Tenable Blog

When many people think about data breaches and personal information, they tend to think about the loss of credit card information or Social Security numbers rather than medical information. However, over 220 data loss incidents recorded by the DataLossDB involved medical information over the last several years and there are certain to be countless other incidents that were either not publicly reported or have not yet been cataloged in the database. To this end, the HITECH Act will also establish a new breach notice requirement that will go into effect in September of 2010:

Sec. 13402. Notification In The Case Of Breach.
(a) In General.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

It should be noted that many states do not include medical information in their data breach notification laws, but since the HITECH Act is federal legislation, all health care entities and their business partners are required to disclose a breach if it can be treated as “discovered”. Notification may include not only individual notices to those people affected, but also possibly notice to “prominent media outlets” and, where applicable, the Department of Health and Human Services.

ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest,
that scored the homemade launchers in several different categories.

This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:

Welcome to the Tenable Network Security Podcast - Episode 22

Announcements

• A new blog post has been released titled "HNAP Protocol Vulnerabilities - Pushing The "Easy" Button" that covers how this protocol can be used to collect information from devices on the network. Marcus Ranum also published a series of his now infamous Afterbytes posts, where he discusses everything from data leakage to Russian stealth fighters.
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Moscow, Russia (CNN) -- Russia tested its fifth-generation Sukhoi fighter jet in the Russian Far East on Friday. The plane, provisionally called T-50, is the country's first fighter jet based on the stealth technology and is viewed by military experts as the Russian answer to the American F-35 and F-22 jets.

References: Russia tests its first stealth fighter jet

Recently, I had the chance to be interviewed for two different podcasts. 

In Risky Business #138, I had the opportunity to chat with show host Patrick Gray about the recent Google hack, why they may have been using IE6 and what this means for information security in general. This episode also features an interview with Dan Geer on the future of computing which I highly recommend.