Archive for the ‘security’ Category.
SANS summary of HIPAA security rule
Via Counterpane: Crypto-Gram:
“Good seven-page summary of the 289-page HIPAA regulations”
[Introduction]
[Outline (PDF)]
Clay Shirky: Network Security will be a joke until IT departments recognize users’ power
Clay Shirky: Enter the Decentralized Zone
“The IT workers of any organization larger than 50 people are now in an impossible
situation: They are rewarded for negative events (no crashes or breaches) even as workers
are inexorably eroding their ability to build or manage a corporate sandbox. The obvious
parallel here is with the PC itself; 20 years ago, the mainframe guys laughed at the
toy computers workers were bringing into the workplace because they knew that computation
was too complex to be handled by anyone other than a centralized group of trained
professionals. Today, we take it for granted that workers can manage their own computers.
But we still regard network access and configuration as something that needs to be
centrally managed by trained professionals, even as workers take network configuration
under their control. There is no one right answer: digital security is a trade-off. But
no solution that requires centralized control over what network users do will succeed.”
Meta: spend 3-8% of IT budget on security
VNUNet: Security swallows a twelfth of IT budgets
IT directors have been advised to spend three to eight per cent of their IT budgets on ongoing security costs.
The figures are best practice guidelines given by analyst Meta at its 14th annual forum in Barcelona earlier this week.
Meta explained that the figure does not include special events, nor projects such as public key infrastructure implementations.
The analyst added that security budgets will increase by 10 per cent this year, as they had done in 2001 and 2002.
Financial services firms should spend eight per cent of their IT budget on security to cover ongoing costs. Energy companies should allocate 6.5 per cent, e-commerce companies six per cent, retailers five per cent and manufacturing companies three per cent.
These figures do not cover business continuity and disaster recovery, which should take up another 2.5 to four per cent, according to Tom Scholtz, vice president of security and risk strategies at Meta.
…
Meta’s nine components for a security programme:
- A governance structure that ties security to the business.
- A vision, reduced to quarterly deliverables, that drives toward an appropriately secured environment; an architecture that is adaptable.
- An organisational approach that supports accountability and the correct separation of duties.
- A plan to generate continuous cultural change.
- A maturity programme for security-related processes.
- An approach to supporting local management discretion in determining the appropriate level of security.
- The execution of processes that determine just how secure the environment is – right now!
- The execution of projects that make the environment more secure.
- The execution of processes which ensure that security is servicing the current needs of all aspects of the business.
LSD puts Sendmail bug under the microscope
The Register: LSD puts Sendmail bug under the microscope:
“Polish ethical hackers Last Stage of Delirium (LSD) yesterday published proof of concept code for a serious flaw in Sendmail which emerged this week.
In a posting to BugTraq yesterday, LSD provides a detailed analysis of the buffer overflow vulnerability for the first time.”
Hashing alone is not enough to protect privacy
The Wired News article “Gambling on Private Data Search” includes many naive-sounding quotes regarding hashing and data mining. Obviously hashing alone is not enough to avoid serious privacy problems. So is there more to this than the vendor quotes below? (I hope so.)
Systems Research and Development, a company known for helping casinos spot fraud, has developed a product called Anonymous Entity Resolution. It claims the technology can help investigators determine whether a terrorist suspect appears in two separate databases — say, a government watch list and a hotel reservation system.
…
It not only finds the information by comparing records in multiple databases, but also scrambles the information using a “one-way hash function,” which converts a record to a character string that serves as a unique identifier like a fingerprint.
“All it tells them is that they have somebody in common,” said Jeff Jonas, founder and chief scientist at SRD. “It doesn’t tell them who.”
Once a match is found, which happens when disparate records produce the same character string, agents can isolate those particular records without examining any other information.
A record that has been one-way hashed cannot be “un-hashed” back to the original record — any more than “a sausage can be turned back into a pig,” Jonas said.
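The gap the post is pointing at, as an added illustration in Python (not code from the article, from SRD, or from this blog): a plain one-way hash of a small-domain record can be read back by hashing every candidate, whereas a keyed hash (HMAC, assumed here as the alternative) confines matching to the parties holding the key. All records, surnames and the key below are constructed.

```python
# Added example (not from the Wired article or SRD's product): why a plain
# one-way hash of a record does not hide it, and what a keyed hash changes.
import hashlib
import hmac
import itertools

def plain_hash(record: str) -> str:
    """Unkeyed SHA-256 fingerprint, as "hash it before sharing" would do."""
    return hashlib.sha256(record.lower().encode()).hexdigest()

def keyed_hash(record: str, key: bytes) -> str:
    """HMAC-SHA256 fingerprint: only holders of `key` can compute it."""
    return hmac.new(key, record.lower().encode(), hashlib.sha256).hexdigest()

# Constructed sample records "surname,birth-year" (not real data).
WATCHLIST = ["smith,1971", "jonas,1964", "garcia,1980"]
HOTEL = ["jonas,1964", "brown,1990", "lee,1975"]
SURNAMES = ["brown", "garcia", "jonas", "lee", "smith"]
YEARS = range(1940, 2005)
KEY = b"secret shared only by the two matching parties"  # constructed

def recover_plain(fingerprints, surnames, years):
    """What anyone holding only plain fingerprints can do: enumerate the
    small input space, hash each candidate and read the originals back."""
    table = {plain_hash(f"{s},{y}"): f"{s},{y}"
             for s, y in itertools.product(surnames, years)}
    return sorted(table[f] for f in fingerprints if f in table)

def shared_matches(hotel, watchlist, key):
    """Matching with keyed fingerprints: both parties apply the same key, so
    an observer who sees only fingerprints cannot run recover_plain."""
    wl = {keyed_hash(r, key) for r in watchlist}
    return sorted(r for r in hotel if keyed_hash(r, key) in wl)

def demo():
    plain = [plain_hash(r) for r in WATCHLIST]
    keyed = [keyed_hash(r, KEY) for r in WATCHLIST]
    return {
        "plain_recovered": recover_plain(plain, SURNAMES, YEARS),  # all three
        "keyed_recovered": recover_plain(keyed, SURNAMES, YEARS),  # none
        "matches": shared_matches(HOTEL, WATCHLIST, KEY),          # jonas only
    }
# Caveat: the key only shuts out outsiders. Either key holder can still
# enumerate low-entropy fields, so the parties learn more than "a match".
```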
I2-NEWS: High-Performance Network Security Center Established for Research and Education
Internet2 ListProc-WWW: Archives for I2-NEWS:
Washington, DC–February 21, 2003–The first higher education-focused Information Sharing Analysis Center today was established by Indiana University through an agreement with the National Infrastructure Protection Center (NIPC). The Research and Education Network Information Sharing Analysis Center (REN-ISAC) operated by Indiana University will focus on the high performance network infrastructure dedicated to research and education. The “National Strategy to Secure Cyberspace” announced by President Bush last week calls for establishing ISACs to facilitate communication, develop best practices, and disseminate security-related information.
Silicon Defense CounterMalice
“With CounterMalice, information technology administrators can divide their organization’s network into cells and prevent worms from spreading from one cell to the next, said Stuart Staniford, Silicon Defense’s president.”
Citibank is trying to get an order gagging public disclosure of crypto vulnerabilities
Citibank is trying to get an order in the High Court today gagging public
disclosure of crypto vulnerabilities:
citibank_gag.pdf
I have written to the judge opposing the order:
citibank_response.pdf
The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly used
to protect the PINs used to identify customers to cash machines:
UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially find
out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a ‘phantom withdrawal’ case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm
For the last couple of years or so there has been a rising tide of phantoms.
I get emails with increasing frequency from people all over the world whose
banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the
customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.
Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that’s
an omen, if not a precedent …
Security gap found in SSL
Security gap found in SSL … (In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.
Patched in OpenSSL 0.9.6i and OpenSSL 0.9.7a.)
