Archive
Repeat Data Loss Offenders…
I was doing some data mining this week on the excellent DataLossDB.com site and it occurred to me to dig a little deeper into where the risky places to give your PII/PHI to are. I was hoping to find that some segments are cleaning up their act, but it seems not. The fact we’re seeing multiple entries by people could have two possible meanings: Read more…
Updates to the Map of Crypto Law.
Google Map of International Crypto Law
There have been a few updates to the famous map of crypto laws lately, for those new to the map, or who have forgotten it I’ve linked the picture above to it.
Fell free to mail me with corrections and additions.
H.R 2221 – The Federal Data Accountability and Trust Act
This week I’ve been working my way through H.R 2221 – the “Data Accountability and Trust Act” . This proposed legislation is making its way through the Committee on Energy and Commerce at the moment, and if passed, will rationalize data protection legislation across the USA at a federal level. Read more…
Missouri’s new Data Protection Disclosure Law.
Although maybe unnoticed, a month ago Missouri finally joined that heady club called “States which have Data Privacy Laws”.
On 28th August, the “Missouri Data Breach Notification Law”, or House Bill 62 took effect, not protecting, but at least enforcing care and attention of residents personal information (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a residents financial accounts). Note I use the word “resident”, because, as with the other 47 or so State laws, this one applies to the Residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Tinbuktoo, you are still required (under civil and actual damages) to comply. Read more…
Speaking at GTC East: The New York Digital Government Summit
For those in the Federal space, I’ll be presenting practical data protection measures at GTC New York next week on the 23rd, in Albany. You can find out more about the GTC Conference from their web site, but it promises to be a packed day, with great speakers like Gene Kranz (Former Director, Mission Operations, NASA), Mark Allen (6-Time World Champion, Ironman Triathlon), and of course yours truly.
The conference also has a training track where you can swot up on the latest technologies and methodologies in topics as diverse as applying for grants, Rapid Application Development, and Project Managment to name only three.
Privacy By Design, Madrid 2009
Privacy By Design
For those interested in the “big picture” of privacy and technology, I’ll be at the PbD conference in Madrid this year, 2nd November, talking about privacy enabling technologies such as data protection, identity protection etc. You can get details about the conference from the PbD website, which is being run just ahead of this years 31st International Conference of Data Protection and Privacy.
Privacy by Design is a concept promoted by Ann Cavoukian, Ph.D, Information & Privacy Commissioner Ontario, Canada which aims to promote the idea of systems and processes built with privacy in mind, rather than retrofitted afterwards. I encourage all readers to browse her site which is quite informative, and gives you perhaps a “bigger picture” view than IT alone.
Firewire Attacks Revisited
For those who follow these kinds of things, you’ll remember that back in 2004 an enterprising group of people (Maximilian Dornseif, Michael Becher, and Christian Klein) gave a series of talks on how to bypass many kinds of computer security using the FireWire ports. This attack, though obvious from reading the specification of the Firewire / i.LINK / IEEE 1394 bus, simply used a computer acting as a “rogue” device to read and modify any memory location on a target PC.
Yes, ANY memory location, and that’s quite supported, even required by the FireWire/iLink specification, which needs direct-memory-access for some devices (like iPODs) to function.
Enterprising people have written attacks that use this “exploit” to get around encryption products, and locked workstations on Mac, Linux and PC.
McAfee Data Protection, HIPPA, HITECH and breach notification.
Last week, one of my colleagues asked me to comment on 45 CFR Parts 160 and 164, which for those of us who can’t remember all the code names for the various USA Federal docs, is the one in which the Department of Health and Human Services publishes its interim final rule under HIPPA and HITECH re what data falls under these regulations, what a “breach” means, and the conditions in which data is deemed to have been “protected”.
Under HITECH/HIPPA, basically there is a duty in the USA to care for the privacy of “unsecured protected health information” – this means that anyone electronically processing our heath information has a duty of care to make sure no unauthorised people gain access to it, and a legal duty to inform us if a breach (or possible breach) of trust occurs. Read more…
10 Things you don’t want to know about Bitlocker…
Nov 2015 Update – It seems bitlocker sans pre-boot has been trivially insecure for some time according to Synopsys hacker Ian Hakan, who found a simple way to change the Windows password and thus allow access to data even while Bitlocker was active.
So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.
For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.
What happened?
Army National Guard shows how much it cares about 131,000 identities…
National Guard Website
A busy week in the world of data loss, with the report from the Army National Guard Leaders that a personal laptop containing the records of 131,000 former and current guard members was stolen from a contractor on 27th July 2009. The information included the usual culprits – Name, Address, Social Security Number etc.
What this information was doing on a contractors personal device, and not locked up and restricted is undisclosed, but the important thing is that the Army Guard is showing it’s eagerness to resolve the situation and protect its members. Read more…
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments