
Privacy & Security eMagazine January 2015


Foreword

This material does not constitute legal advice and is for educational purposes only. The information in this packet is based on current federal law and is subject to change based on changes in federal law, the effect of state law or subsequent interpretative guidance. Other material corresponds to industry best practices.

Privacy is the foundation for Security

Visit our Portal: http://recpr.org


INDEX
4 Security Concepts and Relationships
5 Shared data will transform healthcare
6 Computer and Information Security Checklist
8 How opening your wireless to strangers can improve your privacy
11 Healthcare Predictions For 2015
15 Understanding Encryption
17 App lets anyone be an encryption expert
23 The Unpatchable Malware That Infects USBs Is Now on the Loose
24 How to Protect Deleted Data From Hackers
26 How mobiles can hack our most sensitive data
29 Hackers Have Figured Out A Major Security Flaw In USB Sticks
31 FREE SECURITY CHECK UPS
32 How to choose a strong password
34 WORKPLACE SECURITY RISK CALCULATOR
35 The Basics of Cloud Computing
38 HIPAA Compliant Cloud Storage
39 Avoid Getting Hacked
42 52 IDEAS
45 Emergency Situations: Preparedness, Planning, and Response
47 Head-controlled smartphone is perfect for the disabled
50 Fake early warning Ebola tools are spreading malware
52 Bioprinted blood vessels pave way to organs-on-demand
54 Web GLOSSARY


Shared data will transform healthcare

Founders Forum Healthtech brought together 130 investors, entrepreneurs and innovators in healthcare. The recurrent theme was data.

When a patient with pneumonia arrives at a hospital, current guidelines state that he should be given antibiotics within four hours of arrival. “There was this US hospital that was doing terrible work in giving patients antibiotics within four hours,” says Marty Kohn, who previously worked as Chief Medical Scientist at IBM Research, and has recently joined Jointly Health, a remote patient monitoring company. “Then they started giving antibiotics to any patient with a cold and fever at triage. They did very well in the performance tables, but were giving antibiotics unnecessarily to a lot of patients.” The corollary? With data, size doesn’t matter — what matters is whether the data is informative. Kohn was speaking as part of a panel session at the first Founders Forum Healthtech, an event which took place in London on Friday 13 June, gathering about 130 investors, entrepreneurs and innovators in healthcare. The recurrent theme was data. “When I was flying from the US to London I started thinking about the hundreds of sensors that constantly monitor the engines of an airplane,” says Jack Kreindler, founder of the Centre for Health and Human Performance, co-founder of Jointly Health and one of the hosts of the event. “In comparison, every person does a medical check-up typically once every 30 years. What kind of technologies will we need to implement data-driven healthcare?”


“We need to make medicine predictive,” said Iya Khalil, co-founder of Gene Network Science. Khalil was part of a panel at the first Founders Forum Healthtech that took place in London this Friday. “A lot of the time, doctors are just guessing. Where are the algorithms that tell me what the best treatment is?” Kohn’s Jointly Health, for instance, is trying to optimise health outcomes by combining home monitoring data and longitudinal data on the scientific literature. “In the scientific literature, coronary disease and asthma, I will find lots of studies about, say, coronary disease and asthma, but very little about patients with both. When you have data about lots of patients, we can define a cohort with both conditions and create new evidence that will optimise their health.” It’s not just about new data. There’s valuable data that is already available but neglected by physicians. An example is the environment. “70 percent of your health has nothing to do with your genetics or personal profile. It has to do with context,” says Bill Davenhall, Senior Health Advisor at ESRI. “We’re producing reports that give local information like proximity to toxic sources. The practical implication of this is that you also make a smarter partnership with your physician.” Also present at the event was the secretary of state for Health, Jeremy Hunt. Hunt announced that patients in England will soon be able to access their data online. “In countries where this happens, patients often correct mistakes because a lot of the information is wrongly annotated. Five percent of deaths in health are avoidable. That’s a jumbo jet crashing out of the sky every fortnight. We will stop that by sharing data; that’s what the aviation industry did.” Hunt also announced the government will soon start publishing a safety league table for every hospital to create behaviour change, making the UK the first country to do so.
Towards the end of the year, the government will also be taking surgeons and physicians’ data and evaluating their performance. “Surprisingly, it’s something that the medical profession has accepted well,” he said.


How opening your wireless to strangers can improve your privacy

In an age of surveillance anxiety, the notion of leaving your Wi-Fi network open and unprotected seems dangerously naive. But one group of activists says it can help you open up your wireless internet and not only maintain your privacy, but actually increase it in the process. At the Hackers on Planet Earth conference next month, the Electronic Frontier Foundation plans to release software designed to let you share a portion of your Wi-Fi network, password-free, with anyone nearby. The initiative, part of the OpenWireless.org campaign, will maintain its own flavour of free, open-source router firmware called Open Wireless Router. Good Samaritans can install this firmware on a cheap Wi-Fi router, creating a public slice of bandwidth that can be dialled up or down with a simple smartphone interface. “We want to encourage a world of open wireless, sharing Wi-Fi with each other for privacy, efficiency, and innovation in devices that don’t have to fall back on subscriptions to wireless carriers,” says EFF activist Adi Kamdar. Many locked wireless networks sit idle for much of the day, Kamdar argues. OpenWireless.org would put that untapped bandwidth to use while still allowing the router’s owner to take priority when needed, limiting freeloaders to as little as 5 percent of the pipe. And just how does opening your network protect privacy, as Kamdar claims? One goal of OpenWireless.org, says EFF staff attorney Nate Cardozo, is dispelling the legal notion that anything that happens on a network must have been done by the network’s owner. “Your IP address is not your identity, and your identity is not your IP address,” Cardozo says. “Open wireless makes mass surveillance and correlation of person with IP more difficult, and that’s good for everyone.” On the other hand, mixing a stranger’s traffic with your own can be risky. In 2011, for instance, a man in Buffalo, New York saw his home raided by a SWAT team that accused him of being a pornographer and a pedophile. The police eventually realised he’d simply left his Wi-Fi router unprotected, and a neighbour had used it to download child porn. For anyone wary of home invasions by similarly misguided cops, OpenWireless.org says it will at some point integrate an option to route guest traffic over the anonymity software Tor or a VPN that ties it to a different IP address. But Cardozo hopes the open routers will for most users cement the idea that network owners aren’t responsible for passersby who use their connection. “If everyone runs open Wi-Fi, there’s no real argument that anyone is being negligent by doing so,” he says. “If you’re not the person doing the illegal activity, you have no liability.”

A screenshot of OpenWireless.org’s router interface with the group’s explanation of its features (OpenWireless.org)

OpenWireless.org won’t be the first attempt to create a network of open guest access points. But others who have tried the strategy, like the Spanish company Fon and British Telecom, have required users to be subscribers or pay for access. The EFF’s option will be free for all. The first version of the software is to appear on OpenWireless.org in mid-July. The initial download will be compatible with one specific cheap Wi-Fi router that the OpenWireless developers declined to reveal until the HOPE talk. If the idea catches on, the group says it will eventually update the firmware to work on other models and eventually offer its own router with pre-installed hardware. Anyone wishing to use the initiative’s free Wi-Fi hotspots should search for networks called “OpenWireless.org,” the label the project is encouraging people to give their networks. For guest users, the router software is also designed to offer better-than-average security: each user’s link will be individually encrypted with a protocol called EAP-TLS, the equivalent of HTTPS on every connection. The price of that encryption, however, is that users must download a certificate from OpenWireless.org before accessing the free networks, a tradeoff that will no doubt limit use in favour of privacy. “Part of the goal here is to make open Wi-Fi as secure as logging on to a private network,” says Ranga Krishnan, an EFF technology fellow working on the project. Network owners may ask what incentive beyond altruism might motivate them to share limited Wi-Fi resources with strangers. The Open Wireless Router creators argue their software will be more convenient and secure than the buggy default firmware in typical Netgear and Linksys devices. Unlike those rarely-updated devices, the OpenWireless.org router firmware will be security-audited and allow users to check for updates on the devices’ smartphone-friendly web interface and quickly download updates. “We want to get a much better router in people’s hands that will improve their overall experience and security,” says Krishnan. Krishnan argues that users also will benefit, both personally and on a societal level, from the barrier to surveillance that comes from sharing their network with strangers. “This is not just a neighbourly good thing to do,” he says. “If you allow this kind of guest usage, it will make your traffic part of the mix and not associated with you. That gives you some protection.” But Kamdar points instead to security guru Bruce Schneier’s famous argument that despite the security risks, leaving your Wi-Fi open is an act of civic hospitality. “To me, it’s basic politeness,” Schneier wrote in 2008. “Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea.” Given the kind of widespread network surveillance that’s been revealed in the years since Schneier wrote that line, no one would be considered rude for keeping their network locked down. With the right tools and protections, though, sharing Wi-Fi might become as common as any other baseline social kindness. “For some users,” Kamdar says, “a smile from a friend or neighbour is incentive enough.”

This article originally appeared on Wired.com


Healthcare Predictions For 2015

Editor’s note: Julie Papanek is a principal at Canaan Partners where she invests in healthcare startups. Next year will be big for healthcare. We felt small tremors in 2014 of the seismic changes underway. In 2015, I predict five changes to the core of the U.S. healthcare system: insurance, pharmaceuticals, supplies, medical services and payments. Let’s take a look at each of these trends, what they mean for the healthcare sector, and what they mean for you.

Walmart becomes your healthcare insurer. This October, Walmart tipped its hand by launching a healthcare insurance exchange online. However, the insurance products currently sold on its exchange do not have Walmart as the carrier, which will change in 2015. Walmart’s public announcements thus far provide a clear preview of the insurance plan’s future design. Primary care through retail clinics and $4 generic drugs at the pharmacy will drive traffic into stores. For specialty care, the plan will leverage the Centers of Excellence program that Walmart already offers to its 1.2 million insured employees. In this program, consumers pay little to nothing out-of-pocket for knee surgery, hip surgery, and cancer treatment if they go to a short list of high-quality medical centers like Mayo, the Cleveland Clinic, Mercy and Geisinger. With a store within five miles of 95 percent of all Americans and retail transactional data from its consumers, Walmart can provide tailored population health services and incentivize healthier shopping decisions to prevent diabetes and heart disease.



Startups sell into big pharma and become profitable. Despite a 5x increase in venture investments, most digital health companies are not profitable. Digital health CEOs should look at pharma as their paying customer. Despite their vast differences, pharmaceutical manufacturers are starting to pay tech startups to solve their complicated problems. One major issue pharma wants your help with is accessing and selling to physicians. In-person detailing by trained sales representatives has been the core of pharma’s sales strategy for decades. Yet one-fourth of all MDs’ offices and two-fifths of all offices with 10 or more MDs refuse to see pharmaceutical sales reps in their offices. The Sunshine Act, which compelled every pharma company to disclose what it spends on each MD, accelerated the problem. The problem of customer awareness and engagement is ripe for tech companies, particularly those focused on social media, mobile advertising and video, to capitalize on. Next year is going to be a tipping point, because spending and hiring within pharma’s commercial organizations are changing fast. Plus, the FDA published draft guidance on social media in July 2014. Suddenly, these corporations have large eMarketing teams and VPs of digital health. We are seeing CIOs from companies like Dell working at Merck. These indicators tell me that 2015 will be the year when pharma is willing to shop for best-in-breed companies that address their business problems.

Amazon undercuts the medical supply chain. Amazon sells a dizzying array of products. Catheters and surgical gloves are not on the market yet, but they will be soon. Doctors and practice managers are just like the rest of us — they love Amazon Prime for their homes, so why not for their practices? Amazon will first target small practices and cut out group-purchasing organizations that take an undeserved cut of savings that could be passed on to physicians. If Amazon can ship you toilet paper in two hours, it can supply a small practice with gloves and gowns. The volume from these accounts will justify free shipping, especially when Amazon moves upstream into higher-margin products such as sutures, syringes and other commoditized supplies. While medical professionals and business managers will be driven by price and convenience, Amazon’s motivations will be financial. General surgical supply company Owens & Minor generated $9 billion in annual revenue last year. Amazon isn’t known for letting glaring business opportunities go untouched, especially those that can move its stock price.

Hospitals become a channel for peer-to-peer lending. If you understand the flow of payments in healthcare, you can predict the trends. Consumers and employers are purchasing insurance plans with high deductibles. As a result, the first dollar that hospitals earn is now coming from consumers. Actually, the first $17,000 is coming from consumers. With an average income of $55,000, most American consumers simply can’t pay their medical bills. When they don’t pay, it hurts providers financially. What consumers don’t pay shows up as accounts receivable on hospital balance sheets and eventually turns into bad debt. Since many hospitals are financed by debt and their creditworthiness is partially determined by the health of their balance sheet, the problem of getting patients to pay is urgent. This raises the question — how can we find the money to help consumers finance their health care payments? Many consumers are able and willing to pay their medical bills; they just can’t do it all at once. Peer-to-peer lending companies have paved the way for unsecured structured notes, where an individual’s loan can be financed by others. These have shown impressive growth. Peer-to-peer lending is already being used to finance plastic surgery and other cash-pay procedures. Now it could be used for the majority of medical expenses in the U.S.

Latinos become the most desired healthcare segment in the U.S. There are 54 million Latinos living in the United States, constituting 17 percent of the population. Politicians have taken notice and are paying attention to Latinos as an important voting demographic. Healthcare providers are beginning to do so, too. Latinos have been disenfranchised by the U.S. healthcare system because of legal status, English language skills and financial constraints. Fewer than 4 percent of healthcare providers speak Spanish and most do not know how to approach the cultural and economic diversity within the Latino population. Even native English speakers can’t make sense of PPOs vs. HMOs. As a result, Latinos are 1 out of every 5 uninsured individuals in the U.S. and leverage healthcare services differently than other demographic cohorts. As hospitals compete for volume, they cannot ignore 1 out of 5 Americans. In order to win the loyalty of this untapped customer segment, we will see Latino-branded services with evening and weekend hours to serve dual-income families. Since these services will be built from scratch to provide high-quality care at low prices, they might leapfrog the care that the rest of the population currently receives. Change has historically come slowly and reluctantly to the healthcare industry, but thanks to widespread demand from the government, payers, and consumers for improvement in coverage and care, it seems to be speeding up. These five predictions represent a power shift in the world of healthcare, where new players emerge as forces to be reckoned with, and consumers gain greater control over their care. I predict, and hope, that 2015 will be the year when leaders across the healthcare spectrum will welcome innovation and embrace much-needed change.


The Unpatchable Malware That Infects USBs Is Now on the Loose

The two independent security researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme. “If this is going to get fixed, it needs to be more than just a talk at Black Hat,” Caudill told WIRED in a follow-up interview. He argues that the USB trick was likely already available to highly resourced government intelligence agencies like the NSA, who may already be using it in secret. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he says. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.” Like Nohl, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: in one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory. “People look at these things and see them as nothing more than storage devices,” says Caudill.
“They don’t realize there’s a reprogrammable computer in their hands.” In an earlier interview with WIRED ahead of his Black Hat talk, Berlin-based Nohl had said that he wouldn’t release the exploit code he’d developed because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices.) To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. “It’s unfixable for the most part,” Nohl said at the time. “But before even starting this arms race, USB sticks have to attempt security.” Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it. “There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” he says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”


Understanding Encryption

Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it.

WHAT IS ENCRYPTION? In very basic terms, encryption is a way to send a message in code. The only person who can decode the message is the person with the correct key; to anyone else, the message looks like a random series of letters, numbers, and characters.

Encryption is especially important if you are trying to send sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information.

HOW IS IT DIFFERENT FROM DIGITAL SIGNATURES? Like digital signatures, public-key encryption utilizes software such as PGP, converts information with mathematical algorithms, and relies on public and private keys, but there are differences:

▪ The purpose of encryption is confidentiality—concealing the content of the message by translating it into a code.

▪ The purpose of digital signatures is integrity and authenticity—verifying the sender of a message and indicating that the content has not been changed.

Although encryption and digital signatures can be used independently, you can also sign an encrypted message. When you sign a message, you use your private key, and anybody who has your public key can verify that the signature is valid (see Understanding Digital Signatures for more information). When you encrypt a message, you use the public key for the person you’re sending it to, and his or her private key is used to decrypt the message. Because people should keep their private keys confidential and should protect them with passwords, the intended recipient should be the only one who is able to view the information.

HOW DOES ENCRYPTION WORK?

1. Obtain the public key for the person you want to be able to read the information. If you get the key from a public key ring, contact the person directly to confirm that the series of letters and numbers associated with the key is the correct fingerprint.

2. Encrypt the email message using their public key. Most email clients have a feature to easily perform this task.

3. When the person receives the message, he or she will be able to decrypt it.
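The three steps above, carried out in code: a worked example added to this article, not taken from the original or from any PGP implementation. It uses only the Go standard library, with RSA-OAEP standing in for the encryption step and RSA-PSS for the signature, so the roles of the keys are visible: the sender encrypts with the recipient's public key and signs with the sender's own private key; the recipient checks the signature with the sender's public key and decrypts with the recipient's private key. The fingerprint function is the value step 1 tells you to confirm out of band. The key names (alice, bob) and the sample message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns the SHA-256 digest of the DER-encoded public key. This is
// the string a recipient reads back to you (step 1) so you can confirm that the
// key you pulled from a key ring really belongs to them.
func Fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only fails on a malformed key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// SealAndSign encrypts msg so that only recipientPub's owner can read it (step 2),
// then signs the ciphertext with the sender's private key so the recipient can
// tell who sent it and that it was not altered in transit.
func SealAndSign(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (ciphertext, signature []byte, err error) {
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ciphertext)
	signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, signature, nil
}

// VerifyAndOpen is step 3 from the recipient's side: refuse anything whose
// signature does not check out against the sender's public key, then decrypt
// with the recipient's own private key. A wrong private key yields an error,
// not garbage, because OAEP padding fails to validate.
func VerifyAndOpen(ciphertext, signature []byte, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ciphertext, nil)
}

func main() {
	// Constructed keys for the demo: alice sends, bob receives.
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("Bob's fingerprint (confirm by phone):", Fingerprint(&bob.PublicKey))

	msg := []byte("constructed sample: lab results attached")
	ct, sig, err := SealAndSign(msg, &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := VerifyAndOpen(ct, sig, &alice.PublicKey, bob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Bob reads: %s\n", pt)

	// Flip one ciphertext byte: the signature no longer matches and the
	// message is rejected before any decryption is attempted.
	ct[0] ^= 0xff
	_, err = VerifyAndOpen(ct, sig, &alice.PublicKey, bob)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Signing the ciphertext rather than the plaintext keeps the example short; whichever order a real tool uses, the point of the article holds: the private key that decrypts never leaves the recipient, and the private key that signs never leaves the sender.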


This simple app lets anyone be an encryption expert

Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn’t figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video. Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he’ll release a beta version of an all-purpose file encryption program called MiniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds. “The tagline is that this is file encryption that does more with less,” says Kobeissi, a 23-year-old coder, activist and security consultant. “It’s super simple, approachable, and it’s almost impossible to be confused using it.” Kobeissi’s creation, which he says is in an experimental phase and shouldn’t yet be used for high security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by Wired, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient — in theory not even law enforcement or intelligence agencies — could unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive. Like the older PGP, MiniLock offers so-called “public key” encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.

Kobeissi’s version of public key encryption hides nearly all of that complexity. There’s no need to even register or log in — every time MiniLock launches, the user enters only a passphrase, though MiniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a MiniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key. “No logins, and no private keys to manage. Both are eliminated. That’s what’s special,” says Kobeissi. “Users can have their identity for sending and receiving files on any computer that has MiniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP.” In fact, MiniLock uses a flavour of encryption that had barely been developed when PGP became popular in the 90s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven’t been possible before; PGP’s public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible MiniLock’s feature of deriving the user’s keys from his or her passphrase every time it’s entered rather than storing them. Kobeissi says he’s saving the full technical explanation of MiniLock’s elliptic curve feats for his HOPE conference talk. Despite all those clever features, MiniLock may not get a warm welcome from the crypto community.
Kobeissi’s best-known previous creation is Cryptocat, a secure chat program that, like MiniLock, made encryption so easy that a five-year-old could use it. But it also suffered from several serious security flaws that led many in the security community to dismiss it as useless or worse, a trap offering vulnerable users an illusion of privacy. But the flaws that made Cryptocat into the security community’s whipping boy have been fixed, Kobeissi points out. Today the program has been downloaded close to 750,000 times, and in a security ranking of chat programs by the German security firm PSW Group last month it tied for first place. Despite Cryptocat’s early flaws, MiniLock shouldn’t be dismissed, says Matthew Green, a cryptography professor at Johns Hopkins University who highlighted previous bugs in Cryptocat and has now also reviewed Kobeissi’s design spec for MiniLock. “Nadim gets a lot of crap,” Green says. “But slighting him over things he did years ago is getting to be pretty unfair.” Green is cautiously optimistic about MiniLock’s security. “I wouldn’t go out and encrypt NSA documents with it right now,” he says. “But it has a nice and simple cryptographic design, with not a lot of places for it to go wrong… This is one that I actually think will take some review, but could be pretty secure.” Kobeissi says he’s also learned lessons from Cryptocat’s failures: MiniLock won’t initially be released in the Chrome Web Store. Instead, he’s making its code available on GitHub for review, and has taken special pains to document how it works in detail for any auditors. “This isn’t my first rodeo,” he says. “[MiniLock’s] openness is designed to show sound programming practice, studied cryptographic design decisions, and to make it easy to evaluate MiniLock for potential bugs.” If MiniLock becomes the first truly idiot-proof public key encryption program, it could bring sophisticated encryption to a broad new audience. “PGP sucks,” Johns Hopkins’ Green says.
“The ability for regular people to encrypt files is actually a valuable thing…[Kobeissi] has stripped away the complexity and made this thing that does what we need it to do.”
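The design the article describes, reduced to its core idea in a worked example added here (this is not MiniLock's own code, and MiniLock's actual key-derivation parameters and curve are not on this page): a passphrase is stretched through a key-derivation function, the result seeds a deterministic key pair, and the base64-encoded 32-byte public key becomes a 44-character ID that can be pasted anywhere. Because the salt is a constant built into the program, the same passphrase yields the same identity on any computer, which is exactly why no key file needs to be carried around, and exactly why the passphrase is the only secret and must be strong. Assumptions labelled in the code: Ed25519 from the Go standard library stands in for the elliptic curve used by the real tool, PBKDF2-HMAC-SHA256 (written out, since it is a few lines) stands in for whatever slower derivation a production tool would choose, and the 30-character minimum is an illustrative policy taken from the article's description, not the project's actual rule.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrWeakPassphrase: the article says MiniLock insists on a strong passphrase of
// up to 30 characters; a 30-character floor is this example's assumed policy.
var ErrWeakPassphrase = errors.New("passphrase must be at least 30 characters")

// demoSalt is a constant, not a per-user value: a constant salt is what makes
// the identity portable across machines. It buys no protection against guessing,
// so passphrase strength and KDF cost carry the whole load.
const demoSalt = "minilock-style-demo-constant-salt"

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out here so the
// example has no dependencies. It stands in for a memory-hard KDF.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveIdentity turns a passphrase into a deterministic Ed25519 key pair. The
// base64 public key is the shareable ID: 32 bytes encode to exactly 44 characters.
// The private key exists only in memory for the session; nothing is stored.
func DeriveIdentity(passphrase string) (id string, priv ed25519.PrivateKey, err error) {
	if len([]rune(passphrase)) < 30 {
		return "", nil, ErrWeakPassphrase
	}
	seed := pbkdf2SHA256([]byte(passphrase), []byte(demoSalt), 100_000, ed25519.SeedSize)
	priv = ed25519.NewKeyFromSeed(seed)
	id = base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	return id, priv, nil
}

// VerifyFromID checks a signature using nothing but the sender's 44-character ID,
// which is all a correspondent ever needs to hold. Malformed IDs are rejected.
func VerifyFromID(id string, msg, sig []byte) bool {
	pub, err := base64.StdEncoding.DecodeString(id)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

func main() {
	// Constructed passphrase for the demo; in practice it is typed each session.
	pass := "correct horse battery staple, and then some more words"
	id, priv, err := DeriveIdentity(pass)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ID (%d chars): %s\n", len(id), id)

	// Same passphrase on "another machine" yields the same ID.
	id2, _, _ := DeriveIdentity(pass)
	fmt.Println("same identity reproduced:", id == id2)

	msg := []byte("constructed message")
	sig := ed25519.Sign(priv, msg)
	fmt.Println("signature checks against ID alone:", VerifyFromID(id, msg, sig))
}
```

The property worth noticing is the one the article relies on: nothing about the identity is written to disk, so losing or changing the passphrase changes the identity, and there is no recovery path other than remembering it.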

This article originally appeared on Wired.com


Cyber Security Tips

10 Cyber Security Tips from the Federal Communications Commission

The Federal Communications Commission is offering tips to help physician practices and other small businesses improve their cyber security.

1. Train employees in security principles Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cyber security policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.


2. Protect information, computers and networks from cyber attacks Keep "clean machines": having the latest security software, Web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.

3. Provide firewall security for your Internet connection A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either osite or in the cloud.


Work with banks or processors to ensure 6. Control physical access to your computers and create user accounts for each employee Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up

the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

when unattended. Make sure a separate user account is created for each employee and require strong passwords.

9. Limit employee access to data and

Administrative privileges should only be

information, and limit authority to install

given to trusted IT sta and key personnel.

software Do not provide any one employee with

7. Secure your Wi-Fi networks If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi

access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.

10. Passwords and authentication Require employees to use unique passwords and change passwords every three months. Consider implementing

8. Employ best practices on payment cards

multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial


The Unpatchable Malware That Infects USBs Is Now on the Loose

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer. In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable. “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” The two independent security researchers, who declined to name their employer, say that publicly


Never Really Gone: How to Protect Deleted Data From Hackers By Melissa Rudy, September 24, 2014 Takeaway: Deleted data may be more accessible than you think. Here are some ways to keep that data from prying eyes.

It’s a brave new world in this digital era, with more data stored electronically and flowing across the Internet than it would be possible to consume in several lifetimes. For most people, digital is now a way of life - everything from shopping and banking to working, organizing, researching and entertaining is accomplished through an electronic device. Of course, you don’t want all of your digital information shared with the world. Electronic security is essential, and aside from password protection and encryption, data deletion is a common way to remove information that shouldn’t fall into other hands. But did you know that simply deleting files from your hard drive, or emails and Web content through your browser, is not enough to actually get rid of the data? There are tools out there for recovering deleted data at several levels. Some of them, such as forensic computer tools, are used by government and law enforcement agencies for investigation. Others are used by hackers to gain access to sensitive information, resulting in damage and data theft.

Hard Drive Storage: What Happens to "Deleted" Files Most everyone knows that when you "delete" a file on your computer, it doesn’t leave your hard drive. Instead it goes to the trash or recycle bin. But even if you empty the trash folder, those deleted files still reside on your computer. Deleting files from a hard drive only removes the "pointers" that make it easy for you to access the data. The actual data is still stored, and there are several fairly simple ways to access it. If a hacker gains remote access to your hard drive - a very common method for stealing private information - they can use simple file restoration programs to get it all back. This holds true for personal computers, workstations and even discarded equipment whose hard drives have merely had their files deleted.

When You "Delete" Your Emails Another fairly common piece of knowledge is that nothing on the Internet is ever truly gone. Immense caching - a storage system that saves all content and previous versions - through major search engines like Google ensures that the digital collective is preserved constantly. When you delete email messages (and empty your "Trash" folder), it may seem like there’s no way to get that data back, but that isn't entirely true. The good news here is that for the most part, hackers can’t access emails that are deleted permanently from the Trash folder. However, email ISPs keep backup copies of client inboxes, and in some cases these deleted messages can be retrieved, usually through a court order. Hackers typically use other methods to break into email and steal sensitive information, either through phishing scams, cracked passwords or remote access that lets them log into your live account and read through messages.

What About Text Messages? It would seem that deleting text messages works about the same as deleting email, but that often isn’t the case. Today’s cell phones, especially smartphones, are highly sophisticated machines. They have larger hard drives, capable of storing more data - and that includes deleted text messages. Forensic technology is available to recover deleted text messages from phone hard drives. And while cell phone companies claim not to store the contents of text messages, court-ordered subpoenas can still turn up records of texts. As with computers and desktops, cell phone data is never truly gone. And if your phone is stolen, the thief may be able to access deleted texts.

Protecting Your Deleted Data Making deleted data practically inaccessible from hard drives on your computer or smartphone is not an impossible task. It simply requires a few extra steps. For computers, you can use a wiping program that "scrubs" or overwrites all of the unused data spaces on your hard disk where your deleted files used to be. There are several free programs that can accomplish this task. Some of the most popular include CCleaner, Spybot Search & Destroy, Eraser and BleachBit. When it comes to smartphones, the key is to take steps to prevent theft and have precautions in place in case your phone is stolen. Make sure you lock your phone with a strong password that will at least slow down a thief. And have remote wiping capabilities installed so that, if necessary, you can erase the contents of your phone’s hard drive from any computer. Being aware that deleted data is never really gone is an important first step to protecting your sensitive electronic information. Even deleted files can fall into the wrong hands. Take the steps to ensure they don't.
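The "What Happens to Deleted Files" and "Protecting Your Deleted Data" passages above make one mechanical point: an ordinary delete only drops the pointer, and a wiping program closes the gap by overwriting the blocks. The following added example, written for this edition and not taken from the article or from any of the tools it names, models that in Python: a toy block device `ToyDisk` with a directory table, a `carve` scan that finds "deleted" bytes in unallocated blocks the way recovery tools do, and `secure_delete` / `wipe_free_space` that overwrite before freeing; `overwrite_and_unlink` applies the same idea to a real file. The class, the function names and the `PASSWORD=hunter2` sample content are all constructed for the example.

```python
import os
import tempfile

BLOCK_SIZE = 16  # bytes per block in the toy disk; kept tiny so the model is easy to follow


class ToyDisk:
    """A block device plus a directory table, modelling how a filesystem stores files."""

    def __init__(self, n_blocks=8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # unallocated block numbers
        self.directory = {}                 # file name -> list of block numbers (the "pointers")

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        blocks = []
        for chunk in chunks:
            b = self.free.pop(0)
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
            blocks.append(b)
        self.directory[name] = blocks

    def read_file(self, name):
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name]).rstrip(b"\x00")

    def delete(self, name):
        """Ordinary delete: remove the directory entry and mark the blocks free.
        The bytes inside the blocks are not touched."""
        self.free.extend(self.directory.pop(name))

    def carve(self, marker):
        """What a recovery tool does: scan unallocated blocks for recognisable content.
        Returns the block numbers where the marker is still readable."""
        allocated = {b for blocks in self.directory.values() for b in blocks}
        return [i for i, blk in enumerate(self.blocks) if i not in allocated and marker in blk]

    def secure_delete(self, name):
        """Overwrite each block of the file (random bytes, then zeros) before freeing it."""
        for b in self.directory[name]:
            self.blocks[b][:] = os.urandom(BLOCK_SIZE)
            self.blocks[b][:] = bytes(BLOCK_SIZE)
        self.delete(name)

    def wipe_free_space(self):
        """What a free-space 'scrub' does: overwrite every unallocated block."""
        for b in self.free:
            self.blocks[b][:] = bytes(BLOCK_SIZE)


def overwrite_and_unlink(path):
    """Same idea applied to a real file: overwrite its contents in place, sync, then unlink.
    Caveat: on SSDs (wear levelling), copy-on-write or journaling filesystems and cloud-synced
    folders, the old bytes may survive in another physical location."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)


def demo_real_file():
    """Create a throwaway file with constructed content, securely delete it, report the outcome."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"PASSWORD=hunter2 (constructed sample secret)")
    existed = os.path.exists(path)
    overwrite_and_unlink(path)
    return existed, os.path.exists(path)


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("secret.txt", b"PASSWORD=hunter2")
    disk.delete("secret.txt")
    print("after ordinary delete, marker found in blocks:", disk.carve(b"hunter2"))
    disk.wipe_free_space()
    print("after free-space wipe, marker found in blocks:", disk.carve(b"hunter2"))
    print("real file existed before / after secure delete:", demo_real_file())
```

The toy model is faithful to the filesystem logic but a real disk adds a caveat the article does not mention: on SSDs and on copy-on-write or journaling filesystems the overwrite may be written to a fresh physical location while the old bytes remain, which is why whole-disk encryption, with the key destroyed when the device is retired, is the dependable way to make deleted data unrecoverable.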


How mobiles can hack our most sensitive data

Computers housing the world’s most sensitive data are usually “air-gapped” or isolated from the internet. They’re also not connected to other systems that are internet-connected, and their Bluetooth feature is disabled, too. Sometimes, workers are not even allowed to bring mobile phones within range of the computers. All of this is done to keep important data out of the hands of remote hackers. But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines — using radio frequency signals and a mobile phone. The attack recalls a method the NSA has been secretly using for at least six years to siphon data in a similar manner. An NSA catalogue of spy tools leaked online last year describes systems that use radio frequency signals to remotely siphon data from air-gapped machines using transceivers — a combination receiver and transmitter — attached to or embedded in the computer instead of a mobile phone. The spy agency has reportedly used the method in China, Russia and even Iran. But the exact technique for doing this has never been revealed. The researchers in Israel make no claims that theirs is the method used by the NSA, but Dudu Mimran, chief technology officer at the Israeli lab behind the research, acknowledges that if student researchers have discovered a method for using radio signals to extract data from hard-to-reach systems, professionals with more experience and resources likely have discovered it, too. “We are doing research way behind people [like that],” he told WIRED. “The people who are doing that are getting a lot of money and are doing that [full time].” Dubbed “AirHopper” by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici. The attack borrows in part from previous research showing how radio signals can be generated by a computer’s video card. The researchers in Israel have developed malware that exploits this vulnerability by generating radio signals that can transmit modulated data that is then received and decoded by the FM radio receiver built into mobile phones. FM receivers come installed in many mobile phones as an emergency backup, in part, for receiving radio transmissions when the internet and cell networks are down. Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data. The researchers tested two methods for transmitting digital data over audio signals but Audio Frequency-Shift Keying (A-FSK) turned out to be the most effective. “[E]ach letter or character was keyed with different audio frequency,” they note in a paper released last week that describes their technique. “Using less than 40 distinct audio frequencies, we were able to encode simple textual data — both alphabetical and numerical. This method is very effective for transmitting short textual messages such as identifiers, key-stroking, keep-alive messages and notifications.” The data can be picked up by a mobile phone up to 23 feet away and then transmitted over Wi-Fi or a cellular network to an attacker’s command-and-control server.
The victim’s own mobile phone can be used to receive and transmit the stolen data, or an attacker lurking outside an office or lab can use his own phone to pick up the transmission. “With appropriate software, compatible radio signals can be produced by a compromised computer, utilising the electromagnetic radiation associated with the video display adapter,” the researchers write. “This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation.” (Video: “How to leak sensitive data from an isolated computer (air-gap) to a nearby mobile phone – AirHopper”, Cyber Security Labs @ Ben Gurion University.) The researchers note that the chain of attack “is rather complicated,” but it’s not beyond the skills and abilities already seen in advanced attacks conducted by hackers in China and elsewhere. Or by the NSA. Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media. Once one air-gapped machine is infected, the malware can spread to other machines on an air-gapped network. Data can be extracted the same way, though this is more of a challenge. The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive. When the flash drive is then inserted into another computer that’s connected to the internet, the data gets transmitted back to the attackers’ command-and-control center. This method takes time, however, since it requires the attacker to wait until someone inserts a flash drive into the air-gapped machine and carries it to an internet-connected machine. AirHopper, however, doesn’t require repeated action like this once the malware is installed.
An attacker only needs to get their malicious transmitter code onto the targeted machine and then either install the malicious receiver component on the victim’s mobile phone or use the attacker’s own mobile phone in the vicinity of the computer to receive the data and transmit it to the attacker’s command-and-control server. The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it. Although the distance for transmitting data from an infected computer to a mobile phone is limited — due to the limitations of the receiver in phones — attackers could use a stronger portable receiver, set up in a parking lot for example or installed on a drone flying overhead, to pick up data from greater distances. There are other limitations, however. The proof-of-concept test allows for data to be transmitted at only 60 bytes a second — about a line of text per second — which limits the speed and volume at which attackers could siphon data. But Mimran notes that over time, a lot of sensitive data can still be extracted this way. “We can take out whatever we want,” he told WIRED. “That only depends on the malicious software that resides on the computer. If it is a keylogger, then you can take out whatever the user types.” A 100-byte password file takes 8-10 seconds to transmit using their method, and a day’s worth of keystrokes takes up to 14 minutes to transmit this way. But a document just 0.5 megabytes in size can take up to 15 hours to transmit. Extracting documents “would be very slow and it will take a long time,” Mimran acknowledges, “but this [demonstration] is just a proof-of-concept. I guess the bad people can make it more sophisticated.” Indeed, the NSA catalogue of surveillance tools leaked last year, known as the ANT catalogue, describes something called the Cottonmouth-I, a hardware implant that resembles an ordinary USB plug except it has a tiny transceiver, called the HowlerMonkey, embedded in it for extracting data via RF signals.
According to the New York Times, which published additional information about the Cottonmouth-I, the transceiver transmits the stolen data to a briefcase-sized NSA field station or relay station, called the Nightstand, which can be positioned up to eight miles away. Once the data is received by the relay station, it’s further transmitted to the NSA’s Remote Operations Center. Available since 2009, the Cottonmouth-1 is sold in packs of 50 for about $1 million (£63k). This method of data extraction may have been used in Iran to siphon intelligence about the nuclear program there, the Times reports — perhaps in preparation for the Stuxnet attack, which sabotaged computers controlling centrifuges used to enrich uranium gas in Iran. A USB plug, however, requires physical access to a targeted computer in the field or it requires the victim to unwittingly insert the USB plug into the computer before the transmission can occur. An alternative method to this, the leaked document notes, is embedding tiny circuit boards in the targeted computer to do the transmission. One way to compromise the machine would be to intercept new equipment en route to a customer so that it arrives at the victim already equipped to transmit stolen data. According to the document published by the Times, the RF transceiver can also be used to implant malware on a targeted system, not just extract data from it. Radio frequency hacks are difficult to mitigate, short of physically insulating computers and cables to prevent emissions from being picked up by receivers. This may be practical for military and other classified facilities to do, but not for commercial companies that are trying to protect sensitive data from such attacks. Prohibiting mobile phones from work areas will not help, since outside receivers can be used in place of mobile phones to extract data.
“We’re disclosing there is this danger,” Mimran says, “but the biggest problem that we are really working hard on is finding mitigation for that. From preliminary results, it’s not easy.”

This article originally appeared on Wired.com


Hackers Have Figured Out A Major Security Flaw In USB Sticks

A vast number of USB devices — whether they’re USB sticks or keyboards — could now be vulnerable to malware after security researchers published code that spreads itself by hiding in the firmware that controls how USB devices connect to computers. Wired reports that the “BadUSB” vulnerability, first developed by security researchers, has been released online. This means that hackers can now start using it to infect computers. The “good” news is that the vulnerability only comes from one USB manufacturer, Phison of Taiwan. The bad news is that Phison USB sticks can infect any device they’re inserted into, and it’s not clear whether those devices can then go on to infect any other USB device that is plugged into them afterward. Phison does not disclose who it makes USB sticks for — so it’s not yet clear how widespread the problem might be. The vulnerability in USB works by modifying the firmware of USB devices, hiding malicious code in USB sticks and other devices in a way that’s impossible to detect. Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code. According to Wired, the vulnerability is “practically unpatchable.” Once infected, each USB device will infect anything it’s connected to, or any new USB stick coming into it.

Hackers Could Use This To Take Over Your Computer


“BadUSB” can be used to force computers into thinking that a USB device is a keyboard, allowing hackers to type whatever they like on your computer. Alternatively, it can replace legitimate software installed on a computer with a corrupted version that hackers can use to control a computer. Another use for the exploit is monitoring all internet traffic through a computer, allowing a hacker to spy on what you’re doing.

The Manufacturer Denies It’s a Problem The only way to fix the vulnerability would be to completely redesign the way that Phison USB devices are built. Security researchers have already contacted Phison, the specific manufacturer of the USB devices that were found to be vulnerable, but the company “repeatedly denied that the attack was possible.”

The NSA May Have Been Using This Exploit Edward Snowden’s leaks revealed that the NSA possesses a spying device known as “Cottonmouth” that uses a vulnerability in USB to monitor computers and relay information. It’s possible that Cottonmouth works using a similar vulnerability as the discovery outlined above.

It Could Start Spreading Very Quickly The BadUSB malware spreads two ways: From the infected USB device to a computer, and from an infected computer to a USB device. This means that if hackers start infecting people using the malware, it could soon be found around the world.


FREE SECURITY CHECK UPS

Many computer security vendors offer free computer security checks for your computer. Visit a link below to check your computer for known viruses, spyware, and more and discover if your computer is vulnerable to cyber attacks.

AOL Computer Checkup
Audit My PC
avast! Free Antivirus (for PCs)
avast! Mobile Security (for Android)
AVG AntiVirus FREE 2015
Bitdefender
ESET Online Scanner
Kaspersky Virus Scanner
McAfee Security Scan
Microsoft Safety Scanner
nCircle PureCloud Vulnerability Scanner
Norton Security Scan
Panda Security Antivirus Scan
Qualys Browser Check
QualysGuard Malware Protection
Secunia PSI
Sophos Free Security Tools
StopTheHacker Free Application Vulnerability Scan
Symantec Security Scan
Trend Micro HouseCall Virus Scan
Trend Micro Security Assessment
Vipre Internet Security 2013
Webroot Secure Anywhere Antivirus


How to choose a strong password


This article was taken from the December 2014 issue of WIRED magazine.

Brilliant move, using the same password on Gmail, Amazon and that fixie forum! WIRED really enjoyed reading your email and taking over your bank account. Here’s how to stop us.

Use a manager
The best passwords are long strings of letters, numbers and symbols that you can’t remember. You need a tool to keep track — ideally, one you can access from any device. Look for one that not only stores passwords but generates them for you, like 1Password, which works on OSX, Windows, iOS and Android.

Perform an audit
Import all your passwords into your password manager. Search for reused passwords; these are a security risk. Eliminate every repetition. Then search for schemes (such as 1234Google). A hacker — or cracking program — will get past those in seconds. Rate your passwords by strength and change the weak ones.

Search your email
Your inbox is a treasure trove of simply deduced passwords. An easy solution: do a simple search for “password” and delete all of the results returned. Also search for “login” and “username”. This way, even if someone does get into your email, they’ll have a much harder time finding all your accounts.

Take the two-step
Your bank, email, phone, ISP and data-storage accounts are critical. Take extra steps to protect these. If you haven’t done so, set up two-step verification for these. Two-step requires an additional code that’s sent to your phone (the code changes each time). If your bank doesn’t offer two-step, change to one that does.
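The "Perform an audit" step above (find reused passwords, find schemes such as 1234Google, rate by strength) is what a password manager's built-in audit does for you. As an added illustration that is not part of the WIRED article or of 1Password, here is a small Python audit over a constructed vault export; `SAMPLE_VAULT`, the site names and passwords in it, and the functions `audit`, `scheme_hits` and `strength` are all this example's own. It goes a little beyond the article's single "1234Google" example by also flagging keyboard runs, embedded years and common dictionary words.

```python
import re
from collections import defaultdict

# Constructed sample export from a password manager: (site, username, password).
# Every entry here is invented for the example.
SAMPLE_VAULT = [
    ("gmail.com",          "alice",       "Tr0ub4dor&3"),
    ("amazon.com",         "alice",       "Tr0ub4dor&3"),       # same password again
    ("fixieforum.example", "alice_rides", "Tr0ub4dor&3"),       # and again
    ("google.com",         "alice",       "1234Google"),        # scheme: counter + site name
    ("bank.example",       "alice",       "Xq9!vL2#pRw8$zTm"),  # long, random, unique
    ("isp.example",        "alice",       "password1"),         # short dictionary word + digit
]

COMMON_WORDS = ("password", "letmein", "welcome", "qwerty", "123456", "iloveyou")


def site_label(site):
    """'fixieforum.example' -> 'fixieforum': the part of a hostname people reuse in passwords."""
    return site.lower().split("/")[0].split(".")[0]


def scheme_hits(site, pw):
    """Patterns a cracking program tries first: site name, sequential digits, keyboard runs,
    years and the most common words."""
    low = pw.lower()
    hits = []
    if site_label(site) in low:
        hits.append("contains site name")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|7890", pw):
        hits.append("sequential digits")
    if re.search(r"qwert|asdf|zxcv", low):
        hits.append("keyboard run")
    if re.search(r"(?:19|20)\d\d", pw):
        hits.append("contains a year")
    if any(low.startswith(w) for w in COMMON_WORDS):
        hits.append("starts with a common word")
    return hits


def strength(pw):
    """Coarse rating from length and character-class mix; length is what counts most."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) >= 14 and classes >= 3:
        return "strong"
    if len(pw) >= 10 and classes >= 2:
        return "medium"
    return "weak"


def audit(vault):
    """Return {site: [issues]}; an empty list means the entry passed every check."""
    sites_by_pw = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_pw[pw].append(site)
    findings = {}
    for site, _user, pw in vault:
        issues = []
        if len(sites_by_pw[pw]) > 1:
            issues.append("reused on %d sites" % len(sites_by_pw[pw]))
        issues.extend(scheme_hits(site, pw))
        if strength(pw) == "weak":
            issues.append("weak (%d chars)" % len(pw))
        findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT).items():
        print("%-20s %s" % (site, "; ".join(issues) or "ok"))
```

A real audit should also check each password against a breach corpus (the k-anonymity range lookup of Have I Been Pwned allows that without sending the password itself). The strength rating here is deliberately coarse: against an offline cracker, length and randomness matter far more than character-class rules.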


WORKPLACE SECURITY RISK CALCULATOR

Are you unwittingly putting your company at risk? We partnered with our friends at EMC2/RSA (an NCSA Board Member Company) to bring you the Workplace Security Risk Calculator. Do you realize how easily you could compromise your company's security without meaning to? Play our game to find out how some of the things many of us do every day could be exposing your organization to risk. Just answer 12 questions to calculate your workplace security risk score. Discover how behaviors like sharing passwords, or using your computer to check personal emails or download music could make your organization vulnerable to hacking, malware and other attacks.


The Basics of Cloud Computing

What is the cloud?
Cloud computing is receiving a great deal of attention, both in publications and among users, from individuals at home to the U.S. government. Yet it is not always clearly defined. Cloud computing is a subscription-based service where you can obtain networked storage space and computer resources. One way to think of cloud computing is to consider your experience with email. Your email client, if it is Yahoo!, Gmail, Hotmail, and so on, takes care of housing all of the hardware and software necessary to support your personal email account. When you want to access your email you open your web browser, go to the email client, and log in. The most important part of the equation is having internet access. Your email is not housed on your physical computer; you access it through an internet connection, and you can access it anywhere. If you are on a trip, at work, or down the street getting coffee, you can check your email as long as you have access to the internet. Your email is different than software installed on your computer, such as a word processing program. When you create a document using word processing software, that document stays on the device you used to make it unless you physically move it. An email client is similar to how cloud computing works. Except instead of accessing just your email, you can choose what information you have access to within the cloud. For more information please see The NIST Definition of Cloud Computing at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

How can you use the cloud?
The cloud makes it possible for you to access your information from anywhere at any time. While a traditional computer setup requires you to be in the same location as your data storage device, the cloud takes away that step. The cloud removes the need for you to be in the same physical location as the hardware that stores your data. Your cloud provider can both own and house the hardware and software necessary to run your home or business applications. This is especially helpful for businesses that cannot afford the same amount of hardware and storage space as a bigger company. Small companies can store their information in the cloud, removing the cost of purchasing and storing memory devices. Additionally, because you only need to buy the amount of storage space you will use, a business can purchase more space or reduce their subscription as their business grows or as they find they need less storage space. One requirement is that you need to have an internet connection in order to access the cloud. This means that if you want to look at a specific document you have housed in the cloud, you must first establish an internet connection either through a wireless or wired internet or a mobile broadband connection. The benefit is that you can access that same document from wherever you are with any device that can access the internet. These devices could be a desktop, laptop, tablet, or phone. This can also help your business to function more smoothly because anyone who can connect to the internet and your cloud can work on documents, access software, and store data. Imagine picking up your smartphone and downloading a .pdf document to review instead of having to stop by the office to print it or upload it to your laptop. This is the freedom that the cloud can provide for you or your organization.

Types of clouds
There are different types of clouds that you can subscribe to depending on your needs. As a home user or small business owner, you will most likely use public cloud services.
1. Public Cloud - A public cloud can be accessed by any subscriber with an internet connection and access to the cloud space.
2. Private Cloud - A private cloud is established for a specific group or organization and limits access to just that group.
3. Community Cloud - A community cloud is shared among two or more organizations that have similar cloud requirements.
4. Hybrid Cloud - A hybrid cloud is essentially a combination of at least two clouds, where the clouds included are a mixture of public, private, or community.
(Continue Reading) http://www.us-cert.gov/sites/default/files/publications/USCERTCloudComputingHuthCebula.pdf


HIPAA Compliant Cloud Storage

The following list does not constitute an endorsement. It is meant to make you aware of some of the choices available in the market.

CareCloud’s (http://www.carecloud.com/hipaa-compliant-cloud-storage/) cloud-based healthcare software is 100% HIPAA compliant, meeting and exceeding government security standards for data transmission and storage. We protect electronic data against unauthorized retrieval with 256-bit SSL file encryption – twice the level mandated by the government.

Since 2004, Layered Tech (http://www.layeredtech.com/) has been redefining what can and should be expected from a managed services provider. Opening our doors with a range of hosting hardware and software options, Layered Tech saw rapid growth in our first years of operation. Anticipating the industry impacts soon to emerge from virtualization, in 2006 we introduced our innovative cloud hosting and virtualization solution portfolio. With this approach, Layered Tech clients were able to utilize server resources to an extent never before thought possible.

The Final Security Rule is the one part of HIPAA that can apply to the backup and disaster recovery services that Symform (http://www.symform.com/our-solutions/compliance/hipaa-compliance/) offers. The Final Security Rule governs the processes that should be used to keep Protected Health Information (PHI) safe. It requires that Covered Entities–our customers–have sufficient Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI.

Hundreds of thousands of customers have joined the Amazon Web Services (AWS) (http://aws.amazon.com/solutions/awssolutions/) community and use AWS solutions to build their businesses. The AWS cloud computing platform provides the flexibility to build your application, your way, regardless of your use case or industry. You can save time, money, and let AWS manage your infrastructure, without compromising scalability, security, or dependability.


Avoid Getting Hacked

1. Don't trust cloud providers. Do you think that cloud services offer security or privacy by default? Think again, as cloud-storage businesses are in business to make money, and that can lead to business decisions which prioritize information sharing and ease of access over security or privacy concerns. Notably, "Google's services are not secure by default," said security and privacy researcher Christopher Soghoian in a blog post that points to comments made by Google officials that anyone concerned with government surveillance of their documents or communications--such as journalists--shouldn't rely on services like Google Docs just out of the box. But the same goes for anyone who's concerned about the security of information they store at Google, or with any other cloud storage service.

2. Use fake personal data. Mother's maiden name? Name of your favorite pet? Place where you were born? Thanks to the Internet, the personal information that many websites ask you to input--in case they later ever need to verify your identity--can be discovered by motivated online researchers. For example, Mitt Romney's personal Hotmail account was reportedly hacked thanks to the attacker guessing the name of his favorite pet. Accordingly, consider not just using unique passwords for every website that requires a password, but also inputting fake personal data for each one as well. Then use a password manager or password wallet to help track all of this information.

3. Regularly make local backups. Honan said he lost photos, emails, and documents that he'd been storing on his laptop, iPhone, and iPad, because the data existed only there or on cloud services. To prevent this from happening, the related fix is clear: regularly back up to an external hard drive—or, preferably, two. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location," said Honan.

4. Avoid daisy-chaining accounts. Don't link online accounts. Notably, Honan's attacker came gunning for his Twitter account, which by the way was still linked to the Twitter account of Gizmodo, where he'd formerly worked. To get to the Twitter account, the attackers essentially worked backward. "My accounts were daisy-chained together," wrote Honan. "Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc."

5. Consider Google's two-factor authentication system. Per Honan's advice, Google users should employ Google's two-factor authentication system, a.k.a. "two-step authentication." It works by either having Google text a temporary password to a user whenever they attempt to log on to their Google account, or else by using a Google two-factor password generator smartphone app. According to user reviews of the service, however, it's prone to losing tokens, which then requires the user to reauthorize every device or application that's tied to Google. Still, the extra authentication might slow or stop would-be attackers.

6. Disable remote wiping for laptops. Honan's attacker was able to not only remotely wipe his iPhone and iPad, but also his laptop, using the iCloud "Find My Mac" service. But use that type of service with caution, because if breached, it gives attackers inordinate power. "Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect," said Ducklin at Sophos.

7. Press cloud providers for better password practices. In the wake of the hack of Honan's accounts, Wired reported that Amazon and Apple have reportedly discontinued the password-reset practices that Phobia used in his social engineering attack. Apple, for example, has temporarily discontinued password resets by phone, and Amazon has stopped taking new credit card numbers by phone. That's important, because Phobia had added a bogus credit card number to Honan's Amazon account, then later called back and used the bogus credit card number to "verify" that he was Honan. From there, Phobia was able to see the last four digits of Honan's actual credit card number, which he used to validate his identity with Apple technical support, which--together with a billing address (retrieved via a whois lookup of Honan's personal site)--was all he needed to have Apple generate a temporary password, despite his not being able to answer the security questions that Apple had on file.

8. Keep fingers crossed. Unfortunately, the hack of Honan's Apple, Amazon, Google, and Twitter accounts demonstrates that a determined attacker--Phobia told Honan he was only 19--can find ways to circumvent cloud service security. As Soghoian noted in a blog post, the incident offers "a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion-dollar corporations." Thanks to internal customer-service changes made by Amazon and Apple, these types of attacks might be more difficult, but whenever using cloud services, always consider what would be possible if an attacker does manage to gain access to your account.
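The daisy chain in items 4 and 5 can be audited rather than guessed at. The following is an added example, not code from the original article: it models each account's password-reset paths as edges of a graph (the account names and links are a constructed approximation of the Amazon-to-Twitter chain Honan describes), walks the chain from one compromised account, and shows which single account, if protected by two-factor authentication, would have cut the chain short.

```python
"""Recovery-chain audit for a set of online accounts (constructed example).

Each account lists the other accounts whose control lets an attacker reset
its password (recovery email, stored billing details, linked logins). That
is the "daisy chain" the article describes; this script walks it.
"""
from collections import deque

# Constructed model of the chain described in the article:
# Amazon -> Apple ID -> Gmail -> Twitter -> Gizmodo's linked Twitter.
# Values are the accounts that can be used to reset the key account.
RECOVERY_GRAPH = {
    "amazon": [],
    "apple_id": ["amazon"],          # billing details seen at Amazon
    "gmail": ["apple_id"],           # Apple account helped reset Gmail
    "twitter": ["gmail"],            # Gmail was Twitter's recovery address
    "gizmodo_twitter": ["twitter"],  # still linked to the personal account
}


def compromised_from(start, graph, two_factor=frozenset()):
    """Return every account an attacker holding `start` can take over.

    The walk follows reset links outward. Accounts in `two_factor` stop it:
    control of their recovery channel alone no longer resets them.
    """
    taken = {start}
    queue = deque([start])
    while queue:
        held = queue.popleft()
        for account, reset_paths in graph.items():
            if account in taken or account in two_factor:
                continue
            if held in reset_paths:
                taken.add(account)
                queue.append(account)
    return taken


def exposure_of(target, graph, two_factor=frozenset()):
    """Accounts whose compromise would hand an attacker `target`."""
    return {acct for acct in graph
            if target in compromised_from(acct, graph, two_factor)}


def break_points(target, entry, graph):
    """Accounts where enabling two-factor (one at a time) stops an attacker
    who starts at `entry` from ever reaching `target`."""
    return sorted(
        acct for acct in graph
        if acct != entry
        and target not in compromised_from(entry, graph, two_factor={acct})
    )


if __name__ == "__main__":
    print("From Amazon, no 2FA:", sorted(compromised_from("amazon", RECOVERY_GRAPH)))
    print("From Amazon, 2FA on Gmail:",
          sorted(compromised_from("amazon", RECOVERY_GRAPH, two_factor={"gmail"})))
    print("Accounts that expose Twitter:", sorted(exposure_of("twitter", RECOVERY_GRAPH)))
    print("Where 2FA breaks the Amazon->Twitter chain:",
          break_points("twitter", "amazon", RECOVERY_GRAPH))
```

With two-factor on Gmail the walk from Amazon stops at the Apple ID, which is the outcome Honan says might have saved his Twitter account.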


52 IDEAS

1. Display computer security posters.
2. Present computer security briefings.
3. Change your password. Cambie su contraseña. Modifier votre mot de passe.
4. Check for computer viruses. Contrôler la présence du virus.
5. Show computer security videos, films or slides.
6. Protect against static electricity.
7. Modify the logon message on your computer system to notify users that Cyber Security Month is November.
8. Vacuum your computer and the immediate area.
9. Clean the heads on your disk drives or other magnetic media drives.
10. Back up your data (after being certain that it is virus-free).
11. Delete unneeded files.
12. Initiate a computer security poster design contest for next year.
13. Demonstrate computer security software.
14. Publicize existing computer security policy.
15. Issue new and improved computer security policy.
16. Declare an amnesty day for computer security violators who wish to reform.
17. Announce COMPUTER SECURITY DAY in your internal newsletter.
18. Examine the audit files on your computers.
19. Verify that the "Welcome" message that is normally used on your computer is appropriate for your organization.
20. Write-protect all diskettes that are not to be written to.
21. Take the write-protect rings out of the tapes in your library.
22. Verify your inventory of computer applications.
23. Verify your inventory of computer utilities and packaged software.
24. Verify your inventory of computer hardware.
25. Install and inspect power surge protection as appropriate.
26. Install fire/smoke detection and suppression equipment in computer areas.
27. Eliminate dust from computer areas, including chalk dust.
28. Provide dust and water covers for personal and larger computers.
29. Post "No Drinking" and "No Smoking" signs in computer areas.
30. Develop a recovery plan for all computer systems that require one.
31. Verify that passwords are not "posted" and all other keys are secured.
32. Verify that backup power and air conditioning fit your needs.
33. Have a mini training session to provide all computer users with a basic understanding of computer security.
34. Verify that all source code is protected from unauthorized changes.
35. Verify that each computer has a trouble log and that it is being used.
36. Verify that appropriate off-site storage exists and is being used.
37. Remove all unnecessary items such as extra supplies, coat racks, and printouts from the computer room.
38. Select a computer system on which to perform a risk analysis.
39. Begin planning for next year's COMPUTER SECURITY DAY.
40. Change the FORMAT command in DOS to avoid accidental formatting of disks.
41. Protect the computer on your store-and-forward phone message system.
42. Hold a discussion of ethics with computer users.
43. Volunteer to speak about computer security at a local computer club or school.
44. Collect Computer Security Day memorabilia to trade with others.
45. Register and pay for all commercial software that is used on your computer.
46. Register and pay for all shareware that you use regularly.
47. Install all security-related updates to your computer's operating system.
48. Help a computer novice back up their files.
49. Protect all cabin computers from floating droplets of liquid.
50. Plan to attend a computer security meeting or seminar.
51. Consider the privacy aspect of the data on your computer and protect it.
52. Update your anti-virus program.


Emergency Situations: Preparedness, Planning, and Response The Privacy Rule protects individually identifiable health information from uses and disclosures that unnecessarily compromise the privacy of an individual. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. These pages address the release of protected health information for planning or response activities in emergency situations. In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.

Planning

Access an interactive decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use health information about persons with disabilities or others consistent with the Privacy Rule. The tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations. By helping users focus on key Privacy Rule issues, the tool helps users appropriately obtain health information for their public safety activities. The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.

Emergency Preparedness Planning and the Privacy Rule:
Press Release: HHS Announces New HIPAA Privacy Decision Tool for Emergency Preparedness Planning
HIPAA Privacy Rule: Disclosures for Emergency Preparedness - A Decision Tool

Response

In this section, access guidance about sharing patient information under the Privacy Rule in emergency situations, such as to assist patients in receiving the care they need, as well as to assist in disaster relief, public health, and law enforcement efforts.

November 2014 Bulletin: HIPAA Privacy in Emergency Situations [PDF – 30KB]
September 2013 HIPAA Guide for Law Enforcement [PDF – 177KB]
September 2005 Hurricane Katrina Bulletins: Disclosing PHI in Emergency Situations [PDF – 30KB]; Compliance Guidance and Enforcement Statement [PDF – 148KB]

Waivers

If the President declares an emergency or disaster and the Secretary of HHS declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the Privacy Rule. The Privacy Rule remains in effect. The waivers are limited and apply only for limited periods of time.

Frequently Asked Question: HIPAA waiver during a national or public health emergency


Head-controlled smartphone is perfect for the disabled

Shortly after appearing on Israeli television with a new computer game you control merely by moving your head, Oded Ben Dov got a phone call. It came from a complete stranger who just happened to see this TV appearance, and he had a question. "I wasn't sure if it was a prank call or not, but then he started to say some serious stuff," Ben Dov remembers. "So I listened." The man on the other end of the line was Giora Livne, a former Israeli navy commander and electrical power engineer. He'd been quadriplegic for seven years, he explained, which made it impossible to use a smartphone without help. That meant, among other things, seven long years without a private phone call or email or text message — seven years without much privacy at all. Then Livne asked for help. "Could you make a smartphone that I could use?" he asked.

It's taken two years, but Ben Dov has done just that. The Sesame Phone is a smartphone designed specifically for the mobility impaired. It uses computer vision technology to allow someone like Livne to access any app simply by moving his head. The phone is from Sesame Enable, a startup Ben Dov and Livne founded to bring the idea to life, and today the company is launching an Indiegogo campaign to raise the $30,000 needed to continue developing the phone.

Sesame Phone is the latest example of how gesture and facial recognition technology are turning things like smartphones and tablets into vital communication devices for people with special needs. Just last month startup MotionSavvy launched an Indiegogo campaign for a device that translates sign language into spoken word. Many of the companies, like Microsoft and Intel, that have pushed this recognition technology along have done so for the general consumer. They see gesture recognition as a way to make the computing experience more immersive while removing a level of friction between man and machine. Yet all of this work is culminating in entirely new ways for disabled people to interact with gadgets the rest of us take for granted. According to research from the Christopher Reeve Foundation, about six million people are living with some form of paralysis. Of that six million, a little more than two million report having a lot of difficulty moving, while one million of them say they're unable to move at all — and that's just in the US. These are the people Ben Dov wants to help.

Open Sesame

The Sesame Phone is a Google Nexus 5 phone customized to include facial recognition capabilities and a cursor that floats over the home screen, allowing people to click on apps without using their hands. Users open the Sesame Enable app by saying, "Open Sesame," which opens a window that captures key points on the user's face.

Photo caption: CEO Oded Ben Dov with phone user (Sesame Enable)

When the phone has a good read of a user's face, a cursor appears. Turn your head slightly to the right and the cursor moves right. Stop, and a navigation icon appears, allowing you to click, drag, swipe, or exit. During a demo at WIRED's office in Manhattan, Ben Dov made what seemed like a telepathic call to his wife in Israel. I used it to open Chrome, and Ben Dov says one young tester recently used it to play Angry Birds for the first time. "At one point he went into my account and tried purchasing more birds. I was like: 'Hey!'," he says. "It was impossible to take the device away from him."

A Long Way to Go

That said, Ben Dov admits the Sesame Phone has a long way to go. It crashed repeatedly during the demo, and while Livne can use it, the company still needs to ensure the phone works for a variety of disabilities. "One big challenge is making sure it will be accessible to as many people as possible," says Sharon Besser, one of Sesame Enable's investors. The system will have to recognise, for instance, the broad sudden movements of people with cerebral palsy as effectively as the slight, slow movements of people with severe spinal cord injuries. Down the line, Besser says, it will also be important for Sesame Enable to accommodate people with severe ALS, who can't move their heads at all, using vision-tracking technology. Meanwhile, Ben Dov also is working with smartphone manufacturers to integrate Sesame Enable's technology into existing phones. That not only will expand the options that disabled customers have, but it could also bring down the price of the phone, which now costs a hefty $900. In the meantime, he's developed an SDK that other app developers can integrate into their own products. Rovio, for instance, could build face recognition capability right into Angry Birds, so that users could use any phone to control the game with their heads. Ben Dov knows there could be plenty of other applications for technology like this in industries like gaming. And yet, he wants to perfect it with the special needs market first, primarily because of that phone call he got two years ago. "It's a project that's really close to my heart," he says. "Giora's not a family member or anything, but just knowing I have the skills that could help someone like him, it's become a calling."

This article originally appeared on Wired.com


Fake early warning Ebola tools are spreading malware

Cybercriminals are jumping on the Ebola fear-mongering bandwagon by using a fake portal to get the public downloading erroneous products and malware. Anyone tempted to enter ebolawarnings.com into their search bar, please don't. Malwarebytes analyst Jovi Umawing spotted the fake site earlier today, 24 October, and has been tracking its behaviour ever since. According to the analyst, the site cropped up not long after news spread about a New York City doctor, Craig Spencer, who was diagnosed with Ebola after returning from a trip volunteering with Médecins Sans Frontières in Guinea. The malware universe swept into action, taking one of the most Googleable subjects of the moment and constructing a fake "quick fix" to all our fears.

It might look blindingly obvious as a fake to many, but pages like this rely on hitting enough people to get a few mistaken clicks and desired results to benefit from. "The domain name alone will drive people to visit the site and see social pickup," Umawing warned WIRED.co.uk. "We also earlier saw it appearing highly in Google, which will drive traffic. In addition, cybercriminals maintain huge spam lists, so it becomes a numbers game at that point."

When users visit the site, they are presented with a prompt: "Download the Ebola Early Warning System Toolbar to know immediately when a threat is in your area." Currently, there's a low detection rate for the file in security systems (four out of 53), says Umawing, probably "because it is an early stage threat". Malwarebytes' own system detects it but it's investigating the file content further. Once clicked, the interface asks users to install an "ONLY Search" toolbar, with links to its privacy policy and other admin notices. It is, says Umawing, "seemingly a fake search tool, displaying affiliate sites as opposed to anything useful".

If users get this far and click agree, they are presented with other options including yet more scaremongering products — such as filter tools to protect kids from adult material. "Unfortunately we commonly see malware and unwanted programs bundled together around hot topics such as safety and personal threats," said Umawing. "Keeping your children safe is unfortunately just another fear lever that criminals pull to convince people to engage with their products." If the programs are installed, Umawing has recorded that all default search pages switch to "ONLY Search"; affiliate sites open every time a new tab is opened; and more browser windows open to prompt users to install yet more programs. The result is a slower machine, shortcut files created on the user's desktop and, of course, zero sign of a wishful-thinking "Ebola Early Warning System toolbar".

These types of tools are, of course, in development. Wired.co.uk wrote about an attempt by one doctor to launch an SMS system that records symptoms texted into a support network, to help medical institutions and local governments maximise resources and spot the next outbreak location. Unfortunately, this sting plays on the desire for systems like that to spring into existence today. As with operations Malwarebytes has identified in previous years, the trend for playing on fears and morbid curiosity on social media is driving these types of ploys. "People will come across this site in the usual variety of ways, which nefarious individuals use to drive traffic to their site, through social media, spam and other human engineering," Umawing tells us. "The fact that it plays on Ebola will unfortunately convince more people to engage with it, using their fears against them."


Bioprinted blood vessels pave way to organs-on-demand

Photo: 3D Printing at BWH (BWH Public Affairs)

Researchers believe that we may be one step closer to being able to use 3D-printed tissue in organ transplant surgery. Over the last year or so we've seen a remarkable number of situations in which 3D printing technology has been deployed in the medical world, including the bioprinting of liver tissue. One problem that has yet to be overcome though is the vascularisation of printed organs — that is, making sure that the cells within any tissue are connected to the blood supply so that the organs are capable of surviving on a long-term basis.

Researchers from Harvard, MIT, Stanford and the University of Sydney have been working together to try to find a solution that will allow them to overcome this hurdle and eventually create organs grown from patient stem cells that can be successfully transplanted into their own bodies. The University of Sydney has now announced that the research has led to the bioprinting of artificial vascular networks that mimic those found within the human body's circulatory system, bringing hope that eventually physicians will be able to print fully working organs on-demand. The deficit of transplantable organs causes thousands of deaths that could otherwise be averted every year, and others are subjected to invasive surgery involving the removal of tissue or entire organs due to cancer or injury.

"Imagine being able to walk into a hospital and have a full organ printed — or bioprinted, as we call it — with all the cells, proteins and blood vessels in the right place, simply by pushing the 'print' button in your computer screen," says University of Sydney researcher, Luiz Bertassoni. "We are still far away from that, but our research is addressing exactly that. Our finding is an important new step towards achieving these goals."

Currently the research teams are printing prototype systems and focussing on the challenge of growing an adequate network of blood vessels and capillaries capable of servicing large organs. "To illustrate the scale and complexity of the bioengineering challenge we face, consider that every cell in the body is just a hair's width from a supply of oxygenated blood," says Bertassoni. "Replicating the complexity of these networks has been a stumbling block preventing tissue engineering from becoming a real world clinical application."

Already though, the team has managed to fabricate a multitude of interconnected fibres using a bioprinter. These fibres serve as a mould for the artificial blood vessels, and the printed structure is completely covered in a cell-rich protein-based material. This is solidified using light before the printed fibres are removed. What is left behind is a network of tiny channels covered with endothelial cells — the cells that line the interior surface of all blood and lymphatic vessels in the human body. Within a week, the cells had self-organised to form stable blood capillaries and a subsequent study has shown that these bioprinted networks promote significantly better cell survival, differentiation and proliferation than had previously been possible.

"While recreating little parts of tissues in the lab is something that we have already been able to do, the possibility of printing three-dimensional tissues with functional blood capillaries in the blink of an eye is a game changer," says Bertassoni. "Of course, simplified regenerative materials have long been available, but true regeneration of complex and functional organs is what doctors really want and patients really need, and this is the objective of our work."


Web GLOSSARY Avatar—a personalized graphic file or rendering that represents a computer user or user’s alter ego, often used on Web exchange boards and in online gaming; can be a real-life digital photo, but is more often a graphical representation. App—a web application, accessed over the Internet, for a mobile device (e.g., smartphone, tablet) that works much like user-installed software on a computer allowing the device to perform specific tasks. Bandwidth –also called “data transfer rate,” the amount of data that can be carried online from one point to another in a given time period, usually expressed in bits (of data) per second (bps) or bytes per second (Bps). Dial-up Internet accounts, which use a standard telephone line to connect to an Internet Service Provider (ISP), have a very narrow bandwidth (about 50 Kbps or 50,000 bits per second) and take a long time to download data. A broadband Internet account can move data at anywhere from 128 Kbps to 2,000 Kbps or more and can download large files, such as video files, much faster. Blog—from “web log,” a regularly updated personal journal, conversation, commentary, or news forum on virtually any topic that is published on the Web and may include text, hypertext, images, and links; typically displayed in reverse chronological order, blog posts invite comments from readers creating online communities of individuals with shared interests over time; updating a blog is “blogging,” someone who keeps a blog is a “blogger,” and blog entries are called “posts.” Botnet—a network of private computers, each of which is called a “bot,” infected with malicious software (malware) and controlled as a group without the owners' knowledge for nefarious and, often, criminal purposes; computers are typically infected when users open up an infected attachment or visit an infected website. Browser—short for Web browser, a software application that locates, retrieves, and displays information resources on the World Wide Web. 
An information resource is identified by a URL (Uniform Resource Locator), and may be a web page, image, video, or other piece of content. Popular browsers include Microsoft Internet Explorer, Firefox, Google Chrome, and Apple Safari. Byte—a unit of digital information commonly consisting of eight “bits” (a binary unit and the smallest increment of computer data) used as a measurement of computer memory size and storage capacity (usually in terms of MBs or “megabytes,” and GBs or “gigabytes”). Bits and bit rates (bits over time, as in bits per second [bps]) are also commonly used to describe connection speeds. (See bandwidth.) Cloud computing—a technology that uses the Internet and remote servers to maintain data and applications, allowing users to access applications without installation and access to their personal files from any computer with Internet


installation and access to their personal files from any computer with Internet access; centralizes storage, memory, processing, and bandwidth; examples include Yahoo email or Gmail with the software managed by the cloud service providers Yahoo and Google. Computer virus—a software program that is designed to replicate itself, spread from one computer to another, and interfere with computer operation; a computer virus may corrupt or delete data on a user’s computer, use an email program to spread itself to other computers, or even erase everything on a user’s hard disk. Computer viruses can be spread by attachments in email messages or instant messaging messages; disguised as attachments of images, greeting cards, or audio and video files, and hidden in illicit software or programs that are downloaded to a computer. Cookie—also referred to as an “HTTP cookie,” is a small text file that contains a unique ID tag placed on the user’s computer by a Web site to track pages visited on the site and other information; “tracking cookies” and “third-party tracking cookies” are used to compile long-term records of individuals’ browsing histories. CPU—the central processing unit, the “brain” of the computer, is the hardware within a computer system that carries out the instructions of a computer program by performing the basic arithmetic, logic, and other operations of the system; on personal computers, the CPU is housed in a single chip called a “microprocessor.” Cyberbullying—bullying that takes place using electronic technology, including the Internet, and related technologies to harm other people, in a deliberate, repeated, and hostile manner; may involve text messages or emails, rumors sent by email or posted on social networking sites, and embarrassing pictures, videos, Web sites, or fake profiles. 
Cyberstalking—a criminal offense that involves using the Internet or other technology to stalk or harass an individual, a group of individuals, or an organization; it may include false accusations, monitoring, making threats, identity theft, damage to data or equipment, or harassment. Cyberspace—the global network of interdependent information technology infrastructures, telecommunications networks, and computer processing systems; a metaphor for describing the non-physical terrain created by computer systems, it has come to mean anything associated with the Internet and the diverse Internet culture. Content management system—a software system that allows website publishing, editing, content storage and modification, database management, and site maintenance from a central Web page; allows multiple users with little knowledge of web programming or markup languages may collaborate to create and manage website content with relative ease. Computer actions: Clicking—to tap on a mouse button, press it down, and immediate releasing it;


Clicking—to tap on a mouse button, press it down, and immediate releasing it; to click on means to select a computer screen object by moving the mouse pointer to the object’s position and clicking a mouse button; some operations require a double click, clicking a mouse button twice in rapid succession. Downloading—the transmission of a file from one computer system to another; to download a file is to request it from one computer (or from a Web page) and to receive it on another computer. Uploading is the transmission of a file in the other direction, from one computer to another. Posting—to publish a message in an online forum, such as a blog, or newsgroup; a post is a message published in an online forum or newsgroup. Logon—also called logging in or on, the process used to get access to an operating system or application; most logon procedures require a user to have a user ID and a password. Denial of Service Attack—type of online computer attack designed to deprive user or groups of users normally accessible online services; generally involves effort by hackers to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Digital—term commonly used in computing and electronics, describes any system in which data is converted to binary numeric form as in digital audio and digital photography; computers are digital machines because at their most basic level they can distinguish between just two values, 0 and 1, or off and on. All data that a computer processes must be encoded digitally as a series of zeroes and ones. The opposite of digital is analog; a typical analog device is a clock in which the hands move continuously around the face. 
Digital Signature—an electronic signature, produced with the signer's private key and checked with the matching public key, that authenticates the identity of the sender of a message or the signer of a document; because the check fails if even one byte of the content changes, it also shows that the message or document has not been altered since it was signed; often used for software distribution, financial transactions, and other cases where it is important to detect forgery or tampering.
Domain Name System (DNS)—a distributed database system that translates Internet domain and host names to IP addresses; DNS automatically converts the name typed into a Web browser address bar to the IP address of the Web server hosting that site.
E-book reader—a portable electronic device designed primarily for reading digital books and periodicals.
Email—short for electronic mail, the transmission of digital messages over communications networks, including the Internet; a message consists of three components: the message envelope, the message header, and the message body. The "From" line in the header is written by the sender and can be forged, which is why it cannot by itself be trusted to identify who really sent a message.
Encryption—the conversion of digital information into a format unreadable to anyone except those possessing a "key" with which the encrypted information is converted back into its original form (decryption), making it readable again; the protection rests on keeping the key secret, not on keeping the method secret.
Firewall—software or hardware that checks information coming into a computer from the Internet or an external network and either blocks the transmission or allows it to pass, depending on pre-set rules; it reduces the computer's exposure to attackers and malicious software but does not replace patching and up-to-date security software; often included in computer operating systems.
Geotagging—the process of adding a geographical location, or label, to photographs, videos, websites, SMS messages, QR Codes, or RSS feeds; a geotag usually consists of latitude and longitude coordinates, altitude, distance, place names, and other details about the origin of the media being tagged, helping users find location-specific information online; it is also a privacy concern, because a photo shared online may reveal exactly where it was taken.
Global Positioning System (GPS)—a space-based satellite navigation system that provides positioning, navigation, and timing/distance information; maintained by the United States government and freely accessible to anyone with a GPS receiver.
Hardware—specifically, computer hardware, the collection of physical elements that make up a computer system, including the CPU, monitor, keyboard, hard disk, and printer. In contrast, software (specifically, computer software) is the collection of computer programs, procedures, algorithms, and their documentation that tells a computer what to do and how to do it.
Hashtag—a word or phrase prefixed with the symbol # (the pound sign); used to mark keywords or topics in a Tweet or on another social networking service.
Hyperlink—an element in an electronic document that links to another place in the same document or to an entirely different document; typically, you click on the hyperlink to follow the link. Hypertext is text with hyperlinks.
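The Digital Signature and Encryption entries above describe two different guarantees: a signature proves who produced a message and that it was not altered, while encryption keeps its content unreadable without the key. The following example, added here for illustration and not taken from the eMagazine, shows both with Go's standard library: an Ed25519 signature that stops verifying when one character of the message changes, and AES-256-GCM encryption that refuses to decrypt with the wrong key or after the ciphertext has been tampered with. The message, key and account number are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignMessage produces a signature over msg with the signer's private key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage returns true only for an unmodified message and a genuine
// signature checked against the matching public key.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random nonce is generated
// for every message and prepended to the output; GCM also appends an
// authentication tag, so any change to the ciphertext is detected on decrypt.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong, the data
// is too short to hold a nonce, or the ciphertext was modified.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("Transfer $100 to account 1234") // constructed sample message
	sig := SignMessage(priv, msg)
	fmt.Println("genuine message verifies:", VerifyMessage(pub, msg, sig))
	tampered := []byte("Transfer $900 to account 1234")
	fmt.Println("tampered message verifies:", VerifyMessage(pub, tampered, sig))

	key := make([]byte, 32) // 256-bit key; in practice kept in a key store
	rand.Read(key)
	ct, _ := Encrypt(key, msg)
	pt, _ := Decrypt(key, ct)
	fmt.Printf("decrypted with the right key: %q\n", pt)
	_, err := Decrypt(make([]byte, 32), ct) // all-zero key stands in for a wrong key
	fmt.Println("decrypt with wrong key fails:", err != nil)
	ct[len(ct)-1] ^= 0x01 // flip one bit of the ciphertext
	_, err = Decrypt(key, ct)
	fmt.Println("decrypt of tampered ciphertext fails:", err != nil)
}
```

Run with `go run`. The signature check and the GCM tag are what give "detect forgery or tampering" its teeth; a plain checksum would not, because an attacker who can change the data can recompute the checksum.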
HTML—HyperText Markup Language is the main markup language for displaying web pages and other information in a web browser; HTML elements, the building blocks of all Web sites, consist of tags enclosed in angle brackets; browsers do not display the HTML tags but use them as instructions about the appearance and structure of the page.
HTTP—Hypertext Transfer Protocol, the foundation of data communication for the World Wide Web, defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a URL is entered into a browser, an HTTP request is sent to the Web server directing it to retrieve and transmit the requested Web page. Plain HTTP carries no encryption, so anyone between the browser and the server can read or alter the exchange.
HTTPS—Hypertext Transfer Protocol Secure, HTTP carried over TLS: the browser checks the server's certificate to confirm it is talking to the right site, and the traffic between them is encrypted; used by financial and online commerce Web sites to protect private information in transit. The padlock in the address bar means the connection is encrypted, not that the site itself is trustworthy.
IP Address—a unique identifier in the form of a numerical label assigned to each device, such as a personal computer or server, participating in a network, such as the Internet.
Intellectual property—usually governed by patent, trademark, and copyright law, a set of rights recognized for the owners of various property (e.g., machines, musical, literary and artistic works, discoveries and inventions, and applications); its applicability to the digital realm is a hotly contested area of the law.
Internet—a worldwide collection of computer networks that use the standard Internet Protocol Suite to serve billions of users interconnected by a broad array of electronic, wireless, and optical networking technologies; the Internet carries an extensive range of information resources and services, including the inter-linked hypertext documents of the World Wide Web and the infrastructure that supports email.
Internet Service Provider (ISP)—an organization, usually a private business, that gives personal and business computers access to the Internet; users usually pay a monthly fee to an ISP for this service.
Keylogger—software (or a small hardware device) that tracks, or logs, the keys struck on a computer keyboard; the practice is called keylogging or keystroke logging. A keylogger usually runs hidden in the background and records every keystroke, including passwords and card numbers, so that users are unaware that their actions are being monitored.
Keyword—in computer programming, a word or identifier that has a particular meaning to the programming language; also a term that captures the essence of the topic of a document and is used by a search engine to retrieve online documents related to that term or terms.
JPEG—a standard method of compressing photographic images for storing and transmitting on the World Wide Web; JPEG is also the file format that employs this compression (with the file extensions .JPEG, .JFIF, .JPE, .JPG); the term is an acronym for Joint Photographic Experts Group, which created the standard.
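The HTTP entry above says the protocol defines how messages are formatted; the easiest way to see that format is to write a request by hand and look at the raw reply. The following Go program is an added example for this glossary, not code from the eMagazine: it starts a throwaway local web server (constructed for the example, so nothing leaves the machine), sends a minimal HTTP/1.1 GET over a plain TCP socket, and returns the exact bytes that went each way. Every byte is readable text, which is the point of the HTTPS entry: without TLS, anyone on the path sees and can change all of it.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewDemoServer starts a local HTTP server that answers every request with a
// short text body. It stands in for a real web server so the exchange can be
// shown offline. (Constructed for this example.)
func NewDemoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintf(w, "hello from %s", r.URL.Path)
	}))
}

// RawGet opens a TCP connection to hostPort, writes a minimal HTTP/1.1 GET
// request by hand, and returns the exact bytes sent and received.
func RawGet(hostPort, path string) (request string, response []byte, err error) {
	conn, err := net.Dial("tcp", hostPort)
	if err != nil {
		return "", nil, err
	}
	defer conn.Close()
	request = "GET " + path + " HTTP/1.1\r\n" + // request line: method, path, version
		"Host: " + hostPort + "\r\n" + // required header in HTTP/1.1
		"Connection: close\r\n" + // ask the server to close after one response
		"\r\n" // an empty line ends the header section
	if _, err = io.WriteString(conn, request); err != nil {
		return "", nil, err
	}
	response, err = io.ReadAll(conn) // read until the server closes the socket
	return request, response, err
}

// ParseResponse turns the raw response bytes back into a status code and body
// using the standard library's HTTP parser.
func ParseResponse(raw []byte) (status int, body string, err error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(b), nil
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	hostPort := strings.TrimPrefix(srv.URL, "http://")
	req, raw, err := RawGet(hostPort, "/index.html")
	if err != nil {
		panic(err)
	}
	fmt.Print("--- request as sent ---\n", req)
	fmt.Print("--- response as received ---\n", string(raw), "\n")
	status, body, _ := ParseResponse(raw)
	fmt.Println("status:", status, "body:", body)
}
```

The response starts with a status line (`HTTP/1.1 200 OK`), then headers, then an empty line, then the body, mirroring the request. Point the same `RawGet` at a real HTTPS site and it fails, because the server expects a TLS handshake before any HTTP bytes.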
Laptop—a personal computer for mobile use that integrates most of the typical components of a desktop computer (i.e., display, keyboard, touchpad); sometimes called notebook computers, notebooks, or netbooks.
Malware—short for malicious software, software that disrupts or damages a computer's operation, gathers sensitive or private information, or gains access to private computer systems; includes botnets, viruses, worms, Trojans, keyloggers, spyware, adware, and rootkits.
Botnet—a network of private computers, each called a "bot," infected with malware and controlled as a group without the owners' knowledge for nefarious and often criminal purposes, such as sending spam or launching denial of service attacks.
Virus—a type of malware that attaches itself to other programs or files and spreads when those files are copied, shared, or run, infecting further computers along the way.
Worm—a type of malware that copies itself from one computer to another over a network without any action by the user, often by exploiting a flaw in a network service; unlike a virus it does not need a host file to spread.
Trojan—a type of malware disguised as, or hidden inside, a legitimate program; once run, it typically gives an unauthorized user remote access to the computer.
Spyware—a type of malware that quietly sends information about a user's browsing and computing habits back to a server that gathers and saves the data.
Adware—software that displays advertisements, often as pop-ups, on a computer system; when installed without consent it is treated as malware, and it may also track browsing and redirect the user's Internet browsing.
Rootkit—a type of malware built to hide its own presence, and that of other malicious software, by altering the operating system or security tools so that they no longer report the intruder's files, processes, or network connections; it usually keeps a permanent "back door" open for the attacker and can be very hard to detect and remove once installed.
Mobile device—also called a handheld, handheld device, or handheld computer, a small computing device, typically having a display screen with touch input or a miniature keyboard; the most common types are smartphones, PDAs, pagers, and personal navigation devices.
Modem—an electronic device that converts a computer's digital signals into specific frequencies to travel over telephone or cable television lines; computers use modems to communicate with one another over a network; often used to link home computers to the Internet through an Internet Service Provider.
Network—also called a computer network, a collection of computers interconnected by communication channels that allow sharing of resources (hardware, data, and software) and information; the most common is the local area network or LAN, anywhere from a few computers in a small office to several thousand computers spread through dozens of buildings; a wide area network or WAN connects computers across multiple geographic locations, even on different continents.
Online gaming—any type of game played through the Internet, over a computer network, or on a video game console (e.g., Xbox 360 and PlayStation 3); usually refers to video games played over the Internet, where multiple players are in different geographic locations.
Open source software—software often developed and distributed to users at no cost in a public, collaborative manner; its license permits users to study, change, improve, and at times also redistribute the software.
Operating system—the software that manages a computer's hardware and provides the platform on which other programs, called application programs, run.
PDF—developed by Adobe Systems, the Portable Document Format is a self-contained, cross-platform document format: files look the same on screen and in print regardless of the computer, printer, or software used to create them. PDF files can carry scripts and embedded files, so attachments from unknown senders should be opened with the same care as executable programs.
Personal computer (PC)—any general-purpose computer whose size, capabilities, and cost make it useful for individuals; PC software applications include, but are not limited to, word processing, spreadsheets, databases, Web browsers, email, and games; may be a desktop computer, laptop, tablet, or handheld PC. The term PC has traditionally been used to describe an "IBM-compatible" personal computer, in contrast to an Apple Macintosh computer.
Phishing—sending emails that attempt to fraudulently acquire personal information, such as usernames, passwords, social security numbers, and credit card numbers, by masquerading as a trustworthy entity, such as a popular social website, financial site, or online payment processor; often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Plug-ins—sometimes called add-ons, software modules that add functionality to an application; commonly used in web browsers to play video, scan for viruses, and display new file types; well-known examples include Adobe Flash Player, QuickTime, and Microsoft Silverlight. Because plug-ins run with the browser's privileges and are frequent targets of attackers, they should be kept updated and removed when not needed.
Podcast—an audio digital file received from the Internet and then downloaded and synced to a portable media player or computer; files are received by subscribing to a podcast feed (sometimes called an RSS feed); the term combines "broadcast" and "pod" from the success of the iPod, although podcasts can be listened to on any portable media player.
Pop-ups—or pop-up ads, a form of online advertising on the World Wide Web intended to attract web traffic or capture email addresses; created by advertisers, pop-ups generally appear unexpectedly in a small web browser window when a user is linking to a new Web site.
Pop-up blockers—a web browser feature, software, or application that allows users to limit or block pop-up ads; users may often set the preferred level of blocking, from total blocking to minimal blocking.
RSS—Really Simple Syndication is a family of web feed formats used to publish frequently updated works, such as blog entries, news headlines, audio, and video, in a standardized format; users subscribe to RSS feeds, which automatically deliver new content to those who have signed up for the feeds.
Search engine—a program that searches documents for specified keywords and returns a list of the documents where the keywords were found; often used to describe systems, including Google, Bing, and Yahoo! Search, that enable users to search for documents on the World Wide Web.
Security software—a generic term for any computer program that protects a computer system or computer network; the most common types are antivirus (anti-malware) software and software that removes adware and spyware, both of which require regular updating of their detection data to remain effective.
Server—a computer program or physical computer that serves other computers over a local network or the Internet; network servers typically are configured with additional processing, memory, and storage capacity; specific to the Web, a Web server is a computer program (housed in a computer) that serves requested HTML pages or files.
SMTP—Simple Mail Transfer Protocol is the protocol for sending email messages between mail servers.
Smart phone—a handheld device built on a mobile computing platform that typically features a digital camera, video camera, Global Positioning System (GPS), e-mail, and all the features of a standard cell phone; usually equipped with a high-definition touchscreen and sometimes a miniature keyboard, a smartphone allows downloading of apps for a wide range of uses.
Social networking—using Internet-based tools that allow people to listen, interact, engage, and collaborate with each other; popular social networking platforms include Facebook, MySpace, YouTube, LinkedIn, and Twitter.
Software—specifically, computer software, the collection of computer programs, procedures, algorithms, and their documentation that tells a computer what to do and how to do it. In contrast, hardware (specifically, computer hardware) is the collection of physical elements that make up a computer system, including the CPU, monitor, keyboard, hard disk, and printer.
Spam—the use of electronic messaging systems to send unsolicited bulk messages (usually advertising or other irrelevant posts) to large lists of email addresses indiscriminately.
Spyware—a type of malware (malicious software) installed on computers that collects information about users without their knowledge; it can collect Internet surfing habits, user logins and passwords, bank or credit account information, and other data entered into a computer; often difficult to remove, it can also change a computer's configuration, resulting in slow Internet connection speeds, a surge in pop-up advertisements, and unauthorized changes to browser settings or to the functionality of other software.
SQL—Structured Query Language, a special-purpose programming language designed for managing data in relational database management systems.
TLS—Transport Layer Security (and its predecessor, Secure Sockets Layer or SSL) are cryptographic protocols that provide communication security over the Internet; TLS is what puts the "S" in HTTPS. The SSL versions are obsolete and should no longer be enabled on servers or clients.
Sexting—the act of sending sexually explicit messages or photographs, primarily between mobile phones.
Syncing—the process of keeping files, contacts, or other data consistent between two devices (e.g., a smartphone and a personal computer) by copying changes from one to the other over a cable, a local network, or the Internet, often through a cloud service.
Tablet Computer—a kind of mobile computer, larger than a mobile phone or personal digital assistant, usually having a flat touchscreen or pen-enabled interface.
Twitter—an online social networking service that enables users to send and read text-based posts of up to 140 characters, known as "tweets."
URL—the Uniform Resource Locator is the global address of documents and other resources on the World Wide Web; a URL contains the name of the protocol to be used to access the resource, a domain name that identifies a specific computer or server on the Internet, and a pathname, a hierarchical description that specifies the location of a file on that computer or server.
USB Flash Drive—also called a jump drive or thumb drive, a data storage device that is typically removable (plugged into a USB/Universal Serial Bus port on a personal computer) and rewritable, and physically much smaller than a floppy disk.
USB Port—Universal Serial Bus port, a single, standardized way to connect devices (modems, printers, scanners, digital cameras, etc.) to a personal computer.
Virtual reality—an artificial environment created with computer software that can simulate physical presence in places in the real world, as well as in imaginary worlds, primarily through sight and sound; may range from a three-dimensional image that can be explored interactively at a personal computer to more sophisticated approaches involving wrap-around display screens, rooms with wearable computers, and devices that let you feel the displayed images.
Voice chat—a modern form of communication using the Internet through services such as Skype, Yahoo! Messenger, AOL Instant Messenger, or Windows Live Messenger.
VoIP—Voice over Internet Protocol, a technology that allows voice calls using a broadband Internet connection instead of a regular (or analog) phone line.
Wi-Fi—a technology that allows an electronic device (personal computer, video game console, smartphone, tablet, digital audio player) to exchange data wirelessly (using radio waves) over a computer network.
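The URL entry above lists the protocol, domain name and pathname; the Phishing entry describes links that lead to a look-alike site. The two meet in the URL's user-info field, which may appear between `://` and an `@`: browsers send the request to the host after the `@`, while many readers only notice the familiar name in front of it. The following Go program, added here as an example and not part of the eMagazine, splits a URL into its parts with the standard library and flags links whose user-info looks like a host name. The sample links and the `LooksLikeHostSpoof` heuristic are constructed for this example; the `203.0.113.5` address is from the range reserved for documentation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// URLParts holds the components named in the glossary entry, plus the
// user-info field that look-alike links abuse.
type URLParts struct {
	Scheme   string // protocol, e.g. "https"
	UserInfo string // text before "@", if any; most web servers ignore it
	Host     string // the computer that will actually be contacted
	Path     string // location of the file on that server
}

// SplitURL parses raw and returns its parts. Host comes from u.Hostname(),
// which is what the browser connects to, regardless of what precedes "@".
func SplitURL(raw string) (URLParts, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return URLParts{}, err
	}
	p := URLParts{Scheme: u.Scheme, Host: u.Hostname(), Path: u.Path}
	if u.User != nil {
		p.UserInfo = u.User.String()
	}
	return p, nil
}

// LooksLikeHostSpoof reports whether the URL carries user-info that itself
// looks like a domain name (contains a dot), the classic way to make a link
// appear to point at a trusted site while contacting a different server.
// This is a simple heuristic written for this example, not a complete check.
func LooksLikeHostSpoof(raw string) bool {
	p, err := SplitURL(raw)
	if err != nil {
		return false
	}
	return strings.Contains(p.UserInfo, ".")
}

func main() {
	samples := []string{ // constructed sample links
		"https://www.example.com/docs/index.html",
		"https://www.bank.example@203.0.113.5/login",
		"ftp://files.example.org/pub/readme.txt",
	}
	for _, s := range samples {
		p, err := SplitURL(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%s\n  protocol=%s host=%s path=%s", s, p.Scheme, p.Host, p.Path)
		if LooksLikeHostSpoof(s) {
			fmt.Printf("  WARNING: user-info %q is not the host", p.UserInfo)
		}
		fmt.Println()
	}
}
```

When showing a link to a user, or deciding whether to trust one, display and compare the parsed host, never the raw string; the second sample goes to 203.0.113.5, not to the bank.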
Wi-Fi Hotspot—a wireless access point to the Internet or another computer network over a wireless local area network, using a router connected to a link to an Internet service provider; frequently found in coffee shops and other public establishments, a hotspot usually offers Internet access within a range of about 65 feet (20 meters) indoors and a greater range outdoors; many smartphones can establish a Wi-Fi hotspot of their own. Public hotspots are often unencrypted, so other users nearby can read traffic that is not protected by HTTPS or a VPN.
Webcam—a video camera that feeds images in real time to a computer or computer network; can be used to establish video links that let computers act as videophones or videoconference stations; also used for security surveillance, video broadcasting, and social videos (such as many viewed on YouTube).
WWW—the World Wide Web (commonly known as "the Web" or the "Information Superhighway"), a vast collection of linked files accessed over the Internet using a protocol called HTTP (Hypertext Transfer Protocol); the system supports documents formatted in a markup language called HTML (HyperText Markup Language) that supports links to other documents, as well as graphics, audio, and video files. With an Internet "web browser," one can view "web pages" that may contain text, images, video, and other multimedia, and "navigate" between them via "hyperlinks." The World Wide Web is not synonymous with the Internet; the WWW is just one of many applications of the Internet and computer networks.
Web server—computer hardware and software that runs a website and is always connected to the Internet; using HTTP (Hypertext Transfer Protocol), a Web server delivers Web pages to browsers and other data files to Web-based applications; every Web server has an IP address and often a domain name.
Website—a collection of specially formatted, related Web files (or pages) on a particular subject or organization that are stored on a computer known as a web server and accessible through a network such as the Internet; includes a beginning file called a home page; a web page can contain any type of content, including text, color, graphics, animation, and sound.
ZIP—a file format used for data compression and archiving; a zip file contains one or more files that have been compressed to make the total considerably smaller than the originals; zipped files carry a .zip extension; zipping can significantly reduce e-mail transmission time and save storage space. Because a zip can hold executable files, attachments of this kind are a common way of delivering malware by email.
