Enabling Secure Business Operations

Hospitals shutdown computer systems due to Mytob worm

The Register has an article about three London hospitals shutting down their computer systems due to a worm. However, except for transportation, all functions of the hospital seem to be continuing despite the lack of computer systems.


I took away three things from this article: computer systems are not essential for health care, someone wasn’t patching or following security policies, and the worm provides a back door for attackers. The doctors and the hospital are still providing medical care to patients. The computer systems certainly help them do this job more efficiently, but they’re not required. I think this points out the importance of security vs convenience. The doctors just want to help their patients, and if they have to do that without computer systems, so be it. Most of the computerized equipment they really need should not be (and usually isn’t) connected to a network. If the computer systems become difficult to use because of security – the doctors will just not use them.


The second thing I noticed, which wasn’t mentioned directly in this story, was that the worm had to get on those systems in the first place. That was either over the network or brought in by a user. Either way, it tells me that patches weren’t applied and anti-virus on-access scanning was not running. Someone wasn’t following policy.


The final piece of information that was glossed over in the Register’s article is that the worm opens back doors on systems and contains spyware. Now, I’m sure the writers of the worm didn’t think that it would end up on a healthcare system, so they’re probably not looking for Personally Identifiable Information (PII), but that information is still there, and likely accessed by the users of those systems. If a keylogger was installed, all of that is now “public” to the botnet’s users. I think the hospitals will have a larger job of cleaning up after this and determining what the worm did with that information than they do now in getting the systems back up and running.


Recovering from an “attack” is not as simple as restoring last known good configurations. You have to duplicate the drives, re-install the systems, then restore data (and hope you have good recent backups). If you want any chance of prosecuting the individual(s) responsible, duplicating the drives for forensic analysis is one of the most important steps. And until that’s done, these hospitals will be without computer systems.

How To Set up a SOCKS Proxy Using Putty & SSH

If you ever find yourself in front of a public computer connected to the Internet and are concerned about the security of the path between you and a website you wish to visit, a SOCKS proxy can come in handy.

SOCKS proxies generally allow you to “bounce” a TCP connection off another server transparently—basically instructing another computer to make a connection on your behalf. When used in combination with Secure Shell (SSH), it can form an encrypted tunnel that insulates you from anyone attempting to grab traffic off the wire.

The following is a simple step-by-step tutorial about how to do this.

You will need:
- Putty SSH client: http://www.putty.org
- An account on an Internet-accessible server that accepts SSH connections and allows connection forwarding (enabled by default)
- A popular web browser or other software that supports SOCKS communications

Step 1:
Fire up Putty and navigate to the Session Category

Step 2:
Enter the hostname/IP address and port of the server on which you have an account.
(Note: The default SSH port is 22)

This tells Putty how to connect to the SSH server.

Step 3:
Under the SSH->Tunnels Category
Enter the following:
Source port: 8888 (or any port of your choosing. Just be sure to remember what it is)
Destination: hostname/IP address of the server on which you have an account

Also, select the “Dynamic” radio button.

This tells Putty that, upon a successful connection, a SOCKS tunnel should be opened from a port on the computer you are using to the SSH server.

Step 4:
Click “Add”
The forwarded port is now added to the connection settings.

Step 5:
Click “Open” to start the connection

Putty will ask for your login credentials. In most cases, this will be a username and password. (For extra security and bonus cool points, have your SSH server only accept certificates)

At this point, your Putty-enabled SOCKS proxy should be active. But how do we test it out? Keep reading…

Step 6:
Fire up your web browser and navigate to its proxy connection properties menu.

For Firefox 3, it is in Tools->Options->Advanced->Network(tab)->Connection, Settings

For IE6, it is Tools->Internet Options->Connections(tab)->LAN Settings(button)->Advanced(button)

Step 7:
Find the SOCKS settings text box and enter the following:
Proxy Address/Host: localhost OR 127.0.0.1
Port: 8888 (or whatever port you decided to use in Step 3)
Ensure SOCKS Version 4 is selected

Note: DO NOT enter any other proxy settings for other protocols (this includes the “use proxy server for all protocols” option. Don’t enable it. I’m serious. If you do, things might not work correctly.)

Step 8:
Click “OK” until you’re back to your browser.

Go to http://ipchicken.com and check your IP address. It should be different from the machine you’re on. In fact, it SHOULD be the IP address of the SSH server (or whatever machine is handling its connections).

Step 9:
Pat yourself on the back. Or have your buddies do it for you—they’ll no doubt be impressed by your newfound computer skills. Enjoy browsing the web using your own personal SSH proxy.

NOTE: Although this could be useful when using a public computer—it won’t protect you from local machine monitoring tools (keyloggers, screen captures, etc). Always exercise due diligence when using untrusted computers.
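To make the tutorial concrete, here is an added example (not from the original post) of the SOCKS4 exchange that happens on the loopback side of the tunnel: the bytes a SOCKS-aware browser sends to the local Putty listener (127.0.0.1:8888 above) when it wants a CONNECT, and the 8-byte reply the listener answers with. It assumes only a Python 3 interpreter; the reply bytes are constructed, and nothing touches the network. It also shows the one detail the step-by-step glosses over: with plain SOCKS Version 4 the browser resolves the hostname itself, so the DNS lookup leaves the public machine outside the tunnel, whereas the SOCKS4a form (IP field 0.0.0.x plus an appended hostname, which Putty also accepts) hands resolution to the SSH server.

```python
"""SOCKS4 / SOCKS4a CONNECT request encoding and reply parsing.

Added example, not code from the original post or from PuTTY. It talks to
no network: requests are built in memory and the "reply" is a constructed
byte string matching the SOCKS4 wire format.
"""
import ipaddress
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # request granted
REPLY_REJECTED = 0x5B  # request rejected or failed (0x5C/0x5D: identd failures)


def build_connect_request(host: str, port: int, user_id: str = "") -> bytes:
    """Encode a SOCKS4 CONNECT request for host:port.

    A dotted IPv4 host means the client already resolved the name locally
    (plain SOCKS4, the tutorial's "Version 4" setting): that DNS query was
    not tunnelled. A hostname uses the SOCKS4a form instead: the IP field is
    set to 0.0.0.x and the name is appended so the SSH server resolves it.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.IPv4Address(host)
        tail = b""
    except ipaddress.AddressValueError:
        ip = ipaddress.IPv4Address("0.0.0.1")  # SOCKS4a marker: 0.0.0.x, x != 0
        tail = host.encode("idna") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, port, ip.packed)
    return header + user_id.encode("ascii") + b"\x00" + tail


def parse_connect_request(data: bytes) -> dict:
    """Decode a request as the listener would see it (inverse of the builder)."""
    if len(data) < 9:
        raise ValueError("request too short")
    version, command, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if version != SOCKS4_VERSION or command != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    rest = data[8:]
    nul = rest.index(b"\x00")
    user_id = rest[:nul].decode("ascii")
    rest = rest[nul + 1:]
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        # SOCKS4a: a hostname follows; the proxy (SSH server) resolves it
        host = rest[:rest.index(b"\x00")].decode("idna")
        remote_resolve = True
    else:
        host = str(ipaddress.IPv4Address(raw_ip))
        remote_resolve = False
    return {"host": host, "port": port, "user_id": user_id,
            "remote_resolve": remote_resolve}


def parse_reply(data: bytes) -> bool:
    """Return True if the proxy granted the CONNECT, False if it refused.

    Reply layout: VN (always 0), CD (0x5A granted, 0x5B..0x5D failure), then a
    2-byte port and 4-byte IP that clients ignore for CONNECT.
    """
    if len(data) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    vn, cd = data[0], data[1]
    if vn != 0:
        raise ValueError("bad reply version byte")
    if cd == REPLY_GRANTED:
        return True
    if cd in (REPLY_REJECTED, 0x5C, 0x5D):
        return False
    raise ValueError(f"unknown reply code {cd:#x}")


# Constructed sample: what a dynamic-forward listener sends on success
# (VN=0, CD=0x5A, port and IP fields unused).
SAMPLE_GRANTED_REPLY = b"\x00\x5a\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    req = build_connect_request("example.com", 443)   # SOCKS4a: name resolved by the SSH server
    print(req.hex(), parse_connect_request(req))
    req = build_connect_request("192.0.2.10", 80)     # plain SOCKS4: name was resolved locally
    print(req.hex(), parse_connect_request(req))
    print("granted:", parse_reply(SAMPLE_GRANTED_REPLY))
```

Running it prints the two request encodings; the `remote_resolve` flag is the thing to watch. If a browser configured as in Step 7 sends the plain SOCKS4 form, its DNS traffic is visible on the public machine's network even though the TCP stream itself rides the SSH tunnel.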

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

Internet Code of Conduct

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to policies and regulations dealing with human rights. It was to be an unofficial, voluntary code of conduct initiative.

According to this letter (pdf) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect their users’ rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

Dangers of Single Sign On

I’ve always been a bit skeptical about single sign-on solutions, especially when they are the only thing standing between a would-be attacker and their goal. To me, the idea of a single sign-on solution linking a user to multiple subsystems represents a dangerous risk. A compromise at one point would propagate to other systems instantaneously. However, that doesn’t stop people from relying on them.

For example :

Winchester and Eastleigh Healthcare NHS Trust has deployed a single sign-on solution from Evidian to simplify access to key hospital applications, enabling 2,500 staff to better focus on the delivery of essential frontline healthcare services.
...
With 1,700 clinicians at the Trust requiring access to up to 14 different healthcare applications on a day-to-day basis to carry out key services, the Enterprise SSO solution from leader in identity and access management Evidian enables clinicians to use all web-based services with a single user log-in and password.

A single sign-on solution for a hospital or clinic may certainly make things easier for staff— potentially decreasing mistakes and allowing things to flow more smoothly. However, the idea that one person’s password holds so much power is disturbing. I think perhaps it may be best to find some way to compromise. The inherent risk of a single sign-on solution can’t necessarily be overcome— accounts are linked, so access to one means access to all. However, I do believe the risk can be reduced through other methods. A multi-factor authentication system could help harden a single sign-on system like this, especially when the private data of patients might be at stake.

Making things more convenient doesn’t always mean making them less secure.

How Effective is the Do Not Call List Anyway?

According to the Federal Trade Commission’s report (pdf), it gets the job done.

Of the 72% of Americans who had registered their telephone numbers for the “Do-Not-Call Registry,” 18% reported that they currently received no telemarketing calls, 59% reported that they still received some, but far fewer than before they signed onto the Registry, and 14% said they received some, but a little less than before they registered. In addition, when asked about renewing their registrations, 25% of registered consumers had already renewed and 71% were planning to renew.

I’ve never actually added my number to the registry because I didn’t feel a need to. I rarely get calls from solicitors and I tend to screen calls from unknown numbers anyway. But recently, I’ve been experiencing an increase in strange calls with unrecognized numbers. My typical reaction is to google the number or visit whocallsme.com — this usually tells me if it’s a telemarketer or not. But if this keeps up, I might consider adding my number to the list.

From a privacy standpoint, the existence of the list itself is important. Many people view unsolicited calls as an invasion of their privacy. The fact that so many people have placed their numbers on the registry indicates that people respond well to methods of privacy protection that are both easy to use and effective. If protecting your bank statement from dumpster divers, or protecting your phone from wiretaps was as simple as signing an opt-out list, perhaps there would be a decrease in cases of privacy violations and an increase in the number of citizens that feel secure.

Security and Human Behavior

Last week, the world’s top computer scientists gathered to discuss security and the weaknesses created by putting it in the hands of people. It was the first “Security and Human Behavior” conference, and many experts on human behavior were invited to help the attendees understand how criminals use social engineering to circumvent security technology.

Here are some interesting topics that came out of this conference:

A study soon to be published will reveal when we are more likely to surrender private information about ourselves. One conclusion was that we are more likely to answer private questions when we are not given any assurance of confidentiality because it makes us suddenly aware of our privacy.

Another set of research looks into the question of improving the fallback password system that many sites employ. Instead of asking questions that might even be difficult for the true user to answer, the proposed method has the user choose things that they like and dislike from a list.

Finally, this MSNBC posting reveals a new idea in security training that was presented at the conference. Instead of periodic reminders to be wary of phishing and e-mail attachments, companies may attempt to fool their own employees. Those who fail the tests would learn by shame or possibly by hearing about it in an employee review.

Lost Laptops at Airports

Dell recently sponsored a study on the number of laptops lost in airports. The findings are a little surprising— apparently, they estimate that over 12 thousand laptops are lost each week at airports across the United States.

The source study can be read here. (pdf)

Potentially more frightening is the fact that the majority of these laptops go unclaimed and are eventually “disposed of.” According to the study:

Only 33% of laptops lost and found in airports are reclaimed. The other 67% of subsequently found laptops remain in the airport until they are disposed of. As a result, there are potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.

This goes beyond the loss of physical data. Sure, the laptops cost money, and losing one will always carry at least the monetary cost of the hardware. But, the fact that these laptops can (and probably do) contain some sensitive information is certainly more worrisome. Either private data belonging to the owner, or private data belonging to the company the owner might work for may be at risk.

It seems perfectly possible for a shady individual to walk up to the “lost and found,” give a detailed description of a common laptop make and model, and walk away with a shiny new laptop that might contain information worth more than the device itself.

With the rapid explosion of the laptop / portable-computer industry, it becomes more and more important for users (and companies) to safeguard the information stored on them. For the average user with little technical knowledge, an often overlooked technique would be the simple act of labeling the laptop with their contact information. At least this would allow a good Samaritan or the airport staff to potentially return it to the rightful owner.

Nothing to hide?

This is probably off-topic for this blog. You’d probably expect this on Schneier’s blog instead.

If you have some time, go download and read this excellent paper: “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy written by Professor Daniel Solove of the George Washington University Law School.

[T]he problem with the nothing to hide argument is the underlying assumption that privacy is about hiding bad things. Agreeing with this assumption concedes far too much ground and leads to an unproductive discussion of information people would likely want or not want to hide. As Bruce Schneier aptly notes, the nothing to hide argument stems from a faulty “premise that privacy is about hiding a wrong.”


The deeper problem with the nothing to hide argument is that it myopically views privacy as a form of concealment or secrecy. But understanding privacy as a plurality of related problems demonstrates that concealment of bad things is just one among many problems caused by government programs such as the NSA surveillance and data mining.

Your government is working so hard to prevent terrorism that they are trampling your rights to privacy. I used to be in the ‘nothing to hide’ camp, but we are clearly slipping quickly down this slope into dangerous territory. Another quote from the paper:

The potential future uses of any piece of personal information are vast, and without limits or accountability on how that information is used, it is hard for people to assess the dangers of the data being in the government’s control.

Election day is coming, folks. Making changes in Washington is the only way to tell the government we are more afraid of losing our rights than we are of terrorism. Ben Franklin said “Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.”

Healthcare Privacy - You and the Web

My colleague pointed out an interesting article on CNN. It points out the fact that many health insurance providers are already making patients’ information available on-line. Many people likely don’t even know what sorts of information are already available about themselves.

It points out some of the advantages, like easy access while traveling, the ability to get second opinions more easily, and always having a readily available source for your health information. Some of the obvious disadvantages would be major privacy issues, which could include the sale of information or the disclosure of information that could potentially be used against you in future endeavors.

Amanda Angelotti, a spokeswoman for Google Health, sums up a great deal here.

“In some sense, no one can ever really know about the data they hand over, whether it’s financial data or medical data or anything else,” Angelotti says. “In some sense you can never be truly protected. But if we can’t protect people’s personal information, they wouldn’t trust us and use our products.”

The main issue here is the fact that most of this information is already readily available, even to people other than yourself.

All I needed to get them was a phone call to my insurance company and information other people might know, such as my Social Security number, date of birth and address.

It wouldn’t take much for anyone who actually knows you, or simply sifts through some garbage to come up with enough information to obtain your records.

This is one area where we in the US are falling behind the rest of the world in the privacy sector, mainly because of the privatized health care systems we have. In other countries where health care is run by the government, they have much stronger and stricter requirements in place for protecting your personal information.

So, as a precaution, if this is something you’re worried about, take the time to contact your insurance company and determine if your records are available, and what information is actually available. Then you yourself can make the decision as to what information you want out there.

Sadly this is one area where those without health insurance can feel a little better about their privacy, in the sense that at least their information isn’t already available.

Town Removed from Google Street View

The entire town of North Oaks, Minnesota was recently removed from Google’s Street View feature on the Google Maps website.

Minutes of the City Council’s Jan. 10 meeting indicate that Google sent a driver in a camera-equipped vehicle to record images of the city’s streets last summer, in violation of the city’s trespassing ordinance. Mayor Tom Watson then contacted Google representatives and asked that they remove Street View of North Oaks images from Google Maps.

The article goes on to talk about how users can request that images be removed and about others who have sought to have images removed.

I’m not sure what is upsetting about someone seeing your house from the street, but maybe this is a sign of something good. People are becoming more aware of what other people know about them. By raising their awareness of how they are and are not protected, the average person can begin the process of attaining their preferred level of privacy.