Category Archives: Best Practices

The End of Fax Machines? Well Maybe. Why? Insecurity!

Seema Verma, the administrator of the Centers for Medicare & Medicaid Services (CMS) at the Department of Health and Human Services, wants fax machines out of doctors’ offices by 2020.

She wants them out of doctors’ offices because they are not cool.  She wants to replace them with super-non-secure phone apps that are way cool but even less secure than that crappy fax machine.

She says that physicians are stuck in the 1990s, hence their use of fax machines, I guess.  She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some) and that this is causing physician burnout.  Ask a physician what is causing burnout: #1 is dealing with CMS and insurance companies, and #2 is having to use those really bad apps that have already been developed, Seema.

I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago.  I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories.  After all, what could go wrong?

We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.

HOWEVER, it is fair to look at fax machines.

WHY do people still use them?  Because they are ubiquitous.  They are everywhere.  In Japan, something like a third of private households have fax machines, a feat very few countries can match, and almost every business has a fax number (actually, we do not!).

One reason people give for using them is that they are SECURE.  I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.

Anyone ever get a fax that was not destined for them?

Anyone ever get a fax not destined for them that contained sensitive information?  VERY sensitive information?

Anyone ever see that sensitive fax just sitting on the fax machine?

Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?

How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?

So, the sender sends a fax to be secure.  Manages to dial the right number.  The fax lands at some third party with unknown security, who takes that fax and sends it to you in an email.

WHY NOT JUST EMAIL IT IN THE FIRST PLACE?  THAT WOULD BE CHEAPER, FOR SURE, AND, WITH FAR FEWER MOVING PARTS, PROBABLY MORE SECURE TOO.

To be fair, some fax services offer a secure fax option where they email you a notice that a fax has arrived and you have to log in and download it.  AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.

Do you see a problem here?

Bottom line is faxes are not secure and should not be perceived to be secure.

So what is there to do?

First of all, if you are using faxes because email is not secure, do not use a fax-to-email service.

If you are using a fax-to-email service, you need to do a security risk assessment of the service provider.  IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BAA WITH THAT SERVICE PROVIDER.  If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!

Again, if you have to use fax-to-email, use a service that offers a secure mailbox and lets you download the fax over an encrypted channel (HTTPS behind a login), rather than one that attaches the fax to an ordinary email.

If you are using one of those old-fashioned fax machines, make sure that inbound faxes are secured until they are picked up by the RIGHTFUL owner; at minimum, the machine should not sit where anyone walking by can read what is on it.

If you are using one of those newfangled multi-purpose print/copy/fax machines, understand that those machines have a hard disk in them (except for the very cheapest ones) that keeps copies of what was printed, copied and faxed, and they must be disposed of securely at the end of the lease or when you are ready to discard them.  Higher-end machines have hard disks that a technician can remove and hand to you to shred (yes, really).  Lower-end ones are not designed that way and you may wind up destroying the machine to get the disk out.  Do it anyway.  Many of these machines also offer a disk-overwrite or disk-encryption option; turn it on, but still destroy the disk at end of life.

A much better way to deal with the problem is to replace that fax machine with a SECURE web portal: authenticated users, TLS on every connection, and an audit log of who downloaded what.  Remember the goal is not to replace one insecure technology with another insecure technology.

By the way, IF THE PORTAL IS HOSTED, THEY ARE STILL A HIPAA BUSINESS ASSOCIATE.  Sorry!

If all of this gives you a headache, contact us to help you sort this out.

Source: Healthcare IT News

Free Credit Freezes For All!

For years the big three national credit bureaus made buckets of money from people who were concerned about thieves stealing their identities.

You could “freeze” your credit report, which made it unavailable to creditors, with certain limited exceptions.  What this meant is that if someone stole your identity and tried to open a bank or credit account, and the establishment tried to pull a credit report first, they would get a “no can do!” back from the three CRAs, or Credit Reporting Agencies.  A smart creditor would not open an account for the fraudster at that point because they could not see whether the person had good or bad credit.

This worked pretty well but not perfectly, because there are a hundred smaller credit bureaus that some small companies use, but, for the most part, it worked.

The only problem was that each of the credit agencies charged you to freeze your credit, as much as $10 at each bureau each time, and they also charged you to remove the freeze, which you would need to do if you were financing a car or buying a cell phone or whatever.

A FEW states prohibited the CRAs from charging for freezes, but still it was a multi-million dollar revenue stream.

After the Equifax breach there was a demand for free freezes, but nothing happened.

The problem is that the creditors want unrestricted access to your credit report and if you put a freeze on it, they can’t have it.

Until last month.

Now the CRAs cannot charge you to put on or take off a freeze.

What’s more, if you request a freeze online or on the phone, the agency has 24 hours to put the freeze in place.

And if you want to remove that freeze?  They have 60 minutes to do that.

And if they don’t?

The FTC takes complaints at 855-411-2372.

There are a lot more details, all good for consumers, in the FTC material this post is based on (see below).

Bottom line, finally the credit bureaus are doing a LITTLE something good for consumers.

Information for this post came from the FTC.

Remember the Old Days – When Laptops Had Chargers?

Back in the old days – like 2 or 3 years ago – laptops had power adapters that plugged into a dedicated charging connector, and separate USB ports for peripherals like keyboards, flash drives and other devices.

In an effort to make things easier for users – and, in fairness, easier is good – computer and phone makers are moving to one universal connector, USB-C, that performs both functions.  This is actually being mandated in Europe.

There is only one problem, and that is that the same connector carries both power and data.

If YOU own the things you are plugging into your computer or phone, then there is (probably) no security problem.

BUT, if you plug your phone or laptop into a USB-C cable in a public environment like an airport or hotel or something, then that is a different story.

I’m not saying that the airport or hotel is sinister, but how do you know that the cable or what it is connected to was not modified or, maybe, not even provided by the hotel or airport (or other public place)?

Since the connector is one and the same, whatever is on the other end could charge your device.  OR, it could talk to it over the data pins and steal your data.

Some operating systems can be set up to refuse data transfers over a newly plugged-in port, but that is likely not how most people configure them.  After all, that is inconvenient.

So…. New situation, new threat.

By the way, connecting over that same port is exactly how law enforcement extracts data from locked phones captured as evidence, so we know it works, at least some of the time.

And it could be an interesting attack vector for installing ransomware on your device.

What do you do?

First, don’t use public charging stations if you can avoid it.  That is not always possible.  Or convenient.

Second, if possible, configure your device to always ask whether you want to allow charging ONLY or data transfer too.  Most phones already default to charge-only and prompt before allowing data, so do not tap “Trust” or switch to file transfer while plugged into something you do not own.  Again, this may not be convenient or even possible on every device.

The next option is to bring your own charging battery.  These are affordably priced and come in all sizes.  I always carry one with me.  A pretty large one, although they come even bigger, costs about $40 on Amazon; smaller ones are less expensive.  They can charge multiple devices at once, and a large one can charge your phone several times before it, itself, needs to be recharged.

The last option is a USB data blocker (sometimes sold as a “USB condom”).  They come in many flavors and are widely sold on Amazon.  Some are a cable that you plug into the public charging station to protect yourself; others are an adapter.  In all cases, they only pass the power pins and not the data pins.  One caveat for USB-C: the blocker still has to pass the CC pins so that Power Delivery can negotiate a charging rate, so check that the one you buy supports the wattage your laptop needs.  You will need to figure out what configuration works for you.

The point is that there are several options to choose from – pick the one that works best for you, but do not use a public charger without protection.

Source: The Conversation.
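How a laptop can be told to refuse new USB devices, as an added example that is not part of the original post. It is for a Linux laptop (phones handle this with their own charge-only prompt) and uses the kernel’s per-host-controller authorized_default switch: with it set to 0, anything plugged into a port is left unconfigured, so a hostile “charger” cannot present itself as storage, a keyboard or a network adapter, while charging, which is negotiated on the power and CC lines independently of USB enumeration, still works as long as the laptop is the USB host (its normal role). The sysfs path is the real one; the SYSFS_USB override exists only so the functions can be exercised against a fake directory tree.

```shell
#!/bin/sh
# Added example, not code from the original post. Locks a Linux host against
# new USB devices so a public USB-C "charger" can only supply power.
# Real path: /sys/bus/usb/devices/usb*/authorized_default (needs root).
# SYSFS_USB is overridable so the functions can be tested on a fake tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# usb_lock_new_devices MODE   (0 = deny new devices, 1 = allow them)
# Writes MODE into authorized_default of every root hub. Devices that are
# already connected keep their state; anything plugged in later gets MODE.
# Returns 0 if at least one root hub was updated, 1 on write failure,
# 2 on bad usage.
usb_lock_new_devices() {
  mode="$1"
  case "$mode" in
    0|1) ;;
    *) echo "usage: usb_lock_new_devices 0|1" >&2; return 2 ;;
  esac
  n=0
  for f in "$SYSFS_USB"/usb*/authorized_default; do
    [ -e "$f" ] || continue          # glob did not match: no root hubs here
    printf '%s\n' "$mode" > "$f" || return 1
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]
}

# usb_list_authorized: print "device state" for each connected device or
# interface, where state is 1 (kernel is using it) or 0 (kernel refused it).
usb_list_authorized() {
  for f in "$SYSFS_USB"/*/authorized; do
    [ -e "$f" ] || continue
    printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(cat "$f")"
  done
}

# usb_count_blocked: how many connected devices the kernel is refusing.
# Useful right after plugging into an unknown port: a non-zero count means
# the "charger" tried to enumerate as a data device.
usb_count_blocked() {
  usb_list_authorized | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Typical use before plugging into an airport charging station:
#   sudo sh -c '. ./usb-lock.sh; usb_lock_new_devices 0'
# and afterwards:
#   usb_count_blocked     # 0 = nothing tried to talk to you
#   usb_lock_new_devices 1
```

To make the deny-by-default setting survive a reboot, boot with `usbcore.authorized_default=0`; you then re-enable a specific device you trust by writing 1 to that device’s own `authorized` file instead of reopening every port. The trade-off is the one the post warns about: with the lock on, a wired keyboard or flash drive you plug in later is also refused until you authorize it.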

Last option is a very small gizmo that you can plug your


Visit New Zealand – Fork Over Your Passwords or Risk Being Prosecuted

In what is thought to be a first for any country, travelers entering New Zealand who do not turn over their phone passwords during searches could be arrested, prosecuted and fined more than $3,000.  This applies to citizens and foreigners alike.

A New Zealand customs spokesperson said that the new fine is an appropriate remedy to balance individuals’ privacy and national security.  I am not sure what the balance is here.

In many countries law enforcement can examine your digital devices, but if you do not unlock them it is up to them to figure out how to get in.

I suspect that this will become a bit of a trend.

Once law enforcement has the phone, unlocked, you have to assume that whatever is on the phone – from nude selfies to business trade secrets – has been compromised.  There is no way to know whether that data is handled securely afterwards.  Given most governments’ security track records, this is probably a sad reality.

In the case of New Zealand, the customs agent has to have some (undefined) suspicion of wrongdoing in order to invoke the new law.

Things that you can do to minimize the pain:

Large companies that are concerned about security are giving their employees burner phones and burner laptops when they travel abroad.

These same companies require employees to get approval for any data files that they load onto these devices.

For private citizens, this applies as well.  Don’t take your laptop; buy a burner phone at Walmart or Best Buy and load only what you need.

Alternatively, store the data you will need while abroad in the cloud, encrypted; download it while abroad, upload your changes before you cross any borders, and then delete it and overwrite the deleted files with software like the free program CCleaner.  One caveat: on the flash storage in phones and modern laptops, overwriting does not reliably destroy old data, so a file you “deleted” before the border may still be recoverable.  The safer plan is for the data never to have been on the device, or to travel with a device you wiped and set up fresh.

If you believe Snowden, intelligence analysts like sexy photographs and swapped them internally like baseball cards.  I would suspect that practice applies to customs agents as well.  If the data isn’t there, they cannot do that.

It is likely that you will pass through customs unmolested – in the U.S. last year, customs searched only several tens of thousands of devices out of hundreds of millions of travelers – but if you are concerned, there are some easy and inexpensive steps that you can take.

Source: NY Times.

Home Internet Router Hack Steals Banking Credentials

An attack that was originally spotted in August affecting D-Link routers has spread to over 100,000 routers across 70 different models.

The attack originally targeted Brazilian banking customers by compromising their internet router and changing the DNS server it uses, or hands out to the home network, so that the bank’s hostname resolves to a bogus, look-alike banking site.  The address bar still shows the bank’s name, and from there the attackers steal your credentials.

Not satisfied with the catch, the attackers are ramping up.  The attack looks for default and easy-to-guess router admin passwords and other router vulnerabilities.

This attack is going to be difficult to stop unless people deal with it on their own routers.

What to do?

Make sure that your router’s admin interface is not accessible from the Internet: turn off “remote management” or WAN-side administration.  It is difficult to secure that interface, so just make it invisible.

For banking, make sure that you use two-factor authentication.  While it does not make the hacker’s job impossible, it makes it much harder.  And do not click through certificate warnings: a look-alike site reached through hijacked DNS generally cannot present a valid certificate for the bank’s real hostname.

Change default router passwords to ones that are hard to guess.

Finally, make sure that you patch your router regularly or configure it to patch itself automatically, and look at its DNS settings now and then: if the DNS servers are not the ones you or your ISP set, you have been hit.

Make your local hacker work to get into your network.
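Two checks for the router-side DNS hijack described above, as an added example that is not part of the original post or of any reported campaign’s tooling: a resolver audit that flags any nameserver this host is using that is not on a list you chose, and a live comparison of what your LAN resolver and a trusted public resolver return for your bank’s hostname. The configuration format assumed is resolv.conf; the allowlist addresses and bank.example are placeholders; dig is needed only for the live check. If the router keeps handing out its own address and merely forwards queries to the attacker, only the live comparison sees it, so run both.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects the DNS hijack
# described above from the client side. Assumptions: resolv.conf-style
# config; `dig` installed for the live check; addresses are placeholders.

# dns_unexpected_resolvers FILE ALLOWLIST
#   Prints each "nameserver" address in FILE that is not in the
#   space-separated ALLOWLIST (your router, your ISP, or a public resolver
#   you picked). Returns 1 if any were found, 0 if every resolver is known.
#   Catches a router whose DHCP now hands out an attacker's resolver.
dns_unexpected_resolvers() {
  file="$1"
  allow=" $2 "
  found=0
  # drop comments (# or ;), keep nameserver lines, take the address field
  for ns in $(sed 's/[#;].*//' "$file" | awk '$1 == "nameserver" { print $2 }'); do
    case "$allow" in
      *" $ns "*) ;;                                   # known, fine
      *) printf 'unexpected resolver: %s\n' "$ns"; found=1 ;;
    esac
  done
  return "$found"
}

# dns_answers_match NAME LAN_RESOLVER TRUSTED_RESOLVER
#   Live check (needs network and dig): ask both resolvers for NAME's
#   A records and compare the sorted sets. Returns 0 when they agree,
#   1 when the LAN resolver answers differently or not at all. This is the
#   check that sees a router that forwards your queries to the attacker.
dns_answers_match() {
  name="$1"; lan="$2"; trusted="$3"
  a="$(dig +short +time=3 +tries=1 A "$name" @"$lan" 2>/dev/null \
       | grep -E '^[0-9.]+$' | sort)"
  b="$(dig +short +time=3 +tries=1 A "$name" @"$trusted" 2>/dev/null \
       | grep -E '^[0-9.]+$' | sort)"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use on a home machine (placeholders: your router is 192.168.1.1,
# your chosen public resolver is 1.1.1.1, your bank is bank.example):
#   dns_unexpected_resolvers /etc/resolv.conf "192.168.1.1 1.1.1.1" \
#     || echo "resolver list changed: check the router"
#   dns_answers_match bank.example 192.168.1.1 1.1.1.1 \
#     || echo "LAN resolver steers bank.example elsewhere: check the router"
```

Large sites served from a CDN can legitimately return different addresses to different resolvers, so a mismatch on such a name is a prompt to look at the router’s DNS settings, not proof by itself; a mismatch on a name that normally resolves to one fixed address, or a resolver you never configured, is the signal to act on.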

Source: The Register.

Voice Phishing Scams Are Getting Better

Brian Krebs, former WaPo columnist turned security sleuth (after the Washington Post eliminated his position because cyber security was not important), reported on several recent vishing (voice phishing) scams, two of which involved large sums of money.

These are a word to the wise, both personally and for businesses.

In the first case, Matt Haughey, creator of the community blog MetaFilter and a writer at Slack, received 3 calls in a row that appeared to come from his credit union.  After ignoring two of them, he answered the third, and it was a phishing attack.

The scammer claimed that they had blocked two phony-looking charges made in Ohio on his debit card.  She knew, and was able to tell him, the last four digits of his card number.

He asked for a replacement card because he was about to travel, and the caller said he could keep using his card until he got back but they would block suspect charges.  The scammer read him his entire home address and then asked for his PIN (so that the caller could empty his bank account).  She also asked for the CVV2 code on the back of his card (so that she could make phony cards and phony charges).

With the card number, the PIN and the CVV2, she had everything she needed to clone the card and use it at an ATM.

When he visited his credit union in person, he discovered that he had been had and that his bank account was $2,900 lighter from a charge in Atlanta and another $500 lighter from an ATM withdrawal.  The very nice scammer left him with $300 in the bank.

The second attack was on Cabel Sasser, founder of a Mac and iOS software company called Panic.

Again he received a call, this time claiming to be from the Wells Fargo fraud department.  His corporate card had been charged $10,000 for metal air ducts (how, exactly, do you convert that to cash?).

After he disputed the charge the bank sent him a new card.  That card was hit for a $20,000 bogus charge for custom bathtubs.

He was trying to figure out how this was happening (I have an idea, but if you are curious, you will have to contact me) when he got the bogus fraud department call.

Do you have the card?  What is the CVV2 number?  Key in a new PIN.  Key in your current PIN.  The caller told him the last four digits of his Social Security number to calm his fears.

After $30,000 in fraud, his antennae were up, so he told the fraudster he would call the bank back using the number on the card.  Surprise – the bank had no record of new fraud, and they had not called him.

The article goes on to give two more examples.  I regularly get these calls and love to have fun with the scamsters, but I am a little strange.

So what should you do?

#1 – Be aware that these scams are rampant.  The reason they are rampant is that they work very well.

#2 – DO NOT TRUST caller ID.  There is no security whatsoever in the caller ID system; the number you see is whatever the caller chose to send.  I could call you and have it appear that the call was from President Trump.

#3 – Understand that with all of the breaches, there is virtually no information that is not in the wild.  One thing that I do is lie on security questions.  That definitely makes things harder for a scammer, but you have to (a) not repeat the lies from company to company and (b) remember what your lie was.  I use my password manager for that.  If it asks what my favorite color is (I don’t have one), I might answer orange one time, blue the next and green the third time.  As long as I record my answers, I am good.  I do understand that this involves a lot of work, so most people are not up for that.

#4 – last, but most important, if you RECEIVE a call from <your bank> , DO NOT ASSUME that it is your bank.  I know that is a stretch, but $30,000 later, Cabel learned that lesson.  

Call back.  Visit your bank in person.  Call the local branch.  If you have a person at the bank that you have a relationship with (a personal banker), call that person.  

This whole scam model works because people are too quick to trust.

I know that is a terrible thing to say, but it is also terrible to get your bank account cleaned out.

All I can say is beware: it’s out there on a massive scale.  BECAUSE IT WORKS!

Information for this post came from Brian Krebs.