<![CDATA[[SecurityRatty] tag: malfunction]]>

<![CDATA[[SecurityRatty] tag: malfunction]]> http://securityratty.com/tag/malfunction Wed, 01 Aug 2007 15:28:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[U of Texas Health Science Center takes responsibility for mailing error]]> http://securityratty.com/article/3649c53d9e7389c40a0c812fcd576dc7 http://securityratty.com/article/3649c53d9e7389c40a0c812fcd576dc7 Security Breach

Date Reported:
4/23/08

Organization:
University of Texas System

Contractor/Consultant/Branch:
University of Texas Health Science Center at Tyler
The CBE Group Inc.

Victims:
Patients

Number Affected:
Unknown*

*Roughly 2,000 medical bills were mailed, but the number of patients is not reported. Some patients may have received multiple bills.

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
"Some 2,000 medical bills were mailed around East Texas last week with patients' Social Security numbers visible on the envelope after a technical glitch skewed billing at the collection agency used by the University of Texas Health Science Center at Tyler. "

Reference URL:
Tyler Morning Telegraph

Report Credit:
Lauren Grover, Tyler Morning Telegraph with a special thanks to Attrition.org

Response:
From the online source cited above:

Some 2,000 medical bills were mailed around East Texas last week with patients' Social Security numbers visible on the envelope after a technical glitch skewed billing at the collection agency used by the University of Texas Health Science Center at Tyler.
[Evan] Why is it necessary to send someone a piece of mail with their Social Security number on it? The person receiving the bill probably already knows their Social Security number.

Chief Operating Officer Rob Marshall at UTHSCT said the problem was quickly addressed and fixed, but his disappointment in collection agency CBE Group Inc. might not be repairable.

"We're in negotiations ... I can't confirm or deny that we'll be with (CBE) in the future," he said Tuesday evening. "But we do have a different set of rules on handling issues like this and have already said how to safeguard this in the future."
[Evan] Is UTHSCT planning on sending a separate notification mailing to the people affected? No mention in the article.

The number of area residents whose numbers were exposed isn't known because multiple bills could have gone to one patient, said spokeswoman Rhonda Scoby.

The Social Security numbers were never floating around the public, but were sent from secure sites at UTHSCT to CBE and then straight to the post office and to the patient's home, she said.
[Evan] There are a few more steps along the way, such as post office routing and delivery. It used to be safer to send confidential information in the mail. Not so anymore.

The hospital is taking full responsibility for the error and asking all affected patients to contact their business office, Marshall said.
[Evan] The UTHSCT business office can be contacted by calling (903) 877-7172.

"It was a small glitch that we absolutely own up to and want to be able to take care of anyone who has issue as a result," he said.
[Evan] Then at the very least, put something on the UTHSCT web site for affected people to refer to (I couldn't find anything).

While CBE officials are still investigating the cause of the error, added software and quality control is in place to catch any further malfunction, Marshall said.

Commentary:
The one burning question is why are Social Security numbers present on billing statements to begin with? Or was this the problem all along, they were never supposed to be anywhere on the billing statement?

Past Breaches:
October, 2007 - University of Texas students exposed on FTP site

]]> Tue, 29 Apr 2008 11:55:24 +0000 social security uthsct uthsct web site collection agency collection agency cbe cbe cbe officials uthsct business office patients U of Texas Health Science Center takes responsibility for mailing error <![CDATA[Five-year-old wanders into bank branch after-hours]]> http://securityratty.com/article/9277631ebe279d10b96712f6288d23a0 http://securityratty.com/article/9277631ebe279d10b96712f6288d23a0 Security Breach

Date Reported:
2/6/08

Organization:
HSBC Group (UK)

Contractor/Consultant/Branch:
Market Place, Easingwold

Victims:
Potentially customers, but no confirmed loss or theft occurred

Number Affected:
Unknown

Types of Data:
Potentially customer banking records

Breach Description:
The HSBC branch in Easingwold was found unlocked during non-business hours on Saturday, February 2nd. A five-year-old boy wandered into the bank while his father was using the cash machine. The bank was closed and unattended since 4:30 the previous day and no alarms were sounded.

Reference URL:
The Northern Echo online story
The Press online story

Report Credit:
The Northern Echo

Response:
From the online sources cited above:

Little Oliver was at the HSBC with mum, Alison, and dad Daniel, when the family visited the cash machine at Easingwold, North Yorkshire, on Saturday afternoon.

Mrs Pettigrew said: "We usually go into the bank and so Oliver just pushed the door and wandered in.

"I was at the cash machine and it was Oliver's dad who started saying, 'where's Oliver? where's Oliver?' "Then Oliver appeared again. He and his dad ended up wandering around the place, which was totally deserted. There were computers everywhere and there was no alarms sounding.

The HSBC tried to downplay the breach saying the emergency services would have been summoned automatically if someone stepped inside.
[Evan] This did not appear to have happened. According to the news story, emergency services were not even aware of this physical breach until notified by the Pettigrews.

However North Yorkshire Police have confirmed that the only call received was from Daniel Pettigrew.

The bank had been closed for business at 4.30pm on Friday and Oliver opened the door at lunchtime on Saturday.

A spokeswoman for the bank said there had been a malfunction with the catch on the door.
[Evan] A malfunction is not an acceptable reason for a breach. System malfunctions need to be taken into account when designing secure systems (physical and technical), especially at a bank.

"When I realised the bank was empty and the service times said Monday to Friday I phoned 999."

He and Oliver also walked right up to the door of the vault where money is kept.
[Evan] It is important to note that they walked up to the door, not THROUGH the door. This would be a more sensational story if the vault were open too.

There were computers and walkie talkies lying around in there. Anyone could have stolen them.

"The hard drives were in there too. In the current climate it makes you wonder if anyone could have got the database with bank customers' details on it.
[Evan] There is chatter that HSBC employs centralized and secure data storage, meaning that there should be no sensitive information on the client computers. This may be true, but often there is much more information on these computers than people realize. I would guess that there is also a substantial amount of sensitive paperwork in the branch.

The Pettigrews stood guard at the bank until police officers arrived.

A spokesman for HSBC, which made profits of about £11bn in 2006, said there was no danger to bank customers.
[Evan] Not so. There WAS a danger to bank customers. It may not exist in this instance anymore, but the danger was there.

She said: "Basically, what happened was there was a malfunction with the door catch. Once the door was pushed open it would have alerted the police anyway.
[Evan] This was obviously not so. Malfunctions must be detected at the time of the occurrence.

She said: "There would have been no danger to customers in terms of cash or information being stolen. Obviously we don't want security issues but sometimes these things happen."
[Evan] Again, I disagree.

From Simon Davies, director of Privacy International:

"extraordinary state of affairs" which could have exposed thousands of customers to a "grave risk"

"I cannot believe that a bank would not have procedures in place to make sure all exits are sealed at close of business."

"This is a situation I have never encountered before. It is a failure on multiple levels, on the human level and on the technical level and what it does is expose thousands of customers to a grave risk."

"It could be that the computers are part of a central control system and are password protected and contain no information locally, in which case you don't have the same level of threat."

"But if they are just password protected then someone could have gained access to the whole central resource of data."

Commentary:
I added this breach to The Breach Blog because the potential for lost data confidentiality and intergrity was real and present. There appear to have been no customer-related victims, which is a very good thing. HSBC and/or their security team should have detected the door malfunction well before a five-year-old did.

How many times have we used a cash machine at the bank after-hours? Most of us just assume that the bank doors would be locked. Even if the door were unlocked, most of us would assume that alarms would go off as soon as I opened it.

I don't suggest that you drive from bank to bank looking for unlocked doors because this might get you in a lot of trouble.

Past Breaches:
Unknown

]]> Wed, 06 Feb 2008 07:24:03 +0000 bank customers bank customers bank after-hours branch door malfunction bank doors malfunction breach description Five-year-old wanders into bank branch after-hours <![CDATA[What's the Snag Behind the Spyware]]> http://securityratty.com/article/64ff31c1bb765cb05774ef53fed2a07f http://securityratty.com/article/64ff31c1bb765cb05774ef53fed2a07f
The concept behind the technology of spyware is that, a number of advertising companies take interest to install tracking software into the computer system, that illusions to call it host with aims to use all internet connections, get statistical or other information data to what they will claim "home" attesting assurance of company's security policies not to collect sensitive data for confidentiality, and with full promise to establish continuity of anonymity.

However, it is an establish fact that the PC functions as a "live" server that is open for any kind of information disseminations with or without the consent of the server; bottom lining the fact, there is always a risk for any transfer of any information even those covered by protection policies between the advertiser and the so called "mothership." In the end just as nobody would wish, it will be sending assimilated data that might escape the benefit of payment from the PC database.

Although spyware and adware could be two in one to front probable interference to the server's privacy, spyware could stage sole manipulation to indulge deeper in affecting the users privacy, prompting slow-down computer's effectiveness, windows' pop-ups of undesirable ads, and spam e-mails.

Several media companies are perennially seeking ways to eliminate large expense for web development and internet costs; but instead, tend to pay part of their revenue solicitations from reputable brands' banner sales to host servers by installing reputable piece software by way of so called "piggybacking," or tricking methods as the Trojan horse technique, installing some "rogue" anti-spyware program, eluding detection of its being a disguised security software.

A spyware no adware technology is an advertising copyright itself, can stand without having to do with any adware's vulnerability threats. The so-called "Web accelerator" or helpful software agents: Example, the Bonzi Buddy (quoted from: Wikipidea), targeted to children: "He will explore the internet with you as your own friend and sidekick. He can talk, walk, joke, browse, search, e-mail and download like no other friend you've ever had! . . Best of all, it is FREE."

This piece of copyright text is so deceptive for unknowingly, motives behind depict to pursue some ends in order to evade something that will disrupt the mobility of cash flow of the mother host.

Why is Spy ware Deceptive?

1. It does not self-replicate; instead, it invades infected computers for commercial gains purposes.
2. It monitors Web browsing activity (sales strategy) and routes of all HTTP to advertising agencies.
3. Delivery of pop-up advertisements
4. Theft of Credit and Identification card numbers in relation to the notorious identity theft around.
5. Spyware gets into the system by exploitations of other software vulnerability.

The Effects of the Spyware upon the Use of the Computer

There are so many complicated effects that are induced by spyware. It may not even be detected as an obvious virus infection, but comes in, a core factor of ineffective results of computers' performance; like network traffic, disk usage, CPU malfunction which may be mislead to be a PC crash, and finally resolving to replace the whole system with a new one.

The demand for technical support and assistance is another recourse for badly spyware-infected computers. Another option is to have a thorough "cleanup" of the whole system. It needs massive reinstalling on software in order to revitalize as new.]]> Wed, 01 Aug 2007 15:28:00 +0000 spyware software reputable piece software anti-spyware program helpful software agents information data information system computer system What's the Snag Behind the Spyware