STE WILLIAMS

Anatomy Of An Electronic Health Record Zero-Day

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation’s most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn’t turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: “It was very quickly obvious that it had no real security at all,” says Mackey, a student in Georgia Tech’s information security program. “I was quite surprised.”

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It’s one of the most widely adopted EHR platforms in the country, used by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

The security flaw Mackey found allowed him to bypass most of the software’s security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system’s worst security nightmare: the potential for tampering with patient privacy and medical treatment.

“VistA at its heart is a database — you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server, and the remote user needs to be authorized: That’s in the security policy of the system,” says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.

This policy ensures, for example, that nurses access only the specific information and tools they are authorized to use, not the full breadth of treatment and other tools available to doctors. “But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records” and other tasks, he says.

VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital’s or clinic’s network, he says.

Mackey knew the significance of his bug find was big — the VA manages the largest health-care system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and health-care facilities in several states, including California, Florida, New York, and Texas, plus Washington, D.C. Mackey first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General — still no reply.

“It took months. I finished the semester and tried contacting various groups and waited quite a while [for a response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested,” Mackey says.

So Mackey dug around and found a group of developers in a Google group called the “Hard Hats” — former VA developers and consultants who have worked with VistA and now support the open-source community development of the code. The group confirmed Mackey’s finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the “very serious” security flaw.

A patch for the VistA flaw was released on Oct. 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open-source efforts for VistA. Among the team that developed the patch was Medsphere, the EHR software vendor whose product Mackey had tested in his lab, iCare, Oroville Hospital in California, and members of OSEHRA’s staff.

“When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private-sector engineers worked together under our auspices to come up with a solution,” says Dr. Seong Ki Mun, CEO of OSEHRA. “This is the first time a patch was developed and tested involving all of the key community members … This is different because over the years, people in government were not sure how to engage with the private sector.”

Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. “Some parts of VistA are operational in most DoD medical centers” as well, he says.

There were no public reports of attacks exploiting the flaw, but Mun says he can’t confirm whether the vulnerability was ever used in any attacks on health-care organizations running VistA. “We don’t have any such information,” he says. “But it is unlikely it ever got exploited.”

The VA, like many federal agencies, already was in the bull’s eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo., told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.

Mackey says the flaw he found had been in place in VistA since 2002. “VistA is a massive system. This was just an initial look at one way that system could remotely communicate,” he says of his research. “I kind of stopped my research after I found it.”

Article source: http://www.darkreading.com/vulnerability/anatomy-of-an-electronic-health-record-z/240164441

Barracuda Releases Barracuda Message Archiver Version 3.5

CAMPBELL, Calif., Dec. 4, 2013 /PRNewswire/ — Barracuda Networks, Inc. (NYSE: CUDA), a leading provider of cloud-connected security and storage solutions, today announced general availability of the Barracuda Message Archiver version 3.5. The platform integrates seamlessly with most existing corporate email systems and is now integrated with Exchange 2013, Office 365, Google Apps and Copy. Barracuda Message Archiver version 3.5 provides a simple yet powerful platform to offload email storage, streamline eDiscovery and compliance needs, and give users permissions-based access to any email message. Updated apps provide anywhere access to messages via Outlook 2013, Windows, Mac, iOS and Android.

According to Gartner, the Enterprise Information Archiving (EIA) market is healthy and growing rapidly. EIA has emerged as a commonly used technology underpinning for higher-level use cases supporting information governance, e-discovery, historical preservation of data and application retirement. [1]

Highlighted features of Barracuda Message Archiver 3.5 include:

— Support for Exchange 2013

— Support for Office 365 and Google Apps using Cloud Relay

— Updated apps for Outlook 2013, Windows, Mac, iOS and Android

— Integration with Copy file sync and share for message exports

“User demand for message access from a variety of platforms continues to grow, putting pressure on IT beyond eDiscovery and storage management needs,” said Rod Mathews, GM Storage, Barracuda. “Barracuda Message Archiver 3.5 addresses IT’s need for powerful eDiscovery and storage management, while giving end-users easy access to their email anywhere from any device.”

By leveraging the powerful, full-featured Barracuda Message Archiver mobile apps, users have seamless access to their archived email. The Barracuda Message Archiver app allows users to easily search and retrieve emails – including those that have been moved off of the mail server to archived storage – with much faster access and a higher success rate than most native clients.

Users also have the option to save searches from the mobile app to avoid continuously typing in the same search terms. Additionally, users can reply to messages, forward messages and push messages back to their mailboxes directly from the mobile app.

As email use has exploded, so have the demands on the email server and capacity of its storage. Barracuda Message Archiver offloads storage of older messages and current attachments, provides a simple interface for permission-based access to the archive, and delivers a streamlined platform for quickly responding to eDiscovery requests. Barracuda’s powerful policy engine allows granular management of archiving actions and permissions while its simple GUI enables self-service data recovery by users. With Barracuda Message Archiver, IT can centralize and streamline message storage, reduce costs, offload basic recovery to users, support eDiscovery and compliance needs, and extend the life of their email server infrastructure.

Pricing and Availability

Barracuda Message Archiver version 3.5 is available immediately at no additional charge to existing customers on the current hardware platform with an active Energize Updates subscription. The Barracuda Message Archiver US list price starts at $1999USD for the appliance and list price of $499USD for Energize Updates. An optional Instant Replacement service featuring priority replacement of failed hardware and complimentary refresh of four-year old hardware units is available starting at US list price of $449USD per year. International pricing and availability vary by region.

About Barracuda Message Archiver

The Barracuda Message Archiver is a robust email archiving solution that creates a complete, easily searchable archive of all email messages sent or received. To learn more, visit: http://www.barracuda.com/archiver.

About Barracuda Networks, Inc. (NYSE: CUDA)

Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit http://www.barracuda.com.

This press release contains forward-looking statements, including statements regarding the functionality and performance of Barracuda products. You should not place undue reliance on these forward-looking statements because they involve known and unknown risks, uncertainties and other factors that are, in some cases, beyond the Company’s control and that could cause the Company’s results to differ materially from those expressed or implied by such forward-looking statements. Factors that could materially affect the Company’s business and financial results include, but are not limited to, a highly competitive business environment and customer response to the Company’s products, as well as those factors set forth in the Company’s filings with the Securities and Exchange Commission, including under the caption “Risk Factors” in the Company’s prospectus filed with the SEC on November 6, 2013 pursuant to Rule 424(b) under the Securities Act of 1933, as amended. The Company expressly disclaims any intent or obligation to update the forward-looking information to reflect events that occur or circumstances that exist after the date of this press release.

Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the US and other countries.

Article source: http://www.darkreading.com/applications/barracuda-releases-barracuda-message-arc/240164419

Cloud Security Corporation And App Ventures Limited Sign Asset Purchase Agreement

NEWPORT BEACH, Calif., Dec. 4, 2013 /PRNewswire/ — Cloud Security Corporation (OTCBB: CLDS), an emerging technology company focused on the next generation of Internet and mobile security, today announced that the Company signed an asset purchase agreement to acquire the assets of Hong Kong-based App Ventures. The acquisition of App Ventures’ assets will allow Cloud Security the opportunity to expand its App and website security technology and marketing in North America, as well as give it access to critical Asian markets.

The two companies formed a joint venture agreement to pursue technology and intellectual property that was equally owned. Cloud Security Corporation and the joint venture filed a patent (US Serial Number 61/832,534) for a process and methods for one-time password generation on mobile computing devices. This patent-pending process reduces several risk factors related to current one-time password technology. Cloud Security Corporation now owns 100% of this patent following signature of the asset purchase agreement.

In addition to the aforementioned intellectual property, the Company also gains access to AppSecure(TM), part of the AppFence technology, a cutting-edge sensor technology with a secure communication framework that detects web-based attacks on web apps and websites. While continuing to vigilantly monitor security, the built-in intelligence provides analysis, affirmation and impediment of cyber attacks in real time instead of after the fact. The asset purchase agreement will include App Ventures’ interest in AppSecure(TM) and AppFence.

Safa Movassaghi, President of Cloud Security commented, “We are pleased to sign this asset purchase agreement adding to our product line with App Secure(TM) and other App Fence products from the App Ventures’ assets. A key advantage is that App Secure is ready-for-market and is already being used.”

Kerry Singh, President of App Ventures Ltd. stated, “Signing the asset purchase agreement completes our alignment with a growing Company in the cloud security sector and further provides access to new markets. As part of this asset purchase agreement, we will be offering our extensive developer and business relationships in Asia to Cloud Security Corporation.”

About Cloud Security Corporation

Cloud Security Corporation is an innovative cloud computing company whose technology and products allow for secure data connections to the cloud, through networks, traditional computers and mobile devices such as smartphones and tablets. The Company’s flagship product – MyComputerKey(TM) – provides the ability for remote access security to any computer around the world. The Company also develops online application security products and mobile security technology in the Bring-Your-Own-Device (BYOD) market, a growing trend in today’s mobile workforce. For more information about the Company, please visit www.cloudsecuritycorporation.com.

Article source: http://www.darkreading.com/cloud-security-corporation-and-app-ventu/240164404

SANS Technology Institute Is Now Accredited By Middle States Commission On Higher Education

Bethesda, MD – December 3, 2013. The SANS Technology Institute announced today that it is now accredited by The Middle States Commission on Higher Education (3624 Market Street, Philadelphia, PA 19104 – 267.284.5000), an institutional accrediting agency recognized by the U.S. Secretary of Education and the Council for Higher Education Accreditation. The SANS Technology Institute was established in 2005 as an independent subsidiary of the SANS Institute to offer Master of Science degree programs in Information Security Engineering and Information Security Management.

“Accreditation is an important achievement as we continue our mission to educate cybersecurity engineers and managers with the deep technical skills required to be effective in their organizations,” stated Alan Paller, President of the SANS Technology Institute. “Being accredited means that the SANS Technology Institute meets all of the Standards of Excellence used by Middle States in their peer-review of members, and expresses their confidence in our mission and goals, performance, and resources. Importantly, such accreditation may qualify SANS Technology Institute students to receive tuition reimbursement if their employers offer that benefit.”

The SANS Master of Science degree programs are tailored to develop the technically proficient cybersecurity leaders desperately needed to defend government and commercial organizations. SANS master’s students gain a deep technical understanding of how the underlying technology is exploited in order to determine how and where skills and resources should be allocated to defend against attacks. The SANS Technology Institute has graduated some of America’s most impressive cybersecurity leaders, and its graduates have proven capabilities validated by the successful acquisition of multiple GIAC certifications, high scores in NetWars simulations, multiple practical exercises and group projects, and demonstrated capabilities in communications and applied, peer-reviewed research.

The SANS Technology Institute offers the key qualities students seek in a cybersecurity master’s program:

World-class, cutting-edge technical courses that establish and specialize their skills;

Teaching faculty with an unparalleled reputation for industry leadership, who bring the material to life;

Simulation group projects that teach students to write, present and persuade effectively;

Flexibility to attend courses when and where they are most convenient, either live in classrooms or online from home; and

A reputation for excellence that employers know and respect, augmenting the value of the degree.

In 2014, the SANS Technology Institute will admit 100 students to its graduate cybersecurity programs. Learn more about SANS Technology Institute’s programs and admissions requirements at http://www.sans.edu/info/144857.

About SANS Technology Institute

SANS Technology Institute was established in 2005 to offer graduate programs leading to Master of Science degrees in Information Security Engineering and Information Security Management. The SANS Technology Institute is the only regionally accredited graduate institution focused solely on cybersecurity. Learn more at www.sans.edu.

Article source: http://www.darkreading.com/management/sans-technology-institute-is-now-accredi/240164405

Fluke Networks Rolls Out AirMagnet Enterprise

With the networking world increasingly moving into the wireless realm, security becomes an utmost concern for protected entities including government agencies and enterprises. New methods meant to breach security and jam cellular airways pose a real risk for organizations that rely on a closed network to maintain business processes. In and around sensitive locations, there is a growing need to monitor and detect cellular usage and many entities require continuous visibility into the presence of cellular devices. With the exponential growth in mobile data and the rise in data breaches, finding a solution to help flag and remediate any vulnerability should be a top priority for organizations with high security needs.

To address these issues, Fluke Networks just released the Cellular Spectrum Security capability for AirMagnet Enterprise. A 24×7 scalable performance monitoring and security solution, AirMagnet Enterprise protects against wireless threats, enforces enterprise policies and troubleshoots the WLAN. The new cellular spectrum security solution is designed to detect, alarm, report and remedy cellular security events such as unauthorized cellular devices and cell phone jammers. The solution allows proactive pinpointing of cellular spectrum security issues before they happen. It also helps enforce a no-wireless-zone policy, which is a requirement at many government agencies and enterprises. Integrating Wi-Fi and cellular security in one easy-to-use interface offers one unified management system for both types of monitoring.

Without a strong monitoring service, breaches in security can go undetected and it becomes easier for threats to infiltrate your network. The AirMagnet Enterprise solution offers complete visibility and control over the wireless airspace.

Cellular Spectrum Security Key Capabilities

– 24×7 monitoring of spectrum activity in a broad frequency range including 3G, 4G LTE and CDMA

– Detection of cellular interference sources

– Reporting on performance status and violations

– AirMagnet Enterprise can include a mixed deployment of Wi-Fi only sensors and cellular sensors

– Detection and remediation of cell phone jammers and other security threats

– Forensic analysis for in-depth investigation

– Enforce no wireless zones

Superior security across Wi-Fi and cellular spectrums is now attainable with a single system, the AirMagnet Enterprise.

About Fluke Networks

Fluke Networks is the world-leading provider of network test and monitoring solutions to speed the deployment and improve the performance of networks and applications. Leading enterprises and service providers trust Fluke Networks’ products and expertise to help solve today’s toughest issues and emerging challenges in WLAN security, mobility, unified communications and data centers. Based in Everett, Wash., the company distributes products in more than 50 countries. For more information, visit www.FlukeNetworks.com or call +1 (425) 446-4519.

Article source: http://www.darkreading.com/mobile/fluke-networks-rolls-out-airmagnet-enter/240164420

Votiro Launches Free Cloud-Based File Sanitization Service

Tel Aviv, Israel (December 3, 2013) – Votiro, the provider of the Secure Data Sanitization solution for protecting organizations against zero-day and other ongoing cyber-threats, today announced that the company has launched a free cloud-based file sanitization service.

Votiro’s new file sanitization service analyzes uploaded files for the presence of malicious code and facilitates the quick neutralization of zero-day exploits and the detection of trojans, viruses and worms. This new file sanitization service sanitizes an uploaded file by making micro-changes to its structure and metadata, which eliminates the possibility of malicious code running from the file, and then scanning it with a series of leading anti-virus programs.

This new file sanitization service is part of Votiro’s overall Secure Data Sanitization solution. Votiro’s Secure Data Sanitization solution automatically performs the same sanitization process as the new cloud service on all incoming files, including files attached to emails, downloaded from the Internet and transferred from removable media. This comprehensive process does not affect the usability of a file and is seamlessly integrated into an organization’s IT infrastructure.

“Our Secure Data Sanitization solution provides zero-day protection that eliminates malicious cyber-threats before they have a chance to penetrate an organization’s network and attack critical IT infrastructure and extract sensitive data,” explained Itay Glick, Founder and CEO of Votiro. “Our new cloud service allows organizations to experience the strengths of our sanitization process and understand the overall benefits of our Secure Data Sanitization solution.”

Votiro’s new file sanitization service is available at https://cloud.votiro.com/.

About Votiro

Votiro provides organizations with essential zero-day protection against unknown and ongoing cyber-threats. The company’s Secure Data Sanitization solution provides a robust process and patent-pending technology for cleansing all incoming files from potential cyber-threats. The company was founded in 2009 by a team of senior security experts with backgrounds in the intelligence and security industries and is based in Tel Aviv, Israel. Customers include banks and other financial institutions, government agencies, energy and utilities companies, telecommunications service providers and large enterprises, who are relying on Votiro solutions to protect their critical IT infrastructure and sensitive data.

For more information, please visit www.votiro.com.

Article source: http://www.darkreading.com/vulnerability/votiro-launches-free-cloud-based-file-sa/240164406

AirWatch Develops App Reputation Scanning Into Its EMM Platform

ATLANTA – Dec. 3, 2013 – AirWatch, the largest Enterprise Mobility Management (EMM) provider, announces it has developed app reputation scanning technology into its platform for complete support of corporate-owned device and Bring Your Own Device (BYOD) deployments. AirWatch App Reputation Scanning is fully integrated into the AirWatch platform, and the new capabilities built by AirWatch, combined with the existing AirWatch Mobile Application Management solution portfolio, including app wrapping, Software Development Kit (SDK), custom app catalog and Volume Purchase Program (VPP), provide the most advanced, internally-developed solution on the market.

Enterprises deploy mobile applications to improve productivity, promote collaboration and connect employees to corporate resources. Before distributing mobile applications, IT administrators want to ensure that public, vendor-supplied and internally-developed applications are built properly, maintain user privacy and comply with company security standards for safe business use. AirWatch App Reputation Scanning works on public and internal applications, and it can be implemented with Mobile Device Management (MDM), as a separate dual persona container with AirWatch Workspace or as standalone app scanning.

AirWatch App Reputation Scanning allows organizations to quickly and easily run analysis on applications to determine if they exhibit risky behaviors, access privacy settings on the device, expose user contacts or geolocation information, or use insecure programming or design. Organizations can review app reputation scanning analysis results from the easy-to-navigate AirWatch console and then decide to allow or ban the app on managed devices.

AirWatch also features the most advanced ecosystem of technology partners and API integrations. Organizations can take complete advantage of AirWatch capabilities, while also leveraging seamless integrations to third-party app risk management providers, such as Appthority and Veracode, in the AirWatch Marketplace to fully embrace additional advanced capabilities.

“Every company has a different tolerance for risk depending on the sensitivity of the data involved, but every company needs to know what a mobile app is actually doing in order to set custom policies that match the organization’s requirements,” said Domingo Guerra, co-founder and president, Appthority. “AirWatch understands the criticality of app risk and is empowering its customers to take action by creating custom policies based on the behaviors of an app and the role of each group or individual’s needs within their organization.”

“We developed the most comprehensive solution for app reputation scanning into our platform to create a one stop shop for IT administrators,” said John Marshall, president and CEO, AirWatch. “With AirWatch native capabilities, all AirWatch customers can easily take advantage of this new module to perform basic analysis of their corporate applications. Enterprises that seek more advanced scanning or already use third party solutions can leverage the AirWatch APIs to integrate with solutions from our partner marketplace.”

To learn more about AirWatch’s capabilities and partner integrations, register to attend a webinar at www.air-watch.com/resources/webinars.

About AirWatch

AirWatch is the world’s largest mobile security and Enterprise Mobility Management (EMM) provider with more than 1,500 employees across nine global offices. More than 9,000 organizations in 150 countries leverage the AirWatch EMM platform, which includes industry-leading mobile device, email, application, content, laptop and browser management solutions. Organizations can implement these solutions stand-alone for unique Bring Your Own Device (BYOD) requirements, in the AirWatch Workspace containerized solution, or as a comprehensive, highly scalable enterprise-grade mobility platform. With the largest research and development team in the industry, AirWatch ensures the broadest mobile platform support, develops innovative solutions like Secure Content Locker(TM), and integrates with the leading device manufacturers and technology solution providers in the mobile ecosystem. For more information, visit www.air-watch.com.

Article source: http://www.darkreading.com/applications/airwatch-develops-app-reputation-scannin/240164372

Juniper Networks Unveils Junos Pulse AppConnect To Deliver Simple Per-App Mobile Security From Application To Enterprise

SUNNYVALE, Calif., Dec. 4, 2013 – Juniper Networks (NYSE: JNPR), the industry leader in network innovation, today unveiled Junos Pulse AppConnect software development kit (SDK) that enables per-application virtual private network (VPN) connectivity from both Apple iOS and Google Android devices to Juniper’s Junos Pulse Secure Access Service.

Businesses are facing increasing demands from employees for easy access to corporate data and business applications from any device and anywhere. These demands make ensuring the proper level of security and access to information challenging for IT departments. As companies and government organizations are opening up access to sensitive data to a wider diversity of personal and corporate owned mobile devices, many are struggling to balance security with flexibility. It is imperative that they find ways to provide a level of control over Bring Your Own Device (BYOD) while not burdening end users with security that impairs productivity.

News Highlights:

Junos Pulse AppConnect – Junos Pulse AppConnect technology and SDK is the first solution to offer per-application SSL VPN connections on both Android and Apple iOS mobile devices. With AppConnect, enterprises will have more granular control over access to corporate networks and applications, preserving the security and integrity of their data, network and resources end-to-end.

o Application and data containerization on the device is a popular approach to MDM for companies that want to segment work and personal data on the device. However, this segmentation is often not extended to network communications.

o AppConnect enables companies, developers and application container solution providers, to secure data flowing from applications and application containers to enterprise networks through Junos Pulse Secure Access Service Gateways.

o Data privacy afforded by the container technology in AppConnect can be extended to the data in transit back to the corporate network – transparently and on a per-application basis – for Android and Apple iOS devices. The potential for corporate data leakage via applications on personally owned devices is subsequently greatly reduced.

o Juniper’s new technology allows for VPN sessions to be established per application versus per device, reducing personal traffic on corporate networks and protecting information that really matters to the organization.

o For users, AppConnect relieves employee concerns that personal data is flowing over the corporate network and makes it much easier to connect. Users no longer need to launch a separate application to connect to the corporate network securely via VPN; applications and application containers connect automatically to the private network.

o The Junos Pulse AppConnect SDK is generally available next week.

Supporting Quotes:

“We believe the VPN market is undergoing a transition from securing devices to securing applications end-to-end. Juniper’s vision is that every user will securely and transparently access only authorized corporate data from any device (personal or company owned) through applications from anywhere,” said Tamir Hardof, senior director security product marketing, Juniper Networks. “With AppConnect’s per-application VPN technology Juniper is taking significant steps toward realizing this vision.”

Additional Resources:

Junos Pulse Website

About Juniper Networks in Security

Juniper Networks builds secure and trusted networks with end-to-end security across every environment–from the data center to campus and branch environments and to the device itself. Our security solutions give enterprise and service provider customers a competitive advantage as they set out to build the best networks on the planet.

About Juniper Networks

Juniper Networks (NYSE: JNPR) delivers innovation across routing, switching and security. From the network core down to consumer devices, Juniper Networks’ innovations in software, silicon and systems transform the experience and economics of networking. Additional information can be found at Juniper Networks (www.juniper.net) or connect with Juniper on Twitter and Facebook.

Juniper Networks and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks and Junos logo are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Article source: http://www.darkreading.com/mobile/juniper-networks-unveils-junos-pulse-app/240164456

150% Increase in Mobile Online Shopping Black Friday Through Cyber Monday

PORTLAND, Ore. – Dec. 4, 2013 – iovation, stopping Internet fraud and identifying good online customers by leveraging the world’s largest device reputation database, today announced that it found 30% of all online retail purchases from Black Friday to Cyber Monday in 2013–November 29 to December 2–were conducted from a mobile device. This compares to 12% of all online retail purchases being conducted from a mobile device from Black Friday to Cyber Monday 2012–November 23 to 26–representing a 150% increase. To date in 2013, 15% of all online retail purchases have been conducted from a mobile device. The company characterizes a mobile device as a mobile phone or tablet; a non-mobile device as a desktop or laptop computer.

“Over the last couple years, we’ve seen a dramatic increase in the use of mobile banking and now, as evidenced by our holiday shopping stats, we’re seeing a similar rise for retail,” said iovation Vice President of Product Scott Olson. “This is a tipping point for online retail purchases.”

Besides tracking online retail purchases, iovation closely analyzed cyberfraud during the beginning of the holiday shopping season. According to iovation, from Black Friday to Cyber Monday 2013, 0.5 percent of all online retail purchases were fraudulent. This dramatically dropped from the same period in 2012, when 1.5 percent of all online retail purchases were fraudulent.

The top types of fraudulent online retail purchases from Black Friday to Cyber Monday 2013 were:

Credit card fraud–Using someone else’s unauthorized credit card to make a purchase.

Scams and solicitations–Sending a consumer to a fake retail site that phishes for personal information like credit card and social security numbers.

“Historically, we’ve found that cybercriminals prefer to use a ‘traditional’ computer to make their purchases,” said iovation Chief Technology Officer Scott Waddell. “The fact that the cyber fraud rate is down this holiday season could be a by-product of the uptick in mobile purchases along with the naturally higher rate of good transactions on these busiest shopping days of the year.”

The findings were the result of iovation analyzing millions of transactions from its customers by leveraging its flagship fraud-finding service, ReputationManager 360, the world’s most comprehensive solution for shared device reputation. ReputationManager 360 identifies potentially fraudulent transactions through the analysis of devices’ online behavior, helping to prevent credit card fraud, identity theft, account takeovers and other abuses.

About iovation

iovation protects online businesses and their end users against fraud and abuse through a combination of advanced device identification, shared device reputation and real-time risk evaluation. More than 2,300 fraud managers representing global retail, financial services, insurance, social network, gaming and other companies leverage iovation’s database of Internet devices and the relationships between them to determine the level of risk associated with online transactions. The company’s device reputation database is the world’s largest, used to protect more than 10 million transactions and stop an average of 200,000 fraudulent activities every day. The world’s foremost fraud experts share intelligence, cybercrime tips and online fraud prevention techniques in iovation’s Fraud Force Community, an exclusive virtual crime-fighting network. For more information, visit www.iovation.com.

Article source: http://www.darkreading.com/mobile/150-increase-in-mobile-online-shopping-b/240164440

Anatomy Of An Electronic Health Record (EHR) Zero-Day

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation’s most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn’t turned up anything out of the ordinary in the code. But then one day this spring, he spotted something in a second interface he was testing that shocked him: “It was very quickly obvious that it had no real security at all,” says Mackey, a grad student in Georgia Tech’s information security program. “I was quite surprised.”

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics and later handed over to the open source community to further its development and adoption across the entire healthcare industry. It’s one of the most widely adopted platforms for electronic health records in the country by VA and commercial hospitals and clinics, and it’s also gained some traction overseas.

The security flaw Mackey found allowed him to bypass most of the software’s security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system’s worst security nightmare: the potential for tampering with patient privacy and medical treatment.

“VistA at its heart is a database—you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server and the remote user needs to be authorized: that’s in the security policy of the system,” says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.

This policy ensures, for example, that nurses access only the specific information and tools they are authorized to use, not the breadth of treatment and other tools doctors can use. “But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records,” and other tasks, he says.

VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker that already had gained a foothold in the network via another hack, such as a spear phish that infected a client machine in the hospital or clinic’s network, he says.

Mackey knew the significance of his bug find was big—the VA manages the largest healthcare system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and healthcare facilities in several states, including California, Florida, New York, and Texas, as well as in Washington, D.C. He first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General: still no reply.

“It took months. I finished the semester and tried contacting various groups and waited quite a while [for response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested,” Mackey says.

So Mackey dug around and found a group of developers in a Google group called the “Hard Hats,” a group made up of former VA developers and consultants who have worked with VistA and now support the open source community development of the code. The group confirmed Mackey’s finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the “very serious” security flaw.

A patch for the VistA flaw was released on October 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open source efforts for VistA. Among the team that developed the patch were Medsphere, the EHR software vendor whose product Mackey had tested in his lab, iCare, Oroville Hospital in California, and members of OSEHRA’s staff.

“When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private sector engineers worked together under our auspices to come up with a solution,” says Dr. Seong Ki Mun, CEO of OSEHRA. “This is the first time a patch was developed and tested involving all of the key community members … This is different, because over the years, people in government were not sure how to engage with the private sector.”

Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. “Some parts of VistA are operational in most DoD medical centers” as well, he says.

There were no public reports of attacks exploiting the flaw, but Mun says he can’t confirm whether the vulnerability was ever used in any attacks on healthcare organizations running VistA. “We don’t have any such information,” he says. “But it is unlikely it ever got exploited.”

The VA, like many federal agencies, already was in the bull’s eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo, told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.

Mackey says the flaw he found had been in place in VistA since 2002. “VistA is a massive system. This was just an initial look at one way that system could remotely communicate,” he says of his research. “I kind of stopped my research after I found it.”

Article source: http://www.darkreading.com/vulnerability/anatomy-of-an-electronic-health-record-e/240164441