Saturday, March 24, 2007

An unusual situation. This technique is probably not limited to the military, but at least they could and did determine that it was occurring. Would your bank notice it?

http://www.blackanthem.com/News/International_21/DoD_Investigates_Hacking_of_Troops_Personal_Computers5189.shtml

DoD Investigates Hacking of Troops' Personal Computers

By Carmen L. Gleason, American Forces Press Service Mar 23, 2007 - 9:59:56 AM

Blackanthem Military News, WASHINGTON, D.C. - Defense Department officials have launched an investigation into recent computer hackings of servicemembers' home computers that compromised personal information and led to the redirection of funds from their military pay accounts.

Over the past eight months, nearly two dozen [Low numbers indicate a good and timely security response. Bob] Defense Finance and Accounting Service "myPay" participants have had their accounts accessed by unauthorized personnel, officials said. The myPay program allows DFAS users to manage pay information, leave and earnings statements and W-2s online.

The compromise likely came from personal information being stolen from home computers via spyware and keystroke-logging viruses, DFAS officials said.

A hacker redirected one servicemember's pay to a credit card vendor by changing account information the day before pay day, Tom LaRock, DFAS spokesman, said. However, he added, DFAS quickly worked with his bank to have funds returned to his account within two days.

... DFAS plans to launch a new program soon that will increase the ability to detect unauthorized changes prior to processing by pay systems.

... "This won't completely stop compromises," he said, "but it will help alert us more quickly so appropriate actions can be taken." [Proper attitude! Bob]



Another case of stealing just the (portable?) hard drives... Perhaps the computers were locked down?

http://www.komotv.com/news/consumer/6678947.html

Hard drives with hundreds of patient files stolen

By Connie Thompson

KOMO 4 News has learned a thief or thieves have stolen computer hard drives with personal files on hundreds of local patients.

Police aren't saying much, but it appears to involve someone that has access to offices in the building.

This week, Swedish Urology Group notified hundreds of patients and former patients about potential identity theft at its office in Seattle.

... In its letter to patients, the group says "three external hard drives, which we use to back up our data, were stolen from our locked office suite."

"Although we have security measures in place, the hard drives were taken as a result of an unforeseen intentional criminal activity."

Data Goes Back As Long As 3 or 4 Years

Based on our contact with patients and former patients who got the notice, the stolen computer go back as long as 3 or 4 years.

It's another example of how easily identity theft can happen, because in this case there's no sign of forced entry. The property management has sent notices to every office in the building, alerting them of the theft and urging them to make sure valuables are secured before the offices are closed for business.

... Because of the complexity of its hard drive technology, [Ooo! A new meaningless phrase! Bob] The Swedish Urology Group stresses the likelihood of patient information being retrieved is extremely low.



Note this is from the same TV station as the last article... Crime wave?

http://www.komotv.com/news/6681342.html

Group Health laptops missing, 31,000 identities at risk

By Joe Furia

SEATTLE - Group Health Cooperative Health Care System said Friday two of its laptop computers containing the personal information of 31,000 people are missing. The computers are said to contain the names, addresses, social security numbers and Group Health ID numbers of local patients and employees.

... The letter also stated one of the computers disappeared on Feb. 26, and the second on March 7. [Stealing the first one was so easy the thief came back for another? Bob]

Now Donnelly wants to know why it took Group Health nearly a month to let her know.

... Group Health would not agree to an on-camera interview with KOMO 4 News, but the company did release a statement which, in part, read:

"Our investigation has not produced evidence that the missing laptops were deliberately taken for an illegal purpose, nor any evidence that the information they contained has been accessed by any unauthorized person." [These are old meaningless terms. They should learn from the guys in the previous story. Bob]



Would this have been lost if it was a package of cash?

http://www.49abcnews.com/news/2007/mar/23/khpa_informing_consumers_alleged_loss_data_cd/

KHPA informing consumers of an alleged loss of data CD

Additional steps being taken to ensure private health information is kept secure in the future [In retrospect, we think the barn door should have been closed. Bob]

Story by KHPA News Release 5:09 p.m. Friday, March 23, 2007

The Kansas Health Policy Authority (KHPA) began notifying a small number of individuals that a computer disk containing information about their health records and identity may have been lost within the agency. A letter sent to the affected individuals should be received in the mail Friday.

The password-protected disk was mailed to the KHPA by a company that helps process information about people receiving benefits. KHPA did receive the package with the disk, but the disk did not reach the person who was supposed to receive it. There is no evidence that the disk went beyond our office, the password was broken, or any information was taken off the disk.

... KHPA is taking every step to ensure that individuals’ information is kept private and is not compromised Friday and in the future. KHPA has conducted its own investigation, and as a result, is changing how it manages mail and other processes. Even though KHPA has a privacy officer, the agency will hire an additional person to help protect the privacy and security of customers’ information.



Why not? Obviously it's so simple a child could do it. This first article is interesting for what it does NOT say... Makes it seem that the State didn't stand a chance against such a serious threat...

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=OJW2PYPIEJXTYQSNDLRCKHSCJUNN2JVN?articleID=198500410

Hacker Suspected Of Multistate Break-In Spree

... The hacker being investigated for stealing the personal identification information of 71,000 health-care workers certified in Indiana is suspected of breaching other state government sites.

... The credit card information had been accidentally stored against state IT policy, said Cotterill in an interview.

... Cotterill, who wouldn't say how the hacker got into the system, called the breach a "sophisticated" attack.

"It took a level of expertise we hadn't seen before," he said. "We have Web sites under attack every day, and our Web site has not suffered an attack like this before."


However...

http://www.theindychannel.com/news/11334932/detail.html

State: Web Site Breach May Have Been Prank

Investigators Have Suspect; Charges Pending

POSTED: 8:44 pm EDT March 22, 2007 UPDATED: 8:49 pm EDT March 22, 2007

INDIANAPOLIS -- A state Web site security breach in which thousands of Social Security numbers and credit card numbers were exposed may have been a prank by a teenager, the Indiana Office of Technology said Thursday.

Investigators have identified a teen they believe hacked into IN.gov and gained access to Social Security numbers for 71,000 health-care workers and credit card information of about 5,600 people and businesses, the office said.

"It appears like it was a teenage hacker that was out just trying to prove something," [Looks like he proved their security was not adequate... Bob] the office's Gerry Weaver said.



Should make for a great who-dun-it... Kinda like a “locked room” mystery.

http://www.nctimes.com/articles/2007/03/24/news/state/17_32_223_23_07.txt

State investigates leaks of Centinela prison employee data

By: Associated Press - Saturday, March 24, 2007 Last modified Friday, March 23, 2007 7:49 PM PDT

SEELEY, Calif. -- A document with personal information on more than 800 corrections officers was discovered in the ceiling panel of a watch command office at Centinela State Prison.

The document, discovered March 15, included names, addresses, telephone numbers and next-of-kin details.

California Corrections Secretary James Tilton toured the prison facility Thursday and promised an investigation. [A tour and a promise. Sounds like the perfect solution. Bob]

... Authorities are also investigating two other document leaks at the prison, located about 100 miles east of San Diego.

On March 16, an inmate was found with documents in his work boot listing 20 names of corrections staff and their Social Security numbers. Officials recently found a Post-It note inside a light socket in a minimum security area that included the names and Social Security numbers for 12 additional prison employees.



Citizen surveillance: Given tools with the potential to violate privacy, what would you expect?

http://www.ksdk.com/news/news_article.aspx?storyid=115253

Man Put Camera In Shampoo Bottle, Filmed Roommates, Police Say

created: 3/22/2007 4:40:52 PM updated: 3/22/2007 7:22:49 PM

Click here to watch this video story. ........[No, not the videos... Bob]

A Connecticut man is in hot water over something he left in his shower.

"That is absolutely one of the most horrible things I've ever heard. A complete violation of privacy," says a neighbor of Steven Thibodeau.

The 25-year-old Manchester, Connecticut resident was arrested after his female roommate discovered a camera hidden inside of a shampoo bottle in their shower.

Police say that Thibodeau used the camera to record his two female roommates showering, and that they were filmed at least 15 times. He made at least one compilation video of the shower scenes, but so far there is no evidence that he posted any of his files on the Internet. [I'll check a few hundred porn sites – to assist the police... Bob]

One roommate told police she became suspicious after noticing that the bottle of shampoo hadn't been moved over a period of several months. When she finally picked up the bottle to inspect it, wires fell out, revealing the camera.

Thibodeau originally told police that he was filming himself in the shower in order to keep track of an abnormal mole, but changed his story after failing a polygraph test.

Investigators are now combing through Thibodeau's computer hard drive searching for more evidence of his illicit movie making.

... Thibodeau is facing 15 charges of voyeurism and one count of evidence tampering. Police say he attempted to delete some of the movie files stored on his computer.


Citizen surveillance: Cameras are cheap – start your child's surveillance at birth!

http://news.bostonherald.com/localRegional/view.bg?articleid=190314

Patient’s candid camera sends shockwaves through hospitals

By Jessica Fargen Boston Herald Health & Medical Reporter Friday, March 23, 2007 - Updated: 12:46 AM EST

A nurse’s discovery of a Webcam hooked up by parents in their child’s Boston hospital room has stunned the patient’s doctor, raised a mound of privacy issues and potentially left medical staff looking over their shoulders.

Dr. Samuel Blackman, a pediatric oncologist at Dana-Farber Cancer Institute, would not speak for the record when contacted by the Herald about the incident at Children’s Hospital.

But in an entry on his blog titled “Hemorrhage! You’re On Candid Camera,” Blackman strongly questioned the use of the camera in the child’s room, asking, “Should parents have the right to a hospital version of a NannyCam?” [Sure, why not? Bob]

According to Blackman’s blog account - an incident confirmed by hospital officials - the unidentified parents set up the camera so the child’s favorite relative could see what was going on during the long hospital stay. It captured, among other things, the child suffering a bloody nose and vomiting.

The parents were asked by the doctor to take the camera down. Blackman removed the blog entry yesterday afternoon.

“How far can a parent or relative go in taping the health care of their loved one?” he asked in the blog, adding that, while the filming of births is commonplace, there are questions about whether graphic procedures or even a patient’s death should be allowed to be taped.

Steps must be taken to protect the privacy of both patients and hospital staff, he wrote. [Isn't that why they wear masks? Bob]

Direct-to-Web sites like www.youtube.com, have allowed just about anyone to bring millions of Internet junkies into a hospital room with a few key strokes.

At Beth Israel Deaconess Medical Center, chief information officer Dr. John Halamka said, “Webcams wouldn’t be something we would want to allow in a patient room. We don’t want someone walking into an OR and saying, ‘Here’s mom’s operation.’ How (would) mom feel about that?”

Every patient room has free wireless access, he said, but the hospital bans cameras and Webcams. [Unlikely they have technology in place to stop their use... Bob]

Children’s Hospital families are free to film their own child, but must have permission to record staff or other patients, said spokeswoman Anna Gonski. Blackman consulted a staff attorney about the Webcam incident, she said.

Dr. Deborah Peel of the Patient Privacy Rights Foundation said as long as a patient isn’t recording other patients, she doesn’t see violations of the federal Health Insurance Portability and Accountability Act, or HIPAA, which protects patient privacy.

“Many people are very concerned that the quality of care in hospitals has decreased so much. I could understand the family wanting a Webcam to prove what care their family did or didn’t get,” she said.

Dr. Kenneth Peelle, president of the Massachusetts Medical Society, said hospitals have adopted their own policies as the technology emerges. “It’s a relatively new area,” Peelle said.

But he said, “If it goes over to someone hiding a camera, that would be stepping over the line.”


Citizen surveillance: “Eventually, a whole range of attachments and inserts for employees will be available. See our spring catalog!”

http://www.rfidjournal.com/article/articleview/3170/1/1/

New RFID System Takes Security to Heart

The new security system from Third Eye alerts casinos, banks or convenience stores if an employee's heart begins racing, indicating a possible robbery or theft in progress.

By Claire Swedberg

March 23, 2007—Portable surveillance systems company Third Eye has released a Security Alert Tracking System (SATS) that allows casinos, banks or convenience stores to be alerted if one of their employees' hearts begins racing. The purpose is to add intelligence to security and surveillance, alerting management to the fact that an employee is under stress [What new liability does this information create? Bob] and could be in an emergency situation, or even planning a theft against the business.

The system, designed and manufactured by biosensor and microprocessor maker SPO Medical, includes a wristband employees wear that measures the pulse rate and can send an RF signal alerting surveillance if that rate changes suddenly.

... The RFID chip is constantly beaconing its ID number, as well as the heart rate of the wearer, to receivers installed within a facility. The receivers send the data wirelessly to a PC or laptop, which forwards it to the central monitoring system.

... In the case of a facility such as a large casino, the system's purpose is to monitor the behavior of the employee and prevent theft by the employee. In this case, with multiple employees in a large area, the system can be configured to trigger cameras in the area in which the employee with the fluctuating heart rate is located to pan or zoom in on that individual, and to send an alert to security personnel.

... Receivers can pick up the signal from the transponder in the wristband from approximately 300 feet away.



“We're eventually serious about security.”

http://www.infoworld.com/article/07/03/23/HNwindowssecuredeadline_1.html?source=rss&url=http://www.infoworld.com/article/07/03/23/HNwindowssecuredeadline_1.html

White House issues deadlines to secure Windows

Government agencies have been instructed to implement a common secure configuration on their Windows XP and Vista systems to improve security and reliability

By Jaikumar Vijayan, Computerworld, IDG News Service March 23, 2007

Federal agencies have until Feb 1, 2008 to implement a common secure configuration setting for all Windows XP and Vista systems based on standards from the National Institute of Standards and Technology (NIST) and other organizations.



I suspect he's right...

http://www.esecurityplanet.com/views/article.php/3666951

How Big A Crime is Invasion of Privacy?

By Ray Everett-Church March 21, 2007

With the dismissal of charges against former Hewlett-Packard chairman Patricia Dunn, and the assignment of 96 hours of community service to each of three other defendants, the saga of the HP board of directors spying case is drawing to a close.

Or is it?

... The brutal wrist-slaps doled out by Santa Clara County Superior Court Judge Ray Cunningham send a clear message that fraud, identity theft, and invasion of privacy are inconsequential when they’re done for white-collar reasons.

The message being sent by the judge’s decisions is pretty clear: try harder not to get caught next time or you too may have to spend two weeks picking up roadside garbage.

... Indeed, this is a common occurrence when privacy-related problems arise: how do you quantify the harm?

The reality is that most privacy issues have a high shock value, but people have a much more difficult time assessing a “real” value to a privacy problem.

... As long as privacy is undervalued as an individual right, it will be difficult to argue that its protection is worth the effort. And as long as privacy is undervalued, it will be difficult to justify harsh penalties for those who willfully breach it for their own petty purposes.

When given the opportunity to assign a value to the fraud, privacy invasions, and breaches of ethics exhibited in the HP spying case, the judge weighed everything and concluded that it was roughly equivalent to the quantity of trash three people could collect during 96 hours of community service.



Seriously!

http://news.com.com/2061-10801_3-6170169.html?part=rss&tag=2547-1_3-0-5&subj=news

The next wave in design: Gadgets that won't bug you

March 23, 2007 2:48 PM PDT


Genevieve Bell, who has been Intel's chief in-house anthropologist for a decade, says she's noticed an interesting phenomenon in recent studies. People want gadgets that don't keep them up-to-date.

... In some cases, though, technology could become part of a vacation hobby, if it was similar to a more traditional hobby. Bell met one 75-year-old woman in France who wanted to convert her albums and family photos to digital, and was partitioning a hard drive. Her behavior, though, was similar to people who build scrapbooks for fun.

Some national differences exist. The French often found it easier to completely get away from gadgetry than people from the U.S. Part of that is a reflection of the French vacation system: they take whole months off at a time. Men and women in the U.S. also argued more over when to turn off or turn on gadgets.



One of the problems with representative government is the representatives – until the next election. (Perhaps he should have just ignored the law?)

http://digg.com/politics/Voters_Appalled_Over_Forced_Amendment_to_Marijuana_Law_Passed_by_the_People

Voters Appalled Over Forced Amendment to Marijuana Law Passed by the People

Missoula, MT has fallen victim to the illusion of democracy. Initiative 2, passed on November 7th, 2006 was passed to recommend a lower priority to marijuana-based crimes. Now, on March 22nd, 2007, the County Commissioners have voted (2-1) to alter the initiative. The reason? "A gut feeling" that voters weren't aware of what they voted for. [Or who... Bob]

http://www.grupthink.com/topic/5605



Research tool? I think it is worth a look

http://www.statelocalgov.net/index.cfm

State Government Offices, Local US Government, City Government and Federal Government... *

The State and Local Government Internet directory provides convenient one-stop access to the websites of thousands of state agencies and city and county governments. Use the drop-down menus on the left to view directory pages for:

States: State Government Offices - View all the websites in a given state -- from a state's home page or governor's site to the smallest counties or townships.

Topics: The websites of state government constitutional officers, state legislatures, state judiciaries and departments across ALL states.

Local Govt.: Local Government Links by County Government
