All posts by mitch tanenbaum

PHP Users Beware

Normally I would send this out as a client alert, but given the enormity of this, I think it needs wider distribution.

PHP is the “P” in the LAMP web server stack, as in Linux, Apache, MySQL and PHP.  PHP is the scripting language turned programming language that many web servers run on.

January 1, 2019 is a date that needs to be etched into your (virtual) daytimer.  It is the date on which support for older versions of PHP will end.

[Image: PHP end-of-life dates]

Version 5.6 of PHP will no longer get security patches as of December 31 – about 10 weeks from now.  Version 7.0 will stop getting patches in about 8 weeks.

If you are running Version 5 of PHP after the end of the year, ZDNet asks “do you feel lucky?”

W3Techs says that 78% of websites using PHP are using Version 5.

Of course you have to consider whether upgrading your website to a supported version of PHP will break anything, so you do have to test things, but, in general, it will probably work.

So, the question to ask is are you running an old version of PHP?  Many sites are.  If you are, do you have plans to upgrade?
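To answer that question on a server, here is an added example (not from the post): a small POSIX shell script that classifies a PHP version against branch end-of-support dates. The 5.6 and 7.0 dates are the ones the post gives; 7.1 and 7.2 are taken from php.net's supported-versions table. The `SUPPORT_ENDS` table and the `php_support_status` function are my own, not part of PHP or of any tool the post mentions.

```shell
#!/bin/sh
# Added example (not from the post): classify a PHP version against branch end-of-life dates.
# 5.6 and 7.0 dates are those in the post; 7.1 and 7.2 are from php.net's supported-versions
# table. Assumption: nothing newer is encoded; extend SUPPORT_ENDS from php.net as needed.
SUPPORT_ENDS="5.6:2018-12-31
7.0:2018-12-03
7.1:2019-12-01
7.2:2020-11-30"

# php_support_status VERSION TODAY -> UNSUPPORTED | SUPPORTED until YYYY-MM-DD | UNKNOWN ...
php_support_status() {
    version=$1
    today=$2
    branch=$(printf '%s' "$version" | cut -d. -f1,2)          # 5.6.38 -> 5.6
    end=$(printf '%s\n' "$SUPPORT_ENDS" | awk -F: -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$end" ]; then
        case "$branch" in
            [0-4].*|5.[0-5]) echo "UNSUPPORTED" ;;             # older than 5.6: long out of support
            *) echo "UNKNOWN branch $branch (extend SUPPORT_ENDS from php.net)" ;;
        esac
        return 0
    fi
    # ISO dates become comparable integers once the hyphens are stripped
    end_n=$(printf '%s' "$end" | sed 's/-//g')
    today_n=$(printf '%s' "$today" | sed 's/-//g')
    if [ "$end_n" -lt "$today_n" ]; then
        echo "UNSUPPORTED"
    else
        echo "SUPPORTED until $end"
    fi
}

# Stand-alone use: check the PHP interpreter on this host, if there is one.
if command -v php >/dev/null 2>&1; then
    local_version=$(php -r 'echo PHP_VERSION;')
    echo "PHP $local_version: $(php_support_status "$local_version" "$(date +%F)")"
fi
```

Run it on each web host (or call `php_support_status` with the version string from `phpinfo()` of a host you cannot shell into); anything that prints UNSUPPORTED is the upgrade-and-test work the post is talking about.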

If you don’t plan to upgrade, the only question to ask is

WHY?

Information for this post came from ZDNet.


The End of Fax Machines? Well Maybe. Why? Insecurity!

Seema Verma, the administrator of the Center for Medicare and Medicaid Services at the Department of Health and Human Services wants fax machines out of doctor’s offices by 2020.

CMS Administrator Verma

She wants them out of doctor’s offices because they are not cool.  She wants to replace them with super-non-secure apps for your phone that are way cool, but even less secure than that crappy fax machine.

She says that physicians are stuck in the 1990s, hence their use of fax machines, I guess.  She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some).  This is causing physician burnout.  Ask a physician about what is causing burnout – #1 is dealing with CMS and insurance companies and #2 is having to use those really bad apps that have already been developed Seema.

I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago.  I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories.  After all, what could go wrong?

We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.

HOWEVER, it is fair to look at fax machines.

WHY do people still use them?  Because they are ubiquitous.  They are everywhere.  In Japan, something like a third of the private households have fax machines.  That is a feat that very few countries can match, but almost every business has a fax number (actually, we do not!).

One reason that people use them is that they are SECURE.  I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.

Anyone ever get a fax that was not destined for them?

Anyone ever get a fax not destined for them that contained sensitive information?  VERY sensitive information?

Anyone ever see that sensitive fax just sitting on the fax machine?

Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?

How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?

So, the sender sends a fax to be secure.  Manages to dial the right number.  Sends the fax to some third party with unknown security.  Who takes that fax and sends it to you in an email.

WHY NOT JUST EMAIL IT IN THE FIRST PLACE.  THAT WOULD BE CHEAPER, FOR SURE, AND, GIVEN THERE ARE A LOT LESS MOVING PARTS, PROBABLY MORE SECURE, TOO.

To be fair, some fax services offer secure fax where they send you an email that you have a fax and then you have to log in and download it.  AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.

Do you see a problem here?

Bottom line is faxes are not secure and should not be perceived to be secure.

So what is there to do?

First of all, if you are using faxes because email is not secure, do not use a fax to email service.

If you are using a fax to email service, you need to do a security risk assessment on the service provider.  IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BAA WITH THAT SERVICE PROVIDER.  If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!

Again, if you have to use fax to email, use a service that offers a secure mailbox that allows you to download the fax over an encrypted channel.

If you are using one of those old fashioned fax machines, make sure that the inbound faxes can be secured until picked up by the RIGHTFUL owner.

If you are using one of those new fangled multi-purpose print/copy/fax machines, understand those machines have a hard disk in them (except for the very cheapest ones) and must be disposed of securely at the end of the lease or when ready to be discarded.  Higher end machines have hard disks that can be removed by a technician and given to you to shred (yes, really).  Lower end ones are not designed that way and you may wind up destroying the machine to get the disk out.  But do that anyway.

A much better way to deal with the problem is to create a SECURE web portal to replace that fax machine.  Remember the goal is not to replace one insecure technology with another insecure technology.

By the way, IF THE PORTAL IS HOSTED, THEY ARE STILL A HIPAA BUSINESS ASSOCIATE.  Sorry!

If all of this gives you a headache, contact us to help you sort this out.

Source: Healthcare IT News



Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, they have very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off its collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google rolls out version 70 of Chrome, Symantec’s SSL certificates will no longer be trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.  Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog.

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register.
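For site owners who want to know whether the two paragraphs above apply to them, here is an added example (not the post's code and not a Google or Mozilla tool): a POSIX shell script that fetches the chain a server presents and flags any issuer from the legacy Symantec-operated brands. It assumes `openssl` is installed; the brand list (Symantec, GeoTrust, Thawte, RapidSSL, VeriSign) is taken from Google's distrust plan and is an assumption of this script; the function names are mine; and the certificates in the demo are constructed self-signed ones, not real Symantec certificates.

```shell
#!/bin/sh
# Added example (not the post's code): flag a certificate chain whose issuer belongs to one
# of the legacy Symantec brands that Chrome 70 stops trusting. Assumes openssl is installed.
# The brand list is taken from Google's distrust plan and is an assumption of this script.
LEGACY_BRANDS='Symantec|GeoTrust|thawte|RapidSSL|VeriSign'

# Print LEGACY if any issuer in the PEM bundle $1 matches a legacy brand, otherwise OK.
check_chain_file() {
    # crl2pkcs7 | pkcs7 -print_certs lists "subject=" and "issuer=" for every cert in the bundle
    names=$(openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
            openssl pkcs7 -print_certs -noout 2>/dev/null) \
        || { echo "ERROR: could not parse $1"; return 1; }
    if printf '%s\n' "$names" | grep '^issuer=' | grep -q -i -E "$LEGACY_BRANDS"; then
        echo "LEGACY"
    else
        echo "OK"
    fi
}

# Write the chain a live server presents for host $1 to stdout as PEM (needs network access).
fetch_chain() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Constructed self-signed test certificate with organisation $1, written to $2 (key to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" -days 1 \
        -subj "/O=$1/CN=constructed test certificate" >/dev/null 2>&1
}

# Offline demo: two constructed certificates, one with a legacy-brand issuer and one without.
demo() {
    dir=$(mktemp -d)
    make_sample_cert "Symantec Corporation" "$dir/legacy.pem"
    make_sample_cert "Example Org" "$dir/modern.pem"
    echo "legacy.pem: $(check_chain_file "$dir/legacy.pem")"   # LEGACY
    echo "modern.pem: $(check_chain_file "$dir/modern.pem")"   # OK
    rm -rf "$dir"
}

# Usage: ./check_symantec.sh example.com   (checks a live host)
#        ./check_symantec.sh               (runs the offline demo)
if [ -n "$1" ]; then
    tmp=$(mktemp)
    fetch_chain "$1" > "$tmp" && check_chain_file "$tmp"
    rm -f "$tmp"
else
    demo
fi
```

The check only looks at issuer names, which is what matters for the Chrome 70 change: a certificate bought from one of those brands after DigiCert took over the business chains to DigiCert roots and will report OK, while an older one still chaining to a Symantec-era root reports LEGACY and needs replacing.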

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo.

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken.


Free Credit Freezes For All!

For years the big three national credit bureaus made buckets of money from people who were concerned about thieves stealing their credit.

You could “Freeze” your credit report which made it unavailable to creditors, with certain limited exceptions.  What this meant is that if someone stole your identity and tried to open a bank or credit account and that establishment tried to pull a credit report first, they would get a “no can do!” back from the 3 CRAs or Credit Reporting Agencies.  A smart creditor would not open an account for the fraudster at that point because they could not see if the person had good or bad credit.

This worked pretty well, but not perfectly, because there are a hundred smaller credit bureaus that some small companies used, but, for the most part, it worked.

The only problem was that each of the credit agencies charged you to freeze your credit – as much as $10 at each bureau, each time and they also charged you to remove the freeze, which you would need to do if you were financing a car or buying a cell phone or whatever.

A FEW states prohibited the CRAs from charging for freezes, but still it was a multi-million dollar revenue stream.

Until last month.

After the Equifax breach, there was a demand for free freezes, but nothing happened then.

The problem is that the creditors want unrestricted access to your credit report and if you put a freeze on it, they can’t have it.

Until last month.

Now the CRAs cannot charge you to put on or take off a freeze.

What’s more, if you request a freeze online or on the phone, the agency has 24 hours to put the freeze in place.

And if you want to remove that freeze?  They have 60 minutes to do that.

And if they don’t?

The FTC takes complaints at 855-411-2372.

There are a lot more details, all good for consumers, in the link at the end of the post.

Bottom line, finally the credit bureaus are doing a LITTLE something good for consumers.

Information for this post came from the FTC.


Remember the Old Days – When Laptops Had Chargers?

Back in the old days – like 2 or 3 years ago – laptops had power adapters that plugged into a charging connector and USB ports that allowed users to plug in USB peripherals like keyboards and flash drives and other devices.

In an effort to make things easier for users – and, in fairness, easier is good – computer and phone makers are making one universal connector which performs both functions.  This is actually being mandated in Europe.

There is only one problem and that is that the connector can perform both a power function and a data transfer function.

If YOU are the owner of the thingees that you are plugging into your computer or phone, then there is (probably) no security problem.

BUT, if you plug your phone or laptop into a USB-C cable in a public environment like an airport or hotel or something, then that is a different story.

I’m not saying that the airport or hotel is sinister, but how do you know that the cable or what it is connected to was not modified or, maybe, not even provided by the hotel or airport (or other public place)?

Since the connector is one and the same, it could charge your device.  OR, it could steal all your data.

Some operating systems can be set up to not allow data transfers, but that is likely not how most people configure them.  After all, that is inconvenient.

So…. New situation, new threat.

By the way, this is exactly how law enforcement extracts data from locked phones captured as evidence, so we know it works, at least some of the time.

And it could be an interesting attack vector for installing ransomware on your device.

What do you do?

First thing is, if you can, don’t use public charging stations, if possible.    That is not always possible.  Or convenient.

Second option is, if possible, configure your device to always ask if you want to allow charging ONLY or data transfer too.  Again, this may not be convenient or even possible.

The next option is to bring your own charging batteries.  These are affordably priced and come in all sizes.  I always carry one with me.  Here is an example of a pretty large one, although they come even bigger, for about $40 on Amazon.  Smaller ones are less expensive.  They can charge multiple devices at once and this one could charge your phone several times before it, itself, would need to be recharged.

The last option is a USB data blocker.  They come in many flavors such as this one at Amazon.  Some are a cable that you plug into the public charging station to protect yourself.  Others are an adapter.  In all cases, they only allow the charging pins to work and not the data transfer pins.  You will need to figure out what configuration works for you.

The point is that there are several options to choose from – pick the one that works the best for you, but do not use a public charger without protection.  Source: The Conversation.


Last option is a very small gizmo that you can plug your


Google Plus Breached Last March – Will Shut Down in 10 Months

You have to admire the gall of some marketing departments.

Today, Google announced that it was shutting down the consumer version of Google Plus after a breach of 500,000 users’ information.  SIX MONTHS AGO.

They said they shut it down because user engagement was low – I guess that means that no one was actually using it and that 90 percent of the sessions lasted less than FIVE SECONDS.

Of course, up until today, Google Plus was wonderful.

Now that they have to deal with a breach – including, likely, an investigation under GDPR (joining Facebook), from the FTC and likely from Congress, they say that it wasn’t important to them.

The good news is that the information that was breached was less sensitive – name, email, gender, occupation and age.

Still, it is hard to spin this in a positive light.

In an effort to do so, they also announced that they are implementing some new privacy controls – more granular ones – to control what developers can do with your data.

They are also limiting what apps can do once you give them access to your GMail.

Oh, yeah, the reason that they didn’t tell you before now was because of fear of government regulation and being compared to Cambridge Analytica.  It said that it couldn’t tell exactly which users were affected and didn’t find evidence of misuse.  I am sure that all of this will sit well with regulators and Congress.

As these data platforms get bigger, it is going to be a challenge to deal with any breach.

I can’t see how hiding this for more than 6 months is going to work out well for Google, but stay tuned.

For those few users that logged into it for five seconds – you are going to have to find a new platform.

Information for this post came from CNBC, The Verge and CNBC again.
