
South Shore Hospital in South Weymouth, Massachusetts, will pay US
$750,000 to settle allegations that it did not take adequate precautions
to protect patient data. The case involves three boxes of tapes
containing unencrypted patient data that were shipped in February 2010
to a third-party contractor that would erase the data and resell the
tapes. South Shore Hospital learned in June 2010 that the contractor
received just one of the three boxes sent. The data on the tapes
included SSNs, birth dates, health plan information, diagnoses, and
treatments. A statement released by the Massachusetts Attorney General’s
office said that South Shore Hospital violated the Health Insurance
Portability and Accountability Act (HIPAA) by failing to notify the
contractor about the sensitive nature of the data on the tapes and by
not ensuring that the contractor had appropriate security measures in
place to protect those data. South Shore Hospital has since taken steps
to improve data security practices.

http://www.scmagazine.com/hospital-agrees-to-pay-750000-over-data-breach-allegations/article/242920/

http://www.boston.com/businessupdates/2012/05/24/south-shore-hospital-pay-settle-data-breach-charges/ICLIzdBFD9ooE8ofaldimO/story.html

A Freedom of Information Act (FOIA) request filed by the Electronic
Privacy Information Center (EPIC) has forced the US Department of
Homeland Security (DHS) to reveal a list of words and phrases it uses
while monitoring social networking sites and other online media for
possible threats against the country. Apart from the obvious words, like
“terrorism,” and “dirty bomb,” the list also includes words that appear
to be innocuous, such as “cloud,” and “pork.” The analysts are trained
to look for evidence of emerging threats that include not only
terrorism, but natural disasters, public health issues, and other
threats.

http://www.dailymail.co.uk/news/article-2150281/REVEALED-Hundreds-words-avoid-using-online-dont-want-government-spying-you.html

The National Security Agency (NSA) has designated four US universities
as National Centers of Academic Excellence in Cyber Operations. NSA aims
to identify students with an interest in and talent for cyber security.
The agency will offer summer seminars for students who show potential.
The identified schools are Dakota State University in South Dakota, the
Naval Postgraduate School in California, Northeastern University in
Massachusetts, and the University of Tulsa in Oklahoma. The schools will
be required to use an integrated cyber security curriculum and to offer
a course on the legal and ethical issues inherent in cyber security.

http://www.nextgov.com/cybersecurity/2012/05/nsa-taps-schools-cyber-sleuths/55931/?oref=ng-channelriver

The personal information of more than 123,000 participants in the US
Federal Retirement Thrift Investment Board’s (FRTIB) Thrift Savings Plan
was exposed when a computer belonging to third party service provider
Serco was hacked. The FBI informed FRTIB and Serco of the breach in
April. The compromised machine was shut down and FRTIB and Serco
conducted forensic analysis to determine who was affected. There have
also been steps taken to improve security. The compromised data include
names, addresses, Social Security numbers (SSNs) and in some cases,
financial account and routing numbers.

http://www.computerworld.com/s/article/9227519/Information_of_U.S._federal_employees_exposed?taxonomyId=17

http://www.govexec.com/pay-benefits/2012/05/tsp-accounts-exposed-breach/55927/

Researchers at Kaspersky Lab say they have detected an espionage toolkit
called Flame that appears to be far more sophisticated than Stuxnet.
Flame is believed to have gone undetected for at least two years and has
been found on computers in the Middle East and North Africa. It is being
called the “next phase” of malware. It appears to be designed to steal
information. Because Flame is so complex, there is speculation that it
is the product of a government-backed effort rather than a group of
hackers.

http://www.wired.com/threatlevel/2012/05/flame/

http://www.defenceiq.com/defence-technology/articles/new-super-cyberweapon-the-flame-discovered/

As of May 26, UK-based websites are required to notify visitors if they will be tracked in any way. Despite the legislation’s nickname of the “cookie law,” it applies to all forms of site visitor tracking, not just cookies. The date the law was scheduled to take effect has been known for a year, but the BBC said that most sites would not be in compliance by the target date. The law requires sites to obtain “informed consent” from visitors to use tracking technology. The UK’s Information Commissioner’s Office (ICO) has the authority to fine violators up to GBP 500,000 (US $783,000), but for the time being, the ICO appears to be focusing on notifying administrators of sites that are not in compliance.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
http://www.gsa.gov/portal/category/102371

By an overwhelming margin, corporate auditors, IT advisors, and Federal Government OIGs have made AppDetectivePro their database scanning and vulnerability assessment solution of choice. Deployed in over 130 countries, AppDetectivePro has been used to assess hundreds of thousands of databases in every vertical market. A thorough examination of the databases that store and process critical business information is a critical component of any IT audit; AppDetectivePro enables auditors and advisors to complete the task quickly, reliably, and cost effectively.
http://www.appsecinc.com/products/appdetective/

Federal Network Security is proud to announce the release of the Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report (CAESARS). (PDF – 105 pages, 2.21 MB)
Collaborating with the Departments of State, Justice, and Treasury, the Department of Homeland Security has developed the Continuous Asset Evaluation, Situational Awareness and Risk Scoring reference architecture. As an architectural reference, CAESARS represents a solution for making assessments on a continuous or nearly continuous basis; this is a prerequisite for moving IT security management from isolated assessments, supporting infrequent authorization decisions, to continuous risk management as described in current federal guidance of the National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) mandates.
The CAESARS approach provides a means of monitoring the security controls in place and focusing staff efforts on those most likely to enhance the agency’s information security posture.
http://www.dhs.gov/files/publications/gc_1285952885143.shtm

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. This Web site is provided to support continued community involvement. From this site, you will find information about both existing SCAP specifications and emerging specifications relevant to NIST’s security automation agenda. You are invited to participate, whether monitoring community dialog or leading more substantive activities like specification authorship.

NIST’s security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines. NIST is also working on this expansion plan, so please communicate with the SCAP Team early and often to ensure proper coordination of efforts.
http://scap.nist.gov/
