Friday, April 30, 2010

Healthcare Not Up To Task Of Securing Electronic Medical Records, Experts Say

Ericka Chickowski writes on Dark Reading:

As healthcare organizations work to earn the incentives dangled in front of them by the HITECH Act, the adoption of electronic medical records (EMR) has accelerated. But at the same time, healthcare fraud has also risen, and experts say if organizations don't effectively address data and database protection in healthcare's transition from paper to digital record-keeping, the threats to patient confidentiality and organizational security will skyrocket.

Two surveys in recent months punctuate the security pundits' warnings. The first, a survey conducted by SK&A in February, showed that the adoption rate of EMRs within U.S. medical offices in the past year rose by more than three percentage points, to 36.1 percent. EMR adoption is more prevalent in hospital- or health system-owned sites: Hospital-owned and health-system-owned sites have adoption rates of 44.1 percent and 50.2 percent, respectively.

This data tracks with another poll by NaviNet, which showed small-healthcare organization use has jumped up by three percentage points in the last year, from 9 percent to 12 percent.

Meanwhile, a third poll released by Javelin Research and Strategy in March illustrates the darker side of EMR's uptick: Fraud based on exposure to health data rose from 3 percent to 7 percent between 2008 and 2009.

More here.

35 Years Ago Today: The Fall of Saigon

35 years ago today.

- ferg

Encryption Can't Stop The Wiretapping Boom

Andy Greenberg writes on

As encryption technologies have outpaced the mathematical methods of breaking crypto schemes, law enforcement has feared for years that scrambled messages between evildoers (or law-breaking activists) would thwart their snooping. But it seems that either lawbreakers aren't using encryption, or those privacy tools simply don't work.

In an annual report [.pdf] published Friday by the U.S. judicial system on the number of wiretaps it granted over the past year, the courts revealed that there were 2,376 wiretaps by law enforcement agencies in 2009, up 26% from 1,891 the year before, and up 76% from 1999. (Those numbers, it should be noted, don't include international wiretaps or those aimed at intelligence purposes rather than law enforcement.)

But in the midst of that wiretapping bonanza, a more surprising figure is the number of cases in which law enforcement encountered encryption as a barrier: one.

According to the courts, only one wiretapping case in the entire country encountered encryption last year, and in that single case, whatever privacy tools were used don't seem to have posed much of a hurdle to eavesdroppers. "In 2009, encryption was encountered during one state wiretap, but did not prevent officials from obtaining the plain text of the communications," reads the report.

More here.

Jury Convicts Palin e-Mail Hacker

Gregg Keizer writes on ComputerWorld:

After four days of deliberation, a federal jury today convicted 22-year-old David C. Kernell of two charges stemming from a 2008 break-in of an e-mail account used by former Alaska Gov. Sarah Palin.

The former University of Tennessee student was convicted of felony destruction of records to hamper a federal investigation and of a misdemeanor charge that he unlawfully accessed a protected computer, reported the Knoxville News Sentinel and WBIR Radio, also of Knoxville.

Kernell broke into Palin's Yahoo Mail account during the 2008 presidential campaign by using the service's password reset mechanism. At the time, Palin was the 2008 Republican vice presidential candidate.

He faces a maximum 20-year prison term on the felony charge, and a maximum one-year stint for the misdemeanor offense. Kernell also faces a fine of up to $250,000.

Kernell was acquitted today of a federal wire fraud charge.

More here.

Wednesday, April 28, 2010

Mark Fiore: Police State Pete

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Texas Man to Plead Guilty to Building Botnet-For-Hire

Robert McMillan writes on PC World:

A Mesquite, Texas, man is set to plead guilty to training his 22,000-PC botnet on a local ISP -- just to show off its firepower to a potential customer.

David Anthony Edwards will plead guilty to charges that he and another man, Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer, according to court documents.

On August 14, 2006, Smith and Edwards allegedly used part of Nettick to attack a computer hosted by The Planet. Apparently, that was just a test, to show that the botnet was for real. "After the test, the bot purchaser agreed to buy the source code and the entire botnet for approximately $3,000," prosecutors say in the indictment against the two men.

Edwards will plead guilty Thursday in federal court in Dallas, according to his attorney, Mick Mickelsen. Smith has pleaded innocent in the case and is set to go to trial on May 17. Both men face a maximum of five years in prison and a $250,000 fine on one count of conspiring to cause damage to a protected computer and to commit fraud.

More here.

EU Mulls New Central Cyber Crime Agency


The Council of Ministers has asked the Commission to look at its agreed set of cybercrime objectives and investigate whether a new, centralised agency is a better way of achieving those than the current inter-agency co-operation.

Its objectives include raising the standard of specialisation of investigators and prosecutors as well as judges and forensic staff; encouraging information sharing between countries' police forces; and harmonising the approaches taken to fighting cybercrime in the EU's 27 countries.

"[The Council] proposes that the Commission draw up a feasibility study on the possibility of creating a centre to carry out the aforementioned actions, where they have not already been achieved," said the text adopted by the Council this week. "The centre might also evaluate and monitor the preventive and investigative measures to be carried out."

"This feasibility study should consider, in particular, the aim, scope and possible financing of the centre and whether it should be located at Europol," it said.

More here.

Tuesday, April 27, 2010

Indian National Receives 81 months, $2.5M Fine for Stock Scheme

Jaikumar Vijayan writes on ComputerWorld:

An Indian national was sentenced Monday to 81 months in prison for hacking into online brokerage accounts and using those accounts to manipulate stock prices for personal gain.

Jaisankar Marimuthu, 36, of Chennai, India, was also ordered to pay close to $2.5 million in restitution to the more than 90 people and seven brokerage firms that were victims of his illegal capers.

In February, Marimuthu pleaded guilty in federal court in Omaha to one count each of conspiracy to commit wire fraud, securities fraud, computer fraud and aggravated identity theft.

Marimuthu was arrested in Hong Kong and extradited to the U.S. last June. He had initially pleaded not guilty to the charges, but changed his mind earlier this year.

More here.

The Price For A Digital Fake Passport: One Dollar

Andy Greenberg writes on

As Web registrars and digital currency companies try to weed out their cybercriminal customers, they're increasingly demanding proof of identity, often in the form of a passport. The problem with that safeguard: a shady industry of passport fraud has sprouted to provide those cybercriminals with throwaway identities, offering both digital scans and physical passport look-a-likes. The price of those forgeries: as little as one dollar.

In a paper [.pdf] posted Monday by the Illinois non-profit cybersecurity research firm Team Cymru, the authors dug into the underground passport economy, collecting information from online forums and Web sites--largely Russian--offering the documents.

Here's why cybercriminals need fake passports: When they hijack a victim's account or create a new one in his or her name, they face the problem of how to transfer the stolen funds. In some cases, they've used Western Union to wire the money, employing "money mules" to move it physically from one account to another through several countries and hide the source of the crime. But Cymru points out that the process is expensive, and that Western Union has tightened its security, requiring Social Security numbers to wire large payments from the U.S. and carefully monitoring its branches' physical security to catch money mules.

More here.

Monday, April 26, 2010

No 'Real' Security Issues to Report Today


That is all.

- ferg