Tuesday, September 20, 2011

NHS loses CD of 1.6 MILLION patients' records

'We reassure you it was old data'. Sure, my DOB's changed By Guardian Healthcare Network Posted in Government, 20th September 2011 An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner's Office (ICO) for losing a CD containing details on 1.6 million people. Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the implementation of encryption systems to replace the use of floppy discs and CDs. Last week the trust was handed an undertaking by the information watchdog after sending the personal information to a landfill during an office move in March. The ICO said the data contained the names, addresses, dates of birth, NHS numbers and GP details of those affected. In a statement on the trust's website, Sutton said that the data had not been recovered and that the trust had accepted the ICO's report on the incident. She said: "While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current - the most recent information was from 2002. Sutton added: "We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner's recommendations to improve them further will be implemented fully." ® This article was originally published at Guardian Professional. Join the Guardian Healthcare Network to receive regular emails on NHS innovation.

Hackers break SSL encryption used by millions of sites

By Dan Goodin in San Francisco Posted in ID, 19th September 2011 Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting. At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

FISMA compliance to require monthly reports

FISMA compliance to require monthly reports Dan Kaplan September 19, 2011 Federal agencies soon will be required to report on their information security health on a monthly basis, instead of annually, according to a memo from the federal Office of Management and Budget. As part of their compliance with the Federal Information Security Management Act (FISMA), agencies must, beginning next month, submit data from their automated security management tools into CyberScope, an application that went online in 2009, and is used to securely and efficiently report security-related information and provide analysis. "This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information – delivered more quickly than ever before," OMB Director Jacob Lew wrote in the memo, issued last week. The monthly requirements also include answering questions in CyberScope that address risk. They are meant to determine whether an agency effectively is implementing its security functionality. In addition, under the reporting mandates, agencies must work with government specialists through sessions and interviews to improve their security stance. Marcus Sachs, a former U.S. government cyber official, said increased reporting requirements, in both the private and public sector, tend to occupy man-hours that would be better served working the problem. But he said that forcing senior management to sign off on regular reports could shine a light on the need for more security resources. "I think it one sense, increasing the [reporting] burden does take away from the few people who are really good at cybersecurity," he told SCMagazineUS.com on Monday. "On the other hand, it does increase the awareness of the senior leaders. Nobody is going to sign off on it unless it's accurate."

Sunday, September 11, 2011

History of DOS -Denial of Service Attack

http://uscyberlabs.com/blog/?p=811

DigiNotar SSL Hack Diagram | Cyber Chatter

This is an ongoing diagram of the DigiNotar SSL Hack. I will update this as I work on it. I just think that this will help some people to understand the scope of this attack. This is from the spreadsheet I got from the TORProject… http://uscyberlabs.com/blog/?p=840

Email encryption for iPad and iPhone

Email encryption for iPad and iPhone