Archive for the ‘Vulnerabilities’ Category

Carrots and Sticks! How to improve your security culture …

Posted: November 3, 2018 by IntentionalPrivacy in Compliance, HIPAA - HITECH, Privacy, Security or Privacy Initiatives, Tips, Vulnerabilities
Tags: , ,

Originally written for Third Rock

Sticks

Just like technology controls, administrative controls work better when they are layered. Almost every organization has an administrative control “stick” in the form of policies. The purpose of policies is to explain the rules as well as the consequences if the rules are not followed.

But do the employees really understand what every policy means? Some may be too embarrassed to ask for an explanation if they do not understand a particular policy. Another issue with policies may occur if an employee does not remember what they agreed to five minutes after they handed in their signed policy understanding statement.

Carrots

This is where a security awareness program can help improve an organization’s security culture enormously. It does not have to be expensive to be effective. The program will also be more effective if security awareness training can involve employees. Here are some techniques:

  • Make security training interactive. Use only a small number of PowerPoint slides, tell relevant stories, and keep it short and engaging.

Look for ways to make security important to an employee’s personal life; for instance, show how they can better protect their families online. Employees who practice good security hygiene at home will be better at understanding and implementing security at work.

People learn different ways! The more types of senses used during the training, the better it will be remembered by the audience. Break up the training monotony with focus groups, table-top exercises, and question-and-answer sessions. Instead of having a once-a-year marathon, have sessions monthly or even quarterly. If they are held during lunch make sure you provide food.

There are several places to find resources online. StaySafeOnline.org is one example; they have tip sheets and videos for all age groups and even for businesses. The FTC also offers resources at their Stick with Security blog.

  • Encourage employees to turn in social engineering attempts. Give a small reward, such as a coffee cup, to the first employee who turns in a security issue, such as a phishing email or a social engineering phone call. Maybe your organization will want to stipulate that an employee would be eligible to win a prize once a quarter to give other employees a chance to win. Add the names of each submitter to a list for a prize drawing to be held at the end of the year or at an employee meeting. Send out emails with sample snapshots of the latest attacks, so others can avoid them.
  • Staff are human; if someone makes an honest mistake, reward them for reporting it immediately. The sooner it gets turned in, the faster the issue can be resolved. Of course, the staff person needs to understand what happened and how to avoid it in the future. Organizational controls should also be reviewed to help avoid that issue in the future. Maybe a policy needs to be changed, some staff need retraining, or maybe a technical control can be added to eliminate the issue.
  • Have a process for reporting lost or stolen devices that includes who to contact and how. Decide if the process should include automatic wiping of the device. Make sure that employees are aware of the process.
  • Have a response plan for when a security issue is reported, whether an employee, a customer, a vendor, or a volunteer is the person reporting.. Ensure that a contact is always available for found security or privacy issues.
  • Post a short list of actions for possible security and privacy issues in a prominent place like a break room or a kitchen. Also give the list to employees so they know what to do in an emergency.

Peopleyour customers, your employees, your partners—make a security program work!

New Year’s Resolution: Find Your Blind Spot!

Posted: January 1, 2018 by IntentionalPrivacy in Automobile hacking, Cell phone, Ethics, Issues, New Year's Resolutions, Privacy, Theft, Vulnerabilities
Tags: , , ,

Today is New Year’s Day, a day typically devoted to hangovers and making resolutions.

I recently saw a presentation about automotive computer forensics that made me think about New Year’s resolutions. In spite of my background in computer forensics, I had not considered that automotive computers were advanced enough to conduct forensic investigations on. I enjoyed the presentation and I seriously considered taking the class even though it would not advance my career in Texas.

But then the instructor ruined the class for me by doing two things.

The first was when the presenter—an instructor for a world-famous IT school—talked about driving his yellow muscle car at 65 MPH in a 15-MPH school zone and getting a ticket.

Does he use the ticket as an agent of change? Take his punishment? Learn to drive his car on a racetrack?

No, he was standing up there bragging about his yellow car and getting away with driving fast in a school zone. He is just like those rich-and-powerful gropers that have been lately in the news. They do it because they can and because they (at least used to) get away with it. I do not admire them and I do not admire him.

I appreciate that traffic tickets are expensive (particularly tickets in a school zone), that such a ticket would cause the recipient’s insurance rates to go through the roof, that such a driver might be required to attend traffic school, and that there might be other consequences. I understand the desire to avoid those consequences. I understand that he has a legal right to hire an attorney who will reschedule the court hearing until the police officer could not attend.

Since the police officer could not attend, the ticket was dismissed.

When he was talking about this experience, I was nodding right along with everyone else, but on the way home, I started thinking about what he said and who he is. This presenter possesses several certifications (such as a CISSP), many of which require the possessor to agree to abide by strict ethical standards. In fact, (ISC)2, the certifying body of the CISSP certification, issues just such a code of ethics. The relevant portion is listed below:

Code of Ethics Preamble:
  1. The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  2. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principles.
  • Advance and protect the profession.

Driving 50 miles above the speed limit obviously breaks several of those tenets (even though this situation was probably not what (ISC)2 had in mind). Another problem I have with his crazy driving is that this man appeared to be in his late sixties. Does he have the reflexes necessary to drive like this?

How far does a car going 65 mph travel before coming to a complete stop? According to Government-Fleet.com, “it takes the average driver from one-half to three-quarters of a second to perceive a need to hit the brakes, and another three-quarters of a second to move your (sic) foot from the gas to the brake pedal. Nacto.org states that “… if a street surface is dry, the average driver can safely decelerate an automobile or light truck with reasonably good tires at the rate of about 15 feet per second (FPS).” Let’s examine how that plays out.
Stopping65MPH
To put this in perspective, a football field is 300 feet long from goal post to goal post. A vehicle traveling 65 MPH (given average conditions) will take 396 feet to stop—more than the length of a football field!

The laws of physics apply to everyone. It does not matter how well you drive. If a six-year-old child steps in front of a vehicle traveling 65 MPH, he or she is dead. If the vehicle is traveling 15 MPH, the kid at least has a chance to learn a lesson.

The second thing he said that I had an issue with was when he was talking about how vehicle forensics is now appearing in court cases. As an example, he talked about a case in Texas where a minister regularly connected his phone to the car infotainment center over Bluetooth, which meant that things maintained on the phone such as contacts and photos are transferred to the car’s computer. He claimed that even if a picture is deleted from the phone, it stays on the vehicle computer. When the preacher took his car into the dealership for service, some of the dealership’s service people stole nude pictures of the clergyman’s wife from the car’s infotainment computer and posted them on a swingers’ site as a joke. One of the preacher’s parishioners told him about the pictures being posted. The clergyman and his wife were understandably upset about this and were suing the dealership.

Since I wanted to write an article for this blog about vehicle computer forensics and the amazing amount of information that can be obtained from an automobile’s computer systems, I looked for articles about that incident.

Except the articles I found about a Texas preacher whose wife’s nude pictures were posted on a swingers’ website had nothing whatsoever to do with the vehicle’s infotainment computer. The photos were stolen from the customer’s phone. When I realized that he had twisted the story to fit his theme, I was appalled.

What really happened: A preacher and his wife went to a Dallas Toyota dealership to buy a car. The minister had gotten a preapproval for the loan from an app on his phone. The salesman took the customer’s phone to show the manager the preapproval. While the salesman was out of sight, he found some nude pictures of the wife on the phone and emailed them to himself and the swingers’ site. Then erased the email. The couple were outraged—rightly so!—about this intrusion into their privacy and the theft of pictures of a “private moment.” They hired attorney Gloria Allred to sue Toyota, the Dallas dealership, and the car salesman. You can read more about it here.

A computer forensics professional is required to present the facts fairly and accurately. Given these two stories, would you trust this man to represent the facts fairly and accurately? Would you trust him to act ethically and honorably?

I am asking you to add these New Year’s resolutions to your list this year:

  1. Drive the speed limit. Drive as if it could be your child, your grandmother, or your dog in that crosswalk!
  2. Check the accuracy of your information before you give a presentation. Give citations, so that other people can verify your work. If I am in the audience, I will.
  3. Find your blind spot and change it to something positive.
  4. Do not allow anyone access to your phone, especially if that person is out of your sight.

Have a wonderful new year!

References

“Driver care: Know Your Stopping Distance,” http://www.government-fleet.com/content/driver-care-know-your-stopping-distance.aspx

“Vehicle Stopping Distance and Time,” https://nacto.org/docs/usdg/vehicle_stopping_distance_and_time_upenn.pdf

“Couple Sues Grapevine Car Dealership Claiming Salesman Shared Their Photos on a Swingers Site,” http://www.dallasobserver.com/news/couple-sues-grapevine-car-dealership-claiming-salesman-shared-their-photos-on-a-swingers-site-8957090

“Texas pastor claims Toyota car salesman stole his wife’s nude photos and emailed them to a swingers’ site,” http://www.dailymail.co.uk/news/article-3994292/Texas-pastor-claims-Toyota-car-salesman-stole-wife-s-nude-photos-emailed-swingers-site.html

Credit freeze vs Credit lock – which is best?

Posted: October 4, 2017 by IntentionalPrivacy in Equifax, EquiMess, Security Breach, Vulnerabilities
Tags: , , , , , ,

Equifax and the other credit bureaus are trying to convince consumers to put “credit locks” on their credit files instead of credit freezes. Credit locks are – I think – a really bad, bad idea. Why?

  1. Why would you trust anything a company tells you that did not encrypt a database with 145 MILLION records in it? Former Equifax CEO Smith testified yesterday at the House of Representatives that Equifax has a poor record of encrypting data. To read the latest about the EquiMess, click on Wired‘s “6 Fresh Horrors From the Equifax CEO’s Congressional Hearing.” Talk about dancing on the head of a pin!
  2. The credit bureaus claim a lock is “free” and simple to use through an app on your phone … the problem is that nothing is free, and again, why would anyone trust them? They’re selling your information somehow to pay for that lock.
  3. What’s the difference between a lock and a freeze? Well, nobody seems to know. While credit freezes have a cost to set up and remove (which varies from state to state), they’re regulated by state and federal law. When you sign up for a freeze, you do not have to agree to arbitrary credit bureau terms and conditions (such as giving up your right to sue or participate in class-action law suits).

More on credit freezes vs credit locks: “Myths vs. facts: Sorting out confusion surrounding Equifax breach, credit freezes.”

Equifax breach: UPDATE

Posted: September 9, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach, Vulnerabilities
Tags: , , , , , , ,

The newest large breach, potentially affecting 143 million people in the US, was announced Thursday by Equifax at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 . It also affected a small number of consumers in Great Britain and Canada. According to the Equifax PR statement, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”

There’s been at least one potential class-action suit already filed. The New York State Attorney General, Eric T. Schneiderman, has also opened an investigation.

Based on US Senator Al Franken’s Facebook post on Equifax, it might be a good idea to wait to sign up for Equifax credit monitoring until Equifax clarifies that you are not trading your rights to sue them or join a class-action suit in return for accepting their credit monitoring service. However, you should still visit the Equifax site (http://www.equifaxsecurity2017.com/) to find out if you are one of the affected parties. If your information was not affected (although I would not trust that completely), the site will continue on to give you the date when you will be allowed to sign up for credit monitoring if you should decide to do so. Make sure you note the date, because you will receive no other notice.

Since I cannot sign up for the TrustedID service yet, I have not personally read the agreements that Equifax has put in place.

Furthermore, credit monitoring usually just alerts you to an event that has already happened. It is not always accurate or even timely. Although good to know that something has happened, taking preventive action is better.

What should you do?

Act as if your information was stolen and move to block access to your credit and financial accounts. Yes, it’s painful, but far less painful, expensive, and time-consuming than dealing with identity theft. We need better oversight of credit bureaus, but in the meantime protect yourself. Your personal information is important for credit and insurance availability and costs, getting a job, and even renting an apartment or buying a home.

Brian Krebs has an article about credit freezes and credit monitoring at How I Learned to Stop Worrying and Embrace the Security Freeze. The FTC article on credit freezes is good, but Kreb’s article is more thorough and he explains about his personal experience with credit monitoring services. Here are the actions he recommends:

Update: Unfortunately, the pin that Equifax automatically assigns starts with the date you call you to start the credit freeze (i.e, 090917xxxx). The automatic pin is not random. To change it, you have to call 888-298-0045; the line is only available Monday – Friday 9 am to 5 pm (and the message doesn’t even tell you which time zone). You cannot change the pin on their website.

While Fraud Alerts are free, they have to be updated again every 90 days.

NPR.org is reporting that three Equifax executives sold small amounts of stock shortly after the breach was discovered. You can look at the SEC filings here; open the Beneficial filings to see what the stock sales were. Even though all 3 only sold a small portion of their holdings, it is still a lot of money – about $1.8 million. I find it hard to believe that the CFO was not alerted to a breach of the company. The stock price was $145.09 on July  28, 2017, before the breach (discovered on July 29, 2017); yesterday the stock closed at $123.23.

 

No security anywhere …

Posted: May 19, 2017 by IntentionalPrivacy in Conferences, Privacy, Theft, Vulnerabilities
Tags: , ,

I was at a conference yesterday. When I went to register, the computer system being used had a label with the username and password right next to the touchpad. There was a problem with my registration, so the conference sent me an email. It contained the names of three other people–unknown to me–at the conference.

Next, we went to the exhibits. The first trailer we went to was open and no one was there. On a table inside was an open, logged-in laptop and a cell phone. Who would have known if I had taken the laptop or phone, or worse, taken information from the laptop?

Pay attention to what you do. Always lock your laptop (press the Windows and L keys simultaneously) when you have to leave it with someone you trust and do not leave your belongings unattended in a vehicle, or at a conference, a restaurant, or a coffee shop.

It’s not just WannaCry: Thieves are opportunists

Posted: May 19, 2017 by IntentionalPrivacy in Financial vulnerabilities, Personal safety, Ransomeware, Vulnerabilities, WannaCry
Tags: , , , ,

WannaCry has effectively died down according to Wikipedia < https://en.wikipedia.org/wiki/WannaCry_ransomware_attack&gt;. However, if you do not WannaCry about some other malware, take some preventive actions now to make your systems less vulnerable to future attacks. If it is not easy to attack you or your computer systems, in most cases a thief will look for an easier target.

Organizations

  • Keep system and application versions up to date and patched, especially critical patches
    • If the organization still has to run computers running XP (or older operating systems), get them off the network
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to ensure files are recoverable)
  • Create network zones
  • Place public-facing web servers in DMZs
  • Restrict administrator rights
  • Change default passwords and enforce password rules on users
  • Train users in security awareness, especially how to avoid clicking harmful links
  • Take infected machines off the network and clean them up as soon as possible, so that the infection does not spread to other machines on the network

These actions alone will stop a considerable amount of malware and other attacks. They do not require expensive equipment or software, just the time to set them up. And these practices will help any organization better comply with regulatory requirements.

For instance, Microsoft came out with a critically rated security patch for Microsoft Windows SMB Server on March 14, 2017. This patch would have made Windows systems resistant to WannaCry. The WannaCry attack started on Friday, May 12, 2017, almost two months later. While I understand the need to test patches to ensure they will work in an environment, testing for a couple of weeks should be adequate, especially for critical updates.

Individual systems

Many of the same actions will keep your systems safe:

  • Keep system and application versions up to date and patched; in fact, set updates to run automatically and schedule them for  a convenient time frame
    • If you are running an older operating system such as XP, take it off the Internet
    • Uninstall applications that you no longer use from both your phones and computers
  • Keep antivirus software current and scan daily
  • Make regular, consistent backups (and test them to make sure files are recoverable)
  • Do not run with administrator rights
  • Change default passwords on routers and modems, and choose long, strong passwords for all your accounts
  • Do not click harmful links in email, on Facebook, or other websites

Prevention is the key for physical theft also.

Our neighborhood has been experiencing a recent rash of car break-ins and theft of items on porches. Many of these thefts happened when someone forgot to lock their car.

Be a little paranoid! Assume that someone is always watching you. For instance, you might not realize the dog walker walking by your house was watching you put a computer case in the trunk or that the 16 year old who lives next to you tries car doors at one am because he is bored or has a drug problem. Leaving a laptop in the car is not ever a good idea, but if you have to leave valuables in your car, put them in your trunk before you get to your destination. Lock your house and car as soon as you shut the door. Do not leave extra keys on your property or stashed on the car. Do not leave the garage door opener in the car. When you are working on that report in a coffeehouse, take your laptop, phone, keys, and wallet with you when you go to the restroom. Do not leave your purse or phone in a grocery cart when you turn around to pick out items for dinner.

Medical Records Flapping in the Breeze!

Posted: May 11, 2017 by IntentionalPrivacy in HIPAA - HITECH, Identity theft, Privacy, Private Health Information (PHI), Security Breach, Vulnerabilities
Tags: , , ,

Medical record theft is on the rise, and according to  Reuters ( http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 ), a stolen medical record is worth ten times what a stolen credit card number on the black market. The reason medical records are worth so much more, is because they are used to steal benefits and commit identity theft and tax fraud.

How easy is it to steal medical records?

This morning, I read Brian Kreb’s report on True Health Diagnostics health portal, which allowed other patients’ medical test results to be read by changing one digit on the PDF link. The company—based in Frisco, Texas—immediately took the portal down and spent the weekend fixing it. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/

While I think it is great they fixed the problem so rapidly, I am disgusted that our medical information is so often flapping in the breeze. Health professionals are notoriously lax about protecting their patients’ medical information. A security professional that I know defended medical people by saying they do not understand HIPAA/HITECH. Yes, I know they do not necessarily understand the technical details. But is ignorance an excuse? I do not think so. They have IT people to support those computers and medical professionals are supposed to attend HIPAA training on a regular basis.

For instance, upon reading the FAQs at http://www.holisticheal.com/faq-dna , I noticed that after a patient completes their tests (recommended by my doctor), this practitioner sent results in email. It is not a simple test like cholesterol; it contains information about someone’s DNA.

After I emailed them and told them I would not consider using their service because email is not secure unless encrypted and in my opinion this practice—sending medical results in unencrypted email—is contrary to HIPAA/HITECH, they changed their policy. While they now send the results for US patients on a computer disk through the mail, they still send international clients their results through email.

I have frequently caught my own medical professionals leaving their patient portals open when I am alone in the exam room or even away having tests. During one notable session, without touching the computer, I could see a list of all the patients being seen that day on the left, and the doctor’s schedule across the top (including 3 cancellations). Another medical professional texted me part of my treatment plan. (I thought we were limiting our text conversation to time, date, and location. Otherwise I never would have agreed to text. I had never even met this person!) Another provider grouped three receptionists with computers (no privacy screens) in a circle with windows on two sides. I could read two of the screens when signing in and the third when leaving and I saw them leave their screens open when they walked away from their computers so that the other receptionists can use those computers.

Granted, these incidents may not be breaches, but I think they are violations of HIPAA/HITECH and they could lead to breaches. What are the chances they are using appropriate access control, backing up their systems, encrypting their backups, thinking about third-party access? Are they vulnerable to phishing, crypto ransomware, hackers, employee malfeasance, someone’s child playing with the phone?

Yes, I get that people make mistakes. The problem is they have the ability to make mistakes! Set up fail safes. Require each employee’s phone to be physically encrypted and give them a way to send encrypted emails or texts or do not allow them to text or email patients. Make screens lock after five minutes or sooner. Give them training. Spot check what they’re doing.

I always discuss these issues when I notice them with the practice HIPAA Privacy Officer (and sometimes change medical providers if egregious). Does it help? Maybe. But it always makes me wonder what I have not seen.

Pay attention! Protecting your data helps protect everybody’s data.

Thwarting Vehicle Keyless Fob Attacks

Posted: May 2, 2017 by IntentionalPrivacy in Automobile hacking, Issues, Traveling, Vulnerabilities
Tags: , , ,

A recent article in Wired called “Radio Attack Lets Hackers Steal 24 Different Car Models” at https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/ talks about how thieves can steal some car models by attacking keyless entry fobs.

It is a very informative article, but they do not talk much about possible solutions. Want to wait around while your automobile manufacturer comes up with a solution?

Our own cars—a 2015 Honda Accord and a manual-everything 2005 Honda Civic—are not on the list of vulnerable vehicles. While the 2005 Honda, which does not have keyless entry, is not susceptible to this type of radio attack, the 2015 Honda Accord might be. Although it was not one of the vehicles listed in the article, it might not have been one of the models tested. I looked at my key fob to see if there was some easy way to shut off keyless entry. Aside from taking out the battery, none was apparent. A switch on the key fob in a location that is not easily turned on or off (maybe inside the battery case) would be a great solution to this problem. Another possible plus? It might make the battery last longer!

When I Googled “2015 Honda Accord turn off keyless entry,” there were not many new solutions. Possible solutions include:

  • Removing the key fob battery. According to a YouTube video by Honda Pro, https://www.youtube.com/watch?v=kXiyku7Ye-c, the car will not start when the key is not in the car. However, it will still start when the key fob is present even if the battery is inoperative or removed. The key fob also contains a manual key, so entry is still available.
  • Making or buying a faraday cage. There are several types of faraday cages. According to Wikipedia, a faraday cage “is an enclosure used to block electromagnetic fields.” I tried wrapping my key in aluminum foil. Standing next to the 2015 Honda with the key wrapped in aluminum foil, I could still unlock the car. However, while I did not test it, it might limit the accessible distance for the key signal.

I do not like the option of putting my keys in the freezer, which is often touted as an easy faraday cage. For one thing, the moisture and the cold could be hard on the key electronics. Replacing the key is expensive and you would still have the problem with the new key. Another problem with this solution is that it only works when you have access to a refrigerator. Probably would not work at Starbucks!

Amazon.com offers Faraday pouches for sale for as little as $9 (plus shipping). There is a DIY faraday cage Instructable at http://www.instructables.com/id/Faraday-Cage-Phone-Pouch/ if you would like to make one yourself.

If anyone has other ideas about possible solutions to a keyless entry attack, leave a comment and I will update the article.

Remember, always lock your car, do not leave extra keys in hidden places on the vehicle, and remove or hide your valuables before you leave your car. It is also a good idea to remove your garage door opener from the car, especially if you leave the door between the house and the garage open.

Data Privacy Day 2017: remember to protect your medical information!

Posted: January 28, 2017 by IntentionalPrivacy in HIPAA - HITECH, Identity theft, Privacy, Private Health Information (PHI), Vulnerabilities
Tags: , , ,

A member of my family has recently been having some medical issues, and has been making the rounds of doctors and other medical practitioners. It is bad enough when someone doesn’t feel well, but what can make it worse? A medical professional being careless with our personal health information in spite of the medical privacy laws (HIPAA and HITECH). A visiting nurse called to make an appointment for a home visit, which turned into a SMS text dialogue. A question from the nurse left me speechless, “Have you received your {INSERT PRESCRIPTION BRAND NAME HERE} yet?”

Really? She really put part of the treatment plan in an unencrypted text message?

Text messaging by a medical professional should be limited to location and time of appointment.

I informed her that in my opinion putting a prescription name in an unencrypted text message was a violation of HIPAA, especially since the patient had never met the nurse or signed any HIPAA disclosures. She said she deleted the messages from her phone and gave me the name of her supervisor. I called the woman, who wasn’t available. I left a voice mail message, saying that I was concerned because putting treatment details in an unencrypted text message was a violation of HIPAA.

Strike two: A week later, no one from the nursing service has called me back.

I called the company that ordered the nursing service, explained what happened and asked that the service be cancelled. I took the patient to the doctor’s office—much less convenient—but a better option in this case. I was concerned that the nurse might be using a personal phone that did not have encryption on it, that she might have games installed (a common source of malware), that she did not use a pass code to lock her phone or that her phone did not automatically lock, or any of 100 different bad scenarios. What further concerned me is that I did not receive a call back from the nursing company. They are supposed to have a HIPAA Privacy Officer, who should have returned my call and explained what they were doing to protect the patient’s information in the future. At the very least, the nurse should have been required to re-take HIPAA Patient Privacy training (which is mandated to occur yearly anyway by the Office of Civil Rights).

Why is this such a big deal?

When you consider that your medical record is worth more to an identity thief than your credit card, it is a very big deal. A CNBC article published on March 11,2016, “Dark Web is fertile ground for stolen medical records,” stated:

While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.

Your credit card might be worth one or two dollars at most.

Another informative article, “Is Texting in Violation of HIPAA?,” appears in The HIPAA Journal.

If you feel that your medical privacy has been violated, you can file a complaint with the Office of Civil Rights.

I’m going to call the nursing service again on Monday and ask to speak with their HIPAA Privacy Officer and try to explain my concerns.

The Bottom Line: They lost a client!

Passwords

Posted: January 29, 2016 by uszik11 in Identity theft, Password need-to-knows, Personal safety, Uncategorized, Vulnerabilities
Tags: , , ,

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

Older Entries