Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards. As a result, it may surprise you to know your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals. How Bad Is It? A recent study by the Ponemon institute revealed that 94% of medical institutions have[…]

Recently, an article came to my attention about social networks being gamed in order to hurt the reputations of competitors and enemies. With all the talk these days of search engine optimization, social media experts, and the “internet of things” we are looking to connect our information to as many people, and in as many ways, as possible. Have you considered the ways this might hurt you instead? We are beginning to get a handle, as a society, on the minimum viable security that every organization needs in order to stay in business and not be destroyed by the constant noise of attacks facing us on the Internet. But what happens when instead of facing a distributed denial of service[…]

I’ve had some interesting experiences with two companies recently that I’d like to share. We all do business with companies online: we buy from them, we schedule appointments, we put in support requests, and so on. Today, I very seldom use the mail, and don’t shop in person very often. How these businesses treat customer security is interesting. Some places are very technically savvy and have robust, secure online transactions. Being realistic, though, I know that my dentist’s office does not employ a full-time sysadmin. They buy an off-the-shelf customer care solution and hire someone to install it on their website. Sometimes that’s good, sometimes that’s bad… First was with my mechanic. I like my mechanic – they’ve saved me[…]

Suppose you want to send a letter to your brother. And let’s suppose it’s got some, oh, maybe potentially embarrassing financial information – he owes you some money and you’re having trouble paying the bills. Obviously, that’s not the sort of thing you want to put on a postcard; you’d put that in an envelope. (Your brother is notorious about checking his email). You want him to know that the letter is actually from you, so you sign it – you have a distinct signature that is very hard to forge. And, on top of that, you want him to know that nobody else read the letter, so you also sign across the fold of the envelope, so it can’t[…]

The following events are based on actual facts and actual events. Names have been changed to protect the oblivious. I would like to start off by stating that I take no pity on the individual this story is about. I refer to them as oblivious because to do what they did simply can’t be categorized in any other way. Let’s back up a week. I’ve been in need of another Android device to do some tinkering with, have a backup for my daily driver, and to have something that my son can play with and not fear total destruction (again of the daily driver). After checking with friends and co-workers if they had any spares – they didn’t – I[…]

As some of our readers are well aware, last year many leading browsers finally closed a major privacy hole involving browser history that has been around for more than ten years.  Essentially, would-be trackers used JavaScripts to scan links with functions like getComputedStyle() to determine whether each hyperlink was styled as a visited site or unvisited (e.g. visited links are often purple and unvisited are blue).  This practice represents a serious threat, since not only can stints of browsing history be logged, but individual users can be tracked and identified with ease (this is one of several ways you can be tracked without cookies).  Since this practice of changing styles for visited links has been around since the early days of[…]