[ISN] State's laptops vulnerable?

From: InfoSec News (isn@private)
Date: Tue Jul 04 2006 - 22:10:49 PDT


http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/07/03/20060703-C1-00.html

By Randy Ludlow
THE COLUMBUS DISPATCH 
July 03, 2006

Data thieves don't always sneak in through a digital back door.

Sometimes, their work is decidedly low-tech, such as strolling through
a real door and snatching a laptop computer.

In Ohio, some state agencies and universities appear to be lagging the
technological curve as the federal government tightens the security of
data on portable computers.

The feds' action was prompted by the lifting of a laptop and external
hard drive, recovered last week, that held the Social Security numbers
of about 26.5 million military veterans.

New security guidelines require civilian agencies to encrypt sensitive
data to make it nearly impossible to steal identities should laptops
and handhelds disappear.

Among a sampling of state agencies handling personal information on
millions of Ohioans, only the Department of Taxation boasts of nearly
impenetrable data encryption.

The Department of Job and Family Services and Department of
Administrative Services are planning to encrypt data, but are not
there yet.

Ohio State University and Ohio University also do not use scrambling
software on portable devices, but appear to be on the verge.

Securing portable data appears to have evolved slowly in Ohio, said
Marc Mezibov, a Cincinnati lawyer who is suing OU and the Department
of Veterans Affairs over data thefts.

"I'm sure there will be a lot of finger-pointing and wondering why
some of these institutions and organizations are behind the curve," he
said.

State agencies and contractors have been handed a financial incentive
to encrypt data under a state law that took effect early this year.
They can escape mandatory, costly notification of data-theft victims
if the data is encrypted.

The Ohio Office of Information Technology prescribes minimum security
standards for state computers and encourages that they be exceeded,
but does not require the use of encryption software.

With Social Security numbers and employment, investment and income
information, the tax collectors hold the most far-reaching personal
information of any agency.

The data, says taxation spokesman Gary Gudmundson, is encrypted with
state-of-the-art software on both servers and laptops, and is
considered virtually hack-proof.

Four state laptops used by taxation employees were stolen during the
past three years, but only one contained data on individual taxpayers,
he said. That computer held information on an audit of one taxpayer,
but it was deemed inaccessible because of encryption, he said.

The Department of Job and Family Services works with personal data
involving welfare, Medicaid, child-support and unemployment
recipients.

Plans call for installing data-encryption software on portable devices
before the end of the year, spokesman Dennis Evans said.

Only one department laptop with personal information - on 20 Medicaid
recipients - has been stolen. It was taken from an employee's car in
December 2004, prompting a directive not to leave computers in
vehicles, he said.

The Department of Administrative Services functions as the centralized
human-resources office for the state and handles other sensitive
material involving state contracts and bidding.

It, too, is moving to add encryption software to its list of security
features protecting laptops, said spokesman Ben Piscitelli. No
computers with personal data have gone missing.

Ohio State and OU do not require encryption software to protect
sensitive information on laptops, but are studying a move toward such
protection, officials said.

OSU is working with a consortium of Big Ten and other universities to
identify best practices, likely to include stepped-up security, said
Robert Kalal, director of information technology policy and services.

OU has made headlines with a series of computer security breaches in
which hackers stole vast amounts of personal information, including
Social Security numbers on more than 173,000 students, alumni, faculty
and others.

Neither university has experienced the theft of laptops containing
personal data, officials said.

What about the Bureau of Motor Vehicles and its voluminous files on
drivers and online vehicle registrations involving banking
information?

The bureau does not allow any sensitive information to be stored on
laptop computers or other portable devices, spokesman Fred Stratmann
said.


