AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

  • 47.5 GB of PHI Left Exposed on the Cloud. (That's 316,000 PDFs)

    According to gizmodo.com, security researchers at Kromtech Security Center found a wide-open Amazon Web Services (AWS) bucket that contained over 300,000 PDFs, each one a medical file that would fall under the governance of the Health Insurance Portability and Accountability Act (or HIPAA which, arguably, finally jumpstarted the drive towards encrypting sensitive digital files thanks to generous fines levied on hospitals and other legally-covered entities that screwed up their data security).
    There have been (too) many similar cases over the years, although we're beginning to see a transition of sorts: while the past showed incorrectly configured servers at the center of an "accidental" data breach (that is, the blame didn't lie on hackers but on what a company's IT staff decided to do…or not do), today's incidents increasingly tend to involve incorrectly configured cloud services, be it AWS, Microsoft's Azure, Dropbox, or others.
    Technically, they're the same problem – misconfigured settings on boxes connected to the internet – but the former was more complex than what one deals with today: nowadays, you click on a checkbox in a webform, hit the save button, and companies like Amazon take care of the rest.
    (Although, if one were to play Devil's Advocate, it should be pointed out that AWS does support programmatic read-write permissions which are similar, but nowhere close, to server configurations of yore).  

    Quick Remediation

    When Kromtech alerted the healthcare company of the error, the situation was corrected the very same day. However, they appear to have remained incommunicado to subsequent reach-outs by the security company. Not necessarily the height of gratitude but, hey, it doesn't look like they're ignorantly suing Kromtech "for hacking" them, so that's a plus. The downside: the PDFs contained,
    In addition to names, addresses, and other contact information, many of the records contained dates of birth, diagnoses, as well as the names of physicians overseeing care of the patients…
    No SSNs or credit card details. However, with information like the above, obtaining such data is literally a phone call away. In a world where millions get scammed for computer tech support they don't need, how hard would it be to socially engineer sensitive data by posing as hospital staff that know real details about someone's recent medical history?
    The answer is "not very hard."  

    Prevention

    One easy way to lower the odds of suffering similar data breaches is to use file encryption prior to uploading digital documents to the cloud. This was the case when people set up their own internet-facing databases in the past and still is the case with cloud services. Granted, AWS's security options are more than adequate, at least when it comes to conforming to data security requirements and regulations across the US.
    But that's within the confines of the cloud service (and assuming one doesn't screw it up by unchecking the wrong box). If the internet is used as a cloud-based document repository, then those files will descend from the cloud at some point (which seems pretty likely for PDFs). Will they be downloaded to a laptop or a desktop? Backed up to tape? Copied over to a USB drive? Emailed as an attachment?
    In each case, encrypting a file is basically the only way to secure the data. And if the files are going to be uploaded to and downloaded from the cloud anyway, why not encrypt them before doing anything at all? The risk of something going awry may be small, but the expected ramifications are huge if or when something does go wrong.
     
    Related Articles and Sites:
    https://gizmodo.com/data-breach-exposed-medical-records-including-blood-te-1819322884
     
  • Equifax Data Breach Continues To Bear Poisoned Fruit

    About two weeks ago, when Equifax first revealed their massive data breach, it was noted by many that the company didn't appear to be prepared or equipped to deal with the demands of whatever contingency plans they had prepared for the day they would be hacked. That was on the first day after Equifax had gone public.
    In the two weeks since, those observations have proven to be more than prescient. Because so much has happened, I present you a list. As of September 19, 2017, the following are true:
    • The price of Equifax's stock has plunged 35% in response to the data breach and all the other news following it.
    • A couple of Equifax honchos "retired" after the breach was made public, including the Chief Security Officer (CSO).
    • It turns out that Equifax's CSO has a bachelor's and master's degree in music.
      • It should be noted, however, that she has worked in security-related positions at other big companies.
      • Plus, plenty of programmers (security or otherwise) are music majors, philosophy majors, art majors… you get the idea. (On the other hand, this is apparently not the case for the ex-CSO, as far as one can tell).
    • More than 30 lawsuits have been filed.
    • The Federal Trade Commission announced an investigation into the data breach.
    • The US DOJ started criminal investigations to see if the three executives who recently sold nearly $2 million in stock violated federal law.
    • Security researchers found that Equifax's Argentinian branch had an employee portal that used "admin" and "admin" for the username and password.
    • Equifax initially blamed a vulnerability in Apache software for the hack. The latter immediately issued a press release pointing out that a security patch had been available since March.
    • Speaking of March, it turns out that there was an initial data breach at Equifax that occurred in that same month.
      • While currently being treated separately, it could possibly be the initial ingress into Equifax, well before the July data breach that was initially proclaimed.
    • Equifax revealed that up to 400,000 in England had been affected by the breach.
      • As well as 10,000 in Canada.
      • And let's not forget the 143 million in the USA.
    • The site Equifax set up to reveal whether a person was affected by the data breach gave inaccurate answers.
      • That site was set up outside of the main Equifax.com site. As certain security researchers noted, it made for easy phishing. One proved it by setting up a fake site, which ended up being passed via Twitter by whoever was managing Equifax's Twitter account.
    • Equifax tried to charge consumers for freezing their credit reports – and then announced that they wouldn't.

    Some of the reactions to the data breach are not unexpected, and yet surprising – like the lawsuits. It was expected, but thirty of them filed in less than a week? Wow.

    Other outcomes, such as charging people for freezing their credit reports, are mind-blowing. It's like no one thought to consult the PR department because… at this point, what's the use?

    The stock market seems to think that the other shoe has fallen. At the beginning of this week, Equifax's stock price stopped its losses and ever so slowly began to rise, although some say that it's nothing but a dead cat bounce, either because the market hasn't effectively priced everything in or because there's more bad news on the horizon.

    Based on the last couple of weeks, it wouldn't be foolhardy to wait and see what other surprises spring up.  

    Related Articles and Sites: https://www.databreaches.net/equifax-data-breach-aftermath-lawsuits-and-criticism-mount-stock-prices-plummet/

     
  • Equifax Hack Affects 143 Million SSNs

    Equifax, one of the three largest credit reporting agencies in the US, announced yesterday that they have been hacked. The leaked information includes full names, SSNs, birth dates, and addresses, among other data.
    It's not the biggest hack to date – that dubious honor goes to Yahoo, which claimed 1 billion users and 500 million users (that's right; two data breaches involving over 100 million people each).
    However, the Equifax data breach is more worrisome since it involves truly sensitive information. If Yahoo's data conundrum gave the bad guys a phishing line, Equifax equipped them with an ordnance store full of dynamite.

    Nearly Half the US Population Affected, Took 2 Months to Raise Alert

    Per Equifax's admission, approximately 143 million Americans were affected by this data breach. Taking into consideration that the US population is somewhere around 300 million people, it means that nearly 50% of the entire US has been touched by this latest hack.
    And, when you consider that people are married, live together, etc., it wouldn't be surprising to find that close to 100% of American households are affected.
    Even more shocking: Equifax discovered the hack on July 29 (the hack itself was in May). It took them nearly a month to go public with the information. And while that's probably within the legal boundaries, Equifax, more than other companies, probably knows that going public with the admission sooner would have been better.
    It is, after all, one of the go-to guys for other companies when they experience a data breach. One can only assume that Equifax knows all the ins and outs of what to do when data breaches strike; they probably developed marketing and services around it. (Which brings up an interesting question: will Equifax, with a straight face, offer their own credit monitoring and identity protection services to 143 million people, "out of an abundance of caution," as the industry saying goes?)
    There are even reports that credit card numbers (for approximately 200,000 people) were also stolen in the hack. Which is weird because you're not supposed to be storing such data, at least not without encryption.

    Stock Down 12% After Hours, Insider Trading Accusations

    The news didn't go well. Aside from all the major (and minor) news networks reporting on this latest data incident, people with access to after-hours stock trading managed to push the price down by 12% (and today's pre-market is pushing it further down).
    This probably wasn't helped by reports that three executives sold $1.8 million worth of shares shortly after the data breach was discovered. It could very well have been "innocent" (the sales were not pre-scheduled) but such news incentivizes outsiders to start dumping shares now, ask questions later.
    All in all, these are not the actions of an organization prepared to meet head-on the demands of a data contingency plan.
    Which is surprising.
    Equifax and other similar companies know they are hacking targets for the digital data that they possess. They are the mother lode, so to speak. One would have expected them to plan accordingly, but if you look at tweets and whatnot, it's beginning to look like they were caught with their pants down in every aspect.
    For example, someone managed to reach Equifax's help line, and the person on the other end admitted to being hired outside help and to not having access to a database for checking whether the caller was affected by the data breach. More than one month after the data breach was discovered.

    The Silver Lining

    Can any good come out of this? When you consider that half of the US is affected, you just know that government officials are going to be swept up in this. Perhaps enough P.O.'ed congresspeople will lead to something (finally).
    But, if the past is the guide to the future, you're best off betting that remarkably little will change.
     
    Related Articles and Sites:
    https://www.bloomberg.com/news/articles/2017-09-07/equifax-says-cyber-intrusion-affected-143-million-customers
    http://digg.com/2017/equifax-hack
    https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/
    https://techcrunch.com/2017/09/08/equifax-breach-disclosure-would-have-failed-europes-tough-new-rules/
     
  • Delaware Updates Data Breach Notification Rules

    Delaware, the second-smallest state but the leader in business incorporations, at least within the USA, has updated its legal framework regarding data breach notifications. Beginning on August 14, 2018, companies that experience a data breach must notify any affected individuals in Delaware within 60 days. In addition, credit monitoring – free of charge, of course – is now a legal requirement, not a "favor" or "show of goodwill" on the part of the companies.

    And there's more, much more.  

    Changes, Long Time Coming

    Delaware is famous for being a pro-business state; there's a reason why over 60% of Fortune 500 businesses are legally incorporated there. Indeed, it's so pro-business that sometimes it seems that Delaware residents take a back seat to their "legally-people" brethren. Case in point: the original data breach law Delaware passed in 2005, and all the problems it had.

    Well, in less than one year, real people will see their rights elevated:

    • Reasonable protection of personal information.
      • Includes an update on the definition of "encryption."
      • A change in the language so that, if encryption is compromised in the data breach, encryption as safe harbor doesn't kick in.
    • Updated definition of "personal information."
      • Under the new law, medical information; biometric data; user names and passwords; health insurance policy numbers; passport numbers; financial account routing numbers; and individual taxpayer identification numbers, among others, have been added as personal information.
    • Notification to residents within 60 days of a data breach.
    • Notification to the Attorney General if more than 500 people are affected.
    • Free credit monitoring for one year.
    Obviously, the above doesn't cover everything. The legislature included a handy synopsis in the bill, copied verbatim below. As you read over the list, you'll notice that an effort was made to remove certain things, which is interesting as well.
    This Act revises HB 180 to reflect input from a wide group of stakeholders. This Substitute Act differs from HB 180 as follows:
    • Terminology has been revised to be more accurate and consistent.
    • A definition of "person" is added and includes government, consistent with current law.
    • A definition of “determination of breach of security” is added.
    • Marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures are removed from the definition of "personal information."
    • An application for health insurance is removed from the definition of personal information because all of the information in an application that is of concern is separately listed in the definition of personal information.
    • Removes the requirement that the Department of Justice develop regulations and a model form of notice.
    • Clarifies how to provide notice if a breach involves login credentials of an email account that is the basis of the breach.
    • Clarifies that notice of a breach can be provided after 60 days from discovery when it is determined at a later time that the breach includes additional residents.
    • Provides examples of federal laws that can be complied with to constitute compliance with this chapter.
    • Removes the private right of action for the failure of a person to provide notice under this chapter. The Common Law cause of action for actual damages as a result of a breach is unaffected by this change.

    Some Controversy

    On providing credit monitoring for free, some have pointed out the potential outsized effect on small and medium-sized businesses.

    In this day and age when it's easier than ever to compile extremely large databases, even for the smallest mom-and-pop store, the concerns are more than valid. Indeed, when you think about it, many things work against small businesses, especially when it comes to data security. For example, they ostensibly have less money than a megacorporation, meaning they cannot afford the best digital security on offer. Nor can they afford to upgrade their existing security as often. Nor can they guarantee access to dedicated IT professionals who could potentially lower the risk of a data breach in their day-to-day jobs.

    On the other hand, hackers don't give breaks just because you happen to be an SMB. And, at the end of the day, if 100,000 people (or more!) are affected by a data breach, the damage is the same whether the breached entity is a business operated by two people or twenty-thousand people.

     

    Related Articles and Sites:
    https://www.bna.com/delaware-adds-stringent-n73014463341/
    https://www.lexology.com/library/detail.aspx?g=4a54016c-c241-4327-8127-e35a36bcb6a1
    http://legis.delaware.gov/BillDetail/26009

     
  • NIST Guy Who Came Up With Hair-Tearing Password Requirements Says He's Sorry

    The "NIST midlevel manager" who came up with the crazy password requirements – well, technically, recommendations; you know, must include special characters, uppercase and lowercase letters, numbers – says that he's sorry and that "much of what [he] did [he] now regret[s]."
    As the Wall Street Journal explains, Bill Burr was a manager at the NIST – not a security researcher – who was under a deadline to produce a document on password security. In addition to not being a security researcher, he was also hampered in his efforts by a lack of data and a lack of access to it. In the end, he based his guide on an outdated white paper.
    And ever since, people all over the world have been struggling with passwords.  

    It Doesn't Work (But For the Lack of Trying… and Not)

    Burr should give himself a break. The reason why his requirements don't work is because people are quite tenacious when it comes to abusing loopholes in the digital realm. That, and the inexorable progress when it comes to the speed of computing hardware.
    The NIST document made its debut in 2003. We're living in 2017. When you consider that Moore's Law – the one regarding computer processing power, that it doubles every two years or so – is still valid as of right now, it means that today's processors are 128 times faster than those of 2003; password lengths, though, have barely budged from between 8 and 12 characters long.
    In addition, in the realm of brute-forcing passwords, pure CPU processing power has been surpassed by other approaches. GPUs have left CPUs in the dust, as have distributed and parallel processing. In the face of tremendous brute-force processing power, there's only a handful of ways to ensure that a password can retain its integrity in the face of attacks:
    1. Make the password longer,
    2. Increase the number of values for each character (e.g., lowercase alphabet is 26 values; upper and lowercase is 52 values; the addition of numbers to that is 62 values; etc.),
    3. Change your password frequently, or
    4. Slow down how quickly a password is processed (e.g., even if hardware can run through a gazillion passwords per second, the system is designed so that it can check one password per second).
    Data breaches the world over have shown that certain passwords are used over and over. Regardless of how long or crazily complicated a password is, if a sizable sample of the population uses the same passwords, #1 through #3 become meaningless.
    And #4 becomes meaningless when you have data breaches the world over: an attacker working on a stolen copy of the password database isn't bound by the system's one-check-per-second limit.
    People may complain that frequent password changes, complex passwords, etc. "don't work" but what's the option? Never change passwords? Make passwords as simple as possible?  

    Regarding That XKCD Comic…

    And, of course, the WSJ made a reference to the classic XKCD strip regarding "correcthorsebatterystaple" as a password.
    The problem with creating passwords using this approach is that, when enough people in the population start using it, it will become the weak link of passwords.
    As noted in the comic strip (which is a bit dated, from 2011), correcthorsebatterystaple has 44 bits of entropy, which is based on 4 words randomly chosen from a list of 2048 common words. It notes that it would take hundreds of years to break.
    A comparable way of looking at this is that it offers the same level of protection as a password that is 8 characters long, each character chosen from a list made up of the lower- and uppercase alphabet letters, all numbers from 0 to 9, and four special characters.
    Here's the thing: researchers have shown that they can brute-force passwords with 10 characters or less within a couple of weeks. Indeed, passwords have to be about 22 characters long or so to pass muster.
    So, hitting on correcthorsebatterystaple wouldn't take hundreds of years; I doubt if it would take a week – using an iPhone, no less. Could people use words from a bigger, thicker dictionary? Sure. But they won't. Mesothelioma will show up – and its spelling be correctly recollected from memory – as often as Tr0ub4dor&3 (There is the advantage, though, that mesothelioma can be looked up in a dictionary).
    Of course, you could also use the same 2048 words but make the password longer (more than 4 random words)…but the equivalent to the 22 characters I mentioned above would be 12 randomly picked words. All of a sudden, it's not so easy to remember anymore.
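    Putting the post's figures into a small model, as an added example that is not from the post, the comic or NIST: 11 bits per word from a 2048-word list, the 66-symbol alphabet (52 letters, 10 digits, 4 specials) the post compares against, and the expected search time at an online rate-limited check versus an offline attack on leaked hashes (option #4). The guess rates and the tiny "common passwords" set are constructed for illustration.

```python
import math

# Alphabet sizes the post uses: lowercase; mixed case; with digits; with four specials.
LOWER, MIXED, ALNUM, ALNUM_4SPECIAL = 26, 52, 62, 66
XKCD_WORDLIST = 2048  # the comic's word list: log2(2048) = 11 bits per random word


def entropy_bits(symbols, length):
    """Entropy of `length` symbols drawn uniformly and independently from `symbols` choices."""
    return length * math.log2(symbols)


def equivalent_length(bits, symbols):
    """Shortest string over a `symbols`-sized alphabet with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(symbols))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password by exhaustive search (half the keyspace on average)."""
    return (2 ** bits) / 2 / guesses_per_second


def effective_bits(password, common_passwords, nominal_bits):
    """The post's reuse point: once a password (or passphrase scheme) is popular enough to be
    in a shared list, an attacker tries the list first, so its strength is log2(list size)
    regardless of length or character classes. Otherwise the nominal entropy stands."""
    if password in common_passwords:
        return math.log2(len(common_passwords))
    return nominal_bits


def passphrase_vs_password_table():
    """The comparisons made in the post, returned as (label, bits) pairs."""
    return [
        ("4 words from 2048", entropy_bits(XKCD_WORDLIST, 4)),            # 44 bits
        ("8 chars from 66 symbols", entropy_bits(ALNUM_4SPECIAL, 8)),     # ~48 bits, 'comparable'
        ("12 words from 2048", entropy_bits(XKCD_WORDLIST, 12)),          # 132 bits
        ("22 chars from 66 symbols", entropy_bits(ALNUM_4SPECIAL, 22)),   # ~133 bits
    ]


if __name__ == "__main__":
    for label, bits in passphrase_vs_password_table():
        print(f"{label}: {bits:.1f} bits")
    twelve_words = entropy_bits(XKCD_WORDLIST, 12)
    print("12 random words need", equivalent_length(twelve_words, ALNUM_4SPECIAL),
          "chars from 66 symbols to match")
    # Option #4: the same 44-bit passphrase against a throttled online check
    # and against an offline attack on a leaked hash database (constructed rates).
    seconds_per_year = 365.25 * 24 * 3600
    for label, rate in (("online, 1 guess/s", 1), ("the comic's 1,000 guesses/s", 1e3),
                        ("offline GPU rig, 1e10 guesses/s", 1e10)):
        years = expected_crack_seconds(44, rate) / seconds_per_year
        print(f"  {label}: {years:,.3g} years")
    common = {"123456", "password", "correcthorsebatterystaple"}  # constructed sample list
    print("reused passphrase, effective bits:",
          effective_bits("correcthorsebatterystaple", common, 44))
```

    Neither a longer passphrase nor a bigger alphabet changes the last line: the only fix for a password that everyone else also uses is a different password.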
    Take a bow, Mr. Burr. It's not that your guidelines don't work; it's just that technology razes everything in its path, and most humans are terrible at remembering anything that is unfamiliar and beyond a certain length.

     

    Related Articles and Sites:
    https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
    http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987

     
  • Customs and Border Protection Admits They Cannot Search Remote Data

    Earlier this week, the US Customs and Border Protection (CBP) responded to Senator Ron Wyden's inquiries regarding electronic device searches at US borders (more specifically, airports). As numerous media outlets have relayed, CBP "admitted" that they do not have the authority to search data that is "solely" in the cloud, data that is not on the device itself but could easily be accessed via a smartphone.
    The implication, it appears, is that CBP does not want to risk accessing information that could exist in servers located on proper US or foreign soil – that is, outside of their own jurisdiction – and which could require a proper warrant.
    But aside from that, CBP reiterated that they have the right to conduct searches on data storage devices. The inclusion of the word "solely" in the response, experts surmise, means that emails, text messages, and other information that exist both in the cloud and on a device are fair game.
    In addition, CBP apparently admitted:
    that travelers can refuse to unlock their devices or hand over their passwords, but if they do so, CBP officials have the right to detain the device. [neowin.net]
     

    A Couple of Things of Note

    As interesting as the above may be, taking a look at the actual letter (PDF) reveals plenty of surprising things that weren't covered elsewhere.
    To begin with, it appears that CBP can search your belongings for absolutely no reason ("do not require a warrant or suspicion") – it wasn't "just a feeling" that they were doing it, it's actual policy. In addition, they will limit when they'll search a device's contents based on geographic location. In a footnote, the following can be found:
    Border searches of electronic devices do not require a warrant or suspicion, except that following the decision in Cotterman v. United States, 709 F.3d 952 (9th Cir. 2013), certain searches undertaken in the Ninth Circuit require reasonable suspicion of activities in violation of a law enforced or administered by CBP.
    The implication here is that, somehow, entering the US via the west coast guarantees a little more rule of law than entering the US from elsewhere (the Ninth Circuit is comprised of Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, and Washington, as well as Guam and the Northern Mariana Islands).
    In addition, the letter pointed out that searches of devices are "exceedingly rare… less than one-hundredth of one percent of travelers arriving" to the US.
    This means that device searches are less than one in 10,000 (which translates to 0.0001, or 0.01%); it also implies that searches are somewhere close to this number. That does seem rare indeed. Except, let's put that in context, shall we?
    According to the US's own government data (PDF), 77.51 million international visitors traveled to the US in 2015. For Americans going abroad, it was 32.78 million; one assumes most of them will return. Applying that 1 in 10,000 figure above, it translates to approximately 11,000 devices searched. It might be relatively small compared to the number of people entering the US, but it's a pretty big number in its own right. I mean, can you imagine 11,000 phones laid side by side? Where do they even store all this stuff?
    For an everyday comparison, take the instance of car crashes. According to this site, over 37,000 people die in road crashes each year. There are about 323 million people in the US. That means 1.15 in 10,000 people die in car crashes every year in the US. Those figures are pretty close to the number of devices searched by CBP.
    Now, ask yourself, does it feel to you as if car crash deaths are exceedingly rare in the US?  

    One Final Thing

    In a question, the Senator asked whether (my emphasis) "CBP is required to first inform the traveler that he or she has the right to refuse to disclose a social media or email account password or device PIN or password"?
    The CBP's answer, while long, does not address the issue. It would appear that the answer is "no, there is no such requirement."
    Not sure why you'd perform verbal jujitsu instead of coming right out and saying it. It wouldn't be unexpected of people who can perform "border searches of electronic devices [that] do not require a warrant or suspicion."
     
    Related Articles and Sites:
    http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416
    https://arstechnica.com/tech-policy/2017/07/us-border-agents-we-wont-search-data-located-solely-on-remote-servers/
    https://www.pogowasright.org/border-patrol-says-its-barred-from-searching-cloud-data-on-phones/
     