Tuesday, March 15, 2011

I can't wait for nation-wide electronic health records. I'm not certain this is “Cloud Computing” but IBM appears to be involved at some level.

http://www.databreaches.net/?p=17077

Yet another Health Net breach raises disturbing questions

March 14, 2011 by admin

More is starting to come out about the Health Net breach involving missing server drives that we first learned of earlier today in a press release from CT’s Attorney General. His press release was followed by a press release from Health Net. Now a few more details have emerged:

Kathy Robertson of the Sacramento Business Journal reports that the breach may affect 1.9 million people and that:

The California Department of Managed Health, the regulatory agency that oversees HMOs, announced Monday it has launched an investigation into Health Net’s security practices.

The agency estimates records for more than 622,000 members in health plans regulated by the Dept. of Managed Health Care may have been compromised, as well as records for 223,000 members in products regulated by the Department of Insurance. Records for some Medicare beneficiaries also may be lost.

The Dept. of Managed Health Care’s press release can be found on their site.

The fact that we’re getting our information from sources other than Health Net does not speak well for Health Net, in my opinion. Indeed, the fact that their press release references “several” drives while Attorney General Jepsen’s press release and California’s press release indicate nine drives suggests that Health Net officials haven’t gotten the message about transparency and may be trying to downplay the extent of the incident rather than controlling the story by getting the details out in their own statements. In addition to failing to be straightforward about the number of drives involved:

  • Health Net’s press release did not provide any numbers - even though they know they have to provide numbers to HHS that will be revealed publicly on HHS’s web site. As the Los Angeles Times reports:

Health Net would not say how many computer drives or people were affected. The managed health care department, citing Health Net as its source, said nine drives were missing, with information on 1.9 million current and former members.

  • Additionally, Health Net has not publicly revealed precisely when they first became aware of the unaccounted-for drives and when those drives were last accounted for.

Of course, even though it is Health Net whose name is in the news for this breach, they really may be entitled to some empathy if the breach should turn out to be IBM’s responsibility as their IT vendor. But — assuming for now that these drives weren’t encrypted or they wouldn’t be reporting this breach and offering two years of credit protection services:

  • Why weren’t the drives encrypted? Even if it was IBM’s responsibility to encrypt the drives (and I’m not sure it was), Health Net should still have been auditing or checking its vendor’s compliance with any security protocols in the contract.

There is much more we need to learn about this breach. And hopefully, HHS will do a thorough investigation that considers Health Net’s past track record on losing devices with unencrypted PHI. A 2009 breach that occurred before the new HITECH reporting requirements went into effect resulted in fines and actions by both Connecticut and Vermont for late notification of both affected individuals and the states and failure to comply with HIPAA security requirements. Will HHS take any enforcement action against Health Net over this breach? Only a lot of time will tell.

[From the Health Net press release:

This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives.

[From the Sacramento Business Journal:

Health Net Inc. has launched an investigation into a security breach at its Rancho Cordova data center... [Leading me to conclude that IBM was running their data center rather than hosting their data in the cloud. Bob]



Sounds like they never considered security when they set this up.

http://www.databreaches.net/?p=17070

UK: University of York leaks private details of entire student body

March 14, 2011 by admin

The University of York’s student publication, Nouse, blows the whistle on a breach at the university involving exposure of student information:

On a student enquiry screening function enabled on the website, and open to the general public, the private details of any registered student were made freely accessible. This included all their personal details such as mobile numbers, home and term-time addresses, and date of birth.

In addition, particular concern was raised over the publication of the details of all students’ registered emergency contacts, including the disclosure of names, email addresses and mobile numbers. Most emergency contacts are close relatives or friends who do not attend the University themselves.

The search also disclosed the AS and A-Level results of all students, as well as their personal photo submitted for the University card.

[...]

The information has been available and accessible for over a week, though after being alerted of the security breach this morning, the University has since disabled the system.

The details of 17,094 students, including all those in undergraduate, post-graduate and part-time study could be accessed via the University website, without the need to even enter a University login.

Read more on Nouse.



How easy it is to ignore the doomsayers.

http://mobile.slashdot.org/story/11/03/15/0432226/Richard-Stallman-Cell-Phones-Are-Stalins-Dream?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Richard Stallman: Cell Phones Are 'Stalin's Dream'

"Cell phones are 'Stalin's dream,' says free software pioneer Richard Stallman, who refuses to own one. 'Cell phones are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop.' Even the open source Android is dangerous because devices ship with proprietary executables, Stallman says in a wide-ranging interview on the state of the free software movement. Despite some progress, Stallman is still dismayed by 'The existence and use of non-free software [which] is a social problem. It's an evil. And our aim is a world without that problem.'"



Wow! Even more than the UK?

http://www.motherboard.tv/2011/3/11/china-s-largest-city-will-double-its-surveillance-cameras-to-510-000--2

China's Largest City Will Double Its Surveillance Cameras to 510,000

Across the country, governments have installed more than seven million CCTV cameras, with another eight million expected by 2015; together, Beijing and Shanghai operate more than three million cameras. It’s hard to compare these figures with American cities, where a fair number of surveillance cameras are privately owned and where no reliable records are kept. A 2005 survey of Lower Manhattan by the New York Civil Liberties Union found 4,176 cameras below 14th Street, an area about one-sixth the size of the island (Greenwich Village and SoHo were the most surveilled areas, with a rate of three cameras per acre, or one for every 84 residents).



Doomed to failure? Don Quixote lives?

http://www.pogowasright.org/?p=21639

TSA protester files lawsuit against Richmond Intl Airport and TSA

March 15, 2011 by Dissent

Remember the young man who stripped down to his underwear to protest TSA’s invasive security screening procedures? Pictures of him with the text of the Fourth Amendment painted on his chest got national attention at the time, and although he was charged with disorderly conduct, the charges were later dismissed. Well, they may have dismissed their charges against him, but he still has something to say about them, and he’s saying it in court. Frank Green reports in the Richmond Times-Dispatch:

A Charlottesville man arrested last year for taking his clothes off at a security checkpoint at Richmond International Airport has filed a lawsuit against the airport and federal officials.

In a complaint filed in U.S. District Court in Richmond on Thursday, Aaron B. Tobey, 21, alleges that the U.S. Department of Homeland Security, the Transportation Security Administration and airport officials violated his constitutional rights.

Read more in the Richmond Times-Dispatch.


(Related) Another wasted effort?

http://www.pogowasright.org/?p=21623

NH bill aimed at TSA screeners survives vote in committee

March 14, 2011 by Dissent

Garry Rayno reports that what is mostly a symbolic gesture has survived a committee vote:

A bill that would allow federal transportation security agents to be charged with sexual assault may help draw attention to problems with enhanced security screenings at airports, backers say.

The House Criminal Justice and Public Safety Committee Thursday voted 14-3 to retain the bill after voting down an attempt to kill it, 13-4.

Read more on SecurityInfoWatch.com



USAID is attempting to overthrow the government in Cuba? No wonder third-world countries are suspicious.

http://yro.slashdot.org/story/11/03/15/0253257/Internet-Spreading-American-Gets-15-Year-Sentence-In-Cuba?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Internet-Spreading American Gets 15-Year Sentence In Cuba

"American social worker Alan Phillip Gross, who has spent years connecting developing countries to the internet, has been sentenced by a 'Security Court' in Cuba to 15 years in prison. His crime: 'Acts against the Independence and Territorial Integrity of the State.' The Cuban government also claimed he was trying to 'destroy the Revolution through the use of communication systems out of the control of authorities.'"

[From the WSJ article:

Alan Gross, 61, worked as a contractor for a USAID program that secretly provided technology like computers and communications equipment to encourage democratic reforms.


(Related)

http://www.wired.com/dangerroom/2011/03/activists-want-state-dept-to-control-dissent-tech-cash/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Activists Want State Dept. to Control Dissent-Tech Cash

The State Department gets its share of criticism for how it oversees millions of dollars in grants for keeping the internet open to dissidents. But a group of activists wants to make sure that Foggy Bottom keeps control of cash that some in Congress think could be better spent by the United States’ foreign broadcasting arm.

In a letter sent to Capitol Hill on Monday, activists warned that moving the funding for the Obama administration’s Internet Freedom Agenda to the Broadcasting Board of Governors, which oversees pro-American radio, TV and internet programming abroad, would undermine the goal of a “free and open internet.” The letter even has its very own Tumblr.

Last month, just as Secretary of State Hillary Rodham Clinton unveiled a $25 million “venture capital approach” to fund the development of new circumvention and anonymity tools for online activists, Sen. Richard Lugar issued a report questioning State’s inability to disburse millions left over from previous efforts — just before internet-enabled activists essentially recast the Middle East.



Adding a “Do not track” flag still requires the tracking organization to honor the request.

http://www.pogowasright.org/?p=21632

Microsoft Adds Do-Not-Track Tool to Browser

March 14, 2011 by Dissent

Nick Wingfield and Julia Angwin report:

A new version of Microsoft Corp.’s Internet Explorer to be released Tuesday will be the first major Web browser to include a do-not-track tool that helps people keep their online habits from being monitored.

Microsoft’s decision to include the tool in Internet Explorer 9 means Google Inc. and Apple Inc. are the only big providers of browsers that haven’t yet declared their support for a do-no-track system in their products. In January, Mozilla Corp. said it would include a do-not-track feature in an upcoming version of its Firefox browser. Internet Explorer is the most widely used browser.

Read more in the Wall Street Journal.



We don't have a graduate Data Analysis concentration. Perhaps we should?

http://science.slashdot.org/story/11/03/15/001250/DHS-Chief-Wants-Better-Algorithms-For-Analyzing-Intelligence-Data?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

DHS Chief Wants Better Algorithms For Analyzing Intelligence Data

"Better algorithms to spot patterns and trends within the mass of information the Department of Homeland Security sees everyday are key to national security. That was but one of the talking points DHS chief Janet Napolitano focused on in a lecture on the role of science and technology at the Massachusetts Institute of Technology today. 'DHS is part of the nation's Intelligence Community, which receives more terabytes of data each day than the entire text holdings of the Library of Congress. The National Counterterrorism Center's 24-hour Operations Center receives 8,000 to 10,000 pieces of counterterrorist information every day. We receive data about all of this, and it is clearly too much to suggest that the simplistic "connect the dots" analogy accurately represents what an analyst must do. Very quickly, you can see that "Big Data" – more so than the lack of data – becomes the most pressing problem. At the same time, the threats implicated by the data are not static.'"


(Related) Won't they just move?

http://www.pogowasright.org/?p=21653

MA: Rep. Lewis Files Legislation to Protect Privacy and Personal Data

March 15, 2011 by Dissent

Laura Richter writes:

State Representative Jason Lewis has filed legislation to protect Massachusetts residents’ privacy, personal data, and First Amendment rights in the context of government data collection. The bill would prohibit law enforcement from collecting information about individuals’ political and religious views, associations, or activities without reasonable suspicion of criminal conduct.

The bill, known as An Act to Protect Privacy and Personal Data, has been introduced to provide important safeguards in response to the proliferation of massive data-banking operations, funded by the federal government, that collect and store a vast array of information about ordinary Americans. Two of these so-called “fusion centers” are located in Massachusetts. The U.S. Department of Homeland Security has explicitly stated that it is up to individual states to provide appropriate privacy protections for these operations.

Read more on WinCentral.org. The bill is H01336.

The ACLU of Massachusetts is supporting the bill.



How can you protect yourself from risks you don't know exist?

http://www.wired.com/threatlevel/2011/03/hayden-cyber/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Former NSA, CIA Chief: Declassify Cyber Vulnerabilities

The former head of America’s most powerful and secretive intelligence agencies thinks the U.S. government classifies too much information on cybersecurity vulnerabilities.

“Let me be clear: This stuff is overprotected,” writes retired four-star Gen. Michael Hayden, in the new issue of the Air Force’s Strategic Studies Quarterly. “It is far easier to learn about physical threats from U.S. government agencies than to learn about cyberthreats.”

… The statement is part of Hayden’s introduction to the spring edition of Strategic Studies Quarterly, which explores the strategic issues of cyberwar.



For my Computer Security students

http://tech.slashdot.org/story/11/03/14/1720208/The-Life-of-a-Cybercrime-Investigator?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The Life of a Cybercrime Investigator

"Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"



Of course, I never tell the truth so I have no worries...

http://yro.slashdot.org/story/11/03/14/2331226/Blogger-Fined-60K-For-Telling-the-Truth?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Blogger Fined $60K For Telling the Truth

"'Johnny Northside,' a Minneapolis blogger with less than 500 readers a day, revealed that a University of Minnesota researcher studying mortgage fraud had been involved in a fraudulent mortgage himself; the blog post was at least partially responsible for the researcher losing his job. The researcher then sued the blogger and won — despite the blogger having his facts straight. Johnny Northside plans to appeal the verdict."



Build that Techie Toolkit.

http://www.makeuseof.com/tag/windows-users-linux-live-cd/

Windows Users: Here Is Why You Need A Linux Live CD


(Related) A “must have” for Computer Forensic students

http://www.makeuseof.com/tag/hex-editor-technology-explained/

What A Hex Editor Is & Why You Might Use It [Technology Explained]
