<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: school]]></title>
    <link>http://securityratty.com/tag/school</link>
    <description></description>
    <pubDate>Tue, 17 Jun 2008 20:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Random Stupidity in the Name of Terrorism]]></title>
      <link>http://securityratty.com/article/c81bd0a4e004add0a54874f8bf604a84</link>
      <guid>http://securityratty.com/article/c81bd0a4e004add0a54874f8bf604a84</guid>
      <description><![CDATA[An air traveller in Canada is first told by an airline employee that it is &quot;illegal&quot; to say certain words, and then that if he raised a fuss he would be falsely accused: When we boarded a little...]]></description>
      <content:encoded><![CDATA[An air traveller in Canada is first <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20080627.blatch28/BNStory/specialComment/home">told</a> by an airline employee that it is "illegal" to say certain words, and then that if he raised a fuss he would be falsely accused:

<blockquote>When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight."</blockquote>

More on the British <a href="http://www.theregister.co.uk/2008/06/23/police_photographer_stops/">war on photographers</a>.

A British man is forced to give up his <a href="http://uk.news.yahoo.com/skynews/20080624/tuk-bus-spotter-labelled-a-paedophile-45dbed5.html">hobby</a> of photographing buses due to harassment.

<blockquote>The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives.

The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown.

"The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority.

Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment.

"I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts."</blockquote>

Is <a href="http://www.cnn.com/2008/WORLD/meast/07/02/israel.bulldozer/">everything</a> illegal and damaging now terrorism?

<blockquote>Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead.

Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization.</blockquote>

Boston public school locked down after someone <a href="http://www.boston.com/news/odd/articles/2008/06/25/school_locked_down_after_ninja_sighted_in_woods/">saw</a> a ninja:

<blockquote>Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword.

Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.</blockquote>

And finally, not terrorism-related but a fine newspaper headline:  "<a href="http://ap.google.com/article/ALeqM5h1AqbvSMYPxJrla6-Fgym8WIzEsgD91KNJD00">Giraffe helps camels, zebras escape from circus</a>":

<blockquote>Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.</blockquote>

Are llamas really that hard to count?]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 08:57:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/israeli police shot">israeli police shot</category>
      <category domain="http://securityratty.com/tag/giraffe">giraffe</category>
      <category domain="http://securityratty.com/tag/terrorist">terrorist</category>
      <category domain="http://securityratty.com/tag/israeli authorities">israeli authorities</category>
      <category domain="http://securityratty.com/tag/giraffe helps camels">giraffe helps camels</category>
      <category domain="http://securityratty.com/tag/authorities">authorities</category>
      <category domain="http://securityratty.com/tag/boston public school">boston public school</category>
      <category domain="http://securityratty.com/tag/terrorist organization">terrorist organization</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/random_stupidit.html">Random Stupidity in the Name of Terrorism</source>
    </item>
    <item>
      <title><![CDATA[Chinese Bloggers Bypassing Censorship by Blogging Backward]]></title>
      <link>http://securityratty.com/article/26f7575451fc6f8d60130b629311d3de</link>
      <guid>http://securityratty.com/article/26f7575451fc6f8d60130b629311d3de</guid>
      <description><![CDATA[With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they...]]></description>
<content:encoded><![CDATA[<a href="http://bp1.blogger.com/_wICHhTiQmrA/SGvwdNhcZHI/AAAAAAAAB3c/28Sgw6ZBdPA/s1600-h/blogging_backward_vertical_horizontal.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp1.blogger.com/_wICHhTiQmrA/SGvwdNhcZHI/AAAAAAAAB3c/X2cmTkxM3Qk/s200-R/blogging_backward_vertical_horizontal.jpg" style="border: 0pt none ;" /></a>With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, <a href="http://online.wsj.com/article/SB121493163092919829.html">Chinese bloggers have started using a widget</a> they originally came up with in order to <a href="http://www.cshbl.com/gushu.html">bypass the "Great Firewall of China"</a> by blogging backward, vertically and horizontally:<br />
<br />
"<i>So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot</i>"<br />
<br />
An old-school content obfuscation service they could take advantage of offers the opportunity to turn a short message into spam or a fake PGP-encrypted file that both parties can easily decode back to the original.<br />
<br />
<a href="http://www.spammimic.com/">Spammimic</a> is what I have in mind.]]></content:encoded>
      <pubDate>Wed, 02 Jul 2008 12:25:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bloggers">bloggers</category>
      <category domain="http://securityratty.com/tag/chinese bloggers">chinese bloggers</category>
      <category domain="http://securityratty.com/tag/tianya">tianya</category>
      <category domain="http://securityratty.com/tag/hainan tianya online">hainan tianya online</category>
      <category domain="http://securityratty.com/tag/china">china</category>
      <category domain="http://securityratty.com/tag/track objectionable phrases">track objectionable phrases</category>
      <category domain="http://securityratty.com/tag/fake pgp">fake pgp</category>
      <category domain="http://securityratty.com/tag/censorship regime">censorship regime</category>
      <category domain="http://securityratty.com/tag/short message">short message</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/325218818/chinese-bloggers-bypassing-censorship.html">Chinese Bloggers Bypassing Censorship by Blogging Backward</source>
    </item>
    <item>
      <title><![CDATA[Credit Card "Hack Pack" Is Flavour Of The Month With Script Kiddies]]></title>
      <link>http://securityratty.com/article/1fb4862852cab2e76cec12a5abbb1c17</link>
      <guid>http://securityratty.com/article/1fb4862852cab2e76cec12a5abbb1c17</guid>
      <description><![CDATA[There's a collection of credit card hack / generation tools currently in circulation, and apparently quite popular with the script kiddies. With programs seemingly dating back from 1995(!) up until...]]></description>
      <content:encoded><![CDATA[
        There's a collection of credit card hack / generation tools currently in circulation, and apparently quite popular with the script kiddies. With programs seemingly dating back from 1995(!) up until the present day, there's something for everyone in this little bundle of "joy".<br /><br />Here's what you'll see when the files have been unzipped:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="cchacks1.jpg" src="http://blog.spywareguide.com/images/cchacks1.jpg" class="mt-image-none" style="" height="69" width="326" /></span></div><br /> <div><br />The folders give dates from 2006 to 2008, though the dates of the included programs stretch back quite a way further than that. One of the programs inside the folders is dated as 2001:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="cchacks2.jpg" src="http://blog.spywareguide.com/images/cchacks2.jpg" class="mt-image-none" style="" height="134" width="279" /></span></div><br /></div><div><br />As you can see, it's a fairly basic Credit Card generator / validation program. The rest of the programs are something of a mixed bag indeed, some of them don't actually work (not that I'm complaining). 
For the old school connoisseur, here's an ancient program going back to 1995:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/cchacks3.html" onclick="window.open('http://blog.spywareguide.com/images/cchacks3.html','popup','width=539,height=396,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/cchacks3-thumb-339x249.jpg" alt="cchacks3.jpg" class="mt-image-none" style="" height="249" width="339" /></a></span><br /><br />Click to Enlarge<br /></div><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/cchacks4.html" onclick="window.open('http://blog.spywareguide.com/images/cchacks4.html','popup','width=618,height=239,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/cchacks4-thumb-318x122.jpg" alt="cchacks4.jpg" class="mt-image-none" style="" height="122" width="318" /></a></span><br /><br />Click to Enlarge<br /></div><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/cchacks5.html" onclick="window.open('http://blog.spywareguide.com/images/cchacks5.html','popup','width=733,height=417,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/cchacks5-thumb-333x189.jpg" alt="cchacks5.jpg" class="mt-image-none" style="" height="189" width="333" /></a></span><br /><br />Click to Enlarge<br /></div><br />The most notable program included would probably be something called Credit Wizard, which seems to make up the majority of the bundle with updated releases in each folder:<br 
/><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/cchacks6.html" onclick="window.open('http://blog.spywareguide.com/images/cchacks6.html','popup','width=588,height=456,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/cchacks6-thumb-388x300.jpg" alt="cchacks6.jpg" class="mt-image-none" style="" height="300" width="388" /></a></span><br /><br />Click to Enlarge<br /></div><br />As you can see, it comes with most of the options of the other tools and also comes with an "Info Generator", which allows you to create fake names &amp; addresses at the push of a button. There are a few URLs included in the zip which seem to point to Argentinian hacking sites, but as they all seem to be down, there's no way to verify if they distributed this collection or are just getting shout-outs from their friends. Either way, not the greatest thing to wake up to on a Monday morning...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Mon, 30 Jun 2008 04:34:20 +0000</pubDate>
      <category domain="http://securityratty.com/tag/programs seemingly">programs seemingly</category>
      <category domain="http://securityratty.com/tag/programs">programs</category>
      <category domain="http://securityratty.com/tag/programs inside">programs inside</category>
      <category domain="http://securityratty.com/tag/script kiddies">script kiddies</category>
      <category domain="http://securityratty.com/tag/enlarge">enlarge</category>
      <category domain="http://securityratty.com/tag/click">click</category>
      <category domain="http://securityratty.com/tag/programs stretch">programs stretch</category>
      <category domain="http://securityratty.com/tag/generation tools">generation tools</category>
      <category domain="http://securityratty.com/tag/tools">tools</category>
      <source url="http://blog.spywareguide.com/2008/06/credit-card-hack-pack-is-flavo.html">Credit Card "Hack Pack" Is Flavour Of The Month With Script Kiddies</source>
    </item>
    <item>
      <title><![CDATA[Bizarre Forum Spam]]></title>
      <link>http://securityratty.com/article/b96128376248105b80aab1b64d0d9df7</link>
      <guid>http://securityratty.com/article/b96128376248105b80aab1b64d0d9df7</guid>
<description><![CDATA[When SEO companies.....attack

I think someone needs to send the &quot;Online Media Executive&quot; back to online media executive...]]></description>
      <content:encoded><![CDATA[
        When SEO companies.....attack!<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/seo_attack.html" onclick="window.open('http://blog.spywareguide.com/images/seo_attack.html','popup','width=594,height=489,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/seo_attack-thumb-394x324.jpg" alt="seo_attack.jpg" class="mt-image-none" style="" height="324" width="394" /></a></span><br /> </div><div><div align="center"><br />Click to Enlarge<br /></div><br />I think someone needs to send the "Online Media Executive" back to online media executive school...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Mon, 30 Jun 2008 04:03:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/online media executive">online media executive</category>
      <category domain="http://securityratty.com/tag/seo companies">seo companies</category>
      <category domain="http://securityratty.com/tag/click">click</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/enlarge">enlarge</category>
      <source url="http://blog.spywareguide.com/2008/06/bizarre-forum-spam.html">Bizarre Forum Spam</source>
    </item>
    <item>
      <title><![CDATA[D.C. Gun Ban Lifted - Thank You Supreme Court!]]></title>
      <link>http://securityratty.com/article/48afb26967b2d6b434e3ae9982c4b02e</link>
      <guid>http://securityratty.com/article/48afb26967b2d6b434e3ae9982c4b02e</guid>
      <description><![CDATA[The news came like music to my ears (and to hundreds of thousands of other ears across the country, I dare say). Law abiding citizens in the District of Columbia would be allowed to protect their...]]></description>
      <content:encoded><![CDATA[The news came like music to my ears (and to hundreds of thousands of other ears across the country, I dare say).  Law abiding citizens in the District of Columbia would be allowed to protect their homes and families. <br />
<span id="fullpost"><br />
The vote was not unanimous by any means - the historic decision was arrived at by a 5 to 4 vote to remove the ban prohibiting District residents from obtaining handguns.  In a WTOP radio interview today, the NRA lobby spokesman, Chris Cox, spoke about the need for cities such as Chicago and San Francisco to fight to have their Second Amendment rights reinstated.<br />
<br />
Mr. Cox also gave notice to D.C. Mayor Fenty that he would have to honor the Supreme Court's decision, even though it is well known that the Mayor is a fierce opponent of allowing law abiding citizens to protect themselves and their loved ones with the aid of a firearm.  Mayor Fenty was later quoted as saying: "More guns will mean more crimes".<br />
<br />
Apparently the Mayor's flawed and, at this stage, threadbare reasoning did not influence the majority of Supreme Court Justices.  I would dearly love to be able to ask the Mayor this one question: how has the ban on handguns, which has been in effect in the District of Columbia for the past 32 years, helped to cut down on violent crime involving the use of ILLEGAL firearms?  I am sure that I am not the only one who has heard D.C. referred to as "The Murder Capital of the World".  Are drive-bys and drug/gang related homicides ever committed by a law abiding citizen?  How could having a firearm in one's home lead to more crime?<br />
<br />
I put it to you, Mr. Mayor, that the exact opposite would/will happen.  All of those two-bit gun wielding punks on your streets who think they are big and bad because they have a "piece" jammed in their waistbands will think twice before burglarizing the home of a law abiding citizen who just might be pointing the noisy end of a .45 pistol at them.  It is a well known fact that D.C. and Maryland criminals are very reluctant to break into a Virginia home as they know that Virginians have easy access to weapons.<br />
<br />
Of course this latest ruling does not in any way mean that we'll all be walking around downtown with concealed firearms.  Far from it, I am sure.  Justice Scalia pointed out that restrictions will still be in place.  As it should be.  Law abiding citizens do not want to see convicted felons carrying guns, nor should those suffering from mental disorders or with a history of violent domestic abuse be allowed to access guns.  Similar to what we have in Virginia, it is realistic to expect that guns will be banned from Government buildings and schools.<br />
<br />
As the owner of a security firm who protects clients from harm and as someone allowed to carry concealed in Virginia and Maryland, I would hope that those of us who are properly licensed and insured in the District will be able to carry concealed there.  I wouldn't even mind if the Mayor acted like a proper politician and found a way to tax us for the privilege.  <br />
<br />
He can even insist that all future gun holders undergo a mandated safety course.  Being a certified security training school, we're ready to get on board with the training program today!<br />
</span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 22:23:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mayor">mayor</category>
      <category domain="http://securityratty.com/tag/mayor fenty">mayor fenty</category>
      <category domain="http://securityratty.com/tag/supreme court">supreme court</category>
      <category domain="http://securityratty.com/tag/virginia home">virginia home</category>
      <category domain="http://securityratty.com/tag/virginia">virginia</category>
      <category domain="http://securityratty.com/tag/mayor acted">mayor acted</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/law">law</category>
      <category domain="http://securityratty.com/tag/guns">guns</category>
      <source url="http://www.thebulletproofblog.com/2008/06/dc-gun-ban-lifted-thank-you-supreme.html">D.C. Gun Ban Lifted - Thank You Supreme Court!</source>
    </item>
    <item>
      <title><![CDATA[Mashup of the Titans]]></title>
      <link>http://securityratty.com/article/6289294023616c0d4219941919c976a5</link>
      <guid>http://securityratty.com/article/6289294023616c0d4219941919c976a5</guid>
      <description><![CDATA[Information Security - an Oxymoron for the information age

Always the beautiful answer who asks a more beautiful question. e. e. cummings
or why i am with Gelernter

This is a mashup of Saltzer &amp;...]]></description>
<content:encoded><![CDATA[<div>Information Security - an Oxymoron for the information age</div><br /><div>“Always the beautiful answer who asks a more beautiful question.” e. e. cummings</div><div>...or why I am with Gelernter</div><br /><div>This is a mashup of Saltzer &amp; Schroeder&#39;s famous <a href="http://www.cs.virginia.edu/~evans/cs551/saltzer/">information security principles</a> with David Gelernter&#39;s <a href="http://www.edge.org/documents/archive/edge70.html">Manifesto</a>.</div><br /><div>The premise of this mashup is to examine the paper by Saltzer and Schroeder, which was written in 1975 and serves as the basis for most information security programs, against Gelernter&#39;s manifesto on where computing is actually going. Each of the eight principles in Saltzer and Schroeder&#39;s paper is listed in order, and followed by select excerpts of Gelernter&#39;s manifesto. This comparison is to examine theoretical information security principles vis-à-vis the actual utility of modern information systems. I will not make an attempt to reconcile theory and practice, but will point out where the two schools of thought agree. In fairness, Saltzer and Schroeder&#39;s paper was written 25 years before Gelernter&#39;s; however, Saltzer and Schroeder&#39;s principles dominate the thinking about information security to this day, and so it&#39;s important to view them side by side with Gelernter&#39;s thinking on the direction of computing.</div><br /><div style="color: #bf5f00; ">Saltzer and Schroeder:</div><div>&quot;a) Economy of mechanism: Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). 
As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.&quot;</div><br /><div style="color: #0060bf; ">Gelernter:</div><div>&quot;9. The computing future is based on &quot;cyberbodies&quot; — self-contained, neatly-ordered, beautifully-laid-out collections of information, like immaculate giant gardens.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;So far, so good</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;b) Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,8 means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. 
This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;A conservative design principle that puts the object&#39;s owner in control of permissions. This makes a lot of sense from the object point of view, but does little to address the use case in which it executes.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;c) Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;8. The software systems we depend on most today are operating systems (Unix, the Macintosh OS, Windows et. al.) and browsers (Internet Explorer, Netscape Communicator...). Operating systems are connectors that fasten users to computers; they attach to the computer at one end, the user at the other. Browsers fasten users to remote computers, to &quot;servers&quot; on the internet.</div><br /><div>Today&#39;s operating systems and browsers are obsolete because people no longer want to be connected to computers — near ones OR remote ones. (They probably never did). They want to be connected to information. 
In the future, people are connected to cyberbodies; cyberbodies drift in the computational cosmos — also known as the Swarm, the Cybersphere.</div><br /><div>13. Any well-designed next-generation electronic gadget will come with a ``Disable Omniscience&#39;&#39; button.</div><br /><div>17. A cyberbody can be replicated or distributed over many computers; can inhabit many computers at the same time. If the Cybersphere&#39;s computers are tiles in a paved courtyard, a cyberbody is a cloud&#39;s drifting shadow covering many tiles simultaneously.</div><br /><div>20. If a million people use a Web site simultaneously, doesn&#39;t that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The &quot;site&quot; is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Complete mediation provides the underpinning for Saltzer and Schroeder&#39;s system, but does not appear to scale to the desired itinerant horde at least in common interpretation.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;d) Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. 
This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;both seem to agree, hard to get the itinerant horde moving in a swarm without open standards.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;37. 
Elements stored in a mind do not have names and are not organized into folders; are retrieved not by name or folder but by contents. (Hear a voice, think of a face: you&#39;ve retrieved a memory that contains the voice as one component.) You can see everything in your memory from the standpoint of past, present and future. Using a file cabinet, you classify information when you put it in; minds classify information when it is taken out. (Yesterday afternoon at four you stood with Natasha on Fifth Avenue in the rain — as you might recall when you are thinking about &quot;Fifth Avenue,&quot; &quot;rain,&quot; &quot;Natasha&quot; or many other things. But you attached no such labels to the memory when you acquired it. The classification happened retrospectively.)&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Information Security models tend to look at things statically through information classification lenses, but it&#39;s how information is used that makes it valuable. In practice, this is where information security theory breaks down in the face of reality - what does an access control matrix look like for a mashup? What does it look like for a data mining app?</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. 
Put another way, if a mechanism can provide &quot;firewalls,&quot; the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of &quot;need-to-know&quot; is an example of this principle.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;28. Metaphors have a profound effect on computing: the file-cabinet metaphor traps us in a &quot;passive&quot; instead of &quot;active&quot; view of information management that is fundamentally wrong for computers.</div><br /><div>29. The rigid file and directory system you are stuck with on your Mac or PC was designed by programmers for programmers — and is still a good system for programmers. It is no good for non-programmers. It never was, and was never intended to be.</div><br /><div>30. If you have three pet dogs, give them names. If you have 10,000 head of cattle, don&#39;t bother. Nowadays the idea of giving a name to every file on your computer is ridiculous.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Least Privilege is the point where the practical matter of applying Saltzer and Schroeder&#39;s principles breaks down in modern systems. It&#39;s a deployment issue, and a matter of insufficient models and modes.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. 
For example, given the choice of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user&#39;s own, choose the latter course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can avoid being harmed by a mistake in it.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;6. Miniaturization was the big theme in the first age of computers: rising power, falling prices, computers for everybody. Theme of the Second Age now approaching: computing transcends computers. Information travels through a sea of anonymous, interchangeable computers like a breeze through tall grass. A desktop computer is a scooped-out hole in the beach where information from the Cybersphere wells up like seawater.</div><br /><div>16. The future is dense with computers. They will hang around everywhere in lush growths like Spanish moss. They will swarm like locusts. But a swarm is not merely a big crowd. The individuals in the swarm lose their identities. The computers that make up this global swarm will blend together into the seamless substance of the Cybersphere. Within the swarm, individual computers will be as anonymous as molecules of air.</div><br /><div>55. Software can solve hard problems in two ways: by algorithm or by making connections — by delivering the problem to exactly the right human problem-solver. The second technique is just as powerful as the first, but so far we have ignored it.</div><br /><div>56. Lifestreams and microcosms are the two most important cyberbody types; they relate to each other as a single musical line relates to a single chord. 
The stream is a &quot;moment in space,&quot; the microcosm a moment in time.&quot;</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user&#39;s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;7. &quot;The network is the computer&quot; — yes; but we&#39;re less interested in computers all the time. The real topic in astronomy is the cosmos, not telescopes. The real topic in computing is the Cybersphere and the cyberstructures in it, not the computers we use as telescopes and tuners.</div><br /><div>27. Modern computing is based on an analogy between computers and file cabinets that is fundamentally wrong and affects nearly every move we make. (We store &quot;files&quot; on disks, write &quot;records,&quot; organize files into &quot;folders&quot; — file-cabinet language.) Computers are fundamentally unlike file cabinets because they can take action.</div><br /><div>31. Our standard policy on file names has far-reaching consequences: doesn&#39;t merely force us to make up names where no name is called for; also imposes strong limits on our handling of an important class of documents — ones that arrive from the outside world. 
A newly-arrived email message (for example) can&#39;t stand on its own as a separate document — can&#39;t show up alongside other files in searches, sit by itself on the desktop, be opened or printed independently; it has no name, so it must be buried on arrival inside some existing file (the mail file) that does have a name. The same holds for incoming photos and faxes, Web bookmarks, scanned images...</div><br /><div>32. You shouldn&#39;t have to put files in directories. The directories should reach out and take them. If a file belongs in six directories, all six should reach out and grab it automatically, simultaneously.</div><br /><div>33. A file should be allowed to have no name, one name or many names. Many files should be allowed to share one name. A file should be allowed to be in no directory, one directory, or many directories. Many files should be allowed to share one directory. Of these eight possibilities, only three are legal and the other five are banned — for no good reason.</div><br /><div>53. Your car, your school, your company and yourself are all one-track vehicles moving forward through time, and they will each leave a stream-shaped cyberbody (like an aircraft&#39;s contrail) behind them as they go. These vapor-trails of crystallized experience will represent our first concrete answer to a hard question: what is a company, a university, any sort of ongoing organization or institution, if its staff and customers and owners can all change, its buildings be bulldozed, its site relocated — what&#39;s left? What is it? 
The answer: a lifestream in cyberspace.&quot;</div><br /><br /><div>**</div><div style="color: #00bf00; ">Conclusion(gp):</div><br /><div>The Saltzer and Schroeder principles of Open Design and Economy of Mechanism hold up well in the face of modern computing realities, and to a certain extent Fail Safe Defaults does as well; however, if we information security people are to be effective, we need to re-think the other principles.</div><br /><div>**</div><br /><div>Last word:&#0160;<span style="color: #0060bf; ">Gelernter:</span></div><div>We&#39;ll know the system is working when a butterfly wanders into the in-box and (a few wingbeats later) flutters out — and in that brief interval the system has transcribed the creature&#39;s appearance and analyzed its way of moving, and the real butterfly leaves a shadow-butterfly behind. Some time soon afterward you&#39;ll be examining some tedious electronic document and a cyber-butterfly will appear at the bottom left corner of your screen (maybe a Hamearis lucina) and pause there, briefly hiding the text (and showing its neatly-folded rusty-chocolate wings like Victorian paisley, with orange eyespots) — and moments later will have crossed the screen and be gone.</div>]]></content:encoded>
      <pubDate>Wed, 25 Jun 2008 13:29:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/protection mechanisms">protection mechanisms</category>
      <category domain="http://securityratty.com/tag/protection mechanisms correctly">protection mechanisms correctly</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/implements protection mechanisms">implements protection mechanisms</category>
      <category domain="http://securityratty.com/tag/information travels">information travels</category>
      <category domain="http://securityratty.com/tag/information security people">information security people</category>
      <category domain="http://securityratty.com/tag/protection">protection</category>
      <category domain="http://securityratty.com/tag/potential information path">potential information path</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html">Mashup of the Titans</source>
    </item>
    <item>
      <title><![CDATA[NHTI loses thumb drive that may have contained student information]]></title>
      <link>http://securityratty.com/article/472742115c3208716a34d4a38a0986b1</link>
      <guid>http://securityratty.com/article/472742115c3208716a34d4a38a0986b1</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/30/08

Organization
NHTI, Concord's Community College

Contractor/Consultant/Branch
None

Victims
Nursing program graduates from the classes of 2006...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/NHTI.jpg" width="159" align="right" height="62"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.nhti.edu/">NHTI, Concord's Community College</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Nursing program graduates from the classes of 2006 and 2007<br><br><span style="font-weight: bold;">Number Affected:</span><br>128<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, social security numbers, addresses, phone numbers, and email addresses"<br><br><span style="font-weight: bold;">Breach Description:</span><br>NHTI has notified the New Hampshire State Attorney General of a lost flash drive that may have contained sensitive personal information belonging to nursing program 2006 and 2007 graduates.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/NHTI.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We are writing to notify you that NHTI, Concord's Community College recently learned of a data security incident involving personal information of individuals who have graduated from the College.<br><br>On April 23, 2008, it was discovered that a data storage device, or flash drive, was missing.<br><span style="font-style: italic;">[Evan] Are unsecured flash drives allowed for use with NHTI information resources?&nbsp; There is no mention in the breach notification.</span><br><br>The flash drive may have contained the names, social security numbers, addresses, phone numbers, and email addresses of our nursing 
program graduates from the classes of 2006 and 2007.<br><br>Our Campus Safety Department conducted a thorough investigation to locate the flash drive.<br><br>The investigation concluded that we cannot determine whether a security breach has occurred.<br><span style="font-style: italic;">[Evan] What is the school's definition of a security breach?&nbsp; Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive?&nbsp; If not a breach, then poor information management at the least.</span><br><br>The potential security breach involved personal identification information of 128 former students.<br><br>While we do not believe the flash drive was taken for purposes of identity theft, we have recommended that the affected individuals take steps to protect themselves from the possible misuse of personal information.<br><span style="font-style: italic;">[Evan] Really, at the end of the day I don't think it matters how many steps people take to protect themselves if the custodians of confidential information do not take proper care of the information entrusted to them.&nbsp; Everyone needs to play their role.&nbsp; Owner, custodians and users.</span><br><br>There is no indication that the disappearance of the device, a USB flash drive, was motivated by identity theft.<br><br>We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.<br><span style="font-style: italic;">[Evan] "Low" is subjective and hard to measure.&nbsp; This reminds me of some informal research we conducted a while back.&nbsp; We were curious.&nbsp; We found a left-over box of unused flash drives that a marketing department had been giving away (s.w.a.g.) 
at a trade show.&nbsp; We wanted to find out #1, how many people pick-up a flash drive if they find one lying around, and #2, how many people plug them in and peruse the contents/use them.&nbsp; We had 40 flash drives.&nbsp; 29% of people picked them up (meaning it took 137 people walking by to nab 40 flash drives).&nbsp; We tried to vary the locations of the flash drives both out in the open and semi-private.&nbsp; Of the 40 people that picked up the flash drives, all 40 used them.&nbsp; I suppose that this particular flash drive could have ended up in the garbage or destroyed somehow, but if someone found it, I think chances are pretty good that someone will find the information.&nbsp; The difficult part is trying to determine what someone will do with the information once they have it, I suppose.</span><br><br>However, out of an abundance of caution, we are informing everyone who may be affected by this incident so that they may properly evaluate what actions -if any -they wish to take in this matter.<br><span style="font-style: italic;">[Evan] The "abundance of caution" phrase is quickly becoming my pet peeve.&nbsp; An abundance of caution would have gone a long way towards preventing the breach.&nbsp; Storing confidential information on an insecure flash drive certainly does not demonstrate an abundance of caution.</span><br><br>We have obtained the services of a credit monitoring organization to provide free credit monitoring for one year to the affected individuals.<br><br>NHTI takes the protection of confidential information very seriously.<br><br>We sincerely regret that this incident occurred and are taking steps to prevent this type of breach from occurring again.<br><br>The College has instituted safeguards to prevent such incidents in the future.<br><span style="font-style: italic;">[Evan] Like?</span><br><br>If you have any questions or concerns, please contact NHTI's Director of Communications, Alan Blake, at (603) 271-8904. 
<br><br><span style="font-weight: bold;">Commentary:</span><br>Most of my commentary is included above.&nbsp; Flash drives are very convenient, but sometimes the thought of them sends a slight shiver down my spine.&nbsp; If their use cannot be properly controlled, their use can be disastrous.&nbsp; So, if you can't control their use, then prohibit their use.&nbsp; I know of quite a few companies that have banned flash drives and disabled USB and FireWire ports.<br><br>I was a little tardy in finding this breach.&nbsp; I thought it was still good information for readers though. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 24 Jun 2008 13:21:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/flash">flash</category>
      <category domain="http://securityratty.com/tag/lost flash drive">lost flash drive</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/usb flash drive">usb flash drive</category>
      <category domain="http://securityratty.com/tag/usb">usb</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/flash drive">flash drive</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <source url="http://breachblog.com/2008/06/24/nhti.aspx">NHTI loses thumb drive that may have contained student information</source>
    </item>
    <item>
      <title><![CDATA[Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08]]></title>
      <link>http://securityratty.com/article/807b1e3ccc47c175a72b57ee98773462</link>
      <guid>http://securityratty.com/article/807b1e3ccc47c175a72b57ee98773462</guid>
      <description><![CDATA[Technorati Tag: Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tbblogo.jpg" width="192" align="right" height="96"><font size="2"><font size="3"><span style="font-weight: bold;">The Breach Blog</span></font><br><br>Just <span style="font-weight: bold;">SOME </span>of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)<br><br><font style="font-weight: bold;" size="3"><a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html">Citibank Hack Blamed for Alleged ATM Crime Spree</a></font><br>By Kevin Poulsen, Wired.com, 6/18/08<br><br></font><div style="margin-left: 40px;"><font size="2">A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors. </font><br><br><font size="2">The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say. </font><br></div><font size="2"><br><font style="font-weight: bold;" size="3"><a href="http://www.networkworld.com/news/2008/061808-security-firm-finds-server-with.html">Security firm finds server with health-care data</a></font><br>By Jeremy Kirk, NetworkWorld, 6/18/08<br><br></font><div style="margin-left: 40px;"><font size="2">Security researchers with <a href="http://www.finjan.com/">Finjan Software</a> are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to health-care records and airline systems data. </font><br><br><font size="2">The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. 
The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms. </font><br></div><font size="2"><br><font size="3"><a style="font-weight: bold;" href="http://www.wsbt.com/news/local/20465589.html">Bank scam spreads as institutions look for possible source of breach</a></font><br>By Leanne Tokars, WSBT Channel 22 News, 6/18/08<br><br></font><div style="margin-left: 40px;"><font size="2">SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.</font><br><br><font size="2">Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.</font><br><br><font style="font-style: italic;" size="2">[Evan] This story is related to the "<a href="http://breachblog.com/2008/06/05/1stsource.aspx">1st Source Bank reissues all debit cards in response to breach</a>" posting on 5/30/08.&nbsp; Another supporting story;<a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyId=17&amp;articleId=9101158&amp;intsrc=hm_topic"> Fraudulent ATM transactions overseas could be tied to Indiana bank breach</a></font><span style="font-style: italic;">&nbsp; This is a winding storyline.</span><br></div><font size="2"><br><font size="3"><a style="font-weight: bold;" href="http://www.topnews.in/parents-livid-over-database-putting-student-profiles-pictures-online-247747">Parents livid over database putting student profiles, pictures online</a></font><br>By Mohit Joshi, Top News, 6/16/08<br><br></font><div style="margin-left: 40px;"><font size="2">Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.</font><br><br><font size="2">OneSchool, will provide each and every detail of the state's 480,000 
public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.</font><br><br><font style="font-style: italic;" size="2">[Evan] I think I’d be livid too.&nbsp; Are parents given the opportunity to opt out, without penalty or lost opportunities?</font><span style="font-style: italic;">&nbsp; "According to Education Minister Rod Welford, if the parents refuse to
give their consent to their child being profiled, they could also be
denied access to public education."</span></div><font size="2"><br><font size="3"><a style="font-weight: bold;" href="http://news.bbc.co.uk/2/hi/uk_news/politics/7459579.stm">Blears PC loss - officials blamed </a></font><br>BBC News, 6/17/08<br><br></font><div style="margin-left: 40px;"><font size="2">Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged. </font><br><br><font size="2">The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data. </font><br><br><font size="2">Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.</font><br><br><font size="2">The computer contained a combination of constituency and government information relating to defence and extremism.</font><br><br><font style="font-style: italic;" size="2">[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations.&nbsp; Mr. Housden claims that the files were "not secret".&nbsp; They certainly weren’t public, were they?</font><br></div><font size="2"><br><font style="font-weight: bold;" size="3"><a href="http://www.dailymail.co.uk/news/article-1027457/Personal-details-20-000-patients-stolen-hospital-new-security-blunder.html">Personal details of thousands of patients stolen from hospital in new security blunder</a></font><br>By James Tozer, The Daily Mail, 6/18/08<br><br></font><div style="margin-left: 40px;"><font size="2">Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday. </font><br><br><font size="2">In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines. 
</font><br><br><font size="2">It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London. </font><br><br><font style="font-style: italic;" size="2">[Evan]&nbsp; This is six stolen laptops in one month, and the four breaches in one year?!&nbsp; The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth".&nbsp; Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."</font><br></div><font size="2"><br><br><b>To Readers:</b>&nbsp; I am testing this weekly "Other noteworthy breaches" post.&nbsp; I am using this first one to gauge interest and decide if it is something we should continue.&nbsp; Please feel free to comment.<br></font><br><br>
]]></content:encoded>
      <pubDate>Mon, 23 Jun 2008 04:11:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/major security breach">major security breach</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/airline systems data">airline systems data</category>
      <category domain="http://securityratty.com/tag/breaches">breaches</category>
      <category domain="http://securityratty.com/tag/noteworthy breaches">noteworthy breaches</category>
      <category domain="http://securityratty.com/tag/indiana bank breach">indiana bank breach</category>
      <category domain="http://securityratty.com/tag/sensitive data">sensitive data</category>
      <source url="http://breachblog.com/2008/06/23/062308.aspx">Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08</source>
    </item>
    <item>
      <title><![CDATA[Teen faces 38 years in jail for grade-tampering hack]]></title>
      <link>http://securityratty.com/article/ed7fec5722d85b587a0b71b5c59d3803</link>
      <guid>http://securityratty.com/article/ed7fec5722d85b587a0b71b5c59d3803</guid>
      <description><![CDATA[A California teen could get 38 years in jail if he's convicted on charges of breaking into his school's computers to alter grades. A second teen faces related charges in the...]]></description>
      <content:encoded><![CDATA[A California teen could get 38 years in jail if he's convicted on charges of breaking into his school's computers to alter grades. A second teen faces related charges in the case.
]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/jail">jail</category>
      <category domain="http://securityratty.com/tag/alter grades">alter grades</category>
      <category domain="http://securityratty.com/tag/charges">charges</category>
      <category domain="http://securityratty.com/tag/california">california</category>
      <category domain="http://securityratty.com/tag/school">school</category>
      <category domain="http://securityratty.com/tag/computers">computers</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/315673067/article.do">Teen faces 38 years in jail for grade-tampering hack</source>
    </item>
    <item>
      <title><![CDATA[Teens charged with loading spyware, changing grades]]></title>
      <link>http://securityratty.com/article/28765ba7cc8a839c8de55aea9584a015</link>
      <guid>http://securityratty.com/article/28765ba7cc8a839c8de55aea9584a015</guid>
      <description><![CDATA[Two Orange County, California, teenagers have been charged with breaking into high school offices and using stolen usernames and passwords to change lackluster grades to...]]></description>
      <content:encoded><![CDATA[Two Orange County, California, teenagers have been charged with breaking into high school offices and using stolen usernames and passwords to change lackluster grades to A's.]]></content:encoded>
      <pubDate>Tue, 17 Jun 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/change lackluster grades">change lackluster grades</category>
      <category domain="http://securityratty.com/tag/school offices">school offices</category>
      <category domain="http://securityratty.com/tag/orange county">orange county</category>
      <category domain="http://securityratty.com/tag/passwords">passwords</category>
      <category domain="http://securityratty.com/tag/california">california</category>
      <category domain="http://securityratty.com/tag/usernames">usernames</category>
      <category domain="http://securityratty.com/tag/teenagers">teenagers</category>
      <source url="http://www.networkworld.com/news/2008/061808-teens-charged-with-loading-spyware.html?fsrc=rss-security">Teens charged with loading spyware, changing grades</source>
    </item>
  </channel>
</rss>
