Category Archives: Compliance

Covid-19 Does NOT Mean No Ransomware

Three separate ransomware stories – all against healthcare organizations, even though SOME hackers SAID they weren’t going to hack healthcare. Of course, what makes you think you can trust folks who break the law for a living?

#1 – Largest Private Hospital Company in Europe Hit By Ransomware

Fresenius is Europe’s largest hospital operator and a major provider of dialysis equipment and services. The company said that the hack has “limited some of its operations but that patient care continues.”

You can’t expect them to say anything different, but the part of its operations that are limited are likely those that use computers. Which is pretty much everything.

They have four business units – kidney patient care, operating hospitals, pharmaceutical provider and facilities management. I am sure that none of those depend on those ransomed computers.

Fresenius employs nearly 300,000 people.

To make matters worse, the particular malware, SNAKE, is built to target industrial control systems – the kind of embedded, networked equipment a hospital is full of. None of those in your average hospital, of course.

SNAKE is one of the “ransomware 2.0” family: the attackers steal your private data before they encrypt it and threaten to publish it if you don’t pay up. That means backups, which only solve the encryption half of the problem, are not a complete defense against these attacks. Credit: Brian Krebs

#2 and #3 – Two other Ransomware 2.0 attacks went after plastic surgery clinics.

One was Dr. Kristin Tarber’s clinic in Bellevue, Washington.

There the hackers published patient medical histories.

The other is in Nashville, TN: the attackers hit the Nashville Plastic Surgery Institute D/B/A Maxwell Aesthetics and stole patient history data, health insurance information, surgery information and other data.

I haven’t seen the stolen/published data from these hacks, but in other plastic surgery hacks, they have published photos of plastic surgery of body parts that are not usually exposed, if you get what I mean.

The challenge for the healthcare industry is that the insurance companies and government reimbursements are really reducing margins.

Until the folks that control their reimbursements decide that getting shut down for weeks, or operating off paper charts with no visibility into patient history, is not a good thing, expect there to be a lot more breaches.

For the hackers, this is very lucrative. I would not be surprised if this is a revenue stream for North Korea.

I definitely feel for the healthcare providers. They want to do the right thing, but they don’t have the money.

This year the Department of Defense, which has had its own problems with hackers, decided that security is not optional and will actually reimburse defense contractors for the costs of implementing security.

The healthcare industry hasn’t gotten there yet. Hopefully it will. Otherwise, expect your medical information to be available for sale on the web. Credit: SC Magazine

Security News for the Week Ending October 18, 2019

Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy

In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results.   54 state agencies did not respond to the audit.   38% of those responding did not encrypt sensitive data.  22 agencies had not conducted a third party security risk assessment.  11 did not even have a cybersecurity policy plan.  Overall, over half of the respondents (remember 54 agencies did not even respond) were less than 75% compliant with state law.  State agency heads know that, unlike you or me, they are not going to get hauled into court for breaking the law and if they get fined, it isn’t their money.  I wonder how typical this is in other states.  Source: Govtech


Karma Wins

Dark web website BriansClub (named after former WaPo journalist turned security author, columnist and speaker Brian Krebs, but which has no relation to him) was hacked.

BriansClub is in the business of selling stolen credit cards and apparently they do very well, thank you.  In the first 8 months of this year, the site sold about 9 million stolen credit cards, netting the site’s operator $126 million (in 8 months).   If we assume an average loss to the credit card issuer of $500 per card, that represents roughly a $4.5 billion loss.

But now hackers hacked the hacker and stole 26 million credit cards from them.  Needless to say, BriansClub can’t ask the cops for help.

Remember that this is only ONE site on the dark web, so you can kind of get an idea of the massiveness of online fraud.

Krebs shared this data with the fraud folks in the credit card industry, so hopefully they can shut off these cards and make life a little better for the victims.

Source: Brian Krebs


Hotel [NON] Security

Kevin Mitnick, the Chief Hacking Officer of security training company KnowBe4, posted a video on YouTube about the security – or more accurately the lack of security – of hotel room safes.  I always assumed that they had backdoor override codes, because people are pretty likely to forget whatever combination they set.

The problem is not that the override exists; it is that nobody bothers to change it from the factory default of all zeros.  If the hotel never changes it, anyone who knows the default can open every safe in the building.  See the video on YouTube.


One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack

One of the President’s web sites left a debugging tool enabled which allowed an attacker to hijack the site’s email server and intercept, read or send emails from that domain.  Trump’s website is one of hundreds that have left the tool enabled.

The researcher who discovered it worked very hard – much harder than he should have had to – in order to get the Trump campaign to fix the bug.  How long the data on the site was exposed is unknown.  Source: Threatpost.


Samsung Issues Alert for Fingerprint Reader Fail

Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of your S10 anyone’s fingerprint will unlock the phone.

Samsung’s response was that you should only use official Samsung accessories.  FAIL!!!   Early Samsung branded screen protectors had a hole over the fingerprint sensor to fix this problem.  Why fix the problem if you can die cut the screen protector for a whole lot less?

Samsung is working on a fix, but this is another example of convenience over security.  Fingerprint and facial scan readers on inexpensive (relatively) consumer devices are low security.  In fact, biometrics should never be used to authenticate you, only to identify you.  Source: Ars


California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act, the only law in the country that gives consumers substantial control over their data in the hands of third parties such as Internet based companies.

Now AB 1906 is headed to Governor Brown to sign.  If he does, and there is no reason to think that he won’t,  it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device.  A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law calls out is the use of shared default user IDs and passwords like admin/admin or user/user.  It says that it would be a reasonable security feature if the password required to access the device is UNIQUE to each and every device, or if the device requires the user to change the password before it is available online.
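What those two options look like in practice, as an added example (this is not code from the original post, the statute or any manufacturer; the device model, the `KNOWN_DEFAULTS` list and the serial numbers are constructed for illustration). It provisions a per-device secret from a CSPRNG, refuses the shared defaults the law names, gates network services on a forced first-login password change, and, for contrast, shows the “unique but predictable” pattern of deriving the password from the serial number, which anyone who can read the label or sniff the network can recompute:

```python
"""Per-device credential provisioning for a hypothetical IoT product line (added example)."""
import hashlib
import hmac
import os
import secrets
import string

# Constructed list of the shared factory defaults the California bill singles out.
KNOWN_DEFAULTS = {("admin", "admin"), ("user", "user"), ("root", "root"), ("admin", "password")}
ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000


def is_shared_default(username, password):
    """True if this pair is one of the shared defaults every unit would otherwise ship with."""
    return (username.lower(), password) in KNOWN_DEFAULTS


def weak_password_from_serial(serial):
    """The pattern to AVOID: 'unique' per device, but derived from a printed/broadcast identifier.
    Same serial in -> same password out, so it is unique without being secret (constructed, for contrast)."""
    return hashlib.md5(serial.encode()).hexdigest()[:8]


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceCredentials:
    """Credential state burned into one unit at manufacture (constructed model)."""

    def __init__(self, serial, username="admin", length=16, require_change=True):
        self.serial = serial
        self.username = username
        self.salt = os.urandom(16)
        # Option A: a per-device secret from a CSPRNG, printed on the label. Kept in
        # plaintext here only so the example can log in; production retains only the hash.
        self.factory_password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_shared_default(username, self.factory_password):
            raise ValueError("provisioning produced a shared default")
        self._hash = _hash(self.factory_password, self.salt)
        # Option B: even with a unique secret, force a change before the unit is reachable online.
        self.must_change = require_change

    def verify(self, username, password):
        # Always compute the hash so a wrong username costs the same time as a wrong password.
        ok_hash = hmac.compare_digest(self._hash, _hash(password, self.salt))
        return ok_hash and username == self.username

    def login(self, username, password):
        """'denied', 'must_change' (authenticated but only the change-password screen is allowed) or 'ok'."""
        if not self.verify(username, password):
            return "denied"
        return "must_change" if self.must_change else "ok"

    def change_password(self, old, new):
        """Reject the shared defaults and reuse of the label password; clears the forced-change flag."""
        if not self.verify(self.username, old):
            return False
        if is_shared_default(self.username, new) or new == self.factory_password or len(new) < 12:
            return False
        self.salt = os.urandom(16)
        self._hash = _hash(new, self.salt)
        self.must_change = False
        return True

    def network_allowed(self):
        """Firmware should only bring up remote services once the forced change has happened."""
        return not self.must_change


def provision_batch(serials):
    """Provision a production run and confirm no two units share a label password."""
    units = {s: DeviceCredentials(s) for s in serials}
    passwords = [u.factory_password for u in units.values()]
    if len(set(passwords)) != len(passwords):
        raise RuntimeError("duplicate label password in batch")
    return units


if __name__ == "__main__":
    batch = provision_batch(["SN-0001", "SN-0002", "SN-0003"])
    unit = batch["SN-0001"]
    print(unit.serial, "label password:", unit.factory_password)
    print("first login:", unit.login("admin", unit.factory_password), "| online:", unit.network_allowed())
    print("change to admin/admin accepted?", unit.change_password(unit.factory_password, "admin"))
    print("change to strong password accepted?", unit.change_password(unit.factory_password, "correct-horse-battery"))
    print("second login:", unit.login("admin", "correct-horse-battery"), "| online:", unit.network_allowed())
    print("serial-derived password is reproducible:", weak_password_from_serial("SN-0001") == weak_password_from_serial("SN-0001"))
```

The point of `weak_password_from_serial` is that “unique per device” is necessary but not sufficient: the per-device value must also be unpredictable from anything an attacker on the network or in the box can observe.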

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully) and also exempts any device whose security is already regulated by a federal agency, and HIPAA regulated activity to the extent that the activity in question is covered by HIPAA.

Unlike the California Consumer Privacy Act (CCPA), this law has no  private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and  information, if there are bugs found after it is built, it would seem reasonable that the manufacturers will have to fix that.  If true, that would mean that they have to have a  mechanism to patch the software.

Unlike the CCPA, most companies who manufacture IoT devices will be impacted, because they are unlikely to bar California residents from buying their products or California stores from selling them, and it would be cost prohibitive to build two versions of a cheap IoT device – unlike, say, two versions of a car, one that meets California emissions requirements and one that does not.

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.

Complying with GDPR and California’s CCPA – Step 3

For those companies who have customers in California – independent of where the company is located – or are doing business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirements to delete data, to stop processing data, and to provide a copy of the data that you have, in a machine readable format if possible, if the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored, for example, could include on web servers, on internal servers, on workstations and at cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.

If you need assistance with this, please contact us.

Land Rover Telematics Not Secure – Gee, I Am Surprised

While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model.  If this is a surprise to you, it should not be.

If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.

In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner.  That does not always happen.

In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.

When the writer of the article linked below tried to link his newly acquired used Land Rover to the app, it said the car was still connected to the previous owner.

That previous owner could unlock the car, adjust the climate and, using the nav system, see where he had gone and where he currently was.

Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner.  Sure!  Right!

After The Register contacted Land Rover’s press office, the company, sensing a PR disaster, said that it could have handled the situation better.

They did say that he could take the car to the dealer and the dealer would reset it.  Probably for a not-so-nominal fee, but they did not address that.

So, as a buyer of a used car, what do you need to do?

First of all, hopefully, if the car is a new car from the dealer, this should not be a problem.  This is only a problem with used cars.

If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics.  To be safe, you can get the dealer to help you download the app and connect the car to the app.  That way if the dealer is lying, you can call him on it right then, right there.

If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arms length and you can strangle him (figuratively, please).

One other note.

With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market.  After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not, and both laws have very explicit requirements for how the disclosure and opt-in/opt-out language has to read.  I think the courts will side with the used car buyer, saying that the manufacturer did not provide “clear and conspicuous notice”. Expect a nice, juicy class action soon.

Information for this post came from The Register.

Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not, and the California law’s effective date is still almost 18 months away.  These tips should be useful in either case.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little bit before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.

Another right is, in at least some cases, to request that the company delete the data,  again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start because usually, but certainly not always (Gmail is free, for example), vendors get paid.

Of course, even the free vendors have to be accounted for.  Also the vendors that are paid for by someone in a branch office on a personal credit card which is later reimbursed have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.
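How the vendor data inventory (Step 1, above) and the data flow map (Step 3, earlier on this page) fit together, as an added example; this is not code from the original posts or from any compliance product, and the systems, vendors, owners and data categories in `build_sample()` are constructed. Each vendor is a row of the inventory; each flow is a directed edge carrying a set of personal-data categories. Given a deletion or access request for a category, the map walks the flows from the system of record to produce the list of places the request must be executed against, and the inventory check surfaces the gaps the Step 1 text describes (nobody accountable, no contract, a vendor receiving data the inventory never recorded):

```python
"""Vendor data inventory plus data flow map for privacy requests (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Vendor:
    """One row of the vendor data inventory, trimmed to the fields the flow map needs."""
    name: str
    stores: FrozenSet[str]     # personal-data categories the inventory says this vendor holds
    owner: Optional[str]       # person ACCOUNTABLE for the relationship; None if nobody claims it
    has_contract: bool
    paid_via: str              # "accounts payable", "free" or "personal card"


class DataFlowMap:
    """Directed graph of internal systems and vendors; each edge lists the categories it carries."""

    def __init__(self, internal_systems):
        self.internal: Set[str] = set(internal_systems)
        self.vendors: Dict[str, Vendor] = {}
        self.edges: List[Tuple[str, str, FrozenSet[str]]] = []

    def add_vendor(self, v: Vendor) -> None:
        self.vendors[v.name] = v

    def add_flow(self, src: str, dst: str, categories) -> None:
        self.edges.append((src, dst, frozenset(categories)))

    def holders_of(self, category: str, source: str) -> Set[str]:
        """Every node that can hold `category`, following flows outward from the system of record.
        This is the checklist a deletion/access request has to be executed against and documented."""
        seen, queue = {source}, deque([source])
        while queue:
            node = queue.popleft()
            for src, dst, cats in self.edges:
                if src == node and category in cats and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen

    def request_checklist(self, categories, source) -> Dict[str, List[str]]:
        """Category -> sorted list of systems/vendors to delete from or export from."""
        return {c: sorted(self.holders_of(c, source)) for c in categories}

    def inventory_gaps(self) -> List[str]:
        """Findings of the kind Step 1 turns up, plus mismatches between inventory and flows."""
        findings = []
        for v in self.vendors.values():
            if v.owner is None:
                findings.append(f"{v.name}: no accountable owner")
            if not v.has_contract:
                findings.append(f"{v.name}: no contract on file")
            if v.paid_via == "personal card":
                findings.append(f"{v.name}: paid on a personal card, not under company control")
        for src, dst, cats in self.edges:
            if dst in self.internal:
                continue
            v = self.vendors.get(dst)
            if v is None:
                findings.append(f"{dst}: receives data from {src} but is not in the vendor inventory")
            elif cats - v.stores:
                findings.append(f"{dst}: receives {sorted(cats - v.stores)} not recorded in the inventory")
        return findings


def build_sample() -> DataFlowMap:
    """Constructed company: three internal systems, four vendors, one of them undocumented."""
    m = DataFlowMap(["web app", "warehouse", "nightly backups"])
    m.add_vendor(Vendor("CRM SaaS", frozenset({"email", "name", "phone"}), "sales ops", True, "accounts payable"))
    m.add_vendor(Vendor("Email marketing", frozenset({"email"}), None, True, "accounts payable"))
    m.add_vendor(Vendor("Support mailbox (free Gmail)", frozenset({"email", "name"}), None, False, "free"))
    m.add_vendor(Vendor("Scheduling app", frozenset({"email", "name"}), "branch office", False, "personal card"))
    pii = {"email", "name", "phone", "purchase history"}
    m.add_flow("web app", "warehouse", pii)
    m.add_flow("warehouse", "nightly backups", pii)
    m.add_flow("web app", "CRM SaaS", {"email", "name", "phone"})
    m.add_flow("CRM SaaS", "Email marketing", {"email", "name"})   # inventory only recorded "email"
    m.add_flow("web app", "Support mailbox (free Gmail)", {"email", "name"})
    m.add_flow("web app", "Scheduling app", {"email", "name"})
    m.add_flow("web app", "Analytics widget", {"device id"})      # never made it into the inventory
    return m


if __name__ == "__main__":
    fm = build_sample()
    for cat, places in fm.request_checklist(["email", "phone", "purchase history"], "web app").items():
        print(f"{cat}: {places}")
    print("\nInventory gaps:")
    for g in fm.inventory_gaps():
        print(" -", g)
```

The same walk answers the “stop processing” request (every node past the source) and the copy request (every node), which is why the map is built once and reused for all three rights.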