Wednesday, April 30, 2008

Can the Media Move the Ball on HIPAA?

I finally have a serious prediction for 2008: I predict that unauthorized access of medical records will be the new lost laptop story.

Reporting on the compromise of data through laptop loss/theft over the past few years has raised public awareness around data breaches and disk encryption. The upswing in incidents involving hospital employees accessing celebrity medical records will have a similar affect on awareness. I mention this because a former UCLA Medical Center employee was indicted yesterday on charges stemming from similar activity. What made this a criminal case and not just another firing is that the employee sold these records to a "media outlet" (tabloid).

The reason this is significant is that stories like this in the media raise public awareness about HIPAA requirements and medical provider capabilities. Those capabilities being the ability to review who accessed a patient's medical record and when, and that the hospitals have a way of determining whether or not the access was appropriate. The end result will likely be two-fold. First, more patients will be aware of these capabilities, and will start doing things like asking doctors and hospitals for this information. And secondly, the hospitals that aren't currently reviewing the logs from their EMR systems will feel some pressure to start doing so.

Monday, April 28, 2008

Don't Read My Blog

At least, don't read it this week. I don't have anything to say that you should read before you read the transcript of Clay Shirky's "Looking for The Mouse" keynote at Web 2.0.

But I do have this to say - feeling inspired by Clay's speech, I've revived 2 old projects and started a new one and am making it my goal to finish them this year. Thanks to Dave Aitel for posting a link to this on Twitter.

Wednesday, April 16, 2008

Cool Things To Do In West Michigan This Spring

Sorry in advance if Google sent you here looking for tourist attractions. Blame it on the title's lack of creativity or specificity. But while I have your attention, if you like security and/or beer, and will be in the vicinity of Grand Rapids within the next 6 weeks, this could be your lucky day.

That's because...

  • This Friday, April 18th, Matt Carpenter of Intelguardians is presenting to the Grand Rapids ISSA. His talk will basically be like drinking from the SANS 504 firehose. The best parts of a 6-day course, condensed into 90 minutes or less. Matt was my instructor for 504, and he's awesome. This will be an excellent talk.
  • The following Tuesday is GRSec at Graydon's Crossing. Amazing pub food and a great beer selection. I like this place a lot.
  • And there's a pretty good chance that there will be another GRSec the Tuesday after that!

Friday, April 11, 2008

It's The End of The (Security) World As We Know it... And I Feel Deja Vu?

If you've been following blogs or online trade press coming out of this week's RSA conference, then you no doubt have heard about the keynote that IBM's Val Rahmani gave in which she declared that, "The security business has no future." Now, that's the punch line she used to get into the trade press and onto the blogs (including mine), but the real gist of the talk was that the future of security is for vendors to bake security into infrastructure products, and that that's what IBM would be doing.

I'm not going to dissect Val's talk, but I do want to point out two interesting things. First is that Val is Tom Noonan's replacement at the security branch of IBM Global Services (formerly ISS). So why the GM of a consulting practice is talking about her offerings' futility in a public way is a little confusing and not good for morale. I'm sure that's not what she intended, but still.

Second, and perhaps more interesting, is that this year's keynote is eerily similar to the Bill Gates keynote from RSA 2006. Now, he didn't open with a shock-jock style punch line the way Rahmani did, but he could have. And he would have had the high ground. But Gates did talk a lot about what Microsoft was doing at the time to build secure, sustainable infrastructure. He also dragged out OneCare (now Forefront) and Vista as examples of Microsoft's advances in platform security. The stories I have read seem to indicate that Rahmani did not mention specific products or tactics that IBM would be sending to market.

So I guess if you're looking for a take away, it is that platform security has gained traction at least as a talking point. And IBM is at least 2 years behind Microsoft in product positioning for security.

Friday, April 4, 2008

ArcSight Logger: CEF vs. Raw

Here's something for potential ArcSight Logger customers to ponder. The issue is whether you should use CEF formatted logs (post-Connector) or raw logs (pre-Connector) or both in your Logger environment. In this case, a picture is worth at least a few hundred words:



If you look carefully at that image, you can see that it shows the same event in both its raw syslog format and it's Connector-ized CEF format. From my point of view, it boils down to use case. Analysis versus troubleshooting. Reporting versus response. The CEF formatted message is chock-full of metadata-and-labeling goodness. It's also overkill on the eyes. Log messages are already cryptic to the point of questionable usefulness. CEF amplifies that. The raw format, on the other hand, is easier to read due largely to the fact that it's what your UNIX admins are used to seeing. But that's where the positives end. Raw syslog is all but unformatted and trying to write a small chain of regexes that do a good job of parsing large quantities of syslog is a headache and a half.

Of course, you may have already realized that there is a right answer to this problem: Do both. Sure there's some overhead to consider, since you're going to pass syslog to a Connector that will then send raw events to Logger, CEF events to Logger, and CEF events to ESM if you have it. Or you could send raw syslog to Logger, have Logger forward it to a Connector and then configure the Connector to send CEF to Logger and ESM. There are probably many other complicated flows that you could implement as well, but you get the idea.

Tuesday, April 1, 2008

Binary File Visual Analysis Redux

I got a great comment on my post regarding simple binary file visual analysis from Erik Heidt. Erik made the very valid point that visual analysis of ciphertext is not a highly reliable way to distinguish "good" crypto from "bad." He used the example of an 8-bit XOR of a file as an ineffective method of encrypting data that also has random byte distribution.

Since there's nothing good on TV, I decided to see what an XOR-ed file data looks like in gnuplot. So here's what I did.



Like before, I used the Netcat nc.exe binary. I then encrypted it using GPG and also encoded it using Luigi Auriemma's Xor utility. I then ran the three files through the Perl script from my previous post and then plotted them with gnuplot.

Here's the plot of the original binary:



Here's the plot of the GPG-encrypted file:



And here's the plot of the XOR-encoded file:



As you can see, the XOR plot has peaks and valleys that are characteristically similar to the original binary. I don't want you to take away from this that this visual analysis method is highly reliable in all situations. I only wanted to share that basic XOR encoding does stand out visually.