Friday, December 15, 2006

I'm not certain the data was on the laptop, but it might have been in a briefcase with the laptop... Again the question: Why did the nurse have all these records if the data is available only on the server?

http://www.longmontfyi.com/Local-Story.asp?id=12861

SVVSD students' info with stolen laptop

By Victoria A.F. Camron The Daily Times-Call Publish Date: 12/14/2006

LONGMONT — Information identifying as many as 600 St. Vrain Valley School District students whose health care is paid by Medicaid was stolen with a school nurse’s laptop computer last month, a school district spokesman said Wednesday.

The paper records included students’ names and dates of birth; the names of their schools and what grade they are in; the students’ Medicaid numbers; and their parents’ names, said John Poynton, district spokesman.

No medical information was lost, he said. [Does this mean they have backup copies, or that none was stolen? Bob]

... Determining whose names were on the list was “a big part of the delay” [“Our data is out of control” Bob] in letting families know of the theft, Poynton said. The nurse’s list included only the names of students at schools where she worked, but Poynton said he did not know what those schools are.

Poynton said he was told no one can access students’ medical records with their Medicaid numbers.

No information was on the computer’s hard drive because the laptop was used only to access the school’s computer network, Poynton said. The district’s information technology staff was able to access the laptop remotely and change its password, [...what else should they have done? Bob] so that information should be protected, he said.



Did you ever notice that the number of people impacted by an organization's loss of data seems to grow over time? Perhaps this indicates that they don't actually know what information was stored on the target computer, or perhaps they think if they downplay the numbers no one will realize how badly they screwed up?

http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/DN-utdhack_14met.ART0.North.Edition1.3eb1c28.html

UTD computer hack worse than feared

Campus officials now say 6,000 at risk of identity theft

12:00 AM CST on Thursday, December 14, 2006 By HOLLY K. HACKER / The Dallas Morning News

The University of Texas at Dallas said Wednesday that more people may be affected by a computer attack than first believed, raising the total to 6,000 current and former students, faculty, staff and others.



Managers can “consider themselves reprimanded”; employees get fired. “'Cause managers aren't responsible for controlling the actions of their employees...”

http://blog.seattlepi.nwsource.com/aerospace/archives/109668.asp

Boeing fires employee whose laptop was stolen

The Boeing Co. has fired an employee whose laptop computer was stolen, prompting concerns about the security of private information on about 382,000 workers, mostly retirees.

Read this P-I account about the theft:

Here is a memo sent to Boeing employees Thursday by Boeing Chief Executive and Chairman Jim McNerney:

This message is being sent to all employees from Jim McNerney, Boeing chairman, president and CEO.

I've received many emails over the past 24 hours from employees expressing disappointment, frustration and downright anger about yesterday's announcement of personal information belonging to thousands of employees and retirees being on a stolen computer. I am just as disappointed as you are about it. And while I can't respond to each individual message I've received, I want you to know how serious I am about this matter and what we are doing about it.

First of all, this latest incident resulted from a clear violation of our data-protection policy. We have very strict and clear policies and procedures about how employee information is handled. An employee, despite proper training, failed to comply with those requirements and as a result is being dismissed from the company. I also believe strongly that management must be held accountable when repeated failures like this occur, so the employee's management chain will be reprimanded.

Our investigations and security teams have been working hard with law-enforcement officials to investigate this crime. Based on what we know at this point, we believe this incident was the result of petty theft, not an attempt at identity theft. However, as our communications yesterday described, we have put in place a series of actions that assumes the worst case. We are doing everything humanly possible to recover the laptop and our data, and see that an incident like this doesn't happen again. Rick Stephens and his Human Resources team will keep you informed as the investigation continues.

I know that many of us feel that this data loss amounts to a betrayal of the trust we place in the company to safeguard our personal information. I certainly do. When a similar theft occurred last year, Boeing implemented an aggressive, multi-phased plan to better safeguard employee information. But the best policies, procedures, encryption software and awareness-raising in the world can't force people to use them. It's a matter of leadership and individual responsibility. Cutting corners is never acceptable--especially when the trust of the whole team is at stake.

We know all too well--and see again now--that the actions of just one person can have a tremendous impact on our entire Boeing team. No one chooses to be the victim of a theft. But we can choose to protect ourselves and our co-workers. I firmly believe that Boeing is taking the right steps toward preventing the loss of sensitive data from happening again. But to ensure that all Boeing-sensitive information is safe--even in the event of theft--each and every one of us must actually follow the policies and procedures and use the tools available to protect information.



http://www.heraldsun.com/durham/4-799583.cfm

Students accused of hacking Durham Public Schools database

BY BRIANNE DOPART : The Herald-Sun bdopart@heraldsun.com Dec 14, 2006 : 11:46 pm ET

DURHAM -- Two Riverside High School students are accused of hacking into the Durham Public Schools computer database and downloading the Social Security numbers and personal information of thousands of school employees, the Durham Sheriff's Office said Thursday.

School system officials said two members of a computer class discovered a breach in the security protecting the DPS computer database and gained access through it while performing a class assignment. [I doubt it was a hacking class, so the “security flaw” must have been pretty obvious... Bob] The breach has since been plugged and no longer poses a threat to the system's security, said Nancy Hester, DPS associate superintendent of support services.

She said the information was never at risk of being accessed by anyone outside the school system. [However, it was accessed by unauthorized, non-employees with no legitimate reason to access the data. Bob]

Durham County Sheriff's deputies searched the home of an unidentified minor and the Knollwood Drive home of the Neplioueva family after being told about the breach by Riverside High School officials. Contacted for comment by The Herald-Sun Thursday, the latter boy's mother, Valentina Neplioueva, said she had been advised by her attorney not to speak about the investigation until further notice.

The latter boy's adult sister, Tatyana Neplioueva, said her 15-year-old brother and his classmate reported the breach to their teacher shortly after finding it [“We'll never make that mistake again!” Bob] and downloading the supposedly secure information.

Durham Public School officials said the teacher of the class immediately reported the boys' findings to the school's information technology specialists, who went to Riverside High School to meet with the boys to see how they had gotten through security to access the highly sensitive information.

The next day, the boy's father, Igor Neplioueva, returned home to find his son being interrogated by deputies, according to the boy's sister. Deputies searched the boy's home and seized the family's computers and related data-storage devices belonging to the boy's parents, she said.

When the boy returned to school, he was placed in in-school suspension, she added.

"I think it's ridiculous. He was doing the school a service and now they're punishing him," [“Hey, we gotta make it look like it ain't our fault!” Bob] she said.

School officials acknowledged the boys were forthright in their explanation to their teacher about discovering the breach. School board member Kirsten Kainz said she'd learned of the discovery and felt the students were "smart and honest boys."

DPS official Hester said the school system felt the boys "hadn't done anything wrong" [see previous sarcastic comment Bob] but contacted the Sheriff's Office out of concern for the safety of school employees' identity information.

Charles Douglass, executive director of technical services for the school system, said the hole would have only been accessible to individuals who already had a password to gain access to the school's computers, such as students and employees. [“Anything our employees can access our students can access too. We got no secrets.” Bob] Firewalls, which are barriers that prevent outside individuals from gaining access to a network's protected information, prevent [“slightly reduce” Bob] the possibility of other hackers from accessing the data, he added.

Despite Douglass' claim and the fact that Douglass and Hester said the boys only accessed the data through the school's password-protected computers, Sheriff's deputy Lt. Will Rogers said he believed the boys accessed some of the information via their home computer, which is why, he said, the computers were seized. [Given that the school apparently has no clue how to manage their system, I think the police are smart to take their “claims” with a grain of salt. Bob]

Attempts to reach DPS Superintendent Carl Harris, school board members Minnie Forte, Steve Schewel, Steve Martin, Heidi Carter, Omega Parker and Fredrick Davis, and Riverside principal Jim Key regarding the security breach were unsuccessful Thursday.



A sad, but quite believable story... If you have security responsibilities, you should read the article carefully.

http://it.slashdot.org/article.pl?sid=06/12/14/1917222&from=rss

MySpace Users Have Stronger Passwords Than Corporate Employees

Posted by Zonk on Thursday December 14, @03:36PM

from the hardly-surprising dept.

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones."

From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."



Okay, it's government conspiracy time! If this is true...

http://digg.com/business_finance/U_S_Mint_makes_law_against_MELTING_pennies_and_nickels

U.S. Mint makes law against MELTING pennies and nickels

submitted by parislemon 17 hours 20 minutes ago (via http://money.cnn.com/2006/12/14/news/melting/index.htm?section=money_topstories )

"The U.S. Mint has implemented a law against melting down pennies and nickels which, at current metal prices, could be worth more as metal than as currency. The new regulations authorize a fine of up to $10,000, or imprisonment of up to five years, or both, against violators."


...will the government issue each citizen a “free” electronic device that can be used to replace all that “pocket change?” The fact that it could also become your Social Security card, national ID, Driver's License, portable health record, GPS locator, etc. is purely coincidental...

http://news.com.com/2100-1039_3-6143975.html?part=rss&tag=2547-1_3-0-5&subj=news

Cingular turns cell phones into wallets in N.Y. trial

Company tests new service that will let Nokia phones be used in stores that accept MasterCard's PayPass contactless payment cards.

By Marguerite Reardon Staff Writer, CNET News.com Published: December 14, 2006, 5:01 PM PST

Some Cingular Wireless cardholders in New York City will be testing a new service that allows them to make purchases with their cell phones.



Think you have something to say? You might as well get paid for it! (Starving students take note: You might as well publish those papers you worked so hard on...)

http://mashable.com/2006/12/14/19-ways-to-make-social-sites-pay/

19 Ways To Make Social Sites Pay

December 14, 2006 Pete Cashmore

With the top YouTube users becoming paid shills for Coke, and the top Diggers being accused of taking ‘cash for Diggs‘, it seems that the users of social sites are looking to be rewarded for their efforts. In fact, there are already plenty of services that will pay you for your participation. Here are nineteen of the best, plus a few bonuses.
