UCLA Breach of Encrypted Drive

Here’s an interesting breach notification case from 2011.

The UCLA Health System is notifying thousands of patients by mail that on Sept. 6, 2011, an external computer hard drive that contained some personal information on 16,288 patients was among a number of items stolen during a home invasion. Although this information was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located. There is no evidence suggesting that the information has been accessed or misused.

And now for the punch-line:

The individual whose hard drive was stolen left employment at UCLA in July 2011.

It was their own personal hard drive holding three years of data. It is hard to say which is worse: that a current employee is this careless with the password to encrypted data, or that a former employee has retained the encrypted data along with a password that still decrypts it.

Kudos to UCLA for their reporting (a better response now than what we saw from them in 2008, which resulted in AB 211 and SB 541).

I suspect they will be looking at whether large data sets really need to live on personal removable equipment at all, rather than being accessed remotely on virtual desktops, and at how they should rotate or expire encryption keys. My guess is the user was given the encryption capability for the data by UCLA, so their key should have been revoked when they left employment, rendering the password on paper useless. That only works, of course, if decryption depends on a key the organization controls rather than on the written passphrase alone.

Rooting the Samsung Infuse: Change a File Permission

One of my favorite projects last year, I have to confess, was rooting the Motorola Defy. It came bundled with all kinds of crazy software that tries to force the owner to link their email accounts and data into “Blur”, Facebook, Gmail, yada, yada before you can even power on and use the phone for the first time. Instead, I shut it down, connected it to my computer and fifteen minutes later I had CyanogenMod running on a beautiful new machine.

Liberating the phone felt like going to the gym and in no time turning 40 pounds of fat into pure muscle…a bit like what installing Linux used to feel like.

I wasn’t going to mention my joy tinkering with the Motorola. It felt like a Rubik’s cube solution story. I mean, taking it over for fun to install a more open system seemed like what you’re supposed to do with one (for real phone use I’m still loving my N9).

Michael Coppola drives that point home in a beautifully written and well documented case of how much joy he found in finding a simple file permission change to root the Samsung Infuse, and how you can do it too.

The interesting thing here is that the .wmdrm directory is also 0777, so we have full control over its contents. Let’s create a symlink to /data where sample.hds is supposed to be and reboot…Success!

[…]

A one-click root script for Linux is available here: http://www.poppopret.org/dl/Infuse4G-root.tgz . If this exploit works for other phones, contact me and I’ll update the post.

On the one hand we could say Samsung should have caught such a simple, known issue, which makes their security review suspect. On the other hand, it is so obvious it could be argued they must have put it in place to be found by those who are curious and want to get the most out of their hardware. Rooting a phone is not illegal in most cases, as stated by the U.S. Congress.

…where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

All that being said, if you’re not into playing games, the N9 just gives you a radio button for root access.

Hacking Back Part II

In my last blog on “Hacking Back” I asked whether it is legal and ethical, and whether I have a right to defend my network against yours. Well, I believe it is legal and ethical, and absolutely, I have the right under “self-defense” to defend my network from being attacked by yours, even if you do not know that your network is attacking mine!

Obviously if I know who you are and can contact you I would be obligated to do so. This scenario assumes I have no idea where the attack is coming from.

When considering hacking, hack back, self-defense in cyber space, etc., you must consider the fact that everything happens literally at the speed of light. So, saying I must contact law enforcement, collect evidence, and go to court is the same as saying “just accept it, and hope to recover all of your losses from a court, even if your company has since been put out of business.”

Here is my next question for comments:

Does anyone wish to argue that if their network has been compromised by hackers and is attacking others without their knowledge, the party or parties they are attacking have NO right to take action to stop those attacks?

My hacking back article can be found on Titan Info Security Group under white papers.

VMware vShield Automation with PowerShell

Alan Renouf has posted a PowerShell module, along with a video with instructions on how to install and use it, for VMware vShield. He shows clearly how to easily assess and report on current settings (e.g. “Get-vShieldSecurityGroup | Select -ExpandProperty Member”) as well as modify them.

Now that I had the REST API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a RESTful API. I know PowerShell v3 will include cmdlets for this but I didn’t want to wait or add a dependency on something which wasn’t available as yet.

With this completed, the rest of the advanced functions were easily created; it was just a case of sending the correct parameter to my function and the correct URL, and my results would be returned.

vShield PowerShell Module from Alan Renouf on Vimeo.
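To show what the generic GET/PUT/POST/DELETE function described above looks like in PowerShell v2 terms (no Invoke-RestMethod, so plain .NET HttpWebRequest), here is an added example. It is not Alan Renouf's module and not VMware's code. It assumes vShield Manager answers HTTPS requests on /api/... with HTTP Basic authentication and XML bodies; the security-group resource path, the scope id and the element names under it are assumptions for illustration and should be checked against the API reference for the release you run.

```powershell
# Added example (not the module from the post). Generic REST helper for
# PowerShell v2, modelled on the approach Alan describes: one function that
# can GET, PUT, POST or DELETE, and thin wrappers that supply the URL.
function Invoke-vShieldRest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][ValidateSet('GET','PUT','POST','DELETE')]
        [string]$Method,
        [Parameter(Mandatory=$true)][string]$Uri,
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]$Credential,
        [string]$Body,
        [string]$ContentType = 'application/xml'
    )

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method = $Method
    $request.Accept = 'application/xml'

    # Build the Basic header from a PSCredential so no clear-text password is
    # embedded in the script. The base64 value is only as safe as the TLS
    # channel, so the URI must be https and the server certificate must verify.
    $plain = $Credential.GetNetworkCredential()
    $pair  = '{0}:{1}' -f $plain.UserName, $plain.Password
    $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $request.Headers.Add('Authorization', "Basic $token")

    # PUT/POST carry an XML body; GET/DELETE send none.
    if ($Body) {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $request.ContentType   = $ContentType
        $request.ContentLength = $bytes.Length
        $stream = $request.GetRequestStream()
        try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }
    }

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # Surface the HTTP status and the server's error body rather than a
        # bare exception, so a failed change is visible to the calling script.
        $response = $_.Exception.Response
        if (-not $response) { throw }
        $status = [int]$response.StatusCode
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $text   = $reader.ReadToEnd()
        $reader.Close()
        throw ("vShield API returned HTTP {0}: {1}" -f $status, $text)
    }

    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $raw    = $reader.ReadToEnd()
    $reader.Close()
    $response.Close()

    # Return parsed XML so callers can walk it with dot notation or XPath.
    if ($raw) { [xml]$raw } else { $null }
}

# Read-only wrapper: assessment before any modification. The resource path,
# the default scope id and the element names are assumptions for this example.
function Get-vShieldSecurityGroup {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]$Credential,
        [string]$ScopeId = 'globalroot-0'
    )
    $uri = "https://$Server/api/2.0/services/securitygroup/scope/$ScopeId"
    $xml = Invoke-vShieldRest -Method GET -Uri $uri -Credential $Credential
    if (-not $xml) { return }
    $xml.SelectNodes('//securitygroup') | ForEach-Object {
        New-Object PSObject -Property @{
            Name   = $_.name
            Member = @($_.SelectNodes('member') | ForEach-Object { $_.name })
        }
    }
}

# Usage with constructed values:
#   $cred = Get-Credential 'admin'
#   Get-vShieldSecurityGroup -Server 'vshield.example.internal' -Credential $cred |
#       Select -ExpandProperty Member
```

Two points worth keeping in mind when adapting this. A vShield Manager appliance typically ships with a self-signed certificate, and .NET will reject it; import that certificate into the trusted store on the management host rather than installing a ServerCertificateValidationCallback that accepts everything, because the latter leaves the Basic credentials exposed to anyone who can sit in the path. And keep the read-only wrappers separate from the PUT/POST/DELETE ones so that the reporting scripts can run under an account that is only allowed to read.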