Friday, July 01, 2011

Local breach. “We don't need no stinking encryption!”

Lost in transit: Colorado Department of Health Care Policy and Financing notifies over 3,500 of missing disk

By Dissent, July 1, 2011

Michael Booth reports:

The state Department of Health Care Policy and Financing has lost thousands of applicant names on a computer disk for the second time in a year, triggering a public notice under federal privacy rules.

HCPF officials said the names of 3,590 medical-aid applicants were on the lost disk, though the data did not include dates of birth, Social Security numbers or other personal information that could lead to identity-theft cases. Some of the lost information includes health data protected under the privacy rules of the Health Insurance Portability and Accountability Act.

The data did include the addresses and the state identification numbers for the applicants. The disk was lost on its way between two state agencies, the HCPF notice said, and was discovered May 6.

Read more on Denver Post.

A notice dated June 30 on the agency’s web site says:

The Department of Health Care Policy and Financing announced today that a computer disk containing applicant name, state identification number, and address has been lost in transit between two state agencies. The computer disk did not contain dates of birth, social security numbers, or other financial information that could be used for identity theft or fraud.

State officials discovered the loss on May 6, 2011.

The department has determined that some of the information on the computer disk is considered Protected Health Information and is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Approximately 3,590 applicants’ information was lost and applicants will receive notification by mail as required by HIPAA.

[From the article:

Last summer, HCPF sent apology letters to 100,000 residents after a computer hard disk was discovered missing from equipment returned as surplus.



Perhaps perceptions are changing – or maybe they just do things differently in Canada?

Canadian data breach causes Durham residents to ‘not be another victim’

By Dissent, June 30, 2011

A follow-up to a breach first reported in December 2009.

Dan Raywood writes:

With every data breach there is a victim.

While it may often ‘just’ be a username, password or email address that is leaked, someone is bound to be affected. The announcement of a potential compromise of data could scare some more than others.

That said, some people are blase about data breaches so probably don’t really care. So in an ‘anonymous henchman’ style, does anyone really care about the victim?

Well maybe a recent class action suit could cause someone to take action. In a report I read recently, around 80,000 people are seeking $40 million in compensation for their data lost by the Canadian Durham region on an unencrypted USB flash drive.

According to durhamregion.com, the data was personal information about people who had been vaccinated against the H1N1 flu virus. The class action suit was given the go-ahead by Justice Peter Lauwers of the Ontario Superior Court of Justice in late April, with Bowmanville resident John Sherlock Rowlands appointed as the ‘representative’ of the class.

It said that among the claims in the suit are that the region was negligent, there was a breach of a fiduciary duty, violation of privacy and breach of the Canadian Charter of Rights and Freedoms.

Read more on SC Magazine.

[From DurhamRegion.com:

The USB key was lost in the parking lot of the Regional headquarters. [How would they know that? Bob]

… The court has already ordered the Region to pay almost $63,500 to the plaintiffs to handle some costs.

The lawyer retained by the Region, David Boghosian, said in an interview the "class has been certified, which we largely consented to."

… More information is available at www.durhamhealthclassaction.com



I'm gonna bet NO! Think of unencrypted data as sending a message on a postcard, whereas any encryption puts the data in an envelope.

http://www.pogowasright.org/?p=23585

Lawsuit Over Google WiFi Data Breach Will Move Ahead

July 1, 2011 by Dissent

Joe Mullin reports:

Google apologized long ago for the accidental collection of personal WiFi data by its Street View cars, but the snafu continues to produce headaches for the company. Now a San Jose federal judge has refused to throw out a class-action lawsuit against Google arguing that the data breach violated federal wiretapping laws.

This lawsuit is one of the more closely-watched ones in privacy circles, because it appears to be the first time a court has considered the issue of whether unencrypted WiFi data sent over public networks can be protected by privacy laws or not.

Read more on PaidContent.org

Related: Order in In re Google Inc. Street View Electronic Communications Litigation (NO. C 10-MD-02184 JW)



I doubt asking (even demanding) will be sufficient, so I suspect we'll see another lawsuit that I would like to see. Amazing how long these things can continue without anyone taking action.

NYC Mayor Demands $600M Refund On Software Project

"New York Mayor Michael Bloomberg is demanding that systems integrator Science Applications International Corporation reimburse more than $600 million it was paid in connection with the troubled CityTime software project, a long-running effort to overhaul the city's payroll system. 'The City relied on the integrity of SAIC as one of the nation's leading technology application companies to execute the CityTime project within a reasonable amount of time and within budget given the system's size and complexity,' Bloomberg wrote in a letter Wednesday to SAIC CEO Walter Havenstein. CityTime was launched in 2003 at a budget of $63 million, but costs swelled dramatically as the project stumbled along for nearly a decade."

[From the article:

The recent indictment of SAIC's lead project manager on the CityTime job, Gerard Denault, as well as the guilty plea to criminal charges made by SAIC systems engineer Carl Bell, who designed the software, are "extremely troubling and raise questions about SAIC's corporate responsibility and internal controls to prevent and combat fraud," he added. Denault and Bell were charged with taking kickbacks, wire fraud and money laundering.

Also recently indicted were Reddy and Padma Allen, a couple who head up New Jersey systems integrator TechnoDyne, which was SAIC's primary subcontractor on the CityTime project. Federal authorities allege that the Allens and others conducted an elaborate overbilling and kickback scheme that siphoned millions of dollars from the project.



Better. Now all we need is an MBR restore kit.

Microsoft Says Reinstall Overkill In Removing Rootkit

"Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popureb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
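The "restore kit" I'd want starts with knowing whether the MBR has changed at all. The Python below is an added example (not from Microsoft's post, the Computerworld piece, or any vendor tool): it takes a raw 512-byte sector image, parses the four partition entries, and compares a SHA-256 of the 446 bytes of bootstrap code against a hash you recorded while the machine was known clean. The sector bytes, the "known good" boot code, and the helper name build_sample_mbr are all constructed here for the demo and do not come from any real disk.

```python
"""Baseline check for a raw 512-byte MBR image (added example, not from the
original page or from Microsoft's guidance).

Assumes the caller already has a raw sector image, e.g. taken from boot media
with `dd if=/dev/sda bs=512 count=1 of=mbr.bin`. The sample sectors built by
build_sample_mbr() are constructed for this demo and are not from a real disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code, what an MBR rootkit overwrites
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS-type partition (constructed sample)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(PART_ENTRY, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only, so legitimate partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Compare an MBR image with a known-good boot code hash; returns findings (empty = clean)."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}, wanted {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in parts:
        if p["lba_start"] < 1:
            findings.append(f"partition {p['index']} starts inside the MBR sector")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed "known good" boot code
    baseline = boot_code_hash(clean)                    # record this while the machine is clean
    print("clean :", check_mbr(clean, baseline))
    infected = build_sample_mbr(b"\xeb\xfe")            # same partitions, replaced boot code
    print("hooked:", check_mbr(infected, baseline))
```

Two caveats a practitioner would add. First, take the sector image from boot media, not from the running OS: a rootkit that sits in the boot chain and hooks disk I/O can hand back a clean-looking sector, which is exactly why the recovery console is involved at all. Second, this is change detection, not family identification; the baseline hash must be recorded per machine (boot code differs between Windows versions and third-party boot managers), and a changed hash tells you to rewrite the MBR and then go looking for whatever the rootkit downloaded, which is the part Stewart's objection is about.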



Let me draw you a picture...

How Phones Get Phished [INFOGRAPHIC]

A phishing attack — wherein a user is prompted by a seemingly legitimate page to enter certain log-in credentials such as PayPal or banking information — isn’t a sophisticated hack that programmatically sifts through your data or bricks your hardware. Rather, it relies on a certain lack of caution and naiveté on the part of users.



Wiretaps were approved 99.9% of the time, and no bad guy was smart enough to use strong encryption (or those who did were handled in other ways)

http://www.bespacific.com/mt/archives/027646.html

June 30, 2011

2010 Wiretap Report Shows Increase in Authorized Intercepts

"Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications increased 34 percent in 2010, compared to the number reported in 2009. The interceptions are reported in the 2010 Wiretap Report, released today by the Administrative Office of the United States Courts (AOUSC). The current report covers intercepts concluded between January 1, 2010 and December 31, 2010. A total of 3,194 intercept applications by federal and state courts were authorized in 2010, with 1,207 applications by federal authorities authorized and 1,987 applications by 25 states authorized. One application was denied. Installed intercepts totaled 2,311."

[From the report:

Public Law 106-197 amended 18 U.S.C. § 2519(2)(b) in 2001 to require that reporting should reflect the number of wiretap applications granted in which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of the communications intercepted pursuant to the court orders. In 2010, encryption was reported during six state wiretaps, but did not prevent officials from obtaining the plain text of the communications.



Just because this is so obvious even a caveman can understand it does not mean anyone in Congress will. (Unless it comes wrapped in campaign contributions)

http://www.bespacific.com/mt/archives/027649.html

June 30, 2011

FTC: Consumer Confidence in Internet Marketplace Depends on Privacy Protections

News release: "The Federal Trade Commission told Congress that consumers must be confident that their privacy will be protected if they are to be willing to take advantage of all the benefits offered by the Internet marketplace. Commission testimony to the Senate Committee on Commerce, Science and Transportation, delivered by Commissioner Julie Brill, states that, “Privacy has been an important component of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"

  • "Ioana Rusu, regulatory counsel for Consumers Union, the nonprofit publisher of Consumer Reports, shared new poll results when she testified at a Senate committee hearing on online privacy and data security tomorrow. A May poll conducted by Consumer Reports shows that two-thirds of consumers feel that the government should be involved with safeguarding their online privacy, while 81 percent of respondents agreed that they should be able to permanently opt out of Internet tracking from a single location."



Free is good!

Thursday, June 30, 2011

Many Books - 29,000 Free eBooks

Many Books is a service that has indexed more than 29,000 free ebooks that are available in a variety of formats for a variety of devices. The books that you will find through Many Books are works that are either in the public domain or have been licensed for free distribution. You can search Many Books by title, author, genre, or language.
