August 04, 2006

Data Security: An Oxymoron - continued

Richard Kuper
The Kuper Report

Just a couple of the latest news items, reported by ComputerWorld, showing the continued disregard for data security. I've excerpted and consolidated the main points of both articles below, and provided the links to the full articles. Sadly, this continues to support my presentation and summarized article "Data Security - An Oxymoron".

E-voting security under fire in San Diego lawsuit

The suit requests that a special election be invalidated. You see, rather than being secured prior to and after the election, the voting machines were given to poll workers to take home, and the workers kept them for anywhere from three days to more than a week! In addition, keys for touch-screen voting machines were released to poll workers -- which is a violation of state and federal law. And, if that were not enough, there is a switch in the circuitry of the Diebold TS touch-screen system that allows the machine to boot from an external source, which would completely circumvent the software and safeguards inside.

Two IT execs at Ohio University fired after data breaches

The first breach involved a server containing patent data and intellectual property files at the university's Innovation Center. That breach was discovered when the FBI told the university it had been provided with disk drives from the server.

A server supporting alumni relations and development was compromised and was being used to launch distributed denial-of-service attacks against an external target. The personal data on 137,000 alumni was exposed.

A system belonging to the university's Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

The discovery of the three break-ins prompted the school's IT organization to bring in outside experts to conduct a sweeping review of systems housed in the school's Computer Services Center. The review led to the discovery of two more breaches: One involved a computer that contained IRS 1099 forms for nearly 2,500 vendors and contractors that had done work for the university in 2004 and 2005; the other involved a computer that hosted a variety of Web-based forms, including some that processed online business transactions.