Tuesday, December 14, 2010

This is a data management failure. I suspect no one paid any attention to a machine that was “clearly not a computer.” Consider: The information may have been entered into this machine in order to “tag” the resulting data with the patient's ID – to avoid mixing it up with another patient. What possible reason is there for capturing so much data and keeping it on the machine after the results are transmitted?


Mountain Vista Medical Center notifies 2,284 endoscopy patients of missing records

December 13, 2010 by admin

A few mainstream media news organizations such as Arizona Republic and KPHO are reporting a breach involving Mountain Vista Medical Center in Mesa, AZ. A notice posted to the medical center’s site dated December 10 says:

On October 13, 2010, Mountain Vista Medical Center became aware that compact memory data cards containing information related to procedures occurring January 1, 2008 through October 12, 2010, were missing from two endoscopy machines in the Endoscopy Unit. The compact memory data cards include the following information about the patients: full name, date of birth, age, sex, hospital medical record number, physician last name, date and time of procedure, type of procedure, and procedure image(s). We have no reason to believe that the information involved in this incident has been accessed or improperly used. [and no reason to believe it has not. Bob]

Social security numbers, credit card numbers, addresses, and telephone numbers were not included on the data cards.


As of the time of this posting, the incident is not up on HHS’s breach reporting site, but I expect we’ll see it there by the end of this week.

[From the Medical Center's website:

In addition to conducting a thorough investigation of the incident, we have revised our security procedures involving storage of the compact memory data cards, have modified the endoscopy machines to no longer use the compact memory data cards, and have retrained our Endoscopy Unit employees on confidentiality and security procedures.]

It's always good to use your assets at 100%, and so all network users get the same level of service but you can bypass that lousy, congested old network for a fee. ...


Comcast Accused of Congestion By Choice

"A kind soul known as Backdoor Santa has posted graphs purportedly showing traffic through TATA, one of Comcast's transit providers. The graphs of throughput for a day and month, respectively, show that Comcast chooses to run congested links rather than buy more capacity. Keeping their links full may ensure that content providers must pay to colocate within Comcast's network. The graphs also show a traffic ratio far from 1:1, which has implications for the validity of its arguments with Level (3) last month."

I'll add a category: You are the government, and there ain't nothing I can do...


Evolution of Privacy Breach Litigation?

December 13, 2010 by Dissent

Sasha Romanosky writes:

In addition to empirical work on data breaches and breach disclosure laws, I’ve also become very interested in data breach litigation. While plaintiffs have seen very little success with legal actions brought against companies that suffer data breaches, I still believe there is some very interesting empirical work that can be done regarding these lawsuits.

In a recent post, Daniel Solove cited a paper by Andrew Serwin (found here) who described in great detail the legal theories and statutes that plaintiffs use when bringing legal actions against companies that suffer data breaches. It isn’t my purpose to repeat that work, but rather to identify an interesting pattern that appears to have emerged over the past 5 to 10 years of privacy breach litigation. Special thanks to Paul Bond of Reed Smith LLP who first brought this to my attention.

Read more on Concurring Opinions

So if you make up a story about me, I can treat that as a Privacy violation. How about if Bernie Madoff made up the story?


Opinion: “Defamation and False Privacy”

December 13, 2010 by Dissent

Hugh Tomlinson QC writes:

It is now well established in English law that a claim for misuse of private information can be brought in relation to information which purports to be private information about the claimant, whether or not the information is true. French privacy law has long recognised the actionability of such publications – for example, in the case of Bardot v Ici Paris (TGI Paris, 1st Chamber, 28 March 1984) where the actress recovered damages in respect of a false story of a suicide attempt.


In the leading case of McKennitt v Ash ([2006] EWCA Civ 1714; [2008] QB 73) the Court of Appeal confirmed that the English law took a similar approach. As Longmore LJ said in an oft quoted passage:

“The question in a case of misuse of private information is whether the information is private not whether it is true or false. The truth or falsity of the information is an irrelevant inquiry in deciding whether the information is entitled to be protected and judges should be chary of becoming side-tracked into that irrelevant inquiry” [86].


There is, therefore, a potential overlap between privacy and defamation. In Terry v Persons Unknown ([2010] EWHC 119 (QB)) Mr Justice Tugendhat expressed the view that privacy and defamation only overlap in a limited class of cases. He identified four, there being no difficulty in the first three groups of cases:

Read more on Inforrm’s Blog.

So I really don't own the things I buy? Would this hold for patents, like those on my car?


Supreme Court Rules Against ‘First-Sale’ Copyright Doctrine

The Supreme Court on Monday said Costco could be liable for copyright infringement for selling foreign-made watches without the manufacturer’s authorization.

The high court — ruling 4-4, with Justice Elena Kagan recused — was interpreting the so-called “first-sale” doctrine of U.S. copyright law. Until Monday’s ruling, the doctrine was thought to allow the purchaser of a copyrighted work to re-sell the work without the copyright holder’s permission. That’s why we have used bookstores, record stores, GameStop and even eBay.

However, because there was no majority decision, Monday’s ruling solely affirms a lower court’s decision against Costco and does not adopt a nationwide precedent.

For my Computer Security and Ethical Hackers


Fortinet: Job outlook improving for cybercrooks

Cybercriminals are likely to find more jobs next year, one of five top trends forecast by security vendor Fortinet.

In an ironic twist in the job market, more positions will open up for developers who can write customized malware packers, people who can break CAPTCHA codes, and distributors who can spread malicious code, according to Fortinet.

And though cybercrooks have typically deployed their own botnets themselves, Fortinet believes this job will increasingly be farmed out to middlemen, citing the Alureon and Hiloti botnets as two examples of malware distributed this way. Money mules responsible for wiring funds and cashing checks will also need to be replaced as always.

In another trend predicted for next year, cybercriminals are expected to rely more on using existing source code to create new and slightly different strains of malware. Since similar malware today already appears under different names and aliases, this growing trend is likely to further confuse the meaning of names assigned by various security vendors.

The bad guys may end up fighting more amongst themselves as different botnets battle for spots on the same systems. The more control a certain botnet can have and the longer it can stay resident, the greater the cash flow, says Fortinet. Already, certain malware includes "bot killers," designed to eliminate competing bots found on the same machines. As a result, malware writers will increasingly need to keep their infections quiet and discreet and avoid impacting or crashing the machines on which they run.



What you need to know about the Gawker breach (FAQ)

This weekend's breach of Gawker has readers of the blogging empire's Web sites scrambling to see if their e-mail addresses have been publicly exposed, but even people who don't use the site can learn lessons from what happened.

What happened?

The Web site and back-end database of Gawker were published on the Pirate Bay BitTorrent site on Sunday. It included Gawker source code, information about a possible site redesign, instant messages between employees, and about 1.3 million user account passwords, usernames, and e-mail addresses. While they were encrypted using DES (Data Encryption Standard), simple passwords may be vulnerable to a brute force attack.

Jon Oberheide, chief technology officer at Duo Security, used a tool called John the Ripper on the passwords and wrote a blog post about some interesting patterns he found.
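A note on what “encrypted using DES” buys an attacker, since the excerpt leaves it at “simple passwords may be vulnerable.” The format John the Ripper cracks here is the DES-based Unix crypt(3) hash (John calls it “descrypt”): it uses only the first eight characters of the password, a two-character salt drawn from 64 symbols (4096 salts in total), and a transform that is fast enough to try whole wordlists in bulk. The Python below is an added example, not code from the CNET article, from Oberheide's post or from Gawker. It assumes the hashes are in that crypt(3) DES format; the four accounts, their passwords, salts and the wordlist are constructed for the example, and the code falls back to the C library's crypt(3) through ctypes because Python 3.13 dropped the `crypt` module.

```python
"""Added example (not from the article): dictionary attack on DES-based
crypt(3) password hashes, the "descrypt" format John the Ripper handles.

Why a DES-crypt dump is weak:
  * only the first 8 characters of the password are used,
  * the salt is 2 chars from [./0-9A-Za-z], i.e. 12 bits (4096 values),
  * the transform is fast, so a wordlist can be tried in bulk.
All usernames, passwords and hashes below are constructed for this
example; none of it is data from the real dump.
"""
import ctypes
import ctypes.util
import string

SALT_CHARS = "./" + string.digits + string.ascii_letters  # 64 symbols


def _load_des_crypt():
    """Return a des_crypt(password, salt) callable.

    Python's `crypt` module was removed in 3.13, so fall back to the
    C library's crypt(3) through ctypes when the module is missing.
    """
    try:
        import crypt as _crypt
        return lambda pw, salt: _crypt.crypt(pw, salt)
    except ImportError:
        pass
    candidates = [ctypes.util.find_library("crypt"), "libcrypt.so.1",
                  "libcrypt.so.2", None]  # None = the process's own libc
    for name in candidates:
        try:
            lib = ctypes.CDLL(name)
            fn = lib.crypt
        except (OSError, AttributeError):
            continue
        fn.restype = ctypes.c_char_p
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

        def des_crypt(pw, salt, _fn=fn):
            out = _fn(pw.encode(), salt.encode())
            # libxcrypt signals an unsupported/disabled scheme with a
            # "*"-prefixed failure token instead of a hash.
            if out is None or out.startswith(b"*"):
                raise RuntimeError("crypt(3) does not support DES here")
            return out.decode()
        return des_crypt
    raise RuntimeError("no crypt(3) implementation available")


des_crypt = _load_des_crypt()

# Constructed accounts and wordlist; "carol" has a password longer than 8 chars.
ACCOUNTS = {"alice": "password", "bob": "lifehack",
            "carol": "password123", "dave": "Xk9#pL2qZ7"}
SALTS = {"alice": "a1", "bob": "b2", "carol": "c3", "dave": "d4"}
WORDLIST = ["123456", "password", "lifehack", "qwerty", "letmein", "monkey"]


def make_dump(accounts=ACCOUNTS, salts=SALTS):
    """Hash each account's password the way a DES-crypt site would store it."""
    return {user: des_crypt(pw, salts[user]) for user, pw in accounts.items()}


def crack(dump, wordlist=WORDLIST):
    """Try every wordlist entry against every hash.

    The salt is the first two characters of the stored hash, so the
    attacker hashes each word once per distinct salt rather than once
    per user; with only 4096 salts that stays cheap for a large dump.
    """
    by_salt = {}
    for user, h in dump.items():
        by_salt.setdefault(h[:2], []).append((user, h))
    found = {}
    for salt, entries in by_salt.items():
        for word in wordlist:
            candidate = des_crypt(word, salt)
            for user, h in entries:
                if candidate == h:
                    found[user] = word
    return found


def truncates_to_eight(salt="ab"):
    """True if DES crypt ignores everything after the 8th character."""
    return des_crypt("password123", salt) == des_crypt("password", salt)


def salt_space():
    """Number of distinct salts a DES-crypt dump can contain."""
    return len(SALT_CHARS) ** 2  # 4096


if __name__ == "__main__":
    dump = make_dump()
    for user, h in dump.items():
        print(f"{user:6} {h}")
    print("cracked:", crack(dump))
    print("truncates after 8 chars:", truncates_to_eight(), "salts:", salt_space())
```

Run it and "carol" falls to the word "password" even though her password was "password123": the ninth character onward never enters the hash, which is why a "strong" long password offers no protection in this format, and why the cracked set Oberheide analysed is dominated by short, common strings.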

Tools & Techniques


RedPhone: Encrypt Your Phone Calls

RedPhone is a free-to-use smartphone application for Android-running phones.

Tools & Techniques for anyone who doesn't know what a “sambolated cornab*” is...


WordWeb Makes It Easy To Define Words In & Outside Your Web Browser

Trying to keep up with lots of blogs and useful articles on the web can certainly help you learn lots of technical lingo and expand your vocabulary. Thus, it makes sense to want to find a seamless way to define words instead of having to Google search on a new tab every single time.

There are a few programs that make the searching experience a whole lot easier. MakeUseOf has previously reviewed Lingoes, a portable program that brings up dictionary definitions and translations in a convenient in-line popup. If you’re on a Mac, you might just have to expand the built-in Dictionary app. For Windows, there’s a very neat and highly-rated dictionary tool, WordWeb, that might just be a very capable solution.

You can download it from CNET here, where it has been rated 4.5 stars by users and 5 stars by the CNET staff.

… If you’re a Chrome user, there are two separate extensions that do somewhat what this single program does (but sort of conflict if you use them together):

For Firefox users, there’s the QuickWiki extension.

[* Yes, I made that up. Bob]
