[SecurityRatty] tag: unsure

The Importance of Advance Planning in Executive Protection

Sun, 12 Oct 2008 16:10:00 +0000

I was delighted to see the Herald Standard quoting an executive/close protection agent regarding the importance of Advance work.

Sy Alli is an E.P./C.P. team leader for "Limited Brands Inc.," and was speaking at the California University of Pennsylvania's 2nd annual conference on Corporate and Homeland Security.

Mr. Alli was describing a previous trip to Indonesia where he was in charge of the advance to make sure everything was in place before the Principal arrived out with the other protective agents. Very accurately, he described the need to cover every minute detail from the routes of travel to the alternative routes and to include such important features as local hospitals should medical treatment be needed.

Another important point highlighted was the need for agents to have access to contacts in different countries who could assist with logistics, general and specialized support on the ground, current political situations, etc.

Far too often I am approached by security persons (and not even all are qualified/trained in executive or close protection)who find out that we may have overseas work and want to be included. On some occassions, those requesting to be included on the detail did not even have a current passport!

If you are serious about making a career out of this line of work, you owe it to yourself to do your homework. Over the years I have developed hundreds of contacts all over the world who will respond immediately and who can be trusted to support us in any number of situations and scenarios.

This took a lot of preparing and involved constant contact. It is not something that you throw together a day before your client is scheduled to arrive in a country. If you have people in different parts of the country, or world if you wish to work globally, who can assist when you are in need, you will be able to facilitate your client in a way that will not only gain his/her admiration, but will undoubtedly cement your position in that client's security detail.

In these unsure times, there is a lot to be said for knowing your job is safe for the foreseeable future.

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

How personal information wound up at the side of the road is a mystery

Thu, 10 Jul 2008 06:50:31 +0000

Technorati Tag: Security Breach

Date Reported:
7/10/08

Organization:
Liberty Furniture*

*"a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County", Mississippi. According to the report, Liberty Furniture may have gone out of business more than 20 years ago.

Contractor/Consultant/Branch:
Unknown

Victims:
Former employees

Number Affected:
"hundreds, maybe even thousands of people"

Types of Data:
Personal information including W-2 forms and tax forms containing names, addresses, and Social Security numbers

Breach Description:
"Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road."

Reference URL:
Eyewitness News Everywhere

Report Credit:
Kevin Holmes, Eyewitness News Everywhere

Response:
From the online source cited above:

Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road.
[Evan] For those readers who may be unsure where this "Mid-South" is located, in this case it is Mississippi.

We even found W-2 forms, tax forms with people's names, addresses and social security numbers.

Investigators in Tate County are trying to figure out how the papers got there.

Larry Davis made the discovery.

He says he was driving into town when he came across thousands of forms.

"That's just uncalled for...you are entrusting these people with a lot of information that could ruin you very quickly, but yet they treat it like it's trash," said Davis.
[Evan] I think most people share Mr. Davis' feelings. It is puzzling. What was the person who dumped the information on the side of the road thinking, supposing the the person was thinking and supposing the information was dumped and not lost (i.e. fell off a truck).

Financial records, shipping order forms, and W-2's of former employees

"Stupidity on the person that threw it out on the road. The people who disposed of these, there should be some legal action against them, but to me that's mismanagement," said Davis.
[Evan] Again, I think many people share the same feelings as Mr. Davis.

Many of the records are from Liberty Furniture, a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County

"There all from North Carolina, how did they get here? This is Mississippi. We got some strong wind, but they ain't that strong," says Davis.

Even Cromcraft employees were shocked when we brought this to their attention.

Most of the W-2's are from the late 1970's and early 80's.
[Evan] Wow! These W-2's are 20-30+ years old?!

we're told Liberty Furniture went out of business more than twenty years ago.

Larry Davis' daughter Susan Herron said, "This could be someone's grandparents on fixed income, now their social security number is floating around somewhere and it's awful, people need to be more careful."

Eyewitness News Everywhere caught up with one of the former employees whose personal information was exposed.

"My initial feeling was a very sinking, horrified, scared, feeling....You feel vulnerable and hope your social security number hasn't fallen into the wrong hands. So I have to be diligent in checking my credit report," said the employee.
[Evan] It is interesting to read how a person feels when they learn that their personal information has been compromised. I feel bad for these people. This employee doesn't need to feel "horrified and scared", but he/she does nonetheless, and it's all due to negligence. This is just one reason why information security is so personal to me.

Other former Liberty Furniture employees tell Eyewitness News Everywhere they will be doing the same thing - checking their credit report.

Eyewitness News Everywhere will keep those forms in a secure place until we hand them over to the proper authorities.

Commentary:
There is a lot of mystery surrounding this breach. How did the information get there? Why was the information still kept? Who was in possession of the information before it was found on the side of the road? Why wasn't the information already destroyed if the company who was responsible for it is no longer in business?

Past Breaches:
Unknown

Slow removal of child sexual abuse image websites

Wed, 11 Jun 2008 10:02:32 +0000

On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, excepting illegal pharmacies hosted on fast-flux networks; and we’re unsure if anyone is seriously trying to remove them at all!

It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially inaccurately reported so as to imply the installation of blocking systems for other people’s websites; which is unlikely to be especially effective, and may even provide an “oracle” by which the people who seek illegal material can locate new websites to visit.

Our new paper, “The Impact of Incentives on Notice and Take-Down”, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.

We believe that the reason that the child abuse image websites are removed so slowly is that the Internet Watch Foundation (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the UK police, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.

The IWF are a member of INHOPE, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that NCMEC the hotline operator there will only pass on notices to their members — and that means that American ISPs do not get a timely notice.

We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be “treading on other people’s toes” if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”. Indeed, this echoed in a letter to The Guardian today by John Carr who says “The IWF cannot issue a notice to a Polish or Irish internet service provider”.

We don’t think there is some magical international permission given to the people who try to take down any of the other types of content we studied — from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!

Besides this issue, we have a number of other interesting results in the paper (so do read it!) For example we looked at “mule recruitment websites” — with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they’re handling payments for legitimate companies. These sites are only taken down by volunteer (amateur) efforts — since they don’t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) — far longer than the phishing websites — which is not good news for gullible consumers.

Learn how to see whos knocking on your door.

Sun, 01 Jun 2008 11:32:17 +0000

You can learn alot about staying safe online by using this program that comes with your puter.
Check out the article on how to use it and give it a try.

clipped from www.makeuseof.com

Free Port Analyzers - Defeat Spyware And Botware

How to use Netstat:

You should close all open programs before you begin the following process, if you are unsure which ports/connections are normally open while you are connected to the internet. On the other hand, if you are familiar with the ports/connections that are normally open, there is no need to close programs.

"Crawling" Toward SDL

Thu, 06 Mar 2008 19:13:00 +0000

Hey everyone, Jeremy Dallman here.

One of the phrases I often hear during vision and strategy planning meetings at Microsoft is "What is the crawl, walk, run?" We use this phrase to differentiate the initial activities that will get us quickly moving toward our larger goals and then supplement them with other activities that may require longer preparation or planning. As I help non-Microsoft companies implement SDL into their development lifecycles, this "crawl" phase toward full adoption of SDL is very important. Usually some person in an organization picks up on the principles of SDL and is ready to roll them out immediately. However, that person usually is faced with competing interests that complicate full adoption: the team is mid-stream in development, short on budget, or management wants to see clear evidence before investing in the changes to support full SDL adoption.

Since we usually focus on how to roll out the full Lifecycle, I want to take a shot at defining what it means to start “crawling” toward SDL. One very important note before I start. What I describe below is not Microsoft’s SDL process. It matches some of the tools and principles, but does not encompass the holistic application security solution provided by SDL.

In my mind, to start crawling toward SDL, you need to execute on some of the core principles. They obviously need to be low-cost and effective. So, I want to summarize these into three components.

1. Detailed awareness of your architecture and its attack surface.

2. Tools that will perform security analysis on your application.

3. Results that show how the analysis resulted in improved security.

The good news is that you can attain these components with tools that are already available. The one consistent minimum requirement is that your code compiles/builds within Visual Studio 2005 SP1. The SP1 piece of this is important because some of the important defenses I discuss below were first made available in that version. Let’s look at some of the tools you can use to get “crawling” toward SDL today:

Detailed awareness of your architecture and its attack surface

Threat Modeling

Even if you are past the design phase, assign someone to do a retrospective model (perhaps as part of a pre-release review). This will likely give you a better understanding of your overall architecture and uncover holes in places you may have inadvertently overlooked.

Tools that will perform security analysis on your application

This is probably one of the most often discussed topics around SDL, so I’ll spend some time providing more detail. Let’s break this down into how it impacts differing parts of your team or organization: developers, testers, and operation.

Developers

You should start by strengthening your compiler defenses. Depending on whether you are writing native or managed code, these will differ.

For C and C++ code:

Strengthen your compiler defenses

· Use the latest compiler and linker because important defenses are added by the tools

· If using Visual C++, use Visual Studio 2005 SP1 or later

· Compile with appropriate compiler flags

· Compile clean at the highest possible warning level

· Compile with –GS to detect stack-based buffer overruns

· Link with appropriate linker flags: /NXCompat to get NX defenses, /DynamicBase to get ASLR, and /SafeSEH to get exception handler protections

Do not use banned APIs in new code

· Use #include “banned.h” header file to find banned C/C++ functions in your code quickly. This header file is included in the companion disk in the Security Development Lifecycle book.

· Compile regularly with /W4 and fix all C4996 (banned C Runtime function) warnings

For all Languages:

Strengthen your compiler defenses

· Use the latest compiler, linker and libraries because defenses are added by the tools and code

o If using C#, use C# v2.0 or later and if using VB.Net use 8.0 or later

· Use .NET Framework 2.0 or later

· Do not use weak crypto in new code

o Use only AES, RSA and SHA-256 (or better)

· Prevent XSS vulnerabilities by using filtering and escaping libraries around all Web output

· Secure your SQL script by only using prepared SQL statements - no string concatenation or string replacement

Run these tools habitually

· PREfast (in Visual Studio 2005, use the /analyze compiler option) – a static analysis tool that identifies defects in C/C++ programs and enables you to perform quick desktop error detection on small code bases

· FxCop – an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies

· Application Verifier (AppVerif) – detect and help debug memory corruptions, critical security vulnerabilities, and limited user account privilege issues.

Testers

James Whittaker has covered testing in the SDL on this blog in the past. In a “crawl” scenario, you need to keep it simple while maximizing the value of output. I would recommend focusing on fuzz testing. This is likely something you will need to invest some time creating. Scott Lambert’s article on Fuzz Testing at Microsoft and the Triage Process provides some good guidance on how to think through what type(s) of fuzzing to exercise against your application.

If you choose to expand beyond fuzz testing, I would point you back to James’ article on the broader topic of Testing in SDL. You may come to the conclusion that expanded security testing may come later in your “walk” or “run” phases, but I would take some time to think through testing even while “crawling” to ensure you are getting broad enough coverage for your application. James’ article highlights the three-pronged approach to security testing we use at Microsoft. You should use these three approaches to ensure your own fuzz testing is comprehensive.

1. Attacks against the application’s environment.

2. Direct attacks against the application itself.

3. Indirect attacks against the application’s functionality.

Results that show how the analysis resulted in improved security

Response planning

Protecting your customers is the entire reason for focusing energy on application security. If there are holes in your code that you don’t uncover, someone else will. It is absolutely critical that you are prepared to respond rapidly and protect your customers. It is equally important that you construct your response plan to serve as a front-line barometer for detecting the resilience of your security design and what pieces of your applications security should be proactively bolstered to address externally reported vulnerabilities. The knowledge you harvest from these security incidents (typically through root cause analysis) is the primary way to improve your code and security tooling for the future. Do everything you can to learn lessons from the vulnerabilities others find. If you don’t have a response plan in place, you need to get one in place as soon as possible. If you don’t know where to start, take a look at how our own Microsoft Security Response Center does it and fit to your scale or pick up the Security Development Lifecycle book and dig into the four-step process outlined.

The four steps of the emergency response process:

1. Watch

2. Alert and Mobilize

3. Assess and Stabilize

4. Resolve

Bugs, Bugs, Bugs

Gathering evidence that clearly shows your work has improved the security of your application is always a challenge. Trying to keep it lightweight adds to that challenge. The most effective way to create traceable and practical evidence without a lot of overhead is detailed management of security issues in your bug database. The key here is that your bug database is configurable and able to be queried in a variety of ways to pull out this data. From the time you set out to implement this plan, be strict in tracking every discovery from threat modeling, the mitigations to those threats, and every bug you expose in tool analysis. This library of security bugs will give you an easy way to go back and gather evidence that shows the quantity of issues you discovered, the mitigations you used, and the impact the changes had on your application.

I have provided a fairly detailed view of these components. As I indicated, many of these defenses are available for you in Visual Studio 2005 SP1 or various linked resources above. If you are unsure whether you are taking advantage of all available defenses in your development tools, take the time to check.

It is my hope that some of you can use this scaled back entry into the principles of SDL to get moving toward improved security assurance. In the non-Microsoft SDL engagements I have been involved in, we have seen these steps effectively establish a baseline architectural understanding of your application security and identify critical weaknesses while providing solid evidence to support the decision to “run” forward into full SDL adoption.

[I want to thank Michael Howard for providing some of the key data for the Developer pieces in this article.]

Stolen Salt Lake Community College laptop

Thu, 28 Feb 2008 12:12:17 +0000

Technorati Tag: Security Breach

Date Reported:
2/26/08

Organization:
Salt Lake Community College ("SLCC")

Contractor/Consultant/Branch:
None

Victims:
Students, faculty and staff

Number Affected:
unsure, maybe 1,000*

*Although the school claims "we called more than 25,000 people"

Types of Data:
Names, addresses, dates of birth, Social Security numbers and bank account numbers.

Breach Description:
A laptop belonging to the Salt Lake Community College is missing and presumably stolen. The laptop may have contained sensitive authentication information that could in turn be used to access resources containing personal information belonging to students, faculty and staff of the school.

Reference URL:
The Salt Lake Tribune online news story

Report Credit:
Roxana Orellana, The Salt Lake Tribune

Response:
From the online source cited above:

SLCC acknowledged a laptop had been stolen, but spokesman Joy Tlou said the school is still unsure whether the laptop taken from the Continuing Community Education of SLCC's Miller campus in Sandy contained internal log-in information for about 1,000 students, faculty and staff.
[Evan] What is "log-in information"? Is Joy Tlou talking about usernames, passwords, or both? Let's assume that it's both. If so, then this is very poor information security practice. There is NO need for anyone to know personal passwords except for the person that it belongs to. A personal password is confidential information that should not be disclosed to anyone. It proves to the system that you are who you proclaim yourself to be (called authentication). No assurance of password confidentiality = no proof that a person (or entity) is who they proclaim to be.

"We know which computer it was and we are trying to ascertain what information was on that computer," Tlou said.

Within a matter of hours of the computer's disappearance, the school began to contact all subscribers to the SLCC Web site through telephone calls, e-mails and a notice on the site.

"By the end of the next day, we called more than 25,000 people," he said.
[Evan] Due to poor information management the school does not know which 1,000 of the 25,000 people were victims, thus they have to call all 25,000?

With a user name and password, an intruder could gain access to a student's "My Page" account, which contains a Social Security number and financial aid information, among other information, students said.
[Evan] Social Security numbers stored in a database accessible through an intranet page with passwords stored in clear-text on a laptop. Sound like a bum deal? I can only venture to guess what controls and processes surround database access.

Tlou said even if log-in information were on the laptop, it "may or may not have been accessible because of the security measures that were already placed on that machine."
[Evan] Like?

"We have done everything we possibly can to make sure everyone is physically safe and that their information is safe," Tlou said. "I can't stress enough that is our No. 1 priority."
[Evan] No, no, no. Everything possible entails much, much more.

He added that the security concern prompted SLCC to accelerate a planned policy change that will require all college personnel to change passwords every 90 days.
[Evan] Regular password changes (if you use them) offers a limited amount of risk mitigation with regards to what caused this breach. The problem is much bigger.

Victim Response:
"I'm upset that they're not telling me everything that happened," Marty Greenlief, SLCC student

Student Dan Behunin said that although SLCC officials tried to assuage his concerns, he's still worried someone may have access to information on his student account. "That information is crucial," Behunin said. "That could ruin you."

Commentary:
I am glad that I do not have any of my personal information under the custodianship of SLCC. Organizations that collect and store confidential information need to design appropriate controls around the security of such information. Judging from the (very) limited information I have about SLCC's information security practices, they have much room for improvement and much work to do.

By the way, did anyone mention encryption?

Past Breaches:
Unknown

Adware Spyware Remover from Trend Micro systems

Wed, 01 Aug 2007 15:22:00 +0000

Adware Spyware Remover from Trend Micro systems

Computers are composed of two things namely the hardware and the software. Should something infect the software such as a virus or spyware, the person will soon lose sensitive information or at worse have to spend a lot of money to have it repaired.

As more companies and households are using computers for almost everything, people should be vigilant more than ever when it comes to Internet security. This can be done by making sure that there are backup files stored in a safe place as well as setting up certain defense mechanisms from viruses and other threats.

One such system is called an adware spyware remover and those who only want the best should get it from Symantec.

Symantec is one of the leading service providers of products of business solutions to small, medium and large enterprises. The customer can choose a program to handle a specific or multiple threats such as viruses, Trojan, spyware and worms.

What makes spyware so dangerous is that it records certain information from a user, which can be read by the programmer later on. This individual can then use the credit card to make unauthorized purchases or steal money from the account.

Symantec’s adware spyware remover system is designed to look for existing bugs in the system and then destroy it. The package it offers can be used by those at home or when working in the office.

Since new spyware and adware pop up everyday, customers who choose to purchase the system can be rest assured that the computer is always secure because the company always launches product updates that can be done either manually or automatically

The person can download the adware spyware removal system from the company website. Those who are unsure whether to buy it can try it for 30 days free but pay before the expiration in order to continue the services.

Symantec unlike other programs does not have to be activated in order to do a systems check on the computer. This is because it will automatically do this once the user has logged on.

The only thing the individual will have to do is make sure the program is compatible with the existing operating system as well as check if there is enough memory in the hard drive to download it. Those who are unable to run it should probably do an upgrade.

When the spyware or adware has been removed, the best way to make sure it does not return is by creating a firewall. The person should also be careful when opening email from strangers, accessing certain websites and pop up ads because this is the reason why these things end up in the computer.

Symantec continues to be one of the most trusted names in the computer industry. It has received good reviews from critics and PC magazines for the standard of excellence it has provided in all of its products.

As software companies try to make the computers people use safe everyday, so too are the hackers and programmers who want to do the same for personal gain. The individual can choose to be with the best or get something else but it is always better to be safe than sorry when it comes to protecting the information stored in the computer.