Archive for February, 2016

Network Vulnerability Analysis – Linux and Unix audit tools

All computers and applicable devices in a corporate environment should be periodically checked using the security audit process and applicable tools.  Some good resources are shared below to facilitate these needs for Linux and UNIX operating systems.

https://isc.sans.edu/forums/diary/Quick+Audit+of+NIX+Systems/20771/

https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-rootcheck.html

If you think that only computers running Microsoft Windows are targeted by attackers, you’re wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services are relying on it (Netcraft is compiling interesting stats on this topic). UNIX web servers are constantly visited by bots which are looking for vulnerabilities. When new ones are discovered, it never takes a long time to see new scanners crawling the net.

Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls. Besides the classic monitoring of log files, reactive security controls may include a deeper check at the operating system level to look for suspicious activity like processes, files, … On the proactive side, misconfigurations must also be tracked. A few days ago, Daniel Cid published an interesting article about the tool “rootcheck”. It is a component of the well-known OSSEC suite but a standalone version exists. To use it, just follow those simple steps …

Microsoft – Security improvements for Health care records

Microsoft is highlighting the need for improved protection of patient health care records and will be providing assistance in the coming months.

http://www.eweek.com/security/microsoft-calls-for-health-care-security-intervention.html

After a seemingly nonstop series of breaches affecting health care organizations, the software giant announces plans to engage with IT security professionals in the industry.   Overflowing with sensitive personal data and payment information, health care systems are a prime target for hackers.

In October, Accenture estimated that over five years, cyber-attacks will cost U.S. health systems $305 billion in cumulative lifetime revenue. One in 13 patients can expect to have their personal information stolen, including financial details or Social Security numbers, during that time.  Early last year, health insurance provider Anthem reported a data breach affecting 80 million users. Around the same time, fellow health insurer Premera disclosed a breach affecting up to 11 million people.

Faced with these risks, Leslie Sistla, chief information security officer of Microsoft Worldwide Health, is calling for “security intervention in health care.” One industry’s approach to data security can fall short in another industry, particularly health care, where personal, health and financial information often intersect. “The natural tension between safeguarding data and giving clinicians quick access to patient records, often in life-or-death situations, means the practices that serve other industries can’t just be mimicked in a healthcare setting,” said Sistla in a Feb. 24 advisory announcing a new outreach effort by her company.

In addition to new investments in security research and development, Microsoft intends to provide health care IT professionals with strategies and guidance with a new blog series. “In future posts, we’ll look at how to mobilize entire organizations, from the C-suite to the clinic, to support a shared culture of cybersecurity,” she pledged.  The company will be also sharing its findings, including “some surprising gaps in the kinds of data protected under HIPAA [Health Insurance Portability and Accountability Act],” along with recommendations on balancing security with the data accessibility demands of running a health care organization.

Ransomware – California Hospital network impacted

While a California hospital could potentially have gone to backups to recover, they negotiated a $17,000 payment to decrypt key computers. It was seen as the least expensive remedy to bring systems back online without rebuilding systems and network controls. These encryption-based attacks are increasing, and data backups are critical along with strong malware detection and prevention controls.

https://threatpost.com/hollywood-hospital-pays-17k-ransom-to-decrypt-files/116325/

After being knocked offline for nearly two weeks, officials at a California hospital that was hit with ransomware elected on Wednesday to pay attackers.  The Hollywood Presbyterian Medical Center (HPMC) shut down computers on its network on Feb. 5, after attackers allegedly asked for 9,000 Bitcoin, or just over $3 million USD, to unlock medical files stored on its system.

While the hospital didn’t pay anything close to that figure, they did pay 40 Bitcoin, or roughly $17,000 USD on Monday this week, according to a notice published last night by the center. HPMC president and CEO Allen Stefanek defended the hospital’s actions, saying it was the quickest way to solve their problem. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote, “In the best interest of restoring normal operations, we did this.”

While surprising, the move actually echoes sentiments made by Joseph Bonavolonta, Assistant Special Agent in Charge of the CYBER and Counterintelligence Program in the FBI’s Boston office, during a conference last fall. “To be honest, we often advise people just to pay the ransom,” Bonavolonta told a crowd at the Cyber Security Summit in October.

Leadership – Success requires good relationships within the team

As reflected in John Maxwell’s excellent blog, our human relationships are an important ingredient for success.

http://www.johnmaxwell.com/blog/how-do-you-define-success

If you want to truly succeed in this life, you need to ask yourself a question: Is your pursuit of success drawing you closer to – or farther from – the most important people in your life? If you want to redefine success the way I did, here are some ways to put your decision into practice:

Determine your priorities — How much of your calendar is devoted to your family and/or close friends? On your budget and to-do list, where do you write in your loved ones? No relationship can survive for long on leftovers. Early in my career, I focused so much on work that I neglected Margaret. After I realized this, I changed. I carved out time for her. I protected my day off. And we dedicated money in our budget to facilitate special times together. It’s been said that a lot can be learned about what a person values by examining two things: their calendar and their bank statement. They show where people spend their time and money. What do those things say about what you value?

Develop your problem-solving strategy — I think a lot of people go into marriage expecting it to be easy. Maybe they’ve seen too many movies. Marriage isn’t easy. Family isn’t easy. Close friendships aren’t easy. The best plan is to expect problems, stay committed, and develop a strategy for getting through the rough times. Talk to your loved ones about how you could improve your problem solving together. (NOTE: Do this during a calm time, not in the middle of a conflict!) Many problem-solving strategies exist, from family meetings to fair fighting rules. Use the ones that work for you. Just be sure that they foster and promote three things: 1) Better understanding, 2) Positive change, and 3) Growing relationships.

Social Media – Five Techniques to clean up Embarrassing Posts

As it is always important to be careful in online media postings, some beneficial techniques noted at the Learnvest site can help clean up prior history:

http://www.learnvest.com/2016/02/surviving-a-social-media-disaster-at-work/

Whether it’s a celebrity Twitter feud or a corporate social media disaster, we’ve all seen how online posts can flare up into huge news. But you don’t need to have started an international career-ending media storm to have your online presence wreak havoc on your professional life.

In fact, the National Labor Relations Board has ruled in recent years that employers can justifiably fire you for comments you make on social media, even if they had nothing to do with work. Meanwhile, a 2015 CareerBuilder survey found that 48% of hiring managers have found something on a potential hire’s social media account (such as inappropriate photos or discriminatory comments) that caused them to pass on that candidate.

So what do you do if you’re feeling a bad case of social-media remorse? We asked a few experts to outline the steps to take if you find you need to do some damage control and reclaim control of your online brand

Step 1: Figure Out ASAP Who’s Likely to See and Take Issue With Your Social Media posting
Step 2: Get Rid of the Evidence – Deleting
Step 3: Apologize, As Needed
Step 4: Scrub Your Social Media
Step 5: Reinvent Your Online Self

So here’s a quick cheat sheet on how to do that across some of the most common social media platforms:

Facebook: Go to your Activity Log. From there, you can delete a post, hide it from your timeline or untag yourself from any questionable photos. (Better yet, ask your best buds if they’re willing to delete any photos of you that they posted.) For further control, you can enable your privacy settings to review posts or photos your friends tag you in before they hit your public timeline.

Twitter: Go to your tweets, open the offending tweet, choose the ellipsis symbol and hit “Delete Tweet.”

Instagram: Go to the incriminating photo, tap the ellipsis shown beneath it and hit “delete.”

LinkedIn: Go to the regrettable update and hover your cursor over the time stamp on your update. You’ll see the option to delete in the drop down menu.

Google+: Click on the post you wish never existed, click on the menu icon (the three vertical dots) and select “delete” from the drop-down menu.

Mobile technology – Samsung 256GB Flash memory chips

Samsung is currently mass producing 256GB embedded flash memory chips for future phone systems and devices, as noted in the article below.

http://www.pcworld.com/article/3038034/mobile/samsungs-256gb-flash-chips-point-to-super-sized-storage-for-future-phones.html

Samsung’s 256GB flash chips point to super-sized storage for future phones.  Samsung’s latest embedded storage chip for mobile devices puts 256GB within reach of smartphones.

Your next phone might pack a whopping 256GB of onboard storage thanks to Samsung. The Korea-based electronics maker announced on Thursday that it’s now mass producing 256GB embedded flash memory chips for smartphones and other devices. The new memory chips are smaller than a microSD card and can pack up to 256GB thanks to Samsung’s cutting-edge V-Nand technology.

Based on the Universal Flash Storage (UFS) 2.0 specification, the new memory is almost twice as fast as SATA-based solid state storage drives on PCs, Samsung says. The new memory uses two lanes of data transfer to reach speeds of up to 850 megabytes per second (MB/s).

Samsung says you’ll be able to transfer a full HD movie in about 12 seconds over a USB 3.0 cable at those speeds—assuming a 90-minute movie with an average file size around 5 gigabytes. The new memory also supports what Samsung calls “seamless ultra HD playback and multitasking functionality” on tablets and other large screen devices.

Malware – MouseJack wireless mouse and keyboard vulnerabilities

This new proof-of-concept attack requires the attacker to be physically near vulnerable workstations and for the workstation not to be password protected while the user is physically away. While there are impracticalities for most attacks, this may provide conduits to inject malware into a system to weaken other security controls.

http://www.networkworld.com/article/3036463/mobile-security/countless-computers-vulnerable-to-mousejack-attack-through-wireless-mice-and-keyboards.html

Countless wireless mice and keyboards can be hacked from 100 yards away leaving their host machines and the networks they are attached to open to malware, Bastille has discovered.  The problem, which is being called MouseJack, affects Amazon, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft products, the company says, and likely more vendors’ gear that they haven’t tested. Logitech alone shipped its billionth mouse in 2008, so the problem is widespread.

The weakness lies in the protocols used between the devices and the USB wireless receivers attached to host computers, says Mark Newlin, the Bastille researcher who discovered the problem. They are unencrypted, leaving the devices susceptible to keystroke injection attacks.

That can be done from a remote computer equipped with an off-the-shelf USB wireless dongle sending keystrokes, he says. He says it took between days and weeks to reverse-engineer the protocols himself so he could send the keystrokes.

The remote machine can be 100 yards away as long as it has direct line-of-sight with the target. That distance could be increased considerably by adding an auxiliary antenna, he says. Users of the machines would have to be away from them and logged in for the attack to work. If they were there they’d see the attack strokes being entered.

Dell notes that if customers use a password on their login screens and don’t walk away from their computers while logged in, the attack won’t work unless the attacker can break the password.

Security Standards – PCI DSS 3.2 update for mid-2016

PCI DSS 3.2 will be more of an incremental than a major standards update when it is released in mid-2016.

http://searchsecurity.techtarget.com/news/4500273477/PCI-DSS-32-marks-the-end-of-major-updates-to-the-standard

The PCI Security Standards Council announced it will publish a new version of the PCI Data Security Standard sometime in either March or April, and PCI DSS 3.2 will be the only release for the year.  The aim, according to the council, is to release early and include long sunrise dates in order to allow organizations more time to deal with changes related to the EMV (Europay, MasterCard and Visa) chip rollout.

“First, we must address the revised migration dates away from SSL and early TLS [Transport Layer Security],” Leach said. “Second, the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.”

Organizations should be aware that PCI DSS 3.2 will become effective immediately when it is released, and version 3.1 will be retired a short three months later. This means any PCI DSS 3.1 assessments in progress would need to be completed by either June or July, depending on when version 3.2 is published.

Leadership – 2016 Secrets for Success RELATIONSHIPS

John Maxwell is sharing a new weekly series during 2016 called the “Secrets for Success”. The third week focuses on building relationships with team members and other key stakeholders.

http://www.johnmaxwell.com/blog/secrets-of-success-week-three-relationships

Welcome to week three of my Secrets of Success blog series. If this is your first time reading, I won’t keep you in suspense: the secret of success is determined by your daily agenda. That means the key to your long-term success is found in your daily short-term decisions. When you choose to make wise decisions in key areas each day, you experience significant growth over time. That growth is what fuels your success.

Because it matters so much, I want to share four simple actions you can do each day, with everyone from your spouse to your kids to your co-workers. Hey – you can even do these four things with perfect strangers! If you want to transform all of your significant relationships for the better, you need to:

1. Listen – spend time trying to understand the perspective of others. Don’t rush to talk or solve problems; give them your full attention, your open mind, and your reservation of judgment.

2. Encourage – ask questions that draw out the opinions of others. What do they care about? What do they see? Why do they think or feel the way they do? Good questions help you uncover great insights.

3. Reason – carefully think through your response. You want to consider how the other person will react to your ideas. Don’t just rush to get an answer out; take time to reason through your ideas.

4. Respond – share your ideas with the other person, making sure to include your reasoning and how you took the other person’s ideas into account. Follow up with any action you propose

Wireless Technology – New high speed 5G standard initiatives

Some early pioneers have 5G standard initiatives which could materialize in a couple of years.

http://www.nytimes.com/2016/02/23/technology/construction-begins-on-the-5g-wireless-dream.html

http://www.nytimes.com/2016/02/22/technology/5g-is-a-new-frontier-at-mobile-world-congress.html

Most people think that trying to download an entire movie to a mobile device is the act of a madman. Or the act of someone with plenty of time and money to burn. But in Europe work has begun on one of the first examples of a new generation of wireless technology that could make mobile movie downloads not quite so crazy. The work, headed by Samsung, Fujitsu and other big companies, on so-called fifth-generation or 5G is set to be completed in a town south of London by 2018.

The British project is hardly the only 5G effort underway. Wireless carriers like AT&T and Verizon are also working on 5G projects, and Facebook is even heading a project to bring an open-source version of 5G to consumers. Google is spearheading similar efforts to add rocket fuel to wireless networks.