STE WILLIAMS

‘NHS bosses must master Twitter, Facebook to halt staff antics’

The author of recent guidance on using social media for nurses and midwives says NHS managers should be able to actively respond to issues around how their staff use social media.

Andy Jaeger, assistant director of public and professional communications at the Nursing and Midwifery Council (NMC) and author of recent guidance on social media, says that NHS managers must be better equipped to handle issues around social media.

The regulator has seen an increase in the number of enquiries from nurses and midwives about social media and referrals that directly relate to social networking, but despite this there are still managers who are “social media refuseniks”.

“One of the things that we say in our advice is that if a manager has responsibility for investigating a complaint about the use of a social networking site, they should join the social networking site so that they understand the mechanics of how it works. People need to familiarise themselves with this kind of thing,” he says.

“I think actually what it needs is a robust response at a local level. In our advice much of what we’ve done is interpret the standards that already exist around conduct, performance and ethics. We’re just helping people to understand what it is that is going on and then act appropriately.”

But he says: “that really is better done not with a set of national guidelines from the Department of Health, but with local managers taking responsibility and understanding the issue and dealing with it for themselves.”

Last month a snapshot survey of some of England’s biggest trusts by the Guardian’s healthcare network showed that 72 separate actions were carried out by 16 trusts against staff who inappropriately used social media between 2008-09 and October 2011, suggesting social networking sites are presenting some challenges to the health service.

Jaeger says one of the things that prompted the guidance over the summer was questions from employers about confidentiality and about when it was or was not appropriate to be friends with a patient on Facebook. This led to guidance being created, based largely on the NMC’s code of conduct for nurses and midwives.

“We heard from students, nurses and midwives about the inconsistencies in the way that their managers were dealing with problems that they were raising about colleagues or other students’ use of social networking sites,” Jaeger says. “So some of what we’ve included in our advice is around the managers who are having to deal with these issues. It’s actually for them to have some understanding of social networking sites and how they work, but also to take the issues that are raised with them as seriously as if they had happened in a real world scenario.”

The British Medical Association (BMA) also issued guidance around the same time as the NMC as it said it felt that with more people using social media, advice and guidelines were lacking.

The NMC’s guidance has proved a success among healthcare professionals, and the guidance has received 50,000 page views since it was published in July.

From his own experience, Jaeger explains that while there are some managers who use Facebook and Twitter, there are some that are “social media refuseniks”. This becomes an issue when these managers fail to understand the ethics around social media, which makes it hard for them to tackle problems that arise as they might not see why something may be inappropriate.

Jaeger says: “When I’ve given talks on this I’ve used the example of somebody taking photographs of their colleagues, changing them and putting rude captions on them and sharing them online.

“If you view that as seriously as if somebody had done that and pinned it on a staff noticeboard, it gives you as a manager a better steer about how important it is that you deal with those kinds of things robustly and not just think because it happened on a social networking site like Facebook that it’s not important, because it is.”

Jaeger says he believes that staff misuse of social media is largely unintentional, but there are cases that the NMC deals with which are “absolutely deliberate” – which is perhaps not surprising given that the regulator deals with referrals relating to nurses and midwives that may not be fit to practice. Such instances include pursuit of relationships with patients and bullying and harassment of colleagues.

Looking to the future, Jaeger says that the NMC is currently helping the British Psychological Society to produce its own set of social media guidelines for psychologists. He says the NMC is also interested in encouraging healthcare professionals to use social networking sites to positively engage with patients and share good health stories. He adds that it would be disappointing if some health professionals stayed away from sites like Facebook just because they were scared of misusing it.

“We’re starting to think about, organisationally, the kind of support we can give to nurses and midwives who are positively using social media as a way of talking about health,” he says. “There are potentially so many positive benefits. It’s an area we’re looking at, and we’ll be publishing something in the new year on the subject.”

This article was originally published at Guardian Professional.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/14/nhs_facebook_twitter/

SCADA vuln imperils critical infrastructure, feds warn

An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the US agency that safeguards the nation’s critical infrastructure has warned.

Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the Industrial Control System Cyber Emergency Response Team said in an advisory (PDF) issued on Tuesday. Palatine, Illinois–based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations.

The PLCs, or programmable logic controllers, reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery that’s being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and something called the Windriver Debug port.

According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weaknesses to log into the devices and gain privileged access to their controls.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7-series PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat, since it could be used to sabotage their operation.

The FBI has said it’s investigating claims a Houston, Texas–based water utility was breached last month by someone claiming to have accessed the internet-connected computers that control its generators, blowers, and other sensitive gear.

“Hard-coded backdoor credentials that give you administrator rights to a system are pretty severe,” said K. Reid Wightman, a security assessor with Digital Bond, a consultancy that focuses solely on ICS security. He said it can be hard for attackers to exercise too much control over an ICS by taking over the PLC alone, because there’s often no indication what kind of equipment is connected to it.

“You don’t have the human machine interface so you don’t really know what the PLC is plugged into,” he explained. “I really don’t know if the [device] is a release valve, an input valve, or a lightbulb.”

Research Wightman plans to release next month at the SCADA Security Scientific Symposium in Miami could increase the damage that attackers can do after gaining access to many widely used PLCs. Among other things, he said his findings would show how to tamper with the devices so that they attack other systems they are attached to.

Indeed, in Monday’s blog post, Santamarta said the hard-coded credentials could be exploited to install malicious firmware on the controllers. He also alluded to “non-documented functionalities with security implications” in the Schneider devices. He said he discovered the hidden accounts by reverse engineering the firmware that controls the PLCs.

A rudimentary search on the server search engine known as Shodan revealed what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. Tuesday’s ICS-CERT advisory said the fixes from Schneider remove the telnet and Windriver services. The advisory made no mention of changes to FTP services. ®

Follow dangoodin001.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/14/scada_bugs_threaten_criticial_infrastructure/

Winamp mends trio of old-school security holes

Heap overflow? Winamp? Party like it’s 1999

An update to Winamp closes a terrible trio of critical security holes in the popular media player application.

The rather old-school vulnerabilities involve a brace of integer overflow cockups in the in_avi.dll plug-in and a heap-based buffer overflow vulnerability in the in_mod.dll plug-in library. All three flaws create a means to inject hostile code into systems running vulnerable versions of the software, which is developed by Nullsoft, a division of AOL Music. Exploits would involve tricking victims into attempting to play malformed media files.
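
The integer-overflow-to-heap-overflow pattern named above, shown as an added C illustration that is not Winamp’s or Nullsoft’s code and does not reproduce the actual in_avi.dll or in_mod.dll defects. It uses a constructed chunk header (a frame count and a per-frame size are assumed fields) whose 32-bit product wraps to a tiny allocation, beside a hardened parser that checks the multiplication against a cap and against the bytes actually present in the file before allocating or copying anything:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified container chunk: a 32-bit frame count and a 32-bit
   per-frame size, followed by the frame data. The field names are assumptions
   for this illustration; this is not AVI, MOD or Winamp's own layout. */
typedef struct {
    uint32_t frame_count;
    uint32_t frame_size;
} chunk_header_t;

/* Hypothetical sanity limit on the total payload a chunk may declare. */
#define PAYLOAD_CAP (64u * 1024u * 1024u)

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defective pattern: the product is computed in 32 bits and wraps, so a
   malformed header yields a tiny buffer. A decoder that then copies
   frame_count frames of frame_size bytes into it writes far past the end of
   the heap block. The overflow itself is NOT performed here; only the wrapped
   size is returned so the wrap can be observed. */
uint32_t vulnerable_alloc_size(const chunk_header_t *h) {
    return h->frame_count * h->frame_size; /* wraps modulo 2^32 */
}

/* Hardened form: reject zero fields, check the multiplication against the cap
   before performing it, and return the size as size_t. Returns 1 if accepted. */
int checked_alloc_size(const chunk_header_t *h, size_t *out) {
    if (h->frame_count == 0 || h->frame_size == 0) return 0;
    if (h->frame_count > PAYLOAD_CAP / h->frame_size) return 0; /* would exceed cap or wrap */
    *out = (size_t)h->frame_count * (size_t)h->frame_size;
    return 1;
}

/* Parse one chunk from `buf`: 8-byte header then payload. The declared size is
   also checked against the bytes actually present, so a header cannot make the
   copy read or write beyond the data the file holds. Caller frees the result. */
uint8_t *parse_chunk_safe(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < 8) return NULL;
    chunk_header_t h = { read_le32(buf), read_le32(buf + 4) };
    size_t total;
    if (!checked_alloc_size(&h, &total)) return NULL;
    if (total > len - 8) return NULL; /* header claims more data than is present */
    uint8_t *out = malloc(total);
    if (out == NULL) return NULL;
    memcpy(out, buf + 8, total);
    *payload_len = total;
    return out;
}

/* Constructed sample inputs (not captured from real media files). */
static const uint8_t GOOD_CHUNK[] = {
    0x02, 0x00, 0x00, 0x00,                  /* frame_count = 2 */
    0x04, 0x00, 0x00, 0x00,                  /* frame_size  = 4 */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'   /* 8 bytes of payload */
};
static const uint8_t MALFORMED_CHUNK[] = {
    0x01, 0x00, 0x00, 0x10,                  /* frame_count = 0x10000001 */
    0x10, 0x00, 0x00, 0x00,                  /* frame_size  = 16 */
    'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x',
    'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x'   /* only 16 bytes actually present */
};

/* 0x10000001 * 16 = 0x100000010, which truncates to 16 in 32-bit arithmetic. */
uint32_t demo_wrapped_size(void) {
    chunk_header_t h = { read_le32(MALFORMED_CHUNK), read_le32(MALFORMED_CHUNK + 4) };
    return vulnerable_alloc_size(&h);
}

/* 1 if the checked parser accepts the well-formed chunk and rejects the malformed one. */
int demo_safe_parser(void) {
    size_t n = 0;
    uint8_t *p = parse_chunk_safe(GOOD_CHUNK, sizeof GOOD_CHUNK, &n);
    int ok = (p != NULL && n == 8 && memcmp(p, "abcdefgh", 8) == 0);
    free(p);
    uint8_t *q = parse_chunk_safe(MALFORMED_CHUNK, sizeof MALFORMED_CHUNK, &n);
    ok = ok && (q == NULL);
    free(q);
    return ok;
}

int main(void) {
    printf("wrapped 32-bit allocation size for the malformed header: %u bytes\n",
           (unsigned)demo_wrapped_size());
    printf("checked parser accepts good chunk and rejects malformed chunk: %s\n",
           demo_safe_parser() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -std=c99 chunk.c` and run it. The point of the two checks in `parse_chunk_safe` is that neither alone is sufficient: the cap check stops the multiplication from wrapping, and the comparison against `len - 8` stops a header that passes the cap from driving a copy beyond the bytes the file really contains, which is exactly the situation a malformed media file engineers.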

Users are advised to upgrade to version 5.623 of Winamp media player for Windows, as explained in an advisory by security notification firm Secunia here. More details can be found in a post on Winamp’s forums here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/13/winamp_update/

Android malware victims offered free WinPhones by MS

Microsoft is offering free Windows phones to Android malware victims, providing they are prepared to tell world+dog about their problems.

The marketing stunt – already given the hashtag #droidrage on Twitter – follows a run of publicity about Android malware.

Ben Rudolph (@BenthePCGuy), the Microsoft Windows Phone “evangelist” behind the social network ploy, is offering the five people with the worst stories free Windows smartphones as an alternative. It’s unclear if the Android virus victims will be either asked or required to take part in advertising campaigns.

The marketing initiative has already attracted comment from security watchers. Graham Cluley, senior consultant at anti-virus firm Sophos, described the move as a “somewhat below-the-belt” attempt to highlight the possible security deficiencies of Android rather than the benefits of Windows Phones.

The hubristic promotion also rather overlooks the fact that the vast majority of malware samples (tens of millions against thousands on Android) only affect Windows desktops. Perhaps Microsoft is getting back at all those Apple ads from a few years back.

“I guess it must be kind of thrilling for Microsoft – which has endorsed the #droidrage campaign – to find the malware boot on the other foot for once,” Cluley writes. “After all, they have long suffered having the Windows desktop operating system negatively compared to the likes of Unix and Mac OS X when it comes to the levels of malware infection.”

As the Windows Phone-using population grows, Redmond may well find itself dealing with a mobile malware problem of its own. Some Windows malware samples, largely proof-of-concept creations admittedly, have already targeted the platform. The Android malware outbreaks we’ve seen of late largely involved Trojanised versions of popular games designed to send premium-rate SMS texts or harvest personal information. In addition, the launch of the #droidrage campaign on Monday coincides with the discovery of a Windows Phone bug that reportedly disables messaging.

One security consultant joked that Android malware victims ought to be the last people who receive Windows Phone smartphones, even free ones. “Haven’t they suffered enough?” writes Security BSides co-founder, Jack Daniel. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/13/microsoft_android_malware/

ISIS signs Gemalto, aims to scoff Google Wallet’s lunch

The ISIS Consortium has awarded the contract for running its NFC platform to Dutch specialist Gemalto, claiming that two thirds of proximity transactions will end up being routed through the company’s service.

ISIS can make that claim as it counts AT&T, T-Mobile USA and Verizon as its members, and will be managing the deployment of secure applications using Near Field Communications, including proximity payment systems from the likes of Visa and MasterCard. That puts ISIS in competition with Google Wallet, and while ISIS may come late to the table it still plans on eating the biggest portion.

Near Field Communications is a short-range radio technology being built into high-end smartphones, amongst other things, and once it’s linked to a secure element then it can be used to make payments with a tap of the phone. The location of that secure element is still open to debate – Google Wallet embeds it in the telephone, while ISIS would (unsurprisingly) prefer to see it embedded in the (operator-owned) SIM.

Gemalto makes SIMs capable of supporting an NFC secure element, but that’s not part of this deal. This announcement is that the company will be providing management software, capable of securely communicating with applications (including payment applications) running within a secure element of any kind, and relaying that communications to a payment provider or similar.

So MasterCard might, for example, create an ISIS-compatible version of its PayPass (proximity payment) application. MasterCard won’t distribute that application itself; the banks will offer it to their customers (just as credit cards are offered today). That application will be distributed to ISIS-compatible wallets, at which point all communications will (for as long as this contract lasts) fall to Gemalto’s Allynis Trusted Service Manager software.

No one is saying how much the deal is worth to Gemalto, or how long ISIS has committed to using the company’s software, but Gemalto did tell us it’s investing considerable resources into the USA to support the expected avalanche of users and that the contract is long enough for it to recoup that investment. ISIS expects the first users to come on line next year, but mass deployment will follow as the technology gets more support from handsets, and the general public.

But it is a big win for Gemalto: ISIS will probably be the world’s biggest Trusted Service Manager for some time to come, so Gemalto is now in a very strong position to mop up a decent proportion of other NFC platforms as they launch around the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/13/gemalto_isis_nfc/

Espionage hack attack preys on chemical firms

More than two months after the discovery of an organized malware campaign targeting dozens of companies in the defense and chemical industries, the espionage hack attack shows no signs of letting up.

According to a blog post published on Monday, the same group that targeted at least 38 companies between July and September is continuing its assault with emails that attempt to trick recipients at sensitive companies into installing backdoor trojans on their employer-issued computers. In the latest iteration, the emails contain a malicious attachment of the very document Symantec issued in late October warning of the so-called Nitro attacks.

“Despite the publishing of the whitepaper, this group persists in continuing their activities unchecked,” Symantec researchers Tony Millington and Gavin O’Gorman wrote. “They are using the exact same techniques – even using the same hosting provider for their command and control (C&C) servers.”

The domains used in the attacks have been disabled, and Symantec officials have contacted the hosting providers used in the attacks. The company’s email scanning service continues to block the malicious messages.

Monday’s report comes two months after Symantec warned that dozens of companies in the defense and chemical industries had been hit by attacks that installed a variant of the publicly available Poison Ivy backdoor trojan on network-connected PCs. Once installed, the program uploaded proprietary data to servers under the control of attackers. Symantec said at the time that it disrupted the campaign in the middle of September. The latest report didn’t say how the attackers were able to revive the attack.

The Symantec report came around the same time that an IT manager for Shell told the World Petroleum Conference that the industry is experiencing an uptick in online attacks. “We see an increasing number of attacks on our IT systems and information and there are various motivations behind it – criminal and commercial.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/12/chemical_defense_firms_attacked/

Kaspersky DLP spin-off buys German security firm

Russian data loss prevention firm InfoWatch has bought German software firm cynapspro.

InfoWatch, a spin-off of Kaspersky Lab, said the deal will help to sell its technology to more customers in western Europe, particularly small and medium-sized businesses.

cynapspro offers a range of enterprise security products including software that provides control of endpoint devices as well as data protection technology for mobile devices and removable media. The products are tied together with management console technology.

Cynapspro’s partner network includes about 50 distributors and resellers. Its main market is in the German-speaking regions of Europe (Germany, Austria and Switzerland).

Financial terms of the deal, announced Monday, were undisclosed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/12/infowatch_buys_cynapspro/

Malicious apps infiltrate Google’s Android Market

Google security crews have tossed at least a dozen smartphone games out of the Android Market after discovering they contained secret code that caused owners to accrue expensive charges for text messages sent to premium numbers.

The malicious apps, uploaded to the Google-hosted service by a developer named Logastrod, masqueraded as wildly popular games such as Angry Birds, Assassin’s Creed Revelations, and NEED FOR SPEED. The developer allegedly cloned the titles, including the accompanying graphics and descriptions, and added malicious code that caused handsets to surreptitiously send and receive premium messages.

By the time Google removed the titles – more than 24 hours after they were first made available – more than 10,000 people had downloaded them, according to a blog post published on Monday by Sophos.

“We have already stated several times that the requirements for becoming an Android developer that can publish apps to the Android market are far too relaxed,” Sophos blogger Vanja Svajcer wrote. “The cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps. The attacks on the Android Market will continue as long as the developer requirements stay too relaxed.”

In all fairness to Google, users who installed the counterfeit games saw permission screens that warned the apps were able to “edit SMS or MMS, read SMS or MMS, receive SMS” messages. The apps also came with terms of service that disclosed users would be subscribed to premium services that cost as much as €4.50.

The revelation that Google hosted the malicious titles for more than a day and allowed them to be downloaded more than 10,000 times is ample evidence that these protections aren’t enough to secure the Android Market. Google has steadfastly declined to scan apps available in its online store for malicious code that logs users’ keystrokes or racks up expensive charges.

Google has long counseled users to carefully examine the permissions screen of each app before it’s installed. And at least one of its employees has lashed out at companies providing antivirus products for Android handsets, calling them “charlatans” who play on users’ fears.

With so many Android apps requiring access to geographic-location data, messaging functions, and other sensitive resources, Google has yet to educate users how to tell legitimate requests from illegitimate requests. What’s more, Google’s caveat emptor approach means it’s up to users to make sure they don’t get swindled while shopping in the company’s official apps bazaar. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/12/android_market_malware/

FOI request turns up Carrier IQ surprise

The Carrier IQ scandal is a gift that just keeps giving: a US FOI report suggests that the FBI is using data captured by the creepy smartphone snooping app.

The discovery was made by FOI blog MuckRock, which asked for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ”.

The FBI said “no”, but not because they didn’t have the information. Rather, the feds didn’t want to release the data because it could impact a current investigation:

“I have determined that the records responsive to your request are law enforcement records,” the response states, “that there is a pending or prospective enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceeding” (The Register’s emphasis).

MuckRock’s conclusion is that it’s likely that the FBI is using data gathered by Carrier IQ in an investigation – unless, of course, it’s Carrier IQ that’s under investigation.

Given the claim and counter-claim surrounding Carrier IQ – from its original hostility to the blogger who first turned up its software on Android phones to the later, more conciliatory tone adopted by the company – this latest angle must surely be regarded as giving an unwelcome impetus to the story. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/12/carrier_iq_and_the_fbi/