Tennessee Breaks New Ground In Privacy Law

On March 24th, Tennessee Gov. Bill Haslam signed S.B. 2005 into law, breaking new ground in privacy law.  The law takes effect on July 1.

While there are a couple of interesting features of this amendment to the existing Tennessee privacy law, the biggest change is that, effective July 1, companies that have a breach will have to notify Tennessee residents about the breach, even if the data that was taken was encrypted.  This makes Tennessee the first state in the country to have this requirement.  IF you have a breach, THEN you must notify the victims.

Other features of the amendment include a requirement to notify victims within 45 days unless the cops ask the company to delay that notification.  Many state laws just say you should notify people quickly.

The other major feature is a requirement to notify victims if the person taking the data was an employee, operating in excess of his authority and using it for an unlawful purpose.  This means that you can’t say that an employee accessing data inappropriately is okay – it is a breach.

My speculation is that this amendment is designed to stop companies from hiding the fact that they were breached.

Whether other states will follow suit is unknown.

In today’s world, many companies operate in every state, so if the company has a breach, it will have to notify victims.  If the data was encrypted, then technically, they will only have to notify Tennessee residents, but that could get sticky politically, so likely they will have to notify everyone.

We live in a dynamic world.

Information for this post came from National Law Review.

Paris Police Report Shows No Evidence Of Use Of Encryption

Over the weekend the New York Times ran a piece on the report created by the French anti-terrorism police on the Paris attacks.  The report indicates that there is no evidence of use of encrypted email, devices or messaging solutions.

In fact, they used phones that they activated just before the attack (burner phones) and phones taken from the victims.  Since the phones were only active for a few minutes, they didn’t care if someone was able to track them.

The Times decided that since there was no evidence of encrypted email, the attackers must have used encrypted email.  That logic escapes me.  The Times figures that encrypted emails must be invisible.

Now this does not mean that future attackers won’t use encryption, but if they do, at least the smart ones will not use software from countries that require back doors.

Perhaps we need to ban cell phones.  After all, the root of all these issues is people using cell phones.  If we get rid of cell phones, then the attackers will be forced to meet with each other – a much riskier proposition.

There is no simple answer to these problems even though politicians will attempt to create a simplistic solution.

What is likely is that if U.S. companies are forced to put back doors in their software, companies in other countries will avoid buying U.S. technology products, costing profits and jobs.

Information for this post came from Techdirt.

Fifth Hospital This Month Hit By Ransomware

If last year was the year of attacks on health insurance companies, this year seems to be the year of attacks on hospitals.

Hollywood Presbyterian Medical Center.  Henderson Kentucky Methodist Hospital.  Desert Valley and Chino Valley hospitals in Southern California.

Now it is Medstar Health.  Medstar runs 10 hospitals and 250 outpatient clinics and has more than 30,000 employees in the D.C. and Maryland area.

On March 28th, Medstar started shutting down systems due to what their P.R. department called a virus attack.

For some reason, the hospital refuses to call it a ransomware attack, but employees say that they saw a ransom note on the screen saying they wanted a ransom of 45 bitcoins or around $19,000.  The attackers say that if the hospital does not pay the ransom in 10 days, the attackers will delete the encryption key.

While the hospital P.R. folks say that patient safety was not at risk, employees disagree, saying that critical safety controls are down.  Nurses say that the paper records that they are using are far less comprehensive than the electronic records they normally keep and, as a result, vital pieces of medical information may be missing.

Likely, the hospital is worried about being sued if they say that patient care was affected, so they really have no choice but to say what they did say, even though it is likely less than honest.

This “non-patient-safety issue” had ambulances diverted to other hospitals in some cases.

While all of these hospitals CLAIM that patient records were not taken, under HIPAA regulations Health and Human Services considers these events a reportable breach, because the attackers may have had access to the patient records that were ultimately encrypted.

Medstar says that they are beginning to bring systems back online.  It is unclear if they paid the ransom.

These attacks are serious.  Some hospitals may not have effective disaster recovery plans and the attackers could move to other, less well prepared organizations such as clinics and doctors.

In addition, the attackers could choose to take copies of patient records and disclose them, adding to the problems.

So far, as far as we know, no patients have died as a result of these attacks, but that is a risk.

Five attacks in less than 30 days is NOT a good trend.

Information for this post came from the Washington Post.

ISPs Plan To Use Your WiFi Router To Create Public Hotspots

Juniper Research says that one in three home routers will be PUBLIC WiFi hotspots in the US and Europe by 2017.  ISPs such as Comcast and Cablevision have already started this process.

The ISPs say that the public use of your router won’t affect your speeds, but people are somewhat dubious.

The bigger issue is likely that these routers are typically models that cost the ISPs about $10-$20.  Do YOU think the security of such a router is going to be bullet proof?  I don’t.  Sorry.

Even if the routers can be upgraded, they likely won’t be patched on a regular basis.  Hackers will likely start war driving to see whose router is acting as a public WiFi hotspot and target those boxes for attack.

In addition, ISPs are neither asking your permission nor obtaining your approval prior to doing this.

You should be able to see the public WiFi access point in the list of available hotspots from your phone.

In many ISP routers, you have access to the control panel and can turn off WiFi.  Whether that turns off the public hotspot is unclear.  I decided long ago to buy my own personal WiFi hotspot, so I don’t use my ISP’s WiFi.  Therefore, when I unscrewed and removed the antenna, it didn’t affect me, but it beats the crap out of the distance their hotspot will support, no matter what they do.  You can’t beat out physics.

The ISPs are doing this to provide a service to their customers of “WiFi anywhere”.  I understand the concept, but I certainly would not recommend using that public WiFi any more than I would use public WiFi elsewhere.

If that home router has been hacked, both the public and private side of that router will likely be compromised, and a lot of home routers have been hacked.

Stay tuned as the ISPs roll this out.  No telling how this will play out.


Information for this post came from Network World.

Why Biometrics Are Good For Identification, Bad For Authorization

I have never been much of a fan of using your fingerprint or eyeball print as a way of gaining access to something – whether it be your phone or a data center.  There are a number of reasons why, but now we can add a new one to it.

The Chaos Computer Club demonstrated (see article in Tech Crunch) a way to capture a fingerprint and fool the iPhone’s fingerprint reader.  Some fingerprint readers are even easier to fake – you can fool them with a fingerprint on a gummy bear.

Now mind you, their attack took some serious work, and for most people, who don’t even put a PIN on their phone, the fingerprint is a serious upgrade.

For those people who are paranoid, the courts have held that you can be forced to stick out your finger to unlock your phone while you cannot be forced – without being given immunity – to give up your password.  Also, you can, conveniently, forget your password.  It is hard to forget your finger.

Suffice it to say, biometric information can be captured, with different levels of difficulty, and if that information is used for authorization (i.e., unlocking your phone), it is possible to unlock your phone without your approval.

One way to get around this is to use biometrics to identify the user and a password to authorize that user, but that is inconvenient, so, except for high security environments – such as data centers – that is not often done.

Now today’s new problem.  Agic (see their web site) has created a technology that allows you to print a computer circuit board on your ink jet printer.  Swap out the ink cartridges with their ink and use their paper and you can print a circuit board.  Put some components on it and you have a real circuit.

How does this relate to biometrics?  Well, apparently, it turns out that the capacitance of this ink and paper combination is such that you can print a fingerprint on their paper, using their ink, and that fingerprint has the right capacitance to fool many fingerprint readers.

This means that you can take a picture of someone’s finger, invert the ridges and grooves and print it.  They claim to have unlocked a Samsung Galaxy S6 using this technique.

It also means that if you forget your finger and you took a picture of it and put it in your wallet, you can still unlock your phone.

The point is that there should be a distinction between IDENTIFYING who you are and AUTHORIZING your access – and vendors are collapsing the two.

That being said, given that many people don’t even put a PIN on their phones (Marissa Mayer, CEO of Yahoo, famously said that it was too much work to do that (see article)), using a fingerprint is a huge step up.  But for those people for whom security is important, I do not recommend using a fingerprint at this time.  An alphanumeric password of at least 10 characters is a pretty safe bet.  Experts are recommending 16 characters.  It could be a phrase like “I Like Ice Cream!”, since those are a lot easier to remember.
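To make the identify-versus-authorize distinction concrete, here is an added example (not code from the original post): a toy login service in which a fuzzily matched fingerprint template only says who the user claims to be, and a salted, slowly hashed password is the only thing that grants access. The bit-string templates, the 4-bit match threshold and the user records are constructed assumptions, not real sensor data.

```python
import hashlib
import hmac
import os

# Constructed model, added for illustration (not code from the original post).
# A fingerprint "template" is a bit string matched fuzzily (readers tolerate a
# few differing bits); a password is a secret checked exactly. Threshold assumed.
MATCH_THRESHOLD = 4

def _hamming(a, b):  # differing bits between two equal-length bit strings
    return sum(x != y for x, y in zip(a, b))

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AuthService:
    def __init__(self):
        self._users = {}  # user_id -> {"salt", "pw_hash", "template"}

    def enroll(self, user_id, password, template):
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "template": template,
                                "pw_hash": _hash_password(password, salt)}

    def identify(self, captured):
        """Biometric step: answers WHO the finger claims to be, or None.
        A copy of the finger (photo, printed ridge pattern) passes this step
        as well as the real one, so it must never grant access by itself."""
        best = min(self._users.items(),
                   key=lambda kv: _hamming(captured, kv[1]["template"]),
                   default=None)
        if best is None or _hamming(captured, best[1]["template"]) > MATCH_THRESHOLD:
            return None
        return best[0]

    def authorize(self, user_id, password):
        """Secret step: only the correct password for that user grants access."""
        rec = self._users.get(user_id)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

    def login(self, captured, password):
        """Identify with the biometric, then authorize with the secret."""
        user_id = self.identify(captured)
        if user_id is not None and self.authorize(user_id, password):
            return user_id
        return None
```

A captured or printed copy of the template still identifies the user, which is exactly why the password step is the one that must remain a secret.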

Information for this post came from the Security Now podcast, episode 550.

Chinese National Hacks Boeing For 6 Years – Pleads Guilty

Su Bin, a Chinese national, pleaded guilty this week to hacking into Boeing and other companies in an effort to steal plans related to Boeing fighter jets and military transport planes.

While there were other co-conspirators, Su Bin appears to be the only one indicted.  The DOJ did say that the data was sent to China.

Su Bin was arrested in Canada in 2014 and stayed in jail in Canada for two years.  I am not sure what his thinking was, but he waived extradition last month and then pleaded guilty to those charges this month.

While I have no evidence of this, the Chinese government likely made him an offer he could not refuse, to quote the Godfather.  If he has family in China, that can be a powerful club for the Chinese government to wield.  They just want this to disappear.

One of the things that came out from this is that he was inside Boeing’s network for 6 years.  For a company as security conscious as Boeing is, that is a long time to go undetected.

While he could get 5 years in U.S. prison, he could go home after that a hero for helping China build the Y-20, a knockoff of our C-17.  He also gets credit for the two years he spent in Canadian prison, so the 5 years is likely only 3 years.

Frank Cilluffo, director of GWU’s Center For Cyber and Homeland Security, said that prosecuting hackers can serve as a deterrent to future theft of U.S. trade secrets.  I have bad news for him.  Soldiers, and that is what he is, get shot and blown up way too often, but we still have an army.  As does China.  To think that this will deter soldiers from completing their mission is naive.  That doesn’t mean we shouldn’t indict and prosecute these guys, but I doubt it will make any difference, other than, possibly, having them conduct their hacking from countries that will not extradite them.  That is a bigger problem.  It is harder for us to see what they are doing halfway around the world.

We should also consider that our guys do the same things in China and other countries.  Espionage is a time-honored theme.  In this country, we can trace it back to Benedict Arnold, and in other countries it goes back as far as recorded history goes.  I don’t think that sentencing a soldier to a few years in a relatively nice U.S. prison (unlike, say, Chinese prisons) is much of a deterrent.

The real question at hand is how many Su Bins are operating in this country and other countries, stealing industry’s intellectual property – whether that is technology, industrial process, financial or other data.  For U.S. businesses, this should be a reality check that yes, the bad guys are after our stuff and will take it if we let them.

Information for this story came from Federal Computer Weekly.