PI Newswire

Content aggregation for the investigative professional


Search Results: confidentiality

Espionage suspect Nigel Stepney sentenced

Posted on September 29, 2010

According to Reuters, former Ferrari engineer Nigel Stepney has been sentenced to 20 months in prison for his role in the 2007 “Stepneygate” affair, in which confidential technical information was passed from Ferrari to McLaren.

The scandal came to light after the 2007 Monaco Grand Prix, when a white powder was discovered in the fuel tanks of the Ferraris of Felipe Massa and Kimi Raikkonen, who finished the race in third and eighth positions. After police searched Stepney’s house in England, Ferrari fired the engineer, charged him with technical theft and obtained a search warrant. The Briton was then questioned by Italian police in an industrial espionage investigation while on holiday, and speculation grew further when Stepney revealed his association with senior McLaren engineer Mike Coughlan. As a result, McLaren was required to supply the Fédération Internationale de l’Automobile (FIA) with all upgrades to its chassis since the Monaco race. Stepney later admitted to having had access to McLaren’s setup, pit-stop and weight-distribution data during the 2007 season.

McLaren’s offence landed the team with a $100 million fine and exclusion from the constructors’ championship, but Stepney and Coughlan were allowed to continue working, though the FIA discouraged teams from employing them. Stepney eventually issued an apology to the FIA and acknowledged the allegations, while the High Court case in England was dropped after Coughlan reached a settlement with Ferrari.

Despite the FIA closing the case, the Italian court in Sassuolo pursued the matter and reached an agreement with Stepney’s lawyers on a fine of 600 euros and a 20-month prison sentence. Given the workings of the Italian court system, it is unlikely that Stepney will actually serve the sentence, although further details are expected.

View Source…

Is your PC a sitting duck for hackers?

Posted on September 23, 2010

How confident are you that your computer is safe from an online attack?

Chances are you rely on vendors like Microsoft and Apple to let you know when a security update is ready to be installed. (Google updates systems automatically.)

But until a patch is released, that hole, known as a zero-day vulnerability, in effect makes your computer a sitting duck for anyone who writes an exploit for it and bothers to distribute it via e-mail and drive-by downloads on Web sites.

eEye Digital Security launched a Web site yesterday that lists current zero-day vulnerabilities and offers an archive of ones that have been patched. The Zero Day Tracker compiles information on publicly disclosed security holes and provides details on them, including what software they affect, how severe they are, the potential impact, and suggested workarounds and other protection techniques.

Marc Maiffret, co-founder and chief technology officer of eEye, describes the free site as a “one-stop shop” for zero-day information.

“For the longest time the only company that would notify you about zero-days was Microsoft, and recently Adobe has started doing that,” he said. “But there are still many other companies that have zero-day vulnerabilities that go unreported.”

The most widely used database of software vulnerabilities is the National Vulnerability Database sponsored by the Department of Homeland Security’s National Cyber Security Division/US-CERT and run by the National Institute of Standards and Technology. There is also the Open Source Vulnerability Database, the US-CERT Vulnerability Notes Database and one run by SecurityFocus. But you have to do some digging on the sites to find the vulnerabilities that are unpatched.

Read more…

Lucile Salter Packard Children’s Hospital at Stanford University has been fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.

Under state law, that amount is the maximum penalty allowed for failing to report such an incident, according to Ralph Montano, a spokesman for the California Department of Public Health. The penalty is assessed at the rate of $100 per breached patient record for every day of delayed reporting after the first five days, he said.

These failure-to-notify penalties are unique in the country, according to officials at the National Academy for State Health Policy. So far, state health officials have issued more than $1.8 million in fines against 143 hospitals that failed to report an adverse event, such as a breach of a medical record, a wrong-site surgery or a foreign object left inside a surgical patient.

State officials on Thursday released a document, called a “2567,” summarizing the results of the state’s investigation of the Lucile Packard incident. It said an unauthorized hospital employee and her husband, another employee, were observed Jan. 5 in the hospital’s Heart Center removing a computer that contained protected health information on 532 patients.

Read more…

Computerworld – The Lucile Packard Children’s Hospital at Stanford University is appealing a whopping $250,000 fine imposed by California Department of Public Health (CDPH) for its alleged delay in reporting a data breach that exposed confidential patient data.

In a statement Thursday, the hospital contended that it had reported the breach in accordance with requirements.

“We are appealing the timeline,” a hospital spokesman said today. He added that the breach was self-reported by the hospital to CDPH.

The fine was levied in April under a state statute passed in 2008 that allows state agencies to, among other things, penalize organizations that fail to report data breaches as required by the state.

Under the statute, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.

A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. The hospital was assessed the maximum penalty, the spokesman said.

The breach occurred on Jan. 11, 2010, when a computer containing protected health information on 532 patients was stolen from the hospital’s heart center by an employee, according to CDPH documents.

Read more…

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of “physician, heal thyself,” the agency, which forms the operational arm of DHS’s National Cyber Security Division (NCSD), failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes.

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

Read more…

This is a true story: In 2008, the Newfoundland and Labrador government exposed the personal information of more than 150 people over the Internet for a period of more than three weeks. The data breach was caused when an outside consultant installed LimeWire, a popular file-sharing program, on a laptop computer that was being used to work with data for the Workplace Health, Safety and Compensation Commission. This disturbing revelation came on the heels of a similar incident that same year, in which data from the public health lab was exposed over the Internet after a consultant brought home a government-owned computer.

These events are noteworthy because a similar incident recently played out in British Columbia. Last week, the B.C. Lottery Corp.’s online casino PlayNow.com was shut down hours after it was launched, because the personal information of more than 130 people had inadvertently been shared with other customers on the website. The problem was apparently caused by a “data crossover” that made names, contact information and, in some cases, credit card and banking information visible to other gamblers.

This incident should be the tipping point in the discussion of notification and data breach, not because it was so damaging, but because our governments hold a wide variety of data about us of enormous scope and scale.

Read more…

The Justice Department has arrested 94 people and charged them in a health care fraud crackdown involving Medicare and Medicaid. Authorities have called it the largest health care sting in U.S. history. The sting was carried out in five states and nabbed defendants who had been committing fraud against the government. Federal agents say that those arrested fraudulently received $251 million in false claims from Medicare and Medicaid. Many of the services were never provided; others were unnecessary. Doctors and health care executives were among those arrested in the sweep.

“Countless Americans rely on Medicare for their well-being,” said FBI Director Robert S. Mueller III, in the Washington Post. Mueller added that the FBI and other federal agencies are determined “to stop those who would illegally manipulate the system.”

Attorney General Eric Holder and Human Services Secretary Kathleen Sebelius have stepped up enforcement against health care fraud. President Obama has said that reducing fraud is a crucial part of health care reform. The Obama administration hopes to eliminate $60 billion to $90 billion a year in Medicare fraud to help pay for the overhaul of the health care system, the Detroit Free Press reports.

Read more…

Data Theft Continues To Rise

Posted on July 20, 2010

Local Expert Supports Survey* Findings

New Zealand computer forensics experts support the findings of a recent international survey in which 35% of IT staff believe that sensitive information has been passed into the hands of competitors. Commenting on the survey findings, Brian Eardley-Wilmot of Computer Forensics NZ says that whilst human error does play a part, by far and away the biggest culprits are likely to be disgruntled employees and ex-employees. “Many companies are blissfully unaware of the risk they face when a disgruntled employee leaves the company,” said Eardley-Wilmot.

“The risk is equally high across all departments and for large or small companies.”

“Management may never know that deletion or theft of data has taken place until it is too late.”

The survey reports that databases and confidential R&D documents were the sensitive information most at risk. Equally alarmingly, there has been a major rise in IT professionals using their privileges to access confidential or sensitive information about their company’s business operations or HR records.

According to Eardley-Wilmot, databases are easy pickings, as they can be copied and taken off site by users without being seen. “Companies are lax about protecting the lifeblood of their company.

“It’s just far too easy in most companies for an employee to copy confidential data to a USB stick or email it off-site,” says Eardley-Wilmot.

He believes it is unlikely that the findings would be significantly different should the survey be replicated here in New Zealand.

Read more…

Wikileaks Reopens for Leakers

Posted on July 19, 2010

Wikileaks is back in business for leakers, with two revamped ways to submit secret documents, the group announced Saturday.

The security certificate for uploading by HTTPS has been replaced, after expiring in early June. When the old certificate expired, it disabled Wikileaks’ upload system for over a month without any notice on the site.

Those with particularly sensitive documents can also once again cloak their uploads over the anonymizing system Tor. Wikileaks’ Tor Hidden Service had been a much-touted feature of the site, but was taken down without notice several months ago.

After Wired.com reported on Wikileaks’ technical issues last month, Julian Assange, the site’s leader, said that both outages were part of an upgrade to Wikileaks’ infrastructure.

The changes and other additions to Wikileaks were announced Saturday at the HOPE hacker conference in New York City by prominent Wikileaks volunteer Jacob Appelbaum, who tacitly acknowledged that Wikileaks had been less than transparent about the outages. In a spirit of communicating more with supporters, he announced a new blog for Wikileaks, supplementing its active Twitter feed.

Read more…

LOS ANGELES (CN) – A grieving widow claims an insensitive insurance agent stood up before 250 mourners at her husband’s funeral and said, “Who would have ever thought 10 years ago, when David and Irene signed up, that Irene would be set for life at such a young age?” Irene Cervantes says the mourners were “uniformly horrified.” She sued the agent, Primerica Life Insurance and Citigroup for intentional infliction of emotional distress and other charges.

Cervantes claims that after her husband died of cancer, Anna Maria Lonigro stood up at his service at St. Cecilia’s Catholic Church and said, “Hello, my name is Anna Lonigro, and I’m with Primerica Life Insurance. I am so happy to pay out this policy to Irene. It’s the first one I’ve ever paid out. Who would have ever thought 10 years ago, when David and Irene signed up, that Irene would be set for life at such a young age?”

Cervantes adds, “The audience was uniformly horrified at Ms. Lonigro’s statements,” which she calls “offensive, false and misleading.”

She also claims that the statement violated the insurer’s confidentiality policy.

And in a final twist of the knife, the widow claims, her family believes she is “set for life,” and several of them have asked for money, which she gave them, because she feared losing the relationships if she didn’t pay.

Cervantes claims she received $140,000 from her husband’s life insurance policy. She says that, far from making her “set for life,” “this meager amount was not enough to even pay off her mortgage.”

She says that since the funeral she has not had a moment’s peace, and was deprived the chance to mourn her husband properly. She suffers from insomnia and has needed medical help to deal with the stress.

Read more…

Today the Eleventh Circuit issued an unfortunate amended decision in Rehberg v. Hodges. The case arose from an egregious situation in which, among other misconduct, a prosecutor used a sham grand jury subpoena to obtain the private emails of whistleblower Charles Rehberg after he brought attention to systematic mismanagement of funds at a Georgia public hospital.

The Court held that Mr. Rehberg’s privacy interest in his emails held by his ISP was not “clearly established” and therefore his claim against the prosecutors could not proceed. The Court relied on a legal doctrine called qualified immunity, which holds that lawsuits against government officials for violations of constitutional rights cannot proceed unless those rights were “clearly established” at the time. The Court declined to rule on whether individuals have a privacy interest in the content of their emails.

We’re disappointed in this decision. Not only is it wrong for Mr. Rehberg, who had his emails turned over to a prosecutor based on a sham subpoena, but it’s troubling for the millions of individuals in the Eleventh Circuit who have their email stored with ISPs. Our most sensitive and private thoughts, ideas and correspondence are contained in our emails. The Fourth Amendment requires judicial supervision (usually a warrant) before the government can access your personal papers in order to protect against just the sort of abuse that Mr. Rehberg suffered — a rogue government official seeking to get your emails from your ISP with no court oversight and then turning them over to others who seek to harm you.

Read more…

SAN FRANCISCO – eBay has been slapped with a $3.8-billion lawsuit by a company that claims the online auctioneer stole its ideas for online payments and then tried to patent them as its own, according to a news release for the plaintiffs Wednesday.

In the lawsuit, lawyers for XPRT Ventures claimed that it shared details of its online payments system with eBay after eBay signed a confidentiality agreement, only to find that the retail giant later applied for patents on the same technology. The application was denied because of XPRT’s prior patents, the lawsuit said.

The lawsuit also named PayPal and other eBay subsidiaries, BillMeLater, Shopping.com and StubHub, as defendants.

eBay said the case was without merit.

“We are reviewing the complaint filed today,” an eBay representative said. “We believe it is without merit, and intend to defend ourselves vigorously.”

View Source…