[SecurityRatty] tag: jon

Four signs your security program's gone too far

Tue, 24 Jun 2008 09:00:00 +0000

Security's important, and risk must be addressed, right? Sure, but Jon Espenschied suggests you watch for four signs your policies go a bit overboard.

Podcast Party with Shimmy & Mitchell

Fri, 20 Jun 2008 13:28:00 +0000

I guess Alan was bored, or couldn’t find a guest for last night’s podcast, so he grabbed me ;)

Of course, I was still trying to get work done at 10:30pm, but it was a nice 45-minute distraction from my dozens (or hundreds) of 802.1X technical pages.

You, too, can bask in the amusement that is Shimel and Ashley’s SSAATY Podcast and hear a few of my random thoughts and ramblings. I have a few more thoughts to throw on the Rohati pile probably, but we’ll get to that another day.

Below if from Alan’s blog post.

StillSecure, After all these years, #55 - JJ in the house
Episode 55 of SSAATY is a fun one. Mitchell and I are joined by JJ, Jenifer Jabbusch of Security Uncorked blog. JJ is someone I have gotten to know over the last year or so and she is a lot of fun. On top of that she is very technical and huge supporter of 802.1x, NAC and security in general.
JJ, Mitchell and I talk about Rohati, NAC, 802.1x and a bunch of other stuff in our usual rambling, stream of consciousness style. It is about 40 minutes of informative good times.
If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com
Thanks to ClickCaster for hosting our podcast. Tonight’s music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley.

Listen online here:
http://www.clickcaster.com/channel/item/stillsecure—after-all-these-years—podcast-55-with-jj

# # #

StillSecure, After all these years, #55 - JJ in the house

Fri, 20 Jun 2008 06:01:37 +0000

Episode 55 of SSAATY is a fun one. Mitchell and I are joined by JJ, Jenifer Jabbusch of Security Uncorked blog. JJ is someone I have gotten to know over the last year or so and she is a lot of fun. On top of that she is very technical and huge supporter of 802.1x, NAC and security in general.

JJ, Mitchell and I talk abour Rohati, NAC, 802.1x and a bunch of other stuff in our usal rambling, stream of consciousness style. It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonights music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Or download here:

mp3

StillSecure, After all these years, #55 - JJ in the house

Fri, 20 Jun 2008 05:02:02 +0000

JJ, Mitchell and I talk abour Rohati, NAC, 802.1x and a bunch of other stuff in our usal rambling, stream of consciousness style. It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Or download here:

mp3

Castlecroft Medical Practice patient information at risk

Thu, 19 Jun 2008 07:54:50 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument. In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Those wild and crazy guys are back! - SSAATY #54

Fri, 30 May 2008 08:03:54 +0000

Mitchell and I are back! It has been a few months, but the stars finally lined up to allow us to record a show. It was great being back behind the microphone again. Mitchell and I discussed a number of topics:

1. Recent penetration of the FBI
2. TJX fires an employee for disclosing lax security
3. Barracuda makes an offer for Sourcefire
4. G.hos.st

Along with the usual back and forth. Hopefully it will spur us on to do more of podcasts!.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Or download here:

mp3

Those wild and crazy guys are back! - SSAATY #54

Fri, 30 May 2008 07:04:59 +0000

1. Recent penetration of the FBI
2. TJX fires an employee for disclosing lax security
3. Barracuda makes an offer for Sourcefire
4. G.hos.st

Along with the usual back and forth. Hopefully it will spur us on to do more of podcasts!.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Or download here:

mp3

Parents can't afford to let their guard down when it comes to their children's safety

Fri, 23 May 2008 00:35:00 +0000

I was very fortunate last night to have been able to attend a presentation in Richmond by the well known Criminal and Behavioral Profiler, Dr. Clinton Van Zandt.
Dr. Van Zandt adressed a dinner which was organized by the Private Investigators Association of Virgina. Attendees were kept spell bound by inside sories involving the Jon Bennet Ramsey murder, The Unibomber, The Beltway Snipers and more.

Last month I was also fortunate to have been able to hear Col. Dave Grossman speak eloquently and passionately about the tragic school shootings in which he has been called in to assist educators and parents understand. One thing is clear from listening to both men, parents need to be ever mindful of the fact that they are their children's protectors. They are the sheepdogs, ever on the lookout for marauding wolves.

If you are a parent, or an educator or a security professional, I strongly urge you to read up on the teachings of these learned men and jump at the opportunity to hear them live if at all possible. I personally guarantee you that you will not be disappointed.

Silver Bullet Talks with Jon Swartz

Thu, 22 May 2008 10:32:01 +0000

Silver Bullet host Gary McGraw chats with USA Today reporter, Jon Swartz about security.

Opinion: Where are those infosec jobs?

Thu, 22 May 2008 09:00:00 +0000

Those news reports of vastly increased information security spending just around the corner may sound awfully cheerful, but Jon Espenschied detects some lazy -- or is it wishful? -- thinking.