Home/ CIPP Information Privacy & Security News/ Group items tagged chain

Karl Wabst

Trust but verify: Security risks abound in the IT supply chain -- Government Computer News - 0 views

  •  
    With one in 10 information technology products on the market considered counterfeit, and software products developed across the globe at risk of subversion, it is hard to overstate the national security concerns regarding the use of IT products delivered through the global supply chain.
Karl Wabst

Walgreens Links to HealthVault - 0 views

  •  
    "Drug store chain Walgreens now enables its pharmacy patients to download their prescription history from the Walgreens.com Web site to a personal health record on the Microsoft HealthVault platform. The Deerfield, Ill.-based chain announced last June it would link to HealthVault. Patients registered on Walgreens' site already can access their complete prescription history. Now, that history can also reside in a HealthVault PHR and be automatically updated. Patients can enroll with HealthVault directly from the Walgreens site. The partnership will promote stronger collaboration among patients, pharmacists, physicians and other providers, says Don Huonker, senior vice president of health care innovation at Walgreens. More information is available at walgreens.com/pharmacy and healthvault.com. "
  •  
    Think twice before giving Microsoft your personal health care information.
Karl Wabst

Chicago Links Street Cameras to Its 911 Network - NYTimes.com - 0 views

  •  
    At first glance, Chicago's latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller's location is beamed onto a dispatcher's computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest. That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications. "We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive," Mr. Orozco said. The technology, a computer-aided dispatch system, was paid for with a $6 million grant from the Department of Homeland Security. It has been in use since a trial run in December. "One of the best tools any big city can have is visual indicators like cameras, which can help save lives," Mr. Orozco said. In addition to the city's camera network, Mr. Orozco said, the new system can also connect to cameras at private sites like tourist attractions, office buildings and university campuses. Twenty private companies have agreed to take part in the program, a spokeswoman for Mr. Orozco said, and 17 more are expected to be added soon. Citing security concerns, the city would not say how many cameras were in the system. Mayor Richard M. Daley said this week that the integrated camera network would enhance regional security as well as fight street crime. Still, opponents of Mr. Daley's use of public surveillance cameras described the new system as a potential Big Brother intrusion on privacy rights. "If a 911 caller reports that someone left a backpack on the sidewalk, wil
Karl Wabst

CVS to pay $2.25 million to settle privacy case - 0 views

  •  
    Woonsocket-based CVS Caremark Corp., the largest U.S. drugstore chain, has agreed to pay $2.25 million to settle federal charges that company employees compromised customer privacy by throwing prescription records and drug bottles into open trash bins. The Federal Trade Commission said its investigation with the Health and Human Services Department followed media reports that trash bins behind CVS pharmacies contained pill bottles bearing patient names, credit-card and insurance information, and Social Security numbers. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies said. The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit-card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver's license numbers and account numbers. Names of the patients' doctors were also included. The settlement "will restore appropriate privacy protections to tens of millions of people across the country," FTC chairman William Kovacic said in a statement. "It also sends a strong message" that organizations "are required to secure consumers' private information," he said.
Karl Wabst

Why Are You Following Me? 01/30/2009 - 0 views

  •  
    Educating consumers about what behavioral targeting is and is not up to, deep within the cookies of their browser, seems to be a bit like alternative energy development. Pretty much everyone says the industry should be doing more about it, and yet it is hard to see where and with whom it starts. Most online materials related to BT are pitched to one end of the value chain, marketers. It's not clear to me that most of the companies in this space are even comfortable talking directly to consumers, let alone taking the time to develop an accessible language to describe their process. Specific Media controls the BehavioralTargeting.com domain and uses it to educate marketers about its methods. Even the Wikipedia entry for this field is really an explanation for advertisers. This is understandable, since most people who are familiar with the term likely come from the industry. But it seems to me the industry misses an opportunity to practice more often, and in more places, what it knows ultimately needs to be done. You guys need to find better, clearer, simpler ways to explain what it is you are doing in our browsers -- and why you are doing it. And what are the real benefits and risks a consumer incurs by tacitly agreeing to your presence? Isn't every possible point of contact with a suspicious consumer a teachable moment? In an earlier post, I recounted how I struck some retargeting gold when FetchBack tagged and remarketed me during my travels online. An opt-out option is clearly available at the front page of the FetchBack site. Unfortunately, from there you either opt-out (kick over to the Network Advertising Initiative site) or click into a long scrolling privacy policy that doesn't actually get around to explaining retargeting until a few screens down.
Karl Wabst

Heartland could face litigation over data breach - Technology Live - USATODAY.com - 0 views

  •  
    Legal woes may be next for Heartland Payment Systems, a payment processor that reported a major security breach this week. Depending on the results of the ongoing investigation, Heartland is likely to face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data theft cases. "The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud," says Vernick. The fact that Heartland's systems were certified as being fully in compliance with data handling rules, called the PCI standards, raises questions about the efficacy of such standards. Hannaford Brothers grocery chain was likewise fully PCI compliant when it had 300 stores hacked and 4.3 million records swiped..... "This latest incident shows how, despite companies being compliant with regulations such as PCI, they are still a long way from being secure," says Mike Rothman, senior vice president of strategy at eIQnetworks.
Karl Wabst

Judge to decide if Hannaford data breach should go to trial | Portland Press Herald - 0 views

  •  
    A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers. Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial. The upcoming ruling will determine whether parts or all of the suit will go forward. The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen? "These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can." Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida. More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.
Karl Wabst

Security book chapter: The Truth About Identity Theft - 0 views

  •  
    The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall
Karl Wabst

FTC Issues Final Order In CVS Caremark Data Security Case - data privacy/Privacy - Dark... - 0 views

  •  
    The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.
Karl Wabst

Delete 10 Facebook friends, get a free Whopper | The Social - CNET News - 0 views

  •  
    Facebook's developer platform has been used for a zillion marketing campaigns so far, but this one is actually dead-on hilarious. Fast-food chain Burger King has created "Whopper Sacrifice," a Facebook app that will give you a coupon for a free hamburger if you delete 10 people from your friends list. Burger King has put out some interesting campaigns as of late ("Whopper Virgin," "Subservient Chicken"), but this one piques our interest because of how gleefully it pokes fun at our social-networking obsessions. "Now is the time to put your fair-weather Web friendships to the test," the Whopper Sacrifice site explains. "Install Whopper Sacrifice on your Facebook profile, and we'll reward you with a free flame-broiled Whopper when you sacrifice ten of your friends." The funniest part: The "sacrifices" show up in your activity feed. So it'll say, for example, "Caroline sacrificed Josh Lowensohn for a free Whopper." Unfortunately, you can't delete your whole friends list and eat free (however unhealthily) for a week. The promotion is limited to one coupon per Facebook account. My Facebook friends had better appreciate the fact that I made a New Year's resolution to cut out red meat. Hint, hint.
Karl Wabst

Hacker in U.S. identity theft case to plead guilty | U.S. | Reuters - 0 views

  •  
    The man accused of masterminding the largest identity theft in U.S. history agreed to plead guilty to related charges, according to court papers filed in Boston federal court on Friday. Albert Gonzalez is accused of helping to steal millions of credit card and debit card numbers from major U.S. retail chains, leading to tens of millions of dollars in fraudulent transactions. A former government informant who is already in jail, Gonzalez, 28, agreed to plead guilty to 19 counts in Massachusetts by September 11. The agreement also resolves charges pending in federal court in New York.
Karl Wabst

Web Mail Company to Pay Prize After CEO Hacked - PC World - 0 views

  •  
    Did we need more proof that a chain is only as strong as its weakest link?
  •  
    A secure Web mail company that challenged hackers to break into the company's Web mail system is paying out a US$10,000 prize, just days after launching the contest. A team of hackers managed to hack into StrongWebmail CEO Darren Berkovitz's Web mail account, using what's known as a cross-site scripting (XSS) attack, the company confirmed Monday. "They did it using an XSS script that took advantage of a vulnerability in the backend webmail program," StrongWebmail said in a statement. StrongWebmail launched the contest at the end of May as a way of promoting the voice-based identification technology sold by its parent company, Telesign. Hackers were given Berkovitz's e-mail address and password and challenged to break into the account. The company thought this would prove difficult because StrongWebmail requires a special password that is telephoned to the user before e-mail can be accessed.