This has to be embarrassing. Note that the response isn't exactly what you would expect from a school like Carnegie Mellon...
http://www.pogowasright.org/article.php?story=20071009093641404
[Carnegie Mellon] Professor’s laptops stolen; contained unsecured student information
Tuesday, October 09 2007 @ 09:36 AM EDT Contributed by: PrivacyNews News Section: Breaches
The first weekend in September was notable for most students as it was the end of the first week of classes. For a small percentage of the student body population, it was the weekend that their social security numbers left campus, stored in the unencrypted files of two stolen laptop computers.
According to University Police reports filed on Sept. 2, the laptops were stolen from the office of a computer science professor in Wean Hall. The door is believed to have been locked and there were no signs of forced entry, according to case officer Lieutenant John Race of the Carnegie Mellon University Police.
... One student, who preferred to remain anonymous for this article, was concerned that students were not notified of the theft until almost a month after it occurred. He asked Carnegie Mellon to pay for a credit monitoring service, which would examine past credit history to determine if fraud had already occurred. The university refused, he said.
Source - The Tartan Online
Of course, it could be worse...
http://www.pogowasright.org/article.php?story=20071009115748500
Personal info for thousands of Tenn. students accidentally put online
Tuesday, October 09 2007 @ 11:57 AM EDT Contributed by: PrivacyNews News Section: Breaches
A man working on his dissertation this past summer accidentally posted personal information for about 17,000 K-12 students in Tennessee, along with the names of several hundred teachers.
The Web site, http://tnweb.org/, has been taken down since this happened on August 28.
One file of information contained: the grade levels, elementary school names, Social Security Numbers, students' full names, genders and test scores for around 2,247 elementary school students.
Another file contained: the names, Social Security numbers and composite scores for approximately 3,000 K-12 students.
A third file contained: the grade levels, elementary schools, teacher's names, students' birth dates, students' full names, students' genders and test scores for around 11,789 students.
Source - WATE
Wow! What a massive penalty! The poor guy probably gets only 6 weeks of vacation a year... Fortunately he probably will get two weeks of comp time because he assisted in covering up... er... determining the extent of the data spill.
http://www.pogowasright.org/article.php?story=20071010063133599
(update, Ohio) State supervisor docked 1 week of vacation over data theft
Wednesday, October 10 2007 @ 07:03 AM EDT Contributed by: PrivacyNews News Section: Breaches
A supervisor for the state’s massive new online financial system will lose a week of vacation over the theft of a computer backup device carrying the Social Security numbers of thousands of Ohioans and other sensitive data, officials said.
Jerry Miller, 49, a team leader for Ohio’s new payroll and accounting system, didn’t follow an order [and NO ONE NOTICED? Bob] given nearly three months before the theft to move the sensitive data from a common computer drive to a secure directory.
Source - CantonRep.com
The Tooth Fairy is on our Board of Directors. Pigs can fly! We are in control.
http://www.pogowasright.org/article.php?story=20071009133418461
Pfizer Employee Data Released by Outside Company
Tuesday, October 09 2007 @ 01:34 PM EDT Contributed by: PrivacyNews News Section: Breaches
Pfizer Inc. employees, already wracked by three data breaches this year, have been hit by yet another security problem, this time with no direct connection to the company. [Except for the contract? Bob]
The spouses and domestic partners of about 1,800 Pfizer employees learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. The breach, caused by a “temporary encryption error” [We forgot to encrypt? Bob] at the Wheels Web site, released names, addresses, birth dates and driver’s license numbers, according to the Pharmalot Web site, a source of drug-industry news.
Source - TheDay.com
Electronic ambulance chasing? Break in and leave your business card? Certainly a great way to advertise your Hacking course...
http://www.pogowasright.org/article.php?story=2007101006535155
Australia's top enterprises hit by laymen hackers in less than 24 hours
Wednesday, October 10 2007 @ 07:02 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News
A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.
The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students [Article says they were “predominately law practitioners” Bob] breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.
Faculty of Law lecturer and LogicaCMG chief security officer Ajoy Ghosh, who commissioned the test, said students were able to breach 24 enterprises, or 12 percent, in less than an hour; in fact most systems were foiled in the first few minutes.
Source - Computerworld (AU)
Imagine how many people would have accessed the medical data if it had been a real celebrity. Perhaps we could count the accesses and establish a “Celebrity Index?”
http://www.pogowasright.org/article.php?story=20071010063915523
Hospital Staffers Suspended Over Clooney
Wednesday, October 10 2007 @ 07:05 AM EDT Contributed by: PrivacyNews News Section: Breaches
Several hospital staffers have been suspended for allegedly peeking at George Clooney's confidential medical information after he was hurt in a motorcycle accident last month.
Clooney, 46, suffered a broken rib and scrapes in the Sept. 21 crash, while his passenger, Sarah Larson, 28, broke her foot. Both were treated at Palisades Medical Center in North Bergen.
WCBS-TV in New York reported Tuesday night that as many as 40 staffers, including doctors, were suspended without pay, accused of accessing Clooney's medical records and possibly providing information to the media, a violation of federal law. [HIPAA? Bob]
Source - Associated Press
YES! YES! YES! Someone gets it!
http://www.pogowasright.org/article.php?story=20071009180104703
Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
Tuesday, October 09 2007 @ 06:01 PM EDT Contributed by: PrivacyNews News Section: State/Local Govt.
Even though a company has not experienced an unauthorized access or acquisition of its customer information (and thus has not been subject to Nevada’s breach notification law), in 2008 merely transmitting customer information in an unencrypted format may violate a separate Nevada data security law.
Nevada has enacted a data security law that mandates encryption for the transmission of personal information (see Nev. Rev. Stat. § 597.970 (2005)). Specifically, the Nevada encryption statute generally prohibits a business in Nevada from transferring “any personal information of a customer through an electronic transmission,” except via facsimile, “unless the business uses encryption to ensure the security of electronic transmission.”[1] The Nevada encryption law goes into effect on October 1, 2008.
Source - Morrison|Foerster (Props, HIPAA Blog)
[From the article:
Companies that do business on a nationwide basis, which are already required to have an information security policy that complies with the laws of several states, should employ standards that do not leave them inadvertently out of compliance with this new Nevada law.]
Governments would never read your email...
http://today.reuters.com/news/articlenews.aspx?type=technologyNews&storyID=2007-10-09T152238Z_01_L0959103_RTRUKOC_0_US-JORDAN-DISSENT.xml
Jordan jails royal critic over e-mails
Tue Oct 9, 2007 11:22am ET
AMMAN (Reuters) - A critic of Jordan's royal family was sentenced to two years in jail on Tuesday for sending e-mails abroad that the court ruled to be carrying "false news" and harmful to the dignity of the state.
Gee, I can't imagine why anyone would be concerned to get a message from Der Führer...
http://www.pogowasright.org/article.php?story=20071010063442307
Ca: Many Jews unsettled over Harper holiday greetings
Wednesday, October 10 2007 @ 07:00 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News
When Michelle Kofman found a Rosh Hashanah greeting card from Prime Minister Stephen Harper in her mailbox last month, she was left with one puzzling question: How does he know I'm Jewish?
Ms. Kofman was one of several Jewish people who have expressed discomfort with the colourful greeting card sent out by the Prime Minister's Office to celebrate the religious new year holiday.
... A Conservative official, speaking on condition of anonymity, said the mailing lists the Prime Minister's Office uses are drawn from community directories, free publications available to the general public or word of mouth from friends and relatives, but not government records. Congratulatory messages for religious or cultural holidays are routinely sent out, the official said.
But Ms. Kofman said she is not a member of any Jewish organizations and, to her knowledge, isn't listed in any directories catering to the Jewish community.
Source - Canada.com
As I've said before, they're not trying to prevent crime. Their objectives are 1) Look like you're doing something 2) Use technology, because it looks impressive and you can leak video clips to the news media 3) Take advantage of DHS grants (free money) to install hardware that requires a tax increase to support. 4) Put the (untrained) police “in charge” so you have a fall guy when you need one...
http://www.pogowasright.org/article.php?story=20071010065839953
Study shows video surveillance on the Berlin underground has not improved safety
Wednesday, October 10 2007 @ 06:58 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News
In April 2006, a pilot project was launched in Berlin, in which train operators on three lines of the Berlin underground aimed to test the extent to which 24-hour video surveillance could reduce criminality. The pilot project included the U2, U6 and U8 lines. The Social Democratic Party, which strongly supported the project in the state parliament, anticipated a "general preventive effect."
... BVG, the company responsible for public transport in Berlin, stated that the pilot project had proved its worth in the detection of assaults and criminal damage and decided to extend the project to all 170 underground stations in Berlin by the end of the year.
Civil rights group The Humanist Union has now forced the BVG, which had previously declined to do so, to release the report (PDF file). According to the report, video surveillance and recording on the three underground lines did not reduce the incidence of criminality, but in fact led to a small increase.
Source - Heise
[From the article:
Of a total of many thousands of criminal incidents, video material was available in only 78 cases. In only a third of these was the recording of sufficient quality to allow suspects to be identified.]
Yeah, but is it useful?
http://healthcare.zdnet.com/?p=346
PrivacyPlace fisks HealthVault
Posted by Dana Blankenhorn @ 12:51 pm October 9th, 2007
The term fisking, a detailed rebuttal of someone else’s statements and assertions, is fairly common to blogging but uncommon in health care.
Today The Privacy Place gave a good fisking to Microsoft’s HealthVault.
The group’s problems are these:
HealthVault is not covered by HIPAA, only its own privacy statement.
The privacy statement lets HealthVault move your data offshore, where there is no privacy protection.
HealthVault will not promise to keep your health data separate from other data Microsoft may have on you.
HealthVault access controls are easy to legally breach. If you give someone else permission to access your records, they can have them all, even change them.
It should be noted that these are not technical problems, but legal and ethical problems. Whether HealthVault delivers on its promises is not the issue. The issue is whether anyone should trust Microsoft with their health information based on current privacy statements.
The answer The Privacy Place delivers is a resounding no.
This is not just some blogger talking. The Privacy Place has a dozen major authors, and this piece was written by director Annie Anton. It is sponsored by the National Science Foundation and a unit of North Carolina State University.
It’s pretty amazing that Microsoft either did not contact these people, or did not run their policies by them, before launching. [I don't find it amazing... Bob] Microsoft did considerable homework in advance of this launch, and the company knows its privacy policies are suspect. Microsoft also has many lawyers.
It’s the kind of fiasco that could set the movement toward electronic health records back years. That kiss on the top of the HealthVault home page could prove the kiss of death.
For my Business Continuity class... (Isn't this “obvious?” The Army was doing this years ago.)
http://yro.slashdot.org/article.pl?sid=07/10/09/1543256&from=rss
Google Patents Shipping-Container Data Centers
Posted by Zonk on Tuesday October 09, @12:43PM from the pick-it-up-and-move-it-out dept. Patents Google IT
theodp writes "Two years ago, Robert X. Cringely wrote that Google was experimenting with portable data centers built in standard shipping containers. The idea, Cringely explained, wasn't new and wasn't even Google's, backing up his claim with a link to an Internet-Archive-in-a-Shipping-Container presentation (PDF, dated 11-8-2003) that was reportedly pitched to Larry Page. Google filed for a patent on essentially the same concept on 12-30-2003. And on Tuesday, the USPTO issued the search giant a patent for Modular Data Centers housed in shipping containers, which Google curiously notes facilitate 'rapid and easy relocation to another site depending on changing economic factors'. That's a statement that may make those tax-abating NC officials a tad uneasy."
For my Security Management class
http://techdune.com/2007/10/09/amazing-xp-tools-to-arm-your-pc/
Amazing XP Tools to Arm your PC from Hackers
Posted on October 9th, 2007 by techjohn
Hackers have newer methods to hack into your systems. They are smart enough to detect security loopholes in your PC and enter through open ports, unencrypted Wi-Fi connections, malicious websites or internet servers. It is better you check your PC periodically for invasions and protect your system to prevent pilfering and damage of data.
Read the following tools that will rescue your PC when it is in danger.
What's out there?
http://www.bespacific.com/mt/archives/016207.html
October 09, 2007
First Internet Census Since 1982
62 Days + Almost 3 Billion Pings + New Visualization Scheme = the First Internet Census Since 1982: "Researchers at the University of Southern California Information Sciences Institute, one of the birthplaces of the Internet decades ago, have just completed and plotted a comprehensive census of all of the more than 2.8 billion allocated addresses on the Internet -- the first complete effort of its kind in more than two decades, they say."
"Starting in 2003, researchers at ISI ANT Lab (the ANT Lab is a research group spanning USC/ISI, the USC and Colorado State University Computer Science Departments, the USC Electrical Engineering department, and USC's Information Technology Services) have been collecting data about the Internet address space. As part of this work [they] have been probing all addresses in the allocated Internet address space. This web page summarizes this research, the datasets, and related papers."
How do we protect it? (Note computer infrastructure is a short sidebar...)
http://www.bespacific.com/mt/archives/016217.html
October 09, 2007
White House: National Strategy for Homeland Security
Fact Sheet: National Strategy for Homeland Security - A Comprehensive Guide For Securing the Homeland: "Today, the President issued an updated National Strategy for Homeland Security, which will serve to guide, organize, and unify our Nation's homeland security efforts. This Strategy is a national strategy – not a Federal strategy – and articulates our approach to secure the Homeland over the next several years. It builds on the first National Strategy for Homeland Security, issued in July 2002, and complements both the National Security Strategy issued in March 2006 and the National Strategy for Combating Terrorism issued in September 2006. It reflects our increased understanding of the threats confronting the United States, incorporates lessons learned from exercises and real-world catastrophes, and articulates how we should ensure our long-term success by strengthening the homeland security foundation we have built. This includes calling on Congress to make the Foreign Intelligence Surveillance Act (FISA) reforms in the Protect America Act of 2007 permanent."
Is this anywhere in the catalog of most law schools?
http://www.law.com/jsp/article.jsp?id=1191920593093
An Open Source of Legal Business
Jessie Seyfer The Recorder October 9, 2007
Last year, business software maker Terracotta Inc. abandoned traditional sales models and dived into the complicated legal waters of open source.
Selling software this way attracted "an explosion" of customers [Why we want to do it... Bob]-- and brought a whole array of new legal questions, [We'll worry about that when we're rich... Bob] said Terracotta General Counsel Tim McIntyre. For instance, now that anyone can tinker with the company's software and suggest changes, Terracotta must make sure the changes don't infringe on anyone else's copyrighted software code, McIntyre said.
For this and other questions, Terracotta turned to attorneys in the open source practice at Cooley Godward Kronish.
Cooley is just one firm that has seen its open source practice increase significantly over the last couple of years, buoyed by a growing acceptance and popularity of open source software.
For my Web Site class... (but you can use them too – some VERY useful tools here)
http://www.virtualhosting.com/blog/2007/webmaster-intel-basics-25-tools-to-compile-an-in-depth-dossier-on-a-competitors-site/
Webmaster Intel Basics: 25 Tools to Compile an In-Depth Dossier on a Competitors’ Site
By Jessica Hupp
Your rankings don’t just depend on how good your site is. They depend on the quality of your competitors’ sites as well. As a result, keeping an eye on your competition should be a regular part of every webmaster’s tactical plan. Use these 25 tools to get the lowdown on their sites.
Free is good! (Also a great design for a phishing site...)
http://www.killerstartups.com/Web20/freenormous--Find-Free-Offers-Online/
Do you love getting free stuff? I mean, who doesn’t. Freenormous.com is a site that has information on where on the web you can find free stuff; from offers to samples to limited-time giveaways, Freenormous.com lists it. Once you go to the homepage you have a list of the recently posted free offers. There are contests, free shoe giveaways, free popcorn and shampoo samples, basically anything you can imagine. Click on the free product of your choosing and you will see which user posted it and when, the URL of the site that is offering the free sample, comments, related links, and who voted. You can decide to discuss the free sample, or send it to a friend, or if it is a fake offer you can bury it. You can search for free samples by category or tag or use the search engine. You must register to submit a free offer or sample. You can take a look at the top users and see their karma, which is a score that is created by how active and useful they are on the site. Take a look at Freenormous.com and see what cool free stuff you can find.
http://www.freenormous.com/
http://www.researchbuzz.org/wp/2007/10/09/visual-exploration-of-medical-vocabularies/
Visual Exploration of Medical Vocabularies
9th October 2007
If you’re interested in researching medical conditions, this might be a good place for you to spend a little time. The Visual Medical Dictionary takes your search for a medical term, gives you a definition and provides you with even more terms.
An example is in order. Start at the medical dictionary at http://www.curehunter.com/public/dictionary.do and enter a drug, disease, or therapy name. I tried shingles. I got two potential results: one for a disease and one for a drug (a vaccine). When I held my mouse over each word, I got a definition and some additional information. But even cooler is what I got on the right side of the screen.
Makes your screen doggone clean!
http://comedyoption.com/pics/monitor_cleaner.swf