
Archive for July, 2008

GAO Report: 70 Percent of Federal Agencies’ Laptops, Mobile Devices Remain Unencrypted

Thursday, July 31st, 2008

About 70 percent of federal agencies’ laptop computers and mobile computing devices were unencrypted as of September, according to a new report (pdf) from the Government Accountability Office (the investigative arm of Congress). This isn’t a surprise. In May, I discussed news that the federal government admitted 60 percent of its mobile computing equipment was unencrypted.

Besides the lack of encrypted devices, the GAO also found that, of the 24 major federal agencies surveyed, "none of the agencies had documented comprehensive plans to guide encryption implementation activities, such as inventorying information to determine encryption needs; documenting how the agency plans to select, install, configure, and monitor encryption technologies; developing and documenting encryption policies and procedures; and training personnel in the use of installed encryption."

The federal government has been embarrassed by a string of losses (pdf) or thefts of unencrypted computing devices, yet it continues to ignore this basic security practice. The agencies get up to an 85 percent discount on the price of encryption software through the government’s SmartBuy program, so they cannot use cost as an excuse. (more…)

Events of Interest: House Judiciary Subcommittee Hearing on State Secrets Privilege (July 31)

Wednesday, July 30th, 2008

The US House Judiciary Committee’s Subcommittee on Constitution, Civil Rights, and Civil Liberties will hold a hearing on H.R. 5607, the “State Secrets Protection Act of 2008.”

Date: July 31, 2008 at 12:30 pm
Location: Room 2141, Rayburn House Office Building; Washington, DC
For more information: http://judiciary.house.gov/hearings/calendar.html

New York Makes It a Crime to Impersonate Someone On the Internet

Wednesday, July 30th, 2008

The New York State Assembly has passed and the governor has signed S. 4053, which makes impersonation on the Internet a crime. The new law amends the New York penal code to make it a crime when a person "impersonates another by communication by internet website or electronic means with intent to obtain a benefit or injure or defraud another, or by such communication pretends to be a public servant in order to induce another to submit to such authority or act in reliance on such pretense."

As justification, the assembly cited "an incident [that] occurred in Suffolk county where a police officer hacked into a woman’s computer he briefly dated and posed as her. He was indicted on 197 charges of stalking and unauthorized use of the computer." Also, "Websites such as Myspace, Friendster, and Facebook, make it easy to upload someone else’s photo and pretend to be that person," the assembly said. (more…)

Germany to Require Electronic ID Cards, Urges Use In E-Commerce

Tuesday, July 29th, 2008

The Cabinet of Germany (the country’s chief executive organization) has approved a new electronic ID card for citizens. German citizens currently carry mandatory national ID cards, but the electronic cards will include a host of features. A chip on the card will include the cardholder’s name, address, date of birth and biometric photo; cardholders can choose to include two electronic fingerprints and an electronic signature on the chip, as well. The government is urging citizens to use the card for online commerce and banking, as well as with online government programs. Cardholders would be able to authorize payments from their home computers by placing the card on a reader and entering a personal ID number. More coverage here and here.

Study: Many U.S. Bank Web Sites Are Insecure, Vulnerable to Hackers

Tuesday, July 29th, 2008

Numerous financial institutions’ Web sites are insecure, according to a University of Michigan study (pdf) released at the Symposium on Usable Privacy and Security. In 2006, the researchers reviewed the Web sites of 214 U.S. financial institutions and found 76 percent of those sites had at least one security flaw.

We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site’s security policies. [...] This indicates that these flaws are not widely understood, even by experts who are responsible for web security.

The design flaws found included bank sites “[p]resenting secure login options on insecure pages” and “E-Mailing security sensitive information insecurely.” Such flaws cannot be fixed with a simple security patch, but involve changes in layouts and designs of the Web sites. (more…)

Events of Interest: House Homeland Security Subcommittee Hearing on National Security (July 30)

Tuesday, July 29th, 2008

The US House Homeland Security Committee’s Subcommittee on Management, Investigations, and Oversight will hold a hearing on “The Quadrennial Homeland Security Review.”

Witnesses:
Alan Cohn, Deputy Assistant Secretary for Policy (Strategic Plans), Department of Homeland Security
Christine E. Wormuth, Senior Fellow, Center for Strategic & International Studies
Major General Michael Sumrall, Assistant to the Chairman, Joint Chiefs of Staff for National Guard Matters

There will be a webcast of this hearing.

Date: July 30, 2008 at 2 pm
Location: Room 311, Cannon House Office Building; Washington, DC
For more information: http://homeland.house.gov/about/schedule.asp