Archive for Data Security
Author: Dave Lewis
August 22, 2008 at 3:32 pm · Filed under Data Security, Dumbass, Politics
That purveyor of all things craptacular, as it pertains to electronic voting, is in the news again. Premier Election Solutions (the former Diebold Election Systems) has admitted that there is a problem with its touch screen voting machines in Ohio. Originally the vendor had blamed antivirus software for the problems that counties were experiencing.
(natch)
From The Columbus Dispatch:
But in a letter Tuesday to Brunner, Premier President David Byrd admitted that further testing showed a source-code error that can cause votes not to be recorded when memory cards are uploaded to computer servers under certain circumstances.
“We are indeed distressed that our previous analysis of this issue was in error,” Byrd wrote.
Brunner is suing to recover the millions of taxpayer dollars spent to buy Premier touch-screens after she said an investigation this year showed that votes in at least 11 counties had been dropped in recent elections.
Recovering taxpayer dollars for a start. What about auditing the results of past…oh, who am I kidding?
Silly me.
So, these machines that “lose” votes will not be fixed in time for the election? I say it’s time for one helluva refund for the State of Ohio. Get those pencils sharpened. Time to roll back to tried and true voting methods.
Article Link
Author: Dave Lewis
August 21, 2008 at 3:08 pm · Filed under Apple, Data Security
Tom has a post on his experiences with the support folks at Apple that just has to be read. He called them when the hard drive on his wife’s laptop started to fail.
From spylogic:
“You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S.”
Huh? People’s Republic of China? That’s nice. I couldn’t find any reference noting what Apple does with your personal “hard drive” data. They only mention your name, address, things you purchased, etc…
Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting.
Article Link
Author: Dave Lewis
July 23, 2008 at 5:20 pm · Filed under Data Security, ID Theft
OK, I’m out of bed and starting to feel a little more human.
So, first up. It seems that employees of the pharma giant Bristol-Myers Squibb are a little uneasy today. It turns out that a backup tape containing personal info on former and current staff was pilfered from the back of a delivery truck.
Well, that’s gotta suck.
From Network World:
However, according to a security breach notification letter sent by the firm to the New Hampshire Attorney General’s office, personal data of 458 residents of that state was stored on the stolen tape.
Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.
I hope it wasn’t Iron Mountain again. They could use a break. While the 458 affected in that one state might seem like a small number, consider what was on the tape:
included the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has Social Security and address information about dependents of former and current employees.
Now, that really sucks.
Article Link
Author: Dave Lewis
July 15, 2008 at 8:48 am · Filed under Data Security, Vulnerability
Well, today is the day. At 4 pm (EST) the folks at Oracle will release their Critical Patch Update, 45 patches in all. Ryan Naraine has a nice synopsis of this over on ZDNet.
From Zero Day:
Database server giant Oracle plans to ship patches for a total of 45 security vulnerabilities on Thursday (July 17), bringing the vulnerability count for 2008 to a whopping 112.
Since January 2006 (this CPU included), Oracle has shipped fixes for a total of 572 vulnerabilities.
According to a pre-release analysis, the vulnerabilities affect hundreds of products, including all supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions.
This is the first Critical Patch Update that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
My vulnerability made the cut for this release as well. Stay tuned.
Article Link
Author: Dave Lewis
July 11, 2008 at 3:31 pm · Filed under Data Security, Legal Aspects, Privacy
And the lawyers stand to rake in $1.8 million. This is amazing. $2 per?
Wow.just.wow.
From Wired:
“The settlement provides the class members with fair, reasonable and adequate compensation for their claims,” wrote lead counsel for the plaintiffs, Scott Kamber of KamberEdelson in New York.
Kamber, in a court filing (.pdf) in San Francisco federal court on Friday, is requesting $1,360 an hour — $1.8 million and counting for time worked by him and others in his and other firms for bringing the case and negotiating a proposed settlement to the breach-of-privacy class action.
The court filings came in response to a request by U.S. District Judge Vaughn Walker, who last month scuttled the proposed settlement agreement. Walker wanted an hourly accounting of the proposed legal fees, which are not unusually high by class action standards.
So, a “fair, reasonable and adequate compensation for their claims” is $2? Well, not entirely. To “sweeten” the pot they will provide a one-year subscription to anti-spam software from Trend to affected folks.
Well then, I now know the going rate for your identity. Yes, I realize that there was “no evidence” that SSNs or account numbers were pinched in addition to the personal details. That being said, no evidence does not equate to a definitive answer to the question of whether or not the aforementioned data was also purloined.
Read the full story over on Wired.
Article Link
Author: Dave Lewis
July 7, 2008 at 8:17 am · Filed under Data Security, Education
It must be Monday.
How can you tell? Simple, another data breach in the news. Sadly, by that reckoning it could be any day of the week. This time a health care worker for NHS Lothian managed to lose the medical histories and other private information for 137 patients.
From The Herald:
Copies of letters sent to Edinburgh GPs by NHS Lothian over two years were stored on a computer memory stick in breach of data protection rules.
The NHS called in police and set up a helpline to support patients worried that their personal information was stored on the small USB device.
The worker, who could now be sacked, owned up to the loss on Thursday last week.
“Only 137?” one might say. While the number might seem low, flip it on its head.
What if it had been your data?
This has prompted health care bosses in the UK to offer amnesty for workers to come clean.
From BBC News:
The amnesty is among a series of plans to highlight the security issue. It allows anyone who has illegally stored sensitive information to come forward and have it disposed of safely without being disciplined.
The NHS is also taking a roadshow around hospitals and credit card-sized leaflets are being sent out with payslips.
While the worker mentioned earlier will most likely get the gate, I think it is a wise move to have an amnesty in place for a limited time. If a house is starting to catch fire, it’s better to put out the flames before you become engulfed. To beat the proverbial dead horse once more (the clichés are starting to pile up), it is the people that are the weakest link. No firewall in the world will keep them from being human. Organizations need to address the root of the problem before worrying about what appliance does what and for how much.
Article Link 1
Article Link 2
Author: Dave Lewis
June 17, 2008 at 5:39 am · Filed under Data Security, Disclosure, Legal Aspects
Well, a better headline might read “another warning for business”. Here’s an analysis piece on the Cotton Traders credit card breach story that broke last week.
From IT PRO:
In many ways, Cotton Traders is an ordinary, mid-sized British business. The company, which is based in Altrincham, Cheshire, was founded in 1987 by two former England rugby captains, Fran Cotton and Steve Smith. Today, Cotton Traders operates a mail-order business, including online sales, a wholesale operation and a network of stores. Its turnover now exceeds £50 million. It is not involved in high finance or technology; nor is it an e-commerce pure play. It is typical of thousands of companies around the country that have used the internet to expand their sales, with some success. Its website is clean, simple and easy to use, and is designed to appeal to the mass market.
So if Cotton Traders could fall victim to an online criminal gang, so could almost any business that trades on the net. The security breach took place in January, although it was only confirmed by the company earlier this month, and attracted media attention over the last few days.
The company maintains that the data was encrypted. For their sake I hope that it was. I’m a little surprised at how long it took the company to disclose this breach: it apparently took place in January and has only now come to light.
Read on for the full article.
Article Link
Author: Dave Lewis
June 9, 2008 at 9:31 pm · Filed under Data Security, Hardware, ID Theft
Um, whoops.
From Consumer Affairs:
A laptop containing personal information on AT&T employees and management was stolen from an employee’s vehicle last month, the company said.
The laptop, which had no encryption or security protection beyond a password lock, contained names, Social Security numbers, and salary information for an undisclosed number of workers.
Employees were notified of the theft on May 22, seven days after the theft, according to privacy watchdog PogoWasRight.org, which first reported the story. In a letter to employees, AT&T said that, “The measures and precautions we put in place to protect the security of company-owned property and our employees’ personal information were not followed.”
AT&T said that the responsible employee “has been disciplined.”
Disciplined you say?
Muawhaha!
Article Link
Author: Dave Lewis
June 4, 2008 at 10:18 pm · Filed under Data Security, Review
From InfoWorld:
I expect most Oracle Database shops will find at least five of these life changers in Oracle Database 11g. But there’s one feature, Real Application Testing, that’s so compelling, it’s almost enough reason to upgrade on its own. There’s not a shop out there that doesn’t make code changes, and they all need a solid way of reproducing production workloads to certify those changes without affecting the production environment. Real Application Testing does the trick.
Combining Database Replay and SQL Performance Analyzer, Real Application Testing allows you to capture a workload and its performance stats and replay it, either on the same box or on another box, and compare the performance results. This level of insight into comparative workloads is something that most database vendors are still struggling with.
OK, so there are great improvements in overall usability, data corruption protection in Data Guard, workload replay (cool feature) et cetera, but what about security? Nope, no mention. I wonder what David Litchfield, Pete Finnigan and others will have to say about it?
Article Link
Author: Dave Lewis
June 4, 2008 at 10:09 pm · Filed under Data Security, Security Mgmt
Meh, they only handle the insurance for your money. No biggie, right?
From FCW:
A key reason for the latest weaknesses the auditors found is that the FDIC did not always fully implement critical information security program activities, GAO said.
For example, multiple FDIC users shared the same login ID and password, had unrestricted access to application source code and used a password that was not adequately encrypted. The FDIC also did not fully test configuration controls, GAO reported.
Until the FDIC fully performs key information security program activities, GAO said there is an increased risk that it may not be able to maintain sufficient control over its financial systems and information.
Yeah, see, that’s bad, m’kay.
Article Link
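The shared-login finding above is the kind of thing that shows up in authentication logs long before an auditor writes it up: one login ID that succeeds from several different source addresses inside a few minutes is either a shared credential or a stolen one, and either way there is no accountability. As an added example (not from this post, the GAO report or FCW), the following Python script runs that check over log lines. The log format, the field names and the sample lines are constructed for illustration; the regex would need adapting to real authentication logs.

```python
"""Flag login IDs that authenticate successfully from several distinct source
addresses within a short window (a sign of a shared or stolen credential).

Added example; not part of the original post or the GAO report. The log
format below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; not real FDIC data).
SAMPLE_LOG = """\
2008-06-03T08:01:12 auth user=dbadmin src=10.1.4.22 result=success
2008-06-03T08:03:40 auth user=dbadmin src=10.1.9.17 result=success
2008-06-03T08:05:02 auth user=dbadmin src=10.2.0.5 result=success
2008-06-03T08:06:55 auth user=jsmith src=10.1.4.30 result=success
2008-06-03T09:10:00 auth user=jsmith src=10.1.4.30 result=success
2008-06-03T11:15:31 auth user=dbadmin src=10.1.4.22 result=failure
2008-06-03T13:00:00 auth user=rjones src=10.3.3.3 result=success
2008-06-03T13:02:00 auth user=rjones src=10.3.3.3 result=success
"""

# Hypothetical log line shape: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return a list of (timestamp, user, source, result) tuples.
    Lines that do not match the expected shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"])
        )
    return events


def shared_accounts(events, window=timedelta(minutes=30), min_sources=2):
    """Return {user: sorted list of source addresses} for every user whose
    successful logins come from at least `min_sources` distinct addresses
    inside any sliding window of length `window`.

    Only successful logins count: a burst of failures from many addresses is
    a brute-force signal, not a sharing signal, and belongs in a different
    detection."""
    by_user = defaultdict(list)
    for ts, user, src, result in events:
        if result == "success":
            by_user[user].append((ts, src))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so each login can start a window
        for i, (start, _) in enumerate(logins):
            srcs = {src for ts, src in logins[i:] if ts - start <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    for user, srcs in shared_accounts(parse(SAMPLE_LOG)).items():
        print(f"{user}: successful logins from {len(srcs)} addresses {srcs}")
```

On the sample data only `dbadmin` is flagged: three successful logins from three addresses inside four minutes, while `jsmith` and `rjones` each come from a single address. Tune `window` and `min_sources` to the environment (a jump host or NAT pool will collapse many users onto one address, and a roaming laptop will legitimately change address over a day), and treat a hit as a lead for the account owner, not proof.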