Tag: Hacking

‘Tis the Season of Holiday Scams

In song, the gifts of Christmas include partridges, turtle doves and French hens. But scammers seek a different type of bird — pigeons who’ll fall for their holiday-themed hoaxes. To commemorate those lyrical dozen days, here are 12 tips to avoid getting plucked this holiday season.

12 ways to avoid cons and fraud this shopping season.

1. When doing online searches for names of popular gifts — or even words like “toys” and “discount” — never click on links before you carefully read the website’s address.

Beware of unfamiliar vendors or ones whose addresses have missing letters, misspellings or other tweaks of a legitimate company’s name (such as www.tiffanyco.mn instead of the legit www.tiffany.com). Click on these bum addresses and you may be steered to a scammer-run site that unleashes rogue programs known as malware onto your computer. Or you may be taken to a “cybersquatting” site that poses as a legitimate company’s online outpost to sell cheap counterfeit goods and collect credit card numbers.

2. Before ordering, check the site’s “Contact Us” page for a phone number and physical address and a “Terms and Conditions” page for return policies and such. Bogus websites often don’t have those pages at all or have crude imitations (being loaded with grammatical errors is one tip-off).

3. When buying gifts online, don’t provide your credit card or other information unless the page’s address begins with “https://”. The “s” is for “secure.”

4. Never trust offers that come after you lose a bid in an online auction. You may be told you can get the same thing offsite. It’s probably a scam.

5. At online marketplace sites such as Craigslist, deal only with sellers who provide a phone number. Call the number and speak with the person. Don’t rely solely on email correspondence. Assume that any request for wire-transfer payment means a scam.

6. Don’t believe “too-good-to-be-true” prices from sellers who claim to be soldiers needing a quick deal before deployment overseas or cite hard-luck stories. They are common tricks to get advance payment — and you’ll likely get no merchandise.


Earlier this week, Sophos released the latest edition of its Security Threat Report, summing up the biggest threats seen during 2012, along with five trends that are likely to factor into IT security in the coming year.

Regarding the malware rides we experienced in 2012 and the thrills we can expect in 2013, there will be cross-over, for sure: Blackhole was huge in 2012, and it’s not going away, barring the law nailing the person/s running it, the report notes.

Between October 2011 and March 2012, out of all threats detected by SophosLabs, nearly 30% either came from Blackhole directly or were redirects to Blackhole kits from compromised legitimate sites, as Naked Security’s coverage of Blackhole exploits attests.

This adroit exploit kit rapidly mutates to thwart security efforts against it, while its software-as-a-service business model is, as the report notes, something for business school grads to drool over.

The professionalization of crimeware such as Blackhole marks a major shift as we head into the new year.


Cybercrime vs. Cybersecurity

Many people rely heavily on the internet for running their daily lives. And every day, the number of internet-dependent people increases. From studying to socializing or shopping, many technologically savvy individuals use their computers or mobile devices to run errands and to entertain themselves. While technology has vastly improved our lives, countless dangers lurk on the internet. Cybercrime is on the rise and has already affected many individuals and companies.

Stu Sjouwerman, founder of KnowBe4, a site dedicated to cyber security awareness and training, stated that it has been a challenge to compete with the dynamic “industry” of cybercrime, but it is a challenge that Sjouwerman welcomes.

“There are people in Eastern Europe who go to work, punch the clock, work all day, get health benefits, leave at 5 p.m., and what they do is steal your identity or hack into your network,” Sjouwerman said.

Cybercrime has completely professionalized over the last few decades, in contrast to when only a handful of individuals had the time and money to hack into systems.

While cybercrime evolves into a larger industry, some people have yet to adapt. They are not aware of Sjouwerman’s number one rule in cyber security, “There is no security.”

Additional layers of good security can alleviate an individual’s stress regarding cyber-attacks, but security is no good replacement for human vigilance. It only takes one human error to let criminals into the system.

Professor Sean Peisert, a research computer scientist from the Lawrence Berkeley National Laboratory and a faculty member of the UC Davis Computer Security Lab, said that most anti-virus or anti-malware software only protects from known threats. As long as a hacker has enough time and resources, he or she can crack through any security system by creating something that security programs have not been programmed to deal with yet.

However, various computer and internet security companies and programmers adapt quickly in response to the challenge, learning from past hackers. Some computer security programmers work directly with hackers to improve security. For example, KnowBe4 has worked together with infamous computer hacker Kevin Mitnick. Mitnick was one of the first true computer hackers, breaking into company networks belonging to Motorola, NEC, Nokia, Sun Microsystems, Fujitsu and Siemens.

As for UC Davis, the busy people of the UC Davis Cyber-safety Program and the UC Davis Computer Security Lab work for better internet security.

The professors involved in the UC Davis Computer Security Lab explore and research various areas of internet security. Some, like Professor Hao Chen, work with mobile computing and mobile app security, while others, like Professor Karl Levitt, work on a variety of projects from intrusion detection to network tracking, and even election security.

Professor Peisert helped with the cyber attacks on the San Diego Supercomputer Center perpetrated by “Stakkato,” the alias of a group of hackers who broke into systems belonging to the U.S. Military, White Sands Missile Range, NASA and multiple universities.

In particular, Professor Matt Bishop of the UC Davis Computer Security Lab detects weaknesses in security systems.

“I look for vulnerabilities, break into things and try to fix them,” Bishop said.

He often looks at certain aspects of internet security, such as how people hide personal information. In addition, he is interested in computer security education, which includes teaching robust coding, a class of software in which the program can respond elegantly to unknown situations instead of crashing.

“Campus folk are good with security,” Bishop noted when asked about UC Davis’ status.

On the front line of UC Davis’ cyber security is Robert Ono, IT security coordinator of the UC Davis Cyber-safety Program. Currently, the campus staff upholds the adopted Cybersecurity policy of 2005 through governance models and stringent security standards for campus network devices. While maintaining the program’s website and handling security risks, Ono oversees campus security training.

“A biennial security symposium [hosting] hands-on training and lecture seminars for technologists,” Ono said, is one of the methods for training new staff.

Along with the symposium, training includes log management, threat management and coding techniques.

Companies, professors and staff are all working hard to improve cyber security, and they also offer steps and advice to help the general public protect themselves.

“Make sure you patch your computer and applications. If there is an update, do the update. Last but not least, use strong passwords and for god’s sake don’t use the same password all over the place,” Sjouwerman said.

Bishop gave an apt analogy regarding passwords.

“Use common sense. Realize that there are nasty folks on the internet. You wouldn’t give your car keys to someone you didn’t know very well, and you shouldn’t do the same with your password.”

Peisert said computer owners don’t need to buy loads of security software, since most end up ignoring the security alerts anyway.

“So, rule number one is back up your systems: Time Machine, CrashPlan, BackBlaze, Mozy, Dropbox and others are simple, inexpensive means for doing this.”

Ono suggested that the public “identify files on [their] computer that contain personal identity information (e.g. your name, Social Security number or credit card/financial account number) and remove the files if at all possible. There are free tools for personal use, such as IdentityFinder, that are available for scanning your Mac and Windows computer(s) for identity information.”

The overall lesson is this: practice caution and be wary, but do not be too paranoid since the internet is still a wonderful tool.


You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.


Defense technologists are most successful when they home in on specific problems. The Pentagon’s research agencies and their contractors were asked in 2003 to come up with ways to foil roadside bombs in Iraq and Afghanistan, and although they did not defeat the threat entirely, they did produce a number of useful detectors, jammers and other counter-explosive systems. More recently, military researchers received marching orders to help tackle the so-called “anti-access area-denial” threats, which is Pentagon-speak for enemy weapons that could be used to shoot down U.S. fighters and attack Navy ships.

The next wave of national security threats, however, might be more than the technology community can handle. They are complex, multidimensional problems against which no degree of U.S. technical superiority in stealth, fifth-generation air warfare or night-vision is likely to suffice.

The latest intelligence forecasts by the Obama administration and other sources point to five big challenges to U.S. and global security in the coming decades.

Biological Weapons: The White House published in 2009 a National Strategy for Countering Biological Threats with an underlying theme that biological weapons eventually will be used in a terrorist attack. To prevent deadly viruses from being turned into mass-casualty weapons, officials say, one of the most difficult challenges is obtaining timely and accurate insight on potential attacks. The Defense Threat Reduction Agency has a team of researchers working these problems. But they worry that the pace of research is too slow to keep up with would-be terrorists.

Nukes: Large stockpiles of nuclear weapons are tempting targets for nation-states or groups set on attacking the United States and its allies, officials assert. Black-market trade in sensitive nuclear materials is a particular concern for U.S. security agencies. “The prospect that al-Qaida or another terrorist organization might acquire a nuclear device represents an immediate and extreme threat to global security,” says an administration report. No high-tech sensors exist to help break up black markets, detect and intercept nuclear materials in transit and there are no financial tools to disrupt this dangerous trade. A much-hyped Department of Homeland Security effort to detect radioactive materials at U.S. ports has been plagued by technical hiccups. Analysts believe that although a full-up nuclear weapon would be nearly impossible for an al-Qaida-like group to build, a more likely scenario would be a low-yield “dirty bomb” that could be made with just a few grams of radioactive material.

Cyber-Attacks: The drumbeats of cyberwarfare have been sounding for years. Network intrusions are widely viewed as one of the most serious potential national security, public safety and economic challenges. Technology, in this case, becomes a double-edged sword. “The very technologies that empower us to lead and create also empower individual criminal hackers, organized criminal groups, terrorist networks and other advanced nations to disrupt the critical infrastructure that is vital to our economy, commerce, public safety, and military,” the White House says.

The cybersecurity marketplace is flooded with products that promise quick fixes but it is becoming clear that the increasing persistence and sophistication of attacks will require solutions beyond the traditional.

Climate Change: The national security ramifications of climate change are severe, according to Defense Secretary Leon Panetta. While the topic of climate change has been hugely politicized, Panetta casts the issue as a serious security crisis. “In the 21st century, we recognize that climate change can impact national security — ranging from rising sea levels, to severe droughts, to the melting of the polar caps, to more frequent and devastating natural disasters that raise demand for humanitarian assistance and disaster relief,” Panetta said. The administration projects that the change wrought by a warming planet will lead to new conflicts over refugees and resources and catastrophic natural disasters, all of which would require increased U.S. military support and resources. The scientific community, in this area, cannot agree on what it will take to reverse this trend. There is agreement, though, that there is no silver bullet.

Transnational Crime: U.S. defense and law-enforcement agencies see transnational criminal networks as national security challenges. These groups cause instability and subvert government institutions through corruption, the administration says. “Transnational criminal organizations have accumulated unprecedented wealth and power through the drug trade, arms smuggling, human trafficking, and other illicit activities. … They extend their reach by forming alliances with terrorist organizations, government officials, and some state security services.” Even the United States’ sophisticated surveillance technology is not nearly enough to counter this threat, officials say.


When hackers broke into computers at Abilene Telco Federal Credit Union last year, they gained access to sensitive financial information on people from far beyond the bank’s home in west-central Texas.

The cyberthieves broke into an employee’s computer in September 2011 and stole the password for the bank’s online account with Experian Plc, the credit reporting agency with data on more than 740 million consumers. The intruders then downloaded credit reports on 847 people, said Dana Pardee, a branch manager at the bank. They took Social Security numbers, birthdates and detailed financial data on people across the country who had never done business with Abilene Telco, which has two locations and serves a city of 117,000.

The incident is one of 86 data breaches since 2006 that expose flaws in the way credit-reporting agencies protect their databases. Instead of directly targeting Experian, Equifax Inc. and TransUnion Corp., hackers are attacking affiliated businesses, such as banks, auto dealers and even a police department that rely on reporting agencies for background credit checks.

“This is profoundly important, because it illustrates a growing problem when it comes to data breaches and security – the chain is only as strong as its weakest link,” Senator Richard Blumenthal of Connecticut, a former attorney general who has investigated credit-rating agencies before, said in an interview. “If their customers have inadequate security practices, so do the credit bureaus.”

Six States

This approach has netted more than 17,000 credit reports taken from the agencies since 2006, according to Bloomberg.com’s examination of hundreds of pages of breach notification letters sent to victims. The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe and who asked not to be identified to preserve the separation between profession and advocacy.

Experian, based in Dublin, and Chicago-based TransUnion said in statements that the breaches began with infections of customers’ computers, an area over which they have little control. The credit bureaus said that their databases weren’t breached directly.

Tim Klein, a spokesman for Atlanta-based Equifax, and Clifton O’Neal, a spokesman for TransUnion, declined to comment on specific cases. Neither would provide details about any breaches they’ve had involving the compromised log-ins of clients.

Protect Consumers

“We continue to invest in the security systems we have in place to protect our clients and consumers,” Gerry Tschopp, a spokesman for Experian, said in an e-mailed statement. “Of course, the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”

Representatives of Abilene Telco said no bank employees were involved in the data breaches.

“We don’t know what happened and we don’t know how it happened — we just know we didn’t do it,” Pardee, the branch manager at Abilene Telco, now renamed First Priority Credit Union, recalls telling victims who called the bank after discovering that someone had viewed their credit reports.

Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports, according to the DataLossDB.org website, where Dissent Doe and other advocates have posted the documents. All of the incidents involved hackers stealing online log-in credentials from the credit bureaus’ customers.

Congress Investigation

The incidents shed new light on security weaknesses at credit bureaus at a time they are under investigation by both houses of Congress over how much data they collect and how it’s used. While security hasn’t been a focus of the probes, the breaches are cause for further investigation, Blumenthal said.

Dissent Doe has filed a complaint with the Federal Trade Commission, arguing for a formal investigation into Experian’s security practices and urging lawmakers to enact legislation that creates a national database of breach reports.

The FTC declined to comment specifically on the incidents. The agency has punished data brokers when hacking attacks on their customers led to the theft of credit reports. Last year, the FTC sued three credit-report resellers when compromised client log-ins resulted in more than 1,800 stolen reports. The agency also filed a lawsuit in 2008 against a mortgage lender after at least 400 credit reports were stolen.

Failure to Check

The commission faulted the companies for failing to check whether their customers had sufficient security and for not adequately monitoring suspicious behavior coming from them. The cases were settled, with the companies agreeing to 20 years of security audits.

“If you are providing access through an online portal, it’s your responsibility to secure that portal,” Maneesha Mithal, associate director of the FTC’s division of privacy and identity, said in an interview.

Credit reports are highly coveted in an identity theft industry that the U.S. Department of Justice estimates affected more than 8.6 million people and cost U.S. households $13.3 billion in direct financial losses in 2010.

FTC Crackdown

When criminals steal a credit report, they get enough information to take out new credit cards, qualify for loans, get a driver’s license and even obtain medical treatment, according to Chris Jay Hoofnagle, director of information privacy programs for the Berkeley Center for Law & Technology.

“One basic problem is that unsophisticated companies tend to treat their own customers as insiders, and not treat them with the type of skepticism and controls aimed at outsiders (hackers),” he wrote in an e-mail. “Of course, the insider risk is a massive problem.”

A crackdown by the FTC almost a decade ago led to stronger security measures among information brokers, including credit bureaus, according to Jay Foley, a partner with the consulting firm ID Theft Info Source, who has followed the industry since 1999. Those efforts, though, have focused mostly on preventing the data providers from being tricked into giving criminals accounts that give them access to credit reports, Foley said.

A series of breaches at ChoicePoint and Seisint, data brokers that were bought by LexisNexis parent Reed Elsevier Plc, led to landmark settlements that served as a warning to the industry. The newly disclosed breaches show that credit bureaus haven’t invested enough in fraud-detection technology to spot odd behavior coming from customers, Foley said.

The company has since improved its security with a number of measures including audits and additional fraud-detection technologies, Stephen Brown, a spokesman for Reed Elsevier’s LexisNexis division, said in a statement.

“The industry has cleaned up its act, but the act it was cleaning up was who they were allowing to have credentials,” Foley said in an interview. So instead, criminals are going through the third parties that have already gotten approval, he said.


Could Hackers Change Our Election Results?

As the rest of the nation’s citizens sit on pins and needles about who will win the presidential election — Barack Obama or Mitt Romney — information security pros are even more anxious in their wait to see whether this is the year that hackers find a way to subvert or disrupt the increasingly electronic-voting process. According to security experts, the situation is ripe for the bad guys to strike.

Hacktivist groups like Anonymous and LulzSec have perfected their crowdsourced attack methods, and nation-state hackers have more resources than ever to carry out complicated attacks. Meanwhile, voter databases are increasingly interconnected within complex and often insecure local and state IT infrastructure, while the electronic voting systems many states depend on are plagued with vulnerabilities that the security community has been warning citizens about for the better part of a decade.

“If big, Internet-based companies like Yahoo, LinkedIn, or Sony can fall to hackers, then, yeah, big government databases and local authorities who actually administer the election process can be hacked,” says Stephen Cobb, security evangelist for ESET. “I’m somewhat surprised it hasn’t happened yet.”

First on some security experts’ watch list is the potential for hacking online or networked voter databases. Some experts expressed worry that thieves could steal these databases for financial gain, but as Rob Rachwald, director of security strategy for Imperva, put it, “Most voter databases don’t contain a whole lot of sensitive data; they typically contain your name and address, which isn’t terribly private.”

However, if bad actors were able to make changes in the database, that’s where the real trouble would start. If attackers can gain access to these databases to switch addresses for the sake of disenfranchising certain select groups of voters who’d find themselves missing from precinct lists on election day, or to institute wide-scale mail-in voter fraud, then they could still affect an election’s outcome.

Such scenarios are hardly far-fetched or improbable, numerous experts warned. And with states like Washington and Maryland opening up data voter registration online, the potential threat surface only increases.

“Any system that is networked, especially to the Internet, is inherently vulnerable to attacks on its availability, and the confidentiality and integrity of its data,” says Steve Santorelli, director of global outreach for the security research group Team Cymru.


Google has launched a new effort to warn its users that they could be the victims of cyberattacks from hostile governments.

Account-holders working in international relations, development and other sensitive areas have received messages from the search giant informing them of recent efforts to spy on their online history.

The move comes after the company started detecting ‘tens of thousands’ of new hacking attacks originating in the Middle East.

Google is a tempting target for hackers, as it is not focussed solely on search but also offers its users services such as email, mapping and Chrome, one of the most popular web browsers.

This week, according to the New York Times, users thought to have been targeted saw a message attached to their accounts saying, ‘Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.’


The U.S. Secret Service is looking into claims that someone stole presidential nominee Mitt Romney’s income tax returns and is threatening to release them if he doesn’t pay up.

Secret Service spokesman George Ogilvie told CNET today that the agency is investigating, but had no further comment.

The claim was made in a post on the Pastebin site on Sunday that alleged that Romney’s federal tax returns were taken from the offices of PricewaterhouseCoopers in Franklin, Tenn., on August 25 by someone who snuck into the building and made copies of the document. The message author threatened to release the files publicly on September 28 and said copies of the files had been given to Democratic and Republican leaders in that county. Democrats have made Romney’s refusal to release his tax returns a key point in their criticism that he is not in touch with working class voters.

Part of the message, which was not signed, reads:

Romney’s 1040 tax returns were taken from the PWC office 8/25/2012 by gaining access to the third floor via a gentleman working on the 3rd floor of the building. Once on the 3rd floor, the team moved down the stairs to the 2nd floor and setup shop in an empty office room. During the night, suite 260 was entered, and all available 1040 tax forms for Romney were copied. A package was sent to the PWC on suite 260 with a flash drive containing a copy of the 1040 files, plus copies were sent to the Democratic office in the county and copies were sent to the GOP office in the county at the beginning of the week also containing flash drives with copies of Romney’s tax returns before 2010. A scanned signature image for Mitt Romney from the 1040 forms were scanned and included with the packages, taken from earlier 1040 tax forms gathered and stored on the flash drives.

A follow up message posted yesterday said the files were accessed from the PWC network file servers and would be released in encrypted form to major news media outlets. The encrypted key to open the files would be released publicly unless Romney paid the hackers $1 million by transferring that amount — in the virtual currency called Bitcoins — to a specific account. However, if someone else wants the information to be released publicly sooner than that, they would need to transfer the same amount to a different Bitcoin account, the message said.

PricewaterhouseCoopers released a statement saying it had not found evidence of a system breach.

“We are aware of the allegations that have been made regarding improper access to our systems,” the statement said. “We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question.”

Romney’s campaign headquarters in Fairfax, Va., did not respond to a CNET request for comment. The news was first reported in The City Paper in Nashville.


A US mother is facing six felony counts for allegedly hacking into her children’s school computer, changing their grades, and accessing the school’s human resources system to open thousands of personnel files that contained contracts, employee reports and other information.

The mother, Catherine Venusto, 45, from New Tripoli, Pennsylvania, worked as a secretary for the Northwestern Lehigh School District from 2008 through April 2011 and has at least two children in the district, according to the District Attorney’s office.

Venusto is accused of changing her daughter’s grade from an F to an M for “medical,” of allegedly boosting her son’s grade of 98 percent to 99 percent, and of using the superintendent’s information to log onto the district email system and to access Northwestern Lehigh’s human resources system.

According to Lehigh Valley Live.com, Venusto allegedly used the superintendent’s password 110 times over the course of a year and a half to conduct the mischief.

Authorities told news outlets that Venusto also used the information of nine other Northwestern Lehigh employees, most of whom were in the guidance department, to access computer systems.

According to Lehigh Valley Live, officials first suspected a problem in January after the high school principal told superintendent Dr. Mary Anne Wright that teachers didn’t understand why she was checking their computer-based gradebooks.

Wright told the principal that she hadn’t looked at the books. That’s when the jig was up.

The district immediately shut down the student information system, quickly initiated steps to bolster security, and turned the matter over to state police, Wright told Lehigh Valley Live:

“Within three hours of suspecting unauthorized access, email, student information system and the district shared drive were shut down until we were able to fully identify the issue. New security measures were put in place before the systems were accessed again by staff, students or parents.”

Venusto is facing three counts each of unlawful use of a computer and computer trespass, which are third-degree felonies.

She was arraigned on Wednesday and released on $30,000 unsecured bail, which she’ll only have to pay if she fails to appear in court for her preliminary hearing on July 26.

If she’s convicted, Venusto could face a maximum of 42 years in prison or a $90,000 fine, District Attorney’s office spokeswoman Debbie Garlicki told ABC News Radio.

Garlicki said that the maximum penalty on each count is seven years or a $15,000 fine.

The school district may well have acted promptly to clamp down systems and improve security after they discovered the trespassing and tinkering, but the plain fact is that leading up to this incident, employees seemed to play fast and loose with security.

Perhaps it’s necessary for a superintendent’s secretary to know her boss’s login information. Even if it is, it’s hard to imagine why Wright failed to change her password after Venusto left her job.

This is a good reminder that a password that walks out the door inside the brain of an ex-employee (as well as a current employee, insider-threat-wise) could well come back to haunt us.
