The requirements for supporting meaningful use of stage 1 data exchange consist of both core set and menu set transactions as outlined below:

1. Provide patients an electronic copy of their ambulatory, ED or inpatient summary of care record.

2. Transmit prescriptions.

3. Exchange clinical information among care providers and patient authorized entities.

4. Report clinical quality measures.

Menu Set

5. Incorporate clinical lab tests results into EHRs as structured data.

6. Provide summary of care record for patients referred or transition to another provider or setting.

7. Capability to submit data to immunization registries, provide surveillance and lab data to public health agencies.

Hopefully these national guidelines will reduce duplication of work that has been occurring at the state and regional level and accelerate the meaningful use of HIT and most significantly ensure that patient privacy is protected.

Hackers, red teams and experienced penetration testers have used OSINT (open source intelligence style information gathering) for years. But now that social media use has reached critical mass, it is relatively simple to garner information about your company’s employees, your organization and even your IT infrastructure. Using social profiles, information parsed from tweets, business directories, job postings, etc., cybercriminals can put together a complete dossier on employees of a target company without any ‘real’ hacking.

Employees most often use social media both at home and at the workplace without differentiating between the two. On social media networks, users create profiles, manage privacy settings, and grant permission to who can and can’t view their profiles. This creates a false sense of trust, where an individual feels comfortable disclosing detailed personal information about their life whether it be regarding relationships, issues at work, contact info, travels plans, likes and dislikes.

In addition, because they believe they are within a “walled garden,” they are more apt to click on unknown links (because they are recommended by a “friend.”) Link shorteners can heighten the risk as a full executable string can hide behind what appears to be an innocuous link. Clicking on an unverified link is a risk that could lead to a full system compromise if a malicious website is behind it and there is potential for the introduction of viruses and malware to the organization’s network.

The complete list of threats and vulnerabilities from social media in the workplace is long. Other examples include: phishing attacks, disclosure of private company info, brand/reputational damage, harassment and privacy violations.

Social media is not going away. More likely, the number of users and time spent on social networks will continue to rise exponentially, and your security risk will rise with it. Here’s what you can do about it.

Redspin’s 5 Tips to Improve Security Against Social Media Threats

1. Determine if social media use is necessary for your business. The security risk that social media presents for a company is significant. Whether or not to allow its use in the workplace is really a question of risk vs. benefit. If banning it outright seems too Draconina, consider limiting use to only the people that need it to perform their job function.
2. Provide training and security awareness to employees. This should include policies and procedures such as personal use in/out of the workplace, business use, nondisclosure of business content, and disallowed activities (installing apps, playing games, etc).
3. Use content monitoring technologies
4. Encourage URL lengthening tools like TinyURL to decode and verify shortened links.
5. Keep your hardware, software, anti-virus, and critical security patches up to date.

I think the most significant implication of this deal is that it another example of the fact that security is viewed by enterprise customers as part of a broader IT stack. Over time security technology will find its way into the broader computing and communications ecosystem. Certainly, Intel has current IT system management initiatives such as vPro that will benefit from security technology integration but that’s hardly enough reason to spend nearly $8M on a $2M revenue stream.

Intel’s mindset is and for many years now has been about protecting and growing the market opportunity for the x86 franchise. While the server business is doing well, the major growth business over the next several years is in mobile devices (or more specifically phones). The problem for Intel is that the dominant processor architecture in that market is not x86, but ARM. ARM has recently aligned with Microsoft thus creating a schism in the partnership that worked so well in building the PC ecosystem. So now, with the McAfee acquisition, Intel has a brand that is strongly associated with security and mechanism to use security as means to disrupt the next great target market.

Will it work? That’s hard to say. The phone market is different in that the dominant players such as Apple and RIM control the OS. One could argue that this is the right place for security capability to live and that the horizontal view of the market that makes Intel comfortable just isn’t reality.

Was McAfee a good choice? I would argue that there really wasn’t much of a choice once Intel convinced itself that security could become a differentiating element for the x86 architecture. Intel is a big McAfee customer for desktop protection, but I can assure you this move had little to do with technical merits. In this case brand was as important as technical merit.

What does it mean for enterprise customers? Probably not that much in the near term other than that as the deal goes through the approval process over the next few quarters McAfee will have to continue to make its numbers, so it’s a great time to negotiate favorable licensing terms with them.

Demo 1: Attacking a program vulnerable (Makefile) to a format string attack, we dump the stack of the program until we find our passed format string using the following code:
for i in {001..200}; do echo -n "offset $i (%$i\$08x) = "; ./printf "%$i\$08x" | python -c "import sys, struct; s=int(sys.stdin.read(),16); print '0x%08x: %s' % (s,repr(struct.pack('L',s)))"; done

Demo 2: Finding the address of our format string. This combined with the stack offset found in the previous step lets us associate any data on the stack with its address using the following code:
or i in {1..100}; do ./printf "offset $i = %$i\$p:%$i\$s"; echo; done | grep -v ^$

Demo 3: Video of our technique demonstrated in our previous POC tool automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and overwriting a known return location.

Demo 4: Automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and brute forcing address on the stack for a valid return location. This includes both a Python and Ruby implementation.

Demo 5: Metasploit demonstration of a remote server vulnerable to a format string attack exploited automatically by locating the stack offset and address of our exploit and brute forcing address on the stack for a valid return location. The Metasploit module and vulnerable server are available for download.

All of the above plus additional documentation can be downloaded in a single archive here: DEFCON-18-Haas-Adv-Format-String-Attacks.tar.bz2

Often security teams look to industry analysts for their views on trends and developments with respect to security, compliance, privacy and cyber crime in hope of educating executive staff and gaining funds. Such an approach can be useful. In fact, the Ponemon Institute released last week a study of the cost of cyber crime over the last nine months in 45 U.S. companies. The median annualized cost of cyber crime in these organizations was $3.8M and companies reported more than one successful attack per week. While such facts can help make the case for investment in security, I would recommend a more thoughtful, structured approach that has immediate impact but builds for the long term.

In terms of building a new application security program or improving an existing one, I am partial to focusing on two key areas: creating leverage with the organization and replicating what has been successful in other enterprises. Ultimately both these activities help gain executive support and form the foundation for a well structured and effective program.
Let’s look at the first area which seeks to maximize leverage with other organizations within the enterprise. In previous posts I have referenced the diagram below to illustrate the point of how information security interacts with other groups within an organization.



An effective application security program requires alignment with the lines of business as well as sponsorship and coordination between development, QA and operations. Ultimately, all the organizations need to be brought on board with the process and support of the application security program whose goals should include:

• Risk management driven decisions

• Clear direction on how to achieve application security

• Cost reduction through standard, repeatable process

• Increased code quality

The second area of focus is to evaluate what has been successful in other enterprises. An excellent resource for this is the Building Security in Maturity Model or BSIMM. This initiative is a descriptive look at application security programs across thirty companies in sectors such as financial services, healthcare, technology and independent software vendors. Participating companies include organizations such as Bank of America, Capital One, EMC, Intel, Google, Microsoft, Nokia, Thomson Reuters and VMWare.

BSIMM lays out a software security framework consisting of twelve practices organized into four domains. The domains consist of the following:

• Governance – the practices that enable management, organization and measurement of an application security program.

• Intelligence – the collection of knowledge used in carrying out the program.

• Secure software development lifecycle touchpoints – activities supporting the analysis and assurance of applications.

• Deployment – practices that interface with operations, security and support organizations.

The domains, practices and associated business goals are shown in the table below.

The BSIMM initiative further lays out a maturity model for each of these areas identifying three levels of maturity with various practices that reflect program development. Perhaps most interesting is to look at the practices that the companies participating in the program have in common. These may not be a direct fit for every program, but you can conclude that they are found in many highly successful application security programs.  The objectives and activities associated with the common practices are outlined below.

Hopefully these ideas will help to refine and develop your application security programs. I would encourage a close look at the BSIMM document.

My focus for this discussion has to do with privacy and security. Much of the discussion last week involved transport layer security. Clearly the problem is broader than that. In working on past projects with this sort of scope, I have found that a common understand can be found through the adoption and use of a threat model. There several strong approaches that can be considered for use. I have found the following to work well.

The general idea is to apply a threat model to a set of applications communicating over NHIN. The process recommends a step by step approach of identifying security objectives; reviewing the application in terms of components, data flows and trust boundaries; decomposing the application in terms of components to identify areas where security needs to be evaluated; creating a structured list of threats; and enumerating likely vulnerabilities associated with the class of application in development. Microsoft advocates a threat classification scheme known as STRIDE. This scheme aims to characterize the threats with respect to the exploit that may be employed. This acronym stands for:

• Spoofing Identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

These areas provide a helpful mechanism for enumerating threats to the application. Closely associated with this process is a scoring scheme to help evaluate risk to the application. Another acronym applies to this problem as well: DREAD.
DREAD attempts to quantify, compare and prioritize the amount of risk presented by a given threat. It stands for:

• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability

Typically each of these areas is assessed on a scale of 1 to 10 with 10 referring to the most severe risk. As always risk needs to be evaluated in terms of both probability and impact.

Perhaps the application of these ideas will be helpful as NHIN takes shape.

It’s unfortunate that the healthcare space is subject to these flaws, as most of these applications house thousands of EPHI records. These systems commonly have SSN’s, Credit Card Numbers, addresses, DOB’s, essentially everything a nefarious bad guy would need to steal many identities. In addition many people consider their medical information to be their most private data.

Another example is an advisory we just published on Cross-Site Scripting Vulnerabilities and database access in OpenEMR an open source healthcare records application.

It’s not just the small players either, Anthem Blue Cross recently disclosed that over 200,000 records were potentially breached on their website. Many security problems we see are obvious and with basic effort, an organization can be much more secure. According to the report attorneys looking for information for a class action lawsuit against Anthem were able to gain access to the EPHI. This implies that the breach and the flaw were not complicated and didn’t require world class hacking skills. Given that the California Department of Public Health is starting to dole out fines (Healthcare Breach Fines), it will be interesting to see if they hit Anthem with the maximum fine.

The bottom line: if you have EPHI accessible via your Internet facing web applications, perform your due diligence. At Redspin we always recommend starting with the best practices that the Open Web Application Security Project (OWASP) has outlined in their Top 10 Web Application Vulnerabilities list.