Friday, July 23, 2010

Locals can fail just as easily as anyone else.

http://www.databreaches.net/?p=12611

Colorado agency notifies 105,470 clients of stolen hard drive

July 22, 2010 by admin

The Colorado Department of Health Care Policy & Financing is notifying 105,470 clients receiving state-provided health insurance that a stolen hard drive contained some of their personal information. A statement on the agency’s web site does not provide much detail and simply says:

State officials discovered that there was an unauthorized removal of a computer hard drive housed at the Office of Information Technology (OIT).

The information did NOT include addresses, dates of birth, social security numbers or any other financial information that could be used for identity theft. It included name, state ID number and the name of the client’s program.

Approximately 111,000 clients, or one-fifth of those receiving public health insurance, will receive notification by first-class mail, as required by HIPAA.

Please email your questions to incident-info@state.co.us or call us at 1-866-668-2656 (toll-free) or 303-866-4431.

We take client privacy very seriously [but not to the point of actually encrypting the data. Bob] and are doing everything we can to recover the missing hard drive. To support our efforts, the Colorado Bureau of Investigation is conducting a criminal investigation based on our request.



...and I thought the solution would be heavenly.

http://www.databreaches.net/?p=12625

NZ: Hell – The Right Approach to a Data Breach

July 23, 2010 by admin

BarneyC writes:

There are any number of approaches to data breaches in business today. Whilst regulation is ever trying to get to the point where notification of breach is mandatory, there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.

Not so Hell – a truly rocking pizza company in New Zealand. Certainly no stranger to controversy (some of their marketing campaigns have been widely criticised), Hell seems to be taking the bull by the horns and going all out to keep people happy.

Today I received an email from them…

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website. [Shouldn't everyone do it this way? Bob]

Read more on Exponere.

See? It is possible to alert people to a breach or security problem and wind up with the customer feeling pleased with how the company handles things.



I'm no geneticist, but I'm pretty certain you can't breed a Horse and a dOG to make a HOG...

http://www.databreaches.net/?p=12617

Iowa Department of Agriculture and Land Stewardship Database Potentially Compromised

July 22, 2010 by admin

From the agency’s web site, dated today:

A computer and protective case have been stolen from a locked state vehicle of an Iowa Department of Agriculture and Land Stewardship employee. This theft has placed at risk the personal information of Iowans who are participating in the Department’s Horse and Dog Breeding Program. Through this program the Department provides financial awards to breeders of successful Iowa-born racing greyhounds and racehorses at the close of each racing season.

On Thursday, July 22, the state vehicle used by an employee of the Department’s Horse and Dog Breeding Program was broken into in the State of Iowa parking ramp at the corner of Grand Avenue and Pennsylvania in Des Moines. While the computer did have an encryption protection, there is concern that unauthorized access could be gained [Suggesting that the encryption was optional? Bob] to the names, address, phone number and social security number of 3,404 Iowans who participate in the Iowa Horse and Dog Breeding Program.

As a result of this security breach, the Department is encouraging potentially affected Iowans to place a fraud victim alert on their credit report by contacting the following credit reporting companies. A letter will be mailed tomorrow to all those potentially affected.

Via The Des Moines Register.

Although it’s disturbing that once again, a device containing personal information has been stolen from a vehicle, it is noteworthy that we seem to be seeing more prompt and timely disclosures of breaches.


(Related) It's never hard to find shocking statistics of Computer Security failures.

http://www.databreaches.net/?p=12592

UK: MoD loses a staggering 340 laptop computers in TWO YEARS…and most of them were not encrypted

July 22, 2010 by admin

The Ministry of Defence has lost or had stolen 340 laptops worth more than £600,000 in the last two years, figures reveal today.

A total of 593 CDs, DVDs and floppy disks, 215 USB memory sticks, 96 removable hard disk drives and 13 mobile phones have also disappeared from the department since the release of a scathing report into MoD data losses. [Scathing perhaps, but not enough to motivate anyone to take action? Bob]

Only one in five of the hi-tech devices that disappeared was encrypted, leading security experts to criticise the ‘cavalier attitude’ to the protection of data.

Read more in the Daily Mail, where they print the results of the full survey. The survey results generally do not indicate how many devices contained personally identifiable information, but this entry caught my eye, as I don’t remember any media reports involving this agency:

Foreign and Commonwealth Office – six official laptops containing personal data.



The argument behind Behavioral Advertising? Isn't that the rapist's argument too?

http://www.pogowasright.org/?p=12260

Interview With Tim O’Reilly on Reasons to Give up Some Privacy

July 22, 2010 by Dissent

Marshall Kirkpatrick writes:

This Spring, Tim O’Reilly was surprised to find himself defending Facebook’s changes to its privacy policy. “There’s enormous advantage for users in giving up some privacy online and [so] we need to be exploring the boundary conditions,” the founder of O’Reilly Media and international technology thought leader wrote. “It’s easy to say that this should always be the user’s choice, but entrepreneurs from Steve Jobs to Mark Zuckerberg are in the business of discovering things that users don’t already know that they will want, and sometimes we only find the right balance by pushing too far, and then recovering.”

That’s an interesting argument when it comes to consumer products and innovation, but I got to sit down with O’Reilly on the first day of his big OSCON conference yesterday and talk about privacy in a different context: health care, government, global cultural change and a crisis of crises.

Read the interview on ReadWriteWeb. Via LawandLit


(Related) Does this mean we are becoming more concerned about our privacy or merely that we are more aware of the lack of privacy?

http://www.pogowasright.org/?p=12256

2010 Privacy Trust Study of the United States Government

July 22, 2010 by Dissent

A new study conducted by Ponemon, “2010 Privacy Trust Study of the United States Government,” reveals that Americans have less trust in the government’s commitment to protect our privacy than we did when the survey was conducted in 2004. Privacy trust declined from an average of 52% in 2005 to 38% in 2009. The survey was released June 30 and asked participants to rate specific governmental agencies:

Our list of top performing government organizations remains relatively consistent from 2009 with one notable exception – that is, the U.S. Census Bureau dropped from an average PTS [Privacy Trust Score] of 78 percent last year to 39 percent in 2010. The U.S. Postal Service once again earns top honors with a PTS of 87 percent. Albeit small declines from 2009, the Federal Trade Commission and the Internal Revenue Service earn second and third place, respectively.

Noteworthy is which agencies we don’t feel are committed to protect our privacy:

[Graphic omitted. Bob]

Read the entire survey here, courtesy of Federal Computer Week.


(Related) You can trust the government to give you the supporting facts...

http://www.wired.com/threatlevel/2010/07/foia-filtered?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Report: Political Appointees Vetted DHS Public Records Requests

The political appointees were allowed to vet records requests that were deemed politically sensitive and require career employees to provide them with information about who requested records — for example, where the requester lived and worked, whether the requester was a private citizen or journalist and, in the case of congressional representatives, whether they were Republican or Democrat.



This translates pretty well from the Canadian...

http://www.pogowasright.org/?p=12252

Ca: PIPEDA for Business

July 22, 2010 by Dissent

The Office of the Privacy Commissioner of Canada has created a new video for small businesses and organizations, “PIPEDA for Business: What You Need to Know About Protecting Your Customers’ Privacy.” You can view it on the OPC’s web site or on YouTube.



Being a true cynic, I wonder how long this had been going on before someone noticed? Lots of indications that IT was not working for the hospital – they were just playing with their computers.

http://www.phiprivacy.net/?p=3116

Patient treatment stopped due to faulty IT

By Dissent, July 22, 2010 6:52 am

A somewhat scary story out of Sweden. We want a facility’s IT department to routinely scan for viruses and security issues, but not in the middle of a procedure:

Doctors were forced to suspend treatment of a patient with a heart condition when the hospital’s IT department suddenly took control of a medical computer, the National Board of Health and Welfare (Socialstyrelsen) reported on Friday.

The incident has prompted Skåne Regional Council (Region Skåne) to change its routines [Note that this had been the routine procedure! Bob] regarding computers for medical treatments.

In January 2009, a patient who had an irregular heartbeat was connected to a medical treatment computer with electrodes. During a discussion with the patient, the council’s IT department suddenly took over the computer by remote control without warning.

The computer was not labelled as a medical computer, [Who made that decision? Bob] but a council one. Medical-labelled computers cannot be taken over by remote control with (sic) prior approval from the user.

After an investigation, it was revealed that the computer had been replaced in the summer of 2008. The previous computer had been marked as a medical computer and despite protests, the new computer, which had administrative privileges from the council IT department, was designated as a council one.

Read more in The Local (Se).


(Related) “...never do harm to anyone.” Hippocrates

http://hardware.slashdot.org/story/10/07/22/2346253/SFLC-Wants-To-Avoid-Death-by-Code?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

SFLC Wants To Avoid Death by Code

Posted by timothy on Thursday July 22, @07:37PM

"The Software Freedom Law Center has released some independent research on the safety of software close to our hearts, that inside of implantable medical devices like pacemakers and insulin pumps. It turns out that nobody is minding the store at the regulatory level and patients and doctors are blocked from examining the source code keeping them alive. From the article: 'The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled. ... Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD's source code or test its security.'"



For my Ethical Hackers. Probably not the best way to defend yourself.

http://www.networkworld.com/community/node/64018

Town official doubly insulted by spyware allegation

On June 21, Mr. Garieri said at a selectmen's meeting his "IT guy" (which, he said, this week is the same person who hooked up his printer) picked up spyware attached to e-mails sent by Mr. Creamer. Given Mr. Creamer's "prior employment history" of making others' "personal information available," Mr. Garieri said, he felt it necessary to block all of Mr. Creamer's incoming e-mails.

The story describes Creamer as having been "a consultant" to the U.S. Department of Justice, but for purposes of this post we will leap to the entirely unsupported assumption that he was (if not still is) a full-blown government spook. Because not only does Creamer categorically deny sending any spyware, he contends that the mere fact Garieri's "IT guy" suspects him of doing so is proof he did not because -- are you following me here? -- if he had he would have left no fingerprints; he's that good.



...so you no longer need to surrender the soul of your first-born.

http://www.pogowasright.org/?p=12254

Court: Violating Terms of Service Is Not a Crime, But Bypassing Technical Barriers Might Be

July 22, 2010 by Dissent

Marcia Hofmann writes:

Good news: another federal judge has ruled that violating a website terms of service is not a crime. But there’s bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California’s computer crime law.

The decision comes in Facebook v. Power Ventures, a case in which Facebook is suing a company that offers a tool for users to access and aggregate their personal information across social networking sites. Because Facebook’s terms of service don’t allow users to access their information through “automated means,” Facebook claimed that Power accesses its service “without permission” in violation of California Penal Code Section 502. Facebook has also argued that Power broke the law by evading Facebook’s effort to block the Power browser’s IP address, which was meant to try to keep users from accessing their Facebook accounts through the Power website.

Read more on EFF.



For my Ethical Hackers. What did you know and when did you know it?

http://it.slashdot.org/story/10/07/22/1819239/Microsoft-Makes-Major-Shift-In-Disclosure-Policy?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Microsoft Makes Major Shift In Disclosure Policy

Posted by timothy on Thursday July 22, @03:02PM

"Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there."

Here's Microsoft's announcement of the new strategy.



For my Ethical Hackers and others... Lots of useful forensic features.

http://www.makeuseof.com/tag/6-cool-irfanview-plugins-enhance-simple-image-editor/

6 Cool IrfanView Plugins To Enhance This Simple Image Editor

IrfanView is a compact graphic viewer for Windows. It’s small, fast, and offers an incredible amount of features. Best of all, it’s freeware.

By default, IrfanView comes with some basic features, including multi-language support, a large number of supported file formats, paint options, slideshow capability, batch conversion, and a lot more. The application can be enhanced further by installing a myriad of IrfanView plugins.

SLIDESHOW: Save Slideshows As An .exe or .scr File

EXIF: View Exif Data From JPGs

Exchangeable Image File Format (Exif) data provide information about the camera settings used to take the respective picture. The EXIF plugin makes this information viewable for JPG images.

MPG: Extract Frames From MPEG Files

OCR_KADMOS: Adds OCR Features

OCR_Kadmos is an optical character recognition (OCR) component for IrfanView. It will recognize and extract text from loaded images.

We have previously written about IrfanView:



Facebook Infographic

http://cdn.mashable.com/wp-content/uploads/2010/07/Facebooks-500-million-infographics.jpg



'cause no one takes the time to read the whole thing?

http://linux.slashdot.org/story/10/07/22/1852234/Open-Source-OCR-That-Makes-Searchable-PDFs?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Open Source OCR That Makes Searchable PDFs

Posted by timothy on Thursday July 22, @03:21PM

"In my job all of our multifunction copiers scan to PDF but many of our users want and expect those PDFs to be text searchable. I looked around for software that would create text searchable pdfs but most are very expensive and I couldn't find any that were open source (free). I did find some open source packages like CuneiForm and Exactimage that could in theory do the job, but they were hard to install and difficult to set up and use over a network. Then I stumbled upon WatchOCR. This is a Live CD distro that can easily create a server on your network that provides an OCR service using watched folders. Now all my scanners scan to a watched folder, WatchOCR picks up those files and OCRs them, and then spits them out into another folder. It uses CuneiForm and ExactImage but it is all configured and ready to deploy. It can even be remotely managed via the Web interface. Hope this proves helpful to someone else who has this same situation."


(Related) Tools & Techniques

http://www.makeuseof.com/tag/convert-pdf-file-flash-movie/

How To Convert A PDF File Into A Flash Movie

The Adobe PDF format is one of the most common document formats in the world today. It is versatile, portable, and allows for the creation of professional looking digital documents. MakeUseOf has an entire section devoted to PDF guides. E-books are also often distributed in PDF format.

However, while PDF is extremely common, it isn’t universal. There are some devices, such as some MP3 players, that don’t support PDF files. It is also not possible to view PDF files on a computer unless you download and install the PDF viewer software. Usually you’ll do this on your own computer, but you may not be able to on a public computer.

If you are in a situation where you’re using a device that can’t open PDF files, you can try to work around the problem with a tool that converts the PDF to a SWF (Shockwave Flash) file. Flash files can be opened by any web browser that has Flash installed and by many portable devices. To do the conversion, however, you’ll need to use conversion software such as PDF2SWF, one of the many tools made available by SWFTools.
