If this is what it costs to lose an
unencrypted laptop, and encryption is really really cheap, is the
failure to encrypt negligence? Somehow I think there is much more to
the story.
By Dissent,
December 28, 2012 11:48 am
I was surprised to read this morning
that Hospice of North Idaho
had settled charges by HHS over a laptop stolen from
an employee’s car in the summer of 2010.
I was surprised, in part, because I was
not aware of this incident at all as it had not appeared in HHS’s
breach tool. Since it occurred after HITECH went into effect, it’s
possible that the breach affected less than 500 patients.
According to a statement from the hospice reported by David Cole of
the Coeur
d’Alene Press, the hospice had appropriately reported the
incident at the time to HHS.
So why did HHS fine this hospice
$50,000? Was it to make some point about leaving laptops in
unattended cars? If so, I approve in principle, but why
this hospice instead of one of the many other covered entities that
have had laptops stolen from cars? At least in this case,
it is somewhat more understandable that an employee would have
removed patient data from the office as they provide home-based
hospice services.
Should the data have been encrypted or
otherwise protected? Obviously. And do I agree with the hospice’s
statement that “The theft of the laptop was out of our hands?”
Obviously not. If you wouldn’t leave your wallet with all your
credit cards and IDs in your car to be stolen, you shouldn’t be
leaving a laptop with patient information in your car to be stolen.
And if you would leave your wallet in your car, I personally
don’t think you should ever be trusted with patient data.
But a $50,000 fine for a hospice that
self-reported a breach seems harsh, particularly when we think of all
the other cases where no fine was imposed.
There is no statement on the hospice’s
web site at this time. Nor on HHS’s. I’ve
e-mailed both requesting a statement or explanation as to why this
breach resulted in a fine and hope we’ll find out more. [I'll
watch for that... Bob]
Tools & Techniques
Who should have these installed? (Each has a free version)
… What exactly is a
keylogger? Forgive me for using the term in the definition, but it’s
a malicious infection that resides on your computer, logging a
record of your keys as you press them. It saves every key
pressed on your keyboard then sends that information back to a home
server somewhere. A hacker then uses this information to break into
your personal accounts and dig through your information.
The cold and honest truth, however, is
that preventative software will never catch 100% of keylogger cases.
Hackers are constantly creating new keyloggers and new malware to
infest computers all over the globe. Protective software will always
be playing a game of “catch up”.
So if you want to maximize your safety,
be sure to read Matt’s article on 4
ways to protect yourself against keyloggers.
Whatever you do, don't broadcast on
104.7 FM (without recording
it all on your smartphone!)
"For months, dozens of people
could not use their keyless entry systems to
unlock or start their cars when parked in the
vicinity of the eight-story Regents bank building in Hollywood, FL.
Once the cars were towed to the dealership for repair, the problem
went away. The problem resolved itself when police found
equipment on the bank's roof that was broadcasting a bootleg radio
station. A detective and an FCC agent found the equipment hidden
underneath an air conditioning chiller. The man who set up the
station has not been found, but he faces felony charges and fines of
at least $10,000 if he is caught. The radio station was broadcasting
Caribbean music around the clock on 104.7 FM."
A concise summary, with lots of links.
December 28, 2012
TrendMicro
- The Trends in Targeted Attacks of 2012
Nart Villeneuve (Senior Threat
Researcher): "Throughout 2012, we investigated a variety of
targeted attacks including several APT campaigns such as LuckyCat and
Ixeshe, as well as updates on some long running campaigns such as
Lurid/Enfal and Taidoor. There was a lot of great research within
the community related to targeted attacks published this year, and
I’ve clustered the research I found to be the most interesting into
six themes that I think also encapsulate
the trends in targeted attacks of 2012."
Ah, if only... Meanwhile, have fun
imagining the various scenarios that could result in a cloned
profile.
There’s a story in the Cranberry
Eagle by Jared Stonesifer about a
man who has sued LinkedIn because his information was displayed
in a profile that he hadn’t created, and LinkedIn wouldn’t tell
him who created it – even though they removed the page:
The lawsuit, which
was filed Thursday, says that Senft keeps his personal contact
information private.
The
Point Daily also covers the lawsuit.
So what do you think will happen here?
Will LinkedIn try to settle the suit by giving the plaintiff the
information he requested, or will it hold out for a court order? And
what should be the consequences of this breach? Can Senft show harm?
Or will this breach, too, get dismissed?
I can’t wait to see what Venkat
Balasubramani thinks of its chances.
[From the PointDaily
article:
… the supporters of improved
privacy on social media are taking this development very seriously,
because other people can also be affected by similar results as well.
On the other hand, Linkedin Corp. is not reacting to the legal
action proactively and is looking to bury the matter under the dust
of time, analysts added.]
Soon, everyone will have at least one
drone. Perhaps we should get into the “Rent a Drone” business?
In January of this year, we posted news
of a major pollution site in Texas that was the subject of some
anonymous amateur sleuths with drones, who
used their UAVs to document the release
of a "river of blood" (pig blood, that is) into the
Trinity River as it flows through Dallas. Now, garymortimer
writes, that documentation has resulted in legal action in the form
of an indictment
from a Dallas grand jury.
"The story
went viral and continues to receive hits nearly a year later. I
believe this is the first environmental crime to be prosecuted on the
basis of UA evidence. Authorities had to act
because of the attention the story was receiving." [Not
entirely true, but an invitation to activists with drones... Bob]
(Related)
Texas
UAV Enthusiast Uses Pilotless Aircraft to Uncover River Contamination
… The contamination was noticed by
the operator after reviewing images he’d taken of the Trinity River
while flying a homemade UAV, according to
Small
Unmanned Aerial Systems News (sUAS), a Web site that tracks
unmanned vehicle-related news.
“This flight was undertaken
completely within the law, below 400 feet and visual line of sight,”
wrote Gary Mortimer of sUAS.
… The UAV used to photograph
Trinity River was created by mounting a point-and-shoot digital
camera onto a
$75 airframe.
… Mortimer says UAS technology
gives operators the "ability to look over a fence" that
didn't exist years ago, so privacy issues are inevitable.
I wonder who gave them this idea?
"Prenda Law — one of the most
notorious copyright trolls — has sued hundreds of thousands of John
Doe defendants, often receiving settlements of thousands of dollars
from each. Prenda Law principal John Steele has reportedly made a
few million dollars suing BitTorrent file-sharers. Prenda Law
has been accused in federal court of creating
sham offshore corporations using
the identity of his gardener. In other words, it is alleged that
the law firm and their client are the same entity, and that Prenda
Law has committed identity theft and fraud. Now, a judge in
California has granted
a John Doe defendant's motion to
further explore the connection between the offshore entity and
the law firm."
This is very wrong, students. I'm only
pointing out the details so you can avoid doing wrong (under your own
name).
… Amazon’s official Kindle
Store Terms of Use are very clear about this, stating “Kindle
Content is licensed, not sold, to you by the Content Provider”.
Technically speaking, Amazon can take the book away at any time
– simply remove it from your device remotely and delete your
account, which wouldn’t
be a first for them.
… After you de-DRM your Kindle
books, you will be able to read them on your Kindle as per usual, but
you will also be able to convert them to PDFs, ePubs (for reading on
a Nook, for example), and any other format. Most importantly, Amazon
would never be able to take those books away from you – you get to
keep what you bought.
- Stripping DRM violates Amazon’s ToS.
- Stripping DRM may be illegal in your country or state.
- If you are a decent human being, I trust that you will not distribute the content you de-DRM.
- Last but not least: DRM is a cat-and-mouse game. This method
works at the time of this writing, and may stop working tomorrow, as
soon as Amazon change things.
End of year lists...
Because nobody will ever create an
Infographic of “Bob Quotes” (I particularly like number 13)
Well, I find it interesting...
… As of January 1, 2013, we can
welcome
to the public domain (in countries that follow
the “life plus 70 years” copyright period) the works of writers
and artists like anthropologists Franz Boas and Bronisław Malinowski
and Anne of Green Gables author L. M. Montgomery. Mike Masnick has
pulled
together the list of new items in the public domain for the U.S.
— empty.
… A competition
on the machine learning site Kaggle is looking for
folks to “visually uncover trends in the Colorado public school
system” by using 3 years of school grading data supplied by the
Colorado Department of
Education. The prize is $5000. The deadline, January 19.