2014/08/22

Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability | foodonia

Do you trust the internet with your secrets?


Perhaps you shouldn’t, even if you’re using an app which professes to “deliver anonymously” secrets to your friends, and their circles, without identifying you as the owner of those secrets.


As Wired reports, researchers at Seattle-based Rhino Security Labs discovered a weakness in how the popular Secret app works, giving them a way of reading anybody’s supposedly anonymous postings.


At this point you’re probably imagining that for anyone to hack Secret, a popular app amongst iOS and Android users, would take ninja-like skills and advanced methods.


But in truth researchers found it remarkably easy, and the secrets of users can spill out within just a matter of minutes, as a Rhino Security researcher demonstrated to journalist Kevin Poulsen over lunch:



White hat hacker Ben Caudill is halfway through his sandwich when he casually reaches over to his iPhone, swipes the screen a few times, then holds it up to me. “Is that you?” he asks.


It is, but nobody was supposed to know. He’s showing me one of my posts to Secret, the popular anonymous sharing app that lets you confess your darkest secrets to your friends without anyone knowing it’s you. A few minutes ago I gave Caudill my personal e-mail address, and that was all he needed to discover my secret in the middle of a Palo Alto diner, while eating a BLT.



So just how did researchers manage to connect users’ email addresses with secrets they had posted via the Secret app?


Well, it’s breathtakingly simple.


Secret posts


When you create an account on Secret, the app requests access to your address book – so it can identify friends who might also be using the service.


And, as Secret’s FAQ explains, you need at least seven friends before the app will begin to say that a secret has been posted by one of your friends (although, of course, it doesn’t identify which one).


Part of Secret FAQ



Until you have 7 friends, posts will not be identified as coming from “friends” or “friends of friends” but will instead indicate “Your Circle.” We’ll never explicitly tell you which of your friends are on Secret to protect identities.



Does that sound reasonable to you?


Well, maybe this will make you think again.


Because what the researchers then did was create seven bogus Secret accounts – something that’s remarkably easy to do as Secret doesn’t require you to confirm your phone number or email address.


And then came the really clever part, as Kevin Poulsen of Wired explains:



Next, [Caudill] deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask — me.


Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.



Clever, huh? And, in retrospect, remarkably straightforward.


So all that was required to find out what secrets you had posted was your email address – something that, for most of us, cannot really be considered private or secret. The flaw was not in the app's cryptography or transport; it was in the anonymity model itself: a "friend" label is only as anonymous as the set of friends it could refer to, and an attacker who controls every member of that set but one has reduced it to a name.
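The attack Poulsen describes, modelled as an added example (this is illustrative code, not Secret's). The only rule taken from the page is the FAQ's seven-friend threshold; the class and function names, the e-mail addresses and the absence of any sign-up verification are constructed stand-ins for the real service.

```python
"""Model of the contact-sync deanonymisation attack described above.

This is an added illustration, not Secret's code. The one rule taken from
the page is the FAQ's threshold: a post is labelled as coming from a
"friend" only once the viewer has at least seven friends on the service.
Everything else (class and function names, e-mail addresses, the absence of
any phone or e-mail verification at sign-up) is a constructed stand-in.
"""
from dataclasses import dataclass, field

FRIEND_THRESHOLD = 7  # from the Secret FAQ quoted above


@dataclass
class Account:
    email: str
    contacts: set = field(default_factory=set)  # the synced address book


class SecretModel:
    """Just enough of the service to show why the attack works."""

    def __init__(self):
        self.accounts = {}  # e-mail -> Account
        self.posts = []     # (author e-mail, text), in posting order

    def signup(self, email, contacts=()):
        # Nothing is verified, so one person can register any number of accounts.
        self.accounts[email] = Account(email, set(contacts))

    def post(self, email, text):
        self.posts.append((email, text))

    def friends_of(self, viewer):
        """Entries in the viewer's address book that also hold an account."""
        book = self.accounts[viewer].contacts
        return {e for e in book if e in self.accounts and e != viewer}

    def feed(self, viewer):
        """Posts by the viewer's friends, labelled the way the FAQ describes."""
        friends = self.friends_of(viewer)
        label = "friend" if len(friends) >= FRIEND_THRESHOLD else "your circle"
        return [(label, text) for author, text in self.posts if author in friends]


def anonymity_set(service, viewer, controlled):
    """Accounts a post labelled 'friend' could have come from, after the
    viewer discounts the accounts it controls itself."""
    return service.friends_of(viewer) - set(controlled)


def unmask(service, target_email):
    """Replay the steps from the article: seven sybils plus the target in the
    address book of a fresh account, then read that account's feed."""
    sybils = [f"bot{i}@attacker.invalid" for i in range(FRIEND_THRESHOLD)]
    for s in sybils:
        service.signup(s)
    reader = "reader@attacker.invalid"
    service.signup(reader, contacts=sybils + [target_email])
    suspects = anonymity_set(service, reader, sybils)
    # With the sybils silent, every 'friend' post in the feed is the target's.
    attributed = [text for label, text in service.feed(reader) if label == "friend"]
    return suspects, attributed


if __name__ == "__main__":
    svc = SecretModel()
    svc.signup("victim@example.com")
    svc.post("victim@example.com", "I never actually read the books I review")
    suspects, posts = unmask(svc, "victim@example.com")
    print("could only be:", suspects)
    print("their secrets:", posts)
```

The interesting number is the size of the set returned by `anonymity_set`: for an honest viewer with eight real friends it is eight, for the attacker it is one. Any fix has to make that set hard to shrink, which is why unverified sign-ups and bot detection, not the feed logic alone, are what the service had to address.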


Secret CEO David Byttow told Wired that the vulnerability has now been closed, and claimed that they had no evidence that the privacy hole had been maliciously exploited.



“As near as we can tell this hasn’t been exploited in any meaningful way. But we have to take action to determine that.”



However, it’s worth bearing in mind that an absence of evidence is not evidence of absence. Just because Secret can’t tell whether the flaw has been exploited to embarrass or blackmail individuals who have posted compromising secrets doesn’t mean that it hasn’t happened.


And the Secret app’s developers have confirmed that, since a bug bounty was introduced in February, a total of 42 security holes have been identified and fixed.


Obviously it’s good that security and privacy vulnerabilities are being fixed, but when it’s your *secrets* which are at stake, wouldn’t you feel happier knowing that the app had been built on more sturdy ground in the first place?


One has to wonder whether Secret’s claims of “refined algorithms” to detect bots and suspicious activity on Secret are really enough to protect its users.


Secret is no stranger to controversy, of course.


Just this week a Brazilian judge has called for the app to be banned from official app stores, claiming that it encourages anonymous bullying.


But, in my mind, the problem lies not so much with the app as with the people who use it.


They clearly haven’t learnt the most basic rules of keeping secrets.


Don’t tell anyone. Don’t write it down. Don’t type it into an app. Never ever post it onto the internet.


As soon as you trust anyone or anything else with a secret, you’re doomed.


The post Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability appeared first on We Live Security.






Brought by: http://foodonia.com

2014/08/20

Traffic light – ‘easy’ to hack whole city’s systems | foodonia

The most famous traffic light ‘hack’ in history is in the classic film, The Italian Job (1969), a caper movie where the heist involves paralyzing Turin via its traffic control system. The plan’s author, played by Michael Caine, says, “It’s a very difficult job and the only way to get through it is we all work together as a team. And that means you do everything I say.”


The reality, it turns out, is much easier, at least according to researchers at the University of Michigan who, as Time reports, say that networked traffic systems are left vulnerable by unencrypted radio links and factory-default passwords, making access to individual lights, or even a city-wide attack as in the film, possible.


“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.


An attacker focused on robbery, like the film’s ‘crew’, could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.


Traffic light: Blow the bloody doors off


“Once the network is accessed at a single point, the attacker can send commands to any intersection on the network,” the researchers write.


“This means an adversary need only attack the weakest link in the system. The wireless connections are unencrypted and the radios use factory default user-names and passwords.”


Traffic light controllers also have known vulnerabilities, and attacks could paralyze cities: a denial-of-service attack on the traffic network could, the researchers suggest, turn all lights to red and cause “confusion” across a city.


Lights ‘go green automatically’ as thief escapes


“An attacker can also control lights for personal gain. Traffic lights could be changed to be green along the route the attacker is driving,” the researchers write.


“Since these attacks are remote, this could even be done automatically as she drove, with the traffic lights being reset to normal functionality after she passes through the intersection.”


“More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response,” they write. They also suggest measures including encrypted signals and firewalls which could improve current systems.


Perhaps a film reboot is in order: after all, the 1969 version ends with Caine saying, “Hang on, lads; I’ve got a great idea.”


The post Traffic light – ‘easy’ to hack whole city’s systems appeared first on We Live Security.







2014/08/19

Banking security – new apps ‘know’ your touch | foodonia

Everyone hates passwords – even the guy who invented them – but some bank app users in the Nordic region are experiencing a taste of a future where they might not be necessary.


Password theft – on a massive scale – has become a near-weekly happening, and biometrics have their own disadvantages – such as inaccurate scanners which won’t work when wet, as well as hacks with latex fingerprints and other such gizmos.


But customers at Danske bank have been trialling a new “behavioral” form of identification, according to Forbes magazine. Rather than simply ID a customer using a PIN, the app tracks the pressure and speed they use to type it in.


Banking security: Touch too much?


The theory is that even if a PIN is weak, or stolen, the thief cannot mimic the distinctive pattern of pressure and timing with which the user types it in.


“Eventually mobile security may no longer hinge on whether a password is long enough, but on how well the device knows the user,” ComputerWorld comments.


“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”


‘How well the device knows you’


As a security solution, it’s low-cost (it uses sensors already present in the phone) and demands nothing of the customer. The trial has been such a success that multiple banks in Sweden, Norway and Denmark will use similar apps shortly. The app scored 99.7% session accuracy.


“Multilayered security can be achieved by combining the three pillars: something you have (i.e., the phone as a token), something you know (like your PIN), and something you are which is your physical or behavioral metrics,” says Behaviosec.


At present, Behaviosec’s technology can pick up a ‘false’ user within 20 to 60 seconds. The company said it could also have wider applications such as preventing children accessing inappropriate content on tablets.
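To make the “flight between the keys” and pressure measurements concrete, here is an added example of a minimal keystroke-dynamics verifier for a PIN entry. It is illustrative code written for this page, not Behaviosec’s or Danske Bank’s model: the feature set (hold time, flight time, touch pressure), the z-score distance, the floors on the standard deviation and the threshold are all assumptions chosen for the demonstration, and every timing sample below is constructed.

```python
"""Keystroke-dynamics check of the kind described above.

Added illustration, not BehavioSec's or Danske Bank's code. A PIN entry is
verified from the rhythm and pressure of the keystrokes (key hold times,
"flight" times between keys, touch pressure) against a profile built from
the user's earlier entries. All timing data is constructed; the feature set,
the z-score distance and the threshold are assumptions for illustration.
"""
import math

# One PIN entry = [(key, touch-down ms, touch-up ms, pressure 0..1), ...]  (constructed)
ENROLLMENT = [
    [("2", 0, 120, 0.55), ("4", 300, 410, 0.60), ("7", 630, 760, 0.52), ("1", 920, 1035, 0.58)],
    [("2", 0, 114, 0.57), ("4", 296, 402, 0.58), ("7", 638, 772, 0.50), ("1", 930, 1042, 0.60)],
    [("2", 0, 125, 0.53), ("4", 310, 418, 0.61), ("7", 625, 751, 0.54), ("1", 915, 1031, 0.56)],
    [("2", 0, 118, 0.56), ("4", 303, 415, 0.59), ("7", 634, 766, 0.51), ("1", 924, 1040, 0.57)],
]
# Same user, same PIN, a week later (constructed).
LEGITIMATE_ATTEMPT = [("2", 0, 122, 0.54), ("4", 302, 412, 0.60), ("7", 640, 768, 0.53), ("1", 928, 1044, 0.59)]
# Thief with the correct PIN: slow hunt-and-peck, short taps, pressing hard (constructed).
IMPOSTOR_ATTEMPT = [("2", 0, 90, 0.80), ("4", 520, 600, 0.78), ("7", 1100, 1190, 0.82), ("1", 1700, 1780, 0.79)]

TIMING_FLOOR_MS = 5.0   # never trust a std-dev tighter than this from a handful of samples
PRESSURE_FLOOR = 0.02
THRESHOLD = 1.5         # mean |z| above this rejects the entry (assumed value)


def features(events):
    """Hold time per key, flight time (key-up to next key-down), pressure per key."""
    holds = [up - down for _, down, up, _ in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    pressures = [p for _, _, _, p in events]
    return holds + flights + pressures


def enroll(samples):
    """Per-feature mean and (floored) standard deviation over the enrollment entries."""
    vectors = [features(s) for s in samples]
    n_keys = len(samples[0])
    profile = []
    for i, column in enumerate(zip(*vectors)):
        mean = sum(column) / len(column)
        std = math.sqrt(sum((x - mean) ** 2 for x in column) / len(column))
        floor = PRESSURE_FLOOR if i >= 2 * n_keys - 1 else TIMING_FLOOR_MS
        profile.append((mean, max(std, floor)))
    return profile


def score(profile, events):
    """Mean absolute z-score of one entry against the profile (0 = perfectly typical)."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("entry has a different number of keystrokes than the profile")
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, profile)) / len(vec)


def verify(profile, events, threshold=THRESHOLD):
    """True when the entry's rhythm is close enough to the enrolled user's."""
    try:
        return score(profile, events) <= threshold
    except ValueError:
        return False


PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for name, attempt in (("legitimate", LEGITIMATE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{name}: score={score(PROFILE, attempt):.2f} accepted={verify(PROFILE, attempt)}")
```

The floors on the standard deviation matter: with only four enrollment entries a feature can look far more consistent than it really is, and without a floor the verifier would reject the real user on the first slightly different entry. A production system would also keep updating the profile, which is where the “20 to 60 seconds” of continuous monitoring quoted above comes in.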


The start-up is now investigating further behavioral tracking – such as monitoring the way in which a user picks up a smart device, using the gyroscope.


Our own daily routines could even be used as “passwords”, some researchers believe. Google’s “predictive” Google Now system already offers Android users reminders to go to work (by monitoring their movements by GPS), and to go home. Could such data be used as a “password”?


“Most people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the same route. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,” says Markus Jakobsson of the Palo Alto Research Centre.


Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.


Jakobsson claims that by combining techniques, it’s possible to lock out up to 95% of adversaries, even, “an informed stranger, who is aware of the existence of implicit authentication and tries to game it.”


The post Banking security – new apps ‘know’ your touch appeared first on We Live Security.







2014/08/15

Robin Williams last phone call? Sick Facebook video scam exploits celebrity suicide | foodonia

Be on your guard against yet another Facebook scam, this time exploiting the tragic death of comic actor Robin Williams.


The scam, which you may see shared by your Facebook friends oblivious to the fact that they are helping fraudsters earn money, claims to be a ghoulish video of Robin Williams making his last phone call before committing suicide earlier this week.


Of course, you might be fooled into believing it is genuine. After all, you have seen one of your Facebook friends share it on their wall.


But the truth is that they have been duped into sharing it by a simple social engineering trick, and you would be wise not to fall into the same trap.


The first thing you see is a post made by one of your Facebook friends:


Robin Williams Facebook scam



ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE



If you click on the link you are taken to a third-party website, which claims to have a phone video made by the award-winning comedian in the minutes before his death:


Robin Williams Facebook scam



EXCLUSIVE VIDEO: ROBIN WILLIAMS SAYS GOODBYE WITH HIS CELL PHONE BEFORE HANGING HIMSELF WITH A BELT AND CUTTING HIMSELF WITH A POCKET KNIFE. HE CAN STILL MAKE EVERYONE LAUGH WITH THIS VIDEO BUT IT WILL MAKE EVERYONE CRY A RIVER AT THE END.



You would have to be pretty ghoulish to proceed any further, but the truth is that the internet has deadened our sensitivities and made many of us all too willing to watch unpleasant things on our computer screens.


However, the truth is also that no such video is known to exist, and if you click to watch it you will be told that you have to share the link on your Facebook wall – encouraging your friends and family to go through the same process that you have – and ordered to complete an online survey before you may watch the footage.


Robin Williams Facebook scam


And that’s the point of the scam.


By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash.


Because every survey that is taken earns them some cents – and the more people they can drive towards the survey (even if they use the bait of a celebrity death video), the more money will end up in their pockets. In other cases, scammers have used such tricks to install malware or sign users up for expensive premium rate mobile phone services.


The scammers have no qualms about exploiting the death of a famous actor and comedian to earn their cash, and give no thought whatsoever to the distressed family he must have left behind.


Always be extremely wary about what links you click on on social networks, and never Share or Like something before you have seen it for yourself, and decided whether it warrants sharing with your online friends.


Because you might not just be putting yourself at risk, you could also be endangering your friends and family.


The post Robin Williams last phone call? Sick Facebook video scam exploits celebrity suicide appeared first on We Live Security.







Russian PM has his Twitter account hacked, announces “I resign” | foodonia

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.


The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.


The hackers tweeted out a resignation message from the Russian PM



I resign. I am ashamed for the actions of the government. I’m sorry



If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.


But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.


According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrested back by the PM’s office.


The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.


A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.


Shaltay Boltay's Twitter account


Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.


In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.


And there lies the problem.


Although Twitter has introduced extra levels of protection like two factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.


It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.


Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.


If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.


And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.


The post Russian PM has his Twitter account hacked, announces “I resign” appeared first on We Live Security.







2014/08/13

Wɑit! Stοp! Is that ℓιηκ what it claims to be? | foodonia

The human brain is a funny old thing, and remarkably smart.


But sometimes it’s too smart for its own good.


Take, for instance, the infamous “Face on Mars” photographed by the Viking 1 Orbiter in 1976, which led to rampant speculation and excitable headlines in the media that it must be evidence of intelligent extraterrestrial life.


Face on Mars


But was it really an ancient giant statue left by former inhabitants of the Red Planet?


Or was it, in reality, evidence that humans are hardwired to see human faces, based upon minimal data, and are prone to seeing faces – in clouds, on the moon, on the surface of Mars – where none really exists? Scientists call this psychological phenomenon pareidolia.


Observations by other spacecraft visiting the Cydonia region of Mars in the decades since have revealed that there is no giant face carved into the rock. Our eyes deceived us, and we saw what we wanted to see.


And, perhaps surprisingly, this is relevant to computer security.


Because, just as people can see a face where none is present – so people can be duped by fraudsters and online criminals into believing they are reading one thing when in fact they are not.


Take this URL for instance:



http://www.exɑmple.com



Nothing wrong with that, right?


Wrong.


You see, that’s not a link for example.com. It’s a URL for exɑmple.com.


Your mind read “a”, when it was actually an “ɑ”.


And when it comes to computers there is a world of difference between Unicode character U+0061 (an “a”) and U+0251 (“ɑ”, LATIN SMALL LETTER ALPHA). Note that both are Latin-script letters: this is not a case of mixing alphabets, just of two distinct characters that happen to look alike.


http://www.exɑmple.com and http://www.example.com are going to take you to entirely different places on the internet. And it could mean the difference between you visiting the right website, or visiting one created by cybercriminals to infect your computer with malware or phish your login credentials.


All this talk of extended character sets and the opportunities for abuse is relevant, because last week Google announced support for non-Latin characters in Gmail.


Fortunately, Google is aware that some scoundrels might take the development as an opportunity to make more effective spam campaigns.


As Google describes in a blog post, it’s trivial for internet attackers to exploit near-identical looking characters to dupe unsuspecting users into clicking on dangerous links:



Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims.* Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?



And it’s not just links, of course. I’ve lost count of the number of times that I’ve received emails mentioning vιαgяα. I instantly know that the bad guys are referring to the little blue pills that enhance bedroom performance, even though they didn’t spell it v.i.a.g.r.a.


Some attempts, naturally, are more sophisticated than others.


Spam enlargement


The truth is though that they don’t always have to fool you, the user.


The first task of any spam campaign is to fool the computer – most of them actually *want* to be human-readable, but they don’t want to be easily interpreted by the computer program that is filtering your inbox for spam.


As Google explains, its Gmail service will now be rejecting suspicious letter combinations that could have been deliberately used in spam and phishing attacks:



The Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.
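Two checks of the kind Google describes, as an added example (illustrative code written for this page, not Gmail’s filter). The first is the single-script rule at the heart of the Unicode “Highly Restrictive” profile, approximated here from character names rather than the real Script property table; the second compares a confusable “skeleton” of a hostname against a list of domains the user is expected to visit, using a small hand-picked subset of the UTS #39 confusables table. The hostnames are constructed samples. The exɑmple.com case from earlier in this post is worth watching: because ɑ is itself a Latin letter, the script rule alone passes it, and only the skeleton comparison catches it.

```python
"""Homograph checks for the look-alike domains discussed above.

Added example, not Google's or Gmail's code. Two checks a mail filter or
link scanner can apply: (1) the single-script rule that the UTS #39
"Highly Restrictive" profile is built around, approximated here from
unicodedata names rather than the real Script property table, and (2) a
confusable "skeleton" comparison against domains the user is expected to
visit, using a hand-picked subset of UTS #39 confusables.txt. Hostnames in
the demo are constructed samples.
"""
import unicodedata
import urllib.parse

# Script mixes that Highly Restrictive still permits (Latin with the CJK scripts).
ALLOWED_MIXES = [
    {"LATIN", "CJK", "HIRAGANA", "KATAKANA"},
    {"LATIN", "CJK", "BOPOMOFO"},
    {"LATIN", "CJK", "HANGUL"},
]

# Tiny subset of confusables.txt; the real table has thousands of entries.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (same script as 'a')
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
    "\u101d": "o",  # ဝ MYANMAR LETTER WA
    "\u0ae6": "o",  # ૦ GUJARATI DIGIT ZERO
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b9": "i",  # ι GREEK SMALL LETTER IOTA
    "\u03b7": "n",  # η GREEK SMALL LETTER ETA
    "\u03ba": "k",  # κ GREEK SMALL LETTER KAPPA
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
}


def script_of(ch):
    """Approximate script from the character name ('LATIN SMALL LETTER A' -> 'LATIN').
    ASCII digits and punctuation are treated as Common and ignored."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scripts(label):
    return {s for s in map(script_of, label) if s}


def mixed_script(label):
    """True when a label mixes scripts in a way Highly Restrictive rejects."""
    found = scripts(label)
    return len(found) > 1 and not any(found <= mix for mix in ALLOWED_MIXES)


def skeleton(text):
    """Fold case and compatibility forms (NFKC turns e.g. U+2113 into 'l'),
    then map known confusables to their ASCII look-alikes."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def homograph_of(hostname, trusted):
    """Return the trusted hostname this one imitates, or None if it is either
    genuinely one of them or does not resemble any."""
    host = hostname.casefold()
    for t in trusted:
        if host != t.casefold() and skeleton(host) == skeleton(t):
            return t
    return None


def check_link(url, trusted):
    """Summarise what a filter would want to know about the link's host."""
    host = urllib.parse.urlsplit(url).hostname or ""
    try:
        ascii_form = host.encode("idna").decode("ascii")  # what the resolver sees
    except UnicodeError:
        ascii_form = None
    return {
        "host": host,
        "ascii": ascii_form,
        "mixed_script": any(mixed_script(label) for label in host.split(".")),
        "imitates": homograph_of(host, trusted),
    }


if __name__ == "__main__":
    trusted = ["www.example.com", "mybank.example"]
    for url in ("http://www.ex\u0251mple.com/login", "http://sh\u101dppingsite.example", "https://www.example.com/"):
        print(check_link(url, trusted))
```

The two checks are complementary: the script rule needs no list of expected domains and is what a mail service can apply to everyone’s inbound mail, while the skeleton comparison only works against a list but catches the within-Latin cases (ɑ, ı) that the script rule is blind to. Neither is a substitute for looking at the punycode form the resolver actually receives, which is why `check_link` reports it.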



Iτ’s gяεατ το sεε Gοοgℓε τακε sτερs το βεττεя ρяοτεςτ τнειя gмαιℓ μsεяs. Iτ ωιℓℓ βε ιητεяεsτιηg το sεε нοω ωεℓℓ ιτ ωοяκs, αηδ ωнετнεя sραммεяs ωιℓℓ ƒιηδ ηεω мετнοδs το gετ τнειя мεssαgεs ιη ƒяοητ οƒ мιℓℓιοηs οƒ ελεβαℓℓs.


Lετs нορε τнατ οτнεя οηℓιηε sεяvιςεs ƒοℓℓοω Gοοgℓε’s εχαмρℓε, αηδ ςοηsιδεя ωнατ sτερs τнεy ςαη мακε το βοτн sμρροяτ α мοяε “gℓοβαℓ” ωεβ, αηδ ατ τнε sαмε τιмε ςμяταιℓ τнοsε ωнο τяy το αβμsε ιτ.


Feel free to leave a comment below. You get extra points (sorry, no prizes) if you manage to use some εχτεηδεδ ςнαяαςτεяs in your response that we have to decode.


The post Wɑit! Stοp! Is that ℓιηκ what it claims to be? appeared first on We Live Security.







2014/08/09

Internet of Things: Google’s Nest hacked into “full-fledged” spy gizmo | foodonia

Yet another “connected” device was outed as a potential spy this week – as researchers showed how Google’s Nest thermostat could be turned into a “fully-fledged spying device”.


Tom’s Hardware acknowledged that Nest, designed by Tony Fadell, a product expert known as “the father of the iPod”, is among the more secure connected devices – but said that physical access could turn it into a spying device which could tell attackers when you were home, and hand over the home Wi-Fi credentials.


The result: “A house fully controlled by the attackers.”


The researchers say that the measures put in place to prevent wireless attacks on the Internet of Things icon leave open a simpler, wired route: press the power button, then insert a USB flash drive. “However, the smartness of the thermostat also breeds security vulnerabilities, similar to all other smart consumer electronics.”


Internet of Things: Feel the heat


The hack is not the first against Google’s successful Internet of Things thermostat device – and like the earlier attack, it requires physical access to the Nest.


Yahoo News reports, though, that the scope of the attack is wide-ranging: “Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background. We have access to the device on the highest level, and we can send stuff that Nest sends to us as well.”


House fully controlled by attackers


Nest has previously been hacked, again using a USB device – allowing “total control” over the gadget. Any attacker would need physical access to the device, but once installed, the proof of concept code would allow an attacker to “make changes without ANY restrictions”, the researchers write.


ESET’s 2014 Mid-Year Threat Report is to discuss the increasing security concerns over internet-connected devices in a segment entitled, “The Internet of (Infected) Things”. The full talk is available to download via http://ift.tt/1lSnxKi.


The post Internet of Things: Google’s Nest hacked into “full-fledged” spy gizmo appeared first on We Live Security.







2014/08/08

The state of healthcare IT security: are Americans concerned enough? | foodonia

With the health records of most Americans now stored, in whole or in part, on computers, it seems timely to ask how people feel about that. Are they happy with this aspect of healthcare evolution? Are they concerned? Do they have reasons to be concerned? This article examines these questions and supplies some numbers that may provide answers.


Cause for concern: numbers


When you ask people how they feel about anything health-related you tend to get a wide range of responses and some of them are, understandably, personal and even emotional. So let’s start with some relatively clinical facts, like 24,800. That is the average number of Americans who, by my calculation, had their Protected Health Information (PHI) exposed, per day, in 2013.


I refer to this as my calculation because I derived it from a spreadsheet that I built out of the database that is published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the web page known in the healthcare IT world as “the wall of shame” (seriously, just Google: OCR wall of shame). The database contains all of the reports of PHI exposure required under the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA.


Every time I quote that figure of 24,800 records breached, per day, on average, I go check my formulas to make sure I have this number right, and I’m pretty sure I do, with a couple of caveats:



  • First, the official title of the page is Breaches Affecting 500 or More Individuals, and that describes the content of the database they publish, which covers 2009 through May of this year. In other words, that average of 24,800 for 2013 does not include breaches that year which affected fewer than 500 people, of which there were scores if not hundreds.



  • Second, my count is based on the year of the breach, or the final year in the case of a multi-year breach. Obviously, this could be different from the year in which the breach came to light. That’s one reason I am quoting 2013, because the numbers for 2014 are not going to be anything like “complete” until at least mid-2015.



  • For reference, my total count for 2013 is 9,054,35. The total for all reports, from late 2009 to the most recent posting I captured (Minneapolis VA Health Care System, 5/22/14) came to: 33,738,538. So far in 2014, the count is about 1.5 million, but sadly the year is yet young in terms of breaches coming to light.
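The arithmetic behind a per-day figure like that, with the two caveats above applied, as an added example (illustrative code written for this page, not the author’s spreadsheet). The rows are constructed and the column names are assumptions in the general shape of the OCR portal export; the real public export is keyed by submission date rather than by the period of the breach, so a real run would first have to derive each breach’s final year from the submission date and the narrative description.

```python
"""Per-day PHI exposure from a breach list, applying the two caveats above:
only incidents affecting 500 or more individuals are counted, and a
multi-year incident is attributed to the year in which it ended.

Added example, not the author's spreadsheet. Rows are constructed; the
column names are assumptions modelled loosely on the OCR portal export.
"""
import csv
import io
from collections import defaultdict
from datetime import date

SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Start,Breach End,Type of Breach
Example Clinic A,CA,1200,2013-03-01,2013-03-05,Theft
Example Hospital B,TX,400000,2012-11-20,2013-01-10,Hacking/IT Incident
Example Practice C,NY,800,2013-06-15,2013-06-15,Unauthorized Access/Disclosure
Example Lab D,FL,450,2013-09-01,2013-09-02,Loss
Example Plan E,OH,4000000,2013-12-30,2014-02-01,Hacking/IT Incident
"""

REPORTING_THRESHOLD = 500  # the public database only lists breaches of 500 or more


def load_breaches(text):
    """Parse the CSV export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "affected": int(r["Individuals Affected"]),
            "start": date.fromisoformat(r["Breach Start"]),
            "end": date.fromisoformat(r["Breach End"]),
        })
    return rows


def exposed_per_year(rows, threshold=REPORTING_THRESHOLD):
    """Individuals affected, summed by the year in which each breach ended."""
    totals = defaultdict(int)
    for r in rows:
        if r["affected"] < threshold:
            continue  # below the reporting line: not in the public list at all
        totals[r["end"].year] += r["affected"]  # multi-year breach -> its final year
    return dict(totals)


def days_in_year(year):
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def daily_average(rows, year):
    """Average number of individuals exposed per day in the given year."""
    return exposed_per_year(rows).get(year, 0) / days_in_year(year)


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    for year, total in sorted(exposed_per_year(breaches).items()):
        print(f"{year}: {total:,} individuals, {daily_average(breaches, year):,.0f} per day")
```

Note how much the attribution rule matters on this sample: the 4,000,000-record incident that began on 30 December 2013 lands entirely in 2014, and the 400,000-record one that began in November 2012 lands in 2013. Counting by start date, or by the date the breach was reported, gives a different per-day figure, which is the point of the second caveat above.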


To be clear, I am not equating breaches with harm, but harm definitely occurs in some cases (a good source for insight on this would be the Ponemon Institute Survey on Medical Identity Fraud which estimated the financial impact to consumers at $12 billion in 2013). Many of the millions of records that are exposed each year don’t end up in the hands of bad people, but we know for sure that some do, and nobody has a good handle on exactly how many. For a well-documented example of how criminals sell and exploit personal information stolen from medical companies, see Brian Krebs’ article on the doctors hit by tax fraud earlier this year.


I definitely think the current state of IT security in the healthcare world is cause for serious concern, although some would say medical data breach statistics pale in comparison to the number of premature deaths associated with preventable harm to patients (recently estimated at more than 400,000 per year). However, data breaches and medical errors are not unrelated, particularly when greater use of IT systems and digital devices is often put forward as a way to reduce preventable medical errors. That is not reassuring, given some of the attitudes toward information security that I have observed in different parts of the medical world.


Cause for Concern: Attitudes


The recent SANS Health Care Cyber Threat Report, sponsored by threat intelligence vendor Norse and reported in detail by Dan Munro on Forbes, contains not only troubling numbers about healthcare IT security, but also reminds us that medical devices, many of which are actually computers, are at risk. For example, I am writing this article at Black Hat, an annual security event in Las Vegas known for revealing new vulnerabilities in digital devices and systems. Yesterday I had a chance to talk to Jay Radcliffe, the man who opened a lot of eyes to the vulnerability of medical devices when he hacked his own insulin pump at Black Hat in 2011. So I asked Radcliffe, himself a Type 1 diabetic, if things had changed since then, “Not really,” said Radcliffe, who has tried to raise awareness of security issues among medical device makers, adding, “In fact, that’s the main reason I no longer use an insulin pump.” (You can read more about Radcliffe on the blog of Boston-based cybersecurity firm Rapid7 where his job title just happens to be the same as mine: Senior Security Researcher.)


Right before Black Hat, I was at an event called ChannelCon, put on by CompTIA, the computer trade industry association. ChannelCon is a great place to meet the people who actually sell and deliver IT products and services, from enterprises to small businesses. Those products and services include security, including firewalls, antivirus, encryption, authentication, backup and recovery and threat intelligence. I asked a number of IT integrators and managed service providers about selling security in the medical sector, specifically doctors’ offices. The answer I heard loudest and most often? “Doctors don’t care.” When I asked “But what about HIPAA?” the answer was: “They just don’t care.”


Obviously this is not true of all doctors, but I’ve now heard this refrain enough times to think there is a real problem here. After all, aren’t doctors required to protect electronic health records by professional ethics as well as law? Is there some sort of collective denial going on here? I think that question has probably come up at OCR, which continues to find that even large and well-funded hospital systems are not meeting HIPAA privacy and security requirements. And before anyone says these are too onerous or were imposed too quickly, consider this:



“We are looking at a federally-mandated standard for security practices within companies involved in healthcare or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the health care industry today. In other words, normal business costs, things you should be doing today…”



That is a direct quote from my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements, delivered in March of 2001. That’s right, more than 13 years ago. The point being, health information on computer systems should have been protected in 2001, before the rules and regulations were finalized, before the compliance deadlines, before the first fines were levied, before the multimillion dollar fines, of which we are likely to see more before the year is out.


Signs of Concern


With all these causes for concern, how concerned are Americans? Not to be glib, but the answer really depends on whom you ask. For example, earlier this year we asked 1,734 American adults if they were concerned about the security and privacy of their electronic patient health records and 40 percent said they were, while 43 percent said they were not. However, the other 17 percent said that, to their knowledge, their health records were not in electronic format. So if we take them out of the equation, the “concerned or not?” question breaks down as 48 percent yes, versus 50 percent no.


Within these numbers, there are some interesting demographic variations. For example, those aged 45-54 are more likely to be concerned than those aged 18-44. Concern was greater among those with a college education and among those with children in the household (54 percent vs. 46 percent). Concern was expressed more often among those at the upper and lower ends of the household income scale, with those in the $75K to $90K range concerned less often (45 percent).


I should point out that this survey population may not be entirely representative of the whole adult population. For a start, it is a subset of the 2,034 people to whom we put this question: “How familiar, if at all, are you with the recent NSA news about secret government surveillance of private citizens’ phone calls, emails, online activity, etc.?” The people we quizzed about medical records were “at least somewhat aware” of the Snowden/NSA revelations, about 85 percent of the original sample.


Just under half of American adults who are sufficiently in touch with news and technology to be aware of both the Snowden revelations and the fact that their health records are stored electronically are concerned about the privacy and security of those records. Shouldn’t we be seeing a greater level of concern than this? In my opinion, the answer is yes, but that alone is not likely to change many minds. What will change minds is something like a Snowden or a Target moment for electronic health records, a revelation or incident so far-reaching and egregious that just about everyone in the country sits up and takes notice. If that happens there will be headlines, accusations, letters to Congress, recriminations, investigations, jobs lost and eventually huge fines and damage awards.


It would be very sad to see something like that embroil the healthcare industry in America, in which so many people work so hard to improve the lives of others. But unless attitudes change and numbers improve, and unless our government decides to get serious about reducing cybercrime, the outlook is stormy at best.


Note that additional results from the survey referred to in this article, which was conducted by ESET in conjunction with Harris Interactive, were published here and additionally here.


The post The state of healthcare IT security: are Americans concerned enough? appeared first on We Live Security.
Brought by: http://foodonia.com

Common password mistakes we all make | foodonia

Passwords are critical to safeguarding our personal and financial information, but when using them so often it can be easy to make mistakes. Follow these five simple steps from We Live Security to keep your passwords safe.


The post Common password mistakes we all make appeared first on We Live Security.

2014/08/07

CyberVor hacking gang steals 1.2 billion usernames and passwords | foodonia

Somewhere in a small city in south central Russia, a group of men in their twenties have got away with what some are describing as one of the biggest cyber-heists in history.


The gang, which has been dubbed “CyberVor” (“vor” means “thief” in Russian) by security researchers, is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses.


And the data has been stolen from some 420,000 different websites.


That’s the astonishing claim being made this week by Milwaukee firm Hold Security, which has used the backdrop of the Black Hat and Def Con conferences taking place in Las Vegas this week to announce its discovery, with a little help from reporters at the New York Times.


And naturally the company isn’t being entirely altruistic with its announcement – it’s also using the opportunity to promote its penetration testing and identity monitoring services.


Frustratingly, Hold Security isn’t saying which sites have been hacked, nor has it given users any method to determine whether their account credentials might have been included in the haul. So quite how the average computer user is supposed to respond to an announcement with such a lack of actionable detail is anybody’s guess.


All the researchers have said is that the gang amassed its treasure trove by using botnets to identify websites with SQL injection vulnerabilities, and then scooping up their data.


It seems unlikely that all of the websites have been informed of the problem either, considering the number said to have suffered breaches. Hold Security’s founder Alex Holden told the New York Times that websites around the world have been affected, including ones in Russia where the hackers are said to hail from.



“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”



I have no doubt that the scale of the CyberVor hacking gang’s ill-gotten gains will make numerous headlines over the coming days, but what I would rather see is Hold Security share comprehensive details of what it has discovered with the public, and for clear advice to be shared with organisations and individuals on how to avoid becoming victims in future.


Website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities, as well as other commonly found flaws.
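As an added example (not code from the article or from Hold Security), here is the query-building pattern such a review looks for, beside its parameterized replacement. The table, rows and inputs are constructed for the demonstration; an in-memory SQLite database stands in for a site’s credential store.

```python
# Added example: the SQL injection pattern a code review should flag,
# next to the hardened form. Everything here is constructed sample data.
import sqlite3

# Constructed credential table, the kind the article says was scraped
# from vulnerable sites. Hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    ("alice@example.com", "<hash placeholder 1>"),
    ("bob@example.com", "<hash placeholder 2>"),
]


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The pattern to flag in review: user input is spliced into the SQL
    text, so quote characters in `email` change the query's structure."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """The hardened form: the driver binds `email` as a value, so whatever
    it contains is compared literally and cannot alter the query."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    benign = "alice@example.com"
    # Constructed input: a closing quote followed by an always-true clause.
    crafted = "' OR '1'='1"
    print(lookup_vulnerable(db, benign))      # ['alice@example.com']
    print(lookup_vulnerable(db, crafted))     # every row: WHERE was rewritten
    print(lookup_parameterized(db, crafted))  # []: treated as a literal address
```

The difference to look for in review is not the input validation but where the input ends up: in the SQL string itself, or in the bound parameter list.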


It’s also a shame that Hold Security didn’t work with a service like haveibeenpwned, created by researcher Troy Hunt, which helps users determine whether any of their accounts have been compromised. Mind you, the scale of the alleged find might have made that problematic.


For the average man and woman in the street, determining how best to protect the details they share with third-party websites is tricky.


Whenever you create accounts online you are putting trust in the hands of web developers that they are properly securing your information. The very best you can do is enable additional security measures (such as multi-factor authentication when made available), and ensure that you never reuse the same password nor choose a password that is easy to guess or crack.


Because one thing is clear: The Russian CyberVor gang may or may not be sitting on one of the largest cybercriminal hauls in history, but unless we all work harder to keep our private information safe and secure, this is not going to be the last time that you’re waking up to newspaper headlines of stolen passwords.


The post CyberVor hacking gang steals 1.2 billion usernames and passwords appeared first on We Live Security.

2014/08/05

Sharing documents… without sharing secrets | foodonia

Sharing documents through the web is essential in most occupations. When sharing sensitive information, though, it’s important you take the necessary precautions to keep you and your data safe. Here’s how to share documents without sharing secrets…


The post Sharing documents… without sharing secrets appeared first on We Live Security.

2014/08/02

Malware is called malicious for a reason: the risks of weaponizing code | foodonia

Should malicious code be used as a weapon of war? This is not a hypothetical musing but a question that has been under serious discussion in military and diplomatic quarters for some time. We already know from U.S. National Security Agency documents leaked by Edward Snowden that for several years now the NSA has been deploying Computer Network Attack “implants,” an agency pseudonym for Trojan code, i.e. malware.


I think it is common knowledge that some people in the armed forces of the United States would like to add malware to their armory, and I’m pretty sure this is true of a wide range of countries. The military appeal of malicious software, with its potential to infiltrate and disrupt digital systems with no obvious risk to your own troops, is perhaps understandable. However, if you ask the folks who spend every day defending against, and cleaning up after, real world malware attacks, you will hear a lot of reasons why military deployment of malicious code is a very risky proposition (a common expression used with respect to this phenomenon is “What could possibly go wrong?”).


Thankfully, there are folks in the military who ‘get’ that deploying malware is very risky. To assist them, and advance the conversation about malware in the context of cyber conflict, I worked with Andrew Lee, CEO of ESET North America, to produce a paper on this topic, titled: Malware is Called Malicious for a Reason: The Risks of Weaponizing Code (PDF).


The paper was recently published in the 6th International Conference on Cyber Conflict (CyCon) Proceedings, P. Brangetto, M. Maybaum, J. Stinissen (Eds.), IEEE, 2014. The full conference proceedings will soon be available online along with the proceedings from previous conferences (which make for great reading if this topic interests you).


Recently, I had the good fortune to present the paper in person at the annual CyCon conference in Estonia. The conference is organized by the NATO Cooperative Cyber Defence Center of Excellence or CCDCoE, which is located in Tallinn, the Estonian capital.


The CCDCoE is the entity responsible for the project that produced The Tallinn Manual on the International Law Applicable to Cyber Warfare (which can be read online here). A quick search for references to malware in that work will give you an idea of how seriously some people have been taking the issue of malicious code deployment in the context of cyber conflict, from a variety of perspectives, including legal, ethical, technical, strategic, economic, military and diplomatic.


The human networking that occurred at CyCon was an opportunity to validate my concerns about a “risk awareness shortfall” in some quarters when it comes to deploying malicious code for “righteous” ends. As we argue in the paper, such deployment carries great risk of unintended consequences, not to mention loss of control over the code. While cyber criminals do not feel restrained by such concerns, and appear undeterred by moral dilemmas like collateral damage and spreading code that can be used by unscrupulous persons for all manner of illegal purposes, we argue that legitimate entities considering the use of malware for “justifiable offense” or “active defense” must fully understand the issues around scope, targeting, control, blowback, and “arming the adversary”.


In our paper we researched existing open source literature and commentary on this topic to review the arguments for and against the use of “malicious” code for “righteous” purposes, introducing the term “righteous malware” for this phenomenon. In our research we were pleasantly surprised to find that the antivirus community’s longstanding objections to the notion of “a good virus,” which Vesselin Bontchev analyzed and published in his 1994 EICAR paper, Are ‘Good’ Computer Viruses Still a Bad Idea? (Proc. EICAR’94 Conf., pp. 25-47), were not only still valid, but in some instances quite prescient.


We hope that our paper will help to inform and advance debate about the use of malicious code in cyber conflicts. If you like, you can download a PDF of the slides I used when presenting the paper. The slides are also available on SlideShare. In addition, I highly recommend Andrew Lee’s 2012 Virus Bulletin paper: Cyberwar: Reality, or a Weapon of Mass Distraction?


BTW, if you are heading to Black Hat next week, you might want to catch Mikko Hypponen’s “Governments as Malware Authors: The Next Generation.” It’s in Mandalay Bay D at 14:15 on Wednesday, and in my diary.


(Big hat tip to all who provided input on this paper, including Lysa Myers, David Harley, Aryeh Goretsky, Cameron Camp, and Righard Zwienenberg).


The post Malware is called malicious for a reason: the risks of weaponizing code appeared first on We Live Security.

Business Continuity Management 101 | foodonia