security/privacy

March 24, 2008

Stolen NIH laptop with un-encrypted patient data

From WaPo:

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.

Security Now! podcast

This is part of the Leo Laporte TWIT.tv podcasts that cover tech from various angles. Leo co-hosts Security Now! with Steve Gibson:

Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. Published every Thursday.

The most recent podcast was a Q&A from listeners and included such topics as IronKey (a hardware-encrypted USB flash drive), TrueCrypt (free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux), and the news story that the FBI had confiscated 400 counterfeit Cisco routers exported from China.

This is the type of podcast, as one of the listeners noted, that you don't listen to in the background. They go into enough technical detail that you would probably want to listen multiple times, but to make it easier to absorb the content Gibson puts up the transcript, a smaller MP3 file and other supporting material for each episode. So far, they're up to 136.

February 14, 2008

Facebook poses serious privacy risks via its APIs

From Adrienne Felt at the University of Virginia:

When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

February 13, 2008

The usefulness of biometric authentication in hospitals

This is John Halamka's take on the state of biometric authentication over the past 5 years:

- immature, hard to support technology

- challenged by false positive (granting access inappropriately) / false negative issues (denying access inappropriately), impacting user acceptance of the technology

- characterized by lack of integration with existing enterprise security systems

In the rest of the post he does point out that the convenience factor makes him consider the newer products that are being introduced. He talks about using a product for his ED which required a multi-step process for logging in. While this might work for someone using a tablet PC for hours, it eliminates the time savings associated with a handheld if you're only using it for minutes at a time.

The technologies worth exploring at this time:

For those seeking early experimentation with biometrics, I recommend a pilot of fingerprint scanning. Iris scanning requires more expensive hardware, hand geometry is harder to deploy, and facial recognition is much more experimental technology.
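The false positive / false negative trade-off above comes down to where the matcher's decision threshold is set. The following is an added example, not from Halamka's post or any vendor product: it computes the false accept rate (FAR) and false reject rate (FRR) over constructed match scores from a hypothetical fingerprint matcher and finds the threshold where the two error rates meet.

```python
# Added example: FAR/FRR threshold trade-off for a biometric matcher.
# The scores below are constructed (0..100 similarity scores from a
# hypothetical matcher), not measurements from any real product.
# "genuine" = the enrolled user presenting, "impostor" = someone else presenting.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 70, 63, 55, 48]   # low values: dry or smudged finger
IMPOSTOR_SCORES = [72, 65, 58, 55, 52, 47, 44, 38, 35, 30]  # high values: near look-alike prints

def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor attempts granted access (score >= threshold)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)

def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine attempts denied access (score < threshold)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)

def threshold_sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold, for side-by-side review."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]

def equal_error_threshold(genuine, impostor):
    """Lowest threshold where FAR and FRR are closest (the equal-error point)."""
    best_gap, best_t = None, None
    for t in range(0, 101):
        gap = abs(false_accept_rate(impostor, t) - false_reject_rate(genuine, t))
        if best_gap is None or gap < best_gap:
            best_gap, best_t = gap, t
    return best_t

if __name__ == "__main__":
    for t, far, frr in threshold_sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [50, 60, 70, 75]):
        print(f"threshold {t:3d}: FAR={far:.1f}  FRR={frr:.1f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives the false accepts toward zero but rejects more of the enrolled users, which is the user-acceptance problem the list above describes; a hospital deployment would pick the operating point from a sweep like this against its own enrolment data rather than from a vendor default.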

January 30, 2008

Bruce Schneier's "security theatre"

From Australia's ITnews.com.au:

Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.

These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.

His main beef is that he feels that public discussion is tainted with commercial and political self-interests (hmmm...sounds like health care) that may obscure the best workable solution.

He does waffle a little bit:

The best security solution will fail if it doesn't cater to both the reality and perceptions to do with security, Schneier warned.

So when you undo your belt buckle and take off your shoes at an airport TSA checkpoint, it's partly to make you feel safe?

They're discussing this on Slashdot, where I first saw this story.

January 03, 2008

Public-key cryptography illustrated, novelized and metaphor'ed

Here's a short video that illustrates public-key, AKA dual-key, AKA asymmetric cryptography, using tennis balls, padlocks and rubber gloves (I think just for a graphic effect).

It comes by way of BoingBoing.net, where Cory Doctorow mentions that it...

...does a good job, but it misses out on explaining the hardest -- and most interesting -- concept: private/public key-pairs that have the mathematically provable capability of unscrambling one-another's scrambled messages. I have a long section on this in Little Brother, my forthcoming kids' book about hacking for democracy, and I had to rewrite it more than once to get it right.

Dr. Eric Cole from the SANS (SysAdmin, Audit, Network, Security) Institute says, "I like to compare it to being a fine chef" when he talks about Diffie-Hellman key exchange in this YouTube video.

Encryption is important for maintaining security when using VPNs, and this explanation at HowStuffWorks compares symmetric to asymmetric protocols.
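The two ideas the videos and Doctorow describe, a key pair where each key unscrambles what the other scrambled and a Diffie-Hellman exchange where two parties agree on a secret over an open channel, are short enough to work through in code. The block below is an added example, not from the video, BoingBoing, SANS or HowStuffWorks. It uses constructed toy parameters (a 31-bit prime for Diffie-Hellman, two-digit primes for the RSA-style key pair) so the arithmetic can be followed by hand; real deployments use moduli of 2048 bits or more. The final step hashes the agreed secret into a symmetric key, which is the usual hand-off from the asymmetric protocol to the symmetric one that a VPN actually encrypts traffic with.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman parameters (an assumption for illustration, not a
# standardized group): a public prime modulus p and generator g. Both parties
# agree on p and g in the clear; only the private exponents stay secret.
DH_P = 2147483647   # 2**31 - 1, a prime small enough to follow by hand
DH_G = 7            # a primitive root mod DH_P

def dh_keypair(p=DH_P, g=DH_G):
    """Pick a random private exponent a and publish g**a mod p."""
    a = secrets.randbelow(p - 2) + 1        # 1 <= a <= p-2
    return a, pow(g, a, p)

def dh_shared_secret(my_private, their_public, p=DH_P):
    """Raise the other side's public value to my private exponent."""
    return pow(their_public, my_private, p)

def dh_exchange(p=DH_P, g=DH_G):
    """Run both sides of the exchange; each ends up with g**(a*b) mod p."""
    alice_priv, alice_pub = dh_keypair(p, g)
    bob_priv, bob_pub = dh_keypair(p, g)
    # Only alice_pub and bob_pub cross the wire; an eavesdropper sees p, g and
    # both public values but neither private exponent.
    secret_alice = dh_shared_secret(alice_priv, bob_pub, p)
    secret_bob = dh_shared_secret(bob_priv, alice_pub, p)
    return secret_alice, secret_bob

def derive_symmetric_key(shared_secret):
    """Hash the agreed integer into a 32-byte key for a symmetric cipher."""
    return hashlib.sha256(str(shared_secret).encode()).digest()

# Textbook RSA-style key pair from constructed small primes (toy values only;
# real keys use primes hundreds of digits long and proper padding).
def rsa_keypair(p=61, q=53, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)     # modular inverse, Python 3.8+
    return (n, e), (n, d)   # public key, private key

def rsa_apply(key, x):
    """Modular exponentiation; the same operation serves either key."""
    n, exponent = key
    return pow(x, exponent, n)

def keypair_roundtrip(message=65):
    """Show each key undoing what the other did, in both directions."""
    public, private = rsa_keypair()
    ciphertext = rsa_apply(public, message)    # anyone can scramble with the public key
    decrypted = rsa_apply(private, ciphertext) # only the private key unscrambles it
    signature = rsa_apply(private, message)    # only the private key can produce this
    verified = rsa_apply(public, signature)    # anyone can unscramble it with the public key
    return ciphertext, decrypted, verified

if __name__ == "__main__":
    sa, sb = dh_exchange()
    print("DH secrets match:", sa == sb, "symmetric key:", derive_symmetric_key(sa).hex())
    print("key pair (ciphertext, decrypted, verified):", keypair_roundtrip())
```

With the toy primes above, the message 65 scrambles to 2790 under the public key and comes back as 65 under the private key, and the private-key signature of 65 likewise unscrambles to 65 under the public key, which is the "unscrambling one another's messages" property Doctorow is talking about.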

September 14, 2007

More dating site e-mail spam, this time from YouTube

After the Quechup fiasco, I think more people are aware that seemingly innocuous invitations are simply new ways of spamming. This is an e-mail message I received today that uses YouTube. If you follow the link to YouTube, you're asked to either accept or reject the invite from this member. If instead you click on the member name, you see that their URL is a dating site.

This also happens with folks commenting on the videos that you upload. If you select e-mail notification for comments on your videos, you'll see all the comment spam. I know YouTube is actively working to prevent this.

Hi Bill,

I've been using YouTube to share personal videos with my friends and family. I'm inviting you to become my friend on YouTube so I can easily share videos with you in the future.

To accept my invitation, please follow this link and login. If you're not already a YouTube member, you can sign up first.

Thanks,
marcellacromwell1156

September 01, 2007

Quechup.com scam

Last night I received an e-mail invitation to join a "social networking platform sweeping the globe." Soon afterwards I received another from the same person warning me not to accept the invitation.

It's really a dating site, but worse, if you accept an invitation all of the folks in your e-mail program's address book will also get invitations.

IT'S A SCAM.

May 09, 2007

Failing grades for computer security among gov't agencies

John Paczkowski has a video describing some of the gov't computer security problems, namely losing laptops and hard drives, on his Digital Daily blog which is part of the new WSJ All Things Digital group blog.

Being a video, it's hard to quote and comment, but he did say that in a recent report card on federal computer security, the Dept. of Homeland Security scored a "D." Actually, it scored an "F" along with some other agencies (see link below). "D+" was the grade for the federal gov't overall for the past 2 years.

Federal agencies due for information security report cards

Last year, the federal government scored an overall grade of D+ for the second year in a row. Eight of the 24 agencies, including the Departments of Homeland Security, Defense, State, Energy and the Interior, received failing grades. Among the seven agencies that got at least an A- were the U.S. Department of Labor, the Social Security Administration and the Environmental Protection Agency.

WaPo has the complete report card for 2001-2005 in the form of a table.
