Archive for the ‘Government Security’ Category

Whitehall Loses a Laptop a Day

Thursday, January 15th, 2009

The Liberal Democrats in the UK have publicized the results of their research into computer security across Whitehall. According to their results, 3,000 computers have been lost or stolen across Whitehall in the past 7 years. That’s a staggering average of at least one computer lost per day. The data includes 238 laptops and 40 desktops missing or stolen in 2008, only a very minor improvement in Government laptop security despite continued public breaches, promises of security upgrades, and even laptop bans.

The figures, which were released in Parliamentary answers, include:

  • Since 2002, 1,774 laptop computers and 1,035 desktop computers have been lost or stolen across Government, at a rate of nearly five a week and three a week respectively
  • In 2008 (as of December 29), 238 laptops and 40 desktops went missing
  • Since 2002, 676 mobile phones, 202 hard drives and 195 memory sticks have also been lost or stolen
  • The worst offenders are the Ministry of Defence (which handles very sensitive information), which has had 866 laptops stolen and has lost 178, as well as 157 desktops stolen and seven lost

Liberal Democrat Home Affairs Spokesman, Paul Holmes said:

“Everyone understands that things go astray but it is truly staggering that over the last seven years a laptop has been lost every working day across government.

It demonstrates a culture of carelessness across Whitehall that ministers have done nothing to curtail.”

It is clear that fundamental changes need to happen in the way the Government handles data. This includes a ‘culture of change’, changing attitudes and knowledge of security practices, as well as upgrading technology that protects data devices (as Absolute’s Computrace can).

Also in troubling Government security news, the IRS in the US has failed to patch more than half of the cybersecurity problems identified in November. Only 49 of the 115 issues found by the Government Accountability Office have been addressed. Read more here…

Via Daily Mail, ITV; image: mconnors @ morguefile

German Government Loses Top Secret Files

Monday, December 22nd, 2008

According to The Local, the German government has admitted to losing 332 top secret files over the past 10 years. Problem is, the files were so top secret that nobody knows what was in them.

The German Interior Ministry was forced to admit to the loss of files during a parliamentary session when they were questioned by the Free Democrats (FDP). The government admits that the 332 files are still missing, and that the files were of “considerable significance.”

The questioning also revealed that nearly 3,200 top secret files were destroyed rather than archived during the last legislature period. These files covered topics such as organized crime, surveillance, and ‘research’ of other states. This, as well as the breach / loss of the 332 files, points to issues with having a firm data retention policy. Although the two issues may not be related, given that the top secret files may have been destroyed in order to avoid any 30 year information release rule that may be created, it’s clear that governments all around the world are struggling to stay on top of information security.

In other Government data loss news, a FOX reporter was able to buy a McCain campaign Blackberry loaded up with confidential information – Computrace Mobile would have erased all of it. And Fergie, Duchess of York, is the victim of laptop theft and worries about private photos leaking – see what Absolute’s Bill Pound had to say about it.

White House Repeatedly Hacked

Thursday, November 13th, 2008

The Financial Times reports that Chinese hackers penetrated the White House computer network on multiple occasions, obtaining emails between government officials. In each incident, the cyber criminals were able to steal information before the White House security systems and professionals could patch the security holes.

The new insight comes on the heels of another report that the presidential campaigns of Barack Obama and John McCain were hacked over the summer. The FBI and Secret Service revealed to both Obama and McCain that large amounts of files related to policy positions had been stolen – information that may be useful in future negotiations with the U.S. administration. The hack came from a “foreign entity”, either Russian or Chinese.

Subsequent reports indicated that the attacks on the Obama and McCain systems came from China, and that other cyber attacks have been made on the White House from the same source. E-mail archives were attacked several times in recent months, a constant “cat and mouse” game with defenses going up each time a new attack was detected.

It is difficult to trace the exact source of the attacks. It is reported that, as far as the White House attacks go, only the unclassified network was breached. That doesn’t mean the information was not valuable or sensitive, nor that classified information was not present.

For more information on Absolute’s services for the Government sector, read here.

Via CNet; image: barackobama.com

New Center for Applied Identity Management Research

Friday, October 31st, 2008

Corporations, government agencies and academic institutions have come together to study issues surrounding cybercrime, terrorism, narcotics trafficking and identity management. Together they have formed the Center for Applied Identity Management Research (CAIMR).

CAIMR is hosted by Indiana University and is a non-profit corporation of thought leaders who share a common interest in identity management. Their mission is to “study identity issues impacting commerce, government, and national security, their social implications, and the processes, technologies and policies designed to deal with them.” Beyond study, the goal is to develop real-world solutions to these issues. The outcomes may be in the form of industry or law enforcement best practices, technologies, policy adjustments or training and educational materials.

CAIMR notes that the goal is to be able to adapt more quickly to evolving identity fraud and cyber crimes, understanding the constraints and challenges faced by each set of stakeholders. Gary R. Gordon, scholar in identity management at Indiana University School of Law, will be executive director at CAIMR.

Four initial areas of study will be:

  1. Public safety: identity theft, cybercrime, fraud, sexual predator detection, etc.
  2. National security: cybersecurity, human trafficking, terrorist tracking, etc.
  3. Financial and corporate fraud: mortgage fraud, data breaches, insider threats, healthcare fraud, etc.
  4. Individual protection: identity theft, fraud, etc.

Partners in CAIMR include the US Secret Service, VISA, Wells Fargo & Company, and many more.

Via network world, security watch

E-Voting not up to snuff

Thursday, October 30th, 2008

According to a new report out of the Brennan Center for Justice, many states are not well prepared to secure the vote on November 4th.

The report, entitled “Is America Ready to Vote?”, was released by Common Cause and Verified Voting. It includes a 50-state report card that grades each state on its preparedness for election system breakdowns and on its ability to ensure the accuracy of votes cast on electronic voting machines. 10 states received inadequate grades in 3 out of 4 categories of safeguards.

“Our elections are so complex and involve so many jurisdictions, technologies, voters, poll workers, technicians and election workers that some concerns are inevitable. As the machinery of our democracy becomes more complicated, however, the opportunity for error increases – and we should be prepared.” – Pamela Smith, president of Verified Voting Foundation.

The report evaluated each state on four areas:

  • procedures for issuing emergency paper ballots
  • reconciling ballot tallies
  • providing paper records of votes cast
  • post-election audits.

Currently 24 states use voting machines. Of those states, 8 have no guidance on stocking emergency paper ballots at the polls in case the voting machines break down. This could mean that voters will not be able to cast their ballots, if breakdowns were to occur. Breakdowns can, and do, occur in a number of ways – memory cards that can’t be read, mis-tallied votes, lost votes and more.

The report found that 10 out of the 50 states fall short of best practices when it comes to ballot accounting and reconciliation – the provisions to ensure every vote is counted, and only once, are not well in place. This is just one instance that shows that, while protections against voting fraud and e-voting machine failure have improved in general since 2004, not all states are taking even basic precautions to protect their systems.

You can download the report here. [PDF]

Via CSO Online

ICO to CEOs: Step Up

Wednesday, October 29th, 2008

The Information Commissioner’s Office (ICO) in the UK, with Information Commissioner Richard Thomas, has made a public statement calling on CEOs to take responsibility for data protection safeguards.

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Richard Thomas talked about the state of data security, or “data insecurity”, he adds. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Richard Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training – it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to ensure that data remains safe. The first step is to understand the risks associated with vast centralized stores of data and their portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches probably are much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS) is the worst breach offender so far for 2008 with 75 breaches, 27 of which were the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Via BBC

Government Laptops Mostly Unencrypted

Thursday, July 31st, 2008

According to a new Information Security report [PDF] from the US Government Accountability Office (GAO), 70% of the 24 major federal agencies surveyed last summer had not yet installed encryption technologies on laptops and handheld devices.

The report, which highlights data gathered from July – September 2007, indicates a confusion about encryption requirements. At the time of the survey, all agencies had initiated efforts to deploy encryption technologies, but none had documented a plan to guide the deployment activities.

“While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification.”

It is likely that governments will provide security solutions such as encryption for laptops before other devices such as mobile phones or thumb drives. Agencies and businesses alike will face increasing challenges in identifying and securing the myriad of mobile devices that could potentially breach sensitive information. Even then, device encryption is only one element of a comprehensive data security policy.

And some internal news - Absolute Software was selected for the CDW Sapphire Partners Program, which offers a proactive approach to embracing breakout technologies. Read about it here. And learn more about Absolute Software’s computer security solutions for Government here.

Via pogowasright, PC world; image: mconnors @ morguefile

Ministry of Defence Doubles Lost Laptop Figure

Wednesday, July 23rd, 2008

The U.K. Ministry of Defence has revealed some startling figures about laptop loss for the last four years: 659 laptops have been reported stolen and 89 lost.

These figures contradict earlier investigations by the Ministry of Defence: the new figures are double the previous figures. Of the laptops lost since 2004, only 32 have been recovered. In addition to these lost laptops, 121 USB memory sticks have been lost or stolen since 2004, some of which held restricted / classified data. You can read more on these breaches here.

Liberal Democrat MP Sarah Teather stated to parliament that:

“It seems this government simply cannot be trusted with keeping sensitive information safe. It is frightening to think that secret MoD information can be lost or stolen.”

20,000 laptops have been recalled by the Ministry of Defence in order to be encrypted. But these figures highlight the importance of having a layered approach to computer security. Encryption alone is not enough to protect data. You need to be able to recover lost or stolen computers to make sure that information is not accessed by unauthorized users. Absolute Software can help companies / agencies like the MoD recover lost laptops – for more on how Absolute helped solve recent laptop thefts at US airports, read here.

Via intergovworld, computerweekly; image: cohdra @ morguefile

Celebrity Passports Repeatedly Breached

Friday, July 11th, 2008

According to a report by the State Department Inspector General, and the subsequent press briefing, a number of high profile celebrities have had their passport information breached.

In March, it was reported that the passport records for Barack Obama, Hillary Clinton and John McCain were breached in the same way. This announcement prompted an investigation by the Inspector General into passport security.

The report tested the prevalence of snooping by looking at 150 famous Americans and how many times their files were accessed in a 5.5 year period. The new report found that 127 celebrities, including Beyonce Knowles, have had their personal details illegally accessed by federal employees or contractors. One celebrity record has been breached 356 times by more than 6 dozen people.

Currently, over 20,500 employees and contractors have access to 127 million passport files, which include data such as Social Security Numbers. The report is critical of the lack of security surrounding passports and who has access to them, stating there were many “weaknesses, including a general lack of policies, procedures, guidance and training.” Five contractors have been fired and dozens are under investigation for alleged snooping.

The Inspector General laid out 22 recommendations for improving security, but much of the report has been redacted because officials fear it could provide a road map to further abuse. State Department officials plan to implement most of the recommendations, including adding random audits of passport files and reducing by half the number of people who can view records.

In other passport news, the Identity and Passport Service published its annual report (PDF) recently, announcing that there were 9382 fraudulent attempts to get a British passport, representing 0.25% of all applications.

Via computer weekly, cbs, privacy lives

Ministry of Defence Data Protection Report

Wednesday, July 9th, 2008

The Information Assurance Advisory Council (IAAC) in the UK was invited to conduct an investigation into the Ministry of Defence (MOD) data protection plans in the wake of the January 2008 data breach, in which the records of 600,000 Royal Navy recruits were lost on an unencrypted laptop. The report by Sir Edmund Burton, Chairman of IAAC, gave 51 recommendations to the MOD in the policy, practice and management of personal data.

The IAAC report, passed to the MOD on April 30th and made public recently, contained a detailed audit of events leading up to the January data breach. The audit revealed that 4 laptops containing the database of over 600,000 records for the Army Recruit & Training Division have gone missing since 2004, all from parked cars. Although leaving laptops in parked cars was against the rules, existing rules did not dictate the encryption of the laptops – the existing policy is too open to interpretation.

Other issues include not treating information as an operational asset, not managing information risk, a lack of awareness of threats to information, a lack of understanding of the Data Protection Act, and more. The report was quite thorough, even looking to the rapid technological changes that affect the work culture & ways of working, and how these pose risks to security. The “Facebook Generation” is accustomed to “the rapid and often uninhibited exchange of information,” and these behaviors must be tempered by common sense and informed by data protection practice.

The IAAC report contains 51 recommendations and an action plan for implementation. The recommendations include new security procedures, audits, revising the data access & retention procedures, and better training & sharing of best practices.

The MOD has created an action plan to accept all 51 recommendations in Sir Edmund Burton’s IAAC report. The action plan breaks down into a set of workstreams that include doctrine, policy, awareness, compliance, technology, governance and more. They have paired up all 51 recommendations with the outcomes and the workstreams that will be responsible for acting upon them.

The IAAC has also recently published 3 guides to managing information risk. The guides cover organization, people and process and are meant to provide directors with information to understand the risks they face and how to address them.

Via intergovworld, computer weekly (2), daily mail; logo © Crown Copyright/MOD 2008
