Dynamic Security could have easily identified that the person logging in was not the coroner, since he or she was in the wrong place at the wrong time, or there were multiple logins.
Trust Isn’t Security
Frank Hayes
February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.
And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.
Wait, it gets scarier. According to the grand jury, the reporters said Kirchner gave them the password because he didn’t want to be bothered with their phone calls asking for details about homicides, fatal accidents and suspicious deaths.
The reporters weren’t charged with illegally accessing the Web site, because they testified under immunity from prosecution. Kirchner has denied the charges against him.
But the grand jury report quotes e-mails and computer forensic evidence that paint an ugly portrait of the coroner (who apparently ignored security policies and gave away his password within weeks of taking office in 2004) and the reporters (who ignored “authorized personnel only” warnings and accessed confidential information hundreds of times over an 18-month period).
And where was IT all this time? Not noticing, mostly. Eventually, an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office. But that was only after one reporter mentioned in a news report that some information came from the Web site, and a reporter from a competing newspaper called the county to find out why he didn’t have access.
That’s when a supervisor realized there had been a security breach, a police investigation began, logs were checked, passwords were changed, and the grand jury went to work.
Until then, everyone apparently assumed that because users were trusted with the information on the emergency 911 Web site, they could be trusted to keep it secure. Now there’s a trusting IT department.
That trust was misplaced. And not just trust in the coroner. After the reporters’ intrusion was discovered, logs were scrutinized more carefully. In 2006, four emergency responders were prosecuted for giving out their passwords, and two other people were arrested for accessing the site.
According to the grand jury report, the results of those password leaks weren’t trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn’t. “That caller’s name was made known on the streets, and the caller was severely beaten in retaliation,” the grand jury report said.
We want to trust our users. We have to trust them, mostly — we can’t afford to watch them every second. And most of them are worthy of that trust.
But some aren’t.
Trusting is nice. It’s sociable. It’s convenient.
Don’t do it.
We have the technology to control network access to confidential information. Beyond passwords, we can limit users’ access with IP address whitelists and blacklists. We can use VPNs. We can scan logs after the fact, looking for IP addresses that don’t belong. We can’t catch every breach, but we likely can discover some accounts that have been compromised — and some users who can’t be trusted.
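The opening comment on this post (wrong place, wrong time, multiple logins) and the paragraph above (IP allowlists, scanning logs after the fact for addresses that don't belong) describe the same after-the-fact check. The script below is an added example written for this page, not code from the column or from Computerworld: it reads a Web access log and flags each login whose client address is outside the account's allowlisted networks, each login outside the account's expected hours, and each case where one account is active from two different addresses within a few minutes. The log lines, account names, addresses, networks and working hours are all constructed for illustration.

```python
"""Added example: scan a Web access log for signs of a shared account.
Three checks: client address outside the account's allowlisted networks
("wrong place"), login outside the account's working hours ("wrong time"),
and the same account seen from two addresses within a short window
("multiple logins"). All data below is constructed, not from a real log."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp account client_ip path", one login per line.
SAMPLE_LOG = """\
2007-01-08T09:12:03 coroner 10.20.4.17 /incidents/4421
2007-01-08T09:40:51 coroner 10.20.4.17 /incidents/4422
2007-01-08T23:05:10 coroner 198.51.100.23 /incidents/4430
2007-01-09T09:00:00 coroner 10.20.4.17 /incidents/4431
2007-01-09T09:03:30 coroner 198.51.100.23 /incidents/4431
2007-01-09T14:22:07 ems_unit7 10.20.7.2 /dispatch/live
"""

# Constructed per-account policy: networks the account may log in from
# (an IP allowlist) and the hours, as [start, end), it is expected to work.
POLICY = {
    "coroner":   {"networks": ["10.20.4.0/24"], "hours": (7, 20)},
    "ems_unit7": {"networks": ["10.20.0.0/16"], "hours": (0, 24)},
}
CONCURRENT_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the whitespace-separated log into dicts with typed fields, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, path = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ipaddress.ip_address(ip), "path": path})
    return sorted(events, key=lambda e: e["ts"])


def in_allowed_network(event, rules):
    """Right place: does the client address fall in an allowlisted network?"""
    return any(event["ip"] in ipaddress.ip_network(n) for n in rules["networks"])


def in_allowed_hours(event, rules):
    """Right time: does the login fall inside the account's working hours?"""
    start, end = rules["hours"]
    return start <= event["ts"].hour < end


def find_concurrent_logins(events, window):
    """Multiple logins: same account, two different addresses within `window`."""
    by_account = defaultdict(list)
    for e in events:  # already sorted by time
        by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted, so nothing further can be inside the window
                if later["ip"] != first["ip"]:
                    findings.append(("concurrent_login", account, str(first["ip"]),
                                     str(later["ip"]), later["ts"].isoformat()))
    return findings


def scan_log(text, policy=POLICY, window=CONCURRENT_WINDOW):
    """Return every alert as a tuple whose first element is the alert kind."""
    events = parse_log(text)
    alerts = []
    for e in events:
        rules = policy.get(e["account"])
        where = (e["account"], str(e["ip"]), e["ts"].isoformat())
        if rules is None:
            alerts.append(("unknown_account",) + where)
            continue
        if not in_allowed_network(e, rules):
            alerts.append(("wrong_place",) + where)
        if not in_allowed_hours(e, rules):
            alerts.append(("wrong_time",) + where)
    alerts.extend(find_concurrent_logins(events, window))
    return alerts


def summarize(alerts):
    """Count alerts by kind, a quick first look at a long log."""
    return dict(Counter(a[0] for a in alerts))


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
    print(summarize(scan_log(SAMPLE_LOG)))
```

On the constructed log the script raises four alerts: the 23:05 login from 198.51.100.23 is both outside the coroner's allowlisted network and outside working hours, the 09:03 login from the same address is outside the network, and the two logins three and a half minutes apart from different addresses are reported as a concurrent login. Any one of those signals, checked routinely rather than eighteen months later, is enough to start the conversation the column says nobody had.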
Yes, that gets ugly and unpleasant. So does what comes after: the why, the how-bad and the what-to-do-now.
But the alternative is a lot uglier. The results could be lost business and exposed customer information.
Or — as they’re learning in Lancaster — assaults and handcuffs.
Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.
Labels: Cybercrime, IT Security, Medical, Passwords
Dynamic security integrated with RFID tracking could have prevented this loss.
An outside contractor lost nine backup tapes that held sensitive personal information on 52,000 workers and 83,000 employees. The data is thought to have been destroyed.
By Sharon Gaudin, InformationWeek
Feb 9, 2007 01:55 PM
Johns Hopkins disclosed this week that it has lost the personal data on roughly 52,000 employees and 83,000 patients.
The Maryland-based organization, which comprises Johns Hopkins University and Johns Hopkins Hospital, has reported that nine backup computer tapes were not returned from a contractor, which routinely takes them and makes microfiche backups of them.
Eight of the tapes, according to a notice on the Johns Hopkins Web site, contain "sensitive" personal information on employees, and a ninth tape contains "less sensitive" personal information on the hospital's patients.
All nine tapes had been sent to the contractor's Baltimore-area facility on Dec. 21, according to the organization's release. Both the contractor and Johns Hopkins investigated the incident and reportedly determined that the tapes never reached the facility.
"It also concluded that it is highly likely that the tapes were mistakenly left by a courier company hired by the contractor at another stop. They were thought to be trash, collected and later incinerated," reads the statement on the Web site.
Johns Hopkins says it has no evidence that the tapes were stolen or that the information on them has been misused. The statement also calls the risk of identity theft "very, very low."
"Our best information is that the tapes have been destroyed," said William R. Brody, president of Johns Hopkins University, in a written statement. "Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands. On behalf of Johns Hopkins, I apologize to all affected employees and patients. We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."
University payroll information, including Social Security numbers, and, in some cases, bank account information for present and former employees was among the lost tapes, according to Johns Hopkins. That includes retirees and students who held campus jobs. Employees with information on the lost tapes worked in every university unit, except the Applied Physics Laboratory.
The tape with hospital information held personal information on all new Johns Hopkins Hospital patients first seen between July 4 and Dec. 18, 2006. However, it also has data on any patients who had changed their demographic information in that same time period. The patient information included names and dates of birth. It did not include addresses, Social Security numbers, or financial or medical information, according to Johns Hopkins.
Letters are being sent to all affected Johns Hopkins University employees, current and former, and to all affected Johns Hopkins Hospital patients with available addresses. Patients may obtain more information at this Web site, and employees may get information at this site.
Labels: Information Loss, Medical
Cybercrime pays and repeats itself. Dynamic Security could protect against unauthorized removal of equipment.
Grant Gross
February 05, 2007 (IDG News Service) -- The Department of Veterans Affairs (VA) is investigating a missing hard drive containing the personal records of 48,000 military veterans, the agency said.
The external hard drive contained about 20,000 personal records that were not encrypted, according to information from Rep. Spencer Bachus (R-Ala.). A VA employee reported the hard drive missing from a Birmingham, Ala., agency facility on Jan. 22, according to a VA press release.
The VA and the FBI are investigating the missing hard drive, the VA said in its Friday press release. The VA's Office of Information and Technology is conducting a separate investigation, Secretary of Veterans Affairs Jim Nicholson said in a statement.
"We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved," Nicholson added.
In May 2006, the VA reported a laptop and hard drive containing the personal records of 26.5 million military veterans and their families had been stolen from an employee's home. Police later recovered the hardware, and the VA said computer forensics tests indicated thieves had not accessed the data. However, the theft set off criticism from several members of Congress about the VA's cybersecurity practices.
The hard drive in Alabama was used to back up information contained on an employee’s office computer and may have contained data from research projects the employee was involved in, as well as personal information, the VA said. The VA Office of Inspector General has seized the employee’s computer and is analyzing its contents, the VA said.
The VA is prepared to notify affected people and provide free credit monitoring, the agency said. The VA will continue to aim to be a leader in protecting personal information, Nicholson said in his statement.
In August, the VA also reported that a desktop computer containing the personal information of 38,000 veterans was missing from the office of Unisys Corp., the subcontractor assisting at the agency's medical centers in Pittsburgh and Philadelphia. The lost VA hardware prompted a congressional review of other U.S. government agencies, and agencies reported thousands of l
Labels: Defense, Information Loss, IT Security, Medical
Made4biz Security
Translating real-world security knowhow into state of the art security systems.