is out of control. Our government, at all levels, is a major contributor to the problem.

Sending this information by mail may not have been the dumbest thing county officials have done lately, but it has to be right up there. Why wasn't this packet sent by courier or some other more secure means?
[Evan] Like encrypted on a CD or transferred over a secure network.

In February, county officials warned thousands of CalWORKs clients that they could be victimized after a laptop computer was stolen.
[Evan] We missed this one on The Breach Blog. I may have to go back an add it now.

The response by county officials is to shrug off these lapses, and offer the standard response that they don't think anyone has been the victim of fraud because of their negligence. How do they really know?

The security of personal information must have a much higher priority than the Board of Supervisors gives it. The board should be demanding that sensitive information not be put on laptops that can be easily stolen, or bundled up and dropped in the mail -- a packet that can be easily damaged during the mailing process.

Every year, tens of thousands of Californians become identity theft victims. Thieves create new credit card accounts with stolen Social Security numbers, then rack up huge expenditures on the cards before the victims notice.
[Evan] Tens of thousands of victims in California, yet people continue to tag breaches as "low risk".

In the San Joaquin Valley, methamphetamine users are glad that Fresno County doesn't have strong security procedures for personal data. Police tell us that 70% of Fresno's identity-theft cases are committed by meth addicts. They stay up for days finding ways to steal personal financial information.

Fresno County makes it easy for them.

Commentary:
Can you imagine the joy that many of these parents feel in bringing home a new baby boy or girl. Now imagine some of the joy being taken away because somebody unnecessarily exposed your personal details. It stinks that terrible security practices have the potential to affect personal lives.

Past Breaches:
Unknown

OmniAmerican Bank targeted by cyber criminals

Mon, 28 Jan 2008 08:26:35 +0000

Technorati Tag: Security Breach

Date Reported:
1/24/08

Organization:
OmniAmerican Bank

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Internal bank systems and account numbers

Breach Description:
An "international gang of cyber criminals" breached OmniAmerican bank systems and used a variety of information to create new personal identification numbers (PINs) and fake debit cards. The criminals then used the cards at to make withdrawls at ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York.

Reference URL:
Star-Telegram Story
Sacramento Bee Story

Report Credit:
Barry Shlachter, Star-Telegram

Response:
From the online sources cited above:

An international gang of cyber criminals hacked into OmniAmerican Bank's records, the bank's president disclosed Wednesday.

They stole scores of account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, including Russia and Ukraine, as well as in Britain, Canada and New York.
[Evan] This is either a geographically disperse "gang", or the information was sold to various buyers.

"It was a pretty sophisticated scheme," said Tim Carter, president of the Fort Worth-based bank.
[Evan] I wonder how sophisticated this attack really was. My first suspicion is a targeted (spear) phishing attack, which isn't very sophisticated.

The amount stolen is not yet known, he said, describing it only as "minimal." No depositors will lose money, he said.

Fewer than 100 accounts, some of them dormant, were compromised, all with a daily withdrawal limit of less than $1,000, he said.

After discovering the fraudulent activity Friday afternoon, OmniAmerican placed temporary limits on some ATM and debit-card transactions and suspended some electronic banking services, which were restored Sunday, Carter said. At no time were customer deposits at risk, he stressed. "We reduced by half the dollar amount that could be withdrawn and limited [access] to Texas. We cut out anything outside Texas," Carter said.
[Evan] Seems like a logical response, but what a hassle for customers. As of Monday morning, the warning below is still posted on OmniAmerican's home page.

The unauthorized withdrawals were stopped Friday, and bank employees worked over the weekend to deal with the damage, he said.
[Evan] The unauthorized withdrawls made on accounts that were known to have been compromised at least.

The bank learned of the breach from customers inquiring about unusual activity in their accounts, from internal monitoring and from a law-enforcement agency, which Carter declined to name.

Letters alerting check-card holders of the fraudulent activity were mailed Wednesday, the bank said.

OmniAmerican is also issuing approximately 40,000 new debit cards as a safeguard against future fraudulent activity, Carter said. Each needs a revised personal identification number.

Martin Carmichael, the Plano-based chief security officer at McAfee, a computer-security firm, said this type of cyber-attack has become "a commonplace occurrence," although some banks are reluctant to admit that their security has been breached.
[Evan] I agree with Mr. Carmichael. In my work with banks, they all expect to lose a certain amount of money. They say it comes with the territory. If a breach is disclosed to the public, it could negatively affect customer confidence which equates to lost revenue. Lost dollars due to customer confidence usually outweigh the lost dollars from the breach itself. I guess anyway. Banks are attacked and/or compromised every day because they have the one thing everybody wants…money.

Carmichael said OmniAmerican apparently fell victim to one of the more skilled gangs of criminal hackers.
[Evan] Again, I question how skilled an attacker really needs to be. Many "skilled" attackers go unnoticed and why would skilled attackers stop at "fewer than 100 accounts" before calling attention to themselves?

"If you look at the sophistication of it -- going in, modifying PINs, issuing cards -- this is not a kid out there," he said. "This appears to be something set up. Time was involved in executing it."

Whoever they are, he said, "they're elite, more elegant, and it's difficult for banks and many enterprises to keep pace with their activities.

"Banks are under a great amount of pressure to balance risk and shareholder value," said Carmichael, speaking from Las Vegas, where he is attending a conference. "They could do more, [but they] have a hard time justifying the cost until an incident occurs."
[Evan] Very well put, sad and true.

Commentary:
Maybe this was a sophisticated attack like some are claiming. I just think about how easy it could be to carry out a spear phishing attack either to download and install malware or collect a password of a bank employee (because many people use one password for everything) and proxy the network traffic through compromised systems in other countries. Phishing and other attacks based on human behavior are usually much more successful than high-tech exploits.

OmniAmerican deserves some credit for a firm and decisive incident response.

Past Breaches:
Unknown