Saturday, June 16, 2007

It's becoming clear that computer security is a figment of the imagination at most organizations. We need something massive to serve as a motivator.



Can we shoot them now? Please? (This happened in January; they just didn't bother telling Congress...)

http://blog.wired.com/defense/2007/06/los_alamos_mana.html

Los Alamos Managers E-Mail Nuke Secrets

By Noah Shachtman June 15, 2007 | 2:26:27 PM

Because hiding secrets in a meth lab is just too secure...

Officials with the contractor that runs Los Alamos National Laboratory sent top-secret data regarding nuclear weapons through open e-mail networks, the latest potentially dangerous security breach to come to light at the birthplace of the atomic bomb, two congressmen said...

But [Energy Department] and lab officials who subsequently appeared before a congressional committee investigating security problems at the nuclear weapons lab never mentioned it, according to a letter the congressmen sent Energy Secretary Samuel Bodman...

The breach occurred when a consultant to the LANS [Los Alamos National Security LLC] board, Harold Smith, sent an e-mail containing highly classified, non-encrypted nuclear weapons information to several board members, who forwarded it to other members, according to a Washington aide familiar with the investigation who asked not to be named because the information is sensitive.

The notice went out that there had been a breach, an official was pulled out of a White House meeting and told, and Lawrence Livermore National Laboratory flew a team across California and recovered the laptops within six hours, [Did they get the copies the ISPs make? Bob] the aide said.

Lawmakers were assured no damage was caused, [Usually it's the politicians who do the lying... Bob] according to the aide.



Deny, deny, deny! Also try some obfuscation...

http://news.yahoo.com/s/ap/20070615/ap_on_hi_te/data_theft;_ylt=AhgLs7pWq7pTw.JOZzb4qIYE1vAI

Disk with Ohio state worker data stolen

Fri Jun 15, 11:28 AM ET

A disk carrying the Social Security numbers and other personal information on all 64,000 Ohio state employees was stolen from a state worker's car last weekend, Gov. Ted Strickland said Friday.

Strickland said it takes special equipment to access the information on the disk, [Wait! Don't tell me! It takes a CD reader, right? Bob] so he doesn't believe the workers' privacy is in jeopardy.

... Strickland said the Ohio employee mistakenly left the disk, a backup, in a vehicle parked outside an apartment Sunday.

The employee is being investigated, [How common is this? Bob] but there is no reason to believe there was a security breach, [...other than our announcement of a security breach. Bob] he said. He also issued an executive order [“Be more careful!” Bob] that would change state procedures for handling the data.


More...

http://www.consumeraffairs.com/news04/2007/06/oh_data.html

64,000 Ohio Workers Caught In Data Breach

By Martin H. Bosworth ConsumerAffairs.Com June 15, 2007

... The unidentified intern had been incorrectly authorized to take the copied data home with him as part of the state government's regular policies on backing up sensitive data. [I can't seem to parse that sentence. Is it policy to take backup file home? (Yes. See below) Could the intern have been “correctly authorized?” Does anyone in Ohio know what's happening? Bob]

... Strickland said. "There's no reason to believe a breach of information has occurred." Nevertheless, Strickland authorized all affected employees to be provided with free credit monitoring for one year, at a cost to the state of $660,000. [That's a $660,000 “nevertheless” Bob]


More... Including telling the CPO to do what he should have been doing all along!

http://www.ohio.gov/ohioportalnews.stm#061507

Ohio.gov News June 15, 2007 –

Governor Reports Theft of State Data Storage Device

... It was determined the device contained personal employee information after reviewing 338,634 files in 24,333 folders over four days. [Why was this necessary? Because they don't have a data management system! Bob]

Tuesday it appeared that some of those 338,634 files might have contained names and social security numbers. After two days of review, it was determined that the names and social security numbers for all state employees were on the device.

... Electronic data management standards at the intern’s worksite call for one set of backup data to be stored off-site and the intern had been inappropriately designated to store the data at his home. [Fire that manager! Bob]



Does this make you feel all warm and fuzzy, or are you thinking it would be a great way to slow down the investigation? Could they at least check to see if the guy who took the device passed anywhere near the place it was found?

http://www.themonitor.com/news/university_3086___article.html/security_device.html

Missing UTPA mobile drive found; security scare declared over

Daniel Perry June 15, 2007 - 8:51AM

EDINBURG — A University of Texas-Pan American groundskeeper was credited Friday with finding a portable storage device that had gone missing more than a week earlier, causing an information security scare for 1,500 full-time employees.

... An employee took the storage device home to do work the weekend of June 2-3 and discovered it lost June 4. University police were notified June 5, according to a statement UTPA released Thursday. The device contained the names, salaries and Social Security numbers of more than two-thirds of the university’s 2,200 employees.

... Langabeer said he has now banned employees from taking thumb drives and other Internet technology off campus. And university leaders are considering putting limits on how much work employees can do at home. [Tossing out the baby with the bathwater? Bob]



Tools & Techniques

http://www.bespacific.com/mt/archives/015138.html

June 14, 2007

Investigations Involving the Internet and Computer Networks

"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."



You CAN have it both ways! (OR) Why you need a lawyer.

http://techdirt.com/articles/20070613/163636.shtml

Is Banning Bootlegs Constitutional? No... But, Yes

from the say-again? dept

Apparently, the Second Circuit Court of Appeals has taken on the issue of whether or not a law banning concert bootleg recordings is unconstitutional. The court found that it actually is unconstitutional. It violates the copyright clause of the Constitution ("promote the progress... for a limited time...") because it does not set a limited term on the rights of the content producer. However, even after admitting that, the court then turns around and says that the law is constitutional, as long as you ignore the copyright clause and focus instead on just the commerce clause, which allows Congress to make laws regarding commerce. This seems like an odd sort of ruling, and basically suggests that Congress can now start passing more draconian, unconstitutional intellectual property laws... as long as they're related to commerce. That seems problematic since it opens up quite a loophole in the limitations that the Constitution put on intellectual property laws.



Is this common?

http://www.omaha.com/index.php?u_page=2798&u_sid=10043031

Patrol's subpoena power bringing calls for change

BY MARTHA STODDARD

WORLD-HERALD BUREAU Published Friday | June 15, 2007

LINCOLN - Laws allowing the Nebraska State Patrol to gather information on people without a court order give that agency a troubling amount of power, some legal and communication experts say.




Am I reading this right? The law sucks?

http://www.eweek.com/article2/0,1759,2146674,00.asp?kc=EWRSS03119TX1K0000594

Judges Back Retailers in Credit Card Cases

By Evan Schuman, Ziff Davis Internet June 15, 2007

Unless the U.S. Court of Appeals for the Ninth Circuit intervenes early next year, retailers who have been sued for printing federally prohibited information on consumer credit card receipts will almost certainly get off the hook.

Two federal judges this week rejected a critical class-action certification request from the consumers suing the retailers.

Those two federal judges are in addition to a third federal judge who recently ruled in an almost identical manner.

In the initial lawsuits filed early this year, nearly 50 of the nation's top retailers—including Rite Aid, Harry & David, Ikea, KB Toys, Disney, Regal Cinemas and AMC Theaters—were accused of printing full credit card numbers and expiration dates on printed customer receipts, violating a provision of the FACTA (Fair and Accurate Credit Transactions Act) that makes it illegal for a retailer to print more than the last five digits of a credit/debit card number. It also forbids printing the card's expiration data on that receipt. This is known as masking or truncation. The rule took effect in phases, but by December 2006, the latest of its phases kicked in.
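The truncation rule the article describes (no more than the last five digits of the card number, no expiration date on the customer copy) is easy to state and easy to get wrong in POS code. The following is an added example, not code from the article or from any of the retailers or POS vendors it names: a masking function a receipt printer should call, and a scanner that flags receipts still carrying a full card number or an expiration date. The function names, regexes and the two sample receipts are constructed for illustration; the Luhn check is used only to cut down false positives on long digit strings such as order numbers.

```python
"""Receipt PAN truncation and a compliance scan for printed receipts.

Added example (not from the eWeek article). The rule as the article states it:
print at most the last five digits of the card number and never the expiration
date. Names, regexes and sample receipts below are constructed assumptions.
"""
import re
from typing import List, Tuple

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Expiration as typically printed, e.g. "EXP 12/09" or "Expires: 12/2009".
# The "exp" prefix is required so ordinary MM/DD/YYYY sale dates are not flagged.
_EXP_RE = re.compile(
    r"\bexp(?:ires|iry|\.)?\s*:?\s*(0[1-9]|1[0-2])\s*[/-]\s*(\d{2}|\d{4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits (True if it validates)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 5) -> str:
    """Return the PAN with everything but the last `keep` digits replaced by '*'.

    `keep` may not exceed 5, the maximum the rule in the article permits.
    """
    if keep < 0 or keep > 5:
        raise ValueError("a receipt may show at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    if not digits:
        raise ValueError("no digits in PAN")
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_violations(receipt: str) -> List[Tuple[str, str]]:
    """Scan receipt text and return (kind, matched_text) for each violation.

    kind is "full_pan" for a Luhn-valid 13-19 digit number, "expiration" for
    an expiration date. A compliant receipt yields an empty list.
    """
    findings: List[Tuple[str, str]] = []
    for m in _PAN_RE.finditer(receipt):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("full_pan", m.group(0)))
    for m in _EXP_RE.finditer(receipt):
        findings.append(("expiration", m.group(0)))
    return findings


# Constructed sample receipts: one printed the old way, one after masking.
BAD_RECEIPT = """\
ACME COFFEE  06/15/2007 11:28
VISA 4111 1111 1111 1111  EXP 12/09
TOTAL $4.25
"""

GOOD_RECEIPT = """\
ACME COFFEE  06/15/2007 11:28
VISA {}
TOTAL $4.25
""".format(mask_pan("4111 1111 1111 1111"))


if __name__ == "__main__":
    for name, text in (("before", BAD_RECEIPT), ("after", GOOD_RECEIPT)):
        print(name, receipt_violations(text))
```

The scanner is a heuristic, not proof of compliance: it will miss card numbers printed with unusual separators and cannot see what the printer firmware adds on its own, so the real fix is to call `mask_pan` at the point where the receipt line is formatted and to run a scan like this over a sample of printed receipts as a check, not as the control.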

More recently, at least two of those defendants have filed lawsuits against their POS vendors, saying that the POS firms should have protected the retailers when writing their POS software. [...and they couldn't find one who did? Bob]

... Three of this week's decisions came from cases in front of U.S. District Court Judge R. Gary Klausner. Klausner—ruling in Taline Soualian v. International Coffee and Tea, Frida Najarian v. Charlotte Russe and Fredrick Najarian v. Avis Rent-A-Car—said that the retailers involved couldn't afford to pay the fines involved in the case if it were certified to proceed as a class-action. [Is that a defense? Bob]

"A finding of willful violation would create liability of up to $1.66 billion in the absence of actual harm," Klausner wrote in the Avis decision. "The potential statutory damages would be particularly excessive here, since Plaintiff alleges no actual injury on behalf of himself or any class member, admits he has suffered no actual damages and expert analysis shows that it is impossible for there to be any injury."

In his Charlotte Russe decision, Klausner also said that the retailer changed its procedures after being sued, which showed good faith. [So, ignorance of the law IS a defense. Bob]

... "Apparently, some of the judges think our cases are too good to be certified. We’ll see what the Ninth Circuit thinks about this sort of legislating from the bench," Moore said. "The Ninth Circuit is going to have to decide whether judges can deny class certification because they don’t like the laws passed by Congress."



Some really interesting “guidelines.” Can we expect this to broaden to all “employee monitoring”? Lots of risk here!

http://www.eweek.com/article2/0,1759,2147078,00.asp?kc=EWRSS03119TX1K0000594

NYSE, NASD Propose E-Communication Guidelines

By Brian Prince June 15, 2007

The New York Stock Exchange and NASD have proposed new guidelines to help companies supervise and review electronic communications.

The 12-page document, released June 14, is the result of work by a committee that included representatives from securities firms.

... Among the highlights: Companies should review and supervise any communication between employees and customers made through non-company e-mail, such as Web-mail; they should have policies relating to message boards and e-faxes, and should clearly delegate who is responsible for reviewing the communications.



How dare they enforce the law! (The last couple of paragraphs are interesting...)

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9024921&taxonomyId=84

HIPAA audit at hospital riles health care IT

Industry on edge after feds examine data security procedures at Atlanta facility

June 15, 2007 (Computerworld) -- An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.

The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place. The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

... But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities.

... The fact that the audit appears to have been conducted by the Office of the Inspector General (OIG) at the HHS is puzzling, said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society in Chicago. She said most people in the health care industry had assumed that any security-related enforcement actions would be taken by the CMS, which administers the HIPAA security rules.

... However, it isn't just enforcement by the HHS that health care providers and other organizations handling medical data need to be concerned about, said Peter MacKoul, president of HIPAA Solutions, a Sugar Land, Texas-based firm that offers tools and services to help companies comply with the law.

MacKoul said that increasingly, law enforcement authorities and courts are using and interpreting HIPAA in ways that could have broad implications for organizations handling health care data.

For instance, the North Carolina Court of Appeals last year overturned the decision of a trial court to dismiss a HIPAA-related complaint brought by an individual against a psychiatrist's office. The verdict basically allowed the plaintiff to use HIPAA as "a standard of care" to bring an individual action against an organization, MacKoul said.

In addition, he noted that HIPAA initially applied only to electronic medical records. But, MacKoul said, courts have extended the law to cover paper records as well -- a fact that some health care providers may not be aware of.



Go figure!

http://news.com.com/8301-10784_3-9730291-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Avvo lawyer-rating site slapped with class action

Posted by Declan McCullagh June 15, 2007 1:19 PM PDT

A lawyer-rating site that inexplicably gave convicted felons higher numeric scores than law school deans is, in a move that was entirely predictable, being sued.



For those of us getting into video...

http://news.com.com/Democracy+Player+wants+to+replace+your+TV/1606-2_3-6191446.html?part=rss&tag=2547-1_3-0-5&subj=news

Video: Open-source video player works for all file types

Democracy Player wants to replace your TV

Democracy Player, set to be called Miro Player with its next release, is an open-source video player that works for almost every type of video file. With an interface similar to iTunes, it also has a channel guide where you can set up automatic downloads of your favorite Web shows, from "Ask a Ninja" to National Geographic Wild. CNET.com's Seth Rosenblatt takes a look.

Jun 15, 2007 4:00:00 PM
