Monday, March 31, 2008

Either management didn't know how big the breach was, or they are applying the TJX strategy.

http://www.pogowasright.org/article.php?story=20080328144146916

(follow-up) Administrative Systems Inc. breach affects 2,960 New Yorkers

Monday, March 31 2008 @ 07:46 AM EDT Contributed by: PrivacyNews News Section: Older News Stories

In February, over a month after the theft of a computer from their Seattle office, Administrative Systems, Inc. sent out notification letters to those affected. ASI, a third party administrator, also created a web site about the breach. On the home page, ASI reported that the breach affected "several" of their clients. Notification letters were sent to the employees or customers of those clients.

But was it really only "several" clients? ASI's notification letter to New Hampshire, which had 439 residents affected, had an exhibit listing over 20 carriers or client firms affected by the breach. One of the carriers affected was Union Security Insurance Company, which also underwrites the group disability plan for the Milwaukee Teachers' Education Association. They reported that approximately 3000 of their teachers were affected by the theft.

Now PogoWasRight.org has obtained a copy of ASI's notification to New York State. The letter indicates that 2,960 NYS residents had personal information on the stolen computer. Attached to ASI's notification to NYS was an exhibit listing 36 carriers in NYS for whom ASI maintained information. The list includes American Family Life Insurance, Continental American Insurance, Fidelity Service Co., Transamerica Life Insurance Company and US Life, as well as Union Security Insurance Company, For Your Good Health, National Medical Health Card, and Physicians Plus Plans.

The stolen computer, which was password-protected, contained unencrypted names, dates of birth, Social Security numbers and according to ASI's web site, "certain other personal information." As reported to us by one of those affected who was advised by ASI's call center staff to contact her bank, at least some of the "other personal information" included banking information for those who pay their insurance premiums through direct debit from checking.

ASI has not responded to several requests for information on the breach. To date, there have been no media reports indicating the computer was recovered or that any arrest has been made.



File this one under responses to: “We are announcing the theft of your personal data, but don't worry because you haven't reported any crime to us!”

http://www.pogowasright.org/article.php?story=20080330085456460

An “isolated” mistake by Chase leads to ID theft years later (commentary)

Sunday, March 30 2008 @ 08:54 AM EDT Contributed by: PrivacyNews News Section: Breaches

Dan McLean of the Burlington Free Press reports on an ID theft case that is troubling on a number of levels. I’ve previously blogged about cases where banks erroneously include someone else’s bank statement or misdirect a bank statement, but here’s a case where one of those “isolated incidents” that generally do not get much attention had serious consequences. And once again, consumers may have little recourse because of gaps in laws that protect consumers.

David and Jennifer Fountain’s problems started in 2001, when Chase Manhattan Mortgage Corp. sent their annual mortgage interest statement to a man in Michigan with the same name — David Fountain. That David Fountain returned the misdirected statement to the Vermont couple promptly, and they thought all was well until a collection agency came after them for an account in Michigan seven years later.

Source - Chronicles of Dissent blog



...because...

http://www.pogowasright.org/article.php?story=20080331060840373

Data “Dysprotection:” breaches reported last week

Monday, March 31 2008 @ 06:08 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



For your Security Manager...

http://www.f-secure.com/weblog/archives/00001409.html

Shedding (Black)Light on the Master Boot Record

Posted by Antti @ 13:47 GMT Monday, March 31, 2008

A while ago we blogged about the MBR rootkit, which has been getting attention from all the security vendors. We're glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we've seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.

You can download standalone BlackLight here.
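The F-Secure post says only that the MBR rootkit lives in the boot sector and needed new detection technology; it does not describe what BlackLight now does. As an added example (not F-Secure's code, and not the method BlackLight uses), the following Python parses a 512-byte MBR, checks the 0x55AA signature, hashes the 446-byte boot-code region and compares it against a trusted baseline, which is the simplest way to notice that the boot code on a disk is no longer what was installed. The sample sectors, boot stubs and partition entry are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the region an MBR rootkit overwrites
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_start, sector_count) tuples. Used here only to
    construct sample sectors; CHS fields are left zeroed."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds 446 bytes")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba_start, count in partitions[:4]:
        sector += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, count)
    sector += b"\x00" * (SECTOR_SIZE - 2 - len(sector))
    sector += BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and split the sector into a boot-code hash
    and the list of non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a trusted baseline MBR with a freshly read one and report
    which region changed: boot code and partition table are reported
    separately, since a rootkit typically replaces only the former."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings


# Constructed sample data (not real disk contents): a stand-in boot stub and
# one NTFS-type (0x07) partition starting at LBA 2048.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
BASELINE = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32, SAMPLE_PARTITIONS)
# Same partition table, different boot code, which is what a boot-path
# hijack leaves behind.
TAMPERED = build_mbr(b"\xe9\x00\x01" + b"\x90" * 36, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print("baseline vs baseline:", diff_mbr(BASELINE, BASELINE))
    print("baseline vs tampered:", diff_mbr(BASELINE, TAMPERED))
```

The caveat that matters in practice: a rootkit that is already running can hook the disk driver and hand back the original sector when the MBR is read through the infected operating system, so a comparison like this is only trustworthy when the sector is read from outside the running system (boot media, or a read path that bypasses the hooked driver). The baseline must also be refreshed whenever a legitimate boot-loader update rewrites the boot code, or every update looks like an infection.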



I wonder if this is a template that can be converted for a more general audience?

http://www.bespacific.com/mt/archives/017971.html

March 30, 2008

DHS Releases Privacy Technology Implementation Guide and Incident Handling Guidance

  • Privacy Technology Implementation Guide (PTIG), August 2007 (PDF, 36 pages):

  • [This is the correct link: http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_ptig.pdf Bob]"The Privacy Office developed a new general guide for technology managers and developers to integrate privacy protections into operational IT systems. This new guide, the Privacy Technology Implementation Guide (PTIG) combines elements of privacy protection from disparate privacy compliance requirements, as well as administrative policies and procedures into a single document, contextualized for managers and developers of operational systems. The PTIG is designed to allow each Component the flexibility to adapt privacy considerations to the way that Component does business while retaining a common DHS approach. The result is a new guide that provides early awareness of privacy issues and the aspects of systems that can be managed and developed to address privacy issues and streamline the process of complying with existing privacy protection requirements."

  • Privacy Incident Handling Guidance (PIHG), September 2007 (PDF, 109 pages): "The Department of Homeland Security (DHS) has a duty to safeguard personally identifiable information (PII) in its possession and to prevent the breach of PII in order to maintain the public’s trust. The Privacy Incident Handling Guidance (PIHG) serves this purpose by informing DHS organizations, employees, senior officials, and contractors of their obligation to protect PII and by establishing procedures delineating how they must respond to the potential loss or compromise of PII."

    Additional documents from the DHS Privacy Policy Guidance, Action Memorandum released:

  1. Attachment 2: Protecting & Handling Personnel-Related Data – Quick Reference Guide (PDF, 2 pages)

  2. Attachment 3: Verification and Confirmation Memorandum Templates (Self-Assessment and Training Certifications), (PDF, 2 pages)

  3. Attachment 4: DHS Employee Communication from Scott Charbo and Maureen Cooney regarding Data Security and Privacy, June 8, 2006 (PDF, 2 pages)

  4. Attachment 6: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (PDF, 22 pages)



Is this practice for CyberWar, and if not, how do we tell the difference?

http://www.pogowasright.org/article.php?story=2008033015354794

Ca: Health agency crippled by computer bug last year

Sunday, March 30 2008 @ 03:35 PM EDT Contributed by: PrivacyNews News Section: Breaches

The federal agency that helps protect Canadians against epidemics came down with a devastating case of computer cramps last year that could have put lives at risk.

Hundreds of computers at the Public Health Agency of Canada fell victim to a "worm," a bit of malicious software that nearly brought operations to a halt.

The infection began with just a few computers but spread like a Prairie grass fire, eventually knocking out 1,308 work stations in three cities and taking more than a month to eradicate, say newly released documents.

[...] Government protocols require that sensitive, confidential information about patients, doctors, drugs, and so forth be stored on a highly secure server. But the injury assessment noted that "there is a lack of technical and administrative controls to control and audit the unauthorized storage of information on corporate desktops."

The released file suggests officials could not determine for certain whether confidential information leaked out.

And spokespersons for the public health agency and for Health Canada did not immediately respond to requests for comment and clarification, such as what kinds of sensitive information was placed at risk by the worm infestation.

Source - CTV.ca



http://www.nytimes.com/2008/03/30/nyregion/30text.html?_r=2&oref=slogin&oref=slogin

City Subpoenas Creator of Text Messaging Code

By COLIN MOYNIHAN March 30, 2008

When delegates to the Republican National Convention assembled in New York in August 2004, the streets and sidewalks near Union Square and Madison Square Garden filled with demonstrators. Police officers in helmets formed barriers by stretching orange netting across intersections. Hordes of bicyclists participated in rolling protests through nighttime streets, and helicopters hovered overhead.

These tableaus and others were described as they happened in text messages that spread from mobile phone to mobile phone in New York City and beyond.

... Last month, however, the New York City Law Department issued a subpoena to Tad Hirsch, a doctoral candidate at the Massachusetts Institute of Technology who wrote the code that created TXTmob.

... Messages were exchanged by self-organized first-aid volunteers, demonstrators urging each other on and even by people in far-flung cities who simply wanted to trade thoughts or opinions with those on the streets of New York. Reporters began monitoring the messages too, looking for word of breaking news and rushing to spots where mass arrests were said to be taking place.

And Mr. Hirsch said he thought it likely that police officers were among those receiving TXTmob messages on their phones.



Yeah, it's a New York Times Op-Ed, but I'll probably toss it to my statistics students in any case... (and point out that the analysis is obviously flawed.)

http://www.nytimes.com/2008/03/30/opinion/30strogatz.html?ex=1364616000&en=96af12bdef4456f7&ei=5124&partner=digg&exprod=digg

A Journey to Baseball’s Alternate Universe

By SAMUEL ARBESMAN and STEVEN STROGATZ Published: March 30, 2008 Ithaca, N.Y.

... The sport’s most mythic achievement is Joe DiMaggio’s 56-game hitting streak, a feat that has never come even close to being matched.

... In a fit of scientific skepticism, we decided to calculate how unlikely Joltin’ Joe’s achievement really was. Using a comprehensive collection of baseball statistics from 1871 to 2005, we simulated the entire history of baseball 10,000 times in a computer.

... And Joe DiMaggio is nowhere near the likeliest player to hold the record for longest hitting streak in baseball history. He is No. 56 on the list. (Fifty-six? Cue “The Twilight Zone” music.) Two old-timers, Hugh Duffy and Willie Keeler, are the most probable record holders. Between them, they set the record in more than a thousand of the parallel baseball universes. Ty Cobb did it nearly 300 times.

DiMaggio held the record 28 times. Plus once more, when it counted.
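The Op-Ed describes the method only as simulating baseball history 10,000 times and counting who holds the longest streak in each run. As an added example (not the authors' code or data), here is the skeleton of that experiment in Python: each game is an independent chance of getting at least one hit, a career is a sequence of such games, and each "universe" is one replay of every career. The per-game hit probabilities and career lengths below are constructed for illustration, not real statistics, so the counts say nothing about DiMaggio or anyone else.

```python
import random


def longest_streak(game_hits) -> int:
    """Length of the longest run of consecutive games with at least one hit."""
    best = run = 0
    for hit in game_hits:
        run = run + 1 if hit else 0
        best = max(best, run)
    return best


def simulate_career(p_hit_game: float, games: int, rng: random.Random = None) -> int:
    """One simulated career: each game is an independent draw with
    probability p_hit_game of producing at least one hit."""
    if rng is None:
        rng = random.Random()
    return longest_streak(rng.random() < p_hit_game for _ in range(games))


def record_holder_counts(players: dict, universes: int, seed: int = 0) -> dict:
    """Replay `universes` alternate histories and count how often each
    player ends up holding the longest streak. Ties go to the player
    listed first, which is a simplification the Op-Ed does not discuss."""
    rng = random.Random(seed)
    counts = {name: 0 for name in players}
    for _ in range(universes):
        holder, best = None, -1
        for name, (p_hit_game, games) in players.items():
            streak = simulate_career(p_hit_game, games, rng)
            if streak > best:
                holder, best = name, streak
        counts[holder] += 1
    return counts


# Constructed, illustrative inputs only (not real career statistics):
# (probability of at least one hit in a given game, games played).
PLAYERS = {
    "high-average short career": (0.85, 1200),
    "lower-average long career": (0.78, 3000),
    "typical regular": (0.70, 2000),
}

if __name__ == "__main__":
    for name, wins in record_holder_counts(PLAYERS, universes=2000).items():
        print(f"{name:28s} {wins}")
```

Running it shows the point the authors make: the player who holds the record most often is driven by per-game hit probability and career length together, not by a single real streak. It also makes the model's assumptions visible (every game independent, a fixed probability per player, no streak-ending injuries or benchings), which is where a statistics class can start picking the analysis apart.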
