Archive for May, 2006

New Useful FTC Site for Wireless and Computer Security, Internet Fraud, Other Topics and Related Awareness Activities

Wednesday, May 17th, 2006

Yesterday the FTC announced the launch of a new website, OnGuard Online.  This site has some very good information not only for consumers, but also for organizations to use in their information security and privacy education programs; especially small and medium sized businesses who often don’t have a budget for an adequate education effort for their personnel.  What is also nice is that they provide all this in both English and Spanish versions.

Some of the useful items on this site:

  • Free Videos and Tutorials
    • Teaching Kids To Be Safe Online (video)
    • Protect Your Privacy, Your Family, and Your PC (video)
    • Reducing Spam (video)
    • Defend Yourself Against Viruses and Worms (video)
    • Security/Tools (tutorials)
    • Spam Filtering (tutorials)
    • Wireless Security (tutorials)
  • Interactive Activities (such as quizzes)
  • Topical Discussions
    • An Overview of Safer Computing
    • Identity Theft
    • Internet Auctions
    • Spyware
    • Wireless Security
    • Phishing
    • Social Networking Sites
    • Spam Scams
    • Online Shopping
    • Peer-to-Peer File-Sharing
    • VoIP (Voice over Internet Protocol)
    • Cross-Border Scams

And much more information.  Check it out!  You may find you can use a lot of the information.

Technorati Tags







Do Laws Protect Muffin Privacy?

Wednesday, May 17th, 2006

A story today in the Dallas Morning News, "18 fall ill from tainted muffins" reported the names of faculty and employees of Lake Highlands High who went to the hospital after eating muffins probably laced with marijuana that had been delivered to the school.  It also described the symptoms (nonstop laughter, increased heart rate, dizziness, etc.), and gave the age of the oldest, who is 86. 

What struck me was a statement made by the hospital,

"The muffins might have had marijuana and Benadryl in them, and tests were being done, said Terry Long, Presbyterian’s director of nursing administration and emergency services. He said he would not be able to confirm what was in the baked goods because of privacy laws. "We are suspecting some kind of street drug or over-the-counter drug," Mr. Long said."

So, the hospital could talk about the specific conditions and symptoms of named patients, but could not "confirm" what was in the muffins "because of privacy laws"?  Huh?  Well, perhaps they obtained consent form the patients to release their names.  Or, maybe the school provided the names and ages.  But what’s up with the muffin privacy?  They involved the FBI because food tampering could endanger the public.

Let’s see…I can’t think of anything in HIPAA that prevents hospitals from talking about the ingredients of tainted food that sends people to the hospital, as long as the individually identifiable health information (IIHI) is not discussed (e.g., it is de-identified)…muffin recipe ingredients, legal or not, are not included in the list of IIHI within the reg…

Wonder what the Texas Medical Practice Act, that is similar to HIPAA…but covers a wider range of businesses, says about this type of situation?  I got frustrated after spending way too much time searching the Texas state site for the text of this law and not being able to find it. 

If you are a CE, this would be a good example to discuss as part of your training and awareness efforts; particularly if you are a healthcare provider; what information would your organization release to the press in a situation such as this?

Technorati Tags







Information Security and Privacy Professionals MUST Work Together to be Successful

Tuesday, May 16th, 2006

Over the past few years, as the position of privacy officer has emerged and evolved, I have discussed the responsibilities and activities of privacy officers and information security officers with many of these professionals at various meetings, conferences and seminars.  Something that has concerned, and continues to concern, me is how these two positions often seem to be at odds with each other. 

Some of the things I have actually heard privacy officers say include the following:

  • "Information security is a necessary evil…you have to include them even if they make things harder than they need to be."
  • "All I need to be concerned with are the privacy laws; I couldn’t give a s**t about firewalls or viruses."
  • "Our CISO seams to speak a different language!  It’s easier to just avoid him than to try and figure out what he’s talking about."

Some of the things I have actually heard information security officers say include the following:

  • "It’s not my job to know the laws.  If I need to know something, Legal will tell me.  Otherwise, I don’t worry about it."
  • "We’ve had a privacy officer for a couple of years, but I’ve never met her."
  • "I don’t worry about the Privacy Rule…I only need to know about the Security Rule."

Yes…I carry an old-fashioned little note pad with me to capture these nuggets…don’t worry, I never write down names…and my handwriting is like a form of cryptography…  ๐Ÿ™‚

Do these comments sound familiar?  It’s very likely there are some major compliance gaps, information security risks and vulnerabilities, and privacy infractions in organizations where CPOs and CISOs do not work together.  They have far too many overlapping issues to address to not work together.

Of course, the fact that most CPOs are at much higher levels within the organization than CISOs creates an environment that does not support collaboration.  However, in the best interests of the company, and of customer and employee privacy, these areas MUST work as a team for their shared goals.  And there are many.

  • CPOs and CISOs BOTH must address how to safeguard personal information in all forms
  • CPOs and CISOs BOTH must ensure that privacy and information security protections are built into all the organization’s applications, systems, and processes
  • CPOs and CISOs BOTH must ensure all personnel and business partners with access to the organization’s information recieve appropriate training and awareness
  • CPOs and CISOs BOTH must ensure all privacy and information security activities support the business, and must make a business case for their requirements
  • CPOs and CISOs BOTH must comply with applicable laws, regulations and contractual requirements
  • CPOs and CISOs BOTH are managing risks related to information
  • CPOs and CISOs BOTH must establish a program that is effective, justifiable, and fits in with the rest of the business frameworks being used
  • CPOs rely upon CISOs to implement the security protections to meet privacy law requirements
  • CISOs rely upon CPOs to help justify the safeguards put in place
  • And many others…

And, in some organizations, the same person, sometimes coming from an IT background and sometimes coming from a legal background, is given responsibilities for both CPO and CISO duties.  Such a role must know the issues involved with both types of practitioners, not just one.

After much discussion and thought with several practitioners about these overlapping responsibilities and the need to harmonize activities throughout the organization to be most successful and provide business with true process improvement, I had the fortune to create a 2-day workshop with Christopher Grillo, Director of Information Security at Medica, who has also put much thought into these issues.  We will next be giving this workshop June 10 – 11 in Scottsdale, AZ.  We have put literally hundreds of hours of time into the tools, frameworks, content and methodologies we will be providing within this workshop.  I’m really excited for this workshop to be offered; so many issues are critical, such as making sure the frameworks used within the business address privacy and security, and that they are understood.  Also the typical hierarchy of the privacy and information security responsibilities within the organizations.  I am confident the concepts, tools, reference materials, and case studies we provide truly will help privacy and information security practitioners more successfully meet their program goals.

Can you tell I am passionate about this topic?  ๐Ÿ™‚

Well, I truly am.  If these are issues you are dealing, struggling, or coping with, I would look forward to seeing you in AZ.

Technorati Tags





NSA…Phone Call Surveillance…Lawsuits…

Monday, May 15th, 2006

Okay…you saw this coming!  "Telecoms face billion dollar wiretap lawsuits: Verizon sued for $50 billion over wiretap program."

Yes, we are a litigious society…the NSA is not immune, is it? 

"The legal experts said consumers could sue the phone service providers under communications privacy legislation that dates back to the 1930s. Relevant laws include the Communications Act, first passed in 1934, and a variety of provisions of the Electronic Communications and Privacy Act, including the Stored Communications Act, passed in 1986."

The USA PATRIOT Act widely increased surveillance capabilities without warrants…it changed at least 35 other laws were changed as a result.  It will be interesting to see if this comes into play for this, and other, lawsuits, and how.

And there are other lawsuits out there…and more coming…

  • Dozens of Lawmakers Back Suit Challenging NSA Program: "As debate renewed over the National Security Agency’s surveillance program, dozens of Democrats in the House of Representatives backed a lawsuit filed in New York that challenges the government’s program of wiretapping without warrants."
  • Hide and go seek: "The nonprofit Electronic Frontier Foundation filed the class action lawsuit in January on behalf of telephone subscribers against AT&T, charging the telecom illegally gave the NSA access to records. Many of the allegations were echoed in the USA Today story last week."

Here’s an interesting discussion of the legalities of the NSA surveillance…

* Online groups reveal details, legalities of NSA surveillance

Technorati Tags






Password and Laptop Loss Statistics for your Awareness Files…

Monday, May 15th, 2006

There were some interesting statistics in a Rediff India Abroad article today, "It takes 14 secs to crack your password."  Several of them good justification for business leaders to invest in more information security and privacy education for their personnel, and to invest in more information security resources and technologies. 

Some of the stats in the article:

  • "Over 60,000 mobile phones, 5,838 pocket PCs and 4,973 laptops were left in licensed taxicabs in London last year."
  • "Up to one in 10 laptops will be stolen during their lifetime."  See www.juststolen.net for more info.
  • "A Symantec report suggests that an ordinary laptop holds content valued at $972,000, and that some could store as much as $8.8 million in commercially-sensitive data and intellectual property."
  • "A Gartner study warns that the Windows password can be cracked in as little as 14 seconds. "
  • "With less than $100, anyone can purchase password-recovery tools on the Internet."
  • "The Symantec research also reveals that only 42 per cent of companies automatically back up employees’ e-mails"
  • "Peter Larsson, CEO of Pointsec Mobile Technologies, says they were able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay, for less than the cost of a McDonald’s meal, all of which had "supposedly" been "wiped-clean" or "re-formatted"."

Technorati Tags





Mother’s Day, Privacy and the NSA

Sunday, May 14th, 2006

Happy Mothers Day!  I enjoyed receiving some wonderful handmade gifts from my two beautiful young sons this morning.  They are the lights of my life.

Many people are calling their mothers today.  Ah, yes…these will be recorded into the largest database in the world…the NSA’s log of virtually all calls made through the U.S.  I thought I’d do a quick check on "mother" and "NSA" and see the various stories related to this…there were several!   Here is a short listing of some that were interesting:

  • In the Quad City Times, by the Washington Post, "Agency blurring lines on privacy":
    • "Colleen Holmes, a stay-at-home mother in Portland, Ore., reported an exchange with a Verizon Wireless customer agent that illustrated not only the dismay some Americans feel about the newly disclosed domestic surveillance but also the fear of terrorism that, for many, more than justifies the program.  Holmes said she was so angry about reports that the government was collecting telephone calling records on millions of Americans that she called Verizon Wireless to explore canceling her service and switching to Qwest.  โ€šร„รบIt’s your constitutional right to voice your opinion,โ€šร„รน she quoted the customer service agent as having told her. โ€šร„รบIf you want planes to fly into your building … โ€šร„รน"

Hmm…interesting customer service!

  • In the Decatur Daily, "Administration whittling away at Fourth Amendment":
    • "The theory of "Six Degrees of Separation" holds that any one person can be connected to any other person on the planet by a chain of acquaintances that has no more than four intermediaries. In other words: Somebody you know is familiar with someone else who knows another person who is acquainted with a fifth person who knows an al-Qaida operative. The goal of the government program is to "connect the dots.""

Yes, the NSA records, in conjunction with all the other gathered metadata, can certainly link basically anyone on the planet to anyone else…potentially providing a justification for anyone’s phone records, and subsequently other personal information, to be monitored or examined?  Are you really calling Mom today…or someone else…?

  • In the Twin Cities Pioneer Press, "Government has your number":
    • "So, when you are talking to your mother today for Mother’s Day, the conversation is safe, if you want to look at it that way.  But we have no privacy."

Well, I’m not that skeptical…not convinced we have NO privacy.  We don’t have privacy with regard to others knowing who we called and when.  However, there are many forms of privacy.  Not everything about each of us is digitally documented…yet…unless your name is Johnny Mnenomic… ๐Ÿ™‚

  • ABC News had some great NSA/Mother’s Day funnies:
    • "Bill Maher: There are more calls made on Mother’s Day than any other day of the year โ€šร„รฎ or as the NSA calls it, "Our busy season.""

Ah, yes…and now…it’s time to go do some laundry…dishes…cleaning…vacuuming…cooking…hey!  Reminds me of a cool tool I found…just in time for Mother’s Day; to those of you who are also mothers, enjoy.  ๐Ÿ™‚

The "Mom Salary Wizard"

Technorati Tags





Still More on Laptop Security & Thefts, Encryption and Training

Saturday, May 13th, 2006

Yes, I’m still on a qwest to learn about laptop thefts, losses, and other related crimes, mistakes, and oopses.  If you would do a study to determine the actual amount of business data and personal information stored

on these meandering data minefields I’m sure it would be mindboggling…

Today the Arizona Republic published a report, "Lost, stolen laptops bring security risks."  Agree…the title tells us nothing new. 

However, there are some interesting statistics within the report; organizations can put these into their info sec file and use them within their awareness efforts.

Some of the nuggets include:

"Last year, 1,970 laptops or laptop-related items were reported as stolen to the Phoenix Police Department, up from 1,667 in 2004. As of April 30, 663 reports of laptop or laptop-related item theft have been filed this year. "

This is just in one city!  I see every day in the police reports from across the U.S. reports of stolen laptops/notebooks/Blackberries/PDAs/etc. 

"Tom Liffiton, a special agent for the FBI who heads a cyber-crime squad in Phoenix, said that while most laptop thefts go unreported to the FBI, "I can tell you I recently talked to a very large bank that said they lose a laptop (to theft) every day." The good news for the bank and those who do their banking there is that, unlike Fidelity, the bank encrypts the information on its laptops."

Kudos to Fidelity for encrypting all data on their laptops!  Yes, another rallying cry of mine…encrypt data on mobile computing devices!  Disk encryption is really easier and more cost efficient than ever before.  Given how many of them are lost and stolen it just makes good business sense. 

"The International Data Corp. reported in 2005 that PC makers predicted laptops will account for more than 40 percent of the PC market in 2006-2007, and expected that figure to pass percent in 2008.  According to FBI reports, more than 97 percent of those laptops are never recovered."

Not surprising.  How many of you have your laptops/notebooks/etc. tagged so that they can be tracked and reclaimed whenever they are recovered by law enforcement authorities?  An untagged device is a prime target for easy resale.  Just look on eBay…as of this moment on 5/13 there are many different types of computers for sale:

Desktop PC Components (3592)
Desktop PCs (3063)
Software (2695)
Laptop Parts & Accessories (2104)
Laptops, Notebooks (1649)
Input Devices (1406)
Vintage Computing Products (522)
Monitors & Projectors (515)
Networking (501)
Apple, Macintosh Computers (404)

How many of these do you suppose were lost or stolen?

"Among the companies that take a serious approach to the matter of laptop security is Intel, where roughly 85 percent of employees use company laptops. All employees are required to participate in a security awareness class, which Intel updates every year."

Training is also of great importance for any security effort.  Wonder if Intel also requires all data on the laptops to be encrypted?

Also, remember encrypting data on laptops, and providing training and awareness, all contribute to compliance with numerous regulations.

Technorati Tags







Hackers Take Medical Records, SSNs and Other Personal Information From the Athen Ohio University health center…For the 3rd Time: HIPAA Violations?

Friday, May 12th, 2006

Today the Columbus Dispatch reported that hackers had broken in the Ohio University health center for the third time during the past 3 weeks.  Some of the people whose information was taken have already noticed their information being used fraudulently.  The potential exists for the information to continue to be used in the coming months…if it hasn’t been misused yet, it certainly is no assurance that it will not be misused.

The Department of Health and Human Services indicated they are going to investigate to see if HIPAA requirements have been violated.

Appears there have been some sanctions applied as a result…

"Three OU officials have been placed on paid administrative leave to help ensure a "full and fair" audit, OU spokesman Jack Jeffery said. The action is not disciplinary, and the employees are not suspected of wrongdoing, he said.  Duane Starkey, director of computer services; John Beam, assistant director of computer services; and Steve Ray, server administrator, were suspended Friday."

Technorati Tags





Proposed California Law Would Require Consumer Warnings & Info About How to Protect Personal Info for Wi-Fi

Thursday, May 11th, 2006

There was an interesting report in California today about a proposed bill, AB 2415, that would, generally, require manufacturers and retailers of computers with wi-fi to include warnings within the OS, as well as, by default, turn off file-sharing.

Of course there are new bills proposed all the time…and many of them do not make it into law.  However, I find this one interesting because it is so narrowly focused to wireless security.  There are so many other risks that exist with computers, how long will it be until these are legislated also?  Will there be a law that requires all personal information to be encrypted at rest (in storage) and in motion (while in transit)?  Will the use of malicious code previous become legislated?  These issues are covered, at least through implications that require security to be implemented based upon the results of risk assessments, along with many others, in such laws as HIPAA and GLBA and even through the interpretations of the FTC Act.  However, this bill is different in that it is forcing computer manufacturers and retailers to, in effect, implement a customer awareness/protection program for each computer sold.

Even though this is a California bill, if enacted, it would impact basically all computer manufacturers to implement the consumer warnings and reset defaults within the computer software by stating, "This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode."  I can’t think of any computer manufacturer who would not sell to California just because of this.

It’s curious why the bill was amended by striking "wireless technology" and replacing it with "network security" when it is specific to wi-fi security.

I think it is good to legally require businesses to protect information and implement security, but when it starts getting so narrowly scoped and technology specific there can be other more significant risks being overlooked (such as buggy, inadequately secured application code) in an effort to address only those very specific legal technical requirements.

The specific amended bill, with the stricken passages omitted, follows:

"   AB 2415, as amended, Nunez   Network security.
   Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software. 
   
   This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security
factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode. The bill would also provide that if any part of these provisions or their applications are held invalid, the invalidity would not affect other provisions.
   Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1.    The Legislature finds and declares the following: 
   (a) With the increasing use of wireless technology, consumers are unknowingly allowing their personal information to be accessed by unauthorized users who piggyback onto their network connection.

   (b) Piggybacking occurs when an unauthorized user taps into a consumer’s network connection. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where WiFi radio waves can easily emit through walls, floors, and ceilings. 
   (c) Since there is no gauge that shows how many people are using a particular connection, it is impossible to determine when someone has tapped into a consumer’s network connection.   
   (d) In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet.  Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year. 
   (e) In April 2004, Humphrey Cheung, the editor of a technology Web site, flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The laptops logged more than 4,500 wireless networks, only 30 percent of which were encrypted to lock out unauthorized users. 
   (f) In June 2002, there was only one major carrier that offered "hot spot" access. Recently, however, several other large carriers have announced plans to enter the market by the end of the year. Few people realize that hackers can take advantage of these wireless "hot spots" by redirecting E-mail traffic from its intended path to the hacker’s computer, thereby obtaining personal information without the consumer being aware of the hacker’s presence. 
   (g) There is disagreement as to whether it is legal for someone to use another person’s WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Section 502 of the Penal Code prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), which also prohibit the intentional access of a computer without authorization.
SEC. 2.   Chapter 34 (commencing with Section 22948.5) is added to Division 8 of the Business and Professions Code, to read:      
CHAPTER 34.   NETWORK SECURITY

   22948.5.  For purposes of this  chapter, "computer"  means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device. 
   22948.6.  A person or entity that manufactures or sells a device in this state that enables connection to a network shall include in its software a warning that comes up on the computer screen if the consumer chooses to set up his or her device without a password and other security protections. The warning should advise the consumer how to protect his or her personal information. These instructions may also be available in the product manual. 
   22948.7.  A person or entity that manufactures or sells a computer in this state may only distribute or sell the computer with the computer’s file-sharing feature in off mode.
   22948.8.   The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application."

Technorati Tags





The Scorpio Sting: Telemarketer Uses Do-Not-Call List As a Marketing Tool…And the FTC Nails Him

Tuesday, May 9th, 2006

The FTC posted an interesting news release yesterday, "FTC Moves to Stop Telemarketer Using Phony Caller ID". 

It seems that a telemarketer, Scorpio Systems, Ltd., decided that the National Do Not Call Registry is a great source of marketing information!  When calling the people on the Do Not Call list, Scorpio fixed it so that his own number would not be identified by those answering the phone.  Oh, and to top it off, Scorpio did not pay to access the Registry, as is required. 

So…how did Scorpio get into the Registry if no payment was made?  Was there a breach?  Did Scorpio buy the list from another business that did pay?  Hmm…

Technorati Tags