FTC issues warning about data loss over P2P
Yet another warning about data loss, company policy and how easily all your files can be leaked over the internet comes into the security world, this time from the Federal Trade Commission. Long overdue, some would say, including Robert Siciliano in a recent post on Information Security Resources.
Yes, it is quite bewildering to see how, after warning after warning and a long line of data breach incidents, companies still allow the misuse of software and hardware resources. It is also confusing to see the FTC only now getting ready to directly warn about 100 companies of the risks of peer-to-peer file sharing. It’s a bit late, years and years after the problems appeared. Read more
Who’s afraid of the big bad cyberattack?
There have been dozens of news stories on cyberattacks lately: from human rights websites in China coming under attack, to the attacks on US sites and institutions, to a more recent article debating how a cyberattack would affect the UK public’s trust in their Government. (Check our Twitter profile for an extended list of such news.)
Even a minor attack would make UK citizens lose trust in their representatives. It seems crazy and it tastes of instant panic, but is it? I’d say more cyberattacks would have the same effect on US citizens as well. Why? It’s simple! It’s not because people are easily scared and tend to run amok at the smallest of threats; it’s because of the expectations that were created and never met. Read more
Breached server puts 170,000 at risk
A security breach estimated to have lasted over one month has given an unidentified individual access to the grades and social security numbers of students of Valdosta State University, along with private details of faculty members. The breach, discovered in December on a university server, has put 170,000 individuals at risk, but the ongoing investigation is yet to reveal who was behind the breach and what their purpose was.
While the breach was discovered in early December, the official announcement was released on February 18th, after a prior release announcing an ongoing investigation. According to the university site, “the breached server and potentially breached data were secured and removed from the network. While we still do not have any evidence that personal information was taken, we are alerting affected individuals via email, web, and mass media of the potential theft of their personal information.”
Students and faculty can check if they have actually been affected here and consult quite a few identity theft resources, but no protection is offered to them by the University from what we can tell from the site, press release and press coverage. At least they are sorry and planning to make security changes…
Was there or wasn’t there a loss of data?
A recent DoS attack on an Eugene School District server succeeded in breaching its security and accessing the computer, which contained the names, employee ID numbers and phone numbers of about 2500 current and former employees. While other sensitive information such as social security numbers was not stored on the breached machine, the server was connected to others (apparently protected by additional security systems) that contained private details on a total of 26000 people and vendors.
Luckily all student data is stored on different networks of the Eugene School District, so none of those studying in the region have been affected. The supposed breach seems to have affected only adults.
Yet the safety of the 26000 other records is in no way guaranteed. There is no proof of further breaching, but there isn’t any to show there was none either. In the meantime, the breach is being investigated, and the school district’s website has been updated with information on the breach.
“A thorough investigation of the security breach has been initiated, police have been notified, and the district has taken measures to further safeguard the involved server,” the district said. “We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure that personal information is secure. We sincerely regret any inconvenience this may cause to our staff and vendors.”
More information here.
Long live the new Cybersecurity Czar!
A nice Christmas present wrapped up and delivered to the cybersecurity world. Just when we had all started to doubt that a czar would be appointed in 2009, when all hopes were fading after months and months of delay (the initial announcement was made in May), the Obama administration finally chose Howard Schmidt to fill the position.
Schmidt is also a former member of the Bush administration and will be the leading star of the cybersecurity initiative, although experts fear the position does not come with any real power, says Dark Reading. A little background info on the new czar:
Schmidt, who most recently served as president and CEO of the international nonprofit Information Security Forum and was previously chief information security officer at eBay and at Microsoft, said in a statement that he looks forward to bringing to the table all stakeholders in efforts to better secure U.S. networks and systems. He will work with the National Security Council and the National Economic Council.
Schmidt will have to settle all differences between the National Security Agency and the Department of Homeland Security, add a side of Department of Defense and other federal agencies involved in related projects, and serve up a common and effective US cybersecurity posture. And all this on a not so significant budget and with not so much power over these US security giants. We all wish him the best of luck!