Tuesday, September 20, 2011

“etc.” is a weasel word that makes me (and the victims?) suspect much more was taken.
By Dissent, September 19, 2011
Yanez Dental Corporation in California recently reported a data breach to HHS.
In a notice on their web site dated June 15, they write, in part:
Our dental office was burglarized (5/22/2011). We have reported this incident to the police for investigation. The vandals stole three of our computers among other things. Personal information stored in these computers included names, birthdate, address, Social Security Number, telephone number, etc. It is important to mention that we are not aware that any personal information has been accessed or used inappropriately. For the purpose of security, each of the three computers has four level of passwords protection. However, we feel it is important for us to inform you of any potential situation, and explain steps you can to prevent or reduce any potential risk of identity theft or fraud loss.
According to HHS’s breach tool, 10,190 patients had information on the stolen computers.
I’m not quite sure I understand what the practice means by the “etc.” in types of information. Does “etc” include insurance account numbers, any financial information, etc.? It would have been helpful for them to be more inclusive in their description.

When will the default be “Encrypt sensitive data?” Demanding that one of their “Business Associates” improve their security isn't sufficient. All of their associates should be required to follow reasonable security practices.
By Dissent, September 19, 2011
On August 8, the Saint Barnabas Health Care System in New Jersey publicly disclosed a breach involving a Business Associate, MedAssets:
MedAssets, Inc., an independent revenue management and supply chain company that provides certain administrative and business services to the Saint Barnabas Health Care System, informed us on July 1, 2011 that an unencrypted external computer hard drive was stolen on June 24, 2011, from a MedAssets employee’s car, parked in a restaurant parking lot. The hard drive contained personal information used to determine eligibility for governmental benefits for certain patients of our six acute care hospitals.
The data contained patient names and for each such patient, information from one or more of the following categories: Medical Center account number, medical record number, date of birth, Medical Center charges incurred, amounts paid to the Medical Center, information on health insurance, eligibility for applicable governmental benefit programs and/or Medical Center admission and discharge dates. Social security numbers were included for about seven percent of the affected patients. The hard drive did not include any patient addresses, other financial information, or any clinical information regarding the patient’s care.
… MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data back-up by its employees and strengthening the enforcement of its existing policy prohibiting their use.
… This is not the first time that Saint Barnabas has reported a breach involving a business associate. In September 2010, they disclosed a breach involving KPMG. Also last year, Newark Beth Israel Medical Center disclosed a web exposure breach involving Professional Transcription Company.
Saint Barnabas wasn’t the only hospital system affected by the MedAssets breach, however. Patients at the Cook County Health and Hospitals System in Chicago, Illinois was also affected.
… An unencrypted drive left in a car in a restaurant parking lost. Heads should have rolled for that one. What did this breach cost in terms of investigation and notifications? Those costs will ultimately drive up the cost of our health care. I find this type of breach inexcusable in this day and age and wish HHS/OCR would hand out a hefty fine or two to send the word that entities had damned well make compliance with good security practices more of a priority.

Think of it as an automated sideshow barker...
Inspired By ‘Minority Report,’ Immersive Labs Raises $810K For Digital Display Recognition
Immersive Labs is working on futuristic advertising displays like those in the well known book and film Minority Report, which tailor advertising to the individual viewer. Immersive Labs’ digital signs use cameras and facial recognition technology to determine viewer characteristics like gender, age, distance and time spent viewing the ad in order to then serve up the advertising that would be most relevant (see the demo video below).
The targeting technology has shown an over 60% increase in viewer attention time during pilot tests, according to CEO Jason Sosa.

What is the cost of a security breach? I'm sure it was a “separate” company to firewall the liabilities, but there must have been some assets...
twoheadedboy writes
"DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company."
Adds reader Orome1:
"This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

What is a violation of Privacy worth?
News Corp. Paying Phone Hack Victim’s Family $4.7 Million
September 19, 2011 by Dissent
Damon Poeter reports:
News International will reportedly pay the family of a British murder victim about £3 million ($4.7 million) in a settlement to close a phone-hacking case that led to the closure of the News of the World tabloid and rocked Rupert Murdoch’s News Corporation media empire to its core.
The settlement includes a £2 million payment to Milly Dowler’s family and the donation of an additional £1 million to charity, Reuters reported Monday, citing “sources close to the case.”
Read more on PC Magazine.

(Related) Hacking a phone is so easy, even a caveman could do it...
Il: Police Arrest 22 in Phone Tapping Case
September 19, 2011 by Dissent
Gavriel Queenann reports:
Israel’s Hebrew-language Maariv reported Monday that Israel Police arrested 22 ‘private investigators’ for installing spyware on mobile phones allowing access to private conversations and text messages.
Documents filed in a Rishon Letzion court revealed the Israel Police Lahav 433 unit and Computer Crimes unit conducted a covert protracted investigation into 11 detective agencies allegedly using software previously reserved for the security services.
Read more on Arutz Sheva.
[From the article:
The software allows mobile phones to be remotely accessed without leaving a trace or revealing to the owner they are being surveilled. All calls, text messages, and e-mail messages are transmitted to and from the infected phone can be received and recorded in real time.
A spokesman for the Israel Police said investigators believe hundreds of people across the country are using similar software to spy on competing businesses, family, or romantic partners.
[Try it yourself!
Tap A Cell Phone To Track Your Spouse Or Significant Other
How To Tap A Cell Phone | Can You Really Tap A Cell Phone?
Is Your Cell Phone Bugged?

I'm not sure I'd be bragging about this just yet. However, it does look like “location tracking” is getting some Privacy consideration.
Location based social network Foursquare has quietly released a new feature that allows places user categorize as their homes to be included in the system but not expose their exact addresses. Venues categorized as homes will now show up as a general area on a map, instead of a pin and street number, as restaurants and stores are displayed. The move was first reported by the independent blog AboutFoursquare.
It's a great little change that will enable users to check in at home without exposing too much information. This new feature will also allow people whose homes were listed on Foursquare against their wishes to easily obscure their addresses. [How does one learn if their home address is listed on Foursquare? Bob] Respecting home/away privacy is a key part of making people feel safe enough to expose their location at all, anywhere. Foursquare's approach is reminiscent of the new private location geofences Flickr launched earlier this month.
[From the AaboutFoursquare blog:
It appears foursquare has gone through and properly categorized lots of venues that appear to be homes, either by name or by checkin pattern (i.e., only one person has checked in). The number of venues named “home” but without a category has declined drastically over the past few days.
Venues that didn’t get caught by foursquare won’t receive any of the privacy protections, so it’s important for users to take the time to make sure their homes are properly categorized. If you have friends who’ve abandoned foursquare but left their miscategorized home venues in place, it might be worth a nudge to get them to come back to foursquare to get their home updated properly, too.
This is a great enhancement to user privacy on foursquare. Thousands of users have added their homes without realizing the privacy implications of posting that information on the internet, so it’s nice that foursquare has taken these proactive steps to help increase the security of their homes.
[In the same article, but completely(?) unrelated:
Below, a video about Flusquare - an interesting mash-up between Foursquare and CDC flu reports. Foursquare integration lets the app determine where you went when you were contagious! This little app hints at the potential of consumer geolocation technologies for the future.

The data is public and as far as I know legal to aggregate. So, aside from self-promotion, what;s the fuss about? (Or do the Senators have something they want to hide?)
"Social Intelligence Corp's online employment screening service, which preserves users' social media profiles and other data for use by potential employers, infringes on consumers' privacy and could be a violation of the law according to Senators Richard Blumenthal (D-CT) and Al Franken (D-MN). The Senators wrote to Social Intelligence Corp on Monday demanding answers to a host of questions about the service and how it collects data."
[From the article:
The firm says it looks for publicly posted content that is racially insensitive, sexually explicit, or demonstrates clearly illegal activity. Flagrant displays of weaponry are also flagged. Content limited only to users' friends is not included in the searches.
… The letter also suggests that Social Intelligence's practice of taking screenshots of social media profiles and pictures may violate the sites' terms of service.
"More troubling than the apparent disregard of these websites’ terms of service are what appear to be significant violations of users’ intellectual property rights to control the use of the content that your company collects and sells," the letter states, noting that pictures taken from sites like Flickr and Picasa are often licensed by the owner for a narrow set of uses.

Politicians without paper?
"The British government is examining whether it could save money by getting rid of its printers and giving civil servants free iPads instead. The head of the UK government skunkworks told silicon.com that if he got rid of all of a major government department's printers and gave staff iPads, the savings on printing costs would pay for the tablets in less than 18 months. The UK parliament has already let tablets into the debating chamber, with politicians already starting to choose to use tablets rather than bundles of papers in debates."

For my Ethical Hackers...
How To Change The Apple ID On Your iPod Touch/iPhone

For my Math students
Desmos, a free online graphing calculator that I reviewed in June, recently added a handful of new options that should be appealing to mathematics instructors and students. The new features enable better handling of strict inequalities, polar inequalities, internalization, slider bars, and graph tracing. The video below provides an overview of the Desmos graphing calculator.

“I know it's here somewhere...”
Figure Out Folder Contents With Better Directory Analyzer
Better Directory Analyzer, which I will from now on call BDA, is a simple freeware program that scans through the contents of any selected folder and spits out more information about it than you thought was possible. All scanned files can be sorted in a handful of different ways, which helps you quickly find certain files that you may be looking for. So how is this helpful compared to Windows Search?
Although Windows XP‘s version of Windows Search actually packed more of a punch, Windows 7‘s version only lets you search by filename, file size, and date modified (without using hidden operators). Windows 7 users can find benefit the most by using BDA as there are many different parameters to search and select files.

Worth a look?
3 Light & Simple Ways To Take Screenshots In A Snap

A word to the wise...
Transfer Your Delicious.com Bookmarks By September 23 Or Lose Them [News]

No comments: