Sep 2 2010

Cyber crooks steal nearly $1 million from University of Virginia

A theft of nearly $1 million from bank accounts of the University of Virginia’s College at Wise is being investigated by the FBI.

The agency – as per its official policy – does not confirm or deny that such an investigation is underway. The college’s media relations director refused to divulge any details but confirmed an internal investigation, and also mentioned that, as far as they can tell, no student data has been compromised.

Unofficial sources say that the cyber thieves managed to compromise a computer belonging to the university’s comptroller by infecting it with a data-stealing “virus”, which then forwarded them the online banking credentials for the accounts in question, reports Brian Krebs.

Once they were able to access the account, they initiated a single wire transfer of $996,000 to an account opened at the Agricultural Bank of China.

Source


Aug 9 2010

University of Michigan spinoff Arbor Networks sold to Tektronix Communications in major IT security deal

A Texas-based network security service provider and product manufacturer has reached an agreement to acquire Arbor Networks, an information technology security firm founded 10 years ago by two University of Michigan professors.

Arbor Networks, which was in the midst of an expansion in Ann Arbor, will be sold to Plano, Texas-based Tektronix Communications, a subsidiary of $12.2 billion Washington, D.C.-based conglomerate Danaher Corp. (NYSE: DHR), the companies announced today.

“Arbor Networks is ideally positioned to continue on its growth path by protecting the availability of networks and services around the world as the size, complexity and frequency of network security threats continues to grow,” Rich McBee, Danaher group executive, said in a statement. “Arbor Networks expands our portfolio of leading companies in the communications and enterprise markets.”

Terms of the deal were not immediately available. It’s expected to be finalized in September.

Arbor Networks, founded by U-M engineering professor Farnam Jahanian and then-doctoral student Rob Malan in 2000, is a major source of network security services.

The company, whose security software monitors traffic on more than 70 percent of the world’s Internet service providers, is based in Massachusetts. But the firm had 72 employees locally when it signed a 7-year lease for a 22,000-square-foot office at the South State Commons complex in Ann Arbor two years ago.

“We intend to grow and expand (in Ann Arbor) as part of Tektronix and Danaher,” Arbor spokesman Kevin Whalen said in an e-mail.

Arbor Networks officials said in January 2008 that the company would add 56 jobs over the next few years to its existing research-and-development operation in Ann Arbor.

That expansion was tied to a $193,200 tax abatement distributed by the city of Ann Arbor and a 10-year, $1.5 million tax credit awarded to the company by the Michigan Economic Development Corp.’s Michigan Economic Growth Authority board.

“This is a great fit for Arbor Networks employees and our customers,” Arbor CEO Colin Doherty said in a statement. “Tektronix Communications has significant presence in the global carrier market, a worldwide support infrastructure and a strong financial position.

This should help Arbor accelerate the delivery of infrastructure security solutions that are critical to the success of converged carrier network operators and next-generation data centers.”

Arbor, spawned by U-M’s software systems lab, is “a wonderful example of how the innovation economy can work when universities, government and entrepreneurs align behind great ideas and great technology,” Jahanian said in May in U-M’s University Record publication.

“The technology transfer program here was a highly effective link in facilitating the commercialization of technology for Arbor, demonstrating clearly how federally funded university research can result in a powerful engine for economic growth.”

The deal marks the third consecutive year in which a U-M startup company with a local presence has enjoyed a major acquisition.

In 2008, U-M health care software startup HealthMedia was sold to Johnson & Johnson, and in 2009 U-M medical devices startup HandyLab was sold for $275 million to Becton, Dickinson and Co. Both companies have maintained their local operations.

Source


Jul 17 2010

Virus infects data at OSU

Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus.

In a press release issued Wednesday, the university said its computer experts believe it is “highly unlikely that the virus put any of that information in the hands of unauthorized users.”

However, the release added, “records for many of those employed between 1999 and 2005 contained Social Security numbers as the ‘unique identifier’ in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.”

Jon Dolan, chief information security officer for OSU, said the university doesn’t want to unnecessarily alarm anyone.

“We really found no evidence of (information) being removed,” he said. The notification was the result of extra caution and to comply with the Oregon Consumer Identity Theft Protection Act.

“Since we can’t prove that (the data) wasn’t lost, we felt it was the best thing to do,” he said.

Letters explaining the situation, and what people can do to protect themselves from identity theft, were mailed out to affected employees Tuesday.

OSU was notified of the possible data breach on June 28 after an employee reported the anti-virus software on her computer was alerting her to a virus.

Dolan, who received a notification letter of his own, said Wednesday afternoon that only a few hotline calls had been received.

It is the first time the university has had this type of situation.

“We have never sent notifications on this scale,” Dolan said.

He only knew of two other similar incidents at the university. In one case, the data at risk had been collected by a student, and OSU assisted the student on how to notify affected people. In the other incident, two Social Security numbers were possibly exposed when a laptop was stolen.

Two years ago, hackers breached the computer system of the OSU Bookstore, which is a separate legal entity from OSU, and accessed credit card numbers, names and addresses. The store notified about 4,700 customers that their information may have been compromised.

Source


Jul 7 2010

UH computer breach may have compromised 53,000 people

More than 53,000 people who did business with the University of Hawaii at Manoa parking office’s database from 1998 to 2009 are being notified by mail that they may be affected by a computer security breach.

The FBI and Honolulu Police Department are investigating the breach that was discovered on June 15 during a routine audit. University officials say the unauthorized access to a computer server used by the Manoa parking office occurred on May 30.

Affected are 53,000 records, which included 41,000 Social Security numbers and 200 credit card numbers.

To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and past parking office databases, the university said.

The university said the main group of affected people included faculty and staff members employed in 1998; anyone who had business with the parking office between Jan. 1, 1998 and June 30, and who purchased parking permits, including staff of the East-West Center, UH Foundation, and Research Corporation of the University of Hawaii; and any campus visitor who had a vehicle towed or appealed a parking citation.

UH Manoa has also posted a list of frequently asked questions and answers on a website http://www.hawaii.edu/idalert/ . The questions and answers are re-printed below:

1. What happened?

A routine audit conducted on June 15, 2010, discovered unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?

Approximately 53,000 records were stored in the database. Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed. The database contained data on two main groups of individuals:

>> UH Manoa faculty and staff members employed in 1998.

>> Anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009. This includes:

>> Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawaii.

>> Any campus visitor who had a vehicle towed or appealed a parking citation.

3. What information was in the compromised database?

The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information. Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?

At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?

A forensic computer expert has been retained to further investigate this matter. The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

6. What is the campus doing to prevent future security breaches?

Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

7. How will affected individuals be notified?

Letters to affected individuals were mailed on Saturday and should be received starting today. In addition, an e-mail notice will be sent to affected individuals at their most recent e-mail address on record.

8. What should affected individuals know and do?

Carefully monitor your financial information and take protective measures against identity theft, which include:

>> Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreport.com or by calling 877-322-8228.

>> Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.

>> Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of fraud alert or freeze. Please know that we are making every effort to ensure that this incident does not recur.

9. If I did not receive a notification letter, does that mean my information was not in the compromised database?

Not necessarily. The campus has been collecting addresses of affected individuals, but not all addresses could be located, predominantly those of visitors to the campus who either appealed parking citations or who had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009.

10. How can I get more information?

On weekdays between the hours of 8:00 a.m. and 4:30 p.m., call (808) 956-6000, or go to the webpage at http://www.hawaii.edu/idalert/. Updates will be posted as new information becomes available.

Source


Jun 30 2010

UM Counseling Center servers hacked

University of Maine police are investigating the breach of two UMaine computer servers holding the names, Social Security numbers, and clinical information of students who attended the university’s Counseling Center from Aug. 8, 2002 to June 21 of this year.

According to a university press release, data linked to approximately 4,585 students, four to five percent of UMaine students over that time period, was exposed.

Dean of Students Robert Dana said at a Tuesday news conference there was “no indication” that data was viewed or downloaded from the servers, but officials are preparing for a worst-case scenario.

“This is an insidious affront to the rightful privacy expectations of our students,” Dana said. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. Because of this, we are engaging all possible resources to find the source of these attacks.”

Dana said colleges and universities are “prime targets” for hackers because of large bandwidth and high-speed connections.

Robotic computers, he said, make “literally thousands of attempts per day” on UMaine’s vast computer network, but safeguards, such as firewalls and alert systems, usually hold.

“It’s the Wild West out there and every day a new approach is invented to help control the frontier,” Dana said.

He said the first breach happened as early as March 4. Once the hacker gained access to the second computer, a second server, which carries the active version of the center’s 2002-2010 database, was compromised.

The police investigation started June 16, according to a news release, after Counseling Center staff reported trouble accessing files. The UMaine police are working with the U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service.

“In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions,” Dana said.

The university is now working on a customized letter to each person in the database. The letter will detail how to access services from Debix, a credit-monitoring company hired by the university, according to the press release.

For at least the next year, the company will look for signs of identity theft in each affected person’s credit. They will provide immediate alerts if suspicious activity is detected and offer insurance against identity theft.

The company’s services will be provided by the university at no cost to affected individuals. Dana said the cost to UMaine would be in the “multi-thousands of dollars.”

Det. Sgt. William Flagg from the UMaine police, who is conducting the investigation along with Internet crime expert Officer Bill Mitchell, said the potentially anonymous nature of these crimes makes finding a specific suspect very difficult.

“This is not an investigation that is going to be measured in days or weeks. It will be measured in months,” Flagg said.

In the press release, the university said any student, current or former, who visited the Counseling Center since Aug. 8, 2002 should assume they are affected. Information on the breach and how to receive services is available at http://umaine.edu/informationcenter/.

Source


Jun 8 2010

Crooks siphon $644,000 from school district’s bank account

New York City’s Department of Education was defrauded out of more than $644,000 by hackers who targeted an electronic bank account used to manage petty cash expenditures, investigators said.

The DOE’s small item payment process account at JPMorgan Chase was supposed to be limited to purchases of less than $500, but an oversight by officials allowed electronic transfers of any amount, according to investigators who probed the theft. The crooks were able to perpetrate the scam for more than three years because education officials didn’t bother to reconcile account statements on a regular basis.

“It is difficult to understand how the DOE accumulated years of account statements, reflecting hundreds of thousands of public dollars spent to pay bills, but did not review them,” the report, which was written by Special Commissioner of Investigation for the New York City School District, stated. “A cursory examination would have shown that the charges were not normal school expenses.”

The individual who headed the theft was Albert Attoh, who in April was sentenced to 364 days in federal prison after pleading guilty to Bank Larceny. He was also ordered to pay more than $275,000 in restitution and be on probation for two years following his release.

According to the report, Attoh provided the account and routing information to others so they could use it to pay student loans and invoices for purchases at Home Depot and other retail outlets. In return, Attoh demanded cash payments. Because DOE officials failed to block the use of electronic transfers, the account was wide open. All that was required was the account number and the bank routing number.

The scheme started in October 2003 and only came to the attention of officials in February 2007 when Chase received a tip that someone was trying to pay bills using the DOE account. In all, $644,313.69 was stolen, but $128,228.49 was eventually recovered. A PDF of the report is here.

Source


May 3 2010

NIST will coordinate national cybersecurity education program

The National Institute of Standards and Technology will coordinate a nationwide cybersecurity education program recently started by the Obama administration.

Commerce Secretary Gary Locke said April 29 that NIST, part of the Commerce Department, would coordinate the administration’s National Initiative for Cybersecurity Education (NICE). In that role, the institute will work with agencies to lead programs to bolster cybersecurity awareness, education and training, Locke said.

The administration’s new program expands from a federal to a national focus the cybersecurity education programs started under the Comprehensive National Cybersecurity Initiative, the administration said in a document describing NICE. The administration said the decision to expand the government’s computer security education program and make NIST its overall coordinator is in response to the White House’s review of cyberspace policy, released in May 2009.

Source


Apr 27 2010

DHS/FEMA State Cybersecurity Training Program

The Adaptive Cyber-Security Training Online (ACT-Online) courses are now available on the TEEX Domestic Preparedness Campus. This DHS/FEMA Certified Cyber Security Training is designed to ensure that the privacy, reliability, and integrity of the information systems that power our global economy remain intact and secure.

The 10 courses are offered through three discipline-specific tracks targeting everyday non-technical computer users, technical IT professionals, and business managers and professionals.

These courses are offered at no cost and students earn a DHS/FEMA Certificate of completion along with Continuing Education Units (CEU) at the completion of each course.

Source


Apr 25 2010

How young upstarts can get their big security break in 6 steps

If you’re young, breaking into the security industry can be hell.

Companies have either suffered a data security breach or live in fear of one. So when they’re hiring new IT security personnel, they want years of experience. If you’re fresh out of college, that’s a problem.

Another problem is that security practitioners are control freaks by nature. They have to be, if you stop and think about it. They have a huge responsibility, and delegating some of the work to younger pups is a lot to expect.

But here’s the problem: The future of information security is in the hands of the youth. That may seem a clichéd statement; so obvious it sounds stupid. But it’s a fact.

This column isn’t an invitation for young upstarts to cry and lament about the disadvantages they have. Instead, it’s about a few things you can do to break through and make it in the industry. Think of it as suggestions for becoming a security rock star, which you almost have to be to make a difference these days.

This morning I’m at Security B-Sides Boston, listening to a talk from someone who is fighting this battle right now. Joseph Sokoly, a security analyst at NetBoundary, recently gave a talk at the Austin, Texas B-Sides event about the troubles of being young in the security industry. This time, he’s in Boston giving an update on where his career trajectory has taken him in the weeks since then.

He has found that breaking into the security community is not nearly as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his talk. “Giving the talk in Austin helped me tremendously,” Sokoly said. “It has opened doors. My being here is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again.”

His Austin talk has also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with this summer’s B-Sides Las Vegas event.

“Being proactive works. Put yourself out there and things will open up, but speaking doesn’t have to be it. Use Twitter. Start blogging,” Sokoly said. He’s absolutely right.

His suggestion that young security practitioners speak up and force others to take notice isn’t a new concept. But it’s advice that too few people take.

Instead, prospective employees try to let their raw technical ability do the talking. They get so bogged down on the technical that they ignore the cultural. It’s unfair to be frozen out, especially if your skills are well above someone who gets the job simply because they’ve been kicking around as employed security practitioners for five or more years. In other words, because they’ve simply managed to survive.

But life is always going to be unfair, so it’s better to focus on ways to get ahead. In that spirit, here are some suggestions, which I’ve admittedly borrowed from Sokoly. Call this imitation that’s meant to be a form of flattery, because what he said makes sense.

1. Learn how to write: Like it or not, writing is part of your job in the information age. You can’t make a difference simply by knowing how to configure a NAC system or do penetration testing. You have to be able to tell colleagues, bosses and business partners what you are doing, in their language. You’ll have to do this in board presentations and in reports. And if you really want to make a difference, you can share your experience by blogging. That gets you noticed, and in many cases will get you hired.

2. Learn how to talk: The days of a security administrator holing up in a dark room shut off from the outside world are over. You have to be able to articulate what you’re trying to do in the spoken world. This isn’t just about learning how to be a good public speaker, though that is of high value. Learning to talk means learning to speak the language of those who decide how much budget you get for security or who gets hired.

3. Learn how to dress: This might sound weird, because most practitioners will dress according to the requirements of their employer. That could mean suit and tie, business casual, or something in between. But then there are times to dress to match the crowd you are in, particularly at security conferences. Business attire won’t help you network in a crowd of hackers at ShmooCon or DEFCON. Dressing like a punk rocker won’t cut it at a more C-level event.

4. Master social networking: You can be shy as can be and still be heard thanks to the world of social networking. Set yourself up on Twitter, Facebook and LinkedIn and share what you know. If you know what you’re talking about, people will follow you, including prospective employers.

5. Learn to work with suits AND mohawks: One of the problems in security today is that the profession is split into two groups who don’t communicate well: The executive-level suit and tie CSOs working for billion-dollar corporations or high-level government agencies, and the torn jeans-wearing, ear-pierced researchers. You can see the cultural chasm clearly when you go to a conference like ShmooCon and then something like CSO Perspectives. If you work on being able to communicate and work in both crowds, your stock will rise considerably.

6. Get to conferences: This one is easier said than done, because conferences cost money that you may not have. There are ways around that. Some companies will send interns to security events to get some real-world experience. If you blog, some conferences will give you a free press pass so long as you write about the conference in your blog. Then there are events like B-Sides, which is free and ongoing around the country. These events are full of knowledge. But just as importantly, these are places to meet people. The more people you meet, the more you know, and the more you know, the better your career prospects.

None of this is scientific advice, backed up with statistics and other data. It’s my personal observation as a security journalist. I hope it helps.

Source


Apr 23 2010

NSA’s boot camp for cyberdefense

If you’re the kind of person who worries about the security of computer networks, you should know that the National Security Agency is worrying about it too.

Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense Exercise, a competition that pits students from a series of military academies against each other – and against the competition’s leaders at NSA – in a bid to see who has the best cyberdefense skills. The idea? To “build and defend computer networks against simulated intrusions by the National Security Agency/Central Security Services Red Team.”

The competition will last until Friday when that Red team, or “red cell,” as it’s known, will cease its attacks on the students’ newly-built networks. The goal is to help the students learn about the topic of Information Assurance, and how it is used to protect the most vital information systems in the United States and Canada. As they work, the students must defend their networks and offer up consistent reports on what they’re doing and on the attacks they’re identifying.

This year, eight academies are competing: the United States Military Academy (West Point); the United States Naval Academy; the United States Air Force Academy; the United States Coast Guard Academy; the United States Merchant Marine Academy; the Naval Postgraduate School; the Air Force Institute of Technology; and the Royal Military College of Canada.

The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and during the four days of the competition, NSA and U.S. Department of Defense personnel are acting as evaluators – even as the NSA’s red team challenges the students with constant network attacks, all of which must be “publicly-available, well-documented vulnerabilities.” The competition takes place on a closed network that does not access the Internet.

At the Air Force Academy, one of the instructors helping the students learn how to construct cyberdefenses – and prepare for the NSA’s exercise – is Air Force Capt. Michael Henson. He agreed to answer some questions from CNET about the competition, which has been won by West Point for the last three years. However, the Air Force Academy won in 2006, and Henson surely believes that his charges will take the crown in 2010.

Source