This week I want to take an opportunity to remind readers of the excellent NIST publication 800-111.
Yes, I know, another complex government-sponsored report, but for anyone implementing any kind of data protection project, 800-111 is one of the best documents on the subject: it covers the technology, its practical use, and the risk analysis behind choosing it. It’s really (for a NIST publication, anyway) a very good read.
The other reason to pay attention to 800-111 is quite simply that it’s the document regulations point to when they talk about “Good Practice”, “Industry Standard processes”, “Accepted Best Practice” and so on. It contains the advice you’ll be measured against if you ever end up in court defending your security policy against something like Massachusetts 201 CMR 17.00. Read more…
Not content with naming-and-shaming companies who break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now listing on its own site any company that loses control of more than 500 people’s records.
The duty to do this comes via section 13402(e)(4) of the HITECH Act:
4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
For those not in the know, HITECH is a U.S. act which imposes a duty of care on people’s health information. “Covered Entities” such as health plan providers and care providers (hospitals, doctors, etc.) need to put safeguards in place to ensure that our individual health information is not seen by, or accessible to, unauthorized people. You can find out more about HITECH on HHS’s excellent consumer web site. Read more…
I was working on an HTA tool this week, and to make things easier I wanted to encapsulate another HTA within it. Really I just didn’t want to have to send two files to the user; I wanted everything in one. Rather than take the obvious approach of putting both files into a self-extracting zip, I decided to work out how to include the code of File B inside File A.
Note – you can find the test files for this article on my companion site, CTOGoneWild
Pretty easy stuff, I thought: just split B up into a string, and include a simple routine to write it out to the temp directory.

    ' The embedded file's contents, built up from string literals joined across
    ' lines. Any double quotes inside the embedded text must be doubled ("").
    Dim s : s = "Some text to output to a file" & _
                " which is more than one line and go" & _
                "es on a bit."

    ' Write the string out as a new text file and close the stream so the file
    ' is flushed and no longer held open by the script.
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Dim ts : Set ts = fso.CreateTextFile("test.txt", True)
    ts.Write s
    ts.Close
Recently it was announced with much fanfare that the now-ubiquitous “TPM” chip found in most modern computers had been hacked. This obviously unnerved a lot of people, especially those hanging the safety of their secrets on free solutions like Microsoft BitLocker, which use the TPM to provide convenience to their users.
The attack, invented about 60 years ago but elegantly implemented by Christopher Tarnovsky of Flylogic, involved attacking the hardware of the chip itself by uncasing it and probing its signal pathways. That sounds difficult until you read their blog and realize they do it every day.
Chris used a combination of off-the-shelf acids and rust-remover solutions to dissolve first the outer casing of the chip, then the wire grid tamper-proofing shields inside.
Once “undressed” he was able to probe and monitor what was going on inside anonymously. Read more…
For those in the area, I will be speaking next week (on 23 Feb) at the Security: The New Business Imperative event at the Westin Diplomat Golf Resort & Spa, Hallandale Beach, FL.
The topic will be a review of current regulations, and practical steps you can take not to fall foul of them.
You can reserve a seat by contacting Tricia_Brown@mcafee.com, or (678) 653 9606.