The breaches — amounting to about seven a day, or about five per year at every airport — include everything from people who accidentally leave a bag on a checkpoint conveyor belt to those who purposefully evade security and get onto airplanes without proper screening.

A TSA spokesman did not contest the figure, but questioned its significance, saying all breaches are investigated and resolved. The agency said it did not have a breakdown of breaches by severity.

This is the spin that the TSA puts on a real problem. They dismiss it by saying that it’s not significant because they’ve been investigated and resolved. It doesn’t address the original problem of preventing security breaches to begin with. These breaches occur in places where they should never happen in the first place.

– 14,322 breaches into secure entries, passages or other means of access to the secure side of the airport.

– Approximately 6,000 breaches involving a TSA screener failing to screen a passenger or a passenger’s carry-on property, or doing either improperly.

– 2,616 instances involving an individual getting past the checkpoint or exit lane without submitting to all screening and inspections. Some 1,388 of these have occurred at the perimeter areas of airports.

None of these breaches should even be possible if the people the TSA hired actually did their job. There is no excuse. For the TSA to simply say that they don’t matter because they’ve been investigated and resolved confirms to many people that the TSA is incompetent and should no longer exist as a force to protect airport security.

TSA spokesman Nicholas Kimball said the figures represent a “tiny fraction of 1% percent of the more than 5.5 billion travelers at the more than 450 airports nationwide that we have screened effectively since 9/11.”

It doesn’t matter if it is a tiny fraction. The TSA is often quick to point out that new procedures that have included taking off your shoes and full body scanners, are put into place precisely to catch that tiny 1% that might do something wrong. You cannot use that 1% to defend intrusions of privacy and then dismiss them as trivial and still expect to be taken seriously. Either that 1% is important or it is not.

25,000 security breaches. 0 terrorist attacks prevented. Those two facts illuminate just how ineffective and unnecessary the TSA really is.

I work at an airport, and sometimes, while working on computers near a security point, a TSA person will come and chat to me. Yesterday, a TSO told me that last week, a person from the street (not even a passenger! Just a deranged guy who walked into the airport) had slipped through a security checkpoint by basically just walking between the wall and the checkpoint, ducking under or going around those black retractable belt things they use to make lines.

The kicker is, it took TSA 2 hours to figure it out, and it wasn’t anything to do with their amazing skills, either. The crazy guy was making trouble in the gate area and an airline employee called the police. The guy didn’t have a boarding pass or anything like that. Good job, TSA! Way to justify that budget.

If true, and there’s no reason not to believe otherwise, it just highlights how useless security is at the airport.

Sensitive login credentials – stored in plain text – were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which applied to user password and email addresses for widgits it developed, and pledged to improve security in order to safeguard against future problems.

From over 32 million passwords, the results were, sadly, not surprising. The top ten were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

While the top ten shouldn’t surprise you, the fact that over fifty percent of the passwords used regular names, slang, and common dictionary words should. Even worse, the admins stored the information in plain text, something that should never be done. Hashing the passwords is not difficult, yet RockYou failed to do such a basic task. RockYou also didn’t have simple security protocols in places, such as minimum password length, and alphanumeric passwords.

Users should be looking to create more difficult passwords or suffer the consequences of further breaches.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh For $10 million, I will gladly send along the password.”

Virginia now has a statement [pdf] clarifying that the backups are fine and details [pdf] on what was stored on the files.

In October 2008, a similar event occurred.  Though smaller in nature, these types of breaches will become commonplace if everyone’s medical information is digitized.  It’s just too easy for criminals to access.  There’s so much information in medical files that it’s a goldmine just waiting to be dug through.  Sometimes, low tech, i.e. paper, is still the best way to go.

Here’s something to think about.  Identity theft.  Hacking people’s medical records.  Getting hit by a car and sent, barely conscious, to the hospital.  Do you trust electronic medical records now?

Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software…..Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees’ checking account information is stored there as well.

Fortunately, as soon as the problem was noticed, the site was shut down.  On February 12th, many employees were being told how to manually book trips until the problem was solved.

According to an analysis shared with Washingtonpost.com, the compromise of govtrip.com came from multiple sources and was fairly extensive.

The government hopes to have the site fully restored by Monday, February 23rd.  Until then, Northrop Grumman, the company that had run the site, has had its authority revoked.  It seems that Northrop Grumman isn’t the best company for this sort of situation, yet, they keep being awarded contracts to do so.

“This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website,” reported Symantec.

Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were “very realistic” and contained “personal information of the victims”.

The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files in their computer and left a ransom note demanding money for their decryption.

The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords.

Monster.com will also not be sending out emails to users to know of the breach, despite the fact that this is illegal in most states.  Instead, there is a small security update on the site’s main page.  It’s also easy to miss.

Though the company is offering help, there’s little to be done by users who don’t keep their software up to date and IT administrators who haven’t kept up with the latest reports of attacks or tried to actually make the site more secure.

One major way they could have made the site more secure is by using simple password security.  If you happen to use the account on a public terminal and forget to log out, anyone can go back into your account and change your password to a new one.  There is no prompt for you to type in your old password before creating a new one.  Passwords are also not encrypted.  These are the basics of security and Monster.com continues to fail at them miserably.

My advice is to go and log into your account, if you have one.  Delete your resume and cover letter.  Then, change your password to some random alpha-numeric string.  Then, cancel your account and explain to Monster.com that three breaches of security in less than two years is completely unacceptable.  Also explain that not notifying its customers of the breach, not taking responsibility, and, in general, the overall decline in usability are the reasons they have lost you as a customer.  Incompetence and a lack of integrity are what got Monster.com into this mess.  It’s the reason why you should be leaving Monster.com as well.

If you are, or were, a patient at Preston Prison in Lancashire, there’s a good chance that your medical records are out in the open.  The USB drive went missing on 30 December 2008 and has yet to be found.

The stick may have contained information of up to 6,360 patients. However, in some cases, individual patients had more than one entry.

The information included prisoners’ surnames, prison number, cell location, age range, prison clinic appointment times and references to medical conditions such as asthma, diabetes, mental health and even sexual health references.

Health chiefs have apologised for the breach and have taken urgent action to prevent it happening again.

“Even though there is no risk to anyone’s ongoing treatment or care, we have plans in place to contact those affected to inform them of the breach and apologise.”

Uh, this happened two weeks ago and you still haven’t contacted those who may be affected?

Anyone with concerns should contact the PCT’s confidential information line on: 0845 609 9866. It is open 9am to 5pm seven day’s a week until January 23, 2009.

Because after the 23rd, the police will go back to not caring about this problem anymore.

You might be thinking, “Who cares, they’re just prisoners and the information was lost somewhere in the prison,” but what you aren’t thinking about is that this isn’t the first time something like this has happened.  The British government seems to have a habit of losing the private data on all of its citizens, from baby to adult, law-abiding to prisoner.  The USB drive was also lost in a place full of criminals.  Do you really think that anyone, prisoner or guard, isn’t going to be tempted to take this information and sell it?  How likely is it that it’s going to turn up anytime soon?  I believe that it would have already happened if an honest person had found it.

This is a huge problem that the British government doesn’t seem to care to fix.  Because it happened to prisoners, they seem to care even less.  Just remember, your private, personal information is only as secure as the idiot carrying it.