Executive order increases information sharing

President Obama signed an executive order on February 12, 2013 that requires federal agencies to share information on cyber threats with each other and private companies.  This will include unclassified information on activities of known criminals and terrorists and cyber-attacks and some classified information for owners of critical infrastructure.  The order does not require private companies to share data with the government which alleviates some of the privacy concerns present in the Cyber Intelligence Sharing and Protection Act (CISPA).

Information will be collected and shared through two national critical infrastructure centers operated by the Department of Homeland Security (DHS); one for physical infrastructure such as fences, gates and checkpoints and the other for cyber infrastructure such as intrusion prevention systems, application gateways and firewalls.  These DHS centers will also assist with incident response and restoration efforts related to cyber-attacks.

Aspects of the executive order are unclear, but there will be some requirement for owners of critical infrastructure to establish security metrics and guidelines as specified by the DHS and federal agencies.  Meanwhile, the National Institute of Standards and Technology (NIST) has been tasked with coming up with a preliminary framework for federal agency actions that are “prioritized, flexible, repeatable, performance-based and cost-effective.” (Sec. 7b)

This executive order is not the same as a law but it does show that the Obama administration is concerned about cyber security and it will impact further legislation in this area.  Upcoming legislation may carry this to the next phase and establish a long-term program of cyber security information sharing and awareness.

Another government data breach weakens public confidence

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees.  The hackers did not gain access to classified information, which investigators believe was the target of the attack.

Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on Pastebin.  However, the posted information was dated and investigators believe Parastoo is not responsible for the attack.  According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the attack involved a foreign nation state.  This nation state is most likely China, based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts.  If so, this employee information will probably be used to launch further attacks and gain the confidence of DOE employees with access to sensitive information.

The DOE and FBI are still investigating the incident but speculation abounds as to how the attack on their systems took place including weak server security configurations, poor user training and an over-reliance on outdated methods.  The security of DOE systems has certainly been called into question and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.

What the changes in HIPAA Omnibus mean for you

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013 designed to give patients additional rights to their health information and increase penalties to organizations that fail to protect Personal Health Information (PHI).  The rule goes into effect on March 26, 2013 and it includes some changes to data breach response requirements.

HIPAA required covered entities to conduct a risk assessment when a data breach occurs.  The risk assessment would determine whether the breach impacted an individual enough to require notification.  If the risk assessment determined that the risk was low, then the covered entity did not need to notify the individuals or the Office of Civil Rights (OCR).  According to HITECH Answers, the HIPAA Omnibus rule now requires that covered entities retain documentation on the risk assessment performed, which could be provided to the OCR if their decision not to notify is called into question; in other words, a burden of proof.  If the OCR finds that the covered entity did not meet the burden of proof, it may find the covered entity to be negligent and fine them accordingly or require them to perform corrective action.  The rule also adds new requirements for determining the harm to the individual.

Also of interest to HIPAA data breaches is the revised language that broadens the definition of business associates to include more downstream providers who touch PHI.  This increases the number of companies that will need to adhere to the HIPAA requirements.  These companies will need to become compliant before the rule takes effect but many may not even be aware that they will soon be subject to HIPAA.

Discussions continue on “hack back”

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking place in Canada.  In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protesting and activism known as hacktivism.  The report recommended several exemptions to existing legislation to allow researchers, investigators and even journalists to hack into other computers.  Some of the hack back recommendations included allowing security researchers to attack and reverse engineer software in order to determine security concerns (Montreal Gazette), investigators to take additional actions in investigating attacks such as data breaches and malware and reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, a discussion has taken place between Public Safety Canada and the minister’s office on this subject, resulting in a decision by Public Safety Canada on January 16, 2013 to reject the recommendations.  This is by no means a complete loss for those supporting hack back, since such large scale initiatives often take years to implement.  Alana Maurushat, the author of the report, wrote, “no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes.”  The past year of discussion will increase awareness of the hack back initiative and I will most likely see other proposals in the future that address the shortfalls of this proposal, which Public Safety Canada has not spelled out.

Ready for VandyLAN 8?

Are you ready for some great PC gaming? Bring your computer to VandyLAN 8 where we will game all day long and into the night. Come for the entire thing or just stay a while. Either way, you will have a great time. We will have the projector set up as a score board. Let me know what games you would like to play.

Things to bring with you to VandyLAN

1. Computer, Monitor and Keyboard for PCs or a Laptop
2. Mouse
3. Ethernet cable (the longer the better)
4. Power Strip
5. Game media for games you want to play

Optional but recommended
1. Headset (Headphones and microphone so you can speak only to your teammates)
2. Blank CD/DVDs for burning games. We can share ISOs too so this is not a requirement but some prefer a real disk.
3. Gaming pads, controllers and/or joysticks
4. Mouse pad (provides comfort)
5. External hard drive for file sharing

I would like to play some Freelancer at the LAN party. Freelancer is a game from Microsoft that was abandoned years ago after a long wait for a sequel that never arrived. The modding community has extended the game over the years and added much more to the world including many ships, systems, bases and other things. One of the best mods is called Discovery. Another great thing about playing Freelancer is that it won’t cost you a dime.

Here is what you need to do to run the game and discovery
1. Install Freelancer (http://theisozone.com/downloads/pc/windows-games/freelancer/)
2. Install the Freelancer 1.1 update (http://www.microsoft.com/games/freelancer/)
3. Install the Discovery 4.86 Exiles mod (http://www.moddb.com//down/discovery-freelancer-486-exiles)

Instead of setting up my own server, we will be using a server that already exists. I set up an account on this server already and I will get a ship. I will also earn some money so that I can give each player at the LAN party enough money for a ship. The name of the server is “Discovery Free Play Non-RP 24/7”. I talked to the owners and they are fine with all of us connecting for the LAN party and you are all free to join early too. See this page for information on all the ships you can fly. http://discoverygc.com/wiki/Ship_Portal

We will form up as teams and then fly to an empty area of space so that we can do some team battles. We can also do some cooperative activities. We will balance the teams based on the ships we have so that a few powerful ships do not dominate the battle.

This video gives you an idea how combat works in Freelancer with the Discovery mod.

Here is a demo of what Artemis looks like in the theater. I only have three laptops in this setup with the main screen and the camera did not operate well in the low light but I thought it made for a cool demo.
[embedplusvideo height=”480″ width=”960″ editlink=”http://bit.ly/1rkeUN0″ standard=”http://www.youtube.com/v/xTIWaeCPB10?fs=1″ vars=”ytid=xTIWaeCPB10&width=960&height=480&start=&stop=&rs=w&hd=0&autoplay=0&react=1&chapters=&notes=” id=”ep1190″ /]

HHS begins fining for lower impact data breaches

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA).  The primary violation was the loss of an unencrypted laptop containing Personal Health Information (PHI) for 441 patients, but the fine included non-compliance areas such as the hospice’s failure to perform a risk analysis and the lack of mobile device security policies and procedures.  This is the first HIPAA fine issued for a breach of PHI from fewer than 500 patients.

HHS Office of Civil Rights Director, Leon Rodriguez, made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size.  “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

This comes as shocking news to some who assumed that HHS would not take action on smaller breaches which comprise the majority of health care breaches.  According to the December 2012 U.S. Healthcare Data Breach Trends report, there have been only 500 breaches reported to HHS over the last 3 years involving more than 500 patients but the same period has seen 57,000 breaches involving less than 500 patients.  These businesses should be prepared not only for the cost of notification, lost customers, breach response and remediation, but also HHS fines in the years ahead.

When to call for help after a data breach | Network World

In spite of best practices, your organization will likely experience a serious data breach at some time. Once the initial shock of a breach wears off, numerous decisions must be made, and one significant decision is whether to seek help from outside professionals such as attorneys, computer forensics investigators, information security consultants, privacy consultants, or law enforcement. Read more in this article in Network World.

POS vulnerabilities via Dexter malware

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash registers and scanning stations to obtain credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 different countries with the majority of infected systems residing in North America and the United Kingdom.  The malware infected machines a few months ago, just in time to steal data from many of the holiday shoppers.

Dexter steals credit card data by recording downloaded files from the POS device and retrieving information from memory.  More specifically, it looks for Track 1 or Track 2 data which is read by most POS devices and contains the account holder name, account number and security code for a credit card.  The malware stores the data and sends it in batches every five minutes to the malware operator who can then use it to make false purchases or clone credit cards.

Malware researchers are still trying to determine how Dexter is infecting POS systems but POS owners are not defenseless.  They can protect themselves from the malware by using devices that encrypt the credit card data from the point at which the card is scanned through the processing stage in what is known as Point-to-Point Encryption (P2PE).  P2PE encrypts the data before it is placed in memory and Dexter is currently unable to decrypt the data so P2PE effectively stops Dexter from harvesting credit card numbers on the POS device.
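As an added example (not code from the original post), here is the kind of card-data discovery check a POS owner can run over a capture from the POS application's data path to confirm that P2PE is doing its job: plaintext Track 1/Track 2 data is reported (after a Luhn check to drop digit runs that merely look like card numbers), while the reader's encrypted output yields nothing. The sample buffers, the 4111111111111111 test PAN and the stand-in ciphertext bytes are constructed values.

```python
import re

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})\d{3}[^?]{0,100}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return (track, masked PAN, expiry YYMM) for each Luhn-valid track in buf."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", mask_pan(pan), m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", mask_pan(pan), m.group(2).decode()))
    return hits


# Constructed samples. 4111111111111111 is the widely published Visa test PAN;
# the PAN ending in ...1112 fails Luhn and must be ignored as a false positive.
PLAINTEXT_SWIPE = (
    b"\x00\x00%B4111111111111111^DOE/JOHN^25121010000000000?\x00"
    b";4111111111111111=25121010000000000?\x00"
    b";4111111111111112=25121010000000000?\x00"
)
# The same swipe as a P2PE reader hands it to the POS software: opaque ciphertext,
# so a memory scraper finds nothing (constructed bytes standing in for ciphertext).
P2PE_OUTPUT = b"\x00\x00" + bytes.fromhex("9f2c41b7e08a5d3c") * 6 + b"\x00"

if __name__ == "__main__":
    print(find_track_data(PLAINTEXT_SWIPE))   # two masked hits
    print(find_track_data(P2PE_OUTPUT))       # []
```

Running the check against the application's data path before and after a P2PE rollout is a cheap way to verify that card data really never reaches POS memory in the clear.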

Data breach fact gathering and intelligence

It is easy for miscommunication to happen after a data breach.  Many people may be working on the incident, each documenting differently, and without guidance critical facts can be lost to inconsistent or ineffectual documentation procedures.  This makes it difficult for incident response teams to understand the relevant facts of the matter.  Here are some guidelines for documenting a breach.

It can be very helpful to start with a timeline.  Discuss the incident with those who first noticed it and those who validated that there was an incident.  Put the time of the reported incident and the validation on the sheet and then add the events that led up to the incident.  Keep adding events to the timeline as you progress; this will help show the incident flow and help you determine the cause and effect of the incident.  Review the timeline with the incident response team and receive feedback.  The timeline can be used similarly to a murder board in a police investigation.  Post the known facts and their times on the wall in the incident briefing room and then tack on new facts to it as you progress.  You can do this digitally as well if the team is not all in one place.

Next, record the facts only.  Don’t let personal opinions creep into the log.  Documented assumptions can lead the incident response team in the wrong direction.  They can also be detrimental if legal action is taken as part of the investigation, as these documents could be part of the discovery process.

The National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide suggests that teams should have a person designated as the documenter while another person performs tasks so that the critical facts are not left out.

Lastly, don’t jump to conclusions.  There could be many explanations given the available data, so care must be taken to eliminate available options.  Determine what data you will need to eliminate an option and then seek that out.  Keep track of the possible scenarios and their underlying criteria and whether those criteria have been proved or disproved.
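As an added example, not from the original post, this Python sketch (class name, sample facts and scenarios are all constructed) keeps the three things these guidelines call for in one place: an event-ordered timeline that accepts facts only, the candidate scenarios with the criteria each depends on, and an elimination step that drops a scenario as soon as one of its criteria is disproved and ranks the still-unknown criteria by how many open scenarios they would settle.

```python
from datetime import datetime

PROVED, DISPROVED = "proved", "disproved"


class IncidentBoard:
    """Digital murder board: fact timeline plus scenarios and their criteria."""

    def __init__(self, scenarios):
        self.timeline = []               # (datetime, fact, source): facts only
        self.scenarios = dict(scenarios)  # name -> criteria that must all hold
        self.findings = {}               # criterion -> PROVED/DISPROVED; absent = unknown

    def record_fact(self, when, fact, source):
        self.timeline.append((datetime.fromisoformat(when), fact, source))
        self.timeline.sort()  # keeps the board in event order as facts arrive

    def set_finding(self, criterion, state):
        assert state in (PROVED, DISPROVED), "record evidence, not opinions"
        self.findings[criterion] = state

    def status(self, name):
        states = [self.findings.get(c) for c in self.scenarios[name]]
        if DISPROVED in states:
            return "eliminated"   # a required criterion failed: drop the scenario
        if all(s == PROVED for s in states):
            return "confirmed"
        return "open"

    def open_scenarios(self):
        return [n for n in self.scenarios if self.status(n) == "open"]

    def next_to_check(self):
        """Unknown criteria ranked by how many open scenarios each would settle."""
        counts = {}
        for name in self.open_scenarios():
            for c in self.scenarios[name]:
                if c not in self.findings:
                    counts[c] = counts.get(c, 0) + 1
        return sorted(counts, key=lambda c: (-counts[c], c))


def build_sample_board():
    """Constructed sample: a compromised VPN account with three candidate causes."""
    b = IncidentBoard({
        "phished credentials": ["user received phishing mail", "malware on user workstation"],
        "exploited web server": ["web server missing patch", "malware on user workstation"],
        "insider misuse": ["login from employee workstation"],
    })
    b.record_fact("2013-02-04T09:15", "Helpdesk ticket: user reports account locked", "helpdesk")
    b.record_fact("2013-02-03T22:40", "VPN login for user from unfamiliar IP", "VPN log")
    b.set_finding("login from employee workstation", DISPROVED)
    return b
```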