Wednesday, July 15, 2009

Follow-up: They don't say it wasn't a mainframe, but unless they had cameras every few yards throughout Texas, they wouldn't need one. Interesting that the computer belonged to “Security”.

http://www.databreaches.net/?p=6168

CORRECTS and REPLACES: Mainframe computer stolen from local TVCC campus

July 14, 2009 by admin Filed under Breach Incidents

Yesterday this site posted a story from and link to The Palestine Herald about a breach at Trinity Valley Community College. I just received this email, however, that the original source was in error:

Good Afternoon,

It has been brought to my attention that your website has posted an Associated Press news item regarding a potential security breach at Trinity Valley Community College in Palestine, Texas. That article contained completely erroneous information. The computer that was stolen was used exclusively for security surveillance. No personal, confidential or student information was stored on that computer. TVCC has had no breach of security at all.

If you have any questions, please feel free to contact me at the number below or on my cell phone at [redacted].

Thank you,

Jennifer Hannigan
Public Information Officer
Trinity Valley Community College



One of the primary justifications for buying laptops for employees is that they can take them with them when they leave the office. Why were all these left in the office?

http://www.databreaches.net/?p=6177

Laptops stolen from Springfield (OH) schools

July 14, 2009 by admin Filed under Breach Incidents, Education Sector, Theft, U.S.

Ten laptop computers stolen from Keifer Alternative School June 30 contained information about students with disabilities, but not social security numbers, Springfield City Schools Interim Superintendent Don Thompson said.

The district sent letters home to parents of students who were affected following the theft, said Thompson. The laptops belonged to employees of the district’s special education department, including psychologists, which relocated to Keifer as part of a plan to move all administrative offices out of the South High School building.

Read more on Springfield-Sun.



Isn't this the basis for all “data breach” cases? Either deliberately or through gross carelessness, the custodian of the data leaked it.

http://www.pogowasright.org/?p=1830

Woman threatens suit against Tigo over info leak

July 14, 2009 by Dissent Filed under Breaches, Non-U.S.

Millicom Ghana, operators of Tigo could soon be in the dock for allegedly releasing confidential information about a subscriber.

A married woman, name withheld, accused the network operator of providing her ‘jealous’ husband with details of her call records.

[...]

She was however surprised when the husband produced a detailed account of all calls she had made, the duration of those calls and text messages she sent.

Upon further investigation she found a white envelope with the inscription ‘Tigo’ containing all the details of the calls.

Read more on ModernGhana.com.



(Could have been worse, could have been a Western Diamondback.) I doubt the virus story. More likely, the Superintendent's userid and password were stolen (keylogger?) from his computer. But it does look like there was a weakness in the bank's controls...

http://www.databreaches.net/?p=6179

Western Beaver Sues ESB Bank

July 14, 2009 by admin Filed under Breach Incidents, Education Sector, Malware, Of Note, U.S.

Western Beaver School District has sued Ellwood City-based ESB Bank, saying the bank allowed someone to siphon more than $700,000 from two accounts while school administrators were off during the Christmas break in December and January.

The district says it’s still missing nearly $450,000.

According to the suit filed in Beaver County Court, someone infected Western Beaver’s computer system with a virus, which deceived the bank’s computer system into thinking that Superintendent Robert Postupac requested 74 electronic fund transfers totaling $704,610.35. Postupac was unaware of the transfers, the suit said.

Money was deposited from Dec. 29 through Jan. 5 into the bank accounts of 42 separate individuals from as far away as California and Puerto Rico. The suit did not identify the people who received the money, but noted that none of them had had any connection to Western Beaver.

Read more on iStockAnalyst.com.

[From the article:

In May, Pittsburgh's FBI office confirmed that it was investigating a computer crime within the school district. A phone call to the FBI on Friday was not returned.

… The suit alleges that ESB should have immediately realized that the transfers were fraudulent for the following reasons:

The bank's contract with Western Beaver stipulates that it can electronically transfer money only from the district's payroll account. The transfers in question came from the district's tax account and general fund account.

The contract stipulates that only certain board members and the district business manager -- not Postupac -- are permitted to authorize withdrawals from the tax and general fund accounts.

In the five months prior to the incident, Western Beaver had requested only 29 third-party fund transfers, and the unusual number of transfers should have raised a red flag.

The suit alleges that ESB eventually learned of the transfers on Jan. 2 only through a phone call from an unidentified out-of-state bank, which called after becoming suspicious when a large electronic deposit showed up in a customer's account.

At that point, the suit says, ESB had permitted 55 transfers.

It permitted about 19 more transfers after the call, the suit says.
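The three reasons the suit gives for why the transfers should have been caught are, in effect, transaction-screening rules: the source account must be the payroll account, withdrawals from the tax and general fund accounts must come from a named authorizer, and volume far above the five-month baseline should alert. The block below is an added example, not code from the article or from either party; the authorizer names, the seven-day window, the 3x threshold and the sample transfers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Contract terms as alleged in the suit; the names and thresholds here are constructed for this example.
PERMITTED_SOURCE_ACCOUNTS = {"payroll"}
RESTRICTED_ACCOUNTS = {"tax", "general_fund"}
TAX_AND_GENERAL_AUTHORIZERS = {"board_member_1", "board_member_2", "business_manager"}  # hypothetical
BASELINE_PER_DAY = 29 / (5 * 30)   # 29 third-party transfers in the prior five months (from the suit)
WINDOW_DAYS = 7                    # assumed trailing window for the velocity rule
VELOCITY_MULTIPLIER = 3            # assumed: alert above 3x the expected count in the window


@dataclass(frozen=True)
class Transfer:
    when: date
    source_account: str
    requested_by: str
    amount: float
    beneficiary: str


def screen_transfer(t, earlier):
    """Return the names of the contract rules this transfer breaks; earlier = prior transfers."""
    flags = []
    if t.source_account not in PERMITTED_SOURCE_ACCOUNTS:
        flags.append("account_not_permitted_for_eft")
    if t.source_account in RESTRICTED_ACCOUNTS and t.requested_by not in TAX_AND_GENERAL_AUTHORIZERS:
        flags.append("requester_not_authorized")
    # Velocity: count transfers in the trailing window (this one included) against the baseline.
    in_window = [e for e in earlier if t.when - e.when <= timedelta(days=WINDOW_DAYS)]
    if len(in_window) + 1 > VELOCITY_MULTIPLIER * BASELINE_PER_DAY * WINDOW_DAYS:
        flags.append("unusual_transfer_volume")
    return flags


def screen_batch(transfers):
    """Screen transfers in date order; returns one (transfer, flags) pair per transfer."""
    ordered = sorted(transfers, key=lambda t: t.when)
    return [(t, screen_transfer(t, ordered[:i])) for i, t in enumerate(ordered)]


# Constructed sample batch, loosely following the Dec. 29 to Jan. 5 pattern described in the suit.
SAMPLE = [
    Transfer(date(2008, 12, 29), "payroll", "business_manager", 18250.00, "payroll_processor"),
    Transfer(date(2008, 12, 30), "tax", "superintendent", 9800.00, "individual_01"),
    Transfer(date(2008, 12, 31), "general_fund", "superintendent", 9450.00, "individual_02"),
    Transfer(date(2009, 1, 2), "tax", "superintendent", 9975.00, "individual_03"),
    Transfer(date(2009, 1, 5), "general_fund", "superintendent", 9600.00, "individual_04"),
]

if __name__ == "__main__":
    for t, flags in screen_batch(SAMPLE):
        print(t.when, t.source_account, t.requested_by, f"{t.amount:,.2f}", flags or "clean")
```

Only the first transfer passes; every later one trips the account and authorizer rules, and the fifth also trips the volume rule, which is the point of the suit: each rule alone would have stopped the run before the out-of-state bank called.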



For your Security Manager and my Excel class.

http://it.slashdot.org/article.pl?sid=09/07/14/1932234

Attacks Against Unpatched Microsoft Bug Multiply

Posted by kdawson on Tuesday July 14, @06:59PM from the how-not-to-excel dept. Security Microsoft

CWmike writes

"Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high."

Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.



Updating (but not resolving) the issue. Reminds me of “The Cuckoo's Egg”. Let's hope the Military (somebody) has better tools! Or we could depend on the Vietnamese...

http://it.slashdot.org/story/09/07/14/1715252/UK-Not-North-Korea-Is-Source-of-DDoS-Attacks?from=rss

UK, Not North Korea, Is Source of DDoS Attacks

Posted by kdawson on Tuesday July 14, @02:16PM from the one-master-to-rule-them-all dept. security military

angry tapir writes

"The UK was the likely source of a series of attacks last week that took down popular Web sites in the US and South Korea, according to an analysis performed by a Vietnamese computer security researcher. The results contradict assertions made by some in the US and South Korean governments that North Korea was behind the attack. Security analysts had been skeptical of the claims, which were reportedly made in off-the-record briefings and for which proof was never delivered."

The Vietnamese security site's blog is linked from the article, but it is very slow even before Slashdotting. The researchers observed 166,908 zombies participating in the attacks — a number far larger than most earlier estimates.

Update: 07/14 21:24 GMT by KD : Wired is reporting that the UK owner of the IP address in question is pointing a finger at a server in Florida, which it says opened a VPN to the UK machine for the attacks. Once again, the attacker could be anywhere.



Ethics. We can, therefore we must (publish). What happened to the “fit to print” part?

http://www.pogowasright.org/?p=1839

TechCrunch reveals confidential Twitter docs

July 15, 2009 by Dissent Filed under Breaches, Businesses, Featured Headlines

Michael Arrington of TechCrunch discusses the dilemma they grappled with when they received a zip file from “Hacker Croll” containing hundreds of confidential corporate and personal documents of Twitter and Twitter employees.

There is clearly an ethical line here that we don’t want to cross, and the vast majority of these documents aren’t going to be published, at least by us. But a few of the documents have so much news value that we think it’s appropriate to publish them.

Marie Boran of Silicon Republic comments on the controversy about publishing the documents:

Plans to publish the stolen confidential corporate documents were met with some disapproval from Twitter users, some of whom labelled this action ‘going too far’, a ‘bad move’, and ‘wrong and unethical’.

In light of the recent scandal in the UK involving phone tapping by the press, this action by TechCrunch continues to raise questions on what role the media plays in the violation of privacy laws. Is this publishing in and of itself a criminal act? Where are the police with a court injunction to stop one firm publishing the stolen, private documents of another?



We're lawyers, we don't need to know nothing! Discusses social media as 'advertising'.

http://www.bespacific.com/mt/archives/021819.html

July 14, 2009

Five Things Lawyers Should Know About Social Media

Five Things Lawyers Should Know About Social Media: Lawyer, writer and blogger Nicole Black advises fellow professionals about important core techniques and goals to consider before jumping on the “social media” bandwagon.



Cyborg: part man, part machine. I don't think I'd want this on record anywhere. (I don't think their last paragraph has much basis in reality either.)

http://www.pogowasright.org/?p=1814

Anonymous web data can be personal data

July 14, 2009 by Dissent Filed under Featured Headlines, Internet, Non-U.S.

The Register has a story on a fascinating legal analysis by Chris Pounder of Amberhawk Training (report here, pdf) as to how identifying yourself as being the individual associated with a particular IP address might be used to force companies such as Google and Yahoo to treat your data as being under the UK Data Protection Act. According to the report:

This analysis is valid for countries where the national data protection legislation is based on the Data Protection Directive 95/45/EC or on the OECD Guidelines; Google’s privacy policy suggests that the analysis applies to it.

According to the report’s overview:

In outline, an individual user can, at any time, send an Internet service provider his name, address, time the service was used, and any relevant URL, reference number or IP address associated with that user session. If this information is sent, then the service provider possesses all the identifying information needed to link any related service data or profiling data derived from a user session to that individual. That individual has become unambiguously identifiable and any further processing of the personal data related to the user session will engage the usual data protection obligations.

As more and more users of a service send a service provider these details, there will become a threshold of user contact after which a service provider should assume that personal data are processed on ALL users of a service without the need for user identifying information to be sent. This is because the rate of user contact is such that a service provider can anticipate that he is likely to be sent the identifying information about an individual user.

Report: IP ADDRESSES, REFERENCE NUMBERS, URLs AND THE UK’s DATA PROTECTION ACT 1998



Failure to have a clear policy or failure to ensure employees understand the policy.

http://www.pogowasright.org/?p=1826

Employee sacked for smutty emails is reinstated

July 14, 2009 by Dissent Filed under Non-U.S., Workplace

A worker sacked for sending dozens of grubby emails has got his job back after successfully arguing that the correspondence was part of a wider work culture.

Philip Walker said a culture of sending emails “where the content was not likely to offend and was banter between colleagues” existed at his Safe Air workplace in Blenheim.

The Employment Relations Authority (ERA) found in Mr Walker’s favour, awarding him $1000 for “a loss of dignity and injury to his feelings” and ordering Safe Air to reinstate him.

Read more in The New Zealand Herald. There is some commentary on the case and its implications by an employment lawyer here.

If I apply the logic described, it seems that if a company does not make its policies clear to employees about appropriate use of its computer network or databases, it may be difficult to fire an employee for misuse. Just another reminder on the importance of ensuring that employees know and acknowledge privacy and security policies.




“I've been studying for my Psych test” takes on a whole new meaning...

http://yro.slashdot.org/story/09/07/14/1829231/Wikipedia-Debates-Rorschach-Censorship?from=rss

Wikipedia Debates Rorschach Censorship

Posted by kdawson on Tuesday July 14, @04:38PM from the guy-drawing-the-dirty-pictures dept. censorship internet

GigsVT writes

"Editors on Wikipedia are engaged in an epic battle over a few pieces of paper smeared with ink. The 10 inkblot images that form the classic Rorschach test have fallen into the public domain, and so including them on Wikipedia would seem to be a simple choice. However, some editors have cited the American Psychological Association's statement that exposure of the images to the public is an unethical act, since prior exposure to the images could render them ineffective as a psychological test. Is the censorship of material appropriate, when the public exposure to that material may render it useless?"



Tools & Techniques

http://www.makeuseof.com/tag/10-websites-for-free-mobile-phone-ringtones-other-mobile-downloads/

10 Websites For Free Mobile Phone Ringtones & Other Mobile Downloads

Jul. 14th, 2009 By Saikat Basu



Tools & Techniques: Crowdsourcing with source code. Could be used for other things...

http://ushahidi.com/

Ushahidi

Welcome to Ushahidi, which means “testimony” in Swahili, where we are building a platform that crowdsources crisis information, allowing anyone to submit crisis information through text messaging using a mobile phone, email or web form.
