Saturday, May 26, 2012

Compromise of a contractor's computer system almost a year ago. What do you bet there will be no consequences to the contractor...
Computer security breach at Serco affects 123,000 Thrift Savings Plan participants
May 25, 2012 by admin
Hazel Bradford reports:
A cyber attack on a computer of a contractor for the $313 billion Thrift Savings Plan, Washington, could have compromised account information for about 123,000 plan participants, the Federal Retirement Thrift Investment Board, which oversees the plan, announced Friday.
The attack was made on a computer at Serco Inc., a contractor helping to update TSP’s disbursement system software, and was first detected by the FBI in April. [See below Bob]
Serco and the board performed a forensic analysis to see which TSP account holders were affected, concluding that 43,587 participants had personal information including Social Security numbers potentially compromised, and another 80,000 may have had their Social Security numbers accessed from the Serco computer. Those participants are being notified in letters mailed on Friday.
Read more on Pensions & Investments.
A statement posted on Serco’s site today says:
Serco Inc., a provider of professional, technology, and management services, announced today that one of its computers used in support of the Federal Retirement Thrift Investment Board (FRTIB) was subjected to a sophisticated cyber attack.
There is no evidence of any funds being diverted or identity theft resulting from the incident. An extensive forensic analysis of the data also shows no indication that the TSP network, which supports TSP’s 4.5 million participants, was subjected to unauthorized access.
In April 2012, the Federal Bureau of Investigation (FBI) informed Serco that one of its computers used in support of the FRTIB was subjected to unauthorized access. The FRTIB and Serco acted quickly and decisively to further investigate the incident, take additional steps to protect the integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues to be a safe and secure retirement plan for federal employees.
FRTIB and Serco performed forensic analysis to determine which TSP participants and payees were possibly affected and the extent of the possible compromise of data. Steps taken included an immediate shut down of the compromised computer, launch of a task force involving both Serco and FRTIB senior executives to focus all capabilities and resources in a coordinated system-wide review of the protection of data, and fortification of the security systems.
… The FBI supplied data to Serco and the FRTIB that required extensive IT security expert analysis in order to determine which TSP members were potentially affected. [Suggests they had no record of the data stored on that computer? Bob] The analysis required opening and reviewing thousands of files in order to determine what personal information might be at risk and the identity of the potentially affected individuals, as well as taking further actions to determine the scope of the incident.
This incident fits with the increasing number of cyber attacks in which the goal of those seeking unauthorized access does not appear to include identity theft or financial misappropriation. [They have no idea what the hacker's motivation was Bob]
Not surprisingly, it doesn’t really say anything about the attack itself, nor when the attack occurred. At some point, Serco will need to explain why it didn’t detect the attack via its own measures or audits if it didn’t prevent it.
Update: MyFox Detroit has some additional details, including a statement that the attack occurred last July.

Another “third party” compromise? If it was the VISA network, this is gonna be HUGE!
Was it or wasn’t it hacked: conflicting reports on a possible bank hack
May 25, 2012 by admin
WNYF reports:
The accounts of hundreds of Community Bank customers may have been compromised in an apparent identity theft attempt involving debit cards.
State police investigators tell 7 News that a database used by the bank was apparently hacked into earlier this month with personal account information of numerous north country customer accounts obtained.
The bank’s public relations firm denies that Community Bank’s computer systems were compromised.
Read more on WNYF.
Guess we’ll have to wait for more info on this one as they both can’t be right, can they?
[From the article:
Pat Spadafore of Eric Mower & Associates, acting as a spokesman for Community Bank, tells 7 News in an e-mail that the VISA debit card network was apparently compromised.

I have absolutely no pity for managers who can't even get the basics right.
"A fortnight ago the Bitcoin financial website Bitcoinica was hacked and the hacker stole $87,000 worth of Bitcoins. At the time the owner promised that all users would have their Bitcoins and US dollars returned in full, but one of the site developers has just confirmed that they have no database backups and are having difficulty figuring out what everyone's account balance should actually be. A failure of epic proportions for a site holding such large amounts of money."

Anything new?
May 24, 2012
Disappearing Phone Booths - Privacy in the Digital Age
  • "I will...explain why the confluence of at least four circumstances – (1) digital ubiquity, (2) the increasing number of parties that take part in our daily transactions, (3) the commodification and monetization of data, (4) and woefully out-of-date privacy laws – creates something of a perfect storm, leaving us as a nation poorly equipped, in our present state, to preserve any measure of a right to privacy. That is to say, I will be arguing that technology and policy both play powerful roles in framing what is possible and how we live our lives, and that changes in technology must be accompanied by changes to policy."

Tools for Privacy advocates?
CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law
The European “Directive on Privacy and Electronic Communications” that regulates the ways websites can track users is coming to sites which serve European users, which covers plenty out there. The Directive requires that sites disclose the use of cookies on their site and allows visitors to opt in to their use. It could be an immediate turn-off for users, but it’s here to stay. On Saturday, May 26, the UK implements the first phase of the law, so website owners are scrambling to ensure they are in compliance (assuming they even know about it). As we’ve said before, we think it’s dumb and will make it much harder on European startups.

Before you build a huge national biometric database...
"The iris scanners that are used to police immigration in some countries, like the UK, are based on the premise that your irises don't change over your lifetime. But it seems that assumption is wrong. Researchers from the University of Notre Dame have found that irises do indeed change over time, enough so that the failure rate jumps by 153% over three years. While that means a rise from just 1 in 2 million to 2.5 in two million, imagine how that will affect a system like India's — which already has 200 million people enrolled — over 10 years."

Is this an indication that teachers are unable to accurately record attendance? More likely, they hope students give their “chips” to classmates when they are going to miss school so the school can count them for “attendance related funds.” See, it's not about the students, it's about the money!
Texas schools expand RFID chipping of students
May 25, 2012 by Dissent
Back in October 2010, I commented on a news report out of Houston on the use of RFID tags with students. Yesterday, Francisco Vara-Orta reported on the situation in San Antonio.
As I anticipated when I wrote, “the students’ RFID tag will register them as ‘in school’ and track their location throughout the day so that the district can get all of its attendance-related funds from the state,” that appears to be precisely the motivation in San Antonio.
Here’s the kicker:
Texas Education Agency spokeswoman DeEtta Culbertson said no state law or policy regulates the use of such devices and the decision is up to local districts.
It might behoove the state to come up with some guidelines or regulations about where such tracking cannot be used and for how long data can be retained…. or whether it can be shared.
And if RFID tagging is used for attendance monitoring, does that make it part of the student’s education record subject to FERPA?

An interesting expansion of liability. Would a smarter lawyer have tried for “conspiracy”?
"After mowing down a motorcycling couple while distracted by texting, Kyle Best received a slap on the wrist. The couple's attorney then sued Best's girlfriend, Shannon Colonna, for exchanging messages with him when he was driving. They argued that while she was not physically present, she was 'electronically present.' In good news for anyone who sends server-status, account-alerts or originates a call, text or email of any type that could be received by a mobile device, the judge dismissed the plaintiff's claims against the woman."

Interesting. I wonder if Colorado has a secret court? (Should we really believe that defense lawyers have never heard of this?)
Washington lawyers challenge secret court proceedings
May 25, 2012 by Dissent
Gene Johnson reports:
A defense lawyer in Eastern Washington was reading a detective’s statement in his client’s drug case when he came across a curious line. In asking to search the man’s house and cars, the detective revealed that he had already seen the defendant’s bank records.
That’s odd, thought the lawyer, Robert Thompson of Pasco. There’s no search warrant for the bank records. How’d he get them?
The answer — with a subpoena secretly issued by a judge — provides a window into the little-known use of “special inquiry judge proceedings” in Benton County and across the state. Prosecutors who use them say the proceedings are authorized by state law, make for more efficient investigations and have plenty of judicial oversight, but Thompson and other defense attorneys say they raise questions about privacy, accountability and the open administration of justice.
Read more on Seattle PI.
[From the article:
The proceedings, created by the Legislature in 1971, function as grand juries without the grand jury: At the request of a prosecutor, a judge can secretly hear from witnesses, review evidence or issue subpoenas based on a reasonable belief that someone "may be able" to provide testimony or evidence.
… Witnesses can be compelled to testify, but are immune from prosecution for what they say — important in complex public corruption or organized crime investigations. If no charges are ever filed, no one aside from those involved ever learns the proceedings occurred.

Managers: monitor your IT environment!
Spiceworks Eyes Skunkworks, Keeps Tabs on Cloud
Bring-your-own-device (BYOD) may be the concern du jour — what with employees’ devices running any old app they please — but what about the cloud creep into the workplace via that skunkworks project?
… With Spiceworks 6.0, IT pros can automatically scan their networks for more than 40 popular cloud services “to see exactly which cloud services are in use and by whom, providing an extra layer of control over sensitive resources,” the company said in a press release on Thursday.

For my Computer Security students
… Sure, your files may be encrypted in transit and on the cloud provider’s servers, but the cloud storage company can decrypt them — and anyone that gets access to your account can view the files. Client-side encryption is an essential way to protect your important data without giving up on cloud storage.
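What client-side encryption actually buys you, as an added example rather than code from the linked article: the file is sealed on the client with a key derived from a passphrase that never leaves the machine, so the provider (or anyone who hijacks the account) stores and serves only ciphertext, and any change to the stored blob is refused before a byte of plaintext is released. This is Go against the standard library only: AES-256-GCM for the encryption, and PBKDF2-HMAC-SHA256 written out inline because the standard library ships HMAC but not PBKDF2. The file name, passphrase, file contents and iteration count are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per file, stored in the clear in front of the ciphertext
	nonceLen   = 12      // standard GCM nonce size, random per file
	keyLen     = 32      // AES-256
	pbkdf2Iter = 100_000 // assumption: tune to what the client can afford per file
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018, section 5.2).
// Written out here because Go's standard library has no PBKDF2.
func pbkdf2SHA256(pass, salt []byte, iters, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(ctr[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newAEAD derives the per-file AES-256 key from the passphrase and salt.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file on the client before upload. The uploaded blob is
// salt || nonce || AES-GCM(plaintext) || tag. The file name is bound as
// associated data, so a valid ciphertext cannot be quietly moved into
// another file's slot on the provider's side.
func Seal(passphrase, name string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 0, len(hdr)+len(plaintext)+aead.Overhead())
	blob = append(blob, hdr...)
	return aead.Seal(blob, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a downloaded blob. GCM cannot tell a wrong key from a
// modified blob; either way nothing is returned.
func Open(passphrase, name string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short to be a sealed file")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase, wrong file name, or tampered data")
	}
	return pt, nil
}

func main() {
	const passphrase = "correct horse battery staple"           // assumption: user-chosen, never uploaded
	secret := []byte("constructed sample: 2011 return, SSN, account numbers") // constructed file content
	blob, err := Seal(passphrase, "taxes-2011.pdf", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes, starting %x...\n", len(blob), blob[:8]) // all it ever sees
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered download
	_, err = Open(passphrase, "taxes-2011.pdf", blob)
	fmt.Println("tampered download:", err)
}
```

The salt and nonce ride along in the clear; that is fine, since security rests on the passphrase and on GCM's tag, not on hiding them. What the example deliberately does not solve is the part the article glosses over: if the passphrase is lost there is no recovery, and a weak passphrase is still the attacker's cheapest route once the blob is in hand, which is why the iteration count is not a constant to skimp on.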

For my “smartphone-enabled” students, which, as it happens, is most of them.
TinyVox takes a retro tape recorder and turns it into a digital format app for the very popular devices, iOS and Android. The app can be quickly used to make notes, record quotes from a friend or just make an audio log to share and promote with your friends.
Similar tools: SaveMeeting and NoteRec.

A techno-sea change?
"Dallas Mavericks owner and media entrepreneur Mark Cuban thinks he knows the reason for Facebook's disappointing IPO; smart money has realized that 'mobile is going to crush Facebook', as the world's population increasingly accesses the Internet mostly through smartphones and tablets. Cuban notes that the limited screen real estate hampers the branding and ad placement that Google and Facebook are accustomed to when serving to desktop browsers, while phone plans typically have strict data limits, so subscribers won't necessarily take kindly to YouTube or other video ads. Forbes' Eric Jackson likewise sees a generational shift to mobile that will produce a new set of winners at the expense of Facebook and Google."

I want one!
Microsoft to Offer 80-Inch Windows 8 Tablets for Offices
“Steve Ballmer has an 80-inch Windows 8 tablet in his office. He’s got rid of his phone, he’s got rid of his note paper. It’s touch-enabled and it’s hung on his wall.”
