Wednesday, June 24, 2020

Secure the Attack Surface | HackerOne


Secure Existing Applications

Keep your applications secure and demonstrate your commitment to security. HackerOne offers a suite of products designed to fit your needs and integrate into your systems: public and private bug bounty programs, vetted security researchers, pentesting, and more.

Move to the Cloud with Confidence

Cloud migration is challenging. Even in a best case scenario, your organization has to apply new firewall solutions, integrate new security systems, and transfer data. Each change opens up new attack surfaces. Avoid exposing yourself to risk by inviting ethical hackers to vet your application security. Strengthen your cloud security posture and avoid misconfigurations known to cause security breaches.


Less is More: Consolidate Tools & Cut Costs

Security teams must stay ahead of advanced threats and increased vulnerability sophistication. To increase visibility, reduce clutter, and manage costs, many teams are looking to consolidate their security solutions. Thousands of companies rely on hacker-powered security to address evolving threats and scale while reducing their reliance on point solutions.

Recommended HackerOne Solutions

Vulnerability Disclosure


Establish the process for and receive reporting of unknown or harmful security vulnerabilities to the proper person or team in your organization.


HackerOne Clear


Partner with proven, background-checked security researchers with the skills and reputation to match your specific needs.


Bug Bounty


Let trusted hackers continuously test for vulnerabilities with defined scope of coverage.


Do You Have Hackers on Your Side?

Every 5 minutes, a hacker reports a vulnerability. Every 60 seconds, a hacker partners with an organization on HackerOne. That's more than 1,000 interactions per day towards improved security. Our CISOs Guide to Reducing Risk with Responsible Disclosure details why hacker-powered security is a must for scaling security across your attack surface.


"Our HackerOne bug bounty program has one of the most permissive scopes in the industry. This allows us to work with security researchers to test the broadest attack surface possible. The impressive contributions from the community have made Dropbox, and the internet as a whole, a safer place."

Rajan Kapoor, Former Director of Security at Dropbox



Elyssa 

Just me, e. ELyssaD


Top Down Policy Failure in Public Education – Elyssa D. Durant, Ed.M.


MNPS does not have the answers, nor does our newly elected Mayor, who recently launched an aggressive media campaign to recruit new teachers willing to work within the constraints of our over-regulated, under-funded public schools.

This article glossed over the magnitude of the desperate situation in Metro Nashville Public Schools (MNPS).

But it does raise questions about the hiring and retention practices by the Board of Ed.

The basic fact that students are not making adequate progress is a reflection of the top-down policy failure by MNPS and the Board of Ed.

Students are not making adequate progress, and teachers are being shuffled around in a desperate attempt to fix a problem that they do not fully understand.

This data seems to support the need for performance based incentives such as the study on performance incentives at the National Center for Performance Incentives on the Peabody Campus at Vanderbilt University.

Teachers in the experimental group receive a $15,000 bonus if their students demonstrate a pre-determined level of achievement and demonstrate proficiency.

In conjunction with the RAND Corporation, data will be collected twice a year: at the beginning of the academic term to establish the baseline level of competency for each student.

Data is then collected at the end of the year to measure achievement.
Several waves of data will be collected over the next several years and evaluated in conjunction with the RAND Corporation.

In order to fix our broken schools, we need to look at schools that work.

There are in fact public schools in urban neighborhoods that are successfully educating the students despite limited budgets, supplies, and adequate funding.

So what is it about these schools that allows them to successfully educate disadvantaged, at-risk students and how can we replicate their success?

As an educator employed by MNPS, I earn $10.46 / hour (without benefits) teaching at-risk students. What does this say about the fiscal priorities of our community?

My graduate degree in education is from the very same university that Mayor Karl Dean attended in New York City. What does that say about our values as a society? What does that say about the value of a graduate degree from the Ivy League?

I called HR and the "Certificated Office" to inquire about obtaining a provisional teaching license and alternative certification. I was simply told that I was not eligible for alternative certification and that, without additional course work, tuition and fees, I was not deemed qualified to teach in Metro.

I am not qualified to teach in Metro since, apparently, Metro "does not teach education." What a joke. To make matters worse, I had to pay them to find out that I was not even qualified to work with Head Start.

I went to Head Start! Shouldn't that be enough? I find it difficult to believe that a city so desperate for teachers is not willing to bend the rules just a little or waive the application fee for anyone who is willing to work in such a hostile environment.

The state Department of Education could not offer any realistic solution to the simple fact that I cannot afford to pay the fees associated with the application and certification requirements.

If the Mayor really needs applicants, perhaps the city should comp the application fees necessary to be considered for employment.

They are strangely unfamiliar with the political process, and teachers are expected to implement and carry out policies that were designed by academic professionals or educational consultants.

If MNPS truly wants a better-qualified staff, then the Mayor, the Board of Education, and school administrators need to take a closer look at the methods used to recruit, retain, and reward qualified individuals willing to sacrifice their financial stability for a career in public service.

The high rate of student mobility is compounded by the constant shifting of school personnel. Many schools may just lose the few experienced, dedicated teachers they still have left to surrounding districts, cities, and states.

Such instability in the system may even prompt the younger set to leave the profession altogether and discourage future teachers from applying for jobs in Metro.

Now that I realize my education was a complete waste of time and money, is it any wonder that I am ready to give up on teaching and maybe even ready to leave Nashville for good? The local hardware store has more to offer, including benefits!

Everything we know about the positive outcomes in neighborhood schools is their strong reliance upon community buy-in and parental involvement.

One thing that makes magnet, lottery, charter schools, parochial, and private schools so good is the fact that parents, teachers, students, and administrators fight to get in, and fight to stay there.

The act of choosing, in effect, leads to an enhanced sense of community and builds a supportive, consistent, and structured environment.

Calling rezoning and teacher shuffling in Metro "Project Fresh Start" is ridiculous– it would be more accurate.




Elyssa 

Sunday, June 21, 2020

Cyber-attack: Is my computer at risk? - BBC News


Experts are warning that there could be further ransomware cases this week after the global cyber-attack. So, what has happened and how can organisations and individuals protect themselves from such attacks?

What is the scale of the attack?

Ransomware - a malicious program that locks a computer's files until a ransom is paid - is not new but the size of this attack by the WannaCry malware is "unprecedented", according to EU police body Europol.

It said on Sunday that there were believed to be more than 200,000 victims in 150 countries. However, that figure is likely to grow as people switch on their computers on Monday if their IT has not been updated and their security systems patched over the weekend.

There are also many other strains of ransomware which cyber-security experts say they are seeing being given new leases of life.

In the UK, the NHS was hit hard, but by Saturday morning the majority of the 48 affected health trusts in England had their machines back in operation. The NHS has not yet revealed what steps it took.

The malware has not proved hugely profitable for its owners so far. The wallets set up to receive ransom payments - $300 (£230) in virtual currency Bitcoin was demanded for each infected machine - contained about $30,000 when seen by the BBC. This suggests that most victims have not paid up.

Is my computer at risk?

WannaCry infects only machines running Windows operating systems. If you do not update Windows, and do not take care when opening and reading emails, then you could be at risk.

However, home users are generally believed to be at low risk to this particular strain.

You can protect yourself by running updates, using firewalls and anti-virus software and by being wary when reading emailed messages.

Regularly back up your data so you can restore files without having to pay up should you be infected, as there is no guarantee that paying the ransom will result in your files being unlocked.

The UK's National Cyber Security Centre website contains advice on how to apply the patch to stop the ransomware - MS17-010 - and what to do if you can't.

How did the attack spread so fast?

The culprit is malware called WannaCry and seems to have spread via a type of computer malware known as a worm.

Unlike many other malicious programs, this one has the ability to move around a network by itself. Most others rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.


Once WannaCry is inside an organisation, it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public - because large numbers of machines at each victim organisation are being compromised.

It has been described as spreading like the vomiting bug norovirus.

Why weren't people protected?

In March, Microsoft issued a free patch for the weakness that has been exploited by the ransomware. WannaCry seems to be built to exploit a bug found by the US National Security Agency.

When details of the bug were leaked, many security researchers predicted it would lead to the creation of self-starting ransomware worms. It may, then, have taken only a couple of months for malicious hackers to make good on that prediction.

It was originally thought that a number of victims were using Windows XP, a very old version of the Windows operating system that is no longer supported by Microsoft.

However, according to cyber-security expert Alan Woodward, from Surrey University, the latest statistics suggest this figure is actually very small.

Large organisations have to test that security patches issued by the provider of their operating systems will not interfere with the running of their networks before they are applied, which can delay them being installed quickly.

Who was behind the attack?

It's not yet known, but some experts are saying that it was not particularly sophisticated malware. The "kill switch" that stopped it spreading - accidentally discovered by a security researcher - may have been intended to stop the malware working if captured and put in what's called a sandbox - a safe place where security experts put computer malware to watch what they do - but not applied properly.

Ransomware has been a firm favourite of cyber-thieves for some time as it lets them profit quickly from an infection. They can cash out easily thanks to the use of the Bitcoin virtual currency, which is difficult to trace.

However it's unusual for an expert criminal gang to use so few Bitcoin wallets to collect their ransom demands - as in this case - as the more wallets there are, the more difficult the gang is to trace.



Elyssa 

Global cyber-attack: How roots can be traced to the US - BBC News


The flaw in Windows behind a huge cyber-attack affecting organisations around the world, including some UK hospitals, can be traced back to the US National Security Agency (NSA) - raising questions over the US government's decision to keep such flaws a secret.

Elements of the malicious software used in Friday's attacks were part of a treasure trove of cyber-attack tools leaked by hacking group the Shadow Brokers in April.

One of the tools contained in the Shadow Brokers leak, codenamed EternalBlue, proved to be "the most significant factor" in the spread of Friday's global attack, according to cyber-security firm Kaspersky Lab.

The tool was said to have been created by the NSA - though, as is typical, the agency has neither confirmed nor denied this.

EternalBlue was made public on 14 April, and while Microsoft had fixed the problem a month prior to its leak, it appeared many high-profile targets had not updated their systems to stay secure.

Friday's attack has reignited the debate over whether or not governments should disclose vulnerabilities they have discovered or bought on the black market.

"It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen," said Patrick Toomey, a lawyer working for the American Civil Liberties Union.

"These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world.

"Patching security holes immediately, not stockpiling them, is the best way to make everyone's digital life safer."

Edward Snowden, who famously leaked many internal NSA files in June 2013, criticised the NSA on Friday in a series of tweets.

"In light of today's attack, Congress needs to be asking [the NSA] if it knows of any other vulnerabilities in software used in our hospitals," he wrote.

"If [the NSA] had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened."

Outdated systems

However, others focused the blame at institutions for being too slow in updating their systems, given that this attack happened almost two months after a (free) fix was made available by Microsoft.

"Say what you want to say about the NSA or disclosure process," said Zeynep Tufekci, a professor at the University of North Carolina.

"But this is one in which what's broken is the system by which we fix."

For the UK's National Health Service, the problem is perhaps more acute.

Security firms have continually raised alarms about the NHS's reliance on Windows XP, an operating system that is no longer supported by Microsoft.



Elyssa 

Saturday, June 20, 2020

Global cyber-attack: Security blogger halts ransomware 'by accident' - BBC News


A UK security researcher has told the BBC how he "accidentally" halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK's NHS.

The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.

He managed to bring the spread to a halt when he found what appeared to be a "kill switch" in the rogue software's code.

"It was actually partly accidental," he told the BBC, after spending the night investigating. "I have not slept a wink."

Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an "accidental hero".

"I would say that's correct," he told the BBC.


"The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation."

What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.

But the web address it was trying to contact - a long jumble of letters - had not been registered.

MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.


By doing so, he unexpectedly triggered part of the ransomware's code that told it to stop spreading.


This type of code is known as a "kill switch", which some attackers use to halt the spread of their software if things get out of hand.

He tested his discovery and was delighted when he managed to trigger the ransomware on demand.

"Now you probably can't picture a grown man jumping around with the excitement of having just been 'ransomwared', but this was me," he said in a blog post.

MalwareTech now thinks the code was originally designed to thwart researchers trying to investigate the ransomware, but it backfired by letting them remotely disable it.

Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected.

Security experts have also warned that new variants of the malware that ignore the "kill switch" will appear.

"This variant shouldn't be spreading any further, however there'll almost certainly be copycats," said security researcher Troy Hunt in a blog post.

MalwareTech warned: "We have stopped this one, but there will be another one coming and it will not be stoppable by us.

"There's a lot of money in this, there is no reason for them to stop. It's not much effort for them to change the code and start over."



Elyssa 

Australia jet and navy data stolen in 'extensive' hack - BBC News


Sensitive information about Australia's defence programmes has been stolen in an "extensive" cyber hack.

About 30GB of data was compromised in the hack on a government contractor, including details about new fighter planes and navy vessels.

The data was commercially sensitive but not classified, the government said. It did not know if a state was involved.

Australian cyber security officials dubbed the mystery hacker "Alf", after a character on TV soap Home and Away.

The breach began in July last year, but the Australian Signals Directorate (ASD) was not alerted until November. The hacker's identity is not known.

"It could be one of a number of different actors," Defence Industry Minister Christopher Pyne told the Australian Broadcasting Corp on Thursday.

"It could be a state actor, [or] a non-state actor. It could be someone who was working for another company."

Mr Pyne said he had been assured the theft was not a risk to national security.

Weaknesses exploited

The hack was described as "extensive and extreme" by ASD incident response manager Mitchell Clarke.

It included information about Australia's new A$17bn (£10bn; $13bn) F-35 Joint Strike Fighter programme, C130 transport plane and P-8 Poseidon surveillance aircraft, as well as "a few" naval vessels, he said.

Mr Clarke told a Sydney security conference that the hacker had exploited a weakness in software being used by the government contractor. The software had not been updated for 12 months.

The aerospace engineering firm was also using default passwords, he said.

ASD officials began repairing the system in December.

A report by ZDNet said officials referred to the months before ASD intervention as "Alf's mystery happy fun time".

"For those visitors overseas to Australia, Alf is Alf Stewart from an horrific Australia soap opera called Home and Away. It's just a thing we do," Mr Clarke told his audience, according to BuzzFeed.

'Salutary reminder'

The government distanced itself from the Adelaide-based firm, saying it had most likely been employed by another contractor.

"I don't think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch," Mr Pyne said.

"Fortunately, the data that was taken was commercial data, not military data, but it is still very serious and we will get to the bottom of it."

However, he said "we don't necessarily let the public know" about the identities of hackers, because such investigations often involve confidential information.

The incident was a "salutary reminder" about cyber security, he added.

Last year, Australia announced a surge in defence spending, a move that reflects concern over military expansion in the region.

Military spending would grow by A$29.9bn over 10 years, including plans to buy 72 Joint Strike Fighters, the 2016 Defence White Paper outlined.



Elyssa 

Australia cyber attacks: PM Morrison warns of 'sophisticated' state hack


Australia's government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says.

Mr Morrison said the cyber attacks were widespread, covering "all levels of government" as well as essential services and businesses.

He declined to identify a specific state actor and said no major personal data breaches had been made.

The attacks have happened over many months and are increasing, he said.

The prime minister said his announcement on Friday was intended to raise public awareness and to urge businesses to improve their defences.

But he stressed that "malicious" activity was also being seen globally, making it not unique to Australia.

Who has been targeted?

Mr Morrison did not name specific cases but said it had spanned "government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure".

He did not give further details. Previously, defence manufacturers, government contractors and accounting firms have been among those to report data breaches.


Last year, the Australian National University said it had been hacked by a sophisticated operation which had accessed staff and student details.

Australia's main political parties and parliament were hit by a "malicious intrusion" earlier in 2019, also attributed to a "sophisticated state actor".

Who is behind it?

Speaking on Friday, Mr Morrison said officials had identified it as a state hack "because of the scale and nature of the targeting and the trade craft used".

"There are not a large number of state-based actors that can engage in this type of activity," he said, without giving specifics.

When asked to identify a country, Mr Morrison said he would not make "any public attribution".

Cyber intelligence experts have long linked various hacks in Australia to China.

They say China is one of the few states, along with Russia, Iran, and North Korea, which have the capacity for such attacks - and are not allied with Australia. However, they also note that cyber espionage between countries and even allies is common.

"There's always simmering tensions between Russia and China so really it comes down to those being the key actors they [Australia] would be referring to," expert Joshua Kennedy-White told the BBC.

The Reuters news agency has previously reported that Australian intelligence agencies suspected China of carrying out the parliament hack in 2019. Canberra declined to comment.

The unsaid part of the story: China

Shaimaa Khalil, BBC News Australia correspondent

The headline itself was clear. Many political, educational and health organisations have been targeted by a state-based cyber actor with "significant capabilities". However, much about Mr Morrison's press conference was understated.

For example, it was not clear why this announcement was made at this particular moment - given these attacks have been going on for a while. Mr Morrison made a similar announcement early last year.

Despite blaming a "sophisticated state actor", he refused to name names - even after being directly asked about the country almost everyone was thinking about: China.

Relations between the countries have grown tense in recent years but have significantly worsened after Australia echoed the US in calling for an inquiry into the origins of the coronavirus, first detected in China late last year.

China has since imposed tariffs on Australian barley, stopped beef imports and warned Chinese citizens and students about the "risks" of travelling to Australia for tourism or education because of racist incidents.

Australia has also ratcheted up its rhetoric. Last week, Mr Morrison said he would not give in to "coercion" from Beijing.

It's hard to be 100% sure that China could be behind this, but what we know is that Australia's leadership has chosen a moment when its relationship with its powerful trading partner is at an all-time low to announce publicly that it is under cyber-attack from a powerful state.

Which actions did Mr Morrison urge?

He said businesses - particularly health infrastructure and service providers - should improve their technical defences.

Cyber defence agencies had thwarted "many" hacking attempts but protection required "constant persistence and application", he added.

"We raised this issue today not to raise concerns in the public's mind, but to raise awareness in the public's mind," Mr Morrison said.

"We know what is going on. We are on it, but it is a day-to-day task."

Major cyber attacks in Australia

2020: Incidents reported across major Australian firms, including steel maker BlueScope, logistics firm Toll Group, and state government agency Services New South Wales

June 2019: The Australian National University revealed a "highly professional" group of up to 15 hackers gained access to student and staff details, as well as academic research, for about six months

February 2019: Australia's parliamentary computer network and political parties were subject of an attempted attack by a "state actor"

2017: Information about fighter planes and navy vessels was stolen from an Australian government contractor.

2015: Foreign spies attacked the Australian Bureau of Meteorology.



Elyssa 

Quest Diagnostics breach: What to do if you may have been affected


Visit IdentityTheft.gov/databreach to learn what you can do to protect your identity.

Federal Trade Commission

A data breach of one of Quest Diagnostics' billing vendors has left as many as 11.9 million people worried, wondering if their personal and medical information has been compromised.

On Monday, Quest Diagnostics said that AMCA, a billing collections vendor, informed the company that there had been unauthorized access on AMCA's web payment page and that information from Quest Diagnostics and Optum360 customers may have been compromised.

The information stored on AMCA's affected system includes credit card numbers, bank account information, medical information and personal information, including Social Security numbers.

News of the breach has customers from across the country concerned.

"This is the 2nd time in two years that my information has been affected and it is becoming increasingly frustrating that more isn't being done to protect my personal information and raises another question as to if they really need this information in the first place?" said Will Becker, in an email.

In an email, Edwin Padilla, from Orlando, Florida, asked a reporter if there was a way to find out if he had been affected by the breach. Several other emails asked the reporter the same question.

So what can concerned customers do? Here are a few answers.

Who is affected?

Since Monday, neither Quest nor AMCA has put out a list of those affected or distributed instructions on how to find out if you've been affected.


However, AMCA said that they are planning to send letters to those affected.

"AMCA is sending out letters to affected customers who need to know certain information about their data."

Quest did narrow down the field of those potentially affected, clarifying that AMCA is a vendor used by Optum360, which in turn provides billing services to Quest.

As a collection agency, the individuals who might be impacted would be those who had a potentially "delinquent" account, said Wendy Bost, a spokeswoman for Quest. 

"We're waiting for more information, but to the best of our knowledge, it would be individuals who were late in their payment and are therefore delinquent," she said.

What is Quest doing?

Quest insists that since the security breach was at one of AMCA's systems, they have little information about the breach. 

"Again, we would not be in a position to clarify information on specific individuals as we await more details from AMCA," said Bost.

Quest released a statement on their website summarizing the incident and does provide a general service number, 866-MYQUEST. But if customers call, Quest would not be able to provide information on specific individuals' accounts, said Bost.

What is AMCA doing?

Emails to an AMCA spokesperson requesting information on what to do if you have an account with AMCA were not immediately returned.

However, AMCA announced that it would be providing 24 months of credit monitoring to anyone who had a social security number or credit card account compromised, even if the relevant state does not require it.

What can you do?

Those people impacted should consider adding a fraud alert to the credit reporting agencies and a credit freeze, said Darren Hayes, Assistant Professor at Pace University's Seidenberg School of Computer Science and Information Systems.

Email: torrejon@northjersey.com




Friday, June 19, 2020

DailyDDoSe: A Voice for the Voiceless: Privatized Foster Care in Tennessee


A Voice for the Voiceless: Privatized Foster Care in Tennessee

Privatized Foster Care

I am deeply disturbed by the recent press coverage regarding what is going on in the foster care system today.

Having worked for a private foster care agency (profit-driven) company contracted by the Department of Children's Services through the State of Tennessee, I would like to share what I've learned through my experience working with older adolescents reaching the age of majority (18) who are being released from state custody with the Department of Children's Services.

One child, now twenty, is pregnant and moves from place to place every few days or so (photos attached). When I first got her case, 5 years or so ago, she had concrete goals, dreams and aspirations. She had hope. She wanted to go to college. Now, today, she is homeless, pregnant, and has been without services since the day (and I do mean day!) she turned 18. (Pictures of her current "home" are posted next to this article.)

On her 18th birthday, Ms. DB was dropped off at a Food Lion parking lot in Gallatin, TN without any money, clothing, food, healthcare, benefits, e.g., food stamps, transportation and nowhere to go. She was on her own with a 10th grade education and no GED.

CG is a young man who was diagnosed with a brain tumor at 19, shortly after leaving custody. He was denied TennCare 4 times before I made the decision to get involved at any cost. Like all of my other former DCS clients (at least those who have contacted me over the years) CG is also chronically homeless, unemployable, and has only a 10th grade education, epilepsy, and a mental illness. His TennCare is ending 3/31/2008-not quite enough time to plan and execute the brain surgery he needs to help him live a relatively normal life...

I'm still involved, but tomorrow I will turn his case file over to two new case managers and hope that they can keep up the pace. I have to let go. I can't pay my internet bill!

I hope and pray that all of the hard work I have put into his case: applying for benefits, social security, Medicaid, Food Stamps, even a library card and a voter registration card (which are a dime a dozen in this town; Nashville, TN; these days) so that he can get the brain surgery and medical treatment he needs and deserves does not get lost when I go back to work next week. I have assured him that I will not abandon him like everyone else in the past-besides, I hold his history-his memory-his voter registration, TennCare and Social Security cards[1].

These children and young adults (DB, CG, CW, and CB) and a few other exceptional children left an imprint on my heart long after I left my position with the Department of Children's Services...

After leaving the private (contract) agency I was working for, it took a very long time for me to decide whether I should continue in the field of social services for children. You see, I was under the impression that foster care was about children. Wrong.

Unfortunately, I came to realize that it was more about money than children. Private agencies pay barely there, barely trained "people" upwards of $40-60/day per child tax-free. One foster parent I worked with kept ten children in a four-bedroom home in Madison. She also kept chains on the refrigerator door so the children wouldn't eat too much food. Another family had multiple complaints of sexual assault filed against them, but those complaints were mysteriously absent from my case file when I left the agency. As was my actual signature on my case reports-they didn't even try to color between the lines when they falsified my records with white out. Who can be that lazy? Who can be that reckless? Who can be that person?

I was deeply saddened by this realization because I was unsure what to do with the information I had acquired throughout the years. However, at this point in my life, I do feel that I have some ethical obligation to either speak out or take action to work towards resolving the systemic problems in the privatized foster care environment.

I came to the realization that I may be able to use my own voice to speak for the children who have been repeatedly silenced by our society: our schools, our courts, our social service system, and the adults they relied upon to have their most basic needs met.

Of course, I would have to speak with DB and CG about their willingness to meet with you to discuss their experience while in the custody of the children's services.

However, if you believe (like I do) that sharing these stories (albeit anecdotal) may ultimately lead to profound changes and reform within the foster care system, then I am quite certain my former clients would be more than willing to speak with anyone who has the capacity to make things better for their natural and foster siblings still in the system. I do not see a problem so long as we can create a space where they can speak freely without fear of repercussions.

DB is not alone in her experience, and for whatever reason, these children seem to feel comfortable sharing their stories with me.

There is another young man, Cody G, who is an incredibly gifted writer that deserves to be heard and recognized. Much like DB, he has experienced a great deal of difficulty finding stable living arrangements once discharged from DCS custody. Because he was constantly in motion, moving from place to place to place-- I agreed to hold onto his personal journals documenting his experience in DCS.

His voice deserves to be heard along with a chorus of others! Some of these children develop such fascinating ways to cope with the pain, the isolation and the abandonment issues they grow up with, and I try to do the best I can to steer them in the right direction.

Talent such as Cody's and perseverance like DB's should be revered, celebrated, respected, and validated-- not thrown away or ignored.

Foster care is a mess. What happens next is a complete and utter tragedy. I hope you are deeply disturbed by the contents of this letter-if so-my job is done for the day!

Let your voice be heard-- contact your representatives, the press-- shout it from the rooftops!!! This despicable state of affairs and this not so well hidden secret about privatized foster care in the state of Tennessee must come to an end!

This is how Cody writes:

The Leaveless Plant
by Cody Gambill © 2006

I am a plant without any roots
I bring no syrup I bear no fruits

I am not much to look at without any flowers
All I do is sit and stare for hours

Every so often, I wander off to find a new spot
Feeling no attachment to anything I've got

Every time I move, I lose a leaf or two
But no one will notice because here I am new

After moving a while, I look down to see
How oblivious I am to my nudity

All of my moving has shaken me bare
Embarrassed and all I ignore the stares

But the more I think the better I feel
Because the leaves from me provided a meal

So I am important like all on this earth
Think I'll settle down and show this world what I'm worth

And this is how DB lives: pregnant at age 20:

The bathtub. No door. No curtain.

The sink.

The mold.

The baby...

[1] I must give kudos to Judge Dan Eisenstein from the Mental Health Court of Davidson County who has paved the way to make getting CG Transitional Services as he ventures out into the world alone-if only I could get reimbursed for my time! Judge Eisenstein is untraditional, compassionate, and by far the most client-centered Judge I have ever had the honor of working with, no matter how briefly. Judge Eisenstein is paving the road for CG to have a chance-a chance at a future-a chance at a life-- a real one-free from Grand Mal seizures, self-injury, hypomania, rapid cycling, and suicidal ideations.

I also would like to express my gratitude to The Tennessee Justice Center, Tony Garr of the Tennessee Health Care Campaign, Lane Simpson, and Dave Aguzzi with the Department of Children's Services who are helping CG get transitional living services so he can get the care and treatment he did not receive while in custody. Kim Crane (from the Vanderbilt Center for Child & Family Policy Center) has also been instrumental in serving as a liaison with Transitional Youth Programs and helped me get connected to the right people and programs efficiently and effectively. Thanks to you all!



