Still More on Laptop Security & Thefts, Encryption and Training

May 13th, 2006

Yes, I’m still on a quest to learn about laptop thefts, losses, and other related crimes, mistakes, and oopses.  If you were to do a study to determine the actual amount of business data and personal information stored on these meandering data minefields, I’m sure the result would be mind-boggling…

Today the Arizona Republic published a report, "Lost, stolen laptops bring security risks."  Agree…the title tells us nothing new. 

However, there are some interesting statistics within the report; organizations can put these into their info sec file and use them within their awareness efforts.

Some of the nuggets include:

"Last year, 1,970 laptops or laptop-related items were reported as stolen to the Phoenix Police Department, up from 1,667 in 2004. As of April 30, 663 reports of laptop or laptop-related item theft have been filed this year. "

This is just one city!  Every day I see, in police reports from across the U.S., reports of stolen laptops/notebooks/Blackberries/PDAs/etc. 

"Tom Liffiton, a special agent for the FBI who heads a cyber-crime squad in Phoenix, said that while most laptop thefts go unreported to the FBI, "I can tell you I recently talked to a very large bank that said they lose a laptop (to theft) every day." The good news for the bank and those who do their banking there is that, unlike Fidelity, the bank encrypts the information on its laptops."

Kudos to Fidelity for encrypting all data on their laptops!  Yes, another rallying cry of mine…encrypt data on mobile computing devices!  Disk encryption is really easier and more cost efficient than ever before.  Given how many of them are lost and stolen it just makes good business sense. 

"The International Data Corp. reported in 2005 that PC makers predicted laptops will account for more than 40 percent of the PC market in 2006-2007, and expected that figure to pass percent in 2008.  According to FBI reports, more than 97 percent of those laptops are never recovered."

Not surprising.  How many of you have your laptops/notebooks/etc. tagged so that they can be tracked and reclaimed whenever they are recovered by law enforcement authorities?  An untagged device is a prime target for easy resale.  Just look on eBay…as of this moment on 5/13 there are many different types of computers for sale:

Desktop PC Components (3592)
Desktop PCs (3063)
Software (2695)
Laptop Parts & Accessories (2104)
Laptops, Notebooks (1649)
Input Devices (1406)
Vintage Computing Products (522)
Monitors & Projectors (515)
Networking (501)
Apple, Macintosh Computers (404)

How many of these do you suppose were lost or stolen?

"Among the companies that take a serious approach to the matter of laptop security is Intel, where roughly 85 percent of employees use company laptops. All employees are required to participate in a security awareness class, which Intel updates every year."

Training is also of great importance for any security effort.  Wonder if Intel also requires all data on the laptops to be encrypted?

Also, remember that encrypting data on laptops, and providing training and awareness, all contribute to compliance with numerous regulations.


Hackers Take Medical Records, SSNs and Other Personal Information From the Athens, Ohio University health center…For the 3rd Time: HIPAA Violations?

May 12th, 2006

Today the Columbus Dispatch reported that hackers had broken into the Ohio University health center for the third time during the past 3 weeks.  Some of the people whose information was taken have already noticed their information being used fraudulently.  The potential exists for the information to continue to be used in the coming months…if it hasn’t been misused yet, that certainly is no assurance that it will not be misused.

The Department of Health and Human Services indicated they are going to investigate to see if HIPAA requirements have been violated.

Appears there have been some sanctions applied as a result…

"Three OU officials have been placed on paid administrative leave to help ensure a "full and fair" audit, OU spokesman Jack Jeffery said. The action is not disciplinary, and the employees are not suspected of wrongdoing, he said.  Duane Starkey, director of computer services; John Beam, assistant director of computer services; and Steve Ray, server administrator, were suspended Friday."


Proposed California Law Would Require Consumer Warnings & Info About How to Protect Personal Info for Wi-Fi

May 11th, 2006

There was an interesting report in California today about a proposed bill, AB 2415, that would, generally, require manufacturers and retailers of computers with wi-fi to include warnings within the OS, as well as, by default, turn off file-sharing.

Of course there are new bills proposed all the time…and many of them do not make it into law.  However, I find this one interesting because it is so narrowly focused on wireless security.  There are so many other risks that exist with computers, how long will it be until these are legislated also?  Will there be a law that requires all personal information to be encrypted at rest (in storage) and in motion (while in transit)?  Will the use of malicious code previous become legislated?  These issues are covered, at least through implications that require security to be implemented based upon the results of risk assessments, along with many others, in such laws as HIPAA and GLBA and even through the interpretations of the FTC Act.  However, this bill is different in that it is forcing computer manufacturers and retailers to, in effect, implement a customer awareness/protection program for each computer sold.

Even though this is a California bill, if enacted, it would in effect require basically all computer manufacturers to implement the consumer warnings and reset defaults within the computer software, since it states, "This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode."  I can’t think of any computer manufacturer who would stop selling to California just because of this.

It’s curious why the bill was amended by striking "wireless technology" and replacing it with "network security" when it is specific to wi-fi security.

I think it is good to legally require businesses to protect information and implement security, but when it starts getting so narrowly scoped and technology specific there can be other more significant risks being overlooked (such as buggy, inadequately secured application code) in an effort to address only those very specific legal technical requirements.

The specific amended bill, with the stricken passages omitted, follows:

"   AB 2415, as amended, Nunez   Network security.
   Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software. 
   
   This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode. The bill would also provide that if any part of these provisions or their applications are held invalid, the invalidity would not affect other provisions.
   Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1.    The Legislature finds and declares the following: 
   (a) With the increasing use of wireless technology, consumers are unknowingly allowing their personal information to be accessed by unauthorized users who piggyback onto their network connection.

   (b) Piggybacking occurs when an unauthorized user taps into a consumer’s network connection. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where WiFi radio waves can easily emit through walls, floors, and ceilings. 
   (c) Since there is no gauge that shows how many people are using a particular connection, it is impossible to determine when someone has tapped into a consumer’s network connection.   
   (d) In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet.  Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year. 
   (e) In April 2004, Humphrey Cheung, the editor of a technology Web site, flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The laptops logged more than 4,500 wireless networks, only 30 percent of which were encrypted to lock out unauthorized users. 
   (f) In June 2002, there was only one major carrier that offered "hot spot" access. Recently, however, several other large carriers have announced plans to enter the market by the end of the year. Few people realize that hackers can take advantage of these wireless "hot spots" by redirecting E-mail traffic from its intended path to the hacker’s computer, thereby obtaining personal information without the consumer being aware of the hacker’s presence. 
   (g) There is disagreement as to whether it is legal for someone to use another person’s WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Section 502 of the Penal Code prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), which also prohibit the intentional access of a computer without authorization.
SEC. 2.   Chapter 34 (commencing with Section 22948.5) is added to Division 8 of the Business and Professions Code, to read:      
CHAPTER 34.   NETWORK SECURITY

   22948.5.  For purposes of this  chapter, "computer"  means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device. 
   22948.6.  A person or entity that manufactures or sells a device in this state that enables connection to a network shall include in its software a warning that comes up on the computer screen if the consumer chooses to set up his or her device without a password and other security protections. The warning should advise the consumer how to protect his or her personal information. These instructions may also be available in the product manual. 
   22948.7.  A person or entity that manufactures or sells a computer in this state may only distribute or sell the computer with the computer’s file-sharing feature in off mode.
   22948.8.   The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application."


The Scorpio Sting: Telemarketer Uses Do-Not-Call List As a Marketing Tool…And the FTC Nails Him

May 9th, 2006

The FTC posted an interesting news release yesterday, "FTC Moves to Stop Telemarketer Using Phony Caller ID". 

It seems that a telemarketer, Scorpio Systems, Ltd., decided that the National Do Not Call Registry is a great source of marketing information!  When calling the people on the Do Not Call list, Scorpio fixed it so that his own number would not be identified by those answering the phone.  Oh, and to top it off, Scorpio did not pay to access the Registry, as is required. 

So…how did Scorpio get into the Registry if no payment was made?  Was there a breach?  Did Scorpio buy the list from another business that did pay?  Hmm…


What Businesses Need to Know About Compliance

May 8th, 2006

This whole concept of "compliance" is rather nebulous and fuzzy.  I see different vendors referencing it in different ways.  I hear different practitioners worrying about different things.  I wanted to speak with some IT compliance professionals with significant experience to see how they are handling this "compliance" responsibility.  I wanted to get the viewpoint of not only a practitioner responsible for an organization’s compliance efforts, but also a consultant who has worked with a wide range of organizations to see where the compliance efforts, successes and challenges are greatest.  On April 17, I had the opportunity to speak with two such folks, Chris Pick, Vice President of Corporate Strategy at NetIQ, and Wayne Crane, CIO, also from NetIQ, about a wide range of compliance issues, and what, from their perspectives and based on their experiences, they believe businesses need to know about the whole concept of compliance.  As a publicly traded company, NetIQ must meet the same strict regulatory requirements, such as SOX, as many other organizations, so it was interesting to hear their thoughts. 

I posted my interview with Chris and Wayne in the Realtime IT Compliance reading room, "What Businesses Need to Know About Compliance." See their thoughts on:

  • What "compliance" means to businesses
  • International compliance approaches
  • Industry-specific compliance challenges
  • The most challenging compliance areas
  • The use of frameworks, such as ITIL, for compliance
  • The most challenging regulation for compliance
  • What executives need to know about compliance
  • Budgeting for compliance
  • Using automation for compliance
  • The single most important compliance activity
  • The importance of executive support for compliance activities

New Privacy Bill Proposed in Canada: Highlights Need for Organizations to Implement Global Data Protection Activities

May 8th, 2006

David T.S. Fraser has a great blog covering information privacy in Canada, The Canadian Privacy Law Blog.  He just posted the proposed Bill 16, the Personal Information International Disclosure Protection Act, that was introduced in the Nova Scotia legislature last week.

Just one of the interesting passages within:

"5(1)  A public body shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless
           (a)  where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations to it being stored in or accessed from, as the case may be, outside Canada;
           (b)  where it is stored in or accessed from outside Canada for the purpose of disclosure allowed under this Act; or
           (c)  the head of the public body has allowed storage or access outside Canada pursuant to subsection (2).

       (2)  The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body’s operation."

The proposed bill is 11 pages long, and there is much, much more.  However, this gives you a good indication and good flavor for how this *proposed* bill is incorporating more and more of the OECD privacy principles and aligning even more closely with the types of requirements found within the EU Data Protection Directive than their existing laws, such as Canada’s PIPEDA.

In the past few years it seems most U.S. organizations, with regard to international data protection activities, have been primarily concerned with data protection issues within their EU offices and for their EU customers.  This proposed Canadian bill is likely to be a bellwether for more and similar bills within other countries.  A good reason for organizations everywhere to start thinking more globally and in a more unified manner with regard to handling the personal information they collect.


Another Example of Insider Threat: Computer Security Specialist Uses Access to Snoop in the Department of Education Computer He Was Auditing

May 7th, 2006

I’m catching up on the news from this past week, and I ran across a story from March 1 on the Department of Justice site of a systems auditor who was given access to place software on the computer he was auditing, and he "used that access on numerous occasions to view his supervisor’s email and Internet activity as well as other communications, and to share those communications with others in his office. Kwak carried out his crime and invaded his supervisor’s privacy for personal entertainment; there is no indication he profited financially from his actions." 

The auditor pleaded guilty and "faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pled guilty."  The crimes included "unauthorized access to a protected computer in furtherance of a criminal or tortious act."

"The prosecution was part of the "zero-tolerance policy" recently adopted by the U.S. Attorney’s Office regarding intrusions into U.S. government computer systems."

I think this type of activity probably occurs quite often.  As just one example, I know of a situation in one company where the documents within the print queue were viewable, and one middle-manager who discovered this made it a daily practice of constantly monitoring the documents printed…and he was quite proud of always having the inside scoop after reading all the emails and confidential memos.  He was very disappointed when the print queue documents became unviewable, along with the document names and those printing them.  He had been using the information he got on the sly to make proposals using others’ ideas, joke about others in the organization, and worse.  Too bad the company did not have a policy at the time covering this and his activity.

Many people often only think of criminal activity or fraud when considering the insider threat.  An additional insider threat is clear violation of confidentiality and privacy of others in the workplace.

Notice the actions and the resulting crime to which he pleaded guilty.  Let’s see…what types of activities are defined as "unauthorized access to a protected computer in furtherance of a criminal or tortious act"?  Let’s look at US Code Title 18, 1030, Fraud and related activity in connection with computers.   Likely this clause:

"(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;"

But, wait…he had authorization…to the computer system…but was he also given authorization to the email and Internet logs to perform that work?

I wonder how the situation impacted that office? 

Yes, this news story is a few weeks old…but it is still a good example of one of the many types of insider threats that exist, and the consequences.

It is also an example of computer ethics…or the lack thereof.  Just because you have the ability to exploit the information to which you have access does not mean you should…ethics must be promoted and enforced in the workplace. 

Also something good for your awareness files, perhaps.


Using Airline Ticket Stubs for Identity Theft…or Worse…

May 5th, 2006

An interesting story was published in the Guardian Unlimited on Wednesday, "Q. What could a boarding pass tell an identity fraudster about you? A. Way too much."  So many little pieces of personal information floating around, and being tossed, it’s really amazing how much can be done with seemingly innocuous papers…such as those airline ticket stubs. 

The author of the article, Steve Boggan, indicated that the stub, a discarded British Airways boarding-pass stub, contained the traveller’s name, the seat number and the frequent-flyer number, and indicated that he was a "Gold" standard passenger.

The article author took the stub to a security guru, Adam Laurie, logged on to the BA website, bought a ticket in the traveller’s name and then, using the frequent flyer number on the boarding pass stub, without being required to submit a password, was given full access to all his personal details – including his passport number, the date it expired, his nationality and date of birth. The system also allowed them the opportunity to change the information.

They then used the information to find out on the Internet, within 15 minutes, where the traveller lived, who lived there with him, where he worked, the universities he had attended and how much his house was worth when he bought it.

Amazing…and scary…just a few pieces of seemingly innocent personal information can lead to so much…


Medical Identity Theft: Not Only Privacy Concerns, But Real Health Concerns According to Report Released Today

May 3rd, 2006

Over the years I’ve thought about the many different issues involved with privacy, but something I had not pondered before came to my attention today as I read the just-released World Privacy Forum report, "Medical Identity Theft: The Information Crime That Can Kill You."

It has always been a concern of mine, and many others, that lack of security controls within computer systems and lack of privacy protections can have real, physical impact upon people.  For example, some small modifications to the hospital databases for the amounts of medicine to administer to the patients could have insidious widespread and lethal impacts.  However, this new report brings up another possibility…having medical files modified and/or falsified by unauthorized persons, and then the real persons receiving the wrong, potentially fatal, medical treatment based upon the modifications in the records. 

The report indicates that, according to their research, between 225,000 and 500,000 people in the United States have been victims of this type of medical identity theft.

This is a 57-page report, quite intriguing reading.  Here are a few of the many findings I found interesting and sometimes somewhat shocking:

First, their definition of medical identity theft: 

"Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity – such as insurance information – without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name."

Now, just a few of the other excerpts:

"There have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission since January 1, 1992, the earliest date the FTC began recording such complaints.

  • Data from government identity theft hotlines and from identity theft surveys containing questions about medical use of data point with some consistency toward a range of approximately 1.5 to 2 percent for the rate of medically-related identity theft in comparison with other forms of identity theft.
  • Medical identity theft, as articulated by these numbers, translates in number of victims in 2003 to a range of a minimum of about 3,500 victims to up to a theoretical maximum of almost 3.25 million victims. However, our best estimate is that there could be as many as a quarter to a half million people who have been victims of this crime."

"Victims do not have clear pathways for recourse and recovery. The Fair Credit Reporting Act allows for greater recourse for victims of financial identity theft than the HIPAA health privacy rule provides for victims of medical identity theft. For example, victims do not have the legal right to demand correction of their medical information that was not created by the provider or insurer currently maintaining or using the information. This circularity can make it impossible for a medical identity theft victim to erase false entries from a medical or insurance record. This is true even when false entries were put in the record during the commission of a crime, such as health care fraud or medical identity theft."

Hmm…is this completely true?  CEs (covered entities) are supposed to investigate, with demonstrated reasonable care, all requests from patients to correct PHI.  Of course, if the fraud is committed by an insider (which it sounds like it often is), those tracks can be covered pretty easily.

Remember that incident that occurred in January 2006, where Providence Health System notified 365,000 individuals that on December 31, 2005 their protected health information was stolen from an employee’s car?  Well, after reading this report, it seems that this is the type of data that could be used to commit medical identity theft and not be readily noticed.  So many of the companies who have such incidents, and even the judges who determine the penalties (or lack of them) for such incidents, take into consideration whether any known fraud has occurred.  In the instance of medical identity theft it would be very hard to know until long after the fact, as in the cases of the victims described in this report.

The report’s summary and findings include:

"This report finds that medical identity theft is deeply entrenched in the health care system. Identity theft may be done by criminals, doctors, nurses, hospital employees, and increasingly, by highly sophisticated crime rings. The report finds that medical identity theft victims need an expanded right to correct their medical files in order to recover from this crime, and need more specialized consumer education that is focused on correcting the specific harms of medical identity theft. Key recommendations in the report include:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Individuals should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Studies are needed to determine what the incidence of medical identity theft is, how and where it is occurring, and how it can be detected and prevented.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy."


How Often are National Security Letters Really Used?

May 2nd, 2006

Last Friday a news article was published in several places, "FBI sought information on 3,501 people last year using powerful investigative tool".  The story:

"The FBI secretly sought information last year on 3,501 U.S. citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said Friday. It was the first time the Bush administration has publicly disclosed how often it uses the administrative subpoena known as a national security letter, which allows the executive branch of government to obtain records about people in terrorism and espionage investigations without court approval.

Friday’s disclosure was mandated as part of the renewal of the Patriot Act, the administration’s sweeping anti-terror law.  The FBI delivered a total of 9,254 NSLs relating to 3,501 people in 2005, according to a report submitted late Friday to Democratic and Republican leaders in the House and Senate. In some cases, the bureau demanded information about one person from several companies. The department also reported it received a secret court’s approval for 155 warrants to examine business records last year, under a Patriot Act provision that includes library records. However, Attorney General Alberto Gonzales has said the department has never used the provision to ask for library records.  The number was a significant jump over past use of the warrant for business records. A year ago, Gonzales told Congress there had been 35 warrants approved between November 2003 and April 2005."

Hmm…well, curiosity led me to the Representative Fazio website, where I found a floor statement from November 8, 2005.  This statement indicates, among other things, that:

"Mr. Speaker, the Sunday Washington Post had an extraordinary story as a result of investigative journalism. The FBI has issued 30,000 national security letters. Now, we will have to back up for a moment to understand what that means. Four years ago, this Congress was stampeded under the anthrax attack and 9/11 into passing a bill it had not read, the U.S.A. PATRIOT Act, which contained many unconstitutional and dubious provisions, many bad ideas from past attorneys general, rejected by previous Congresses, passed in a hysterical time for the Congress.  Now it is about to be reauthorized, and, in fact, strengthened in many ways. This is one of the most disturbing aspects of that legislation. These national security letters used to be fairly rare. They used to issue about 300 a year. They are now issuing 30,000 a year, a 100-fold increase. This is an extraordinary intrusion into the personal lives of many Americans who are not accused of or even suspected of crimes."

I couldn’t find anything on the FBI site indicating 30,000 NSLs had been issued…but the first article indicated that this (2006) was the first year that the Bush administration publicly disclosed the number of NSLs…9,254 in 2005.  I’m trying to figure out the incongruity here…

I couldn’t find any official counts for the number of times NSLs have been used on the Dept of Justice site, nor on the FBI’s site, nor on the Government Accounting Office site.  Shouldn’t this information be available to the public under the FOIA, or does the USA PATRIOT Act trump that?  Is this information classified?

Just trying to figure out how often NSLs really are used…
