Archive for the ‘Uncategorized’ Category

P2P Security Study Released

Monday, April 28th, 2008

The results of an interesting study, “The Ignored Crisis in Data Security: P2P File Sharing,” performed by the Ponemon Institute and sponsored by Tiversa, were released on April 21.
Here are a few interesting tidbits from the report…


Insider Threat, the Value of Computer Logs & the Need for Consistent Policy Enforcement

Monday, December 3rd, 2007

In recent years many organizations have implemented computer logging on their networks to comply with multiple laws. However, here’s a perfect example of the value of computer logs beyond mere compliance: using them for one of the things they were meant to do…catch inappropriate activity and provide evidence that a specific person did something inappropriate or outright wrong.
A current news story documents how computer logs will likely cost a cop his pension and could point to evidence for his missing wife.



Butter Cows and Butter Superman

Thursday, August 3rd, 2006

Okay…this has absolutely nothing to do with information security or privacy or compliance (at least as far as I can tell), but I thought it was pretty cool that CNN actually did a story about the butter sculptures (sorry, but there is a short commercial first in this link that I couldn’t figure out how to get rid of…you can find it on the CNN site in their recent video clips) done yearly here at the Iowa State Fair (I live "just a ways outside of Des Moines").

If you ever get the chance to visit the Iowa State Fair you will have a <bleepity bleep> great time!  🙂  It truly is a way to get away from all your work stuff, mind, body and soul, and just have fun for a while.  But, know that there is *SO* much more than butter here!  I can’t do it justice by trying to explain…it has to be experienced…

BTW, the butter Superman is being done because he (Brandon Routh in this summer’s Superman Returns movie), was born and raised in the Des Moines area.

Viva la Iowa! 

Okay…back to work stuff…

🙂


Penn State Creates the Privacy-preserving Access Control Toolkit (PACT) That Utilizes Encryption For Database Access Control

Monday, May 1st, 2006

An interesting but short story was just published by the Malaysia Sun, and some other worldwide publications, "Penn State develops security software."  My interest piqued, I looked on the Penn State site, and yes, there was more information released about it there today.

"University Park, Pa. — Penn State researchers have developed software that allows databases to "talk to each other" automatically without compromising the security of the data and metadata because the queries, data communicated and other information are encrypted.  The Privacy-preserving Access Control Toolkit (PACT) acts like a filter but is resilient to eavesdropping or other attacks because of the encryption.  "The software automatically regulates access to data, so some information can be exchanged while other data remains confidential and private," said Prasenjit Mitra, assistant professor of information sciences and technology and member of the research team that developed the software. "Often when we implement security, we decide not to give access to data. This tool preserves security while allowing permitted access."

Organizations like government agencies, non-profits and corporations frequently need to access data belonging to other organizations. But sharing data is difficult because databases are typically constructed using different terms or vocabularies.  Consequently, in order to share data, organizations have to develop special-purpose applications. But organizations also need to protect sources, intellectual property and competitive advantages, so the applications must address security.  In addition to being time consuming to develop, such applications are expensive as they have limited use.  Unlike those special-purpose applications, PACT is more generic. That means it can be applied to a wide range of scenarios, Mitra said. It addresses security concerns through encryption and access control.

PACT is described in a paper, "Privacy-preserving Semantic Interoperation and Access Control of Heterogeneous Databases," given at ACM’s recent Symposium on Information, Communication and Computer Security in Taiwan. The authors include Mitra, a faculty member in the Penn State College of Information Sciences and Technology (IST); Chi-Chun Pan, a graduate student in Penn State’s industrial and manufacturing engineering department; Peng Liu, assistant professor, Penn State’s IST; and Vijay Atluri, associate professor, Rutgers University.

According to the researchers, PACT is the first software to provide a framework that protects metadata while enabling "semantic interoperation" or sharing of information. Additionally, results from the researchers’ experiments demonstrate that PACT can easily be extended to large database systems in practical applications, Mitra said.  Future research involving PACT will focus on performance enhancements for query processing and development of a new rule language for improving interoperability, Mitra said."

Wow…sounds interesting and very promising! 

So…now…to find the paper… 

Yes!  Here it is, "Privacy-preserving Semantic Interoperation and Access Control of Heterogeneous Databases."  Quite interesting indeed!


Health Information On Computer Stolen From Vancouver Office

Sunday, April 16th, 2006

Today The Chilliwack Progress reported that a computer disk containing confidential information about Vancouver’s Fraser Health Authority (FHA) employees and their participation in counseling services was stolen in March along with the computer it was in from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.

"Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer.  The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.  The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems.  The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas – among other issues.  "People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees’ Union spokesman Mike Old. "The theft of that information is of great concern to the union and its members."  Fraser Health Authority spokesman Paul Harris said the authority doesn’t know how many of its employees are affected.  "Because it’s a confidential service we have no idea who has used it," he said.  Old said the HEU is troubled that health authority employees weren’t notified of the theft until April 6 – 10 days after it happened.  The notification from EFAP indicated the data had some degree of encryption and might not be readily viewable.  "We have no reason to believe that the individual who stole the equipment is even aware or has any plans to use the information," it says.  EFAP says it is reviewing its security measures.  B.C.’s Information and Privacy Commissioner is investigating the theft and monitoring the response."

I wonder what "some degree of encryption" means?  Since it then goes on to say "and might not be readily viewable" I wonder if this really means the data was scrambled if viewed as a raw data file, but actually viewable through the software it is used with?

It will be interesting to see what actions the British Columbia Information and Privacy Commissioner takes.  Would this be a possible violation of PIPEDA?


Huge Police Oops in Australia

Wednesday, April 5th, 2006

A database with around 800 people’s email addresses and corresponding passwords was accidentally posted to the Internet in Australia by the NSW police.  Besides demonstrating how one individual’s actions can undermine information security, the passwords themselves show that more education is needed to help people choose strong passwords…even if the password file had not been posted, it’s likely many of these could have easily been discovered with a password cracker, or guessed by someone who knows the corresponding people.  And…why weren’t the passwords encrypted in storage…?
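As an added illustration of that last point (example code, not from the original post), here is how such a file should have been stored: each password replaced by a salted, iterated one-way hash, so a leaked copy reveals nothing directly usable, with a strength check applied at the moment a user sets the password, before it is hashed. The records and the common-password list are constructed samples, not data from the incident.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample records (hypothetical addresses, not data from the incident).
PLAINTEXT_RECORDS = {
    "alice@example.invalid": "password1",
    "bob@example.invalid": "Tr0ub4dor&3-long-enough",
}

ITERATIONS = 200_000
# Tiny constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def is_weak(password: str) -> bool:
    """Minimal policy: too short, or on the common-password list.
    Run this when the user sets the password, before hashing; it needs the plaintext."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a per-user random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_credential_store(records: dict) -> dict:
    """What the leaked file should have contained: addresses paired with hashes, never passwords."""
    return {email: hash_password(pw) for email, pw in records.items()}


def audit_weak(records: dict) -> list:
    """Addresses whose chosen password fails the policy (for training follow-up)."""
    return sorted(email for email, pw in records.items() if is_weak(pw))


if __name__ == "__main__":
    store = build_credential_store(PLAINTEXT_RECORDS)
    for email, entry in store.items():
        print(email, entry[:40] + "...")
    print("weak choices:", audit_weak(PLAINTEXT_RECORDS))
```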


Another Email Oops…

Sunday, April 2nd, 2006

Last Thursday it was reported that the Social Security numbers of the 1,250 teachers and school administrators in the Connecticut Technical High School System were mistakenly sent via e-mail to staff.

"The e-mail was sent to the system’s 17 principals…to inform them about a coming workshop.  The file with the Social Security numbers was attached to the e-mail by mistake".

"At least one principal…then forwarded the e-mail to 77 staff members without opening the attachment containing the Social Security numbers."

A few important lessons here…

  • Humans are the weakest link in the information security chain…train them well…often…and in many ways.  Mistakes will still happen, but individuals will be more alert with good education by your organization.
  • You may be tired of hearing me beat the encryption drum…but the beat goes on…if the file had been strongly encrypted, the data would have been unreadable by the recipients (at least those without the decryption key…which you would hope would be virtually all of them), making this a non-incident.  Encrypt confidential data not only in motion, but also at rest.
  • Confidential data in unstructured forms is highly vulnerable to being compromised.
  • Once you send an email, you might as well consider it has been sent out into the wild…depending upon the email system and features used, you typically have no control over where the email is forwarded to; in this instance at least 94 people now have the SSNs of 1,250 people…and if any of them have also forwarded the email…the possibilities are exponential.


Georgia on my Security Mind…

Saturday, April 1st, 2006

Another incident with hacking in Georgia…this time at Shorter College.  It would be a good exercise to look at the reasons why universities seem to be more susceptible to computer incidents, and think about how to address those vulnerabilities.  Of course their environment is typically much more open than other types of organizations…but would still be a good exercise…


Vendor or GTA Responsibility?

Friday, March 31st, 2006

Yesterday Computerworld reported of a breach that occurred at the Georgia Technology Authority (GTA) as a result of "An unpatched flaw in a “widely used security program.”" 

Some interesting tidbits from the article:

  • "involved a hacker who used “sophisticated hacking tools” to break through several layers of security after accessing the server hosting the database via the software flaw"

Well, most of the widely available hacking tools are pretty sophisticated…and really require very little sophisticated knowledge on the part of the hacker using them to exploit vulnerabilities…allowing basically anyone to use them.  And, what is really meant by "several layers of security"?  Several different security products?  Or, just different features of this one "security program"? 

The vendor was not named, but the article reported the vendor had already "publicly disclosed" the vulnerability.  So, perhaps looking at CERT we can narrow it down?  The intrusion occurred "sometime between Feb. 21 and Feb. 23."  Look at the CERT vulnerability notes by date published…and the CERT technical security alerts…and the CERT technical security bulletins…hmm…definitely multiple possibilities through the bulletins…

  • "The breached server contained information on a total of eight pension plans administered by the state. The core database itself was managed by the state Employees Retirement System, though the server it was hosted on was administered by the GTA. At this point, there is no evidence that confidential information, including names, Social Security numbers and bank-account details, have been misused, Goldberg said.  Even so, the GTA is sending out letters to 180,000 affected employees for whom it has contact information, she said. The state does not have current addresses for the remaining 373,000 individuals affected and is relying on media reports and its own outreach efforts to inform them of the potential compromise of data, Goldberg said."

Well, as with past incident reports, indicating there is "no evidence" of information misuse is really not reassuring…there are virtually an infinite number of ways in which the data can be misused…most of those ways would not produce evidence…at least not right away…

Odd that the state could not find addresses on 373,000 individuals given they have their "names, Social Security numbers and bank-account details."

So…the debate continues…who is at most fault here…the security software vendor or the GTA…or both equally?  Did the vendor have good procedures in place to incorporate security into their entire SDLC…and thoroughly test before production release…their un-secure security software?  Did GTA not get the patch applied quickly enough…or did they have inadequate patch procedures?

  • "This is the second major breach involving the GTA in the past year. In April 2005, the GTA disclosed that a state employee had downloaded confidential information belonging to more than 450,000 members of the state’s health benefit plan onto a home computer."

Well…this is certainly another type of security issue altogether, but also one that is reported more and more.

  • "Since that breach, the GTA has implemented several measures to tighten security, including stricter password controls, more timely reviews of logs and alerts, more extensive employee background checks and stricter control of access confidential data, according to the GTA’s Web site."
  • Interesting, "more timely reviews of logs and alerts"

Just a few of many lessons that can be learned (again)…

  • Security product vendors need to be held to a higher standard to properly and thoroughly test their software before releasing it.  Things will still get overlooked, but hopefully many fewer.
  • Organizations should not rely upon only one security product…they should use layers of security from various vendors.
  • Organizations need to establish formally documented patch procedures and consistently follow them to ensure the most timely application possible based upon the vulnerability and the potential business impact.
  • Limit access to confidential information to only that necessary for specific groups/roles to perform job responsibilities.
  • Don’t allow entire databases of confidential information to be downloaded to mobile computing devices or employee-owned computers.  If for some reason this is necessary, strongly encrypt it.
  • Educate your personnel, on an ongoing basis and in a number of ways, about how they need to protect confidential data while they are performing their job responsibilities.
  • And so much more…
