Category Archives: Best Practices

Does Quantum Computing Mean the End of Encryption

If you believe all of the news reports, quantum computers are here and can break Quantum Computing Mean the End of Encryption all of the encryption that we have ever used.

A bit hyperbolic.

Dorothy Denning, a very well know security researcher who has written 4 books and over 200 articles while teaching at Purdue, Georgetown and the Naval Postgraduate School wrote a very readable article on the subject.

She explains what is and what is not real and why.  In English.

She makes a distinction between symetric key encryption like AES and public key encryption.  For AES,  there are reasonable solutions to the problem.

For public key encryption, one algorithm is based on the supposedly hard problem of factoring numbers.  So far the largest number that they have factored is 15 (4 bits).  Given that most public key encryption is 1,024 or 2,048 bits, they are not quite there. yet.

One study said that quantum computers would need to be 100,000 times faster and 100 times less error prone.

But they will get there.

However, the National Institute of Standards (NIST) is evaluating 69 new potential post quantum encryption algorithms.  They plan draft standard by 2024 if not sooner.

So as long as quantum computers don’t get 100,000 times faster and 100 times more reliable in the next 5 years or so, we are probably OK.

Read Dr. Denning’s article here.  Put your mind at ease.

 

 

Facebooktwitterredditlinkedinmailby feather

Malware Disguises Itself as Amazon Order Confirmation Email

Merry Christmas!

The hackers, of course, do not take Christmas off and are working hard to ruin yours.

Today’s story is about a very active spam campaign that is disguised as Amazon order confirmations.  The first stage of the campaign looks something like this with different subject lines:

Notice that you have to click on ORDER DETAILS to see what the order is.  For many people thinking they didn’t order anything, they get concerned that their account has been hacked and will click on it.  From Amazon’s side, they are always changing things, so people might think “there the fools in Seattle go changing things again” and not give it much more thought.

If you hover over almost all of the links, it will show the legit Amazon links.  Except for the order details link.

It downloads a Microsoft Office Word document.

Think about that for a minute.   Times up!  Does that reasonably seem like something Amazon have ever done in their entire existence?  NO!  That is the first clue.

Then it tells the reader to enable macros (what Microsoft calls enable content now).  That should be a really big red flag.  But not to some.  They don’t read the software license agreements and other legal documents that they are bound by so why read this.

That fires off stage three.  A Powershell script downloads the Emotet malware.  The hackers give it different names, but so far it is always Emotet.

Emotet grew to fame as a banking trojan – stealing passwords to empty your bank account out.

Now it is logging all of your keystrokes, silently, sending your userids, passwords, contacts, emails, texts, etc. to Indonesia and U.S. servers which were previously compromised.

So what are my tips regarding this?

Hover over the link to validate what site it is going to.

Better still, open a new browser window and go to HTTPS://www.amazon.com yourself.  If you don’t see the order, it isn’t Amazon.

If someone asks you to enable macros, just don’t do it.  There are rare occasions, possibly at work, but make sure to validate it independently – like call the help desk.

This virus is particularly nasty and you really want to avoid it  if you can. 

Now that this has been exposed, look for variations on this theme – like a Netflix email instead of an Amazon email.

Information for this post came from Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

When Employees Leave

Here is a scary thought:

According to research, 59% of employees who leave will steal proprietary data, 20% will sell passwords to an outsider and 44% will do so for $1,000.

If you don’t already have a employee termination checklist, consider this the perfect start for that list:

  1. Cancel the employee’s accounts.  Now that companies are using a lot of cloud services, it is no longer sufficient to just cancel their Windows domain account or Google account.  Think Dropbox and Slack and a hundred other services.
  2. Disable the employees access badge.  This seems like a duh, but people sometimes forget.
  3. Remove people from any lists that a third party has.  If the person was authorized to call a vendor and make something happen, make sure that they are removed from ALL of those lists.
  4. Check system and building logs for the three months prior to the employee leaving for unusual activity.  That includes the logs for cloud services.
  5. Conduct an exit interview.  While you can’t force someone to do that, most people will and you might get some useful information.
  6. If the person is being terminated, document this contemporaneously in the employee’s personnel file.  These people are the most likely to sue and the most likely to steal data.  If the person had an idea that this was coming, see #4 above.
  7. If the person is being laid off, they are less likely to sue than if they are being fired, but equally likely to steal data.  See number 6 above, then number 4.
  8. Remind people that they still have to comply with any confidentiality agreements that they signed (they did sign one, right?).  Just because they are leaving for any reason does not remove the responsibility to keep confidential stuff confidential.
  9. Make sure that you pay the person what they are owned.  Every state has different rules, but sometimes if you fire someone you have to get them their check at that moment.  Not the next day or the next pay period.  That alone can give someone the right to sue you.   Make sure you give people back their possessions and collect all company property.   Even if you don’t get company property back, in most states you cannot withhold their paycheck.
  10. Make sure that the company and all employees don’t disclose confidential information about the departing employee.  Doing so can leave the company open to lawsuits.

Finally, if you have any questions, consult a knowledgeable attorney.

As you read this list, think about what you can and can’t do today and then fix it.  For example if you fired Joe tomorrow, do you know ALL (yes, ALL) of the accounts that he has access to.  That is just an example.

While this list is not complete, it is a good start.  Create your list now if you don’t have one or update your list if you do.  Then see if it needs to be updated periodically.

Information for this post came from the New Orleans City Business blog

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out of band patch for an Internet Explorer zero day bug that affects IE 9, 10 and 11 on Windows 7,8,10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.

 

Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared it to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.

 

Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise), all ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).

 

Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was  detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer and was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained,

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.

 

Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

Facebooktwitterredditlinkedinmailby feather

Seven Common Cybersecurity Mistakes to Avoid

Many companies do not have adequate cybersecurity protection on their website and systems.  Why?  Here’s some common misconceptions.

It won’t happen to us

While some attacks are targeted to particular companies, the overwhelming majority of attacks are targets of opportunity.  That means that you are just as likely to be attacked as a Fortune 500 company.  Realistically, smaller firms are an easier attack target because they do not have robust cybersecurity programs.

We Don’t Need to do monitoring

Marriott is the poster child of what happens if you don’t have adequate monitoring in place.  That mistake, possibly including the mistake above, caused hackers to be able to roam freely inside Marriott-Starwood’s customer information for FOUR YEARS before being detected. You have to monitor.  Everything.  All the time.

Not implementing the basics

One of the biggest breaches in U.S. history, Equifax, happened because they didn’t patch a known vulnerability in one of their servers.  Equifax also used a userid of Admin and a password of Admin for one of their servers. Implement the basics.

Failing to inventory where data is located

If you don’t know where it is, you can’t protect it.  You have to know where your data comes from, where it goes to and how it gets there.  That documentation must be kept current as well.  Once you have it you have to look at it to figure out where the weaknesses are.

Not testing the security

Assuming that things are secure is a big mistake.  We work with white hat (good guy) hackers.  Often it takes them 5-10 minutes to break in to their targets.  This includes physical intrusions as well as cyber intrusions.

One of the most important and least acted on testing is on applications that a company’s software development teams create.

Not making cybersecurity training mandatory and often

Users are the most common source cyber compromises.  Many companies still do training once a year.  Annual training is not very effective because people forget really quickly.  Train early and train often.

Not addressing the risk from your vendors

Vendors represent a huge risk to most companies.  A few really famous vendor induced breaches include Target, Home Depot and the Office of Personnel Management.  There are many more and many that are never disclosed.  Many of the recent retail point of sale breaches were the result of bad security on the part of vendors.  Maybe you can sue your vendors to recover your losses.  Maybe not.  If you do sue, expect not to see a dime, even if you win, for years.  And, your customers don’t care if one of your vendors caused the breach.  It is still your fault.

While just doing the basics won’t make you bulletproof, it will make it harder and hopefully the bad guys will go elsewhere.

Information for this post came from Compliance and Ethics.

Facebooktwitterredditlinkedinmailby feather

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, who’s software they were using.

The former employee accessed (but didn’t appear to do anything evil with the data) the data twice, two months apart.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has as good a security as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.

 

 

Facebooktwitterredditlinkedinmailby feather