http://feeds.feedburner.com/AlertbootEndpointSecurity

AlertBoot Endpoint Security



AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web-based console, AlertBoot offers mobile device management, mob



 



Penn Medicine Sending Breach Notifications To 1000 Patients Over Stolen Laptop

Mon, 08 Jan 2018 09:16:00 GMT

Penn Medicine has revealed this past week that a laptop computer with protected health information (PHI) was stolen on November 30. While the details are meager (aside from a short entry at philly.com, which is referenced by databreaches.net, an online search comes up empty), the following was revealed:

- About 1000 people were affected.
- The laptop was stolen from a car at a parking lot.
- Breached information includes "patient names, birth dates, medical records, account numbers, and some other demographic and medical information."
- It does not include "Social Security numbers, credit card or bank account information, patient addresses or telephone numbers stolen."
- Penn Medicine promised to review procedures to ensure that patient information is protected on portable devices.

What is This, 2009?

In an age when breaches can – and do – involve tens of millions of people, Penn Medicine's data breach almost feels quaint. And yet, that's why it's also not so easy to forgive.

Consider servers with massive amounts of data that are hooked up to the web, and thus "hackable" by anyone with a decent internet connection, in both theory and practice. Indeed, a small group of network and security professionals are exploring the build-out of a separate, "better" (better secured?) internet, seeing how our current global communications web will be forever playing security catch-up to the bad guys. So, even if millions of people are affected by a breach, it's "understandable": it shouldn't be happening, we feel outraged when it happens, and lawsuits are going to be filed left and right, but we get it: there's very little that can be done unless we redesign everything.

But when it comes to an individual laptop computer, there is a proven method of ensuring that its contents stay protected in the event of a burglary. It's the same method that led to the Apple vs. FBI face-off two years ago: full disk encryption. It's a very well established technology that's been around forever.

Indeed, most hospitals, clinics, and medical practices routinely use full disk encryption to protect not only their laptops but also their desktop computers, which have proven less than immune to theft. And larger organizations have been more aggressive and thorough than smaller concerns, in no small part due to lawsuits brought by the federal government. For example, BlueCross BlueShield of Tennessee knows that they should encrypt any hard drives that are used to store phone call recordings, an insight they obtained after being embroiled in what was, at the time, one of the largest data breaches in history. This lesson was learned in 2009.

So, when one reads, in 2018, that one of the bigger hospitals in the US is looking to review their procedures to ensure that patient information is protected on portable devices... it sounds tone-deaf. Technically, as a HIPAA covered entity, they should be doing this periodically or whenever security conditions change.

Related Articles and Sites:
http://www.philly.com/philly/health/penn-medicine-patient-information-stolen-identity-theft-hipaa-20180102.html
https://www.databreaches.net/penn-medicine-computer-with-patient-info-stolen/[...]



24,000 Affected After UNC Health Care Desktop Computer Stolen

Fri, 15 Dec 2017 08:21:00 GMT

We're on the cusp of 2018, yet data breaches that smell like 2008 are still making an appearance. According to various news outlets, UNC Health Care has announced a data breach that involved approximately 24,000 patients when a computer – a desktop computer – was stolen during a break-in. The breached data:

…includes names, addresses, phone numbers, employment status, employer names, birthdates and Social Security numbers, said UNC Health Care, adding that it does not believe any treatment, diagnosis or prescription records were kept on the computer other than diagnosis codes used for billing. [bizjournals.com]

That last part may be somewhat comforting, but SSNs, names, addresses, and birthdates… that information can be easily used for fraud, as pretty much everyone knows.

Acquisition Headaches?

It's hard to believe that an institution the size of UNC Health Care can still be embroiled in a data breach that involves an unencrypted desktop computer. It's been years since HIPAA regulators showed that they mean business when it comes to data breaches involving protected health information (PHI), via the issuance of fines and other penalties. As a result, many HIPAA covered entities have gone a long way towards ensuring that they've at least fulfilled the minimum security requirements, which generally involves the use of full disk encryption for computers and laptops. Had the computer in question been encrypted – which it's safe to assume it wasn't, per the media coverage surrounding it – it would have been a non-event, tantamount to losing, say, a chair.

On the other hand, when you see that UNC Health Care is a network of hospitals, and realize that such fragmentation brings its own challenges when securing data, perhaps it's not so surprising. And yet, safeguarding PHI, even in such situations, is not impossible. With the proliferation of wireless and mobile internet, the logistical nightmares of years past are far from insurmountable. Deploying and installing disk encryption on endpoints, even those that never come in from the field, can be done quite easily.

But there's a twist here. Apparently, the building from which the computer was stolen was a relatively new acquisition, which tends to bring its own set of problems:

A break-in at the UNC Dermatology & Skin Cancer Center in Burlington resulted in the theft of a computer …. The center – formerly known as Burlington Dermatology Center or Burlington Dermatology – is located on Vaughn Road and was acquired by UNC Health Care in 2015. [chapelboro.com]

For a lot of people, that last figure, 2015, would likely prevent them from giving UNC Health Care the benefit of the doubt on whether they were negligent regarding PHI security. Even if the acquisition had taken place in December of 2015, they had nearly two years to do something regarding the security of digital data. It's especially egregious when you consider that:

UNC Health Care … ensured that all remaining computers acquired from, or kept for use by Burlington Dermatology have been properly secured. UNC Health Care has also implemented process improvements to ensure that future acquisitions of physician practices include a process to properly secure legacy computers and electronic patient information. [wfmynews2.com]

The break-in occurred on October 8. The above statement was present in wfmynews2.com's article dated December 8. They managed to secure in two months what they did not in two years? Granted, it looks like they missed the boat because they had not set up a process "to ensure that future acquisitions…include a process to properly secure legacy computers"… but why didn't they? Based on their patchwork of hospitals, it feels like Burlington is not their first acquisition. So, one imagines that they should have had something per HIPAA's Administrative Safeguards, where "…a covered entity must identify and analyze potential risks to e-PHI, and it must implement security m[...]



Uber Being Investigated For 2016 Data Breach

Fri, 01 Dec 2017 09:28:00 GMT

Uber, the ride-sharing Silicon Valley unicorn, is… still in the news. They say that all publicity is good publicity – even the bad kind – but Uber is really taking that saying to its limits, it seems. This week, it was revealed that the company had been hiding a massive data breach that occurred over a year ago. The breach involved personal information including names, email addresses, and phone numbers of 57 million customers worldwide. In addition, drivers' names and their license numbers were illegally accessed as well (7 million in total; 600,000 drivers in the US alone). According to bloomberg.com, here's how the hack went down:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Unsurprisingly, many states – including Illinois, Massachusetts, Missouri, New York, Connecticut, and Washington – have announced an investigation into the matter. Data security regulators in other countries have done the same.

A Checkered Past

It was just this past August that Uber agreed to a settlement with the FTC, closing a probe into how Uber misled customers regarding its privacy practices: the company allowed employees to access riders' personal information, including the details of trips, via a tool called "God View." The problem was described by some as a "lapse" in the ride-hailing company's security practices. In addition, the company had to deal with a data breach (smaller than the one being discussed here). The FTC looked into the issue and concluded, per recode.net:

For years, Uber stressed it had taken great steps to protect its driver and rider data — all stored using Amazon's cloud service. Until 2015, however, some of that information was saved as "clear, readable text, including in database back-ups and database prune files, rather than encrypting the information," the FTC said.

The end result? Uber agreed to 20 years of oversight, the implementation of a comprehensive privacy policy, etc. The usual stuff that Big Tech companies agree to. An "onerous" slap on the wrist. (However, as recode.net points out, the settlement hasn't been finalized. The FTC must vote on it, and some lawmakers had urged the FTC to increase the penalties, perhaps even open a new investigation based on what the probe had revealed. This was before the latest revelation.)

Hackers Bad. Lawyers Even Worse?

When Bloomberg broke the news about Uber's latest transgression, two people were fired, including Uber's Chief Security Officer, Joe Sullivan. When approached by the hackers, Sullivan and Craig Clark, a lawyer with the company, made the decision to pay the attackers $100,000 to delete the data and to stay quiet about the incident. While none of that is illegal – paying off the hackers, asking them to be quiet, the hackers actually keeping quiet, and the hackers deleting the data they had acquired – what Uber did afterwards is.

The US has 48 separate data breach notification laws. Most of them are similar. For example, most have a specific definition of what "private data" is and is not, and generally require a notification to be sent within 60 calendar days of discovering the breach. Also, they provide safe harbor from notifying clients after a data breach if the data was encrypted. Unfortunately, not all states offer the same protection, meaning that if your business is big enough, you're going to have to come clean anyhow: while people may be willing to believe that a Brooklyn-located mom-and-pop store's data breach affected New York residents only, it'd be very unusual that only New York residents were affected by an Uber hac[...]
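The Bloomberg account above describes cloud credentials sitting in a source repository. The scanner below is an added, defender-side example (not code from this post, Uber, or AlertBoot) that flags such credentials in text before it is committed; it assumes AWS's published access-key-ID format (20 characters, AKIA/ASIA prefix) and 40-character secret, a constructed sample config, and an entropy threshold of my own choosing.

```python
"""Flag AWS-style credentials in text before it lands in a repository.

Added example, not AlertBoot's or Uber's code. The key-ID prefixes
(AKIA/ASIA) and the 20/40-character lengths follow AWS's published key
format; the entropy threshold is an assumption chosen to skip placeholders.
"""
import math
import re
from collections import Counter

# Access key IDs: 20 characters, prefix AKIA (long-lived) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys have no fixed prefix, so anchor on the variable name and require
# exactly 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; a real secret scores well above a repeated filler."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep just enough of the value to locate it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, min_secret_entropy: float = 4.0) -> list:
    """Return one finding per suspected credential, with its 1-based line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "masked": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Placeholders such as 40 repeated letters have near-zero entropy.
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "masked": mask(candidate)})
    return findings


# Constructed sample: a credentials file accidentally added to a repo.
# The key values are AWS's own documentation examples, not live credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# template slot left for a real value; should not be reported
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

Wired into a pre-commit hook or a CI step, the same function can fail the build on any finding so the credential never reaches the shared repository.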



Smartphone Encryption: FBI and Apple At It Again?

Fri, 17 Nov 2017 07:32:00 GMT

Following the worst mass shooting in Texas history, the Federal Bureau of Investigation has announced in a press conference that they're unable to get into the smartphone of the shooter. The reason? Encryption. While the brand of the smartphone was not officially revealed at the time (so as not to alert the "baddies" as to which one is giving the FBI difficulties), Gizmodo and others have reported that it's an iPhone. Of course, this is not the first time that the FBI and Apple have crossed paths.

There's a History There

Last year, the FBI and Apple went head-to-head in court: the FBI was looking to compel Apple to write a backdoor to its encryption (they denied this; however, the end result would have been the same). A magistrate ordered Apple to create a way to hack into the San Bernardino shooter's iPhone 5c. Apple refused. The parties involved went to a bigger court. Things were building to a crescendo in court when the FBI suddenly announced it didn't need Apple's help after all. They had acquired software that could hack into an iPhone 5c (but not newer models). Some critics at the time accused the FBI of backing out not because it had found another way to get to the encrypted data, but because it looked like the case would set a precedent against the FBI's interests.

Today, we see a situation that is very similar: a mass shooting, a smartphone that's encrypted, the FBI unable to access it. But if you're looking for a repeat of last year's court drama, it probably won't happen. With the San Bernardino case, the FBI argued that they needed to access the device to see if the shooter was linked to other terrorists; if memory serves, the FBI concluded before going to court that this was not the case. Regardless, a legal decision was sought (and dropped, as mentioned earlier). In the more recent Texas shooting, we know it's not an act of terrorism – at least not the kind the US regularly rallies against. Indeed, if one follows the news, it looks like the FBI is building its case of what happened quite readily, without the need to access the encrypted smartphone. The usual argument that "there could be an additional threat out there, ready to pounce soon" cannot be made. It would fall upon deaf ears, and so there really isn't much impetus for the FBI to make a scene like it did last year. But complain about encryption? It's been doing that any chance it gets, so it's not surprising that they're bringing it up.

Cat and Mouse Games

What is surprising, perhaps barely, is that the FBI still appears to be playing games designed to sway public opinion. According to various media outlets, Apple reached out to the FBI to offer assistance – which feels oxymoronic, the two having gone to court over that same issue – but the FBI never acknowledged it. While some insinuated that Apple did this before the FBI complained about the encrypted phone in the press conference, it was clarified that the Cupertino-based tech giant reached out afterwards, when they finally realized that an iPhone was involved. Regardless, the offer was for naught. Apparently, the FBI did not reach out to Apple at all. All reports suggest that the FBI did not completely stop seeking Apple's help after the duo's legal showdown last year, so it is quite surprising that the government did not seek Apple's help in one of the year's most high-profile cases. Did the FBI do this because they thought that Apple wouldn't help? Or couldn't help? Or because they forgot about it? Or was it a measured tactic that they're using to carve more notches in their "encryption is aiding criminals" pole? The answer, short of another legal-loggerheads extravaganza, will depend on how much Konspiracy Kool-Aid you're willing to drink.

As usual, some degree of sympathy goes out to the FBI and other law-enforcement agencies. Nobody denies that encryption[...]



Hilton To Pay $700,000 Over 2015 Data Breach, Slow Notifications

Fri, 03 Nov 2017 04:43:00 GMT

The New York attorney general has announced a $700,000 settlement with Hilton Worldwide Holdings over issues related to two data breaches that occurred in 2014 and 2015. $400,000 will go to New York. The remainder goes to Vermont, which collaborated in the investigation.

Reported Breaches Late, In November 2015

Multinational corporations being hacked is old news. It happened to Yahoo, Target, Merck, Equifax, etc. – the list is endless and varied. No industry is exempt, no company is free from the internet renegades who are willing to compromise a network for financial rewards, to make political statements… or just because they're bored and they can. When a company is fined hundreds of thousands of dollars by the government in this day and age for a data security breach, it means the victimized company must have grievously erred somehow. In Hilton's case, they were apparently employing lax security practices and were slow with their data breach notifications.

The famed hospitality company became aware of a data breach in February 2015 (the actual hack occurred sometime between November and December 2014). Another breach was discovered in July 2015, with the intrusion occurring between April and July of the same year. The notifications were not sent out until late November. If your yardstick starts from the second breach, it's about two months after discovery; if you're measuring from the first data breach, it's nine months. Which one to use? Common sense would dictate that it's the first. Especially considering that, while many states' data breach notification laws require a notification no later than 60 calendar days, not all states do. New York, in fact, only states that:

The disclosure must be made in the most expedient time possible and without unreasonable delay…

One could argue that 60 days was as expedient as it could get, but nine months? In addition, it turned out that Hilton was not compliant with PCI-DSS requirements, a set of security rules meant to minimize the incidence of credit card number hacks.

Have You Seen HLT's 10-K?

Seven hundred thousand dollars is a big chunk of money. However, it's meaningless to a company like Hilton. The holding company had revenues of over $11.6 billion in 2016 with net income of $348 million. That makes $700K a cost of doing business, and a small one at that. Look at it this way: in Hilton's case, over 360,000 credit cards were put at risk. That works out to nearly a $2 fine per credit card compromised. Their hotels' profit margins on minibar peanuts are probably higher. I imagine that management is probably more concerned about the cost of towels and robes that go missing each year.

So, the AG's proclamation that data breaches take top priority can feel a little anticlimactic based on the figures involved. But it's not his fault. He doesn't make the law; he merely does what he can with the legal tools he's given. People have been calling for greater punitive damages against companies who appear to be less than concerned that their security is compromised (who in turn have been whining since the early 2000s that they're victims, too. For companies that do this, let's put it this way: it's hard to sympathize with a drunk driver who ran over the neighbor's dog but asks for pity because his car was totaled and his ribs are broken). Case in point regarding the legal branch having its hands tied: despite the disaster that is Equifax, the US Congress has voted this week to make it harder for people to sue it.

Related Articles and Sites:
https://www.engadget.com/2017/10/31/hilton-data-breaches-700-000-penalty/
https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed
http://codes.findlaw.com/ny/general-business-law/gbs-sect-899-aa.html
https://finance.yahoo.com/quote/HLT/financials?p=HLT
https://techc[...]



FBI Unable to Access 7000 Encrypted Devices in 2017

Fri, 27 Oct 2017 06:25:00 GMT

At the International Association of Chiefs of Police conference, held in Philadelphia last week, Federal Bureau of Investigation Director Christopher Wray noted that the FBI has nearly 7,000 encrypted devices it cannot access. Per phillyvoice.com:

In the first 11 months of the fiscal year [2017], federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech….

Considering what Wray's predecessor had to say about the issue in 2016, the problem is growing, fast:

[Former FBI Director James Comey] said, during the last three months of 2016 the FBI lab received 2,800 electronic devices sent in by local police and federal agents looking for evidence they contain. But analysts were unable to open 1,200 of them, "using any technique."

Assuming that the influx of inaccessible encrypted devices to the FBI's labs remained relatively constant last year, the implication is that the FBI possessed 4,800 encrypted mobile devices in 2016. In other words, there was a 50% increase year-over-year.

A Growing Problem

One can expect the number of inaccessible smartphones to keep growing for a number of reasons.

First, older devices get replaced with new ones, eventually. That in and of itself doesn't mean anything security-wise, except that encryption was not turned on by default for many older devices. Even if encryption were turned on, a password may not have been required. Smartphones and tablets now come with encryption turned on by default and require a form of password; one can assume that nearly 100% of the phones the FBI needs to search in the future will be inaccessible.

Second, encryption tends to get stronger over time because researchers are constantly trying to find flaws in it. When found, they're patched up. Cracking techniques that may have worked in the past may not be available on newer devices. When the FBI filed and then dropped a lawsuit against Apple in 2016, the Bureau revealed that it had obtained a method to gain access to an iPhone 5C (they didn't reveal what it was). Thus, it didn't need to force Apple through the courts. It also noted that this method didn't work on iPhones newer than the 5C, so that's as far as that technique will go. Seeing how OS updates to the iPhone 5C ended this past summer, the FBI's mysterious technique will see limited action in the future. This tends to be the general pattern for flaws in security (assuming, of course, that you have bright people working on the problem; sometimes, flaws go undetected for years, possibly decades. Still, encryption performance points in one direction).

Third, more people are aware of the power of and need for encryption. When the FBI butted heads with Apple (and, indirectly, with the entire tech community) in 2016, many in Congress initially supported the FBI. Calls for encryption backdoors, explicit or otherwise, were in the air. As time went by and these representatives educated themselves on the pros and cons of purposefully hamstringing cryptography, they started backtracking. But it's not just Congress. Ironically, the Apple vs. FBI case caused ripples and worked to educate a lot of people about encryption and its benefits, detriments, and importance. With more people aware of what encryption does and how it works, you can expect encryption to extend to even those devices that don't come with it by default.

How to Solve It?

So, yeah, encryption is problematic for the FBI. And it will continue to be problematic. Hence, it's not surprising to find that,

The Justice Department under President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take. [apnews.com]

Honestly, short of a backdoor, there isn't a solution here, and[...]