Kansas State loses ID computers, but IDs might be safe

I haven’t seen this in the press yet, perhaps because breaches are so common in the news that people have become desensitized, but Kansas State University just announced it had a fair amount of computer equipment stolen via social engineering:

About $25,000 of computers and equipment was stolen the evening of Wednesday, July 19, from the K-State ID Center in the K-State Student Union. Police are searching for two white males in their early 20s, according to a July 20 news release from K-State’s Media Relations. Anyone with information about the crime is asked to call Detective Donald Stubbings, K-State Police Department, 785-532-6412.

The two subjects, described as wearing blue jumpsuits with “Fox Business Systems” logos, gained access to the ID Center by showing the on-duty Union manager what may have been a forged document and saying they were hired to do repairs on the center’s computers. Several computers, monitors, cameras, and printers were later found missing from the center.

No personal data was lost because it’s stored on a secured server, said Craig Johnson, manager of the ID Center. “Although we have a very secure database, we added enhancements Thursday and Friday to ensure a higher level of security, including a firewall and IP lockouts on the specific workstations stolen,” he said.

I’m not sure why the ID Center announced to the world that it is using IP lockouts on the stolen computers. The reporter should have stopped at “the center took extra precautions after the theft”. The less said about the exact countermeasures in the immediate aftermath, the better the chance of catching the perpetrators: a thief who knows the machines are blocked has no reason to ever plug them in where they could be traced.

On the other hand, it’s good to hear a university say it had several controls in place to prevent (and detect?) loss of identities, especially since the attack appears to have been well planned and specific to the ID Center. Incidentally, Kansas’s breach notification law (SB 196) went into effect on July 1, 2006, a little more than two weeks before the theft.
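The release says the server got “IP lockouts on the specific workstations stolen”. What makes that a detection control rather than just a block is logging and alerting on the attempt. The following is an added example, not code from K-State or from the original post: a silent revocation screen run over constructed access-log lines. The workstation inventory, the revocation list and the log format are all assumptions for illustration.

```python
"""
Added example (hypothetical, not the ID Center's own code): screen an
ID-server access log against a list of stolen (revoked) workstations.
A revoked machine is denied, and every such denial is raised as an alert,
so a reconnection attempt becomes evidence rather than a quiet failure.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed inventory of authorised workstations: ip -> mac (constructed).
AUTHORISED = {
    "10.20.5.11": "00:1b:21:aa:00:11",
    "10.20.5.12": "00:1b:21:aa:00:12",
    "10.20.5.13": "00:1b:21:aa:00:13",
}

# Workstations reported stolen and revoked server-side (constructed).
# Both the address and the hardware identity are listed: a thief on a
# different network will not present the old IP, but the NIC is the same.
REVOKED = {
    "10.20.5.12": "00:1b:21:aa:00:12",
    "10.20.5.13": "00:1b:21:aa:00:13",
}

# Constructed log lines in an assumed format:
# <timestamp> <client ip> <client mac> <user or -> <action>
SAMPLE_LOG = """\
2006-07-21T08:02:11 10.20.5.11 00:1b:21:aa:00:11 jdoe lookup_id
2006-07-21T08:05:40 10.20.5.12 00:1b:21:aa:00:12 - login
2006-07-21T08:06:02 10.20.5.14 00:1b:21:aa:00:13 - login
2006-07-21T08:07:30 10.20.5.11 00:1b:21:aa:00:11 jdoe print_card
2006-07-21T08:09:15 192.0.2.44 00:1b:21:aa:00:12 - login
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Decision:
    timestamp: str
    ip: str
    mac: str
    action: str
    verdict: str  # "allow" or "deny"
    reason: str


def evaluate(line: str) -> Decision:
    """Decide one log line. Revocation wins over inventory membership."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, mac, _user, action = m.groups()
    ipaddress.ip_address(ip)  # reject garbage before it reaches a lookup
    mac = mac.lower()
    # Hardware identity first: it follows the stolen box to a new subnet.
    if mac in REVOKED.values():
        return Decision(ts, ip, mac, action, "deny", "revoked workstation MAC")
    if ip in REVOKED:
        return Decision(ts, ip, mac, action, "deny", "revoked workstation IP")
    # Anything not in inventory, or an inventory IP with the wrong NIC, is denied.
    if AUTHORISED.get(ip) != mac:
        return Decision(ts, ip, mac, action, "deny", "unknown or mismatched workstation")
    return Decision(ts, ip, mac, action, "allow", "authorised workstation")


def screen(log_text: str):
    """Return (all decisions, alerts). Alerts are denials caused by a revoked host."""
    decisions = [evaluate(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = [d for d in decisions
              if d.verdict == "deny" and d.reason.startswith("revoked")]
    return decisions, alerts


if __name__ == "__main__":
    _, found = screen(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.ip} {a.mac} {a.action}: {a.reason}")
```

Two of the constructed lines come from a revoked MAC on an address the server has never seen, which is the case a plain IP block misses. A MAC is only visible on the local segment and is trivially spoofed, so in practice the same screen would also key on whatever the workstation authenticates with (a client certificate, a cached credential), revoking those as well; the structure of the check is the same.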

I wonder how they arrive at the “very secure” description of the database, and at the claim that the IDs on the stolen computers are safe. Is that an independent assessment? Does it conform to a standard? After all, the stolen equipment was presumably also considered “very secure” until Wednesday evening. Over thirty states now have breach disclosure laws, so I expect the clarification of what counts as “reasonable” security precautions is likely to become an interesting issue.

Oh, and good luck to the police with that description of two white males in their twenties wearing jumpsuits on a college campus in Kansas. Hopefully someone will have more detail. Otherwise they might as well put a search out for wheat, no?

Defense department exposed (again)

A GAO study reported by the AFP suggests that the US Department of Defense could be leaking equipment secrets and weapons like a sieve:

The report said that GAO undercover investigators entered two warehouses where surplus military gear was stored and obtained about 1.1 million dollars in sensitive military equipment.

They included launcher mounts for shoulder fired missiles, body armor, a digital converter used in naval surveillance, an all-band antenna used to track aircraft, and circuit cards used in navy computers.

“At no point during GAO’s warehouse security penetration were its investigators challenged on their identity or authority to obtain DoD (Department of Defense) military property,” the report said.

I know, it’s easy to say “one man’s garbage”, especially with Rumsfeld’s plans to adopt disruptive and untested new technology, but GAO reports show that the DoD has a bad habit of throwing away equipment that it actually needs and then buying it again:

Of $33 billion in excess commodity disposals in fiscal years 2002 through 2004, $4 billion were reported to be in new, unused, and excellent condition. DOD units reutilized only $495 million (12 percent) of these items. The remaining $3.5 billion (88 percent) includes significant waste and inefficiency because new, unused, and excellent condition items were transferred and donated outside of DOD, sold for pennies on the dollar, or destroyed. DOD units continued to buy many of these same items. GAO identified at least $400 million of fiscal year 2002 and 2003 commodity purchases when identical new, unused, and excellent condition items were available for reutilization. GAO also identified hundreds of millions of dollars in reported lost, damaged, or stolen excess property, including sensitive military technology items, which contributed to reutilization program waste and inefficiency.

[…]

Weaknesses in accountability leave DOD vulnerable to the risk of theft, and fraud, waste, and abuse with little risk of detection.

This is certainly not the first time that the military disposal system has been under scrutiny. According to the GCN, the GAO cited the DoD for classification issues in 1998:

The Defense Department is unwittingly selling to the public surplus parts containing sensitive military technology, the General Accounting Office said recently.

When DOD buys spare parts for aircraft, ships, vehicles and weapons, the department assigns a code to the parts to indicate whether they contain sensitive military technology. But Defense has a history of assigning the wrong demilitarization codes to the parts and selling them anyway, a GAO report said.

And yet things seem to have worsened since 2000, according to the latest audit papers. It gets really scary when you consider how Rumsfeld ignored the danger of surplus weapons in Iraq, and that Hezbollah is bragging about a supply of American-made weapons:

[Deputy chief of the Hezbollah’s political arm, Mahmoud] Komati said Hezbollah has weapons made in various countries, including the United States, France, China and Russia.

“Some of our fighters carry M16s. So you think we buy them from America?” he asked.

No need, obviously, if you can just walk into the DoD warehouse unchallenged and pick up what you want.

Voting Machine Fraud Testimony

Interesting video (12 minutes) of sworn testimony by a programmer, who claims he was hired by Tom Feeney, the Republican Speaker of the House in Florida in 2000, to hack electronic voting systems. Many suspected Feeney of helping to orchestrate a Bush victory through nefarious methods, based on some of the language and actions at the time. For example, Florida Senate President John McKay worked closely with Feeney to bypass the Florida Supreme Court decision and call a special session of the Florida legislature to pick the state’s electors:

a reasonable person could conclude that the recent [Florida] Supreme Court actions [calling for a recount] may cause Congress not to accept our electors that have already been sent to Washington.

Our sole responsibility will be to put forth a slate of electors that is untainted and ensures that Florida’s 25 electoral votes count in this election, regardless for whom they voted.

No one has ever established on what basis McKay claimed that Congress would not accept Florida’s electors if there was a recount; the claim seems absurd. Now we see that he may have had a very real reason to oppose a recount: if Feeney had intentionally tainted the vote by corrupting electronic voting systems, a recount could have exposed him.

Google says click fraud “reasonable”

Actually, they point to an independent report that says they are doing a reasonable job stopping click fraud. Does that mean any click fraud they let through is reasonable too? Here’s the scoop, straight from the Google blog:

As part of the settlement in the click-fraud case Lane’s Gifts v. Google, we agreed with the plaintiffs to have an independent expert examine our detection methods, policies, practices, and procedures and make a determination of whether or not we had implemented reasonable measures to protect all of our advertisers. The result of that is a 47-page report, written by Dr. Alexander Tuzhilin, Professor of Information Systems at NYU. The report was filed with the court in Texarkana, Arkansas, this morning.

The bottom-line conclusion of the report is that Google’s efforts against click fraud are in fact reasonable. At several points in his report, he calls out the quality of our inspection systems and notes their constant improvement. It is an independent report, so not surprisingly there are other aspects of it with which we don’t fully agree. But overall it is a validation of what we have said for some time about our work against invalid clicks.