Category Archives: Legal

The End of Fax Machines? Well Maybe. Why? Insecurity!

Seema Verma, the administrator of the Centers for Medicare and Medicaid Services at the Department of Health and Human Services, wants fax machines out of doctors’ offices by 2020.

CMS Administrator Verma

She wants them out of doctors’ offices because they are not cool.  She wants to replace them with super-non-secure apps for your phone that are way cool, but even less secure than that crappy fax machine.

She says that physicians are stuck in the 1990s, hence, I guess, their use of fax machines.  She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some).  This is causing physician burnout.  Ask a physician what is causing burnout: #1 is dealing with CMS and insurance companies, and #2 is having to use those really bad apps that have already been developed, Seema.

I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago.  I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories.  After all, what could go wrong?

We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.

HOWEVER, it is fair to look at fax machines.

WHY do people still use them?  Because they are ubiquitous.  They are everywhere.  In Japan, something like a third of the private households have fax machines.  That is a feat that very few countries can match, but almost every business has a fax number (actually, we do not!).

One reason that people use them is that they are SECURE.  I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.

Anyone ever get a fax that was not destined for them?

Anyone ever get a fax not destined for them that contained sensitive information?  VERY sensitive information?

Anyone ever see that sensitive fax just sitting on the fax machine?

Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?

How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?

So, the sender sends a fax to be secure, manages to dial the right number, and sends the fax to some third party with unknown security, who takes that fax and sends it to you in an email.

WHY NOT JUST EMAIL IT IN THE FIRST PLACE.  THAT WOULD BE CHEAPER, FOR SURE, AND, GIVEN THERE ARE A LOT FEWER MOVING PARTS, PROBABLY MORE SECURE, TOO.

To be fair, some fax services offer secure fax where they send you an email that you have a fax and then you have to log in and download it.  AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.

Do you see a problem here?

Bottom line is faxes are not secure and should not be perceived to be secure.

So what is there to do?

First of all, if you are using faxes because email is not secure, do not use a fax to email service.

If you are using a fax to email service, you need to do a security risk assessment on the service provider.  IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BAA WITH THAT SERVICE PROVIDER.  If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!

Again, if you have to use fax to email, use a service that offers a secure mailbox that allows you to download the fax over an encrypted channel.

If you are using one of those old fashioned fax machines, make sure that the inbound faxes can be secured until picked up by the RIGHTFUL owner.

If you are using one of those newfangled multi-purpose print/copy/fax machines, understand that those machines have a hard disk in them (except for the very cheapest ones) and must be disposed of securely at the end of the lease or when ready to be discarded.  Higher end machines have hard disks that can be removed by a technician and given to you to shred (yes, really).  Lower end ones are not designed that way and you may wind up destroying the machine to get the disk out.  But do that anyway.

A much better way to deal with the problem is to create a SECURE web portal to replace that fax machine.  Remember the goal is not to replace one insecure technology with another insecure technology.

By the way, IF THE PORTAL IS HOSTED, THEY ARE STILL A HIPAA BUSINESS ASSOCIATE.  Sorry!

If all of this gives you a headache, contact us to help you sort this out.

Source: Healthcare IT News

Visit New Zealand – Fork Over Your Passwords or Risk Being Prosecuted

In what is thought to be a first for any country, travelers entering New Zealand who do not turn over their phone passwords during searches could be arrested, prosecuted and fined more than $3,000.  This applies to citizens and foreigners alike.

A New Zealand customs spokesperson said that the new fine is an appropriate remedy to balance individuals’ privacy and national security.  I am not sure what the balance is here.

In many countries law enforcement can examine your digital devices, but it is up to them to figure out how to hack into them if you don’t unlock them.

I suspect that this will become a bit of a trend.

Once law enforcement has the phone, unlocked, you have to assume that whatever is on the phone – from nude selfies to business trade secrets – has been compromised.  There is no way to know whether that data is secure or not.  Given most governments’ security track records, this is probably a sad reality.

In the case of New Zealand, the customs agent has to have some undefined suspicion of wrongdoing in order to invoke the new law.

Things that you can do to minimize the pain –

Large companies that are concerned about security are giving their employees burner phones and burner laptops when they travel abroad.

These same companies require employees to get approval for any data files that they load onto these devices.

For private citizens, this applies as well.  Don’t take your laptop; buy a burner phone at Walmart or Best Buy and load only what you need.

Alternatively, store the data that you will need while abroad in the cloud, encrypted, download it while abroad, upload changes before you cross any borders and overwrite the deleted files with software like the free program CCleaner.

If you believe Snowden, intelligence analysts like sexy photographs and swap them internally like baseball cards.  I would suspect that practice applies to customs agents as well.  If it isn’t there, they cannot do that.

It is likely that you will pass through customs unmolested – in the U.S. last year, customs only searched several tens of thousands of devices compared to the hundreds of millions of travelers –  but if you are concerned, there are some easy and inexpensive steps that you can take.

Source: NY Times.

Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers compromised the security “tokens” that Facebook uses to authenticate users and not the passwords themselves.  Facebook revoked those users’ “tokens” to stop them from continuing to be used.

Later in the day Facebook said that they revoked another 40 million users’ tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack after the effective date of GDPR.  Sure, British Airways lost 380,000 credit cards, but this is 50-90 million users just on Facebook alone.  We DO NOT KNOW if other sites were affected that share logins, but if they do, this could affect dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course Facebook’s software license agreement with other sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer.  If such a disclaimer exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW, my token was apparently hacked, as my login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia.

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two factor authentication.  Facebook’s two factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.

Information for this post came from Business Insider.

Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.  Anything that renders HTML on iOS is affected.  That means it can be triggered by anyone sending you a link on Facebook or Twitter, by any webpage you visit that includes the code, or by anyone sending you an email.  TechCrunch tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed that it crashes and restarts the phone.  Source:  TechCrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy, said that California’s new bill replacing that repealed FCC policy is illegal.  Why?  Because, he says, it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk at a conservative think tank in Portland.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently, he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use their service or use a service that has paid them a lot of money, but does charge you to use a service who has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that they will compensate users who lost $40 million or so and have sold the majority of the company for 5 billion yen (roughly the amount of money not owned by them that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the meantime, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that they front end.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48-hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.
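The credential stuffing pattern described above, as an added example (not Akamai’s or this post’s code): a detector run over a few constructed login-log lines that flags sources trying many different usernames with mostly failures, then lists the accounts that nonetheless logged in from such a source. The log format is an assumption.

```python
"""Credential-stuffing detector run over constructed login-log lines.
Added example, not Akamai's or the post's code; the log format
(timestamp, source IP, username, result) is an assumption."""
from collections import defaultdict

# Constructed sample: one source walks many usernames in seconds, mostly
# failing; a second source is an ordinary user retrying their own login.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z 203.0.113.7 alice FAIL
2018-09-20T10:00:02Z 203.0.113.7 bob FAIL
2018-09-20T10:00:02Z 203.0.113.7 carol FAIL
2018-09-20T10:00:03Z 203.0.113.7 dave OK
2018-09-20T10:00:04Z 203.0.113.7 erin FAIL
2018-09-20T10:00:05Z 203.0.113.7 frank FAIL
2018-09-20T10:00:09Z 198.51.100.4 alice FAIL
2018-09-20T10:00:15Z 198.51.100.4 alice OK
"""

def parse_line(line):
    """Return (timestamp, ip, user, success) for one log line."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"

def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A user who mistyped a password retries the same username; a stuffing
    tool replays a breached list, so the signature is breadth (many
    usernames from one source) combined with a low success rate.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for line in log_text.strip().splitlines():
        _, ip, user, ok = parse_line(line)
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)
    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"users": len(stats["users"]),
                           "attempts": stats["attempts"],
                           "successes": stats["successes"]}
    return flagged

def compromised_accounts(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: these
    need a forced password reset and a fraud review, not just an IP block."""
    hits = {user for line in log_text.strip().splitlines()
            for _, ip, user, ok in [parse_line(line)]
            if ok and ip in flagged}
    return sorted(hits)
```

On real traffic the thresholds need tuning per site, and the same breadth check should also be applied per subnet or per user-agent, since stuffing tools rotate source addresses.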

California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act which is the only law in the country that offers consumers far more control over their data in the hands of third parties such as Internet based companies.

Now AB 1906 is headed to Governor Brown to sign.  If he does, and there is no reason to think that he won’t,  it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device.  A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law called out is the use of default userids and passwords like admin/admin or user/user.  It says that it would be a reasonable security feature if the password required to access the device is UNIQUE to each and every device, or if the device requires the user to change the password before the device is available online.
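Both options the bill names, worked as an added example (not code from the bill or from any device vendor): a random per-device factory password, plus a gate that keeps the device off the network until that password has been replaced. The Device class and its fields are assumptions.

```python
"""Two pieces of the AB 1906 default-credential requirement, as an added
example (not code from the bill or any vendor): a per-device unique factory
password, and a gate that keeps the device off the network until the user
has replaced that password. Class and field names are assumptions."""
import hashlib
import hmac
import os
import secrets

# Label-friendly alphabet: no 0/O, 1/l/I confusables for the printed sticker.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def factory_password(length=12):
    """Random per-device password printed on the unit's label.

    Drawn from the OS CSPRNG, not derived from the serial number or MAC:
    anything derivable from a visible identifier becomes a shared default
    the moment the derivation leaks.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the device stores this, not the cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Minimal device state model: credential plus online/offline gate."""

    def __init__(self):
        self.initial_password = factory_password()
        self.salt, self.digest = hash_password(self.initial_password)
        self.password_changed = False
        self.network_enabled = False

    def check_password(self, candidate):
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def change_password(self, old, new):
        """Require the current password and reject short or unchanged values."""
        if not self.check_password(old) or len(new) < 10 or new == old:
            return False
        self.salt, self.digest = hash_password(new)
        self.password_changed = True
        return True

    def bring_online(self):
        """Network services start only once the factory password is gone."""
        self.network_enabled = self.password_changed
        return self.network_enabled
```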

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully) and also exempts any device that is regulated by a federal agency (for example, under HIPAA) to the extent that the activity in question is covered by HIPAA.

Unlike the California Consumer Privacy Act (CCPA), this law has no private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and  information, if there are bugs found after it is built, it would seem reasonable that the manufacturers will have to fix that.  If true, that would mean that they have to have a  mechanism to patch the software.

Unlike the CCPA, most companies who manufacture IoT devices will be impacted because they are unlikely to bar California residents from buying their products or California stores from selling them, and it would be cost prohibitive to build two versions of a cheap IoT device, unlike, say, two versions of a car – one that meets California emissions requirements and one that does not.

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.

Incident Response 101 – Preserving Evidence

A robust incident response program and a well trained incident response team know exactly what to do and what not to do.

One critical task in incident response is to preserve evidence.  Evidence may need to be preserved based on specific legal requirements, such as for defense contractors.  In other cases, evidence must be preserved based on the presumption of being sued.

In all cases, if you have been notified that someone intends to sue you or has actually filed a lawsuit against you, you are required to preserve all relevant evidence.

This post is the story of what happens when you don’t do that.

In this case, the situation is a lawsuit resulting from the breach of one of the Blue Cross affiliates, Premera.

The breach was well covered in the press; approximately 11 million customers’ data was impacted.

In this case, based on forensics, 35 computers were infected by the bad guys.  In the grand scheme of things, this is a very small number of computers to be impacted by a breach.  Sometimes a breach might infect thousands of computers in a big organization.  The fact that we are not talking about thousands of computers may not make any difference to the court, but it will be more embarrassing to Premera.

The plaintiffs in this case asked to examine these 35 computers for signs that the bad guys exfiltrated data.  Exfiltrated is a big word for stole (technically, uploaded to the Internet in this case).  Premera was able to produce 34 of the computers but, curiously, not the 35th.  They also asked for the logs from the data protection software that Premera used, called Blue Coat.

This 35th computer is believed to be ground zero for the hackers and may well have been the computer from which the data was exfiltrated.  The Blue Coat logs would have provided important information regarding any data that was exported.

Why are these two crucial pieces of evidence missing?  No one is saying, but if there was incriminating evidence on it or evidence that might have cast doubt on the story that Premera is putting forth, making that evidence disappear might seem like a wise idea.

Only one problem.  The plaintiffs are asking the court to sanction Premera and prohibit them from producing any evidence or experts to claim that no data was stolen during the hack.

The plaintiffs claim that Premera destroyed the evidence after the lawsuit was filed.

In fact, the plaintiffs are asking the judge to instruct the jury to assume that data was stolen.

Even if the judge agrees to all of this, it doesn’t mean that the plaintiffs are going to win, but it certainly doesn’t help Premera’s case.

So what does this mean to you?

First you need to have a robust incident response program and a trained incident response team.

Second, the incident response plan needs to address evidence preservation and that includes a long term plan to catalog and preserve evidence.

Evidence preservation is just one part of a full incident response program.  That program could be the difference between winning and losing a lawsuit.
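What “catalog and preserve evidence” looks like in practice, as an added example (not Premera’s tooling or anything from the post): each preserved item is hashed into a manifest with custodian and collection time, and a later check reports anything missing or altered, so a gap like the unproduced 35th computer surfaces at the next review rather than in court. The paths, field names and constructed sample files are assumptions.

```python
"""Evidence catalog with integrity checks, as an added example (not Premera's
or the post's own tooling). Each preserved item is hashed into a manifest;
a later verification reports items that are missing or altered, so a gap
like the 35th computer surfaces at the next review rather than in court.
Paths, field names and the constructed files are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file so multi-gigabyte disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, custodian):
    """Catalog each item: path, hash, size, who collected it and when (UTC)."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "items": [{"path": p, "sha256": sha256_file(p),
                   "size": os.path.getsize(p)} for p in paths],
    }

def verify_manifest(manifest):
    """Compare the catalog against what is on disk now."""
    report = {"missing": [], "altered": [], "ok": []}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            report["missing"].append(p)
        elif sha256_file(p) != item["sha256"]:
            report["altered"].append(p)
        else:
            report["ok"].append(p)
    return report

def demo():
    """Constructed scenario: three images preserved, then one lost, one changed."""
    d = tempfile.mkdtemp()
    paths = []
    for i in range(3):
        p = os.path.join(d, f"host{i}.img")
        with open(p, "wb") as f:
            f.write(f"constructed image {i}".encode())
        paths.append(p)
    manifest = build_manifest(paths, custodian="ir-team")
    # In practice keep the manifest write-once and off the evidence hosts.
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    os.remove(paths[2])                 # the item that "cannot be produced"
    with open(paths[1], "ab") as f:     # a tampered image
        f.write(b"tampered")
    return verify_manifest(manifest)
```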

Information for this post came from ZDNet.
