The controversy comes less than a week after Google, Facebook and other advertising networks were caught circumnavigating users’ privacy settings on Apple’s Safari and Safari Mobile browser.

Microsoft had initially reacted to the news by trumpeting IE9s safety, but a blog post on Monday revealed its users had also fallen victim to the snooping, albeit in a slightly different way.

Stating intent

“Google is employing similar methods (to what it employed with Safari) to get around the default privacy protections in IE and track IE users with cookies,” said IE boss Dean Hachamovitch.

“We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

“IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user.

“Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.”

Fix in place

While it waits for Google to respond, Microsoft already has a fix in place for IE9 users who want to protect themselves from the tracking.

Microsoft also said it is looking into reports that Facebook is guilty of the same tracking technique.

Google responded to the claims on Friday, claiming it was not harvesting personal information, but simply establishing which users were signed into Google.

“Microsoft omitted important information from its blog post today,” wrote Google’s Rachel Whetstone later. “Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.

“It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
“Today the Microsoft policy is widely non-operational.

“A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.”

It’s an argument that is likely to run and run, but many will ask whether these public spats are ever really going to be acting in the best interest of the actual users rather than for political point scoring.

Via: Zdnet

Article source: http://www.techradar.com/news/internet/microsoft-says-google-bypassing-ie-security-too-1064918?src=rss

KANSAS CITY, MO —
FishNet Security announced today it will collaborate with Microsoft Corp. to provide new software functionality that enables health system customers to provision clinical applications through Microsoft Forefront Identity Manager 2010 (FIM 2010).

“For healthcare providers, the integration between identity management platforms and clinical applications plays an important role in improving caregiver effectiveness,” said Phil Lentz, chief identity strategist at FishNet Security. “Efficiencies are a result of fewer IDs and passwords, ‘zero day’ account set-up for newly hired caregivers, enablement of caregivers to reset their own passwords, and the establishment of the correct clinical system access demanded by a caregiver’s job responsibilities.”

FishNet Security is developing the Clinical Application Resource Extension (CARE) to connect the capabilities of proVision, acquired from Sentillion, with FIM 2010. Healthcare organizations soon will be able to use FishNet Security’s CARE to automate the provisioning of users’ accounts and access entitlements to key healthcare applications.

The accelerated adoption of IAM solutions in the healthcare sector has been spurred by HITECH ARRA, with the desire to best align with Meaningful Use and specifically address the increased HIPAA security requirements. In addition to regulatory alignment and caregiver benefits, maturing the security posture through IAM can help reduce user administration costs through automation and self-service.

“We’re pleased to collaborate with FishNet Security to ensure health systems can easily apply the power of FIM, an enterprise-class identity and access management solution, to their unique health IT environments,” said Nate McLemore, general manager, Microsoft health solutions group. “Hospital IT departments will be able to easily provision user accounts to the applications their caregivers rely on most while benefitting from the scale and self-service benefits of FIM.”

Earl Perkins, research vice president in the Security and Privacy group at Gartner, said: “Enterprises in healthcare delivery frequently have manual processes for creating identities that depend upon phone calls, emails, spreadsheets and other ad hoc tools. Recording and delivering an audit trail for these processes is very complex. An integrated IAM platform can provide transparency to the fulfillment process and go far in reducing security risks, avoiding delays in receiving vital access to resources, and improving overall productivity of IT and the business.”

While healthcare providers continue to leverage IAM platforms to improve organizational and clinical performance, further value in IAM is being found in support of the acquisition trends of physician groups. In addition to growth, healthcare providers are attempting to mature infrastructure and prepare for future cloud-based applications adoption. Combining these business drivers to an already challenging regulatory compliance roadmap further supports the strategic relationship between FishNet Security and Microsoft.

The development effort for FishNet Security’s CARE is underway and those considering adoption are encouraged to begin the planning process now. This will help providers address the “last mile” of user management, extending the value of FIM to such applications as EMR, CPOE, PACS and clinician portals.

About FishNet Security

FishNet Security is the No. 1 provider of information security solutions that combine technology, services, support and training. Since 1996, the company has enabled clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet Security is committed to information security excellence and has a track record of delivering quality solutions to over 5,000 clients nationwide. For more information about FishNet Security, visit www.fishnetsecurity.com, www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.

© Marketwire 2012

Article source: http://www.msnbc.msn.com/id/46452638

advertisement

On Wednesday, the federal Department of Homeland Security’s “Secure Communities” program begins statewide in Connecticut and some state officials have concerns about it.

“Secure Communities” calls for state and local law enforcement agencies automatically share fingerprints with the U.S. Department of Homeland Security so Immigration and Customs Enforcement can check information against DHS immigration databases.

“What this program does is it essentially converts local law enforcement officers into defacto agents of the Immigration and Customs Enforcement Agency,” Mike Lawlor, Under Secretary for Criminal Justice Policy and Planning, said in a statement.

A report from U.S. Department of Homeland Security said the goal of the program is to strengthen the federal government’s ability to target criminals and ensure that resources are not focused on “low-priorities,” such as deporting young people who were brought to this country as young children.

Lawlor said Gov. Dannel Malloy shared the concerns that many police chiefs have that the policy could lead to a situation in which victims and witnesses in an immigrant community would be reluctant to cooperate with local and state law enforcement.

In response, Malloy has asked Leo Arnone, the Department of Corrections Commissioner, to review how the program is implemented, what the ramifications are and see if corrective action is needed going forward.

“Decisions on how to respond to each request will be made on a case-by-case basis,” Lawlor said. “As the report itself says: ‘DHS must ensure its immigration enforcement resources are focused on the removal of those who constitute our highest priorities, specifically individuals who pose a threat to public safety such as criminal aliens and national security threats, as well as repeat immigration law violators and recent border entrants. In fact, the expenditure of resources on cases that fall outside our enforcement priorities hinders our public safety mission by clogging immigration court dockets and diverting resources . . . .’”

The program begins just a week after the federal government settled with 11 men who were arrested in a series of ICE raids in 2007 in New Haven.  Legal aides for the men said the raids were done without warrants or consent, and were illegal.

Federal authorities said Monday that the program is meant to take dangerous people off the streets.

“Secure communities promotes the agency’s top enforcement priority of finding and removing those who are unlawfully present or otherwise removable and have criminal convictions by relying on an already-existing federal information-sharing program,” said Ross Feinstein, of Immigration and Customs Enforcement.

New Haven Mayor John DeStefano called on ICE to delay implementing the program.

“The same thing that they said to us in June of 2007, when we had the raids, was exactly that class of the worst of the worst.  Of those that were picked up, they had one common characteristic: they were brown,” DeStefano said.

Article source: http://www.nbcconnecticut.com/news/local/State-Officials-Have-Concerns-About-Secure-Communities--139720183.html

LAS VEGAS, Feb 20, 2012 (BUSINESS WIRE) –
Please replace the release with the following corrected version due to
multiple revisions.

The corrected release reads:

DRIVESAVERS HIGHLIGHTS RISKS OF DATA BREACHES AS HEALTHCARE GOES
DIGITAL

Data breach vulnerabilities overlooked when PHI data disclosed to
hospital “Business Associates”

HIMSS12, Booth #13521–DriveSavers Data Recovery, the worldwide leader
in data recovery
services, announced today risks that healthcare organizations should be
aware of when using third party data recovery service providers that are
not HIPAA compliant or not properly vetted for security protocols. As
the healthcare industry rapidly becomes digitized, the risks of data
breach are unprecedented. In 2011, health data breaches in the US
increased 97 percent over the year before, according to a recent report
by Redspin,
a leading provider of IT security assessments. Data breaches cost the
healthcare industry an estimated $6.5 billion last year. Redspin cites
insufficient oversight of PHI (protected health information) disclosed
to hospital “business associates” (third party vendors) as one of the
main reasons for the increase.

According to HIPAA federal law, the legal burden of protecting patient
data while at a business associate, falls on the health organization
that contracted the service with that business. Therefore, if a data
breach occurs while PHI data is being recovered at a third party data
recovery service provider, the healthcare organization that contracted
the service is responsible for what could turn out to be a very costly,
reportable data breach.

How Healthcare Organizations may be Vulnerable to Data Breaches Using
Data Recovery

There are several areas where a healthcare organization’s PHI records
may be vulnerable to data breach when using a data recovery service
provider.

–
Risk of permanent data loss if software tools are used improperly or
the device is not opened in a ISO-5 cleanroom and media platters are
exposed to airborne contaminants

–
Risk of improper downloading or ID theft of PHI data

–
Risk of outside breach from hackers if data is stored on an
unprotected network

–
Risk of PHI data exposure if damaged drives are not destroyed with a
DoD approved degausser or shredder

–
Risk of viruses or malware being returned on new drive with recovered
data

The consequence of using a data recovery vendor that does not have
proper protocols in place to protect PHI can lead to loss or theft of
sensitive and confidential information. As a result, the healthcare
organization could suffer major disruption in business, huge financial
and legal fees, damaged brand name, firing of management, IT staff and
IT security involved in data recovery selection process and in some
cases, a complete shut down.

NYC Hospital Properly Vets Data Recovery Firm and Safely Recovers
200,000 Patient Records

Healthcare organizations that have policy and guidelines in place for
selecting and using data recovery service providers can avoid the risks
of a data breach. A large public hospital in New York City had a RAID 5
server fail due to mechanical failure. The server stored the hospital’s
database of over 200,000 patient records.

Knowing that healthcare organizations must meet the most stringent data
security guidelines by law, the NYC hospital’s IT team thoroughly
vetted their prospective business associate, DriveSavers, to ensure that
the company adhered to HIPAA
Data Security Guidelines before sending PHI data to their
facilities. DriveSavers has achieved compliance with the data security
standards outlined in the Health Insurance Portability and
Accountability Act (HIPAA).

DriveSavers successfully recovered the hospital’s PHI data in a
Certified ISO 5 cleanroom that has been audited and certified to meet
ISO 14644-1 standards. Engineers and employees at DriveSavers have all
undergone background checks. The data recovered was stored on the
company’s certified secure network, which is audited annually as part of
a SAS
70 Type II certification process. The hospital’s IT team received
the restored data on a new storage device; the old, damaged drive was
permanently and securely degaussed following HIPAA guidelines for
destroying hard drives.

DriveSavers is leading the data recovery market by investing in
technology, research, equipment, new facilities and training so that it
meets the rigorous security demands of the healthcare industry. In
addition to being compliant with HIPAA Data Security Guidelines and
undergoing annual SAS 70 Type II audits, the company also adheres to US
Government security protocols, the Gramm-Leach-Bliley Act Data Security
Rule (GLBA), the Data-At-Rest mandate (DAR) and the Sarbanes-Oxley Act
(SOX). DriveSavers engineers have received certifications for completing
extensive training programs from leading encryption software vendors,
including GuardianEdge, PGP, Pointsec (Check Point Software Technology)
and Utimaco.

DriveSavers can successfully recover lost data from encrypted hardware,
software, email, network files, wireless device data and all
storage/backup devices. Companies that have trusted DriveSavers with
their critical data include: CompuCom Systems, Inc., eBay, NASA, Weill
Cornell Medical Center and UCLA Medical Center.

About DriveSavers

DriveSavers Data
Recovery, the worldwide leader in data recovery services, provides
the fastest, most reliable and only certified secure data recovery
service in the industry. DriveSavers is the only data recovery company
to post proof of annual company-wide SAS
70 Type II Audit Reports, the Corporate Industry’s standard for an
overall control structure. DriveSavers High Security Service adheres to
US Government security protocols to ensure that no data is ever
compromised during the data recovery process. DriveSavers maintains the
most technologically advanced Certified
ISO 5 (Class 100) cleanroom in the industry and is authorized to
open drives by all major storage device manufacturers without voiding
the warranty. DriveSavers engineers recover lost data from all storage
devices and all operating systems and are trained and certified in all
leading encryption and forensic technologies. Satisfied customers
include: Bank of America, Google, Lucasfilm, NASA, Harvard University,
Salvation Army and The Rolling Stones. (
http://www.drivesaversdatarecovery.com )

SOURCE: DriveSavers Data Recovery

        BLASTmedia for DriveSavers
        Molly Noonan, 317-806-1900 ext. 110
        Molly_noonan@blastmedia.com

Copyright Business Wire 2012

Article source: http://www.marketwatch.com/story/correcting-and-replacing-drivesavers-highlights-risks-of-data-breaches-as-healthcare-goes-digital-2012-02-20

BOSTON, MA, Feb 20, 2012 (MARKETWIRE via COMTEX) –
Votacall, the leading VoIP and cloud-based Unified Communications
Provider (UC), today announced that BeyondTrust, a global leader in
perimeter based IT security software with offices in California,
Washington, Massachusetts and the UK, has selected the Votacall VoIP
platform to deliver reliable voice communications amongst locations
and complete solution management while decreasing telecom expenses.
Designed, implemented and managed by All Business Communications, the
Votacall VoIP solution provides the scalability necessary to promote
the organizations’ growth plan while cost effectively addressing
future collaboration needs across the corporate landscape.

BeyondTrust is a security software company which has developed
products that enable IT administrators to eliminate the risk of
intentional, accidental and indirect misuse of privileges on desktops
and servers.

BeyondTrust was utilizing legacy PBX platforms with maintenance
contracts at each office and was considering entering into a contract
for data services to connect all locations seamlessly. This crucial
business communications initiative would have increased the
organization’s telecommunications expenses by more than 30%. This is
when BeyondTrust was introduced to the Votacall Hosted VoIP Platform.

“We needed a solution that would be secure, robust and provide a
consistently high quality voice experience,” said Jay Kaffai,
Director of Information Technology. “It was also critical that we
could roll out new locations and scale our operations quickly. The
provisioning process for a new location would have taken months with
our old on-premise solution — with Votacall the process is measured
in days and weeks.”

Being a security software company, BeyondTrust required that Votacall
have redundant platforms housed in geographically diverse
carrier-class data centers backed by state of the art security tools
to provide the most reliable and secure customer experience. “As is
the case with most businesses, the phones just need to work. We have
not had any disruptions in service since migrating to the Votacall
platform nearly six months ago. Any anxiety that I had moving such a
business critical service to a hosted platform has been put to rest
thanks to Votacall,” adds Kaffai.

The Votacall VoIP platform delivers enterprise level functionality,
reliability and ultimate redundancy with a guarantee of absolute
investment protection. Our mission is to enhance the end-user
communications experience now and into the future. Votacall will be
the last telecommunications decision you will ever make, innovate and
communicate with Votacall.

About BeyondTrust
Founded in 1985, BeyondTrust is the global leader
in privilege authorization management, access control and security
solutions for physical, virtual, cloud and infrastructure computing
environments. The company’s products mitigate insider threats and
secure the perimeter within across the enterprise, empowering IT
governance to strengthen security, improve productivity, drive
compliance and reduce expense. More than half of the companies listed
on the Dow Jones Industrial Average rely on BeyondTrust’s PowerBroker
suite of products to secure their enterprises. Five of the top ten
commercial banks and two of America’s largest private companies have
adopted PowerBroker to secure guest operating systems and ESX
hypervisors in a virtualized environment. For more information, visit

http://www.beyondtrust.com/

About Votacall
Votacall is a leading provider of business-class
VoIP and cloud-based Unified Communications (UC) solutions. Votacall
is committed to delivering the latest best in class offerings to our
end users through constant market and product research. Our approach
allows our customer base to stay ahead of the technological curve at
the lowest Total Cost of Ownership (TCO) in the industry. The
Votacall Cloud product suite is fully managed and through the
delivery of innovative Cloud applications, we aim to enhance the
end-user experience. The Votacall tag line states our vision; you
must INNOVATE to effectively COMMUNICATE. We base our organization
and its daily operations on those two words. The world is changing,
technology is changing, organizations are changing, it is of the
utmost significance that you partner with a company that respects and
embraces change. Think Big, Go Votacall. For more information, visit

http://www.votacall.com

        Contact Information:
        Andy DeAngelis
        (781) 693-0604
        Email Contact

www.abcna.com
www.votacall.com            

SOURCE: Votacall Inc.

http://www2.marketwire.com/mw/emailprcntct?id=3061BA2C98FFB27D

http://www.abcna.com/

http://www.votacall.com/

Copyright 2012 Marketwire, Inc., All rights reserved.

Article source: http://www.marketwatch.com/story/beyondtrust-selects-the-votacall-voip-platform-for-secure-reliable-and-enhanced-communications-2012-02-20

Please check the URL for proper spelling and capitalization. If you’re having trouble locating a destination on Yahoo!, try visiting the Yahoo! homepage or look through a list of Yahoo!’s online services.

Please try Yahoo Help Central if you need more assistance.

Article source: http://finance.yahoo.com/news/cisco-resell-citrix-xendesktop-deliver-130000870.html

Although Lumension security and forensic analyst Paul Henry are calling it a “pretty sweet Valentine’s Day” for Microsoft,
given the relatively light patch load for the month, additional patches from Adobe may spoil the mood for others.

VALENTINE’S DAY PATCH TUESDAY: Microsoft to issue 9 patches, 4 critical

As previously noted, four of Microsoft’s nine security bulletins are deemed “critical.” The most important, Henry says, are the two bulletins
that have been publicly disclosed. One is susceptible to remote code execution in Windows, while the other addresses a similar vulnerability in Silverlight and the .NET Framework.

Beyond that, Henry believes the two patches deemed “important” should receive higher priority because they have also been
publicly disclosed. Both are susceptible to remote code execution in Windows, one through the Color Control Panel and the
other through Indeo Codec.

However, given the recent spike in browser-based attacks, Qualys CTO Wolfgang Kandek says the patch for four privately discovered
vulnerabilities in Internet Explorer — MS12-110 — should receive the most attention.

“We have seen how quickly attackers can react to new vulnerabilities when exploits for MS12-004 appeared within 2 weeks of
its release on attack sites,” Kandek says. “So while none of the vulnerabilities in MS12-010 were publicly known, you should
install this fix as quickly as possible.”

Although it surpassed the seven bulletins released last month, the nine patches issued today is a low for the month of February
since 2009. That’s a sign that a focus on security may be paying off for Redmond, Henry says.

However, a happy Valentine’s Day for Microsoft doesn’t necessarily mean the same for the IT department. Citing Oracle’s concurrent
release of patches for 14 Java vulnerabilities, which have been targeted particularly frequently of late, Henry says some support teams may have their hands full.

“The light patch load from Microsoft does not mean IT can sit back and relax however,” Henry says. “A significant patch update
from Oracle came out recently and, as always, threats targeting Java must be addressed, as currently it is the bad guys’ most
popular attack vector.”

Similarly, Adobe released five security bulletins today as well. Four of the patches, specifically those addressing vulnerabilities in Shockwave Player, Flash Media Player Server, Flash Player and Photoshop, were deemed critical, while another targeting vulnerabilities in Robohelp was rated important.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle. Colin’s email is cneagle@nww.com.

Read more about software in Network World’s Software section.

Article source: http://www.networkworld.com/news/2012/021412-microsoft-adobe-oracle-patches-256124.html

Microsoft Patches Out Google

Plus, February’s Security Update is here, don’t save personal info as plain text.

• By Chris Paoli
• 02/15/2012

Along with putting together this security blog every week, my duties also include writing any pertinent security news for MCPmag.com and RedmondMag.com. That includes covering Microsoft’s monthly Security Update, which I took care of Tuesday afternoon.

However, it seems like I missed one key feature in the rollout. Apparently the patch came with an update for Microsoft’s Forefront and Security Essentials antivirus software that now sees Google as a “severe” target.

Once the update has been installed, users visiting Google.com became alerted that the Web site was infected with a Blackhole Exploit Kit. I would give you more details on what this kit actually does, but I’m a little concerned that I may be left open to a Blackhole Exploit if I Google Blackhole Exploit.

What I do know about it is that a real one recently took down the U.S. Postal Service’s Rapid Information Bulletin Board System Web site.

Stories of false positives after updates are not a rare occurrence, and are usually fixed fairly quickly.

Microsoft Also Patches Out Real Vulnerabilities
Besides the bonus Google warning (MS REALLY wants you to use Bing), Microsoft’s February Security Update took care of 21 different holes across a myriad of MS software with four “critical” bulletins and five items deemed “important.”

The four high-priority items all deal with remote code execution flaws in Windows, Internet Explorer, .NET Framework and Microsoft Silverlight.

The one that stands out this month is bulletin MS12-013, which changes how the DLL calculates memory data so that attackers couldn’t gain access to your computer when you unknowingly click on a malicious media file from an e-mail or Web site.

Tyler Reguly, technical manager of security research and development at security firm nCircle, also thinks this item is worth your attention: “Everyone is likely to see this critical vulnerability and freak out,” he wrote. “However, it’s important to note that the attack vector is limited.”

While security vulnerabilities and critical patches are definitely something we should be concerned about, do they ever really garter a “freak out” response, especially when they haven’t done any damage to your system yet?

Let me know your plan of attack for this month’s Security Update. And also share with me your biggest security “freak out” moment. Send your responses to cpaoli@1105media.com.

How To Not Save Personal Information Online
The answer is in a plain text file.

Seems obvious enough. Unless you’re Microsoft.

Earlier this week it had its India online store attacked by hackers from a group named Evil Shadow Team (wasn’t that the name of the bad guys in Karate Kid II?). Not only did it gain unauthorized access to the company’s Web site, but it also made off with usernames and passwords of customers, which, as stated earlier, was completely unencrypted.

After the attack, Microsoft took the site online (which is still the case) and e-mailed users that their passwords had been automatically reset. It also confirmed that billing information, including addresses and credit card numbers, were safe.

Article source: http://mcpmag.com/Articles/2012/02/15/Microsoft-Patches-Out-Google.aspx?p=1

I like Microsoft, I appreciate and use Windows, but IE is a disaster, and has been the one thing standing in the way of progress. It started it’s life not adhering to the web standards, not adopting W3C outlines, and making the web a fragmented experience. To add to that, it has been the hacker’s focal point for the last few generations. Secure or not, it is the browser of choice for hackers, because it has the market share and is the default install (attractive to non-technical users).

The death of IE has been LONG overdue.

Article source: http://www.zdnet.com/blog/security/microsoft-warns-of-dangerous-ie-browser-vulnerabilities/10285