Dennis Fisher talks with Rich Mogull of Securosis about his days as a teen wannabe hacker, his meandering path through Navy ROTC, software development, near miss with medical school, mountain rescues and his life as a security industry analyst.
Archive for August, 2013
Privacy and data security experts are closely watching a case that for the first time challenges the Federal Trade Commission’s (FTC) authority to sue companies on behalf of consumers for cybersecurity breaches and lax or misleading data security policies.
In Federal Trade Commission v. Wyndham Worldwide Corporation, the FTC alleges that Wyndham and its hotel subsidiaries violated Section 5 of the FTC Act, which forbids “unfair or deceptive” practices, by not maintaining “reasonable and appropriate” data security protections.
The broad authority to protect consumers from data breaches has been the basis of 41 previous investigations of such companies as Google Inc., Twitter Inc. and HTC Corp., resulting in out-of-court settlements and consent decrees. Wyndham is the first company to fight back in court, arguing Congress never granted the FTC cybersecurity oversight and the lawsuit therefore exceeds the FTC’s enforcement authority.
“If Wyndham wins, it would disable the ability of the FTC to broadly enforce cybersecurity standards under the guise of consumer protection. I fully expect that the FTC would appeal any such decision to the court of appeals,” says Paul Rosenzweig, founder of Red Branch Law Consulting, which specializes in homeland security and data privacy issues.
The FTC action grew out of three breaches of the Wyndham data system between June 2008 and January 2010 by a criminal organization based in Russia. The hackers have not been apprehended.
The breaches resulted in the leak of personally identifiable information (PII) from several hundred thousand credit and debit accounts and more than $10 million in fraud losses to consumers, according to the FTC. Wyndham asserts the only PII taken was credit and debit card information, and there is no proof of actual damage to consumers.
The FTC is asserting its power to regulate deceptive and unfair trade practices under Section 5 in its case against Wyndham. The first claim is that Wyndham made representations to the public that were false and that it could not perform. The second claim is that the defendant engaged in unfair business practices that “caused or [are] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.”
The FTC seeks a permanent injunction directing Wyndham to better secure its systems, as well as monetary damages.
The FTC filed the case in June 2012, and it subsequently was transferred from the Federal District Court of Arizona to the New Jersey District Court. At press time, a decision on the defendant’s motion to dismiss was still pending. The motion contends Congress never granted the FTC broad powers over data security issues.
“Wyndham notes that there are a host of more specific data-security laws already on the books, including the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, Gramm-Leach-Bliley and the Fair Credit Reporting Act, suggesting that there has not been a broad, general grant of data-breach security regulatory authority to the FTC,” Rosenzweig says.
The defendant’s position is supported in an amicus brief from a coalition led by the U.S. Chamber of Commerce.
Aberdeen City Council is to commit to improving its data protection practices after being hit with a £100,000 fine over a data breach where sensitive information about vulnerable children was published online, the Information Commissioner’s Office (ICO) has said. 30 Aug 2013
“It’s a huge breach,” said Tom Walsh, principal of Tom Walsh Consulting, Overland Park, Kan. This is likely to be the second trip to the OCR wall for Advocate. The theft of a laptop back in November 2009 also made the list because it, too, was unencrypted. The stolen laptop had the medical records of 812 individuals on board.
In an Aug. 23 statement, Advocate announced the breach, adding that it had sent letters to the affected patients and had offered them one year of credit monitoring. Advocate also said it had “reinforced our security protocols and encryption program with associates.” An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.
Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, confirmed the agency, which has privacy and security rule enforcement authority under the Health Insurance Portability and Accountability Act, had received a breach report from Advocate and has referred it to its regional office in Chicago for investigation.
Maura Possley, spokeswoman for Illinois Attorney General Lisa Madigan, said the attorney general’s office is also investigating the Advocate breach incident for potential violations under HIPAA and the Illinois Consumer Fraud and Deceptive Business Practices Act.
The costs to Advocate of this latest breach are likely to be substantial.
“You can imagine the extent of the forensic analysis to uncover what was on those hard drives,” said Kelly Jo Golson, senior vice president and chief marketing officer for Advocate Health Care, based in Downers Grove, Ill. “To the best of our knowledge, this data goes back to the early 1990s.”
“We established the call center, we set up the website,” Golson said. Advocate also sent out more than 4 million letters to affected patients and even hired 24/7 security guard coverage at its Park Ridge administrative office and is reviewing the need for physical security throughout the organization.
Golson said Advocate hasn’t tallied up the costs of the breach. “At some point, we’ll look at the financial implications, but we’re not there yet.”
So far, there has been no recovery of the computers or an arrest.
Golson said Advocate embarked on a program of encrypting its computers in 2009, the year the laptop went missing. The initial target was to encrypt “all new laptops and all old ones that were able to be encrypted.” Next, the hospital started on desktop computers, again, ensuring all new ones were encrypted and “we began a process to encrypt old ones.”
Golson said she didn’t know the number of computers Advocate uses at its more than 250 care sites. “We do have 35,000 associates across the Advocate enterprise, so it’s a large number.”
Golson said the data types in the stolen records varied. Some included Social Security numbers or medical record numbers, for example, while others did not. The data was used for “primarily operational and administrative purposes” such as appointment scheduling, benefits verification, coordination of care and patient registration.
Those data elements, while limited, still would be sufficient for medical identity theft, said Pam Dixon, founder and executive director of the World Privacy Forum.
In two online public statements, Advocate said the breach involved “no patient medical records” and it “has no impact on patient care.”
“We are certainly not trying to state that this information couldn’t be used inappropriately,” Golson said. “We just wanted to assure folks it wasn’t the level of information that’s included in a full medical record. We understand why our patients are concerned. We deeply regret this.”
According to Walsh, given the risk of storing data without encryption and the relatively low cost to encrypt—about $55 per computer—it’s hard to justify the lack of encryption purely on the cost of installing encryption software. Data handlers are supposed to be in compliance with HIPAA’s security standards.
Only 64% of healthcare organizations—both hospitals and office-based physician practices—use encryption when they transmit healthcare information, according to a survey conducted in 2012 by the Healthcare Information and Management Systems Society, said Lisa Gallagher, vice president, technology solutions for HIMSS.
Advocates of encryption say there is a people problem in convincing physician groups to use encryption. “Their eyes kind of glaze over,” he said. “They don’t have anybody that’s technically qualified. It’s generally going to fall to the practice manager who’s going to be the compliance officer, the privacy officer, the security officer and every other thing they have to do, including running a practice.”
Walsh said he’s also heard grumbling, “If you put full-disk encryption on, and you boot up, it slows the boot-up process.” Walsh said it might require two passwords, one for encryption and one for the operating system. “A lot of times people think that’s inconvenient.” But with the latest Windows operating system, disk encryption is available as an option. All that needs to be done is to turn it on, he said.
For a big group like Advocate, not addressing encryption is another story. “I just can’t understand how an organization could have allowed that to occur,” Walsh said. “They should have identified this through their risk analysis years ago, and it should have been remediated.”
The record for the all-time largest HIPAA breach for any entity thus far goes to Science Applications International Corp., the business associate of a HIPAA-covered entity, Tricare Management Activity, the Defense Department’s health insurer. In 2011, an SAIC employee reportedly had backup tapes stolen from his parked car in San Antonio. Those unencrypted tapes bore the records of 4.9 million active duty and retired military personnel covered by Tricare.
If lack of encryption seems to be a common theme running through these three breach incidents, there’s good reason.
There are currently 659 breaches on the OCR list. In each, the records of 500 or more individuals have been exposed. Combined, they account for more than 22.8 million records breached. Of the listed breaches involving unencrypted computers or other electronic devices, 48% of the incident reports mention theft, 11% loss and 8% hacking, all events that encryption might have mitigated.
Encryption won’t by itself solve all of the healthcare industry’s medical records security problems—nearly 1 in 4 reported breaches (24%) on the Office for Civil Rights list involved paper records. But encrypting electronic records would go a long way toward keeping a healthcare organization out of hot water with the feds. Under HIPAA, data that are sufficiently encrypted to be rendered “unusable, unreadable or indecipherable” make it unnecessary to file a breach notification, for example.
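Walsh’s point above is that on current Windows releases disk encryption only has to be switched on, and the HIPAA safe harbor only applies to data that is actually rendered “unusable, unreadable or indecipherable.” The following PowerShell script is an added example, not code from the article or from any organization it mentions: it inventories BitLocker state on one machine and flags fixed volumes that are not fully encrypted with protection turned on, so a risk analysis has evidence rather than an assumption. It assumes a Windows edition that ships BitLocker (Windows 8 / Server 2012 or later) and the BitLocker PowerShell module; the report path and the `Compliant` rule are choices made for this example.

```powershell
# Added example (not from the article): audit BitLocker status on the local machine.
# Assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module installed.
Import-Module BitLocker -ErrorAction Stop

function Get-FixedVolumeEncryptionReport {
    # Only operating-system and fixed data volumes are checked here; removable
    # media is usually governed by a separate policy.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                MountPoint       = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                ProtectionStatus = $_.ProtectionStatus   # On or Off
                PercentEncrypted = $_.EncryptionPercentage
                KeyProtectors    = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ','
                # Rule used by this example: a volume is compliant only when the data
                # is fully encrypted AND protection is on. A FullyEncrypted volume with
                # ProtectionStatus Off is suspended (key stored in the clear), so a stolen
                # drive in that state is readable and would not qualify for safe harbor.
                Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            }
        }
}

$report = Get-FixedVolumeEncryptionReport
$report | Format-Table -AutoSize

# Keep a dated record per machine; this is the evidence a risk analysis needs.
# Output path is an assumption for this example.
$csv = Join-Path $env:ProgramData ("bitlocker-audit-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$report | Export-Csv -NoTypeInformation -Path $csv

$unprotected = $report | Where-Object { -not $_.Compliant }
if ($unprotected) {
    Write-Warning ("{0} fixed volume(s) on {1} are not fully encrypted with protection on: {2}" -f
        @($unprotected).Count, $env:COMPUTERNAME, (($unprotected | ForEach-Object MountPoint) -join ', '))
    exit 1
}
```

Run it from an elevated PowerShell session on each endpoint, or push it through PowerShell remoting or your configuration management tool and collect the CSV files centrally. A non-zero exit is the signal to act on; a volume that shows `EncryptionInProgress` is also non-compliant under this rule until it reaches `FullyEncrypted`, because a partially encrypted disk still exposes whatever has not yet been converted.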
Gallagher said her organization is about to begin this year’s survey and should have results by December. With more rigorous enforcement of the HIPAA security rule in recent years, Gallagher said she hopes to see a rise in encryption usage.
Follow Joseph Conn on Twitter: @MHJConn
A Florissant orthodontist’s office has informed 10,000 people that their personal information could be compromised because of a break-in and burglary at its offices in July.
Olson White Orthodontics, which also has offices in O’Fallon, Mo., was burglarized on July 22. Thieves took computers containing personal data, including patient health information, according to Armstrong Teasdale, the Clayton-based law firm hired by Olson White after the break-in.
Dan Nelson, an attorney with the firm, said he was not aware of any personal information being stolen or used. But under federal health privacy laws patients need to be informed of a possible loss or misuse of personal data within 60 days. Letters were sent Thursday.
“I wouldn’t characterize it as a lag,” Nelson said, referring to the nearly five-weeks since the burglary occurred and when the letters were sent. “We had to do a fairly extensive investigation to determine what personal information may have existed on the stolen hardware and the scope of the number of people potentially impacted.”
Most of the patients were likely teenagers who were getting braces, Nelson said. Their parents’ data was also in the office’s systems.
The patients’ personal information included names, addresses, X-rays, photos and diagnostic findings. The parents’, or insured party’s, information included names, emails, Social Security numbers and credit scores.
The computers were password-protected, but savvy identity thieves could still lift the data if they pursued it, Nelson said. Other items were stolen from the office, including a flat-screen television.
The investigation into the theft is ongoing, Nelson said.
Patients are being told to take specific steps to protect against identity theft, including not verifying requests to confirm any sensitive personal information.
Patients with questions should call Olson White during normal business hours at 1-855-479-9542.
Liberty Mutual Insurance Co. is suing Schnuck Markets Inc., arguing that it shouldn’t be liable for eight lawsuits filed against the grocery store chain over a data breach that might have compromised about 2.4 million credit and debit cards at most of its stores this year.
Schnuck has more than 30 stores in Illinois, including in the Rockford area. The family-owned chain has said cards used at 79 of its 100 stores might have been exposed in a criminal hacking that occurred during a recent four-month period.
In a lawsuit filed this month in a U.S. District Court in the eastern district of Missouri, Liberty Mutual, which is the grocer’s insurer, said, among other things, that its policy covers losses related to tangible property, and that “for purposes of this insurance, electronic data property is not tangible property.”
Schnuck spokeswoman Lori Willis called the Liberty Mutual lawsuit “disappointing, even surprising.”
“We never expected a lawsuit from our insurance company,” she said. “We bought a policy, and they are attempting to walk away from their obligations under that policy.”
Schnuck was proactive in getting the coverage and expects Liberty Mutual to honor the commitment, Willis said.
A court filing in another case has shown that Schnuck, based in St. Louis and run by a third generation of family, could face $80 million in punitive damages in Illinois alone.
Consumers have filed eight lawsuits against Schnuck regarding the data breach. Nearly all are class-action lawsuits, and four have been filed in Illinois.
The breach occurred from December through March.
A passing: The father of Morningstar Inc. Chief Executive Joe Mansueto died last month.
Mario Mansueto “was two weeks shy of his 88th birthday,” said his son, also founder of the Chicago-based investment research firm. “He died peacefully in his sleep at his home in Munster, and I miss him very much.”
Mario Mansueto was born in Montefalcone, Italy, and immigrated to the United States at age 3. He was a longtime ear, nose, and throat physician in northwest Indiana.
Joe Mansueto, one of Mario’s three surviving children, is on Forbes’ list of the world’s 1,426 billionaires and has pledged to give away half his wealth.
ATM aid: PNC Bank’s Performance Checking has begun offering unlimited reimbursement of ATM fees and surcharges incurred at any bank; typically, consumers have to pay fees when they use ATMs at other banks.
The offer is good only in Chicago, Milwaukee and some Southeast markets for customers of Pittsburgh-based PNC, the sixth-biggest deposit gatherer in the Chicago area.
Homebuying 101: Wintrust Financial this week received its trademark registration for PATH2OWN, a service that the Rosemont-based banking company’s mortgage unit rolled out this year to coach consumers through the process of buying a home.
Article source: http://threatpost.com/threatpost-news-wrap-august-30-2013/102142
Like most major Web and software companies, Facebook receives a lot of bug reports. As one researcher learned recently, not all bugs are created equal, and Facebook doesn’t like people messing with its users–or its executives.
New documents leaked by Edward Snowden quantify the resources supporting an extensive intelligence community crypto-cracking program.
Tens of thousands of people and billions of dollars are behind the Consolidated Cryptologic Program, as reported yesterday by The Washington Post. Signals intelligence, otherwise known as SIGINT, remains one of the best-funded initiatives according to the document handed over by the whistleblower Snowden, currently in asylum in Russia. The Post published portions of the 178-page top-secret budget justification document for the fiscal 2013 National Intelligence Program; this is the first time such a report has been made public.
The budget was a whopping $52.6 billion, according to the document, which also lays out some of the offensive cyber objectives the National Security Agency and Central Intelligence Agency have established. The Post, however, said it withheld most of the details of such operations after consulting with government officials concerned about protecting its intelligence sources and methods.
Director of National Intelligence James Clapper wrote the opening statement for the document, which is dated February 2012. In it, Clapper said signals intelligence and cybersecurity were two areas where investments were increasing.
“We are bolstering our support for clandestine SIGINT capabilities to collect against high priority targets, including foreign leadership targets,” Clapper wrote. “Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.”
The Post said the document indicates 35,000 code-breakers from the NSA and the four branches of the armed services are part of the Consolidated Cryptologic Program. In addition, beyond hacking and code breaking, the NSA said it was devoting close to $50 million to deal with increasing storage costs associated with data collection activities under Section 215 of the Patriot Act and the PRISM program. The Post story also said the CIA devotes more than 11 percent of its budget and almost $2 billion to “technical collection” and referred to a joint project with the NSA called CLANSIG, purportedly an initiative central to foreign radio and telephone communication interception.
This is just the latest in a string of top-secret documents Snowden has handed over to major media entities since the first leaks were published in June by the Guardian UK newspaper. This also isn’t Snowden’s first intel drop related to encryption capabilities.
In late June, documents dated 2009 and released by the Guardian outlined NSA policy on the retention of data, including encrypted communication. Even messages collected by chance and without a warrant may be held as long as it takes for analysts to decrypt them, the documents said. Also, users of Tor and other online proxy-based anonymity services were put on notice that communication between people whose location is unknown is considered communication between non-U.S. citizens and can be retained.
The documents outlined policy on how the NSA handles data and communication pertaining to foreign intelligence matters and what to do with data inadvertently collected.
The documents say that inadvertently collected communications must be destroyed within five years of acquisition and upon determination that no foreign intelligence information is contained. They stipulate, however, that electronic communication may be retained longer while under cryptanalysis.
“In the context of a cryptanalytic effort, maintenance of technical databases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis,” the document said.
Image courtesy World Can’t Wait Flickr feed