Thursday, December 16, 2010

How Viral Is That?

In my earlier post today, I blogged about the loss of memory cards at an Arizona hospital that had information on some 2,200 patients who had endoscopies. Now the California Department of Public Health reported that it lost data for more than 2,500 facility residents, department employees and other healthcare workers. How viral is that?

This past year the CDPH fined hospitals for losing patient records. It was supposed to beef up its own efforts to prevent the same thing from happening, but that hasn't happened. In this case, the information that was lost was stored on magnetic tape that was not encrypted. The data on this tape contained more information than the memory cards in the Arizona health center. Names, Social Security numbers, e-mail addresses, background and medical health information -- all you need, and then some, for identity theft.

Two things happened to compromise the safety of this data. First, the field office where the tape originated failed to encrypt the files, contrary to normal procedure. Then the office sent the tape to the central office via USPS instead of by courier. The envelope arrived, but it was unsealed and empty.

When there is a security vulnerability, it's often because a company doesn't want to spend the money on upgrades. As everyone knows, California is in dire financial straits. But this time lack of sufficient funding wasn't the culprit. It was simply a failure to follow proper procedures. All that's really required are reminders everywhere -- on posters and on every computer monitor:

MIND THE SECURITY GAP

On the Alert

Call me paranoid, but I believe that people have to be alert 24/7 about their personal data. Recently I posted a blog about how information stolen in Fort Hood, Texas about 20 soldiers led to more than 2,000 attempts to use their identities to make money. Here's a more staggering statistic: 2,284 endoscopy patients' information is missing because two data cards were lost or misplaced at the Mountain Vista Medical Center in Mesa, Arizona two months ago.

People tend to think in a linear fashion. Health care workers concentrate on their patients, as they should, but they need to be trained to think of every component in their workplace as cash to be guarded. No doubt they are careful about the equipment they use insofar as they try to avoid physical damage. But, like every worker I've dealt with in offices, they don't think too much about the IT part. If there's a problem, they just call IT to fix it. In this case, the issue is the privacy of the patients' medical information (names, dates of birth, ages and genders), not their addresses, Social Security numbers and credit card information. Still, it was enough for the medical center to notify patients of the incident and to offer them the standard patch -- one year of free credit monitoring services.

Fortunately, the hospital has revised its security procedures for storing compact memory cards and is retraining employees on procedures related to confidentiality and security. That said, there is reason to be concerned about other security vulnerabilities at the hospital. Hackers don't give up. Just yesterday, my wife was at a small credit union in Stamford and one of the top employees said, "You can't simply throw out papers anymore. You have to shred them." She went on to explain that if a hacker isn't successful right away, he or she will wait a few months to use the information he has. Time is on the side of the hackers.

Wednesday, December 8, 2010

Think Your Money Is Safe? Read This.

Loss of savings is a daily concern for many people since the economic meltdown more than two years ago. Lately, there have been more threats of loss of savings due to security vulnerabilities in the U.S. government. A new report by the Government Accountability Office states that the Federal Deposit Insurance Corporation lacks adequate encryption of "sensitive information transmitted over its network." It also found that the FDIC has "inconsistent identification and authentication user controls" and needs to beef up its internal monitoring and auditing practices. One example the GAO cited was the existence of default installation user IDs on some of its UNIX servers. Another is that the data network and the voice network both run on the same network.

I'm not a heavy duty UNIX administrator, but I know enough about UNIX. It's an open system that is widely used in servers, on workstations and in mobile devices. It's critical that companies have policies and firewalls in place to avoid unauthorized penetration of their systems.
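
The GAO finding about default installation user IDs is the kind of thing a quick account audit catches. Here is an added example, not from the GAO report or from this blog, that parses passwd- and shadow-format records and flags the account conditions an auditor would look for: vendor or default installation accounts that still have an interactive shell, extra UID 0 accounts, and interactive accounts with an empty password field. The sample records are constructed, and the list of names treated as default installation accounts is an assumption for illustration.

```python
"""Audit UNIX account records for default installation accounts and
related weaknesses. Added example; sample data is constructed."""
from dataclasses import dataclass

# Constructed sample of /etc/passwd and /etc/shadow content (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001:Oracle Installer:/opt/oracle:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/root:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$abc$hash:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
oracle::18900:0:99999:7:::
guest:$6$def$hash:18900:0:99999:7:::
alice:$6$ghi$hash:18900:0:99999:7:::
toor:$6$jkl$hash:18900:0:99999:7:::
"""

# Assumed list of account names that typically arrive with a default install
# and should not keep an interactive shell after hardening.
DEFAULT_ACCOUNTS = {"oracle", "guest", "postgres", "mysql", "tomcat"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        users[name] = (int(uid), shell)
    return users


def parse_shadow(text):
    """Return {name: password_field} from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text):
    """Return the list of Findings, ordered by account name."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, shell) in sorted(users.items()):
        interactive = shell not in NOLOGIN_SHELLS
        if name in DEFAULT_ACCOUNTS and interactive:
            findings.append(Finding(name, "default installation account with interactive shell"))
        if uid == 0 and name != "root":
            findings.append(Finding(name, "extra UID 0 account"))
        pw = hashes.get(name)
        if pw is None:
            findings.append(Finding(name, "no shadow entry"))
        elif pw == "" and interactive:
            findings.append(Finding(name, "empty password field with interactive shell"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.account}: {f.issue}")
```

On a real host you would feed the script the contents of /etc/passwd and /etc/shadow (the latter needs root) and treat every finding as a ticket: give the account a nologin shell, lock or remove it, or document why it must stay.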

It's ironic that after all these years, the FDIC increased its insurance protection in case banks went under. Now people have to worry that their savings might be lost because of inadequate data security.

Monday, December 6, 2010

Identity Theft Problem Goes Global

Some people think I go overboard in trying to protect my Social Security number. Several weeks ago I blogged about an audit in the Social Security department which uncovered issues in the process of procuring and installing software. Now West Point Professor Lt. Col. Gregory Conti, a former Army intelligence officer, has released a scathing report about the appalling carelessness in the military with regard to personal information.

Apparently, since the 1960s, military personnel have used their Social Security numbers in everyday settings. Checking out sports equipment? Your Social Security number, please. Yes, sir. Flu shot? We need your Social Security number. Yes, sir. The New York Times reported that "thousands of soldiers in Iraq even stencil the last four digits onto their laundry bags." Although the Department of Defense claimed two years ago that it would limit the use of Social Security numbers, it hasn't happened. Only last week did the Defense Department announce an end to the use of Social Security numbers on military ID cards, and that change isn't scheduled to take effect for another five months. Moreover, Col. Conti noted, "The farther you get away from the flagpole at headquarters, these policies get overturned by operational realities."

I have never served in the military or navy, but it doesn't take much imagination to think of scenarios in which identity theft is the last thing on a soldier's mind. But soldiers don't have to be in combat to be at a heightened risk for identity theft. Last June, a Staten Island D.A. indicted a gang who stole the identities of 20 soldiers in Fort Hood, Texas. The theft was traced to a former Army member who moved to New York. The gang made more than 2,500 attempts to use the soldiers' identities.

20 soldiers, 2,515 attempts in total: roughly 125 attempts per identity theft victim

It gets worse. It's not just the possible carelessness of a soldier or the bureaucracy of the military. Children as young as 10 years old whose parents are in the military carry ID cards that have Social Security numbers. As every parent knows, young children aren't always careful.

The Defense Department is trying a new campaign to make its personnel aware of the problem but, in my opinion, it's moving at a snail's pace. The biggest threat is to those who are stationed overseas. They have no control over what's going on here if someone has their Social Security numbers. If the Defense Department asked me, I would immediately issue new identity cards without Social Security numbers and have the old ones shredded and have the bags of shredded paper hauled away with a military police escort.

Call me paranoid about identity theft, but I don't want to have the burden of proof on me that I didn't authorize credit card charges. I'm proud of my credit rating and want to keep it perfect.

http://www.nytimes.com/2010/12/07/technology/07identity.html
http://smallwarsjournal.com/blog/2010/12/the-militarys-cultural-disrega/

Thursday, November 4, 2010

Audit!

It wasn't anything like an IRS audit. It was far worse. According to an evaluation late last month by none other than the Office of the Inspector General of the Social Security Administration, two Trojan horses and five keyloggers penetrated all the way onto agency workstations. That's right. Everyone's Social Security number is at risk and everyone is more vulnerable than ever to being a victim of identity theft.

These penetrations came via unauthorized installation of non-standard software, according to the report. Non-standard software doesn't mean it's bad. It just means that it was either not developed by in-house programmers or that it wasn't bought through the agency's regular acquisition process. Still, the story gets worse. Two of the workstation users knew that the software they were installing was potentially unsafe. The other five installed it unintentionally. The SSA uses Microsoft tools to inventory executable files on Windows machines used by both employees and contractors. This tool scans well over 100,000 devices every week to detect unauthorized software. The policy at the SSA permits non-standard software to be installed as long as agency security officers approve it. Some users simply believed that all they had to do was submit their request to the CIO. OK, they were wrong, but it appears that the CIO simply rubber-stamped the requests instead of issuing reminders about the standard operating procedures of the department.
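
The control described above (inventory every executable, then compare it against what security officers actually approved) is easy to get wrong when "a request was submitted" gets treated as "approved." The following is an added example, not the SSA's inventory tool or anything from the OIG report, that matches inventoried executables to approval records by content hash and distinguishes approved software from software that was merely requested and software nobody asked about. The file contents, paths and approval records are constructed for illustration.

```python
"""Compare an inventory of executables against security-officer approvals.
Added example; inventory and approval records are constructed."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "executables": path -> file bytes. A real inventory would hash
# the files found on each workstation.
INVENTORY = {
    "C:/Windows/notepad.exe": b"MZ\x90\x00 standard build",
    "C:/Program Files/Agency/timesheet.exe": b"MZ\x90\x00 agency build",
    "C:/Users/bob/Downloads/pdfhelper.exe": b"MZ\x90\x00 user download",
    "C:/Users/ann/tools/helper.exe": b"MZ\x90\x00 never requested",
}

# Approval records keyed by hash (constructed). "approved" means a security
# officer signed off; "requested" means a request went to the CIO but no
# sign-off exists.
APPROVALS = {
    sha256_hex(b"MZ\x90\x00 standard build"): "approved",
    sha256_hex(b"MZ\x90\x00 agency build"): "approved",
    sha256_hex(b"MZ\x90\x00 user download"): "requested",
}


def classify_inventory(inventory, approvals):
    """Return {path: 'approved' | 'pending' | 'unauthorized'}.

    Matching is by content hash, not by file name, so a renamed or tampered
    binary does not inherit the approval of the file it impersonates.
    """
    states = {}
    for path, content in inventory.items():
        record = approvals.get(sha256_hex(content))
        if record == "approved":
            states[path] = "approved"
        elif record == "requested":
            states[path] = "pending"
        else:
            states[path] = "unauthorized"
    return states


def needs_action(inventory, approvals):
    """Paths to remove or escalate: anything that is not fully approved."""
    states = classify_inventory(inventory, approvals)
    return sorted(path for path, state in states.items() if state != "approved")


if __name__ == "__main__":
    for path, state in classify_inventory(INVENTORY, APPROVALS).items():
        print(f"{state:12} {path}")
```

The point of keeping "pending" separate from "unauthorized" is that both still need action; a request that was never signed off is not an approval, which is exactly the confusion the report describes.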

This makes me wonder what other protocols exist at the SSA. Who writes the policies? Why aren't they being implemented correctly? Do the contract workers have Errors & Omissions Insurance? Are they using other firewalls? How often is testing done to detect vulnerabilities? Are they going to make the CIO accountable for this potential disaster?

Everyone who reads this blog knows that I am a fanatic about my personal security. I'm horrified that seniors' Social Security numbers are on their Medicare cards. Many company websites require job applicants to type in their Social Security numbers. I mentioned this to someone in my network who works in HR. She said smart applicants type in 000-00-0000. I give my EIN when I'm hired as a consultant. Unless a job offer is on the table, no prospective employer even knows my real birthday. It's just not something that I'm going to make easily available. Suppose my resume or on-line application is printed out and tossed into a waste paper basket instead of shredded? I also block my credit report so that in case my personal information gets out, along with my address and checking account number (for direct deposit), no one can apply for credit in my name. It's easy to block and unblock and the fee is far less than what it would cost me to deal with my identity being stolen.

As for my birthday, just send me presents all year long. One of these days you'll get it right!

http://www.ssa.gov/oig/ADOBEPDF/A-14-10-21082.pdf

Wednesday, October 27, 2010

Uh, Oh. And It's Election Time.

Republican, Democrat, Independent, Tea Party supporters, coffee drinkers and anyone in IT security all agree on one thing: cybersecurity is critical. That said, Andrew McLaughlin, White House Deputy CTO, said that the multi-jurisdictional, multi-stakeholder certificate-based web browsing model poses a problem that the government can't fix.

"Government can't fix it and government shouldn't fix it," he told the New America Foundation. "So this is not an area where public policy is going to be able to waltz in with a thunder set of regulations, or some kind of rule set perpetrated down through the system by an authority -- it's just not going to happen."

Uh, oh. Normally phrases that tell businesses that they don't have to worry about regulations bring out loud cheers. Not so in this case, even though he added the magic words most business leaders love to hear. "You don't want government to try to be your front line. We have a history of screwing things up."

Cybercrimes are growing and every business that has been a victim wants the government to be its front line, side line and back line. Hackers will not stop trying to break into bank accounts. They don't do it for fun. They do it for one reason only: quick money and lots of it. If the government takes a back seat, it's definitely going to screw up. There is only one justification for government: and that is to protect its citizens -- all of them. Businesses of all sizes are vulnerable. Many large corporations, including big banks, have had their data hacked into and possibly (read: probably) compromised. Ditto for a consortium of hospitals in New York City. Cybertheft has surpassed half a billion dollars, double the year before. Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology, notes that the Internet is comprised of "voluntarily interconnected networks" and one organization's lax practices can make the entire network vulnerable, even if all the other parties are up to snuff on security. Nevertheless, Mr. McLaughlin is throwing his arms up because it's difficult to detect the weak link among the players, jurisdictions, standards, hardware and physical interconnections that allow browsing.

Hey, wasn't President Obama vocal about going almost completely digital, including medical records? It's ironic that when he ran for office, his opponent, John McCain, was living in static black and white, totally computer illiterate. (At least he's now tweeting.)

Anyway, the last I checked, robbery is robbery, no matter how it's committed. You wouldn't want your local government to announce that the police department isn't going to protect you from robbers because it's not the government's job. Tell us again why the government shouldn't be the front line, Mr. McLaughlin? Maybe you should have a web chat with Mr. Schwartz.

Monday, October 18, 2010

Identity Theft Protection Week

October 17-21 is Identity Theft Protection Week. This is a problem that costs individuals and companies millions of dollars each year. Moreover, for an individual, it's hell. Many people whose homes or cars have been robbed describe it as having felt raped. Identity theft is similar, even if the victim did not come home to drawers that were left open after being rummaged through. Identity theft is like having your personal mail and diaries read. The perpetrator need only know four basic things -- your name, address, date of birth and Social Security number -- but those four things are more than you want him or her to know. That perp can drain your savings and damage your credit score.

No reputable business wants to let that happen, but it does occur because the powers that be might be so determined to keep costs down that mid-level decision-makers choose not to upgrade their security. In the medical community, it's worse. Hospitals are usually non-profit entities, but they run on thin margins even if they are, for all practical purposes, making money. Most private practices don't make huge profits because they have at least one receptionist, one nurse, one medical secretary and one billing clerk. There is no standard Electronic Medical Records system, nothing that plays the role Microsoft Office does for office software. Even though an EMR system costs only about $10-12K, many doctors are reluctant to put the money into it, especially if they are going to have to change systems in a few years.

Note to anyone who does get electronic records: When asking for medical information by e-mail, make sure it is encrypted. Standard e-mail is not encrypted in transit or at rest, so it does not meet the compliance standards for handling PHI (Protected Health Information). Chances are, those e-mails won't contain items that the identity theft perp wants, but there is no reason why anyone other than immediate family or health providers should have information about your personal health.

Thursday, October 7, 2010

Mergers and VDR

It's not uncommon for people to lose their jobs when a merger between two companies occurs. From a business standpoint, it makes sense to consolidate some jobs. But management should think long and hard before making decisions to cut staff in some areas, particularly when it comes to Virtual Data Rooms. Here are some of the issues that I see:

1) Different companies probably have different levels of security. Staff members of both IT departments should compare every level of security. For example, it's a well-known fact that banks own shares in each other, as do insurance companies. Let's say that a regional bank merges into another regional bank. The bank with the more advanced IT security may or may not be the one that swallowed the other one. If the surviving systems are the less secure ones, there could be a major problem, because a merger usually means computer systems get changed.

2) Software requires licenses. In an effort to save additional costs, the dominant company may not want to spend money upgrading security or buying additional licenses for software.

3) No one really knows what's going to happen once Obamacare takes effect. The president has talked about having all medical records go digital, but the truth is that hospital computer systems are often incompatible with each other. In addition, many doctors are reluctant to go digital because of the cost and the fact that there is no standard, like Microsoft Office for administrative office work.
Most lawyers use Microsoft Word, but there are some that still use WordPerfect. If two lawyers can't send each other documents that are readable by their systems, imagine what it would be like if two financial or insurance firms merged and their security was incompatible. It's an invitation to a security disaster.

Right now I'm doing some research on ShareVault, a leader in Virtual Data Room products. Supposedly, the company has the experience of handling billions of dollars in transactions. If anyone has experience in it, please contact me and let me know your thoughts.

Sunday, October 3, 2010

Stop, Thief!

I just came across this frightening and interesting statistic: online fraud more than doubled to $559.7 million in 2009, up from $255 million stolen in 2008.

This should come as no surprise. Online purchases are a way of life. Just try buying some ordinary things, such as tires or wedding gifts at stores. Hardly anyone keeps inventory at each store, so you have to pay for things in advance and, preferably online. Moreover, as apps have become more popular, guess what? If they're not free, you need to pay for them by credit card.

In theory, it is very easy to detect fraud and to prevent future fraud with a sound strategy. But that costs money and most companies are not willing to part with it if it doesn't bring in immediate revenues. If you are a small business owner, you may not have much budget to combat fraud through the use of intrusion detection systems, but here are things you can do:

  • Look for unusual account activity.
  • Call customers to notify them if you suspect there is a problem. Give them the option of verifying their account activity before they receive nasty surprises on their statement. It will save you a lot of angry calls later.
  • Arrange to have all revenues go into a deposit-only account. You would be surprised how readily company employees innocently give away wiring instructions, which carry bank routing numbers and your company's account number, to anyone who calls. It is easy for a thief to take money out once he or she has your company's account number.
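
"Look for unusual account activity" is easy to say and harder to do by hand once you have more than a handful of customers. Here is an added example, not from this post, of the kind of check a small merchant or a bank can run over a batch of card transactions: it flags charges far above an account's typical amount, bursts of charges in a short window, and a first-ever charge from a new country. The transaction records, the thresholds and the account names are constructed assumptions for illustration, not figures from the post.

```python
"""Flag unusual account activity in a batch of card transactions.
Added example; records and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed transaction log: (account, ISO timestamp, amount in USD, country)
TRANSACTIONS = [
    ("acct-1", "2010-10-01T09:00:00", 42.10, "US"),
    ("acct-1", "2010-10-02T12:30:00", 38.00, "US"),
    ("acct-1", "2010-10-03T18:15:00", 55.25, "US"),
    ("acct-1", "2010-10-04T03:01:00", 900.00, "RO"),   # large and from a new country
    ("acct-2", "2010-10-01T10:00:00", 20.00, "US"),
    ("acct-2", "2010-10-01T10:02:00", 20.00, "US"),
    ("acct-2", "2010-10-01T10:04:00", 20.00, "US"),
    ("acct-2", "2010-10-01T10:05:00", 20.00, "US"),    # fourth charge in five minutes
    ("acct-3", "2010-10-02T14:00:00", 120.00, "US"),
]

# Assumed thresholds; tune them to your own customers' behaviour.
AMOUNT_MULTIPLE = 5                    # flag amounts above N x the account median
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                     # flag more than this many charges per window


def flag_unusual_activity(transactions):
    """Return a list of (account, timestamp, reason) alerts.

    Reasons: 'amount_outlier', 'velocity', 'new_country'. Each account is
    judged against its own history, so a $900 charge is normal for one
    customer and an outlier for another.
    """
    by_account = defaultdict(list)
    for acct, ts, amount, country in transactions:
        by_account[acct].append((datetime.fromisoformat(ts), amount, country))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort()
        # The median is robust: one huge fraudulent charge barely moves it.
        baseline = median([amount for _, amount, _ in rows])
        seen_countries = set()
        for i, (when, amount, country) in enumerate(rows):
            if amount > AMOUNT_MULTIPLE * baseline:
                alerts.append((acct, when.isoformat(), "amount_outlier"))
            recent = [w for w, _, _ in rows[: i + 1] if when - w <= VELOCITY_WINDOW]
            if len(recent) > VELOCITY_LIMIT:
                alerts.append((acct, when.isoformat(), "velocity"))
            # Only flag a country once the account has a history to compare with.
            if seen_countries and country not in seen_countries:
                alerts.append((acct, when.isoformat(), "new_country"))
            seen_countries.add(country)
    return alerts


if __name__ == "__main__":
    for acct, when, reason in flag_unusual_activity(TRANSACTIONS):
        print(f"{acct} {when} {reason}")
```

Each alert is a reason to make the phone call the second bullet recommends, not a reason to block the card outright; the customer may simply be travelling.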

You need to take this evolving security threat seriously or everything you worked hard to achieve will vanish.

Tuesday, September 28, 2010

Virus Alert - For Real

We all get e-mails from well-meaning family members and friends: "A huge virus is going around. Don't open this or your hard drive will be destroyed."

But something really is going around. Three different people I know were affected by a virus that cracked their free e-mail accounts and then sent out e-mails to their address books with a link to a website. Social media sites, such as twitter.com, have also been affected by this virus. The link contains a virus that reads both Outlook and proprietary address books (such as that of AOL) and sends out e-mails.

How do you prevent it? Use a complex password and change it often. When you create or change your password, use upper case and lower case letters as well as numbers and punctuation, such as underscores or dots. Another good idea is to create an e-mail address on a free e-mail service and use this e-mail for all your junk e-mails. Finally, keep your spam filter on high. Somehow, e-mails from disreputable people and companies will get through, but it's one of the best measures you can take.
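
If you run a site or a mail service and want to hold users to the composition advice above rather than hope for it, the check has to be written down. The following is an added example, not code from this post or from any e-mail provider, that tests a candidate password for length, for each of the four character classes, against a small blocklist of common passwords, and for excessive repetition, and gives a rough brute-force entropy figure. The minimum length, the blocklist and the repetition rule are assumptions chosen for illustration.

```python
"""Check a candidate password against a composition policy.
Added example; the policy constants are assumptions."""
import math
import string

MIN_LENGTH = 12                                   # assumed policy minimum
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}  # assumed blocklist

# The four classes the post recommends drawing from.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punctuation": set(string.punctuation),       # includes '_' and '.'
}


def missing_classes(password):
    """Names of character classes the password does not use."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if not chars & members]


def estimated_entropy_bits(password):
    """Rough brute-force entropy: log2(alphabet size) per character, where the
    alphabet is the union of the classes actually used."""
    chars = set(password)
    alphabet = sum(len(m) for m in CLASSES.values() if chars & m)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name in missing_classes(password):
        problems.append(f"no {name} character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Assumed rule: fewer than half the characters distinct means padding, not complexity.
    if len(set(password)) < len(password) // 2:
        problems.append("too many repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "aaaaaaaaaaaA1!", "correct_Horse.7battery"):
        print(candidate, check_password(candidate), round(estimated_entropy_bits(candidate), 1))
```

The entropy estimate only measures resistance to blind brute force; a blocklist check still matters because "Password1!" is not random to an attacker, whatever its alphabet size suggests.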

Speaking of hacking, some high profile hospitals in New York City admitted that patient data was compromised. Somehow it got onto an open server. Hospital officials claim that no information was used inappropriately, but that remains to be seen. The real danger is not that someone is going to sell information about a celebrity's health problems to the National Enquirer, but that patients are at risk of identity theft. All a perpetrator needs is a name, address, Social Security number and date of birth. For a while it was available on an open server at large hospitals in one of the biggest cities in the nation. This is why they need to hire experienced security analysts and keep up to date on security software.

Imagine if there were a virus that sucked out a hospital's patient database. If that hospital were in a large city where people go for top specialized care, identity theft would be made easier and more widespread than ever. If you can, give only the last two or four digits of your Social Security number when asked for it by a doctor's office or medical institution. Don't make it easier for local amateurs to steal your identity. You don't know how safe your doctor's computer system really is.

Wednesday, September 22, 2010

Google's Breach of Trust

Google's recent internal security breach is raising questions about cloud computing. While Google claims it trusts the company's Site Reliability Engineers, the fact is that the company does not have enough control over the employees who have access to its systems. Naturally, Google is trying to contain costs, but this is one of many areas where corporate decision-makers have to choose both their priorities and their misery. The company claims it regularly upgrades its security controls and audits its logs, but it won't define regularly. Is it regularly as in daily, weekly, monthly, quarterly, annually, or regularly as in whenever there's a problem?

In my experience as a consultant between full-time employment, I can see where there are gaps. Someone accepts an assignment for three months or six months, or even two years. If the pay isn't worth his while, he is going to keep one foot on the gas pedal, ready to take off as soon as a better offer comes in. If a company relies on consultants, the hiring managers must know that there is not going to be any loyalty on the part of the contract worker. Why would there be? What Samuel Goldwyn said about a contract not being worth the paper it's printed on was a laughable remark some 70 years ago. It turns out Goldwyn was a prophet. I had a one-year contract become worthless after nine months. I wasn't singled out. At various networking meetings, I met four other victims of the same company with the same contract. And, no, we were not spying on minors or tapping into call logs. We were putting out fires.

Cloud computing isn't going away. Companies that are thinking about using it are going to have to take security measures very, very seriously. What Google's David Barksdale did was unpleasant and immoral, but it's nothing compared to what can and does happen.

For the past several years, I've worked to prevent identity thefts. In order to prevent people from hacking into bank accounts and medical records so that they can get another person's name, address and Social Security number, I've installed and tested various intrusion detection systems. Sometimes a company doesn't want to spend the money on upgrades, but here's what happens. Suddenly there's an announcement that ABC Financial Corporation or XYZ Bank is offering free credit monitoring to its customers "because its data may have been compromised." Now you know what they mean by compromised. And that credit monitoring is only free for customers, not for the corporation. Where's the savings? It's certainly not financial. And the company's reputation among its customers has also been compromised. There's no free monitoring for that.

http://www.readwriteweb.com/cloud/2010/09/googles-internal-security-brea.php

Tuesday, July 20, 2010

Redundancy is Welcome, Indeed

As a writer, my wife grits her teeth when she sees or hears redundancies. Example: 8:00 p.m. in the evening. But in IT, redundancy is welcome, indeed. Redundancy is backup that takes over instantly. Without it, a trading company can lose millions of dollars in just seconds, or viewers will miss that exciting maneuver in a football game on TV.

I designed, installed and implemented Avon's website (not the graphics) for e-commerce. Later, at Gartner, I designed the redundancy network infrastructure for e-commerce websites so that the sites can function in the event that one site is down. Almost everyone who does online banking has experienced the frustration of trying to check balances, pay bills or schedule transfers at 8:30 p.m., only to get a message that the site is down. At 3:00 a.m., it's understandable, even though many on the West Coast may still be up. Chances are, that bank has a redundancy program that is simply inadequate. The customer won't lose money because the site is down, but the bank may lose customers if it develops a reputation for failure when the end-user needs it at a reasonable time.

Here's the bottom line: build your redundancy infrastructure so that it's available when customers need it, whether it's 9:00 a.m. in the morning or 9:00 p.m. in the evening.

Tuesday, July 6, 2010

iFixes

It always amuses me to see people rush into the newest technology when it's common knowledge that there are bugs in first models. So what's with the bars on the iPhone 4? Users have been complaining of low signal strength and busy towers since the first iPhone came on the market. Last week, Apple shouted Eureka! They found the problem. It was a formula error. The company posted a statement on its website that explained "our formula, in many instances, mistakenly displays 2 more bars than it should for a given signal strength." They added, "Their big drop in bars is because their high bars were never real in the first place." Huh?

Apple will send a fix, but as far as I'm concerned, the company's explanation is a non-answer. I can just imagine if I gave such an answer as to why a security patch didn't work. "I called the company and was told that the indicators weren't real to begin with." Or "They said that there's an error in the coding." And my supervisor would take that at face value? I don't think so. I think I'd be shown the exit sign.

In Apple's case, it hasn't been officially determined whether the fix has to do with the software or the hardware. Critics claim that the problem is because of the new iPhone's external antenna. When a person's skin comes into contact with it, you know what happens. Other smartphones, including previous iPhones, have internal antennas, which have a natural buffer between the antenna and the hand that holds the phone. A possible solution is a rubberized case, but that means that show offs can't flaunt their trophy phones as easily.

I am in no rush for an iPhone, even when other carriers will be able to sell it. My wife and I have BlackBerry phones and we're pretty happy with them. The browser is hard to read, though, but for the most part, it serves our purposes.

My wife has worked on Apple computers at her newspaper and reports that while their physical structure is "seductive," they are underwhelming in their claims of what they can do, even for graphics. My advice: hold onto your current phone until the bugs are out -- and you have a choice of carriers.

Friday, April 30, 2010

What Does a Security Breach Cost?

Someone finally assigned a dollar value to a security breach that we can relate to. Not in millions or billions or gazillions, but in three figures: $204 per lost record. This is according to a recent report by the Ponemon Institute. At 66%, loss of business is the biggest cost. Customers lose trust. Then there's the cost of spin to control bad publicity.

What can companies do to minimize costs? It helps to put a chief information security officer at the helm. It also helps to keep up to date on the most advanced firewalls and penetration-testing software. There will always be someone who thinks he's a better hacker. Oh, and for those who like figures in the millions, the average cost to an organization is $3.43 million. The figure of $204 per record is for the U.S., where notification laws drive the cost up, but the sum varies among nations. Read the Ponemon Institute's "2009 Annual Study: Cost of a Data Breach"
http://www.encryptionreports.com/.

Monday, April 26, 2010

Visa's M-Bet

Visa, meet CyberSource. More than 40% of online payments are done through Visa, and e-commerce is getting old. Cell phone companies are pushing smart phones because they can increase their revenues as we become increasingly tethered not only to our cell phones, but to our computers.

CyberSource, Visa needs you. At $2 billion, this is the largest amount of money Visa has ever paid for anything. But, hey, Visa needs to compete with PayPal. As much as people complain about the fees, they know they're stuck with it if they want to buy something on eBay. M-commerce is not going away and CyberSource may even be able to serve those who refuse to embrace BlackBerry devices and iPhones.

Now it comes down to data protection. There will be a new level of penetration tests that those of us in IT security need to learn. I hope Visa doesn't skimp on this. Otherwise, it will be in the same embarrassing -- and costlier -- position as other financial institutions that decided to gamble on security. They ended up paying for "free" credit monitoring. It wasn't free for them.

Read more at:
http://www.nytimes.com/2010/04/22/business/22visa.html

Tuesday, April 13, 2010

Toast

Yesterday's article in The New York Times about concern over nuclear arms in Asia is long overdue. This is something that I have been concerned about for years. Any American company that has a data center in India could be toast. This risk is bigger than the ones many financial institutions have taken by not allocating money for better security domestically. How many times have you heard that a particular company will offer its customers free credit monitoring for a year because their data has been compromised? That's nothing compared to the potential physical meltdown of a company's data center. As an investor, I worry about that.

There are backups, but that may be too little too late in this scenario. It wasn't just jobs that were outsourced to India; it was security. It's a company's lifeline. Whatever money the company has saved by not upgrading firewalls and penetration-testing software and by hiring cheaper labor overseas and temporary workers domestically can be gone in one explosion. Not a pretty picture, and that's without even thinking about the consequences to the land and to people's health.

Thursday, April 8, 2010

iAm Not Surprised

The initial excitement over the iPad is beginning to settle down. Apple is, without a doubt, the most innovative company when it comes to visual design, applications and marketing. A few people will admit to buying Macs because of their seductive designs, but the majority justify buying the overpriced hardware because they think that Macs are flawless, never crash and never get viruses. Those are myths, something my wife, who has worked on one for years at a newspaper, can attest to. My main complaints against Apples are the pricing, which I think is exorbitant in comparison to PCs, which are equally good for graphics, and the fact that PC desktops are expandable.

But I digress. The point of this blog is to address the first issue that has come up with the much-hyped iPad. There's a problem with the WiFi connection. You would think that the company would have done better testing, but at least it can be fixed. That said, I'd be livid if I spent all that money and it didn't work. One of my pet peeves is when sales people don't know enough about a product, you buy it and then have to return it because no one mentioned that the product doesn't work with your standard software.

I am a very cautious consumer. I've always embraced new technology, but at arm's length, at least until the second generation came out to remove the bugs from the first one.

Friday, March 12, 2010

Can Software Avoid Fraud?

With the recent 2,200-page report about the accounting gimmicks at Lehman Brothers, it's worth looking at the merger of EMC and Archer Technologies. I'm not suggesting accounting fraud. On the contrary, the merger should take Archer's SmartSuite financial data security and EMC's own services from RSA Security Practice and boost standards and compliance to the next level. The Virtualization and Private Cloud Security services are supposed to assess secure virtual desktops and private clouds. A Fraud Assessment and Strategy service offers recommendations to mitigate risk. A Risk Operations Service helps companies build security centers.

It isn't easy to create a corporate entity that's in the league of companies such as Lehman Brothers, Enron, MCI WorldCom or others that fell after accounting scandals, but it is possible to nip problems in the bud. You need ethical management and auditors. But it also helps tremendously to plug security breaches. All you need is a vulnerability and one sticky-fingered employee or financial whiz who thinks he can razzle-dazzle upper management by falsifying data, and you've got a potential disaster.

A new survey by the Ponemon Institute and Guardian Analytics found that 55% of businesses admitted that they have experienced fraud in the past year, with 58% enabled by online banking. A full 80% of banks failed to catch the fraudulent transactions before the funds were transferred out. Slightly more than one quarter of these companies were not compensated for their losses. The bottom line is that cybercrooks are targeting the online bank accounts of small and medium-sized businesses, and financial institutions are not protecting their customers' assets.

While new technologies such as virtualized data centers and cloud computing are exciting and are supposed to be cost-effective, they carry additional security and risk management issues. Companies cannot wait for auditors to identify weaknesses. There must be constant automated analysis and encryption of information from multiple sources. Who can benefit from such a product? A credit card processing company such as First Data, which is testing TransArmor. It will be able to take card numbers out of merchants' point-of-sale systems just as a transaction occurs. The software encrypts the data before it goes to the credit card companies and card-issuing banks for approval. Stores won't have to worry about protecting their customers' credit card information.
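The idea behind taking card numbers out of the merchant's point-of-sale system, as an added example that is not First Data's or TransArmor's code: the terminal hands the card number (PAN) to the processor at the moment of the transaction and keeps only an opaque token plus the last four digits, so a breach of the merchant's systems yields nothing usable. The class names, the vault layout and the sample card number are assumptions made for this example; the processor-side vault would be encrypted at rest in a real deployment, and that protection is assumed rather than implemented here.

```python
"""Card tokenization at the point of sale (constructed, illustrative example).

Assumptions: ProcessorVault stands in for the processor's token vault and
MerchantPOS for a merchant terminal. Neither is a real product's API.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string. It catches mistyped numbers, not fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ProcessorVault:
    """Processor-side store mapping token -> PAN.

    Lives outside the merchant environment. Encryption of this store at
    rest is assumed and deliberately not implemented in this example.
    """
    _pan_by_token: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: nothing about the PAN can be recovered from it,
        # unlike a hash or a reversible encoding.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when forwarding the transaction to
        the card network and issuing bank for authorization."""
        return self._pan_by_token[token]


@dataclass
class MerchantPOS:
    """Merchant-side terminal: retains no PAN after the transaction."""
    vault: ProcessorVault
    receipts: list = field(default_factory=list)

    def charge(self, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)
        # The stored record carries only the token and the last four digits
        # (enough for receipts and refunds), never the full card number.
        record = {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}
        self.receipts.append(record)
        return record


def merchant_storage_has_pan(pos: MerchantPOS, pan: str) -> bool:
    """Breach check: does anything the merchant kept contain the full PAN?"""
    return any(pan in str(r) for r in pos.receipts)


if __name__ == "__main__":
    # Constructed sample card number (a well-known Luhn-valid test value).
    vault = ProcessorVault()
    pos = MerchantPOS(vault)
    rec = pos.charge("4111111111111111", 1999)
    print(rec)
    print("merchant holds PAN:", merchant_storage_has_pan(pos, "4111111111111111"))
```

Refunds and repeat charges on the merchant side work from the token alone; only the processor ever sees the PAN again, which is what lets the merchant's stored data fall outside the scope of card-data protection.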

As an investor, I look forward to the potential of other software development that makes me feel confident that when the auditors sign their standard statement in a company's annual report, the figures are indeed accurate and that my investment won't go the way of Enron.

Wednesday, March 10, 2010

Cloudy or Sunny?

There's a lot of buzz lately about cloud computing. While it sounds like a new and improved way of forecasting the weather, the people at The Weather Channel have nothing to worry about.

Cloud computing is basically anything which involves delivering hosted services over the Internet, such as IaaS (Infrastructure-as-a-Service), PaaS (not Easter eggs, but Platform-as-a-Service) and SaaS (Software-as-a-Service). Computer people like cute and catchy names, and this one comes from the cloud symbol that represents the Internet in various flow charts and diagrams.

So what does this really mean? The whole point of the Internet is to deliver services efficiently. If it's a public cloud, it sells to anyone and everyone. Amazon.com is a public cloud. There are private clouds which are proprietary, such as a hospital portal that allows access only to doctors who are affiliated with that hospital. What's really key about cloud computing are the forces that are driving it.

Microsoft is seriously looking at a new way for large corporations to buy MS Office under a new license called "Union." It would charge companies the same amount for software whether it is hosted on-site or in the cloud. SD Times reported that this new license would address various degrees of software usage. Regular and heavy users may require an on-premise server version. Light users may be able to use a version that is hosted by Microsoft. The "Union" bundle might combine Office 2010 (which is currently in the beta stage) with Office web applications and host them on SharePoint Online. It sounds, well, nebulous, but it's all about the money. Microsoft is hoping to maximize revenue without driving customers to seek inexpensive or free solutions.

More small and mid-size banks are paying considerable attention to cloud computing because it may be cost-efficient for regulation, compliance and security. Accessibility is also a driving force. Yet a survey by the think-tank The Financial Services Club reported that 37.9% of retail banking firms are not even considering cloud computing, in part because they are unsure of what it is. A survey by Wall Street & Technology found that 12 percent of executives in the capital markets are dismissing cloud computing as a marketing gimmick.

The bottom line is that until there is more evidence for effective cost-cutting and until more large companies use it, cloud computing will remain a niche for people in IT. A word to the wise: Learn!

Monday, March 8, 2010

Two, Four, Six ... Eight?

Most consumers are happy with dual-core processors. Bump up a computer to dual-quad and they're even more thrilled with the performance. But the news that Intel will soon launch six-core processors has people like me higher than a kite. The "Westmere," which sounds like a luxury real estate development, is expected to be out by the end of the month. Advanced Micro Devices is trailing slightly behind with its Phenom II X6. The Westmere is not the first six-core chip from Intel, but the Core i7-980X is targeted for dual-socket platforms and is more advanced than the six-core Extreme Edition chips, which are based on 32-nanometer process technology. Hyper-threading will, for all practical purposes, double the number of threads executed per core. Pricing? Just over a thou, and you need 12MB of memory on your computer. Some industry experts think it's overkill for most people. But then, didn't Bill Gates once say that no one will ever need more than 640MB of hard drive? Westmere, Eastmere. Phenom. Extreme. Whatever the name, they'll set new standards.

Saturday, March 6, 2010

How Fast Do You Need It?

Fast wireless is usually talked about in conjunction with sending photos, videos and music from cell phones. But what about wireless networks in hospital IT infrastructure?

Across the country, hospitals -- despite financial scares -- have been piloting or deploying wireless VoIP handsets, PDAs, phones and even badges to improve communication. The problem is that the more wireless devices there are, the more chances of dropped calls and choppy sound, something that iPhone users have been experiencing because of the phone's popularity.

The newest standard in wireless is the 802.11n. Its proponents claim it has real world throughput that's about seven times faster (at 160 Mbps) than the older 802.11g networks, and even at 300 feet and 70 Mbps, it's 70 times faster.

The reason for this fast speed is multiple input/multiple output (MIMO), which requires multiple antennas to send and receive data in simultaneous radio streams.

This is all in theory. In reality, the 802.11n network sometimes operates at just 130Mbps or below. In order for the network to run at full force, you need Wireless N routers and network adapters linked and running in a channel bonding mode, which uses two adjacent WiFi channels simultaneously.

Nothing is perfect. With channel bonding, there is a risk of interference with nearby WiFi networks. By running in traditional single-channel mode, the risk is kept low. The network needs to include only 802.11n users, not b or g, or the entire network's performance may suffer, depending on the router. The bottom line is that technology is always changing. The issue is what to prioritize.

Tuesday, March 2, 2010

Faster, smaller, better

Can't wait to get the feedback on the new Atom N470 processor that Intel will release this week. It's supposed to bump up the performance on netbooks slightly to 1.83GHz. Every nanosecond counts today.

The real question is why it is next to impossible to find a netbook with more than 1G of memory. When they first came out, it was easier to find 2G. Windows needs 1G to run. For some, the netbook could be more than just a box with e-mail and Internet capability. My wife used to work in the investment business when Psion (remember them?) had spreadsheet capability. A netbook with enough power to run MS Office is perfect for business travelers who need spreadsheets, Word and PowerPoint because it gives them almost everything they need yet is lighter than most laptops. At least the Atom N470 processor is more power-efficient and will allow improved system and graphics performance.

Friday, February 26, 2010

The Future of UNIX Servers Announced

I am not a super-duper UNIX admin, but I do have expertise in the entire spectrum of network administration tasks in the UNIX, Linux and Solaris environments. When I read that IBM will introduce the next generation of Power Systems, I got excited. This is to be the first family of systems and storage that offers virtualization capabilities all the way through to the operating system and middleware. This is supposed to be groundbreaking in supporting complex workloads with technology that stays flexible as business needs evolve.

If anyone knows more about this, please contact me at kenjcohen@gmail.com. I always like to keep abreast of new technology.

Wednesday, February 24, 2010

Oops! Someone Forgot About Security!

It's mind boggling that after years of hearing and reading about identity theft, it's all too easy to let it happen. I have several friends and many, many acquaintances who are in transition -- that is, unemployed and looking for work. Most of them are in IT. Gone are the days when you sent a cover letter and resume by snail mail. Today you go online. Sites such as www.dice.com send you daily job leads. Some of those direct you to recruiters; others direct you to the web sites of large organizations such as Citibank. Recruiters are efficient because they just want the resume so they can forward it to hiring managers. Corporations and other large organizations such as hospitals have long, complicated online forms which require you to reinvent the wheel each time.

That's bad enough, but I was surprised to learn that some of these web sites require the job applicant to enter his entire Social Security number and date of birth. Unless someone works in network security in that organization, there is no way to gauge its vulnerability to intrusion.

As I mentioned in an earlier post, The Great Pretenders, all you need to steal someone's identity is the name, Social Security number, date of birth and current address. All of the above are on those online job applications, which go to Human Resources. If the organization is also a health care provider and the security is outdated and/or weak, there is more opportunity for identity theft from hacking into medical records. Oops! Someone forgot about security or the powers that be did not want to spend the money on upgrades.

Part of the problem is that these online applications were written and authorized by individuals who were trying to make things easy for themselves. It's understandable, but they really need to talk to the network security people in IT. There are ways to prevent identity theft, but once it happens, it's a nightmare for the victim. A quick fix by the company is all that's needed: remove the part that requires the Social Security number. It's that simple.

Friday, February 19, 2010

Where Are We With EMRs?

One of the goals of the Obama administration is to put all medical records in a digital format. It's a noble goal, but one that has a long way to go.

For starters, many doctors are reluctant to spend upwards of $10,000 to go from paper to digital. They have huge overheads (malpractice insurance premiums, facility rental costs, equipment costs, disposal costs and labor -- nurses, receptionists, secretaries and billing clerks). The last thing they want to do is add to that, especially since they are unclear about the advantages. And the dirty little secret is that many doctors are not that computer-literate.

The other problem is that there is no standard yet for medical records. The point of electronic medical records (EMRs) is to become more efficient. A specialist should be able to e-mail a patient's records to the GP. A doctor should have access to the patient's records, even if the patient had been admitted to an out-of-state hospital, say, with a heart attack. If the patient were at a VA hospital, that's doable, from Maine to Hawaii. If the patient was taken to a regular hospital, good luck.

My son's pediatrician not only relies on EMRs, but encourages patients to take advantage of access. There's an annual tech fee of $25.00, but it's worth every penny. If we visit relatives in Florida and we need to double check on the dosage of Children's Tylenol that he recommends, we can access it from any computer or smart phone with a good browser.

If we are to make visible progress with EMRs, we need a consortium of government, insurance and tech firms to come up with standards for software that is both user-friendly and flexible. Standards change. Twenty-some-odd years ago, Lotus ruled the world of spreadsheets. It interfaced with Quicken and other software. Excel was able to capture the market not just because it is easier to use, but because people could easily convert. That's the direction we need to take with EMRs.