DISC InfoSec blog

Dec 28 2009

Hackers’ attacks rise in volume, sophistication

Category: Information Security — DISC @ 6:41 pm

Year in review for online security attacks – 2009 is going to be known as a year of change in tactics of exploitation, rather than creating more new tools in hacker’s community. They are utilizing social media as a tool to exploit and using built-in trust in social media to their advantage. That’s why stealing social media accounts are considered as a treasure trove in hacker’s community to spread malwares (rogue anti-virus) which helps them to steal personal and private information. This perhaps was another reason why social media community was busy in 2009 changing their security and privacy policy on a frequent basis. Do you think, as social media grow, so does the threat to personal and private information?.

At the same time 2009 comes to an end with a bang with an appointment of Howard Schmidt by Obama’s administration as a cybersecurity coordinator. A great choice indeed but why it took them a whole year to make this important decision. This indecision will cost them, no matter how you look at it. Now hopefully the current administration is going to keep the politics aside and take his recommendations seriously to make up for the lost time.

Alejandro Martínez-Cabrera, SF Chronicle

Security experts describe the typical hacker of 2009 as more sophisticated, prolific and craftier than ever. If anything, criminals will be remembered by the sheer number of attacks they unleashed upon the Web.

While the year didn’t see many technological leaps in the techniques hackers employ, they continued to expand their reach to every corner of the Internet by leveraging social media, infiltrating trusted Web sites, and crafting more convincing and tailored scams.

Although there were a handful of firsts – like the first iPhone worm – most attacks in 2009 were near-identical to tactics used in prior years, changing only in the victims they targeted and their level of sophistication.

One of the most preoccupying trends was personalized attacks designed to steal small and medium business owners’ online banking credentials. The scheme was particularly damaging because banks take less responsibility for the monetary losses of businesses than of individual consumers in identity theft cases.

In October, the FBI estimated small and medium businesses have lost at least $40 million to cyber-crime since 2004.

Attacks continued to plague larger organizations. The Wall Street Journal reported on Tuesday that the FBI was investigating the online theft of tens of millions of dollars from Citigroup, which has denied the incident.

Alan Paller, director of research at the SANS Institute, said criminals shifted the focus of their tactics from developing attack techniques to improving the social engineering of their scams.

“It’s not the tools but the skills. That’s a new idea,” he said.

One example is rogue antivirus schemes, which often trick computer users with a fake infection. Criminals then obtain their victims’ credit card information as they pay for a false product, all the while installing the very malicious software they were seeking to repel.

Even though these scams have been around for several years, they have become more a popular tactic among criminals because they pressure potential victims into making on-the-spot decisions.

“People have been told to look out for viruses and want to do the right thing. There’s security awareness now, but the criminals are taking advantage of their limited knowledge,” said Mike Dausin, a researcher with network security firm TippingPoint’s DVLabs.

Chester Wisniewski, senior adviser for software security firm Sophos, said social networks also continued to be an important target for attackers. Despite Facebook and Twitter’s efforts to beef up their security, it has become a common tactic for scammers to hijack Facebook accounts and post malicious links on the walls of the victim’s friends or distribute harmful content through tweets.

“We haven’t had this before – a place where all kinds of people go and dump their information, which makes it very valuable for criminals,” Wisniewski said. “It’s kind of a gold mine for identity thieves to get on people’s Facebook account.”

Using PDFs
Another common ploy was malicious software that piggybacked on common third-party applications like Adobe PDFs and Flash animations.

Although Adobe scrambled this year to improve its software update procedures and roll out patches more frequently, criminals have increasingly exploited the coding flaws in Adobe products in particular because of their ubiquity and the abundance of vulnerable old code, said Roel Schouwenberg, senior virus analyst at Kaspersky Lab.

By using ad networks or taking advantage of exploitable Web programming errors to insert malicious content, criminals cemented their presence in legitimate Web sites and made 2009, according to anti-malware firm Dasient, the year of the “drive-by download,” in which users only have to visit a compromised Web site to become infected.

An October report from the San Jose company estimated that 640,000 legitimate Web sites became infected in the third quarter of 2009, compared with 120,000 infected sites during the same period of 2008.

Damaging reputations
The trend was not only a security threat for consumers, but also stood to damage the reputation and traffic of the victimized Web sites. In September, a fake antivirus pop-up made its way into the New York Times’ Web site by infiltrating the company’s ad network.

Researchers also noted a high volume of attacks disguised as content related to popular news items – anything from Michael Jackson to the swine flu – to coax Web users into downloading malicious content. This closing year also saw a handful of notorious politically motivated online attacks, and the issue of national cybersecurity continued to gain prominence.

On Dec. 18, Twitter’s home page was defaced by hackers calling themselves the “Iranian Cyber Army,” although authorities said there was no evidence they were in fact connected to Iran. An August attack on a Georgian blogger also indirectly affected the popular microblogging site and brought it down for several hours.

In July, several U.S. and South Korean government Web sites went offline after being hit by a denial-of-service attack that South Korea has attributed to a North Korean ministry. U.S. defense officials revealed in April that hackers have stolen thousands of files on one of the military’s most advanced fighter aircrafts.

“Now it’s in the agenda of every government to pay attention to the cyberworld,” Schouwenberg said.

Security coordinator
On Tuesday, the White House announced the appointment of Howard A. Schmidt as the Obama administration’s new cybersecurity coordinator. Schmidt occupied a similar post under the Bush administration.

Even though crime continued to evolve into a more organized and compartmentalized operation this year, experts believe a new White House administration conscientious of threats and partnerships between law enforcement agencies and security firms offer encouraging signs for next year.

An example is the Conficker Work Group, an international industry coalition that joined to mitigate the spread of the Conficker worm. The group also collaborates with law enforcement agencies by providing them with forensic information.

“It’s the first time I’ve seen such partnership between countries. Typically it’s the Wild West and nobody is in charge of anything. Now it’s clear there’s a lot more international collaboration,” Dausin said.

Tempting You to Click (chris.pirillo.com)
Are iPhone Viruses Here To Stay? (techstartups.com)
Brief Insight Into the Life of a Convicted Hacker (mashable.com)
Fake security software ‘installed on millions of PCs’ (telegraph.co.uk)
Clampi Trojan could steal banking passwords (telegraph.co.uk)
Microsoft Hotmail leak blamed on phishing attack (telegraph.co.uk)
Using Facebook and Twitter safely (thaibrother.com)
Report: The “Web” Has NEVER Been More Dangerous! (pindebit.blogspot.com)

Tags: antivirus, cybersecurity coordinator, Denial-of-service attack, facebook, hacker, howard schmidt, Identity Theft, iPhone, Law enforcement agency, Malware, Michael Jackson, South Korea, Twitter

Comments (0)

Dec 22 2009

FBI Probes Hacks at Citibank

Category: Security Breach — DISC @ 4:45 pm

: Image by wallyg via Flickr

The Wall Street Journal

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.

Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

Citigroup is currently 27%-owned by the federal government.

The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

Continue reading at The Wall Street Journal

Tags: Business, Citibank, Citigroup, FBI, Federal Bureau of Investigation, Federal government of the United States, Government agency, Russian Business Network, United States, United States Department of Homeland Security, Wall Street Journal

Comments (3)

Dec 18 2009

Major security breach

Category: Security Breach — DISC @ 2:20 pm

drone
from AFP

Into The Breach

By Josh Rushing in Asia

When I was embedded with the US military in Helmand Province, Afghanistan, in August I wandered into a tent that I immediately recognized from my days in the military. It was an operations tent, but it was far more technologically advanced than any operations center I ever witnessed as a US Marine. There were rows of tables with soldiers at laptops all facing enormous television screens that were filled with video of a family compound in southern Afghanistan. I was amazed at how clear the drone’s video was, even though it was being filmed in the dark of night.

It was easy in that tent, in the middle of what locals call the desert of death, to see how vital drones had become to the US military for both intelligence gathering and for remote-controlled strikes – bombings that Al Jazeera continuously reports on from Pakistan and Afghanistan to Iraq and Somalia.

Standing in the back of the tent gave me cover to observe the video for about 10 minutes before an officer noticed me and escorted me out. He was obviously flummoxed that my embed credentials had allowed me to gain access to such sensitive video. Little did I know at the time, that with a $26 computer programme and a cheap television satellite dish, I could have been seeing everything that the drones were broadcasting. And why not? As the Wall Street Journal reports the signal from drones is unencrypted, a fact militants in Iraq have been taking advantage of and a fact the US military has known about for a decade or more.

Iraq insurgents hacked Predator drone video feed (telegraph.co.uk)
15 killed in US drone strikes in Pakistan (telegraph.co.uk)
Hillary Clinton faces angry criticism of US in Pakistan (telegraph.co.uk)

Tags: Afghanistan, Asia, drone, drone breach, Helmand Province, major security breach, pakistan, Unmanned aerial vehicle, Wall Street Journal, waziristan

Comments (5)

Dec 16 2009

Internet security breach found at UCSF

Category: hipaa,Security Breach — DISC @ 2:38 pm

: Image via Wikipedia

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.

Here we have another unnecessary healthcare data breach in a university due to phishing which resulted in a loss of private data demonstrating poor baseline security and lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Checkout why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Considering healthcare standard electronic transaction (compliance date, Jan 1, 2012) and HITECH provision (compliance date, Feb 17, 2010) are in the pipeline for healthcare organizations. Do you think it’s about time for them to get their house in order?

Verified by Visa Phishing Scam (pindebit.blogspot.com)
Sophisticated phishing attack and countermeasures (deurainfosec.com)

Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number

Comments (2)

Dec 14 2009

Viruses That Leave Victims Red in the Facebook

Category: Malware — DISC @ 3:21 pm

: Image by Intersection Consulting via Flickr

By BRAD STONE – NYTimes.com

It used to be that computer viruses attacked only your hard drive. Now they attack your dignity.

Malicious programs are rampaging through Web sites like Facebook and Twitter, spreading themselves by taking over people’s accounts and sending out messages to all of their friends and followers. The result is that people are inadvertently telling their co-workers and loved ones how to raise their I.Q.’s or make money instantly, or urging them to watch an awesome new video in which they star.

“I wonder what people are thinking of me right now?” said Matt Marquess, an employee at a public relations firm in San Francisco whose Twitter account was recently hijacked, showering his followers with messages that appeared to offer a $500 gift card to Victoria’s Secret.

Mr. Marquess was clueless about the offers until a professional acquaintance asked him about them via e-mail. Confused, he logged in to his account and noticed he had been promoting lingerie for five days.

“No one had said anything to me,” he said. “I thought, how long have I been Twittering about underwear?”

The humiliation sown by these attacks is just collateral damage. In most cases, the perpetrators are hoping to profit from the referral fees they get for directing people to sketchy e-commerce sites.

In other words, even the crooks are on social networks now — because millions of tightly connected potential victims are just waiting for them there.

Often the victims lose control of their accounts after clicking on a link “sent” by a friend. In other cases, the bad guys apparently scan for accounts with easily guessable passwords. (Mr. Marquess gamely concedes that his password at the time was “abc123.”)

After discovering their accounts have been seized, victims typically renounce the unauthorized messages publicly, apologizing for inadvertently bombarding their friends. These messages — one might call them Tweets of shame — convey a distinct mix of guilt, regret and embarrassment.

“I have been hacked; taking evasive maneuvers. Much apology, my friends,” wrote Rocky Barbanica, a producer for Rackspace Hosting, an Internet storage firm, in one such note.

Mr. Barbanica sent that out last month after realizing he had sent messages to 250 Twitter followers with a link and the sentence, “Are you in this picture?” If they clicked, their Twitter accounts were similarly commandeered.

“I took it personally, which I shouldn’t have, but that’s the natural feeling. It’s insulting,” he said.

Earlier malicious programs could also cause a similar measure of embarrassment if they spread themselves through a person’s e-mail address book.

But those messages, traveling from computer to computer, were more likely to be stopped by antivirus or firewall software. On the Web, such measures offer little protection. (Although they are popularly referred to as viruses or worms, the new forms of Web-based malicious programs do not technically fall into those categories, as they are not self-contained programs.)

Getting tangled up in a virus on a social network is also more painfully, and instantaneously, public. “Once it’s delivered to everyone in three seconds, the cat is out of the bag,” said Chet Wisniewski of Sophos, a Web security firm. “When people got viruses on their computers, or fell for scams at home, they were generally the only ones that knew about it and they cleaned it up themselves. It wasn’t broadcast to the whole world.”

Social networks have become prime targets of such programs’ creators for good reason, security experts say. People implicitly trust the messages they receive from friends, and are inclined to overlook the fact that, say, their cousin from Ohio is extremely unlikely to have caught them on a hidden webcam.

Sophos says that 21 percent of Web users report that they have been a target of malicious programs on social networks. Kaspersky Labs, a Russian security firm, says that on some days, one in 500 links on Twitter point to bad sites that can infect an inadequately protected computer with typical viruses that jam hard drives. Kaspersky says many more links are purely spam, frequently leading to dating sites that pay referral fees for traffic.

A worm that spread around Facebook recently featured a photo of a sparsely dressed woman and offered a link to “see more.” Adi Av, a computer developer in Ashkelon, Israel, encountered the image on the Facebook page of a friend he considered to be a reliable source of amusing Internet content.

A couple of clicks later, the image was posted on Mr. Av’s Facebook profile and sent to the “news feed” of his 350 friends.

“It’s an honest mistake,” he said. “The main embarrassment was from the possibility of other people getting into the same trouble from my profile page.”

Others confess to experiencing a more serious discomfiture.

“You feel like a total idiot,” said Jodi Chapman, who last month unwisely clicked on a Twitter message from a fellow vegan, suggesting that she take an online intelligence test.

Ms. Chapman, who sells environmentally friendly gifts with her husband, uses her Twitter account to communicate with thousands of her company’s customers. The hijacking “filled me with a sense of panic,” she said. “I was so worried that I had somehow tainted our company name by asking people to check their I.Q. scores.”

Social networking attacks do not spare the experts. Two weeks ago, Lee Rainie, director of the Pew Internet and American Life Project, a nonprofit research group, accidentally sent messages to dozens of his Twitter followers with a link and the line, “Hi, is this you? LOL.” He said a few people actually clicked.

“I’m worried that people will think I communicate this way,” Mr. Rainie said. “ ‘LOL,’ as my children would tell you, is not the style that I want to engage the world with.”

Computer malware may capture your Facebook page (seattletimes.nwsource.com)
Social Networks a Security Risk for Organizations (arnoldit.com)
Is Facebook leaking notes? (thenextweb.com)
Finding the right mix between security and social media operations….. (mattscherer.blogspot.com)

Tags: Antivirus software, Computer virus, facebook, Google, Kaspersky Lab, Malware, malware 2.0, Online Communities, San Francisco, Security, Social network, Social network service, Spyware, Twitter

Comments (2)

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk Assessment — DISC @ 5:46 pm

: Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Audit of security control and scoping (deurainfosec.com)
Control selection and cost savings (deurainfosec.com)

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Comments (0)

Dec 04 2009

Five ways to lose your identity

Category: Identity Theft — DISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse

Comments (1)

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security Compliance — DISC @ 2:13 am

: Image by purpleslog via Flickr

In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.

Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

The Nevada PCI DSS Law:

The PCI DSS requires you to:

apply a number of specific controls, or safeguards.

These include documented policies and procedures; as well as

a number of technical IT and network configurations.

You will also have to provide staff with appropriate training; and

You will have to have quarterly scans.

PCI DSS v1.2 Documentation Compliance Toolkit
toolkit-book-pci-dss

This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).

201 CMR 17.00 – The Massachusetts Data Protection Law:

201 CMR 17.00 & ISO 27001 Toolkit
mass_dpa_law

will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

A PCI-Compliant Cloud? Not at Amazon (datacenterknowledge.com)
Hacker Charged With Stealing 130 Million Credit Cards (wired.com)
Hackers steal credit-card numbers from restaurant customers (deurainfosec.com)

Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

Comments (4)

Nov 30 2009

Hackers steal credit-card numbers from restaurant customers

Category: pci dss,Security Breach — DISC @ 2:44 am

Here we have another unnecessary credit card data breach in a small organization which resulted in a loss of customers data demonstrating poor baseline security of small organization in this case a restaurant. Small organizations are not ready for PCI Compliance. Checkout why PCI Compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question

By Theodore Decker
THE COLUMBUS DISPATCH

Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.

Most of the small companies have trouble justifying their investments when it comes to security. At the same time PCI DSS for the “brick & mortar” merchants have been a blessing for security firms who sell hardware solutions to small merchants. The problem is these hardware point solution does not address the business issues of a small merchant on daily basis.
This is why small merchants need to build a security program and the in-house expertise with training and help of outside consultant to understand business issues related to information security clearly. You mature this process over time with an ongoing effort and full management support.
Do you think it’s time for small merchants to take information security seriously as a business limiting risk?

Identity theft: Three accused over biggest bank card scam in US history (telegraph.co.uk)
‘China using elite hacker community to build cyber warfare capability’ (deurainfosec.com)
Hackers set new high score for credit card theft at 130M (arstechnica.com)
Visa/MasterCard Telemarketing Scam Uncovered (pindebit.blogspot.com)
100,000 Cards Being Replaced After Car Park Hack in Auckland (pindebit.blogspot.com)
Why Businesses need to be PCI Compliant (wealthyways4you.com)

Prevent and Protect from Credit Card Fraud and Scams

httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related

Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security

Comments (21)

Nov 25 2009

ENISA Cloud Computing Risk Assessment

Category: Cloud computing — DISC @ 4:22 pm

: Image via Wikipedia

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

The ENISA (European Network and Information Security Agency) released the Cloud Computing Risk Assessment document.

The document does well by including a focus on SMEs (Small and Medium sized Enterprises) because, as the report says, “Given the reduced cost and flexibility it brings, a migration to cloud computing is compelling for many SMEs”.

Three initial standout items for me are:

1. The document’s stated Risk Number One is Lock-In. “This makes it extremely difficult for a customer to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Furthermore, cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data.”

Remember that the document identified SMEs as a major market for cloud computing. What can they do about the lock-in? Let’s see what the document says:

The document identifies SaaS lock-in:

Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a readymade data ‘export’ routine, the customer will need to develop a program to extract their data and write it to file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.

And what about PaaS Lock-In?:

PaaS lock-in occurs at both the API layer (ie, platform specific API calls) and at the component level. For example, the PaaS provider may offer a highly efficient back-end data store. Not only must the customer develop code using the custom APIs offered by the provider, but they must also code data access routines in a way that is compatible with the back-end data store. This code will not necessarily be portable across PaaS providers, even if a seemingly compatible API is offered, as the data access model may be different (e.g., relational v hashing).

In each case, the ENISA document says that the customer must develop code to get around the lock-in, in order to bridge APIs and to bridge data formats. However, SME’s generally do not have developers on staff to write this code. “Writing code” is not usually an option for an SME. I know – I worked for an EDI service provider who serviced SMEs in Europe – we would provide the code development services for the SMEs when they needed data transformation done at the client side.

But there is another answer. This bridging is the job of a Cloud Service Broker. The Cloud Service Broker addresses the cloud lock-in problem head-on by bridging APIs and bridging data formats (which, as the ENISA document mentions, are often XML). It is unreasonable to expect an SME to write custom code to bridge together cloud APIs when an off-the-shelf Cloud Service Broker can do the job for them with no coding involved, while providing value-added services such as monitoring the cloud provider’s availability, encrypting data before it goes up to the cloud provider, and scanning data for privacy leaks. Read the Cloud Service Broker White Paper here.

2. “Customers should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented.”

Yes! Totally agree. There is already a tendency to look at Amazon’s HMAC-signature-over-QueryString authentication scheme and implement a similar scheme which is similar but not exactly like it. For example, an organization may decide “Let’s do like Amazon do and make sure all incoming REST requests to our PaaS service are signed by a trusted client using HMAC authentication”, but omit to include any timestamp in the signed data. I can certainly imagine this, because this would happen all the time in the SOA / Web Services world (an organization would decide “Let’s make sure requests are signed using XML Signature by trusted clients”, but leave the system open to a simple capture-replay attack). Cloud PaaS providers should not make these same mistakes.

3. STRIDE and DREAD
Lastly, the document’s approach of examining the system in terms of data-at-rest and data-in-motion, identifying risks at each point (such as information disclosure, eavesdropping, or Denial-of-Service), then applying a probability and impact to the risks, is very reminiscent of the “STRIDE and DREAD” model. However I do not see the STRIDE and DREAD model mentioned anywhere in the document. I know it’s a bit long in the tooth now, and finessed a bit since the initial book, but it’s still a good approach. It would have been worth mentioning here, since it’s clearly an inspiration.

Read the source entry…

Five competitive differentiators for cloud services (news.cnet.com)
The Future of collaboration platforms (vator.tv)
Is IaaS (as a term) Doomed? (elasticvapor.com)

Tags: Application programming interface, Business, Cloud computing, Platform as a service, Service-oriented architecture, Small and medium enterprises, Software as a service, Web service

Comments (1)

Nov 19 2009

Health Net healthcare data breach affects1.5 million

Category: hipaa,Security Breach — DISC @ 2:10 pm

: Image via Wikipedia

Here we have another unnecessary major security breach in a large healthcare organization which resulted in a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question or high level risk assessment.

The Practical Guide to HIPAA Privacy and Security Compliance

By Robert Westervelt, News Editor
19 Nov 2009 | SearchSecurity.com

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data..

“Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman an analyst with Security Incite.

“You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.”

In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place and the right training and awareness so that employees understand what those policies are and ways to audit those processes, he said.

Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.

“A lot of these portable hard drives are older without built-in encryption and to the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said.

Some USB makers market the devices with built-in encryption software. In 2008, Seate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

Nagraj Seshadri, head of product marketing at Utimaco the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data.

Perhaps healthcare management still doesn’t realize that they might be potentially liable for lack of reasonable safeguards to protect organization assets. Do you think it’s time for healthcare management to take information security seriously as a potential business risk?

New HealthCare Data Breach Program Begins September 23rd (ducknetweb.blogspot.com)
ARRA – HITECH: Health Care Information Breach Notification Regulations Now In Effect (healthcarebloglaw.blogspot.com)
Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who’s Ready? (healthblawg.typepad.com)
Laptop Heist Exposes Doctors’ Personal Data (deurainfosec.com)
HIPAA Enforcement Meets HITECH: HIPAA Administrative Simplification: Enforcement Rule (healthcarebloglaw.blogspot.com)

Tags: arra and hitech, data loss prevention, data security, disk encryption and file encryption, Health care, Health Insurance Portability and Accountability Act, Identity Theft, identity theft and data security breaches, Personally identifiable information, Security, security awareness training

Comments (14)

Nov 16 2009

Online gangs cash in on swine flu

Category: Cybercrime — DISC @ 2:33 pm

: Image by Bearman2007 via Flickr

The problem is not just buying a fake medicine on the internet, it has a potential of hurting people two ways – it is not the real Tamiflu and we don’t know what’s being falsely market as Tamiflu. DISC

By Kate Kelland Kate
LONDON (Reuters) – Criminal gangs are making millions of dollars out of the H1N1 flu pandemic by selling fake flu drugs over the internet, a web security firm said on Monday.

Sophos, a British security software firm said it had intercepted hundreds of millions of fake pharmaceutical spam adverts and websites this year, many of them trying to sell counterfeit antiviral drugs like Tamiflu to worried customers.

Tamiflu, an antiviral marketed by Switzerland’s Roche Holding and known generically as oseltamivir, is the frontline drug recommended by the World Health Organization to treat and slow the progression of flu symptoms. GlaxoSmithKline makes another antiviral for flu, known as Relenza.

Sophos said many of the gangs behind the sites were based in Russia and the top five countries buying fake Tamiflu and other medicines on the internet were the United States, Germany, Britain, Canada and France.

Sophos spokesman Graham Cluley said a “worrying trend” toward stockpiling Tamiflu had already been seen in Britain — Europe’s worst-hit country in the H1N1 pandemic so far.

“As more and more cases of swine flu….come to light, it is essential that we all resist the panic-induced temptation to purchase Tamiflu online,” he said.

“The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers’ health, personal information and credit card details at risk.”

The Geneva-based WHO, which declared H1N1 swine flu a pandemic in June, updated its guidance to doctors last week to say that antiviral drugs should be given even before tests conclude that an at-risk patient has the pandemic virus.

Sophos said criminal gangs were operating medicines websites branded as the “Canadian Pharmacy” to try to appear genuine.

It said its research showed that on one network operated out of Russia, called Glavmed, it was possible to earn an average of $16,000 a day promoting pharmaceutical websites.

“But the criminals can be members of more than one affiliate network, and some have boasted of earning more than $100,000 per day,” it said in a statement.

The pandemic H1N1 flu virus has now spread to 206 countries since it was first discovered in March. There have been more than 6,250 deaths to date, mostly in the Americas region, according to the latest WHO toll.

Putting 22 Million Cases of Swine Flu in Context (blogs.wsj.com)
Long gestation of the swine flu vaccine (telegraph.co.uk)
Note to Cats: To Avoid Swine Flu, Stay Away from People (blogs.wsj.com)
Flu Vaccine Update: Beyond Chicken Eggs; Seasonal Shortage (blogs.wsj.com)

Tags: Antiviral drug, GlaxoSmithKline, h1n1, H1N1 swine flu, Health, Influenza, Influenza A virus subtype H1N1, pandemic, Relenza, Sophos, Tamiflu, WHO, World Health Organization

Comments (1)

Nov 13 2009

Cyber criminals deface 50 to 60 Indian websites a day

Category: Cybercrime — DISC @ 2:52 pm

: Image by Clopin via Flickr

Webnewwire.com report submitted on November 11, 2009

Has your girlfriend blocked you and you cant see her on-line? Wondering how to keep your email account protected? Or want to hide files from your annoying siblings? MTV’s got Ankit Fadia – the coolest Ethical Hacker in the world to give you everything from tips, tricks to cheat codes that will help make your life on the world wide web a whole lot simpler. Learn cool stuff that you can with your computers, Internet, mobile and other technology in your life!

This is India’s first tech show which does not review tech gadgets, websites or software instead it gives viewers a low down (or download!) on cool stuff that they can do with technology that will make their every day life cooler, simpler and stylish!

I am hosting “MTV What the Hack!” show with MTV VJ Jose, informed Ankit Fadia who was in city on a private visit. Watch it on MTV India every Saturday @ 8:20 PM. Repeat Telecasts every day, he appealed to the people

The show is a guy show with lots of typical MTV style humour. VJ Jose and Ankit Fadia shoot the episodes without a script and just naturally jam in front of camera and talk about technology. The show has got a very good response so far as it is being different from other shows. Most of the tech shows in India are review based shows where gadgets, software and websites are reviewed. This is the India’s first reach show that actually teaches viewers something. The show is on as part of MTV’s move to beyond music and beyond television. Since October 17 this year dropped ‘Music Television’ baseline which has been there in India for the past 13 years. Music contributes about 40 per cent of its programming and soon will go down to 25 per cent. This is happening as part of repositioning exercise MTV kicked off two years back. MTV is born of music, inspired by music, driven by music –but not limited by music. IT is now about new ideas, new formats, new ways of reaching people in new places they choose to live in.

Addressing the press conference Ankit Fadia spoke on various issues concerning Cyber Security in India. Speaking about Cyber security issues India is facing today he said Pakistani cyber criminals are able to deface 50 to 60 Indian websites a day, but, in retaliation only 10 to 15 Pakistani websites are defaced. And this has been going on since 2001. Nodoubt, India is IT capital of the world, but, as far as security is concerned India is far lagging behind, informed Ankit.

Speaking further he added that Terrorists are using most advanced technologies for communication. Which include mainly VOIP(Voice Over Internet Protocol) Chats, hiding messages inside photographs, draft emails, encrypted pen drives etc are some of the techniques to communicate with each other, he informed.

Cyber laws in India are quite good, b ut the problem is that the police who enforce those laws are ill equipped and are not trained properly. And he challenged media to visit the nearest police station and lodge a cyber crime complaint. And you will shocked that 9 out of 10 times, the officials attending you won’t follow what you are saying, said Ankit.

The biggest problem that the police worldwide face while solving cyber crime is the fact that the Internet has no boundaries, however, while investigating a cyber crime case a number of geographical, political, social and diplomatic boundaries come into the picture.

The next big security threat could be from Social Networking, Ankit declared. Everybody in India is on the social networking bandwagon. Even Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor, Barack Obama and many other celebrities are updating Twitter daily. The latest viruses, worms, spyware and malware spread through social networking websites like Twitter, Facebook, Orkut and Myspace.

You will receive a private message from one of your friend (who is already infected) containing a link to a Youtube video. Halfway through the video, it will prompt you to download some Video Plugin or Code. Since the message came from your friend, most people tend to trust it and get infected!, said Ankit.

There are many financial scams and frauds happening on social networking websites. Get rich quick schemes, Earn Money Online Scams and various money laundering attacks now come to you through a Twitter update or a Facebook wall post!. Since Social Networking websites are all about your friends, many people are susceptible to the attack, Ankit said and added that Antivirus companies need to gear up to have a social networking aspect to them. People need to be made aware of the threats of social networking!

Another next big security threat could be People Hacking, he informed. People Hacking is all about sweet talking people to get things done. Especially things that they would normally don’t do or should not do!. People Hacking happens around us all the time. In the office, with your friends, at the check in counters at the airport or on the phone with the call centre. To carry out People Hacking you need to know what to say to whom and more importantly how to say it. Inducing fear, guilt, sympathy or just overpowering the victim with your words can lead to People Hacking, informed Ankit Fadia.

When asked about advise like Dos and Don’ts for average internet user he listed out the following.

– Use an Antivirus. More importantly, update it every week.

– Use an Anti Spyware. Update it every week.

– Use a Firewall. They are not as technical as they sound. A very good firewall that I recommend is Zone Alarm. Just do a Google search to download it.

– Use a strong password for all your accounts—a combination of alphabets, numbers and special characters. Use both lowercase and uppercase.

– Use Windows Update every fortnight to patch Windows.

– Use a Key Scrambler—a software the scrambles your keys in such a way that key loggers & other spying tools cant record what you type on your computer.

– Use a password on your Wi Fi network.

WARNING: Facebook Design Flaw Abused, Hundreds of Groups Hacked (mashable.com)
Google Navigation hacked onto T-Mobile G1 (engadget.com)
Top 5 Websites To Learn How To Hack Like A Pro (makeuseof.com)

Tags: Aishwarya Rai, Ankit Fadia, Barack Obama, cyber security, facebook, Google, MySpace, pakistan, Priyanka Chopra, Security, social engineering, Social Networking, Twitter, World Wide Web, YouTube

Comments (1)

Nov 10 2009

Facebook, MySpace users hit by cyber attacks

Category: Cybercrime — DISC @ 1:27 am

: Image by sitmonkeysupreme via Flickr

NZ HERALD reported that Facebook users – already being targeted in a malware campaign – are now under threat from a phishing scam.

Security specialists Symantec report that the company’s systems have picked up fake messages that appear to be sent by the social networking service.

Users will receive an email that looks like an official Facebook invite or a password reset confirmation.

If a duped user clicks on the ‘update’ button they will be redirected a fake Facebook site. They will then be asked to enter a password to complete the updating process.

As soon as the unwitting Facebook user does this, their password is in the hands of cybercriminals.

Dodgy subject lines for the phishing emails are: ‘Facebook account update,’ New login system’ or ‘Facebook update tool’.

The malware campaign that is still targeting Facebook is also propagated via email. This time, the message looks like a Facebook notification that the recipient’s password has been reset.

It includes a zip file that, if opened, launches an .exe file, which Symantec’s Security Response centre says is a net nasty called Trojan.Bredolab.

Once a users’ machine is infected by this malware, it secretly dials back to a Russian domain and, Symantec says, “is most likely becoming part of a Bredolab botnet.”

But it isn’t just Facebook that is being lined up by cybercriminals, News Corp’s MySpace is also under attack.

Potentially dangerous email subject lines to look out for are: ‘Myspace Password Reset Confirmation,’ ‘Myspace office on fire’ and ‘Myspace was ruined’.

Symantec believes their will be another attack on MySpace in the next day or two. “We also think that social networking sites with huge user bases are currently being targeted to infect maximum machines or gather passwords for more malicious activities in future,” the security team said in a statement.

It advised users to be extra-careful of suspicious attachments, especially those including password reset requests. Legitimate websites will not send an attachment for resetting a password, it said.

– NZ HERALD STAFF

Business use of Twitter, Facebook exploding (macworld.com)
Cyberthieves targeting Facebook, Twitter (cnn.com)

Tags: botnet, facebook, Malware, MySpace, News Corporation, phishing, Social network, Social network service, trojan, Website

Comments (0)

Nov 06 2009

Laptop Heist Exposes Doctors’ Personal Data

Category: hipaa,Security Breach — DISC @ 6:50 pm

doctor

Another stolen laptop puts thousands of people’s personal data at risk but this time it’s the caregivers — not the patients — who are at risk.

November 6, 2009
By Larry Barrett:

More than 10,000 physicians’ and dentists’ personal data was exposed last week in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the health care providers’ Social Security numbers and other data to a personal laptop that was later stolen.

Anthem spokesman Christopher Dugan said the security breach took place at the national level and the files did not include any patients’ personal data.

The Blue Cross Blue Shield Association said the employees’ ill-fated decision to transfer the sensitive information to a personal laptop violated the insurer’s security policies.

Just last week, more than 33,000 patients receiving care from a Daytona Beach, Fla. medical center were notified that their data may have been compromised when a laptop was stolen from an employee’s car.
New Hampshire is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised.

Anthem officials said it will provide free credit-monitoring services to all the affected physicians and dentists for a year.

It’s not been the best of months for the insurer.

On Oct. 5, Blue Cross warned another 39,000 doctors that a yet another laptop stolen from the company’s Chicago headquarters could have potentially exposed an assortment of personal information including Social Security numbers and tax identification numbers.
A Ponemon Institute by Traverse City, Mich.-based data security researcher Ponemon Institute estimates that more than 12,000 laptops are stolen or lost at airports alone each week.

It also found that the average large company has 640 laptops, 1,985 USB memory sticks, 1,075 smart phones and 1,324 other various data devices stolen or lost each year — ;a total of 800,000 data-sensitive memory devices a year.

Tags: arra and hitech, crime, data breach, data security, Health Insurance Portability and Accountability Act, hipaa, laptop, Physician, Security, stolen laptop

Comments (5)

Nov 05 2009

Senate Panel Clears Data Breach Bills

Category: Information Privacy,Security Breach — DISC @ 6:29 pm

: Image via Wikipedia

Legislation Heads for a Senate Vote

November 5, 2009 – Eric Chabrow, Managing Editor
The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.

The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

The other measure, the Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement.

Among the objections raised by Sens. Jeff Sessions of Alabama, the committee’s ranking Republican, and Jon Kyl of Arizona, the Republican whip, focused on the provisions defining personally identifiable information (PII) to include an individual’s full name along with at least two of the following: the person’s birth date, home address, telephone number and mother’s maiden name.

Sessions said this information is available from other public records, such as a telephone directory, and would place an undue financial burden on businesses to notify customers of the breach if that was the only information exposed. Kyl said if the bill results in too many notices being sent, consumers might ignore them, similar to how the public views the orange alert on terrorism. “With frequent notices, customers may not worry about it,” he said.

Another objection raised by a few Republicans – a point dismissed by some of their Democratic colleagues – was the bankruptcy provision in the Leahy bill. The consensus of committee members was that a person victimized by identity theft should face bankruptcy but several GOP members worried that the provision might be used to get persons facing bankruptcy for other reasons off the hook if they also had their identities compromised.

Still, Leahy said the legislation, first introduced four years ago, is overdue, and the public is clamoring for it. He cited a Unisys study that contends more Americans are concerned about identity theft than the H1N1 virus or meeting their financial obligations. Since 2005, the year the bill was first proposed, more than 340 million records containing sensitive PII have been involved in data breaches, he said, citing a Privacy Rights Clearinghouse report.

“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” Leahy said. “The president’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33 percent increase over the previous year. This loss of data privacy is a serious and growing threat to the economic security of American businesses.”

Tags: Cyberspace Policy, Data Breach Notification, Dianne Feinstein, Identity Theft, loss of privacy, Personal Data Privacy and Security Act, Personally identifiable information, S. 139, S. 1490, Senate Judiciary Committee, United States Senate

Comments (0)

Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaa — DISC @ 6:22 pm

medical-symbol
Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
HIMSS News
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

Security budgets remain low

Organizations often don’t have a response plan for threats or a security breach

A designated Chief Security Officer or Chief Information Security Officer is not in place

In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

“Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to the address these concerns.”

Other key survey results include:

Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent to the level of spending identified in the 2008 study.

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

Future Use of Security Technologies: E-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

“Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

Targeting Chief Information Officers and Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey focused on an assessment of 196 information technology (IT) and security professionals in the healthcare field of their own readiness for today’s risks and security challenges.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

About HIMSS
The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

For more information, contact:
Joyce Lofstrom/HIMSS
312-915-9237 – jlofstrom@himss.org

Pamela Reese/Symantec
424-750-7858 – pamela_reese@symantec.com

Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec

Comments (0)

Oct 31 2009

Lawmakers and an accidental disclosure

Category: Security Breach — DISC @ 12:04 am

: Image via Wikipedia

By Ellen Nakashima and Paul Kane
Washington Post Staff Writer
Friday, October 30, 2009

House ethics investigators have been scrutinizing the activities of more than 30 lawmakers and several aides in inquiries about issues including defense lobbying and corporate influence peddling, according to a confidential House ethics committee report prepared in July.

The report appears to have been inadvertently placed on a publicly accessible computer network, and it was provided to The Washington Post by a source not connected to the congressional investigations. The committee said Thursday night that the document was released by a low-level staffer.

The ethics committee is one of the most secretive panels in Congress, and its members and staff members sign oaths not to disclose any activities related to its past or present investigations. Watchdog groups have accused the committee of not actively pursuing inquiries; the newly disclosed document indicates the panel is conducting far more investigations than it had revealed.

Shortly after 6 p.m. Thursday, the committee chairman, Zoe Lofgren (D-Calif.), interrupted a series of House votes to alert lawmakers about the breach. She cautioned that some of the panel’s activities are preliminary and not a conclusive sign of inappropriate behavior.

“No inference should be made as to any member,” she said.

Rep. Jo Bonner (Ala.), the committee’s ranking Republican, said the breach was an isolated incident.

The 22-page “Committee on Standards Weekly Summary Report” gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies.

Washington Post Accesses Online Files On Congressional Ethics Investigations (crooksandliars.com)
Leak Offers Rare Peek at Ethics Probes (online.wsj.com)

Tags: aides, breach, committe chairman, ethics committee, ethics violations, House ethics investigators, Lobbying, United States Congress, United States House Committee on Standards of Official Conduct, washington post

Comments (1)

Oct 30 2009

HIPAA and business associate

Category: hipaa — DISC @ 10:14 pm

medical-symbol
How ARRA and HITECH provisions affect HIPAA compliance
AIS reported taht the new HITECH Act requires hospitals, providers, health plans and other HIPAA covered entities (CEs) to meet a February 2010 deadline for revising their business associate (BA) agreements. New language in BA amendments should require BAs to comply with (a) the HIPAA Security Rule,(b) new security breach notification rules and related strategies that CEs choose to implement, and (c) new privacy obligations imposed on CEs by the HITECH Act. Developing and maintaining effective BA relationships should be a top compliance priority for CEs, since privacy and security breaches often take place at the BA level and can be just as damaging to a covered entity’s reputation. With February approaching and lots of tricky questions to resolve, covered entities need a quick crash course in what their options are for designing and implementing these amendments in the next three months.

While the HITECH Act did not come right out and say “business associate agreements must be revised,” it does stipulate that certain provisions “shall be incorporated into the business associate agreement between the business associate and the covered entity.” Among them: business associate agreements must be amended to reflect the new mandate that BAs must comply with the Security Rule, should be amended to provide the covered entity with adequate notice in the event of a security breach, and should incorporate new privacy obligations imposed on CEs by the HITECH Act

New HealthCare Data Breach Program Begins September 23rd (ducknetweb.blogspot.com)
ARRA – HITECH: Health Care Information Breach Notification Regulations Now In Effect (healthcarebloglaw.blogspot.com)

Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", breach of privacy, covered entities, health insurance, hipaa, hipaa privacy, hippa compliance, hitech, hitech act, hospital, privacy, SOX HIPAA, status of arra and hitech

Comments (5)

Oct 27 2009

Clear Policies and Effective Controls

Category: Policies & Controls — DISC @ 2:19 pm

: Image via Wikipedia

Writing Information Security Policies

Policy defines law of an organization what is acceptable and less risky way of doing business. Having a law in-place is one thing (a good start for an organization) but how you enforce or change policies over time is a key to successful policy implementation.

To control your environment context is everything, what you want to allow as well as actions that you will take to safeguard your environment to enforce suitable policies. The policies will determine who can access your infrastructure under what circumstances and what conditions and especially what actions needed to be taken when users or devices are in non-compliance.

Over the passage of time you need to re-access policies to determine what new policies need to be added and which one need to be edited or discarded based on current business needs. Policy control should be transparent to user and balance need to be maintained between usability and security. During maintaining this balance policy is more of an art than science. If security control cost more than the benefit attain from business activity, at that point we might need to readdress, how much we want to control the environment which is acceptable to current business needs and does not thwart business activity.

Regularly reassessing policies, education users and enforce current policies to help limit your organization liability. Make sure your practice matches your policies; you may be creating a liability that you believe you have protected yourself against.

You got to try out your new policies to see how well they work in your environment. In this regard you might want to issue policy position statement to receive open feedback from user community before adding into to your company policy. By re-assessing policies on regular basis, and issuing policy statement before enforcing a policy, you can achieve better control over your environment by understanding your user’s requirements and business needs. Deming PDCA (Plan-Do-Check-Act) model apply to the process of building policy, you build this process to perfection over time.

Managing Risks and NIST 800-53 (deurainfosec.com)
The Deming Cycle: an application to web design (woork.blogspot.com)
Simple Quality Improvement Techniques For South Carolina Businesses And Organizations (slideshare.net)
Audit of security control and scoping (deurainfosec.com)
Do people resist change? (change-management-blog.com)

Tags: clear policies, effective controls, information security policy, infrastructure control, PDCA, pdca model, position statement, secrity control

Comments (4)

« Previous Page — Next Page »

DISC InfoSec blog

Hackers’ attacks rise in volume, sophistication

FBI Probes Hacks at Citibank

Major security breach

What is a risk assessment framework

2010 Compliance Laws

Hackers steal credit-card numbers from restaurant customers

Prevent and Protect from Credit Card Fraud and Scams

Health Net healthcare data breach affects1.5 million

Online gangs cash in on swine flu

Laptop Heist Exposes Doctors’ Personal Data

Senate Panel Clears Data Breach Bills

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Lawmakers and an accidental disclosure

HIPAA and business associate

Clear Policies and Effective Controls

Follow DISC InfoSec blog

Get new posts by email:

DISC online store for recommended InfoSec products

vCISO as a service

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Prevent and Protect from Credit Card Fraud and Scams

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Get new posts by email:

vCISO as a service