Articles in the ‘Security’ Category

Believe it or not, a patient sued his dentist for charging him a fine of $100 simply because not liking the services of the dentist the patient submitted bad reviews at two consumer forums. The case is now up in theManhattanfederal court.

Stacy Makhnevich, the dentist made her patient Robert Lee sign a privacy contract before she proceeded to treat his infected tooth cavity. This happened in November 2010. After the cavity was filled Lee received a bill amounting $4,766 which he cleared that year itself. However Stacy the dentist did not mail him doctor’s copy of the operation which he wanted to file with his insurance company for medical reimbursement. Quite disgusted by the way things turned out Lee vented his frustrations over two popular consumer review forums: Yelp.com and DoctorBase. “Avoid at all cost!” “Scamming their customers!” Is what Lee wrote.

According to Lee’s attorney Paul Alan Levy, things began to turn worse post forum-review submission. Robert Lee was sent $100 fine notice for each day that hosted the review online. This was accompanied by the threat of a lawsuit for breaking the contract policy that Lee signed before he underwent the cavity operation. Apart from this Stacy Makhnevich also sent lawsuit threats to Yelp and DoctorBase pressurizing that they delete Lee’s comments from their respective pages.

Robert Lee saw no way of getting out of the doctor’s malice and therefore filed an official lawsuit against her and why would he not? “What Lee did is natural” supports Paul Levy. Privacy agreement contract like the one that Lee signed saying he would not circulate comments on Stacy’s work, compels people to suppress truthful facts. This however is quite a trend in recent business. Such contracts aim at “abusing” intellectual property laws aiming to cover consumer criticism opines Lee’s advocate.

Robert Lee was not very keen to sign the contract but because he had a painful tooth he did not see any immediate resolve to deal with the situation. So he signed. But what has become of the situation now is quite stressful for Lee to bear. According to Robert Lee’s lawsuit the contract prepared by dentist Stacy Makhnevich was quite against healthcare morals, was misleading and “not valid under state law”.

Another reason that Paul Levy pointed out is that websites such as Yelp.com is protected by copyright laws ad therefore such commentary a Lee posted is legally protected as “fair use”.

Lee proposes the court to put to void the contract he and many other patients signed for Stacy’s clinic. Also he demanded the Stacy to return his entire cost of medical treatment charges. 

Heard of internet banking, online stock account, money transfer via internet? These are ways how you can easily monitor your financial records without having to do a lot of running about. However most often clients are reluctant to use internet for online monetary transactions. This is because the fear of security breach is nightmarish and there are severe incidents where bank accounts have been hacked and all money went missing! Yes this can happen to you too. Given the financial crisis that the community faces it has become a tasking challenge to seek out cost effective ways to improve business procedures and to retain clients. The only question that crops up here: “How safe our informations are with the financial institutions?” Indeed this is a highly sensitive issue.

If you compare the IT security breach report of 2009 to 2010, you will be shocked to know that in about four months there has been on an average, 20 breaches amounting to loss of million of dollars. Most of the breaches resulted because of internal misuse of information or hacking by outsiders, people believe. However the case is otherwise. Most of the security breach incidents took place because of “accidental exposure” and “loss of data”.

Such breach incidents occurred both in small and big organizations all across the economic world. Data breaches covered loss of private information like names, address, birth date, SSN (social security number and PAN (Personal Account Number). of all breach records the common most incidents are: an outsider hacking a company’s central computing network or angry and vengeful ex- employees  taking away key customer information. Regardless of how the data is lost, stolen or misplaced, the people that are affected much by such security breaches in IT sector are the unaware customers.

The 2010 data breach report includes names such as

Citi Group: tax return paper of over 550,000 came with SSN sealed on the outside of the envelope.

US Bank: reported that a laptop went missing which contained important clients’ information

Securities and Exchange Commission: laptop containing names and SSN was stolen

ING Fund: for this institution it was most surprising and shocking that over 100 clients SSN and bank account number could be accessed through a common search engine.

John Hancock: an internal executive misplaced a CD that contained vital account information and social security numbers of 1,050 customers.

Wells Fargo: lost SSN and Bank account information of 953 clients.

Sun Trust Bank: Bank accounts of over 100 customers were compromised by ATM skimmers.

Despite repeated breaches often an institution tries covering up the lead. The reasons to this: fear of business downsize, loss of potential clients, fear of getting black listed and ultimately losing out their market stand.  

General attacks that can affect you

Apart from the most obvious ways of losing your personal financial information that has been discussed above, there are plenty of other things that can affect you in an equal bad manner.

Phishing: Professional hackers use this method to extract crucial information / financial report. Generally these hackers try to convince people to invest with their make-belief companies thus in a way deriving private information. The hackers might talk to you in person or you may receive mails asking for your date of birth, SSN, PAN, bank account number, credit card number, name, address etc.

SQL Injection:  This is one of the various tactful ways of gaining access to personal information stored in a computing system. This strategy is put to use in the form of web attack mechanism which provides a SQL query form as soon as you use a login name to open your account in a webpage. 

D Do S: This method is called the Distributed Denial of Service Attacks. In here when you open a webpage you will probably have a multiple number of systems attacking that single target. This slows down the system and often leads to complete shut down of the page. This way you will be denied access.

APT: known as Advanced Persistent Threat is one of the most intelligent cyber crimes that an antivirus can hardly detect. It’s a sensitive spyware that when infused to a system can collect data from hidden folders without any trouble.

Key Stroke Loggers: such design monitors what keys are typed on a keyboard and thus can easily collect passwords to private accounts. A person using the keypad won’t be aware of such malice.

Such sophisticated social engineering attacks are becoming popular everyday. Therefore it is essential that you learn the schemes before you operate from any unknown system.

Laws against cyber crimes:

If you detect something fishy it is advisable that you immediately check with your bank manager or the concerned people who can provide proper information. The state and the federal government in their effort to constraint cyber crimes have implemented severe laws against cyber-attackers. Let’s read through some of the options:

  • Gramm-Leach Bliley Act: civil lawsuits, fines and imprisonment
  • Payment Card Industry Compliance: fines of million of dollars
  • Fair and Accurate Credit Transaction Act: Lawsuits and imprisonment
  • Red Flag Rules: $10,000 fines on every incident and imprisonment
  • Federal Financial Institutions Examinations Council: Lawsuits and imprisonment

 

Aren’t the Laws good enough to protect information breaches?

The laws that are mentioned above are well schemed. However the reasons why organizations fail to provide guaranteed security is because of: cost, company rules and regulations and volume of data. Proper maintenance requires good money. This directly affects a company’s employment and available technical facilities; without which it gets real difficult to cope up with much required security measures.

 

The need to protect your information:

The need to protect yourself is no more a speculative affair. It is much of a necessity. With increased number of data breach events you need to ask yourself: can you afford to let your money get into wrong hands? Will you be able to recoup the future loss? No? Then consider going following reviews of

1. IT Security

2. Data sensitivity

3. Malware protection

4. Business impact analysis

5. Penetration Test

6. Assessment of Vulnerability

These factors if kept in mind and also if implemented assures quality security to protect customer information without much hassle. If your financial institution is not trust worthy then customers will turn away. There should be no doubt. In order to generate trust you need to build a secured transaction system first. The rest would follow. 

Report of numerous data breach events has created panic in people. Patients are no longer sure whether to trust doctors or the management authority. While HIPAA constituted safety rules against theft of Protected Private Information, no concrete implementation of Violation laws can be cited.  However with reputation at stake, hospitals and other medical care units are trying their best to follow HIPAA measures that has been designed to protect health care sector from external technical raids, interference and data breach incidents.

 HIPAA / Health Insurance Portability and Accountability Act focuses on security aspects of using electronic medical reports (for storage and transfer) . For an administrator of a hospital it is impossible to file records in the manual way. Therefore most hospitals have a computing system that can help with remote access, data collection, and maintenance and relocation of important documents and records. To secure such extensive information, HIPAA recommends using security tool-kits. One such tool was recently introuduced by The  National Institute of Standards and Technology.  You can download a free copy of here.

 HIPAA security tool-kits can be applied to both small and large scale business. Such tool-kits contain operation manual in the form of guide book, video etc. security tool kit   helps in thorough risk management. There are numerous HIPAA security tool kits in the market: CPRI kit, NCHIC’s HIPAA overview tool, SEI’s Self risk assessment tool, WEDI’s HIPAA security summit implementation and many more.

 CPRI kit can mitigate daily risks through constant updates on security laws, implementing deploy technology and augmenting patients co-operation. It also caters to issues in Electronic usage; like faxing, mailing, maintaining HCFA internet policy and prevention of internet hacking. Overall such program consolidates disaster recuperation and business expansion plans,

 To properly utilize security tools the first and foremost thing that the management can do is prepare a risk-assessment plan. This way identifying the problems will become easier. Designing appropriate policy and contracts pertaining to the industry (look up HIPAA, FTC, PPI, and HHS laws) is also an important step. security tool-kits are designed to perform such tasks in a calibrating manner.

 To avail HIPAA security tool kit, look up internet and start analyzing. To choose the right application/ tool-kit, you can consult online personnel. Security tool-kits should be able to address all HIPAA concerns. Another alternative is to check with NIST’s (National institute of Standards and Technology) advanced HIPAA toolkit that has been recently launched.

 This one encompasses all basic security issues, like access control, physical security and back-up; disaster-management program, like legal procedures to undergo after a breach event; risk management issues; and both employer and patient’s personnel issues.

Technology it is desired should improve to an extent that it can avert the related harm caused by its benefits. Emailing is a popular concept. It is a quick way to transfer or exchange data between two or more computing system. It is time saving, cost effective and a modest solution to distant employment.

 Many surveys have been conducted to prove how sending emails are a popular mode of communication between official and non-official people. Radicati group pronounced that in 2010 near about 294 billion emails were dispatched in a single day and about 90% of these emails were spam and contained virus. And therefore dawns the concern for email security.

 To be able to practically judge the distress first it is required that we understand the possibilities as to how a single email can corrupt an entire system.

  •  Emails can be forwarded in lot. At times this happens without the notice of a user. It needs to be noted that a few viruses have the capability to track stored addresses on the users profile and automatically operate a forward function. If the recipient opens the email, then the virus immediately attacks and disrupts the functionality of the PC.
  • As emails can carry loaded/ attached messages of all kind they invariably contain the risk of virus contamination. Also sometimes the user-friendly features of email might expose a system to undetected malwares or spywares.
  • Hacked email account can also be used to send messages to the entire “address list” containing friends, family and co-workers causing embarrassment, and great loss of trust.

 All these features of email can make it to be a cause of IT security breach. Now the next question is how to secure your emailing options?

 It is possible to secure your email in the following manner:

      Check upon the sender

  •      Install authentic firewall, anti-virus, anti-spam, antiphising and software patches.
  •      Store and examine an attached file before you open.
  •      Put off the option to automatically download files and attachment in emails.
  •       Consider email archiving with a robust VNP. Also it is a good option to install filtering softwares that will eliminate spam articles before they are stored to your inbox.
  •       do not use multiple-operator mode to prevent infringement

 Above all it is better to trust your innate sense while using /opening/ sharing an email. Many instances are recorded where personal data and information have been extracted with the help of an email. This has resulted in identity theft, monetary theft and message fiddling of the high priority business mails. National Institute of Standards and Technology provides guidance on technical leadership directed to meet welfare requirements of public. This institute works to formulate a fitting strategy that will secure the federal computing systems with sensitive and outright protection technology.

The importance of technical back-up to an administrative system is an unavoidable reality. The source and significance does not limit itself to prodigious multi-national business firms only. The need has become apparent in medical and health care units as well.

 A supporting case was reported a few days back when the Gwinnett Medical Center in Lawrenceville, Georgia turned down all patients with Non-urgent medical conditions from admission owning to a “Virus” attack in their computing system. This limited possibilities of technical application and the administration found it difficult to cope with quick manual filing of procedure papers. Nonetheless this particular case is not the only instance that rings a warning bell. A similar incident occurred at New Zealand’s St John ambulance service. A certain un-identified malware attacked their computing system and interrupted online connectivity. As a result workers had to use manual radios.

 The primary cause of disruption still remains undiscovered. In all probabilities the management stated that the virus (Conficker or its variants) spread either from a USB stick or a personal laptop that a staff might have used on the sly. In both the above mentioned incidents, situations were restored in due time and functionally the management tidied the matter quite well. Another major instance that can be cited in reference to such technical failure is the London incident in 2008 when three hospitals were pulled down with more than 4700 computers being infected by a malware: Mytob.

 The resolve of such matters is not to keep every worker under physical surveillance; it is not a feasible idea. Rather the use of potent anti-virus protection, robust firewall, Intrusion protection program, Virtual private network system, URL blocking etc are viable options. A strong IT setup is required that will execute periodic scrutiny to keep the system in place and to keep it running unhindered. Industrial usage necessitates an effective technical build-up plan, a supportive strategizing that can work as an alternative in case the central system runs kaput. This is more than essential for a field as important as medicine and health. A little delay can cause loss of life which will go much against the reputation of an institution.

 Serious observational takes require the concerned management to consider all legislative lay-outs, the mandated protocols charted by Public Health Care Act. Conformity and compliance is a must.

 Take a look at your network one more time and ask the following questions.

 What preventive systems do we have in place?

      •  Network Security Devices
      • End Point Security
      • URL Filtering/Blocking
      • Email Security
      • Network Segmentation
      • Strong Passwords

 Are Employees Trained and Aware of Security?

      •  Employees should be trained on monthly basis.  They should be made aware of current trends and attacks going on in market.  They should be aware of the risk and how it will affect the practice and patients.
      • Have a network security policy that should be reviewed with each new employee.

 What will you do if your server or computers malfunction?

      •  Have a plan in place.  Play out the scenario with employees and see how they react to it and how quickly they can move to contingency plan.

 Give Fixtro a call to get a free network assessment.  Learn and understand the risk you may be taking. 

 

How much a potential HIPPA security violation can cost a health care provider?

In a recent incident, HHS entered into a resolution agreement with the UCLA Health System to settle the potential violations of the Privacy and Security Rules.  UCLAHS agrees to settle the complaints for $865,500 and has dedicated to a corrective action plan that will fill in the gaps in its compliance with the rules.

Basis of investigation was complaints filed on behalf of two known celebrity patients claiming that University of California Los Angles Health System employees repetitively and without acceptable reason looked at the electronic protected health information of these and other UCLAHS patients.

Investigators also found that UCLAHS did not provide and/or document the provision of necessary and appropriate Privacy and Security rule training for all the members of its workforce to carry out their job duties

Authorities also pointed that UCLAHS failed to implement security measures sufficient to reduce the risk of such impermissible access to protected electronic health information by authorized users to a reasonable and appropriate level.

You can read the detail resolution here.

On wednesday California governor Jerry Brown has signed into law a bill that enhances existing data breach notification requirements for businesses.

State of California already requires that businesses and organizations notify residents if their personally identifiable information (e.g email address, phone number, social, address) is compromised. California was the first state to enact such a law, and since its introduction in 2003, nearly all of the other 50 US states have enacted similar laws to suit their needs.

The new enhancement to the California law requires that breach notification letters contains the specifics of the incident including what type of personal information was exposed, describe the incident, and offer advice to protect oneself from identity theft. In addition, breaches affecting 500 or more individuals must be reported to the state attorney general’s office in writing.

The enhancement bill has been vetoed twice before by former Governor Schwarzenegger.   Governor defended his decision by saying there was no proof the additional information required by legislation would actually help consumers.  In addition, he didn’t see why attorney general’s office needed to become a “repository” of breach notifications.

Businesses for years have ignored the importance of protecting their customer data.  And for the most parts customer didn’t care either until they became the victim of identity theft.  You hear about big banks and financial firm’s data breaches due to media coverage but very rarely you hear about a CPA whose server got infected with spyware or about a financial advisor whose laptop got stolen.  These are far more common instances where possibility of data breach is very likely due to lack of proper security.  Consequences of data breach are no longer confined to large organizations only. Small business owners are equally responsible.

According to the Ponemon Institute’s First Annual Cost of Cyber Crime Study, published in July 2010, Privacy-related breaches cost an average of $204 per customer record that is lost or stolen.

Do you have a system in place to recognize the data breach? Will you be able to properly describe the incident and notify the customers on time?  You have a document ready to advise your customer about the identity fraud ?

 

President of United States have special power to invade other countries like Afghanistan or Iraq.  And soon he will also have the power to kill the Internet.   

Cybersecurity is a serious challenge for congress this year.  There is a proposal floating around in Washington that would allow the president to deal with this challenge by partially shutting down the Internet.   

Critics are concerned about the emergency powers of this bill, stating it gives the president an Internet Kill switch. Many tech and civil liberties ground have found the language in proposal too ambiguous and are afraid of misuse of powers.  At the same time, leaders familiar with the proposal do not agree with “Internet Kill Switch” statement.    According to them President would not be able to shut the Internet traffic as Egypt did in past.

Still think I am joking, you can read the summary of this bill on Reuter. Don’t be shocked to learn  that the new powers would give Obama a free hand to not only shut down entire areas of the Internet and block all Internet traffic from certain countries, but under the amalgamated bill he would also have the power to completely shut down industries that don’t follow government orders.

Many government officials around the world consider Cyberspace as a National Asset.     In United States you can expect to see many bills to protect our Cyberspace.  One such bill is Cybersecurity Education Enhancement Act, which would allow Department of Homeland Security (DHS) to set up new Cybersecurity training programs.

Another important bill likely to be introduced is one that would require small, medium and large businesses with data breaches to notify affected customers.    Many states already have similar laws on the books.   Companies like Symantec and other security groups have long pushed for such laws.

Sounds like both the fedral government and state government have plans to deal with Cybersecurity.  What are your plans? How are you protecting your business and customer data?

 

In today’s world where competing for price, service and quality of product is hard, one may look for alternatives to survive in bad economy.  Someone may consider hiring a hit man to deal with their competition but this approach is expensive and dangerous.  Easier option is to launch an attack on a competitor website, it’s cheap, you can do it for as little as 10 dollars per hour.

There are automated tool you can use that can bring the website down or for couple hundred dollars you can hire a professional by visiting some underground forums. Automated tool or hacker can bring down a website by launching a distributed denial of service (DDoS) attack.

Denials of Service (DDos) attacks make use of botnets, or networks of compromised computers running malicious software that fire off requests to a website. The owners of those computers are almost never aware that their computer is compromised and they are part of an attack.

When attack is launched compromised computers start sending numerous requests to receiving site’s server.  The receiving site’s server gets overwhelmed and crashes, shutting the site down at least temporarily.  Big companies spend millions of dollars protecting their more-trafficked sites with better defenses, but a larger network of computers can take those down too.

News on the block is that going rate for an international hacker is about five to ten dollars per hour. Rate may vary, but for about 1,000 – 2,000 dollars one can hire a DDoS attacker for a month.   During one month a hacker with basic computer knowledge can easily bring down hundreds of small business websites with little defense in place.

According to the author of popular do-it-yourself hacking tool, Darkness, 20,000 bots in the network can take down just about any site.  In fact, you can download a free copy of software with limited functionality.   Automated tools can find the bots on the internet and launch an attack on website of your choice.  In other words,   there is pre-requisite to become a hacker in today’s world. Simply download a program, click run and you are done.

I am sure some of you may ask if I can provide a link or two to some automated tools that you may try. Allow me to politely decline any such request in advance.

 

Free Starbucks Gift Card

You may have seen many promotions claiming to give you a free Starbucks coffee. But often times these deals come pre-pack with many catches. (e.g subscribe to a magazine or sign up for credit card.) Well, here is an offer one cannot refuse. Get a Free Coffee at Starbuck with no strings attached. Jonathan Stark, generous programmer and writer (not affiliated with Stark Industries or Iron Man) has decided to share his preloaded Starbucks card with you.

How can I use his preloaded Starbucks card?

Download the above image of his Starbucks Card to your iPhone or any other smart phone and pay for your drink by simply scanning the barcode at Starbuck location within the United States. You can get latest updates about the Stark’s Starbucks card and balance by following Stark’s Twitter feed and Facebook page. Blog post on CNN stated that more than 500 people donated a total of $8700.00 as of last Wednesday.

However, there is chance that card may have zero balance by the time you visit your nearest Starbuck. So, hurry up and visit the Starbuck near you. Just kidding! Starbucks is not affiliated with Mr. Stark in any way but this experiment has sure created a buzz in media. Perhaps, Starbucks should hire Stark as a public relations manager or some other role.

What should you do after picking up your “free drink”?

Stark only request that people who use his card to share their experience by tweeting what they bought or take photo of receipt, drink or store. Want to share the joy? You can easily refill the card and share it with other s. Simply refill the card and update on twitter and/or facebook. Idea is to buy coffee for strangers, an Old Italian tradition (Caffe Pagato). According to Stark’s twitter feed, people have been refilling the card throughout the day. I guess American’s still believe in sharing in spite of high gas prices and high un-employment. At the very least, refilling the card may make you feel good about one thing – buying stranger a cup of coffee.

Sounds good but can someone abuse this?

Off course, there is always risk involved whenever you share information publicly. Starks card was hacked within couple days of its launch. Sam Odio, an entrepreneur, manipulated Jonathan Stark’s Starbucks card to transfer $625 of the balance to his own Starbucks Card. According to Sam there is no harm in taking the money donated by others for coffee purchases and donating it to charity instead. I am sure many readers will disagree with Sam’s point of view.

What do you think? Do you find this whole story to be a Strabucks viral marketing campaign, or do you find it ok for people like Sam Odio to use people’s money for whatever they want or do you think more can be done to protect the Johnathan Stark card. Tell me if you used the card and if you will refill the card in spite of security concern.