Sunday, November 29, 2009

Incriminating yourself, Internet style

Ah, the joys of social networks. Sharing your favorite activities, legal and not so legal, with family, friends and the police.

Yes, the police.

It seems that law enforcement has been unusually ready to embrace change when it comes to social networks like Facebook. Frankly, I'm glad they have. They catch sexual predators using chat and social networking sites. Very good thing. They also catch underage drinkers, particularly stupid drug dealers, and various other criminals (advice: posing for pictures with the loot you stole is not smart).

In the Lacrosse, WI Times this weekend I read about officers browsing Facebook to catch underage drinkers. College students post pictures on Facebook, officer sees picture, profile tells the story, and student gets an invitation to the police station where they get a ticket which they can pay or fight. The practice is not popular with students:

“I feel like it is shady police work and a waste of taxpayer money to have him (an officer) sit on the computer on Facebook when he could actually be doing police work,” said Luebker.

Uhm, dude, that cop sitting on the computer just busted you. That would be "doing police work." You incriminated yourself by putting the evidence up on a public forum. It may seem like I have something against Facebook, but I will continue to talk about the public nature of social networking as long as I keep seeing quotes like this one:

“I feel like it is a breach of privacy,” Stenholt said. “You feel like you should be able to trust cops.”

Despite their best efforts to claim otherwise, Facebook provides no privacy. A privacy setting only controls who Facebook shows a post to; it does nothing about what a "friend," a screenshot, or a subpoena does with it afterward. If Facebook really provided privacy, you wouldn't see quotes like that practically every day.

[Edited by Bert @ 6:52am for clarity and 12:27pm to provide link I thought was already done]

The scam-happiest time of the year

With Cyber Monday tomorrow, and the ever-increasing number of people doing their Christmas shopping online, McAfee - the security software company - has provided a list of the twelve most common ways holiday cybercriminals scam the rest of us. Here they are:

1. Charity Phishing. It is more blessed to give than to receive, but before you give, make sure the people receiving it are who you think they are.

2. Fake Invoices from Delivery Services. It is very difficult to ship COD these days, so unless cousin Joe from Jersey told you he was shipping you something that way, don't pay without calling the shipping company - at the number in the phone book, not the one in the e-mail. And if you don't remember ordering it, don't pay for it without double-checking.

3. Social Networking. Scammers send legitimate-looking "friend requests" that contain links designed to infect your computer. However tempting it might be to have one more friend than your boss, don't open links from "friends" you've never heard of.

4. Holiday eCards. Everyone loves a nice holiday card. What you should know, however, is that some of the most destructive holiday viruses have been attached to fake eCards. Never open eCards from unknown senders. Frankly, I'd think twice before opening an eCard from someone I knew without making sure they'd actually sent it first.

5. Luxury Jewelry. Man, you can find some incredible bargains online. And scammers take full advantage of that fact by offering even more incredible deals than you can usually find during the holidays. Of course, the deals they offer get you an empty wallet and maybe a cheap (disgustingly obviously cheap) piece of costume jewelry if you're lucky.

6. Online Identity Theft. I love shopping online. Quick, easy and convenient. But always make sure you're shopping at a reputable site, and never shop - or at least never type in a card number - while at Starbucks, the library, or any other public wifi location. On an open (unencrypted) wireless network anyone nearby can read whatever traffic isn't itself encrypted and probe the other computers on the network; it's surprisingly easy.

7. Christmas Carol Lyrics. If you don't already know that ring-tone and mp3 download sites can be a hotbed for malware, you do now. Before downloading anything from one of these sites make sure they are legit. If they are offering the latest Taylor Swift ringtones for free, run away.

8. Work from Home. Beware of e-mails that offer jobs you haven’t applied for or work at home “opportunities.” After they steal your info and a setup fee, you’ll be right back where you started with a few extra headaches.

9. Auction Site Fraud. Internet scammers will post unbelievable deals in hopes of getting an unlucky bidder to bite. That 50" LCD TV for $299 "Buy it Now" will either never arrive or it will arrive in pieces, or as a 13" black & white CRT television.

10. Password Stealing. Change your passwords often, and watch where you type them. People can look over your shoulder from the table next to you, or even use a cell phone camera to record you typing. A fresh password doesn't help if it's captured the same way, so shield the keyboard and don't log in to anything that matters in a crowd.

11. E-mail Banking Scams. Beware of any e-mail that asks for your banking information. I don't know of a bank that will ask you for your information via e-mail. If I find one that does, I will post it here and tell you to avoid it. Don't use the link in the message to get to your bank, either; type the address yourself.

12. Ransom Scams. If hackers gain access to your computer through any of the means listed in this article, they may demand a ransom to get your computer back in working condition. They won't call it that, of course. They will say they are selling you the tool to remove the malware you downloaded - the same malware they put there.
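Items 2, 3, 4 and 11 all come down to one question: does the link go where it says it goes? Here is a small checker for that, written as an added example for this post (it is not from McAfee's list or from any product). It pulls the links out of an HTML e-mail body and flags the usual tells: link text that names one site while the href goes to another, a raw IP address instead of a hostname, a punycode (xn--) host that can hide look-alike letters, and a trusted brand name buried inside an unrelated domain. The sample message and the TRUSTED_HOSTS set are constructed for the example, and _registrable uses a two-label shortcut where a real tool would consult the public suffix list.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the post)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brands you actually expect mail from. Any host that merely
# contains one of these (ups.com.example.net) is treated as an impersonation.
TRUSTED_HOSTS = {"paypal.com", "ups.com"}

# Constructed sample message; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_MAIL = """<p>Your package could not be delivered.</p>
<a href="http://192.0.2.10/track">Track your parcel</a>
<a href="http://www.ups.com.example.net/cod">www.ups.com</a>
<a href="https://www.ups.com/">www.ups.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    url = url.strip()
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    # Crude: last two labels. A real tool would use the public suffix list.
    return ".".join(host.split(".")[-2:])


def check_link(href, text):
    """Return the reasons this link looks suspicious (empty list = nothing found)."""
    reasons = []
    h = _host(href)
    if not h:
        return ["no host in href"]
    if _is_ip(h):
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in h.split(".")):
        reasons.append("internationalized (punycode) host")
    # Link text that looks like a domain but disagrees with the real target.
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
        t = _host(text)
        if t and _registrable(t) != _registrable(h):
            reasons.append(f"text says {t} but link goes to {h}")
    # A trusted brand used as a subdomain of someone else's domain.
    for brand in TRUSTED_HOSTS:
        if ("." + brand + ".") in ("." + h + ".") and _registrable(h) != brand:
            reasons.append(f"{brand} appears inside unrelated host {h}")
    return reasons


def scan_html(html):
    """[(href, text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_MAIL):
        print("SUSPECT" if reasons else "ok     ", href, "|", text, "|", "; ".join(reasons))
```

Run it as a script and the first two links in the sample are flagged while the genuine ups.com link passes; the "text says X but link goes to Y" check is the one that catches most delivery-notice phish, because the visible text is exactly what the scammer wants you to believe.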

Facebook: Waiving Miranda & the Fifth

Friday, November 27, 2009

For privacy, keep your face off Facebook

In an opinion piece, Carmi Levy tells us, briefly, the story of Facebook user Natalie Blanchard, a woman who was on long-term disability leave from IBM for depression. After a year and a half of receiving benefits from IBM Canada's insurer, the checks suddenly stopped coming. Why? Because the insurance company checks things like Facebook accounts, and despite her account being set to "private," its investigator was still able to find pictures of her looking decidedly un-depressed. Was Ms. Blanchard committing fraud? Is she the victim of an overzealous investigator judging her overall state of emotional well-being from a few snapshots in time? I don't know. I do know that if she had followed a simple rule of online life - simple in theory, not so simple in practice - she would not be having this problem. The rule? Don't put anything online that you wouldn't want your mother/wife/children/boss/insurance investigator to see. And if you have to put it online, don't put it on MySpace, Facebook, or any other 'social' networking site. It's in the name, folks. By definition, social networking is anathema to privacy. Everything you put on Facebook will make it into the wider wild web. Count on it!

Some people have a right to know

A letter published online points out that there are some persons who should be given automatic access to health records. Spouses should always have access to each other's records. Parents should, once their children are old enough, have either a living will or a signed power of attorney granting one or all of their children access to their medical records. Everyone should prepare for the worst-case scenario - should you be incapacitated, who takes care of you and your affairs? Living wills and medical/financial/total powers of attorney specify the answers to those questions. Don't make them lightly, and make sure you really trust the people you are giving such power to, but if at all possible, have these documents on file with an attorney and/or your doctor.

So much for a 'light weight' rest of the week. :)

Thursday, November 26, 2009

Just 'cause you work in a hospital...

Just last week I wondered how many healthcare workers didn't know they were affected by HIPAA. Apparently 16 workers at Ben Taub General, part of the Harris County Hospital District, didn't. The hospital district hasn't given specifics, but anonymous sources say they were looking up the record of a first-year resident who was shot in a robbery. One of the dismissed workers said, "I helped a doctor locate a patient/friend and that's it!"

The point these now unemployed workers missed is that no one who is not involved in the care of the patient is allowed to access those records without the express permission of either the patient or the patient's representative. This is the kind of breach that doesn't necessarily need public disclosure, but the patient needs to be notified. And the rest of the workers need a refresher in HIPAA, with a strong emphasis on not accessing records you are not involved with and on using the proper channels to access those you are. I don't want to allow any practice that could cause workers to relax their guard about using the proper channels to access patient records - even their own.

Which brings up another point. A comment on an earlier post said that current regulations require a report if a hospital employee looks up their own record. Hospital policy might require that - and it should at least require a refresher in proper policy - but other than going outside of protocol, looking at your own record is not a breach of HIPAA.

Wednesday, November 25, 2009

Circle the wagons

It's a wild web out there, largely unmapped, with outlaws lurking in every shadow. It's been said that an unprotected computer will be compromised within 15 seconds, but that is probably an exaggeration. A USA Today study done in 2004 - very old by Internet standards - found that unprotected computers were compromised in minutes. It hasn't gotten better in the last five years. It used to be safe to stay on the 'main path,' but that's no longer true.

We're going to go over a few simple things you can do to protect yourself when you venture out into the outlaw territory known as the Internet:

1. Get a firewall. Most modern operating systems, such as Windows (XP and up), Mac OS X and Linux, come with a firewall, and it is usually on by default - but check it. That firewall is good, but it is even better to have a hardware firewall in front of it. If you have a router, you probably already have one: a home router only passes in connections that a machine inside asked for, so unsolicited connections from the Internet never reach your computer. If you don't have a router, getting one is as simple as going to your favorite electronics store (Best Buy, Wal-Mart, etc.) and buying one. Most router default settings leave something to be desired, but that's a post for another day. Usually the manual is on a CD in the box and has instructions for turning on the security features. The actual method varies by manufacturer, and sometimes different models from the same manufacturer do things differently. Keep in mind that a firewall stops traffic that shows up uninvited; it does nothing about what you invite in by clicking, which is what items 4 and 5 are for.

2. Create strong passwords. Strong passwords use letters, numbers and special characters. Passphrases are even better: they can be easier to remember and harder to guess or crack. But "ILoveMyWife" isn't much better than "Lenore!@". A phrase a cracker can guess from your life, or find in a list of common phrases, is no stronger than a short password; length only helps when the words are picked at random. No, my wife's name isn't Lenore. Here are some password creation tools:

  • Windows: Atory Password Generator Freeware password generator that creates passwords as secure and as long as you want.

  • MacOS: Make-a-Pass A Dashboard Widget that creates passwords as secure and as long as you want.
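To put numbers on "as secure and as long as you want," here is an added example (mine, not code from either tool above) that generates a random password or passphrase with Python's secrets module and reports how many bits of entropy the result carries. The 16-word list is a constructed stand-in for a real diceware list of 7776 words, and the guess rate in crack_time_seconds is an assumed figure for an offline cracker, not a measurement.

```python
"""Random passwords and passphrases with an entropy estimate (added example)."""
import math
import secrets
import string

# Constructed stand-in for a real diceware list (7776 words). 16 words is only
# 4 bits per word, which is the point: the list size is what buys you entropy.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
         "iris", "juniper", "kettle", "lantern", "marble", "nectar", "oak", "pepper"]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform choices from a pool of `pool_size`.

    Only valid for things chosen at random. "ILoveMyWife" has far less entropy
    than its length suggests, because a cracker tries phrases like it first.
    """
    if pool_size < 2 or picks < 1:
        raise ValueError("pool_size must be >= 2 and picks >= 1")
    return picks * math.log2(pool_size)


def random_password(length=16, alphabet=FULL_ALPHABET):
    """A password of `length` characters drawn uniformly from `alphabet` by a CSPRNG."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=6, wordlist=WORDS, sep="-"):
    """A passphrase of `words` random words; 6 words from a 7776-word list is ~77.5 bits."""
    if words < 1:
        raise ValueError("words must be >= 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def crack_time_seconds(bits, guesses_per_second=1e10):
    """Worst-case seconds to exhaust a keyspace of `bits` bits at the given guess rate.

    1e10 guesses/s is an assumed figure for an offline attack on a fast hash,
    not a measurement; a web login form allows orders of magnitude fewer.
    """
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    pw = random_password(12)
    print(pw, f"{entropy_bits(len(FULL_ALPHABET), 12):.1f} bits")
    pp = passphrase(6)
    print(pp, f"{entropy_bits(len(WORDS), 6):.1f} bits (tiny list; use 7776 words for real)")
    for bits in (entropy_bits(26, 8), entropy_bits(7776, 6)):
        print(f"{bits:5.1f} bits -> {crack_time_seconds(bits) / 86400:.2g} days to exhaust")
```

The comparison the script prints is the one worth remembering: eight random lowercase letters are about 37.6 bits, which an offline cracker at the assumed rate finishes in seconds, while six random diceware words are about 77.5 bits and take longer than anyone will wait. Either way the strength comes from random choice, not from how clever the phrase sounds.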

3. Save your passwords, either in your browser or in a password manager. For many years wise men (and women) said not to let your browser save your login info, because if someone got on your computer (with or without your permission) they had your password. While that is still a concern, the increase in trojan keyloggers makes it the lesser of two evils. If you don't hit the keys, a keylogger can't log them, and on home computers getting a keylogger is often the greater threat. One caveat: a trojan that can log keys can usually also read the browser's saved passwords, so a password manager that locks its store behind a master password is the better of the two options, and neither one replaces keeping the machine clean (item 4).

4. Keep up-to-date anti-virus and anti-spyware. Today it isn't unusual for a big-name site to be compromised and spreading malware, so surfing unprotected is a bad idea. My favorite anti-virus programs are avast! Home Edition and AVG Free. For anti-spyware I use Spybot S&D and Ad-Aware.

5. DON'T CLICK THAT LINK! Be careful where you go. I went for years without Anti-virus on my PC. My firewall provided all the protection I needed. Then a guest started coming by and using the computer. He went to Java game sites and picked up 2 or 3 bugs every day. So I had to get anti-virus to protect my network from him. You can't count on any site being safe, but why go to high risk sites?

That's enough for today. The rest of the week will probably be pretty light weight, but we'll get into a few more of the basic ways you can protect yourself next week.

[updated at 7:20am for clarity and additional information and at 2:00pm 11/26 because I reread it and it didn't say what I meant to say]

Tuesday, November 24, 2009

Every little thing you do...

One of the more exciting trends in social networking is the ability to use software on your phone or iPod to report your location to your favorite social network account so your friends can see where you are. Personally I don't think it's a good idea, but I'm into protecting privacy. I do think people are not thinking enough about what they are revealing about themselves as they surf the web, and now they're making it easy for the obsessive, the stalker, the thief to track them down. Last spring a reporter tracked a woman using the positioning data her phone was posting at set intervals. He never met her and did not know her, but he was able to see where she went and even view what he thought was her apartment through a webcam - and he knew the location of the apartment because her cell phone had fed it to him. He didn't even have to dig; she was giving it all up voluntarily. Imagine if he had been a serial criminal of any sort. She was handing herself to him.

I was reading two articles, one in the Examiner about the nifty things that are so useful but potentially so invasive to our privacy, and one at TechCrunch that talked about attaching your location to your Twitter, Facebook or MySpace account. Both point out that as we move to an online society it will become harder and harder to keep anything to ourselves. And most of us apparently don't understand that we are giving it up voluntarily. From students at Oxford to teachers in North Carolina screaming "invasion of privacy" because they got in trouble for pictures and statements on their Facebook pages, it is becoming more and more obvious that the average person online does not realize that once it's online it is out, and it can't be put away again. Is the answer stricter privacy controls? Is it tighter oversight of the social networks? I don't believe it's either. I believe it's education. Children and adults need to learn to keep some things private. They need to know that, while it might be neat to have your whereabouts posted where your friends can see them, unless you can make sure that only your friends see them, it can be painting a target on your back.

Tomorrow we'll start looking at ways to make that target a little harder to see.

Monday, November 23, 2009

ACTA Mattah, You!

The Anti-Counterfeiting Trade Agreement is a treaty-in-progress between the United States, the European Community, Switzerland, Japan, Australia, the Republic of Korea, New Zealand, Mexico, Jordan, Morocco, Singapore, the United Arab Emirates and Canada. Nothing has been ratified yet, and because it is a "trade agreement" there has been almost no disclosure of what it contains. The leaked documents are quite frightening, however. There appears to be a "three strikes" rule on the table, under which any home accused of accessing or providing pirated works would lose Internet access for a year. In an entry on the Center for Democracy and Technology blog, "We Are Not Amused," we see that the Queen of England has voiced her approval of such a rule for the UK. According to Britain's Department for Business, Innovation and Skills (download PDF), the cutting off of Internet access would apparently include any type of communication that goes over the web:
"although we continue to regard the uptake and use of Internet services as essential to a digital Britain, we are considering the case for adding suspension of accounts into the list of measures that could be imposed. This does not necessarily mean that suspension would be used - this step would obviously be a very serious sanction as it would affect all members of a household equally, and might disrupt access to other communications, so it should be regarded as very much a last resort."

This is in reference to Britain's Digital Economy Bill. If you're interested, it's Chapter 10 - the amendment to Britain's Communications Act of 2003. I'd have provided a direct link, but it wouldn't save in the blog. This type of law has already been passed by other countries, such as France, and is being looked at by the European Union independently of ACTA. In some versions, including ACTA, the suspension happens after you have been accused three times. Convictions are not required.

That is just one of the problems with ACTA. The only review is by the negotiators and lobbying groups - groups that have pushed such anti-consumer legislation as the DMCA. Recently a small number of others have been allowed to see the proposed ACTA document, but only after an approved application and signing a non-disclosure agreement. Why is secrecy for this document so important? Consider:

One of the proposed regulations makes ISPs responsible for the content provided by their customers - contrary to US legal precedent.

It would treat "technological protection measure" (TPM) infringements differently (presumably more severely) than general infringements. TPM is what we commonly call Digital Rights Management (DRM) in the US.

There would be no requirement for hardware manufacturers to ensure interoperability of TPMs. Imagine having to have a player for each major studio - one for Disney, one for Paramount, one for Dreamworks, etc.

Not part of the agreement, but part of the way trade agreements work: if ACTA is signed by the US Trade Representative (USTR) it is binding. The US will have to enforce it as law, without Congress (our representatives) having any say in the matter. The RIAA, MPAA and their foreign counterparts have found a way to get around the laws of their respective countries.

This is something that we really need to jump on and speak to our representatives. We need to demand that they demand the ACTA negotiations be opened up to public scrutiny.

To contact your senator (if you don't already have the info):

Your Representatives:
Enter your zip code in the box in the upper left and click on "go".

Sunday, November 22, 2009

Cash, anyone?

BBC News reports that ANYONE who has used a credit card in Spain may have had their credit card data stolen. Apparently the company that verifies cards in Spain may have been part of the scam. Why would a legitimate company take part in identity theft? Identity theft is big business. Apparently big enough to tempt a legitimate company to commit fraud.

You can steal my cash, but once you spend it, that's all you've got.

Saturday, November 21, 2009

6 Months to report?!!!

The Chicago Tribune reports that Health Net lost a portable, external hard drive with data on 1.5 million customers dating back to 2002. The loss was reported to the Connecticut Attorney General's office Wednesday. The drive was lost SIX MONTHS AGO!!!

And they were keeping patient data on a portable hard drive? Apparently unencrypted? If that's not a violation of some type, it should be.

Despite some legitimate concerns about absolute notification, is it any wonder I don't want the hospitals and insurance companies deciding what and when they should report?

Friday, November 20, 2009

Who will watch the hen house?

In an article Thursday, the Huffington Post went to some length to examine the tug-of-war occurring between the health industry (hospitals and insurance companies) and privacy/security advocates. The health industry wants a federal rule on health data breach notification to contain a "harm threshold" that says how many records must be breached, or how much harm must be done by the breach, before notification is required. The reason there is anything to argue about is a piece of legislation crafted to encourage the move to electronic medical records. The article doesn't mention the bill by name, or any of its authors, but apparently the original bill did not specify just how much data had to be mishandled before notification was required - and that is the same as saying ANY lost data meant notification was necessary. The health care industry lobbied the Department of Health and Human Services to add a "harm threshold" because, as written, if one bill went to the wrong address that patient would have to be notified. Such stringent requirements scare hospital administrators and health insurers: "Such a requirement, they say, not only would be costly but also would overwhelm consumers and make them less likely to notice when a real problem occurred."

How many mistakes do they make every month? It sounds to me like hard-nosed notification requirements are overdue. Strict requirements with real consequences for failure to comply will force healthcare providers and insurers to fully train their employees in the regulations and give them the tools to do it right. If they are making so many mistakes right now that being required to report every piece of mishandled data would overwhelm consumers with notifications, there is a big problem. I don't trust the health care industry to police itself and notify people any sooner than it absolutely has to. I think it's time to contact our representatives and tell them we want notification. The easiest way to contact your senator (if you don't already have the info):

Your Representatives:
Enter your zip code in the box in the upper left and click on "go".

Thursday, November 19, 2009

Healthcare workers not hip to HIPAA

According to the Modern Healthcare website, a significant number of healthcare employees don't know that they are subject to HIPAA regulations. It's apparently a failure to communicate. The American Recovery and Reinvestment Act of 2009 extended who has to comply with HIPAA regulations, but as many as 50%+ of newly affected workers failed to get the memo. I'd be less concerned if I didn't wonder how many of the employees who were already affected by HIPAA haven't got the memo yet.

England has had its worst consumer data breach in a while, courtesy of a T-Mobile employee who sold customer info. Hey T-Mobile, I want better controls over my data! Can you hear me now?

[Edited @ 1:57pm because apparently I have subconscious issues with Verizon]

Tuesday, November 17, 2009

National Security vs. Personal Freedom

Watching C-Span this morning (or late last night) I saw the House Republicans' press conference on the Fort Hood shooting. Rep. Peter Hoekstra was asking for a look into the failings in the processes that should have prevented the shootings at Fort Hood, and stated that Congress needs to have its own investigation NOW. Peter King decried the lack of communication between intelligence agencies and the military - a failing that was supposed to have been taken care of long ago. All well and good. Then Mike Rogers spoke.

Rep. Mike Rogers of Michigan stated that tools and procedures that have worked for intelligence agencies in the past have been prohibited and are therefore no longer available. He believed those tools needed to be made available again. Mr. Hoekstra agreed, but refused to elaborate on what those tools might be.

I have to wonder what those tools are. The Patriot Act greatly expanded surveillance ability of federal agencies. The federal government illegally tapped virtually every phone in America and congress rewrote the law so the telecoms who aided and abetted the atrocious invasion of privacy could not be sued or held criminally accountable for their actions.

Rep. Mac Thornberry responded to reporters' questions about "why the rush to take action" by pointing out that two provisions of the Patriot Act will lapse at the end of December. Immediate action is needed, he said, both to learn the lessons about what went wrong and fix it, and because the families of the victims at Fort Hood and the American people as a whole deserve to know that their government is doing everything it can to prevent tragedies like Fort Hood - and, not incidentally, to prove the importance of extending pieces of the Patriot Act as they reach their end of life.

The amazing thing about all of the comments was the obvious blinders the Representatives have when it comes to the intelligence failures that led to Fort Hood. Indeed, the more news stories I read about Major Hasan the more it looks like 9/11 in miniature. The number of red-flag items being bandied about in the media seems to indicate Major Hasan should have been taken out of circulation long ago. The reason he was not appears to be (but appearances can deceive) a breakdown of communications, whether between agencies or internally in specific agencies.

There were many things that made 9/11 possible. Among them was a lack of communication between agencies, and even between departments within agencies. Another was the sheer volume of information being gathered. In the Fort Hood shootings the similarity is that there was apparently a wealth of information. Apparently the FBI was aware that Major Hasan was communicating with someone in Yemen. Apparently he was also involved in money transfers to Pakistan. The person he was contacting, Anwar al-Awlaki, is an imam who has been implicated in terrorist attacks but never charged.

Atrocities like the 9/11 attacks and the Fort Hood shootings are used to justify, even demand, further erosion of personal liberty in the name of greater security. More surveillance powers will make us safer, is the claim. But both 9/11 and Fort Hood could have been prevented without granting intelligence agencies more tools and greater power to spy on citizens. Simply paying attention to the warning signs instead of waving them away, presumably because Major Hasan had been a good citizen and soldier, could have made all the difference.

This was a bit farther away from obvious personal security than I intended for today, but this is an issue that I believe is very important. Security is important. But I believe Benjamin Franklin knew what he was talking about when he said, "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."

[edited @ 8:25 am to correct 3am grammar and spelling errors]

In the beginning

There were only two people, plus God and the angels (good and bad), and privacy wasn't much of a concern. As time passed that changed. People began to expect to be able to keep some things to themselves, and for most of history were able to, with varying degrees of success. More time passed, and technologies (such as the telescope) were invented that allowed others to see things you might think were known only to you. Still more time passed, and people are now able to expose themselves almost completely to the world at large while maintaining the illusion (some would say delusion) of privacy.

My purpose here is to make you aware of how you are exposing yourself, by keeping an eye on things that affect privacy and security, whether it is personal privacy or national security. So at times I will dabble in politics, and possibly even religion, but mostly I will be keeping an eye on technology's effect (real and potential) on privacy and security, and on any legislation, court cases, or government actions that impact privacy and security. I will also be giving advice on limiting your exposure and protecting yourself from the bad guys, and hopefully entertaining you while doing it. That's all for now.