Today it was announced that the personal information of 83,000 users of the Durham health systems became exposed when an unprotected USB stick containing their information was “lost”.
Not too uncommon, you might think, but in this case, Ann Cavoukian, the Ontario privacy commissioner (who I had the pleasure of speaking with last year at the annual Privacy-By-Design conference), stepped in, demanding that they
“immediately implement procedures to ensure that any personal health information stored on any mobile devices [laptops, memory sticks, etc] is strongly encrypted.”
CBC News further reported that Commissioner Cavoukian expected every health authority in her province to follow suit.
This week, datalossdb.org listed the first major suspected PII breach of the year, reported by George Russel, Superintendent of the Eugene School District in Oregon. You can find the full story on the KVAL news site.
Apparently some suspicious activity was noticed on one of their internal servers, which was subsequently shut down and isolated before being analyzed. The server in question held PII related to around 2,500 individuals, but was connected to other servers containing records of 13,000 former employees of the school district and around 13,000 vendors. That puts the total possible exposure at around 26,000 records.
This week Ghana News reported some sweeping changes proposed to the country's telephony infrastructure, designed to reduce fraud and increase the revenue contribution to the Ghana budget. There has been some talk in the past about Ghana adopting legislation along the lines of the UK Data Protection Act, but this is one of the first clear indications of sponsorship at a ministerial level.
The Minister (Mr. Haruna Iddrisu, the Minister of Communications) also said plans were afoot for a number of pieces of supplementary legislation, including data protection/privacy, cyber security legislation, intellectual property legislation, and e-transaction regulations.
Recently a whole slew of news sites announced a newly discovered vulnerability (courtesy of the German security firm SySS) in a range of “supposedly” secure consumer USB sticks.
These models from SanDisk, Kingston and Verbatim were apparently easy to defeat: the data could be retrieved without knowing the user's password or having any prior knowledge of, or contact with, the stick.
The exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, ALL sticks use the same auth key. By simply sending this known ack key to the stick, you can unlock it, or any other stick.
Interestingly, some of these insecure devices had been through FIPS 140-2 Level 2 security certification, so should really have been immune to this kind of attack.
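A minimal model of the design flaw described above, next to a design where the password check runs on the stick itself. This is an added example, not SySS's or any vendor's code; the class names, the token value and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, os

FIXED_UNLOCK = b"CONSTRUCTED-UNLOCK-TOKEN"  # constructed; identical on every weak stick

class WeakStick:
    """Flawed design: the stick opens for one fixed message and never sees the password."""
    def __init__(self, data):
        self._data, self.unlocked = data, False

    def receive(self, message):
        self.unlocked = hmac.compare_digest(message, FIXED_UNLOCK)
        return self.unlocked

    def read(self):
        return self._data if self.unlocked else None

def host_tool_unlock(stick, stored_hash, password):
    """Host software validates the password, then sends the fixed message."""
    if hmac.compare_digest(hashlib.sha256(password).digest(), stored_hash):
        return stick.receive(FIXED_UNLOCK)
    return False

class HardenedStick:
    """Check runs on the stick: per-device salt, password-derived key, retry limit."""
    MAX_TRIES = 5

    def __init__(self, data, password):
        self._salt = os.urandom(16)  # unique per device, so no shared secret exists
        self._verifier = self._derive(password)
        self._data, self.unlocked, self._fails = data, False, 0

    def _derive(self, password):
        key = hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
        return hmac.new(key, b"verify", "sha256").digest()

    def receive(self, message):
        if self._fails >= self.MAX_TRIES:
            return False  # locked out; a real device would wipe or require a reset
        ok = hmac.compare_digest(self._derive(message), self._verifier)
        self._fails = 0 if ok else self._fails + 1
        self.unlocked = ok
        return ok

    def read(self):
        return self._data if self.unlocked else None
```

In the weak model the password only gates the host tool, so the stick's protection is no stronger than the secrecy of one constant shared by every unit. In the hardened model nothing the host can send substitutes for the password.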
This page is mostly machine readable by my various tools and utilities so they know when to tell you there’s a new version.
But, if you find it interesting, well, all the better.
Livelog|1.50|10th Feb, 2010|http://wp.me/pyGw9-cd| Asynchronous update notifications
EEPCFSExplorer|1.09|10th Feb 2010|http://mcafee-int.hosted.jivesoftware.com/docs/DOC-1123|Changes to add menus and better error handling\nAsynchronous update notifications
ProductUpdate|9.99|4th Feb, 2010|No URL|Test update text\nwith\na couple of new lines.
EPELogReader|1.12|15th April, 2011|https://simonhunt.wordpress.com/2010/02/17/epe-log-reader-for-mcafee-endpoint-encryption-v6/|Updated to have a built in search for incompatible product messages.
EEFFMigrate|1.01|7th April 2010|http://planet.mcafee.com/docs/DOC-1273|Minor changes to support update notifications
McAf.ee GUI|1.40|19th October 2010|http://mcaf.ee/about|Added ieSpell Support\n\nAdded the ability to enter a block of text, for example if you want to make a tweet and shorten all the links at once\n\nAdded the ability to expand all the links in a block of text