Archive for May, 2008

In follow-up to the previous post regarding the missing laptops at the US Department of State, those laptops have now been found.

As many as 400 laptops were unaccounted for during the early stages of a recent audit. The laptops, which were destined for foreign police services, were located after a management count issue. The missing laptops were being held in storage before going overseas.

Thankfully, the US Department of State has avoided a massive fallout from the issue. However, it still points to a flawed asset management system, as the laptops went missing in the first place.

“I would expect many of the laptops to be ‘found’ in the sense that they may not have actually left a State Department facility,” the official said, “But if they don’t know where they are, that is bad management, and they may as well have disappeared,”

Asset tracking software, such as that provided by Absolute Software its Computrace products, could have avoided this entire situation.

The full audit has not been released by the Inspector General as to the state of laptop security in all its aspects at the US Department of State. The investigation is still ongoing.

Via CNet, CQ Politics ; Image: anendel @ morguefile ; Tags: state department, us department of state, laptop security, asset management, it security, laptop tracking

The Genetic Information Nondiscrimination Act of 2008 (HR 493), recently passed by Congress, has inadvertently legalized the sharing of genetic information without patient consent.

Sue Blevins, President of the Institute for Health Freedom, notes that the new bill applies the Health Insurance Portability and Accountability Act (HIPAA) regulations to genetic data. HIPAA regulations permit data sharing without consent with in connection with treatment, payment, or oversight of health-care operations.

The intent of the HIPAA regulations is to protect medical records in the digital age, but many HIPAA critics argue that it opens up privacy issues as a result of the routine sharing of personal health information. Regardless of the validity of this argument, qualifying genetic test results as health information can be problematic. Genetic information can be used to determine rates for health plans, and as the new bill provides this data to health care companies, it could be cause for discrimination.

This is a controversial topic, to say the least. HIPAA has its critics, though its intentions are great. Health information, in and of itself, is controversial, and in particular genetic information is about as personal as information gets. Some advocates are fighting for personal ownership of genetic information, in order to avoid genetic privacy issues such as those presented here.

Via FOX Business ; Image: clarita @ morguefile Tags: genetic, genetic privacy, genes, genetic testing, privacy, health privacy, health information, genetic information

Kudos to the writer over at Chronicles of Dissent for connecting the dots between two data breaches related to the loss of a single laptop.

The two data breaches were reported separately – one by SavaSeniorCare Administrative Services and one by Mariner Health Care. Both reported that employee 401k data was compromised from a computer stolen from Windham Brannon, P.C., a firm that provides audit services.

The single computer apparently held data for both companies, affecting exactly 2199 Maryland residents for both breaches. Kind of an odd figure to have in common, questioning the accuracy of the data reported.

The computer, which was stolen on December 31, 2007 and recovered on January 7, 2008, had been reformatted a few hours after it was stolen and consultants were unable to determine if files had been accessed before they were destroyed. The details about it all are a little fuzzy, however. It is not clear how many “other clients” were affected, as mentioned in the report.

You can read about the breaches here and here [PDF].

Tags: data breach, data breaches, id theft, breach, breaches, breach notification

The black market for data is much more sophisticated than most people realize. It’s not a “one price fits all” scenario. There are price points, just like in any advanced market. And, just like the same markets, there are services provided to prospective customers.

Francois Paget of McAfee’s Avert Labs blog has shared a discovery about the prices going on different “quality” levels of data on the black market.

Avert Labs has discovered a “price list” for everything from credit card numbers to bank account logins and other personal data that is sold in the underground economy. A tip led them to a website that was auctioning off data, including bank logons and credit card information, with prices such as:

• Washington Mutual (US), balance $14,400 (sell price 600 euros/$924)
• Citibank (UK), balance 10,044 pounds/$19,626 (sell price 850 euros/$1,310)

If you buy a bank account login, and the data owner has cancelled the account within 24 hours, they’ll even give you a replacement stolen account.

So, the black market is an organized system with value for quality, and even customer service. The same website sold information in “bundle prices” and offers free data only a daily basis, as “goodies” to entice their sale.

Visit the Avert Labs site for more information and screen shots of the system in question.

Via CNet Tags: black market, data, data resale, underground economy, data breach, personal data, data resale, identity theft, fraud

I love audits, don’t you? What an eye opener they can be. Like, when an audit exposes that the U.S. Department of State has hundreds of employee laptops unaccounted for. The U.S. Department of State. No sensitive data there. Just all US foreign relations.

According to officials, as many as 400 of the unaccounted for laptops belong to the Anti-Terrorism Assistance Program, administered by the Bureau of Diplomatic Security (DS), that provides counter-terrorism training and equipment (including laptops) to foreign police, intelligence and security forces. The DS is responsible for securing the US Department of State computer networks and equipment, in addition to protecting foreign diplomats when visiting the US.

So, it would seem there is a flaw in the DS security policy regarding laptops. Currently, DS officials are going around the Washington-area offices to register employee laptops. The laptops are not officially lost until the current searches are completed.

The Inspector General’s audit is still ongoing, but it is clear from this early news that the State Department does not have good records of its inventory.

So, do you consider this to be a data breach at this stage? Or, is it a data breach only when the laptops are officially considered lost?

Via CQ Politics ; Image: click @ morguefile Tags: department of state, us department of state, missing laptops, laptop security, laptop management, it security, government security, terrorism, breach, data breach

Absolute Software has been named a finalist for “Company of the Year” in the 2008 Technology Impact Awards.

The TIAs celebrate innovation and high-tech excellence within British Columbia, as hosted by the British Columbia Technology Industry Association (BCTIA). Awards are given in three groups: technology, company and personal recognition.

The three finalists for Company of the Year are:

• Absolute Software
• Gemcom Software
• Sierra Wireless

Congratulations to all the finalists for highlighting excellence in the BC technology sector!

The winners of the TIAs will be announced at an awards ceremony here in Vancouver on June 12th.

Tags: absolute software, tia, bctia, awards, company of the year, nomination, finalist, tias, bctia awards

Hardware Logic has done a very in-depth review of Computrace LoJack for Laptops, the consumer laptop security software offered by Absolute Software.

The review looked at the performance of an HP Pavillion laptop before, and then after, install of LoJack. They compared startup, shutdown, use of computer while gaming, and much more. The conclusion: LoJack has no discernible impact on system performance. Hardware Logic gives LoJack a stamp of approval and a strong recommendation for any laptop owner:

“It won’t prevent your laptop from theft, but it will do everything it can to get it back. From IP tracking to assisting local authorities with obtaining a search warrant, having LoJack on your side gives you a serious advantage over any unsuspecting crook. High tech thieves will find themselves at a disadvantage too, as LoJack is nearly undetectable and virtually impervious to most attempts at thwarting the software.”

LoJack for Laptops is considered by Hardware Logic as a “no-brainer” ending the review with “can you afford not to have LoJack on your side?”

A very good question indeed. You can learn more about LoJack for Laptops here, or alternatively corporate customers can upgrade to the compliance-level Computrace suite.

Tags: absolute software, lojack, lojack for laptops, computrace, computrace software, absolute software review, lojack for laptops review, computrace review, laptop security, laptop theft prevention

CSO Online’s Michael Overly has a good article about businesses trusting their sensitive information to consultants, and what best practices to follow. The first guideline: do not let your consultant store any of the information on a laptop.

There are practical considerations that make it difficult to ban the use of laptops in all situations. Consultants may need to move from site to site easily, with constant access to the data. One solution is to provide laptops to the consultant yourself – that way you can be satisfied with the security systems in place. When that is cost prohibitive, here are some suggestions offered for a laptop security policy to enforce with contractors:

• WiFi access should be limited to approved secured means, and used only when necessary
• Hard disk must be encrypted
• All ports on laptops to be disabled
• Strong authentication required (e.g. biometric)
• Security software installed and kept up-to-date
• Secure and irreversible erasure of data to be enforced at end of data-use period
• Tracking software with remote data delete should be used (like Absolute Software’s Computrace products)
• Breach notification protocols should be in place in the event that the laptop goes missing

You can read more suggestions here.

Tags: breach, data breach, security, data security, laptop security, it security, business security, contractors, security policy

Bankrate’s recent poll about the consumer knowledge of identity theft indicates that 80% of Americans are worried about identity theft.

Gfk Roper America conducted a random survey of American households, compiling results from 1006 adults (524 women, 482 men). According to the survey, respondents who know someone who has been a victim of identity theft (34% of the respondents) are more likely to fear becoming victims of identity theft themselves.

Respondents who are concerned about identity theft are more likely to be taking steps to prevent it. These steps include shredding documents and monitoring credit reports.

Surprisingly, 35% of people who are concerned about identity theft have taken no steps to avoid identity theft. This number shows a great deal more avoidance of the issue than I expected. Indeed, for people not concerned about identity theft, only 19% haven’t made any changes to avoid identity theft. So, the data is indicating that although some people concerned with identity theft go above and beyond to protect themselves, in some cases the knowledge of identity theft leads to an increase in the "head in the sand" approach.

In terms of defining which avenue of identity theft most scares the respondents, information obtained over the web (45%) and information obtained from a business (25%) dominated the results. The data indicates a strong fear of e-commerce as leading to identity theft, which is largely unsupported by the data breaches happening today.

"Consumers tend to blame security breaches and incidents on the ‘Internet’ and they are more likely to change their online behavior than their behavior in the physical world as a result. This reaction is not based on the facts. The fact is that the large security breaches are happening at brick-and-mortar companies like TJX and Hannaford." – Avivah Litan, VP and Analyst, Gartner

Identity theft is misunderstood by consumers - both how it happens and what the consequences are. Much more consumer education is needed, in addition to safeguards that service providers can put in place to proactively protect consumers.

Via I’ve Been Mugged Tags: identity theft, id theft, id theft prevention, theft prevention, breach, security, online security, internet security, data security