Articles from June 2010



HIPAA encryption: meeting today’s regulations

Sang Lee, senior security analyst, AlertBoot, June 30, 2010

If you work with an organization that must adhere to the Health Insurance Portability and Accountability Act (HIPAA), you know by now that, since the passing of the HITECH Act, encryption has become a de facto primary aspect of HIPAA compliance.

There are a couple of reasons for this increased focus on encryption.


First, the U.S. Department of Health and Human Services (HHS) issued guidance in which “unsecured protected health information (PHI)” is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn’t matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service: as long as PHI is not encrypted, it is considered unsecured.

A second and more compelling reason why encryption is now a requirement is the introduction of HITECH’s breach notification initiative, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI. However, as HHS pointed out, the use of encryption grants safe harbor in the event of a breach, because encrypted PHI is not unsecured PHI.

Oddly enough, in the same breath, HHS also notes that “covered entities and business associates are not required to follow the guidance.” However, cleaning up the mess behind a breach notification can cost millions of dollars, so one would have to be supremely confident — or reckless — not to take advantage of the encryption safe harbor. With such mixed signals, though, it is not hard to see why encryption is called a de facto requirement.

For more information, read Sang Lee’s full post at SC Magazine


AppRiver Threat Landscape: Quarter 1 and 2, 2010

By N. DePofi, June 29th, 2010

AppRiver, the Gulf Breeze, Florida-based web security and email company, has issued a new report titled “AppRiver notes: Threat & Spamscape report Special 6-Month Edition: June 2010,” briefly covering the online threats the company has monitored over the last six months.

Highlights of the report include the one-year anniversary of the Conficker worm, and phishing and spear-phishing attacks themed around natural disasters, carbon credits, lawsuits, the IRS and the FIFA World Cup. The report includes a breakdown of the origin of the 26 billion spam emails blocked by AppRiver in the first half of 2010, and the source region of both spam and malicious email messages, with the United States topping the spam chart at 2.5 billion spam emails and Europe topping the malware chart with 44.7%.

Virus activity has also been heavy for the six months reported, with AppRiver noting that more than 45 million virus messages had been blocked in the thirty days prior to the report’s publication, or more than one out of every ten emails scanned.

In March, AppRiver blocked over five thousand emails purporting to contain information regarding a lawsuit. Each carried a link to a file named complaint.rtf; the link actually led to another file, complaint_docs.pdf, which contained a Trojan.Dropper.

Scams masquerading as IRS messages used tokens to customize each email for its recipient, and contained a link to a page with a download link to an .exe file. The file actually installed ZeuS, a phish-kit used to steal banking information.

“The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the ‘Rock Phish’ group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.” (Peter Coogan, “Zeus, King of the Underground Crimeware Toolkits,” August 25th, 2009)

Other attacks that used ZeuS in the first half of 2010 included Facebook, MySpace, UPS, DHL, the Royal Mail in the UK, and Canada Post. ZeuS was prolific enough that US-CERT released a bulletin on March 17th, 2010.

One variation of an older attack style, named the ‘419 scam’ after Article 419 of the Nigerian Criminal Code (Advance Fee Fraud) and also known as the Nigerian Prince scam, started in January 2010 and targeted FIFA World Cup fans. These attacks claim that the recipient has won the Online Web Lottery held in South Africa in support of the World Cup, with a prize of one million dollars. The email contained a link to what looked to be an online gaming site; most of the links on it were merely images, but the ‘live help’ link led to a form asking for personal details. These details could be used to aid criminals in stealing the user’s identity.

U.S. Spends $8.8 Billion to Secure Classified Data

More Than Half Goes Toward Safeguarding IT Systems

June 28, 2010

More than half the money the government earmarked to safeguard state secrets last year went to information security, and nearly 90 percent of that was spent protecting IT systems against unauthorized access to or modification of information and against denial of service to authorized users, according to a report issued Friday by the Information Security Oversight Office.

Part of the National Archives and Records Administration, the Information Security Oversight Office receives policy and program guidance from the National Security Council and is responsible to the president for policy and oversight of the governmentwide security classification system.

“A responsible and efficient security classification program requires commitment, diligence and integrity,” Information Security Oversight Office Director William Bosanko wrote in a letter accompanying the report. “It is of particular importance that the classification system be implemented in a manner that makes for the most efficient and effective use of the finite resources available to departments and agencies.”

New spending on personnel, security management and classification management nudged expenditures upward for the classified information system by 1.3 percent. In its report, the office said that the government spent more than $8.8 billion on security classification and declassification costs in fiscal 2009, including nearly $4.8 billion on information security.

Visit Govinfosecurity.com for more information.

Today in Security #20 Niko DePofi – Chris Pope

The data you don’t even know you have

Senate Working To Consolidate Cybersecurity Bills

Phishers Celebrate Special Occasions

White House seeks comment on trusted ID plan

Google Releases Chrome 5.0.375.86

#023–Apptastic iGame Review – 6/26/10 www.ApptasticReviewers.com with TechJives.net, Produced by: Chris Pope

6/26/10 Reviews: iOS4 and iPhone4!!

018-WinFITTS.com 06-26-10 Windows Fast IT Tips with Chris Pope / TechJives.net

6-26-10 “Topic: Learn by doing! Without spending money” This podcast is provided by TechJives.net and produced by Chris Pope

#016–Learn to speak IT – 6/26/10 – By Chris Pope, See L2SpeakIT.com

6/26/10 – “EFS- Overview of Encrypting File System in Windows” Learn to speak IT is produced by the Tech Jives Network and hosted by Chris Pope L2SpeakIT.com

100 BEST PLACES TO WORK IN IT 2010

Find the top employer that best suits your needs. Sort the Best Places to Work by key criteria, such as training days, and add filters by region and/or organization size. Note that the more filters you add, the fewer organizations will be listed.

Overall rank   Best place to work
1              USAA
2              Booz Allen Hamilton Inc.
3              JM Family Enterprises Inc.
4              General Mills Inc.
5              University of Pennsylvania
6              SAS Institute Inc.
7              Quicken Loans Inc.
8              Verizon Wireless
9              Securian Financial Group Inc.
10             Salesforce.com Inc.

For the rest of the list, and search options, visit Computerworld.com

#014 Certification Weekly 6-24-10 by CED Solutions produced by Chris Pope from The Tech Jives Network

6/24/10 “Exam taking tips by Chris Pope” Certification Weekly is a weekly podcast that includes valuable information about all of the latest and greatest Certifications that are available in the Technology field! By CED Solutions / TechJives.net

Microsoft shoots for the stars with Bing update

by Ina Fried – June 22, 2010 6:37 PM PDT

The event, hosted at Soho House on Sunset Boulevard, got off to a late start thanks to LA traffic.

WEST HOLLYWOOD, Calif.–Microsoft is hosting a celebrity-laden event here on Tuesday, announcing a variety of new entertainment features it hopes will give Bing a little more star power.

In truly LA fashion, the event started late as reporters battled the Southland traffic to get to the Soho House on Sunset Boulevard. However, Microsoft’s blog post announcing the news went up promptly at the 6 p.m. start time.

According to that post, Microsoft is adding casual games, more TV content, and Zune music and lyrics to the service. Each of several million songs can now be played once for free, with 30-second samples available thereafter. Songs can also be purchased from Amazon, iTunes or Zune.

The event, meanwhile, just kicked off at 6:30 p.m. PT, with Senior Vice President Yusuf Mehdi talking about Bing’s history and showing a clip from the promotion Bing recently did with Stephen Colbert.

In the clip, Colbert notes that Bing is for real, adding that he knows that because he “Googled it.” Mehdi said that despite a 47 percent gain in market share, Microsoft knows it still faces an uphill challenge.

“It isn’t like people wake up and say dang, if only I had another search engine,” he said. “We’re definitely humbled about a lot of work we have to do.”

Turning to entertainment, Mehdi said that there is a huge opportunity around entertainment and search, noting that there are some 1.5 billion entertainment-related queries per month.

For more, follow this link to Cnet.com