Apr 15

I came across an interesting article today that touches on the topic of security, so I thought I’d write about it briefly. Christopher Boydon over at SpywareGuide.com found a phishing utility called Apheve up for download on Cnet.com. It allows phishers to disguise the program as an instant messaging program like Yahoo IM, Skype, or Live Messenger. The unsuspecting victim then tries to log into this fake program and receives an error. After the victim has left, the phisher goes back to that computer and is able to retrieve the username and password the victim attempted to log in with.

What is shocking is that this program is freely available for download on Cnet.com and probably a host of other websites. Somehow it has squeaked through the filters. It has no purpose other than to steal passwords. The creator of the program has also posted YouTube videos with tutorials on “How to hack Msn, Skype or Yahoo with Apheve 1.1”. I think that makes the nature of the program pretty clear.

This is just one more reason why you really need to be careful about what you access if you are using an internet cafe computer or a computer other than your personal one. You can never be too safe.

Sep 15

An on/off switch has been developed for RFID cards by a UK firm that can help prevent RFID cards from being hacked. The risk comes from hackers being able to clone the transmissions sent from these devices and duplicate them to gain access to buildings. This can be done without the victim ever knowing it happened.

They have placed the switch on these devices so that it can be squeezed when the card needs to be scanned by the reader. When the scan is done and the card is no longer being squeezed, the device automatically shuts off. This prevents hackers from being able to clone the RFID card when it isn’t in use.

There are many attempts by companies to increase RFID card security. There are even wallets, made from stainless steel, that you can place these cards in to block the cards’ transmissions from leaving the wallet. This new on/off switch provides one of the least bulky methods. FasTrak, the toll tag system in use in the San Francisco Bay Area, is trying to develop a similar on/off switch that activates the RFID card only when it is entering a toll. This can help prevent thieves from cloning other drivers’ toll tags and then using those tag IDs to go through tolls and pass the cost on to those drivers.

The problem with introducing new security measures to RFID cards is cost. Because these cards are cheap to manufacture to begin with and are usually manufactured on a large scale, even a penny’s difference can make implementing a new security mechanism infeasible. Peratech, the company that has developed this technology, says that it should cost cents and not dollars to implement. Time will tell if their technology catches on with manufacturers.

Aug 27
So I was reading more on the latest information about the number of security breaches this year. I was reading an article by George Hulme over at Information Week about why additional laws are needed for data protection compliance, particularly in the health care industry. HIPAA policies are beginning to be enforced, but it will be a while before we start seeing accurate reports on the number of security breaches.

There has been better security compliance over the last few years, but there is still much more work to be done. Many industries need the same kind of attention that has been applied to the financial sector. Hulme mentions how far the health care industry is behind the financial industry in compliance. I believe that part of the reason is that the health care industry is generally behind the financial industry when it comes to technology.

While strides have been made in the health care industry with HIPAA policies, there is still a way to go with enforcing and auditing those standards. It was only last year (2007) that the Department of Health and Human Services conducted its first audit. As always with audits, it will take a little while until all the kinks are worked out and the final reports can really be accurate. This can clearly be seen in the financial sector’s latest report on 2008’s security breach numbers, and SOX auditing has been around longer than HIPAA policy auditing.

The health care industry also reaches sectors where network technology is underutilized. This makes it hard to give accurate numbers on data breaches due to malicious software and attacks. Many private doctors’ offices don’t invest much of their resources in technology, and because few offices are making a big push for technology, other offices don’t feel the need to make the push themselves. Often what causes a practice or company to upgrade its infrastructure is its competitors or partners improving theirs. With much of the industry lagging behind, there is still a large portion that uses paper records as its main data repository.

Many private practices also outsource their patient management systems to third-party companies. This means that patient data is crossing more networks and is thus exposed to more hands, eyes, and network nodes. All of this adds to the security risk while at the same time making auditing across separate networks difficult. Many of these smaller practices and health care providers don’t have a full-time IT staff, so security is not treated as the ongoing chore it should be.

So while adjustments have been made to increase security and privacy, enforcement in the health care industry is still lax. More laws are needed to enforce HIPAA policies; otherwise this trend will continue.

Aug 26
According to the Identity Theft Resource Center, the number of reported data breaches for 2008 has already passed the number reported for all of 2007. In 2007, the number of data breaches reported was 446. The number for 2008 has already surpassed the 450 mark.

The ITRC only reports on data breaches where more than 22 million records are exposed, and in more than 40% of data breaches the number of records exposed is not fully disclosed. This means that the total number of records exposed from these data breaches is incomplete and can’t be used for any accurate research.

Not only is the number of records exposed inaccurate, but the actual number of breaches is fairly inaccurate as well. One of the reasons why the breach count for 2008 is 4 months ahead of 2007 is that the ITRC has become much better at tracking these data breaches. The actual number of breaches is most likely much higher, due in part to the fact that some are never reported and some multiple events are actually recorded as single events. Because of all this, it is hard to say whether the number of data breaches is truly getting worse. A longer period of recording is needed to flush out any inaccuracies.

For more information on this report, visit the ITRC’s website.