Archive for Data Security
Author: Dave Lewis
August 21, 2008 at 3:08 pm · Filed under Apple, Data Security
Tom has a post that simply has to be read about his experiences with the support folks at Apple. He called them when the hard drive on his wife’s laptop started to fail.
From spylogic:
“You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S.”
Huh? People’s Republic of China? That’s nice. I couldn’t find any reference noting what Apple does with your personal “hard drive” data. They only mention your name, address, things you purchased, etc…
Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting.
Article Link
Author: Dave Lewis
July 23, 2008 at 5:20 pm · Filed under Data Security, ID Theft
OK, I’m out of bed and starting to feel a little more human.
So, first up. It seems that employees of the pharma giant Bristol-Myers Squibb are a little uneasy today. It turns out that a backup tape containing personal info on former and current staff was pilfered from the back of a delivery truck.
Well, that’s gotta suck.
From Network World:
However, according to a security breach notification letter sent by the firm to the New Hampshire Attorney General’s office, personal data of 458 residents of that state was stored on the stolen tape.
Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.
I hope it wasn’t Iron Mountain again. They could use a break. While the 458 affected might seem like a small number, consider this:
included the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has Social Security and address information about dependents of former and current employees.
Now, that really sucks.
Article Link
Author: Dave Lewis
July 15, 2008 at 8:48 am · Filed under Data Security, Vulnerability
Well, today is the day. At 4 pm (EST) the folks at Oracle will release their list of patches, 45 in all. Ryan Naraine has a nice synopsis of this over on ZDNet.
From Zero Day:
Database server giant Oracle plans to ship patches for a total of 45 security vulnerabilities on Thursday (July 17), bringing the vulnerability count for 2008 to a whopping 112.
Since January 2006 (this CPU included), Oracle has shipped fixes for a total of 572 vulnerabilities.
According to a pre-release analysis, the vulnerabilities affect hundreds of products, including all supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions.
This is the first Critical Patch Update that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
My vulnerability made the cut for this release as well. Stay tuned.
Article Link
Author: Dave Lewis
July 11, 2008 at 3:31 pm · Filed under Data Security, Legal Aspects, Privacy
And the lawyers stand to rake in $1.8 million. This is amazing. $2 per?
Wow.just.wow.
From Wired:
“The settlement provides the class members with fair, reasonable and adequate compensation for their claims,” wrote lead counsel for the plaintiffs, Scott Kamber of KamberEdelson in New York.
Kamber, in a court filing (.pdf) in San Francisco federal court on Friday, is requesting $1,360 an hour — $1.8 million and counting for time worked by him and others in his and other firms for bringing the case and negotiating a proposed settlement to the breach-of-privacy class action.
The court filings came in response to a request by U.S. District Judge Vaughn Walker, who last month scuttled the proposed settlement agreement. Walker wanted an hourly accounting of the proposed legal fees, which are not unusually high by class action standards.
So, a “fair, reasonable and adequate compensation for their claims” is $2? Well, not entirely. To “sweeten” the pot they will provide a one-year subscription to anti-spam software from Trend to affected folks.
Well then, I now know the going rate for your identity. Yes, I realize that there was “no evidence” that SSN or account numbers were pinched in addition to the personal details. That being said, no evidence does not equate to a definitive response to the question of whether or not the aforementioned data was also purloined.
Read the full story over on Wired.
Article Link
Author: Dave Lewis
July 7, 2008 at 8:17 am · Filed under Data Security, Education
It must be Monday.
How can you tell? Simple, another data breach in the news. Sadly, by that reckoning it could be any day of the week. This time a health care worker for NHS Lothian managed to lose the medical histories and other private information for 137 patients.
From The Herald:
Copies of letters sent to Edinburgh GPs by NHS Lothian over two years were stored on a computer memory stick in breach of data protection rules.
The NHS called in police and set up a helpline to support patients worried that their personal information was stored on the small USB device.
The worker, who could now be sacked, owned up to the loss on Thursday last week.
“Only 137?” one might say. While the number might seem low, flip it on its head.
What if it had been your data?
This has prompted health care bosses in the UK to offer amnesty for workers to come clean.
From BBC News:
The amnesty is among a series of plans to highlight the security issue. It allows anyone who has illegally stored sensitive information to come forward and have it disposed of safely without being disciplined.
The NHS is also taking a roadshow around hospitals and credit card-sized leaflets are being sent out with payslips.
While the worker mentioned earlier will most likely get the gate, I think it is a wise move to have an amnesty put in place for a limited time. If a house is starting to catch fire, it’s better to put out the flames before you become engulfed. To beat the proverbial dead horse once more (the clichés are starting to pile up), it is the people that are the weakest link. No firewall in the world will keep them from being human. Organizations need to address the root of the problem before they can even worry about what appliance does what and for how much.
Article Link 1
Article Link 2
Author: Dave Lewis
June 17, 2008 at 5:39 am · Filed under Data Security, Disclosure, Legal Aspects
Well, a better headline might read “another warning for business”. Here’s an analysis piece on the Cotton Traders credit card breach story that broke last week.
From IT PRO:
In many ways, Cotton Traders is an ordinary, mid-sized British business. The company, which is based in Altrincham, Cheshire, was founded in 1987 by two former England rugby captains, Fran Cotton and Steve Smith. Today, Cotton Traders operates a mail-order business, including online sales, a wholesale operation and a network of stores. Its turnover now exceeds £50 million. It is not involved in high finance or technology; nor is it an e-commerce pure play. It is typical of thousands of companies around the country that have used the internet to expand their sales, with some success. Its website is clean, simple and easy to use, and is designed to appeal to the mass market.
So if Cotton Traders could fall victim to an online criminal gang, so could almost any business that trades on the net. The security breach took place in January, although it was only confirmed by the company earlier this month, and attracted media attention over the last few days.
The company maintains that the data was encrypted. For their sakes I hope that it was. I’m a little surprised at how long it took for the company to disclose this breach. It apparently took place in January and has only now come to light.
Read on for the full article.
Article Link
Author: Dave Lewis
June 9, 2008 at 9:31 pm · Filed under Data Security, Hardware, ID Theft
Um, whoops.
From Consumer Affairs:
A laptop containing personal information on AT&T employees and management was stolen from an employee’s vehicle last month, the company said.
The laptop, which had no encryption or security protection beyond a password lock, contained names, Social Security numbers, and salary information for an undisclosed number of workers.
Employees were notified of the theft on May 22, seven days after the theft, according to privacy watchdog PogoWasRight.org, which first reported the story. In a letter to employees, AT&T said that, “The measures and precautions we put in place to protect the security of company-owned property and our employees’ personal information were not followed.”
AT&T said that the responsible employee “has been disciplined.”
Disciplined you say?
Muawhaha!
Article Link
Author: Dave Lewis
June 4, 2008 at 10:18 pm · Filed under Data Security, Review
From InfoWorld:
I expect most Oracle Database shops will find at least five of these life changers in Oracle Database 11g. But there’s one feature, Real Application Testing, that’s so compelling, it’s almost enough reason to upgrade on its own. There’s not a shop out there that doesn’t make code changes, and they all need a solid way of reproducing production workloads to certify those changes without affecting the production environment. Real Application Testing does the trick.
Combining Database Replay and SQL Performance Analyzer, Real Application Testing allows you to capture a workload and its performance stats and replay it, either on the same box or on another box, and compare the performance results. This level of insight into comparative workloads is something that most database vendors are still struggling with.
OK, so there are great improvements in overall usability, data corruption protection in Data Guard, workload replay (cool feature), et cetera, but what about security? Nope, no mention. I wonder what David Litchfield, Pete Finnigan and others will have to say about it?
Article Link
Author: Dave Lewis
June 4, 2008 at 10:09 pm · Filed under Data Security, Security Mgmt
Meh, they only handle the insurance for your money. No biggie right?
From FCW:
A key reason for the latest weaknesses the auditors found is that the FDIC did not always fully implement critical information security program activities, GAO said.
For example, multiple FDIC users shared the same login ID and password, had unrestricted access to application source code and used a password that was not adequately encrypted. The FDIC also did not fully test configuration controls, GAO reported.
Until the FDIC fully performs key information security program activities, GAO said there is an increased risk that it may not be able to maintain sufficient control over its financial systems and information.
Yeah, see that’s bad m’kay.
Article Link
Author: Dave Lewis
May 20, 2008 at 9:09 pm · Filed under Data Security
Of all the stoopid crap…
From Wired:
Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all.
This time around, University of Pennsylvania professor Matt Blaze discovered that the Justice Department’s Inspector General’s office had failed to adequately obfuscate data in a March report (.pdf) about FBI payments to telecoms to make their legacy phone switches comply with 1995 wiretapping rules. That report detailed how the FBI had finished spending its allotted $500 million to help telephone companies retrofit their old switches to make them compliant with the Communications Assistance to Law Enforcement Act or Calea– even as federal wiretaps target cellphones more than 90 percent of the time.
Read on.
Article Link
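To show why the Ctrl+C trick in the story works, here is an added example (not from the post or the Wired article): a small check over an uncompressed PDF page content stream that lists every string still in the text layer and flags the ones drawn underneath a filled black rectangle. The stream, its coordinates and the half-em glyph width used for the bounding boxes are all constructed assumptions.

```python
import re

# Constructed, uncompressed PDF page content stream (not from any real report):
# two text runs, then a black rectangle painted over the second one to "redact" it.
CONTENT_STREAM = b"""BT /F1 12 Tf 72 700 Td (Payment to carrier: ) Tj ET
BT /F1 12 Tf 200 700 Td (ACME TELCO $1,234,567) Tj ET
0 0 0 rg 195 695 160 16 re f
"""

TEXT_OBJ = re.compile(rb"BT(.*?)ET", re.S)           # one BT ... ET text object
FONT = re.compile(rb"/\w+\s+([\d.]+)\s+Tf")           # font size from "/F1 12 Tf"
MOVE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+Td")   # text origin from "x y Td"
SHOW = re.compile(rb"\((.*?)\)\s*Tj")                 # literal string shown with Tj
RECT = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+([\d.]+)\s+([\d.]+)\s+re\s+f\b")  # filled box

def extract_text(stream):
    """What Ctrl+C gets: every literal string still present in the text layer."""
    return [m.group(1).decode("latin-1") for m in SHOW.finditer(stream)]

def text_boxes(stream):
    """Approximate bounding box of each shown string (assumes 0.5 em per glyph)."""
    boxes = []
    for obj in TEXT_OBJ.finditer(stream):
        body = obj.group(1)
        font = FONT.search(body)
        size = float(font.group(1)) if font else 12.0
        pos = MOVE.search(body)
        x, y = (float(pos.group(1)), float(pos.group(2))) if pos else (0.0, 0.0)
        for s in SHOW.finditer(body):
            text = s.group(1).decode("latin-1")
            width = 0.5 * size * len(text)
            boxes.append((text, x, y, x + width, y + size))
            x += width  # consecutive strings advance along the baseline
    return boxes

def fill_rects(stream):
    """Every filled rectangle, as (x, y, width, height)."""
    return [tuple(float(v) for v in m.groups()) for m in RECT.finditer(stream)]

def overlaps(box, rect):
    _, x0, y0, x1, y1 = box
    rx, ry, rw, rh = rect
    return x0 < rx + rw and rx < x1 and y0 < ry + rh and ry < y1

def find_covered_text(stream):
    """Strings drawn under a filled box: blacked out on screen, still in the file."""
    rects = fill_rects(stream)
    return [b[0] for b in text_boxes(stream) if any(overlaps(b, r) for r in rects)]

if __name__ == "__main__":
    print("text layer:", extract_text(CONTENT_STREAM))
    print("covered but recoverable:", find_covered_text(CONTENT_STREAM))
```

A properly redacted file has the string removed from the content stream before the box is drawn, so find_covered_text returns an empty list; real PDFs usually carry Flate-compressed streams, which must be decompressed before a check like this is run.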