NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Non-Encrypted Hall of Shame
print the content item {PDF=create pdf file of the content item^plugin:content.54}
in General IT Security > Non-Encrypted Hall of Shame


February 21, 2007 Seton Healthcare Network
Seton Healthcare Network – A laptop containing the personal information of approximately 7,800 former patients was stolen from one of their Austin, Texas offices. The information included Social Security numbers, dates-of-birth and insurance program numbers like CHIP or Medicaid may also have been included. This is actually a second incident for this hospital system in less than a month (see below).


February 16, 2007 KXAN.COM
Seton Highland Lakes Hospital – A laptop was stolen from an employee's car at the Burnet, TX hospital. The laptop contained about 2,500 child patients' names, medical information and some social security numbers. A hospital spokesperson was quoted as saying "You cannot access that data. It's just gibberish. It's meaningless without the software. Then, you need the four different passwords to get into the different levels." However passwords do not equate to data encryption and do not adequately protect sensitive data.


February 13, 2007 Government Executive
U.S. Department of Veterans Affairs – Turns out that the stolen VA hard drive reported below (Feb 5th) may have had up to 1.8 million veterans and doctors personal information. Encrypting the original computer hard drive but not encrypting the backup drive doesn't do much good.


February 13, 2007 DelmarvaNow.com
St. Mary's Hospital – Leonardtown, Maryland. A laptop with names, birth dates, and social security number on as many as 130,000 patients was stolen from the Hospital in December. The data was not encrypted. The Hospital is paying National ID Recovery up to $425,000 “to help patients keep track of their personal information such as credit card usage patterns”. Take note of this, data encryption software would have cost them far less.


February 12, 2007 Security Fix – Washington Post
Federal Bureau of Investigation - A U.S. Department of Justice Inspector General report comes down hard on the FBI's loss of 160 laptops over the course of 44 months. The report contained the following statement “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.” At least 8 laptops were identified as containing “sensitive or classified” information, 43 laptops may have contained such information. Even some laptops that were reported as not containing sensitive or classified information were later found to have contained “sensitive but unclassified” information. Of those laptops identified as containing sensitive or classified information only 3 were identified as using data encryption.

The fact that the FBI does not even know what laptops contained classified “National Security Information” (NSI) is completely unsatisfactory. Nor could they say with any level of confidence if data encryption was in use on most of these laptops. Most were not even reported to NCIC (National Crime Information Center) as required (85% were not reported). The fact that 160 laptops were lost or stolen out of a total of more than 25,000 is not troublesome in and of its self. But the fact that FBI doesn't know which laptops are used to process classified NSI information nor do they know which one's use data encryption is very troublesome. Properly encrypted the laptops could fall in to the hands of a enemy nation and still hold their secrets. OMB Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006) requires that agencies “Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing”. These measures were suppose to be in place in August 2006. Lets see how well the FBI and other Federal agencies do from here on out. Reports from various agencies seem to indicate that few agencies are in OMB compliance at this time.


February 8, 2007 The Baltimore Sun
Johns Hopkins – Backup tapes being sent from the Hospital to a contractor that makes microfiche archives of the data have been lost. Some of the tapes included Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees. One tape had names, dates of birth, sex, race and medical record numbers for 83,000 hospital patients. In all 135,000 people are being notified that their information was on the lost tapes. Hospital officials believe that the tapes were were likely misplaced by a courier and later destroyed. But no one has any real evidence to support that conclusion. The tapes were not encrypted. Hospital officials state that the tapes would require special equipment to read, but as mentioned here before that equipment is readily available at data recovery companies. The tapes could be sent overseas where the data could be transferred to a hard drive for minimal cost. It took all of about 3 minutes to find a company in Budapest, Hungary that looked more than capable of handling the job.


February 5, 2007 CNET.COM
U.S. Department of Veterans Affairs – A portable hard drive used for backing up an employee's computer has turned up missing at a Alabama VA medical facility. The hard drive contained up to 48,000 veteran's data records. In a confusing statement Rep. Spencer Bachus (R-Ala.) is saying that up to 20,000 of those records weren't encrypted. OK, the consensus here is some people at the VA are probably confused. If they were using whole disk encryption the way they're suppose to be doing then everything on that drive is encrypted. If they have created an encrypted volume on the portable drive and only used it for half the data then that is a problem. But its also possible they aren't sure how the encryption works. Since the drive was being used for backup purposes its possible that it contained a backup of the employee's computer from before they started using encryption on the desktop computer and a backup after they started using encryption. If that is the case then its possible nothing on the backup drive is encrypted. The desktop computer would have unencrypted the data during the backup process and if the external drive wasn't protected by whole disk encryption then the data is unencrypted. The IG has the employee's computer now so we'll probably find out soon.



article index
page 1 : March 2007 to Present
page 2 - current : February 2007
page 3 : January 2007
page 4 : December 2006
page 5 : November 2006
page 6 : October 2006
page 7 : September 2006
page 8 : August 2006
page 9 : July 2006
page 10 : Prior to July 2006
Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-9970
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
»CVE-2015-1529
Integer overflow in soundtrigger/ISoundTriggerHwService.cpp in Android allows attacks to cause a den ...
»CVE-2015-4045
The sudoers file in the asset discovery scanner in AlienVault OSSIM before 5.0.1 allows local users ...
»CVE-2015-4046
The asset discovery scanner in AlienVault OSSIM before 5.0.1 allows remote authenticated users to ex ...
»CVE-2015-4054
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereferenc ...
»CVE-2015-4455
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For ...
»CVE-2015-4704
Directory traversal vulnerability in the Download Zip Attachments plugin 1.0 for WordPress allows re ...
»CVE-2015-5241
After logging into the portal, the logout jsp page redirects the browser back to the login page afte ...
»CVE-2015-5381
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x be ...
»CVE-2015-5382
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows ...
»CVE-2015-5383
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by read ...
»CVE-2015-5401
Teradata Gateway before 15.00.03.02-1 and 15.10.x before 15.10.00.01-1 and TD Express before 15.00.0 ...
»CVE-2015-5468
Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress ...
»CVE-2015-5469
Absolute path traversal vulnerability in the MDC YouTube Downloader plugin 2.1.0 for WordPress allow ...
»CVE-2015-5609
Absolute path traversal vulnerability in the Image Export plugin 1.1 for WordPress allows remote att ...


Date published: 2017-05-23T16:00:01Z
Details

»ICS-CERT Releases WannaCry Fact Sheet
Original release date: May 17, 2017 | Last revised: May 19, 2017 The Industrial Control Syste ...
»Joomla! Releases Security Update for CMS
Original release date: May 17, 2017 Joomla! has released version 3.7.1 of its Content Managem ...
»Cisco Releases Security Updates
Original release date: May 17, 2017 Cisco has released updates to address vulnerabilities aff ...
»WordPress Releases Security Update
Original release date: May 17, 2017 WordPress versions prior to 4.7.5 are affected by multipl ...
»FTC Releases Alert on Fraudulent Emails
Original release date: May 16, 2017 The Federal Trade Commission (FTC) has released an alert ...
»Apple Releases Security Updates
Original release date: May 15, 2017 Apple has released security updates to address vulnerabil ...
»Multiple Ransomware Infections Reported
Original release date: May 12, 2017 | Last revised: May 15, 2017 US-CERT has received multipl ...
»Cisco Releases Security Update
Original release date: May 10, 2017 Cisco has released a security update to address a vulnera ...
»FTC Announces Resource for Small Business Owners
Original release date: May 09, 2017 The Federal Trade Commission (FTC) has released an announ ...
»Microsoft Releases May 2017 Security Updates
Original release date: May 09, 2017 Microsoft has released updates to address vulnerabilities ...


Date published: not known
Details

»WannaCry shows we need to understand why organizations don't patch
Perhaps the question we should be asking about WannaCry is not ...
»Modern security software is not necessarily powerless against threats like WannaCry
The WannaCry ransomware has affected many organisations around the ...
»Throwback Thursday: CARO: A personal view
This week sees the 11th International CARO Workshop taking place in ...
»VB2016 paper: Uncovering the secrets of malvertising
Malicious advertising, a.k.a. malvertising, has evolved tremendousl ...
»Throwback Thursday: Tools of the DDoS Trade
As DDoS attacks become costlier to fix and continue to increase in ...
»VB2016 paper: Building a local passiveDNS capability for malware incident response
At VB2016, Splunk researchers Kathy Wang and Steve Brant presented ...
»VB2016 video: Last-minute paper: A malicious OS X cocktail served from a tainted bottle
In a VB2016 last-minute presentation, ESET researchers Peter Kalnai ...
»Consumer spyware: a serious threat with a different threat model
Consumer spyware is a growing issue and one that can have serious c ...
»VB2016 paper: Debugging and monitoring malware network activities with Haka
In their VB2016 paper, Stormshield researchers Benoît Ancel and Meh ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» ICS-CERT Releases WannaCry Fact Sheet
[17 May 2017 09:14pm]

» Joomla! Releases Security Update for CMS
[17 May 2017 11:48am]

» Cisco Releases Security Updates
[17 May 2017 11:31am]

» WordPress Releases Security Update
[17 May 2017 07:09am]

» FTC Releases Alert on Fraudulent Emails
[16 May 2017 03:10pm]

» Apple Releases Security Updates
[15 May 2017 03:33pm]

» Multiple Ransomware Infections Reported
[12 May 2017 01:05pm]

» Cisco Releases Security Update
[10 May 2017 11:33am]

» FTC Announces Resource for Small Business Owners
[09 May 2017 07:14pm]

» Microsoft Releases May 2017 Security Updates
[09 May 2017 02:50pm]

***
US-CERT Alerts

» TA17-132A: Indicators Associated With WannaCry Ransomware
[12 May 2017 07:36pm]

» TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors
[27 Apr 2017 04:50pm]

» TA17-075A: HTTPS Interception Weakens TLS Security
[16 Mar 2017 06:40am]

» TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
[30 Nov 2016 10:00pm]

» TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
[14 Oct 2016 05:59pm]

» TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
[06 Sep 2016 04:29pm]

» TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
[05 Jul 2016 08:50am]

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

***
Computerworld Security

» 4 ways blockchain is the new business collaboration tool
[23 May 2017 04:01am]

» Connecting with work from the road? Here's how to stay safe
[23 May 2017 04:00am]

» 5 ways to stop future global malware attacks
[22 May 2017 03:06pm]

» No, Windows XP didn't fuel WannaCry
[22 May 2017 01:57pm]

» IDG Contributor Network: Winning the war on ransomware
[22 May 2017 12:00pm]

» Leak: Secret Facebook rules on what violence, self-harm and child abuse can be posted
[22 May 2017 07:18am]

» For enterprise protection, antivirus software is no longer enough
[22 May 2017 04:00am]

» Windows Defender does not defend Windows 7 against WannaCry
[21 May 2017 06:37pm]

» The ransomware epidemic: How to prep for a shakedown
[19 May 2017 02:37pm]

» The Windows firewall is the overlooked defense against WannaCry and Adylkuzz
[19 May 2017 10:25am]

» IDG Contributor Network: Who you gonna call?: Getting ready for the next cyber disaster
[19 May 2017 07:03am]

» CW@50: Vint Cerf on his 'love affair' with tech and what’s coming next
[19 May 2017 04:00am]

» Get 72% off NordVPN Virtual Private Network Service For a Limited Time - Deal Alert
[18 May 2017 09:29am]

» 55% off Panda Security Ransomware and Virus Protection Products for Home Users - Deal Alert
[18 May 2017 07:49am]

» IDG Contributor Network: FTC to crack down on bogus ‘tech support’ lines
[17 May 2017 12:30pm]

***
Microsoft Security Advisories

» 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3
[12 May 2017 11:00am]

» 4021279 - Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege - Version: 1.1
[10 May 2017 11:00am]

» 4010323 - Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11 - Version: 1.0
[09 May 2017 11:00am]

» 3123479 - SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[14 Mar 2017 11:00am]

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

***


***
Network World Security

» IDG Contributor Network: Do you know where your data is?
[23 May 2017 12:00pm]

» IDG Contributor Network: Educating the public about security – are we doing it all wrong?
[23 May 2017 10:35am]

» IDG Contributor Network: How security executives can feel comfortable in the boardroom and server room
[23 May 2017 10:15am]

» IDG Contributor Network: How quantum computing increases cybersecurity risks
[23 May 2017 10:00am]

» Network monitoring tools: Features users love and hate
[01 May 2017 04:51am]

» Fight firewall sprawl with AlgoSec, Tufin, Skybox suites
[10 Apr 2017 04:32am]

» Review: Canary Flex security camera lives up to its name
[24 Mar 2017 07:01am]

» Smackdown: Office 365 vs. G Suite management
[16 Mar 2017 07:01am]

» Zix wins 5-vendor email encryption shootout
[13 Mar 2017 04:00am]

» Review: vArmour flips security on its head
[06 Mar 2017 03:50am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» Review: Samsung SmartCam PT network camera
[15 Feb 2017 07:00am]

» Review: Arlo Pro cameras offer true flexibility for home security
[09 Feb 2017 07:01am]

» IDG Contributor Network: Educating the public about security – are we doing it all wrong?
[23 May 2017 10:35am]

» IDG Contributor Network: How security executives can feel comfortable in the boardroom and server room
[23 May 2017 10:15am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}