Anthem Blue Cross Hacked

I thought it had been quiet recently – apparently too quiet.

Anthem, the healthcare insurance company that operates in 14 states and is the second largest insurance company in the country, reported that it had been hacked.  Anthem operates under a lot of names including Anthem Blue Cross, a name well known in the Northeast.

According to a statement signed by Anthem CEO Joe Swedish,  the attackers did not take credit card information or healthcare information. Anthem said that possibly as many as 80 million customers, current and former, are affected.

The fact that no healthcare information was taken has to be a huge relief to Anthem’s board.  With the new HIPAA rules, the fine could possibly have been as much as 80 million records times $1.5 million fine per record.  That is $120 trillion.  Of course, they would never be assessed such a large fine or even a small percentage of that number, but that is the potential max.  Even 1/1000th of 1 percent of that number is a big number.

Another relief is the hackers did not use the Sony attack technique of thermonuclear information destruction and wipe all of Anthem’s systems.  That could have been a bit of a mess for them.  Think about an insurance company that could not pay claims for a couple of months.

What the hackers did take is names, addresses, social security numbers, email addresses, employer information and income and they did this for both current and former employees and customers.  Mr. Swedish said that it was in the tens of millions of people and maybe as many as 80 million.

They only discovered this last week, so there is probably more they don’t know than they do know, so the facts may change.  I give Anthem credit for announcing this so quickly.  Most companies would not even know what the hackers got after a week, so it is possible that Anthem has a good information risk management process in place – we don’t know yet.

One question that you might ask is why the hackers stole what they did steal.  I don’t have any insider info and the FBI is investigating, along with the security firm Mandiant, but I have a thought.

When the hackers at Home Depot stole those tens of millions of credit cards – or one of the other thousands of attacks that did not make the news – some, but only some, credit card companies issued new cards.  Some of those cards are still live.  More importantly, credit card numbers by themselves don’t sell for a lot of money any more because they get turned off pretty quickly.

BUT, if besides the credit card info you have name, address, employer, social, date of birth, etc. – what hackers call “fullz”, meaning the full credit info – it sells for a lot more.

While that won’t help the hackers much right now regarding last year’s hack of Home Depot, when the next attack comes, having a database of information on 20 percent or more of the U.S. population is a hugely financially valuable tool.  Merge this with the 75 million records stolen from Chase last year and you have a pretty nifty database.

Like healthcare information, fullz information doesn’t change anywhere near as quickly as credit card information.  Are you going to change your blood type or sell your house and move because of the hack?  It is really hard to change your blood type and unlikely that you are going to move because of one.

What this means is that hackers, who are becoming good at using big data, have a great repository of information to merge with the next credit card or healthcare hack to make a whole lot more money.  And yes, hackers do work together – not so much for fun as for the collective profit, so my scenario is very realistic. That combined information makes it a lot easier for the hackers to create new credit in your name than just having a credit card number and even the PIN.

Only time will tell, but check back for updates over the next few weeks.


Yet Another Adobe Flash Bug

Trend Micro is reporting (see here) yet another Adobe Flash zero-day attack in the wild.  Yes, this is a new one.  No, this is not the one I reported on last week.  I had to read the article three times to convince myself this was not the exploit I wrote about last week.  And, Trend Micro has already caught about 3,300 instances of this attack among their user base.  Given their user base is huge, 3,300 is a small number, but there is not a fix for this yet.  Adobe is promising one this week.

To say that 2015 has not started out well for Adobe would be kind.  They released their normal Flash update in January that fixed 9 critical flaws.  Then 9 days later, they released an out-of-band patch to fix a critical flaw that was being exploited.  Last Saturday, they released another patch to fix a critical flaw and now they are saying they are going to release another patch this week.  That would be 5 patch releases in the first 5 weeks of the year.  Out-of-band patches are a huge pain for both developers and users, so software vendors like Adobe reserve them for critical problems.

This flaw is particularly nasty because, Trend Micro says, it is showing up in ads appearing on web pages and IT DOES NOT REQUIRE THE USER TO CLICK ON THE AD TO WORK.

Some people are suggesting you disable Flash, but that would make many web sites look like a blank page.  I would suggest, at a minimum, that you make sure that you are using a highly rated anti-virus product (apparently Trend Micro does catch this and it is pretty cheap – I saw a version of Trend the other day on Amazon for $25/year for 3 PCs or $8 a PC a year).

And, yes, watch for yet another Flash update this week on a computer near you.


Internet Explorer 11 Vulnerability Opens Door To Phishing

Many sources are reporting (see here) a bug in Internet Explorer 11 that could support a very credible looking phishing attack.  Interestingly, this attack does not work on older versions of Internet Explorer, which is the reverse of what usually happens.  The problem was disclosed on Saturday with a proof of concept on the full disclosure mailing list, so the hackers even have example code to start from.

The exploit does require the user to click on a link to get it to work, but if the user does click, which is not hard to get a user to do, the web page for, say, ABC Bank does appear and the Bank’s URL appears in the address bar.  In the demonstration code, a few seconds later, a web page from the hacker appears, but the original web site URL still appears in the address bar.  What this means is that a victim would think he is still at the ABC Bank web site, so if the web page asks for some personal information, the user would think that he is giving that information to the bank but would really be giving it to the hacker.

Unfortunately, this attack even works with HTTPS based web pages (this is yet another way that SSL is broken;  see yesterday’s post for other reasons it is broken).

In concept, this is similar to the bug discovered in the default Android browser a few months ago that allows this same kind of attack.  Google has taken some heat over that one because they said that they are not using that code in the current version of Android (4.4), so they are not going to fix it.  The only solution for Android users using version 4.3 or earlier is to use Chrome or Firefox instead.

For Windows users, a simple solution would be to use another browser, at least until Microsoft fixes this bug.

Microsoft said that they are not aware of hackers using this bug (which is not a surprise since it was only published on Saturday), that they are working on a fix (which may take a couple of months, depending on the priority and the difficulty of fixing it) and that you shouldn’t click on links from “untrusted sources”.  By untrusted sources, they mean a link in a phishing email that appears to have come from your boss.  Good luck in getting that to happen.

Interestingly, the researchers who disclosed this bug said that there was a simple solution for web sites (like ABC Bank) to protect themselves: send a particular HTTP response header with the page (X-Frame-Options with DENY specified), which tells the browser not to display the page inside another site’s frame.  The researchers say that very few web sites do this.  Still, for web site owners, this might be a smart change to make to protect their visitors while Microsoft works on a fix.
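The header the researchers point to is easy to audit and easy to add.  The following is an added example, not code from the researchers, Microsoft or any bank: it classifies how a response restricts being embedded in another page and shows a helper that adds the protective headers to a site’s responses.  It goes a little beyond the post by also handling the Content-Security-Policy frame-ancestors directive, which is the newer way to express the same rule and takes precedence when both headers are present.  The sample responses (`SAMPLE_RESPONSES`) are constructed for the example.

```python
"""Audit and add clickjacking / framing protection on HTTP responses.

Added illustration for the X-Frame-Options mitigation.  Header dicts here
are plain {name: value} mappings; the sample responses are constructed.
"""
from typing import Dict, Tuple

# Values X-Frame-Options may carry (case-insensitive); ALLOW-FROM is obsolete.
_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def _get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, because HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (policy, deciding_header).

    policy is 'blocked' (no site may frame the page), 'same-origin'
    (only the site itself may) or 'allowed' (any site may embed it).
    CSP frame-ancestors wins over X-Frame-Options when both are present.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.strip("'").lower() for p in parts[1:]}
            if sources == {"none"}:
                return "blocked", "Content-Security-Policy"
            if sources and sources <= {"self"}:
                return "same-origin", "Content-Security-Policy"
            return "allowed", "Content-Security-Policy"

    xfo = _get_header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options"
    # ALLOW-FROM had inconsistent browser support, so treat it as unprotected.
    return "allowed", "none"


def add_frame_protection(headers: Dict[str, str], policy: str = "DENY") -> Dict[str, str]:
    """Copy of the response headers with framing denied (or limited to same origin).

    Sets X-Frame-Options and the equivalent CSP frame-ancestors directive,
    appending to an existing Content-Security-Policy header if one is present.
    """
    if policy not in _XFO_VALUES:
        raise ValueError("policy must be DENY or SAMEORIGIN")
    out = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    out["X-Frame-Options"] = policy
    ancestors = "frame-ancestors " + ("'none'" if policy == "DENY" else "'self'")
    csp_key = next((k for k in out if k.lower() == "content-security-policy"), None)
    if csp_key is None:
        out["Content-Security-Policy"] = ancestors
    elif "frame-ancestors" not in out[csp_key].lower():
        out[csp_key] = out[csp_key].rstrip("; ") + "; " + ancestors
    return out


# Constructed sample responses from three hypothetical bank sites.
SAMPLE_RESPONSES = {
    "bank-unprotected": {"Content-Type": "text/html", "Server": "example"},
    "bank-xfo": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "bank-csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Policy per site, the report a site owner would want for their own pages."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for site, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{site}: framing {policy}")
    print(add_frame_protection(SAMPLE_RESPONSES["bank-unprotected"]))
```

Run the audit against your own site’s responses before and after the change; the unprotected sample reports `allowed`, and the same headers passed through `add_frame_protection` report `blocked`.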



BMW Fixes Bug That Would Allow Hackers To Unlock Your Car

BMW announced that it had fixed a bug that would have allowed hackers to compromise its ConnectedDrive car automation system.  The bug affected over two million BMWs, Minis and Rolls Royces, according to Mashable.

Apparently, the communications between BMW’s servers and your car were not even encrypted, so the solution was to use HTTPS to encrypt the traffic.

BMW claimed that the bug did not affect the driving, steering or braking functions of the car.  That’s great, but I am not sure that this is the bar that we should measure their security by.

ADAC, a German automotive group, discovered the bug in the middle of last year and decided not to announce the bug until BMW came up with a solution.

BMW, the article says, patted itself on the back for coming up with a fix so quickly.  Others said that HTTPS should have been there in the first place.

The good news is that BMW owners do not need to take the car into the dealer to fix the problem; the fix will be downloaded the next time the car connects to BMW’s servers.

Given how poor BMW’s security was around the car automation function, I am not sure that BMW’s being able to load new firmware into the car over the air is a good thing.  They may want to review the security of that process as well.  I can just see a hacker downloading new firmware into my car causing the car to do who knows what.
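The worry above is that an over-the-air update channel is only as safe as the checks the car performs before it applies what it downloaded.  The following is an added example, not BMW’s code or protocol, of the minimum a device should verify: that the update manifest was produced by someone holding the device’s key, that the image matches the digest in that authenticated manifest, and that the version is newer than what is installed so an attacker cannot push an old, vulnerable build back onto the car.  A shared per-device HMAC key stands in for the public-key signature a real deployment would use; the manifest format, key and firmware bytes are all constructed for the example.

```python
"""Checks an OTA firmware update process should pass before flashing an image.

Added illustration.  HMAC-SHA256 with a per-device key stands in for a real
public-key signature; the manifest layout and all sample data are constructed.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed: a key provisioned into the device at manufacture and never sent over the air.
DEVICE_KEY = b"constructed-per-device-key-do-not-reuse"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Hex HMAC-SHA256 over the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(image: bytes, version: int, key: bytes) -> dict:
    """Update package as the update server would produce it (constructed format)."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "mac": sign_manifest(manifest, key), "image": image}


def verify_update(package: dict, key: bytes, installed_version: int) -> Tuple[bool, str]:
    """Return (ok, reason).  Nothing is written to flash unless ok is True."""
    manifest = package.get("manifest")
    if not isinstance(manifest, dict):
        return False, "missing manifest"

    # 1. Authenticity: the manifest must carry a MAC made with the device key.
    #    compare_digest is constant-time, so a mismatch does not leak its position.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, str(package.get("mac", ""))):
        return False, "manifest authentication failed"

    # 2. Rollback protection: never accept a build that is not newer than the one installed.
    if manifest.get("version", -1) <= installed_version:
        return False, "version %s is not newer than installed %s" % (manifest.get("version"), installed_version)

    # 3. Integrity: the image must match the size and digest bound by the authenticated manifest.
    image = package.get("image", b"")
    if len(image) != manifest.get("size") or hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image digest mismatch"

    return True, "ok"


if __name__ == "__main__":
    good = build_update(b"constructed firmware image v2", 2, DEVICE_KEY)
    print(verify_update(good, DEVICE_KEY, installed_version=1))
    bad = dict(good, image=b"constructed firmware image v2, altered in transit")
    print(verify_update(bad, DEVICE_KEY, installed_version=1))
```

The order matters: the MAC over the manifest is checked first, so the version and digest fields are only trusted after they have been authenticated, and the bulky image is only hashed once the small manifest has passed.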

Unfortunately, I suspect that this problem will only get worse for a long time before it gets better.



Is SSL Broken

While every single bank and ecommerce provider tells you that SSL (or HTTPS) is wonderful and fully protects you, unless they are on drugs, they don’t really believe that.  From their perspective, the risk is manageable and they would rather reimburse you if you can prove their SSL connection leaked AND cost you money than tell you that it is not very secure.

Let’s remove some of the reasons that people usually give for why HTTPS is not secure and get down to my pet peeve.  First, if you use a public WiFi hotspot, it can execute what is called a man-in-the-middle attack and have your device exchange a handshake with the hotspot instead of the real site.  Your device will never know and the hotspot will see your data in the clear.

Next, there have been many instances of hackers operating fake WiFi hotspots.  Even if the real hotspot is clean, the fake one may execute a man-in-the-middle attack on your traffic.

Next are the bugs in the software.  This year there have been several.  One example is Heartbleed, which affected the server side of the connection and may have compromised the private half of the SSL lock and key for millions of servers.  Many servers have fixed the problem but many did not bother to create new private keys.  Many have not fixed it.

Next is the problem of revoked certificates.  After Heartbleed was fixed, hundreds of thousands of certificates were revoked because they may have been compromised.  The CRL (certificate revocation list) infrastructure was not and is not designed to handle that.  Firefox uses OCSP, the Online Certificate Status Protocol, but by default, it will accept a certificate if it does not get a speedy response to its request to find out if the certificate is valid.  Some browsers just ignore the CRL question entirely.

Which leads us to my pet peeve.

I looked inside Firefox on my Windows PC today and found HUNDREDS of certificate authorities loaded into the browser.  The Certificate Authority or CA is the (supposedly) trusted organization which certifies that your little SSL padlock – the one that says you are you – is really you.  So who is in the list?  China Telecom.  Hong Kong Telecom. Definitely trust China!  Not!  Actually I did until I deleted their records.  Korea (I hope that would be South and not North).  Many other somewhat friendly countries.  And many that are probably from the U.S. but whom I have never heard of.  I deleted probably 50 of them off Firefox today and there are still more than a hundred active.

Chrome and Internet Explorer use a different CA list than Firefox does.  Apple has their CA list.  If you delete it from your home computer that does not delete it from your phone.  Or your tablet.  Or your laptop.  Think of all the devices that your family uses and you are probably talking well over 1,000 trusted CAs (of course there is a bunch of overlap, but that doesn’t really matter, because even if you tell your desktop you don’t trust China Telecom, you also have to separately tell your phone and your tablet and if you use Chrome and Firefox both, you have to tell each of them separately, even on the same device).

If I had my way, I would have 4 or 5 entries in there and kiss the rest goodbye.

Of course, there is not a decent user interface to manage that and I don’t know, but would not be surprised, if after Firefox does an update, China is back.   I will have to test that theory.
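The manual inventory described above can be done programmatically, and the “4 or 5 entries” posture can be built into a client.  The following is an added example, not from the post: it lists the roots the operating system’s default TLS context trusts, tallies them by country, flags the ones on a block list, and builds a client context that trusts only one explicit CA bundle, so a certificate chained to any other root (for instance one presented by a hotspot sitting in the middle) fails verification.  The `SAMPLE_CAS` records are constructed in the dict shape Python’s `ssl` module returns; the real list comes from `load_trusted_cas()` on whatever machine this runs on.

```python
"""Inventory the trusted CA list and build a client that trusts only a short one.

Added illustration.  SAMPLE_CAS is constructed; load_trusted_cas() reads the
real OS trust store through Python's ssl module.
"""
import ssl
from collections import Counter
from typing import Iterable, List


def load_trusted_cas() -> list:
    """Root certificates the default client context trusts.

    Each entry is a dict in the same shape SSLSocket.getpeercert() returns.
    """
    ctx = ssl.create_default_context()  # loads the operating system trust store
    return ctx.get_ca_certs()


def _field(cert: dict, name_part: str, attr: str) -> str:
    """Pull one attribute (e.g. countryName) out of the 'subject' or 'issuer' RDN tuples."""
    for rdn in cert.get(name_part, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def count_by_country(ca_certs: Iterable[dict]) -> Counter:
    """How many trusted roots each country's CAs contribute ('??' when unknown)."""
    return Counter(_field(c, "subject", "countryName") or "??" for c in ca_certs)


def flagged_cas(ca_certs: Iterable[dict], blocked_countries: Iterable[str]) -> List[str]:
    """Organization names of roots whose subject country is on the block list."""
    blocked = set(blocked_countries)
    return [
        _field(c, "subject", "organizationName")
        for c in ca_certs
        if _field(c, "subject", "countryName") in blocked
    ]


def strict_client_context(ca_bundle_path: str = None) -> ssl.SSLContext:
    """Client context that trusts only the CAs in one PEM bundle and nothing else.

    With ca_bundle_path=None the context trusts no CA at all, so every
    connection fails verification until a bundle is loaded: the opposite of
    the default posture of trusting hundreds of roots.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # refuse any peer without a valid chain
    ctx.check_hostname = True            # and require the name to match the certificate
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a chain and verifies the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed sample records in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_CAS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Inc"),), (("commonName", "Example Root CA"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Another Root LLC"),), (("commonName", "Another Root CA"),))},
    {"subject": ((("countryName", "CN"),), (("organizationName", "Sample Telecom CA"),), (("commonName", "Sample Telecom Root"),))},
    {"subject": ((("countryName", "KR"),), (("organizationName", "Sample Korea CA"),), (("commonName", "Sample Korea Root"),))},
]


if __name__ == "__main__":
    real = load_trusted_cas()
    print(len(real), "roots trusted by this machine's default context")
    for country, n in count_by_country(real).most_common(10):
        print(f"  {country}: {n}")
    print("constructed sample, blocked CN:", flagged_cas(SAMPLE_CAS, ["CN"]))
```

Note that this only covers programs that use the OS store through Python’s `ssl`; as the post says, Firefox keeps its own list, so it has to be reviewed separately.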

Many people agree that SSL is hopelessly broken.  Here is an article from The Register on the subject.  I Googled “is SSL broken” and got 12,400,000 hits.

The bad news is that no one is working on a replacement and even if they did, it would take years to get everyone to agree to it and then we would need to figure out how to do the transition.

Which is why the merchants all cross their fingers behind their backs and say “sure;  it’s secure”.



Verizon To Allow Opt Out Of Super-Cookie “Soon”

According to USA Today and the NY Times, Verizon has announced that it will allow users to opt out of their super-cookie program “soon”.

You may remember that both Verizon and AT&T were caught adding a unique tracking identifier into all web page requests last year as customers were using programs such as ad blockers and Ghostery to attempt to retain some semblance of privacy as they surfed the web.

Verizon’s super-cookie, dubbed a Unique Identifier Header (UIDH), was added to the web page request after the request left your phone or tablet, hence all the traditional methods for deleting them were ineffective.  Their advertising partner Turn was caught building user profiles of sites visited after Verizon publicly stated surely no one would do that.  Turn said that the fact that people were deleting their cookies did not mean that they did not want to be tracked.

AT&T announced in November that they were ending what they called in their press release an experiment in the use of super-cookies.

Turn announced last week that they would end their use of compiling profiles that way in February – but I assume they will not end the practice of creating user profiles.

Finally, as the story would not go away, Verizon announced that they are “listening to their customers” and would allow their customers to opt-out of the UIDH real soon now.  The only conclusion I can draw from this is that the UIDH does not serve any legitimate purpose other than tracking you and that they are counting on users to be too lazy to opt out.  I will report again when the option is actually available.