Category: Security

26 or younger? Temple St Hospital has your DNA.

I’m surprised I haven’t seen any Facebook pwotest gwoups or Twatterfests about this subject. In a nutshell, a hospital in Dublin is storing a blood sample, name, address, date of birth, hospital of birth and test result from nearly every person born in Ireland since 1984.

That means if you’re under 26, there’s a good chance your DNA is in there: your health, any genetic diseases you might have, your behaviours and traits*, etc. Well, possibly. They had a couple of servers stolen in the 2007, so maybe it is there, maybe not. Sure it’s not all that important anyway, it’s just your entire personality*.

Is Mark Zuckerberg – the slimey douche, if you’ll pardon my Klatchian – ultimately right, do people really not give a shit about privacy any more? Are are people just too thick to realise the problems – current and future – that can result from this kind of thing?

Here’s two stories from Times Online with more details:

Hospital keeps secret DNA file: A DUBLIN hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The Children’s University hospital in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

The blood samples are stored at room temperature on cards with information including the baby’s name, address, date of birth, hospital of birth and test result. The DPC said it was shocked at the discovery.

Records stolen from hospital that held secret DNA database: Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.

* To keep my wife happy: strictly speaking ‘behaviour’ is stretching it; and DNA probably accounts for about half of your personality, the other half being learned.

This is a stupid game; we should stop playing it.

On post-underwear-bomber airport security, as ever Bruce Schneier sets the fluff aside and gets to the point:

It’s magical thinking: If we defend against what the terrorists did last time, we’ll somehow defend against what they do one time. Of course this doesn’t work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they’re going to do something else. This is a stupid game; we should stop playing it.

DNA Evidence Can Be Fabricated

This is going around the security networks, but it’s kind of important to everyone else too. Note my emphasis in the quote.

New York Times: Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases.

The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person.

“You can just engineer a crime scene,” said Dan Frumkin, lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. “Any biology undergraduate could perform this.”

Revenue Bouncy Castles

When renewing my Revenue On-Line Service digital certificate, I was presented with the following:

In order to renew your ROS digital certificate, ROS requires that you run third-party software provided by the Legion of the Bouncy Castle. The Legion of the Bouncy Castle is a well-respected supplier of security software that is approved by the Office of the Revenue Commissioners for use with ROS.

bc_warning

I’m sure the Legion produces wonderful software, and I applaud the Revenue for using open source software for security, but you’d think they’d be able to afford a developer to hack the source and change the bloody issuer to something a teeny bit less dodgy-looking…

Bord Gáis Muppets

Since nobody else has asked yet:

What in fuck’s name was that data doing on a laptop?

Some 75,000 Bord Gais customers have been warned to monitor their bank accounts for suspicious transactions after a laptop computer containing their account details was stolen.

The office of the data protection commissioner told those affected that fraudsters could potentially use their information to withdraw money from their accounts or take out loans in their name.

“The risk may be low but there is a risk,” said deputy data protection commissioner Gary Davis.

Four laptops were stolen from Bord Gáis offices on Foley St in Dublin’s north inner city in the early hours of June 5th.

One of the computers, containing the banking details of around 75,000 people, was not encrypted.

The laptop contains details such as account numbers, home addresses and branch details of people who had recently switched from the ESB as part of Bord Gais’s “big switch” campaign.

via The Irish Times

The Met Brother gets Bigger and Bigger

I don’t envy my sister in London, having to deal with the social problems this kind of idiocy propogates. The people responsible for commissioning and approving this should be forced to read 1984 a hundred times, Brazil style.

(Click for bigger.)

Via Boing Boing.

5 laptops stolen from HSE this year

More uncrypted laptops, this time with health information on them. How many more do Gov.ie need before they put laws in place to require encryption, immediate notification, etc?

Irish Examiner: FIVE laptops have been stolen from the Health Service Executive since the beginning of this year, the Irish Examiner has learned.

Confidential details of patients with lung disease, patients’ surgery, their diagnoses, treatment and other personal details were contained on some of the stolen laptops.

None of the five laptops were encrypted.

Health chiefs are to begin notifying patients and clients over the coming days about missing data on two of the laptops, more than two months after they were stolen. These two laptops were taken together in July this year in a HSE office in Mullingar.

Oyster Card Cracked

NXP sues to silence Oyster researchers

Chipmaker NXP, formerly Philips Semiconductors, is taking Dutch Radboud University to court on Thursday to prevent researchers publishing their controversial report on the Mifare Classic chip.

Recently researchers from Radboud University in Nijmegen revealed they had cracked and cloned Londons Oyster travel card. Earlier this year the researchers did the same to the Dutch MIFARE travel card. This card is to replace paper tickets on all trams, buses, and trains and is already undergoing trials in Rotterdam.

EDRI tells the BOI story like it is…

While the national media treat the story like a tiny little inconvenience and parrot the bank’s line that improper use of the data is unlikely, EDRI tells it like it is in just once sentence:

The personal data of about 10,000 customers of the Bank of Ireland are now in the possession of thieves as four laptops with the unencrypted data were stolen from the bank between June and October 2007.

The laptops were stolen by thieves. Bad people. People that will take every advantage that’s available to them.

Some crossover with the banks there, it seems…