Tag Archives: encryption

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites. Continue reading Online Privacy in Australia Takes a Major Hit. Who’s Next?

Over 2 Million Customers Affected by T-Mobile Data Breach

T-Mobile is warning customers of a data breach that occurred in late August 2018. The company reported to Motherboard that hackers stole the personal data of over 2 million people during the incident.

T-Mobile’s Response

T-Mobile released an official statement saying it quickly shut down a cyberattack on their database, but the incident may have exposed the personal data of 2.3 million of its 77 million customers, or slightly less than 3% of customers.

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you. None of your financial data – including credit card information – or Social Security numbers were involved, and no passwords were compromised.” Continue reading Over 2 Million Customers Affected by T-Mobile Data Breach

SamSam Ransomware: A Continued and Growing Cyber Threat

The SamSam ransomware has affected far more victims than initially thought – raising nearly $6 million and counting in ransom demands. According to Sophos’ research of the SamSam ransomware, it’s estimated that roughly 233 victims have paid a ransom to the attackers so far.

Sophos Report

Sophos has uncovered new details about the SamSam ransomware, focusing on how it works and how it’s evolving. Most ransomware is spread out in large, untargeted spam campaigns sent to thousands of people. These attacks use simple techniques to infect victims, raising money through large numbers of relatively small ransom requests. SamSam, on the other hand, is used in specific, targeted attacks.

SamSam attackers break into a specific victim’s network and then run the malware manually. These attacks are tailored to cause maximum damage, with ransom demands in the tens of thousands of dollars – the largest individual victim so far shelled out $64,000.

Although initially thought to specifically target healthcare, government and education sectors, the Sophos report indicates that the private sector has been equally attacked. However, victims in the private sector have been more reluctant to come forward. Continue reading SamSam Ransomware: A Continued and Growing Cyber Threat

Encryption: Combating the Growing Threat of Data Breaches

Data breaches happen all the time, simply look to the headlines and you’ll find multiple examples of corporations struggling to protect their data. From Target and Equifax to Anthem – all these organizations have fallen victim to some form of data breach usually affecting customer data. Yes, many (most) of us have received a breach notification letter or, at the very least, know someone who has.

Every state in the U.S. now has a data breach notification law. This trend is a signal to organizations conducting business in the U.S. that they should start taking the necessary actions to protect the personal identifying information (PII) of their customers, clients and employees.

Encryption

One of the best ways to protect PII is through encryption; an algorithmic process which transforms readable data into unreadable data and that requires a confidential process/key to make the data readable again. An encryption key is a string of bits used to scramble and unscramble data, essentially unlocking the information and turning it back to readable data.  Continue reading Encryption: Combating the Growing Threat of Data Breaches

OCR Penalty: Unencrypted Laptops Result in Steep Fines for Small Breaches

The Office for Civil Rights (OCR) sent a strong message to the healthcare community with their third civil monetary penalty totaling $3.2 million.

Children’s Medical Center of Dallas – part of the seventh-largest pediatric health care provider in the nation – was on the wrong end of two data breaches caused by a lack of encryption. The hefty fine stems from the OCR’s investigation uncovering longstanding failures to comply with HIPAA’s rules.

Data Breaches

Children’s first filed a breach report with OCR in January 2010. An employee lost an unencrypted, non-password protected BlackBerry device at the Dallas airport in November 2009. The device contained the electronic protected health information (ePHI) of 3,800 individuals.

Children’s filed a separate breach report with OCR in July 2013. This time it was due to the theft of an unencrypted laptop from the premises in April 2013. The device contained ePHI of about 2,500 individuals.

In this case, it was determined several physical safeguards were in place to protect the laptop storage area – i.e. badge access and a security camera at one entrance. However, access to the area was given to members of the workforce who weren’t authorized to access ePHI.

HIPAA Violations

The OCR levied the civil monetary penalty, rather than coming to terms on a settlement, due to widespread failures related to HIPAA compliance. Specifically, OCR noted two crucial HIPAA failures:

  • Failure to implement risk management plans, contrary to external recommendations
  • Failure to deploy encryption or equivalent alternative measures of safeguard on laptops, work stations, mobile devices, and removable media until 2013

The key issue leading to the penalty was the medical provider’s failure to fix known problems for an extended period of time. Children’s had an independent firm conduct a gap analysis in 2006 and again in 2007, highlighting the risks to unencrypted ePHI by March 2007 at the latest. A separate analysis was performed in 2008 to address threats and vulnerabilities of certain ePHI.

Children’s was aware of the potential risks posed by their unencrypted devices, and failed to act until 2013.

Acting OCR Director Robinsue Frohboese noted, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Key Takeaway

OCR hasn’t slowed down in their HIPAA enforcement so far in 2017. But this case is unique for a few reasons: The total number of affected individuals was less than 6,000, but the case involved multiple breaches of unencrypted devices, and focused on Children’s failure to mitigate known security issues.

OCR demonstrates once again they aren’t afraid of heavy fines for widespread non-compliance in safeguarding ePHI. Healthcare organizations can take this enforcement as a warning: Fix the problems you’ve identified! When your risk assessments identify gaps and vulnerabilities, address and prioritize those areas during risk mitigation efforts.

PCI Council Releases ‘Best Practices for Securing E-Commerce’

Is your organization accepting credit card transactions online? Are those transactions secure according to the Payment Card Industry’s (PCI) Data Security Standards? 66% of consumers warn they won’t purchase from an organization after they’ve had a breach of payment card information.

The PCI’s Security Standards Council released a guidance document to help educate merchants on securely accepting payment cards online. The updated guidance, Best Practices for Securing E-commerce, comes at a time when online payments are a top target for cyber criminals.

E-commerce is a growing security concern for merchants. Online sales growth is rapidly increasing, and the EMV chip migration in the U.S. is causing fewer in person card transactions. Cyber criminals recognize these trends and have turned their attention to e-commerce to commit payment card fraud.

Best Practices for Securing E-commerce

A large portion of the guidance is dedicated to the topic of SSL and TLS. There’s still confusion regarding these encryption solutions and properly selecting a certificate authority.

The PCI Council announced in December 2015 that all merchants accepting payment cards are required to adopt TLS 1.1 encryption or higher by June 2018. Google added to the urgency by warning users of their Chrome browser when they visit a website without HTTPS.

Key encryption topics discussed in the guidance include:

  • Guidance on selecting a certificate authority
  • Descriptions of different certificate types
  • Questions to ask service providers regarding certificates and encryption

Key Takeaway

The PCI Council is taking a proactive approach to the encryption issue with SSL and TLS. The implementation deadline is still a year away, but merchants that aren’t compliant can use this guidance to help securely accept online payments.

What do NFL Players and Prison Inmates Have in Common?

 

An American football player with ball and paddingCartoon prisoner in jail behind the bars in striped uniform and robber in mask with sack for crime and punishment concept design

Answer: Both recently had their personal information compromised in incidents involving lost laptops that were… (surprise!) unencrypted.

NFL Incident

Every year teams in the National Football League send scouts and trainers to the NFL Combine – an event where college players try out for NFL teams. This year at the Combine, an athletic trainer for the Washington Redskins found his car broken into and his backpack stolen.

The backpack had the trainer’s laptop and paper documents. The laptop was password protected, but unencrypted. But here’s the kicker: the laptop had copies of medical exam results for players at the NFL Combine from 2004 to the present.

The NFL was quick to respond and work with the team and Player’s Association to assess the scope of the incident. They’re currently taking steps to notify anyone whose information is at risk. So far, there’s no evidence of the thief accessing the information on the laptop.

The team said no Social Security numbers, protected health information under HIPAA, or financial information was stolen or at risk.

The NFL has called on all teams to address the following concerns:

  • Review internal policies and procedures related to data protection,
  • Train employees on those policies and procedures if their job calls for access to medical information, and
  • Encrypt devices that store and transmit medical information.

It’s interesting to note that this incident falls outside the scope of HIPAA regulations. The football team doesn’t qualify as a covered entity or business associate under HIPAA. However, state laws may still apply requiring encryption of sensitive information, and the league could still face lawsuits.

Prisoner Incident

Another lost laptop incident managed to make it onto the Wall of Shame podium as the third largest healthcare breach so far in 2016. The California Department of Corrections and Rehabilitation had a laptop that was supposed to be issued to a new employee, but a thief got to it first.

The specific information on the laptop hasn’t been confirmed yet. But the laptop was unencrypted and potentially contained information relating to 400,000 inmates. That’s the total number of inmates who received healthcare services from the agency from 1996 to 2014. It’s possible the information could include names, addresses, Social Security numbers, and medical record information.

The agency is responding with the following steps:

  • Corrective discipline,
  • Information security training,
  • Procedural changes, and
  • Technology controls and safeguards.

The interesting note in this case is that notification might not be that easy for the agency. It’s highly likely the contact information on file for inmates and/or their addresses have changed. The agency says they’re trying to overcome these obstacles by posting notification to their website and using the media as a source of notification.

Key Takeaways

Encrypting portable devices – especially laptops – has become a no-brainer. We’ve read the “Lost Laptop” story too many times.

Since HIPAA’s breach notification rule came into effect six years ago, more than 60% of the large healthcare breaches were caused by an employee losing an unencrypted device with protected health information. And these stories are proof that the onus isn’t only on healthcare organizations.

Several state laws and federal regulations require organizations to use encryption to protect sensitive data. If you’re storing or transmitting sensitive information – e.g. medical or health information – use encryption and train employees to safeguard devices storing sensitive information.

For more news about cyber attacks in the NFL, check out the latest Roger Goodell scandal.

Free Encryption for All WordPress Sites

A bit of good news in the security world for a change. Owners of sites hosted on WordPress.com will get HTTPS protections without the hassle of paying for an SSL certificate of managing it. And the cherry on top… the changes will be automatic.

WordPress points out they have “supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.”

If you’re a WordPress.com site owner, keep a look out for this new feature. A green lock icon will begin to appear in the browser’s address bar (the URL will read “https://” instead of “http://”). The SSL certificates are provided by Let’s Encrypt.

Free encryption, increased security for web traffic, no certificate management, higher rankings on Google… all good news for site owners!

Are We Opening Pandora’s iPhone?

One of the more interesting debates in the privacy and security community these days ispandoras iphone the ongoing battle between Apple and the FBI. The big question being asked is, are we opening Pandora’s iPhone by asking Tim Cook and Apple to open the backdoor to the iPhone?

The media has reported on this endlessly over the past month, and it was the hottest topic during the highly touted RSA Conference. But there are conflicting views on what the so-called battle is actually about. So without taking sides, let’s run a play-by-play of what’s happened so far.

Court Order

The part that everyone knows – the FBI is looking to gain access to the phone of Syed Farook, one of the San Bernardino shooters.

Judge Sheri Pym of the Federal District Court in Central California issued a court order asking Apple to modify the iOS of Farook’s iPhone, creating a “backdoor” for the FBI. Typically on iPhones, after 10 wrong guesses for the passcode, the phone will wipe the symmetric encryption key. This is the key between the storage and the CPU that gives access to the contents of the phone.

The court ordered Apple to assist the FBI by disabling the 10 wrong guesses lockout. Again, this is part of the software and can theoretically be changed. There is still an 80 millisecond hardware-enforced delay to slow down brute force attacks. Additionally, they are seeking an electronic method of inputting the passcode guesses. This would basically allow them to brute force their way into the phone, instead of having some intern sit there and guess (e.g. 0000, 0001, 0002, and so on).

In laymen’s terms, the FBI wants to just hook Farook’s phone up to a brute force generator at 80 milliseconds per guess without the downside of potentially having the phone wiped if they guess wrong 10 times.

iPhone Technology

Of course, we all know Apple’s response – “No!” Apple has stated that they will do everything they can to fight this.

Now that we have looked at what the FBI wants and what the court order says, let’s clear up the confusion on what the current technology of the iPhone says. People are using loosely defined terms. “Backdoor” has become kind of a catchall phrase when talking about access to encrypted devices.

An iPhone periodically checks for updates. The iPhone sends it’s unique device ID and a randomly generated nonce (one-time code) to Apple. If Apple has an update to send to the iPhone it will accept the device ID along with the nonce and bundle those with the update package. Apple then signs it with their super-secret private key and pushes that back to the phone. The phone verifies the signature is correct and that the device ID and nonce both match.

So, why does all of this matter? Well, this means that every single update is customized. And Apple does this for a reason. Apple wants to prevent an older version of iOS from being cross installed and allowing a downgrade attack. This would allow an attacker to recreate old flaws in the iOS that are widely known to exist in earlier versions, but are now fixed in current versions.

Apple has accepted the burden of not being able to mass distribute any of their iOS updates.

What Does This Mean?

So the fundamental question in the original Apple vs. FBI debate… Can Apple respond uniquely to this singular request and provide the FBI, either in their facility or remotely, with a piece of software that answers the court’s demands and is not reusable ever again, not even on the same iPhone?

The answer is yes. They can do just that. That’s currently the way the technology works: it’s sound. It gives Apple the ability to open this single phone.

Apple’s Response

Apple has filed a formal response to the FBI request. One section beautifully states their position on the matter. Again in laymen’s terms:

Apple recognizes the struggle between the needs of law enforcement and the privacy interests of the public. They think the FBI has taken the wrong direction by bringing the matter into a public forum. Apple acknowledges the FBI’s request to make a brute force attack easier and calls the solution a backdoor to the iPhone. A backdoor would mean that criminals and foreign agents would have a way to access other iPhones.

Apple takes opposition to the government stance that this is a one-time-deal and points to many other cases looking for phones to be unlocked. Further, Apple says this is just the beginning and floodgates would open. They point to the government potentially overstepping other privacy boundaries as well by turning on the microphone or activating the video camera on iPhones.

Where We Stand Now

The reality is that the iPhone in question probably doesn’t have any valuable information. It was Farook’s business phone that his employer, the county, provided him. He destroyed his personal phone; that’s gone. And the iPhone the FBI wants to access wasn’t backed up in the 6 weeks prior to the incident.

The FBI actually went against Apple’s recommendation and requested that the county reset the iCloud password. Without a reset iCloud password, the phone would have backed up to iCloud on a trusted Wi-Fi network when plugged in.

Given what the court order is asking and what Apple’s technology is capable of, this one request sounds doable at face value. But the larger battle is really over the precedent this case creates.

Other law enforcement agencies are lined up, eagerly waiting for an FBI victory, so they can access other Apple devices in their investigations. Then, the question presents itself about foreign governments requesting access as well. Apple sells iPhones in China, and must adhere to Chinese law. What happens if the Chinese government sees what’s happening and sends a truck load of phones to Cupertino, California for Apple to unlock?

The FBI picked the perfect case to fight. When the government throws the word ‘terrorism’ around, it packs a punch like the right arm of Mike Tyson. However, Apple is working diligently to make sure that future versions of iOS don’t run into this problem.

Apple’s position is that a backdoor in future encryption technologies would cripple U.S. businesses like Apple and Google and compromise the privacy protections and security of consumers. The people who really want full encryption solutions will still be able to get it. There are hundreds of encryption solutions outside of the U.S., and they are free. Bad guys with something to hide will still use full encryption.

And that is Apple’s point and why they are fighting. We need to buckle up because this will be an up and down rollercoaster until the very end… which may be in the Supreme Court.

It’s 10 O’clock. Do You Know Where Your Hard Drives Are?

Centene Corp. – a health insurer that provides plans for government-sponsored programs including Medicaid – is reporting that six unencrypted hard drives containing protected health information for 950,000 individuals have gone missing.

The incident is the result of an employee not properly following the established procedures on storing IT hardware. There is currently no evidence that the information on the missing hard drives has been inappropriately accessed.

This incident highlights the challenges of tracking IT inventory, especially in larger organizations. Questions remain on the best practices for protecting various types of storage media.

Many organizations realize the need for encryption on laptops or other mobile devices that contain sensitive information. But most of the time, organizations are not encrypting their hard drives that never leave a certain physical location. Not surprisingly, one of the top causes of a data breach is a lost or stolen laptop that was unencrypted.

There are obligations in the HIPAA Security Rule for maintaining an accurate inventory and flow of protected health information within the organization. However, this is a difficult task as the inventory of where data is stored is constantly changing.

Key Takeaways

Data inventories are designed to identify which devices store the most sensitive information and help prioritize which safeguards to implement. They also reveal which devices are subject to the greatest risk of theft or loss.

Maintaining an accurate inventory for a large organization can be a tedious task and lead to security incidents like the one mentioned above. Amidst the costs involved, rather than spend the effort keeping the data inventory constantly up-to-date, organizations should consider encrypting all media that contains sensitive or protected health information.