Friday, April 18, 2008

This was on the blog yesterday. I wonder how many schools are impacted? This is #2

http://www.pogowasright.org/article.php?story=20080417150456840

Buffalo State College will notify students about security breach

Thursday, April 17 2008 @ 03:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

Buffalo State College will be sending out notices to students about what could be a major security breach.

The school was notified on April 11, 2008, that a laptop containing about 16,000 Buffalo State current and former students' private information had been stolen.

The laptop was owned by a consultant from SunGard, the company that provides Banner®, the records system used at Buffalo State.

Source - WIVB

This is probably related to the breach reported here


Related #3

http://www.pogowasright.org/article.php?story=20080417200644154

MO: Laptop theft may have compromised student info

Thursday, April 17 2008 @ 08:06 PM EDT Contributed by: PrivacyNews News Section: Breaches

The theft of a laptop computer in New York could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

SunGard Higher Education has notified Northwest of the theft of a laptop computer owned by one of SunGard’s employees that may have put the personal information of students and former students at risk.

While it is not believed identity theft was the motive behind the incident, which occurred in March on a college campus in New York, Northwest moved immediately to inform those who might be affected.

Source - Maryville Daily Forum

Related - Laptop stolen with student data, contained personal information of 3,400 CSU System pupils
Related - Buffalo State College will notify students about security breach



Tools & Techniques A Halloween tale? “As soon as you die, cancel all your credit cards.”

http://www.pogowasright.org/article.php?story=20080417170459815

Feds Charge California Woman With Stealing IDs From the Dead

Thursday, April 17 2008 @ 05:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

Federal prosecutors this week charged a Southern California woman with aggravated identity theft and other crimes for allegedly using a popular genealogy research website to locate people who had recently died, and then taking over their credit cards.

Tracy June Kirkland, 42, allegedly used Rootsweb.com to find the names, Social Security numbers and birth dates of people who, shall we say, had no further need for their consumer credit lines. She then "would randomly call various credit card companies to determine if the deceased individual had an … account," according to the 15-count indictment (.pdf) filed in federal court in Los Angeles Tuesday.

Source - Threat Level blog



How to convince your CEO that security education is worthwhile?

http://www.pogowasright.org/article.php?story=20080417144340634

Identity Theft Smash & Grab, CEO Style

Thursday, April 17 2008 @ 02:43 PM EDT Contributed by: PrivacyNews News Section: Breaches

Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far. [10% is higher than the average phishing success rate. Interesting. Bob]

Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company.

Source - Security Fix blog

[From the article:

(the malicious add-on only installed for users visiting the site with Microsoft's Internet Explorer Web browser). Approximately half of the recipients of the e-mail messages were executives at major financial institutions.

... Richard said the group responsible for this attack is based in Romania and is thought to have masterminded nearly two dozen similar attacks over the past year that netted the group millions of dollars.



“We have the technical ability – all other considerations are unimportant.” This is going to be controversial at best, and the opportunity for offense is staggering: “Welcome to (insert name of religious site here), but first a word from our sponsor Hustler Magazine...” We already have cable systems doing it, but I suspect they have contracts specifying how it can be done.

http://yro.slashdot.org/article.pl?sid=08/04/18/0118256&from=rss

Study Confirms ISPs Meddle With Web Traffic

Posted by Soulskill on Friday April 18, @12:15AM from the you-wouldn't-like-me-when-i'm-angry dept

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. They found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld:

"To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."



No evidence, no crime.

http://techdirt.com/articles/20080417/041747875.shtml

Congress Won't Fund Paper Backups For E-Voting Machines

from the we-broke-it...-but-don't-expect-us-to-pay-you-to-fix-it dept

It was Congress that first mandated that polling places needed to start using e-voting machines a few years back, which has led to the ridiculously long trail of stories concerning buggy machines with questionable results and no way to go back and check to see how accurate the results are. It appears that politicians have finally been realizing that the lack of a paper trail (even if just to confirm the results) is problematic. So they're pushing states to make sure they use e-voting machines that also include a paper trail. But, when it comes to paying to make those changes, the states are apparently on their own. Congress has rejected a plan to fund the states in making sure a paper backup was available. Why? Well, as Rep. Vernon Ehlers says: "I think there are other methods of achieving redundancy" though he conveniently leaves those out. He then notes: "hand counting is not as accurate as almost any machine counting that I have seen." It's true that hand counting has its problems too. No one denies that. But the point isn't that hand counting is perfect, but that there's a way to go back and compare the results to make sure they're correct and accurate. Without that in place, we're simply relying on the machines to work perfectly, and we know that doesn't work.



Sometimes you can figure out what concerns governments by their (not so) subtle actions.

http://blog.wired.com/27bstroke6/2008/04/gsm-researcher.html

GSM Security Researcher Targeted in Airport Shakedown

By Kim Zetter April 17, 2008 | 2:45:00 PM

A security researcher on his way this week to speak at a conference about mobile phone security was stopped by British authorities at Heathrow Airport and questioned before being relieved of his Nokia phone, SIM card and USRP (Universal Software Radio Peripheral).

The researcher was on his way to Dubai to deliver a talk at the Hack-in-the-Box security conference about cracking GSM encryption to intercept mobile phone calls and text messages and track the location of users using less than $1,000 in equipment.



As a rule, if you make an “unbreakable system” someone will break it.

http://tech.slashdot.org/article.pl?sid=08/04/18/0436232&from=rss

NULL Pointer Exploit Excites Researchers

Posted by Soulskill on Friday April 18, @05:18AM from the ruh-roh-shaggy dept. Java Security

Da Massive writes

"Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of Information Security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern depending on how they are interpreting it. While the Flash vulnerability described in the paper [PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"



This might be fun to watch. It should give some advanced notice of the tools DHS plans to use.

http://www.bespacific.com/mt/archives/018124.html

April 17, 2008

House Homeland Security Committee Newsletter Focuses on Opportunities for Small Business Contractors

Chairman, Rep. Bennie G. Thompson: "I began this newsletter to alleviate the gap that exists between the need for information about opportunities available at the Department and the ability to locate and disseminate that information in a timely and user-friendly manner. Similarly, my experience has taught me that the gap between need and ability also affects businesses in their quest to interact with the Department. A small business owner may have a concept for a product that will address an important homeland security need, but lack the resources necessary to bring the product on-line. A large company may not have developed the original concept, but may possess the resources necessary to transform a prototype into an available product. The gap between concept and production can be bridged by providing each party with the type of information they need to create a product that fills a critical need. This newsletter is intended to bridge the gaps that keep information unavailable, sidelines worthwhile businesses, discourages full participation, and permits vulnerabilities to continue."



This could be useful, I'll have to play around with it some more...

http://www.killerstartups.com/Web20/Socratocom---Interactive-Test-Prep-and-Assessment/

Socrato.com - Interactive Test Prep and Assessment

Socrato.com is a web-based test preparation and assessment platform. Based in Boston, Socrato’s Beta version includes practice tests for Massachusetts state exams, as well as the U.S. citizenship exam. There are also vocabulary tests for the SAT and GRE, and users can upload their own practice tests or study materials to share publicly or amongst a private group. These ‘study groups’ can be set up by classmates or teachers, or even by school administrators for use across a district. Socrato also features tools for assessing a student’s learning styles, strengths and weaknesses, progress, etc., which can be used by the student or by their parents, teachers, and tutors. Currently, all tests on this site are multiple-choice, true or false, or fill in the blank – essays are not supported.

http://www.socrato.com/



I need this. I just found out that the big red “S” on my chest has already been copyrighted.

http://www.killerstartups.com/Web-App-Tools/LogoEasecom---Design-A-Unique-Logo/

LogoEase.com - Design A Unique Logo

Whether you are a company making a logo for your business or you are an individual who wants to make a symbol for your work, your brand image is your logo and that is important. You want a unique logo that represents your mark and your vision, something that stands out from the rest. There are many free logo design services available on the web and if you are very creative you can try to make a logo with those tools that is unique. Making a unique logo from the tools provided is a challenge because everyone is provided with the same shapes to choose and the same editing tools. Logo Ease provides users with two options. The first option is the free option where you can choose from an array of shapes which include categories such as: mountains, transport, eye, sports, religious, space, music, celebration, and more. You can then edit by adding up to five lines of text, choosing fonts, adjusting the scale, rotating, and changing the color. You then save your finished logo and you are done. Anyone can use the free logo editor and therefore you run the risk of creating a logo that is similar to someone else’s. Logo Ease gives users the opportunity to use professional logo design software so that you can make a unique logo. The software costs $149 and you can revise your logo as many times as you want. Logo Ease offers logo options for all the different needs users may have.

http://www.logoease.com/
