American hunger replaced with “low food security”

Senator Boxer has issued a statement about an odd change in US policy. Sorry I don’t have a link as this was sent to me directly:

The Department of Agriculture recently announced that it would remove the word “hunger” from reports on the nation’s food supply. Instead, it announced that it would use “low food security” or “very low food security” in its reports. I have written to Secretary of Agriculture Michael Johanns to express my displeasure over this change.

Officials at the Department of Agriculture report that the change in labels was not a plot to try to disguise or mask hunger in America. Instead, they claim that “hunger” is too amorphous a phrase to describe, in their terms, “a potential consequence of food insecurity that, because of prolonged, involuntary lack of food, results in discomfort, illness, weakness or pain that goes beyond the usual uneasy sensation.”

Although I have monitored the politics of food-aid and security for many years, I have to say it is not clear to me why a term like “hunger” suddenly would be seen as vague compared to “low food security”. Strange. Was someone offended to hear that people in America go “hungry”? Senator Boxer puts it this way:

I believe that most Americans are acutely aware of the meaning of “hunger,” especially when used in official reports meant to describe peoples’ access to the food supply.

Exactly, so perhaps that’s why they changed it? Now politicians can say “this report shows no one in America ever goes hungry”, even though the numbers might show 35 million people still experience “low food security” issues.

I’d write more, but you’ll have to excuse me as I’m experiencing a high bladder security issue…probably a result of my low food countermeasures.

UCLA warns of security breach

The identity alert site at UCLA has some late breaking news:

A sophisticated computer hacker has illegally and fraudulently accessed a restricted UCLA database containing names and certain personal information. This database includes UCLA’s current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing.

UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information. There is no evidence to suggest that personal information has been misused.

That’s a lot of data. Wonder if these big schools are considering breaking apart and isolating repositories in order to reduce the value of assets exposed by a single breach.

Did they really have to say “sophisticated” hacker? That seems to differ in tone from the detail in a breach notification message, distributed today:

Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

So which was more sophisticated, the hacker or the information security measures?

Unaccelerated measures. I know how that goes. Upper management often says “I know it’s required for compliance, and it sounds great, but can we do it later?” Costs more to do things late, but even more to do things late and fast. It’s hard to know where you need to accelerate the most if your budget isn’t able to cover all the lost time.

At the end of their email message is the following warning and advice:

This is an automated message regarding the recent identity alert at UCLA. We’re sorry, but we are unable to respond to emails. Please do not reply to this email. If you have questions or concerns and would like to speak with someone, please call (877) 533-8082. For additional information and steps to take, please go to the dedicated website at http://www.identityalert.ucla.edu.

Hard to tell if they do not want to respond to email because of the liability, vulnerability/compromise issues, or because phone line bandwidth tends to be far inferior to the unlimited capacity of email queues so they hope to throttle-down the amount of complaints coming into their inbox.

The letter also wisely points out that they will not be requesting any information from the victims:

Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.

I’m sure more details will emerge over the next few days.

Microsoft Word Exploit in the Wild

Just another day in the Office.

Here is an update to the Microsoft Word Remote Code Execution vulnerability announcement from just a few days ago. Another zero-day vulnerability has been found along with exploits in the wild:

…this attack used a new zero-day vulnerability in Microsoft Word. It is reported that the emails originated from a Yahoo! email account, which the hacker accessed through a mobile device CDMA link to conceal their identity. Security professionals claim the emails contain information about the political situation in Iran and attempts to entice recipients…

[…]

Experts claim the attack was designed to steal sensitive data through the recipient’s computer.

Moreover, Microsoft continues to investigate another proof-of-concept zero day flaw for Word discovered last week. However, neither of the vulnerabilities are expected to be tackled in tomorrow’s security update, Patch Tuesday.

It’s not clear what separates the two vulnerabilities, or if they are just variations of the same flaw.

I suppose the Microsoft advice is still to never open Word attachments unless you can verify the sender’s identity and confirm their good intentions. Easy to do in an Office environment, right?

The December 12th security updates do not seem to mention either vulnerability, although they do show a re-release of MS06-059, which fixes a fix for an Excel remote code execution vulnerability.

Some Microsoft Excel 2002 users who have Microsoft Windows Installer 2.0 installed received indication that the original version of security update 923089 for Excel 2002 was installed successfully. However, the actual binary file, Excel.exe, was not updated to the secure version. The re-release version of security update 923089 for Excel 2002 corrects this issue.

Verifying the success of a patch should never be underestimated.
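One way to catch the failure described in the re-release note, where the installer reports success but the binary on disk is never replaced, is to digest the target files before and after patching. This is an added example, not code from Microsoft or from the original post; the file name `helper.dll`, the optional reference digests and all sample file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, or None if the file does not exist."""
    p = Path(path)
    return hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None


def snapshot(paths):
    """Digest every file the update claims to replace; run this BEFORE patching."""
    return {str(p): sha256_of(p) for p in paths}


def verify_update(before, expected=None):
    """Compare on-disk files AFTER patching with the pre-patch snapshot.

    expected: optional {path: digest} taken from a known-good patched machine
    (an assumption of this example; the page gives no reference values).
    """
    expected = expected or {}
    status = {}
    for path, old in before.items():
        new = sha256_of(path)
        if new is None:
            status[path] = "missing"
        elif new == expected.get(path):
            status[path] = "ok"          # matches the reference build
        elif new == old:
            status[path] = "unchanged"   # installer said success, file never replaced
        elif path in expected:
            status[path] = "mismatch"    # replaced, but not with the reference build
        else:
            status[path] = "changed"     # replaced; no reference digest to compare
    return status


def demo():
    """Constructed case: an installer exits 0 but replaces only one of two files."""
    with tempfile.TemporaryDirectory() as d:
        exe, dll = Path(d, "Excel.exe"), Path(d, "helper.dll")
        exe.write_bytes(b"constructed: vulnerable build")
        dll.write_bytes(b"constructed: old library")
        before = snapshot([exe, dll])
        dll.write_bytes(b"constructed: new library")   # the only file actually updated
        result = verify_update(before)
        return {Path(p).name: s for p, s in result.items()}


if __name__ == "__main__":
    print(demo())
```

Any file reported as `unchanged` after an update that claimed success is the case the re-release had to correct.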

Sudan IV dye pollution causes rise in food prices

It sounds like the process to detect a carcinogenic red dye called Sudan IV is non-trivial. Something to do with HPLC?

I mention this because in 2005 there was a Sudan dye scare in the UK, which apparently led directly to higher food prices:

Two recent incidents of turmeric contamination and 97 cases of sudan-contaminated palm oil for sale on the European food market prompted the Commission to call for tighter controls for both these foodstuffs.

Once details of the measures are cleared, the tighter rules mean that imports of both these foodstuffs must be accompanied by certificates to prove they are free of the carcinogenic sudan red food dye. Such certificates are currently required for all imports of chilli and chilli powder products into Europe.

[…]

Over 600 well known processed foods were pulled from the supermarket shelves after the UK’s Food Standards Agency (FSA) detected the illegal dye in a batch of worcester sauce made by St.Albans-based Premier Foods.

I suppose the recent incident in China should have the same effect, although it is not clear yet whether the Chinese are going to require red eggs to be more tightly controlled or just find someone to severely punish.

And while food prices might rise, I certainly would rather pay for food I can trust rather than some colorful piece of chemically altered substance that is approved for consumption by an agency that does not want to address the root of the problem (pun intended). In other words, my heartfelt congratulations to the Mayor of New York for the successful and complete ban of transfats even though the FDA seemed unable or unwilling to do so.

I understand the concern with a rise in food prices but sometimes I think people forget that the ban/control is for a known toxic substance that is almost undetectable to humans (i.e. tastes good). I’m happy to pay experts to ensure a better quality of life and prevent poison from entering my food, thank you.