“Federal agents have arrested another member of the Cabin Cr3w hacking group, an offshoot of the Anonymous hacktivist network, for breaching two Utah police websites. John Anthony Borell III of Toledo, Ohio, has been charged with two counts of computer intrusion, according to an indictment unsealed yesterday (April 16) in a federal court in Utah. The indictment states that on two separate occasions in January, Borell hacked into the servers of the Utah chiefs of police and the Salt Lake City Police Department and leaked classified documents….”
Daily Archive: April 17, 2012
“How well do banks conform to the FFIEC's updated Authentication Guidance? Gartner analyst Avivah Litan says most have made progress, but they still struggle with the details. As she reviews banking institutions, Litan sees risk assessments being completed, as well as a focus on security enhancements to ACH and wire payments systems, customer education, and a review of which existing fraud-detection systems need to be updated.”I think they're well underway about knowing what they need to do,” Litan says….”
“When creating a patient portal that provides access to electronic health records, healthcare organizations must educate patients about the need for authenticating their identities, says Sharp HealthCare CIO Bill Spooner. In an interview with HealthcareInfoSecurity's Howard Anderson (transcript below), Spooner notes that some patients have complained that the authentication method for its patient portal is cumbersome.”It's a real communications issue to help the patients understand that we're trying to protect them,” he notes.
“Just how common are information breaches in healthcare? It's impossible to know for sure, but a new survey finds that 27 percent of healthcare organizations have experienced a reportable breach in the past 12 months.
“Organizers of health information exchanges must guard against underestimating the amount of time it takes to tackle privacy issues, says IDC's Lynne Dunbrack.”It takes some time to establish trust and to work through the data governance issues,” says Dunbrack, who recently wrote a report on HIE best practices.”Organizations need to work with each other and with their consumers and not underestimate the level of trust that's required in order to achieve successful exchange of information,” she says in an interview….”
“Cloud computing for governments in the United States, especially services tailored for the federal government, may not be as efficient or as cheap as many would hope, says Richard Falkenrath, a principal with the security consultancy The Chertoff Group.”Part of the appeal of a cloud architecture is the efficiency that comes from scale and locating your services where they are cheapest,” Falkenrath says in an interview with Information Security Media Group. “As you become more and more conservative on security and safety and sovereignty of the data, you deny yourself the ability to pursue that.”Limiting data to cloud computing servers located only within the United States means federal, state and local governments can't leverage cloud architectures built around consumer needs, driving costs higher, too….”
That’s a nice turn of phrase : Forever day is a play on “zero day,” a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or “infinite days” by some researchers, forever days refer to bugs that never get fixed–even when they’re acknowledged by the company that developed the software. In some cases, rather than issuing a patch that plugs the hole, the software maker simply adds advice to user manuals showing how to work around the threat.
“A member of the Anonymous hacking group has taken down the website of the US Department of Justice with a Distributed Denial of Service (DDoS) attack.
“Apple has released a malware removal tool for the most common variant of the Flashback Trojan, as well as security updates to mitigate the vulnerability exploited by the malware. The Flashback Trojan exploited three Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials, and is thought to have infected more than 600,000 systems. The removal tool will detect and automatically remove the malware from the infected device….”
“Last month, Microsoft teamed with a cross-sector coalition of interested parties in instigating the legal and technological assault that resulted in the seizure of multiple command and control servers operating a massive Zeus Trojan botnet. It was the second occasion where the tech giant Microsoft used the power of the courts to strike at the heart of a massive botnet operation.”In our most complex effort to disrupt botnets to date, Microsofts Digital Crimes Unit in collaboration with Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA The Electronic Payments Association, as well as Kyrus Tech Inc