Archive for the ‘Personal Identifiable Information (PII)’ Category

States becoming more aggressive in HIPAA enforcement

Monday, July 19th, 2010

Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees, and for failing to promptly notify consumers endangered by the security breach.

Blumenthal is also seeking a court order blocking Health Net from continued violations of HIPAA (Health Insurance Portability and Accountability Act) by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Obviously, the best policy is to ensure safeguards are in place to prevent these breaches from happening in the first place.

Administrative policy combined with technical controls and employee education is key to preventing these episodes from occurring. Breaches can affect an organization financially and can result in decreased productivity.

Is it possible to measure IT security success?

Friday, May 28th, 2010

It is a commonly held principle in many areas of business that if you can’t measure something “quantitatively”, it will be difficult to raise the quality objectively. The applicability of this statement to the world of IT security is clear. Without having some form of metrics in place, it is tough, if not impossible, to judge whether security is getting better over time. Indeed, it is probably fair to say that many organisations have only one way to assess security – namely, “did anything go wrong” – but this is hardly a metric for the forward-looking.

Meanwhile, of course, the drivers for proactively monitoring ‘security’ and the associated effectiveness of security solutions are becoming increasingly high-profile. Regulatory pressures on organisations to secure their operations are more explicit than in the past, while customers and shareholders are less prepared to tolerate IT security breaches. The continuing spread of legislation dictating that organisations actively notify affected parties when data is potentially lost or at risk is certain to add to the pressure to demonstrate that security measures are properly established.

This is exactly what RiskAnalytics Cyber Risk Tools does. It monitors and defends in real time, but it also offers a wealth of quantifiable information on exactly which way IT security is headed in an organization. Is it getting better or worse? More importantly from a productivity standpoint, the system will tell you which areas represent the largest risk to the organization, so IT can focus its efforts on cleaning up those issues first.

Many of our clients, when they started with us, would swear their network was clean. In reality, most were massively infected with malware, and employees often engage in electronic policy violations that can lead to information leakage.

CRT will alert in real time to the security and policy issues an organization faces. Over time, the combination of real-time alerting on events, shunning malware and addressing user policy issues will lead to a measurable reduction in security issues.

Researchers spy on BitTorrent users in real-time

Tuesday, May 25th, 2010

Researchers have devised a way to monitor BitTorrent users over long stretches of time, a feat that allows them to map the internet addresses of individuals and track the content they are sending and receiving.

In a paper presented earlier this week at the Usenix Workshop on Large-Scale Exploits and Emergent Threats (http://www.usenix.org/events/leet10/tech/), the researchers demonstrated how they used the technique to continuously spy on BitTorrent users for 103 days. They collected 148 million IP addresses and identified 2 billion copies of downloads, many of them copyrighted.

The researchers, from the French National Institute for Research in Computer Science and Control, also identified the IP addresses where much of the content originated. They discovered that the vast majority of the material on BitTorrent started with a relatively small number of individuals.

The real danger of these systems, copyright concerns aside, is the ease with which malware can be introduced into the content being distributed.

The researchers said the information leak is built into the very core of most BitTorrent systems, including those used by ThePirateBay and IsoHunt. They support commands such as “scrape-all” and “announce started/stopped,” which when used repeatedly can be used to identify the IP addresses where content originates or is being distributed once it has proliferated.

By collecting more than 1.4 million unique .torrent files, they were able to identify specific pieces of content being distributed by particular IP addresses. The results are about 70 percent accurate.

“At any moment in time for 103 days, we were spying on the distribution of between 500 and 750K contents,” they wrote. “In total, we collected 148M IP addresses distributing 1.2M contents, which represents 2 billion copies of content.”

The insecurities baked into BitTorrent allowed the researchers to discover IP addresses even when they were hidden behind the Tor (https://blog.torproject.org/) anonymity service. It should be pointed out that this isn’t the fault of Tor, which has long urged people to refrain from using BitTorrent over the virtual privacy tunnels. In light of the new research, project managers renewed that admonition (https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea) on Thursday.

P2P network clients can also be misconfigured by inexperienced users, allowing them to share the entire contents of their “C” drive, which may contain personally identifiable information.

Microsoft SharePoint bug exposes credentials, sensitive data

Friday, April 30th, 2010

A cross-site scripting vulnerability has been confirmed in SharePoint Server 2007 and is likely also present in earlier versions of the content management system software, a Microsoft advisory warned. It allows adversaries to inject malicious JavaScript into the application by appending commands to the address of the targeted system.

“The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0’ variable,” the advisory states. “Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.”

Microsoft was notified of the bug on April 12, but only made the report public on Thursday.

A Microsoft spokeswoman said Thursday that researchers are in the process of drafting a security advisory that includes mitigation and workaround details. With 17 days notice, it’s unclear why Redmond’s security team didn’t already have that information ready to go.

XSS bugs are by far the most common form of vulnerability plaguing the web. Web masters and software makers often downplay them as insignificant, because in their opinion the severity of many of them is minimal. What they tend not to understand is that a compromised site can be used to hand out malware to unsuspecting users and to mount redirector-type attacks.
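The reflected pattern the advisory describes (an unsanitized query parameter written back into the page), shown as an added example that is not Microsoft's code: a stand-in handler with the bug beside the encoded version. The handler, page layout and URLs are assumptions; only the script path and the parameter name `cid0` come from the advisory.

```python
# Added example, not Microsoft's code: a stand-in for a help page that reflects
# a query parameter into HTML. The handler, page layout and URLs are assumptions;
# only the script path and the parameter name "cid0" come from the advisory.
from html import escape
from urllib.parse import parse_qs, urlsplit

def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or "" if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def help_page_vulnerable(url: str) -> str:
    """The bug: the untrusted parameter is written into the page verbatim."""
    cid0 = query_param(url, "cid0")
    return f"<h1>Help topic: {cid0}</h1>"

def help_page_hardened(url: str) -> str:
    """The fix: HTML-encode the value at the point of output, so any markup
    in it is rendered as text rather than executed by the browser."""
    cid0 = query_param(url, "cid0")
    return f"<h1>Help topic: {escape(cid0, quote=True)}</h1>"

def looks_like_topic_id(value: str) -> bool:
    """Second layer (assumed format): topic ids are short alphanumeric tokens,
    so anything else can be rejected before it reaches the template."""
    return value.isalnum() and len(value) <= 32

def reflects_script(rendered: str) -> bool:
    """Detection check for a response: is an unencoded <script> tag present?"""
    return "<script" in rendered.lower()

# Constructed request: a script tag appended to the address, as the advisory
# describes, plus a benign request for comparison.
CRAFTED = "https://host.example/_layouts/help.aspx?cid0=<script>alert(1)</script>"
BENIGN = "https://host.example/_layouts/help.aspx?cid0=topic42"

if __name__ == "__main__":
    print("vulnerable:", help_page_vulnerable(CRAFTED))
    print("hardened:  ", help_page_hardened(CRAFTED))
```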

PC malware targeting iTunes, iPad users

Monday, April 26th, 2010

Here’s a cute trick. Some PC owners are getting emails alerting them to a new version of iTunes that has been updated “…for best iPad performance, newer features and security.”

The email provides a link, asking recipients to download a “new” version of iTunes. You see where this is going, of course. Those who follow through actually download a counterfeit version of iTunes which contains malicious code that opens up a backdoor allowing unauthorized access to a PC.

The code, called Backdoor.Bifrose.AADY, attempts to read the keys and serial numbers of the various software installed on the affected computer. It also logs the victim’s ICQ, Messenger and POP3 mail account password plus protected storage login.

Mac owners can rest easy: this malware only hits PCs.

Banner Ad Re-Direct Attacks

Wednesday, March 3rd, 2010

Independent security researchers have found that an ongoing botnet-driven ad-site redirect attack has taken a turn for the worse over the past two months.

This has been going on for at least two months. It’s only recently that the effectiveness has jumped because they’re getting the injected ads displayed on popular websites.

Here’s a quick rundown on how it works.

You visit msnbc or foxsports or mtv.net or yahoo email and an ad banner silently redirects your browser to a google.analytics.com.randomcharacters.info site. The google….info site attacks you with exploits for Windows, Java, Flash, PDFs, etc., etc. (basically the kitchen sink).

If you’re vulnerable, you succumb to the attack and get one or more of the following installed: Torpig, Tidserv, Gozi, FakeAV, Hiloti or Bredolab.

This really highlights the need to have some form of dynamic blacklisting of known hostile addresses. Malware Domains hosts Blackhole DNS, which is blacklisting by domain name. The other important points are to patch, and not to do business banking on a Windows machine: use a live Linux disk.
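The domain-name blacklisting just described, as an added example that is not the Blackhole DNS list or any RiskAnalytics code: a hostname policy check that blocks listed registrable domains and separately flags hostnames built the way the redirect host above is, with a trusted name as a leading prefix but a different registrable domain. The trusted hosts, blocklist entries and URLs are constructed.

```python
# Added example, not the Blackhole DNS list or any RiskAnalytics code: a
# hostname-policy check of the kind a dynamic blacklist applies at the DNS
# or proxy level. Trusted hosts, blocklist entries and URLs are constructed.
from urllib.parse import urlsplit

# Hosts users legitimately reach; "google.analytics.com" is spelled as in the
# post, the label pattern is what matters.
TRUSTED_HOSTS = {"google.analytics.com", "msnbc.com", "foxsports.com"}
# Blocklist entries are registrable domains; every subdomain is blocked too
BLOCKLIST = {"randomcharacters.info"}

def hostname_of(url: str) -> str:
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels. Enough for this illustration; production code should
    consult the Public Suffix List, where e.g. example.co.uk has three."""
    return ".".join(host.split(".")[-2:])

def is_blocked(host: str) -> bool:
    return registrable_domain(host) in BLOCKLIST

def is_brand_prefixed_lookalike(host: str) -> bool:
    """True when a trusted hostname is merely a leading prefix of the labels
    while the registrable domain belongs to someone else, the shape of
    google.analytics.com.<random>.info in the post."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        return False            # genuinely under a trusted domain
    return any(host.startswith(t + ".") for t in TRUSTED_HOSTS)

def classify(url: str) -> str:
    """block: on the blacklist; suspicious: lookalike not yet listed; allow."""
    host = hostname_of(url)
    if is_blocked(host):
        return "block"
    if is_brand_prefixed_lookalike(host):
        return "suspicious"
    return "allow"

if __name__ == "__main__":
    for u in ("https://www.msnbc.com/",
              "http://google.analytics.com.randomcharacters.info/ad.js",
              "http://google.analytics.com.not-listed-yet.example/ad.js"):
        print(classify(u), u)
```

The "suspicious" verdict is what catches a new throwaway domain before it reaches the blacklist, which is the gap a purely list-based blackhole leaves.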

Ongoing Botnet Penetration: 2500 companies and counting

Friday, February 19th, 2010

Large scale botnet penetrations continue to make the news. This really highlights the fact that what the mainstream security industry is offering is not working. Botnet infestations can easily be defeated by passive monitoring and a dynamic blacklist, components included in Cyber RiskTools.

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

Lincoln National Discloses Breach Of 1.2 Million Customers

Friday, January 15th, 2010

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.

The company disclosed the breach via letter and did not offer technical details.

“This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,” the letter says. “The sharing of usernames and passwords is not permitted under the LNC security policy.”

Such policy violations can be detected and reported with a robust monitoring/software solution.

The forensic team that investigated the breach found no evidence that the data had been used outside of the company, either by hackers or former employers, according to the letter. The portfolio management system consolidates data about customer accounts — and therefore contains a good deal of personal information — but it doesn’t allow the user to actually access those accounts, the letter says.

Lincoln says it has “discontinued” all shared usernames and passwords in its systems, and it is notifying customers, offering them identity theft services.
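The kind of monitoring check that surfaces a shared login like the one in the letter, as an added example that is not the product mentioned above: a username that authenticates successfully from several distinct client addresses inside a short window is flagged. The log format, account names, addresses and thresholds are constructed.

```python
# Added example, not the monitoring product referred to in the post: detect a
# shared account from login records. The log format, usernames, addresses and
# thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: date time EVENT user=<name> src=<addr> result=<ok|fail>
SAMPLE_LOG = """\
2010-01-08 09:01:12 LOGIN user=portfolio_ro src=10.1.4.17 result=ok
2010-01-08 09:02:45 LOGIN user=portfolio_ro src=10.1.9.201 result=ok
2010-01-08 09:03:03 LOGIN user=jdoe src=10.1.4.22 result=ok
2010-01-08 09:10:30 LOGIN user=portfolio_ro src=10.2.7.8 result=ok
2010-01-08 09:15:00 LOGIN user=portfolio_ro src=192.0.2.44 result=ok
2010-01-08 14:30:00 LOGIN user=jdoe src=10.1.4.22 result=ok
"""

def parse_line(line: str) -> dict:
    """Split one record into a dict with a datetime under "ts"."""
    date, clock, _event, *kv = line.split()
    rec = dict(field.split("=", 1) for field in kv)
    rec["ts"] = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return rec

def shared_accounts(log_text: str, window: timedelta = timedelta(hours=1),
                    max_sources: int = 2) -> dict:
    """Return {user: sorted source addresses} for every user whose successful
    logins came from more than max_sources distinct addresses within window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "ok":
            events[rec["user"]].append((rec["ts"], rec["src"]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _src) in enumerate(evs):      # slide the window forward
            srcs = {src for t, src in evs[i:] if t - t0 <= window}
            if len(srcs) > max_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged

if __name__ == "__main__":
    for user, srcs in shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} from {', '.join(srcs)}")
```

The threshold has to be tuned per account type: a service account legitimately used from several application servers needs its own allow-list, or it will be flagged every hour.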

Rogue phishing app smuggled onto Android Marketplace

Friday, January 15th, 2010

A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store. Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the VXer. The incident raises questions about whether a tighter vetting process is needed for the Android Marketplace.

The banking app posed as a real banking application, but also intercepted users’ credentials and forwarded them on for phishing purposes.

Apple has been the target of much criticism for being too heavy-handed in its application approval process. Past exploits against BlackBerry devices involved the rubber-stamping of applications that were designed to capture credentials and take over handsets.

Android fans who downloaded any of Droid09’s apps are advised to purge them from their phones before consulting their mobile phone firm for further advice.

The incident happened in December, but became public after news outlets picked up on First Tech Credit Union’s fraud alert on Monday.

Domain name extension opens fresh opportunities for cyber-crime

Friday, January 8th, 2010

The introduction of Internet addresses in non-Roman scripts could offer fresh opportunities to cyber-criminals, experts have warned.

The Internet Corporation for Assigned Names and Numbers (ICANN) will for the first time accept Internet domain names in non-Roman scripts.

The new internationalized domain names will open up the Internet as never before to users whose native language does not use the Roman alphabet. But Roman-reading users face a possible deluge of phishing and e-mail scams.

To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.

At present, most e-mail phishing does not use anything that resembles the real site name. We could see the level of sophistication in phishing attacks increase through the use of foreign scripts.
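The lookalike problem described above, as an added example that is not part of the original article: a check that flags a domain label mixing scripts (a Cyrillic letter dropped into an otherwise Latin “paypal”) and shows the punycode form a resolver actually sees. The sample hostnames are constructed and the script classifier is deliberately simple.

```python
# Added example, not from the original article: flag domain labels that mix
# scripts and show their punycode form. Sample hostnames are constructed.
import unicodedata

def script_of(ch: str) -> str:
    """Crude script classifier taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW"):
        if name.startswith(script):
            return script
    return "OTHER"            # CJK and anything else not listed above

def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one label (digits and hyphens ignored)."""
    return {script_of(c) for c in label if c.isalpha()}

def is_mixed_script(label: str) -> bool:
    return len(scripts_in_label(label)) > 1

def to_punycode(host: str) -> str:
    """What the resolver sees: each non-ASCII label becomes xn--..."""
    return host.encode("idna").decode("ascii")

def check_hostname(host: str) -> dict:
    labels = host.lower().split(".")
    mixed = [label for label in labels if is_mixed_script(label)]
    return {"punycode": to_punycode(host),
            "mixed_script_labels": mixed,
            "suspicious": bool(mixed)}

GENUINE = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"   # U+0430 CYRILLIC SMALL LETTER A replaces "a"

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(host, check_hostname(host))
```

A label written entirely in one confusable script is not caught by a mixed-script test; for that, a confusable-character table and a comparison against known brand names are needed in addition.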