Security Roundup: How Did 9/11 Change IT?; Microsoft Premature Patching; HIPAA Gets Nasty

The 10th anniversary of the infamous Sept. 11, 2001, terrorist attacks on America is prompting reflection on those who died on that day of mass murder, and what changed in our society because of it.

The youngest victim was Christine Lee Hanson, 2 years old, from Groton, Mass., a passenger on United Airlines Flight 175 when it was hijacked by al-Qaeda terrorists who sent the plane smashing into the South Tower of the World Trade Center. A decade later, the rubble has been cleared, and the memorial to this little girl and the thousands of other victims is opening on that exact site in New York City.


The idea -- the reality -- that everything could be wiped out in a moment changed the way that businesses and government view security and data protection, storage as well as emergency response, reports Grant Gross in his thoughtful piece, "9/11: Attacks changed the way companies view IT."

But U.S. emergency-response communications systems are still not up to snuff, though there are attempts to improve that, writes Carolyn Duffy Marsan.

The Department of Homeland Security says it's monitoring signs of terrorist threats right now against New York and Washington, D.C., on the anniversary of the 9/11 attacks. Heightened vigilance is still the mood, including some warnings that cyberattacks could be part of the destructive mix in the future.

Whoops! Microsoft leaks patch info four days early

Computerworld reports that Microsoft jumped the gun Friday by prematurely releasing information on all five of the security updates it plans to ship next Tuesday.

The gaffe is unprecedented, said Andrew Storms, director of security operations at nCircle Security. "I don't remember this ever happening," said Storms.

Microsoft normally publishes the lengthy writeups -- called "bulletins" by the company -- only when it ships the actual patches that fix the described problems. Under normal circumstances, the bulletins would have appeared around 10 a.m. Pacific Time, 1 p.m. Eastern Time, on Tuesday, Sept. 13.

Although the bulletins went live Friday, the updates did not: A quick search of Microsoft's download center, where the updates are typically posted for manual download, did not show any available patches. Nor did the updates apparently reach users through Windows Update or the business-oriented Windows Server Update Services (WSUS).

Yesterday, Microsoft rolled out its usual advance notification for next week's Patch Tuesday, saying that it would issue five updates to patch 15 vulnerabilities in Windows, Excel, SharePoint and other products in its portfolio.

The bulletins confirmed what Microsoft said Thursday: The updates will quash 15 bugs, all rated "important," the second-highest threat ranking in the company's four-step scoring system.

Two of the vulnerabilities are in Windows; five in Excel, the spreadsheet included with Office; two in non-application Office components; and six in SharePoint and associated software, such as Groove and Office Web Apps.

Of the 15, at least two are "DLL load hijacking" vulnerabilities, a term that describes a class of bugs first revealed in August 2010. Microsoft has been patching its software to fix the problem -- which can be exploited by tricking an application into loading a malicious file with the same name as a required dynamic link library, or DLL -- since November 2010.
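An added defender-side check, not from the article or from Microsoft: because a DLL placed in an application's own directory is searched before System32, the script below lists DLLs under a given application directory whose file names shadow a System32 DLL and reports their Authenticode status; `$AppDir` is a parameter you supply.

```powershell
# Added example: flag DLLs in an application tree that share a name with a DLL
# shipped in System32. Such a file loads ahead of the system copy, which is the
# mechanism DLL load hijacking abuses. A hit is a review item, not proof of
# tampering: some applications legitimately ship private copies of runtime DLLs.
param(
    [Parameter(Mandatory = $true)][string]$AppDir   # directory of the application to audit
)

$system32 = Join-Path $env:WINDIR 'System32'

# Build a lookup of DLL names that live in System32 (case-insensitive).
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

Get-ChildItem -Path $AppDir -Filter '*.dll' -File -Recurse |
    Where-Object { $systemDlls.ContainsKey($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        # Unsigned or invalidly signed shadow copies deserve the closest look.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path            = $_.FullName
            ShadowsSystem32 = $true
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWrite       = $_.LastWriteTime
        }
    } | Format-Table -AutoSize
```

DLLs on the KnownDLLs list are always resolved from System32 regardless of this search order, so a shadow copy of one of those is harmless to load but still worth asking why it is there.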

The bulletins appeared complete, although there were errors that presumably would have been caught during a final edit: In MS11-074, for example, the bulletin's summary claimed that only five vulnerabilities were patched. Deeper into the bulletin, however, six vulnerabilities were listed.

Microsoft did not immediately reply to questions about how the bulletins appeared four days early, or what it planned to do about the mistake.

The SSL server certificates cyberattack mess

The fragility of some foundational security technologies, such as use of SSL certificates, has become more exposed in the assault on SSL certificate providers DigiNotar and GlobalSign alleged to have come from a 21-year-old Iranian student calling himself "Comodohacker."

DigiNotar is a Dutch-based SSL provider owned by Vasco Data Security. It came to light last week that DigiNotar had been hacked.

What's known is that the attacker on July 10 got hold of a certificate valid for Google's domain (Google says it doesn't even use the Dutch SSL provider DigiNotar). The fake Google certificate, since revoked, allowed the attacker to capture the login details for a person's Gmail account without a warning from a browser that the site might not really be Google. Some say the attack requires "poisoning" a Domain Name System cache to work, and in this case, it appears this attack has been centered on Iran. Others beyond Google likely also are affected.

Comodohacker now also claims to have hacked into certificate authority GlobalSign and four others. GlobalSign said it has stopped issuing certificates but anticipates bringing its systems back online next week.

Microsoft, Apple, Mozilla and Adobe -- and the Dutch government, as well as Google -- are all reacting in various ways to what's a crisis of the hacked SSL certificate authorities.

Mozilla is demanding that dozens of certificate authorities report back on their security.

Microsoft took steps to blacklist all DigiNotar certificates but is also rolling out a patch next week that will allow specifically signed DigiNotar certificates to be recognized. In a security post today, Adobe said it's removing DigiNotar certificates from its approved "trust" list and offered advice on manually extracting them. However, certificates for Apple iPhone and Google Android appear not to be revoked, according to one report last week.
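An added example, not from the article or any vendor, of how an administrator can verify that a compromised CA is actually distrusted on a Windows host: Windows honours its Untrusted Certificates ("Disallowed") store over the Root and CA stores, so the script searches the trust stores for certificates whose subject or issuer matches a name fragment (DigiNotar by default) and reports whether each one's thumbprint also appears in a Disallowed store.

```powershell
# Added example: audit local certificate stores for a named CA and report whether
# each match is still trusted or has been explicitly distrusted via the Disallowed
# store. $IssuerPattern is a wildcard fragment matched against Subject and Issuer.
param(
    [string]$IssuerPattern = '*DigiNotar*'
)

# Thumbprints in the Disallowed stores win over anything in Root/CA.
$disallowed = @{}
foreach ($path in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        ForEach-Object { $disallowed[$_.Thumbprint] = $true }
}

$trustStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
               'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

$hits = foreach ($store in $trustStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $IssuerPattern -or $_.Issuer -like $IssuerPattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                State      = if ($disallowed.ContainsKey($_.Thumbprint)) { 'distrusted (Disallowed store)' }
                             else { 'STILL TRUSTED - review' }
            }
        }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { "No certificates matching '$IssuerPattern' found in the Root/CA stores." }
```

Windows can also fetch roots on demand through Automatic Root Update, so an empty result means no cached copy, not that the CA could never be trusted; the Disallowed entries are the authoritative block.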

The Dutch government has banned use of DigiNotar certificates in its systems. Last week the Dutch government agency Vereniging Nederlandse mistakenly issued the statement that the CA Thawte (now owned by Symantec, which also holds brands VeriSign and GeoTrust) had also been breached, but retracted the statement later. Symantec Vice President of Trust Services Fran Rosch says this is part and parcel of a "panic" that's ensued from the hack on the Dutch SSL provider, noting, "It highlights the fear and knee-jerk reactive actions proliferating as a result."

One of the targets in all of this, Google, has contacted Gmail users in Iran it believes were impacted by a man-in-the-middle attack on Gmail by Comodohacker.

So, Comodohacker, if that is who is doing all this, has a successful attack mode in progress. Most of the action seems centered on Iran, with one estimate that as many as 300,000 Iranian IP addresses have been compromised. Though this attack seems to be mainly about an Iranian (and some suspect perhaps the Iranian government is involved) compromising the privacy and security of Iranians in their use of public mail systems, what's to say this couldn't be used more broadly?

Warning: HIPAA has teeth and will bite over healthcare privacy blunders

Healthcare organizations that are performing risk assessments as a way to craft patient-privacy policies might want to consider a new potential attack vector: federal regulators.

Later this year, the Department of Health and Human Services is expected to start auditing up to 150 health providers at random through December 2012 in an effort to find medical entities that fail to comply with HIPAA and HITECH regulations about how personal data must be handled securely.

While the audits don't represent attacks on the personally identifiable information (PII) the regulations are supposed to protect, they do expose non-compliant providers to the potential for heavy fines and reputation-damaging publicity.

For instance, earlier this year Massachusetts General Hospital paid $1 million to settle a patient-privacy complaint with HHS due to an employee leaving patient records in a subway car.

That's a big switch from the way healthcare privacy regulations have been handled since 2003, says Abner Weintraub, president of HIPAA Group, a compliance consultancy to healthcare organizations. Until this year, HHS had received about 50,000 complaints but levied no fines, preferring to take remedial actions instead, he says.

Levying fines now has an upside for HHS, says Kelly Hagan, a healthcare attorney with law firm Schwabe, Williamson & Wyatt in Portland, Ore.: The agency gets a cut of whatever fines are levied. That, combined with the proactive auditing, marks a sea change for what healthcare CIOs and CISOs face when dealing with HIPAA. "Suddenly HIPAA has teeth and is willing to bite," Hagan says.

Despite this, instances of healthcare data breaches continue to flourish. Just this week, it was revealed that emergency room records from Stanford Hospital in Palo Alto, Calif., were posted for most of a year on a website where students can hire help to do schoolwork.

Is a new era of cloud-based single sign-on services on the way?

With Symantec for the first time describing what it has planned for its cloud-based single sign-on service next year, and VMware talking about its SSO development activity known as Project Horizon during the recent VMworld conference, can it be that a dramatically new way of controlling access to cloud-based applications is going to arrive next year? Certainly sounds like new possibilities are coming ...

In other security news, a startup named Co3 Systems is rolling out a software-as-a-service application for data-breach management. The idea -- quite a novel one -- is that once you're breached, you record the incident and the steps taken to recover, remedy and reach closure related to it. Unfortunately DigiNotar wouldn't be able to beta test it yet because it only covers U.S. law, not European.

Cybercrime: The cost

Not sure how you tally up the cost of cybercrime when you look at how far it extends, including things like fake SSL certificates, but Symantec took a stab at it last week in releasing its 2011 Norton Cybercrime Report. The report claims the total cost of cybercrime is $388 billion per year, which includes $114 billion in direct theft and time spent resolving attacks plus another $274 billion for productive time victims lost due to cybercrimes being committed against them.

Copyright © 2011 IDG Communications, Inc.