[SecurityRatty] tag: suburban

Wee-Fi: Detroit Update, Home Network-Fi, Piggyback-Fi, PHL Free-Fi

Mon, 16 Jun 2008 07:21:48 +0000

The Detroit Free Press rounds up free and fee Wi-Fi efforts around it: The city and its suburban and exurban surroundings could use more broadband, but Wi-Fi has arrived only slowly as an option. It hasn't disappeared outright, and it's made inroads in some places. The project to unwire Oakland County is on hold as even though the county and cities secured pole rights for a firm to build service, that firm is still searching for capital. A county-wide network might be a better model, but the density is always the issue: mounting locations and assets coupled with homes passed and their median income.

GigaOm's Michael Wolf rounds up what other forms of networks are needed in a home beyond Wi-Fi: Ethernet, HomePlug, MoCA, HomePNA, Wireless HD, personal networks (Bluetooth), and automation controls. (My home is a very stupid home, thank you very much.)

He who steals my Wi-Fi steals hash: Mike Rogoway at the (Portland) Oregonian poses the question as to whether using a neighbor's unsecured Wi-Fi is borrowing, stealing, or nothing at all. I pipe in noting that more people are securing their networks. In my current office, where I've been three years, I spotted over a dozen networks when I arrived, most unsecured. Today, all the networks are secured (only some are small business networks), and many of the names have changed. The reasons? Better security wizards, widespread use of WPA, improved Wi-Fi network setup in Windows Vista and XP SP2, start of use of WPS, and general fear of security issues. Rogoway also runs through what the options for connectivity in Portland are as MetroFi is about to hit its network shutdown date.

Philadelphia's mixed free airport Wi-Fi: I somehow missed this story months ago, but PHL (Philadelphia's airport) is offering free Wi-Fi on the weekends to every one, and free Wi-Fi on the weekdays to college students. Students go to an information counter, show their valid student ID, and get an access code. This is a very neat idea. The airport is otherwise $8 for 24 hours or $40 per month, although it's part of much cheaper roaming plans from Boingo Wireless and iPass.

Yahoo! Boosts Search Security with McAfee Partnership

Wed, 07 May 2008 06:21:16 +0000

Just as Microsoft is walking away from a deal with Yahoo!, the search engine is announcing plans to make its services more secure by using McAfee technology. Red warning messages may soon start showing up next to questionable or dangerous site links in a yahoo search. Apparently, Google started this over a year ago in February 2007.

Another interesting factoid from the original article:

Citing a March 2008 survey conducted by marketing research services provider Decipher, Yahoo and McAfee claim that 65% of Americans online are more worried about clicking unsecured search listings than the threat of neighborhood crime, getting one’s wallet stolen, or e-mail scams. Unfortunately, Decipher hasn’t posted this survey online, making it harder to divine why so many people supposedly prefer being pistol-whipped and robbed to a malware infection.

Being as I live in Oakland, California, an area known for serious crime, I think those results are pretty funny. I don’t worry so much about malware (maybe it’s just cuz I have a Mac), but I do worry about getting mugged–though I never have. But maybe the people surveyed were from safe, suburban and rural towns, living in cozy sprawling homes where they keep their front doors unlocked.

Maybe now when they tuck their kids in at night, they’ll feel a bit safer when they go downstairs and look stuff up online.

Parents who say "No" to guns, but also "No" to metal detectors?

Mon, 21 Apr 2008 09:53:00 +0000

If there ever was a case of "having your cake and eating it", this must surely be it.

Daniel De Vise, a reporter for the Washington Post wrote an article that recently caught my attention. The title read: "Suburban Schools Reject Metal Detectors". The word "Why" kept ringing in my ears as I read the story. Apparently, many parents feel that metal detectors in schools make the schools seem like camps or prisons. Surprisingly, consensus is building against the machines even at Albert Einstein High School in Kensington, where last week, three loaded guns were found in a locker.

As if this was not bad enough, the article claims that many school officials view metal detectors as costly, impractical and fallible. Costly? Compared to what? If a metal detector saves even one life (and from what we have been witnessing at school shootings, single shootings are the exception while multiple killings are the "norm"), has that machine not paid for itself for the rest of time?

Another complaint amongst teachers appear to be the fact that the detectors will slow down access and leave children a few minutes late for class. I have not conducted a poll amongst parents but I am 100% sure I know what the result would be if I polled parents on which was most important: their child being five minutes late for class because they had to walk through a metal detector to keep them safe or getting to class in time but possibly becoming the victim of a deranged classroom killer who was able to bring a weapon into school because there was nothing to stop him.

I recently returned from a Threat Assessment workshop at UCLA hosted by Gavin De Becker and Associates. We studied school killings in greater detail. The one thing that was repeated throughout the course was the fact that many people are in denial. They want to believe that it couldn't happen to them or at their school. The sad fact is, it can happen anywhere that does not have adequate security. We live in more violent times and there does not seem to be any sign of things getting better any time soon. Sticking our heads in the sand and hoping the "Bogeyman" goes away is not the answer. We have got to act responsibly and demand that schools take every measure they can to keep our children safe.

Students breach Williamsville Central School District security

Tue, 15 Apr 2008 11:12:32 +0000

Technorati Tag: Security Breach

Date Reported:
4/12/08

Organization:
Williamsville Central School District*

*"the largest suburban school district in Western New York, Williamsville Central encompasses 40 square miles including portions of the towns of Amherst, Clarence and Cheektowaga."

Contractor/Consultant/Branch:
Williamsville North High School

Victims:
Employees

Number Affected:
1,800

Types of Data:
"personal information and Social Security numbers"

Breach Description:
"Several current and former Williamsville North High School students are believed to have broken into the school district’s computer system last month and copied secure files that included the personal information and Social Security numbers of school employees"

Reference URL:
The Buffalo News
WCAX-TV News

Report Credit:
The Buffalo News and the Associated Press (AP)

Response:
From the online sources cited above:

WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district’s computer system in western New York last month and copied secure files that included the personal information of employees.

This computer breach marks the third time in the past month that students have gained unauthorized access to sensitive information in area school districts.
[Evan] What did the school district do after the first two in an attempt to prevent a third?

"From talking with staff and from talking with students involved, we know these students gained access to personal information regarding employees of the school district," Amherst Police Chief John Askey said.

The students, Askey said, overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.
[Evan] I can only imagine what the "security defenses" entailed. A student (or "hacker") can do a lot of damage if they are granted physical access to a computer. Obviously the students need to access classroom computers. Having said this, doesn't it then become critical that they be closely supervised.

"They actively attacked the system " subverted those security procedures and precautions," he said.

He added that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records.

The extent of the security breach remains unknown because police are required to have computer evidence extracted by the Western New York Regional Computer Forensics Laboratory, Askey said, which might take several weeks.

This prompted Superintendent Howard S. Smith to send a letter this week to the district’s 1,800 employees, asking them to notify Amherst police if they uncover any suspicious credit card or banking activity.

So far, however, police and school officials say they have no evidence that any of the accessed data has been distributed or used to commit crimes.

Employees or students who suspect their private information might have been used improperly should call the police at 689-1311.

District computer technicians noticed some unusual activity during routine monitoring of its network on March 26, Smith said.

"Immediately upon getting the information, we began our investigation and involved the police," he said, "and they have been working with us ever since."

Two school computers, four personal student computers and one portable flash drive have been confiscated as part of the investigation, Askey said.

At least three individuals are suspected in the breach, he said, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system.
[Evan] I remember the day when being "interested in how far" we "could get into the system" was commonplace. We were curious and we wanted a challenge, but things are much different today.

Smith said the district has begun disciplinary action against one student and expects to take further action as the police wind up their investigation. He added that the district also has taken steps to improve security.
[Evan] We don't have all the facts, but assuming that the information security practices at the school are less than adequate, how about some disciplinary action against the people that did not secure the information in the first place?

"There are several charges, mostly misdemeanors, that could result," Askey said.
[Evan] This is in reference to the students. Should charges be considered for those who collected the personal information and likely did not secure it properly? I think that the finger could be pointed in either direction.

Commentary:
Kids are kids. On one hand, I think it's important for them to push the boundaries, explore and challenge themselves. On the other hand, their actions in this case led to potential victims. These students should be punished, but I think that the school could come up with some creative solutions (after they secure personal information better). If students are interesting in "hacking", why not teach it. Teach it in a way that clearly communicates the law, but at the same time challenges students to explore and learn. Maybe we can make good information security professionals out of them. My blog, my $.02

Whatever the school district has been doing isn't working. Otherwise, this wouldn't be the third occurrence in the past month.

Past Breaches:
Unknown