Friday, December 29, 2006

Hope you weren't in a hurry for that passport...

http://www.wsoctv.com/news/10622504/detail.html

Bag With Passport Applications Headed To Charlotte Is Found

POSTED: 11:58 am EST December 28, 2006

SALT LAKE CITY -- A bag with hundreds of passport applications was found at Los Angeles International Airport, nearly a month after it was supposed to be shipped to a processing center in Charlotte, N.C.

"The applications appear to be intact and undamaged," said Kate Goggin, spokeswoman for consular affairs at the U.S. State Department.

The bag with more than 700 applications was reported missing Dec. 1. Most applications were from Texas and California but a handful were from Utah.

Before the bag was found, the State Department had notified people that it would pay for another round of applications.

The documents had personal information, including Social Security numbers. Goggin said she was unaware of any reports of identity theft.

"We're feeling very much that it was an isolated incident," she said, declining to disclose how the bag was found or what changes the department plans to make to ensure it doesn't happen again.



An article worth reading...

http://www.pogowasright.org/article.php?story=2006122820140131

First Line of Defense Against Data Security Breaches: Employees

Thursday, December 28 2006 @ 08:14 PM CST - Contributed by: PrivacyNews - Businesses & Privacy

As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program.

Source - Law.com



Another document for your security manager

http://www.infosecwriters.com/texts.php?op=display&id=526

Making Effective Use of Your Intrusion Detection System

by Jamie Riden on 23/12/06

The attacker has a lot of advantages on the Internet; he or she may be hard to trace and may have a great deal of time and equipment to spend mapping out a network's weak points before they launch an attack. Worms and viruses may be able to exploit weaknesses very rapidly before a human can carry out a proper incident response. However, the defender has two big advantages. Firstly, the administrator can achieve excellent visibility of what is happening on their network, via logs, audit trails and other monitoring systems. The second advantage is domain knowledge - the defender should have a good idea of what traffic can be expected from the various computers on the network, which makes it easier to detect attacks.

This document is in PDF format. To view it click here.
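The "domain knowledge" advantage Riden describes is easiest to see in code: if the defender writes down what traffic each host is expected to generate, detection reduces to reporting what falls outside that list. The following is an added illustration, not code from Riden's paper or from infosecwriters.com. The log format, the hosts, the baseline and the sample log lines are all constructed for the example, and it goes one step beyond the paragraph by also using the visibility advantage (seeing every connection) to flag one host touching many distinct ports on another.

```python
"""Baseline-driven detection over constructed connection-log lines.

Added example: the defender's knowledge of expected traffic is encoded as a
per-host allow-list (BASELINE); every connection outside it is reported.
"""
import re
from collections import defaultdict

# Hypothetical baseline. Keys are internal source hosts; values are sets of
# (destination host or "ANY", destination port, protocol) that are expected.
BASELINE = {
    # app server: talks to its database, fetches updates over HTTPS, uses the resolver
    "10.0.1.10": {("10.0.2.5", 3306, "tcp"), ("ANY", 443, "tcp"), ("10.0.0.2", 53, "udp")},
    # workstation: web browsing and DNS only
    "10.0.1.20": {("ANY", 443, "tcp"), ("ANY", 80, "tcp"), ("10.0.0.2", 53, "udp")},
}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2006-12-29T08:00:01 tcp 10.0.1.10:40001 -> 10.0.2.5:3306",    # expected: app -> DB
    "2006-12-29T08:00:02 udp 10.0.1.10:50010 -> 10.0.0.2:53",      # expected: DNS
    "2006-12-29T08:00:03 tcp 10.0.1.20:51000 -> 203.0.113.7:443",  # expected: browsing
    "2006-12-29T08:00:04 tcp 10.0.1.10:40002 -> 203.0.113.9:6667", # app server to an IRC port
    "2006-12-29T08:00:05 tcp 10.0.1.20:51001 -> 10.0.2.5:22",      # workstation to DB host ssh
    "2006-12-29T08:00:06 tcp 10.0.1.99:33000 -> 10.0.2.5:445",     # host not in baseline ...
    "2006-12-29T08:00:07 tcp 10.0.1.99:33001 -> 10.0.2.5:139",
    "2006-12-29T08:00:08 tcp 10.0.1.99:33002 -> 10.0.2.5:22",
    "2006-12-29T08:00:09 tcp 10.0.1.99:33003 -> 10.0.2.5:3389",
    "2006-12-29T08:00:10 tcp 10.0.1.99:33004 -> 10.0.2.5:80",      # ... touching many ports
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_expected(ev, baseline=BASELINE):
    """True if the connection matches an entry in the source host's allow-list."""
    rules = baseline.get(ev["src"])
    if rules is None:
        return False  # a host we have no expectations for is itself a finding
    for dst, port, proto in rules:
        if proto == ev["proto"] and port == ev["dport"] and dst in ("ANY", ev["dst"]):
            return True
    return False


def detect(lines, baseline=BASELINE, scan_threshold=5):
    """Return a list of (reason, details) findings for the given log lines."""
    findings = []
    ports_per_pair = defaultdict(set)  # (src, dst) -> distinct destination ports seen
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparseable line", {"raw": line}))
            continue
        if not is_expected(ev, baseline):
            findings.append(("outside baseline", ev))
        ports_per_pair[(ev["src"], ev["dst"])].add(ev["dport"])
    # Visibility check: one source probing many ports on one destination.
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_threshold:
            findings.append(("many distinct ports", {"src": src, "dst": dst, "ports": sorted(ports)}))
    return findings


if __name__ == "__main__":
    for reason, details in detect(SAMPLE_LOG):
        print(f"{reason}: {details}")
```

In practice the baseline would be built from weeks of observed traffic and reviewed by the people who own the hosts, and the port threshold would be tuned to the environment; the point the paper makes is that this knowledge, which the attacker lacks, turns a mass of log lines into a short list worth a human's attention.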



Who manages your web site?

http://www.seacoastonline.com/news/10282006/nhnews-ph-dov-church.website.html

Church's old Web domain converted into porn site

By Emily Aronson earonson@seacoastonline.com 12-29-2006

DOVER -- Hope Community Church is trying to spread the word about its new Web site and disavow its former domain name.

Because of an error, [This was a management failure, not a simple mistake. Bob] a pornography company bought the church's old domain name unbeknownst to the church.

... Pastor Steve Spearing said Friday the mix-up happened a few weeks ago when the church changed Internet service providers. Spearing said he believed [Blind faith is not a management tool Bob] the church could keep its Web site name, which contained the words "life" and "Christ."

But the old service provider put the address up for sale and it was bought by a pornographic Web site.

Spearing said he didn't realize the site had been sold [Failure to monitor? Bob] until he got a call from a Massachusetts woman who was interested in moving to the area and was doing research on the Internet about local churches.

"She asked what kind of a church we were and then she said, 'Do you know that your Web site is connected to a porn site,' and I said 'No, ma'am,'" Spearing said.

He said he was aghast, especially because the church had just handed out fliers with the old Web site name at Dover's Apple Harvest Day.

... "It will be interesting to see who shows up to church now," he said.



This approach makes it easier for Subway, and they likely gave no thought to privacy...

http://www.geekzone.co.nz/sbiddle/1923

**WARNING** Subway Subcards Privacy Issues.

General, posted: 28-DEC-2006 10:03

... Subway launched these cards a few weeks ago but I only got around to picking mine up yesterday and the concept is cool - you buy your goods and the card is scanned, which credits your card/account with money for every sub you purchase, and these can be used towards the purchase of a product once you have a minimum of $3.

... The scary part? Access to the website is by entering the 16 digit card number and 4 digit security code that is printed ON THE BACK of your Subcard for anybody to see! http://thor.evolution.co.nz/Subway-Customer/Login.html

If you lose your card anybody who finds it now has access to your personal details and can change them instantly online to be their own and also has access to any credit you have loaded onto the card.



Corporations ain't people?

http://www.pogowasright.org/article.php?story=20061228182157914

No Privacy for Sex Club Owner

Thursday, December 28 2006 @ 06:21 PM CST - Contributed by: PrivacyNews - Court Opinions

The federal appeals court in San Francisco has rejected an attempt by a Phoenix gay sex club's corporate owner to assert the privacy rights of its patrons in order to invalidate a city law that may be used to shut down the establishment. Ruling on December 22, the U.S. Court of Appeals for the 9th Circuit held that corporations do not themselves have privacy rights, and that the club cannot bring suit to vindicate the privacy rights of its "members."

Source - Gay City News



Tools & Techniques: Is your organization safe? (Note: The author is CEO of an encryption company)

http://scmagazine.com/us/news/article/623768/encryption-perfect-response-year-breach

Encryption a perfect response to the Year of the Breach

Phillip M. Dunkelberger, president and CEO, PGP Corporation Dec 27 2006 21:54

2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer.

... A recent report by The Ponemon Institute showed that 81 percent of U.S. companies surveyed reported the loss of one or more laptop computers containing sensitive information during the previous 12 months.

... Take a look at just five of the reported stolen laptop incidents from this year:

· Metropolitan State College of Denver, Colorado - stolen laptops with names and Social Security numbers of students from 1996-2005: 93,000 records

· Fidelity Investments - stolen laptop with information of Hewlett-Packard, Compaq, and DEC employee retirement accounts: 196,000 records

· YMCA - stolen laptop with credit card and checking account information and names, addresses, and medical information of children in the program: 65,000 records

· U.S. Dept. of Transportation - a special agent's laptop was stolen with personally identifiable information for 80,000 Miami-Dade County residents, 42,000 Florida residents who hold FAA pilot certificates, and 9,000 other Florida residents: 132,470 records

· Mercantile Potomac Bank - laptop with confidential customer information was stolen when a bank employee removed it from the bank's premises, in violation of policy: 48,000 records

What jumps out from this list is that no industry is more prepared than any other when it comes to security breaches. In fact, consider this breakdown of breaches from 2006:

· 31 percent occurred at government or military agencies

· 30 percent involved educational institutions

· 19 percent took place at "general business" organizations

· 11 percent affected health care facilities or companies

· 9 percent involved banking, credit, or financial services institutions

... Additional Ponemon Institute research showed that even a small breach of 2,500 records can result in $1 million of immediate direct costs for the affected organization, and a significant breach compromising 150,000 customer records can result in more than $10 million in immediate direct costs. ... Hopefully by now, you've determined your organization is ready to deploy a full disk encryption solution across your enterprise. If so, here are some best practices to consider:

· Deploy non-intrusive software: Avoid software that replaces critical Windows system files, such as the Microsoft GINA (Graphical Identification and Authentication). Proprietary code increases the risk of system failure and incompatibility with important operating system security updates and patches.

· Enforce strong passwords: Select a solution that can leverage existing domain password requirements. This approach reduces administrative efforts and provides consistent enforcement of policies across the organization.

· Create policy based on an assessment of risks and threats: Single sign-on is convenient for users, but may not be appropriate for all use cases. Consider which users or systems require additional levels of security, such as two-factor pre-boot authentication, and apply security policy, as necessary.

· Consider future projects: Will the solution scale and expand to meet not only current security requirements, but also the requirements for future encryption projects?

· Educate users: Take the time to educate end users and management on the threats to the business and the ways solutions such as full disk encryption are protecting the company and its customers.


Your tax dollars at work...

http://it.slashdot.org/article.pl?sid=06/12/28/154247&from=rss

U.S. Gov't to use Full Disk Encryption on All Computers

Posted by timothy on Thursday December 28, @10:48AM from the double-secret-probation-rot-13 dept.

To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."



I've been suggesting this for 10 years or more...

http://techdirt.com/articles/20061228/100058.shtml

Muni Fiber Keeps Helping Economies Grow

from the well-look-at-that dept

While we've discussed repeatedly why WiFi might be the wrong technology for municipal networks, that doesn't mean the idea of municipal networks is a bad thing. While there have been some reports claiming that municipal networks never work, they've generally been written by astroturfing groups, who cherry pick their information, and often are flat out wrong. A number of the cases they cite as failures, turned out to actually be success stories. In general, though, as with any bit of government intervention, there are plenty of ways for governments to screw things up, and they often do. However, if you set it up right, a muni-broadband offering can actually be a very, very good thing. The key is recognizing two things.

First, there isn't a competitive market in most of these places.

Second, that's often because of the natural monopoly issue.

It's simply inefficient to have every new competitor rip up a city to place their own network infrastructure in the ground. As with the highway system, sometimes it just makes sense to work out a deal to get a single top-notch fiber network in the ground and let everyone compete on it. You get true competition, which leads to better services, and you get much faster broadband.

While not many places have yet adopted this type of system, there is increasing evidence that (unlike many of the muni-WiFi efforts), muni-fiber efforts are turning out to be a big boost for local economies. We've already discussed how muni-fiber in Oregon helped bring Google to town (and plenty of new jobs), and now Broadband Reports runs through a number of other examples of muni-fiber installations boosting the local economy by attracting new companies and increasing jobs. While many of us are naturally averse to government involvement in things, it does seem like, when the market has failed to create competitive situations (sometimes because of dumb government involvement that tilted the initial playing fields), it can help if a well thought-out plan creates the infrastructure that others can compete on.
