YNet reports that the phone company is trying to find a way to block the messages:

Dozens of Israeli customers of the Orange cellular service provider received unexpected SMS messages on their phones Wednesday evening, with the English message:

“Now Now Now…Go out from your home Hizballah willing shelling of the area, Israel Government Cheating you And refuse recognition Defeat.â€?

[…]

Rani Rahav, a spokesperson for Orange, responded that the text messages were coming from a small service provider “somewhere out there in the Pacific Ocean. We are working right now to block the provider from transmitting further messages to Orange customers.�

Who pays for those SMS threats? We always hear about the Internet being a concern in modern information warfare, but cellular phones clearly play a more significant role since they are so mobile and resilient. Blocking an entire provider sounds like the system does not have granularity, which may turn into a sticky problem for Orange if the attackers can spread the origin of their messages. Denial of service also blocks helpful messages.

I haven’t seen this in the press yet, perhaps because breaches are so common in the news that people have become desensitized, but Kansas State University just announced it had a fair amount of computer equipment stolen via social engineering:

About $25,000 of computers and equipment was stolen the evening of Wednesday, July 19, from the K-State ID Center in the K-State Student Union. Police are searching for two white males in their early 20s, according to a July 20 news release from K-State’s Media Relations. Anyone with information about the crime is asked to call Detective Donald Stubbings, K-State Police Department, 785-532-6412.

The two subjects, described as wearing blue jumpsuits with “Fox Business Systems” logos, gained access to the ID Center by showing the on-duty Union manager what may have been a forged document and saying they were hired to do repairs on the center’s computers. Several computers, monitors, cameras, and printers were later found missing from the center.

No personal data was lost because it’s stored on a secured server, said Craig Johnson, manager of the ID Center. “Although we have a very secure database, we added enhancements Thursday and Friday to ensure a higher level of security, including a firewall and IP lockouts on the specific workstations stolen,” he said.

I’m not sure why the ID Center announced to the world that they are using IP blocks for the stolen computers. I think the reporter should have stopped with “the center took extra precautions after the theft”. The less info about the exact counter-measures in the immediate aftermath the more chance you have of catching the perpetrators.

On the other hand it’s great to hear a University say they had several control measures in place to prevent (and detect?) loss of identities, especially since the attack appears to have been well planned and very specific to their ID Center. Incidentally, a Kansas breach notification law (SB 196) went into effect July 1st, 2006, a little more than two weeks before the breach.

I wonder how they arrive at the “very secure” description of the database, and of the safety of the IDs on the stolen computers. Is that an independent assessment? Does it conform to a standard? After all, we have to wonder if the stolen equipment was also considered “very secure”? Over thirty states now have breach disclosure laws so I expect the clarification of “reasonable” security precautions is likely to become an interesting issue.

Oh, and good luck to the police with that descripton of two white males in their twenties wearing jumpsuits on a college campus in Kansas. Hopefully someone will have more detail. Otherwise they might as well put a search out for wheat, no?

A GAO study reported by the AFP suggests that the US Department of Defense could be leaking equipment secrets and weapons like a sieve:

The report said that GAO undercover investigators entered two warehouses where surplus military gear was stored and obtained about 1.1 million dollars in sensitive military equipment.

They included launcher mounts for shoulder fired missiles, body armor, a digital converter used in naval surveillance, an all-band antenna used to track aircraft, and circuit cards used in navy computers.

“At no point during GAO’s warehouse security penetration were its investigators challenged on their identity or authority to obtain DoD (Department of Defense) military property,” the report said.

I know, it’s easy to say “one man’s garbage”, especially with Rumsfeld’s plans to adopt disruptive and untested new technology, but GAO reports show that the DoD has a bad habit of throwing away equipment that they actually need and end up buying again:

Of $33 billion in excess commodity disposals in fiscal years 2002 through 2004, $4 billion
were reported to be in new, unused, and excellent condition. DOD units reutilized only $495 million (12 percent) of these items. The remaining $3.5 billion (88 percent) includes significant waste and inefficiency because new, unused, and excellent condition items were transferred and donated outside of DOD, sold for pennies on the dollar, or destroyed. DOD units continued to buy many of these same items. GAO identified at least $400 million of fiscal year 2002 and 2003 commodity purchases when identical new, unused, and excellent condition items were available for reutilization. GAO also identified hundreds of millions of dollars in reported lost, damaged, or stolen excess property, including sensitive military technology items, which contributed to reutilization program
waste and inefficiency.

[…]

Weaknesses in accountability leave DOD vulnerable to the risk of theft, and fraud, waste, and abuse with little risk of detection.

This is certainly not the first time that the military disposal system has been under scrutiny. According to the GCN, the GAO cited the DoD for classification issues in 1998:

The Defense Department is unwittingly selling to the public surplus parts containing sensitive military technology, the General Accounting Office said recently.

When DOD buys spare parts for aircraft, ships, vehicles and weapons, the department assigns a code to the parts to indicate whether they contain sensitive military technology. But Defense has a history of assigning the wrong demilitarization codes to the parts and selling them anyway, a GAO report said.

And yet things seem to have worsened since 2000, according to the latest audit papers. It gets really scary when you consider how Rumsfeld ignored the danger of surplus weapons in Iraq and that Hizbullah is bragging about a supply of American-made weapons:

[Deputy chief of the Hezbollah’s political arm, Mahmoud] Komati said Hezbollah has weapons made in various countries, including the United States, France, China and Russia.

“Some of our fighters carry M16s. So you think we buy them from America?” he asked.

No need, obviously, if you can just walk into the DoD warehouse unchallenged and pick up what you want.