Several years ago, I was working as a trainer in a Citibank call center. At least that was my job on paper. In reality, the employees were far too busy to attend training, so I just hung around and killed time.

The building was locked down. No phones, no email, no paper coming in or out of the building, no ports on the computers, and (most unfortunately for a guy stuck with nothing to do) no Internet.

It made sense, since every computer in the building had access to the complete financial history of every single person who’d ever done business with Citibank. Social security numbers. Passwords. The works.

But then one day, I saw one of the employees goofing off in some random chatroom. He explained that he had found it in the history tab after moving to a new computer. It was the site for a random radio station called Cities FM. I went to my own computer, and found many other sites I could access. The Center for Information Technology Integration. Cities Restaurant. The Cape IT Initiative. Random websites that had one thing in common. They started with the letters CITI.

See, the employees needed to access the sites for the company they worked at. CitiBank, CitiMortgage, CitiFinancial… but since the company was constantly expanding, their IT department had decided that rather than keep updating the firewall, they would simply allow any site that started with the letters CITI, assuming that they would probably own it.

That night, I registered citi.MyName.com.

I of course, not being a criminal mastermind, used it pretty much like I use Google Plus. I made it so my coworkers could read my comics while they were bored. After I left the company, I added an e-mail form so that I could post pictures of the places I traveled and they could e-mail me back.

Of course if I had been criminal mastermind, at any point any of them could have hit copy/paste and I would have had enough information to steal the identities of a large percentage of the American public.

I didn’t. But that my friends, is the illusion of security.

via Buzzblog: Firewall fail: A tale both funny and sad.

In March 2012, BCBS of Tennessee agreed to pay $ 1.5M for HIPAA data breaches.

BCBSoTenn failed to encrypt hard drives containing voicemail files.

 Is YOUR medical practice encrypting hard drives and flash drives embedded within

• Laptops
• Desktops
• Servers
• Copiers
• Voice Mail systems
• And other smart systems

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.?

Continue Reading

Still think HIPAA compliance is strictly for the big guys?

Still think your small medical practice or medical billing business is safe from hackers, criminals and litigators?

From the NY Times:

The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

via New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy – Bankruptcy Beat – WSJ.

What can we learn from the Dharun Ravi case?

1) All the evidence was digital / social media

2) Dharun’s computers & phones self-incriminated him

They relied primarily on statements that Ravi made through conversations and text messages with friends as well as actions that he took using technology and social media without Clementi’s initial knowledge, to establish his bias and intent to intimidate. It was questionable whether this unorthodox approach toward establishing Dharun Ravi’s mental state would hold water with the jury.
http://www.huffingtonpost.com/matt-semino/dharun-ravi-trial_b_1365027.html

3) Because of a teenager’s stupid mistakes, 2 families are destroyed. Tyler Clemente’s lost a son. Dharun Ravi’s lost a future.

4) Social media bullying is a new field of evidence capture and prosecution

5) Do YOU understand that a computer or smartphone is a loaded handgun or a live grenade? It can hurt others, and blow your hand off?

Can you teach your kids the important lessons from this trial?

Continue Reading

The FTC has notified Apple & Google that they actually need to read, abide by and enforce their own privacy policies.  Specifically, these two operators can’t turn a blind-eye to what data the cell-phone application developers collect, and what they do with that data.

From The Register:

FTC tears into Apple, Google over kids’ privacy – or lack of

‘Impossible’ to know data collected by apps, watchdog fumes

By Brid-Aine Parnell

US regulators have told smartphone software makers to do more to protect the privacy of kids using their apps – or face the watchdogs’ wrath.

In a report that acknowledged the “tremendous” growth of mobile software, the Federal Trade Commission said app developers are not making “simple and short” declarations of their privacy policies. As a result, young users – picked out for their vulnerability – could be giving up their mobile phone numbers, contacts, location and other data without knowing about it.

It also warned that app stores run by Apple and Google needed to do more.

“Although the app store developer agreements require developers to disclose the information their apps collect, the app stores do not appear to enforce these requirements. This lack of enforcement provides little incentive to app developers to provide such disclosures and leaves parents without the information they need,” notes the report.

“As gatekeepers of the app marketplace, the app stores should do more.”

via FTC tears into Apple, Google over kids’ privacy – or lack of • The Register.

In US vs Warshak, the DOJ argued in court that since email accounts are hacked into, people die, and people forget their passwords, email should have no 4th amendment protections.

By this logic, NO HOUSE or APARTMENT in the US is safe.  Houses get broken into, people lose house keys, and some people die alone. (no wills, no heirs)

The FBI applied similar logic when attaching GPS trackers, without warrants, to college student’s vehicles in the US.

Now, if you buy a phone with a fake name, or rent an apartment under a fake name, they argue you’ve forfeited your 4th Amemdment rights.

From Gizmodi & Wall Street Journal:

Feds Want to Warrantlessly Track Phones Bought with Fake Names

If the DOJ gets its way, it won’t need a warrant to monitor people who buy cell phones and other electronic services using a fake name, according to a story in today’s Wall Street Journal.

The DOJ is arguing that because a California man used a fake name when he bought a broadband card, service and a computer (and rented his apartment) he’s not entitled to protection under the fourth amendment.

The government used a device called a Stingray to locate the broadband card being used by Daniel David Rigmaiden. The Stingray mimics a cell phone tower, and pings the target device. It measures the signal strength, and then moves to another location and measures it again. It uses that data to triangulate the phone’s position. They are increasingly being used by law enforcement.

The FBI didn’t get a warrant when it used a Stingray to locate Rigmaiden’s location. At his apartment complex, it found he had used a fake ID on his rental application. It used that to get a search warrant, where it found the broadband card.

The government’s argument is that it didn’t need a warrant to locate Rigmaiden because he gave up his fourth ammendment rights and had no reasonable expectation of privacy when he used a fake name to rent and purchase his broadband card, service and computer.

It’s in the courts, but if the DOJ wins this one, it could mean that even if you use a fake name to buy something in a non-fraudulent matter—say a burner phone—it can track you down, and perhaps even listen in. Beware, Stringer Bell.

via Feds Want to Warrantlessly Track Phones Bought with Fake Names.

Do you recall how in The Minority Report, stores were trying to sell Tom Cruise products based on his retina scans?

What would you do if a Retailer knew you were pregnant, and when the due date was before you told your friends and family?

Or they figured out whether you got a bonus or were unemployed without you telling them?

This article in Forbes on Target’s Pregnancy Identifier database is eerily unsettling. Especially the way they created the “random coupons” baby book.

http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

Continue Reading

What the Supreme Court Giveth in 4th Amendment Protections (namely, GPS surveillance requires warrants), a lower court takes away in 5th Amendment protections.

Americans can be forced to decrypt their laptops

Declan McCullagh

by Declan McCullagh January 23, 2012 3:35 PM PST

American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.

Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21–or face the consequences including contempt of court.

Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be “compelled in any criminal case to be a witness against himself,” which has become known as the right to avoid self-incrimination.

“I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.

Ramona Fricosu, who is accused of being involved in a mortgage scam, has declined to decrypt a laptop encrypted with Symantec’s PGP Desktop that the FBI found in her bedroom during a raid of a home she shared with her mother and children (and whether she’s even able to do so is not yet clear).

via Judge: Americans can be forced to decrypt their laptops | Privacy Inc. – CNET News.

Data Privacy Day: Social media ‘private’ data is fair game for e-discovery in court

Microsoft Trustworthy Computing released data about how posting on social networking sites can impact more than online profiles and reputation; it can also cause negative consequences in the real world. All that data, even the allegedly ‘private’ social media data, is not private but is fair game as e-discovery in civil litigation. Another study found who you are digitally on Facebook is who you are offline in real life. Lastly, the more data we overshare on social media, the more it becomes the “norm” for society . . . meaning for society as a whole, it lowers what is considered a reasonable expectation of privacy.

via Privacy and Security Fanatic: Data Privacy Day: Social media ‘private’ data is fair game for e-discovery in court.