<![CDATA[[SecurityRatty] tag: shortcut]]>

<![CDATA[[SecurityRatty] tag: shortcut]]> http://securityratty.com/tag/shortcut Fri, 14 Mar 2008 07:39:01 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Used your CCleaner lately?]]> http://securityratty.com/article/757d7505f67debca656ad5270d6b0308 http://securityratty.com/article/757d7505f67debca656ad5270d6b0308 Great way to insure a lil extra security besides the AntiVirus and AntiSpyware thats running on your puter.

clipped from www.howtogeek.com

Setup CCleaner to Automatically Run Each Night in Vista or XP

clipped from www.howtogeek.com

After writing the article yesterday about how to run CCleaner silently through a shortcut or a hotkey, many people expressed to me that they’d like to know how to run it every single night on a schedule, so I’m writing that up for everybody’s benefit.

]]> Sat, 26 Jul 2008 11:59:42 +0000 lil extra security night single night everybodys benefit article yesterday ccleaner silently setup ccleaner howtogeek antispyware Used your CCleaner lately? <![CDATA[Windows Admin Goodies From Microsoft]]> http://securityratty.com/article/8b99cbff598abd26fee789464d831e4b http://securityratty.com/article/8b99cbff598abd26fee789464d831e4b Sysinternals Live web page. You'll see a directory listing of the current files in the Sysinternals set. For instance, the current version of Process Explorer is http://live.sysinternals.com/procexp.exe. In IE you can choose to run directly from the browser, but you can also create shortcuts on the desktop or in the Start Menu system to these files, and every time you run that shortcut you'll be running the current version. You do need to go through some confirmations, agreeing to the license, etc. The second trick is the Elevation PowerToys for Windows Vista. These expand the Windows RunAs functionality to some popular 3rd party admin tools, like KiXtart and ActivePerl. Some examples combine it with the Elevate power tool to allow you to do RunAs for programs, like the MMC, which are often resistant to RunAs. There is also a PowerToy for running a CMD shell or PowerShell as the SYSTEM account.

]]> Mon, 02 Jun 2008 14:03:05 +0000 sysinternals set windows runas functionality runas sysinternals microsoft current version files current files sysinternals tools Windows Admin Goodies From Microsoft <![CDATA[Windows Admin Goodies from Microsoft]]> http://securityratty.com/article/fb03a5be7a319bcb264ae433443bee91 http://securityratty.com/article/fb03a5be7a319bcb264ae433443bee91 Sysinternals Live Web page. You'll see a directory listing of the current files in the Sysinternals set. For instance, the current version of Process Explorer is http://live.sysinternals.com/procexp.exe. In IE you can choose to run directly from the browser, but you can also create shortcuts on the desktop or in the Start Menu system to these files, and every time you run that shortcut you'll be running the current version. You do need to go through some confirmations, agreeing to the license, etc. The second trick is the Elevation PowerToys for Windows Vista. These expand the Windows RunAs functionality to some popular third-party admin tools, like KiXtart and ActivePerl. Some examples combine it with the Elevate power tool to allow you to do RunAs for programs, like the MMC, which are often resistant to RunAs. There is also a PowerToy for running a CMD shell or PowerShell as the SYSTEM account.
]]> Mon, 02 Jun 2008 14:03:05 +0000 sysinternals set windows runas functionality runas sysinternals microsoft current version files current files sysinternals tools Windows Admin Goodies from Microsoft <![CDATA[Stolen University Health Care laptop requires notification of 4800]]> http://securityratty.com/article/e9555f16d1d087d7b85993176f2956f2 http://securityratty.com/article/e9555f16d1d087d7b85993176f2956f2 Security Breach

Date Reported:
3/13/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University Health Care

Victims:
patients

Number Affected:
4,800

Types of Data:
"names, social security numbers and personal health information"

Breach Description:
"Possibly 4,800 patient’s information could be compromised, when a laptop with names, social security numbers and personal health information was stolen from University Healthcare"

Reference URL:
KUTV Channel 2 News

Report Credit:
KUTV Channel 2

Response:
From the online source cited above:

Possibly 4,800 patient’s information could be compromised, when a laptop with names, social security numbers and personal health information was stolen from University Healthcare over two weeks ago.

The hospital says that someone broke into a locked office and took a lap top and a flash drive.

The hospital does not believe that whoever stole the laptop was searching for the patient’s information.
[Evan] What leads the hospital to believe this? There's no money in selling or using compromised confidential information, right? WRONG!

The hospital also says that the laptop is password protected and it is confident that the person who stole the laptop will not be able to access the information.
[Evan] Seriously, remarks like this demonstrate complete information security incompetence.

The information on the laptop is varies for patients. Not all patients have social security numbers listed with the hospital.

University Healthcare began mailing out letters to people affected by the theft this week

The University Healthcare is trying to figure out which patients had information on that computer and what the information was. The hospital says that this process caused the notification delay.
[Evan] Not knowing what confidential information is where is a very common problem in today's organizations.

University Healthcare is providing the 4800 patients with a year of free credit monitoring and is making changes in their policy.
[Evan] I feel like doing some math. The cost for full disk laptop encryption, maybe $100 - 150. The cost for investigation of the breach (say 20 hours @ $100/hr.), reconstruction (say 20 hours @ $100/hr.), notification ($300 to draft letter and maybe $2,400 to address and mail), and credit monitoring ($15/mo. x 12 months x 4800 customers) might cost $870,000. Maybe the hospital didn't believe they would ever lose a laptop or have one stolen that contained sensitive information. Risk management anyone?!

Employees will no longer be allowed to download sensitive information onto laptops, even if they're password protected.
[Evan] This is not the root of the problem. We have an information security governance and management problem. No easy fix.

University Healthcare apologizes for the problem and the notification delay.

Commentary:
It's Friday! I have some time on my hands, and I am getting tired of poor security of personal information. I go through phases.

One thing that is worth mentioning, we (meaning information security personnel) must go through the arduous task of data inventory and classification if we are to be effective. We should know what confidential information we create, collect, store, transfer, and/or destroy. We need to know where confidential information is throughout the lifecycle. We need to know what the threats are. We need to know what the vulnerabilities are. We need to know what the risks are. We need to know the costs of compromise (hard and soft dollars) when possible. We need to know the costs of protection. Maybe most importantly, we need to measure all of our efforts against the organizational goals and objectives. The list goes on and on and on.

If you are charged with securing your company's information assets, you need to understand that this is a serious business and not for the faint of heart. We don't just password protect and install firewalls for a living. We solve complex technical and political problems every day. If you need additional training (we all do) then get it. Don't look for shortcuts, because there aren't any. The dichotomy is that most effective solutions are simple and not complex. Simple sometimes gets confused with shortcut, but a shortcut is lazy. The money is good, but the challenges are GREAT.

OK, I've rambled enough. I'm stepping down from the podium now. Thanks for reading!

Past Breaches:
Unknown

]]> Fri, 14 Mar 2008 07:39:01 +0000 information information assets personal information confidential information information security governance patients information university sensitive information information security personnel Stolen University Health Care laptop requires notification of 4800