All posts by mitch tanenbaum

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, whose software they were using.

The former employee accessed the data twice, two months apart (but didn’t appear to do anything evil with it).

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has security as good as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory, as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.


News Bites for the Week Ending December 14, 2018

Patches This Week

Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader.  39 of these are rated critical.  Last week they patched a critical zero day in Flash (Details here).


More Spy Cams

The other day I reported that the DEA was buying spy camera enclosures to hide inside of street lights (here); well, that is not the only place they are hiding them.

Again, assuming they follow the rules, there is nothing illegal about these efforts.  The Register is reporting that the DEA is buying high end spy cams built into seemingly ordinary shop vacs.  While we don’t know the brand of shop vac, we do know that the camera is a Canon M50B, a high end camera that does remote pan, tilt and zoom.

The camera/shop vac could be just left around or it could come attached to a government agent/janitor.

Whatever it takes to catch a crook.


O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate

Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate.  He is probably looking for a new job right now.

The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack of resources or not having the expertise.  Details at ZDNet.

Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.


Kay Jewelers and Jared Jewelers fix Data Leak

Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.

In this case, these two jewelers, both owned by Signet Jewelers, sent confirmation emails containing a link that anyone could alter to see another customer’s order information – name, address, what they ordered, how much they paid and the last four of their card number.

I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for this kind of issue.

While not the worst data leak in the world, it is not a good thing.  They have since fixed the problem.  Source: Brian Krebs.
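To show what that developer training is aiming at, here is an added example (not Signet’s code): a minimal order lookup with the flaw described above, where the order number in the emailed link is the only thing protecting the data, beside two fixes a developer would reach for. The hostname shop.example, the order data and the function names are all constructed for the example.

```python
# Added example, not code from the jewelers' sites: an order lookup that
# trusts the id in the link, and two hardened variants.
import hmac
import secrets

# Constructed sample orders. The ids are sequential on purpose, which is
# exactly what makes the vulnerable lookup trivial to walk through.
ORDERS = {
    1001: {"customer": "alice", "items": ["ring"], "total": 349.00, "card_last4": "4242"},
    1002: {"customer": "bob", "items": ["watch"], "total": 1200.00, "card_last4": "1111"},
}
# One random, unguessable token per order, minted when the confirmation
# email is sent and stored with the order.
TOKENS = {oid: secrets.token_urlsafe(32) for oid in ORDERS}


def lookup_vulnerable(order_id):
    """Before: the link is /order?id=1001 and nothing else is checked, so
    changing the id in the link returns somebody else's order."""
    return ORDERS.get(order_id)


def lookup_for_user(order_id, session_user):
    """Fix 1 (logged-in page): the order must belong to the requesting user.
    'No such order' and 'not your order' deliberately look the same."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        return None
    return order


def confirmation_link(order_id):
    """The emailed link carries the per-order token, not just the id."""
    return f"https://shop.example/order?id={order_id}&t={TOKENS[order_id]}"


def lookup_by_token(order_id, token):
    """Fix 2 (unauthenticated email link): the presented token must match the
    one issued for that order; compare in constant time."""
    expected = TOKENS.get(order_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), (token or "").encode()):
        return None
    return ORDERS[order_id]
```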


Google + To Shut Down Even Earlier After New Breach

Sometimes even the great Google can’t catch a break.

After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network in August 2019.

But now Google has announced another flaw that affects over 50 million users, and Google has changed its mind and will shut down Google + in April instead of August.  The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was created when they fixed the old bug.  Source: The Hacker News.

House Oversight and Government Reform Committee Says Equifax Responsible for Breach

A House committee spent 14 months and an unknown amount of money telling us what we already knew:  The Equifax breach was totally preventable and CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach.   The Democrats say that there was a missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in it.  Our government at work.  Source:  The Hill.


The Swatters have Moved on to the Next Thing

Swatting is the practice of phoning in fake 911 calls about life threatening situations and having SWAT respond to random houses, scaring the crap out of the occupants and oftentimes doing thousands of dollars of damage, which the municipality has to pay for using tax dollars.

Earlier this year a gamer swatted what he thought was another gamer that he was upset with, but he had the wrong address and when SWAT arrived, they shot and killed the homeowner.  The officers did not face any charges and 25 year old Tyler Barriss pleaded guilty and will be sentenced to at least 20 years in jail.

Not satisfied with making small amounts of chaos and killing small numbers of innocent people, authorities today were faced with hundreds of bomb threat emails directed at schools, businesses and government buildings.   While no one was killed by police responding today, a large amount of police resources were wasted and police were likely diverted from responding to other incidents.

Some police departments, like New York, treated the bomb threats as hoaxes, but that could backfire badly if next time any of the bombs are real.

Some buildings were evacuated, including city hall in Aurora, Illinois, the News & Observer in Raleigh, North Carolina, a suburban Atlanta courthouse and businesses in Detroit.

In the Denver area, Columbine High School, the site of one of the first mass school shootings (in 1999) and the genesis of a total shift in police response tactics to active shooter incidents, went into lockdown as sheriffs and bomb squad techs looked for bombs.  That bomb threat was phoned in rather than sent by email.

Today’s events will likely give swatters more ideas and put police in more no-win situations.

The FBI has mobilized a national investigation.

As a target of a swatting incident, the best advice is to remain calm and do as instructed by the police.  Let them sort it out and deal with the fallout later.  Since the police have no way to know if the threat is real and who the “bad guys” are, they, unfortunately, sometimes make mistakes.

In this case, building owners, in cooperation with police, sheriffs and other law enforcement agencies had to make decisions.  Those decisions, if wrong, have the potential for catastrophic consequences.

It is interesting that different law enforcement agencies had different responses – from evacuation to shelter in place to ignoring the threat completely.

Since swatting has been around for several years and continues to be a problem for law enforcement, I suspect that this new version of mass swatting will continue that trend.

Police are not saying if they think today’s events are the work of one person or group of people or many, but I doubt that even if they arrest and prosecute a few people that it will discourage other crazies from trying it.

What is unprecedented in today’s activities is the scale – going from coast to coast and encompassing schools, religious institutions, government buildings and private businesses – over a hundred in all.

If this becomes popular, it seems inevitable that people will die in the chaos.

Unfortunately, there is not much that you can do preemptively to avoid these situations.  In the case of the Kansas man who was shot and killed by police, the emergency call was eventually traced to a phone in Los Angeles, but that took days to figure out.  When police get a 911 call, they have to react in seconds.

It is likely that police and sheriff’s dispatchers are looking at options after today, but I do not see many good options.

Information for this post came from the AP and the FBI.


NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, long time NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all around cyber guru says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.


Sextortion Campaign Adds a New Twist

Sextortion is malware that tries to convince you that the attacker has compromised your computer and has videos of you visiting adult web sites.  The attackers promise not to share the videos with your friends if you pay them money.  The videos do not exist, but scared people sometimes pay.

The new variant of the attack tells you to download a sample video to prove their claims.

In fact, the so called video is really malware.  The first piece of malware steals your account passwords, files and more.  The second piece of malware encrypts your data.

Before downloading the sample video you thought you had a problem.  After the download, you really do have a problem.

So, what should you do?

First of all, if you get a threatening email like the above, slow down, take a deep breath and consider things.

For most people – who don’t visit porn sites – keep your curiosity at bay and DELETE the email.  DO NOT OPEN THE ATTACHMENT!

I always recommend covering your webcam on your laptop.  If you have followed this advice, see the above.

For the very small group of people left, if you think that this video actually may exist, consult an expert.  They can safely deconstruct the attachment and figure out if it is really what the attacker claims.

Lastly, as I always say, backup early.  And often.  Preferably multiple copies.  If possible, at least one copy offline.  I keep at least one version of my backups in a bank vault.  Very hard to hack.

Source: Bleeping Computer.


News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.


Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.


Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today it is Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elasticsearch, exposed it to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on it quickly.  We are not talking brain surgery, folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.


Yet Another Elasticsearch Exposure – Belonging to UNKNOWN

Maybe this is Elasticsearch week.  Another group of researchers found a data trove of Elasticsearch data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposes to be defined later.  Source: Hackenproof.


Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.


Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

One way they kept it quiet was by not telling Speaker Paul Ryan, Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fallout.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.


Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes, another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.
