Friday, August 01, 2008

A bit of a rant (sorry)


There is clearly a trend to be vague about the number of victims – I guess organizations think that makes the breach seem trivial. In my opinion, this is a “Worst Practice” since it suggests that ALL of their customers were victims. Anyone who does not get a letter will be calling to find out why. Companies like COLT are poorly served by having their victims report their breaches individually over months (several today). And the cult of “I don't know” continues to convince me that “They don't care” about security.



As computers become commodities, we think of them as unimportant as a loaf of bread. It's the UNSEEN data that's important – but “out of sight, out of mind.” We need to connect the concept “important data” to the consequence “Fired!”


http://www.pogowasright.org/article.php?story=20080731142233151

Phase3 employee leaves laptop with Newedge client data in taxi

Thursday, July 31 2008 @ 02:22 PM EDT Contributed by: PrivacyNews

Through their attorneys, SunGard Data Systems reported that an employee of one of their business units, Phase3, left a company laptop in a taxi at a Florida airport on May 11.

Phase 3 processes trade data for retail/institutional brokerage firms and the lost laptop contained data belonging to Newedge USA, LLC.

The total number of individuals with data on the laptop was not revealed, but 350 Maryland residents were affected. The personal information may have included name, address, date of birth, Social Security number, telephone number, net worth, annual income, and Newedge account number. The laptop was password-protected, but the data were not encrypted. To their credit, SunGard's letter to those affected makes that distinction very clear.

Phase3 is offering those affected two years of free credit monitoring and credit restoration services (unless, of course, you're a NYS resident, in which case you can't get the identity theft insurance and are just screwed if your data are misused).



This one seems to extend the “we don't know” response into new territory. Using someone else's report as a model is logical; copying it exactly seems like a new “Worst Practice.”

http://www.pogowasright.org/article.php?story=20080731133549288

Sava Senior Care revises its breach report

Thursday, July 31 2008 @ 03:26 PM EDT Contributed by: PrivacyNews

As reported here previously, Sava Senior Care Administrative Service's breach report from April of this year was identical to that reported by another firm -- down to the exact number of individuals.

This site wrote to the Maryland Attorney General's office to point out the amazing similarity between the reports, and it seems that the firm has now revised or corrected some aspects of its report.

In correspondence to the AG dated June 25, Miriam Murray, Director, Compliance and Privacy Officer, explains that Sava had sent three years worth of data for auditing/analysis (Windham Brannon was the firm involved). According to Murray, during shipment via UPS, the box containing the disc was lost and never located. The disc was password protected and the data were in SQL format.

There were 4,850 Maryland residents affected. It is not evident from the letter whether there were non-Maryland residents also affected.

Although the email provided some clarification and correction, the attached notification letter raises more questions. The letter talks about a stolen laptop, and says that skilled nursing home residents had their names, Medicare and Medicaid numbers, and resident medical assessment information on the stolen laptop.

A call to Ms. Murray to ask her to clarify their clarification has not yet been returned.



http://www.pogowasright.org/article.php?story=20080731132058830

Fischbach backup disk lost; contained highly personal information

Thursday, July 31 2008 @ 01:20 PM EDT Contributed by: PrivacyNews

Fischbach LLC has notified the Maryland Attorney General's office that a backup media disk containing litigation records with personal information was lost in March of this year.

Glen Bronstein, Vice-President and General Counsel for the firm reports that the litigation records pertained to work done by Fischbach's subsidiaries and contained personal information such as Social Security numbers, dates of birth, work histories, medical records and mother's maiden name for individuals involved in either a lawsuit or workman's compensation claim against either Fischbach or a Fischbach subsidiary. The total number of individuals with personal data on the missing disk was not reported.

Fischbach first learned on March 21st that the disk had been lost during shipment due to damage to the shipping container, but did not notify those affected until the beginning of July. In their letter to those affected, they describe the process of reviewing thousands of legal documents to identify who to notify. They also conducted some analysis and informed those affected that an individual would have to have "intermediate database skills" to be able to extract the documents.

As a result of this incident, Fischbach says that it will encrypt data in the future and also use more secure packaging. [Because it's far cheaper to protect the data in the first place! Bob]

The company arranged for free one-year credit monitoring.



The article in the newspaper was written by “HOLLY HACKER,” too perfect. It also points out that UT had a breach in 2006 – a fact not mentioned on their website. I guess UT is not a “learning organization.”

http://www.pogowasright.org/article.php?story=20080731151156128

Computer breach at UT Dallas may have exposed students' personal info

Thursday, July 31 2008 @ 03:11 PM EDT Contributed by: PrivacyNews

A computer network attack at the University of Texas at Dallas may have exposed Social Security numbers and other personal information for 9,100 individuals, school officials said today.

A security breach in UTD’s computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers, officials said.

Source - DentonRC.com

Related - UT Dallas web page about breach



ANOTHER Colt client. (There were five other clients reporting to the Maryland AG in Pogo today.)

http://www.pogowasright.org/article.php?story=20080731124349495

ABHOW notifies employees of computer theft (Colt Update)

Thursday, July 31 2008 @ 12:43 PM EDT Contributed by: PrivacyNews

American Baptist Homes of the West, Inc. ("ABHOW") recently notified its employees that their unencrypted names, addresses, date of birth, and Social Security numbers were on computers stolen from Colt Express Outsourcing, Inc.

Like many other clients affected by the theft, ABHOW had terminated its contract with Colt prior to the burglary. In its letter to its employees, David B. Ferguson, President and Chief Executive Officer of ABHOW, writes, "While ABHOW had terminated its relationship with this vendor two years ago, they were required by law to maintain the data for six years."

Comment: I do not know California's data retention law, but I doubt that there is anything in the law that requires a firm to maintain data on-site on hardware that might be stolen for its hardware value, or to maintain it unencrypted. -- Dissent.



It's rare for Pogo to make a mistake, but you have to admit that it can be confusing.

http://www.pogowasright.org/article.php?story=20080731135624293

[CORRECTION] What a difference a report makes: AON Consulting breach affected over 57,000 (update)

Thursday, July 31 2008 @ 01:56 PM EDT Contributed by: PrivacyNews

Back in May, the Columbus Business First reported that 2000 current and former employees of Park National Corp. had personal information on a laptop computer lost by AON Consulting, Inc. The story did not seem to get picked up, but AON Consulting's notification to the Maryland Attorney General's office provides a very different impression of the incident.

According to the letter signed by Bobbie McGee Gregg, Vice President and Global Chief Privacy Officer for AON Consulting, the laptop was stolen from a restaurant in NYC on May 30, 2008. The company does not provide that detail in their notification letter to those affected, however, merely stating that a laptop was stolen from one of its employees.

The password-protected laptop contained personal information from pre-employment applications and screenings conducted by AON between July 2005 and February 2008 on behalf of Verizon. There is no mention as to whether the data were encrypted.

All told, the laptop contained names and SSN on 57,160 individuals.

CORRECTION, 7/31/08: it looks like there were TWO incidents involving AON. The first incident occurred in March (the lost laptop originally reported). The second incident occurred in May (the stolen laptop). Thanks to ITRC for alerting us to our error.



Just in case you thought I had too many breach reports today, I wanted you to know it could have been much worse.

http://www.pogowasright.org/article.php?story=20080801080001315

Most Security Breaches Go Unreported

Friday, August 01 2008 @ 08:00 AM EDT Contributed by: PrivacyNews

More than 89% of security incidents went unreported in 2007, according to survey of about 300 attendees at this year's RSA Conference.

... 29% of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16% reported intellectual property theft.

Source - InformationWeek



In keeping with the “we don't know” theme...

http://www.pogowasright.org/article.php?story=20080731200740328

Inspector says TVA's computer tracking policy inadequate

Friday, August 01 2008 @ 06:06 AM EDT Contributed by: PrivacyNews

The TVA Inspector General office reports that the agency’s policies for tracking its computers are inadequate, and in “at least” one case, a stolen computer contained employee social security numbers.

According to the IG, since TVA rolled out an inventory system for its computers in August 2004, called the HP Service Desk, TVA has been unable to track over 5,550 computers. “The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information,” the report stated.

Source - knoxvillebiz.com



You don't suppose this was paid for by the Class Action lawyers, do you?

http://www.pogowasright.org/article.php?story=20080801053925770

EFF Releases "Switzerland" ISP Testing Tool

Friday, August 01 2008 @ 05:39 AM EDT Contributed by: PrivacyNews

Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications.

Source - EFF

For more information and to download the Switzerland software:

http://www.eff.org/testyourisp/switzerland

For more about EFF's "Test Your ISP" Project:

http://www.eff.org/testyourisp



Still no attention to laptop confiscation on domestic flights... (Do they really think Osama is hiding in there?)

http://yro.slashdot.org/article.pl?sid=08/08/01/0958242&from=rss

DHS Allowed To Take Laptops Indefinitely

Posted by kdawson on Friday August 01, @08:08AM from the reasonable-expectation dept.

andy1307 writes with a Washington Post story giving details of Department of Homeland Security policies for border searches of laptops and other electronic devices (as well as papers). (We have been discussing border searches for a while now.) DHS says such procedures have long been in place but were "disclosed last month because of public interest in the matter," according to the article. Here is a link to the policy (PDF, 5 pages).

"Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement... DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism... The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."'"



Attention legal guys (and crooks?)

http://www.schneier.com/blog/archives/2008/07/why_you_should.html

July 31, 2008

Why You Should Never Talk to the Police

This is an engaging and fascinating video presentation by Professor James Duane of the Regent University School of Law, explaining why -- in a criminal matter -- you should never, ever, ever talk to the police or any other government agent. It doesn't matter if you're guilty or innocent, if you have an alibi or not -- it isn't possible for anything you say to help you, and it's very possible that innocuous things you say will hurt you.

Definitely worth half an hour of your time.

And this is a video of Virginia Beach Police Department Officer George Bruch, who basically says that Duane is right.



Hack-du-jour

http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html?source=rss&url=http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html

A photo that can steal your online credentials

By placing a new type of hybrid file on Web sites that let users upload their own images, researchers can circumvent security systems and take over Web surfers' accounts

By Robert McMillan, IDG News Service August 01, 2008

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.
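The article describes a file that decodes as an image for one program and as a Java applet (a JAR, which is a ZIP archive) for another. One defender-side check an upload handler can run is shown below. This is an added example, not code from the InfoWorld article, from NGS Software, or from any of the sites named above. It assumes the handler already holds the submitted file as bytes; the sample inputs are constructed in the script (a hand-built 1x1 GIF and the same GIF with fake ZIP structures appended) and neither is a working applet.

```python
"""Reject image uploads that also carry a ZIP/JAR archive.

Added example for this post; not code from the InfoWorld article, NGS Software,
or any site named above.  Assumes an upload handler that holds the submitted
file in memory as bytes.  The sample inputs at the bottom are constructed here.
"""

# A JAR is a ZIP, and ZIP readers locate the archive by scanning backwards for
# the end-of-central-directory record, so an archive appended after a valid
# image is still a valid archive.  These two signatures are what to look for.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def _skip_subblocks(data: bytes, pos: int):
    """Skip a chain of GIF data sub-blocks (length byte + data) ending in 0x00."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def gif_end(data: bytes):
    """Walk the GIF block structure and return the offset just past the 0x3B
    trailer, or None if the bytes are not a well-formed GIF.  Everything after
    that offset is data no image decoder will ever read."""
    if not data.startswith((b"GIF87a", b"GIF89a")) or len(data) < 13:
        return None
    pos = 13                      # 6-byte signature + 7-byte logical screen descriptor
    if data[10] & 0x80:           # global colour table present
        pos += 3 * (2 ** ((data[10] & 0x07) + 1))
    while pos is not None and pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:         # trailer: the image ends here
            return pos
        if block == 0x21:         # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:       # image descriptor
            if pos + 9 > len(data):
                return None
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:     # local colour table present
                pos += 3 * (2 ** ((packed & 0x07) + 1))
            pos += 1              # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        else:
            return None           # unknown block type: not a GIF we trust
    return None


def inspect_upload(data: bytes) -> dict:
    """Classify an upload.  'accept' is True only for a well-formed GIF with no
    trailing bytes after the trailer and no ZIP signatures anywhere in the file."""
    end = gif_end(data)
    signatures = [sig for sig in (ZIP_LOCAL_HEADER, ZIP_EOCD) if sig in data]
    trailing = len(data) - end if end is not None else None
    return {
        "is_gif": end is not None,
        "trailing_bytes": trailing,
        "zip_signatures": signatures,
        "accept": end is not None and trailing == 0 and not signatures,
    }


# Constructed sample inputs (not real uploads): a minimal 1x1 GIF, and the same
# GIF with bytes appended that carry ZIP local-header and EOCD signatures.
SAMPLE_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"           # 1x1, no global colour table
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                 # LZW code size, one sub-block, terminator
    + b"\x3b"                                             # trailer
)
SAMPLE_HYBRID = SAMPLE_GIF + ZIP_LOCAL_HEADER + b"\x00" * 20 + ZIP_EOCD + b"\x00" * 18

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_GIF), ("hybrid", SAMPLE_HYBRID)):
        print(name, inspect_upload(blob))
```

The trailing-bytes check alone is not enough, because a small archive can also be tucked inside a GIF extension block where the walker skips it; that is why the signature scan is run over the whole file as well. The signature scan can in rare cases false-positive on legitimate compressed pixel data, so a rejected upload should be logged for review rather than silently dropped. The stronger mitigation, which this example does not implement, is to decode every uploaded image and re-encode it server-side, which discards any bytes the image format itself does not use, and to serve user uploads from a separate origin so that whatever survives cannot run with the site's credentials.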



Would this be a false criminal report (assuming they made a report?)

http://digg.com/tech_news/Band_Leaks_Track_to_BitTorrent_Blames_Pirates

Band Leaks Track to BitTorrent, Blames Pirates

torrentfreak.com — When we reported about the leak of a BuckCherry track last week, and specifically the band's response to it, we hinted that this could be a covert form of self-promotion. Indeed, after a few days of research we found out that the track wasn't leaked by pirates, but by Josh Klemme, the manager of the band.

http://torrentfreak.com/band-leaks-track-to-bittorrent-blames-pirates-080731/



I've omitted a few, but these caught my eye...

http://www.bespacific.com/mt/archives/018933.html

July 31, 2008

New GAO Reports

  • Federal Information System Controls Audit Manual (FISCAM): Exposure Draft, GAO-08-1029G, July 31, 2008

  • United States Postal Service: Information on the Irradiation of Federal Mail in the Washington, D.C., Area, GAO-08-938R, July 31, 2008



At some point the pace of conversion to “Not Microsoft” will accelerate greatly. I think that 'tipping point' is getting close.

http://digg.com/microsoft/Firefox_market_share_exceeds_20

Firefox market share exceeds 20%!

tgdaily.com — A milestone for Firefox. IE down below 70%!

http://www.tgdaily.com/content/view/38653/113/



Techno-nomics: I have proposed a neutral network organization rather than granting monopolies. I suspect this grass-roots approach will have a few problems. (If not, I'm gonna do one!)

http://techdirt.com/articles/20080731/0238291849.shtml

What If You Owned Your Own Fiber Connection?

from the not-a-ridiculous-suggestion dept

Almost five years ago, we wrote about a project in Burlington, Vermont to bring fiber optics to residents there. The idea was that, rather than a traditional "municipally-owned" network, this would actually be owned by the residents themselves. The article focused on the work of economist Alan McAdams, who (it needs to be admitted) was the guy who not only sent me down the path of better understanding the economics of information over a dozen years ago, but also convinced me to start Techdirt in the first place. McAdams has been pushing for the idea that if the end users actually owned the network itself, you would end up with much greater broadband, in part because you might still end up with a single fiber network, but there would be significant competition of service providers on that network. And, indeed, it appears that's where the Burlington fiber project has gone. A more recent case study on the project suggests that, with a slow and deliberate pace, thousands of residents in Burlington now have access to the fiber network, and can choose their own ISP, if they want.

Tim Lee has now written about another example as well, where there's an effort underway in Ottawa (which is only about 170 miles from Burlington), to string up 400 homes with fiber, but where the individual home owners will pay for and own the "last mile" connection to their homes. This is definitely a test on a small scale, but it's a similar situation to what McAdams has been pushing for all along. Let the customer own the connection itself, and then get to choose the service provider. In the Ottawa case, once again, service providers would no longer have to worry about wiring up your home (the most expensive part), but just need to offer service at various peering points, and each individual could choose who to get service from. [Could these also be “user owned?” Bob]

In this manner, you still get real competition, which is sorely lacking in the telco arena, and you get the benefits of higher speed networks. It's not as crazy as it might sound, either. As Lee points out, the telephone company used to own not just the wiring in your house, but the actual telephone as well. Over the years, that's been pushed back. Now you own your own phone -- and the wiring inside your house. So is it so crazy to think that you should own the wires outside of your house out to the main network as well? There are still plenty of practical issues that need to be resolved -- and the initial economics may be a bit daunting for many (the idea of paying, say, $3,000, to own your own fiber drop may freak some people out). But, it's experiments like these that are a real step in the right direction towards adding real competition, rather than the faux duopoly we all deal with today.



Tools & Techniques: I don't think I'll share this with the wife... I don't need life size pictures of her horses...

http://www.killerstartups.com/Web-App-Tools/homokaasu-org-rasterbator-create-life-size-posters

Homokaasu.org/Rasterbator - Create Life Size Posters

On the site, you will be able to create life-size printouts from your favorite images, quickly. Just select an image (either from your PC or from the internet), and upload it. The program will then make it life size and give you back easy to print PDF files. If you are having a hard time using the online version, or have limited internet access, you can download the program to your computer. If you want to know what you can do with this great app, you can check out the site’s gallery.

http://homokaasu.org/rasterbator/

[From the website: ...up to 20 meters in size.]
