Wednesday, July 28th, 2010 1 Comment »
A colleague lent me his most recent copy of IEEE’s Computer magazine. Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read). Some possible benefits of their proposed approach were listed, including:
- Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
- Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
- Share similar and alternative protocols and their analyses across many medical facilities and individual providers…
Anyone want to guess what’s completely missing from their approach? You guessed it, any mention of security. The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal health information must be protected. Even without HIPAA, it would just make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health information.
The only mention of keeping information safe in the article is the fact that there is a division of data between the protocol, protocol modifications, and actual patient data – but it is very difficult to draw such bright, clear lines when it comes to medical records and information. How can you be sure the protocol modification a doctor submits won’t include information on the patient he tried it on? Without even mentioning or considering the need for the protection of privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice. Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase. As Kenneth van Wyk and Mark Graff put it in their book Secure Coding: Principles and Practices,
As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.
By developing an 8-page article published in a respected technical journal without any mention of the need for security controls in such a system, the authors of this article have once again helped me with my job security. It is still difficult for me to foresee the day when security and risk management training programs won’t be necessary and we won’t need an information security industry.
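To make the point about protocol modifications concrete, here is an added example (my own code, not from the IEEE article or its authors) of the kind of screening gate a system like theirs would need before a free-text protocol modification is shared across facilities. The identifier patterns are my own assumptions, loosely modelled on the HIPAA Safe Harbor categories, and the sample submission is constructed; a real de-identification pipeline would need far more than regular expressions, but the example shows where the control sits in the architecture.

```python
import re

# Assumed screening rules (mine, not the article's), loosely based on the
# HIPAA Safe Harbor identifier categories. Each label maps to a regex.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Constructed medical-record-number format for this example only.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}


def find_phi(text):
    """Return (label, matched_text) pairs for every suspected identifier."""
    hits = []
    for label, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((label, match.group(0)))
    return hits


def redact_phi(text):
    """Replace each suspected identifier with a bracketed label."""
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def screen_submission(text):
    """Gate a protocol modification before it leaves the submitting facility.

    Returns (allowed, redacted_text, hits). A submission with any hit is held
    for human review rather than published; the redacted copy is what a
    reviewer would see.
    """
    hits = find_phi(text)
    return (len(hits) == 0, redact_phi(text), hits)


# Constructed sample: a doctor's note that mixes protocol change with PHI.
SAMPLE = ("Increased dose to 20 mg after the patient (MRN 0048213, DOB "
          "03/14/1962) showed no response; call 555-123-4567 with questions.")

if __name__ == "__main__":
    allowed, redacted, hits = screen_submission(SAMPLE)
    print("allowed:", allowed)
    print("hits:", hits)
    print("redacted:", redacted)
```

The point of the gate is architectural: the check runs at the boundary between "protocol modification" and "patient data" that the article treats as self-evident, and anything it flags goes to a reviewer instead of straight into the shared analytics pool.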
Friday, June 11th, 2010 20 Comments »
If you haven’t already heard about LIGATT security, you need to. I won’t do them a favor of linking to them from this blog post, but I would like to provide some information about why I’m afraid of them. No, it’s not because they have the world’s #1 hacker.
There is a lot of terrific information about the company, its misdeeds and wrongdoings on attrition.org’s Charlatan page for Gregory Evans, the LIGATT founder and CEO. Convicted of wire fraud in the beginning of last decade, Mr. Evans made good upon his release from prison by… marketing a caller ID spoofing service starting two days after the US House of Representatives made caller ID spoofing illegal.
Another fantastic resource is the book review issued today by Ben Rothke on Gregory Evans’ book How To Become The Worlds No. 1 Hacker. In the review, Rothke explains:
In short, this is merely a work of cut and paste. In the parts of the book where the author attempts to write original text, it’s ripe with various errors. I could list many such errors, but why bother… But the real offense is the author’s blatant use of unattributed sources. I am not talking about a paragraph here or there, it is about wholesale plagiarism, often taking the form of an entire chapter.
So what scares me about them? No, it’s not that they have the “#1 hacker for hire”. I’m more scared of my own employees than this joker. It’s because they are a marketing machine that is escaping the ire of the media. In fact, they’re getting fluff pieces on Fox News and publicizing frightening commercials, taking out full page ads in hakin9 magazine, talking on radio stations, and issuing press releases and ALL CAPS tweets regularly. There’s even a movement to get LIGATT profiled on Oprah.
They proclaim on their front page “LIGATT Security is a leader in cyber security.” If anyone treats and respects this company as a “leader” it will put the community of hard working information security professionals many steps behind. Organizations like this give the whole security community a bad rap.
Wednesday, June 2nd, 2010 2 Comments »
For starters, let me just say that I personally have three Mac systems and three Windows systems I interact with on a regular basis. I’m writing this blog post from a Macbook Pro. However, there is a wide and growing misconception about the security of Mac systems vs. the security of Windows systems. I just came across the following post in PC Magazine’s Security Watch blog, and there is a lot of good information in there; specifically the following quote which I want to share:
In the abstract, Macs are every bit as vulnerable as Windows systems, perhaps more so. But in the real world Mac malware is so rare that it actually makes news. Hundreds of Windows trojans like OpinionSpy come out every day. Mac users are generally “irresponsible” about such things, but for now they can afford to be.
My neighbor mentioned the other day that she got a Mac and loved it because (a) it was easier to use, and (b) it was more secure. Point (a) can be argued both ways: some things are easier to do on Windows and some are easier on Mac… but point (b) is something that troubles me. The lack of publicized vulnerabilities and attacks does not mean more security. Joe User wasn’t concerned about the advanced persistent threat before Google released information about the Aurora attacks.
The bottom line I try to keep telling people: more vulnerabilities are found and exploited on Windows because that is where the market share is; the attackers are going after the largest market out there. As that market dries up they will focus their efforts on OS X, and when that happens, beware. Mac users, don’t be too comfortable. Get an anti-malware product. Turn on your firewall. Turn on FileVault. Disable automatic logon. Don’t make yourself the easy target when the bad guys turn their attention to Macs.
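As an added example (my own script, not from the post or from Apple), here is a small audit of three of the settings listed above: the application firewall, FileVault, and automatic login. It assumes the macOS commands socketfilterfw --getglobalstate, fdesetup status, and defaults read on com.apple.loginwindow, and the output strings it parses are what I expect those tools to print; the parsers are kept separate from the command execution so they can be exercised against captured output on any platform.

```python
import platform
import subprocess

# Assumed macOS commands for each setting (not from the post). The parsers
# below only rely on the output shapes noted in their comments.
CHECKS = {
    "firewall": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
    "filevault": ["fdesetup", "status"],
    "autologin": ["defaults", "read", "/Library/Preferences/com.apple.loginwindow",
                  "autoLoginUser"],
}


def firewall_enabled(output):
    # Expected: "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)"
    return "is enabled" in output.lower()


def filevault_on(output):
    # Expected: "FileVault is On." or "FileVault is Off."
    return output.strip().lower().startswith("filevault is on")


def autologin_disabled(output, returncode):
    # `defaults read` exits non-zero when the key is absent (auto login off);
    # when auto login is configured it prints the account name and exits 0.
    return returncode != 0 or not output.strip()


def evaluate(results):
    """results: {name: (combined_output, returncode)} -> {check: passed}."""
    return {
        "firewall": firewall_enabled(results["firewall"][0]),
        "filevault": filevault_on(results["filevault"][0]),
        "autologin_disabled": autologin_disabled(*results["autologin"]),
    }


def collect():
    """Run the checks on a Mac; return None elsewhere so nothing is faked."""
    if platform.system() != "Darwin":
        return None
    results = {}
    for name, cmd in CHECKS.items():
        proc = subprocess.run(cmd, capture_output=True, text=True)
        # stderr is included because `defaults read` reports a missing key there.
        results[name] = (proc.stdout + proc.stderr, proc.returncode)
    return results


if __name__ == "__main__":
    live = collect()
    if live is None:
        print("Not macOS; feed captured command output to evaluate() instead.")
    else:
        for check, passed in evaluate(live).items():
            print(f"{check:20s} {'OK' if passed else 'FIX'}")
```

The anti-malware item from the list is deliberately not checked here, since there is no single command that tells you whether a third-party product is installed and current.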
Tuesday, February 23rd, 2010 No Comments »
Today Slashdot ran a story about an Australian transportation plan that was broken early by a newspaper. The transport minister said accessing this information was akin to the newspaper trying to “pick the lock off a secure office and take highly confidential documents”. What was the brilliant security plan that was supposed to be protecting this information? The information was all stored at an unpublished URL with no security or authentication in place.
We in the security industry call this “security by obscurity”. And it is not security at all.
Friday, February 12th, 2010 3 Comments »
An uproar was recently started in reference to some privacy concerns about the new release from Google, Google Buzz. One of the first to sound the alarm was a blogger who was quite explicit about disliking some of its default options (and by explicit I mean “NSFW language” explicit, the post is here) which prompted some quick changes from Google. In order to start using Buzz, you have to create/modify your Google public profile which will appear next to all of your activity in the Buzz feed. By default, the public profile would display all those you follow. Chances are you’ve followed everyone in your contact list, so you just made your whole contact list public. Now in the new behavior:
A box titled “How do you want to appear to others” will now include a check-box that says “Show the list of people I’m following and the list of people following me on my public profile.” To hide your followers, click the box, or click the “View and edit the people you follow” to customize your account.
The interesting thing here to me is that Buzz is essentially a service like Facebook or Twitter, designed to let other folks know what you are up to. The fact that there is a privacy uproar around it is somewhat amusing, because it is designed to provide the opposite of privacy – to provide your followers information about what you are doing. If you don’t want to share this information, don’t use Google Buzz!
I’ll enlist a famous quote from Scott McNealy, then CEO of Sun Microsystems: “You have zero privacy anyway. Get over it.”
It is amusing to me what people – especially young people – are willing to post online. As a child, my parents once told me that once you say something you can’t take it back. In today’s Internet-connected age, this holds true and is even more significant: once you say something online, hundreds if not thousands of people will see it instantly, and potentially billions of people will be able to track it down in archives, Google searches, the wayback machine, or in countless other ways. Be careful what you share online. Be careful what you say. It might–probably will–come back to haunt you.
Wednesday, February 3rd, 2010 2 Comments »
We have recently taken a look at Internet Explorer 6 (IE6) to try and help convince a customer of ours to stop deploying it on workstations. IE6 still holds about 33% of the browser market share, but Microsoft stopped mainstream support for it in April of 2009. IE6 runs ActiveX controls at the same privilege as the browser, which is the same privilege as the user – typically administrator level. And according to Secunia there are 23 known unpatched vulnerabilities in IE6 – including one which has been around since 2003.
And in a timely post from Brian Krebs on his new site krebsonsecurity.com, there’s a very simple way to crash IE6.
If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero): ms-its:%F0:
So, what are we missing? Are there any other reasons I can throw at this customer to put IE6 out to pasture? Let me know in the comments.
Tuesday, January 26th, 2010 1 Comment »
According to a new article on TechTarget, a study by the Ponemon Institute has revealed the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at http://www.encryptionreports.com/ after giving away some personal details.
The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of the breach by establishing a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms and new investments made in technology and employee education.
In our down economy, it is interesting that the cost of data breaches has been rising for five years running. If I were cynical, I might suggest that one of the reasons for the constantly increasing costs in this study is the partnership with PGP, who sells products designed to protect you in the case of a lost laptop or storage device.
That said, I’m not even sure that those items above can accurately represent the cost of data breaches, especially in certain environments. The loss or damage of reputation caused by a data breach can be so devastating that the monetary cost can’t even be calculated. If you don’t know what I’m talking about, what is the first thing that comes to your mind when I mention Heartland Payment Systems, TJX, or the Department of Veterans Affairs? These organizations have suffered tremendously because of wide (and widely publicized) data breaches. Imagine the firestorm of criticism if some of the most trusted companies were to suffer data breaches along the lines of Heartland’s breach?
In addition to the loss of reputation, what are other costs of data breaches that the Ponemon study doesn’t reveal? Let us know in the comments.
Wednesday, January 20th, 2010 1 Comment »
ISACA has introduced a new certification for risk managers – CRISC. I’ve got their CISA certification, and I’m not sure that CRISC is useful (other than as a way to make them money).
First off, risk management is not specific to the IT field, and most risk managers are not working in IT but in project management. Second, there are very few risk management methodologies in use, or even studied, so what exactly does this certification teach/require? There are scant details on the web site on what the test will cover, but they claim that these professionals will help enterprises design risk management controls for IS. Risk isn’t only about controls – that’s auditing – making sure the processes you put in place are being followed!
Risk management isn’t only about determining and mitigating risk; it’s about asking what the risks are and what we are going to do about them. I’m not sure these skills are easily taught, except through case studies.
Any project manager is going to understand risks better than most IT people will (unless they’re also a PM). Go for the PMP cert rather than this one.
Thursday, January 14th, 2010 1 Comment »
Google has just announced that HTTPS access would be “on by default” starting immediately. This is in response to the recently publicized attacks against Google and Gmail which are causing Google to reconsider their approach to China.
While I’m happy that Google will now be encrypting Gmail-related communication by default, I’m a little surprised and disheartened that it took an attack to cause this to be implemented. Sure, https has been an option since July of 2008, but Google had previously warned of a security / usability tradeoff with turning it on:
Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.
Today’s computers are fast enough to handle https without concern, thank you very much. And I think they meant to say your encrypted email “can’t be cached by proxy servers” instead of “doesn’t travel across the internet as efficiently” – which is a good thing, right? The use of always-on-HTTPS is an infrastructure problem – establishing and maintaining all those different secure sessions with different keys certainly takes time and processing power. It is unfair to solve your infrastructure problem by suggesting that the user might not want comprehensive security.
Are you aware of any other services that allow the user to make a poor security decision in the (perhaps unjustified) name of speedier access? Let us know in the comments!
Friday, November 13th, 2009 1 Comment »
Another iPhone killer is here. DROID. Whether you’re a fan of either product, or you’re still thumbing away on your Blackberry or WinMo device, there’s one thing to be said. There are plenty of apps now. A couple years ago it was a pretty daunting task to get any sort of application on your device that wasn’t already on your carrier’s supported list. WinMo users have been the only real open crowd here as every version of Windows Mobile has supported most of the older apps since the Windows CE days. But with the rise of more and more applications comes the rise of the risks associated with these applications.