Archive for March, 2009

Thieves Lie – Computrace Doesn’t

Tuesday, March 31st, 2009

A laptop equipped with Computrace began calling into the Absolute Monitoring Center just one day after it was stolen from a school computer lab. The Absolute Theft Recovery Team was then able to extract information on the laptop’s unauthorized user – enough details for police to identify a residence and visit the user’s home. Let the lies begin.

When police first visited the residence, the user’s roommate denied that the user lived there. Nope. The officer called the residence the next day and was able to speak to the user directly. She reluctantly agreed to meet up with the officer, after he expressed the serious nature of the call.

The two met, and when the officer first asked the user how she obtained the laptop, she claimed to have purchased it from a friend five years ago. Wrong. The laptop had been stolen from the school just weeks prior and was not even five years old.

When the officer questioned this initial story, the user suddenly became fuzzy on the details. Maybe she had purchased the laptop from the friend just a year and a half prior? No – that story didn’t work either. The school was still in possession of the laptop at that time. Try again.

Her story slowly adjusted, with several more stabs at an appropriate purchase time. Eventually, after several failed attempts, the user reached a more probable explanation. Despite the transaction seeming suspicious, she had traded some of her jewelry for the stolen laptop. Bingo - that’s the one.

Police continue to work with the user to identify the thief who passed it on. The laptop has been returned to the school and charges are pending.

Learn more about the Absolute Theft Recovery process

Please note that indictments and criminal complaints are merely unproven accusations and the accused, in all cases, are presumed innocent until proven guilty.

Protect your Online Identity

Tuesday, March 31st, 2009

I’m sure this is something we’re going to be hearing more about in the next few years: online identity security (for lack of a better description). This refers to someone pretending to be you online – whether it is someone setting up fake Facebook accounts in your name or hitting up Twitter pretending to be you. It happens all the time – sure, more to celebrities than to us “regular” folks (check out how many Britney Spears’ there are on Twitter), but that’s bound to change.

Though these posers are not taking money out of your pocket, they are damaging your reputation, which can be just as costly. Not only are they saying things which could be untrue, they could also use your profile to distribute worms or other malware. Who wants that associated with their name?

In order to ensure you can keep yourself safe online, there are a few things you can do:

  1. Claim your name – sign up for each social network as it comes out, even if you don’t plan on using it.
  2. Monitor for your name – search Google or set up an RSS feed for mentions of your name. You may spot if someone is pretending to be you.
  3. Don’t be hasty - if someone has your name, make sure it’s an imposter and not a coincidence.
  4. Act wisely - if you spot an imposter, contact customer service to take down the fraudulent profile. Never contact the imposter; that will egg them on.
  5. Restrict access – make it harder for people to find your info. Set your Facebook profile to private and don’t allow apps full access to your profile.
  6. Type URLs - if you want to sign up for a new service, learn about it first, and then type that URL into your browser. Don’t follow links from emails, as that could be a phishing scam.
  7. Be wary of new profiles - be wary of newly-set-up profiles of people trying to “friend” you. Many profiles are being created in order to distribute worms. Wait until you’re sure the profile belongs to who you think it does.
  8. Don’t forget about ID Theft - keep your private information secure too! Don’t give people an easy way to commit identity theft or credit card fraud. This is a whole other topic, but worth re-mentioning here.

Via pcmag, RWW

Over 1M Students Enrolled in K-12 Online Courses

Monday, March 30th, 2009

Edweek.org has released their newest annual report, Technology Counts 2009: Breaking Away from Tradition, which looks at e-education and opportunities for raising achievement at the K-12 level.

The report indicates that online education is being used not just for advanced students but for struggling students too. On another positive note, the report found that school districts and teachers who previously felt threatened by online education are now embracing the new technologies and ways to hybridize the learning process.

Referencing a report from Sloan-C about K-12 Online Learning, it was shown that the number of K-12 students engaged in online courses in 2007-2008 was up 47% to over 1 million students.

The edweek.org report looks at the changing education environment and key findings from the 2009 State Technology Reports, and analyses state-by-state grades and other state data, including use of technology and data access. Read more here.

Don’t Ignore Physical Data Management

Friday, March 27th, 2009

Normally we hear about the massive data breaches that happen due to some loss of electronic data – whether from a lost data storage device or laptop, or from hacking. However, we can’t forget that paper records are at risk of data breaches too. This week there were 4 reports of data breaches that were the result of incidents with paper.

  1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
  2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A doctor has admitted to his mistake in improperly disposing of the files. [read more]
  3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
  4. A Dallas man found a box of medical records, including Social Security Numbers, in the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net; image: clarita @morguefile

Free FTC Credit Reports

Thursday, March 26th, 2009

I know you’ve seen the advertisements for “FreeCreditReport.com,” the catchy commercials prompting people to avoid being victims of identity theft by monitoring their credit reports. The catch: that site wasn’t free; the credit report came free in exchange for a monthly credit-monitoring cost from Experian. According to the Fair Credit Reporting Act, all the consumer reporting companies (Equifax, Experian, TransUnion) are required to provide you a free credit report upon request every year. As the FTC notes:

The Federal Trade Commission has received complaints from consumers who thought they were ordering their free annual credit report, but instead paid hidden fees or agreed to unwanted services. Don’t be fooled by TV ads, email offers, or online search results. Go to the authorized source when you request your free report.

Well, the Federal Trade Commission (FTC) decided to start up their own service, a free one, no catches. Their website? AnnualCreditReport.com. Yeah, if that’s not enough, their ads also parody the Experian ones.

Here’s the same FreeCreditReport.com ad overlaid with warnings to be aware of deals like these:

Checking your credit once per year gives you an opportunity to make sure the information is accurate and up-to-date. Not only that, it helps you spot identity theft. Because your credit is used to evaluate insurance, employment and more, it’s an important step to take in safeguarding your identity.

Via dunning letter, philly.com

Absolute Makes Explosive Recovery

Thursday, March 26th, 2009

A Computrace customer contacted Absolute to report a laptop theft, after a former employee who had left his company several months prior failed to return the leased machine. Upon receiving the customer’s report, the Absolute Recovery Team deployed a series of forensic tools to extract information on the laptop’s user and location.

Absolute was quick to discover that the ex-employee was still the laptop’s primary user, although his use of the machine was anything but professional. Further examination revealed that the user was conducting extensive online research to determine how homemade explosive devices are made. This information was passed on to authorities, who executed a search warrant on the former employee’s residence.

Police recovered the laptop from the residence, and further uncovered an expanse of improvised explosives. The bomb squad was called to the scene to ensure the safe disposal of the various dangerous devices. Charges will be laid.

Learn more about the Absolute Theft Recovery process

Please note that indictments and criminal complaints are merely unproven accusations and the accused, in all cases, are presumed innocent until proven guilty.

Absolute Customer Center: New Features, 10 Languages

Wednesday, March 25th, 2009

Absolute Software announced a whole series of improvements to the Absolute Customer Center, which is the web-based console that enables customers to secure and manage their computers, whether this be tracking their locations or reporting devices as missing.

The Absolute Care Center, which caters to corporate Computrace customers, is now available in 10 languages, 11 if you want to be smart and count U.S. English as different than U.K. English. ;)

In addition to the language support, which expands our capabilities within the EMEA, South American and Asia-Pacific markets, you can now access enhanced security, management and usability features as part of the Customer Center. Some of the new features include:

  • Additional security features available with Intel Anti-Theft Technology-enabled computers (ability to unlock missing computers that are subsequently found)
  • Support for Safari & Firefox browsers, in addition to Internet Explorer
  • Quicker access to IT asset information with a cleaner, streamlined user experience
  • Ability to export the most up-to-date and accurate inventory and computer population information to other systems via XML, as well as CSV

With these changes, the Absolute Customer Center is even easier to use, with access to new security and management features that provide Absolute customers with more ways to manage and secure their IT assets.

For more information on Absolute Software and its range of computer theft recovery, data protection and IT asset management solutions, please visit www.absolute.com

Online Privacy Concerns Are High

Tuesday, March 24th, 2009

TRUSTe has published the results of a survey indicating that the majority of people consider online privacy a primary concern.

The survey, of more than 1000 respondents, indicates that 90% of Americans consider online privacy a “really” or “somewhat” important issue. 6% of respondents have had their identity stolen in the last year and 11% have experienced credit card theft in the same time period. 35% feel that information they shared online has led to an invasion or violation of their privacy. That said, an increase in concern hasn’t equally increased the precautions consumers take to protect their personal information. 39% of consumers admit they do not consistently take steps to protect their information.

The survey also looked at online advertising, showing that consumers are becoming more accustomed to behavioral targeting. Only 51% of consumers are uncomfortable with behavioral advertising, down from 57% last year, with users saying they prefer targeted ads from brands they know to intrusive, irrelevant ads.

Despite a softening towards targeted advertising, consumers are wary of advertisers using their browsing history to target them. 48% of consumers now delete their browser cookies at least once a week, up 6% from last year.

Hat tip to Dave; via New York Times; Image: Clipart

Users Admit to Poor Password Security

Monday, March 23rd, 2009

Sophos recently released a report on password security that indicates that only 19% of people use multiple passwords to access different websites (based on an online survey of 676 people). Of the remainder, 33% use one password to access all websites and 48% use a few different passwords.

It is recommended that users assess their passwords for strength (read more about that here) and use different passwords to access different sensitive accounts. Doing so will help users protect their personal and corporate data. There are more advanced password strategies you can employ if you want an added measure of security – these can include the use of tools like PassSafe. Here’s a video that Sophos put together talking about password security:


Simple tips for better web password security from Sophos Labs on Vimeo.

As Sophos notes, password security should not be overlooked. Far too many people stick with dictionary words, or simple passwords such as “1234”. These passwords are easily guessed by hackers and can be used to exploit a computer network. For example, one Conficker-infected computer can be a risk to a whole network, with the worm using 200 common passwords to try to spread.

Data Breaches in the Healthcare Sector

Friday, March 20th, 2009

Dartmouth College’s Center for Digital Strategies recently released a study about “Data Hemorrhages in the Health-Care Sector”. The study examines the consequences of data breaches, from privacy violations to medical fraud to identity theft (financial and medical). The analysis demonstrates substantial vulnerability for the healthcare sector.

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) networks. The analysis uncovered thousands of files containing medical information on publicly available file sharing networks. That data may have gotten there inadvertently – from malware or from a poorly organized filesystem that kept confidential files alongside music files.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosures on P2P networks is higher than if a laptop or data device is lost. The report found that tracking and stopping medical data breaches is more complex given the fragmented nature of the US healthcare system.

This report reminds us of the importance of a strong data access policy. Who can access what data and where – can data be transferred to other devices? Computrace can help with that, with our Secure Asset Tracking® telling you where your devices are and what software/hardware is installed on them. As with other aspects of data security, choose a layered approach containing the right technology, processes and policies to help protect confidential information.

Hat tip to the privacy commissioner, SC Magazine; Image: Clipart
