Archive for the ‘Identity theft’ Category

Medical record theft is on the rise, and according to  Reuters ( http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 ), a stolen medical record is worth ten times what a stolen credit card number on the black market. The reason medical records are worth so much more, is because they are used to steal benefits and commit identity theft and tax fraud.

How easy is it to steal medical records?

This morning, I read Brian Kreb’s report on True Health Diagnostics health portal, which allowed other patients’ medical test results to be read by changing one digit on the PDF link. The company—based in Frisco, Texas—immediately took the portal down and spent the weekend fixing it. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/

While I think it is great they fixed the problem so rapidly, I am disgusted that our medical information is so often flapping in the breeze. Health professionals are notoriously lax about protecting their patients’ medical information. A security professional that I know defended medical people by saying they do not understand HIPAA/HITECH. Yes, I know they do not necessarily understand the technical details. But is ignorance an excuse? I do not think so. They have IT people to support those computers and medical professionals are supposed to attend HIPAA training on a regular basis.

For instance, upon reading the FAQs at http://www.holisticheal.com/faq-dna , I noticed that after a patient completes their tests (recommended by my doctor), this practitioner sent results in email. It is not a simple test like cholesterol; it contains information about someone’s DNA.

After I emailed them and told them I would not consider using their service because email is not secure unless encrypted and in my opinion this practice—sending medical results in unencrypted email—is contrary to HIPAA/HITECH, they changed their policy. While they now send the results for US patients on a computer disk through the mail, they still send international clients their results through email.

I have frequently caught my own medical professionals leaving their patient portals open when I am alone in the exam room or even away having tests. During one notable session, without touching the computer, I could see a list of all the patients being seen that day on the left, and the doctor’s schedule across the top (including 3 cancellations). Another medical professional texted me part of my treatment plan. (I thought we were limiting our text conversation to time, date, and location. Otherwise I never would have agreed to text. I had never even met this person!) Another provider grouped three receptionists with computers (no privacy screens) in a circle with windows on two sides. I could read two of the screens when signing in and the third when leaving and I saw them leave their screens open when they walked away from their computers so that the other receptionists can use those computers.

Granted, these incidents may not be breaches, but I think they are violations of HIPAA/HITECH and they could lead to breaches. What are the chances they are using appropriate access control, backing up their systems, encrypting their backups, thinking about third-party access? Are they vulnerable to phishing, crypto ransomware, hackers, employee malfeasance, someone’s child playing with the phone?

Yes, I get that people make mistakes. The problem is they have the ability to make mistakes! Set up fail safes. Require each employee’s phone to be physically encrypted and give them a way to send encrypted emails or texts or do not allow them to text or email patients. Make screens lock after five minutes or sooner. Give them training. Spot check what they’re doing.

I always discuss these issues when I notice them with the practice HIPAA Privacy Officer (and sometimes change medical providers if egregious). Does it help? Maybe. But it always makes me wonder what I have not seen.

Pay attention! Protecting your data helps protect everybody’s data.

A member of my family has recently been having some medical issues, and has been making the rounds of doctors and other medical practitioners. It is bad enough when someone doesn’t feel well, but what can make it worse? A medical professional being careless with our personal health information in spite of the medical privacy laws (HIPAA and HITECH). A visiting nurse called to make an appointment for a home visit, which turned into a SMS text dialogue. A question from the nurse left me speechless, “Have you received your {INSERT PRESCRIPTION BRAND NAME HERE} yet?”

Really? She really put part of the treatment plan in an unencrypted text message?

Text messaging by a medical professional should be limited to location and time of appointment.

I informed her that in my opinion putting a prescription name in an unencrypted text message was a violation of HIPAA, especially since the patient had never met the nurse or signed any HIPAA disclosures. She said she deleted the messages from her phone and gave me the name of her supervisor. I called the woman, who wasn’t available. I left a voice mail message, saying that I was concerned because putting treatment details in an unencrypted text message was a violation of HIPAA.

Strike two: A week later, no one from the nursing service has called me back.

I called the company that ordered the nursing service, explained what happened and asked that the service be cancelled. I took the patient to the doctor’s office—much less convenient—but a better option in this case. I was concerned that the nurse might be using a personal phone that did not have encryption on it, that she might have games installed (a common source of malware), that she did not use a pass code to lock her phone or that her phone did not automatically lock, or any of 100 different bad scenarios. What further concerned me is that I did not receive a call back from the nursing company. They are supposed to have a HIPAA Privacy Officer, who should have returned my call and explained what they were doing to protect the patient’s information in the future. At the very least, the nurse should have been required to re-take HIPAA Patient Privacy training (which is mandated to occur yearly anyway by the Office of Civil Rights).

Why is this such a big deal?

When you consider that your medical record is worth more to an identity thief than your credit card, it is a very big deal. A CNBC article published on March 11,2016, “Dark Web is fertile ground for stolen medical records,” stated:

While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.

Your credit card might be worth one or two dollars at most.

Another informative article, “Is Texting in Violation of HIPAA?,” appears in The HIPAA Journal.

If you feel that your medical privacy has been violated, you can file a complaint with the Office of Civil Rights.

I’m going to call the nursing service again on Monday and ask to speak with their HIPAA Privacy Officer and try to explain my concerns.

The Bottom Line: They lost a client!

The number one rule for safely using a debit card: Don’t! But, if you have to use a debit card, here are some suggestions from two of Austin’s leading computer security experts.

Michael Gough and Brian Boettcher are co-creators of LOG-MD, a sophisticated analytical tool used by computer security professionals. I recently had a conversation with them about how to use credit cards and debit cards more safely.

They said: Limit debit card use to only one local grocery store chain, especially if it has gas stations and stays open 24 hours a day. That way you can get cash without using the card in an outside ATM. Of course, the risk of being robbed is also much higher at an ATM. If you always use the same grocery store, then if the number is stolen, you know where it happened.

They said: Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

(Brian Krebs, who writes the blog KrebsOnSecurity, talks about card skimmers in this series of articles. Krebs updates these articles on a regular basis and they are well worth reading. In fact, as I have mentioned before, his column is a great place to find out about security issues.)

They said: You may also be able to buy store gift cards with your debit card to use at their gas pumps without having to pay a fee to use them the way you do with MasterCard or Visa cards. And the cards may even be reloadable. The one drawback? If the card is lost or stolen, the money on it is not replaced the way it would be if you used a credit card.

They said: Do not use a debit card at a restaurant. You have no idea if the person is using a hand-held skimmer on your card. Someone may have placed a skimmer on the restaurant’s card terminal.

 (Restaurants are weak in security because the staff holds your cards out of your sight and out of your control. The authors of this blog each had fraudulent charges placed on their cards after two visits to the same restaurant in the same week. We usually take turns paying. We had different servers each night. We think that they had a little ring going.)

They said: Debit cards are less secure than credit cards because debit cards are directly hooked to a bank account or credit union account. If a debit card gets compromised, your account can be drained. It may take some time—even months—to get the money replaced in your account. And the money may not be replaced at all since it is not insured as it is with a credit card.

They said: Most banks and credit unions are helpful about getting a new debit card, but if a credit card gets compromised, usually a new card can be received in 2 or 3 days, maybe even faster if you can pick it up at your financial institution.

Here are their recommendations for safer credit-card use:

They said: Get a second card with a low limit. This card should be mainly used at less safe locations: public kiosk use (think train tickets or parking) and online shopping, as well as automatic payments. If you have to use self-service checkouts, use the second card. Avoiding self-service checkouts is the best strategy.

They said: That second card can be a handy back-up, in case your main credit card is lost or stolen.

They said: Look over your statements on a regular basis for transactions that you did not make.

They said: Patronize companies that use chip and signature (in the US) card terminals, which in most cases was supposed to be in place in the US by October 2015. Europe uses chip and pin. If a company still has not upgraded from magnetic stripe terminals, tell them why you do not want to shop there. (Or only use cash there.) Gas pump card terminals are required by major credit card brands to be updated to use chip and signature (in the US) by October 2017.

They said: Keep a list of automatic payments, and when they renew. Cancel automatic payments as soon as possible when you switch to another card.

One problem with automatic payments is that they may move to a new card even if you did not authorize it.

They said: Some cards (American Express is one example) will allow you to set a daily limit on spending. They usually alert you as soon as possible if spending goes over that limit.

They said: Replace your cards at least every two years.

They said: Put a credit freeze on your credit. The FTC explains the pros and cons of credit freezes here. There may be a small charge for freezing and unfreezing your credit file, but it is cheaper than credit monitoring, which will not tell you about a breach until after it has already happened.

Michael said: Using credit monitoring is like going to a dentist who only monitors your teeth, but does not fix any cavities found.

They said: Get a copy of your credit report from each of the three credit bureaus yearly. You can cycle them so you get one every four months.

They said: As soon as you hear about a mass data breach that could involve your accounts, call your bank or credit union and request a new card. Do not wait for a notification.

They said: Keep records of each card, the card numbers, the customer service phone numbers and addresses. (It is pretty easy these days to make blow-up copies of the fronts and backs of your cards.)

Michael Gough has worked in the IT and Information Security field for over 18 years. He has a wide variety of experience that includes positions as a security analyst for the State of Texas and the financial and health-care sectors, and security consulting with Hewlett Packard. Michael currently works in the health-care sector as a Blue Team Defender, incident responder, and malware fighter.

Michael has created or co-created several tools used in the security industry, such as LOG-MD, which is a logging tool, and the “Malware Management Framework,” which is used to discover and manage malware. In 2012, Michael discovered a type of malware called Winnti that continues to plague gaming and pharmaceutical companies.

 Brian Boettcher, co-creator of LOG-MD and co-host of Brakeing Down Security, has worked in the IT and Information Security fields for a number of years. Brian currently works as a senior security engineer and incident responder. He is a member of several security groups and presents regularly at security functions.Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

Graham Cluley released an article today called “200 MILLION YAHOO PASSWORDS BEING SOLD ON THE DARK WEB?” about various web sites that have had stolen passwords recently posted on criminal web sites (the “dark web”).

While not really news—new password breeches are revealed quite often—but it brings some questions to mind. How do you know if your passwords have been stolen? And, what do you do about them?

If you haven’t changed your important passwords recently, you could just assume they have been stolen and change them.

Or, you can look up your email address or user name at a site like LeakedSource.com. When you put in a user name or email and click Search, it will show you possible accounts and the types of information contained in their databases for free, but not the actual information contained. You have to pay to see that.

Do you actually need to see those old passwords? Probably not; what you really need is the accounts that were compromised. If you look at those accounts and you have not changed your password in a while, here’s what to do:

  1. Install some kind of password manager on each of your devices, something well known, such as KeePass 2 or LastPass. Come up with a password for the manager that you will not forget. If you forget it, the password probably cannot be recovered (99.99% chance of no recovery). Keep a copy of the master password somewhere safe—your safe deposit box or even in your wallet if you need to. (Note: this may not protect you against family members or friends who want to know your secrets.) If your wallet gets stolen, you only have 1 password to change.

You can download those applications from the following sources. Note: Only download applications from the original site:

Personally, I prefer KeePass, but LastPass is much easier to synchronize between devices because it is web-based. LastPass has had recent vulnerabilities however.

The nice thing about a password manager is that it will autotype your password (unless the username and password are on separate pages, such as some bank accounts and credit card sites use). Even in those case you can drag your username and/or password to the proper place.

  1. Change your important passwords—email, Facebook, MySpace, LinkedIn (for example)—to something at least 15 characters long. Do not reuse it anywhere! A password safe will generate a password for you and you can customize length and character types.
  1. If the site offers some kind of multi-factor authentication (MFA), take advantage of it. Yes, it is painful! But you can often set it so that your devices will remember for at least 30 days (unless you clear your cache).
  1. Do not share your passwords with anyone! Not your spouse, kids, friends, boss, coworkers, or someone claiming to be from Microsoft support.
  1. Last, change your passwords at least yearly. A good day to change them? World Password Day at https://passwordday.org/ celebrates password security on May 5 every year. They have some funny videos starring Betty White! Check them out!

Save your information and your privacy. Practice safe MFA like Betty White!

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

I had an interesting experience last week (my life seems to be full of them!). I signed up to take a class that purported to give me a better understanding of what I was looking for in a career.

The first day of class the instructor gave us the URL for an application that he had developed to collect a considerable amount of information about each of us: likes, desires, Myers-Briggs profile, and results from other assessment tests. During the class break, I asked him why the application was not using HTTPS. He said it did, but it used a referrer. I looked at the code of the web site. Hmm, not that I could see.

When I got home, I loaded up Wireshark so I could watch the interaction of the packets with the application. The application definitely did not use HTTPS. I emailed the instructor. Oh, he said, there was a mistake in the documentation, and he gave me the “real” secure URL.

Ok, so this application is sending his clients’ first and last names, email addresses, passwords, and usernames in clear text across the Internet. Not a big deal, you say?

It is a big deal, because many people use the same usernames and passwords on their accounts around the Web. Then add in their email address and their personal information is owned by anyone sniffing packets on any unsecured network they might be using, such as an unsecured wireless network in a coffee shop, an apartment building, a dorm room ….

So, next—because I now had their “secure” website URL—I checked their website against http://www.netcraft.com/, https://www.ssllabs.com/ssltest/, and some other sites—all public information. According to these tests, the application was running Apache version 2.2.22, which was released on January 31, 2012, WordPress 3.6.1 (released on September 11, 2013), as well as PHP 5.2.17 (released on January 6, 2011). It is never a good idea to run old software versions, but old WordPress versions are notoriously insecure.

Please note: I am not recommending either of these websites or their products; I merely used them as a method to find information about the application I was examining.

Not only that, but the app used SSL2 and SSL3, so the encryption technology is archaic. Qualys SSL Labs gave the app an “F” for their encryption, and that was after he gave me the HTTPS address.

(“It was harder to implement the security than we thought it would be,” he said.)

Although I did not find out the Linux version running on the web server, based on my previous findings—which I confirmed with the application owner—I would be willing to bet that the operating system was also not current.

So, then I tried creating a profile. I made up first and last names, user name, and a test email from example.net (https://www.advomatic.com/blog/what-to-use-for-test-email-addresses). I tried “test” for a password, which worked. So, the app does not test for password complexity or length.

He asked me on the second day of class if I now felt more comfortable about entering my information in his application since it was using HTTPS. I said no; I said that his application was so insecure that it was embarrassing, that it appeared to me that they had completely disregarded any considerations about securely coding an application.

He said that they never considered the necessity of securing someone’s information because they were not collecting credit card information.

I said that with the amount of data they collected, a thief could impersonate someone easily. I reminded him that some people use the same usernames and passwords for several accounts, and with that information and an email account, any hijacker was in business.

Then he said that he was depending on someone he trusted to write the code securely.

Although I believe in trust, if it were my application, I would verify any claims of security.

I told him he was lucky someone had not hacked his website to serve up malware. I said that I was not an application penetration tester, but that I could hack his website and own his database in less than 24 hours. I said the only reason it would take me that long is because I would have to read up on how to do it.

I told him I would never feel comfortable entering my information in his application because of the breach of trust between his application and his users. I said that while most people would not care even if I explained why they should care, I have to care. It is my job. If my information was stolen because I entered it in an application that I knew was insecure, I could never work in information security again.

So, what should you look for before you enter your information in an application?

  1. Does the web site use HTTPS? HTTPS stands for Hypertext Transfer Protocol Secure; what that means is that the connection between you and the server is encrypted. If you cannot tell because the HTTPS part of the address is not showing, copy the web address into Notepad or Word, and look for HTTPS at the beginning of the address.
  2. Netcraft.com –  gives some basic information about the website you’re checking. You do not need to install their toolbar, just put the website name into the box below “What’s that site running?” about midway down the right-hand side.
  3.  Qualys SSL Labs tests the encryption (often known as SSL) configuration of a web server. I do not put my information in any web site that is not at least a “C.”
  4. Another thing you should be concerned about is a site that serves up malware: Here are some sites that check for malware:

http://google.com/safebrowsing/diagnostic?site=<site name here>

http://hosts-file.net/ — be sure to read their site classifications here

http://safeweb.norton.com/

  1. Do not enter any personal information in a site when using an insecure Wi-Fi connection, such as at a coffee shop or a hotel, just in case the site doesn’t have everything secured on its pages.

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.

 

App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text https://silentcircle.com/pricing Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.

Sources
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication
http://www.bbc.co.uk/news/technology-16812064
http://www.practiceunite.com/notifications-the-3-factor-in-choosing-a-secure-texting-solution/
http://www.tomsguide.com/us/iphone-jailbreak-risks,news-18850.html

When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not be secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.