Archive for June, 2006

Good resource for low-tech (end) users

Tuesday, June 13th, 2006

I was browsing an RSS feed this morning and found a great resource for low-tech users.

There are a few dozen tips on the US-CERT website that cover a wide range of topics at a level the layman can understand.

A good resource for your friends and family. Topics include everything from choosing passwords to VoIP.

http://www.us-cert.gov/cas/tips/

Bill

Use EFS!

Monday, June 12th, 2006

From Sans NewsBites:

Laptop in Lost Suitcase Holds Grocery Chain Retirees’ Pension Data
A laptop that was in a checked bag lost by a commercial airline last month contained personal data belonging to people who have retired from four US grocery store chains owned by Ahold USA. The affected former employees have been notified by letter, but the company is not releasing information about the number of people affected. An Electronic Data Systems Corp. employee lost the computer; that company provides data processing services for Ahold USA’s pension plan. An EDS spokesperson said the employee violated company policy by placing the computer in checked luggage.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953
-http://www.usatoday.com/money/industries/technology/2006-06-02-lost-grocery-data_x.htm
[Editor's Note (Ranum): The important phrase here is: "the employee violated company policy by placing the computer in checked luggage." Since a great deal of security practice today is based on procedural "controls" rather than technical enforcement you can see exactly how effective it is: all you need is one person who ignores the procedures and you're in a world of hurt. A more pertinent question would be "why is it even possible for people to gain unfettered access to complete subsets of a database?" ]

More Missing Laptops
A laptop lost on an airline flight contained data, including names, Social Security numbers and fingerprints, belonging to nearly 300 IRS employees and job applicants. The IRS plans to send letters to all people affected by the potentially exposed data.
-http://www.msnbc.msn.com/id/13152636/
(6 June 2006)
Four laptop computers stolen from the offices of Buckeye Community Health Plan in Columbus, Ohio contained data belonging to 72,000 subscribers in three counties and medical data belonging to 13,000 subscribers. The company plans to notify all those affected by letter.
-http://www.insurancejournal.com/news/midwest/2006/06/06/69179.htm?print=1
(1 June 2006)
Two laptop computers stolen from the offices of the YMCA of Greater Providence (RI) contained personal data, including names, addresses and some credit card, bank routing and Social Security numbers, belonging to more than 65,000 YMCA members. The YMCA plans to notify members of the security breach.
-http://www.projo.com/digitalbulletin/content/projo-20060601-ymca.4420eea2.html

Technologies such as EFS can solve this problem quite easily.

Yes, the data might still be stolen, but it will be relatively secure from prying eyes, especially if full-disk encryption is used so that slack and swap space are encrypted as well.
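As an added illustration (not part of the original post), the PowerShell script below audits a folder for files that EFS does not yet protect, encrypts the folder with the built-in cipher.exe, and then overwrites free space on the volume so plaintext left behind by earlier unencrypted copies (the "slack" mentioned above) is not recoverable. The folder path is a placeholder; it assumes an NTFS volume on Windows.

```powershell
# Added example: EFS audit and encryption for a folder of sensitive data.
# $Path is a placeholder; replace it with the folder that holds the records.
param([string]$Path = 'C:\PensionData')

# Return every file under $Root whose Encrypted attribute is NOT set.
function Get-UnencryptedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

$before = Get-UnencryptedFiles -Root $Path
Write-Host "Files not protected by EFS before: $($before.Count)"
$before | ForEach-Object { Write-Host "  $($_.FullName)" }

# /E encrypts, /S:<dir> recurses into the folder, /A applies to files as
# well as directories. Marking the folder also encrypts files created later.
cipher.exe /E /S:$Path /A | Out-Null

$after = Get-UnencryptedFiles -Root $Path
Write-Host "Files not protected by EFS after: $($after.Count)"

# EFS only protects file contents. /W overwrites unused space on the whole
# volume so remnants of earlier plaintext copies cannot be carved from disk.
$volume = (Get-Item $Path).PSDrive.Root   # e.g. C:\
cipher.exe /W:$volume | Out-Null
```

The pagefile is outside EFS's reach, which is why the post points to full-disk encryption for swap space.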

Bill

… And here’s how it’ll get done

Monday, June 12th, 2006

Earlier, I ranted about the need for organizations to pay steep financial costs for insecure operations.

Veterans are filing a class-action lawsuit against the Department of Veterans Affairs.
( http://www.techweb.com/wire/security/188702623 )

This is a good first step, but in this case, you and I pay the bill. I’d like to see the courts or the VA offload this burden onto the contractor who was negligent.

Note: This story starts by describing that the situation with the stolen Veteran information was even worse than originally revealed:

On the same day that a coalition of veteran’s groups filed a class-action lawsuit against the Department of Veterans Affairs over the theft of some 26.5 million identities, the federal agency admitted that the breach affected not only past members of the military, but also nearly 80 percent of the active-duty force.

Bill

Lost Ernst & Young Laptop Contained Hotels.com Customer Data

Friday, June 9th, 2006

Headlines like this are becoming more and more common. Last week it was the “misplacement” of data on every veteran since the ‘70s!

Lost laptop. Contractor steals data. Breach of security.

Full disclosure requirements like the laws in place in California and other states require companies to disclose to every potentially harmed individual when a suspected breach of information security occurs.

Laws like this are a good thing. In the US, you don’t have rights to your personal information. Strong laws to protect your information are needed. But more effective would be significant financial repercussions for an organization that loses data.

The technologies to prevent much of this theft of data exist. But organizations will not be compelled to adopt them until the fear of death is placed in them! So, hit a business where it hurts most, the bottom line.

Here’s an idea. $1,000 per customer record. The money will go to the school district where the victim resides. Of course, this doesn’t offset the cost to the victim in terms of credit restoration.

My girlfriend’s data was stolen in the Hotels.com laptop theft fiasco. The Hotels.com people offered free 3-bureau credit monitoring for a year. That’s a good start… EFS is another good start… lol

Bill

US Officials Want ISPs to Retain Two Years of Data

Friday, June 9th, 2006

From the SANS Institute:

“In an effort to combat child pornography and terrorism, US Attorney General Alberto Gonzales and FBI Director Robert Mueller have asked Internet companies to retain data on people’s web activity for as long as two years. Justice Department spokesman Brian Roehrkasse said the government must have proper legal authority to obtain the records, which would include Internet searches and email traffic, but not the contents of the email.”

Privacy is a touchy issue. Initially my thoughts on this were, “big deal.”

But the more I thought about it, the more absurd this request seems.

Here are some points to consider:

  • The cost this burden places on ISPs. Two years of data is a lot of data.
  • Here, the government is asking the ISPs to do what the government can’t do legally. The Federal Wiretap Statutes allow ISPs to log this type of data if it is a part of their normal operations. The government cannot log this data in real time without a warrant. “We can’t do it legally, so let’s ask someone who can.” The goal is the same: your privacy is PWNED by the man.
  • There is no meaningful way to tie searches and email to an individual. This evidence is circumstantial even more so than normal digital evidence (if that’s possible… hehe). A determined wrongdoer will go to some effort to conceal his identity. Web anonymizers, internet cafes, piggybacking on your neighbor’s WAP, and online email accounts are just a few examples of how one might avoid detection.
  • What happened to Omnivore and Carnivore? Is this the same thing except with a different perpetrator?

I’ll be interested to see how this shakes out.

Bill