
In today’s edition of “how not to get a recommendation from a former employer”…
From The Chronicle of Higher Education:
University of Florida officials now say that the message was sent by a former employee of Mobile Campus, the vendor that the university uses to operate the text-message alert service. The employee was trying to show off to a friend that he still had access to the university’s system when he accidentally sent the message, according to a statement from the university.
“It raises a concern for us that a former employee was able to still access the system,” said Stephen F. Orlando, a spokesman for the university, in an interview today. “Clearly that’s an issue that needs to be addressed and fixed.”
Ya think? The absence of a staff exit procedure (or of anyone following one) is self-evident. It’s bad enough that the former employee still had access to the system in question; worse, this is the system that serves as the university’s emergency alert mechanism. It’s a sad reflection on the vendor that this person could still get in.
But, then the requisite stupidity rears its ugly head. The “spin”.
But Mr. Orlando stressed that no one had hacked into the system, and he said the university was working with Mobile Campus to keep any further unauthorized messages from going out.
“No one had hacked.” An exercise in semantics. He didn’t write a buffer overflow. He got in because his access to the system was never revoked. Call it a hack, a breach or a bag of potato chips; it still happened. I would be less concerned if he had gotten in via a zero-day exploit than through a piss-poor procedural failure.
Just saying.
For the full article read on.

A former employee of the Texas Lottery said that he “accidentally copied the personal data of more than 27,000 Texas lottery winners”. OK, I’m calling BS on his story.
Oops. How did that USB key get there? I must have tripped and fallen and “voila”.
The ex-employee downloaded “his own work files off his computer and took them to his next job”. Um, OK. I’ve never known work-related files to have the ability to travel with a person from company to company. Especially when they include the personal info of 27K people.
From the Dallas Morning News:
The names and Social Security numbers of 27,075 mid-level lottery winners — people who have won prizes from $600 up to around $1 million — were on the employee’s hard drive. Also included were the names, Social Security numbers and, in some cases, bank routing and account numbers of 639 current and former commission employees and 534 lottery retailers.
There have been no reports that the information has been used inappropriately, but in a letter sent out on Sept. 11, commission officials advised that the recipients put a fraud alert on their credit reports and check their bank statements.
I smell a rat here. Apparently so did the Texas Attorney’s office, otherwise we wouldn’t be having this discussion.
Only one in three? I would hazard that is being conservative.
From MSNBC:
One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues’ salary details, personal e-mails or board-meeting minutes, according to a survey.
U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.
Ah, there it is. One-third admitted to it. OK, that is more what I would expect. Now for the other two thirds get the electric cattle prod and some thumb screws and I’m sure they’ll start singing.
hyuk.

HSBC is back in the news again today. This time for a more positive reason than last we checked in on them. It appears that a rogue employee decided it was pay day. I guess he saw “Catch me if you can” one too many times.
From the Reg:
An HSBC worker has been charged after police were called in to investigate an alleged attempt to defraud the bank out of a whopping £70m.
City of London police have charged Jagmeet Channa, a 25-year-old from Ilford in Essex, with conspiracy to defraud, money laundering, and abusing a position of trust. Three other men have been bailed on related offences. Channa will appear in court on 25 June.
Channa was reportedly a back-office worker at the bank rather than a trader.
Nice and subtle. Well, I never said he was smart.
The good ole insider threat cliché rings loud yet again.
From Internet News:
Apple’s 160GB iPod Classic, introduced last September, is a music and movie lover’s dream machine. But for IT departments, it’s a security nightmare.
That’s because any employee can plug this pocket-sized USB storage device into their computer and use it to steal vast amounts of corporate information, including mailing lists, databases, financial records and confidential customer data.
Of course you don’t need an iPod to steal data: 4GB USB memory sticks are cheap and ubiquitous, or, for employees intent on stealing really large amounts of data, devices like Buffalo’s recently announced LinkStation Mini offer a terabyte of storage in a case that fits in the palm of the hand.
Nothing all that new in this article. But it does give me an opportunity to point to this piece on the Windows registry for locking out USB storage devices.
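As an added example (my own script, not code from the linked piece or from the original post), here is the registry technique in PowerShell: the USBSTOR service’s Start value controls whether the USB mass-storage driver loads (3 = on demand, 4 = disabled), so flipping it blocks new thumb drives and iPods-as-disks. The function and variable names are mine; the key path and the Start values are the documented ones. It must run elevated, and a device that is already mounted stays mounted until it is unplugged. I’ve also added a helper that lists the device instances Windows remembers under Enum\USBSTOR, which is the first place to look when you want to know what has been plugged into a box in the past.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Key path and Start values are the
# documented ones (HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, Start 3/4);
# function and variable names are my own.

$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbEnumKey  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageState {
    # Report whether the USB mass-storage driver is allowed to load.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Unknown (Start=$start)" }
    }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Read the value back: a failed write would silently leave the old policy in place.
    $now = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($now -ne $value) {
        throw "USBSTOR Start is $now, expected $value; change did not take"
    }
    Write-Host "USB mass storage is now: $(Get-UsbStorageState)"
}

function Get-UsbStorageHistory {
    # Forensic aid: Windows keeps an instance key per USB storage device it has ever
    # seen, keyed by device class and serial, and these survive the device being removed.
    Get-ChildItem -Path $UsbEnumKey -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceClass = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Device = $deviceClass
                Serial = $_.PSChildName
                Name   = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            }
        }
    }
}

# Usage:
Get-UsbStorageState                  # see where you stand before changing anything
Set-UsbStorageState -State Disabled  # block new USB mass-storage devices
Get-UsbStorageHistory | Format-Table # what has been plugged in so far
```

Two caveats a practitioner will want. First, a local administrator can set Start back to 3 with regedit in a few seconds, so on shared machines pair this with a restrictive ACL on the USBSTOR key (or push the setting by Group Policy so it gets re-applied). Second, this only disables the mass-storage class driver; a phone or media player that mounts as an MTP device rather than a disk, or a device using a third-party storage driver, is not covered, so don’t mistake it for a complete data-exfiltration control.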

Here is an interesting piece from InfoWorld:
Corporations are woefully unprepared to counter attempts at corporate espionage, say experts who perform vulnerability assessments designed to uncover security weaknesses. U.S. corporations lose as much as $300 billion a year to hacking, cracking, physical security breaches, and other criminal activity, according to Ira Winkler, author of “Spies Among Us” (Wiley, 2005) and president of the Internet Security Advisors Group, which performs espionage simulations and provides other services.
Although espionage is usually associated with high-tech approaches involving wireless security breaches and zombified PCs, low-tech tactics such as walking into a building are common, says Johnny Long, a security researcher at Computer Sciences Corp. and author of “No-Tech Hacking” (Syngress, 2008).
“To me, computers are irrelevant,” Winkler says. “It’s about what data do I want, what form does it take, and how can I steal it?”
Any company can be a target, says Peter Wood, chief of operations at First Base Technologies, a U.K.-based consultancy that performs ethical hacking services. Spies are interested in anything from financial data to intellectual property and customer data. They might steal information for blackmail purposes, but “the most common motive for physical intrusion is industrial espionage,” he says.
Here are several of the most common ploys and the countermeasures you can put into place to spot — and possibly even stop — the work of a spy.
Karen Salmansohn wrote a piece for the Huffington Post on “cyber” war (I still hate that word) from within.
From Huffington Post:
By all mainstream press accounts, the U.S. remains focused on guarding against inbound attacks by large and small enemies, a classic defensive posture anticipating warfare coming from the outside-in: a War of Mass Destruction.
But what if it’s an inside-out job — a cyber-attack via the internet: a War of Mass Disruption?
Think about it: We’ve become a nation of “internet addicts.” Even the smallest of businesses is obsessively dependent on constantly accessing, transferring, and acting upon information via the Internet.
I confess to personally often feeling like a new millennium O.C.D. character in an Oliver Sachs book: “The girl who couldn’t stop watching my email” — with minor symptoms of “google junkie.”
And the more all of us Americans increase our dependence on the Internet, the more we make the Internet a prime target for “Hacktivists” — enemy cyber terrorists.
And it really wouldn’t be that difficult to do. I would be more concerned with bored teens at this point than with a concerted attack. Think about it: the “bad guys” take out the internet? Not entirely likely, as they need it for the same reason China wouldn’t hit Atlanta in a nuclear strike. They would want to watch their progress on CNN.
Read on.
Tags: Cyber War, Insider Threat

Printers. Not a fan of them in general. But they are a necessary tool in our “paperless” society. One of the more annoying aspects of printers is the exorbitant price of replacement toner cartridges. One enterprising (now former) Xerox customer service rep decided to launch a side business to make some extra cash.
Small problem though. He was doing it with stolen product from his own company.
From the Washington Post:
Between June 2005 and October 2005, Sampayo placed orders for 18 shipments of toner cartridges worth $490,000 using bogus names for a Boeing employee requesting the toners, the U.S. Department of Justice said in a statement. Sampayo at the time was servicing copy machines at Boeing’s Tukwila, Washington facility, the DOJ said.
Xerox became suspicious about the large orders as the cartridges requested were incompatible with the copiers at the facility. Xerox and Boeing security then observed the shipments of the toners and caught Sampayo, handing him over to federal officers.
This hammerhead now faces a possible 20 years in the clink for his troubles. He is due to be sentenced on May 23rd.
Tags: Xerox Toner Theft, Xerox Employee, Asdrubal Sampayo, Boeing Security

And people wonder why we security folks tend to use the “two missile keys” analogy time and again. At the risk of jumping up and down on the dead horse that is the insider threat issue, here is an analysis piece on the incident.
From the Wall Street Journal:
In one of the banking world’s most unsettling recent disclosures, France’s Société Générale SA said Mr. Kerviel had cost the bank €4.9 billion, equal to $7.2 billion, by making huge unauthorized trades that he hid for months by hacking into computers. The combined trading positions he built up over recent months, say people close to the situation, totaled some €50 billion, or $73 billion.
Holy crap.
Early details, including accounts from executives at the French bank, paint a picture of an ordinary trader who used extraordinary means to game the bank’s own system and hide massive unauthorized trades on stock-index futures. Even as bank executives were scrambling to deal with the trail of destruction, they were at a loss to describe his motivations. Société Générale executives said that the early investigation indicated the trader didn’t earn a dime on his actions. They also said he appeared to be acting alone.
On his own and no one noticed? Come on now. Let go of my leg.
Read on.
Tags: Internal Threat, Security Protocols, Internal Controls
From Computer World:
A former employee of a small California canal system has been charged with installing unauthorized software and damaging the computer used to divert water from the Sacramento River.
Michael Keehn, 61, former electrical supervisor at the Tehama Colusa Canal Authority (TCAA) in Willows, Calif., faces 10 years in prison on charges that he “intentionally caused damage without authorization to a protected computer,” according to Keehn’s Nov. 15 indictment. He did this by installing unauthorized software on the TCAA’s Supervisory Control and Data Acquisition (SCADA) system, the indictment states.
Keehn accessed the system on or about Aug. 15, according to the indictment. He is set to appear in federal court on Dec. 4 to face charges of computer fraud.
As an electrical supervisor with the authority, he was responsible for computer systems and is still listed as the contact for the organization’s Web site.
With a staff of 16, the TCAA operates two canals, the Tehama Colusa Canal and the Corning Canal, that provide water for agriculture in central California, near the city of Chico. Both systems are owned by the federal government.
Tags: SCADA, SCADA Security, Insider Threat
