IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

House Panel Passes Cyberthreat Info Sharing Bill

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell listed the Cybersecurity Information Sharing Act, passed last month by the Senate Intelligence Committee, among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent from earlier versions of cyberthreat information sharing legislation, versions that passed the House but that the White House had threatened to veto in the two previous Congresses.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and with other businesses in order to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal action, which led to the various provisions that offer liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."


A security firm claims it was Russia that hacked Sony — and that it still has access

There's a new twist in the story of the devastating hack on Sony Pictures late last year: A security firm says Russian hackers also secretly played a part in the attack. And, the firm says, the hackers still have access to the movie studio's computer systems.

Taia Global released a report Wednesday alleging that Russian hackers managed to gain access to Sony Pictures Entertainment's computer systems at the same time the hacking group known as Guardians Of Peace launched a massive attack on the studio, as reported by PC World.

Vast quantities of confidential company information were published online in the hack in December, including movie screeners and executive emails. The prevailing consensus is that North Korea was responsible, as retribution for the James Franco comedy "The Interview." The American government has publicly blamed the reclusive authoritarian state for the hack. Some security researchers had previously disputed this, and Taia is now challenging the narrative.

Taia CEO Jeffrey Carr says he has received multiple files from a source, Russian hacker "Yama Tough," that appear to be internal Sony Pictures documents that were not included in any Guardians Of Peace data dumps. At least one document has been verified as legitimate by its author, Taia says.

Tough allegedly received the documents from a member of the "assault team" behind the hack, referred to as "Unnamed Russian Hacker," or URH. URH is a Russian "long-time black hat hacker who does occasional contract work for Russia's Federal Security Service."

Perhaps most significantly, Taia says Sony Pictures is "still in a state of breach." Taia's report says it has received documents from Sony from late January 2015, long after the hack supposedly ended. URH "appears to have at-will access to the company," the security firm says. (Sony Pictures would not comment on Taia's findings.)

Why would the Russians hack Sony? One theory is that before people began linking the hackers to North Korea, the hackers had originally demanded money from Sony. (Sony execs didn't read that email ... until it was too late.)

From this, Taia Global suggests two possibilities:

  • Russian hackers attacked Sony Pictures Entertainment, either at the same time or shortly after the attack from (the presumably North Korea-linked) Guardians Of Peace.
  • North Korea was not involved in the Sony attack at all, and it was Russian hackers after all.

There is a third option, however, that Taia does not consider. It's that North Korea (or North Korean-affiliated hackers) was solely responsible for the attack but at some later date the previously unseen documents left their possession, eventually reaching Taia. An unknown intermediary may have fooled Yama Tough by falsely claiming to be URH. Or Tough could be lying to Taia about where he got the documents from (he could have even stolen them himself). Either possibility would mean there is not necessarily any Russian involvement — but if the documents are legitimate, it would nonetheless provide a new avenue of investigation.

Carr told Forbes he had "full trust in his source," though he conceded the material could come from "Yama Tough himself, but he's denying that."

Taia has pushed alternative theories on the origins of the Sony hack before. A "linguistic analysis" it carried out on the known statements of Guardians Of Peace shows, the company says, that the hackers are likely to be Russian speakers.


Obama Imposes Sanctions on North Korea for Hack

Holding North Korea responsible for the cyber-attack on Sony Pictures Entertainment, President Obama imposed sanctions on 10 individuals and three entities associated with the North Korean government.

The president ordered on Jan. 2 the seizing of property held by the individuals and organizations in the United States, a mostly symbolic action because few, if any, assets of those designated in the order are likely located in the U.S.


The organizations facing sanctions include the Reconnaissance General Bureau, North Korea's primary intelligence agency; Korea Mining Development Trading Corp., or KOMID, North Korea's primary arms dealer; and Korea Tangun Trading Corp., the North Korean agency primarily responsible for the procurement of commodities and technologies to support its defense research and development programs.

"Our response to North Korea's attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing," a White House statement says. "Today's actions are the first aspect of our response."

Further Isolating North Korea

The executive order authorizes Treasury Secretary Jack Lew to impose the sanctions. Lew, in a statement, says the sanctions are driven by the government's commitment to hold North Korea accountable for its destructive and destabilizing conduct.

"Even as the FBI continues its investigation into the cyber-attack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States," Lew says. "The actions taken today ... will further isolate key North Korean entities and disrupt the activities of close to a dozen critical North Korean operatives. We will continue to use this broad and powerful tool to expose the activities of North Korean government officials and entities."

An administration official told The New York Times that these sanctions are a first step to punish the North Koreans for the Sony breach. "The administration felt that it had to do something to stay on point," the official said. "This is certainly not the end for them."


10 million stolen passwords were just released – here’s how to see if yours is one of them

Earlier this week, noted security researcher and consultant Mark Burnett made waves when he posted 10 million stolen usernames and passwords on his blog. Of course, the security expert didn’t post the passwords with malicious intent. Instead, his goal was to “release a clean set of data” that gives the world insights into user behavior, and also to draw attention once again to the arrest and prosecution of Barrett Brown.

Burnett didn’t steal the passwords in question, of course, but they’re now easily accessible to anyone and everyone — here’s how you can quickly and easily find out if you are affected.

Burnett posted the 10 million leaked usernames and passwords in one big torrent file that anyone with a computer can download in a matter of minutes. Thankfully, one of the people who downloaded that file used it to create a simple site where anyone can check to see if their accounts have been compromised.

Here’s how you can check:

Simply visit this page on programmer Luke Rehmann’s website, where you’ll be able to search for your usernames and passwords in the leaked file.

Now, before you start wondering if Rehmann is just using this page to collect the usernames and passwords people input, it's important to note that you can (and should) search with partial entries. So, for example, if your password is "trustno1," you can simply search "no1" or "trus" and see if one of your accounts comes up. Even a partial search tells the site's operator something about your password, so keep the fragment short and never submit the whole string; the only way to check without disclosing anything is to download the file yourself and search it locally.

As Burnett notes in his blog post, the usernames and passwords he posted are a small sample pulled from earlier username and password dumps containing upwards of 1 billion sets of stolen credentials. As a result, running a check on the site linked above doesn’t guarantee that your usernames and passwords aren’t floating around on the deep web.
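The local check described above, as an added example that is not part of the original article or of Rehmann's site. It assumes the dump is laid out as one "username&lt;TAB&gt;password" record per line (an assumption; adjust the split if your copy differs), parses a small constructed sample, and offers three lookups: an exact password check keyed by SHA-256 so the plaintexts need not be kept around after parsing, a username check, and the same kind of substring search the site performs, which shows how a short fragment such as "no1" matches rows that have nothing to do with you.

```python
import hashlib
from collections import Counter

# Constructed sample in the assumed layout of the dump: "username<TAB>password" per line.
# These are made-up records for illustration, not lines from the real file.
SAMPLE_DUMP = """\
alice77\ttrustno1
bob.smith\tPassw0rd
carol\tsummer2014
dave_k\ttrustno1
erin\tno1knows
frank\tqwerty123
"""


def parse_dump(text):
    """Parse tab-separated username/password rows, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 1)
        if len(parts) != 2:
            continue
        records.append((parts[0], parts[1]))
    return records


def password_index(records):
    """Count how often each password occurs, keyed by its SHA-256 hex digest so the
    index can be kept (or shared) without holding the plaintext passwords."""
    counts = Counter()
    for _user, password in records:
        counts[hashlib.sha256(password.encode()).hexdigest()] += 1
    return counts


def check_password(index, candidate):
    """Exact, local check: how many dump entries used this password? Nothing leaves the machine."""
    return index[hashlib.sha256(candidate.encode()).hexdigest()]


def check_username(records, username):
    """How many dump rows carry this exact username."""
    return sum(1 for user, _password in records if user == username)


def partial_search(records, fragment):
    """What the web lookup does: every row whose username or password contains the fragment.
    Short fragments hit many unrelated rows, which is why they reveal less than a full search."""
    return [(user, pw) for user, pw in records if fragment in user or fragment in pw]


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    index = password_index(records)
    print("trustno1 seen", check_password(index, "trustno1"), "times")
    print("rows matching 'no1':", partial_search(records, "no1"))
```

The real file is large, so build the index once and keep only the hashed counts; an exact local check then costs one hash per candidate password.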


Five Best Password Managers

A while ago, all it took to be a great password manager was to keep your passwords in an encrypted vault. Now the best password managers give you the option to sync or keep them local only, change web passwords with a click, log in to sites for you, and more. This week, we're looking at five of the best options.

Earlier in the week, we asked you to tell us which password managers you thought were the best. Like we mentioned, the best come with the flexibility to go single-device with no web or online components at all, or the option to sync across your devices. Some log in to sites for you, others audit your passwords to make sure you're not using the same in too many places. All of them come with features designed to improve your security across the board, while offering their own kind of security to protect your data—yes, even if you have everything stored in one place.

You offered tons of great nominations, but we only have room for the top five—and we definitely had some leaders. Here they are, in no particular order.

LastPass

LastPass is clearly the juggernaut here, and for good reason. The service was one of the first well-rounded password managers available, and one of the first that really made it easy to store all of your passwords either online and synced with other computers and devices, or locally on one device. In short, LastPass remembers your passwords so you don't have to, and makes it easy to audit your passwords, use stronger passwords in general, and even automatically change a password for you if a service has been hacked or compromised. LastPass supports two-factor authentication for your password vault using Google Authenticator, USB devices (using a method we've outlined before), or a YubiKey. The service picked up a much-needed update a year or so ago to streamline the UI and make it easier to use, and sports a number of additional features like credit monitoring, secure password and document storage (and sharing), notifications when a site you have an account with has been hacked, tools to autofill forms and streamline online shopping, and more. LastPass supports Windows, OS X, Linux, Android, iOS, Windows Phone, and BlackBerry, and has plugins for Chrome, Firefox, Safari, Opera, and Internet Explorer. It's free to download and use, but if you want its best features and the mobile apps, you'll need to upgrade to LastPass Premium, at $12/yr.

LastPass' nomination thread was huge, with many of you showing your support for the app because it's made securing your online life easier in some shape or form. Many of you explained that you use LastPass so you don't use the same password on every site (which you absolutely shouldn't do), or so you don't have to write down passwords and risk losing them in a disaster, misplacing them, or accidentally letting someone else get a hold of them. Many of you praised LastPass' own security for keeping your data safe, and for—that one time they thought they may have been hacked—promptly locking everyone's data down, making sure they were in the clear, and encouraging users to take additional steps to protect themselves. If you want to learn more about LastPass, they stopped by to tell us the story behind the app not too long ago, and you can read their nomination thread here.


Dashlane

Dashlane launched in beta back in 2012, and has risen to prominence since largely because of its attention to its interface (which is sharp and easy to use), simple security, easy auto-login, form auto-fill, and logging of purchases and orders from online shops. It's picked up a number of updates since then, including support for two-factor authentication, the ability to share passwords with emergency contacts in case you can't access your accounts, and most recently, the ability to change multiple passwords on dozens of websites with a few clicks. Dashlane will also notify you if you have an account on a site that's hacked, and with its built-in password changer, you can have Dashlane reset the password to a new, unique, strong one without leaving the interface. If you want to change all your passwords at once, you can do that too. The purchase tracking and digital wallet features make it easy to make online purchases even at retailers you don't have accounts with, and search all of your online orders in one place, while secure note and document sharing gives you a place to store passwords that can't be automatically filled in. Dashlane also gives you the option to store your passwords locally only in an encrypted vault (where only you have the master key), or to sync them to your devices and access them on the web. Dashlane supports Windows, OS X, Android, and iOS, and has plugins for Chrome, Firefox, Safari, and Internet Explorer. It's free to download and use, but if you want your passwords synced across devices, you'll need Dashlane Premium, at $40/yr.

Dashlane's nomination thread was also pretty popular, with many of you praising the tool for making password management simple and easy to do—almost an inviting task that you'll actually want to do, which is an accomplishment on its own. Making people actually want to take control of their security because the interface is easy enough to use is a big deal, and Dashlane's UI shows you right up front what your overall security "score" is, and gives you easy tips to improve it right then and there. Those of you who use it praised it for its seamless syncing, digital wallet, auto-fill across all of your devices, and its new multi-site password changer. It's not perfect though—a number of you noted that it's great...as long as you were grandfathered into its free plan (when syncing was still free), and noted that $40/yr was steep considering the competition generally costs less and is on par feature-wise. You can read more in its nomination thread here.

KeePass

If free (as in speech and as in beer) and open source are your go-to requirements for a security product, KeePass is perfect for you. Your passwords in KeePass are stored inside an encrypted database that you control, on your own system, and are never synced or uploaded anywhere unless you want to take them from machine to machine. KeePass is also a portable app, meaning it's super easy to take with you and use on multiple computers, even if that machine is locked down and all you have is a thumb drive. It has its own password generator, to help you change passwords and make sure every one of them is unique and strong. Password databases in KeePass can also be configured with multiple keys so you can share access among privileged users, and exported in plain text for quick importing elsewhere (or backups); treat any such export as sensitive and delete it once it has served its purpose. Plus, KeePass has tons of third-party plugins and tools to extend its functionality and bring it to more devices, browsers, and platforms. Most notably, KeePass' auto-type functionality works in all windows and all browsers, which means that KeePass can log in to sites that other password managers can't, and can log in to applications, system dialogs, and other password prompts that you'd otherwise have to copy/paste a password into.

Several years ago, KeePass was your favorite password manager, largely because of that open-source approach and its user-controlled approach to security. KeePass officially supports Windows, OS X, and Linux, and there are unofficial (it is open source, after all!) ports with different features available for Windows, OS X, Linux, iOS, Android, and Windows Phone, including KeePassX, which earned its own nomination thread. This time around, those of you who nominated KeePass praised it for its offline access, strong encryption, and ability to log in to any password dialog that appears on your system, whether it's on the web or a network login somewhere. Many of you shared your KeePass configurations, with some of you using Dropbox to sync your encrypted vaults across devices, and others preferring to use KeePass for everything while using other tools for day-to-day logins. One of you specifically mentioned that it's great to be able to use the tool cross-platform, completely free, and keep a backup of your data on your own—all while being in complete control of your data and security. You can read more in its nomination thread here.



1Password

1Password is well loved and well-regarded for offering a powerful and secure password manager and digital wallet in a really sharp-looking package that shines on every platform it runs on. It's flexible, easy to use, works seamlessly in just about every web browser, and packs in the same features that you've come to expect from a premium password manager and secure document storage tool. 1Password looks great, comes with a strong password generator to help you pick good passwords every time you change one, secure notes for other passwords or notes that you want to keep private, a digital wallet for bank accounts and payment info, and a password "recipe" builder that lets you customize your passwords to your demands instead of just accepting whatever algorithm the password generator spits out at you. Perhaps best of all, 1Password can be used locally only, without syncing any information to the web, or you can use it across all of your devices by syncing your encrypted vault via Dropbox, iCloud, Wi-Fi, or shared network folders—it's completely up to you. You can also set up emergency contacts and share passwords with authorized users. You can even keep multiple vaults for different types of passwords. 1Password supports Windows, OS X, Android, and iOS, with plugins for Chrome, Firefox, Opera, and Safari. One of 1Password's stand-out features is that you get a premium product for a one-time fee—you can download and try it out for free, or buy a single license for $50 (or buy a Mac and Windows license bundle for $70.) Mobile apps and extensions are free, but require a license to use.

Those of you who nominated 1Password almost universally praised the app's interface and ease of use. Like some of the other password managers mentioned here, it's a joy to use, and it works seamlessly with multiple browsers, systems, windows, and other password dialogs. Most of you called out the "Watchtower" feature, which notifies you of breaches around the web, and its support for Touch ID on iOS. Many of you approved of the combination of local encryption and the option to sync when you want to, without talking to a central authority, while simultaneously looking great and being a well-developed product. Some of you dinged it because your password database isn't editable on mobile devices, and the starter price—although it's a one-time cost—set some of you back, but the overwhelming opinion is that 1Password is a premium application from a dedicated team of developers, and worth the price tag. If you're curious, you can read the story of 1Password here, or check out its nomination thread here.



RoboForm

RoboForm has been around a long time (since 1999), and has always had a large number of dedicated, die-hard users who've rallied around it, both as a great tool for form-autofill on the web, and as a password manager. RoboForm also gives you the option to keep your passwords and data encrypted and local, or sync to the web and across devices if you choose to, but the choice is completely up to you. It supports multiple identities, so you can autofill form information based on different users, addresses, or any other mix-and-match of data you choose. You can also take RoboForm with you on a USB drive from computer to computer. The app's most recent major update was a few years ago, but it gave it a great-looking interface, brought it to more browsers, and delivered both online and offline password management options. RoboForm also has bookmarking features to help you keep track of your favorite sites. RoboForm supports Windows, OS X, Linux, Android, iOS, and Windows Phone (with older versions available for platforms like BlackBerry and Symbian OS), with plugins available for Chrome, Firefox, Safari, Internet Explorer, and Opera. It's free to download and use—for the first 10 logins. If you need more (and who wouldn't), or need to sync or access passwords on multiple devices, you'll need RoboForm Everywhere, which will set you back $20/yr for all of your devices and computers (and you get a break: it's only $10 for the first year).

Those of you who nominated RoboForm did so because of its long history of good security, utility, and because many of you felt the app was underappreciated and underrated, even though it offered all of the features that many other tools do. You praised it for its legacy device support (especially those of you who have used it since its earlier days), its password generator, secure note storage, and more.
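Two features that recur across the five tools above, the password generator (with 1Password's "recipe" idea of requiring particular character classes) and the vault audit that flags reused passwords, are small enough to show in working code. The block below is an added example written for this page; it is not code from LastPass, Dashlane, KeePass, 1Password or RoboForm, and the character classes, the 12-character threshold and the sample vault entries are assumptions chosen for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes a "recipe" can require (assumed set; real managers let you tune these).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

DEFAULT_RECIPE = ("lower", "upper", "digits", "symbols")


def generate_password(length=20, classes=DEFAULT_RECIPE):
    """Draw a password from the OS CSPRNG (secrets, never random) that contains at
    least one character from every requested class. Rejection sampling keeps the
    result uniform over all strings that satisfy the recipe; forcing one character
    per class and shuffling would bias the distribution."""
    if length < len(classes):
        raise ValueError("length too short for the requested classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length, classes=DEFAULT_RECIPE):
    """Entropy in bits of a uniformly random password of this length over the
    recipe's alphabet. This describes generator output only; a human-chosen
    password of the same shape is far weaker."""
    alphabet = "".join(CLASSES[c] for c in classes)
    return length * math.log2(len(alphabet))


# Constructed vault for the audit: (site, username, password) triples, not real accounts.
SAMPLE_VAULT = [
    ("bank.example", "alice", "trustno1"),
    ("mail.example", "alice", "trustno1"),
    ("shop.example", "alice", "Wq7!pL2$mN9^kR4&"),
]


def audit_vault(entries, min_length=12):
    """Flag passwords reused on more than one site and passwords shorter than
    min_length. Returns {"reused": {password: [sites]}, "short": [sites]}."""
    sites_by_password = defaultdict(list)
    for site, _user, password in entries:
        sites_by_password[password].append(site)
    reused = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    short = [site for site, _user, pw in entries if len(pw) < min_length]
    return {"reused": reused, "short": short}


if __name__ == "__main__":
    print("generated:", generate_password())
    print("entropy of a 20-char full-recipe password: %.1f bits" % entropy_bits(20))
    print("audit:", audit_vault(SAMPLE_VAULT))
```

The audit deliberately reports sites rather than printing the reused password itself, so its output can be pasted into a ticket without leaking the secret; the fix for a hit is to generate a fresh password for each flagged site.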

The Year of the Data Breach - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance

As early as July, 2014 was already being called "The Year of the Data Breach". Big brands like Home Depot and Target were the headliners, but they weren't alone. Retailers and financial institutions of all sizes were combating cyber crime after cyber crime. Meanwhile, the healthcare industry suffered its share of incidents as well. In fact, 2014 saw the U.S. Department of Health and Human Services' database of major breach reports (those affecting 500 people or more) surpass 30.1 million affected individuals.

The good news is that 2014 is over. The bad news is that in 2015, things could get even worse.


It seems that 2014 was more of “a sign of things to come” than it was “a moment in time.” This rings especially true for those of us who are safeguarding protected health information.

We have entered an unprecedented era where cyber attacks are becoming more frequent and more sophisticated with every passing day.

In a recent 60 Minutes special, FireEye CEO David DeWalt estimated that 97 percent of companies are getting breached, with hundreds of thousands of attacks happening on a weekly basis across the globe.


Retailers, banks and others are consistently increasing their spending related to security. They are trying diligently to prevent attacks. But in today’s environment, DeWalt believes that breaches “are inevitable.”

The burden that breaches place on the economy, individual organizations and consumers is significant. Widespread compromises of data are driving $11 billion plus in fraud each year. Just as costly is the fact that we are teetering on a crisis of confidence. Can anyone really protect sensitive data?

Given all this, should we just wave the white flag and surrender?

Obviously, the answer is no. While breaches may indeed be "inevitable" at the macro level, there are absolutely things that can be done to reduce the number of breaches that occur, and to give your organization a better chance of not being part of the statistics. What's more, the eventual damage a breach causes is highly contingent upon how well you respond to it.

Consider this scary statistic. From the time a “bad guy” hacks into sensitive data, it typically takes 229 days for the breach to be detected. 229 days!

DeWalt argues, as do we, that trying to prevent a breach is only part of what your organization should be doing. A comprehensive approach means that you are assessing your risk of falling victim to a breach, identifying ways to mitigate that risk from coming to life and appropriately planning for how you will respond if you do experience a breach. In other words, how are you assessing and managing information risk within your organization?

The criminals eventually are going to find their way into organizations.

So, the task at hand if you’re among the unlucky ones is to make sure the bad guys don’t gain access to your most important information, that you identify breaches much more quickly and that you stop the criminals from leaving with valuable information. In short, limit the damage.

The plain truth is that the year ahead promises more of the same. A cybersecurity war is being waged, and your data is at the center of it. Make sure you are prepared for battle. If you haven’t done so already, I’d encourage you to download Clearwater’s whitepaper explaining our Information Risk Management Capability Advancement Model. It’s a free resource, and it offers an extensive framework for determining how well you are equipped to manage information risks, and what steps you should consider in the year ahead to strengthen your internal programs.

Here’s to hoping 2015 is a breach-free year for you!
