Wednesday, January 31

Hospitals as Popular ID Theft Target

Hospitals Becoming Popular ID Theft Target:


News of the theft of a computer containing the personal data of 38,000 cancer patients across five states highlights the evolution of identity theft. Medical data is now more prized than Social Security numbers, privacy advocates tell internetnews.com.

While Social Security numbers are increasingly common, a medical record of cancer or AIDS patients is worth its weight in gold, Pam Dixon, executive director of the World Privacy Organization, told internetnews.com. "Cancer patients are big money." The reason: fraudulent medical charges can easily hide among the many legitimate costs.

The stolen computer belonged to Cincinnati-based Electronic Registry Systems (ERS), a private company that maintains federally mandated cancer patient records. The computer contained the records from five hospitals, three of which are in Georgia, Tennessee and Pennsylvania. ERS refused to identify the other two.

Emory University-owned Emory Healthcare, which contracted with ERS, advised cancer patients to place a fraud watch on their credit records. Emory Hospital, Emory Crawford Long Hospital and Grady Memorial Hospital are part of the health care group.

However, checking credit records won't alert patients to fraudulent medical charges. Affected patients need to check their medical files, Dixon said.

Despite assurances that the computer had two passwords and the data was encrypted and usable only with proprietary ERS software, Dixon said gaining access was a simple matter.

"We're beyond that level of innocence," she said, adding that files could be read and copied and leave no fingerprints.

ERS said the patient data was stored on the computer unencrypted to convert the information to its proprietary format. As a result of the theft, the company said it has made changes to improve security.

In May, a Veteran's Administration laptop containing the personal data of 29 million veterans was stolen. But the largest medical data breach happened in 2005 when a laptop holding the personal information of 365,000 patients was stolen from an employee of Oregon's Providence Health System. The data was unencrypted.

Last year, Providence settled with Oregon's Attorney General, agreeing to spend millions to correct the blunder.

By Ed Sutherland Internetnews.com

Cisco Adds E-mail Security For $830M

Leave it to one of the most acquisitive IT companies to start 2007 off with a bang.

Cisco Systems agreed to purchase IronPort Systems, which makes appliances to quash spam and spyware, in an $830 million cash and stock deal.

The IronPort appliances and associated security software will join Cisco's threat mitigation, policy control, and management solutions, further fleshing out the company's "self-defending network."

"We feel there is enormous potential for enhanced e-mail and message protection solutions to be integrated into the existing Cisco Self-Defending Network framework," said Richard Palmer, senior vice president of Cisco's Security Technology Group.

Securing e-mail is a top priority for businesses these days, particularly with the proliferation of e-mail-based scams and viruses.

Corporations are especially responsible for protecting e-mail in the wake of new record retention regulations. Rules such as Sarbanes-Oxley, HIPAA and Basel II require companies to preserve the integrity of records.

Should the deal close in the third quarter 2007 as expected, Cisco will retain most of IronPort's 408 employees.

The IronPort team and product portfolio will operate as a business unit in Cisco's Security Technology Group, run by Palmer.

Cisco will enter a new realm of competition with IronPort; SonicWall, Secure Computing (which leapt into the fray last year by buying CipherTrust), Sophos, Seagate, MiraPoint, SurfControl and Tumbleweed all make appliances that combat spam and viruses, spyware, Trojans and worms.

Cisco will also compete with IT security powerhouse Symantec, which launched its line of e-mail security appliances two years ago this month.

The market can bear a lot of competition for the time being. IDC expects the market for messaging security gateway appliances to top $1.7 billion in 2009.

Cisco, an aggressive acquirer that has set its sights on IT markets in an attempt to broaden its portfolio, has been casually bulking up its security portfolio for years, particularly on the software side.

Four years ago this month, the networking giant agreed to acquire network security software maker Okena for $154 million in stock. In 2004, Cisco purchased Perfigo for $74 million in cash, adding network admission control products.

Just last year, Cisco bought Meetinghouse Data Communications, a maker of wireless security software, for $43.7 million in cash and stock.

Those purchases, along with a successful IronPort bid, significantly bulk up Cisco's security war chest.

By Clint Boulton Internetnews.com

Google on Security Alert

Though the New Year's holiday was a long vacation for many, it was a long work weekend for those in Google's security operations.

A flaw was reported and fixed over the weekend, and there are allegations in the wild that a new crop of security issues may still exist.

Heather Adkins, information security manager at Google, said in a statement e-mailed to internetnews.com that over the holiday weekend Google was notified of a vulnerability that spanned multiple Google products.

"We were first notified that this issue affected Google Video and fixed it within a few hours of receiving the report," Adkins stated. "We were then notified that the same issue affected other Google products. The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability and no users were impacted."

The vulnerability, if exploited, could have allowed Google users' Gmail contact lists and other information to be exposed to malicious attackers. Adkins noted that the vulnerability related to how Google uses certain JSON (JavaScript Object Notation) objects within some of its product code.

"The fix we employed made sure the objects could not be abused," Adkins said. Google engineer Matt Cutts wrote in a blog that Google fixed the JSON vulnerabilities with a number of different approaches.

"On some of them, we immediately fixed the code to properly stop JavaScript," Cutts wrote. "On others, the urls were blocked until the next push of that service will happen."

Cutts noted that since the issues were server side, as Google's applications are Web-based, the fixes were deployed much faster than they would have been had the vulnerabilities appeared client-side.

"Even this situation (where several Google properties needed to be changed) yielded a much faster fix than patching so many client-side applications, and much of this was happening on New Year's Eve and New Year's Day when most normal people are sleeping off the night before," Cutts wrote.

Google has a solid track record of fixing vulnerabilities rapidly, especially of late. In mid-December Google moved quickly ahead of a weekend to fix an alleged flaw in its money-making AdWords solution.

In that case the security researcher alerted Google before the vulnerability was publicly disclosed, a move that Google applauded.

Responsible disclosure is something that Google's Adkins is certainly very keen on. "We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices, including giving vendors ample time to respond to reports," Adkins commented.

"Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys."

There are currently perhaps two other issues lurking in the security shadows for Google. In one particularly active thread in a Google Groups discussion list, posters have alleged that their Gmail e-mails have gone missing or have been deleted. Google apologized in the thread for any inconvenience the issue may be causing.

"Regretfully, a small number of our users -- about 60 -- lost some or all of their email received prior to December 18th," Google spokesperson Courtney Hohne told internetnews.com. "Once we found out about this issue, we worked day and night to confirm that only a few accounts were affected and to do whatever we could to restore as much of the users' accounts as we could."

"We also reached out to the people who were affected to apologize and to work with them to restore the email from any personal backup they might have," Hohne added. "We know how important Gmail is to our users - we use it ourselves for our corporate email. We have extensive safeguards in place to protect email stored with Gmail and we are confident that this is a small and isolated incident."

Security researcher Rajesh Sethumadhavan posted on another security mailing list that Google's "blacklist" of phishing URLs was now publicly accessible.

Google's Safe Browsing extension is built into the Google Toolbar and integrated into Mozilla Firefox 2.0. Safe Browsing validates URLs against a constantly updated list of known phishing URLs. The problem apparently is that Google may also be catching a bit too much information.

"I just played around a bit with those lists and as it seems, Google did a splendid job, even capturing some people's login data," a poster noted in response to Sethumadhavan.

By Sean Michael Kerner Internetnews.com

Money For Vista, IE Bugs

The race to pick holes in Microsoft's newest operating system and browser is on.

VeriSign's iDefense Labs has kicked off its Vulnerability Contributor Program (VCP), a challenge to find remote arbitrary code execution vulnerabilities in Vista and Internet Explorer 7.0. VCP will pay $8,000 for the first six confirmed vulnerabilities.

It will pay an additional $2,000 to $4,000 for those who also provide working exploit code for the submitted vulnerability, bringing the total potential bounty to $12,000.

IDefense is looking for vulnerabilities that are remotely exploitable and allow arbitrary code execution without additional user interaction (like clicking an e-mail attachment for example). Social engineering and other attacks that require the user to do something other than actually just browsing a site are not valid for this contest.

IDefense expects to receive well more than six reports of vulnerabilities, but iDefense spokesman Jason Greenwood said the VCP stops at six because of budget constraints.

"We receive hundreds of vulnerability research submissions each month as part of our normal contributor program," Greenwood told internetnews.com. "We expect to get many more than six submissions that may qualify for this promotion."

Microsoft does not endorse the challenge, and Greenwood said the company has not contacted VeriSign about the challenge. "We have a close working relationship with Microsoft and responsibly make them aware of vulnerabilities as we discover them," Greenwood said.

That's not to say that Microsoft isn't aware of the iDefense challenge.

A Microsoft spokesperson told internetnews.com that Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. The spokesperson added that Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice.

"Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner," the spokesperson said.

Though Microsoft will not pay for vulnerabilities, it won't ignore the vulnerabilities exposed by the challenge, either.

"Microsoft doesn't want to speculate on the motives of third-party researchers but will say it is committed to working with them closely on the issues they bring to our attention," the spokesperson said. "Whoever handles vulnerabilities, Microsoft does encourage them to responsibly disclose the vulnerability to the affected software vendor in order to protect all customers/users."

VeriSign's iDefense customers, however, may well get a leg up on Vista and IE7 vulnerabilities, ahead of regular Microsoft users.

"Early notification of vulnerabilities is just one aspect of the research the iDefense team does," iDefense's Greenwood said. "Our customers will benefit from the challenge by knowing about potential threats before they are exploited and giving them information to assess the potential risk prior to a patch being put out by Microsoft."

By Sean Michael Kerner Internetnews.com

Friday, January 12

Image Spam - A Growing Challenge

Image spam becoming a growing challenge:


Hundreds of millions of spam email messages are sent every day. This has been a significant problem, as spam accounts for 90% of all email worldwide. Now it has become an even bigger challenge due to the increased volume of image spam.

Image spam is a serious and growing problem, not least because of its ability to circumvent traditional email spam filters to clog servers and inboxes. In just half a year, image spam has grown to account for 35 per cent of all junk mail. Not only that, but image spam takes up 70 per cent of the bandwidth bulge because of the large file size of each message.

Apart from taking up valuable bandwidth, the time taken to filter out and destroy spam represents a significant burden on both IT staff and personnel in businesses and organizations. At the same time, operators themselves are building ever more efficient email servers and bandwidth capacity in order to deliver emails that nobody wants.

Ironically, at the heart of the problem are ordinary computer owners completely unaware that their computers are being used to launch the very attacks that end up in their inboxes. This is achieved through botnets, where computers are silently infected and activated as part of a larger raft of computers to do the spammers' bidding. The vast majority of all spam is sent from these botnets of zombie computers.

To give some idea of the scale of the problem, a typical Warezov-based botnet can send 160 million spam messages in just two hours. And last year botnets raised the volume of spam in circulation by 30 per cent. For enterprises, often the target of spam attacks, that figure was 50 per cent.

Spam originally used basic text captured in a GIF image to bypass standard dictionary-based content filters, but this has now morphed into image spam. Image spam is characterized by patchwork colours and multicolour characters with pixel-level randomization. It also features random nonsensical text sampled from legitimate web sites, placed between the hard sell of products like Viagra and other popular pharmaceuticals.

From: F-Secure.com

Security threats for Company Networks

Security threats to Protect Networks from in 2007


According to GFI, a leading provider of network security, content security and messaging software, every IT manager should make it part of their New Year's Resolution to protect their networks from the following threats in 2007:

Piracy: To protect themselves from legal action companies need to monitor networks more effectively, to ensure employees do not copy illegal material

Targeted data theft: Even more than before, crime cartels are realising that information can be as valuable as, if not more valuable than, drugs and weapons, so companies need to take adequate steps to protect data

Phishing: This is an easy way for criminals to harvest credit card and other personal information and companies need to protect themselves from such threats

USB: The proliferation of USB devices and improvements in storage technology lead to the inevitability that targeted attacks using techniques such as hacksaw or pod slurping will increase

Malware: Although Microsoft Vista is more secure, third-party software can be targeted as a means of infecting a system through the back door. Security vendors need to catch up, and quickly

Vista IPv6 Windows Internet Computer Name: This technology will allow every Vista installation to have its own internet domain name, exposing users to the threat of "man-in-the-middle" attacks and spoofing. While users will have the option of two running modes, the secure mode is just too complex for most users, making it unlikely that many people will choose that option

Wireless: Will the next evolutionary step of pod slurping and hacksaw-like attacks involve wireless devices? Watch out for this in 2007.

Games Consoles: PlayStation 3 and Xbox 360 both have extensive processing power as well as internet connections, and it is only a matter of time before malicious attacks start targeting these systems with DDoS attacks as well as traditional spam.

Net-Security.org