I am available for limited public interviews on topics relating to information security. To schedule an interview, you can reach me via the contact page.

These are articles written for the benefit of the InfoSec community. Feel free to use these and publish them on your website or blog as long as you include a link to this website. This material carries a Creative Commons (CC) Attribution Share Alike CC BY-SA license.

• Important Components of Security Auditing
• Recovering data from a corrupted hard drive with McAfee Endpoint Encryption
• Infosec Considerations of Job Rotation
• Industry Compliance - HIPAA - PCI DSS
• Assessing Information Risk

• YouPorn passwords available for download, thousands of users exposed
  Want a free password for one of the world's most popular adult websites? YouPorn, one of the world's most popular porn video websites appears to have been caught with its pants down.
• IMP or CCDP? Who cares, it's still storing your data
  The Communications Capabilities Development Programme is the British government's attempt at rehashing the opposing Labour party's failed surveillance reforms. The Interception Modernisation Programme was the subject of much criticism; does this new programme look any better?
• IRS releases its top 'Dirty Dozen' tax scams
  Ushering in tax season, the U.S. Internal Revenue Service (IRS) has released its annual "Dirty Dozen" tax scams for 2012.
• Beware Changelog spammed-out malware attack
  Internet users are receiving emails claiming to contain a changelog - but the files attached are really designed to infect computers.
• Alleged fraudster has until next week to decrypt her hard drive for prosecutors
  Prosecutors are keen to discover what is on the encrypted laptop of Ramona Fricosu, a Colorado woman accused of committing financial fraud. The case has raised interesting questions of whether you can be forced by law to hand over your password, or decrypt your computer.
• Pirate Bay faces UK web block
  The High Court in London has paved the way for what could become a nationwide ban on accessing the notorious Pirate Bay file-sharing website.
• 'X' is named. Alleged computer hacker at the centre of News of the World scandal
  Security consultant Philip Campbell Smith is alleged to have used a Trojan horse to hack into a computer belonging to Ian Hurst, a former British army intelligence officer who handled IRA informers in Northern Ireland.
• Don't lose your Klingon inheritance. It's spam of the day
  Our Klingon anti-virus product has been told it could receive a massive inheritance. Hmm.. does anyone smell anything a bit Ferengi about this?
• Ex-girlfriend sex videos, browser plugins and Facebook survey scams
  Scammers are up to their old tricks on Facebook, tricking users into visiting revenue-generating survey scam websites by appearing to offer sex videos.
• Jail for 'ethical' hacker who bypassed Facebook security from his bedroom
  A British student who breached security at Facebook last year has been sentenced to eight months in jail, despite arguing that his intentions were not malicious.
• Central Oregon Community College Web Site Offline After Dual Security Attacks
  `Quick Facts
  • Date: 5/6/2011
  • Institution: Central Oregon Community College
  • Type of Incident: Penetration
  • Number Affected: Unknown
  • Source: ESI
  • Abstract Source: KTVZ

  Abstract
  Central Oregon Community College recently notified users after taking the college's web site down following a two security breaches. According to notices sent by COCC officials, the web site was taken down on Wednesday and then again on Thursday following security breaches of the site on both days. While originally COCC did not believe any personal information was at risk, additional investigation showed the attacker(s) may have had accesses to 2011 COCC nursing program applicant data and 2012 COCC Foundation scholarship data. According to the notices sent to students in each of these groups, the applications did not contain credit card or Social Security numbers, but did contain email addresses and COCC ID numbers. According to the college, investigations are still ongoing to make sure no additional personal or sensitive information is at risk following the breaches. COCC is working with local and federal law enforcement during the investigation.

• Error Exposes Trinity College Dublin Student Data To Campus Network
  `Quick Facts
  • Date: 4/29/2011
  • Institution: Trinity College Dublin
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: Unknown
  • Source: DataBreaches.net
  • Abstract Source: Irish Times

  Abstract
  Trinity College Dublin recently announced the discovery of a file containing student and information was available to anyone on the college network. The file, which was accessible between August 2009 and March 2011, contained the names, addresses, ID numbers and email addresses of TCD students and staff. In the announcement to those affected, TCD officials stressed the fact that the file was not accessible via the Internet, only the campus network. As required by data privacy legislation, TCD reported this incident to the Data Protection Commissioner.

• File Cabinet Containing Central Ohio Technical College Student Records Found At Storage Facility
  `Quick Facts
  • Date: 4/18/2011
  • Institution: Central Ohio Technical College
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: 617
  • Source: ESI
  • Abstract Source: The Columbus Dispatch

  Abstract
  Central Ohio Technical College recently notified students after educational records were discovered in a file cabinet at an area storage facility. The cabinet, found at the Apple Tree Auction Center, contained course registration cards containing the names and Social Security numbers of 617 students registered for classes in Fall 2010. The cabinet was accidentally sent to storage when the college moved the Student Records office. Since January 2011, the college no longer records Social Security numbers on course registration cards. According to Central Ohio Technical College spokeswoman Alice Hutzel-Bateson, the records were back in the college's possession within 24 hours. The college is offering 12 months of free credit monitoring to those affected by this accident. Students with questions are asked to contact the college's Registrar Jackie Stewart at 740-364-9599.

• Prank Results In Eastern Illinois University Data Breach
  `Quick Facts
  • Date: 4/18/2011
  • Institution: Eastern Illinois University
  • Type of Incident: Student Misconduct
  • Number Affected: Unknown
  • Source: ESI
  • Abstract Source: Eastern Illinois University Press Release

  Abstract
  Eastern Illinois University recently announced the potential exposure of sensitive information after the improper disposal of paper records. The records, contained in two bags taken by a student worker as part of a prank, contained the names and Social Security numbers of individuals employed by EIU in 2002. At this point, the university is working to identify the individuals affected. Coles County Sheriff's Department notified the university on Friday morning that coarsely shredded documents had been dumped roadside. The university responded quickly and staff were sent to find and collect the shredded documents. While the records were shredded in accordance with state guidelines, sensitive information may have been visible. The university is working to institute procedures to prevent a similar incident in the future.

• NUI Galway Student Information Exposed In Breach
  `Quick Facts
  • Date: 4/14/2011
  • Institution: National University of Ireland, Galway
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: Unknown
  • Source: DataBreaches.net
  • Abstract Source: NUI Galway Notice

  Abstract
  The National University of Ireland, Galway recently announced that a file containing personal student information was accidentally made available. The file contained the names, student ID numbers, email address, and mobile phone numbers of students from 2008. The data was exposed after a security issue with the NUI Galway Clubs and Societies computer housing the file and the university believes the file was accessed multiple times between September 2008 and December 2009. The university setup a hotline - 091 492852 - to help answer questions those affected might have.

• [Update1]Financial Aid Computers Stolen From Albright College
  `Quick Facts
  • Date: 4/13/2011
  • Institution: Albright College
  • Type of Incident: Theft
  • Number Affected: 10,000
  • Source: ESI
  • Abstract Source: WFMZ
  • Update1 Source: Reading Eagle Press

  Abstract
  Albright College recently announced the possible breach of personal information following the theft of computers containing personal information. The computers, stolen from the college's Financial Aid Office in February, contained names, addresses, dates of birth, Social Security numbers and account information on as many as 10,000 current students, prospective students, former students, faculty and staff. According to Albright Vice President for Enrollment Management Gregory E. Eichhorn, the theft may also affect parents, spouses or joint account holders as well. In response to the theft, Albright Public Safety has increased evening and weekend patrols and the college's Information Technology Services are working with departments to reduce the amount of confidential information retained on desktops. The college is working with the Reading Police Department, the County District Attorney's Office and the FBI. Crime Alert Berks County has setup a hotline - 877-373-9913 - for individuals that have more information regarding the theft and is offering up to a $5000 reward for information leading to an arrest.

  Update1
  One of the two computers stolen from Albright College has been recovered by State Police. The suspect in the theft appears to have stolen the computers to fund a drug habit and was not after the information on the device. The recovered laptop appears to contain most of the sensitive and personal information exposed by the theft. According to Sgt. Raymond Guth, there does not appear to be any evidence that the information on the recovered drive had been compromised by the theft.

• Public Records Request Exposes Wenatchee Valley College Student Information
  `Quick Facts
  • Date: 3/31/2011
  • Institution: Wenatchee Valley College
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: 3,800
  • Source: ESI
  • Abstract Source: The Wenatchee World

  Abstract
  Wenatchee Valley College recently contacted former students after an error processing a public records request released personal student information. In response to a request from a local law firm for 10 years of financial records, WVC forwarded 84,000 pages of information that contained the names and Social Security numbers of 3,800 students that attended the college in 2002. The error was discovered by Brent Magarrell on March 24th. Magarrell contacted WVC about the error and also filed a FERPA violation complaint with the Department of Education.

• Stolen Computer Contains NYU Langone Patient Data
  `Quick Facts
  • Date: 3/29/2011
  • Institution: New York University, Langone Medical Center
  • Type of Incident: Theft
  • Number Affected: 670 (2 Social Security Numbers)
  • Source: OSF DataLoss DB
  • Abstract Source: NYU Langone Medical Center Breach Notification

  Abstract
  New York University Langone Medical Center recently announced that patient information may be at risk following the theft of a computer from a physician's office. The computer, used for research and stolen from the NYU School of Medicine Faculty Group Practice on January 27, contained the names, diagnosis, results of diagnostic tests, and clinical information gathered during office visits on 653 patients between April 1999 and September 2008. An additional 26 letters were sent to individuals whose medical record numbers, home addresses, dates of birth, occupation and, in two cases, Social Security numbers may have been contained on the computer. A suspect in the theft has been arrested but the stolen computer was not recovered at the time. NYU Langone has setup a hotline - 1-877-698-2333 - to help provide more information to those affected by the theft.

• University of Regina Web Server Compromised, No Data Exposed
  `Quick Facts
  • Date: 3/29/2011
  • Institution: University of Regina
  • Type of Incident: Penetration
  • Number Affected: None
  • Source: ESI
  • Abstract Source: CBC

  Abstract
  The University of Regina recently announced that a security breach caused the university to shutdown its main web server. The breach appeared to effect only the web site. While the server was compromised university officials state that no confidential information was accessed by unauthorized individuals. Staff had corrected the problem causing the breach shortly after discovery.

• University of Kent Disability Services Email Discloses Patient Names
  `Quick Facts
  • Date: 3/18/2011
  • Institution: University of Kent
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: 615
  • Source: ESI
  • Abstract Source: ZDNet

  Abstract
  The University of Kent recently responded to a mistake that exposed the personal information of students registered with the Disability and Dyslexia Support Services at the university. The email, sent to inform students of arrangement being made for final exams, contained the names of 615 students in the CC field, exposing their names, email addresses and the fact that they receive support from Disability and Dyslexia Support Services to the other students. In a second email university officials apologized for the disclosure of protected information and had reported the incident to the Office of the Information Commissioner.

• University of York Web Site Leaks Data On Entire Student Population
  `Quick Facts
  • Date: 3/14/2011
  • Institution: University of York
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: 17,904
  • Source: ESI
  • Abstract Source: Nouse - University of York's Student Website

  Abstract
  The University of York is apologizing after a university website may have exposed personal student information. It was recently discovered that a student inquiry screening function enabled on the University of York web site disclosed personal details such as names, mobile phone numbers, home and university addresses, dates of birth, email addresses, and emergency contact information for 17,094 undergraduate, post-graduate and part-time students. The information was available to the general public and could be retried by entering as little as initials or course information. According to Stephen Town, University of York's Director of Information, the university rectified the situation as soon as it was notified and has notified the Information Commissioner about the breach. The university apologized for the incident and has launched an investigation to fully review data security at the university.

• Zeus Computer Virus Exposes Virginia Tech Social Security Numbers
  `Quick Facts
  • Date: 3/11/2011
  • Institution: Virginia Tech
  • Type of Incident: Penetration
  • Number Affected: 370
  • Source: ESI
  • Abstract Source: The Roanoke Times

  Abstract
  Virginia Tech recently notified a number of current and former employees after a computer virus may have exposed personal information. The infected computer, located in VT's controller's office, contained the names and Social Security Numbers of 370 current and former employees. The Zeus infection, which occurred on Feb 15, was discovered on Feb 23 during an audit of computers that store Social Security numbers. In the letters to those affected the university is offering 12 months of credit monitoring. According to VT spokesman Mark Owczarski, there have been no reports of identity theft relating to the breach.

• University of Windsor Mailing Mixup Send Tax Slips To Wrong Addresses
  `Quick Facts
  • Date: 3/10/2011
  • Institution: University of Windsor
  • Type of Incident: Unauthorized Disclosure
  • Number Affected: 650
  • Source: ESI
  • Abstract Source: CBC News

  Abstract
  The University of Windsor recently sent out notification letters after a mailing mixup exposed personal information. The university's Finance Department sent out 650 T4 tax slips, containing names, Social Insurance Numbers, and financial information, that were addressed to the wrong recipients. After discovering the mistake, the university sent out email messages and letters as well as placed phone calls to the recipients of these 650 tax slips and have received around half of them back. Executive Director of Communications Holly Ward said the university plans to increase communication efforts to get the rest of the 650 tax slips back.

• Stolen Midlands Tech Flash Drive Contains Personal Information
  `Quick Facts
  • Date: 3/9/2011
  • Institution: Midlands Technical College
  • Type of Incident: Theft
  • Number Affected: 500
  • Source: DataBreaches.net
  • Abstract Source: The State

  Abstract
  Midlands Technical College recently notified employees after the theft a flash drive containing sensitive information. The flash drive, stolen from the college's human resource office, contained HR data on 500 employees. The flash drive was later returned to the college, but it did not contain any of the information that was on the drive when it was stolen. According to Midland's Director of Human Resources and Legal Counsel Crystal Rookard the individual responsible for taking the drive indicated they did not open or view any of the files on the drive. As a precaution, Midlands is offering one year of credit monitoring to affected employees.

• [Update1]Former Eastern Michigan University Student Workers Investigated For Providing Personal Information To Third Party
  `Quick Facts
  • Date: 3/9/2011
  • Institution: Eastern Michigan University
  • Type of Incident: Employee Fraud
  • Number Affected: 64 (Updated)
  • Source: DataBreaches.net
  • Abstract Source: The Eastern Echo
  • Update1 Source: Detroit Free Press

  Abstract
  Eastern Michigan University is notifying students after investigating inappropriate student records access by former student workers. The individuals under investigation appear have to inappropriately used their access records containing the names, dates of birth and Social Security numbers to provide the information of 45 students to an unauthorized third party. The EMU Police are investigating the incident with assistance from Federal authorities and EMU is not in a position to disclose details. The individuals affected have been advised to place fraud alerts on their credit reports and the university has plans to notify the campus community when it is in a position to do so.

  Update1
  Eastern Michigan University has identified 58 individuals whose information was accessed without authorization by two former student workers. In addition, 6 students have come forward after unable to file Income Tax Returns since someone had already used their Social Security numbers on other returns.