Archive
NIST 800-111. Practical Advice for Data Protection Projects
This week I want to take an opportunity to remind readers of the excellent NIST publication 800-111.
Yes, I know, another complex government-sponsored report, but for those implementing any kind of data protection project, 800-111 is one of the best reports on the subject, covering the technology, its practical use, and risk analysis. It’s really (for NIST publications anyway) a very good read.
The other reason to pay attention to 800-111 is quite simply that it’s the document regulations mean when they talk about “Good Practice”, “Industry Standard processes”, “Accepted Best Practice” etc. It contains the advice you’ll be measured against if you ever end up in court defending your security policy against something like Massachusetts 201 CMR 17.00.
HITECH Name-And-Shame goes up a gear…
Not content with naming and shaming companies that break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now listing companies that lose control of more than 500 people’s records on its own website.
The duty to do this comes from section 13402(e)(4) of the HITECH Act:
(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
For those not in the know, HITECH is a U.S. Act which places a duty of care on those handling people’s health information. “Covered Entities” like health plan providers and care providers (hospitals, doctors etc.) need to put safeguards in place to ensure that our individual health information is not seen by, or accessible to, unauthorized people. You can find out about HITECH on their excellent consumer website.
LiveLog – interactive near-real-time Log Monitor
EPE Log Reader for McAfee Endpoint Encryption v6
Packing code within code – an HTA exercise in string manipulation
I was working on an HTA tool this week, and to make things easier I wanted to encapsulate another HTA within it. Really I just didn’t want to have to send two files to the user; I wanted everything in one. Rather than take the obvious approach of putting them both into a self-extracting zip, I decided to work out how to include the code of File B in File A.
Note – you can find the test files for this article on my companion site, CTOGoneWild
Pretty easy stuff, I thought: just split B up into a string, and include a simple routine to write it out to the temp directory.
Dim s : s = "Some text to output to a file" & _
    " which is more than one line and go" & _
    "es on a bit."
Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
fso.CreateTextFile("test.txt").Write s
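As an added example (not code from the original post or from the CTOGoneWild test files), here is a complete File A in VBScript that carries a small File B HTA as a string, shows the quote-doubling the embedding needs, includes a helper that generates that literal form from raw text, and writes the result to the user’s temp directory rather than the current folder. The file name embedded_test.hta, the contents of File B and the function names are constructed for this example.

```vbscript
' Added example, not code from the original post: File A (this script)
' carries the full text of File B (a small HTA) as a VBScript string and
' writes it to the user's temp directory. Runs as a .vbs under
' cscript/wscript or inside an HTA's <script language="VBScript"> block.
Option Explicit

' File B's source (constructed for this example). Each embedded line is
' its own literal, joined with vbCrLf to restore line breaks; every double
' quote inside the embedded code is doubled ("") so it survives inside the
' outer string. The closing script tag is split ("</scr" & "ipt>") because,
' when File A is itself an HTA, the HTML parser would otherwise treat that
' literal as the end of File A's own script block.
Dim embedded
embedded = "<html><head><title>Embedded HTA</title>" & vbCrLf & _
           "<HTA:APPLICATION ID=""innerHta"" APPLICATIONNAME=""innerHta"">" & vbCrLf & _
           "<script language=""VBScript"">" & vbCrLf & _
           "Sub Window_OnLoad()" & vbCrLf & _
           "    MsgBox ""Hello from the embedded HTA"", vbInformation, ""File B""" & vbCrLf & _
           "End Sub" & vbCrLf & _
           "</scr" & "ipt></head><body></body></html>"

' The packing step: turn raw file text into the literal form above, so
' File B can be regenerated from disk instead of being hand-edited.
' (It does not split closing script tags; do that by hand if File A is an HTA.)
Function ToVbLiteral(text)
    Dim lines, i, out
    lines = Split(text, vbCrLf)
    out = ""
    For i = 0 To UBound(lines)
        out = out & """" & Replace(lines(i), """", """""") & """"
        If i < UBound(lines) Then out = out & " & vbCrLf & _" & vbCrLf
    Next
    ToVbLiteral = out
End Function

' The unpacking step: write the embedded text into %TEMP% and return the path.
Function WriteEmbeddedFile(fileName, contents)
    Dim fso, tempFolder, fullPath, stream
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' 2 = TemporaryFolder, resolved per user, so no hard-coded path.
    Set tempFolder = fso.GetSpecialFolder(2)
    fullPath = fso.BuildPath(tempFolder.Path, fileName)
    ' Second argument True overwrites a stale copy left by an earlier run.
    Set stream = fso.CreateTextFile(fullPath, True)
    stream.Write contents
    stream.Close
    WriteEmbeddedFile = fullPath
End Function

Dim outPath, literalLines
outPath = WriteEmbeddedFile("embedded_test.hta", embedded)
literalLines = Split(ToVbLiteral(embedded), vbCrLf)
MsgBox "Wrote " & Len(embedded) & " characters to " & outPath & vbCrLf & vbCrLf & _
       "First line of File B as a VBScript literal:" & vbCrLf & literalLines(0), _
       vbInformation, "File A"
```

Two points worth keeping in mind when reviewing a tool built this way: the written file always lands in the per-user temp folder (FileSystemObject’s TemporaryFolder), so that is where anyone auditing the tool should expect a second HTA to appear, and the quote-doubling has to be applied to every line of File B or the outer string silently terminates early at the first unescaped quote.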
TPM “Undressed..”
Recently it was announced with much fanfare that the now-ubiquitous “TPM” chip found in most modern computers had been hacked. This obviously unnerved a lot of people, especially those hanging the safety of their secrets on free solutions like Microsoft BitLocker, which uses the TPM to provide convenience to its users.
The attack, invented about 60 years ago but elegantly implemented by Christopher Tarnovsky of Flylogic, involved attacking the hardware of the chip itself by uncasing it and probing its signal pathways – something that seems difficult until you read their blog and realize they do it every day.
Chris used a combination of off-the-shelf acids and rust-remover solutions to dissolve first the outer casing of the chip, then the wire grid tamper-proofing shields inside.
Once “undressed”, he was able to probe and monitor what was going on inside anonymously.
Speaking at the “Security: The New Business Imperative” Event
For those in the area, I will be speaking next week (on the 23rd Feb) at the Security: The New Business Imperative event at the Westin Diplomat Golf Resort & Spa, Hallandale Beach FL.
The topic will be a review of current regulations, and practical steps you can take not to fall foul of them.
You can reserve a seat by contacting Tricia_Brown@mcafee.com, or (678) 653 9606.
Shell Oil’s 170,000 Personnel list leaked to Activists..
Last week (13th Feb) Shell Oil announced that the personal details of all 170,000 employees and contractors had been leaked by email to a number of non-governmental organizations, including Greenpeace’s American office, Earthrights, Justice in Nigeria Now, Shell Guilty and Friends of the Earth (Netherlands), as well as the anti-Shell website Royaldutchshellplc.com. The story was well covered in the UK national press.
The list included a limited number of personal addresses.
HTA Login Box and Question/Answer for EEPC5
NOTE: These are now used in the AutoDomain 5.5x script.
I was playing around with AutoDomain recently, and it occurred to me how awful, unreliable, and generally perverse it is to use Internet Explorer to collect information from the user.
Over the last few years, I’ve found that using IE as a way of presenting information to users from a VBScript tool is just fraught with problems. I’ve had machines tell me that IE does not exist (even though it was running at the time); IE has crashed, baulked, appeared minimized, behind other windows, etc. Generally it’s proven to be really, really unreliable.
Shortest Scam ever, and worth $1,600,000!
This is a great one – short and to the point. I hope you can all understand that I’m going to cash in and spend the rest of my days on a desert island. How does this stuff get through my spam filter!
Date: Mon, 1 Feb 2010 15:36:00 +0100
From: British Telecom <15189085@users.siol.net>
Your email ID has been awarded 1,000,000,00 GBP. in our British telecom Promo. Do send your:
Name:
Occupation:
Country: