It appears to be an image from a medical practice, where the security and authentication of the Centricity EMR application was in conflict with the access needs of the clinical operators. When the proponents of electronic medical records adoption make the case for cost-effectiveness of making an online medical record for all patients, consider how the medical community will likely protect access to your medical data.

I originally was using the File Vault utility to encrypt the entire home drive folder set, and that covers any data that you would want to protect that is in attachments or download folders. Then you don't have to be entirely expeditious about saving all your sensitive data in a disk volume. This turned out to be a true risk mitigation for me a couple of years ago when I was in an automobile accident that resulted in my laptop bag and computer becoming launched out of the back of my car upon impact. Fortunately my injury was minor, but if I had been incapacitated, my data on the laptop would have been protected from disclosure should the laptop been lost.

I've been using this approach since OS-X 10.4 came out with that feature, mostly because disk backup challenges were simplified. However, I've been using Time Machine now I think I'll move to the file vault utility again, feeling confident about being able to back up and recover encrypted data.

I tend to agree with Google, even though they corrected the coding error. The recursive search is demonstrated here:
http://www.youtube.com/watch?v=5oCHxB8d20s

Google coordinates search results with stopbadware.org to provide end-users with 'friendly warnings' that search results host malicious content. The problem here is the sheer scale of malicious content, or legitimate content that has been poisoned by internet miscreants and/or criminals, will never be covered by any filtering mechanism.

The bottom line is the appearance of hazard in anything online.

As things turn out, she wanted to take an online course at the Madison Area Technical College, but couldn't figure out how to connect her laptop to her ISP at home, and then decided to drop out of her online course. Now, as the news broadcasters need a "story" here is how it plays out:

Victim: young woman, stymied by Ubuntu Linux, has education and career aspirations dashed by evil computer vendor.

Villain: Dell Computer, for sending her an evil and oppressive operating system that she cannot use.

The real story: Her ISP (Verizon) wanted to send her a Windows driver for her internet connection (802.11). It probably would have worked without any drivers, but the ISP help desk was also looking like a deer in the headlights at a consumer with Linux.

The bottom line: Taking an online course requires you 'get online.' The use of Ubuntu, IMHO the easiest OS to use (yes, even for Mac users), didn't really cause the problem, the people who could/should have helped this user caused the problem. They only know the scripts.

The support mechanisms for Verizon, Dell, and even the college could have easily guided her to get herself going. What was lacking was some local help (e.g. ask your friends, family, or even a friendly member of the Geek Squad).

This would never happen to a Case student. You'll always have others around to ask, and they'd love to help.

The message is from a "Professor David Hill" soliciting students to participate in a job marketing "opportunity."

The message arrived from a source in Bulgaria, not a hotbed of internet research, and is most likely a prequel to additional social engineering.

Click Delete.

Lux

The Ten Cannots

You cannot bring about prosperity by discouraging thrift.
You cannot help small men by tearing down big men.
You cannot strengthen the weak by weakening the strong.
You cannot lift the wage earner by pulling down the wage payer.
You cannot help the poor man by destroying the rich.
You cannot keep out of trouble by spending more than your income.
You cannot further the brotherhood of man by inciting class hatred.
You cannot establish security on borrowed money.
You cannot build character and courage by taking away men's initiative and independence.
You cannot help men permanently by doing for them what they could and should do for themselves.

-- Rev. William John Henry Boetcker, 1873

Information Security should be built on these key "Cannots" and I'll add a few of mine own:

You cannot protect all data everywhere by spending on technology alone.
You cannot defend a network from attack with out the understanding and cooperation of your users.
You cannot manage risk by avoiding all risk.
You cannot implement a technical security control without a policy and business rule that directs it.

Each of these "Cannots" identifes a particular equilibrium of processes, and as we look at making changes, hopefully for the better, we will do well to ascertain the side effects.

Dear Mordac,
Case is using an annual change cycle to prevent account sharing, and undected theft. There was a case of a former student who figured out his former classmate's password and was using it to do nasty things in her name. She had never changed it. Now you've got to protect your password or your academic record is at risk. The good thing for students, faculty, and staff at Case is that we've raised the bar. You will be expected to memorize a new password every year. I've met people who change majors more frequently. This will net you an advantage in the job market where these things happen every 45 to 60 days.
Maybe I can ban "Post It" notes via another Big Brother policy.

If you are lucky, you'll get job, and a job with a firm that has a system that uses 2-factor authentication. That is an investment that I've seen significantly reduces the instance of account compromise to near zero.

If you look up the foundational work of George Miller, you'll learn that the key to short term memory, in the case of passwords, is to "chunk" the information into 7, plus or minus two, bits of information. Using a phrase is the same approach to learning a group of words. If you need to remember a new password, link the code to something you know. And as most Case people, you'll likely have a strong visual element to your learning, so I suggest a map.

If you map out an imaginary path between buildings on campus where you have classes, which is something unique to you and it will change as your schedule changes, you could use the path between buildings as your password guide. You might start at Cutler, go to Leutner to fill you gullet, first class at SAGES (Crawford), then to Rockerfeller, then off to a workout at Veale, then to KSL for some study time. So you build a chunked phrase, "Cut to Leutner for food and to Craw the Rock and Veal," condensing to a password of "Cut2L4f00d!" or "cUtlEut^cR4w".
Then you tie your memorization to something easily linked or chunked.

Sincerely,
Lux

He get 3 months in jail.

He is fined $30,000.00

He owes the university $6,100.

He will never work in the IT industry, or the financial services industry, or for NASA, but he could become an author.

There is no "scared straight" program for students who come close to cybercrime. Maybe this could be a start.

When this was first reported, I thought it was going to indicate that personal information was leaked from a university-owned data source, but it turns out that the common factor among these students was their health insurance provider. Pretty much all the information needed to conduct this type of fraud, the filing of electronic tax returns, is maintained by health insurers.

According to the recently published "2008 Data Breach Investigations Report" by the Verizon Business RISK Team, key statistics of the 500 breaches studied had:
18 percent of the breaches studied were caused by insiders
30 percent involved multiple parties
39 percent were implicated by business partners
79 percent resulted from external sources

Without any facts at hand particular to the case, this looks to me like an "all of the above" incident.

In comparison to the data breaches of thousands or millions of personnel records, which are often observed as the result of a stolen laptop or server break-in, the actual impact to the victims is not easily measured. In this case, a relatively small group of persons experienced a tangible impact.

This type of data breach with resulting fraud commission highlights the increasing value of data, and reminds me that there is palpable risk in the IT operations between business partners and universities. As more economies of scale improve for data handling and service outsourcing, attention to the basics of security and information handling are well justified.

Identity Theft Mini-Quiz: True or False?

1. There is a higher incidence of identity fraud today than in past years.

2. There are more victims of identity theft and fraud today than there
have ever been before.

3. Identity fraudsters are stealing record amounts of money from their victims.

4. Most identity theft and fraud occurs online.

Read on to see the answers:

The SANS Internet Storm Center lists details, but users should be aware of unsolicited email messages with a link to web sites with an executable called "happy2008.exe" which will infect a windows-based client. The ones we've received seem to be sourced from consumer home-machines, examples of Storm Worm infected hosts.

Some of the messages have a link to a site: www.merrychristmasdude.com.

Despite the majority of compromised systems on campus being Win32 based, there are still unix/linux hosts that get '0wn3d' by remote attackers.

As users are beginning to use Ubuntu and other linux distributions, these steps are going to be necessary for all academic users.

The SANS site 'Handlers Diary'gives weekly security topics that are submitted by readers

For those fortunate enough to have survived an infection, this site also has a great guide for preventing re-infection.

Yes, it is windows-centric, but that is were most of the problem exists today.

It is somewhat unfortunate that the 'wild west' still applies to netizens, but take this as a learning opportunity.

There are various flavors of online resources, but just about anybody can start with with security awareness sites.

Newsletters

The SANS Institute has a newsletter called Ouch! which I regard as an extremely well done security awareness guide which covers a spectrum of users (home user, enterprise user, corporate user, etc.). SANS also has a portal where a person can create a user account and customize what they would like to see from SANS, including the web seminars, and articles from the Reading Room.

Technical Articles

The next layer for learning is in network understanding. A focused security portal could add the dimension to your knowledge: www.seurityfocus.com. There are also some great items in the Foundations area, where I recommend all those interested in understanding security issues get some grounding in TCP/IP.

SANS also has the Reading Room where people have published their research papers and white papers as part of their certification activities. These are very broad ranging, and can be helpful in anchoring some of a person's current experience into security layers. I also regularly check out the Special Papers room as well for choice tidbits.

Greater detail can be gleaned from the Computer Emergency Response Team CERT site, in particular the Virtual Training Environment or VTE.

In light of the TJ MAXX (TJX) breach of credit cards, which is clearly a fraud case with measurable impact, it is still pretty hard to determine if recent data losses result in measurable and confirmed cases of identity theft.

Security Myths Myth: I don't have to worry about identity theft because I never buy anything online using my credit card.

Truth: Not so, says, the 2006 Identity Fraud Survey Report, released by the Council of Better Business Bureaus and Javelin Strategy & Research.

Most personal information compromises--90 percent--take place through traditional offline channels and not via the Internet. Lost or stolen wallets, checkbooks, or credit cards continue to be the primary source of personal information theft (30%). Almost half (47%) of all identity theft is perpetrated by friends, neighbors, in-home employees, family members or relatives--someone known to the victim. Persons 65 years and older have the lowest rate of identity fraud (2.3%). The majority of victims are between the ages of 35 and 44, and within that group, the average amount of the fraud is $9,435 per incident.

Take the Quiz: http://www.bbbonline.org/IDTheft/safetyQuiz.asp

Case has an Identity Protection Guide where instructions for managing your credit reports and records can be found.