Government Laptops Mostly Unencrypted

According to a new Information Security report [PDF] from the US Government Accountability Office (GAO), 70% of the 24 major federal agencies surveyed last summer had not yet installed encryption technologies on laptops and handheld devices.

The report, which highlights data gathered from July to September 2007, indicates confusion about encryption requirements. At the time of the survey, all agencies had initiated efforts to deploy encryption technologies, but none had documented a plan to guide the deployment activities.

“While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification.”

It is likely that governments will provide security solutions such as encryption for laptops before other devices such as mobile phones or thumb drives. Agencies and businesses alike will face increasing challenges in identifying and securing the myriad of mobile devices that could potentially breach sensitive information. Even then, device encryption is only one element of a comprehensive data security policy.

And some internal news - Absolute Software was selected for the CDW Sapphire Partners Program, which offers a proactive approach to embracing breakout technologies. Read about it here. And learn more about Absolute Software’s computer security solutions for Government here.

Via pogowasright, PC world

Ministry of Defence Doubles Lost Laptop Figure

The U.K. Ministry of Defence has revealed some startling figures about laptop loss for the last four years: 659 laptops have been reported stolen and 89 lost.

These figures contradict earlier investigations by the Ministry of Defence: the new figures are double the previous ones. Of the laptops lost since 2004, only 32 have been recovered. In addition to these lost laptops, 121 USB memory sticks have been lost or stolen since 2004, some of which held restricted or classified data. You can read more on these breaches here.

Liberal Democrat MP Sarah Teather stated to parliament that:

“It seems this government simply cannot be trusted with keeping sensitive information safe. It is frightening to think that secret MoD information can be lost or stolen.”

20,000 laptops have been recalled by the Ministry of Defence in order to be encrypted. But these figures highlight the importance of having a layered approach to computer security. Encryption alone is not enough to protect data. You need to be able to recover lost or stolen computers to make sure that information is not accessed by unauthorized users. Absolute Software can help companies / agencies like the MoD recover lost laptops - for more on how Absolute helped solve recent laptop thefts at US airports, read here.

Via intergovworld, computerweekly

Celebrity Passports Repeatedly Breached

According to a report by the State Department Inspector General, and the subsequent press briefing, a number of high-profile celebrities have had their passport information breached.

In March, it was reported that the passport records for Barack Obama, Hillary Clinton and John McCain were breached in the same way. This announcement prompted an investigation by the Inspector General into passport security.

The report tested the prevalence of snooping by looking at 150 famous Americans and how many times their files were accessed in a 5.5-year period. It found that 127 celebrities, including Beyonce Knowles, have had their personal details illegally accessed by federal employees or contractors. One celebrity record has been breached 356 times by more than 6 dozen people.

Currently, over 20,500 employees and contractors have access to 127 million passport files, which include data such as Social Security Numbers. The report is critical of the lack of security surrounding passports and who has access to them, stating there were many “weaknesses, including a general lack of policies, procedures, guidance and training.” Five contractors have been fired and dozens are under investigation for alleged snooping.

The Inspector General laid out 22 recommendations for improving security, but much of the report has been redacted because officials fear it could provide a road map to further abuse. State Department officials plan to implement most of the recommendations, including adding random audits of passport files and reducing by half the number of people who can view records.

In other passport news, the Identity and Passport Service published its annual report (PDF) recently, announcing that there were 9382 fraudulent attempts to get a British passport, representing 0.25% of all applications.

Via computer weekly, cbs, privacy lives

Ministry of Defence Data Protection Report

The Information Assurance Advisory Council (IAAC) in the UK was invited to conduct an investigation into the Ministry of Defence (MOD) data protection plans in the wake of the January 2008 breach of data on 600,000 Royal Navy recruits held on an unencrypted laptop. The report by Sir Edmund Burton, Chairman of IAAC, gave 51 recommendations to the MOD on the policy, practice and management of personal data.

The IAAC report, passed to the MOD on April 30th and made public recently, contained a detailed audit of events leading up to the January data breach. The audit revealed that 4 laptops containing the database of over 600,000 records for the Army Recruit & Training Division have gone missing since 2004, all from parked cars. Although this was against the rules, the existing rules did not require the laptops to be encrypted; the existing policy is too open to interpretation.

Other issues include not treating information as an operational asset, not managing information risk, a lack of awareness of threats to information, a lack of understanding of the Data Protection Act, and more. The report was quite thorough, even looking to the rapid technological changes that affect the work culture & ways of working, and how these pose risks to security. The “Facebook Generation” is accustomed to “the rapid and often uninhibited exchange of information,” and these behaviors must be tempered by common sense and informed by data protection practice.

The IAAC report contains 51 recommendations and an action plan for implementation. The recommendations include new security procedures, audits, revising the data access & retention procedures, and better training & sharing of best practices.

The MOD has created an action plan to accept all 51 recommendations in Sir Edmund Burton’s IAAC report. The action plan breaks down into a set of workstreams that include doctrine, policy, awareness, compliance, technology, governance and more. They have paired up all 51 recommendations with the outcomes and the workstreams that will be responsible for acting upon them.

The IAAC has also recently published 3 guides to managing information risk. The guides cover organization, people and process and are meant to provide directors with information to understand the risks they face and how to address them.

Via intergovworld, computer weekly (2), daily mail

Obama Works on Web Security

Barack Obama has been a leader in his use of “web 2.0” techniques in his presidential campaign. Now that he has the presidential nomination, his campaign has a larger target on it than ever. Now, Barack is hiring a web security expert.

Barack Obama’s website was built by Facebook co-founder Chris Hughes and hinges on social networking. While this has been important in driving the majority of the campaign’s contributions, it does open up more avenues for attack. The site was hacked two months ago, and a similar attack could cost the campaign millions of dollars if it escalated to a breach. Such an attack would also tarnish the reputation of Obama and his staff at this crucial time.

“Attacks like SQL injection would be far more of a concern,” said Oliver Friedrichs, a director with Symantec Security Response who has written about computer security and the 2008 presidential election. “If I was able to get access to the database that houses their donor information, that would be very concerning.”

Although Internet security is taken seriously in all political campaigns, Obama has used his website (for the first time in political campaign history) to advertise for a web security expert. The expert would be responsible for analyzing network architecture, overhauling existing security systems, developing a strategy to respond to attacks, and managing “the security posture of the online campaign.”

If you were a supporter of Barack Obama, would you be deterred in your vote by any web attack or breach?

Does Barack’s advertisement of the job position help him appear more transparent or authentic?

Via intergovworld

Top Secret al-Qaeda Info Left on Train

A senior intelligence official in the Cabinet office in the UK is responsible for a serious breach of security after leaving Top Secret documents with the latest al-Qaeda intelligence on a London commuter train. The Cabinet Official has been suspended from his job.

A fellow passenger on the June 10 train found the documents and handed them to the BBC, who then passed them to the police. The envelope contained several pages, stamped “UK Top Secret”, with the latest government intelligence on al-Qaeda and Iraq’s security forces. The documents were also stamped “for UK/US/Canadian and Australian eyes only” and were dated June 5th. The documents were entitled “Al-Qaeda: Constraints and Vulnerabilities” and “Iraqi Security Forces: More or Less Challenged?”

An official investigation is being requested of Home Secretary Jacqui Smith. In light of the events, people are asking:

  • Why were top secret documents allowed outside the office?
  • Why were top secret documents printed (i.e. not encrypted in a data file)?
  • Why were top secret documents read in a public place?

Given the string of serious security breaches by the UK government over the past several months, this only increases the public pressure to understand why security policies are being overlooked repeatedly. The employee in question here had the security authority to remove sensitive documents from the secure office environment if strict protocols were followed - perhaps it is time to ban such document removal altogether.

Via BBC, CNN, Reuters, Times Online

OIPC Investigates Data Breach

The Office of the Information & Privacy Commissioner (OIPC) of British Columbia published an investigation report concerning the Ministry of Health earlier this month.

On October 3, 2007 an employee of X-Wave, a contractor for health insurance billing in New Brunswick, packaged four unencrypted computer tapes into an envelope. The tapes, which contained personal information of residents of British Columbia and New Brunswick, were being sent to Health Insurance BC (HIBC). These tapes did not arrive.

The investigation reveals that this method of transferring personal information did not meet the security measures required under the Freedom of Information and Protection of Privacy Act. In addition to this, the existing policies at the Ministry of Health delayed the timely detection of the lost data tapes. Notification to affected individuals and to the OIPC was also delayed by nearly two months.

OIPC reports that the Ministry breached the Act in the following ways:

  • Sending data on unencrypted magnetic tapes
  • Not requiring the sender to notify the receiver of when the package would be received
  • Not requiring the sender to use a courier with a tracking service
  • Not instructing the sender to refrain from sending more unencrypted tapes while the issue was under investigation
  • Taking 41 days to notify affected individuals of the breach

New Ministry procedures aim to counter these issues and to ensure that personal information is no longer transferred in this way. You can read more here.

Via Dan Michaluk

Canadian Minister Resigns After Breach

Foreign Affairs Minister Maxime Bernier resigned on May 26th after admitting he left classified NATO documents at the apartment of his ex-girlfriend, Julie Couillard, a former model with past links to members of the Hells Angels.

The NATO documents included information from last April’s summit in Romania, including NATO’s military strategy in Afghanistan. Bernier did not realize he had forgotten the papers until they were returned by lawyers Sunday night, more than a month later, and delayed telling Prime Minister Stephen Harper until Monday afternoon. Bernier then resigned from his post.

“Mr. Bernier has learned and informed me that he left classified government documents in a non-secure location,” said Harper. “This is a serious error and the minister has accepted his responsibility.”

Stephen Harper called a news conference just hours before Julie Couillard made claims that Mr. Bernier had been careless with government papers. The government has received a lot of public criticism for Mr. Bernier’s relationship with Ms. Couillard, though Harper has been defending Bernier’s right to privacy.

“Let me be very clear: this is not to do with the minister’s life or the life of a private citizen, 99 percent of which I think is completely off bounds,” said Harper.

Maxime Bernier was replaced in his ministry position by David Emerson, and Bernier’s bio has been completely wiped from the Stephen Harper website. The police are looking into allegations raised about this and other matters, as described here, and into whether this will be considered a criminal offense in breach of national security.

hat tip: flyinghamster, via globe and mail, ctv

Hacker Exposes Data of 6 Million Chileans

Who Breached: Chilean Government
Number Affected: 6 million Chileans
Information breached: Identity Card Numbers
How: Hacker

A hacker, known ironically as “Anonymous Coward”, has exposed the personal data of 6 million Chileans.

Police Chief Jaime Jara confirms that the data of 6 million people was stolen on Friday from servers at the Education Ministry, the electoral service and the military. The information was posted briefly (less than 24 hours) online in the comments section of a popular Chilean technology blog, Fayerwayer.com, in three compressed files. Data included identity card numbers (like SSNs), addresses and more.

Despite the fact that the data was quickly removed, it had been linked to by many other websites. Several sites were re-posting the files almost immediately. The potential exists that the data was downloaded and that it could still appear on additional websites.

The hacker took the data to prove a point. According to a note online, he took it in order to “demonstrate how poorly protected the data in Chile is, and how nobody works to protect it.” The hacker even gave instructions on how to download the information without being traced.

Indeed, the point has been proven. Focus is now on government IT security and lax privacy laws, including the regular selling of election voter data. The news has garnered additional attention since the data contained the information on the daughter of the Chilean president.

A prosecutor, a specialist in high-tech crime, was appointed yesterday to investigate how the hacker gained access to the data. The government has announced plans to strengthen data protection with new legislation.

Another notable breach this week so far has affected 13,000 Pfizer employees after a company laptop and flash drive were stolen.

Via attrition, AP, ABC, AP

State Department Laptops Found

In follow-up to the previous post regarding the missing laptops at the US Department of State, those laptops have now been found.

As many as 400 laptops were unaccounted for during the early stages of a recent audit. The laptops, which were destined for foreign police services, were located after a management count issue. The missing laptops were being held in storage before going overseas.

Thankfully, the US Department of State has avoided a massive fallout from the issue. However, it still points to a flawed asset management system, as the laptops went missing in the first place.

“I would expect many of the laptops to be ‘found’ in the sense that they may not have actually left a State Department facility,” the official said. “But if they don’t know where they are, that is bad management, and they may as well have disappeared.”

Asset tracking software, such as that provided by Absolute Software in its Computrace products, could have avoided this entire situation.

The Inspector General has not released the full audit of the state of laptop security in all its aspects at the US Department of State. The investigation is still ongoing.

Via CNet, CQ Politics