North American Medical Records At Risk

While you are sitting patiently during your typical 5-6 hour emergency room visit, ever wonder just how safe your records are at the doctor’s office?  Are ya ready to puke?

91% of small healthcare practices (less than 250 employees) in North America say they have suffered a data breach in the past 12 months.

The Ponemon Institute recently conducted a survey, commissioned by MegaPath, asking more than 700 healthcare organizations’ IT and administrative staff about breaches.  Among the findings:

  • 70% say their organizations either don’t have or are unsure if they have, sufficient budget to meet governance, risk, and compliance requirements.
  • 55% of respondents had to notify patients of a data breach in the previous 12 months.
  • 52% of respondents rated their security technology plans as “ineffective”.
  • 43% of respondents had experienced medical identity theft in their organizations.
  • 31% say management considers data security and privacy a top priority.  (69% not so much?)
  • 29% say breaches have resulted in medical identity theft.
  • More than a third have not assigned responsibility for patient data protection to anyone in particular.
  • Approximately half say less than 10% of IT’s budget goes to data security tools.

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected.  Protecting patient data appears to remain a low priority for hospitals and doctors’ offices, and these organizations have little confidence in their ability to secure patient records.  They are putting individuals at increased risk for medical identity theft, financial theft, and exposure of private information.

Are ya feeling warm and fuzzy yet?  Read the whole report.

Advertisements

Canadian’s Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the rights and means to freely and on a hunch, spy on your internet usage.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers“.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediancy and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks! Continue reading

Foxconn Hacked

As if it wasn’t toxic enough out there, it looks like we have another group of hackers playing their little games on the Internet.  They claim that they are only in it for the thrill of destroying networks and impacting businesses.  Their claim to fame target?  Foxconn, the Asian firm that is under the microsocope after a NY Times article exposing dismal working conditions and recent deaths of employees.

The Swagg Security group has released information on both Foxconn and its clients, which include Microsoft and Apple, stolen during an attack on the company, through Pastebin and Pirate Bay posts.

“Now as a first impression Swagg Security would rather not deceive the public of our intentions.  Although we are considerably disappointed of the conditions of Foxconn, we are not hacking a corporation for such a reason and although we are slightly interested in the existence of an iPhone 5, we are not hacking for this reason.  We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure”.

The information released contains contact details of a number of Foxconn’s global sales managers, usernames, IP addresses, credentials, and a list of clients’ purchases.

2011 PCI Breach Research

There is a very good article regarding research into 2011 breach statistics by Trustwave over at InfoWorld Security Central.  A great source for much IT & Security information, by the way.  According to the article, hackers infiltrated 312 businesses making off with customer payment-card information.  Their primary access point was through 3rd-party vendor remote-access apps, or VPNs setup for remote systems maintenance.  Seventy six percent!  These external ingress paths introduced security deficiencies that were exploited by attackers.

The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help after one of the payment-card organizations traced stolen cards back to their businesses, demanding a forensics investigation within a matter of days.  Only 16% of the 312 companies detected the breach on their own!

The businesses hit claimed to be compliant with Payment Card Industry (PCI) security standards, when in reality there were gaps.  The remote-access provisions were poorly protected by simple, re-used, shared, and seldom changed passwords.

I will leave the most scary statistics, how long the attackers were able to maintain their ownership of the networks in these cases, for you to seek out yourself on the second page of the article.  It is not a happy number!

The lesson to take away from this article is, PCI compliance is the bare minimum that an organization should do, and DOES NOT equate to comprehensive security.  A PCI-DSS pass score does not ensure actual compliance either.  It is a good starting point to ensure that the bare minimum, common sense, security controls are implemented at a single point of time, but good security practices must spread out from the center.  If your security efforts don’t include other servers and the workstations that access them AND the Internet, you are not managing security, you are faking it for compliance sake.  Russian roullette with a fully loaded gun.

pcAnywhere Source Posted

According to the Register, hacktivists affiliated with Anonymous have uploaded what they claim is the source code of Symantec’s pcAnywhere software today, after negotiations broke down with a federal agent posing as a Symantec employee.  Symantec confirmed that it had turned the case over to the Feds as soon as the hackers made contact.

According to the article, the release of the 1.27GB file coincides with the breakdown of the “negotiations” – which the group has now published on Pastebin – that took place between “Symantec” and the spokesperson of hacker group Lords of Dharmaraja, an Indian hacking crew affiliated with Anonymous.

Catch the details in the original article.  Beware downloading anything purporting to be a source code cache.  These things are tracked by the vendor, law enforcement agencies, and others, and are most often laced with some type of malicious software.  Stories like this are news-worthy, generating a lot of interest, and anything that generates conversation and controversy is fair game for miscreants.  And what better way to get their hooks into your computer than to offer you something enticing, like a peak at some commercial source code?

How Was FBI Call Compromised?

I am pretty sure that everybody knows that the FBI and Scotland Yard were embarassed recently by the notorious hacking group, Anonymous, when they spilled the beans that they were now watching the watchers, listening in to a confidential phonecall taking place between investigators accross the pond.  If you haven’t heard it, find it here.  The New Statesman has an overheated article here that can provide additional details.

So how did this brazen and seemingly high tech hack take place?  A conference call was arranged two weeks earlier by FBI agent Timothy Lauster, who wanted to discuss on-going investigations into Anonymous and other hacktivist groups.  In an email to Scotland Yard’s e-crimes unit, the time, date and phone number to call were provided, along with the pass code for entry. Continue reading

Law Enforcement Sites Hacked

The “Anonymous” group of hackers have attacked the websites of several law enforcement agencies worldwide.  In Boston and Salt Lake City, police say personal information on confidential informants and citizen drug crime complaints, amongst other personal information was compromised.

The attacks come after Anonymous published a recorded phone call between the FBI and Scotland Yard early Wednesday, claiming to have had access to confidential information for months, and in Greece, the Justice Ministry took down its site Friday after a video by activists was displayed there for at least two hours.  In Boston, a message posted on the police website said, “Anonymous hacks Boston Police website in retaliation for police brutality at OWS,” referring to the Occupy Wall Street movement, and claimed that hundreds of passwords were released in retaliation for brutality against Occupy Boston participants.

Boston police acknowledged in October that websites used by members of the police department may have been compromised.  It had asked all department personnel to change their passwords on the police department’s network.

The Salt Lake City website remained down Friday as the investigation continues, and criminal charges are being considered.  Police blamed the attack on Anonymous’ opposition to an anti-graffiti paraphernalia bill that failed in the state Senate.  The bill would have made it illegal to possess any instrument, tool or device with the intent of vandalism.

The hacktivists say they attacked the website of a Virginia law firm which represented a US Marine convicted in a 2005 attack in Iraq that resulted in the deaths of 24 unarmed civilians.

Action really needs to be taken, these hooligans are being allowed to run amok around the Internet, interfering with all manner of systems, and potentially causign life threatening consequences.  Their lack of good judgement and disregard for who suffers as a result of their exploits makes these people a serious threat to businesses, innocent by-standers, and law enforcement officers alike.