Wednesday, June 28, 2006

Secure the Damn Data Already

Your Data - Your Choice - Your Security


Hardly a day goes by that we don’t hear about a Government Agency, Corporation or other entity losing a device with private data. Most, if not all, of this data is confidential and should never be on a non-encrypted or non-secure portable disk; however, this is the world in which we live. Data Analysts need to take their work home. Business Managers need customer and sales data for planning, forecasting and business modeling. Even on a personal level, we often need to transport files from PC to PC or synchronize data among multiple platforms - laptop, desktop, etc.


Your data is valuable. Your data is in demand. Your private data is everywhere.


From the purchases you made using the “Club Card” at the local supermarket to the last oil change you had done at the SuperCenter, the plane ticket you bought online, and even the last pizza you ordered from the national chain, little pieces of your life are recorded, quantified and analyzed. It’s a process called “Data Mining”. Data Mining is used to establish probability grids and forecast future events based upon known factors and trends within the data.


For instance, if you own a coffee shop and you know that customer X has bought an average of 6 drinks a week for the last 3 months, but now buys only 1 or 2, wouldn’t you as a business owner want to know why? Maybe Customer X found a new coffee shop or has changed his patterns based upon a new job, commuting route, lifestyle change, or other event. Maybe the change coincided with a change in staff who didn’t have the same training on making the product the way the customer was used to.


Likewise, if you managed the local supermarket and knew that your “Club Card” members buy 1000 boxes of toasty flakes during certain periods of the year, and you are forecasting purchasing decisions for products that are perishable, you would probably look at the data over time to establish trends and develop a probability scale for the sell-through of an upcoming promotion.


Similarly, health care providers, insurance companies and employers can analyze the usage of drugs to treat disease, alternate treatment options, patient recovery rates, patient satisfaction and other factors to formulate new and streamlined treatment methods and to reduce or contain costs.


By analyzing trends in the data and looking at your own business model, you can determine pretty accurately what is going on and make changes to your buying patterns, advertising, promotion, training, product offering or customer service to improve the efficiency and profitability of your operations and retain a loyal customer base.


There are several basic kinds of data and for the purposes of this article we will only touch on a few - Personal, Empirical, Aggregate and Summary Data. Each has its own value both to the person that gives up the data and the person that is using the data.


The most valuable one for all parties is Personal Data. This includes information such as your name, address, credit card, ID number, email address, medical records, receipts, bills, income, expenses, spending habits and other uniquely identifiable data. Personal Data is highly prized by commercial and government elements because it can be used to increase profitability, streamline operations, quantify habits, establish patterns and make unique predictions about individuals and how they live. With this information you can specifically market to an individual or group and offer a product or program that meets a specific need. The Criminal element loves this data too because it is rich with personally identifiable information and can be used to open fraudulent bank accounts or credit card accounts, or to use the data in other ways in Identity Theft schemes.


The second type of data is Empirical Data - this is data that is gained through observation or recording of events without personal involvement of the individual in providing the data. An example of this would be sitting outside of a competitor's store and counting the number of individuals entering or leaving with purchases over time, or viewing other events as they occur and recording the results.


Combining Personal and/or Empirical Data in a group (or Data Set) we get Aggregate Data or Summary Data. Aggregate Data is simply ALL of the data, generally segmented by individuals or groups, whereas Summary Data is generally only a small subset or group of the data rolled up into summarized form. Aggregate Data is used by data miners to search for specific anomalies within trends, changes in specific groups' patterns, quantifying individual customer value, or other questions that require the entire data set to model against. Summary Data is generally only a small subset of the aggregate and is used for planning, simple modeling and other general research.




No matter what business you are in, it is all about the Data. Your Data. Exactly how much of this data you are willing to give is up to you, but some, if not most, of it can be gleaned through empirical means and recorded or, worse yet, purchased from Data Mining Companies without your express consent or knowledge.


Some privacy advocates decry this as an Orwellian threat; however, there are some things that you can do to protect yourself, and there are substantial laws already on the books and financial industry guidelines to protect individual data.


Government regulations including HIPAA (Health Insurance Portability and Accountability Act) and other Federal, State and Local laws regulate the secure access to ANY individually identifiable data held by Healthcare Professionals, Employers, Banks, Financial Institutions, Brokerage Houses, and just about every other type of entity that stores or uses this data. There are heavy financial penalties and JAIL time for these offenses (or so we are told). Yet NO ONE is holding any person or organization accountable for their rampant stupidity, ignorance of the laws and incompetence.


Visa for example has had the CISP (Cardholder Information Security Program) since June of 2001 that requires that merchants:



  • Build and Maintain a Secure Network
  • Protect Cardholder Data (Including Transmission and Storage Encryption)
  • Maintain a Vulnerability Management Program (Test their networks for intrusion)
  • Implement Strong Access Control Measures (Including Restricting Physical Access To Cardholder Data)
  • Maintain an Information Storage Policy that complies with secure storage and access to customer data.

Newer and more stringent guidelines from Visa and other card processing companies include that NO individually identifiable card numbers are left on unencrypted systems and that individually identifiable data is protected from breaches in security.


So when Hotels.com lost the customer and credit card information of customers who purchased through its website in 2002, 2003, 2004 and 2005 - data stored on a laptop with a non-encrypted hard drive that an Ernst & Young employee left in an automobile - it was in clear violation of their agreement with Visa. It was also a clear violation of the law. At the very least the data should have been encrypted and protected by strong password security, but evidently it wasn’t.
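What "encrypted and protected by strong password security" means in practice for a file that travels on a laptop or external drive: the file is sealed with an authenticated cipher under a key derived from the password, so a thief who takes the device gets nothing readable and cannot tamper with the contents unnoticed. The following Go program is an added example written for this page; it is not code from the post or from iQBio, and the product announced below uses fingerprints rather than passwords. It assumes only the Go standard library, which is why PBKDF2 (RFC 8018, HMAC-SHA256) is written out inline; the customer record it protects is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16     // random per-file salt so equal passwords give different keys
	nonceLen  = 12     // AES-GCM standard nonce size
	keyLen    = 32     // AES-256
	pbkdfIter = 200000 // slows down offline password guessing against a stolen file
)

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018 PBKDF2 with HMAC-SHA256).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Seal encrypts plaintext under a password. Output layout: salt || nonce || AES-256-GCM ciphertext+tag.
// The salt is also bound as associated data so a swapped header is detected on decryption.
func Seal(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(password), salt, pbkdfIter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(header, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong password, a truncated file or a single flipped byte all fail authentication.
func Open(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag
		return nil, errors.New("encrypted blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	key := pbkdf2SHA256([]byte(password), salt, pbkdfIter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample record; 4111 1111 1111 1111 is a well-known test card number, not a real account.
	record := []byte("name=J. Doe;card=4111111111111111;exp=06/08")
	blob, err := Seal("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("card number visible in sealed file:", bytes.Contains(blob, []byte("4111111111111111")))
	_, err = Open("wrong password", blob)
	fmt.Println("wrong password rejected:", err != nil)
	pt, _ := Open("correct horse battery staple", blob)
	fmt.Println("round trip ok:", bytes.Equal(pt, record))
}
```

The design point is that the key never lives on the device: it is rebuilt from the password each time, so a laptop stolen from a car yields only salt, nonce and ciphertext. Authenticated encryption (GCM) is chosen over a bare block cipher because an attacker who cannot read the file should not be able to modify it either.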


Again, when Marriott lost the same type of data in January 2006 from customers of its time-share division, they simply gave customers a phone number and web address to “find out more information”. Worse yet, IBM lost an un-encrypted hard drive with the personal data including BANK ACCOUNT information of 180,000 of their clients. Yet no one is holding these companies accountable for serious breaches in security, lapses in judgement and just downright stupidity with regard to their stewardship of client data. Here are a few more Gems from just the last few months:



Enough Already - SECURE YOUR DATA. Secure your Customers Data. This stuff is out there, it is valuable. The devices are disposable but the data isn’t.


Today, iQBio, Inc. is announcing the latest in our secure storage series of products that incorporates AES Encryption and Fingerprint Recognition to secure Portable Data. Introducing the iQBioDrive - a 100GB external hard drive that encrypts and secures your data using your fingerprint. Read about this product and don’t take chances with your data.

Monday, June 26, 2006

SPP Could Mark the Single Greatest Threat to Our National Security

Hello there - allow me to introduce myself. I'm Joe Small Business Owner - Mr. Middle Income American Tax-Payer. Remember me?


I am not a Xenophobe nor am I under the mistaken belief that no-one but an American can build a quality product.


I believe and practice the theory that "Global Trade" should mean that everyone benefits - and that markets are open to goods from both directions. Sadly this is not the case most of the time...maybe I am a bit of a pollyanna.


This is the point in the commentary that I must tell you that I am engaged in import and export of products that cannot be competitively manufactured here in the USA because of the lack of industrial base and economic incentive to keep the manufacturing and technology here at home. As a security technology provider, we have to look to other countries to produce most of our solutions because our politicians have sold our souls and our technology to multi-national corporations and foreign governments under the mantra of "economic development".


Although, because of our ability, focus and our expertise, we even export our solutions to countries around the globe. Fortunately a growing number of our solutions will be made or at the very least assembled in the USA. We are working with our partners to grow this list of solutions daily. Thankfully we still employ a local sales force and support staff here - not in a third world sweatshop. We try to keep as much of our focus on people and their benefit, but damnit, it is getting more difficult.


I know we live in a Global Economy, with vast and furious market forces and a cross-border ebb and flow of capital that must be managed through cooperation and collaboration, not simply a sell-out, especially a sell-out that has been going on quietly for the last several years in the deepest corners of our government. Welcome to the SPP - The Security and Prosperity Partnership of North America. http://www.spp.gov - that's right, .GOV! The United States Government, under the guise of the Commerce Department, has quietly and unilaterally, without the approval of Congress or the States, instituted a program that quite simply put plans to "eliminate all borders" between the US, Canada and Mexico for the purposes of their so-called "Prosperity Agenda".


Item one on the Prosperity Agenda - Improving Productivity - Whose productivity are we actually going to enhance? The United States is already losing American Jobs by the thousands daily to our dear friends in Mexico and other third world nations because of their low wages, rampant corruption, environmental abuse and lax government regulations. Although Mexico is not a member of OPEC, Mexico has some of the world’s richest deposits of Oil and exports of petroleum account for over 10% of Mexico's export earnings, yet even with these riches, the Mexican economy is so bad that their citizens are over-running our borders looking for minimum wage jobs. With regard to productivity in Mexico, the Maquiladoras (or "export processing zones" as they are known) have been operating since 1965 all along the border with the USA. These zones produce consumer products by US Companies who pay their employees in these sweatshops as little as $6 per day for distribution to the USA under NAFTA with little regard for the environmental, personal or economic tragedy they are inflicting upon both nations. The Maquiladora allows the US Company to take advantage of low cost labor, lax regulations, brutal enforcement of its agenda and minimal oversight to cut costs which in this case means cutting their number one expense - Labor (That means PEOPLE) - yet like we're jacked up on this heroin and looking for our next fix we are injecting this crap as fast as our politicians can give it to us. These politicians are quite literally sacrificing our families, friends and neighbors on the altar of increased profits as soylent green for the corporations and placating a voting block to solidify their own lust for power.


The US Department of the Treasury's own website points out some of the chief benefits of this program by lowering costs of labor and heck, our government even gives the companies a tax break for exporting the machinery and raw materials to make the products - what a bargain! Does any rational human being believe that these multi-national corporate interests focused on the "bottom line" will improve people’s lives or improve productivity at the expense of investment in PEOPLE, PLANET and PROSPERITY? This gift to the corporations is simply a shell game to hide their greed and cloud our vision. Move the shell again, we got a glimpse of where the pea is hidden. You remember the mammoth American companies like Bethlehem Steel and others that used to have high paying manufacturing and engineering jobs for folks here at home? - Well, they don't exist anymore or at the very least are on life support. Most of these companies have a DNR order faxed in from their Bermuda, BVI or Cayman Headquarters.




These high skilled and high wage jobs are "outsourced" to the Maquiladoras dotted along the southern US border just far enough inside Mexico to avoid US Law. These factories are usually run by the US Company in concert with a Mexican contract partner that actually manages the factory. This way the US Company can feign ignorance when their "partner" beats an employee or violates a minor safety protocol that kills or injures a worker. Some of these partners are brutal or even criminal in the way they treat their employees, in the environmental negligence that is creating "a virtual cesspool and breeding ground for infectious disease" that lines our national border to the south, and in a society rife with corruption, influence peddling, intimidation and yes, even murder.


Let's look at their second objective - to reduce the cost of trade through the "Efficient movement of goods and people". I doubt anyone would deny that the US/Mexico border is already extremely efficient at moving people and goods, especially when it comes to traffic in illegal aliens, drugs, fake Guccis or other contraband. Now the US Government is quietly implementing "six FAST/Express lanes at the US-Mexico border, a new lane in Nogales, and (they) are working on a project for a lane in Matamoros" to move these people and products faster into the USA without any serious regard for national security, legality or social morality. While the working people of our country are clamoring for the government to put up a fence and patrol the border to protect our national sovereignty, our government is going behind our back and putting in a super highway as wide as two football fields from Mexico to Canada to expedite the invasion.


And for the final objective of the program - this is laughable - to "Enhance the quality of life". If working at W__Mart for minimum wage, 31.5 hours per week without paid benefits, buying cheap, foreign made consumer goods is your idea of an enhanced life - brother, you got your dream come true! Always at a low price and high cost - Siempre! The focus of this program is to provide quick access to the US market for cheap labor imports that compete directly with goods made in this country and to make it easier for the US to rationalize illegal immigration through the "strengthening (of) the integrity and security of asylum and refugee status" from Mexico ... or maybe they were talking about the refugees from Canada?


Which reminds me - Even when we get done with a very menial examination of our Mexican partner, we haven't even looked at our rock solid ally to the north - Canada. Canadian government policy is directly responsible for lax immigration that allowed Ahmed Ressam to come to our shores to try to blow up LAX in 2000 and many other breeding grounds for terror. Canada is the preferred destination of those wanting to set up a terror cell. For an interesting read about these policies and effects within our neighbor to the north, a country that exports more than just Celine Dion, Hockey and Maple Syrup, read this report from the investigation arm of Congress. And please, please don’t let us forget the Language police, Merci.


This SPP program is bad for business, bad for Americans, bad for our national identity, bad for our national security and bad policy for BOTH of our neighbors - except the VERY wealthy and of course the politicians that have again divided us and solidified their voting block for the next National Election. But hey, we junkies did just get a new syringe.

Sunday, June 11, 2006

VA To Recall All Laptops After Data Breach

VA To Recall All Laptops After Data Breach (TechWeb: Security)


By Gregg Keizer, TechWeb News


The Secretary of Veterans Affairs (VA) on Thursday told Congress that his agency will take a number of security-related measures, including recalling every laptop in its inventory, to make sure the loss of 26.5 million veteran and active-duty personnel isn't repeated.


In testimony before the House Government Reform Committee Thursday, James Nicholson said that during the week of June 26, all laptops will be returned to the VA for a security review. Additionally, no personal laptops or desktops will be allowed to access the agency's network via VPN (Virtual Private Network) connections.


"VPN settings will be changed every 30 days, forcing laptop users to return the laptop to VA for updating and security screening," Nicholson said in his prepared statement read to the committee. That same week every VA facility -- in Nicholson's words, "every hospital, CBOC, regional office, national cemetery, field office, and VA's Central Office" -- will close in a "stand-down" he called "Security Awareness Week." During the week, VA managers and supervisors will "review information security and reinforce privacy obligations and responsibilities with their staff," he added.


The various initiatives are in reaction to the May 3 burglary of a VA data analyst's home in which a laptop and external hard drive containing 26.5 million identities were stolen. Since then, Congress has held several hearings on the data breach, and new information -- including the fact that 80 percent of active-duty military members' data was among that stolen -- has come to light. Nicholson has also done some personnel housecleaning. The data analyst's supervisor, for instance, has stepped down, while another high-level official in the agency has been placed on administrative leave.