Group items tagged

"Federal agents can examine webcam photos and other information secretly collected from students' laptops and stored in the Lower Merion School District's computer network, a judge has ruled. Acting on a request from federal prosecutors, U.S. District Judge Jan E. DuBois agreed to broaden an earlier order that limited the release of the photos to the students or their parents and lawyers. His order was signed Friday and made public Monday. FBI agents and prosecutors want to review the images to see whether any laws were broken when school district employees activated a tracking system that snapped photos and copied screen images from lost or stolen laptops. Lower Merion school officials have acknowledged poor planning and oversight led the tracking system to capture at least 50,000 images - some showing teens or their relatives in their homes - from laptops that had already been returned to students."

Confused by the difference between privacy & security? What might your kid's laptop camera capture if it was secretly turned on by their school while searching for stolen laptops? Soon the FBI will be able to tell you.

More and more companies are recognizing that they're accumulating ever-increasing amounts of data but not necessarily gaining business insights from it. The missing link is the transformation of data into information that is comprehensive, consistent, correct and current. That isn't a problem technology can solve for you

"A simple search query has exposed Google Voice mail messages (audio and transcript) for anyone to see and hear. As first reported here, a user entering "site:https://www.google.com/voice/fm/*" into the Google search bar discovered random voice mail messages belonging to random Google Voice accounts (see screenshot below). Clicking on each revealed not only the audio file and transcript of the call, but it also listed the callers name and phone number as it would if you were checking your own Google Voice voice mail. I was able to replicate the issue and listen to several voice mail messages, including some legitimate ones with potentially sensitive information."

"Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser's form history."

Even a booster of electronic systems like David Blumenthal, who just started his Washington post as the national coordinator of health IT, points to a myriad of challenges when it comes to digitizing the nation's medical records. Just take a look at his piece this month in the New England Journal of Medicine, in which he cites technical concerns and worries about patient privacy, among other things. In an interview with the WSJ, he said problems can crop up if the systems are installed too quickly and without enough technical support. There are plenty of potential advantages that electronic records can bring, from helping hospitals and doctors get information quickly on patients' medical histories to making catches when two drugs are being prescribed that may interact dangerously together. But there are also risks: Take a look at a study in Pediatrics that cites the case of Children's Hospital of Pittsburgh, which initially saw a rise in the death rate for certain patients after computerizing its order-entry system, perhaps because it took longer to begin their treatment. (The hospital told the WSJ the study was "flawed," adding the mortality rate had fallen since then.) The WSJ also cites the case of a patient who was initially given an incorrect diagnosis based on a mix-up involving electronic records and a test result for another patient. Health Blog Question of the Day: What's been your experience with electronic records? Do they prevent safety problems or create new risks?

Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings-break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10-double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre

As they play in the global information economy, U.S companies stash away more data than they can handle effectively. The six-part 2009 New Data Center series opens with a look at how they're coping with the escalating problem.

Salesmen and parents know the technique well. It's called the takeaway, and as far as Keith Mularski is concerned, it's the reason he kept his job as administrator of online fraud site DarkMarket. DarkMarket was what's known as a "carder" site. Like an eBay for criminals, it was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards. In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site. Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement. A hacker named Iceman -- authorities say he was actually San Francisco resident Max Butler -- who ran a competing Web site, was saying that Mularski wasn't the Polish spammer he claimed to be. According to Iceman, Master Splynter was really an agent for the U.S. Federal Bureau of Investigation. Iceman had some evidence to back up his claim but couldn't prove anything conclusively. At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own. He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information. ....In the end they would regret that decision. Iceman was right

Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach. In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed. Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

Google never fails to surprise. It's the scope and scale of their ambitions that impresses me ranging as they do from relatively simple applications that are just way cool such as Sky Map, through their Chrome Web browser (which is now looking pretty stable), to the subject of this newsletter: Google Health. Google Health, which was launched as a beta (of course) in spring 2008, is a free repository for your personal health information. Using the service you can create online health profiles for yourself, family members or others you care for (these profiles can include health conditions, medications, allergies and lab results), you can import medical records from hospitals and pharmacies, share your health records with "your care network" (which may include family members, friends and doctors), and browse an online health services directory to find services that are integrated with Google Health. After you sign up you can import your medical records from Allscripts, Anvita Health, The Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of Massachusetts, The Cleveland Clinic, CVS Caremark, Healthgrades, Longs Drugs, Medco Health Solutions, Quest Diagnostics, RxAmerica and Walgreens. What you'll wind up with if you update all of the sections is a pretty complete health profile, which means that privacy has to be a concern. Interestingly, because becoming a subscriber is voluntary it appears that the service is exempt from the provisions of the Health Insurance Portability and Accountability Act of 1996.

Presentation from Peter Swire - Symposium on Enforcement, Compliance, and Remedies in the Information Society, Fordham Law School, New York, May, 2008.