Skip to main content

The WiKID Blog

Viewing posts tagged Information Security


Hat Tip to Valley Wag for pointing out this must read Newsweek article "Intrigue in High Places" about how the chairwoman of HP's board spied on other directors, including gaining access to the call logs of their personal cell and residential phone lines by "pretexting". (The investigators pretended to be the board members to the phone companies to get access.) The targeted board member who was the source of leaks to CNet is still on the board, but Tom Perkins of Kleiner Perkins fame resigned in protest.


According to MessageLabs via ZDNet:

During March, MessageLabs intercepted 716 e-mail messages that were part of 249 targeted attacks aimed at 216 of its customers, the Gloucester, England-based provider of hosted e-mail filtering services said in a research report. Of the attacks, almost 200 consisted of a single malicious e-mail designed to infiltrate an organization, MessageLabs said.
Emphasis added.


Turns out even if you don't have a teleworking offering for your workers, they probably do it anyway by loading their laptop up with private, unencrypted information and taking it home. At least that seems to be the case in the Federal government according to a recent study by the Telework Exchange:

The report found that 63 percent of respondents who worked from home unauthorized -- more half of the non-teleworkers surveyed -- used their home computers in doing that work. "People were saving documents on their home computers that were unprotected," said Josh Wolfe of Utimaco, a data security company that underwrote the study.
I wonder how people get to telework if they are not authorized? I assume telework means that they are connecting via a VPN, right? Are over half of Federal employees technically able to remotely connect to their internal network, but on the honor system to not do it? Registering for the doc gets some answers. Teleworkering means that you are working away from the office. That could mean on your blackerry. However, the point of the study stands: unsanctioned teleworking occurs:
  • 54% of non teleworkers carry files home
  • 41% of non teleworkers log onto their agency’s network from home
Holy Cow! How do people log in to their agency network if they are not allowed! And unsanctioned teleworkers are less likely to be protected from malware:
When teleworkers and nonteleworkers where asked if they had antivirus protection on their laptop or desktop computers, 94 percent of teleworkers responded yes, while only 75 percent of non-teleworkers said yes.
I think implementing two-factor authentication for remote access in federal government agencies would be a huge win - it would immediately eliminate the 41% of unauthorized users accessing the network.


The healthcare world is abuzz with the news that the Department of Health and Human Services is auditing Atlanta's Piedmont Hospital:

Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital's systems, software and employees, including new hires and terminated workers.


One reason for the lack of posts recently has been that I have written a how-to on securing WebDAV with SSL and two-factor authentication. Dealing with WebDAV was more of a pain than I anticipated. First, there seems to be a bug in recent versions of apache that breaks mod_auth_radius and mod_auth_xradis. Second, I spent a lot of time figuring out the ways that WebDAV does not work on Windows ;).

Recent Posts







RSS / Atom