Thursday, January 11, 2007

Isn't the answer obvious? (If you think it is, ask your security manager what he is doing to mitigate the threat...) Gary Alexander sent this great summary. Think of it as a New Year resolution!

http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1168336934590

Are Mobile Devices Portable Security Threats?

Julie Machal-Falks & Robert Scott, Law Technology News, January 10, 2007

Think a data security breach is unlikely to hit your firm? Think again. One of the greatest risks facing organizations today is the proliferation of portable devices -- laptops, PDAs, USB jump drives -- that often contain personal customer or employee data.

In fact, a recent survey of 500 corporate IT departments, conducted by the Ponemon Institute, found that 81 percent of respondents had experienced a lost or stolen laptop or portable storage device. And, says the institute, about 60 percent of PDAs and laptops contain unprotected sensitive or confidential information.

These data losses can be very costly. Let's look at some recent reports:

A 2006 survey from Symantec Corp. found that the average laptop contains data worth approximately $972,000. [I find that hard to believe... Bob]

Another 2006 survey, produced by the Federal Bureau of Investigation, estimated the average annual cost of computer security incidents at $67.2 billion.

An earlier 2005 survey, from PGP Corp., reported that lost confidential customer information typically costs companies $14 million.

NOT JUST MONEY

But costs of lost or stolen data are not just monetary. They often include loss to business reputation and customer goodwill.

For example, PGP found that when companies notify customers that their data has been compromised, 19 percent terminate the relationship, 40 percent consider terminating the relationship and 27 percent of respondents express concern about the relationship.

Indeed, half of recovery costs after a data breach are attributable to loss of existing customers.

So what can you do to protect your firm?

You may be surprised, but protecting your data often involves some very simple, common-sense steps: [AMEN! Bob]

Encryption: To protect sensitive information and reduce the need to report security breaches, be sure your users routinely encrypt all names, addresses, account numbers and other personal information.

Passwords: Always protect information stored on the laptop with a secure password [Oxymoron alert! Bob]. To maximize safety, passwords should include a combination of numbers and upper- and lowercase letters.

Remote security tools: Be sure that everyone in your organization is using remote security tools that help your firm find and deactivate drives in the event a portable device is lost or stolen. Among the products available are MyLaptopGPS, by AIT Solutions, and Inspice Trace and Inspice SmartProtec, from Inspice.

Backup, backup, backup: It goes without saying that it's absolutely essential to do backups. Be sure that all important data contained on the laptop is backed up. Establish and enforce protocols.

Hardware: In addition to software security, use traditional hardware measures -- such as locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.

Hide your device: Never leave a device on your desk or any other open, visible place. When leaving a laptop in your office, make sure it is hidden and secured.

Be inconspicuous: Always keep your laptop in an inconspicuous case. Flashy cases will expose your computer by attracting thieves' attention.

A simple, padded messenger bag can suffice as a protective container.
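The encryption advice above is the one item in the list that has a concrete engineering shape. The following is an added example, not code from the article or from any product it names, showing what "encrypt names, salaries and Social Security numbers before they sit on a laptop" looks like at the field level: each field is sealed with AES-256-GCM, with the field name bound as additional authenticated data so that a ciphertext copied from one field into another is rejected rather than silently accepted. The Employee record, its field names and the sample values are constructed for the example; the key is generated at random only to keep the program self-contained, whereas a real deployment would obtain it from a key store or derive it from a user secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Employee is a constructed sample record: the kind of data (names, salaries,
// Social Security numbers) the article says ends up on stolen laptops.
type Employee struct {
	Name   string
	Salary string
	SSN    string
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field. The field name is passed as additional
// authenticated data, so the ciphertext only opens under the same field name.
// Output is base64(nonce || ciphertext || tag).
func sealField(key []byte, fieldName, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(fieldName))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// openField reverses sealField; it fails on a wrong key, any modification
// of the stored bytes, or a field-name mismatch.
func openField(key []byte, fieldName, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(fieldName))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// fieldOp is either sealField or openField.
type fieldOp func(key []byte, fieldName, value string) (string, error)

// mapRecord applies op to every sensitive field of an Employee.
func mapRecord(key []byte, e Employee, op fieldOp) (Employee, error) {
	var out Employee
	var err error
	if out.Name, err = op(key, "Name", e.Name); err != nil {
		return Employee{}, err
	}
	if out.Salary, err = op(key, "Salary", e.Salary); err != nil {
		return Employee{}, err
	}
	if out.SSN, err = op(key, "SSN", e.SSN); err != nil {
		return Employee{}, err
	}
	return out, nil
}

// EncryptRecord seals a record before it is written to a portable device.
func EncryptRecord(key []byte, e Employee) (Employee, error) { return mapRecord(key, e, sealField) }

// DecryptRecord recovers a record and fails closed if any field was altered.
func DecryptRecord(key []byte, e Employee) (Employee, error) { return mapRecord(key, e, openField) }

func main() {
	key := make([]byte, 32) // random key for the demo only (assumption: real key comes from a key store)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := Employee{Name: "Jane Doe", Salary: "85000", SSN: "000-00-0000"} // constructed sample
	enc, err := EncryptRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on laptop: %+v\n", enc)
	dec, err := DecryptRecord(key, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with key: %+v\n", dec)
	enc.Name = enc.SSN // a ciphertext moved between fields is rejected
	if _, err := DecryptRecord(key, enc); err != nil {
		fmt.Println("field swap detected:", err)
	}
}
```

Binding the field name as associated data is the part worth copying: without it, authenticated encryption still stops an attacker from altering a value, but not from moving a valid ciphertext into a different column, which is the kind of mistake that surfaces only after a lost device has been found.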

INSURANCE COVERAGE

Your organization may want to consider some of the new policies offered by insurance providers that are specifically designed to assist with data breaches. These may help you defray the costs associated with investigating a breach to determine whether state laws require notification, as well as help pay for the costs associated with breach notification requirements.

The new policies often include coverage for the following claims:

Failure of network security; [Note: Failure is not the same as non-existent... Bob]

Wrongful disclosure of private or confidential information;

Failure to protect confidential or private information;

Violations of federal, state or local privacy statutes.

Some corporate identity theft insurance policies also assist with the costs associated with defraying damage to the firm's reputation. Some also provide crisis management coverage and reimbursement for public relations expenses.

The coverage also may provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG's Corporate Identity Protection offers a product that covers administrative expenses resulting from a breach of personal information.

Like a traditional commercial policy, some security breach policies contain provisions that the insurance company will be required to pay for an attorney to defend the company in the event it experiences a data security breach.

Finally, look for policies that cover the costs associated with post-event services, like credit monitoring and identity theft education to the individuals affected by the security breach.



Not much information yet...

http://www.wric.com/Global/story.asp?S=5924191

Philip Morris ID Theft Alert

Jan 11, 2007 06:23 AM FROM 8NEWS

Thousands of local Philip Morris workers could be at risk of identity theft.

Philip Morris is warning thousands of local workers their personal information may have been accessed. The company began alerting employees this week that laptop computers have been stolen that included names, salaries and social security numbers of employees.

These laptops were taken from the offices of a New York City consulting firm that handles benefit programs for Philip Morris.



It's good to know that things are still moving along on this case...

http://www.chron.com/disp/story.mpl/ap/fn/4462410.html

Investigator Charged in HP Probe

By JORDAN ROBERTSON AP Business Writer Jan. 10, 2007, 10:28PM

SAN FRANCISCO — A private investigator accused of posing as a journalist to access the reporter's private phone records as part of the boardroom spying scandal at Hewlett-Packard Co. was charged Wednesday with federal identity theft and conspiracy charges, prosecutors said.

Bryan Wagner is accused of using the Social Security number of the unidentified journalist to illegally gain access to the phone logs, according to the criminal charges filed in San Jose federal court by U.S. Attorney Kevin V. Ryan's office.

Wagner is also accused of conspiring to illegally obtain and transmit personal information on HP directors, journalists and employees as part of the computer and printer maker's crusade to ferret out the source of boardroom leaks to the media.

... The federal charges accuse Wagner of obtaining a reporter's Social Security number from other unidentified coconspirators, using that information to set up an online account with the telephone company in the reporter's name and accessing the detailed phone logs.

Wagner, of Littleton, Colo., faces up to five years in prison if he's convicted on the conspiracy charge, and a mandatory minimum of two years in prison if convicted of identity theft.

... The way Wagner was charged -- he agreed to waive grand jury proceedings -- suggests he's likely cooperating with investigators aiming for more high-profile targets, said Matthew Jacobs, a former federal prosecutor in San Francisco who is now in private practice.



Wow! How very 1950s cold war-ish...

http://www.cbc.ca/technology/story/2007/01/10/rfid-defence.html

Canadian coins bugged, U.S. security agency says

Last Updated: Wednesday, January 10, 2007 | 8:52 AM ET The Canadian Press

They say money talks, and a new report suggests Canadian currency is indeed chatting, at least electronically, on behalf of shadowy spies.

Canadian coins containing tiny transmitters have mysteriously turned up in the pockets of at least three American contractors who visited Canada, says a branch of the U.S. Department of Defence.

Security experts believe the miniature devices could be used to track the movements of defence industry personnel dealing in sensitive military technology.

"You might want to know where the individual is going, what meetings the individual might be having and, above all, with whom," said David Harris, a former CSIS officer who consults on security matters.

"The more covert or clandestine the activity in which somebody might be involved, the more significant this kind of information could be."

The counter-intelligence office of the U.S. Defence Security Service cites the currency caper as an example of the methods international spies have recently tried to illicitly acquire military technology.

Nearly 1,000 'suspicious' contacts

The service's report, Technology Collection Trends in the U.S. Defence Industry, says foreign-hosted conventions, seminars and exhibits are popular venues for pilfering secrets.

The report is based on an analysis of 971 "suspicious contact reports" submitted in fiscal 2005 by security-cleared defence contractors and various official personnel.

"On at least three separate occasions between October 2005 and January 2006, cleared defence contractors' employees travelling through Canada have discovered radio frequency transmitters embedded in Canadian coins placed on their persons," the report says.

... Harris speculates recent leaps in miniaturization could allow for a sophisticated transmitter capable of monitoring a target's extensive travels.

"I think we can be pretty darn confident that the technology is there for the sorts of micro-units that would be required to embed these things in a coin," he said.

"It's a brave new world, and greatly concerning on so many levels."

... "It is important to recognize copiers and shredders can contain built-in scanners to copy the data."

Other common methods include placing listening devices in rooms, searching hotel rooms, inspecting electronic equipment and eavesdropping on conversations.

The report, which first came to light in a U.S. newspaper, has since been posted on the website of the Federation of American Scientists, [ http://www.fas.org/main/home.jsp ] an organization that tracks the intelligence world and promotes government openness.



Someone gets it?

http://www.crgazette.com/2007/01/10/Home/judiciary.htm

Chief Justice: E-filing raises security issues

Published: 01/10/2007 09:56 AM By: Rod Boshart - The Gazette

DES MOINES, IA - The head of Iowa's judicial system says the rapid changeover to an electronic court filing system utilizing the Internet may require the Legislature to re-examine privacy laws governing access to information contained in public records.

Marsha Ternus, delivering her first Condition of the Judiciary address today as chief justice of the Iowa Supreme Court, said the switch from a paper-based court system to new e-filing convenience has brought heightened concerns for information security and personal privacy.

"Individuals involved in court proceedings will be more vulnerable to identity theft and prying eyes," she told a joint convention of the Iowa General Assembly.

Ternus said the Iowa court system is slated to conduct two test projects for electronic filing later this year with plans to convert to a statewide e-filing system in five years. She suggested the switch may require special court rules and legislative changes to Iowa's public records statute to balance access and privacy issues.

... Currently, considerable information of a personal nature - such as birth dates, addresses, children's names, and financial account information - is part of the public record but not easily accessible without going to a courthouse and digging through records, she noted. That will change with instantaneous electronic access "24/7" from remote locations anywhere in the world via online court records.



Is there an American version of this report?

http://www.p2pnet.net/story/10966

Canadian 'privacy breach' notification

p2pnet.net News:- Of an estimated 49 million Americans notified of unauthorized access to their personal information during the past three years, about 9.3 million believe something bad happened to them as a result of the breach, said a recent Harris Interactive poll.

... Approaches to Security Breach Notification, a CIPPC white paper released today, reviews breach notification laws enacted by over thirty American states so far, and argues that the federal government should have similar protections in place for Canadians.



My barber greets me by asking for my phone number... Whatever happened to “Hi, Bob!”

http://www.computerworld.com/blogs/node/4323

Food services don't need my ID to serve me

By Martin McKeay on Wed, 01/10/2007 - 10:31am

This is a disturbing trend I've been hearing more and more lately: bars and restaurants are asking for IDs and/or storing your ID information in their database before they'll serve you. This is a trend that has to be nipped in the bud before smart criminals start taking advantage of this well-intentioned but misguided attempt at safeguarding food service profits. The potential for abuse, either by simply stealing IDs or the databases containing the recorded data, is too tempting to remain unexploited for long.

The first I heard of this practice was an IHOP in Massachusetts that was taking diners' IDs before they could be seated. It seems the restaurant had recently had a rash of dine-and-dash types running out before they paid for the meal they'd just eaten. For the manager of the IHOP, it made perfect sense to ask for ID, since the perceived risk to IHOP was minimal and it directly addressed the problem of finding the people who ran off without paying their bills. What he didn't take into account is the possible loss to the company if even one of those IDs that he'd taken was used to steal an identity; Massachusetts IDs have Social Security Numbers on them.

... Last week a friend and fellow security expert was down in the Florida Keys where a restaurant refused to put his family on the wait list unless they were willing to leave a military ID, driver's license or credit card. I'm not sure what risk the restaurant thought they were addressing here, since it cost them next to nothing to put a name on the wait list. What really concerns me is that this area apparently has a large community of active duty military personnel and was asking for military IDs; in a time where 'national security' is a bugaboo that every politician is using to scare the populace, did anyone think that asking military personnel to turn over their IDs might be a breach of security? If I wanted to get on a military base and knew that a local restaurant was taking IDs, it'd be a fairly simple task to get a job there and make copies of IDs as they came by or wait for someone to accidentally leave their ID behind. This case really makes no sense to me because the potential downside to taking the IDs is immense and does not appear to address any risk to the business, other than the 30 seconds lost when the hostess has to call out a name and then cross it off the list.

Finally, another security expert was out bar hopping after a college football game and was asked to present ID before being allowed into a bar. So far so good, except the bouncer at the bar was scanning the magnetic stripe information from the driver's licenses and storing the name, birth date and driver's license number. To add insult to injury, the bouncer was apparently so intent on his scanning process that he wasn't actually checking the faces on the IDs against the person holding them.



http://sunbeltblog.blogspot.com/2007/01/is-this-miscarriage-of-justice.html

Wednesday, January 10, 2007

Is this a miscarriage of justice?

A substitute school teacher in Connecticut has been found guilty of exposing children to porn.

She could face up to 40 years in prison.

However, there are some interesting aspects to this case:

  • The defense contends this was a case of spyware on the school machine — a barrage of popups.

  • The school did have content filtering but the license was expired.

  • According to another article, “Computer expert W. Herbert Horner, who performed a forensic examination of the computer for the defense, said Amero may have been redirected to the sexually-oriented sites through a hairstyling site accessed from the computer. He said the site allowed spyware to be downloaded onto the computer which allowed the pop-ups.”

  • And, according to one source, the Trial Judge, Hillary Strackbein, “was seen falling asleep during proceedings and made comments to the jury that she wanted the case over by the end of the week. It was also reported that Judge Strackbein attempted to pressure the defense into an unwanted plea deal, in place of a trial. The defense attorney for Amero, moved for a mistrial shortly before closing arguments Friday, based on reports that jurors had discussed the case at a local restaurant.”

Was justice done here? That’s not entirely clear. A bad spyware infestation can splatter a machine full of porn popups and it’s a bit unnerving to think that a teacher could get hard prison time for something that might have been completely innocent.



If you copy, copy from the very best...

http://www.bespacific.com/mt/archives/013549.html

January 10, 2007

Top 10 Court Web Site Awards Announced for 2006

The Justice Served 2006 Top 10 Court Website Award winners. Among the winners is the Connecticut Judicial Branch Law Libraries.
