Archive for August, 2008

Insider Threat Examples: HIPAA Violations Go UnPenalized In Iowa

Sunday, August 17th, 2008

When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was incredibly embarrassed and humiliated after all the intimate details about an operation she had on her uterus, including her full name, that were in her doctor’s files were apparently published in marketing material…

(more…)

Is Your Accountant Sending Your Information Offshore?

Friday, August 15th, 2008

Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…

(more…)

An Example of Google’s Street View Crossing The Privacy Line…?

Thursday, August 14th, 2008

Recently I wrote about the privacy implications of Google Street View after communicating with John Grogan (from Popular Science and Computer World) about this topic; see here and here.
Today I saw an ABC news video…

(more…)

How Do You Use Social Security Numbers?

Wednesday, August 13th, 2008

Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”

(more…)

What Happens On The Internet Stays On The Internet…No Matter What A Judge Says!

Tuesday, August 12th, 2008

For those of you who weren’t aware, this past weekend the long-running Defcon convention (historically started with only “hard core” hackers in attendance, but now huge numbers of information security pros and law enforcement attend) was held in Las Vegas.
Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to talk about “Anatomy of a Subway Hack,” detailing a school project they did, and received an “A” on, that showed how the Massachusetts Bay Transportation Authority (MBTA) cards could be hacked to basically change a $1.25 MBTA fare card to a $100 fare card.
Well, the MBTA got wind of this…actually the MIT students contacted them in July to tell them about this security flaw, as well as let them know they were giving a presentation about it…and filed an injunction last Friday to keep the MIT students from giving their presentation on Sunday.
But guess what? Yep…I bet you can see this coming…

(more…)

Missouri Dept of Revenue Sued (Under DPPA) For Releasing PII That Was Posted for Sale on the Internet

Monday, August 11th, 2008

It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vast amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have full rein to get access to PII, states started enacting drivers protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA), was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…

(more…)

Social Engineering Suckers Security Sages

Friday, August 8th, 2008

Yesterday at Black Hat a couple of the presenters, Shawn Moyer and Nathan Hamiel, reportedly discussed their experiment that revealed how easily they got some prominent Chief Information Security Officers (CISOs) to fall for a social engineering scam played out using social networking sites.
Here’s a short excerpt…

(more…)

Social Engineering, Ethics, and Why You Should Never Put Anything Online That You Don’t Want Others To See

Thursday, August 7th, 2008

Okay, now here’s an example of how people will take information you’ve given them, under false pretenses, just because they can, and post it for the world to see, with no regrets about how it hurts other people.

(more…)

40+ Million Credit Cards Stolen Using Wardriving…This Is Nothing New, Folks!

Wednesday, August 6th, 2008

Okay, lots and LOTS has already been written about the DoJ press release yesterday, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers: More Than 40 Million Credit and Debit Card Numbers Stolen.”
But, I still want to put a few thoughts out about this…

(more…)