A laptop computer stolen last month endangered the personal information of over 8,300 current and former students and employees of P.K. Yonge Development Research School, a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education.

The files stored on the stolen laptop contained employee payroll, employee parking permit and student information dating back to 2000, along with names, Social Security numbers and, in some cases, Florida driver’s license numbers. PK Yonge officials have confirmed that no student academic or medical records, nor any credit card details, were on the computer.

The school has started an official mailing campaign with 841 letters already sent and more on the way, explaining to those affected by the breach that their information has been exposed by the theft.

“We regret that this incident occurred and are working diligently to notify the people who may be impacted by this theft,” P.K. Yonge Director Fran Vandiver said.

The incident happened on July 23 when the laptop was taken from a P.K. Yonge employee’s rental car in San Francisco. The good news is that, unlike other hardware theft cases, the computer files were password-protected, yet school officials have no way of knowing if the information was accessed.

And another piece of good news, P.K. Yonge is working on preventing similar breaches. They are installing  protective encryption software on laptops that contain restricted data, and the university continues to review and improve its policies and procedures for protecting information.

“Employees and students have entrusted us with their personal information, and we take that responsibility seriously,” said Elias Eldayrie, UF’s chief information officer. “We are committed, as always, to continuous improvement and doing everything that we can to protect university data.”

Those who think they might have been affected by the breach can find more information on how to act here: http://privacy.ufl.edu/incidents/.

In mid-August, Luxemburg-based Stidia has added Actively Managed Secure Hosting to its business to business web hosting and e-Commerce solutions suite. With this new addition, all Stidia corporate customers’ servers are actively monitored by human engineers to guarantee the best levels of website security, network redundancy, and bandwidth performance.

The new security service has been integrated with Stidia’s previous enterprise-class DNS hosting offering and all web hosting packages are now actively managed through this new offering.

“The Actively Managed Secure Hosting is vital in offering web hosting services that meet real business needs in multiple industries,” said Stidia’s Sales Manager, Mohamed Tazi: “In creating Actively Managed Secure Hosting we incorporated features that customers said were vital to them in terms of increasing server security and levels of protection, and website uptime.”

To ensure server continuity and top performance, Stidia’s team actively monitors logs, server access, website uptime, and fluctuations; they also simulate full scale attacks on Stidia servers and client websites to determine and then apply appropriate safeguards and fixes.

“Our customers no longer worry about web hosting security, since we offer a human powered service versus automated security patches,” said Nicolas van Beek, Stidia’s Sales Director.

The Pentagon has finally confirmed a security breach that happened back in 2008 and which one of their top officials has described as “the most significant breach of U.S. military computers ever.” The breach was caused when a foreign intelligence agent used a flash drive to infect US military computers, including those used by the Central Command to oversee combat zones in Iraq and Afghanistan.

The device in question was a cigarette-lighter-sized flash drive which was plugged into an American military laptop from a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense, quoted by the New York Times

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

This serious security breach was first reported in November 2008 in Wired magazine’s Danger Room blog and according to The Los Angeles Times, the event was grave enough to have President George W. Bush briefed on it, also mentioning that Russian involvement was suspected.

Almost a year later, Mr. Lynn’s recent article was the first official confirmation of this breach which he called Operation Buckshot Yankee and said that the episode “marked a turning point in U.S. cyber-defense strategy.” One of the early countermeasures set in place was the fact that the Defense Department banned the use of portable flash drives in its computer network, yet the ban was later annuled.

“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’s global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” he wrote.
Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

Two recent thefts of desktop computers belonging to the Montefiore Medical Center lead to the exposure of sestive information on patients and students stored by Montefiore’s Finance Department and School Health Program Administrative Offices.

The first incident happened in late May when two desktop computers were stolen from Montefiore’s Finance Department. The theft was discovered a couple of days later. Montefiore assessed the incident and concluded patient information had been stored on the computers, including patient names and medical record numbers. For some patients, the data stored also included social security numbers, dates of birth, hospital admission dates and/or insurer information.

The second incident was discovered on June 10, 2010. This time, three desktop computers had been stolen the day before the discovery from Montefiore’s School Health Program Administrative Offices. According to DatalossDB, 23,000 records including names, dates of birth, medical record numbers, parent or guardian contact numbers were exposed.

All stolen computers were password protected, but no other security measure has been mentioned by Montefiore. They are currently cooperating with the police investigations, but neither medical center representatives, nor the police believe the thieves were interested in the information stored on the computers. They might not be, but those buying the computers from them might!

Medicaid and Medicare patients, and parents, guardians or students can call Montefiore representatives at Identity Force, Toll free, at 800-295-0136, to find out if they are among the individuals whose information was stored on the stolen computers.

Keeping your company or home computer network safe from day to day threats that could lead to data theft, data loss, identity theft or malware infections has never been easier. My Endpoint Protector, software as a service device control and data security solution developed by CoSoSys, is now offering an app version available for iPads, iPhones and iPod touch devices through the iTunes store.

With a few touches, you can use the app’s centralized console to authorize new devices, monitor file transfers and access to sensitive data and block portable devices, making sure all common threats are kept at bay. In a world where the unsecured use of portable storageand lifestyle devices – smartphones, notebooks, USB sticks, digital cameras or extern HDDs – can lead to tremendous data breaches and severe losses for both companies and individuals, having a smart and effective app at your fingertips preventing it all is extremely important.

The iPhone and iPad app makes sure you can handle your security issues when being caught in a lengthy meeting, when being on the road and unable to plug in a netbook or reach a computer with an Internet connection. It saves time and works quickly, making it all easy.

“Lifestyle devices such as USB flash drives, mobile phones and portable computers started out as being smaller, portable and a lot more fun than their static predecessors, while fulfilling our need of communication. As they evolved, getting smarter and smaller, they have also changed our lifestyle. We can have business presentations on an iPad and send emails from our iPhone while keeping in touch with friends and partners, so why not go with the trend and offer the possibility of doing more important tasks from our mobile devices, such as handling the security of a business network or that of our home computers?” explained Roman Foeckl, CoSoSys CEO.

Key benefits of the My Endpoint Protector App

• Easily manage business or home computers through a centralized console available on your iPhone, iPad or iPod touch
• The My Endpoint Protector App and the cloud service powering it require no specific security expertise or complicated learning process
• Closely monitor access to your business and personal sensitive files regardless of location and available IT infrastructure; the portable and highly mobile devices you are already carrying are enough
• Allow or deny access to specific devices without needing to wait until you reach a desktop or plug in and start your notebook; for example, allow access to employee smart phones and deny access to your children’s USB sticks

More information about the My Endpoint Protector App can be found on iTunes:
http://ax.itunes.apple.com/us/app/my-endpoint-protector/id379244830

or on the Endpoint Protector website here:
http://www.endpointprotector.com/en/index.php/products/my_endpoint_protector_SaaS

If you think BP have their hands full with the oil spill and the whole environmental mess they’ve caused in the Gulf of Mexico, think again. It seems they lack all kinds of security – not only can’t they drill for oil in a safe environment, their data security is also poor.

The Defcon hacker contest organized in Las Vegas is a hacking competition that has its contestants trick employees of large companies into spilling out potentially sensitive information. The purpose is – and targeted companies should thank the organizers for that matter – to show how gullible people can be and how this becomes a major security vulnerability.

One of the contestants, Josh Michaels, made only two phone calls and got a computer support employee of BP into revealing data that could have helped launch a network attack against the oil giant. He managed to get details such as what model laptops BP used and the specific operating system, browser, anti-virus and even virtual private network software the company is using. He also won extra points for tricking the employee into visiting Social-Engineer.org.

“That was scary,” said Michaels, shortly after ending the call, in which he posed as a Louisiana-based employee handling claims stemming from BP’s massive oil spill in the Gulf of Mexico. “You never know what you’re going to get. There’s an adrenalin rush that comes with social engineering.”

What does the contest do? The Social Engineering Capture the Flag contest gives entrants 25 minutes to call a company chosen in advance by the organizers. They are free to make as many calls as they need and use what ever deceiving techniques they see fit. Awarded points depend on the types of collected “flags”: the version of Adobe Reader the company used, the garbage collector that hauled its trash, or success in getting the target to visit a website of the caller’s choosing.

Callers sat in a soundproof glass booth while about 80 people crammed into a conference room listened on, often chuckling and applauding as targets naively volunteered potentially sensitive information. Companies that were called during day one of the two-day competition included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Proctor and Gamble, Pepsi, Coca-Cola, and Ford. Of the dozens of calls made to the 10 companies, only three of the targets refused to cooperate.

Contest organizers put great efforts into making sure the contest stays within legal boundaries. Requiring sensitive info such as credit card numbers or passwords is prohibited as is the strategy stating someone’s account has been compromised, or other such scenarios that might lead targets to believe they are at risk.

A thumb drive containing personal data of current and past graduate medical education residents and fellows at Cooper University Hospital has recently gone missing. Lost around July 8th, the incident has been reported to the proper authorites a few days later who are now looking into the potential security breach only two weeks later.

According to hospital sources, the lost data includes Social Security numbers, addresses, and phone numbers. As it always happens in such cases, the data was not in anyway encrypted or protected.

The University later released the following statement:

“Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, No patient information or records were compromised. The incident was reported to the New Jersey State Police Cyber Crimes Unit on Friday, July 23 as per the state notification procedure. The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach.”

As of yet there are no information on the number of individuals affected by the breach.

If you had any doubt that security breaches cost companies a lot, it is all clear now – the damages companies have to deal with after one breach are overwhelming! According to recent reports by te Ponemon Institute, organizations get hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranges from1 million to 53 million USD per year. The reports were based on the analysis of 45 U.S. organizations hit by data breaches.

Ponemon Institute’s released two separate reports,  ”The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, “The Leaking Vault” (PDF) released today by the Digital Forensics Association, both showing troubling findings for companies’ finances:

• a median cost of $3.8 million for an attack per year, including all costs, from detection, investigation, containment, and recovery to any post-response operations.
• out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion.
• nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases is stolen
• hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent  only about 16 percent of the data breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD.

“Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

US President Obama and cybersecurity czar Howard Schmidt have both issued statements on cybersecurity presenting very optimistic progress reports and supporting increased activity in the private sector.

Some of the points discussed in the progress reports included the recent organizational changes and new cybersecurity initiatives of the Obama administration presented as evidence that the White House is making advances on the cybersecurity front.

“President Obama appointed a Cybersecurity Coordinator to provide White House leadership on cybersecurity issues,” the progress report says. “The Cybersecurity Coordinator leads a new Cybersecurity Directorate within the National Security Staff (NSS), works closely with the economic team, and has created a close partnership with the Office of Management and Budget (OMB) and the Office of Science and Technology Policy.”

As stated before while speding a year to decide who will be the czar everyone expected, cybersecurity is considered a “key management priority” by the white house.

“Enhancing cybersecurity is a central component of the Administration’s Performance Management Agenda,” the progress report says. “The Federal Chief Performance Officer has targeted key performance strategies for improving government operations, which include moving to real time monitoring and integrating cybersecurity into system design, rather than bolting it on as an afterthought.”

I am thrilled to see things are movig along just fine and the White House is also focusing on ecouraging cybersecurity projects in the private sector as well. Let’s hope they keep it up and others start following their lead.

For more details of the two statements, visit DarkReading.

New York-based Lincoln Medical and Mental Health Center is the center of attention in security news after exposing sensitive patient information. The lost data was the result of a failed FedEx delivery – CDs with unencrypted data was sent to the Center but never made it to its destination.

The lost data included medical and psychological diagnoses and procedures for over 130 000 patients, as stated in an official notification. An investigation trying to locate the missing CDs was launched back in April, but it failed to recover the data: names, addresses, social security numbers medical record numbers, dates of birth and more, enough for any half-decent identity thief to have a blast.

According to the Register, Licoln is at least note alone in this mess:

Lincoln’s notification to the US Department of Health website came the same day officials at the University of Maine said sensitive details for 4,585 individuals who sought services at the school’s counseling center have been stolen by hackers who compromised two servers. The exposed data included names, clinical information and social security numbers for people who used the service over an eight-year span ending last week.

Other medical facilities to fess up to losing patient data in the past 24 hours, according to the Department of Health website, include Silicon Valley Eyecare Optometry and Contact Lenses, with 40,000 people affected, Kentucky’s Our Lady of Peace Hospital, with 24,600 affected, and the Cincinnati Children’s Hospital Medical Center, which affected 60,000.