Cyber Security Tips



        SANTA CLARA, Calif., Feb. 3 /PRNewswire/ -- WhiteHat Security, the leading provider of website risk management solutions, today announced that Erik Pace Birkholz, CISSP, has joined the sales team as director of sales for the Western region.  With expertise in enterprise risk management, host and network security, website and database vulnerability assessment and penetration testing spaces, Birkholz has the experience to drive growth and increase revenue in the Western region for WhiteHat.

    Cyber security bill could pay off for S.A.

    WASHINGTON — Reacting to a recent spate of hacker attacks, the House voted overwhelmingly Thursday for a $639 million cyber security bill to boost research and development of systems to protect the nation's computer networks.

    The bill, which passed 422-5, would provide up to $396 million in research grants to accelerate development of technology and nearly $100 million for scholarship programs to build a larger work force of cyber professionals.

    It was seen as a potential boon to states and cities — like Texas and San Antonio — that are lobbying the government for cyber security programs and missions.

    The 24th Air Force at Lackland AFB, command headquarters for Air Force cyber system protection, would gain from the bill, said Rep. Charlie Gonzalez, D-San Antonio.

    “With this bill, we can further assist them in their mission to safeguard our critical military cyber data,” he said.

    San Antonio also is home to the National Security Agency missions to protect national security systems.

    Gonzalez was one of 49 lawmakers whose congressional Web sites were disabled last week by unknown hackers. House Speaker Nancy Pelosi, D-Calif., has ordered a probe to determine who's responsible for the attack.

    And President Barack Obama voiced concern after Google, the internet search company, accused China of cyber attacks on its systems last month.

    “Every critical infrastructure is tied to cyber networks, whether it be our utilities, power grids, financial institutions, air traffic controllers,” said Rep. Michael McCaul, R-Austin.

    “Virtually every sector is vulnerable,” said McCaul, who sponsored the Cybersecurity Enhancement Act of 2009 along with Rep. Daniel Lipinski, D-Ill.

    There's currently no Senate companion legislation to it, but senators are expected to craft a similar bill this year.

    A Greater San Antonio Chamber of Commerce delegation discussed the bill and other pending legislation this week while in Washington to huddle with Texas members of Congress.

    The bill's funding for scholarships would go to students enrolled in cyber security studies. The $396 million for research would cover a four-year period, from 2010 to 2014.

    An amendment sponsored by Rep. Alcee Hastings, D-Fla., and Rep. Ciro Rodriguez, D-San Antonio, would ensure minority-serving institutions of higher education receive a portion of the grants.

    Those schools would include the University of Texas at San Antonio, the University of Texas at El Paso, St. Mary's University and Our Lady of the Lake University, both in San Antonio.

    Rodriguez said the bill would provide the means to “research, train and prepare our communities for threats and attacks.”

    Hastings said the amendment is designed to increase the number of women, blacks, Hispanics and other minorities in the cyber security industry.

    High-tech and software companies in Austin and San Antonio support the legislation. Texas, one of several states with large numbers of public and private cyber security agencies, competes with California, Massachusetts and Maryland for federal research dollars and cyber security programs.

    There's interest in those programs from the University of Texas at Austin and UTSA, said Rep. Lamar Smith, R-San Antonio.

    The bill drew overwhelming, bipartisan support, with only five lawmakers voting against it.

    by Gary Martin

    View this article at: http://www.mysanantonio.com/news/politics/83585982.html

     


    HIPAA Security Breaches: 10 Steps to Take When a Breach Occurs

    Missing laptops and other security lapses are unfortunately commonplace in the health care industry today, and they are causing serious damage to the reputation and bottom line of organizations like yours. Increased fines and penalties under the HITECH Act, coupled with the Obama administration’s zeal to recover billions of dollars from its enforcement efforts, may soon transform simple IT lapses into living nightmares for health care entities. What steps should HIPAA covered entities and business associates take if they think unsecured protected health information may have been used or disclosed impermissibly? How should they respond to protect individuals whose information may have been compromised, to reduce the risk of severe fines and penalties, and to prevent further security breaches?

         Join us on Feb. 24 when two privacy experts set forth the details of a 10-step plan for recognizing and responding to potential security breaches. Rebecca Fayed, an attorney with Sonnenschein Nath and Rosenthal LLP in Washington, D.C., who specializes in privacy and security, will detail these complex new legal obligations. Greg Young, the privacy and information security officer at Mammoth Hospital in Mammoth Lakes, Calif., will mix in his tried-and-true security procedures and the practical strategies he provides to his own information management team.

         You’ll come away with a well-organized 10-point action plan for what to do if/when you suspect a breach has occurred at your organization, with coverage of:

    • How to determine whether a breach has occurred, including strategies for assessing whether there is a significant risk of harm to the individual.
    • How to evaluate whether one of the HITECH Act breach exceptions applies.
    • Who you have to notify of the breach and when.
    • The applicability of state breach-notification laws.
    • Special considerations regarding breaches occurring at the business associate level.
    • Strategies for preventing future breaches.
    • Preparing for an investigation by HHS-OCR.

    Team-Wide Training at Its Best (and most cost- and time-efficient). Gather your management team around the table on February 24 for one low single-participant price. And photocopy for each of them as many copies of our printed materials as you need. Managers throughout your organization will learn the 10 steps your organization should take in the event of a security breach.

     

    Speakers

         Rebecca Fayed is an attorney in Sonnenschein Nath & Rosenthal LLP’s Health Care Group. She is a leading expert on matters related to the privacy and security of health information. Fayed advises clients on issues such as compliance with the HIPAA privacy and security rules, the HITECH Act, breach-notification obligations and state health information privacy laws. She works with clients on internal investigations of potential privacy and security violations, as well as government investigations related to allegations of privacy and security violations. She regularly speaks and writes on topics related to the privacy and security of health information, and is the author of AIS’s Report on Patient Privacy monthly article “Patient Privacy Court Cases.”

         Greg Young has served as the head information security officer at Mammoth Hospital in Mammoth Lakes, Calif., for the last six years. Prior to that, he worked as a technology support supervisor at the hospital. In 1995, he contracted with several technology companies to become the first Internet provider in the Eastern Sierra and High Desert areas of California. Young also spent eight years as a security specialist with the Rockwell Corp., working on highly classified programs. He began his career as a police officer and detective with the Seal Beach Police Department, where he served on the SWAT and special enforcement details until retiring due to an injury after 12 years of service.

    by Liana Heitin

    View this article at: http://www.aishealth.com/Products/C0X05_022410ENLAD.html



    Windows security update causes 'blue screen of death' for some

      Some Windows users reported on Thursday that they were getting the "blue screen of death" on their computers when they installed Microsoft's latest security updates released two days earlier.

       Most of the people complaining on a Windows forum said they had the problem on Windows XP, but one person also reported problems on Windows 7.

       Users posted a fix on the site that they said seemed to work, but that didn't necessarily quell the anger.

    "Where at Microsoft do I send my invoice for hours spent fixing this BS?" one person wrote on Thursday.

       The problem appears to be with one specific update, which addresses an elevation-of-privilege vulnerability in the 32-bit Windows kernel that was disclosed last month.

       The fix requires users to have an install CD, but not all computer manufacturers ship systems with a disc for re-installing the operating system, according to the Krebs on Security blog, which first reported the problems on Wednesday.

       In addition, netbooks do not have CD-ROM drives, making the problem even more difficult for them to fix, security blogger Brian Krebs wrote.

       Several people reported on the Windows forum site that Microsoft told them the company would not be providing a fix for netbooks and that netbook users would have to get support from the equipment manufacturer.

       Microsoft is investigating the reports to determine the cause of the problems, according to a statement from Jerry Bryant, senior security communications manager lead at Microsoft.

    by Elinor Mills

    View this article at: http://news.cnet.com/8301-27080_3-10452064-245.html

    UnVerified by PIN attack undermines bank security assurances

    Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases.

         Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s authorised by chip-and-PIN. The flaw creates a means to make transactions that are "Verified by PIN" using a stolen (uncancelled) card without knowing the PIN.

         Fraudsters would insert a "wedge" between the stolen card and terminal, tricking the terminal into believing that the PIN was correctly verified.

         It's not surprising that the attack works when a terminal is offline but it works when the terminal is connected too. Victims of fraud who complain of phantom transactions are denied refunds in cases where a purchase is PIN verified. The attack undermines faith in the banking industry’s claim that its systems are secure.

         Saar Drimer, one of the Cambridge researchers, warned: "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialize a kit to be used by others who do not need to understand how the attack works.”

         The man-in-the-middle attack outlined by the Cambridge researchers doesn’t work at ATMs, but it can work regardless of the amount spent in retail transactions. The security shortcomings apply to cards based on EMV (Europay, MasterCard, Visa), the most widely deployed standard for smartcard payments, which is used in millions of credit and debit cards, mostly in Europe.

         The research was carried out by Steven J Murdoch, Saar Drimer, Ross Anderson and Mike Bond, researchers at the Computer Laboratory, University of Cambridge, and is due to be presented at the IEEE Symposium on Security and Privacy conference in Oakland in May (draft paper here in pdf). Researchers from the team demonstrated the attack in an episode of the BBC Newsnight programme on Thursday night.

         "There is a gaping hole in the specifications which together create the 'Chip and PIN' system... The EMV specification stack is broken, and needs fixing," the researchers conclude in a blog posting.

         "We’re really worried that if something isn’t done to fix this problem, and the many others we’ve found in EMV, other regions adopting it (like the USA) are going to make the same mistakes again and again – and that means customers stay vulnerable."

          "That’s why again we’re arguing that Chip and PIN is broken. We don’t want people keeping their money in shoe boxes – we want the problems fixed. That means getting decent governance for the system that involves all the stakeholders – banks, regulators, merchants and customers."

    by John Leyden

    View this article at: http://www.theregister.co.uk/2010/02/12/chip_pin_security_unpicked/

    How not to protect your laptop computer

    The Lower Merion School District's innovative program allowing students to take home laptop computers has had the unintended consequence of putting the district in the legal crosshairs. School officials stand accused of misusing the laptops' security system to spy on a student.

        At the center of the allegation and the security system is the webcam, a small device that can transmit pictures from a computer to a remote location. Webcams represent an obvious threat to privacy, which has caused the recent uproar. But the district's use of the devices was misguided for a second reason: They're not all that effective at actually recovering stolen laptops.

         We all cherish our right to be left alone in our homes, which is so basic that the Constitution codifies it in the Fourth Amendment. By surreptitiously putting cameras in laptop computers that students were to take home, the Lower Merion district breached this right.

         Although the monitoring program was to be activated only if a laptop computer went missing, the lack of any real institutional controls doesn't create confidence in school officials. With unlimited discretion comes the potential for unlimited abuse.

         Beyond that is the issue of the webcams' questionable efficacy as a security measure. The devices can tell you where a computer is only while it's connected to the Internet. Once the connection is closed, the laptop's whereabouts become murky - and, as everyone knows, laptops are portable.

         So Lower Merion's security system will tell you where your property once was, but not necessarily where it is. Such a system is as likely to give you a tour of the area's coffee shops as it is to find a missing laptop.

         The district has an obvious interest in recovering its missing or stolen property, but the method it chose is fraught with legal and practical problems. Automobile recovery systems offer a better model.

         The hallmark of a good automobile recovery system, such as LoJack or OnStar, is a transponder that enables tracking of a vehicle after a police report is filed. This technology works as well - and is used widely - in laptop computers, and it offers many advantages over the school district's approach.

         First, it would tell school officials exactly where a computer is at the moment, not the last time it was connected to the Internet. Second, the absence of cameras eliminates much of the concern about spying. Third, use of the security system is restricted to cases where a police report has been filed, greatly reducing the likelihood of misuse.

         Lower Merion deserves credit for trying to expand students' learning opportunities, but its laptop security system was ill-conceived. This could lead to civil and criminal sanctions, while scuttling a cutting-edge educational tool. Given the relative ease with which the district could protect students' rights as well as its property, that didn't have to be the case.

    by Louis Lambardi

    View this article at: http://www.philly.com/inquirer/opinion/85456377.html

    Experts think up smarter honeypot traps to track malware

    Honeypot traps designed to protect computers from Botnets, which are used to carry out fraudulent and criminal activity on the Internet, are now vulnerable to attack because of advances in Botnet malware, computer scientists say.

    Botnets are armies of networked computers that have been compromised by malicious software.

    In the 1990s and early 2000s, viruses and worms were the main problems facing computer security experts, with the likes of Melissa, Love Letter, W32/Sircam, MyDoom, Netsky and Bagle familiar to anyone reading the computer press during that period.

    There has not been a major outbreak of a conventional computer virus or worm on the internet since the Sasser worm of May 2004.

    That is not because improvements in computer security have outstripped the skills of the virus writers but simply because the focus has shifted to taking control of computers invisibly.

    Instead of erasing information from hard drives or causing other mischief, compromised computers are recruited into Botnets that track keystrokes and steal usernames, passwords, and credit card details with criminal intent.

    Cliff Zou and colleagues of the University of Central Florida, Orlando (UCFO), explain that Botnets have become one of the major attacks on the internet today.

    They permit those who control them to take control of tens of thousands of computers and websites, steal credit card and banking information, send millions of spam emails, and infect other computers, all for illicit financial gain.

         Moreover, those in control of the most powerful Botnets even hire out computer time on these illegal systems to other criminals.

    The self-propagating nature of a Botnet means that the underlying software is always attempting to infect new computers.

    This has allowed security experts to create “honeypot” traps - unprotected computers with hidden monitoring software installed - that attract Botnets and then extract data about the Botnet and the compromised computers it controls.

    Honeypots set up by security defenders thus become spies, exposing Botnet membership and revealing Botnet attack behaviour and methodology, which allows security experts to find ways to block Botnet activity.

    Zou and his team have now discovered that Botnet software could be developed to detect honeypots.

    Given that security defenders have an obligation to disarm their own honeypot computers so that they do not become active components of the Botnet, the malicious software could, they explain, simply detect such a honeypot during initial activity, as it will not send back the expected information.

    The Botnet would then either disable the honeypot computer or else simply ignore its existence and move on to the next target, says an Inderscience release.

    By revealing this vulnerability to the computer security industry and presenting possible guidelines for creating honeypots that might be undetectable, the team hopes to pioneer a way to trap and block Botnet software before the Botnet controllers are able to exploit this technical loophole in legitimate computer systems employing honeypots.

    These findings were published in the International Journal of Information and Computer Security.

    by The Hindu

    View this article at: http://beta.thehindu.com/sci-tech/article123401.ece

    It is massively important NEVER to download software from anywhere except the software author's website. Be sure, when you install ANY software, that the installer carries a digital certificate that Windows validates during installation.

    Reducing spambot spam with fake MX records

    A handy tip on how you can reduce spam from virus-infected spam bots using MX record tricks. This simple DNS trick can get rid of as much as 1/3 of your spam.

    In recent weeks, 43-year-old Terry Childs allegedly used his super-user access to lock San Francisco city officials out of their core computer systems. For a period of days, as he sat in jail on $5,000,000 bail, he also refused to give up the passwords.
