
TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages shipped with Debian systems contained a flaw in their random number generator: it was seeded with almost no entropy, so the keys and other secrets generated on affected systems come from a small, predictable set, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gets complicated and is ripe for error. Enter Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?), and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.
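The reason it is bigger than patching is that the update only fixes the generator; every key already produced by it stays weak until someone finds it and replaces it, and that means an inventory. As an added example of that inventory step (code written for this post, not Debian's tooling and not Venafi's product), the Python below walks a tree for authorized_keys and .pub files, parses each ssh-rsa key from its RFC 4253 wire format, and compares a fingerprint of the modulus against a blacklist of known-weak keys. In practice you would use the blacklists Debian shipped with its ssh-vulnkey and openssl-vulnkey tools; the fingerprint format here (SHA-1 of the hex modulus) and the sample keys, which are tiny constructed integers rather than real RSA keys, are assumptions made for the example.

```python
"""Inventory ssh-rsa public keys and flag any whose modulus is on a blacklist.

Added example for this post, not Debian's or Venafi's tooling.  The blacklist
identifier used here (SHA-1 of the modulus in uppercase hex) is an assumed
format for the example; the sample keys below are constructed and tiny.
"""
import base64
import hashlib
import os
import struct
from typing import Dict, List, Optional, Set, Tuple


def _mpint(x: int) -> bytes:
    """RFC 4253 mpint: big-endian, length-prefixed, leading 0x00 if top bit set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def encode_ssh_rsa(e: int, n: int) -> str:
    """Base64 wire blob of an ssh-rsa public key (used to build the samples)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode("ascii")


def parse_ssh_rsa(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (e, n, comment) for one ssh-rsa line, or None if it is not one.

    The key type is located by token, so authorized_keys lines that start with
    options such as from="..." or command="..." are handled as well.
    """
    parts = line.split()
    if "ssh-rsa" not in parts:
        return None
    i = parts.index("ssh-rsa")
    if i + 1 >= len(parts):
        return None
    try:
        blob = base64.b64decode(parts[i + 1], validate=True)
    except ValueError:              # binascii.Error is a ValueError
        return None
    fields: List[bytes] = []
    off = 0
    while off + 4 <= len(blob):     # each field is a 4-byte length then bytes
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            return None             # truncated blob
        fields.append(blob[off:off + length])
        off += length
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return e, n, " ".join(parts[i + 2:])


def modulus_fingerprint(n: int) -> str:
    """Blacklist identifier assumed for this example: SHA-1 of the hex modulus."""
    return hashlib.sha1(format(n, "X").encode("ascii")).hexdigest()


def check_keys(text: str, blacklist: Set[str]) -> List[Dict[str, object]]:
    """Classify each key line of an authorized_keys-style file: weak, ok or unparsed."""
    results: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_ssh_rsa(line)
        if parsed is None:          # non-RSA key or mangled line: report, never skip
            results.append({"line": lineno, "status": "unparsed"})
            continue
        e, n, comment = parsed
        fp = modulus_fingerprint(n)
        results.append({"line": lineno, "comment": comment, "bits": n.bit_length(),
                        "fingerprint": fp,
                        "status": "weak" if fp in blacklist else "ok"})
    return results


def scan_tree(root: str, blacklist: Set[str]) -> Dict[str, List[Dict[str, object]]]:
    """Walk a tree (e.g. /home or /etc/ssh) for authorized_keys and *.pub files."""
    findings: Dict[str, List[Dict[str, object]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "authorized_keys" or name.endswith(".pub"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[path] = check_keys(fh.read(), blacklist)
    return findings


# Constructed sample data: small integers standing in for real moduli.
WEAK_N = 0xC0FFEE1234567890ABCDEF
GOOD_N = 0xDEADBEEF0BADF00D13375EED
BLACKLIST = {modulus_fingerprint(WEAK_N)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + encode_ssh_rsa(65537, WEAK_N) + " build@constructed",
    'from="10.0.0.0/8" ssh-rsa ' + encode_ssh_rsa(65537, GOOD_N) + " ops@constructed",
    "ssh-rsa notbase64!! mangled@constructed",
    "ssh-dss AAAAB3NzaC1kc3MAAAA= dsa@constructed",
])

if __name__ == "__main__":
    for finding in check_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(finding)
```

Two design points matter for the real clean-up. First, lines the scanner cannot parse are reported rather than silently skipped, because a DSA key or a mangled entry is exactly the thing a human has to look at. Second, a weak key is not fixed by the package update: the key must be regenerated, and trust in the old one removed (the authorized_keys entry, the host key, the certificate issued on it), which is the part that needs the business owners the rest of this post talks about.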

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

 
Podcast: Security Catalyst May 21 2008 [33:06m]

Posted in Information Protection, Security Awareness Training, podcast, speaking | Comments (2)

Electronic Medical Records: Friend or Foe?

By Patrick Romero

In 2004, President Bush set a goal that by 2014 most Americans would be using an Electronic Medical Record (EMR). In his vision, doctors would be using EMR systems with interoperable standards that would allow them to share lab results, images, computerized orders and prescription information with hospitals and other health facilities.

The Office of the National Coordinator for Health Information Technology was created by President Bush to guide the work on EMR standards and coordinate public and private efforts. It defines minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications.

Progress toward that goal has fallen short, and the reasons are many, according to the report “Gauging the Progress of the National Health Information Technology Initiative.” They include slow adoption of EMRs by physician practices, the impractical nature of a national health information network, the difficulty of creating interoperability standards and Congress’ failure to pass legislation addressing health IT roadblocks.

A 2005 survey estimated that only 13 percent of solo practitioners and 16 percent of groups with 2–4 physicians had adopted EMRs, compared to 29 percent of groups with 10–19 physicians and 39 percent of groups with 20 or more physicians.

Slightly more than a quarter of practices with 11 or more physicians — a situation that describes only 8% of doctors — used comprehensive EMRs in 2006, according to an October 2007 Centers for Disease Control and Prevention report based on the National Ambulatory Medical Care Survey. Solo or single-partner practices — which account for almost half of all doctors — reported much lower levels of comprehensive EMR use: 7.1% of solo practitioners, 9.7% of those with a partner.

Another reason for slow progress on EMR adoption is that a national health information network is impractical, said experts in the California foundation report. The system is intended to be a “network of networks” linking state, regional and other health information exchanges so they can share information.

According to the eHealth Initiative Foundation (eHI), 28 states have initiated Health Information Technology (HIT) planning and an additional seven states have progressed to the implementation stage.

Privacy Concerns

The Medicare Electronic Medication and Safety Protection Act (S 2408), sponsored by Sen. John Kerry, would require physicians to use e-prescribing for Medicare patients or face a 10% cut in payments. The bill is pending in the Senate Finance Committee.

Deborah Peel, head of the Coalition for Patient Privacy, said an e-prescribing bill would be an excellent opportunity to prohibit data mining.

Privacy advocates are concerned that the bill should come with more privacy protection. They would like to require that any prescription data transmitted electronically be used for the express purpose of prescription filling and submitting the necessary codes to the insurer for payment. Other provisions being sought are annual reports to patients listing everyone who accessed their data and mandated security breach notifications.

While EMRs are not a panacea for the problems of our national medical system, they do offer more than traditional modes of storing information. The government should continue to encourage doctors to implement EMRs in their practices through substantial grants and subsidies. Such programs exist, but more needs to be done to publicize them. While a mandate might eventually be necessary, less restrictive alternatives are available now. Nevertheless, it is time that the medical community caught up with other sectors of our economy that have embraced the use of digital information.

Posted in Information Protection | Comments (1)

May 2008 Security Round Table | RSA - Going Beyond the Hype

I had a great time at RSA 2008 this year, but didn’t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week — and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad — after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights.

RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives.

I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!

This marks the return of the SRT. We already have the June SRT recorded — a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT — the responsibility of security bloggers and the role of new media.

Happy Listening.

Podcast: SRT May 2008 [54:34m]

Posted in podcast | Comments

I Passed the CIPP exam!!!

Hi Everyone,

Well, it took a little while but I just found out that I finally passed the CIPP exam!!! I am now officially a member of the privacy professional community!!!

For those of you keeping up, I have been posting about my experience studying for the exam. I honestly was not sure whether or not I had passed since some of the questions were more complicated than what I was expecting. I am fortunate that I had some background on various subjects and was able to utilize my legal education in determining the correct response. I think that I definitely benefited from having previous exposure to the topic, especially when the questions related to privacy laws and regulations.

I did best on the section dealing with Workplace Privacy, which was my least favorite topic. It was more relevant to professionals dealing with Human Resources than anything that I enjoy learning. I performed worse on one of my favorite sections: Web Privacy and Security. I enjoyed immensely learning about the various ways that data collected from the internet needs to be protected and stored. I am definitely going to pursue further education on this topic, as it is a very complex issue that requires a technical and legal background to properly understand.

My certification is good for three years and I have to take 30 hours of Continuing Privacy Education (CPE) per year. This is probably something that I would do voluntarily so it isn’t that many hours. Plus, the IAPP provides various ways to keep one’s membership current and I am already planning on going to some conferences in NYC.

So I want to thank everyone for the help in studying for the exam. I know that some of you are thinking about taking it. If you have any questions, please contact me.

Thanks again!

Patrick Romero

Posted in Information Protection | Comments (2)

Do you share your umbrella?

I’m about to head to the opening of Hershey Park for the 2008 Season. This is the celebration of the opening (we were here for the last day of 2007, too) and the culmination of our April Expedition of the Campaign Across America. I’ll compile the stats and experiences from the trip and share in the coming weeks.

In the meantime, I had two really cool experiences this week - at truck stops. First, en route to Charlotte, NC (to help a friend), it was pouring rain when we stopped to “diesel up.” The protocol at truck stops is simple: pull in, diesel up, pull forward for someone else to get to the pump, head in to pay. I did. When I hopped out of the RV to pay (now fully exposed to the rain), I was surprised to find a fellow driver (though he was driving a big rig) _waiting_ for me - umbrella in hand.

He didn’t want me to get soaked, so he waited for me and we walked in together. It was a two-minute conversation about where each of us was heading and the weather. No ulterior motive. Pure generosity on his part.

If it were raining - would you wait for someone you never met to offer them your umbrella?

When we stopped to diesel up before we got to the Hershey High Meadow Campground (we got in yesterday), we stopped at a BUSY Petro station (we have two favorites: Pilot and Petro). While I was fueling, a truck pulled in - and based on the way he drove, I sensed he might have been frustrated. Then he hops out of the cab and walks right at me! Well, he wasn’t mad - he wanted to make sure I wasn’t getting ripped off!! He asked me if I held a Pilot Driver’s Rewards Card, and then shared tips on how to use it more effectively! We talked about fueling up, cars, trucks, locations, the whole bit. It was actually pretty cool - and I learned a lot (and left with a smile on my face).

Do you go out of your way to make sure people get taken care of (especially a complete stranger)?

In both of these cases, I found some of the most generous and thoughtful people while on the road. Complete strangers looking out for me, no strings attached. I know we need more of this in the world, and I hope that you take even a few moments to ponder these two examples to look for ways we can all look out for each other.

Have a great weekend.

Posted in Information Protection, speaking | Comments

NJ Supreme Court Defends Internet Privacy

The Supreme Court of New Jersey has ruled that people have a reasonable expectation of privacy in the subscriber information they give their Internet service providers, and that law enforcement needs a grand jury subpoena to obtain it. The ruling rests on the New Jersey Constitution, so it binds only New Jersey authorities, but it gives residents of the state stronger protection than federal court decisions, which have generally found no such expectation of privacy.

The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer’s computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena.

The unanimous seven-member court held that police do have the right to seek a user’s private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information.

Writing for the court, Chief Justice Stuart Rabner said: “We now hold that citizens have a reasonable expectation of privacy protected by Article I … of the New Jersey Constitution, in the subscriber information they provide to Internet service providers — just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.”

The case has significant implications for how courts could interpret online privacy in e-mails and other forms of electronic communication. Federal courts have been reluctant to offer stronger protections for online privacy except when there is a clear violation by the government under complicated statutes like the Electronic Communications Privacy Act. This is the first ruling in the country that seeks to raise the bar on privacy standards for online activities. It may influence other state courts, and the question could eventually reach the U.S. Supreme Court.

Posted in Information Protection | Comments

Thanks, Lincoln - and now, Talladega

Sorry for the lack of posting. We drove hard this weekend and have enjoyed two days in Lincoln, NE. I was honored to provide two keynote sessions today — and was made an Admiral in the Nebraska Navy!

I just looked at the travel plan for the next 24 hours - and I am making my way to southern Tennessee by nightfall tomorrow. It’s about 12 hours of driving, and brings me through Kansas City, St. Louis, Paducah (just love the name) and Nashville. After Talladega, we will swing to Nashville again…

Meantime - if you are in one of these cities and want to catch up - drop me a note and if I can, we’ll coordinate.

Michael

Posted in Information Protection, speaking | Comments

How Office Pranks Can Make Your Job Suck Less

Special Segment by Brad Montgomery

Brad is a friend of mine who had worked to improve my ability to use humor. He’s witty, funny and nice. As a “corporate comedian” he always cracks me up - so I asked him for some advice on how to use what he knows to ease some stress and improve the workplace, and he agreed. Here is what he shared! — Michael

I love harmless, victimless office pranks. Before I give you a couple of cool pranks you can do today, let me tell you why I love them.

Practical jokes are fun, create fun, and inspire fun. When I talk to my clients about boosting humor in their workplace (which increases productivity, improves morale, and aids with employee recruitment and retention), one of the main points I teach is that humor doesn’t start spontaneously. It’s not like a lightning strike. It has to be created, nurtured, and fed.

If your goal is to LEAD the way to humor, the single best way to create an environment conducive to fun is to demonstrate an appreciation for humor yourself. In other words, if you want to have more fun at work, you don’t have to be able to tell jokes, wear clown shoes, or crack wise during meetings. (Though if those things float your boat, go for it!) Instead, show appreciation for a good joke or prank, and laugh at other people’s wise cracks.

Guess what happens when you demonstrate this appreciation of humor? You’ll hear more jokes, you’ll see (and fall victim to) more pranks, and you’ll be entertained by wise cracks. See the brilliance? In order to lead the way to more humor at work, you don’t have to be funny at all. All you have to do is DEMONSTRATE that you like it when other people are funny.

Ok… this is where pranks come in. When you pull a prank, you’re shouting to the world, “Take me on! I love to laugh! Go for it!” And lucky you … your people will listen.

So, how ‘bout a few easy, victimless, won’t-get-you-sent-to-HR pranks you can execute today? Easy. Here are three:

• Use tape loops to tape your workmate’s telephone receiver to their phone. (So when they try to answer the phone they can’t “pick up.”)
• Put a small piece of tape over the laser on the bottom of somebody’s mouse. It will simulate a broken mouse.
• Change the height of a workmate’s desk chair. Do this one time and it’s funny. Do this twelve times over the course of two weeks, it’s hilarious.

Now all you have to do is to laugh. Smile. And wait for the joy — and pranks — to come back to you. And they will.

Good for you… now you’re doing your part to Lead the Way to Laughter.

==
Brad Montgomery is a motivational humorist speaker, author, and facilitator. He works with groups who want to laugh-out-loud while learning how to make their workplaces more fun. You can reach Brad at BradMontgomery.com and read his latest rants and ideas at his blog: Bradlaughs.com

Posted in Information Protection, Security Awareness Training, speaking | Comments

Expanding Government Liability for Data Breach

An interesting decision came down last week from the U.S. District Court for the District of Columbia that could change the financial liability of government agencies and private corporations for data breaches. For the first time, a district court held that government employees who claimed that a data breach by the Transportation Security Administration (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed such claims for lack of merit based on insufficient proof of emotional harm or financial damage.

In May of 2007, the TSA lost a hard drive containing the personal information of 100,000 of its employees. After the breach was disclosed, the TSA offered free credit-monitoring services to its employees and advised them to alert their financial institutions of potential cases of identity theft.

Since there is no federal law dealing with compensation for data breaches, employees of the TSA brought a civil action against the government under the Privacy Act of 1974. This piece of legislation governs how personal information is to be protected by federal government agencies. The act lays out requirements that the government must meet in order to establish appropriate safeguards in order to ensure the confidentiality of personnel records. It regulates the collection, maintenance, use, and dissemination of personal information by the government.

Employees of the TSA believed that the TSA had violated provisions of the Privacy Act and had been negligent in protecting their personal information. The TSA argued that the lawsuit lacked merit because the employees had failed to demonstrate damages and that the “concerns about future harm are too speculative and dependent upon criminal actions of third parties.” The Supreme Court and other courts have left open the question of what constitutes damages, and this continues to be a point of contention in litigation. In this instance, however, the court held that concern about identity theft, damage to financial suitability, and mental distress are not too speculative or dependent on future events for the lawsuit to be dismissed.

This is the first time that a federal court has stated that non-pecuniary injuries would qualify as actual damages. Despite the fact that the employees did not show current or actual financial loss resulting from disclosure of their personal information, the court believed that their claim was valid to proceed with a lawsuit against the TSA.

While this is only the interpretation of a district court and will likely be appealed by the TSA, it does show that courts are beginning to recognize the costs of data breaches to the public. Even though no immediate financial injury was demonstrated by TSA employees, the court defined more broadly what it considers to be actual damages. Hopefully, allowing the lawsuit to move forward will pressure other government agencies to adopt better security standards to protect information in their possession. If this ruling is affirmed, it could affect not only government agencies but corporations as well. If federal courts begin to redefine damages, it might not be too long before state courts hold companies liable for their data breaches too.

Posted in Information Protection | Comments

quick note: RSA Security Catalyst Community Breakfast

Come join the security catalyst community members, meet each other in person:

Mel’s at 801 Mission St.
7 am

PS: The last few days have been excellent. I’ll be updating on the meetings I liked, some trends that I’m paying attention to and where I think the successful companies will be heading over the next few days.

Posted in Information Protection | Comments
