Thursday, March 01, 2007

Was this a forbidden act? If so, why was it possible to use an external drive?

http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html

Tokyo University of Science loses personal info on 8,800 students, graduates

March 1, 2007

Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said Thursday.

A 56-year-old associate professor, who leads the alumni organization of the university's pharmaceutical faculty, took an external hard disk containing the information out of the institution on the night of Feb. 24, according to officials.

While he was riding a train home, his bag containing the disk was stolen.

The university is set to take punitive measures against the associate professor. The officials said they have not confirmed if the information has been placed on any website. [Was that a rumor? Bob]



Perhaps they should check to see if anyone listened to their security lecture?

http://www.wmbb.com/servlet/Satellite?pagename=WMBB%2FMGArticle%2FMBB_BasicArticle&c=MGArticle&cid=1149193437207&path=!news!archives

Gulf Coast Med. Computer Theft

Jennifer Turk (jturk@wmbb.com) News 13 on your side Wednesday, February 28, 2007

BAY COUNTY, Fla.-While no identity cases have surfaced yet, the threat has. Gulf Coast Medical Center announced Tuesday, 1,900 patients had personal information stolen back in November and 8,000 more were victimized in February. The information was in a computer that went missing in Nashville, TN in November and a computer stolen in Tallahassee in February.

Rod Whiting with Gulf Coast Medical Center says no one has come forward with identity theft problems thus far. The hospital is giving patients whose names and Social Security numbers were in those computers one free year of credit monitoring with TransUnion.

Gulf Coast did implement a new security system for laptop computers close to a year ago. Each laptop comes equipped with a lock to secure the laptop. [Perhaps you need to revisit that plan... Bob]

Hospital Corporation of America runs Gulf Coast Medical Center along with 171 other hospitals around the country. 69 hospitals and surgery centers are located in Florida.



I wonder if TJX will become a case study?

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1245727,00.html

PCI DSS auditors see lessons in TJX data breach

By Bill Brenner, Senior News Writer 01 Mar 2007 | SearchSecurity.com

TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.

The breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.

What not to do

Nebel and other PCI auditors said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS.

The standard sets out 12 basic security requirements, emphasizing the need for encryption, access controls and firewalls. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

Under the standard, Level 1 businesses -- those that process more than six million credit card transactions per year -- are subject to an annual on-site audit [and I doubt they would have missed this. Bob] and quarterly network scans performed by an approved vendor. Level 2 or 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and must also have an approved vendor conduct quarterly network scans.

TJX violated basic rules

In recent interviews, several PCI DSS auditors noted that while most of their clients are achieving PCI DSS compliance, many have been forced to address serious problems along the way. When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:

  • Encryption is often inconsistent across a company's computer system. Credit card data may be protected in some instances, but not others.

  • Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from traveling across less secure parts of the network.

  • Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.

  • Some companies don't conduct regular scans for software vulnerabilities and abnormal activity.

  • Companies that thought they were all set after complying with such regulations as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.

At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.

"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."

Price will be steep

Nebel and DeLuccia said TJX will pay a high price for the breach. So will the banks that do business with the retail giant.

"You have to remember how this works -- Visa and MasterCard only have a direct relationship with the member banks," Nebel said. "They can only fine the banks."

The banks though will almost certainly pass the fines on to TJX, he said. There is a process where violators can try to recover the fines, but Nebel said the bar is set pretty high.

"Before any fines are levied, Visa and MasterCard will require a forensic investigation to determine the extent and culpability," Nebel said. "The merchant must show that there was information not available to the forensic examiner that somehow shows they are not responsible." [I love it! “We're gonna look at the data you were supposed to monitor, then you can explain why all the indications that a breach was happening were ignored.” Gee, I hope they kept some of that data... Bob]

Nebel said he's never heard of any fine being reversed.

He also said it's unlikely the public will hear details on the fines [Not fair! I want to be able to quote the numbers when I talk to my Security Management class. Bob] levied against the banks or TJX, and it can take anywhere from a few weeks to a few months for the forensic investigation to determine the scope and causes of such an incident, if they can be determined at all.

But in the end, DeLuccia said, TJX will end up having to spend a lot of money to put the issue to rest, namely due to numerous fines and fees, legal and otherwise.

"There's no question that 40 million accounts had problems," [Still unable to confirm that number... Bob] DeLuccia said. "The affected credit cards alone cost $25 each to re-issue. So the bank could say, 'Hey, it cost us $25 per card to re-issue 200 cards, and we're passing the bill to you.'"

TJX will also lose money from civil lawsuits, and for having to hire security firms to overhaul their systems, DeLuccia said, adding, "Even without punitive fines, they're still paying dearly." [Attention Board members! When you hear “That's a risk we are willing to take,” think TJX. Bob]

Lessons to be learned

Fortunately for other companies, the TJX case offers plenty of lessons on how not to approach the PCI DSS, the auditors said.

Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave, said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it's encrypted.

"Understanding where the data is and where it goes is a challenge for some, but it's a very important part of PCI DSS," he said. "If you don't know where your data is traveling and where it is stored, you can't secure it." [I like to see security strategies reduced to the “Well, DUH!” level. Bob]
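Krause's point is that you cannot encrypt, isolate or log what you have not found, and the usual way to find it is a discovery sweep over logs, database dumps and file shares for cleartext card numbers. The following Python is an added example written for this page, not code from TJX, the auditors quoted above or any PCI tool: it scans text for 13 to 19 digit runs, keeps only those that pass the Luhn mod-10 check every major card brand uses, and reports them masked to the first six and last four digits, which is the most PCI DSS Requirement 3.3 allows to be displayed. The log lines, POS names and token format are constructed for the example.

```python
"""Discover and redact cleartext payment card numbers (PANs) in text.

Added example for a PCI DSS data-discovery sweep; the sample log below is
constructed, and the POS identifiers and token format are invented.
"""
import re
from dataclasses import dataclass
from typing import List

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit run (so a 20-digit ID is skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # 5..9 doubled -> 1..9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (PCI DSS 3.3 display maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    column: int
    masked: str
    length: int


def scan_text(text: str) -> List[Finding]:
    """Return every Luhn-valid PAN in the text, masked, with its location."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(
                    Finding(line_no, m.start() + 1, mask_pan(digits), len(digits))
                )
    return findings


def redact_text(text: str) -> str:
    """Replace Luhn-valid PANs in place; other digit runs are left alone."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample log. Lines 1, 2 and 5 carry cleartext PANs (these are
# the publicly known Visa, MasterCard and AmEx test numbers); line 3 has a
# 16-digit session id that fails Luhn; line 4 stores a token instead of a PAN.
SAMPLE_LOG = """\
2007-02-24 10:15:01 POS-17 auth ok pan=4111111111111111 exp=0908 amt=59.99
2007-02-24 10:15:02 POS-17 return processed card 5500 0000 0000 0004 amt=-12.50
2007-02-24 10:15:03 POS-17 session id 1234567890123456 opened
2007-02-24 10:15:04 POS-18 auth ok pan_token=tok_8c1e2f amt=14.00
2007-02-24 10:15:05 POS-18 auth ok pan=378282246310005 exp=1109 amt=220.00
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no} col {f.column}: {f.masked} ({f.length} digits)")
    print(redact_text(SAMPLE_LOG))
```

Run against the sample, the scan reports three PANs (lines 1, 2 and 5) and leaves the session id on line 3 untouched, because it fails Luhn. The Luhn filter cuts false positives but does not eliminate them (roughly one random 16-digit number in ten passes), so hits still need a human look, and the scan only finds cleartext: a PAN that is already encrypted or tokenized is invisible to it, which is exactly the state you are trying to reach. The redaction path is the same logic applied as a log sanitizer, so the application logs that monitoring depends on stop being a second copy of the cardholder database.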

Krause also said companies have to be sticklers for network monitoring.

"Usually when we see an environment for the first time, we find they are deficient in this area," he said. "Just being able to help them understand which logs they need to have a close eye on, on a daily basis," is a lot of work.

Finally, companies need to understand that there's no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization's particular make-up.

"I tell clients it's not an easy process and it is an educational experience," he said. "The requirements for every company on the path to PCI compliance are quite different.

"There's no one-size-fits-all approach."


Somewhat related...

http://www.securityfocus.com/brief/448?ref=rss

Digital forensics plagued by expanding storage

Robert Lemos 2007-02-28

ARLINGTON, VA. -- The increasing storage requirements of consumers and businesses has become a plague for computer-crime investigators, a former special agent told attendees at the Black Hat DC Conference on Wednesday.

While only one percent of crimes involved DNA evidence, a majority of cases involve some sort of digital evidence, said Jim Christy, a retired special agent and director of the Defense Cyber Crime Center. And that evidence keeps growing in size. In 2006, the Defense Computer Forensics Laboratory--the largest such lab in the world--processed 681 cases, up from 269 cases in 2001. The number of investigations increased 130 percent, a number that seems modest when compared with the factor of 13 increase--to 156 terabytes--of data processed during the year.



“Chide” That's not exactly “Fire the bums!” is it?

http://www.thestate.com/mld/thestate/news/nation/16804855.htm

Lawmakers chide VA over data security

BEN EVANS Associated Press Posted on Wed, Feb. 28, 2007

WASHINGTON - Veterans Affairs officials faced a fresh round of bipartisan criticism [both parties can see advantage... Bob] over data security Wednesday after auditors told a congressional committee that gaping holes persist and agency officials said they still don't know how a recent breach happened.

The department's inspector general's office told the House Veterans Affairs oversight subcommittee that even after a series of lapses in the past year, most VA data remains unencrypted and the department still doesn't know how many portable computers and hard drives are in use or what information is stored on them.

VA Deputy Secretary Gordon Mansfield also acknowledged that hundreds of thousands of medical providers whose sensitive information may have been compromised in Birmingham, Ala., more than a month ago have still not been notified they are at risk.

... Mansfield and several other VA officials tried to persuade the lawmakers they are making progress.

"We will get it done, sir. We will get it done," Mansfield said, emphasizing that the sprawling department has 235,000 employees and tens of thousands of contractors. "The problem we have is time." [“I want to make it to retirement and you want progress in your lifetime. Clearly not compatible concepts.” Bob]

... Maureen Regan, counselor to the inspector general, said the VA still hasn't fully implemented any of its recommendations from reports dating back to 2001. The department also hasn't adopted five key recommendations issued shortly after a massive data breach last May involving nearly 27 million veterans.



The HP drama continues to bubble and everyone wants to write their own version of history...

http://news.com.com/2100-1014_3-6163179.html?part=rss&tag=2547-1_3-0-5&subj=news

Lawyer for former HP chairman vows revenge on Perkins

By Michael Kanellos Story last modified Thu Mar 01 06:00:05 PST 2007

Those former Hewlett-Packard board members aren't going to be exchanging a lot of Christmas cards this year.

A day after former HP board member and venture capitalist Tom Perkins lambasted the performance of former Chairman Patricia Dunn, the lawyer representing Dunn lashed out at Perkins, calling him a self-serving bully whose credibility will be impeached in court.

"I am sorry that Patricia Dunn must endure Mr. Perkins' cowardly attacks, but he has made the biggest mistake of his career. He is a bully, and he is bullying the wrong people," said James Brosnahan in a statement. "Mr. Perkins has rewritten the history of the Hewlett-Packard board and attacked its competence...Rarely has a prominent businessman uttered such an immediate self-refuting statement."

... Brosnahan asserted that Perkins is behind the charges.

"The case brought by the former attorney general at the insistence of Tom Perkins is pending in Santa Clara (County) Superior Court. Mr. Perkins generated an attack on Patricia Dunn, hired lawyers, hired a public relations firm and all because his colleague on the Hewlett-Packard board was found to be leaking information," Brosnahan said in a statement.

Brosnahan further claimed that because of the case, Dunn cannot publicly defend herself like Perkins and speak about the scandal.

The renowned lawyer, however, neglected to mention that Dunn has given lengthy interviews on the subject to The New Yorker magazine and the television news magazine 60 Minutes. The New Yorker piece and the 60 Minutes segment both became public after Dunn was charged with felonies in California.


http://hosted.ap.org/dynamic/stories/H/HP_VANGUARD?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Vanguard Opposes HP Director Proposal

By JORDAN ROBERTSON AP Technology Writer Feb 28, 3:30 PM EST

SAN JOSE, Calif. (AP) -- Hewlett-Packard Co.'s sixth-largest shareholder said Wednesday it opposes a proposal floated in the wake of the company's boardroom spying scandal that would allow shareholders to nominate candidates for the company's board of directors.


http://news.com.com/2100-1014_3-6163190.html?part=rss&tag=2547-1_3-0-5&subj=news

HP denies pretexting former employee

By Ina Fried Story last modified Thu Mar 01 06:00:53 PST 2007

In a court filing on Tuesday, Hewlett-Packard denied allegations that it pretexted a former employee with whom it is engaged in a legal dispute.

In 2005, HP sued Karl Kamb, a former vice president of business development and strategy, alleging he stole company trade secrets. In January, Kamb countersued HP alleging that his phone records were improperly obtained and also charging that he was instructed by HP management to spy on rival Dell.

"HP denies that the so-called pretexting alleged by Kamb in the counterclaim occurred," the company said in a filing made Tuesday with a federal court in Tyler, Texas. "HP denies that any so-called pretexting activities were part of a widespread pattern or practice at HP."

While HP denies pretexting Kamb, the company has said that as part of a separate--and now infamous--leak probe it obtained or tried to obtain the phone records of more than a dozen people including current and former directors, employees and journalists, including three CNET News.com reporters.

Last month, the judge handling the case, District Court Judge Michael Schneider ordered Kamb to withdraw his countersuit and issued an injunction barring both sides from publicly discussing the case. Schneider said that Kamb could refile the case under seal.

Significant portions of HP's filing Tuesday were also made under seal.

Among the things the company did note publicly is the fact that former ethics attorney Kevin Hunsaker was terminated by HP. The company confirmed in September that he had left the company's employ, but declined to say whether he resigned or was terminated.

Hunsaker has emerged as a central figure in both cases. In the leak probe, he faces felony charges over his role in allegedly overseeing the investigation, including the pretexting. In the current case, Kamb alleges that Hunsaker initially denied pretexting Kamb, but later admitted that HP did pretext him.

In its filing Tuesday, HP denied that Hunsaker "ever acknowledged that HP had engaged in so-called pretexting against Kamb."



In light of the TJX breach, the Massachusetts law is particularly interesting – since they don't have one.

http://www.pogowasright.org/article.php?story=20070228131050686

United States: Six Additional State Data Security Breach Notification Laws Become Effective in 2007

Wednesday, February 28 2007 @ 01:10 PM CST - Contributed by: PrivacyNews - State/Local Govt.

With heightened awareness of the value and vulnerability of personal and financial information collected by businesses and governments, more states are enacting legislation to require consumer notification when there are security breaches involving this information. In 2006, 35 states and the District of Columbia introduced legislation addressing security breach notification. The latest legislation—Arizona, Hawaii, Maine, New Hampshire, Utah and Vermont—became effective in January 2007. Below is a brief summary of the newly effective laws. A full comparison matrix of the various state data breach laws is available here. [pdf]

Source - Mondaq


In the UK, it's a bit more interesting...

http://www.theregister.com/2007/02/28/ico_lawsuit_guidance/

Privacy slights should prompt lawsuits

By Mark Ballard Published Wednesday 28th February 2007 10:02 GMT

Seek compensation if someone breaches your privacy, the Information Commissioner's Office (ICO) urged today.

The ICO issued a guidance note to point people in the right direction if they want recompense for a slight under the Data Protection Act.

People who think they have suffered because someone has breached their privacy can apply to the ICO for an opinion on whether there had been an offence under the Data Protection Act - if they agree, it might be worth taking to court.

The ICO wasn't able to give any examples. [Ah well, their heart is in the right place. Bob]



Can't wait!

http://www.eweek.com/article2/0,1759,2099421,00.asp?kc=EWRSS03119TX1K0000594

DHS Confirms Real ID Act Regulations Coming; States Rebel

By Renee Boucher Ferguson February 28, 2007

Events at the state and federal level are converging around the Real ID Act, as a spokesperson from the Department of Homeland Security confirmed Feb. 28 that regulations outlining technology mandates could be handed down as early as March 1.

At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.



It's a shame Microsoft couldn't build this in...

http://digg.com/microsoft/HUGE_Windows_Vista_Tweaking_Guide

HUGE Windows Vista Tweaking Guide!

"The guide is designed for novice and advanced users alike, containing 250 pages of objective descriptions, recommendations and tweaks for every aspect of Windows Vista. It is all laid out in plain English, and while it may take you a few days to work through, I promise you that at the end of it you will not only have a better system..."

http://www.tweakguides.com/TGTC.html



Perhaps these can be adapted to reflect less aggressive processes?

http://www.bespacific.com/mt/archives/014101.html

February 28, 2007

U.S. Army Field Manuals, War Department/Department of the Army Pamphlets

Library of Congress - U.S. Army Field Manuals, War Department/Department of the Army Pamphlets: "The full text of selected U.S. Army Field Manuals (FMs), War Department Pamphlets (WD PAMs), and Department of the Army Pamphlets (DA PAMs), which particularly address some of the current research needs and interests of The Judge Advocate General's Legal Center & School Library, U.S. Army, Charlottesville, Virginia, will be added regularly to this site."



Making your children feel loved...

http://techdirt.com/articles/20070228/075907.shtml

In-Car Surveillance Cam Gives Parents Peek Into Teen Driving Habits

from the they're-watching dept

While lawmakers continue to explore pointless laws and increased surveillance as means of improving road safety, one insurance company is experimenting with a new approach to get people to drive better. When the company sells insurance for teen drivers, it's offering to install a camera inside the car that parents can watch to monitor their kids' driving skills. The camera doesn't record everything, rather it only captures 10 seconds before and after a major event, such as a rapid deceleration. The point isn't to catch teens driving badly, rather it's to deter them from driving badly in the first place. And according to those who have participated in a study, the camera does have a deterrent effect. This of course raises all sorts of other issues. Will the insurance company watch the video or use its content to set rates? They say no, but it's conceivable that down the road, the company might be able to offer lower rates to those drivers that agree to have a camera installed. It's also the kind of thing that teen drivers aren't going to like very much, although the fact that it's not recording everything they do in the car might make it a bit more palatable. And if the driver gets the bright idea of taking down the camera, or covering it up, the parents will find out rather quickly. Still, even if this particular form of surveillance is less offensive than others, because it's voluntary, it still fits in with a broader societal theme, whereby safety, or the perception of it, trumps any other considerations.



While we're at it, could we add “use of a barbeque's grill” and “bungee jumping” to the list? (See next article)

http://techdirt.com/articles/20070228/072959.shtml

Brace Yourself For Laws Banning Laptop Use While Driving

from the just-wait dept

As legislators continue their pointless attempts to ban driving distractions one by one, rather than focusing on the underlying problem of unsafe and unintelligent drivers, hopefully at some point they'll realize that they can keep making laws all they want, but there's an infinite number of things to pull a driver's attention away from what they're doing. These sorts of laws and proposals typically follow some sort of incident, such as the recent proposal by a New York lawmaker to ban talking on a phone or listening to an iPod while crossing the street after two people got killed when they were crossing a street with headphones in. Keeping that in mind, don't be surprised when lawmakers start proposing laws to ban the use of laptops while driving, following a California accident that killed a man (who happened to be a computer tutor), and police think he might have been using a laptop while driving. The guy's Honda Accord went left of center, and hit an oncoming Hummer head-on. Investigators found his laptop plugged in to the cigarette lighter and still on, with some LED on it lit up as well. While they suspect he was using the laptop at the time of the crash, it is of course possible that he was simply charging it. But, most reasonable people would probably think that using a laptop while driving a car isn't a particularly safe thing to do -- just like plenty of other activities lawmakers have targeted with specific laws. These single-focus laws miss the point: that there are all sorts of activities that make driving less safe. The best way forward isn't to try and come up with laws banning each and every one, but rather to tackle the issue of unsafe driving as a whole.


Why would anyone use a laptop while driving? (Coming soon: speed trap alerts, satellite pothole cameras and my wife's favorite, maps to garage sales.)

http://googleblog.blogspot.com/2007/02/stuck-in-traffic.html

Stuck in traffic?

2/28/2007 09:01:00 AM Posted by David Wang, Software Engineer

There's nothing worse than getting stuck in traffic when you have some place to go, so I'm happy to tell you about a new feature on Google Maps that can help. For more than 30 major U.S. cities, you can now see up-to-date traffic conditions to help you plan your schedule and route. If you're in San Francisco, New York, Chicago, Dallas, or any of the other cities we now include, just click on the traffic button to show current traffic speeds directly on the map. If your route shows red, you're looking at a stop-and-go commute; yellow, you could be a little late for dinner; green, you've got smooth sailing.


Even more...

http://www.out-law.com/page-7811

Cops may check crash drivers' mobile records

OUT-LAW News, 28/02/2007

The government may give police powers to check crash drivers' mobile phone records after a "routine accident", the Daily Telegraph reports.

By Lester Haines for The Register.

Currently, mobile phone records can be probed "only after a fatal accident and on the instruction of a senior officer".

The government says that in 2005, 13 road deaths, 52 serious and 364 minor accidents were linked to mobile phone use.

A Pontypool sales executive was recently jailed for two years following an accident which claimed the life of another driver. The prosecution said Michael Smith had sent a long text message just minutes before the head-on collision, and received a reply just as the incident occurred.

The new proposal is part of the Department for Transport's second review of road safety strategy, released to coincide with today's implementation of the increased £60 fine and three points for using a handheld phone. The paper says: "We will look at ways to make it easier for the police to be able to follow the process of investigating whether mobile phone use was a contributory factor in an accident and thus prosecute more offenders."



Yeah, sure... privacy concerns.. right...

http://www.ohio.com/mld/beaconjournal/16801570.htm

District withholding info out of privacy concerns

Associated Press Posted on Wed, Feb. 28, 2007

CINCINNATI - The city school district has refused to provide the state with addresses of students who are eligible for vouchers to attend private schools, an Ohio Department of Education spokesman said.

The district's refusal has hindered efforts to contact the more than 11,500 Cincinnati students who could receive the state-funded vouchers next year, education department spokesman J.C. Benton said.

... The district gave the state names and addresses of eligible students last year. But student directories that once included addresses and phone numbers now only have student names, activities and awards, and that information was given to the education department, Walsh said.

Cincinnati is the only major school district in Ohio not providing the other information, Benton said. A couple of smaller districts haven't provided it because of technical problems, he said.

... "I think that CPS is generally not speaking in favor of things that could promote students leaving CPS," she said. [I think she's got it! Bob]
