
I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?

How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow NIST regardless?

Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.

In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.

As NIST indicates, SP 800-66 was prepared for use by government agencies and may be used by nongovernment agencies on a voluntary basis. The document carries a disclaimer stating that it is intended for federal organizations and is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is still the law. The NIST publication is a helpful guide, but it is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or of actions undertaken to comply with HIPAA.


This was last published in November 2016



SearchSecurity: Security Wire Daily News

Versus16: Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.

Risk

Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Both offered some consolation, though: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promised that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out of the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently possess government or tech industry roles. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much greater odds and carried out in much louder voices. Just as with the election itself, there is increasingly less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®



The Register - Security

Symantec's annual "Internet Security Threat Report" highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?

Patching is a prevention measure that protects systems from unauthorized users, malware or errors that adversely affect normal processes. Products such as Microsoft Office, antivirus, network devices, Linux and Windows servers, midrange computing, and large mainframes all need security patching, program temporary fixes or updates. Updates are different from patches, but it's helpful to discuss them here, since some updates not only provide enhancements to products but may also eliminate errors and possible vulnerabilities. Security patching can be automated, but many organizations choose to patch selectively because of limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.

Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to maintain current patches within 30 days of patch notices. However, a significant number of companies do not consider patching a priority until a vulnerability has been exploited and results in an outage or breach, or until it's required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify critical patches and provide enterprises with better patch management.

Security patching can and should be done by system administrators, but security teams may be in charge of monitoring critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the installation's change control procedures.

In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:

  • Outline a vulnerabilities and patching policy that the enterprise uses to handle the identification of vulnerabilities, roles and responsibilities related to patching activities, sources for identifying vulnerabilities and the sources for identifying required patches;
  • Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
  • Update the patch management software that automatically keeps desktops, laptops and remote users up to date with the latest security patches and software updates;
  • Subscribe to an alerting service -- typically from vendors for software requiring patches -- that will supply information on new vulnerabilities and associated patches; and
  • If it is subject to PCI DSS compliance, make sure the enterprise meets PCI DSS requirement 6.2, which requires that applicable vendor-supplied security patches be installed on all system components and software within one month of release.

Security patching can be tedious and seemingly unrewarding work, but when they're kept current, patches effectively -- and without fanfare -- prevent major vulnerabilities from being exploited. However, if security patching is neglected, eventually it will result in expensive interruptions that will require remediation resources after a breach or outage.


This was last published in November 2016



SearchSecurity: Security Wire Daily News

The Yahoo sign in front of the company's campus in Sunnyvale, Calif.

Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale -- it's the largest data breach ever -- and the potential security implications for users.

That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users' online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.


An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation -- this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take input, such as a password, pass it through the hashing algorithm and compare the result to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm that's weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell whether your account was among those whose passwords were hashed with bcrypt, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.
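As an added example (not from the InfoWorld article or from Yahoo), the Python below puts the two storage schemes this section contrasts side by side and adds the audit-and-upgrade path a provider with a mixed hash population needs. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt as the salted, slow scheme; the record format and the sample users are constructed.

```python
"""Legacy unsalted MD5 beside a salted, slow hash, plus the audit and
opportunistic-upgrade path for a password table that mixes the two.

PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with the standard
library; in production use bcrypt, scrypt or Argon2. The record format and
the sample users below are constructed for this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor of the slow scheme: every guess costs this many HMAC rounds.
PBKDF2_ITERATIONS = 100_000


def md5_legacy_hash(password: str) -> str:
    """Legacy scheme: unsalted MD5 as 32 hex chars. One fast operation per
    guess, and equal passwords produce equal hashes, so a leaked table shows
    at a glance which users share a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as '$pbkdf2-sha256$<iters>$<salt>$<digest>'
    (hex fields). A fresh random salt makes equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def classify(stored: str) -> str:
    """Identify the scheme behind a stored value; this is the audit step that
    tells a provider which accounts still sit on the weak algorithm."""
    if stored.startswith("$pbkdf2-sha256$"):
        return "strong"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "legacy-md5"
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """Check a login attempt against either scheme with a constant-time compare."""
    kind = classify(stored)
    if kind == "legacy-md5":
        return hmac.compare_digest(md5_legacy_hash(password), stored)
    if kind == "strong":
        _, _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration: a legacy hash that verifies is replaced by a strong
    one, since the plaintext is in hand only at that moment. Accounts that never
    log in keep the weak hash, which is why a forced reset is the other half."""
    ok = verify(password, stored)
    if ok and classify(stored) == "legacy-md5":
        return True, strong_hash(password)
    return ok, stored


def audit(records: Dict[str, str]) -> Dict[str, int]:
    """Count how many stored hashes fall under each scheme."""
    counts = {"strong": 0, "legacy-md5": 0, "unknown": 0}
    for stored in records.values():
        counts[classify(stored)] += 1
    return counts


# Constructed sample table: one account still on the legacy scheme.
SAMPLE_USERS: Dict[str, str] = {
    "alice": md5_legacy_hash("correct horse"),
    "bob": strong_hash("battery staple"),
}

if __name__ == "__main__":
    print("before:", audit(SAMPLE_USERS))
    ok, upgraded = verify_and_upgrade("correct horse", SAMPLE_USERS["alice"])
    if ok:
        SAMPLE_USERS["alice"] = upgraded
    print("after: ", audit(SAMPLE_USERS))
```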

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions if you can avoid it. Make something up that you can remember and use that as the answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It's an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.


InfoWorld Security


Seagate NAS hack should scare us all

No fewer than 70 percent of internet-connected Seagate NAS hard drives have been compromised by a single malware program. That’s a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

I’m surprised this story hasn’t garnered more attention. Perhaps it’s because we’re talking only 7,000 hard drives possibly in total, or perhaps it’s because the mainstream media doesn’t understand what NAS means. Either way, it has colossal implications. Apparently, storage admins:

  • Aren’t very diligent about scanning for malware
  • Fail to change default NAS passwords
  • Allow direct connections to their huge network storage arrays without another authentication requirement
  • Put their companies at risk of attack by malicious intruders


More to the point, this attack means that over the last 13 years we’ve learned nothing. We are no more prepared for a bad malware outbreak than before. We’re lucky that Miner-C program is only a bitcoin miner. It’s bad. It’s unethical. It’s illegal. But it’s not intentionally killing data and bringing down businesses.

Unfortunately, the minimal effort expended by Miner-C attackers to break into Seagate NAS software is identical to that needed by those wielding a highly malicious program. In fact, hackers reading about this particular attack could use the exact same tricks to bring those companies down. Ransomware, anyone?

If I were a ransomware maker and read that many of the world’s hard drives were unprotected, including those at large companies, the first thing I’d do is recode my ransomware to take advantage of it.

Of course, anyone who falls victim to ransomware should be able to restore the data from the latest known good backup and call it a day without paying the ransom -- except that, uh-oh, even corporations often lack good backups. If they can’t prevent malware from infecting hard drives, are we supposed to believe they actually have good backups?

It doesn’t stop with Seagate NAS

When you see a major instance of any type of vendor-specific exploitation, one of the first questions to ask is how many other similar products could be affected. News of this Seagate hack didn't alarm me because 70 percent of 7,000 Seagate hard drives were involved -- it was the realization that many other hard drive arrays have the same issues. They're connected to the internet, allow remote connections, come with default passwords, and so on.

Even “little data” needs to be concerned. A lot of small businesses are eating up “consumer level” NAS devices that have the same feature sets. The customer plugs them in and forgets they connect to the internet and have default passwords that need to be changed. They have no idea that they are running little computers exposed to the internet. They will have no idea when those hard drive arrays become compromised -- until the attacker decides to do something more malicious than generate bitcoins with them.

Besides, we’re really talking about much more than storage arrays. We’re talking every internet-connected device running an embedded computer. It’s the internet of things, wireless routers, security cameras, and more. Most of these items run unpatched versions of insecure software -- software that would be very insecure even if fully patched -- accessible to the internet. I would venture to guess that a lot of us are unintentionally hosting massive bot net nodes because we really don’t know what’s running on those devices.

How to protect yourself

The list of how to protect your company from these sorts of threats simply reflects all the best practices you should have already been following, including:

  • Install latest security patches, including latest firmware
  • Change default passwords
  • Don’t allow regular, unauthenticated connections from the internet
  • Make sure you have regular, confirmed offline backups of all your critical data
  • Plan ahead for how your company would respond if its data was deleted or held for ransom

Seagate NAS devices are canaries in the coalmine. What the Seagate story tells me is that the professionals who are supposed to be minding the store aren’t minding the store. If they aren’t doing what they should be doing, then the rest of the world -- whose primary job isn’t to provide safe and reliable data storage -- is faring far worse. I bet a 70 percent infection rate wouldn’t be the highest infection rate if we were to do a massive internet-connected inventory.

Whenever I look at today’s internet-connected world, I realize that the security problems and risks are far worse and far more pervasive than anything I could have predicted 10 years ago. We’ve not only failed to make our internet lives safer, we haven’t fixed any of the problems and behaviors we’ve known about for decades.


Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability the company had known of since last year, and that it may only have pulled the patching trigger after a spate of banking trojan attacks.

The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits.

The earliest attacks using the since-defeated exploit date back to January 2014, and it was still in use as recently as July, when it was stopped by Kafeine and others.

The most recent of the malvertising campaigns, AdGholas, sent up to a million users every day to the local banking trojans.

The bug was first reported last year and only received a CVE from Microsoft in July when Proofpoint and Trend Micro collaborated on research into the AdGholas and GooNky groups.

Attackers deployed the dangerous Neutrino exploit kit before dropping Terdot.A when they detected UK victims, Gozi ISFB for Canadians, DELoader for Australians, and Gootkit for users browsing from Spain.

The commended Proofpoint malware prober says the low-level bugs fixed this week allowed the now dead Angler exploit kit gang, along with current actors AdGholas and GooNky, to reduce the likelihood their "massive, long running" malvertising campaigns would be detected.

Kafeine says it is an example of why patching small bugs is important.

"The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organisations and users must rethink patching prioritisations, and researchers need to look for new avenues to detect malicious activity," Kafeine says.

The flaw allowed attackers to obtain browser fingerprinting information which could help reveal if virtualised systems were used by potential targets.

Malvertising scams are known for profiling victim machines before deploying payloads in a bid to avoid white hats and extend the amount of time attack campaigns can operate undetected.

Kafeine says researchers found attacks using the flaw back in 2014 after "additional archeological work".

"Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time," Kafeine says.

"In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation."

The bank trojans were being dropped until Kafeine and fellow researchers reported the attacks to advertising networks whose infrastructure was being abused. ®



The Register - Security

Instead of looking for answers all over the Internet, old-school sysadmins like to rely on command-line tools. With err.exe, figuring out error codes has never been easier.

One of the most useful command-line tools I have ever seen, and one I use almost every day, came out so long ago that, if it were an operating system, it would be in extended support today. It runs on anything from Windows 2000 all the way up to Windows 10 and can be used to troubleshoot much more than just Exchange, so it’s a real shame it isn’t included by default in every OS build Microsoft releases.

Fortunately, you can easily grab it from Microsoft whenever you need it, so it’s never too far away, and it weighs in at a surprisingly slim 1.6MB when extracted, or 809KB to download. And yes, I am talking about the Microsoft Exchange Server Error Code Look-up tool, or err.exe for short, one of the best tools you can have when working with any Microsoft product.

What is err.exe?

The err tool is a small command-line utility that looks up error codes against around 170 sources, including operating system and application header files. Despite its 2008 release date, it was actually last compiled in early 2003, which you would think would make it ancient, archaic and relatively useless.

Fortunately, that is NOT the case: the error codes used by Microsoft's developers have a long lineage that extends through to today, so even on Windows 10 most of the numeric errors you encounter in logs or at the cmd prompt can still be looked up with this tool.

How do I get it?

You can download the err tool from https://www.microsoft.com/en-us/download/details.aspx?id=985. It’s only 809KB to download, and is, for all intents and purposes, self-contained. The self-extracting executable does include the EULA and a very basic Word document (and it’s so old it still uses a DOC instead of a DOCX format), but all you really need is the .exe file.

Where should I put it?

Copy err.exe to anywhere in your %PATH% (such as %systemroot%\system32), to your home directory, or to any other location you can call it from at the cmd prompt; as with any executable you drop into your path, check the download's digital signature first. I also keep a copy in a “cmdlinetools” directory in my Dropbox, which I install on every workstation I use, and then add that directory to my %PATH% so err.exe and a bunch of other great tools are right at my fingertips. Just remember it’s a cmdline tool, so don’t go double-clicking it and expect to get anywhere.

How do I use it?

Open a command prompt (administrative rights are not required) and simply type err followed by the error code you are curious about. The code can be in just about any format you might encounter, including:

  • decorated hex (0x54f)
  • implicit hex (54f)
  • ambiguous (1359)
  • exact string (=ERROR_INTERNAL_ERROR)
  • substring (:INTERNAL_ERROR)

Err checks each of the header tables from the 172 sources it is compiled with and returns all matches. If you want to narrow the results, you can specify a particular table with “/<tablename>”, but frankly I have never done that: I can usually read through the responses faster than I can search online for which table name I would need. Here’s an example for one of my favorite errors:

(Screenshot: the output of err 5.)

Err shows me right away that this means “Access is denied” and, as it turns out, I’ve tried several times to get that as my vanity license plate, only to get an error 5 back from the DMV. Oh well!
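To make the lookup rules above concrete, here is a small Python model of them, added as an illustration; it is not code from this post or from err.exe itself. The two tables are constructed excerpts of winerror.h and ntstatus.h (the symbol names and values are the real ones, but only a handful are included), and the function names are my own. Beyond what the post shows, it also unwraps a Win32 code carried inside a 0x8007xxxx HRESULT, the form those same errors take in COM and .NET log lines.

```python
import re

# Constructed excerpt of winerror.h. The real err.exe compiles in roughly 170
# header tables; a handful of entries is enough to show how the lookup behaves.
WINERROR = {
    0: "ERROR_SUCCESS",
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    6: "ERROR_INVALID_HANDLE",
    234: "ERROR_MORE_DATA",
    1326: "ERROR_LOGON_FAILURE",
    1359: "ERROR_INTERNAL_ERROR",
}

# Constructed excerpt of ntstatus.h, so that a substring search can hit two tables.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

TABLES = {"winerror.h": WINERROR, "ntstatus.h": NTSTATUS}

FACILITY_WIN32 = 7


def hresult_from_win32(code):
    """Python port of the HRESULT_FROM_WIN32 macro: 5 -> 0x80070005."""
    if code <= 0:
        return code
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def numeric_candidates(token):
    """Every numeric reading err.exe would try for a token.

    '0x54f' -> {1359}            decorated hex, unambiguous
    '54f'   -> {1359}            implicit hex (a letter forces hex)
    '1359'  -> {1359, 0x1359}    ambiguous: both decimal and hex are tried
    """
    t = token.strip()
    if t.lower().startswith("0x"):
        return {int(t, 16)}
    if re.fullmatch(r"[0-9A-Fa-f]+", t):
        vals = {int(t, 16)}
        if t.isdigit():
            vals.add(int(t, 10))
        return vals
    raise ValueError(f"not an error code: {token!r}")


def lookup(token, only_table=None):
    """Return (table, value, symbol) triples for a token in err.exe's syntax.

    '=NAME' is an exact symbol match, ':FRAG' a substring match, anything
    else is treated as a number. only_table mimics the '/<tablename>' switch.
    """
    tables = TABLES if only_table is None else {only_table: TABLES[only_table]}
    hits = []
    if token.startswith("=") or token.startswith(":"):
        frag, exact = token[1:], token.startswith("=")
        for tname, table in tables.items():
            for value, name in table.items():
                if (name == frag) if exact else (frag in name):
                    hits.append((tname, value, name))
        return hits
    for value in sorted(numeric_candidates(token)):
        for tname, table in tables.items():
            if value in table:
                hits.append((tname, value, table[value]))
        # 0x8007xxxx is a Win32 error wrapped in an HRESULT: unwrap the low
        # 16 bits and retry, which is how a COM/.NET log line resolves to a
        # winerror.h symbol.
        if value & 0xFFFF0000 == 0x80070000 and (value & 0xFFFF) in WINERROR:
            hits.append(("HRESULT_FROM_WIN32", value, WINERROR[value & 0xFFFF]))
    return hits


if __name__ == "__main__":
    queries = ("5", "0x54f", "54f", "1359", "0x80070005",
               "=ERROR_INTERNAL_ERROR", ":LOGON_FAILURE")
    for q in queries:
        for tname, value, name in lookup(q):
            print(f"{q:<24} {name:<24} 0x{value:08X}  ({tname})")
```

The ambiguous case is the one to watch: 1359 is tried both as decimal (ERROR_INTERNAL_ERROR) and as hex (0x1359), and only the decimal reading matches in this small table. With the full set of tables err.exe often returns several candidates for a short number, so prefer the 0x form when you copy a code out of a log.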

You’ll find the err tool to be much faster to use than your favorite search engine, and often, just getting the meaning of an error code is enough for you to know what you need to do next. So, don’t waste another moment, download err from https://www.microsoft.com/en-us/download/details.aspx?id=985, drop it into your path, and the next time you get an ugly hex string error, look it up the easy way.



GFI Blog

Today, almost all hacking is done by professional criminals. In many countries, illegal hacking accounts for more crime, dollar-wise, than noncomputer crime. The United Kingdom recently joined that club.

Why is this important? First, if you find malware on your system, there's a good chance it's trying to steal your money. Second, no one is getting arrested anytime soon. If you lose anything to cybertheft, don’t expect to get it back -- most cybercriminals operate in foreign countries outside U.S. legal jurisdiction.


A friend’s Facebook account got hacked last weekend, probably because he gave up his password in response to a fake Facebook email. The hacker used my friend’s account to say hello to his Facebook friends and trick them into installing malware or sending money. My friend sent threatening emails to the hackers, telling them they messed with the wrong person and he would spend his last red cent making sure they got arrested. I have no doubt he gave them a good laugh.

In my nearly 30 years of fighting cybercrime, I’ve never heard of a victim getting money back from a hacker. Today’s world doesn’t work that way.

The good news is that arming yourself with basic information can drastically reduce the risk you’ll become a victim. Consider these four points:

1. Two starting points lead to the vast majority of attacks

Unpatched software is the main point of entry for hackers and malware, in part because very few computers have the latest updates for every commonly attacked program. The victim surfs to a web page or opens an email, and their computer is instantly, silently compromised. The second-most-common attack method: the user is tricked into installing a Trojan. Together, these two methods account for almost all successful hacks.

Sure, there are hundreds of other methods: SQL injection attacks, password guessing, and so on. But nearly everything besides unpatched software and downloaded Trojans is statistical noise. In fact, if you fix the main two issues, you almost don’t need to do anything else.

2. Trojans make up the biggest proportion of malware

Most malware can be broken down into viruses, worms, Trojans, or hybrids that combine features of two or more of those. Viruses spread by infecting other host files, which when run or accessed, fire off the malware program. Worms, once executed, are self-replicating; they don’t need someone to do anything once they are started.

Trojans don’t spread themselves. They rely upon each victim to execute the malicious program. The originating hacker must spread each and every copy to each victim separately, usually via email.

Why is this important? Well, unless the Trojan is ransomware, Trojans are easier to remove than the other malware types. Years ago most malware programs were viruses, and getting rid of them meant removing the virus from each infected host file and trying to restore the legitimate program to its original state. It was a hard-to-impossible task, and it significantly complicated removal and cleaning.

These days, because most malware programs are Trojans -- as long as they aren’t ransomware that has already locked up your computer -- you can identify the malicious programs and remove them (although Trojans may contain self-protection techniques to hamper removal). Every malware removal pro or program would rather deal with a Trojan than with the other types of malware.

3. Most people give away their logon credentials

A significant percentage of users give their legitimate logon credentials to hackers every year. Typically this happens because the user is sent a phishing email that claims to be from the legitimate website asking for credentials -- or the user will lose the service.

Never give your logon credentials in response to an email request. When in doubt, go directly to the legitimate website and see what it tells you to do. Trust the website, not the email.

4. Antivirus programs are a necessary evil

Longtime readers know I don’t put a lot of faith in antimalware programs. Hackers create millions of new malicious programs each month, and signature-based antimalware can’t keep up.

That doesn’t mean people should disable or uninstall their antivirus program. They may not be 100 percent accurate, but they catch some malware, and for that alone, most computers should have one installed.

As I’ve reported several times in the recent past, I’m a big fan of periodically running 57 antivirus programs all at once (and it's free!). A single antivirus program can’t be accurate, but 57 of them together do pretty darn well.


InfoWorld Security Adviser

Oct 16 2015   4:45PM GMT

Ken Harthun

Tags: LastPass, Security

Gosh, I’ve been busier than a centipede on a tightwire, and now this. The big news last week is that LastPass was purchased by LogMeIn. LastPass is the #1 rated password manager, and one I have used for years. The purchase caused quite a stir among its users, given LogMeIn’s unfavorable reputation after it removed free account support from its products in 2014 and began cross-selling products to increase revenue.

Thanks to an        


Security Corner