Posts from May 2007

Monday, 14 May 2007

Citibank: Online User Authentication Security Mechanism Thwarted

An Indian computer hacker known as Yash K.S. has found a way to manipulate a computer to thwart the virtual keyboard user authentication security mechanism that Citibank had employed in its online banking presence in India. Yash has published details of this exploit at http://www.tracingbug.com/index.php/articles/view/23.html

OK, enough of the technology jargon geek speak. I'm confident Citibank spent a lot of time and money developing this security mechanism to ensure the security of its online banking services. For being proactive in developing new methods of securing online banking, Citibank gets my sincere thanks as a banking industry consumer.

The biggest lesson is that no matter what a business or organization does to protect its technology systems, there will always be someone willing to spend a lot of effort (time and/or money) finding ways to breach its information security mechanisms. Risk cannot be avoided, only managed and minimized.

Friday, 11 May 2007

North Texas Crime Commission: Scam Jam 2007 Conference

Recently I had the opportunity to hear a presentation on the efforts of the North Texas Crime Commission (NTCC - http://www.ntcrimecomm.org).  The NTCC's mission is to bring together the law enforcement community at all levels (local, state, and federal), media, and citizens in the fight against crime in communities throughout the Dallas/Ft. Worth (DFW), Texas metropolitan area.

I'm grateful the DFW area has a dynamic organization like NTCC and local, state, and federal law enforcement agencies willing to share information and cooperate openly with private industry and the general public. In the post-September 11 world we live in, it is imperative that the general public, private industry, and the law enforcement community work together to provide safer communities and contribute to our national security efforts.

The NTCC is sponsoring a community event called Scam Jam 2007, which is open to the general public (free admission) on June 2, 2007 from 9:00 a.m. to 1:00 p.m. This event is focused on how everyone can protect themselves from fraud and identity theft. With permission of the NTCC, I'm posting a copy of the brochure announcing the event, ScamJam2007.pdf. The keynote speaker will be U.S. Congressman Pete Sessions.

It is good to see private industry, concerned community outreach organizations such as NTCC, and the law enforcement community work together for the good of every citizen.

Wednesday, 09 May 2007

22,000 Social Security Numbers Compromised at University of Missouri

Officials at the University of Missouri have acknowledged a second electronic attack this year that has compromised 22,000 social security numbers of students and alumni.  Currently the FBI is investigating this incident.

News reports (http://www.msnbc.msn.com/id/18561756/) indicate the information was accessed by manipulating a web page that allowed users to query an internal software application to compile reports for help desk issues. The attack originated from IP addresses in China and Australia.

Educational institutions should be more proactive in protecting personal information. Due to their open academic culture, educational institutions are prime targets for social engineering and technical attacks by persons intent on stealing personal information such as social security numbers. Perhaps educational institutions would do well to reconsider their business practices, operational procedures, and technical measures around the use and protection of personal information.

Official Statement from University of Missouri
http://www.umsystem.edu/ums/news/releases/news07050801.shtml

University of Missouri - Division of Information Technology / Computer Security
http://doit.missouri.edu/computersecurity/

Saturday, 05 May 2007

Transportation Security Administration (TSA) Data Security Breach: 100,000 Social Security Numbers, Banking Information, and Payroll Data Lost

The social security numbers, direct deposit bank information, and payroll data for 100,000 employees of the United States Transportation Security Administration (TSA) have been lost by the agency on a missing computer hard drive.

According to ABC News (http://abcnews.go.com/Politics/wireStory?id=3142155), the hard drive was lost from a "secured area" at the TSA's headquarters in Washington, D.C.

While the U.S. White House and the U.S. Department of Homeland Security attempt to reassure the American people that they are doing everything possible to secure our country from people who wish to harm us, it is not reassuring knowing that even secure government buildings can have security breaches. The TSA is not publicly commenting on whether the missing computer hard drive is only misplaced inside TSA headquarters or has been stolen.

Until this computer hard drive is found, as a law-abiding United States citizen, I'm concerned about someone being able to use the information on this device to somehow gain access and circumvent the security of facilities monitored and protected by the TSA (including airports, ports of entry into the United States, etc.).