Tag Archives: software

Health Information Technology (HIT) HIPPA Security Rule Self Assessment Toolkit – Federal Business Opportunities: Opportunities

The National Institute of Standards and Technology wants industry help to develop a Web-based tool that would let users determine if they met the security requirements of the Health Insurance Portability and Accountability Act (HIPAA)

… The contractor shall gather requirements, design, develop, test, and integrate a software application for use as a web-based application and for download for CSD customers to conduct a self-assessment of their work environment against the security requirements of the HIPAA Security Rule.

via RECOVERY – Health Information Technology (HIT) HIPPA Security Rule Self Assessment Toolkit – Federal Business Opportunities: Opportunities.

More holes found in Web’s SSL security protocol – Network World

Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

via More holes found in Web’s SSL security protocol – Network World.

PCI breaches shed light on cloud security – Network World

Credit card numbers compromised in an attack against Web hosting provider Network Solutions expose one of the security problems faced by cloud computing. The company says its infrastructure complied with payment card industry (PCI) standards when the data was possibly stolen via software installed on its servers.

via PCI breaches shed light on cloud security – Network World.

FISMA Efficacy Questioned – Federal CIO Vivek Kundra

Recent breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the state of federal information security is not what citizens should expect, federal CIO Vivek Kundra testified before the House Committee on Oversight and Government Reform’s Subcommittee on Government Management, Organization and Procurement. He said the seven-year-old Federal Information Security Management Act has raised agencies’ awareness of information security but suggested it has outlived its usefulness.

via FISMA Efficacy Questioned.

Air traffic systems vulnerable, IG states

An audit of the Web applications connected to air-traffic control networks found hundreds of critical vulnerabilities in the software and documented dozens of cyber incidents that continue to be unresolved, auditors stated in a report to the Federal Aviation Administration released this week.

During the investigation, auditors from the Office of the Inspector General for the U.S. Department of Transportation and accounting firm KPMG found 763 high-risk security issues in the Web servers set up to deliver information to the public and to FAA employees. The investigation also discovered more than 3,000 other vulnerabilities, according to the report (pdf). The vulnerabilities include incorrectly configured Web applications and software with known security issues that were not regularly patched.

via Air traffic systems vulnerable, IG states.

NIST Issues Draft Guide for Automating Computer Security Verification – 7thSpace Interactive

The National Institute of Standards and Technology (NIST) has issued for public comment a draft publication describing a new method to automate the task of verifying computer security settings. Known as the Security Content Automation Protocol (SCAP), the specification has recently been incorporated into software scanners for checking security settings in federal computers.

The new publication provides an overview of SCAP, discusses programs for ensuring that products implement SCAP properly and recommends how federal agencies and other organizations can use SCAP effectively.

“You can do a lot of things with SCAP,” said NIST computer scientist Matthew Barrett, the publication’s lead author. “An organization can express vulnerability assessment instructions in a machine-readable format, and SCAP-validated tools can use that information to automate many computer security activities.”

via NIST Issues Draft Guide for Automating Computer Security Verification – 7thSpace Interactive.

Call centres ‘failing on credit card security’

24 April 2009 04:20:00

Survey finds many companies are not complying with PCI standards.

Many UK call centres could be putting customers at risk of credit card fraud because of a failure to adhere to payment card industry (PCI) standards, according to new research.

Technology firm Sabio surveyed a number of call centre operators and found that more than half were either non-PCI compliant or were unsure if they met the PCI Data Security Standard (DSS).

DSS was created by the industry to help tackle debit and credit card fraud by ensuring that organisations which handle card data do so correctly.

Adam Faulkner, Sabio director, explained that the problem of ‘cardholder not present’ fraud is a “key challenge for payment card providers and their merchants”.

He added: “As an industry, however, the contact centre sector still has a lot of work to do in helping organisations to meet their PCI compliance obligations.”

According to the UK payments organisation Apacs, cardholder not present fraud was one of the main growth areas for card fraud in 2008.

via Call centres ‘failing on credit card security’.

Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog

An unknown cyber criminal (or group of them) has broken into computer systems housing information about the U.S. Defense Department’s $300 billion Joint Strike Fighter project, the Wall Street Journal reports today, citing a number of “current and former government officials familiar with the attacks.”

It’s unclear how much damage the attacks have caused to the jet-fighter project, given that the cyber intruders were able to download “sizable amounts of data” related to the aircraft’s in-flight maintenance diagnostics (the aircraft is also called the F-35 Lightning II) but weren’t able to access the most sensitive information, related to flight controls and sensors (which is stored on computers not hooked up to the Internet), according to the Journal. The Air Force is currently testing prototypes of the aircraft, said to be the most expensive ever commissioned by the Pentagon.

The attackers allegedly accessed the Joint Strike Fighter information by exploiting vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, the Journal reports, citing “people who have been briefed on the matter.” Although none of the contractors have commented publicly on the computer compromise, Lockheed Martin is the lead contractor on the program, while Northrop Grumman Corp. and BAE Systems PLC are also playing important roles in its development. “Computer systems involved with the program appear to have been infiltrated at least as far back as 2007,” according to the Journal, which cites unnamed sources who state that the intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems. The guilty party loaded software onto the Pentagon’s computers that encrypts the data as it’s being stolen, which means investigators don’t know exactly what data has been taken.

This latest alleged cyber intrusion comes less than two weeks after the Journal reported that spies from China, Russia and other countries have hacked into the U.S. electricity grid and installed software that could cause mass outages, a story that has been criticized by some computer experts as hype perpetuated by government officials looking for more funding.

It’s unlikely that U.S. investigators will be able to ascertain the identities of those behind the attack, unless they can get the cooperation of China and any other countries that might be involved, says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Of course, it’s also possible that computers in China were hacked into in order to make it look like China is to blame, she adds.

State-sponsored spies aren’t the only ones who’ve successfully hacked into U.S. government computers, though. Scottish computer hacker Gary McKinnon, 42, has for years been fighting extradition to the U.S. for allegedly breaking into networks owned by NASA, the US Army, Navy, Department of Defense, and the Air Force in 2001 and 2002, causing about $800,000 in damage and ruining 300 computers. McKinnon, who suffers from Asperger’s Syndrome and could face life in prison in the U.S. if convicted, says that he hacked into U.S. government systems that had no password or firewall protection to search for information on “UFOs, free energy and anti-gravity technology,” Sky News reports.

There’s no silver bullet for protecting sensitive information, Denning says. Encrypting data might help, she adds, but an “adversary may be able to fool the system into decrypting the data or plant malicious code on the system that captures keys.”

Government computer security is a big problem, but some agencies do better than others, according to Denning, who points to the annual FISMA report (mandated by the Federal Information Security Management Act of 2002). The 2007 report gave five federal agencies (the Social Security Administration, Justice Department, Environmental Protection Agency, Agency for International Development, and National Science Foundation) an “A+” for their security efforts, but the average score was a “C” (and the Defense Department received a “D-”).

Image of an F-35 Lightning II Joint Strike Fighter taking off from a Lockheed Martin facility in Fort Worth, Texas, © U.S. Air Force

via Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog.