A story in the Fairview Observer illustrates a number of problems that plague more than just small county election offices.

In Davidson County, two laptops were stolen from the offices of the election commission. One of the laptops had a password taped to the top, though the election administrator, Ray Barrett, claims that it was an old password that had been changed. The other laptop was claimed to be broken. These systems were not secured - no hard disk encryption, no physical isolation - and contained approximately 337,000 Social Security numbers.

The Mayor has called for a government-wide security audit, but that may do little to allay the fears of voters and voter watchdog groups. Without encryption, the data on the disks inside those systems is completely accessible to the thieves. Beyond the PII loss, there is also a concern that the voting machine ballot testing software may also be loaded on the systems, potentially putting election results at risk.

There are reports that the security guards ignored their duties the night of the break-in and, in an audit of the access card key swipes, it was discovered that no guards had been watching the building at all on Saturday nights through early Sunday mornings for months.

What could they have done to prevent this?

• Physically secure the portable computers
• Employ full hard disk encryption
• Maintain an accurate and up-to-date inventory of what data and applications reside on all systems
• Never tape passwords/passcodes/passphrases to machines
• Have a tested incident response program in place
• Perform regular audits of the physical security controls

Would it have been *that* hard to lock the laptops in a desk or cabinet? Is hard disk encryption *that* expensive or difficult to employ? In such a small environment, is maintaining an asset database *so* time-consuming and intensive to make it not worth doing? Is it completely unreasonable to expect folks to remember a password? Should an organization not already be making sure outsourced functions are meeting expectations?

The only area that I am willing to give them a "bye" on is that of incident response procedures, and even that is not too difficult to get a handle on.

Unfortunately, Fortune 500 corporations make the same mistakes. Security is not that difficult, yet most folks pay little-to-no attention to even the fundamentals.

If someone broke into your store/small business would you have fared better than the Davidson County officials?

Hey folks... The last day of the year begins with an early roundup of some interesting bits from around the internets:

• If you think you're safer using your credit card at a restaurant than over the Internet, you're very, very wrong. You need to read this one.
• How exactly does 14,800 pounds of ground beef go missing? (Brings new meaning to "Where's the beef?")
• Maybe the DHS should stop oppressing the average folks and take a look inward instead.

When NPR decides to delve into the murky waters of security and technology, professionals should probably take some notice:

• Marketplace reported (wait a bit for the audio associated with that blurb to be posted) on the increased dangers of identity theft predicted for 2008.
• NPR's Morning Edition also covered identify theft and gave a brief nod to Netscape Navigator's demise.
• At the peak, Amazon was selling 17 Wii's per second this Christmas. That's quite a bit of Wii.

It's a gorgeous day out here and the posts may be few and far between for the rest of the day. Mary & I will be taking some time alone at Monsoon tonight and I'll be sure to post some comments on the cuisine.

One last note is that EVE Online looks amazing on a 46" Sony Bravia LCD HDTV. Booted Windows XP on the MacBook Pro and hooked it up with a DVI-to-HDMI cable, piped the stereo out to the receiver and worked the controls with Apple's Bluetooth keyboard (old school) and a Logitech wireless mouse. The Trinity expansion with the enhanced graphics make it look like you're watching a movie. Great fun!

Happy new year everyone!

The House introduced H.R. 4791 this week (these things have a way of cascading into the private sector, so it's good to watch what they're up to). Some "highlights" include:

• expands the definition of PII
• formalizes data breach/loss reporting requirements
• mandates encryption and/or obfuscation of records containing PII data
• requires keeping an accurate & current list of systems with PII data at rest or in transit
• outlines notification requirements
• forces protection on mobile devices
• ensures remediation plans are followed when gaps are identified
• *requires a yearly PII audit*
• extends the requirements to contractors that host or process PII data for the govt
• establishes many, many rules with data brokers

If made into a law and applied to private companies, this could generate a slew of additional work for anyone who isn't already doing all they can to protect our personal information.

I'm still trying to figure out why UK driver records were in *Iowa*. No presidential/caucus monkey-business, I'm sure...

From the Times Online:

The personal details of three million UK learner drivers have been lost in the American state of Iowa, the Government announced tonight.

Ruth Kelly, the Transport Secretary, told MPs this evening that the data was housed on a hard drive in the Iowa City offices of Pearson Driving Assessments Ltd, a company employed by the Driver and Vehicle Licensing Agency.

...

The learner drivers information went missing when the hard drive was lost in May, Ms Kelly said. The records contained the name of the test applicant, their postal address and telephone number but no details of any individual’s bank account or credit card.

Lost in May, reported in December? Egads! Given the strict regulations that many US state DMV's have on how their data is handled, I'm very surprised that the UK did not impose similar control requirements. C'mon people. It's just not that hard.

[props to DHS]