Wednesday, October 13, 2010

Is this merely another case of poor security management or do companies truly believe that “it can't happen to us?”

Watch those portable devices, Tuesday edition

By Dissent, October 12, 2010

Maryland-based HomeCall Inc. recently notified the Maryland Attorney General’s Office that an employee’s portable point-of-care device was stolen. The device contained names, addresses, SSN, medical record number, diagnoses, and treatment information. HomeCall reports that the device was “multi-level password protected” (but not encrypted). In correspondence to those affected, HomeCall stated that the device required a user/pass to login and then a second user/pass to access the program containing the patients’ electronic medical records. Eleven Maryland residents were notified of the breach and the company subsequently encrypted all portable devices.

What a pity that so many entities wait until after they’ve had a breach to encrypt. After all this time, is there really still any excuse not to either have encrypted sensitive data on devices or have implemented some equally effective security?

Nothing says encryption solves all problems. Here the data was apparently encrypted with the wrong key.

Encryption didn’t prevent this breach

October 12, 2010 by admin

A report to the Maryland Attorney General’s Office from ING gave me pause because I don’t remember ever seeing a security issue like this before in a breach report. In their notification, ING writes (emphasis added by me):

ReliaStar Life Insurance Company (RLIC) is responsible for premium administration for RLIC insurance products purchased by employees of our clients. An encrypted electronic file containing the personal information of one client’s employees, including several Maryland resident (sic), was inadvertently made available to another company’s Human Resources (HR) department due to an isolated administrative error. The encrypted file included the individual’s (sic) name and social security number. Our password-based registration encryption system prohibits the wrong addressee from opening an encrypted e-mail. Because the e-mail was addressed to the wrong client, that client was able to open the e-mail.

The receiving (incorrect) employer notified ING on June 3 and ING worked with them to securely delete the file and protect the data.

Of the individuals affected, 473 were Maryland residents.

Why different rules to cover the same data?

Tuesday, October 12, 2010

Lots of health data breaches reported to HHS, only trivial ones to FTC

With just over a year having passed since the health data breach notification rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, an interesting contrast has emerged between the breaches disclosed to the Department of Health and Human Services (HHS) by HIPAA-covered entities and business associates and those disclosed to the Federal Trade Commission (FTC) by organizations that provide personal health records (PHRs) and associated services, but are not covered by HIPAA. As reported on Monday and evidenced by the complete listing of breaches posted by the FTC, as far as the FTC is aware there have been no major breaches (those involving 500 or more individuals) in the past year. All 13 of the breaches reported to the FTC involved lost or stolen credentials, which presumably could result in an unauthorized party gaining access to a user's personal health information, but no actual loss of data seems to have been involved. It may or may not be interesting to note that all the breaches reported also came from one company: Microsoft. [Perhaps they are the only ones in compliance? Bob] In contrast, the current count of breaches reported to HHS is 181, all of which involve 500 or more individuals, many of which apparently involve loss or theft of data (or laptops or other paper or electronic record storage devices).

It seems fair to ask, can any substantial conclusions be drawn from the paucity of breaches reported to the FTC or their relative triviality? No one appears to be suggesting that the data protection practices of organizations subject to the FTC's data breach rule are superior to those of those covered under HHS' rules, so why so few breaches reported to the FTC? Several possible explanations come to mind, only some of which have anything to do with security or privacy practices:

  • The population of organizations subject to the rule is small. The FTC's Health Breach Notification Rule, following language in the HITECH Act (§13407), applies specifically to "vendors of personal health records" and third-party service providers who are not covered by HIPAA. The total number of these vendors is very small relative to the number of covered entities and business associates subject instead to HHS' rules.

  • Breaches of encrypted data do not have to be reported. Following HITECH (§13402), both the HHS and FTC data breach notification rules apply to breaches of unsecured data, meaning data that has not been "rendered unusable, unreadable, or indecipherable" through the use of recommended technologies such as data encryption. It is possible that some PHR vendors who might have suffered relevant incidents had no cause for concern, and no reason to disclose them, because the data in question was encrypted.

  • Not many people use PHRs from non-HIPAA-covered vendors. This is not meant to imply that vendors like Dossia, Google, and Microsoft have so few users of their PHRs that a data loss, if one occurred, wouldn't potentially rise to the level of a major breach, but instead to suggest that there may be more attractive targets for malicious attackers to go after among health care organizations.

  • Technology company employees (may) have better security awareness. Surely a suggestion open to challenge, but with the frequency with which health data breaches occur due to intentional or inadvertent misuse by employees (that is, authorized users), PHR vendors whose business depends to a great extent on their ability to secure customers' data might logically make security and privacy awareness a higher priority among the employees who have access to the data. Also, it shouldn't be overlooked that, unlike employees of health care organizations, PHR vendor employees have little or no reason to access personal health information stored in their systems.

I seem to learn more about the law reading articles that claim the judge got it wrong than I do when reading articles that attempt to summarize the entire field.

Romano and Facebook: Muddling Toward the Law of Privacy on Social Networks

October 12, 2010 by Dissent

David K. Isom writes:

Those of us who watch the development of the law of electronic discovery, information security and privacy usually have nothing better to do on a Saturday night (except last Saturday when we saw the movie “The Social Network”) than kibitz about how information on Facebook and other social networks is impacting and will likely impact civil lawsuits. Last month, a New York trial court in Romano v. Steelcase took a crack at some of these issues. While the New York court got the bottom line right — relevant information on Facebook and other social media is generally discoverable — some of its reasoning is baffling, some wrong and some spot on.

Read more on InfoLawGroup. I had previously commented as a non-lawyer that I thought the judge reached the right decision but via faulty logic. I am delighted to see David try to explain what was confusing or wrong from a legal perspective.

If they monitored social networks without a specific threat (granted, for a high profile event) why would they just stop after the inauguration?

New FOIA Documents Reveal DHS Social Media Monitoring During Obama Inauguration

October 12, 2010 by Dissent

Jennifer Lynch of EFF writes:

This is part two of a two part series. Read part one.

As noted in our first post, EFF recently received new documents via our FOIA lawsuit on social network surveillance that reveal two ways the government has been tracking people online: Citizenship and Immigration’s surveillance of social networks to investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the second of two posts describing these documents and some of their implications.

In addition to learning about surveillance of citizenship petitioners, EFF also learned that leading up to President Obama’s January 2009 inauguration, DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for “items of interest.” In a set of slides [PDF] outlining the effort, DHS discusses both the massive collection and use of social network information as well as the privacy principles it sought to employ when doing so.

Read more on EFF.

Dilbert brilliantly summarizes the ethical and privacy implications of Behavioral Advertising.

Interesting. Why not add Starbucks, libraries and unsecured home wifi?

Dutch Hotels Must Register As ISPs

Posted by timothy on Tuesday October 12, @11:00PM

"The Dutch telecommunications authority OPTA has announced that Dutch hotels must register as internet providers (original version, in Dutch) because that is what they formally are, according to Dutch laws. It is well possible that once hotels are officially internet providers, they will also have to abide by the European regulations on data retention and make efforts to link email headers and other data traffic to individual hotel guests. Could this also happen in other European countries? This is probably not likely to lead to a more widespread adoption of free WiFi services in hotels."

A preview of things to come?

IRS Servers Down During Crucial Week

Posted by timothy on Tuesday October 12, @07:30PM

"A planned server outage turned into an unplanned glitch for the Internal Revenue Service, and it comes at a very bad time. The IRS planned the server outage for the holiday weekend ... but today they couldn't get the system back into operation. This week is the deadline for filing 2009 tax returns for taxpayers who got extensions. So far it's not having a huge impact since the shutdown only involves the updated version of the e-filing system, and most programs used by large tax companies like H&R Block will default to the older version. There's no estimate on when the system will be back up."

Security AND surveillance Fun for my Computer Forensics students.

Canon Blocks Copy Jobs Using Banned Keywords

Posted by CmdrTaco on Tuesday October 12, @08:18PM

aesoteric notes that a future version of Canon's document management system will include the exciting breakthrough technology that will OCR your printed and scanned documents, and prevent distribution of keywords. Documents containing the offending words can be sent to the administrator, without actually telling the user just what word tripped the alarm. The article notes that simply using 1337 for example will get around it.

[From the article:

Uniflow allows printers, scanners, copiers and multifunction devices to be managed centrally.

This allows a record to be kept of how many documents have been printed and by whom for billing purposes - essential for professions that bill clients by the hour or by the amount of work done, such as lawyers and architects.

… Once configured by an administrator, the system can prevent a user from attempting to print, scan, copy or fax a document containing a prohibited keyword, such as a client name or project codename.

The server will email the administrator a PDF copy of the document in question if a user attempts to do so. [Perhaps a minor hack will allow me to receive a BCC copy of those emails... Bob]
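The article above points out that a literal keyword filter is defeated simply by writing the keyword in 1337-speak. The following added example is not Canon's or Uniflow's code; the prohibited-keyword list and the substitution table are constructed placeholders. It contrasts a naive substring match with a pattern that tolerates common character substitutions and inserted separators, which is the kind of normalization an administrator tuning such a filter would want, and it returns the hit details only for the administrator's report, mirroring the behaviour the article describes.

```python
import re

# Constructed watch list; placeholder values, not from any real deployment.
PROHIBITED_KEYWORDS = ["project falcon", "acme corp"]

# Common substitutions each letter may appear as (an illustrative subset).
LEET_VARIANTS = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!|", "l": "l1|",
    "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}


def naive_match(text, keywords=PROHIBITED_KEYWORDS):
    """Literal case-insensitive substring match, as a simple filter would do.
    Misses 'pr0ject_f4lc0n' entirely."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def keyword_pattern(keyword):
    """Expand a keyword into a regex that tolerates leet substitutions and
    separator characters (dots, underscores, spaces) inserted between letters."""
    parts = []
    for ch in keyword.lower():
        if ch == " ":
            continue  # the joiner below already allows any separators here
        if ch.isalpha():
            variants = LEET_VARIANTS.get(ch, ch)
            parts.append("[" + re.escape(variants) + "]")
        else:
            parts.append(re.escape(ch))
    # Allow zero or more non-word characters between every character.
    return re.compile(r"[\W_]*".join(parts), re.IGNORECASE)


COMPILED = {k: keyword_pattern(k) for k in PROHIBITED_KEYWORDS}


def hardened_match(text, patterns=COMPILED):
    """Keywords whose substitution-tolerant pattern occurs in the text."""
    return [k for k, pat in patterns.items() if pat.search(text)]


def scan_document(ocr_text, patterns=COMPILED):
    """Decision a print/scan hook would return: whether to block the job, plus
    the keyword, offset and matched text for the administrator's report only
    (the user is told nothing about which word fired)."""
    hits = []
    for keyword, pat in patterns.items():
        for m in pat.finditer(ocr_text):
            hits.append((keyword, m.start(), m.group(0)))
    return {"blocked": bool(hits), "hits": hits}


if __name__ == "__main__":
    # Constructed OCR output lines.
    for line in ["Status update on pr0ject_f4lc0n budget",
                 "A.C.M.E. C0rp invoice",
                 "Quarterly cafeteria menu"]:
        print(repr(line), "naive:", naive_match(line),
              "hardened:", scan_document(line))
```

Looser patterns raise the false-positive rate, so in practice the substitution table and the separator allowance are tuned per keyword; the trade-off is the same one the article hints at, between catching trivial rewrites and flagging harmless documents.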

(Related) The downside of a tool like this is huge. Think of it as “book burning” for e-book users. No more organizing political opposition via Twitter...

Apple Patents Anti-Sexting Device

Today the US Patent and Trademark Office approved a patent Apple filed in 2008, which, get this, prevents users from sending or receiving “objectionable” text messages.

… The “Sexting” patent background info states that the problem it solves is that there is currently “No way to monitor and control text communications to make them user appropriate. For example, users such as children may send or receive messages (intentionally or not) with parentally objectionable language.”

(Related) Lots of fun uses. Eliminate any sign of protesters, hide the assassin's face, etc.

Erasing Objects From Video In Real Time

Posted by timothy on Wednesday October 13, @08:09AM

Smoothly interpolating away objects in still pictures is impressive enough, but reader geoffbrecker writes with a stunning demonstration from Germany's Technical University of Ilmenau of on-the-fly erasure of selected objects in video. Quoting:

"The effect is achieved by an image synthesizer that reduces the image quality, removes the object, and then increases the image quality back up. This all happens within 40 milliseconds, fast enough that the viewer doesn't notice any delay."

(Related) Or we can put you at the scene of the crime, or put your face on the assassin...

MovieReshape: New abs for old actors

Want giant biceps in all those home videos you're posting to YouTube? Forget hassling with barbells and simply adjust the muscularity control slider in MovieReshape, an image alteration program developed at the Max Planck Institut Informatik in Germany. The system allows for "quick and easy manipulation of the body shape and proportions of a human actor in arbitrary video footage"--without frame-by-frame manipulation.

Common errors people make with passwords translate directly into a lecture on “How to access password protected systems” for my Ethical Hackers. (Your security is only as strong as your weakest user)

Survey Shows How Stupid People Are With Passwords

Posted by CmdrTaco on Tuesday October 12, @02:06PM

"Another study was released to today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."

Welcome to the 21st Century!

October 12, 2010

GAO Pilots New Web-Based Format for Reports - E-Report project offers enhanced navigation for users

"Beyond the usual findings and recommendations for improving federal operations, a new report from the U.S. Government Accountability Office (GAO) is the first to offer a web-based E-Report format to help users navigate content more easily... The new pilot format, which is part of a report on geostationary environmental satellites (GAO-10-799), allows users to quickly access those sections of the report that are of interest to them. Using links on the sidebar and within the pages of the report, users will have instant access to the report’s highlights, objectives, findings, recommendations, agency comments, and supporting evidence. A podcast discussing the report can also be played directly from the E-Report page. The traditional PDF version can be downloaded there as well. The pilot also allows for enhanced use of color in charts and graphics and GAO is seeking direct feedback from users about the new format. The pilot E-Report can be found at"

If I knew THAT was what my students were saying, I'd have flunked them all.

10 Online Slang Dictionaries To Learn Jargon & Street Language

If I didn't mention this in my Ethical Hacking class, how would we know what rules to break? Mentions many useful resources.

The Internet and the death of ethics
