Friday, March 02, 2007

Gosh, Friday already?

http://www.boston.com/news/local/rhode_island/articles/2007/03/01/records_of_2000_westerly_hospital_patients_posted_online/

Records of 2,000 Westerly Hospital patients posted online

March 1, 2007

WESTERLY, R.I. --Two-thousand patients at Westerly Hospital had their names, Social Security numbers and medical records posted on a publicly accessible Web site, and the hospital said it doesn't know who did it.

"We don't know why it happened. We don't know how it happened. But we will," hospital President and CEO Charles Kinney told The Westerly Sun.

The Web site included detailed information about patients' surgical procedures and medical histories, as well as people's home addresses and insurance information.

... Westerly Police learned of the problem on Wednesday afternoon when a woman looked up her phone number on the Internet search engine Google and found a link to the site. Police called the hospital, then the FBI and State Police. [The Hospital probably never even looks at their web site Bob]

The hospital worked with several Internet companies, including Yahoo Inc., to take the site down, and it was taken offline five hours later, [In most circumstances, this is as simple as pulling a plug, even if you do it electronically Bob] according to the Sun. It's not clear how long the site was up or how many people saw the information.

Kinney said there was a breach in the hospital's computer database system that allowed hackers to access the information. [And another that allowed the hackers to access the hospital's computers? And another that allowed them to change the web site? Bob] The hospital plans to send a letter to every affected patient as soon as possible, Kinney said.



Note that they detected the attack themselves (see TJX, it can be done) although why they think changing the passwords (if the hacker has already broken the encryption) would make things secure again I don't know...

http://www.theeagle.com/stories/030107/am_20070301003.php

A&M computer system attacked

By LAURA HENSLEY Eagle Staff Writer Updated March 1, 2007 7:08 AM

Texas A&M University officials ordered all 96,000 users of the school's computer system to change their passwords Wednesday after an attempt was made to gain unauthorized access to electronic files over the weekend.

Officials said they believe no data - including Social Security numbers and financial information - were stolen. But, officials cautioned, if the person responsible was able to crack the encrypted passwords they could have access to individual accounts.

... Interim University President Ed Davis would not give specific details about the computer system break-in, citing an ongoing criminal investigation, but he said a monitoring system first discovered the problem within the NetID system early Saturday.

Davis said it took a few days to determine if the security breach was intentional, [I wonder what made them even consider “accidental hacking” Bob] but computer personnel quickly disabled the compromised campus computer Saturday morning. He said they decided to delay an announcement because they didn't want to disrupt the criminal investigation. He said they also needed to give staff members time to devise a plan for how to proceed.

The hacker was attempting to access files that contained encrypted passwords, according to Davis, who said financial, payroll and student administrative systems were not impacted.

... Tom Putnam, executive director of computing and information services, said this is the first time the university's computer system has been compromised on such a large scale. It remained unclear late Wednesday how much, if any, information the person was able to retrieve. [You did log that activity, right? Bob]

... Putnam said officials know how the hacker was able to infiltrate the system, and there already have been technical changes to the system to address the weakness.

"We learn from our mistakes," said Pierce Cantrell, vice president and associate provost for information technology. "These are complicated systems, and there is a huge learning curve. It's a computer cat-and-mouse game in this business, and I think we do a really good job handling account security."



I wonder when the doctor noticed it was gone?

http://www.newswire.ca/en/releases/archive/March2007/01/c5924.html

SickKids notifies study participants of stolen laptop

TORONTO, March 1 /CNW/ - The Hospital for Sick Children (SickKids) is notifying patients that have participated in 10 different research studies about a stolen laptop that contained their personal health information. The laptop was stolen on January 4, 2007 from the car of a physician who was doing data analysis.

SickKids reported the incident to Ontario's Information and Privacy Commissioner (IPC) and is working in full cooperation with the IPC in an independent review of this incident.

The laptop was password protected and it is not likely that the data could be easily understood by someone who lacks clinical training. [Name and address is too technical for hackers? Bob] Patient care is not affected by this incident since the stolen laptop contained research data and not patient charts.

The studies involved patients in the rheumatology, endocrinology, infectious diseases and cardiac program. Many of the patients in the cardiac studies were treated in the cardiac program at SickKids as children.

Notification letters were sent to study participants who are active patients. In certain circumstances, patients were notified in person at clinic appointments.

The hospital is committed to the protection of patient privacy and is pleased to be working with the IPC on a review of applicable policies and practices to ensure appropriate privacy and security safeguards are in place and that they are clearly and consistently communicated to hospital staff.

Public inquiries may be directed to the hospital's privacy office Monday to Friday 8:30 a.m. to 5:00 p.m. at 416-813-7474, or by email to privacy.office@sickkids.ca. Inquiries may also be directed to the IPC at 416-326-3333, or by email to commissioner@ipc.on.ca.



Not all personal information is stolen. (I bet there will be a new law forbidding this in record time.)

http://www.politico.com/blogs/anneschroeder/0307/DC_Madame_to_Sell_10000_Phone_Records_of_HighEnd_Washington_Clients.html

March 01, 2007

D.C. Madame to Sell 10,000 Phone Records of High-End Washington Clients

Deborah J. Palfrey is unhappy. And, if you know who Deborah J. Palfrey is—and especially if you know her by Jeane—you probably don’t want her unhappy. From 1993 until this past summer, Palfrey ran Pamela Martin and Associates, a “high-end adult fantasy firm which offered legal sexual and erotic services across the spectrum of adult sexual behavior,” according to a statement she put out today hoping to raise funds for her legal defense.

The way she plans to raise those funds could reverberate through Washington’s power corridors. She is considering “selling the entire 46 pounds of detailed and itemized phone records for the 13 year period,” reports The Politico's Ryan Grim. In October, the Internal Revenue Service seized her assets; the sale of the records would fund her fight against the seizure.

Palfrey released what she said were a sample of the records, which don’t include names, but do feature a number of Washington area exchanges.

Her attorney, Montgomery Blair Sibley, said that prices have yet to be set for the data. “We don’t actually know that yet,” he said, “because we haven’t finished mining the data to identify the individuals. Obviously if Bill Clinton’s on the list that’s a different matter than you know, somebody nobody’s ever heard of before.”

But, he said, chances are good that some interesting names will pop up. “Statistically, if you have 10,000 people, and given the structure of this particular service, these weren’t people beckoning from car windows,” he said. “The escorts only responded to four and five star hotels or private residences. And so the landlines will show up on the private residences real quickly.”



He'll probably find a sympathetic jury, too.

http://blog.al.com/spotnews/2007/03/alabama_guard_sergeant_brings.html

Alabama Guard sergeant brings class action suit on VA

Posted by Birmingham News staff March 01, 2007 11:34AM

WASHINGTON -- A staff sergeant in the Alabama National Guard has sued the U.S. Department of Veterans Affairs on behalf of the 535,000 veterans whose personal data were contained on a computer hard drive missing from the Birmingham VA Medical Center since late January.

The case, filed in federal court in Birmingham as a class action, alleges the VA knew or should have known about long-standing security problems that threatened the privacy of veterans. [Congress agrees... Bob]

The VA still has not found the hard drive, which contains data on the veterans plus 1.3 million health-care providers. "With each passing day the chance increases for the plaintiff and those similarly situated to become victims of identity theft," the lawsuit states.

The plaintiff, Greg Fanin, was on active military duty twice in Iraq and once each in Jordan and Qatar, and he has received medical services at VA hospitals between 10 and 15 times since Nov. 2001, the lawsuit states.



I wonder how common this is? An earlier article hinted the same thing had been done in other states, but gave no indications if it was these same guys.

http://www.pogowasright.org/article.php?story=20070301231339442

Stop & Shop keypad theft suspects charged federally

Thursday, March 01 2007 @ 11:13 PM CST - Contributed by: Lyger - In the Courts

Four men suspected of replacing checkout lane keypads at Stop & Shop supermarkets to steal more than 1,000 card numbers of customers were charged in federal court for the alleged scheme.

The four California men appeared Thursday afternoon before U.S. Magistrate David Martin on federal charges of aggravated identity theft and conspiracy to fraudulently traffic in access devices. Martin ordered all four men detained pending a court hearing Tuesday afternoon. They did not enter pleas.



Statistics

http://www.cbc.ca/consumer/story/2007/03/01/identify-fraud.html

1 in 6 Canadians hit by identity theft, survey suggests

About one-third of adults have been suckered by marketing frauds, poll indicates

Last Updated: Thursday, March 1, 2007 | 5:27 PM ET CBC News

Identity theft has hit one out of every six adult Canadians — more than 4.2 million people — either directly or within their immediate households, a survey suggests.

The poll, conducted in 2006 by the Strategic Counsel for the Competition Bureau of Canada, suggests that 17 per cent of Canadians aged 18 or older have either been victimized themselves or had an incident affect someone in their homes.

Even more people have been hit by marketing fraud, according to the survey: 31 per cent or about one in three adults.



Here's a must read.

http://www.bespacific.com/mt/archives/014112.html

March 01, 2007

REAL ID Proposed Guidelines Issued

Press release: "The Department of Homeland Security (DHS) has announced draft regulations in the form of a Notice of Proposed Rulemaking to establish minimum standards for state-issued driver’s licenses and identification cards in accordance with the REAL ID Act of 2005. These proposed regulations set standards for states to meet the requirements of the REAL ID Act, including: security features that must be incorporated into each card; verification of information provided by applicants to establish their identity and lawful status in the United States; and physical security standards for locations where licenses and identification cards are issued."



Seems like a useful guideline – I wonder if there is a US version?

http://www.workplacelaw.net/display.php?resource_id=8322

Are you disposing of confidential waste securely?

1 March 2007

The British Security Industry Association (BSIA) has published guidelines for compliance with the new British Standard 8470.

BS 8470:2006, which came into force last year, gives recommendations for the management and control of the collection, transportation and destruction of confidential material to ensure that such material is disposed of securely and safely.

... The BSIA’s guide to BS 8470:2006 is available to download from: www.bsia.co.uk/publications.


Related?

http://news.com.com/2100-7355_3-6163666.html?part=rss&tag=2547-1_3-0-5&subj=news

Your Wi-Fi can tell people a lot about you

By Joris Evers Story last modified Fri Mar 02 03:34:27 PST 2007

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured login credentials.

Errata Security has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web site queries, Web traffic and more.

"You don't realize how much you're making public, so I wrote a tool that tells you," said Robert Graham, Errata Security's chief executive. The tool will soon be released publicly on the Black Hat Web site. Anyone with a wireless card will be able to run it, Graham said. Errata Security also plans to release the source code on its Web site.

The Errata Security sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it "a network sniffer on steroids."

Snoops can use the sniffer tools to see all kinds of data from wireless-equipped computers, regardless of the operating system.

For example, as a Windows computer starts up, it will emit the list of wireless networks the PC has connected to in the past, unless the user manually removed those entries from the preferred networks list in Windows. "The list can be used to determine where the laptop has been used," Graham said.

Apple Mac OS X computers will share information such as the version of the operating system through the Bonjour feature, Graham said. Bonjour is designed to let users create networks of nearby computers and devices.

Additionally, computers shortly after startup typically broadcast the previous Internet Protocol address and details on networked drives or devices such as printers that they try to connect to, Graham said.

"These are all bits of otherwise friendly information," Graham said. But in the hands of the wrong person, they could help attack the computer owner or network. Furthermore, the information could be useful for intelligence organizations, he said.

And that's just the data snoops can sniff out of the air when a laptop is starting up. If the computer is then connected to a wireless network, particularly the unsecured type at hotels, airports and coffee shops, much more can be gleaned. Hackers have also cracked basic Wi-Fi security, so secured networks can't provide a security guarantee.

In general, experts advise against using wireless networks to connect to sensitive Web sites such as online banking. However, it is risky to use any online service that requires a password.
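The two pre-association leaks the article describes, the saved-network list in probe requests and the previous address plus hostname in a DHCP Request, can be read straight out of raw frames. The following is an added example written for this page, not Errata Security's Ferret or any code from the article; it uses only the Python standard library and decodes constructed frames for a hypothetical client MAC 00:11:22:33:44:55 (the SSIDs, hostname and address are made up for the example). Feeding it a real capture requires stripping the radiotap header and de-encapsulating UDP first, which a tool like Kismet or Ethereal/Wireshark does for you.

```python
"""Decode two pre-association leaks from raw bytes (added example, constructed data):
the SSIDs a client names in 802.11 probe requests (its preferred-network list) and
the previous address plus hostname a client puts in a DHCP Request (options 50 and 12)."""
import struct

MGMT_PROBE_REQ = 4                      # 802.11 management subtype for probe requests
DHCP_MAGIC = b'\x63\x82\x53\x63'
DHCP_TYPES = {1: 'Discover', 2: 'Offer', 3: 'Request', 5: 'Ack'}


def _mac(raw):
    return ':'.join('%02x' % b for b in raw)


def parse_probe_request(frame):
    """Return (source MAC, [SSIDs]) for an 802.11 probe request, or None for any other frame.
    `frame` starts at the Frame Control field (radiotap header already stripped)."""
    if len(frame) < 24:
        return None
    fc = frame[0]                       # bits 2-3: type (0 = management), bits 4-7: subtype
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != MGMT_PROBE_REQ:
        return None
    src = _mac(frame[10:16])            # Addr2 is the transmitting station
    ssids, body, i = [], frame[24:], 0
    while i + 2 <= len(body):           # information elements: id, length, value
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) < elen:
            break                       # truncated capture, stop rather than misparse
        if eid == 0:                    # element 0 is the SSID
            ssids.append(value.decode('utf-8', 'replace') if elen else '<wildcard>')
        i += 2 + elen
    return src, ssids


def collect_probed_ssids(frames):
    """Map each probing client to the set of network names it asked for.
    A directed probe names a network from the client's saved list, which is how the
    'where has this laptop been' inference works; wildcard probes carry no name."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssids = parsed
        seen.setdefault(src, set()).update(s for s in ssids if s != '<wildcard>')
    return seen


def parse_dhcp_leaks(payload):
    """Pull identifying fields out of a DHCP message (the UDP payload).
    Returns message_type, client MAC, requested_ip (option 50) and hostname (option 12)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]                   # hardware address length, 6 for Ethernet/Wi-Fi
    info = {'client_mac': _mac(payload[28:28 + hlen]),
            'message_type': None, 'requested_ip': None, 'hostname': None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info['message_type'] = DHCP_TYPES.get(value[0], str(value[0]))
        elif code == 50 and length == 4:
            info['requested_ip'] = '.'.join(str(b) for b in value)   # the lease it last held
        elif code == 12:
            info['hostname'] = value.decode('ascii', 'replace')
        i += 2 + length
    return info


def _probe(src, ssid):
    """Build a minimal 802.11 probe request (constructed test data, not a real capture)."""
    hdr = b'\x40\x00' + b'\x00\x00' + b'\xff' * 6 + src + b'\xff' * 6 + b'\x00\x00'
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])               # supported rates element
    return hdr + ssid_ie + rates_ie


def _dhcp_request(mac, hostname, requested_ip):
    """Build a minimal DHCP Request as a client renewing its last lease would (constructed)."""
    zero4 = b'\x00' * 4
    hdr = struct.pack('!BBBBIHH4s4s4s4s16s64s128s', 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      zero4, zero4, zero4, zero4, mac + b'\x00' * 10, b'\x00' * 64, b'\x00' * 128)
    opts = (bytes([53, 1, 3])
            + bytes([50, 4]) + bytes(int(o) for o in requested_ip.split('.'))
            + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([255]))
    return hdr + DHCP_MAGIC + opts


LAPTOP = b'\x00\x11\x22\x33\x44\x55'   # hypothetical client
PROBE_FRAMES = [_probe(LAPTOP, b'HomeWifi42'), _probe(LAPTOP, b'AirportFreeWiFi'),
                _probe(LAPTOP, b'Hotel-Guest'), _probe(LAPTOP, b'')]   # last one is a wildcard probe
DHCP_REQUEST = _dhcp_request(LAPTOP, 'jsmith-laptop', '10.0.0.23')

if __name__ == '__main__':
    for mac, names in collect_probed_ssids(PROBE_FRAMES).items():
        print(mac, 'probed for', sorted(names))
    print(parse_dhcp_leaks(DHCP_REQUEST))
```

The point of the two decoders is that none of this requires the client to associate or the network to be open: probe requests are sent in the clear before any key exchange, and a DHCP Request is the first thing a client sends after joining, so the home SSID, the hotel SSID, the hostname and the last office address are all visible to anyone within radio range. Clearing the preferred-network list, as the article suggests, removes the directed probes; the DHCP fields only disappear if the client is told not to send them.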



It may not be obvious why my study of single malt Scotch is important to Homeland Security, but I assure you I will continue my diligent study until I find out!

http://www.bespacific.com/mt/archives/014107.html

March 01, 2007

New Report Reveals Homeland Security Boondoggles Coast To Coast

Press release: "Today, Rep. Anthony Weiner (D-NY), a member of the House Subcommittee on Crime, Terrorism, and Homeland Security, and Rep. Jeff Flake (R-AZ) released a report detailing some of the most outrageous homeland security spending boondoggles from coast to coast. The Congressmen also announced the Homeland Security Transparency Act, which would require public disclosure of all anti-terror spending by cities and states."

  • See also the Targeting Homeland Security Resources Effectively Against Terrorism Act, H.R. 911 - "to secure more urban homeland security funds for New York City, which would be accomplished by limiting eligibility for high threat grants to the 15 cities most at risk of a terror attack."



Perhaps well intentioned, but unlikely to address the problem (see last sentence)

http://www.greenwichtime.com/news/local/newyork/ny-nyclub015113247mar01,0,1729301.story

Legislation eyes nightclubs

BY JUSTIN ROCKET SILVERMAN amNewYork March 1, 2007

Invoking the name of the woman who was raped and killed after leaving a Manhattan bar last year, the City Council passed a package of legislation yesterday aimed at changing the way nightclubs operate.

... Pending the mayor's signature, which is expected, all clubs where dancing is permitted will be required to install surveillance cameras at entrances and exits. While some Council members raised privacy concerns, the overwhelming majority agreed the surveillance tapes would be an invaluable deterrent and aid police if a crime is committed.

All surveillance tapes must be securely stored, and clubs could be fined up to $50,000 if the footage makes its way onto TV or gossip Web sites.

Industry representatives welcomed the surveillance camera vote, but pointed out that 90 percent of clubs with dancing already have such cameras installed.

The bar where Saint-Guillen, a graduate student, was last seen, The Falls, did not have a cabaret license, and would not have been required to have a surveillance camera.



Amusing.

http://news.com.com/Police+blotter+E-spying+OK+in+divorce+case/2100-1030_3-6163368.html

Police blotter: Wife e-surveilled in divorce case

By Declan McCullagh Story last modified Thu Mar 01 11:30:06 PST 2007

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Husband uses keystroke logger to spy on wife's suspected relationship with another woman, who sues to prevent the records from being used in the divorce case.

When: U.S. District Judge Thomas Rose in the southern district of Ohio rules on February 14.

Outcome: Rose denies request for injunction preventing the electronic documents from being introduced as evidence in the divorce case.

What happened, according to court documents:

Once upon a time, tempestuous divorces might have included one spouse snooping through the other's private correspondence or eavesdropping on private conversations taking place in another room.

That kind of snooping was, for the most part, entirely legal. But when the same kind of snooping happens in electronic form, it can be a federal crime. (Last year, Police Blotter covered the case of the Garfinkel divorce. Another case involving spyware arose a year earlier.)

That may or may not be the case here. Jeffery Havlicek filed for a divorce from his wife Amy Havlicek in Ohio's Greene County Common Pleas Court. Amy had been chatting through e-mail and instant messages with a woman named Christina Potter. Jeffery suspected that Potter and his wife, Amy, were romantically involved in a lesbian "relationship of some sort," his attorney would later say in a legal brief.

Around that time, Jeffery installed some sort of monitoring software on the family computer--a Dell Precision 220 that was located in the guest room, was used by multiple family members including teenage children, and did not have a password on it most of the time. (There is disagreement about why the software was installed; Jeffery says it was in part because of his daughter's increased use of the Internet.)

Jeffery has admitted this much. In a sworn affidavit (PDF), he said that he installed an unnamed monitoring utility in September 2005, three months before his wife moved out of their home. The affidavit said the utility "collects keyboard typing, screen shots, and requested access to Web sites... The keyboard typing utility logs the time and sequence of keystrokes... The screen shot logging feature is similar to hitting the 'print screen' button on most keyboards. It saves an image of what appears on the monitor."

He also admitted to downloading e-mail from his wife Amy's Web-based e-mail account, but claimed it was authorized because she had chosen to save her username and password through the browser's "remember me" feature.

In total, Jeffery has acknowledged compiling 80 keyboard and Web site log files in HTML format, more than 2,000 individual screen snapshots in JPEG format, six video tapes, six audio tapes, and numerous other files including "24 electronic documents from diaries, love letters, etc."

He planned to use that vast array of electronic evidence as ammunition to win his divorce case. Eventually his lawyer showed some of the correspondence between Amy Havlicek and Christina Potter to Amy's own attorney. In an affidavit (PDF), Potter claims that the correspondence was also shown to neighbors and a court-appointed custody evaluator "to harass, annoy, and inflict emotional injury on me."

Potter, his wife's alleged paramour, responded by filing a federal lawsuit designed to shut Jeffery up. She asked for an injunction barring any "disclosure" or "dissemination" of the electronic documents, including preventing them from being used in the divorce case taking place in state court.

The Electronic Communications Privacy Act, a federal law, was violated during the recording, Potter claimed. ECPA (18 USC Section 2511) bans anyone from disclosing "to any other person the contents of any wire, oral, or electronic communication" that was obtained illegally.

Potter lost. U.S. District Judge Thomas Rose said that ECPA does not permit courts to disallow such evidence, saying that appeals courts "have concluded that Congress intentionally omitted illegally intercepted electronic communications from the category of cases in which the remedy of suppression is available." He also rejected her request for a broader injunction, saying it would violate Jeffery's freedom of speech as protected by the First Amendment.

Rose did say, however, that "disclosure of the information in state court by Jeffery Havlicek or his attorney" might be "actionable civilly or criminally." He suggested that the "remember me" option probably didn't give Jeffery an implied right to view his wife's e-mail messages. And he ordered Jeffery to provide Potter, his wife's alleged paramour, with the complete set of electronic evidence that he had planned to use in the divorce case.

Excerpt from Rose's opinion:

Because the suppression provision excludes illegally intercepted wire and oral communications from the courtroom, but does not mention electronic communications, several courts, including the Sixth Circuit, have concluded that Congress intentionally omitted illegally intercepted electronic communications from the category of cases in which the remedy of suppression is available.

With this distinction in mind, the court finds that it does not have the authority to forbid the disclosure of the allegedly intercepted communications to the state official determining custody of the Havliceks' children or any other state court proceeding. This is not to imply, however, that disclosure of the information in state court by Jeffery Havlicek or his attorney might not be actionable civilly or criminally under 18 USC (Section) 2511. In any event, the court's inability to enjoin the presentation of this evidence in state court does not resolve the question of whether the injunction on disclosing this information in other context should issue. Therefore, the court will proceed to consider the appropriateness of relief in this case, beginning with plaintiff's chances of succeeding on the merits.

Defendant's response to the motion for preliminary injunction claims that the keystroke recording and screen shot recording software do not record communications contemporaneously with the transmission of the communications. Contemporaneousness was an element originally introduced to 18 USC (Section) 2511 when the law applied only to wire and oral communications...

We conclude that the term "electronic communication" includes transient electronic storage that is intrinsic to the communication process for such communications. That conclusion is consistent with our precedent...

Moreover, the court views the screen shot software as distinct from the keystroke software in regards to the interstate commerce requirement. In contrast to the keystrokes, which, when recorded, have not traveled in interstate commerce, the incoming emails subjected to the screen shot software have traveled in interstate commerce. Additionally, there is no evidence before the court to allow any conclusion that the technical aspects of the instant case result in Potter's claim being defeated by a lack of contemporaneousness, even if the court were to find this element necessary...

Defendant raises another hurdle to success on the merits, however, by referring to the case of United States v. Ropp, which focuses on the requirement in 18 USC (Section) 2510(12) that the interception be of an interstate or foreign communication or be of a communication affecting interstate commerce. Ropp notes that keystroke software records the entirely internal transmission from the keyboard to the CPU, and records all keystrokes, whether they initiate signals destined to travel in interstate commerce or not. The decision, however, seems to read the statute as requiring the communication to be traveling in interstate commerce, rather than merely "affecting" interstate commerce. It seems to this court that the keystrokes that send a message off into interstate commerce "affect" interstate commerce...

Because the ECPA does not provide for the relief of suppression of illegally intercepted electronic communications sought to be used as evidence in a court case, and because a balancing of plaintiff's impending irreparable harms and the public interest in the requested injunction against plaintiff's likelihood of success on the merits of her claims weighs in favor of not granting the requested injunction, plaintiff's motion for preliminary injunction, Doc. 16, is denied.



Very un-amusing. I guess these judges don't use e-mail. Perhaps the teacher in Connecticut who claims the images on her (the school's) computer were spam is also doomed.

http://law.enotes.com/decision-blog/2007-03/another-reason-to-hate-spam

Another Reason to Hate Spam

March 1st, 2007 by Robert Loblaw

U.S. v. Kelley, 05-10547 (9th Cir., Mar. 1, 2007) http://www.ca9.uscourts.gov/ca9/newopinions.nsf/DFBE33482E8C5FA5882572910008EA61/$file/0510547.pdf

Here’s an interesting Fourth Amendment decision about whether law enforcement has probable cause to search based solely on the fact that a suspect has received emails containing images of child pornography. A divided panel of the Ninth Circuit concludes that the answer is yes. Judge Rymer writes the majority decision, which is joined by the busy retiree herself, Justice Sandra Day O’Connor.

Judge Thomas dissents, arguing that the scourge of unsolicited emails means that anyone could be a target for a search under today’s decision. Here, the only evidence in the warrant affidavit was that the defendant received emails with unlawful images. Judge Thomas believes that Ninth Circuit precedent requires some additional showing that the emails were solicited or that the defendant would be inclined to view and keep them.



...perhaps red or blue depending on your political leanings?

http://news.wired.com/dynamic/stories/S/SEX_PREDATORS_LICENSE_PLATES?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

Ohio Sex Predators May Get Green Car Tag

Mar 1, 3:18 PM EST updated Fri, March 02, 2007

COLUMBUS, Ohio (AP) -- Ohio already tags repeat drunken drivers' cars with bright yellow license plates. Now it wants to make convicted sexual predators use fluorescent green ones.

... Christine Link, executive director of the American Civil Liberties Union of Ohio, criticized the proposed requirement as political grandstanding. She said it could leave children with the idea that anyone without the special plates was safe to approach. [Perhaps we could paint these people fluorescent green? Bob]



Attention virtual lawyers!

http://blog.johnedwards.com/story/2007/2/27/21847/2507

John Edwards Second Life HQ vandalized.

robinrising in News Feed of 2/28/2007 at 3:51 PM EST

Vandalism at John Edwards SL HQ

Shortly before midnight (CST) on Monday, February 26, a group of republican Second Life users, some sporting "Bush '08" tags, vandalized the John Edwards Second Life HQ. They plastered the area with Marxist/Leninist posters and slogans, a feces spewing obscenity, and a photoshopped picture of John in blackface, all the while harassing visitors with right-wing nonsense and obscenity-laden abuse of Democrats in general and John in particular.

I witnessed this event, taking names and photos, [The lead vandal was named D. Duck, and had a speech impediment. Bob] including the owners of the pictures. I also kept and saved a copy of the chat log. I have filed an abuse report with Linden Labs, and am awaiting their investigation.



Useful?

http://digg.com/microsoft/Microsoft_Launches_New_Web_Site_for_Beginner_Developers

Microsoft Launches New Web Site for Beginner Developers

The Beginner Developer Learning Center (BDLC) is a free, one-stop shop for learning Windows and Web programming fundamentals. It includes a learning path which starts with the absolute basics like how a Web browser works and builds on that with videos, tutorials, and downloadable sample projects using CSS, JavaScript, HTML, ASP.NET, VB, and C#.

http://msdn.microsoft.com/vstudio/express/beginner/
