Maine breach reports obtained by DataBreaches.net
August 6, 2010 by admin
To follow up on my curiosity about what kind of year 2010 is turning out to be, I decided to use a primary source. Thanks to the cooperation of officials in Maine who responded promptly to my requests under Freedom of Information, I was able to obtain data on all breaches reported to them for this calendar year to date.
As background: Maine’s statutes require breach notification of breaches involving electronic data and use an “unauthorized acquisition” standard. Although financial institutions experiencing breaches are required to report to the state, the statute only applies to state-chartered banks and credit unions. Maine has approximately 30 state-chartered banks. Reportable breaches are reported to one of several state bureaus: Consumer Protection, Insurance, Financial Regulation, or Securities. There is no exemption for health care or HIPAA-covered entities, and health care insurers report breaches to the Insurance bureau.
Maine has received information on at least 93 breaches so far this year. In stark contrast to the recent Verizon report indicating that financial sector breaches accounted for over 90% of compromised records and 33% of all breaches in the merged Verizon-USSS dataset, there have been no reports from banks or credit unions in Maine so far this year. Although that may sound surprising, it is not as surprising when compared to last year’s figures when they received 2 reports from banks for the whole year. Of course, this doesn’t mean that there haven’t been any breaches affecting the financial sector, merely that there have been no reports from covered banks. The Securities bureau has received 3 reports so far this year, two of which were also submitted to Consumer Protection. The Insurance bureau has received 4 reports so far this year. The vast majority of the breach reports were submitted to the Consumer Protection Bureau.
Of the reported breaches, 58 of the incidents had previously been noted on DataBreaches.net or PHIprivacy.net, although for many of them, there were — and continue to be — no individual breach reports with sufficient details. Table 1 (pdf) summarizes these breach incidents with links to both the report to Maine and its previous coverage or note on my sites.
Table 2 (pdf) summarizes the 35 breach reports received by Maine this year that were either never reported in the media or on this site before. While a few of the breaches reported in Table 2 might have affected a large number of individuals, the total numbers were not reported and there was insufficient data to perform certain analyses.
Some observations on the 93 breaches reported to Maine since the beginning of this year:
47 incidents were reported as HACKS (51%). Four of these specifically cited malware, but information/details were not available for many of the hacking incidents.
10 incidents involved LOST/MISSING devices or records (11%). Of these, three involved loss by an employee, while the other 7 involved loss by carriers or third parties.
14 involved THEFT (15%). These included two incidents where laptops were stolen from vehicles, eight incidents of thefts from the organization’s offices, two thefts off-site, one theft from a field representative’s office, and one theft where the location was not reported.
14 incidents involved a Subcontractor, Affiliate, or Carrier (15%). Of these, 8 involved lost/missing incidents, 1 involved a burglary, 2 involved printing errors, and 3 involved employee misconduct.
7 incidents involved EMPLOYEE MISCONDUCT (8%). Four of these involved employees of the organization, while 3 involved employees of affiliates or vendors.
10 other incidents involved EMPLOYEE ERROR resulting in exposure (11%). These incidents included web exposure, accidental attachment of sensitive information to e-mails, etc. They do not include the 3 incidents where employees lost information. If those were included, the employee non-malicious error category would account for 14% of all reports. When employee conduct, error, and loss are combined, employee involvement was identified in 22% of reports. It is important to note that we cannot assume that employees were not involved in numerous hack/compromised systems reports where no details were provided, so the 22% may be an underestimate.
Businesses and Retail accounted for 57 incidents (61%), which is consistent with the studies’ findings. Of that figure, the Hospitality subsector had 18 incidents (19% of all breach reports). The hospitality sector represents a smaller percentage than I would have expected based on a Trustwave report and the two new studies.
Because there was so much information missing, it did not make sense to try to analyze records exposed or compromised.
Copies of the breach reports provided by Maine are being sent to the Open Security Foundation for the Primary Sources project, so hopefully, these should all also be available on their site as well as this one.
Update For my Ethical hacker class. The duties of “Custodians”
Ex-SF Admin Terry Childs Gets 4-Year Sentence
Posted by timothy on Saturday August 07, @08:13AM
"You remember Terry Childs, right? He was finally sentenced Friday. Childs got four years in prison for refusing to hand over passwords to his bosses. This is a denial of service under California law." [Even thought “service” to end-users was never interrupted. Bob]
For your Computer Security manager. A cautionary tale for senior managers who don't think it's worth spending money on logs...
Child Porn As a Weapon
Posted by Soulskill on Friday August 06, @11:59AM
"Want to get rid of your boss and move up to his position? Put kiddie porn on his computer then call the cops! This was the cunning plan envisaged by handyman Neil Weiner of east London after falling out with school caretaker Edward Thompson too many times. Thankfully, Weiner didn't cover his tracks quite well enough to avoid being found out — earlier boasts about his plan to friends at a BBQ provided the police with enough evidence to arrest him for trying to pervert the course of justice. Frighteningly, however, between being charged with possession of indecent images and being exonerated, innocent (if 'grumpy') Thompson was abused and ostracized for eight months by neighbors and colleagues. With computer forensics for police work often being performed by 'point 'n click'-trained, nearly-retired cops, or languishing in a 6-month queue for private sector firms to attend to it, the uncomfortable question is raised: how easily might this trick have succeeded if Weiner had been a little more intelligent about it?"
(Related) I've mentioned this before, but it would be a worthy accompaniment to the previous article.
'Porn mode' not necessarily anonymous
The private browsing options provided by the four major Web browser publishers aren't as anonymous and secure as most users might think, researchers at Stanford University's Computer Science Security Lab said in a new paper (PDF) to be published next week at the Usenix Security Symposium.
What action should we expect if “the company's own database” flags you as a car thief? All the usual questions apply: How do you correct bad data being the biggie. One mistake and you could find yourself subjected to a full cavity search every time you park you car.
UK: Big Brother facial recognition cameras being rolled out in NCP car parks
August 6, 2010 by Dissent
British citizens are the most watched people on Earth. Each UK citizen is caught on camera an average of 3,000 times a week.
And it’s about to get worse.
New facial recognition cameras are now being trialled in car parks in a bid to identify potential car thieves.
NCP is testing the controversial ‘Big Brother’ cameras in a number of Manchester car parks.
Footage of people entering the company’s car parks will be automatically scanned. Their faces will be checked to see if they match pictures of known or suspected car thieves held on the company’s own database.
Read more in the Daily Mail.
I guess this isn't being viewed as the electronic equivalent of “follow that car!” Would this mean other electronic means (OnStar, the car's BlackBox, traffic cameras, surveillance drone, etc.) are also suspect? Does it apply even to tracking individuals use of the Internet for “Behavioral Advertising?”
Court Rejects Warrantless GPS Tracking
August 6, 2010 by Dissent
From my heroes at EFF:
The U.S. Court of Appeals for the District of Columbia Circuit today firmly rejected government claims that federal agents have an unfettered right to install Global Positioning System (GPS) location-tracking devices on anyone’s car without a search warrant.
In United States v. Maynard, FBI agents planted a GPS device on a car while it was on private property and then used it to track the position of the automobile every ten seconds for a full month, all without securing a search warrant. In an amicus brief filed in the case, EFF and the ACLU of the Nation’s Capital argued that unsupervised use of such tactics would open the door for police to abuse their power and continuously track anyone’s physical location for any reason, without ever having to go to a judge to prove the surveillance is justified.
The court agreed that such round-the-clock surveillance required a search warrant based on probable cause. The court expressly rejected the government’s argument that such extended, 24-hours-per-day surveillance without warrants was constitutional based on previous rulings about limited, point-to-point surveillance of public activities using radio-based tracking beepers. Recognizing that the Supreme Court had never considered location tracking of such length and scope, the court noted: “When it comes to privacy…the whole may be more revealing than its parts.”
The court continued: “It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person’s hitherto private routine.”
“The court correctly recognized the important differences between limited surveillance of public activities possible through visual surveillance or traditional ‘bumper beepers,’ and the sort of extended, invasive, pervasive, always-on tracking that GPS devices allow,” said EFF Civil Liberties Director Jennifer Granick. “This same logic applies in cases of cell phone tracking, and we hope that this decision will be followed by courts that are currently grappling with the question of whether the government must obtain a warrant before using your cell phone as a tracking device.”
“GPS tracking enables the police to know when you visit your doctor, your lawyer, your church, or your lover,” said Arthur Spitzer, Legal Director of the ACLU-NCA. “And if many people are tracked, GPS data will show when and where they cross paths. Judicial supervision of this powerful technology is essential if we are to preserve individual liberty. Today’s decision helps brings the Fourth Amendment into the 21st Century.”
Attorneys Daniel Prywes and Kip Wainscott of Bryan Cave LLP also volunteered their services to assist in preparing the EFF-ACLU brief.
For the full opinion: http://www.eff.org/files/filenode/US_v_Jones/maynard_decision.pdf
For more information on the case, formerly known as U.S. v. Jones: http://www.eff.org/cases/us-v-jones
W.D.Tex. clarifies USMJs’ position on cell phone tracking orders, summarizing all the case law
August 6, 2010 by Dissent
Oops — I missed this one on FourthAmendment.com the other day:
A Magistrate Judge of the Western District of Texas issues an opinion summarizing five years of case law to guide applications for cellular site location information (“CSLI”). In re United States for an Order: Authorizing the Use of a Pen Register and Trap and Trace Device, 2010 U.S. Dist. LEXIS 77319 (W.D. Tex. July 29, 2010).
(From the opinion:)
What is the significance of the conclusion that a cell phone acts as a tracking device when it transmits information about its location? The significance is that if cell phones squarely meet the definition of “tracking devices” it is time to stop treating them as something else, at least when the Government seeks to use them to track a person’s movements. Rule 41 contains express procedures governing tracking device warrants, and those procedures need to be followed with regard to future requests for CSLI. This means several things. First, in past applications, the Government has taken the position that it has no obligation to provide notice of the tracking to the cell phone user, as its notice obligation was met by service of the order on the telecommunications provider from whom it received the CSLI. This does not meet the requirements of Rule 41, which provides that when a tracking device warrant is authorized, “the officer must serve a copy of the warrant on the person who was tracked or whose property was tracked.” FED. R. CRIM. P. 41(f)(2)(C). 19 Thus, warrants seeking CSLI must meet this obligation of Rule 41. Similarly, a return must be filed, as with all other warrants. FED. R. CRIM. P. 41(f)(2)(B).
Read more on FourthAmendment.com.
Eventually, everyone is impacted by HIPAA. Probably should have started an organization to analyze the law and gather “best practices” – then sell that information to the
victims organizations impacted.
CDT breaks down proposed changes to HIPAA
By Dissent, August 6, 2010
The Center For Democracy and Technology (CDT) just sent out this announcement:
The U.S. Department of Health and Human Services (HHS) proposed a set of significant updates to health privacy rules. The proposed rule tackles how sensitive patient information is handled under the Health Insurance Portability and Accountability Act (HIPAA), which is the nation’s foremost health privacy law. The rule is open for public comment until September 13th, and CDT intends to file a set during this period.
Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, CDT is encouraged that HHS’ proposed rule would strengthen patient privacy, data security and enforcement of the law. The proposed rule contains numerous changes to the HIPAA Privacy Rule; of those changes, CDT considers the four discussed below to be the most consequential.
1) Business Associates
Read their analysis and commentary at http://cdt.org/policy/cdt-breaks-down-proposed-changes-hipaa
Thousands of ‘Subcontractors’ May Soon Have to Comply With HIPAA
By Dissent, August 6, 2010
AIS’s Health Business Daily has reprinted an article from REPORT ON PATIENT PRIVACY that talks about the expansion of mandates to subcontractors:
Perhaps the biggest surprise in HHS’s July 14 proposed rulemaking was a concept that went beyond language contained in the HITECH Act, namely the appearance of the term “subcontractors” in the list of organizations that would have to comply with the same privacy and security regulations as business associates.
“This will have a huge impact because it means that there are many, many people who have to comply with the HIPAA rules who didn’t have to before,” Kristen Rosati, a partner with Coppersmith Schermer & Brockelman PLC in Phoenix, tells RPP. “It really vastly expands the universe of organizations that have to comply with these regulations.”
Read more on AISHealth.com.
The Optimist in me says, “Thank God, they finally came to their senses.” The Pessimist says, “The data just moved to a secret database because this one is drawing too much attention.”
UK Switches Off £235M Child Database
Posted by timothy on Saturday August 07, @05:13AM
"The UK's controversial ContactPoint database has actually been switched off! It's rare that we hear anything this sensible from government about an expensive, privacy-destroying, 'think of the children' solution: 'The government argued the system was disproportionate to the problem, [Note that they did not say this solution is too big/intrusive. Perhaps they meant they wanted a bigger, more intrusive solution? Bob] so is looking at developing other solutions.' Perhaps the UK coalition government really is winding back Big Brother, as they had promised to do? Does seem unlikely."
I'm thinking that this might make an interesting research project for my IT classes. Do they even bother to consider grouping their data into categories like: “What should pass to my heirs,” “What should be returned to my employers,” and “What should be burned before reading?” Is there a business opportunity here?
Web-Based Private File Storage?
Posted by kdawson on Friday August 06, @02:14PM
"Recently, someone died in our company, and word is getting around that the admins who were given access to his Outlook account have found personal things that are embarrassing at best (the rumor mill differs on what was found). No matter, it raises a question. I have personal stuff in Outlook folders that I would not want someone in IT to see if I suddenly dropped dead: emails to the wife, photos of the kids, that kind of thing. I also keep a journal at home that I save to a server; personal reflections that I never want anyone else to see, especially if I die. So I was thinking that some sort of web-based storage for files, individual emails, and perhaps even Outlook folders would be perfect. All my most private personal stuff in one place. I found CryptoHeaven, which seems to offer some of what I'm looking for — but it is pricey. I'm willing to pay, but something less than $400/year would be nice. Best would be a service with a dead-man's switch, so that if I don't access it in, say, three months, it auto-purges. Any thoughts?"
Implications for the security of Cloud Computing!
Cache On Delivery — Memcached Opens an Accidental Security Hole
Posted by timothy on Saturday August 07, @02:00AM
"If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the internet, including gowalla, bit.ly and PBS."
For my Geeks.
The 10 Best HighDef Video Podcasts For Geeks
Interesting. Not sure I like these, but my students may well.
aXmag.com - Create A Digital Magazine
The days in which starting and running a magazine was something that only a selected few could do are not just gone, they are completely inexistent. Now, the services provided by sites such as aXmag make the creation and distribution of your own publication over the WWW something as easy and instant as merely sending out an email.
aXmag will let you take a PDF and have it turned into a high-quality Flash file that will come with streaming page loading and stepless magnification. What’s more, the resulting file will be a small one - sharing it won’t be a problem at all.
This conversion process can be carried out in two different ways. You can either upload the PDF that you want converted and then retrieve the resulting file, or you can get the desktop converter that is provided and use it to convert your files from anywhere - even from places in which an Internet connection is limited, or completely unavailable.
Both options can be tried for free, and if you find that aXmag suits your needs you can proceed to buy a license through the site, and gain unlimited access to the application. Both a standard and a pro version are available, too.
I'm not sure this is a reason to use Chrome as your default browser, but I do keep a copy on my system “just in case”
3 Google Chrome Extensions To Make Great Screenshots
With the three Chrome extensions discussed below, you can snap and annotate screen snapshots without ever leaving your browser. With one of these tools, you can even take screenshots from your desktop and other applications!
When one of your students diagrams a brilliant idea on the whiteboard, you just snap a picture with your phone, email it to these guys and get back a clean, ready to share, image!
SnapClean: Simple Photo Cleanup Tool
Due to their rough background, images of drawings and texts on whiteboards or napkins are not as clear as one would prefer. If you have such a picture, you can use SnapClean to tidy it up.
SnapClean tidies up images which have an almost-white background. What SnapClean does is increase the contrast of the images until you see only the writing / drawing on a white background thereby ‘tidying up’ your image.
The process works in 4 easy steps:
You obtain a digital picture of the text or image on the whiteboard or napkin.
You email the image to firstname.lastname@example.org
SnapClean tidies up the image.
SnapClean emails back the tidied up picture to you.