Category Archives: Personal Data Security

Posts relating to how government and business are keeping your personal information secure. (Or not.)

Virus Attack

Got the following emails at work in relation to the attack by a virus on the city’s computers. This looks a bit more widespread than “16 computers” as they were claiming to the Chronicle.

PWE Employees,

The City of Houston network is currently experiencing connectivity issues with the following departments/divisions due to a virus outbreak:

* 311 Call Center
* Municipal Courts (Court View Connection)
* Jail Processing Units
* Legal Department
* Parking Management

These departments and divisions have been quarantined and/or isolated by our Information Technology Department who is working diligently to eradicate this problem.

We are asking all PWE users to contact our helpdesk at 713.xxx.xxx, if you experience any problems with your system or if you receive any messages regarding a “Microsoft Installation.” Please do not access the Microsoft website for any updates at this time until we receive an “all clear” from the Information Technology Department.

If you have a laptop, please ensure your system has the latest updates before you connect to the network.

Thank you for your continued support.

PWE Information Technology Department

The first thing I notice is that the media haven’t said anything about the 311 system. That’s the main call-taking system for non-emergency services. If 311 is compromised, is 911 safe? One hopes they use better security at the HEC, but then, it is the HEC, which has never seemed all that technically savvy.

The second thing I notice is, how do these idiots expect anyone to update their laptop BEFORE connecting to the city’s network? They have to connect to the network to get online! Oh, right, connect to your own network at home and compromise it. Sure. Look, any laptop, anywhere, at any time, is an infection vector because they’re not connected to the network at the time you’re trying to clean it. Since many viruses will spike the update features or spoof AV programs, the odds of an infection never making it back into the network from a hiding place on someone’s laptop are close to nil.

The second email I received Friday said this:

PWE Employees,

Due to the recent virus outbreak that has occurred in various areas in the City, the PWE IT staff is working diligently to ensure the safety of our user community. We are in the process of deploying the necessary security updates to your computer.

We are asking you to shut down your computer before leaving for the day. If you see the option to install updates and shut down please do so.

If you have any questions or concerns, please contact the help desk at 713-xxx-xxxx.

Thank you for your continued support.

PWE Information Technology

I don’t envy our IT people their job right now… I’ve been fighting an unrelated (I think) virus infestation for the last few days, which I wasn’t able to solve until I junked the major commercial solutions and went to Brand X online. (Specifically: AVG antivirus, and I returned to Zone Alarm for my firewall. Screw you Norton, you couldn’t solve it, and left dozens of tracking cookies you were supposed to remove.)

It will be interesting to see if the city can get the problem solved by Monday.

Your SSN: Not Confidential

The Attorney General ruled some weeks ago that your social security number was confidential and could not be disclosed under the Texas Public Information Act. “Well, hell,” you say, “That only makes sense.”

Of course, it made too much sense to last for long. Only a few weeks after putting it into effect, TX AG Greg Abbott has suspended the decision for sixty days, meaning it has no force. Why? Because of the huge number of old records containing people’s Social Security numbers that are on file in various county clerks’ offices.

Earlier, Abbott had said Social Security numbers for living people are confidential and must be exempted from required disclosure under the state’s Public Information Act. But the ruling created unmanageable complications for county clerks responsible for decades-old documents that often contain many Social Security numbers, publicly filed during previous eras when they weren’t valuable tools for identity thieves.

Many county clerks closed their operations, which halted real estate and other transactions.

Long-time readers know that I don’t have much sympathy for elected or appointed officials that don’t want to do their job because it’s inconvenient. This comes across as not much more than holding a “snit-fit” to force Abbott to change his mind–and it seems to have worked for now. In truth, I know this is going to be extremely inconvenient because we’re facing much the same issue where I work. We’ve got tens of thousands of legacy records with SSNs on them, and there’s no reasonable (or legal) way to delete them all. The original source file cannot be deleted; we have to have the information, so we’re changing procedures to prevent SSNs and TDLs from getting into permanent records that are subject to TXPIA requests. County clerks are in an even worse position; the records they keep can’t be deleted at all, since they’re THE records for property, taxes, and many other official items.

The only way to handle it is to require a close inspection of every document handed over under request. Unfortunately, some of those requests are not small, but may encompass hundreds, even thousands, of records. And not every county has the resources of Harris or Fort Bend to review them carefully. The problem is, with identity theft becoming a bigger problem all the time, old records like these represent a potential gold mine for thieves, yet clerks’ offices don’t want to (and in some places can’t) bite the bullet and request increases in personnel to either expunge the records, or inspect and redact confidential information prior to handing them over to requesters.

“I do appreciate the attorney general staff’s willingness to work with us on this. The process can work if people don’t go nuclear,” [House Ways and Means committee chairman] Keffer said.

Look, you don’t want to see nuclear? Then make damn sure SSNs are protected. If clerk offices need help funding the removal of such records, postpone a freeway somewhere to come up with state money to give to the clerks, and devise a properly wasteful program to hire some cronies of the local Commissioner’s Court to come in and do the job. (What, cynical? Me?) Whatever it takes.

And you, dear reader, should not let the Legislature take this up in a vacuum. Make damn sure your state senator and representative hear from you on this score.

After all, it’s only your life, your fortune (such as it is), your good name, your credit, and your peace of mind at stake here. Think about it: Do you live in a municipality? Have you ever given your SSN or TDL to a governmental utility? Or to any government agency? Oh wait, TXDOT has your TDL don’t they? After all they issued it….

Be afraid. Be very afraid. And contact your representative now.

A Cost Analysis of Content Protection in Windows Vista

via Pixy Mixa:

Peter Gutmann has a few words to say about the content protection in Bill Gates’ next epic O/S.

“The Vista Content Protection specification could very well constitute the longest suicide note in history.”

For the record, ALL of my systems are still on Win2k, and I have no intention of upgrading further until Bill Gates personally beats me over the head with a few million dollars to make up for the grief his next O/S would cause.

Mr. Gutmann makes some very important points about the vulnerabilities of such an O/S, along with dire predictions of what might happen the first time someone slips a CD into a PC also used to view medical scans/imagery. I don’t know how common it is to make diagnoses on a Windows PC, but they’re sure trying to make it less common. Bill Gates better hope that a significant number of Fortune 500 companies never get so tired of the constant security problems and forced upgrades that they decide to get together and jointly declare that they plan to standardize around “Flavor X” of Linux…

Chump Change

In what has to be the lamest excuse for a “penalty” ever, Sony BMG has been fined all of a whopping $1.5 million for massively FUBARing at least hundreds of thousands of computer systems, and making them vulnerable to hackers.

Sony BMG Music Entertainment will pay $1.5 million and kick in thousands more in customer refunds to settle lawsuits brought by California and Texas over music CDs that installed a hidden anti-piracy program on consumers’ computers.

Not only did the program itself open up a security hole on computers but attempts to remove the software also damaged computers.

Announced Tuesday, the settlements cover lawsuits over CDs loaded with one of two types of copy-protection software — known as MediaMax or XCP.

Personally, I regard this as way too little punishment for what is no less than utterly callous disregard for the security of computer systems everywhere. Sometimes, people can listen to music CDs at work. What if this piece of crap had made systems containing crucial private data vulnerable? Like, for instance, the computers at a medical or insurance company? Simply put, computer security isn’t going to become a top priority in many places until some companies are burned, and burned badly in civil court. Until then, all we can do is be as careful as possible with our personal data. It won’t stop abuse in the long run, but there’s no reason to make it ridiculously easy for the bad guys.

Just to note: the article is from the AP, and out of Los Angeles. You’d think that the “world class” Chronicle could at least try to localize it by getting some commentary from Richard Garfield, or something.

Cell Phone Insecurity

Forget about your personal information being retrieved from a stolen laptop. The real danger? Your discarded cell phone.

A popular practice among sellers, resetting the phone, often means sensitive information appears to have been erased. But it can be resurrected using specialized yet inexpensive software found on the Internet.

A company, Trust Digital of McLean, Va., bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.

The problem? A common shortcut taken by every cell phone manufacturer.

The 10 phones Trust Digital studied represented popular models from leading manufacturers. All the phones stored information on “flash” memory chips, the same technology found in digital cameras and some music players.

Flash memory is inexpensive and durable. But it is slow to erase information in ways that make it impossible to recover. So manufacturers compensate with methods that erase data less completely but don’t make a phone seem sluggish.

Worse, they were stupid and careless about including the logical “full erasure option.”

Palm Inc., which makes the popular Treo phones, puts directions deep within its Web site for what it calls a “zero out reset.” It involves holding down three buttons simultaneously while pressing a fourth tiny button on the back of the phone.

But it’s so awkward to do that even Palm says it may take two people.

Seriously, how damn difficult is it to program the phone to respond:
“WARNING: You are about to erase ALL DATA on your phone, including stored phone numbers, contact lists, e-mails, and ring-tones! If you wish to erase your phone’s memory, enter the following 4 digit number: 1234 followed by *. To cancel, press any other button. Full deletion may take several minutes.”

Trust Digital found no evidence thieves or corporate spies are routinely buying used phones to mine them for secrets, Magliato said. “I don’t think the bad guys have figured this out yet.”

Well, they damn sure know now. At least some folks in the government aren’t stupid, though.

President Bush’s former cybersecurity adviser, Howard Schmidt, carried up to four phones and e-mail devices — and said he was always careful with them. To sanitize his older Blackberry devices, Schmidt would deliberately type his password incorrectly 11 times, which caused data on them to self-destruct.

So what should you do? I’d recommend listening to this guy:

Peiter “Mudge” Zatko, a respected computer security expert, said phone owners should decide whether to auction their used equipment for a few hundred dollars — and risk revealing their secrets — or effectively toss their old phones under a large truck to dispose of them.

Actually, that’s overkill. Just get the flash memory chip out, and smash that little bugger. Or burn it.

Laptop (In)Security IV

Now the laptop thieves have hit D.C.’s municipal employees.

A laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees has been stolen, officials said.

The computer was stolen Monday from the Washington home of an employee of ING U.S. Financial Services, said officials with the company, which administers the district’s retirement plan.

The company did not notify city employees of the theft until late Friday because it took officials several days to determine what information was stored on the laptop, ING spokeswoman Caroline Campbell said.

The laptop was not password-protected and the data was not encrypted, Campbell said.

Ok, it’s about time that the City of Houston and HMEPS (Houston Municipal Employee Pension System) got off their collective asses and addressed this problem. I have no way of knowing if my personal data is secure or not, and frankly, from a discovery I made this week while looking for some records, I would wager NOT. (Appropriate authorities were notified.)

The city of Houston, with 22,000 current employees and who knows how many retirees, needs to get on top of this problem ASAP, and assure its employees and retirees that it is actively protecting their personal data. Not only that, it needs to work harder to keep the personal data of all its citizens private. In our department, such records control is “under review” but the truth is, it’s a low priority–we’re “going to fix it,” but right now our attention is focused on our day-to-day processes and coping with the stress they’re under, plus the federally mandated disaster training and the SAP change-over.

Little things like ensuring that everyone’s private data remains private are for “when we get a minute.” And for some businesses working for cities and pension boards, it doesn’t even rate that high.

City officials said they were disturbed about how the data was stored and that the company waited to report the theft.

“We are concerned that this information was being managed without protection,” said Mary Ann Young, spokeswoman for [D.C.’s] chief financial office….Two other ING laptops containing information on 8,500 Florida hospital workers were stolen in December, but the employees were not notified until this week, said ING spokesman Chuck Eudy. Neither laptop was encrypted, he said.

I looked through the last yearly report from HMEPS, but I find no mention of ING. Of course, any of the agencies listed there could be local, branch, or affiliate offices; I have no way of knowing and it’s too many to try running internet searches; I still have to get the Agenda report done and some personal matters are significantly in the way (I may be a day late with it, unfortunately.)

It’s times like this I really have a problem with not being able to do primary research by asking important people inconvenient questions….

Laptop (In)Security III

Some folks just do not learn. Unsurprisingly, they’re with the federal government.

But speaking of government, what has the city been doing to keep our records safe lately? From what I’ve heard, the Health Department’s recordkeeping is fairly lax (almost as bad as HPD’s storage rooms)–but I don’t know how much of that is lax paperwork security and how much is lax computer security. And I have no idea about the city’s Human Resources department — which scares me. I’m also concerned we’re not moving fast enough either, but right now lots of employee time and effort are being taken up in the SAP change-over and the federally mandated disaster training.

Laptop (In)Security II

You had to know it was coming after all that.

On June 6, the Department of Veterans Affairs was hit with two class action lawsuits related to the theft of an employee’s laptop computer. The theft, reported in late May, held the information of 26.5 million current and former servicemen. The veterans behind the suit are seeking $1,000 for each person whose information was stolen.

I recommend that anyone who owns a credit card go read this article. This is exactly what I was afraid of: a fig-leaf policy that wasn’t enforced.

According to information in the complaint, the VA employee whose laptop was stolen had been taking the personal information home routinely for at least three years despite organizational policies that forbid it.

“Even though the federal government has been after the VA to do something about this for years, it’s clear they felt they could thumb their noses at the existing regulations,” said Rosinski. “This wasn’t an issue of ignorance; it was an issue of people who refused to improve data security policies even when told to do so.”

Would the Human Resources, Police, Health, and Public Works Departments like to comment on what they’re doing to safeguard citizen and employee records? Especially the HR Department. Inquiring minds want to know. I can tell you, we’ve looked at it in Public Works, and the reaction when we realized how deep the problem is, was “Yikes!”

There will be changes, oh yessssss…..

Laptop (In) Security

I think, at this point, any company that allows employee data to be loaded onto a laptop should be held liable for damages if that information is compromised due to the theft of the laptop. As some of the above companies did have such a policy, and their employees or auditors violated it, clearly the company must also have an enforcement strategy, not merely a “fig-leaf” policy.

Update 6/7/06: Thieves strike again. H/T to SDB.