March 13th, 2010
Posted in Security News | Comments Off
March 13th, 2010
Twitter aims to push security (Periscope IT)
In a proactive step to improve security and perhaps cut down on the need for website monitoring, Twitter is taking an innovative approach to the security of …
March 13th, 2010
There is a grade changing scandal over at Walt Whitman High School locally in Montgomery County, Maryland. A teacher noticed that the grades in the system did not match what he or she entered. Investigation has found 54 changes.
Montgomery County Schools CTO Sherwin Collette said they believe teachers' passwords were obtained through the use of hardware keystroke logging.
Hardware keystroke loggers are readily available online. Check out this video from irongeek if you aren't familiar with hardware keystroke loggers. Basically it's just what it sounds like: a transparent USB or PS/2 device that sits between the keyboard and the computer port.
Remember number 3 of Microsoft's Immutable Laws of Security: if a bad guy has unrestricted physical access to your computer, then it's not your computer anymore.
The best solution to this sort of problem is multifactor authentication. The thinking is that if the password is stolen then it can't be used again later. Of course, some systems will allow concurrent logons, allowing an attacker to immediately use the learned password. (That wouldn't work with this device, but keystroke loggers can also use wireless/Bluetooth to send the learned information immediately.)
People who don't use multifactor authentication always think it costs too much. I wonder how much Montgomery County has spent on this incident. The cost of securing the data should have been part of the original decision to put the grade system online.
Even without strong authentication, other things could be done to protect against this sort of attack. It's not clear if the attackers used the teacher's computer. If they didn't, that might get flagged by anomaly detection, which would note that the account was normally used during the day from location A but suddenly was also used from location B at another time.
Displaying last logon and location to the user might have helped. If someone was unusually observant they might notice they didn’t use the account then.
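The two checks described above, sketched as an added example (not code from the original post or from the school system): a logon is flagged when it comes from a source the account has never used and at an hour outside its usual range, and every logon is paired with the "last logon" banner the user would see. The account name, source names, thresholds and log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events: (ISO timestamp, account, source).
EVENTS = [
    ("2010-01-11T08:05", "teacher1", "classroom-12"),
    ("2010-01-12T07:58", "teacher1", "classroom-12"),
    ("2010-01-13T15:10", "teacher1", "classroom-12"),
    ("2010-01-14T22:40", "teacher1", "library-pc-3"),   # new source, odd hour
    ("2010-01-15T08:02", "teacher1", "classroom-12"),
    ("2010-01-15T12:30", "teacher1", "staff-room-2"),   # new source, usual hour
]

def review_logons(events, min_history=3, hour_slack=1):
    """Return (timestamp, source, banner, flagged) for each logon, in time order.

    banner is the "last logon" text shown to the user at that logon.
    flagged is True when the source is new for the account AND the hour
    falls outside the account's observed range (plus hour_slack).
    """
    sources = defaultdict(set)    # account -> sources seen in unflagged logons
    hours = defaultdict(list)     # account -> hours seen in unflagged logons
    previous = {}                 # account -> banner text for the next logon
    results = []
    for ts, account, source in sorted(events):
        hour = datetime.fromisoformat(ts).hour
        known = hours[account]
        flagged = False
        if len(known) >= min_history:          # need a baseline before judging
            new_source = source not in sources[account]
            low, high = min(known) - hour_slack, max(known) + hour_slack
            flagged = new_source and not (low <= hour <= high)
        results.append((ts, source, previous.get(account), flagged))
        # The banner records every logon, including flagged ones, so the
        # real owner sees the unexpected session at their next logon.
        previous[account] = f"Last logon: {ts} from {source}"
        if not flagged:                        # do not learn from anomalies
            sources[account].add(source)
            known.append(hour)
    return results

if __name__ == "__main__":
    for ts, source, banner, flagged in review_logons(EVENTS):
        print(ts, source, "ALERT" if flagged else "ok", "|", banner)
```

Requiring both conditions keeps a teacher who simply moves to another room during the day from raising an alert; a stricter deployment could flag either condition alone.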
The Post reports that Montgomery County Schools will now have a 120-day password expiration policy. That indicates that before, they didn't expire passwords at all. This means a stolen password is only good for one school year. Still a long time.
Some people are taking a "boys will be boys" attitude about this. They don't understand why the police are investigating this as a criminal matter. If they'd stolen a Facebook password and vandalized the teacher's Facebook page, I might be laughing. With grades, they had to know they were doing wrong. And worse yet, these false grades were likely used to fraudulently gain admission to college, potentially depriving a more deserving person.
Right now all we can do is speculate based on media reports. And worry about whether the businesses we deal with are ready for 21st century attacks.

March 12th, 2010
This makes no sense to me, even though — I suppose — it’s a squid cryptography joke….
March 12th, 2010
This one on simple-talk.com….