Tuesday, June 29, 2010

What does it take to encourage management to take security seriously?

http://www.databreaches.net/?p=12289

WellPoint Security Breach Put At Risk Information For 470,000 Nationwide

June 29, 2010 by admin

The latest revelations on the Anthem/Wellpoint breach raise some questions for this blogger.

Matthew Sturdevant reports that the recently disclosed Anthem breach may affect many more than the 230,000 recently reported:

An online security breach put at risk the personal, financial and medical information of 470,000 WellPoint customers nationwide, including 5,600 in Connecticut, customers are learning this week in notification letters from the company.

The breach only affects those who used the company’s Web portal to apply for individual-market health insurance through WellPoint subsidiaries, mostly Anthem Blue Cross or Anthem Blue Cross and Blue Shield, in 10 states. It doesn’t affect those who have group-based insurance through WellPoint or Anthem, such as plans offered through an employer, union or some other organization.

BUT: A commenter on a previous thread on PHIprivacy.net had noted that they got the letter and they were not an applicant but an existing customer, so there is still some question in my mind as to exactly who was affected.

In October, WellPoint hired a computer company to update security on its online application process, but the work left a flaw that allowed some to tinker with the system and see other people’s applications, said WellPoint spokesman Cindy Sanders.

Somewhat disturbingly, it seems that after a customer discovered the problem after the upgrade, she got a lawyer and filed suit. But did she ever notify the company so that they could secure the database or did she and her lawyer just file suit? The news story reports:

The company learned of the security flaw in March when it received a subpoena for a lawsuit seeking class-action status in a California court, Sanders said. The security flaws were fixed in March. An internal WellPoint investigation discovered that the information was accessed by fewer than 10 unidentified computers [It only takes one! Bob] — someone other than the health insurer’s employees and affiliates.

Wellpoint had a major breach back in 2008 that had been exposed by PogoWasRight.org where data were seemingly left with inadequate security for over a year, even after a customer reported the problem to them and even after they had supposedly secured the database. In that case, and this one, the contractor responsible for the security was not named. Was it the same one? The current breach exposed a lot of sensitive data:

Those who hacked into the system could have seen applications, which include a person’s name, Social Security number, credit card information, health information and medical history. Besides Connecticut, the breach affected Anthem and WellPoint customers in California, Colorado, Indiana, Kentucky, Missouri, Nevada, New Hampshire, Ohio and Wisconsin.

Read more in the Hartford Courant.



For my Ethical Hacking class?

http://news.cnet.com/8301-13578_3-20009101-38.html?part=rss&subj=news&tag=2547-1_3-0-20

Alleged Russian agents used high-tech tricks



Not sure which breach this refers to – apparently not significant enough to have been reported here.

http://www.databreaches.net/?p=12297

Canadian teen charged with hacking U.S. server

June 29, 2010 by admin

The Associated Press reports that a London, Ontario teen has been charged with hacking into a server in Colorado. Canadian police reportedly acted on a complaint from the sheriff’s department in Castle Rock, Colo.

Police say the complaint involved unauthorized access and damage to a private server that contained sensitive data, including tax records.



Which can of worms should we discuss? We have the “I don't know how to secure Facebook” can, the “What terms and conditions?” can and the “Is failure to opt out the same as opting in?” can.

http://www.pogowasright.org/?p=11893

SEO and legal experts point to Google Analytics privacy issues

June 28, 2010 by Dissent

Patrick Stafford reports:

SEO and privacy experts have raised questions about a feature in Google’s Analytics Dashboard that allows website operators to find information on individuals who have linked to their site through social media sites such as Facebook and Twitter.

The Google Analytics tool, highlighted by SEO expert and SmartCompany blogger Chris Thomas in his blog today, allows websites to track who has linked back to their site. While most of these links come from blogs and websites, a significant number now come from Facebook profiles where users have shared a link with their friends.

As a result, not only can websites identify the Facebook and Twitter profile names who have visited their site, they can identify the specific pages those users have linked. Additionally, websites can then potentially visit these Facebook or Twitter profiles and gather further information, including potentially personal details.

Read more on SmartCompany. So far, they seem to be the only ones raising this as a privacy concern. Chris Thomas cites Google Analytics’ T&C:

7. PRIVACY. You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.



An amusing debate topic: Ignorance of technology is similar to ignorance of the law.

http://www.pogowasright.org/?p=11907

Germany Asks Apple About iPhone’s Data-Gathering

June 29, 2010 by Dissent

Kevin J. O’Brien reports:

The justice minister of Germany expressed concern on Monday over Apple’s practice of compiling data on users of its new iPhone, making the company the latest technology giant to fall afoul of the country’s strict privacy laws.

[...]

The justice minister, Sabine Leutheusser-Schnarrenberger, asked Apple to tell state data protection officials about the kind of data the company was gathering on individual iPhone users in Germany. The company is also being asked to outline how long the data is being stored and for what purpose.

Read more in the New York Times.


(Related) Also ignorance of simple test protocols... “Did it work?” is one of those very useful questions. And this isn't a high-tech question...

http://tech.slashdot.org/story/10/06/28/2340237/22-Million-SSL-Certificates-In-Use-Are-Invalid?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

22 Million SSL Certificates In Use Are Invalid

Posted by kdawson on Monday June 28, @09:43PM

"While SSL certs are widely used on the Internet today, a new study from Qualys, set to be officially released at Black Hat in July, is going to show some shocking statistics. Among the findings in the study is that only 3% of SSL certs in use were actually properly configured. Quoting: '"So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside," Ivan Ristic, director of engineering at Qualys, said.'"
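The “Did it work?” check for this particular failure is mechanical: does any name the certificate carries actually match the host it is served from? As an added example (not from the Slashdot post, the Qualys study, or any project's code), the function below implements the RFC 6125 name-matching rules over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline against constructed certificate dicts; the hostnames and certificates in it are made up for illustration, and the `check_live_host` helper (which does need a network) is an assumption about how one would apply the same check after a deployment.

```python
"""
Certificate-name vs hostname check (added example, not from the article).

Matching rules follow RFC 6125 / RFC 2818: case-insensitive label comparison,
SAN dNSName entries preferred over the subject CN, and a wildcard allowed only
as the entire leftmost label of a name with at least three labels.
"""
import socket
import ssl
from typing import Any, Mapping, Sequence


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly wildcarded) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if "*" in pattern:
        # '*' must be the whole leftmost label (not 'www.*.com', not 'f*o.com')
        # and must leave at least two fixed labels ('*.com' is not acceptable).
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_names(cert: Mapping[str, Any]) -> Sequence[str]:
    """Names a client is entitled to match: SAN dNSNames if present, else the CN.

    The CN fallback is legacy behaviour, but it is what most 2010-era servers
    relied on, so an audit tool has to honour it to reproduce client results.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn
            if key == "commonName"]


def hostname_matches(cert: Mapping[str, Any], hostname: str) -> bool:
    """True if the certificate is valid for hostname under the rules above."""
    return any(dnsname_matches(name, hostname) for name in cert_names(cert))


def check_live_host(hostname: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Post-deployment check (assumed usage, needs network; not run in the demo).

    The chain is still verified (CERT_REQUIRED) so getpeercert() is populated,
    but check_hostname is off so we obtain the certificate even when the name
    is wrong and can report *which* names it carries instead of just failing.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return hostname_matches(tls.getpeercert(), hostname)


# Constructed sample certificates in getpeercert() shape (not real certificates).
CERT_GOOD = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_OTHER_NAME = {  # a certificate issued for some unrelated name, CN only
    "subject": ((("commonName", "server-default"),),),
}


if __name__ == "__main__":
    for label, cert, host in [
        ("good/exact", CERT_GOOD, "www.example.com"),
        ("good/wrong-sub", CERT_GOOD, "mail.example.com"),
        ("wildcard/one-level", CERT_WILDCARD, "shop.example.com"),
        ("wildcard/two-levels", CERT_WILDCARD, "a.b.example.com"),
        ("other-name", CERT_OTHER_NAME, "www.example.com"),
    ]:
        print(f"{label:22s} names={list(cert_names(cert))} "
              f"match={hostname_matches(cert, host)}")
```

Running the script against the constructed certificates shows the classes of failure the study counts: a certificate for a different name entirely, and a wildcard that a client will refuse to stretch across a second label. Clients differ in how leniently they treat wildcards, so a service that only tested with one browser may still be “invalid” for others.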


(Related) Just plain ignorance? I haven't seen the creation of a false Facebook (or other tool) trail to “prove” innocence or provide an alibi, but some TV show will think of it...

http://yro.slashdot.org/story/10/06/28/2255201/Facebook-Friend-of-Divorce-Lawyers?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Facebook, Friend of Divorce Lawyers

Posted by kdawson on Tuesday June 29, @08:03AM

"A lot of Facebook users going through divorces have learned a very costly lesson about their privacy settings. In fact, for many of them their Facebook pages helped lead to the divorce in the first place. More than 80% of the members of the American Academy of Matrimonial Lawyers say they've used or run into evidence gathered from Facebook and other social networking sites over the last five years — and some of them have some very entertaining stories to tell. 'Facebook is the unrivaled leader for turning virtual reality into real-life divorce drama,' said AAML's president."



Apparently, they are not convinced.

http://www.phiprivacy.net/?p=2964

UK: Doctors in database boycott threat

By Dissent, June 29, 2010 6:15 am

Doctors are threatening to boycott the NHS’s electronic patient database amid fears of security breaches. Plans to upload all personal medical records on to a centrally-stored network have been met by controversy since they were announced by the last Government.

Now GPs in the North East are fighting the proposals by saying they will not allow their own or their families’ records to be included.

A survey in Sunderland, South Tyneside and Gateshead asked doctors and practice managers to consider whether they would become part of the Summary Care Record. Of the 152 who responded, 74 per cent said they would not allow their own medical data to be uploaded and 70 per cent said they would not permit either their own or their families’ records to be uploaded.

Fears were raised that medical records would no longer be confidential, and could result in a “gross invasion of privacy”.

The SCR database has been plagued with such concerns from the get-go. Do they need to go back to the drawing board?

Read more in Sunderland Echo.



Could be useful...

http://www.bespacific.com/mt/archives/024598.html

June 28, 2010

New on LLRX.com - Basic Legal Research on the Internet

Basic Legal Research on the Internet: This article explores the corner of the Internet landscape that concentrates on legal research. For the most part, these databases and search tools are free, although some might require a library card. Essentially, this is a short list of "go to" sites that most researchers will find useful. Before delving in, author Ken Strutin also examines a few time tested research concepts for the Internet age.



I'm going to start collecting these for my Risk Analysis class. Small businesses that do electronic banking shouldn't have more in their accounts than they are willing to lose. And banks need to develop better procedures!

http://www.databreaches.net/?p=12299

e-Banking Bandits Stole $465,000 From Calif. Escrow Firm

June 29, 2010 by admin

Brian Krebs writes:

A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.

In March, computer criminals broke into the network of Redondo Beach based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Read more on KrebsOnSecurity.



You should select at least two, in different states, for your encrypted backups.

http://www.makeuseof.com/tag/4-best-sites-10gb-free-online-storage/

4 Best Sites To Get 10GB Free Online Backup & Storage
