http://healthitsecurity.com/2013/07/29/ohsu-alerts-patients-of-google-cloud-security-concerns/ By Patrick Ouellette HealthITSecurity.com July 29, 2013 In a rare data patient privacy issue involving patient data stored in the cloud, Oregon Health and Science University (OHSU) alerted 3,044 patients on July 26 that it had stored their data using a non-business associate (BA) in Internet-based service provider Google. According OHSU, Google Drive and Google Mail have security features in place that include password protection and it doesn’t appear as though any data has been inappropriately accessed. But since Google isn’t a OHSU BA and there’s no contractual agreement in place to use or store OHSU patient health information, the organization isn’t sure that Google has the proper privacy policies in place to handle protected health information (PHI). Google’s terms of service apparently say that the data stored with its infrastructure can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” Since OHSU can’t get Google’s word (as of now) that its PHI hasn’t been, and will not be in the future, used to develop Google’s services, it removed all PHI from Google’s services and sent out this letter to all affected patients: […]

Tags: business, cloud, com, data, infrastructure, Internet, oh, Protection, Security, service, use

[ISN] NASA falls short on its cloud computing security

July 30, 2013 Lawrence Pingree

http://news.cnet.com/8301-1009_3-57596053-83/nasa-falls-short-on-its-cloud-computing-security/ By Dara Kerr Security & Privacy CNET News July 29, 2013 In its move to cloud computing, NASA has experienced some difficulties meeting security guidelines. A new report by the agency’s Office of the Inspector General says that NASA needs to work on strengthening its information technology security practices. “We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” the report reads. A few examples of poor practices include NASA moving data into public clouds without notifying the Agency’s Office of the Chief Information Officer and also working with contractors that didn’t “fully address” cloud computing IT security risks. In one incident, data was on the public cloud for two years without authorization or a security plan and test system. Additionally, more than 100 of NASA’s internal and external Web sites didn’t have proper security controls. “This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements,” the report reads […]

Tags: cause, cloud, com, computing, data, ensure, internal, management, practice, risk, Security, site, systems, technology, use

Security

[ISN] Nato urges military to recruit white hat hacker army to boost defences

July 30, 2013 Lawrence Pingree

http://www.v3.co.uk/v3-uk/news/2285459/nato-urges-military-to-recruit-white-hat-hacker-army-to-boost-defences By Alastair Stevenson V3.co.uk 29 Jul 2013 Nato has called for military and private industry to recruit more ethical hackers, listing their skills as an essential weapon in its ongoing anti-black hat war. Nato deputy assistant secretary general Jamie Shea issued the statement in video review exploring the ethical hacking community. He said: “In order to have a defence you need to have a much wider group of people with a much broader set of skills working for you than as in the old days when we were talking about the man from the ministry with a set identity. That’s not the case anymore.” A Nato spokesman added in the video that the community is currently an under-tapped source that could help temporarily plug the global cyber skills gap. “Traditionally, ethical hackers, known as white hats, have disclosed security bugs for free and many continue to do so just for the prestige. But with industry and governments around the world looking to beef up their cyber defences, ethical hackers can now have the pick of jobs in a booming industry.” […]

Tags: com, continue, cyber, day, government, industry, just, review, Security

Security

[ISN] Car hacking scientists agree to delay paper that could unlock Porsches

July 30, 2013 Lawrence Pingree

http://www.theguardian.com/technology/2013/jul/30/car-hacking-ignition-injunction By Lisa O’Carroll theguardian.com 30 July 2013 The University of Birmingham says it will defer any publication of an academic paper which reveals secret codes to bypass the security on top-end cars including Porsches and Bentleys following a high court injunction. It said it was “disappointed” with the judgement in a statement following the Guardian’s revelation that the cryptography research of three British and Dutch academics had prompted legal action by the cars’ manufacturer Volkswagen. The motoring giant had argued that the work of Birmingham’s computer scientist Flavio Garcia and two Dutch colleagues from the Raboud University could lead to the theft of not just the luxury cars but also of lower-end people-carriers and other makes, including Audis which use its Megamos Crypto algorithm. That algorithm allows the car to verify the identity of the ignition key. Volkswagen complained to the judge that the publication could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car”. […]

Tags: car, com, end, just, Security, special, technology, theft, tools, use

Security

[ISN] Symantec slams Web Gateway back door on would-be corporate spies

July 30, 2013 Lawrence Pingree

http://www.theregister.co.uk/2013/07/29/symantec_web_gateway_vulns_fixed/ By John Leyden The Register 29th July 2013 Symantec has plugged a series of critical flaws in its Web Gateway appliances which included a backdoor permitting remote code execution on targeted systems. The flaws, discovered during a short crash test by security researchers at Austrian firm SEC Consult, created a means to execute code with root privileges – or the ability to take over a vulnerable appliance. In an advisory note, SEC Consult Vulnerability Lab warns the flaws posed a huge spying risk to corporate users of Symantec’s technology, which is designed to prevent malware and other threats from getting inside corporate networks. […]

Tags: able, door, Law, malware, oh, risk, Security, symantec, systems, target, technology, threats, use, vulnerability

Security

[ISN] InfoSec community mourns the loss of well-known hacker Barnaby Jack

July 28, 2013 Lawrence Pingree

http://www.csoonline.com/article/737044/infosec-community-mourns-the-loss-of-well-known-hacker-barnaby-jack By Steve Ragan Staff Writer CSO Online July 26, 2013 The security community remains in a mixed state of grief and confusion this morning, as word of Barnaby Jack’s passing spreads. Known for his work on embedded devices, from the financial world to the medical one, the 35 year-old hacker was a beloved family member to the InfoSec community. According to the San Francisco Medical Examiner, Barnaby Jack passed-away on Thursday, at 7:50 p.m. local time, but the office would not discuss any further details. The news was confirmed by his sister, Amberleigh, Friday morning. The lack of information has left many of his friends and peers — his extended family — in confusion as they struggle to deal with his sudden loss. He is best remembered by much of the public for his research in 2010, where he disclosed flaws that enabled a person to force ATMs to spit out cash, a process he called Jackpotting. Video of that talk, along with slides, is available here. His career and research interests went beyond financial hacking however, as he focused on embedded devices including those used by the medical world. After the ATM presentation, Jack went on to deliver research on vulnerabilities within SCADA systems, implantable insulin pumps, and more recently, ICDs, or Implantable Cardioverter Defibrillators. […]

Tags: able, car, com, day, device, EDD, end, Law, process, ROC, Security, systems, time, use, vulnerabilities

Security

[ISN] Western spooks’ banned Lenovo PCs after finding back doors

July 28, 2013 Lawrence Pingree

http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/ By Phil Muncaster The Register 29th July 2013 Chinese PC giant Lenovo has been banned from supplying kit for the top secret networks of western intelligence agencies after security concerns emerged when backdoor vulnerabilities were detected, according to a new report. Unnamed intelligence and defence “sources” in the UK and Australia confirmed to the Australian Financial Review that a written ban was slapped on the firm almost a decade ago in the mid-2000s. The timeframe offered matches Lenovo’s 2005 acquisition of IBM’s PC business. Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the tests which could allow attackers to remotely access devices without the knowledge of the owner. The ban applies to various agencies in the Five Eyes alliance (UK, US, Canada, New Zealand and Australia) where such rules are normally implemented across the board given the interconnected nature of some of their classified networks, AFR said. […]

Tags: business, class, device, door, review, Security, time, use, vulnerabilities

Security

[ISN] Pentagon Says Asian Spies Are Targeting Radiation-Hardened Electronics

July 28, 2013 Lawrence Pingree

http://www.defenseone.com/technology/2013/07/pentagon-says-asian-spies-are-targeting-radiation-hardened-electronics/67505/ By Rachel Oswald Global Security Newswire July 26, 2013 The Pentagon has documented a sharp increase in military espionage from the Asia-Pacific region that focuses on specialized electronics designed to withstand radiation, such as that caused by nuclear warfare or accidents, according to an official review released last week. For a number of years, foreign entities from East Asia and the Pacific “have demonstrated a strong interest in obtaining export-controlled U.S. rad-hard circuitry,” states the report by the Pentagon’s Defense Security Service, referring to radiation-hardened electronics. Radiation hardening is a process by which electric components are made to withstand the effects of ionizing radiation released in a nuclear explosion, by commercial atomic reactors or the sun. These strengthened circuits “have applications in nuclear weapons, aerospace vehicles, ballistic missiles, and other electronics used in environments subject to radiation,” the review reads. A number of Asia-Pacific nations with growing space programs could be motivated to seek out information about radiation-resistant technology. […]

Tags: application, applications, cause, com, process, program, review, ROC, Security, service, special, target, technology, use

M	T	W	T	F	S	S
« Jun				Aug »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Pingree On Security

Monthly Archives: July 2013

[ISN] Nato urges military to recruit white hat hacker army to boost defences

[ISN] Car hacking scientists agree to delay paper that could unlock Porsches

[ISN] Symantec slams Web Gateway back door on would-be corporate spies

[ISN] InfoSec community mourns the loss of well-known hacker Barnaby Jack

[ISN] Western spooks’ banned Lenovo PCs after finding back doors

[ISN] Pentagon Says Asian Spies Are Targeting Radiation-Hardened Electronics

Advanced & Persistent Security

Buy a copy of my book!