Same old same old.
Security alert as thousands told bank details have been stolen
THOUSANDS of county council staff are at risk of identity theft after their highly confidential bank and national insurance details were stolen.
A lap top computer containing the personal information of up to 19,000 staff - complete with names and addresses - was taken in a street robbery.
... "We will be raising issues about the council's practices and policies and asking if they will be looking at how this sort of thing is done in the future," he added. [Suggests there was no problem with this employee having all those records on his personal computer... Bob]
“Can you hear me now?”
Feb. 23, 2007, 10:30PM
County clerks could face jail, fine in privacy breaches
By POLLY ROSS HUGHES Austin Bureau
AUSTIN — County clerks could spend six months in jail and be fined $1,000 for releasing records historically accessible to the public that contain Social Security numbers, according to the state attorney general.
Representatives of county officials statewide called the ruling "huge" in its implications, saying compliance could cost local taxpayers millions of dollars, including countless extra hours of labor.
... Attorney General Greg Abbott, responding to questions raised by Fort Bend County officials, said it is mandatory for county clerks and other government officials to remove Social Security numbers before distributing public documents.
The question arose because state public information law was amended two years ago to say county clerks "may" remove Social Security numbers on documents they archive and distribute to the public.
Abbott, citing other portions of state law and federal law, said Texans have a right to keep their Social Security numbers private. Therefore, county officials are required to delete them before releasing documents to the public.
... Abbott's opinion warns that disclosure of confidential information such as Social Security numbers is a criminal offense under the Texas Public Information Act, and that applies to all county clerk records.
Clerks are not required to redact Social Security numbers from original, certified documents, but are they required to remove the numbers and note they have done so when releasing them to the public, the opinion says.
... Even so, it will cost local taxpayers at least $17.4 million for new software and servers to remove Social Security numbers from the electronic documents, he said. [Nonsense! What are they trying to do? Store LESS information in exactly the same applications. No new software or hardware needed. Bob]
... "The direction the attorney general gives is very expensive in some cases, impractical in other cases and impossible in the rest," Lee said. [In other words, you don't know how to manage it. Bob]
Is there a good way to tell your customers/patients/whoever that you “lost” their data? Perhaps not, but some efforts are better than others.
Data Breach Hits Close to Home
I took some time off work last fall to spend with my wife, who had just been diagnosed with a golf-ball-sized tumor in her brain that needed to be removed. With the help of a few well-connected friends, we were privileged to have her seen by one of the top neurosurgeons in the world, a surgical ninja at The Johns Hopkins Hospital in Baltimore.
The surgery was a great success, and the wife is just fine now. She carries nary a lingering symptom, visible scar or traumatic memory from the ordeal, save perhaps for the seemingly endless stream of bills and letters from our health insurance provider.
That is, until last week, when she returned from the mailbox with a letter from the hospital alerting us that she was among some 83,000 Hopkins patients whose hospital records may have been compromised on account of a lost backup tape.
According the letter, the lost tape contained data on new patients seen between July 4 and Dec. 18, 2006, or who had changes to their demographic information during that time. Among the data stored on the tape was the patient's name, mother's maiden name, father's name, race, sex, birth and medical record number. However, Hopkins was emphatic that there was no medical or Social Security data on the tapes.
I must have read the letter three times in all, and at first I was pretty alarmed. But looking back now, I must say I don't think I've ever read a more thorough breach notification. The letter explained in detail what they thought happened to the backup tape and listed a number of reasons why Hopkins believed the risk to patient privacy was low in this case (many other medical data breach notifications I've read ask you simply to accept their pat answer that there is little chance of the data being misused). The hospital created a very informative Web site for affected patients, and listed a toll-free number for people who don't have Internet access.
More importantly, the letter took the time to clearly explain what steps patients can take to protect themselves. Rather than stating merely that patients have the right to a free copy of their credit reports, the letter lists the steps consumers need to go through to get a copy of their credit report, what a fraud alert means, and how it may affect patients who later seek to obtain new lines of credit. In addition, the notification suggests patients stagger the ordering of their free credit reports from each of the credit bureaus over an entire year. Finally, the letter reminds recipients that scam artists may try to call victims pretending to offer "assistance," and that the hospital will not contact patients by telephone, e-mail or ask for personal information related to the incident.
The approach Hopkins took in response to this incident stands in stark contrast to the way some other health care providers have handled patient data losses of late. Two different Kaiser Permanente hospitals had lost laptops over the past nine months that endangered patient data, but I could find no Web site set up to alert affected patients about either incident, nor could I find any mention of either incident on Kaiser's news releases page.
Maybe the company was still reeling from a fine last year by the California Department of Managed Health Care, which found that that Kaiser created a systems diagram Web site used as a testing portal by its IT staff that contained confidential patient information, including names, addresses, telephone numbers and lab results.
The phone number Kaiser set up for affected patients leads to a voice mailbox asking the caller to leave a message; the message promises a call back at some point. The Hopkins line explains pretty much everything in the letter, and then allows callers to speak with a real, live person at Hopkins' "identity safeguards" division.
Kaiser executives also were quoted in the press downplaying one of the incidents without any information to back up their claims. Of a stolen laptop containing patient medical records for patients in Colorado, company officials were quoted as saying that the still-missing laptop was stolen merely for its "street value," not for the data contained within it.
02/23/07 -- 04:06 PM
Skinner: DHS needs to shield personal information
By Alice Lipowicz Staff Writer
The Homeland Security Department is not doing enough to protect personal identifying information within its computer systems, according to a new report from DHS Inspector General Richard L. Skinner.
Lots of interesting comments. My favorite: “$100 says this guy has a huge short on ebay stock.”
Hacker May Be Exposing eBay Back Door
Posted by Zonk on Friday February 23, @04:30PM from the maybe-buy-a-hackerproof-door dept. Security The Internet
pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."
Interesting and useful read...
What would you do as chief information security officer
Ellen Messmer, Network World 19/02/2007 14:38:52
Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, "chief security officer," which might include physical security as well -- isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.
The Dissection of a Rootkit
February 23, 2007 By Lisa Vaas
Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.
If we make the firefighters do it, then we can convince the kids that they “can be just like a real firefighter!” and eventually all second class citizens will be chipped, just like a heard of cows...”
FDNY TRACKING CHIP A BRAVEST NEW WORLD
By DAVID SEIFMAN, City Hall Bureau Chief
February 24, 2007 -- If a new Fire Department plan works out, every firefighter will have a chip on his shoulder - or near some other body part - capable of transmitting data to a firetruck [not the “few inches” the industry claims? Bob] and eventually to FDNY headquarters.
The high-tech plan is aimed at insuring that no firefighter ever goes missing, as occurred when off-duty and former firefighters rushed to the World Trade Center on 9/11.
... The FDNY already has the capability of displaying the schematics of virtually every building in the city.
Scoppetta said the idea is to "see the figures actually in the building. You'd know what floor they're on. How many are on the floor. You'd be able to communicate, warn them of conditions developing. That's what we're shooting for."
... The FDNY has already installed GPS devices in its ambulance fleet and on many firetrucks.
"We can now see over 57 of the engines as they move back and forth," Scoppetta said.
"Once we have computer-aided dispatch for fire, [What do they use now, homing pigeons? Bob] police and EMS, we can avoid multiple dispatches."
Scoppetta said privacy objections would be misplaced in this case.
They asked the wrong question. They should have asked for evidence that any vote was recorded as cast.
Audit: Fla. Voting Machines Didn't Err
Feb 23, 6:08 PM EST updated Sat, Feb 24, 2007
By STEPHEN MAJORS Associated Press Writer
TALLAHASSEE, Fla. (AP) -- An audit of touch-screen voting machines at the center of a dispute in a congressional election found no evidence of malfunction, [They ripped off the election just like they were supposed to... Bob] the Florida secretary of state said Friday.
... The audit report released Friday said an independent study of the source code of the machines used in the election found no evidence of malfunction.
Tips on text message security from your friendly police department spokesperson...
Feb 24, 6:24 AM EST
Text Messages Land Teacher in Hot Water
MURRAY, Ky. (AP) -- A middle school teacher trying to buy pot was arrested after she sent text messages to state trooper instead of a dealer, police said.
... "She learned her lesson. Program your dealers into your phone, [We'd like the evidence stored neatly... Bob]" Meadows said.
Dilbert sums up the RIAA, MPAA and many others.