Archive
McAfee Data Protection, HIPAA, HITECH and breach notification.
Last week, one of my colleagues asked me to comment on 45 CFR Parts 160 and 164, which for those of us who can’t remember all the code names for the various USA Federal docs, is the one in which the Department of Health and Human Services publishes its interim final rule under HIPAA and HITECH re what data falls under these regulations, what a “breach” means, and the conditions in which data is deemed to have been “protected”.
Under HITECH/HIPAA, basically there is a duty in the USA to care for the privacy of “unsecured protected health information” – this means that anyone electronically processing our health information has a duty of care to make sure no unauthorised people gain access to it, and a legal duty to inform us if a breach (or possible breach) of trust occurs. Read more…
Is Encryption enough? Why just encrypting data doesn’t solve today’s information security concerns.
“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.
I realise that I’m about to get into a discussion which borders on the theological and raises passion in both security and business leaders alike. A discussion that I’ve had many times over the last two years, and will have many more times in the near future.
“Because, without authentication, there’s no point to encryption,” I reply, knowing full well that this isn’t an answer that’s wanted, or understood.
With a stifled sigh I start to explain.. Read more…
Bitmask searches in LDAP, or How to exclude disabled users..
Following on from my post on Bindings and connector settings, I thought I’d expand on how to use bit-mask searches in the connector Object filter.
Bit-masks are not complex for those who know Boolean arithmetic, and there are a million resources on the web to teach you that, but how to use them in an Active Directory search is obtuse to say the least.
To do a Boolean “AND” search, you use the tag “1.2.840.113556.1.4.803”; to do “OR”, the tag is “1.2.840.113556.1.4.804”.
Easy eh? I guess I should give you a practical example. Read more…
10 Things you don’t want to know about Bitlocker…
Nov 2015 Update – It seems Bitlocker sans pre-boot has been trivially insecure for some time according to Synopsys hacker Ian Haken, who found a simple way to change the Windows password and thus allow access to data even while Bitlocker was active.
So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.
For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.
What happened?
New S.M.A.R.T Monitor Tool for Hard Drive Health

Simon's SmartInfo Monitor
Further to my post on S.M.A.R.T, I got around to making a simple little HTA which uses my SMART class to display useful info on your drives. You can get it from CTOGoneWild. It gives you an example of how to make a useful HTA, and how to embed VBScript classes in a way where they can be used in either a normal VBScript, or a HTA itself. You can also find the SmartDump script which does much the same thing, but outputs to a file name (either set on the command line, or in the script itself).
About Bindings in McAfee Endpoint Encryption / SafeBoot
A few people came to me this week and independently asked how to link EEM (SafeBoot) users to directory counterparts, or how to switch them to other directories or user names. Bindings are a key part of the EEM Encryption environment, as they allow automated user management to take place by tracking changes to the user identity in some other system, most commonly Active Directory. Read more…
Army National Guard shows how much it cares about 131,000 identities…
A busy week in the world of data loss, with the report from the Army National Guard Leaders that a personal laptop containing the records of 131,000 former and current guard members was stolen from a contractor on 27th July 2009. The information included the usual culprits – Name, Address, Social Security Number etc.
What this information was doing on a contractor’s personal device, and not locked up and restricted, is undisclosed, but the important thing is that the Army Guard is showing its eagerness to resolve the situation and protect its members. Read more…
TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..
This week’s flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.
For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit, which, using that older-than-he-is technology of MBR replacement, manages to subvert Windows in such a way as to be able to drop a payload into memory as the computer boots.
I’m not sure, but isn’t that what MBR viruses have done since day one? I guess Peter agrees because his new “Stoned Bootkit” rootkit is named “Stoned” in homage to one of the original MBR viruses of 1987. Read more…
iPhone 3GS and BlackBerry (In)securities..
This week’s (potential) major fail goes to Apple for the iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their “iPhone Security Overview” isn’t so secure after all.
The official description of the new feature sounds pretty good:
iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.
But this excellent 2nd video demonstration by Jonathan Zdziarski shows plainly that there could be something very flawed about it. Read more…
A long while ago, probably back in 2006, I wrote an article about how to add WinTech (the diagnostic and disaster recovery toolkit for the “SafeBoot”, or McAfee Endpoint Encryption for PCs) to a BartPE CD Image. At the time WinPE was only available to system integrators, and not to the likes of you and me. The steps to create custom WinPE CDs were obtuse, thanks mainly to a lack of documentation from Microsoft as to how WinPE worked, and thus many people migrated to the simple and easy BartPE system. I wanted to provide an easy way for people to make these useful bootable recovery CDs 

