Penn State team receives Google grant for app security
3/20/13
An international research team including Penn State computer engineers has received a $50,000 Google Faculty Research Award focusing on smartphone application security.
A computer at Penn State Harrisburg that contained 808 Social Security numbers (SSNs) was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. The SSNs were found in archived documents related to conference registrations from 1999 to 2001. "Malware" is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, worm or other destructive program.
As soon as the University became aware of the malicious software on this computer, it was immediately taken offline. Although it cannot be determined with certainty that any data was pulled from the computer by the malicious software, the University's policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.
Continuing investigation has revealed that 5,904 driver's license numbers, belonging to current and former students at Penn State Altoona, may have been compromised during a previously reported attack on an application hosted on a server on Penn State's University Park campus. The application was compromised using a technique known as SQL injection, in which untrusted input supplied to the application is incorporated into the queries it sends to its database, allowing an attacker to gain unauthorized, database-level access to vulnerable applications.
As the University reported in December (report available at http://live.psu.edu/story/63362), 1,406 Social Security numbers, all of which belong to students who were enrolled at Altoona campus before 2005, were present in the database that was compromised during the same attack.
As soon as the University became aware of the issue, the server was immediately taken offline. Although there is no evidence that the information has been used by unauthorized individuals, the University's policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.
Aleksandra Slavkovic, an associate professor of statistics and public health sciences at Penn State, has been honored with membership in the International Statistical Institute. Members are elected "by virtue of their distinguished contributions to the development or application of statistical methods, or to the administration of statistical services, or the development and improvement of statistical education."
Slavkovic conducts research focusing on developing and applying statistical methods for issues of data privacy and data confidentiality. One goal of her research is to limit the release of sensitive information from statistical databases about individuals and groups, while allowing for accurate statistical analysis of the data. Slavkovic is a lead investigator on the National Science Foundation Cyber-Enabled Innovation and Discovery program for a research project on integrating statistical and computational approaches to privacy.
An application hosted on a server on Penn State's University Park campus that contained 1,406 Social Security numbers, all of which belong to students who were enrolled at Penn State Altoona before 2005, was found to have been compromised using a technique known as SQL injection.
As soon as the University became aware of the issue, the server was immediately taken offline. Although there is no evidence that the information has been used by unauthorized individuals, the University's policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.
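The two Altoona notices above both name SQL injection without showing the mechanism. The following is an added illustration, not code from Penn State or from the compromised application: a lookup written by string concatenation beside the same lookup written with a bound parameter, run against an in-memory SQLite table. The table name, column names and rows are constructed for the example and are not drawn from the incident; the payloads are the standard tautology and UNION forms an attacker uses to widen a query and then read other tables, which is what "database-level access" means in practice.

```python
import sqlite3

# Constructed sample data; names and values are assumptions for this example only.
SAMPLE_ROWS = [
    ("900001", "alice", "A1234567"),
    ("900002", "bob", "B7654321"),
]

# Classic tautology: closes the quoted literal and appends an always-true clause.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# UNION form: pulls rows from a different table (here SQLite's schema catalogue),
# then comments out the application's trailing quote.
UNION_PAYLOAD = "' UNION SELECT name, sql, '' FROM sqlite_master --"


def build_db():
    """Create an in-memory database with one constructed table of student records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (psu_id TEXT, username TEXT, license_no TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input is spliced into the SQL text as syntax."""
    sql = (
        "SELECT psu_id, username, license_no FROM students "
        "WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the input travels as a bound value; the query shape is fixed."""
    sql = "SELECT psu_id, username, license_no FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with both payloads."""
    conn = build_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_parameterized(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

Against the vulnerable lookup the tautology returns every student row and the UNION payload returns the schema of the `students` table; against the parameterized lookup both payloads are simply usernames that match nothing. Escaping or filtering quotes is not the fix; keeping data out of the query text is.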
A sign-up interface created by Penn State researchers for Facebook apps could help members prevent personal information -- and their friends' information -- from leaking out through third-party games and apps to hackers and identity thieves.
Publicly available cell-phone applications from application markets are releasing consumers' private information to online advertisers, according to a joint study by Intel Labs, Penn State and Duke University. Researchers at the participating institutions have developed a real-time monitoring service called TaintDroid that precisely analyzes how private information is obtained and released by applications downloaded to consumer phones. TaintDroid is an extension to the Android mobile-phone platform that tracks the flow of sensitive data through third-party applications.
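To make the idea of "tracking the flow of sensitive data" concrete, here is an added toy model of dynamic taint tracking, written for this page and not derived from TaintDroid's own code (which works inside the Android runtime rather than in Python). Values read from a sensitive source carry a label; the label survives operations such as concatenation and truncation; and the network sink reports whatever labelled data leaves the device instead of blocking it, which is the monitoring stance the paragraph describes. The source names, the hypothetical ad library and all sample values are constructed for the example.

```python
from dataclasses import dataclass

# Taint labels for two sensitive sources (assumed names for this toy model).
LOCATION = "location"
IMEI = "imei"


@dataclass(frozen=True)
class Tainted:
    """A string that remembers which sensitive sources it was derived from."""
    value: str
    taint: frozenset = frozenset()

    @staticmethod
    def lift(x):
        """Wrap a plain value as untainted so it can mix with tainted ones."""
        return x if isinstance(x, Tainted) else Tainted(str(x))

    def __add__(self, other):
        # Concatenation propagates the union of both operands' labels.
        o = Tainted.lift(other)
        return Tainted(self.value + o.value, self.taint | o.taint)

    def __radd__(self, other):
        return Tainted.lift(other) + self

    def __getitem__(self, key):
        # Slicing keeps the label: a prefix of an IMEI is still IMEI-derived.
        return Tainted(self.value[key], self.taint)


class Phone:
    """Sources hand out labelled data; the network sink logs any labelled data leaving."""

    def __init__(self):
        self.leaks = []

    def get_location(self):
        return Tainted("40.7982,-77.8599", frozenset({LOCATION}))  # constructed sample

    def get_imei(self):
        return Tainted("490154203237518", frozenset({IMEI}))  # constructed sample

    def network_send(self, host, data):
        """Sink: record (host, labels, payload) whenever tainted data is transmitted."""
        d = Tainted.lift(data)
        if d.taint:
            self.leaks.append((host, tuple(sorted(d.taint)), d.value))
        return len(d.value)


def ad_library_request(phone):
    """Hypothetical third-party ad SDK bundling device data into an ad request."""
    loc = phone.get_location()
    dev = phone.get_imei()[:8]  # "anonymised" by truncation; the label survives
    request = "GET /ad?loc=" + loc + "&dev=" + dev + " HTTP/1.1"
    phone.network_send("ads.example", request)


def benign_request(phone):
    """An ordinary request carrying no sensitive data, so it produces no report."""
    phone.network_send("api.example", "GET /news HTTP/1.1")


def run_monitor():
    """Run both 'apps' on one phone and return the sink's leak reports."""
    phone = Phone()
    benign_request(phone)
    ad_library_request(phone)
    return phone.leaks


if __name__ == "__main__":
    for host, labels, payload in run_monitor():
        print(f"{host}: {', '.join(labels)} -> {payload}")
```

The point the toy makes is that truncating or reformatting a value does not launder it: the ad request still carries both the location and IMEI labels, so the sink reports it. A real tracker has to do the same at the level of variables, IPC messages and files, and must decide which operations propagate taint, which is where most of the engineering in a system like TaintDroid goes.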
Identity theft continues to be a serious problem nationwide, and according to the nonprofit Identity Theft Resource Center (ITRC), the economic recession may be a factor in the rise in scams, thievery and hacking. Breaches have hit virtually everywhere, including the federal government, major credit card companies, businesses and higher education institutions. Penn State has experienced computer breaches due to malware. The most recent breach occurred in the Student Aid Office in January, when malware exposed 5,600 records containing Social Security Numbers of current and former students. "The scary part is, you don't have to do anything wrong anymore to infect your computer," said Kathy Kimball, senior director in Penn State's Security Operations and Services Office. "The threat has changed such that you do not need to click on anything, just visit a compromised page."
Although most offices are winding down for the holidays, Penn State's privacy office remains active. The University currently is working to notify nearly 30,000 individuals about privacy breaches that may have exposed their personally identifying information. Malware infections to University computers caused all of the breaches, which occurred in the Eberly College of Science (7,758 records), the College of Health and Human Development (6,827 records) and one of Penn State's campuses outside of University Park (roughly 15,000 records).
A computer in the Dickinson School of Law that contained 261 Social Security numbers from an archived class list was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. As soon as the University became aware of the malicious software on this computer, it was immediately taken offline. Although it cannot be determined with certainty that any data was pulled from the computer by the malicious software, the University's policy is to take a cautionary stance and notify individuals who may have been affected.
Several computers were among items stolen during a recent break-in at a building on the Penn State Hazleton campus, and a subsequent investigation determined that the archives of one of the computers contained personally identifying information. A total of 348 Social Security Numbers were included in a historical document buried in the computer's archives. Because a number of items were taken in the break-in, it appears that the thieves were targeting the computers, not any information that may have been on them. "We have no reason to believe that this information was accessed by anyone, but those affected should be alert in the event that an individual attempts to use their identity," said Gary Lawler, chancellor at Penn State Hazleton. "We have sent letters to everyone who may have been affected, to arm them with information and steps to take to lessen their risk of identity theft -- even if that theft is only a remote possibility."
Recent news reports indicate a computer containing confidential information about the helicopter that transports President Barack Obama was breached by a computer in Iran. In January, Heartland Payment Systems, a company that provides credit and debit card, payroll and related processing services to more than 250,000 business locations nationwide, announced it had a data breach that potentially exposed credit card numbers, expiration dates and other data. The Heartland breach includes about 700 Penn State purchasing cards, which are in the process of being replaced. As the nationwide problem of identity theft continues to evolve and grow, Penn State is not immune. Malicious software, downloaded by unsuspecting employees who click on messages containing links to fake greeting cards or other seemingly harmless sites, has compromised computer networks at University Park and other campuses. "We cannot stress enough the importance of not clicking on links in e-mail if you do not know for sure who sent the e-mail to you," said Kathy Kimball, senior director of ITS Security Operations and Services. "The most common of these e-mails state that a friend sent you an e-card, and you need to click on the link to view it. When you click on the link, you're redirected to a Web site that downloads malicious software onto your computer without your knowledge, opening up security breaches that can affect every computer on the network to which your computer is connected."
When the Family Educational Rights and Privacy Act (FERPA) was signed into law by President Gerald R. Ford in 1974, it changed the way higher education institutions handled student record privacy. The intent of the federal law was to protect the privacy of student education records, and it applied to all schools that receive funds under an applicable program of the U.S. Department of Education. Because compliance with the details of the law was directly tied to federal funding, higher education institutions including Penn State over the years have chosen to err on the side of caution when dealing with student records. "The provisions of FERPA are complex and here at Penn State we tended, as many other institutions have done, to follow a conservative, narrow interpretation of the law to ensure full compliance," said Karen Schultz, University registrar and FERPA compliance officer for Penn State. "In the wake of the tragedy at Virginia Tech, we are re-visiting our approach."