In a press release issued Wednesday, the university said its computer experts believe it is “highly unlikely that the virus put any of that information in the hands of unauthorized users.”

However, the release added, “records for many of those employed between 1999 and 2005 contained Social Security numbers as the ‘unique identifier’ in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.”
Jon Dolan, chief information security officer for OSU, said the university doesn’t want to unnecessarily alarm anyone.

“We really found no evidence of (information) being removed,” he said. The notification was the result of extra caution and to comply with the Oregon Consumer Identity Theft Protection Act.

“Since we can’t prove that (the data) wasn’t lost, we felt it was the best thing to do,” he said.

Letters explaining the situation, and what people can do to protect themselves from identity theft, were mailed out to affected employees Tuesday.

OSU was notified of the possible data breach on June 28 after an employee reported the anti-virus software on her computer was alerting her to a virus.

Dolan, who received a notification letter of his own, said Wednesday afternoon that only a few hotline calls had been received.
It is the first time the university has had this type of situation.

“We have never sent notifications on this scale,” Dolan said.

He only knew of two other similar incidents at the university. In one case, the data at risk had been collected by a student, and OSU assisted the student on how to notify affected people. In the other incident, two Social Security numbers were possibly exposed when a laptop was stolen.

Two years ago, hackers breached the computer system of the OSU Bookstore, which is a separate legal entity from OSU, and accessed credit card numbers, names and addresses. The store contacted about 4,700 customers that their information may have been compromised.

Source

The FBI and Honolulu Police Department are investigating the breach that was discovered on June 15 during a routine audit. University officials say the unauthorized access to a computer server used by the Manoa parking office occurred on May 30.

Affected are 53,000 records, which included 41,000 Social Security numbers and 200 credit card numbers.

To protect personal information from further unauthorized access, social security numbers are no longer used for parking transactions, and are being purged from all current and past parking office databases, the university said.

The university said the main group of affected people included faculty and staff members employed in 1998; anyone who had business with the parking office between Jan. 1, 1998 to June 30, and who purchased parking permits, including staff of the East-West Center, UH Foundation, and Research Corporation of the University of Hawaii; and any campus visitor who had a vehicle towed or appealed a parking citation.

UH Manoa has also posted a list of frequently asked questions and answers on a website http://www.hawaii.edu/idalert/ . The questions and answers are re-printed below:

1. What happened?

A routine audit conducted on June 15, 2010, discovered unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?

Approximately 53,000 records were stored in the database. Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed. The database contained data on two main groups of individuals:

>>UH Manoa faculty and staff member employed in 1998.

>> Anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009. This includes:

>> Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawaii.

>>Any campus visitor who had a vehicle towed or appealed a parking citation.

3. What information was in the compromised database?

The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information. Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?

At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?

A forensic computer expert has been retained to further investigate this matter. The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

6. What is the campus doing to prevent future security breaches?

Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

7. How will affected individuals be notified?

Letters to affected individuals were mailed on Saturday and should be received starting today. In addition, an e-mail notice will be sent to affected individuals at their most recent e-mail address on record.

8. What should affected individuals know and do?

Carefully monitor your financial information and take protective measures against identity theft, which include:

>>Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreport.com or by calling 877-322-8228.

>>Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.

>>Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of fraud alert or freeze. Please know that we are making every effort to ensure that this incident does not recur.

9. If I did not receive a notification letter, does that mean my information was not in the compromised database?

Not necessarily. The campus has been collecting addresses of affected individuals, but not all addresses could be located predominantly visitors to the campus who either appealed parking citations or who had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009.

10. How can I get more information?

On weekdays between the hours of 8:00 a.m. to 4:30 p.m., call (808) 956-6000, or go to the webpage at http://www.hawaii.edu/idalert/. Updates will be posted as new information becomes available.

Source

According to a university press release, data linked to approximately 4,585 students, four to five percent of UMaine students over that time period, was exposed.

Dean of Students Robert Dana said at a Tuesday news conference there was “no indication” that data was viewed or downloaded from the servers, but officials are preparing for a worst-case scenario.

“This is an insidious affront to the rightful privacy expectations of our students,” Dana said. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. Because of this, we are engaging all possible resources to find the source of these attacks.”

Dana said colleges and universities are “prime targets” for hackers because of large bandwidth and high-speed connections.

Robotic computers, he said, make “literally thousands of attempts per day” on UMaine’s vast computer network, but safeguards, such as firewalls and alert systems, usually hold.

“It’s the Wild West out there and every day a new approach is invented to help control the frontier,” Dana said.

He said the first breach happened as early as March 4. Once the hacker gained access to the second computer, a second server, which carries the active version of the center’s 2002-2010 database, was compromised.

The police investigation started June 16, according to news release, after Counseling Center staff reported trouble accessing files. The UMaine police are working with the U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service.

“In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions,” Dana said.

The university is now working on a customized letter to each person in the database. The letter will detail how to access services from Debix, a credit-monitoring company hired by the university, according to the press release.

For at least the next year, the company will look for signs of identity theft in each affected person’s credit. They will provide immediate alerts if suspicious activity is detected and offer insurance against identity theft.

The company’s services will be provided by the university at no cost to affected individuals. Dana said the cost to UMaine would be in the “multi-thousands of dollars.”

Det. Sgt. William Flagg from the UMaine police, who is conducting the investigation along with Internet crime expert Officer Bill Mitchell, said the potentially anonymous nature of these crimes makes finding a specific suspect very difficult.

“This is not an investigation that is going to be measured in days or weeks. It will be measured in months,” Flagg said.

In the press release, the university said any student, current or former, who visited the Counseling Center since Aug. 8, 2002 should assume they are affected. Information on the breach and how to receive services is available at http://umaine.edu/informationcenter/.

Source

The DOE’s small item payment process account at JPMorgan Chase was supposed to be limited to purchases of less than $500, but an oversight by officials allowed electronic transfers of any amount, according to investigators who probed the theft. The crooks were able to perpetrate the scam for more than three years because education officials didn’t bother to reconcile account statements on a regular basis.

“It is difficult to understand how the DOE accumulated years of account statements, reflecting hundreds of thousands of public dollars spent to pay bills, but did not review them,” the report, which was written by Special Commissioner of Investigation for the New York City School District, stated. “A cursory examination would have shown that the charges were not normal school expenses.”

The individual who headed the theft was Albert Attoh, who in April was sentenced to 364 days in federal prison after pleading guilty to Bank Larceny. He was also ordered to pay more than $275,000 in restitution and be on probation for two years following his release.

According to the report, Attoh provided the account and routing information to others so they could use it to pay student loans and invoices for purchases at Home Depot and other retail outlets. In return, Attoh demanded cash payments. Because DOE officials failed to block the use of electronic transfers, the account was wide open. All that was required what the account number and the bank routing number.

The scheme started in October 2003 and only came to the attention of officials in February 2007 when Chase received a tip that someone was trying to pay bills using the DOE account. In all, $644,313.69 was stolen, but $128,228.49 was eventually recovered. A PDF of the report is here.

Source

Commerce Secretary Gary Locke said April 29 that NIST, part of the Commerce Department, would coordinate the administration’s National Initiative for Cybersecurity Education (NICE). In that role, the institute will work with agencies to lead programs to bolster cybersecurity awareness, education and training, Locke said.

The administration’s new program expands from a federal to a national focus the cybersecurity education programs started under the Comprehensive National Cybersecurity Initiative, the administration said in a document describing NICE. The administration said the decision to expand the government’s computer security education program and make NIST its overall coordinator is in response to the White House’s review of cyberspace policy, released in May 2009.

Source

The 10 courses are offered through three discipline specific tracks targeting everyday non-technical computer users, technical IT professionals, and business managers and professionals.

These courses are offered at no cost and students earn a DHS/FEMA Certificate of completion along with Continuing Education Units (CEU) at the completion of each course.

Source

Companies have either suffered a data security breach or live in fear of one. So when they’re hiring new IT security personnel, they want years of experience. If you’re fresh out of college, that’s a problem.

Another problem is that security practitioners are control freaks by nature. They have to be, if you stop and think about it. They have a huge responsibility, and delegating some of the work to younger pups is a lot to expect.

But here’s the problem: The future of information security is in the hands of the youth. That may seem a clichéd statement; so obvious it sounds stupid. But it’s a fact.

This column isn’t an invitation for young upstarts to cry and lament about the disadvantages they have. Instead, it’s about a few things you can do to break through and make it in the industry. Think of it as suggestions for becoming a security rock star, which you almost have to be to make a difference these days.

This morning I’m at Security B-Sides Boston, listening to a talk from someone who is fighting this battle right now. Joseph Sokoly, a security analyst at NetBoundary, recently gave a talk at the Austin, Texas B-Sides event about the troubles of being young in the security industry. This time, he’s in Boston giving an update on where his career trajectory has taken him in the weeks since then.

He has found that breaking into the security community is not nearly as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his talk. “Giving the talk in Austin helped me tremendously,” Sokoly said. “It has opened doors. My being here is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again.”

His Austin talk has also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with this summer’s B-Sides Las Vegas event.

“Being proactive works. Put yourself out there and things will open up, but speaking doesn’t have to be it. Use Twitter. Start blogging,” Sokoly said. He’s absolutely right.

His suggestion young security practitioners speak up and force others to take notice isn’t a new concept. But it’s advice that too few people take.

Instead, prospective employees try to let their raw technical ability do the talking. They get so bogged down on the technical that they ignore the cultural. It’s unfair to be frozen out, especially if you’re skills are well above someone who gets the job simply because they’ve been kicking around as employed security practitioners for five or more years. In other words, because they’ve simply managed to survive.

But life is always going to be unfair, so it’s better to focus on ways to get ahead. In that spirit, here are some suggestions, which I’ve admittedly borrowed from Sokoly. Call this imitation that’s meant to be a form of flattery, because what he said makes sense.

1. Learn how to write: Like it or not, writing is part of your job in the information age. You can’t make a difference simply by knowing how to configure a NAC system or do penetration testing. You have to be able to tell colleagues, bosses and business partners what you are doing, in their language. You’ll have to do this in board presentations and in reports. And if you really want to make a difference, you can share your experience by blogging. That gets you noticed, and in many cases will get you hired.

2. Learn How to Talk: The days of a security administrator holing up in a dark room shut off from the outside world is over. You have to be able to articulate what you’re trying to do in the spoken world. This isn’t just about learning how to be a good public speaker, though that is of high value. Learning to talk means learning to speak the language of those who decide how much budget you get for security or who gets hired.

3. Learn how to dress: This might sound weird, because most practitioners will dress according to the requirements of their employer. That could mean suit and tie, business casual, or something in between. But then there are times to dress to match the crowd you are in, particularly at security conferences. Business attire won’t help you network in a crowd of hackers at ShmooCon or DEFCON. Dressing like a punk rocker won’t cut it at a more C-level event.

4. Master social networking: You can be shy as can be and still be heard thanks to the world of social networking. Set yourself up on Twitter, Facebook and LinkedIn and share what you know. If you know what you’re talking about, people will follow you, including prospective employers.

5. Learn to work with suits AND mohawks: One of the problems in security today is that the profession is split into two groups who don’t communicate well: The executive-level suit and tie CSOs working for billion-dollar corporations or high-level government agencies, and the torn jeans-wearing, ear-pierced researchers. You can see the cultural chasm clearly when you go to a conference like ShmooCon and then something like CSO Perspectives. If you work on being able to communicate and work in both crowds, your stock will rise considerably.

6. Get to conferences: This one is easier said than done, because conferences cost money that you may not have. There are ways around that. Some companies will send interns to security events to get some real-world experience. If you blog, some conferences will give you a free press pass so long as you write about the conference in your blog. Then there are events like B-Sides, which is free and ongoing around the country. These events are full of knowledge. But just as importantly, these are places to meet people. The more people you meet, the more you know, and the more you know, the better your career prospects.

None of this is scientific advice, backed up with statistics and other data. It’s my personal observation as a security journalist. I hope it helps.

Source

Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense Exercise, a competition that pits students from a series of military academies against each other–and against the competition’s leaders at NSA–in a bid to see who has the best cyberdefense skills. The idea? To “build and defend computer networks against simulated intrusions by the National Security Agency/Central Security Services Red Team.”

The competition will last until Friday when that Red team, or “red cell,” as it’s known, will cease its attacks on the students’ newly-built networks. The goal is to help the students learn about the topic of Information Assurance, and how it is used to protect the most vital information systems in the United States and Canada. As they work, the students must defend their networks and offer up consistent reports on what they’re doing and on the attacks they’re identifying.

This year, eight academies are competing: the United States Military Academy (West Point); the United States Naval Academy; the United States Air Force Academy; the United States Coast Guard Academy; the United States Merchant Marine Academy; the Naval Postgraduate School; the Air Force Institute of Technology; and the Royal Military College of Canada.

The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and during the four days of the competition, NSA and U.S. Department of Defense personnel are acting as evaluators–even as the NSA’s red team challenges the students with constant network attacks, all of which must be “publicly-available, well-documented vulnerabilities.” The competition takes place on a closed network that does not access the Internet.

At the Air Force Academy, one of the instructors helping the students learn how to construct cyberdefenses–and prepare for the NSA’s exercise, is Air Force Capt. Michael Henson. He agreed to answer some questions from CNET about the competition, which has been won by West Point for the last three years. However, the Air Force Academy won in 2006, and Henson surely believes that his charges will take the crown in 2010.

Source

This year’s conference really gave me a smack on the head. It reminded me of not only how many friends and colleagues I had missed, but also the blast of energy you get by seeing so much passion for such a diverse group of topics in one short weekend. NOTACON allows someone like myself to speak about education, while another person is showing off their electronically-infused clothing, and another to do demos of PDF exploitation. Few places short of a local hacker-space will you find such a menagerie of content.

Presentations That Rocked
To start, I thought Sacha DeAngeli’s presentation called “Mine’s Smaller Than Yours: Nanotechnology and Chemistry in a DIY Setting” was super interesting and appropriate for this kind of conference. He combined not only live chemistry on a topic most people were fairly captivated by, but also integrated the message that we really need to save chemistry experimentation as a culture. He had great parallels between ‘hackers’ and chemists (hobby and professional), invigorating at least my opinion that saving chemistry as something that everyone should dabble in as part of their youth is important. Toss it up there with music education as something that is being cut out of schools in lieu of safer and cheaper alternatives — computer simulated chemistry. Boring.

It was really fun to see int eighty (who’s the rapper for Dual-Core) drop the mic, so to speak, and instead give a really easy-to-follow explanation and demonstration of how to deconstruct PDF files and look for potential malicious code streams. His presentation had great structure and provided the tools to follow-along with his demonstrations, making for an interactive presentation that was really fun to watch. He was both humbled by the work of other’s in this field (such as the often mentioned Didier Stevens) and highly competent on the topic, making for an enjoyable hour. It was great to see someone I’ve watched rap so many times really come into his own in another light.

Saturday started early with Adrian Crenshaw covering aspects of Anti-Forensics. While I had personally heard a lot of these areas in a previous Cybercrime class, it was nice to get a more technical overview of some techniques. He provided some interesting notes about ‘data recovery’ and I really enjoyed his muted humor throughout. Seems like a really nice guy in general, too.

Later in the day, I was really impressed with James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight’s skit-based presentation called “Social Engineering Security Into Your Business”. It was a collection of situations in which they demonstrated the right & wrong ways to have security people interact with various members of their company/organization. In one example, they showed how and how not to speak with a developer about an XSS issue. Another, they spoke to management about purchasing a new product to help their infrastructure. I found their examples and dialogs both realistic (at least 90% of it) and accurate to situations I have been in. Frankly, some scenes were uncanny! They did a great job of integrating humor and reality. I think they certainly got a message across which is very important: don’t be an asshole if you want to get stuff done.

The end of the day comprised of “Surviving the Zombie Apocalypse”, another in the series of conference talks put on by Tom Eston, Chris Clymer, and Matthew Neely. Hilarious as ever, and now with costumes, props, and a cast of zombie actors. A great 30 minutes of just pure fun and energy. Might I add, this was just prior to my own presentation so I appreciated not only the relaxing fun it provided for me, but also that they were done way before my presentation which gave me extra prep time.

My presentation, “What’s a Linux?: Creating & teaching college courses at 24″
I was pumped to be able to speak to what was quite a large crowd in the palace east room of the hotel. While it was the smaller of the two rooms, it seemed to be quite filled which was great. I’d guess probably 40+ people showed up and they were all really attentive, appreciative, and fun. It seemed like everyone enjoyed my random humor and appreciated what I had to say on education in general. It was a really rewarding experience. I hadn’t spoken at NOTACON since 2005 so I was both glad to be back at the conference as an attendee, but pumped to have had another opportunity to talk about something I was passionate about. A sincere thanks again to everyone who attended my presentation as well as was wearing my uncompiled.com stickers throughout the weekend!

As promised, here are my presentation slides in PDF and if anyone has any questions or follow-ups, feel free to give me a shout. My e-mail is mark.stanislav@gmail.com and my Twitter is mstanisl. It was great seeing so many of you guys again and even better meeting a lot of great new people as always. Feel free to send me any pictures or video you have have from my presentation; I appreciate it.

See everyone next year!

1. A1: Injection
2. A2: Cross-Site Scripting (XSS)
3. A3: Broken Authentication and Session Management
4. A4: Insecure Direct Object References
5. A5: Cross-Site Request Forgery (CSRF)
6. A6: Security Misconfiguration
7. A7: Insecure Cryptographic Storage
8. A8: Failure to Restrict URL Access
9. A9: Insufficient Transport Layer Protection
10. A10: Unvalidated Redirects and Forwards

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the world!!!
As you help us spread the word, please emphasize:
* OWASP is reaching out to developers, not just the application security community
* The Top 10 is about managing risk, not just avoiding vulnerabilities
* To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
* We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

Source