Compromise of a contractor's computer
system almost a year ago. What do you bet there will be no
consequences to the contractor...
Computer security breach at Serco affects 123,000 Thrift Savings Plan participants
May 25, 2012 by admin
Hazel Bradford reports:
A cyber attack on
a computer of a contractor for the $313 billion Thrift Savings Plan,
Washington, could have compromised account information for about
123,000 plan participants, the Federal Retirement Thrift Investment
Board, which oversees the plan, announced Friday.
The attack was
made on a computer at Serco Inc., a contractor helping to update
TSP’s disbursement system software, and was first
detected by the FBI in April. [See below Bob]
Serco and the
board performed a forensic analysis to see which TSP account holders
were affected, concluding that 43,587 participants had personal
information including Social Security numbers potentially
compromised, and another 80,000 may have had their Social Security
numbers accessed from the Serco computer. Those participants are
being notified in letters mailed on Friday.
Read more on Pensions
& Investments.
A statement
posted on Serco’s site today says:
Serco Inc., a
provider of professional, technology, and management services,
announced today that one of its computers used in support of the
Federal Retirement Thrift Investment Board (FRTIB) was subjected to a
sophisticated cyber attack.
There is no
evidence of any funds being diverted or identity theft resulting from
the incident. An extensive forensic analysis of the data also shows
no indication that the
TSP network, which supports TSP’s 4.5 million
participants, was
subjected to unauthorized access.
In April 2012, the
Federal Bureau of Investigation (FBI) informed Serco that one of its
computers used in support of the FRTIB was subjected to unauthorized
access. The FRTIB and Serco acted quickly and decisively to further
investigate the incident, take additional steps to protect the
integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues
to be a safe and secure retirement plan for federal employees.
FRTIB and Serco
performed forensic analysis to determine which TSP participants and
payees were possibly affected and the extent of the possible
compromise of data. Steps taken included an immediate shut down of
the compromised computer, launch of a task force involving both Serco
and FRTIB senior executives to focus all capabilities and resources
in a coordinated system-wide review of the protection of data, and
fortification of the security systems.
… The FBI
supplied data to Serco and the FRTIB that required
extensive IT security expert analysis in order to determine which TSP
members were potentially affected. [Suggests they had no record of
the data stored on that computer? Bob] The analysis
required opening and reviewing thousands of files in order to
determine what personal information might be at risk and the identity
of the potentially affected individuals, as well as taking further
actions to determine the scope of the incident.
This incident fits
with the increasing number of cyber attacks in which the goal of
those seeking unauthorized access does not appear to include identity
theft or financial misappropriation. [They have no
idea what the hacker's motivation was Bob]
Not surprisingly, it doesn’t really
say anything about the attack itself, nor when the attack occurred.
At some point, Serco will need to explain why it
didn’t detect the attack via its own measures or audits if
it didn’t prevent it.
Update: MyFox
Detroit has some additional details, including a statement that
the attack occurred last
July.
Another “third party” compromise?
If it was the VISA network, this is gonna be HUGE!
Was it or wasn’t it hacked: conflicting reports on a possible bank hack
May 25, 2012 by admin
WNYF reports:
The accounts of
hundreds of Community Bank customers may have been compromised in an
apparent identity theft attempt involving debit cards.
State police
investigators tell 7 News that a database used by
the bank was apparently hacked into earlier this month
with personal account information of numerous north country customer
accounts obtained.
The bank’s
public relations firm denies that Community Bank’s computer systems
were compromised.
Read more on WNYF.
Guess we’ll have to wait for more
info on this one as they both can’t be right, can they?
[From the article:
Pat Spadafore of Eric Mower &
Associates, acting as a spokesman for Community Bank, tells 7 News in
an e-mail that the VISA debit card network was
apparently compromised.
I have absolutely no pity for managers
who can't even get the basics right.
"A fortnight ago the Bitcoin
financial website Bitcoinica was hacked and the
hacker stole $87,000 worth of Bitcoins. At the time the owner
promised that all users would have their Bitcoins and US dollars
returned in full, but one of the site developers has just confirmed
that they
have no database backups and are having difficulty figuring out
what everyone's account balance should actually be. A failure of
epic proportions for a site holding such large amounts of money."
Anything new?
May 24, 2012
Disappearing Phone Booths - Privacy in the Digital Age
- "I will...explain why the confluence of at least four circumstances – (1) digital ubiquity, (2) the increasing number of parties that take part in our daily transactions, (3) the commodification and monetization of data, (4) and woefully out-of-date privacy laws – creates something of a perfect storm, leaving us as a nation poorly equipped, in our present state, to preserve any measure of a right to privacy. That is to say, I will be arguing that technology and policy both play powerful roles in framing what is possible and how we live our lives, and that changes in technology must be accompanied by changes to policy."
Tools for Privacy advocates?
CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law
The European “Directive
on Privacy and Electronic Communications” that regulates the
ways websites can track users, is coming to sites which serve
European users, which covers plenty out there. The
Directive requires that sites disclose the use of cookies on their
site and allows visitors to opt-in to their use. It could
be an immediate turn-off for users, but it’s here to stay. On
Saturday, May 26, the UK implements the first phase of the law, so
website owners are scrambling to ensure they are in compliance
(assuming they even know about it). As we’ve said before, we think
it’s dumb
and will make it much
harder on European startups.
Before you build a huge national biometric database...
"The iris scanners that are
used to police immigration in some countries, like the UK, are based
on the premise that your irises don't change over your lifetime. But
it seems that assumption is wrong. Researchers from the University
of Notre Dame have found that irises
do indeed change over time, enough so that the failure rate jumps
by 153% over three years. While that means a rise from just 1 in 2
million to 2.5 in two million, imagine how that will affect a system
like India's — which already has 200 million people enrolled —
over 10 years."
Is this an indication that teachers are
unable to accurately record attendance? More likely, they hope
students give their “chips” to classmates when they are going to
miss school so the school can count them for “attendance related
funds.” See, it's not about the students, it's about the money!
Texas schools expand RFID chipping of students
May 25, 2012 by Dissent
Back in October 2010, I commented
on a news report out of Houston on the use of RFID tags with
students. Yesterday, Francisco Vara-Orta reported
on the situation in San Antonio.
As I anticipated when I wrote, “the students’ RFID tag will
register them as ‘in school’ and track their location throughout
the day so that the district can get all of its attendance-related
funds from the state,” that appears to be precisely the motivation
in San Antonio.
Here’s the kicker:
Texas Education
Agency spokeswoman DeEtta Culbertson said no state law or policy
regulates the use of such devices and the decision is up to local
districts.
It might behoove the state to come up
with some guidelines or regulations about where such tracking cannot
be used and for how long data can be retained…. or whether it can
be shared.
And if RFID tagging is
used for attendance monitoring, does that make it part of the
student’s education record subject to FERPA??
An interesting expansion of liability.
Would a smarter lawyer have tried for “conspiracy”?
"After mowing down a
motorcycling couple while distracted by texting, Kyle Best received a
slap on the wrist. The couple's attorney then sued Best's
girlfriend, Shannon Colonna, for exchanging messages with him when he
was driving. They argued that while she was
not physically present, she was 'electronically present.'
In good news for anyone who sends server-status or account alerts, or
originates a call, text or email of any type that could be received
by a mobile device, the
judge dismissed the plaintiff's claims against the woman."
Interesting. I wonder if Colorado has
a secret court? (Should we really believe that defense lawyers have
never heard of this?)
Washington lawyers challenge secret court proceedings
May 25, 2012 by Dissent
Gene Johnson reports:
A defense lawyer
in Eastern Washington was reading a detective’s statement in his
client’s drug case when he came across a curious line. In asking
to search the man’s house and cars, the detective revealed that he
had already seen the defendant’s bank records.
That’s odd,
thought the lawyer, Robert Thompson of Pasco. There’s no search
warrant for the bank records. How’d he get them?
The answer —
with a subpoena secretly issued by a judge — provides a window into
the little-known use of “special inquiry judge proceedings” in
Benton County and across the state. Prosecutors who use them say the
proceedings are authorized by state law, make for more efficient
investigations and have plenty of judicial oversight, but Thompson
and other defense attorneys say they raise questions about privacy,
accountability and the open administration of justice.
Read more on Seattle
PI.
[From the article:
The proceedings, created by the
Legislature in 1971, function as grand juries without
the grand jury: At the request of a prosecutor, a judge
can secretly hear from witnesses, review evidence or issue subpoenas
based on a reasonable belief that someone "may be able" to
provide testimony or evidence.
… Witnesses can be compelled to
testify, but are immune from prosecution for what they say —
important in complex public corruption or organized crime
investigations. If no charges are ever filed, no one aside from
those involved ever learns the proceedings occurred.
Managers: monitor your IT environment!
Spiceworks Eyes Skunkworks, Keeps Tabs on Cloud
Bring-your-own-device (BYOD) may be the
concern du jour — what with employees’ devices running any old
app they please — but what about the cloud creep into the workplace
via that skunkworks project?
… With Spiceworks 6.0, IT pros can
automatically scan their networks for more than 40 popular cloud
services “to see exactly which cloud services are in use and by whom,
providing an extra layer of control over sensitive resources,” the
company said in a press
release on Thursday.
For my Computer Security students
… Sure, your files may be encrypted
in transit and on the cloud provider’s servers, but the cloud
storage company can decrypt them — and anyone that gets access to
your account can view the files. Client-side encryption is an
essential way to protect your important data without giving up on
cloud storage.
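The distinction the excerpt draws is where the key lives: with provider-side encryption the provider holds it, so the provider (or anyone holding your account password) can read the files; with client-side encryption only ciphertext ever leaves your machine. The following Go program is an added example for students, not code from the article or from any cloud provider; it assumes AES-256-GCM with a key generated and kept on the client, and the object name is bound in as associated data (a design choice made here, not something the excerpt describes) so a stored ciphertext cannot be quietly swapped under a different file name.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the cloud provider ever stores: a nonce and the
// ciphertext (which carries the GCM authentication tag). The key is
// never part of it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a fresh 256-bit key on the client. In practice it
// would live in the OS keychain or be derived from a passphrase; it is
// never uploaded alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. objectName is authenticated as
// associated data, so the ciphertext only opens under the same name.
func Seal(key, plaintext []byte, objectName string) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return &Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts after download. Any change to nonce, ciphertext, tag or
// object name makes the authentication check fail and returns an error.
func Open(key []byte, env *Envelope, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has wrong nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}

// ProviderCanRead models the provider's view: it can recover the file
// contents only if the bytes it stores still contain the plaintext.
func ProviderCanRead(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; nothing here is real data.
	doc := []byte("constructed sample: 2011 tax return, SSN 000-00-0000")
	env, err := Seal(key, doc, "taxes-2011.pdf")
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can read the file:", ProviderCanRead(env.Ciphertext, doc))
	back, err := Open(key, env, "taxes-2011.pdf")
	fmt.Printf("client decrypts: %q (err=%v)\n", back, err)
	// Tampering with a single stored byte is detected on download.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, env, "taxes-2011.pdf")
	fmt.Println("tampered object opens:", err == nil)
}
```

Run it with `go run .`; the first line prints `false`, the decrypted text matches the input, and the tampered copy fails to open. The limitation students should notice is the flip side of the excerpt's point: because the provider cannot decrypt, losing the key loses the data, so key backup becomes the user's problem.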
For my “smartphone enabled”
students, who, as it happens, are most of them.
TinyVox takes a retro tape recorder and
turns it into a digital format app for the very popular devices, iOS
and Android. The app can be quickly used to make notes, record
quotes from a friend or just make an audio log to share and promote
with your friends.
Similar tools: SaveMeeting
and NoteRec.
A techno-sea change?
"Dallas Mavericks owner and
media entrepreneur Mark Cuban thinks he knows the reason for
Facebook's
disappointing IPO; smart money has
realized that 'mobile
is going to crush Facebook', as the world's
population increasingly accesses the Internet mostly through
smartphones and tablets. Cuban notes that the limited screen real
estate hampers the branding and ad placement that Google and Facebook
are accustomed to when serving to desktop browsers, while phone plans
typically have strict data limits, so subscribers won't necessarily
take kindly to YouTube or other video ads. Forbes' Eric Jackson
likewise sees a
generational shift to mobile that will produce a new set of
winners at
the expense of Facebook and Google."
I want one!
Microsoft to Offer 80-Inch Windows 8 Tablets for Offices
“Steve Ballmer has an 80-inch Windows
8 tablet in his office. He’s got rid of his phone, he’s got rid
of his note paper. It’s touch-enabled and it’s hung on his
wall.”