[SecurityRatty] tag: cumbersome

Enhanced Domain Protection Services Emerge

Wed, 24 Sep 2008 04:23:16 +0000

Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name Wire revealed that GoDaddy has filed for a patent for "Domain Name Hijack Protection." The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative. This application may be related to GoDaddy's Protected Registration service, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings. GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or some other such reason the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you. And thanks to DomainNameNews for reporting that Moniker, a registrar aimed at higher-volume domain name owners, has launched their DomainMaxLock service. DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:

Provide a government I.D. number for verification of your identity.
Set up custom security questions and answers, further safeguarding your domain assets.
Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.
When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!

It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99. These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.

Patient information on index cards is missing

Mon, 26 May 2008 07:20:51 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
State of Alabama

Contractor/Consultant/Branch:
Department of Mental Health and Mental Retardation
Greil Hospital

Victims:
Patients

Number Affected:
"hundreds of records"

Types of Data:
"name, social security number, and date of birth"

Breach Description:
"The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contact a limited amount of patient information is missing"

Reference URL:
Alabama Department of Mental Health and Mental Retardation Press Release
Alabama Department of Mental Health and Mental Retardation Breach Notification
WSFA Channel 12 News

Report Credit:
Alabama Department of Mental Health and Mental Retardation

Response:
From the online sources cited above:

The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contain a limited amount of patient information is missing.
[Evan] Index cards seems like an "old school" method for storing confidential information.

"Several months ago we noticed something irregular in some patient records," explained Dr. John Ziegler of the Alabama Department of Mental Health and Mental Retardation.

Although the cards do not record health information, they contain personal information such as the person's name, social security number and a date of birth.

"We're looking at records and patient information that goes back 5 or 6 years," Ziegler explained.

The department's Bureau of Special Investigations has launched an investigation regarding the matter and affected individuals are being directly notified.

"If these items were stolen, this behavior was not only in violation of our policies but Federal law as well. We have zero tolerance for violation of these policies and if criminal activity has occurred we will pursue prosecution vigorously. We apologize for any anxiety this may cause to patients of their family members.", Commissioner John Houston of the Alabama DMH/MR

To every extent possible, individual notification letters will be sent to the affected individuals.
[Evan] It will be very difficult if not impossible to notify some people.

the department has set up a call center that individuals may use to get information about this situation and learn more about consumer identity protections. The toll free number is 1-866-577-7299. The call center will be open beginning Monday, May 19, 2008, and will operate from 8 am to 8:00 pm Monday-Friday as long as it is needed.

policies and procedures are being scrutinized to determine necessary modifications to help minimize the possibility of any recurrence.

The department has been proactive in staff training and consumer training regarding potential identity theft. The Office of Consumer Rights and Advocacy Protection conducted trainings on "Identity Theft" prevention as recently as last month at the annual consumer Recovery Conference. More than 900 people with mental illnesses attended the conference and had the opportunity to receive the training.

"We take issues surrounding the rights and privacy of the people we server very seriously"

"So far there is no indication that illegal activity has occurred through the use of personal information contained on the missing group of cards"

Commentary:
What controls would need to be in place to adequately protect confidential information stored on index cards? I started to think about this question and came up with so many controls and procedures that I don't think I could make security cost-effective. Electronic security is much less cumbersome.

Does anyone really need access to Social Security numbers at the hospital besides billing?

Past Breaches:
Unknown

Learning from Ghana

Fri, 09 May 2008 06:27:18 +0000

Its always interesting to see where the developed world can learn from emerging economies. A lot of the best engineering work comes from having to deal with harsh constraints (opposite of architecture astronomics). I blogged awhile ago about using smart cards for digital cash in Africa

Looks like there is a new system in Ghana as well

E-zwhich smart launched
-ZWICH smartcard, a universal electronic system that facilitates easy access to and transfer of money has now become part of financial transactions in Ghana.

The new system which is also designed to remove the cumbersome and insecure processes of using cash, was launched in Accra yesterday by President J.A. Kufuor, with a call on corporate bodies and government agencies to use it to ensure transparency and integrity on payrolls.

E-zwich is an electronic payment system that allows one to make payments for goods and services or transfer money to others without having to carry physical cash.

Available at all banks countrywide, the system involves the loading of money onto the smart card after registering with any bank without necessarily having an accounts with that bank.

President Kufuor said the introduction of the system has the potential of transforming the payments landscape, the financial services industry and the general conduct of business in the country.

He said accessing the technology was an integral part of government’s overall vision of making Ghana the gateway to the West Africa sub-region and transforming her into a major financial hub.

The President said that globalisation has come with a major challenge of adopting best practices in all spheres of endeavour especially within the macro economy in order to survive in the market.

He said it was against that background that the government has pursued polices to develop and modernise the financial sector to enable it to play a key role in resource mobilisation for increased investment.

With the reforms and the stability of the macro-economy, President Kufuor said the nation was witnessing dramatic growth in the banking sector.

He pointed out, however, that inspite of the impressive growth of financial institutions, an estimated 80 per cent of the eligible population was still "un-banked" or "under-banked" and seemed not to have access to financial services.

Wonder when we will see US, UK, and other first world banks and brokerages catch up to Ghana and South Africa on these technologies? Is it really a good idea in 2008 to have everyone type their username and password into a web browser?

Voltage offers public-key encryption without certificates

Wed, 23 Apr 2008 20:00:00 +0000

Voltage Security has an encryption plan that it says avoids the need for cumbersome databases of public keys and certificates, by making public keys as needed, from users' identities.

Adware and Spyware Such a Pain

Wed, 01 Aug 2007 15:17:00 +0000

Adware and Spyware Such a Pain

Spywares and adwares are not only annoying but more often than not tend to damage your computer software and sometimes can even cause some damage to your hardware too. These annoying bugs have become a bane for internet browsers worldwide. They have become a normal occurrence that we sometimes tend to ignore but God forbid we should never accept.

Spyware is computer software that spies on your internet usage. It collects highly personal and confidential information like credit card numbers, IPs and even addresses. The spyware program gets the credit card entries as the user logs them on a web form or an online application. Some spyware are even programmed to record your usage of the internet, what sites you visit, what files you download and how long you stay online.

The information are then sent or sold to advertisers which make good use of them for advertising campaigns that targets specific markets or audience. Usually, Spyware records IP addresses and shopping habits covertly or without the knowledge or consent of users. They do that in a number of ways. Some uses logging keystrokes to get information while some access the documents found in your computer's hard disk.

The term spyware first came to use in 1995 but the adoption of its present meaning came five years later. Spyware has been identified as the top security threats to computers using the Microsoft Windows operating systems. And Internet Explorer users were found to be the ones more susceptible to spyware attacks. Because of the popularity of IE and Windows, spyware programs were created to specifically attack and find its way from the internet into IE and into the important parts of the Windows operating system.

The threats are real and that's why the anti-spyware industry is flourishing. For every new spyware discovered, an anti-spyware program or update is created. These anti-spyware products usually disable or remove the existing spyware from the user's computer system. Once installed, they also provide protection preventing a variety of spyware programs from installing themselves in your computer.

However, there's a need to update these anti-spyware programs regularly. The World Wide Web is a fast pace medium. Everything in there changes quickly and even sporadically. The same goes with spyware. You never know when advertisers, web developers or even the government will come out with newer versions of spyware or adware that have improved ways of accessing your files and personal information. Some spyware program offer an uninstall option together with the program.

Most of the time, however, these uninstall options don't work. Some even installs more spyware instead of removing that particular one. So, it is best that you rely on services of anti-spyware programs to fully remove them from your operating system.

But while it is good that there are various anti-spyware programs at your disposal, it is better that you prevent the installation of these spyware in the first place. Some of the techniques that you could use are to disable the automatic installations of programs in your internet browsers and to install pop-up blockers.

Spyware and adware attaches themselves more frequently on those rather annoying advertising pop-ups. When accessing your email, it is a good practice to ignore mails that came from persons that you do not know or those that contain a vague subject. It is best that you delete these emails without opening them. It is quite cumbersome, but you really need to take time doing these things to make sure that your computers are free from spyware.

To Remove the Worse You Need the Best (best free spyware adware removal)

Imagine yourself walking along a busy street, minding your own business. You stop by a men's clothing store. You look at the window display, point at a new pair of shoes. After a few minutes of gawking at the window display you move on home.

As you go inside your house, you noticed a flyer on your porch. The flyer is on the exact pair of shoes that you saw in the men's store. How did they know? Was it coincidence? If this all happened in the internet, then it's probably not a coincidence. Your computer has been watched and your "movement" in the Web has been recorded. Your operating system has some spyware in it.

Spyware are computer programs that attach themselves in whatever things you download online. They are designed to track you wherever you go online. Spyware is a little different from adware. Adware are also referred to as freeware and are basically ads that pop-up when you open a website or webpage or open a program.

Spyware are similar in that they are also freeware, however, spyware programs have embedded tracking programs which reports your activity in the internet to the spyware agent which in turn provides the information to advertisers and web developers. With this information, advertisers and web developers and even the government can feed your computers with any information they want without your consent and even without you noticing it.

It is best, therefore that you employ some precautionary measures yourselves to stay free from spyware and adware attacks. First you need to disable auto installation of software programs in your internet browsers and you need use pop-up blockers and firewall protection.

This is your first line of defense against such spyware programs. The next thing to do is to get decent anti-spyware programs. It shouldn't be too hard, there are a lot of them nowadays and most of them are free or at the very least have free trial accounts.

Among the most popular free anti-spyware and adware programs are Ad Aware and Active Shield. Ad Aware offers advanced protection against Data-mining, Parasites, aggressive advertising, Scumware and some traditional viruses and tracking systems like Trojans, Dialers, Malware and Browser hijackers. Active Shield on the other hand targets trojans and spyware.

Other popular anti-spyware software include Spy-Ad Exterminator Free which searches the computer's memory, hard drives, and registry for spyware, adware, worms, hijacks, keyloggers, among others; Spy Cleaner Lite which identifies and removes programs that has been covertly installed in your systems; Spyware Doctor is an advanced adware and spyware removal program; Free Spyware Scanner tells the user how their computer got infected and the best solution for spyware removal; Doctor Alex Antispyware; Spyware Begone; 1-2-3 Spyware Free; and Easy Spyware Scanner.

Most of the time, these anti-spyware scanners and removal utilities will locate spyware and adware in your computer and will delete, ignore, or quarantine each and every one of them. Some anti-spyware programs will remove spyware automatically while other provides a user interface option where you can customize specific actions the anti-spyware would perform.

Some other popular spyware removal software includes Anti-Hijacker, Spyware & Adware Removal, Max Secure Spyware Detector, and Deluxe Spy-Kill utilities. These are just some of the more popular spyware removal software. It's up to you which one you choose, but try to look for reputable ones. Look at reviews and ask for referrals from friends.