What’s the difference between your laptop and your smartphone?

When it comes to information leakage, not much.

As the Wired article shows, cell phone wipes leave almost as much data behind as reformatting hard drives.

In both cases, the user thinks they have deleted data and purged traces.

In both cases, low cost tools can recover mountains of sensitive data.

Thinking about selling that old cell phone for cash?  Or donating it to charity?  You’d be better of getting it shredded…

Few things are more precious, intimate and personal than the data on your smartphone. It tracks your location and logs your calls. It’s your camera and your mobile banking device; in some cases it is a payment system in and of itself that knows what you bought and when and where and for how much. All of which explains why you wipe it before sending it off to a recycler or selling it on eBay, right? Problem is, even if you do everything right, there can still be lots of personal data left behind.

Simply restoring a phone to its factory settings won’t completely clear it of data. Even if you use the built-in tools to wipe it, when you go to sell your phone on Craigslist you may be selling all sorts of things along with it that are far more valuable — your name, birth date, Social Security number and home address, for example. You may inadvertently sell your old photos, nudes and all. The bottom line is, the stuff you thought you had gotten rid of is still there, if someone knows how to look.

“There are always artifacts left behind,” explains Lee Reiber,

via Break Out a Hammer: You’ll Never Believe the Data ‘Wiped’ Smartphones Store | Gadget Lab | Wired.com.

The NCSC conference 2013 was an amazing event #1

Michael Ahti’s presentation on how China controls their internet (and how other countries are copying their model) was education and slightly frightening.

He clearly explains why the Chinese government encourages copycat sites and how Beijing uses citizens and the internet to control the regional Mandarins.

HIGHLY RECOMMENED!

Welcome to the Balkanization of the internet.

While I’m no fan of Facebook, laws like these will hamper freedom & civil rights.

I’ve always said that with Social Media, you need to worry about your friends – even if you do everything right, and your friends make a mistake or break the law, you may be found guilty by association.

This law turns that premise into reality.  If you ‘like’ a friend’s post, and that friend is found guilty of ["cybersex," identity theft, hacking, spamming, or pornography], then you are automatically guilty of the same.

From CBSnews.com

With more than 25 million Filipinos on Facebook and close to 10 million on Twitter, Filipinos rank among the top 10 users of both sites in the world.

But if you’re one of those who seldom think twice about “liking” a friend’s post on Facebook or re-tweeting someone else’s tweet, think again. Doing so in the Philippines may land you in jail.

On Sept. 12, President Benigno Aquino III signed into law the Cybercrime Prevention Act, which defines several new acts of crimes committed online, including, among others, “cybersex,” identity theft, hacking, spamming, and pornography.But while all that’s good, certain provisions of the law have millions of Filipinos up in arms – foremost of which is online libel.

“If you click ‘like,’ you can be sued, and if you share, you can also be sued,” said Sen. Teofisto Guingona III, one of the lawmakers who voted against the passage of the law.

“Even Mark Zuckerberg can be charged with cyber-libel,” the senator said.

via Facebook’s “like” may land Filipinos in jail – CBS News.

In the 1990′s we spent $ 2.5 BILLION to sequence the human genome.

Thanks to Moore’s law (computing power doubles every 18 months) and revolutionary breakthroughs in DNA sequencing, pretty soon, DNA sequencing will cost less than $ 1,000 per sample.

And several companies, including easyDNA are marketing their services to employers, spouses and lawyers.

So, who’s been tracking YOUR DNA? No one knows.

What rights do you have to data about your DNA?  None.

They’re called discreet DNA samples, and the Elk Grove, California, genetic-testing company easyDNA says it can handle many kinds, from toothpicks to tampons.Blood stains from bandages and tampons? Ship them in a paper envelope for paternity, ancestry or health testing. EasyDNA also welcomes cigarette butts two to four, dental floss “do not touch the floss with your fingers”, razor clippings, gum, toothpicks, licked stamps and used tissues if the more standard cheek swab or tube of saliva isn’t obtainable.If the availability of such services seems like an invitation to mischief or worse – imagine a discarded tissue from a prospective employee being tested to determine whether she’s at risk for an expensive disease, for instance – the Presidential Commission for the Study of Bioethical Issues agrees.

via Citing privacy concerns, U.S. panel urges end to secret DNA testing | Reuters.

Cop posts his photo on Facebook.

Cop goes undercover, and a convict’s girlfriend outs him.

Umm…remind me again why cops need a facebook page?

A Texas woman (Melissa Walthall) has been arrested and charged with a felony for posting a publicly available photograph of an undercover police officer to her Facebook profile, reports say.According to the Associated Press, Melissa Walthall, 30, of Mesquite, Tex., was arrested last week and charged with retaliation, a felony, for posting the photo.

via Melissa Walthall, Texas Woman, Arrested For Posting Photo Of Undercover Cop On Facebook.

A Canadian Sub-Lieutenant pled guilty to selling secrets to the Russians.

What is amusing, is how he defeated the complex technical controls present within the Canadian military.

He simply copied information to NOTEPAD and saved it on a FLOPPY.

Furthermore, when he got home, he composed EMAIL DRAFTS in a shared email account that the Russians had access to.

The latter technique is an Al-Qaeda favorite – use shared webmail accounts and transfer information via DRAFT messages.

 

How Delisle spied

Information presented at Delisle’s bail hearing detailed how Delisle would browse for material on the secure computer at Trinity, save it in the notepad feature, then transfer it to a floppy disk drive. He would take the floppy out of the secure computer, transfer it to an unsecure system and make a USB copy. After taking the USB home, he would access an email account given to him by the Russians and write in drafts. None of the material was ever transmitted, but the Russians could access the account and read the drafts.

…

it seems Canada didn’t learn from the American experience with army private Bradley Manning. Manning copied hundreds of thousands of diplomatic notes as well as Iraq and Afghanistan war logs, and then leaked them to WikiLeaks. “In the aftermath of that, the Americans had been warning all their allies, don’t get caught out in the way we did, don’t let someone steal information in the way Bradley Manning has done.”

In the wake of Manning’s arrest, President Barack Obama issued an executive order to strengthen his government’s computer security policies for all federal agencies.

Wark also points out that the other members of the “Five Eyes”, the U.S., the U.K., Australia and New Zealand, might have reason to be upset by Delisle’s spying. “What Delisle might have been able to tell the Russians that’s very, very damaging is how the communications systems themselves worked and the codes and processes they used to protect secrets. If the Russians have that, it’s a huge advantage for them, it’s a key into communications systems of not just Canada but all of our allies.”

via Spy Delisle’s guilty plea preserves Navy secrets – Politics – CBC News.

HOW TO FILE A HEALTH INFORMATION PRIVACY COMPLAINT WITH THE OFFICE FOR CIVIL RIGHTS

If you believe that a person, agency or organization covered under the HIPAA Privacy Rule (“a covered entity”) violated your (or someone else’s ) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR). OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule. A covered entity is a health plan, health care clearinghouse, and any health care provider who conducts certain health care transactions electronically. For more information about the Privacy Rule, please look at our responses to Frequently Asked Questions (FAQs) and our Privacy Guidance. (See the web link near the bottom of this form.)

Complaints to the Office for Civil Rights must: (1) Be filed in writing, either on paper or electronically; (2) name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule; and (3) be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.” Any alleged violation must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.

Anyone can file written complaints with OCR by mail, fax, or email. If you need help filing a complaint or have a question about the complaint form, please call this OCR toll free number: 1-800-368-1019. OCR has ten regional offices, and each regional office covers certain states. You should send your complaint to the appropriate OCR Regional Office, based on the region where the alleged violation took place. Use the OCR Regions list at the end of this Fact Sheet, or you can look at the regional office map to help you determine where to send your complaint. Complaints should be sent to the attention off the appropriate OCR Regional Manager.

You can submit your complaint in any written format. We recommend that you use the OCR Health Information Privacy Complaint Form which can be found on our web site or at an OCR Regional office. If you prefer, you may submit a written complaint in your own format. Be sure to include the following information in your written complaint:

Your name, full address, home and work telephone numbers, email address.

If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.

Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

Briefly describe what happened. How, why, and when do believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?

Any other relevant information.

Please sign your name and date your letter.

The following information is optional:

Do you need special accommodations for us to communicate with you about this complaint?

If we cannot reach you directly, is there someone else we can contact to help us reach you?

Have you filed your complaint somewhere else?

via HIPAA News, Regulations, Compliance, Complaints, Penalties, Privacy and Security.

Hospital Implements New Minimum Necessary Polices for Telephone Messages

Covered Entity: General Hospital

Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. One addressed the issue of minimum necessary information in telephone message content. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding leaving messages. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training.

via All Case Examples.

Private Practice Implements Safeguards for Waiting Rooms

Covered Entity: Private Practice

Issue: Safeguards; Impermissible Uses and Disclosures

A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.

via All Case Examples.

Radiologist Revises Process for Workers Compensation Disclosures

Covered Entity: Health Care Provider

Issue: Impermissible Uses and Disclosures

A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from worker’s compensation carriers before submitting test results to them.

via All Case Examples.