DISC InfoSec blog

by Edward Wyatt
provided by – NYTimes.com

Lifelock, the company that brazenly broadcast its chief executive’s Social Security number as part of its claim that it could protect anyone against identity theft, agreed on Tuesday to pay $12 million to settle charges that it misled consumers about the effectiveness of its service.

The settlement, announced by the Federal Trade Commission and a group of 35 state attorneys general, requires Lifelock to refrain from making further deceptive claims and take more stringent measures to safeguard the personal information that it collects from customers.

Jon Leibowitz, the chairman of the trade commission, said that “several hundred persons, at least,” who were Lifelock customers had become victims of identity fraud while using the company’s services. Customers typically paid $10 a month for the services, he said.

The commission also claimed that the “fraud alerts” Lifelock placed on individuals’ credit files protected only against certain types of identity theft, mainly the opening of new accounts, which is the cause of fewer than 1 in 5 cases of identity theft.

Lifelock’s customers were left vulnerable to having their current accounts misused, the most common form of the crime. About eight million Americans have their identity used illegally each year, the officials said.

“This was a fairly egregious case of deceptive advertising from our perspective,” Mr. Leibowitz said.

In an interview, Todd Davis, the Lifelock chief executive, said that the company had adopted a new advertising campaign that complied with the trade commission’s request. “We have differing views on what the intent of the message was” of the earlier ads, Mr. Davis said, adding that he believed the commission’s actions “set a standard for the entire industry to follow.”

Lisa Madigan, the Illinois attorney general, who joined Mr. Leibowitz in announcing the action at a news conference in Chicago, said that while Lifelock did provide some legitimate services, “most of what they did, you can do on your own and you can do it free.”

The biggest problem with the company’s claims, she said, was its guarantee to prevent identity theft from ever happening. “There is nothing you can do or you can purchase that is a 100 percent guarantee against identity theft,” Ms. Madigan said.

Mr. Davis knows the truth of that. After he began broadcasting his Social Security number, dozens of attempts were made to secure credit or identification using the information. At least one attempt succeeded, when a man in Texas secured a $500 payday loan using Mr. Davis’s Social Security number.

Chinese, North Koreans suspects in security breach
By Mike Maloof

WASHINGTON, D.C. – A message that North Korea had conducted a nuclear attack on the Japanese island of Okinawa turned out to be false, but the fact it was delivered via U.S. military communications has prompted a high alert, according to U.S. officials who asked to remain anonymous.

U.S. military channels were hacked either by the Chinese or North Koreans, the source said. Access to such communications – even unclassified military systems – suggests a serious breach of technology security.

A Pentagon spokesman declined comment.

A purportedly “U/FOUO” or “Unclassified but For Official Use Only” message claimed to have been put out Saturday by the Office of National Intelligence and prepared by the Defense Intelligence Agency. It said:

“Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours),US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to (sic) National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead (sic). The explosion caused severe destructions (sic) in the northern part of the (sic) Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.”

An analyst noted the grammatical errors suggested the text was written by someone who has not yet mastered the English language use of articles.

The report included a long list of U.S. agencies that should be on alert, from the Central Intelligence Agency, the Department of State and the Department of Homeland Security to the Air Force, Army, Coast Guard, Marine Corps and Navy.

U.S. officials have expressed growing concern over cyber attacks, especially from China. The attacks have targeted not only Google and other Western companies but also the Pentagon.

Chip Gregson, assistant secretary of defense for Asian and Pacific affairs, said that in addition to their nuclear and space programs, the Chinese have undertaken an aggressive cyber assault that presents “an asymmetrical threat to our ways of doing business.”

The latest hacking effort follows urgent warnings that also have gone out through the North Atlantic Treaty Organization to protect all classified databases due to the recent surge of Chinese cyber attacks.

Last Friday, a U.S. report said that the number of cyber attacks on U.S. government agencies and Congress rose exponentially in the past year to an estimated 1.6 billon a month.

Only a few months ago, there were reports that a powerful cyber attack overwhelmed computers at U.S. government agencies and South Korean agencies for several days. The report said the attacks also targeted the White House, Pentagon and the New York Stock Exchange.

Howard Schmidt
U.S. Cybersecurity Coordinator

In a keynote address at RSA, national cybersecurity coordinator Howard Schmidt announced that the White House was releasing an unclassified version of its plan for securing government and private industry networks which is called Comprehensive National Cybersecurity Initiative, and now available for download from the White House Website (PDF).

Among Schmidt’s priorities are the “resilience” of federal government networks and ensuring those networks are properly secured, and ensuring that private-sector partners also have sufficiently secured systems and networks. “The government is not going to secure the private sector,” Schmidt said. “But we are making sure our private sector partners have more security as part of what we’re doing.”
View Video

Panel Discussion: Big Brother
Panel includes Richard Clark, Michael Chertoff and Marc Rotenberg

Panelists agreed that the U.S. faces rapidly escalating problems with cyber warfare and cyber espionage, data theft and malware attacks on corporations and federal infrastructure that will persist as long as glaring vulnerabilities in government networks remain.

Clarke said that U.S. networks are continually under attack, citing last year’s logic bomb hack on the U.S. electrical grid. Clarke said that the attack indicated the likelihood of future assaults on U.S. infrastructure. “That’s not cyber espionage, that’s preparation for warfare,” he said.

“We’re talking about the cloud as if it’s the most important issue,” Clark continued. “We are being attacked. We’re being attacked by the governments and criminal gangs from China and Russia.”

However, viewpoints diverged on how to address the problem. Rotenberg argued that while U.S. networks are plagued with security holes, imposing sweeping security restrictions, monitoring systems and security policies on users’ online behavior would inevitably create a myriad of privacy issues that could violate Constitutional law.

“Privacy is what ends up being collateral damage,” Rotenberg said. “Every one of those (security) scenarios becomes a justification for some kind of intrusion for the user that has done nothing wrong.”

Clarke suggested that the government have oversight on an outside agency or private organization that would conduct deep packet inspection on tier 1 ISP networks in search of malware.

Rotenberg warned that NSA deep packet inspection could give the agency carte blanche to search for other information and could potentially lead to unlawful surveillance.

“I think we have to be careful if we go down that road,” Rotenberg said. “The folks at NSA are not just interested in looking for malware.”
View Video

Janet Napolitano
U.S. DHS Secretary

US secretary of homeland security Janet Napolitano says a secure cyber environment is as much about people, culture and habit as it is about machines.

“Even the most elegant technological solution will ultimately fail unless it has the support of talented professionals and a public that understands how to stay safe online,” she told the RSA Conference 2010 in San Francisco.

“We need to have an ongoing multifaceted effort with the public at large,” she said, but added that government needs to be mindful of the fact that it is addressing a wide variety of audiences, from teenagers to grandparents.

On the technology side, IT security professionals have an important role to play, she said, in helping to ensure that the information systems are safe and secure by improving the level of performance of the supporting technologies”
View Video

by Marcia Savage
The health care industry was buzzing with the news: For the first time ever, a hospital was being audited for compliance with HIPAA security requirements. The audit of Piedmont Hospital in Atlanta by the U.S. Department of Health and Human Services’ inspector general in 2007 was surprising for hospitals, health insurers and others in an industry accustomed to a lack of enforcement of federal privacy and security requirements.

A year later, HHS took another unusual step, meting out a $100,000 fine to Seattle-based Providence Health & Services for HIPAA security and privacy violations. The organization had lost backup tapes, optical disks and laptops containing unencrypted protected health information on more than 360,000 patients.

But those enforcement actions could be small potatoes compared to what’s ahead. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law last year, earmarks about $19 billion in incentives to encourage adoption of electronic health record technology but also expands on HIPAA’s security and privacy requirements. In addition to instituting new breach notification rules and extending the rules to health care business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorney generals to file civil actions for HIPAA violations.

“HITECH is perceived as the enforcement arm of HIPAA,” says Barry Runyon, research vice president covering health care providers at Gartner. “The stakes are higher and more people can enforce it.

“What it’s done has kind of jump started HIPAA. Health care delivery organizations’ programs languished for a while,” he adds. “When there’s no enforcement, people tend to get complacent. HITECH is making them revisit their security plans and look at their controls — essentially what they should have been doing.”

Let’s take a look at the ramifications of the HITECH Act on security and privacy in the health care industry and its impact so far.

To read further on HITECH Act increases HIPAA security requirements

Phishing: Cutting the Identity Theft Line

When TippingPoint’s president and chief technology officer, Marc Willebeek-Lemair, received an e-mail from the Federal Trade Commission informing him that a client was filing a complaint against his network security company for overcharges, he was directed to download the complaint – a Microsoft Word file – from an FTC Web page and return the attached form with any questions about the process.

The message, sent in 2008, was an elaborate scam targeting top-level executives.

TippingPoint researchers discovered the sender’s address had been “spoofed” (faked) and the link didn’t lead to the FTC’s Web site. In fact, the document – which looked like an FTC complaint – was infected with a data-stealing Trojan horse. Because the message referred to Willebeek-Lemair by name and no one else in TippingPoint received the message, the company concluded that criminals studied its chain of command and selected their target.

“It specifically said something that a C-level executive would get immediately alarmed about,” said Rohit Dhamankar, director of security research at TippingPoint’s DVLabs.

The message is an example of an increasingly common hacker technique known as spear-phishing, a much more effective and carefully crafted variation of the phishing lures that seek to trick victims into surrendering their private data.

Researchers believe that as spam-filtering technology has improved and people have become savvier at recognizing phishing ploys (such as the classic Nigerian e-mail scam), criminals are now dedicating more time and resources to going after specific groups of individuals. They often trick users into downloading malicious software from infected Web pages or e-mail attachments like Adobe Reader PDFs and Microsoft Office documents.

Carefully planned
In these attacks, the hackers identify specific individuals or groups of people with something in common. To make their attacks more effective, criminals take pains to impersonate credible sources, adorning messages with professional graphics and composing well-written stories to hook their targets.

To personalize the messages and make them more convincing, security researchers believe criminals run simple search queries to find biographical information, including a person’s position within an organization and their responsibilities. Hackers can also learn names of friends.

“This is very easy to do. Google, Facebook, LinkedIn and other sites can provide valuable information about anybody,” Dhamankar said.

The extra homework pays off. The Anti-Phishing Working Group estimates that less than 1 percent of people who receive one of the billions of generic phishing schemes sent every day take the bait. Meanwhile, estimates from several experts place the success rate of these tailored attacks between 25 and 60 percent.

In a 2006 experiment by the department of computer science at Indiana University, researchers sent e-mails with test links to almost 500 students purporting to come from friends with the intent of finding out how many would unwittingly have fallen for a real attack.

Even though researchers placed obvious clues to recognize the test – like prominently displaying the word “phishing” in the phony Web site – 72 percent of respondents gave their user names and passwords away.

“That is a dramatic yield. That’s the power of using the spear,” said Markus Jakobsson, principal scientist at the Palo Alto Research Center and one of the experiment’s authors.

Nilesh Bhandari, product manager at Cisco IronPort Systems’ security technology unit, estimated targeted attacks comprise less than 1 percent of all phishing schemes, but he said criminals intentionally keep the volume low. The fewer of these ploys there are, the more difficult it is for researchers to study and filter them out.

“The challenge is really finding the needle in the haystack,” Bhandari said.

Targeted attacks can go after anyone: from job seekers, gamers and gamblers to military contractors, pro-Tibet activists and people who just happen to live in a geographical area selected by the criminals. Last year, the FBI said that small and medium-size businesses have lost at least $40 million since 2004 to criminal exploits like spear-phishing.

“Most advanced users do not fall for regular phishing but (they) do fall for targeted attacks,” said Mikko Hypponen, chief research officer at Finnish security firm F-Secure. “You get an e-mail from someone you know, talking about real events and pointing to a normal-looking attachment. Would you open it? Of course you would.”

In spear-phishing samples collected by F-Secure, criminals hacked e-mail addresses from the domains of George Washington University, the Washington Post and even the State Department.

Attack on Google
The most notable instance of spear-phishing recently is the January attack on Google that attempted to hack into the Gmail accounts of Chinese human rights activists and steal valuable source data from the search giant and more than 30 other tech companies.

Researchers now know that criminals identified key Google staffers, found out who their friends were and fashioned attacks to lure them to infected Web pages.

“They were all attacked for a particular reason. (The hackers) knew the machines and networks they wanted to access. They knew who was sending e-mails to their targets and who they were receiving them from. It speaks to the reconnaissance they did beforehand,” said David Marcus, director of security research at McAfee Labs.

These types of attacks are particularly dangerous because, as the attack on Google demonstrated, anyone can fall for them.

“In terms of internal security, it’s the weakest link – people who might not be involved with security technology – who fall for these attacks,” Dhamankar said. “If someone was targeting an entire company and sends spear-phishing to all employees, even if one or two people click on that link, (the tactic) succeeds because the criminal has gotten a foothold in the enterprise.”

Dodging the spear
It is difficult to fend off an attack from a crook determined to steal your information, but security experts suggest a few simple precautions that can go a long way:

– Above all, keep your security software up to date.

– If a link is malicious, rolling the cursor over it without clicking sometimes reveals a URL leading to a different address than the one it promises.

– Never share personal information solicited through e-mail. When in doubt, go to the Web site of the organization purporting to send the message instead of clicking on any links.

– Be suspicious of links and attachments sent through e-mail or social networks.

Sources: Cisco Systems and TippingPoint

By Alejandro Martínez-Cabrera: Read more: http://www.sfgate.com

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets threats and vulnerabilities
• Analyze the impacts and likelihood of threats and vulnerabilities on assets
• Assess physical controls to network and security infrastructure
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
• Review logical access and physical access and other authentication mechanism
• Review the level of security awareness based on current policies and procedures
• Review the security controls in service level agreement from vendors and contractors
• At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

• Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
• Preventive controls reduce exposure. Firewall is an example of preventive control
• Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
• Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.

Related articles by Zemanta

• What is a risk assessment framework (deurainfosec.com)
• Way beyond the edge and de-perimeterization (deurainfosec.com)

Alejandro Martínez-Cabrera

Online security firm Websense has released a report on the cyberthreat landscape during the second half of 2009, and some of the findings are jaw dropping:

The firm, which scans millions of Web sites and e-mails a day looking for malicious content, found that 95 percent of all user-generated content came laced with some kind of spam or malicious link.

“The notion that the Internet could be the great equalizer turned out to be true after all; unfortunately, it’s mostly making suckers out of all of us,” tech Web site Ars Technica said.

Also surprising: Remember last year when the New York Times said a page on its Web site had been sending malware through its ad network? That was the most high-profile example of how criminals have managed to infiltrate trusted Web sites through a tactic known as drive-by downloading, in which a Web user picks up a virus simply by visiting an infected page. According to Websense, 71 percent of all Web sites generating malware in the second half of 2009 were infected legitimate Web sites.

Echoing what other research has found, the report said the number of infected Web sites went through the roof last year. Websense estimated there was a 225 percent growth in the number of malicious sites in 2009 compared with the year before.

The problem declined slightly in the second half of the year, with the decrease attributed to criminals moving away from attacks on traditional Web sites and attempting to exploit social-networking sites.

Websense also found that 85.8 percent of all e-mails sent in the second half of 2009 were spam.

More surprising is that 81 percent of all e-mail sent during the same period had some kind of malicious link. That means there was a 4-in-5 chance that a link pasted into an e-mail would lead you to download an infected file or take you to an infected Web site. (You usually don’t see all of the junk mail because it’s often filtered by your e-mail provider, browser or antivirus software.)

Finally, Websense found that in the second half of 2009, it took security vendors an average 46 hours – almost two days – to repair damage by malware after it had been identified (compared with 22 hours in the first half of 2009).

“The idea that computer users are not protected for days at a time, or even weeks or a month, may be compared with leaving your laptop in a public space for three weeks and hoping it won’t be used or abused,” the report said.

On Feb 1oth this article appeared on page D1 of the SF Chronicle

Related articles by Zemanta

• 95% of user-generated content was malicious in 2H 2009: Websense report (sfgate.com)
• Top search results riddled with malware (v3.co.uk)
• Websense Security Labs Report – State of Internet Security, Q3-Q4 2009 (pindebit.blogspot.com)
• Spam and Malware Protection (bit.ly)
• How To Prevent & Remove Facebook Malware or Virus (makeuseof.com)

The long awaited international standard to the implementation of an information security management system, ISO/IEC 27003:2010, is now available.

It’s a must have –

Buy the hard copy here:
or the download here:

Key Features and Benefits:

Get your copy today >>

Buy the hard copy here:
or the download here:

The Associated Press

SAN FRANCISCO—The medical records of more than 4,000 patients at the University of California, San Francisco may have been compromised after a laptop they were on was stolen.
Officials with the university said Wednesday the laptop was recovered earlier this month after it was taken from a medical school employee during a flight in November. It does not appear that anyone gained access to the computer or the confidential patient information, but officials say the records still could have been exposed.

The files contained patients’ names, medical record numbers, ages and clinical information, but no Social Security numbers or financial data.

School officials say they are notifying the 4,400 patients whose records were on the computer. They were all treated in 2008 and 2009.
———
Information from: San Francisco Chronicle, http://www.sfgate.com/chronicle

Here we have another unnecessary major security breach in a large healthcare organization which resulted in a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question if you think, this may apply to you.

The Practical Guide to HIPAA Privacy and Security Compliance

Related articles by Zemanta

• UCSF Doc Falls for Phishing Scam, Exposes Patient Data (blogs.wsj.com)
• Physician Practices Gain EHR Connectivity, Interoperability with New McKesson Offering (eon.businesswire.com)

By Jordan Robertson, AP

The recent hacking attack that prompted Google’s threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws — and renewing debate over buying and selling information about them in the black market.

Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of “zero day” security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.

The attackers waltzed into victims’ computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.’s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.

How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole “wide enough to drive a truck through” can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.

“Zero days are the safest for attackers to use, but they’re also the hardest to find,” Silva said. “If it’s not a zero day, it’s not valuable at all.”

The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims’ computers.

The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China’s censorship of the Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users’ part.

Zero days refer to security vulnerabilities caused by programming errors that haven’t been “patched,” or fixed, by the products’ developers. Often those companies don’t know the weaknesses exist and have had zero days to work on closing the holes.

In this case, Microsoft actually knew about the flaw since September but hadn’t planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven’t seen it used in attacks.

Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.

But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old — and thus struck in December just before they thought Microsoft was going to fix it.

“They likely thought the bug would be fixed in January or February,” he said. “They were right.”

Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.

“Zero days aren’t difficult to find,” said Steve Santorelli, a former Microsoft security research who now works with Team Cymru, a nonprofit research group. “You don’t have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you’re willing to put in.”

In fact, such exploits are widely available for the right price. VeriSign’s iDefense Labs and 3Com Corp.’s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called “white market.” They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.

There’s also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.

TippingPoint’s Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn’t match.

Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.

One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.

Whether to pay — and seek payment — is hotly debated among researchers.

“I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it’s hard,” Miller said. “It’s a lot of money for someone to turn down.”

Companies whose products are vulnerable generally won’t pay outside researchers for bugs they’ve found. Microsoft said offering payment “does not foster a community-based approach to protecting customers from cybercrime.” The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.

On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an “experimental new incentive.” That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.

Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they’re doing all they can to keep customers secure — especially the most critical ones such as the military and power companies.

“I think it’s only a matter of time,” said Jeremiah Grossman, founder of WhiteHat Security Inc. “Something really bad has to happen first, and it hasn’t yet. When a virus runs through a children’s hospital and causes loss of life, it’s going to matter a lot.”

Related articles by Zemanta

• Web browser flaw used in Google attack highlights black market for ‘zero-day’ vulnerabilities (taragana.com)
• Core Security Expert to Detail Critical IE Browser Security Issues at Black Hat DC 2010 Conference (eon.businesswire.com)
• China attacks exploited Microsoft IE vulnerability (seattlepi.com)
• Microsoft to issue emergency patch today for IE flaw (computeractive.co.uk)