Saturday, February 10, 2007

This is presumably related to their project to remove Social Security numbers (SSANs) from their systems.

http://www.fox21.com/Global/story.asp?S=6067739&nav=2KPp

Personal data of students, staff may have been exposed on Web site

GREENVILLE, N.C. East Carolina University administrators are notifying students, former students and employees about a programming error that may have exposed personal data on a university Web site.

About 65-thousand people will receive notification letters from the university giving them tips on how to check for identity theft.

Officials say access to personal information in university files was available for a week last month.

The system was shut down within 15 minutes after the problem was reported and has since been corrected.

University officials say they are working to cut down on the use of Social Security numbers for identification.

On the Net: http://www.ecu.edu/incident



Embarrassing, but far less serious than sending all the information to a hacker. (See the Indiana story below.)

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/02/10/npens10.xml

26,000 pensioners' bank details sent to wrong addresses

By Martin Beckford Last Updated: 1:53am GMT 10/02/2007

Thousands of pensioners have been put at risk of identity theft after the Government sent their bank details to the wrong addresses, it was disclosed last night.

As many as 26,000 letters containing pensioners' personal account numbers and National Insurance details have been posted to people who were not the intended recipients.

... However, the Department for Work and Pensions admitted that it was unsure whether computer failure or a human mistake was to blame. [Sounds like something to check BEFORE you announce. Bob]

... She added that DWP staff would be able to pinpoint where each letter went and would contact everyone affected.



This is how a hacker does it...

http://www.fortwayne.com/mld/journalgazette/16667910.htm

Hacker gets state credit card info

Web site breach affects thousands of Hoosiers, businesses

By Niki Kelly The Journal Gazette Posted on Sat, Feb. 10, 2007

INDIANAPOLIS – State technology officials sent letters Friday to 5,600 people and businesses informing them that a hacker obtained thousands of credit card numbers from the state Web site.

Although numbers are usually encrypted or shortened to the last four digits, the Office of Technology conceded a technical error allowed the full credit card numbers to remain on the system and be viewed by the intruder. [“The computer did it,” is a lousy excuse. It suggests that no one looked at the output of the program to ensure it was working! Bob]

“Like thousands of web sites, the state’s web site is constantly under attack from hackers,” the letter said. “To repel these attacks, the state has implemented the highest levels of security and submitted itself to regular independent audits to ensure that data is safeguarded.

Despite these efforts, the state’s web site recently experienced a security breach.”

Chris Cotterill, director of the site, www.IN.gov, said the hacking occurred in early January but wasn’t discovered until Jan. 25. [Bad, but still better than TJX. Bob]

The next week was spent undergoing an outside audit, which revealed the credit card numbers had been compromised. That news came 10 minutes into the Super Bowl on Sunday.

“It was one thing that the hacker got in and another that they were able to access the info because of our technical mistake,” Cotterill said Friday, noting that no disciplinary action has yet been taken.

... The state has already notified the Secret Service and the credit card companies of those cards that were viewed.

... “We had planned for this but didn’t expect it,” [Better than saying “This was unforeseen.” Bob] Cotterill said. “This has caused a top-to-bottom review of all Web activity.”

... The letter was sent from “the IN.gov Team” and did not include the name of the person in charge – something Cotterill said he now regrets.

He said he signed his name to the first draft but was advised by staffers that Hoosiers receiving the letter could use his name to find his phone number and harass his family.
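The Indiana letter says card numbers were supposed to be encrypted or truncated to the last four digits and that a “technical error” left full numbers in the clear. Bob's point is that nobody checked the program's output. The following is an added example, not IN.gov code: the record layout, field names and card values are constructed (industry test numbers, not real accounts). It shows the masking step and, separately, the check a practitioner would run over the rendered output itself: a scan for anything that still looks like a live card number, using the Luhn check digit to avoid flagging ordinary long numbers such as order IDs.

```python
"""Mask card numbers to their last four digits, then verify the output.

Added example (not IN.gov code). Record layout and sample values are
constructed for illustration; the card numbers are published test PANs.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid, card-number-looking token left in `text`.

    This is the output check: run it over the rendered page, export or
    log and fail the job if it returns anything at all.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits


# Constructed sample records (published test card numbers, not real accounts).
RECORDS = [
    {"payer": "A. Hoosier", "pan": "4111 1111 1111 1111", "amount": "42.00"},
    {"payer": "B. Smith", "pan": "5500000000000004", "amount": "17.50"},
    # A 16-digit order number that is not Luhn-valid: must not be flagged.
    {"payer": "C. Jones", "pan": "378282246310005", "amount": "99.99",
     "order": "1234567890123456"},
]


def render(records, masked: bool) -> str:
    """Render a receipt-style export; masked=False mimics the reported bug."""
    lines = []
    for r in records:
        pan = mask_pan(r["pan"]) if masked else r["pan"]
        extra = f" order={r['order']}" if "order" in r else ""
        lines.append(f"{r['payer']}: card={pan} amount={r['amount']}{extra}")
    return "\n".join(lines)


def verify_export(records) -> tuple[int, int]:
    """Return (leaked PANs in the buggy output, leaked PANs in the masked output)."""
    buggy = find_unmasked_pans(render(records, masked=False))
    fixed = find_unmasked_pans(render(records, masked=True))
    return len(buggy), len(fixed)


if __name__ == "__main__":
    print(render(RECORDS, masked=True))
    print("leaks (buggy, masked):", verify_export(RECORDS))
```

The point of keeping `find_unmasked_pans` independent of `mask_pan` is that it tests what actually left the system, not what the masking code was meant to do; the Luhn filter is what lets it run over real exports without drowning in false positives on invoice and order numbers.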



Another evil machine out-thinks management!

http://clubs.ccsu.edu/recorder/news/news_item.asp?NewsID=175

Social Security Numbers Exposed in CCSU Letters

By Melissa Traynor

News Editor February 7, 2007

Over the past week approximately 750 CCSU students have received mail from the Bursar’s office that revealed their social security numbers in the name and address window of the envelopes. The letters were folded incorrectly by a malfunctioning machine in the office. [And no one looked to see if it was operating correctly? These things can be adjusted, you know. Bob]

The letters mailed were IRS 1098T forms, which are student tuition statements that were meant to be mailed out by January 31. Last Monday, during the preparation of the first batch of 2,300 letters which were being folded by the machine, all were folded incorrectly, but the office was able to catch about 1550 letters and correct them before they were mailed out.



Are we talking 40,000,000 cards?

http://new.channel5belize.com/archive_detail_story.php?story_id=17910

Date: Tuesday, February 06, 2007

Credit card recall applies to all banks

There is more detailed news to report tonight on the cautionary replacement of credit cards in Belize. Research reveals that the compromising of the Visa and Mastercards was not isolated to one bank but involves virtually all banks that issue those cards worldwide.



Good backgrounder...

http://www.informationweek.com/news/showArticle.jhtml?articleID=197004939

How Does The Hacker Economy Work?

It's a murky world of chat rooms, malware factories, and sophisticated phishing schemes. Here's a look inside.

By Larry Greenemeier and J. Nicholas Hoover InformationWeek Feb 10, 2007 12:02 AM (From the February 12, 2007 issue)

... Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

... Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.



Because we wouldn't want anyone to know they were being scanned? This is another way to offer “personalized” services – your computer confirms your ID without your knowledge, greets you with a hearty “Good morning, Bob,” and records everything you do for future “personalization.”

http://www.livescience.com/scienceoffiction/070206_technovelgy.html

Stealthy Iris Scanner in the Works

By Bill Christensen posted: 06 February 2007 02:05 pm ET

A public iris scanning device has been proposed in a patent from Sarnoff Labs in New Jersey. The device is able to scan the iris of the eye without the knowledge or consent of the person being scanned. The device uses multiple cameras, and then combines images to create a single scan.



It is obvious, isn't it?

http://techdirt.com/articles/20070208/191319.shtml

Elections Officials Try To Defend Their Handling Of E-Voting Machine Testing

from the wasn't-really-that-bad,-they-claim dept

In the ongoing debate we've had with an e-voting company employee in our comments, we were told repeatedly that last month's story that the US Election Assistance Commission had barred the largest testing firm from testing e-voting machines was overblown. Now, it appears that EAC officials are trying to convince more people of that as well, saying that it was nothing out of the ordinary to ban the firm who tested most e-voting machines, after it was determined that they weren't complying with the testing rules. They claim that the press and blogs (such as this one, we assume) got something "lost in the translation." That may be true, but they seem to be missing the point. If there were real transparency in all of this and real security experts were free to do the tests they wanted, then people would feel a lot more comfortable about things. The problem is that there's almost no transparency, other than some "public tests" that are still limited. At the end of the article things get even more bizarre. The EAC folks complain that they haven't been able to do as much as they want because they have "limited resources." In other words, they're admitting that the current resources aren't enough for them to make sure these machines are thoroughly tested. There's a really simple solution to all of this. There is a good group of security experts out there who aren't just willing, but are pretty much begging to help test these machines to make sure they really are secure. Why won't the EAC open up the testing to let them take part? It should be a total win-win solution. The critics can see for themselves what's really going on and if the machines withstand the scrutiny then that should make everyone happy and a lot more comfortable with elections that use the machines.



Le amusement du jour! (Think of it as a way to ensure the President supports the arguments in your thesis.)

http://digg.com/celebrity/President_Bush_Singing_the_Hits_This_is_so_funny

President Bush Singing the Hits! This is so funny!

Here are some great videos of President Bush and other politicians singing. A hilarious cleverly dubbed/edited video of Bush singing Sunday Bloody Sunday, Bush singing Imagine and Walk on The Wildside Remix, Bush and Blair singing "Endless Love" together, Colin Powell singing YMCA in front of a live audience, and more....

http://www.webtvhub.com/president-george-bush-sings-sunday-bloody-sunday-endless-love-tony-blair-duet-and-more/



Complete with annotated illustrations. Quick & easy.

http://www.rvc.cc.il.us/faclink/pruckman/humor/grading.htm

A Guide to Grading Exams

by Daniel J. Solove Associate Professor of Law, The George Washington University Law School

Posted at ConcurringOpinions.Com December 14, 2006
