FBI Public Service Announcement Warning of IoT Apps

Earlier this month, on September 10, 2015, the FBI put out a Public Service Announcement (PSA) entitled “Internet of Things Poses Opportunities for Cyber Crime,” warning companies and the general public to be aware of Internet of Things (IoT) vulnerabilities that cybercriminals could exploit and encouraging the use of strong passwords. The PSA included the following example:

Cyber criminals can take advantage of security oversights or gaps in the configuration of closed circuit television, such as security cameras used by private businesses or built-in cameras on baby monitors used in homes and day care centers. Many devices have default passwords cyber actors are aware of and others broadcast their location to the Internet. Systems not properly secured can be located and breached by actors who wish to stream live feed on the Internet for anyone to see. Any default passwords should be changed as soon as possible, and the wireless network should have a strong password and firewall.

The FBI identifies these IoT devices:

Automated devices which remotely or automatically adjust lighting or HVAC
Security systems, such as security alarms or Wi-Fi cameras, including video monitors used in nursery and daycare settings
Medical devices, such as wireless heart monitors or insulin dispensers
Wearables, such as fitness devices
Lighting modules which activate or deactivate lights
Smart appliances, such as smart refrigerators and TVs
Office equipment, such as printers
Entertainment devices to control music or television from a mobile device
Fuel monitoring systems

The FBI recommends the use of “Strong Passwords” to secure these devices. According to the traditional advice — which is still good — a strong password:

Has 12 Characters, Minimum: You need to choose a password that’s long enough. There’s no minimum password length everyone agrees on, but you should generally go for passwords that are […]

By |October 6th, 2015|Security|0 Comments|

Why Security and Development staff should work together

In many large companies and even small ones, the application development staff and the security staff do not generally work together on a project team. The developers see themselves as architects and creators of an application, making sure it does what the customer wants.  The security folks often see themselves as more of a compliance role, testing code after it is developed and making sure it is protected on the network. Security also has the reputation of telling folks what they “can’t” do rather than helping the developers make good security decisions.

Unfortunately, this scenario is very true in many companies. Code could be developed in a more secure fashion if the developers and security staff worked as a team rather than as adversaries. When developing code, you end up with both bugs and design flaws. Bugs can be caught in testing using a variety of software tools. Flaws in the design and architecture of an application are harder to identify and are responsible for 50% of security defects.

By encouraging the team to include security in the initial design of the product and putting security first, many design flaws can be avoided. Gary McGraw and Jim DelGrosso of Cigital, Inc. report that adding an architecture risk analysis process has proven useful in finding and fixing flaws. They recommend starting the process with an architectural diagram. With the architecture diagram in hand, they undertake three specialized analysis steps:

1) Known-attack analysis – Take a list of known attacks relevant to your architecture and go through them. Microsoft’s STRIDE approach (part of what they mistakenly call threat modeling) is a good example. STRIDE is an acronym for spoofing, tampering, repudiation, information disclosure, denial of service, and […]

By |September 28th, 2015|Security|0 Comments|

For Better Password Policies: OWASP Passfault

OWASP Passfault improves on password strength and password policies.

By |September 9th, 2015|General, Security|0 Comments|

There is an “I” in Security

There has been a lot of discussion in the news lately about cybersecurity threats and big company security breaches. These cases are really scary and should result in consequences for the people involved, but a lot of security comes down to personal responsibility. There is an “I” in security.

I need to make sure I password protect my laptop, tablet and cell phone.

I need to make sure I don’t share my password with others or write it down on a piece of paper that can be easily discovered.

I need to make sure I don’t leave my work station while logged into sensitive corporate data.

I need to make sure I read that email and verify it is from a trusted person before I open that attachment.

I need to pay attention when clicking on links that appear to be sent from my bank.

I need to remember that NO reputable institution such as my bank, the IRS, FedEx or Facebook would ever ask me to provide personal information or my password.

No matter how good my firewall, spam filter, or antivirus software is, there is nothing in the world that will protect me from a momentary lapse in judgment as I use my computer. Everyone needs frequent education and training on how to stay safe. There are SO many ways that security can be compromised by literally inviting malware or viruses onto your computer. We need to be vigilant and constantly think about what we are doing as we use our computer systems and mobile devices, both at work and at home.

It is hard to admit it but I might just be the weakest link in my security system.

By |August 20th, 2015|Security|0 Comments|

Patient Verification vs. Identity Fraud

A recent article in Healthcare Info Security discusses a study conducted by the Ponemon Institute, sponsored by Experian’s ProtectMyID. The study asserts that nearly 70 percent of medical ID theft incidents involved others fraudulently using credentials to obtain healthcare services. In more than half of the medical ID theft cases, the victims didn’t report the incidents to law enforcement, often because they knew the person who stole their identity.

This is often called the “Robin Hood effect” because family members are allowing the use of their insurance card to cover uninsured relatives. It is understandable that someone might help out an ailing relative; however, cases have been found where cards were used to purchase medical devices and equipment, like scooters, that were later sold on eBay.

The Affordable Care Act estimates that healthcare reform could bring coverage to 30 million Americans who currently lack it. By covering more people with healthcare, we should see a substantial drop in the number of uninsured, but will we see a corresponding drop in medical ID theft? That may be optimistic.

That’s because not all health insurance policies are created equal. Some of the least expensive new offerings expected to become available on the market, or provided through the expansion of state-level Medicaid and Children’s Health Insurance Programs, might not offer all the benefits someone wants, Ponemon says. There could still be a motivation to fraudulently gain access to better policies which have more benefits.

One way to deter medical identity fraud is to add advanced technologies like biometrics to insurance cards. The biometrics would be used to verify the identity of the patient at every visit and would prevent fraudulent use of the insurance plan. Biometric identification would also support […]

Improve Cybersecurity with Continuous Monitoring

Cybersecurity has now superseded terrorism as our country’s #1 threat. Can continuous monitoring save the day?

Utah Getting Act Together on Healthcare IT Security

Healthcare IT security has been a sensitive subject for the past 12 months in Utah’s health care community, following two major healthcare security breaches.

The Future of EHR Security: Good and Bad News

The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.

The Case for a Biometric Identifier on Health Care Records

Americans have long been concerned about privacy and have never supported a National Identity Card of any kind. But when it comes to electronic health records, we might have to give that a second thought. Right now Health and Human Services is taking comments on Conditions for Trusted Exchange (CTE) of Electronic Health Care records within a Nationwide Health Information Network. They are trying to determine how to verify that your health care records are indeed Your Health Care records when information is transferred between parties.

The complexity of verifying personal identity without biometric authentication on a national level is mind-boggling. How many thousands of John Smiths and James Johnsons are there in this country? According to Howmanyofme.com there are 45,354 people named John Smith in the United States and 35,933 people in the U.S. named James Johnson. What is the probability that hundreds of those individuals also share the same birthdate?

HHS is recommending a goal of achieving a 99.9% match rate, but no matter how sophisticated the demographic matching algorithm might be, no CTE could be expected to achieve a specificity of 99.9% when dealing with the population of the whole country. Adding some sort of biometrics, whether iris scans, hand scans or fingerprints, will add the needed level of identification that is mandatory in life-and-death situations.

If every person had a medical card, which carried electronic identification data, they could have access to their medical records wherever they went. They could give access to new medical practitioners while avoiding the need to fill out the packet of forms at each appointment.

Today thousands of individuals who work in private industry and government have such a card that allows them […]

SANS AppSec Summit 2012: What you can learn from Partnet about AppSec

I’ll be representing Partnet at the SANS AppSec Summit at the end of this month. We will participate on a panel called What you can learn from small businesses about AppSec. I love working for a smaller company. I think the flexibility and the “buck stops here” mentality make small businesses more effective than larger businesses. But I think there is a misconception that small companies are not disciplined – that they have a “wild west”-like attitude. That may be true generally, but not here. Discipline and ownership of security are what I think is the “secret sauce” of a successful AppSec program. We’ll talk about it at the SANS AppSec Summit. If you are attending, please come by and say hello.

By |May 2nd, 2012|Security|0 Comments|