PI Newswire

Content aggregation for the investigative professional


Search Results: data-protection

As the U.S. invests billions of dollars to convert from paper-based medical records to electronic ones, has the time come to offer everyone a unique health-care identification number?

Proponents say universal patient identifiers, or UPIs, deserve a serious look because they are the most efficient way to connect patients to their medical data. They say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. UPIs, they say, would both improve care and lower costs.

Privacy activists aren’t buying it. They say that information from medical records already is routinely collected and sold for commercial gain without patient consent and that a health-care ID system would only encourage more of the same. The result, they say, will be more patients losing trust in the system and hiding things from their doctors, resulting in a deterioration in care. They agree that it’s crucial to move medical records into the digital age. But they say it can be done without resorting to universal health IDs.

Read more…

Cyber crime is now a booming industry

Posted on January 22, 2012

From compromised machines to mass email lists for spamming, electronically-transferring funds out of bank accounts to phishing attacks—India’s 100 million internet users have become prime targets for hackers across the globe.

A report, titled “Global Risks for 2012”, shows that cyber attacks on governments and businesses are considered one of the top five risks in the world. Be it cybercrime, cyber-espionage or cyberwarfare — they are on a steady rise. The reason: the highly lucrative payout hackers get from stealing data. “There are high profit margins and a low detection rate by law enforcement agencies. Further, half of the data thefts (on both individual PCs and enterprise PCs) are executed from remote or stolen server locations, which only makes prosecution difficult,” points out an ethical hacker employed with a large Indian IT outsourcing company.

E-mails, personal data and financial data are the most sought after “goods” in the black market, says Pankaj Jain, director, ESET India. “The e-fraud business that has been traditionally flourishing in India is credit card cloning. The cloning itself is mostly performed by Nigerians living in India, though the card data they get are usually from Russian and former Soviet Union hackers on underground forums,” he says.

The fast-maturing cyber crime economy
Even as enterprises and individuals struggle with internet threats, the underground cybercrime economy has moved on to organised entrepreneurship. An ethical hacker from New Delhi, who regularly accesses the digital black market where cybercriminals advertise and trade stolen information and services, shared how the advertisements are done. “Search, compare, and if you find a better offer we will return your money…,” reads an ad selling user data in black market journals. With the economic crisis looming large, such claims and ads are on the rise.

“Today, the main concern for the data sellers is to generate trust among their clients,” the ethical hacker tells Business Standard. He added that data sellers have started offering free “trial” access to stolen bank or credit card details as well as money-back guarantees and free exchanges. “Since there is a great deal of competition in the cyber black market, the rule of supply and demand ensures that prices are competitive, with operators even offering bulk discounts to high-volume buyers,” says a security consultant at a leading pharmaceutical R&D unit in Bangalore.

Read more…

Cybercrime is on the rise, up 10% from 2009. In fact, PricewaterhouseCoopers found that nearly half of all businesses had been a victim of fraud in the past year. For small businesses, these attacks can be especially harmful to your bottom line, putting your clients’ personal data at risk and threatening to take systems down for days at a time. Below are a few ways cybercrime can affect your business in 2012:

Website compromising.

Website hacking is dangerous because it can influence the way your clients see you. When PBS’s website was compromised in 2011, hackers not only posted a fake news story about deceased rapper Tupac Shakur, they released usernames and passwords for PBS affiliates. SonyPictures.com also suffered an attack last summer in which usernames and passwords were leaked. In both cases, outdated software and security measures were blamed, but it was also noted that many of the passwords being used were surprisingly simple. Small businesses should set strict password standards, enforced server-wide. As recommended by Microsoft, passwords should be at least six characters long and contain a combination of letters, numbers, and special characters.

Keylogging.

Imagine someone having a printout of everything you type, every time you log in to your computer. That’s what keylogging does and it’s one of the ways hackers can gain entry into your system. This is an especially dangerous hack, since it can allow outside entities to gain access to your customers’ credit card data, bank account info, and social security numbers, in addition to the passwords to your business’s databases and in-house software. Keylogging software can either be installed through a virus or directly installed by someone gaining inside access to your computer systems. It is important that small businesses keep all virus definitions up to date and make sure software applications like Java and Adobe Flash are consistently up to date on every PC and laptop in your organization. Having outdated versions of these applications can leave you open to vulnerabilities.

Read more…

With attacks on data and IT infrastructure on the rise — along with the costs and potential business impact of attacks — security professionals are starting to express a sense of futility in their work.

This is especially so following the past couple of years, which have included high-profile and successful attacks on companies that would be expected to have the wherewithal to protect their infrastructure, including RSA Security, Google, NASDAQ Directors Desk, Symantec, and many others.

“There’s a sense that no matter what you do, what steps are taken, if someone wants to hack your systems, your data, they can,” says the security analyst at a midwest manufacturer. “It’s becoming insanely frustrating.”

The U.S. — in what some have argued is a move that both shows the importance of the IT infrastructure and the futility of traditional electronic defenses — last year stated that the government would use military force in retaliation against certain cyber attacks.

“Frustration in the industry has certainly been growing, so much that more on the defensive side have been wondering what could be done to more proactively combat attackers,” the analyst says.

Read more…

Everything you type on your PC, whether it’s a Web address, your credit card information, user names and passwords – everything – is fair game for key loggers, the hacker-jerks who want to steal your identity and make your life miserable.

Rather than wasting your time reading the rest of this column, hie thee to www.keyscrambler.com and download the free version of KeyScrambler for Windows PCs. If you’re impressed, fork over either $30 or $45 for more powerful versions.

KeyScrambler is simple to use. Once it’s installed, you don’t have to worry about it. As you type in a Web address, user name, password or any other sensitive bit of information, KeyScrambler encrypts it – you can actually watch it generate nonsense characters in a little window at the top of your Web browser. I installed it on both Internet Explorer and Firefox, and in both cases, it worked just fine.

Those nonsense characters are all a hacker can see, and that won’t do him a bit of good. Your password, for example, comes out as c&b% (or some such combination).

Unlike some commercial programs that protect against the key logging programs they know about, KeyScrambler protects against any key-logging program because it encrypts everything that’s typed into a browser window or other sensitive fill-in-the-blanks

Read more…

Columbia University researchers have found a new class of computer security flaws involving printers that could impact millions of businesses, consumers, and government agencies.

The researchers say that certain Hewlett-Packard (HP) LaserJet printers can be remotely controlled over the Internet, enabling computer hackers to steal personal information, attack normally secure networks, and cause physical damage to hardware.

HP’s Keith Moore says the initial research suggests the likelihood that the vulnerability can be exploited in the real world is low.

However, the Columbia researchers claim the security vulnerability is so fundamental that it could affect tens of millions of printers and other hardware that use flawed firmware.

The flawed firmware runs embedded systems such as computer printers, which increasingly include functions that make them operate more like computers.

Read more…

Do you watch the Supreme Court hearings on CPAC? No? Well I do.

I find it rather peculiar that the same Conservatives who were so concerned with the removal of the gun registration law are not at all concerned about warrantless wiretapping (intercept).

Warrantless means no judicial warrant obtained from a Judge, meaning no accountability to the Solicitor General through the checks and balances of recording and review. The authorization to establish and conduct a warrantless wiretap (Criminal Code s.184.4) can now be granted by a peace officer. (The term “peace officer” is not defined in the section’s language and has a very wide range in the Criminal Code.)

The argument by the Crown in the appeal that concerns warrantless emergency wiretaps (Criminal Code s.184.4 – Supreme Court Challenge – 18 Nov 2011) was the need for peace officers to be able to initiate a warrantless wiretap if a threat to persons or property transpired and the threat level does not allow for judicial authorization in a timely manner. The Crown used the example of an abduction, where victims’ and suspects’ phones may be tapped without consent, warrant or notification.

Some would say this is acceptable in an emergency situation – a valid argument if the law were defined in its language to indicate clear parameters within which the peace officer can authorize and conduct an emergency warrantless wiretap. The length of time the warrantless intercept can be in place, judicial review requirements, reporting procedures to the Solicitor General, and the collection, distribution and deletion of data should be mentioned. But that language is just not there.

Read more…

Tips for Using Encryption Wisely

Posted on January 11, 2012

To help prevent breaches, mobile devices should be encrypted even if storage of sensitive information on them is prohibited, says security expert Melodi Mosley Gates.

“Even with the best of intentions, and the most technically enforced policy, a ban for putting sensitive information on mobile devices is probably not going to be 100 percent effective,” the attorney contends. That’s because all mobile devices enable users to enter data and to receive e-mails that may, in some cases, contain sensitive information.

As a result, her advice is to “have a policy in place that minimizes the amount of sensitive information that can land on mobile devices and still encrypt mobile devices.” Although this approach “may feel like a belt and suspenders,” it’s the best way to minimize the risk of data breaches involving tablets, smart phones, laptops and other mobile devices, which can easily be lost or stolen, Gates says.

In an in-depth interview, Gates offers other practical insights on encryption, including:

• Consider conducting a small-scale encryption pilot that involves representatives of various departments. This can help overcome outdated perceptions about the practicality of encryption.
• Identify sensitive information that needs to be encrypted by using a two-pronged approach: survey staff members to map their business processes and identify how they use data, and implement a data loss prevention application to scan all computers and pinpoint where sensitive data resides. Taking this approach, she says, also will help “build awareness for why it’s important to keep track of this sensitive data and where it lives.”

Read more…

Last week, an Indian hacker crew successfully broke into a secured Indian military government network. The group, the Lords of Dharmaraja, posted documents that suggest Apple, Nokia, and Research In Motion gave the Indian government backdoor access to their devices in exchange for mobile phone market rights. Indian government officials say the files are forgeries; however, they fit in perfectly with what we know about mobile phone surveillance in 2012.

Fast Company has reported extensively on smartphone and computer security fears. In the documents, which have been posted on multiple mirrors, Indian military intelligence refers multiple times to a system known as RINOA SUR. According to ZDNet India’s Manan Kakkar, the RINOA portion of the acronym refers to “RIM, Nokia, Apple,” while the meaning of the SUR portion is unknown. The documents describe a backdoor mobile phone surveillance system in great detail. The documents also suggest that network access was granted to the Indian government in exchange for the right to sell to Indian consumers.

The pervasiveness of government smartphone and computer surveillance in the United States is unknown. Several days ago, a federal appeals court revived the Jewel vs. NSA lawsuit, which alleges that the National Security Agency (NSA) routinely engages in warrantless surveillance of electronic communications. According to privacy watchdog group EPIC, a secret 2002 executive order granted the NSA the authority to conduct warrantless surveillance of electronic communications. The Jewel vs. NSA lawsuit was filed by Carolyn Jewel, a Los Angeles-area romance novelist who found evidence showing that details about her online activity were being given to the NSA by her Internet service provider.

Other intelligence agencies may be involved in warrantless surveillance of mobile telephone and Internet communications as well. The Electronic Frontier Foundation filed a lawsuit in late October alleging that the PATRIOT Act has “secret interpretations” that allow government agencies to conduct dragnets of e-traffic. Under these interpretations, it seems that large numbers of Americans–both individuals and businesses–can be targeted for surveillance if the FBI has determined they are “relevant to a government investigation.” No warrant is required.

Read more…

The public should be informed when a building or facility operator uses systems to track the location and movements of mobile phones, a data privacy expert has said.

Phone-tracking systems are used in some shopping centres and in other environments such as at stadium concerts and in refugee camps. The system helps to build up a picture about the mass movement of people, the chief executive of a company that operates such technology told Out-Law.com.

Data protection law only applies to information that qualifies as ‘personal data’. The information these systems gather is unlikely to qualify as personal data when read on its own but could identify individuals when combined with information from other sources, according to Kathryn Wynn, an expert in data privacy at Pinsent Masons, the law firm behind Out-Law.com.

This means that operators should inform mobile users when the technology is in use, she said, because some of the information gathered could later become personal data, depending on the processing of it.

“If the company is just tracking customers’ movements on a single visit to a shopping centre and is not able to collect shopping habit information about individuals on a long term basis it would appear that the information collected is more like geolocation data rather than technology which is akin to a [website] cookie,” Wynn said.

Read more…

The American Civil Liberties Union has brought a suit against the US government over its seizure of the laptop of a computer security consultant – a seizure carried out at a Chicago airport about a year ago without a search warrant or any charges of crimes.

According to a report in Sunday’s Boston Globe, the consultant – a former MIT researcher, David House – was returning from rest and relaxation in Mexico when federal agents seized his laptop.

According to the Globe, the government wanted to know more about House’s connections to Bradley Manning, the US Army private accused of leaking classified information to WikiLeaks.

The seizure comes as no surprise. As Globe writer Katie Johnston notes, United States ports of entry are dubbed “Constitution-free zones” by civil liberties advocates.

Barring invasive techniques such as strip searches, government agents are free to disregard the Fourth Amendment protection against unreasonable search and seizure. They don’t need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones.

Read more…

A new threat is looming for browsers and it’s not related to JavaScript.

Security researcher Mario Heiderich reported to the maker of Firefox last year that he had found an unusual vulnerability in the browser and in two other Mozilla products that run on the Gecko engine, Thunderbird and SeaMonkey. Based on the relatively new technology that allows for animated complex vector graphics in the browser, called SVG animation, the vulnerability allowed a malware writer to detect keystrokes even when JavaScript was disabled.

Basically, he found a way to turn innocuous Web pages into keyloggers. Mozilla patched the vulnerability in Firefox 9, Thunderbird 9, and SeaMonkey 2.6. Then, as is standard operating procedure, they announced to the public what the threat was and that it had been fixed. But the real threat may lie in what the threat wasn’t: it wasn’t based in JavaScript.

“The basic premise of my research currently is scriptless attacks, meaning attack vectors working in a post-XSS world,” Heiderich said in an e-mail. He defined a “post-XSS” world as one where the cross-site scripting attack had been more or less minimized by technologies like sandboxed iFrames, Mozilla’s e-mail client Thunderbird and Firefox’s Content Security Policy, the JavaScript blocking browser add-on NoScript, and Windows 8.

“The desired goal was to do keystroke logging in the browser, doing so without necessitating JavaScript, so even if you turned off JavaScript it would work,” said Jeremiah Grossman, Chief Technical Officer at computer security research firm White Hat Security. “All the browser developers are fixing cross-site scripting. What half a dozen researchers are exploring is what you can do attack-wise in a browser without JavaScript. They’re discovering that there’s still quite a lot you can do in the browser.”

Read more…