Tuesday, May 29, 2012

Initial reports were that only 30,000 students were impacted. They don't know what was downloaded, which strongly suggests they have no logs of user activity. Didn't bother with encryption... Way too much data accessible over the Internet... I wonder what else they did wrong?
University of Nebraska breach needs to reverberate in Washington, D.C.
May 28, 2012 by admin
The University of Nebraska disclosed a breach last week, which I dutifully entered on DataLossDB. The breach sounded like it could be huge, despite the university’s statement that it had no evidence (at that time) that any data had been downloaded:
The NeSIS database includes Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former NU students as well as student applicants who may or may not have attended NU. The database includes information for alumni as far back as spring 1985.
The financial aid information included bank account data.
Today, as the university continues to investigate the hack, it disclosed more details. And while the thrust of the latest update, reported by Maggie O’Brien of Omaha World-Herald, is that the university is closer to identifying the hacker, what struck me was the sheer magnitude of the breach and how avoidable it all was:
The computer database holds 654,000 Social Security numbers as well as other personal information. It serves all four NU campuses — one in Lincoln, two in Omaha and one in Kearney — and includes alumni information from as far back as 1985.
At stake is not only personal information such as grades, but potentially critical information like Social Security numbers — which can be used for identity theft — and, in some cases, bank account numbers.
Mauk said that as of Sunday, officials had not been notified of any identity theft cases stemming from the breach. Even so, 21,000 people whose bank account information was on the student information system have been alerted.
What were 654,000 Social Security numbers doing being connected to the Internet? Why wasn’t the old data going back 25 years moved offline? Why weren’t the SSN converted to non-sensitive identification numbers? Is there really any justification for 21,000 bank account numbers to still be in an accessible database?
The U.S. Department of Education has never been firm enough in prohibiting the use of SSN as student identifiers. And this is what happens.
It’s time for the U.S. Department of Education and/or Congress to act. Data such as bank account numbers should not be retained/stored past its intended use or freshness date. And SSN should be replaced with unique identifiers that even if stolen, could not be used for fraud or ID theft.
Enough is enough. Attending a university shouldn’t put students and their parents at needless risk of ID theft.
[From the website NU established:
What happened?
On May 23, 2012, a staff member of the Computing Services Network detected a security breach in the Nebraska Student Information System, indicating that an individual had gained access to the database. This was a sophisticated and skilled attack on our system that was discovered and shut down within hours of its discovery. [No indication when the breach happened. Bob]
Is the data in the NeSIS encrypted?
… However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place. [In other words, there was no encryption. And probably the hacker logged in as an authorized user. Bob]
[From the Omaha World article:
Mauk has said only a short time elapsed between the breach and its discovery.
Sunday, he declined to say whether the suspected hacker acted alone or was part of a group. Whoever did it was a skilled hacker whose intent was elaborate and malicious, Mauk said. [“We know what he intended because we can read his mind!” Bob]
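As an added, constructed illustration of the two remedies argued for above (replacing SSNs with identifiers that are useless if stolen, and dropping bank account data once it is past its freshness date), here is example code that is not from the original post or from the university. The vault, the record layout, the 90-day grace window and the sample records are all assumptions made for the illustration:

```python
"""Constructed example: opaque student IDs in place of SSNs, an SSN vault kept
apart from the student-facing records, and purging of stale bank data.
Nothing here is NU's code; names, records and the vault are assumptions."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


class IdentifierVault:
    """Maps a real SSN to a random, non-sensitive student ID.

    The mapping table is the only place the SSN lives and is meant to sit in a
    separately controlled store (an in-memory dict here, for illustration).
    The student ID is random, so a stolen records table cannot be inverted.
    """

    def __init__(self, index_key: bytes):
        # index_key (assumed secret) lets us find an existing mapping
        # without keeping the SSN itself as a dictionary key.
        self._index_key = index_key
        self._by_ssn_mac: dict = {}  # HMAC(SSN) -> student_id
        self._by_id: dict = {}       # student_id -> SSN (vault only)

    def _index(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def student_id_for(self, ssn: str) -> str:
        key = self._index(ssn)
        if key not in self._by_ssn_mac:
            sid = "NU" + secrets.token_hex(6).upper()  # opaque, unrelated to the SSN
            self._by_ssn_mac[key] = sid
            self._by_id[sid] = ssn
        return self._by_ssn_mac[key]

    def ssn_for(self, student_id: str) -> str:
        # Only the vault can reverse the mapping; in practice every call is audited.
        return self._by_id[student_id]


@dataclass
class StudentRecord:
    """What the student-facing system holds: no SSN field at all."""
    student_id: str
    name: str
    grades: dict = field(default_factory=dict)
    bank_account: Optional[str] = None            # only while aid is active
    bank_account_retain_until: Optional[date] = None


def enroll(vault, ssn, name, bank_account=None, aid_ends=None):
    rec = StudentRecord(student_id=vault.student_id_for(ssn), name=name)
    if bank_account is not None:
        rec.bank_account = bank_account
        # Assumed policy: keep bank data for the aid period plus a 90-day grace window.
        rec.bank_account_retain_until = aid_ends + timedelta(days=90)
    return rec


def purge_stale_financial_data(records, today):
    """Blank bank data whose retention date has passed; returns the count purged."""
    purged = 0
    for r in records:
        if r.bank_account is not None and today > r.bank_account_retain_until:
            r.bank_account = None
            r.bank_account_retain_until = None
            purged += 1
    return purged


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def ssn_exposure(records) -> int:
    """Count string fields in the student-facing records that look like an SSN."""
    return sum(1 for r in records for v in vars(r).values()
               if isinstance(v, str) and SSN_RE.search(v))


def demo():
    # Constructed sample data: the SSNs and account numbers are not real.
    vault = IdentifierVault(index_key=secrets.token_bytes(32))
    records = [
        enroll(vault, "123-45-6789", "Ada Example", "111000025-0001", date(2011, 5, 31)),
        enroll(vault, "987-65-4321", "Bob Sample", "111000025-0002", date(2012, 5, 31)),
        enroll(vault, "555-55-5555", "Cy Alumnus"),  # alumnus: no financial data kept
    ]
    purged = purge_stale_financial_data(records, today=date(2012, 5, 29))
    return vault, records, purged


if __name__ == "__main__":
    vault, records, purged = demo()
    print(f"purged {purged} stale bank record(s); SSN-like fields exposed: {ssn_exposure(records)}")
```

The point of the split is that a copy of the `StudentRecord` table, even one going back 25 years, contains nothing usable for ID theft; the SSN can only be recovered through the vault, which can be kept off the Internet-facing system and have every lookup logged.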

For my Computer Security students. This technique has implications for avoiding Denial of Service attacks too.
"Last week The Pirate Bay added a new IP address which allows users to circumvent the many court-ordered blockades against the site. While this proved to be quite effective, the Hollywood backed anti-piracy group BREIN has already been to court to demand a block against this new address. But that won't deter The Pirate Bay, who say they are fully prepared for an extended game of whac-a-mole using the hundreds of IP addresses they have available. Courts all around the world have ordered Internet providers to block subscriber access to the torrent site, and the end is still not in sight."

I wonder what is left after the lawyers get theirs?
By Dissent, May 28, 2012
Emily Jackson reports:
A proposed settlement in a class action lawsuit against Durham Region Health puts a $5.99 price tag on the patient data doctors are privy to.
The lawsuit was filed against Durham Region after a nurse lost a USB key laden with the unencrypted personal information of 83,524 people in December 2009.
According to the proposed settlement, which still must be approved by a judge but was signed by lawyers for both parties on May 3, the region will pay $500,000 in costs, disbursements and taxes.
Read more on Toronto Star.

“Insecurity by design” because no one ever checks to see that chips are manufactured as designed? Yesterday it was “Flame,” so today is a good time to sell your malware detector...
"Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it other than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan'. Does this mean that the Chinese have control of our military information infrastructure, asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'"
Even though this story has been blowing up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

“We need more fingers in more pies.”
May 27, 2012
FTC Testifies on Efforts to Protect Consumer Privacy
News release: "The Federal Trade Commission testified before Congress about the agency’s efforts to protect consumer privacy, including the FTC’s support for implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across websites, and other approaches recommended in its recent privacy report. In delivering Commission testimony before the Senate Committee on Commerce, Science and Transportation, FTC Chairman Jon Leibowitz said the current time is a “critical juncture” for consumer privacy, and described the FTC’s recent privacy report, including its call for final implementation of a Do Not Track mechanism. The testimony notes that the Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers."

It only took 64 complaints to change the rules? Are they complete wimps or did they realize the rule was unenforceable?
"Privacy watchdog, the Information Commissioner's Office, has already received 64 complaints under the UK's Cookie Law, which requires sites to get permission to track users with cookies. The law only came into effect on Saturday, and many sites do not expect to comply soon. To make life more complicated, the ICO has updated its advice, apparently allowing 'implied consent' instead of actually making a user click a box to give permission for cookies."
(updated PDF version here)
[From the article:
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred,” the updated cookies guidance read. “This might, for example, be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

If they could be made cheaply enough, we could cover the world and then access the data on our cellphones.
This Rock Could Spy on You for Decades
Palm-sized sensors, developed for the American military, will remain littered across the Afghan countryside — detecting anyone who moves nearby and reporting their locations back to a remote headquarters. Some of these surveillance tools could be buried in the ground, all-but-unnoticeable by passersby. Others might be disguised as rocks, with wafer-sized, solar-rechargeable batteries that could enable the sensors’ operation for perhaps as long as two decades, if their makers are to be believed.

“We have this big book that we use with our 100 hour class on 'How to watch TV' that will allow us to learn about events like Hurricane Katrina almost as soon as they happen! And we kinda spy on your Facebook page...”
May 28, 2012
DHS National Operations Center Media Monitoring Capability Desktop Reference Binder 2011
Via EPIC FOIA release, Analyst’s Desktop Binder 2011 Redacted, Department of Homeland Security National Operations Center Media Monitoring Capability, Desktop Reference Binder.
  • "MMC [media monitoring capability] coverage focuses primarily on providing information on incidents of national significance, which are usually defined as catastrophic events that result in wide-scale damage or disruption to the nation’s critical infrastructure, key assets, or the Nation’s health; and require a coordinated and effective response by Federal, State, and Local entities. For the most part, coverage of international incidents is limited to that of terrorist activities and infectious diseases that impact a wide population of humans or animal stock, such as mad cow disease or H5N1, and catastrophic weather events around the globe (Category 5 Hurricanes, Tsunami, and Large Magnitude Earthquakes). An Item of Interest (IOI) is generated whenever an MMC search or alert produces information about an emergent incident that should be brought to the attention of the NOC [National Operations Center]."
  • Related - UK Mail Online - "The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media for signs of terrorist or other threats against the U.S."

Great background music for Blogging...
"MuseScore, the open source music notation editor, and pianist Kimiko Ishizaka have released a new recording and digital edition of Bach's Goldberg Variations. The works are released under the Creative Commons Zero license to promote the broadest possible free use of the works. The score underwent two rounds of public peer review, drawing on processes normally applied to open source software. Furthermore, the demands of Bach's notational style drove significant advancements in the MuseScore open source project. The recording was made on a Bösendorfer 290 Imperial piano in the Teldex Studio of Berlin. Anne-Marie Sylvestre, a Canadian record producer, was inspired by the project and volunteered her time to edit and produce the recording. The project was funded by a successful Kickstarter campaign that was featured on Slashdot in March 2011."

So why aren't we using them more?
Google Apps For Business Gets ISO 27001 Certification
Google just announced that its Google Apps for Business service has earned ISO 27001 certification. This certifies that Google is following the standard ISO information security management protocols and best practices “for the systems, technology, processes and data centers serving Google Apps for Business.”

It's easy to hate PowerPoint, it's much more difficult to find a useful replacement...
Death To Powerpoint! Piccsy Rethinks The Pitchdeck, Gets Tons Of Pageviews
Your Powerpoint pitchdeck is so boring. So. Freaking. Boring. Although tech bloggers aren’t sent startup’s actual pitchdecks as often as investors are (thankfully), we’re still walked through them on dreadful, “let me read to you from my Powerpoint” phone calls more often than should be socially acceptable. That’s why when image aggregator Piccsy, which is simultaneously a competitor to Pinterest as well as a top 20 content source for the site, pinged us to take a look at its pitch deck, we were pleasantly surprised. A pitchdeck that’s actually fun to read? Can such a thing exist?
Piccsy.com/investors hosts the company’s public pitchdeck, and it’s a striking, visual representation of the data that would be typically found in bullet-pointed slideshows. The format leads you to wander through content and explore, much like Piccsy itself does.
The full site is here.
