Archive for April, 2010

9-year-old hacks the school superintendent

April 18th 2010

Jeremy Epstein reported this terrific report to Peter Neumann’s Risks List: a school kid logged in as superintendent of schools. This was in Fairfax County, where I grew up. They use Blackboard, just like the college where I teach.

And yes, we’re talking about a nine-year-old. It turned out to be a security policy problem. A teacher can add a student to a class, and a teacher has the power to change a student’s password.

The kid found out his teacher’s Blackboard password. They don’t say how in the news, but it may have been written on a post-it, or some other piece of paper, or it may be the same as a password the kid watched the teacher use somewhere else, or it could just be an easy-to-guess choice.

Continue Reading »

Posted under Security & Tech Teaching | No Comments »

Security Versus Compliance: Old Guard Versus Digital Natives?

April 6th 2010

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs – you can’t do much retail work unless you take credit cards – so it’s hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don’t make a special effort to protect company-specific assets.

Kapersky Labs posted a reasonable summary of the report.

Slashdot’s title writers dramatically misread the report, summarizing it under the title “Compliance is Wasted Money.” I tend to think of Slashdot as being edgy in a digital native sort of way, so I’m surprised they spun it that way.

I think the report reflects two things. First, companies don’t want to spend money to assess their losses from leaked company data, unless they’re already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don’t want to collect such information: bad news makes management look bad, and there’s no countervailing data to show a measurable benefit to being a more open company.

Continue Reading »

Posted under Security | No Comments »