Archive for March, 2014

HIMSS Security Survey: Preparing to handle the worst data breach

Michael Bruemmer

In today’s data-heavy landscape, data breaches are an unfortunate reality for organizations across all industries. Looking specifically at the healthcare industry, we find that just last year nearly one in five healthcare provider organizations reported having experienced a security breach, and about one in eight had at least one case of medical identity theft.1 While healthcare organizations recognize these security incidents as a real threat, the amount of data sharing is not keeping pace with the adoption of security practices and protocols.

According to the 2013 HIMSS Security Survey, conducted last month by the Healthcare Information and Management Systems Society in partnership with Experian Data Breach Resolution, 88 percent of healthcare organizations indicated they currently share information with third-party vendors. However, of the 283 healthcare information technology (IT) and security professionals surveyed, most are not well prepared to protect that data. For example, only about half of physicians provide encryption while in transit (i.e., laptop protection). And although we are seeing an increase in organizations that both have and test a data breach response plan, nearly half are not testing regularly, which can leave them vulnerable.

The good news is there are several steps healthcare organizations large and small can take to help prepare for a breach, and protect the electronic health records shared with third parties.

1. Train Employees. Recognizing inappropriate data access by insiders as an area where organizations are at risk of a security breach, there has been increased use of several key technologies related to employee access to patient data, including user access control and audit logs of access to patient health records. Data from the HIMSS Security Survey suggest the greatest perceived “threat motivator” is that of healthcare workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers (i.e., inappropriate data access).

Even the most basic security protocols, such as encryption for employee mobile devices and laptops, are important security practices. Check that physicians are keeping their work-related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months. It is also important to verify that staff are up to date on company policy regarding data security procedures, including which digital and paper documents to keep and how to securely discard what is not needed. Train staff to identify signs of cyber security threats in their daily work and to know the proper course of action for reporting a breach.

2. Practice Makes Perfect. More than half of respondents from the HIMSS security survey report their organization has tested their data breach response plan. Those working for hospitals were more likely to report that this was the case, compared to respondents working for physician practices. Two-thirds of those who responded that their organization tests their data breach response plan reported that their plan was tested annually. While great to see healthcare organizations are developing a data breach response plan, this should also be regularly practiced with the team.

3. Invest in Security. More than half of survey respondents indicated their organizations had increased budgeted spending on security, but 49 percent admitted they spent 3 percent or less of their overall IT budgets on security initiatives that will secure patient data. Recognizing the real threat of breaches, organizations should at minimum invest in employee training, a proper data breach response plan and security software. Check that automated software and operating system updates for the entire company are installed properly. Ensure automated security monitoring and reporting systems are up to date, and securely store sensitive patient data.

As more and more data is shared by the healthcare sector, there is increased concern among security professionals about the safety of electronic records. Many organizations have yet to implement the technologies to protect this data, yet there are positive signs that breaches are being taken more seriously. We are likely to see an upward trend in the adoption of security practices and tools in the healthcare industry to better prepare against potential incidents.

Copyright 2014 MedCity News. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Data Breaches Eroding Usefulness of Personal Identification, Argues New …


The number of personal records compromised by data breaches has reached such proportions that once important identifiers such as U.S. social security numbers could soon stop being a reliable way of authenticating people, a new analysis by NSS Labs has suggested.

The world according to Why Your Data Breach is My Problem by security researchers Stefan Frei and Bob Walder is a depressing if not downright worrying one where breaches have stopped being frightening exceptions and become almost normal.

This has bred a mixture of complacency and organisational inertia; NSS Labs is not the first to point out the extraordinary statistic that at least half of the largest data breaches yet recorded happened in 2013. This is surely not simply a matter of better detection – criminals really are going after personal data like miners drawn to a bizarre digital gold rush.

But as the report also makes clear, the long-term accumulation of large data breaches could be to fatally undermine the usefulness of supposedly private personal data itself. If criminals keep mining huge amounts of personal data from thefts, it will eventually become difficult for anyone to authenticate themselves using today’s identifiers.

“Cybercriminals have already been collecting and correlating breach information, and eventually they will be able to accurately identify individual users in large numbers. Therefore, in the long term, these static information attributes will no longer be considered private,” said the report.

These identifiers include date of birth, gender, citizenship and social security numbers (SSNs), all static identifiers that consumers can’t change after a breach as they can a password or credit card number. Static identifiers are also used by multiple services, which means that a compromise of one can impact many others.

In the view of the authors, the idea of identifying people using this kind of data pre-dates not only the era of massive information breaches but the Internet itself. Enterprises, and especially governments, should reduce their dependence on them.

Businesses should look to hold the minimum amount of data they need, preferably using dynamic identifiers that don’t put a user’s identity at risk in the long term, the authors recommend. Meanwhile all users at risk – those whose accounts have been compromised – should be properly re-authenticated.

“The continuing large-scale erosion of privacy related to data once considered confidential poses a challenge not only to the industry but to society as well,” said the authors.

“Governments and the industry should consider setting up a trusted clearing-house that systematically collects and analyses breached data in order to notify and consult the operators of services at risk and to help users assess their risk.”

The NSS Labs perspective on data breaches is a reminder that an industry still arguing over notification laws has a huge amount of work to do. One firm, SafeNet, has even funded an attempt to rate breaches on a Richter-like scale beyond simply looking at the number of records compromised.

Regardless of size and apparent seriousness, Why Your Data Breach is My Problem is a reminder that the data breaches of the last year will not be victimless crimes. The serious cumulative effect of breached data might not yet have shown its full destructive effects.


Security firm Trustwave says Target data breach claims baseless

(Reuters) – Trustwave Holdings Inc, a credit-card security firm that has been sued along with Target Corp (TGT.N) over a sweeping data breach, said on Saturday it did not process cardholder data for the retailer or handle Target’s data security as a lawsuit alleges.

In a letter to customers and business partners, Trustwave Chief Executive Robert McCullen said the company’s connection to Target was not what had been portrayed in a suit filed last Monday by two banks seeking at least $5 million in damages.

“Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target,” said the letter from McCullen posted on the company’s website.

“These claims against Trustwave are without merit,” the letter added.

The lawsuit filed in Chicago federal court by Trustmark National Bank and Green Bank NA accuses Target and Trustwave of failing to properly secure customer data, enabling the theft of about 40 million payment card records plus 70 million other records, including addresses and phone numbers.

The banks said they lost money from alerting customers to the breach, reimbursing fraudulent charges and reissuing cards. Those losses could increase, they said, if criminals ultimately use several million stolen cards as some analysts project.

While the complaint seeks unspecified damages of at least $5 million, New York-based Trustmark and Houston-based Green Bank said losses could top $1 billion for card issuers they hope to represent in a class action, and $18 billion for banks and retailers combined.

Target, the no. 3 U.S. retailer, already faces dozens of lawsuits over the breach, but the lawsuit filed on Monday appears to be the first to focus on Trustwave, a privately held Chicago-based provider of credit-card security services.

The data breach occurred from November 27, the big post-Thanksgiving shopping day known as Black Friday, to about December 15.

The case is Trustmark National Bank et al v. Target Corp et al, U.S. District Court, Northern District of Illinois, No. 14-02069.

(Reporting by Jonathan Stempel in New York, and Jim Finkle in Boston; Writing by Carey Gillam in Kansas City; Editing by Peter Cooney)


Researcher Identifies Potential Security Issues With Tesla S

The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart–literally and figuratively–a Toyota Prius to see what vulnerabilities might lie inside; and they found plenty. Now, another researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely.

The Tesla S is a high-end, all-electric vehicle that includes a number of interesting features, including a center console touchscreen that controls much of the car’s systems. There also is an iPhone app that allows users to control a number of the car’s functions, including the door locks, the suspension and braking system and sunroof. Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to login to the iPhone app.

Dhanjani discovered that the Tesla site doesn’t seem to have a function to limit the number of login attempts on a user account, so an attacker potentially could try to brute force a user’s password. An attacker also could phish a user to get her password and then, if he had access to the user’s iPhone, log in to the Tesla app and control the vehicle’s systems. The attacker also could use the Tesla API to check the location of the user’s vehicle, even without the iPhone app.

“The point here (and subsequent attack vectors) is that Tesla needs to implement an authentication mechanism that is beyond 1-factor. Attackers shouldn’t be able to use traditional and well known attack vectors like phishing to remotely locate and unlock a 100k+ car built in 2014,” he said via email.

“In cases where the attacker is able to hack another website, he or she can use the usernames and credentials from the compromised accounts to attempt them on Tesla’s website and APIs given that users have the tendency to re-use passwords.”

Other possible attack vectors Dhanjani envisioned include an attacker installing malware on a target user’s machine to log his password for the Tesla site or using social-engineering attacks against Tesla employees to have them turn over passwords or remotely unlock a vehicle. The phishing and malware attack vectors are threats that any site that relies on a password faces. But they take on extra importance when the password is associated with something as valuable as a car.
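The two weaknesses described above, a login endpoint with no limit on attempts and passwords re-used from other compromised sites, share one server-side mitigation: count authentication failures per account and per client address, lock the key once a threshold is reached, and double the lockout on every repeat. The Python below is an added example written for this page, not Tesla's code or Dhanjani's; the account store, the client addresses (203.0.113.5 and 198.51.100.7 from the documentation ranges) and the lockout parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the demo account store (constructed, not Tesla's)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Verified against when the username is unknown, so response time does not
# reveal which usernames exist (hypothetical record, constructed for the demo).
_DUMMY_RECORD = hash_password("placeholder-not-a-real-password")


class LoginThrottle:
    """Consecutive-failure counters per account and per client address.

    When a counter reaches max_failures the key is locked; every further lockout
    on that key doubles the delay, capped at max_lockout. The clock is injectable
    so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, base_lockout=60, max_lockout=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._failures = defaultdict(int)   # key -> consecutive failures
        self._lockouts = defaultdict(int)   # key -> lockouts so far (drives the backoff)
        self._locked_until = {}             # key -> clock value at which the lock expires

    @staticmethod
    def _keys(username, client_ip):
        # Keying on the address as well catches credential stuffing, where each
        # guess targets a different account so per-account counters never trip.
        return (("user", username.lower()), ("ip", client_ip))

    def is_blocked(self, username, client_ip):
        now = self.clock()
        return any(self._locked_until.get(k, 0) > now for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip):
        for key in self._keys(username, client_ip):
            self._failures[key] += 1
            if self._failures[key] >= self.max_failures:
                self._lockouts[key] += 1
                delay = min(self.base_lockout * 2 ** (self._lockouts[key] - 1), self.max_lockout)
                self._locked_until[key] = self.clock() + delay
                self._failures[key] = 0

    def record_success(self, username, client_ip):
        # Only the account key is reset: one valid login from an address that is
        # spraying guesses should not wipe that address's history.
        key = ("user", username.lower())
        self._failures.pop(key, None)
        self._lockouts.pop(key, None)


def attempt_login(throttle, store, username, password, client_ip):
    """Returns 'locked', 'denied' or 'ok'. store maps lowercase username -> (salt, digest)."""
    if throttle.is_blocked(username, client_ip):
        return "locked"
    record = store.get(username.lower())
    salt, digest = record if record is not None else _DUMMY_RECORD
    ok = verify_password(password, salt, digest) and record is not None
    if ok:
        throttle.record_success(username, client_ip)
        return "ok"
    throttle.record_failure(username, client_ip)
    return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, base_lockout=60)
    store = {"owner": hash_password("correct horse battery")}
    for _ in range(3):
        print(attempt_login(throttle, store, "owner", "wrong guess", "203.0.113.5"))
    print(attempt_login(throttle, store, "owner", "correct horse battery", "203.0.113.5"))
```

The throttle is one layer, not a replacement for the second factor Dhanjani asks for: it slows online guessing and spraying to a crawl, but a phished or re-used password still works on the first try, which is exactly why the second factor matters.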

“The Tesla Model S is a great car and a fantastic product of innovation. Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings. Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level,” Dhanjani said.

Along with the authentication issues, Dhanjani also found that by connecting a laptop to the vehicle through a port in the dashboard, he could identify three separate IP-enabled devices in the vehicle, potentially the dashboard screen, the center console and an unidentified third device. Both the console and the dashboard have a number of services exposed, including SSH and HTTP, and the third device has telnet exposed as well.

He said that he has sent the information he gathered to a Tesla employee through a friend and the company is aware of what he’s published, but he hasn’t heard an official response.


Second NSA Crypto Tool Found in RSA BSafe

A team of academics released a study on the maligned Dual EC DRBG algorithm used in RSA Security’s BSafe and other cryptographic libraries that includes new evidence that the National Security Agency used a second cryptographic tool alongside Dual EC DRBG in Bsafe to facilitate spying.

Allegations in top secret documents leaked by Edward Snowden say the NSA subverted the NIST standards process years ago in order to contribute weaknesses to the Dual EC DRBG algorithm. Reuters then reported in December that RSA Security was paid $10 million to make it the default random number generator in Bsafe. Those libraries are not only in RSA products, but in a good number of commercial and open source software packages.

The paper, “On the Practical Exploitability of Dual EC in TLS Implementations,” concludes that Dual EC can be cracked in short order given its inherent predictability weaknesses in generating random numbers. The inclusion of the Extended Random extension in Bsafe reduced the time required to crack the algorithm exponentially, from three hours on Microsoft Windows SChannel II down to four seconds in Bsafe for C. The researchers also tested OpenSSL’s implementation of Dual EC and found it the most difficult to crack.

A report this morning by Reuters outed the presence of Extended Random in Dual EC DRBG; the extension works contrary to its mission of enhancing the randomness of numbers generated by the algorithm.

Reuters said today that, while use of Extended Random isn’t pervasive, RSA built support for Extended Random in BSafe for Java in 2009. The paper explains how the researchers used $40,000 worth of servers in their experiment and that cracking BSafe for C and BSafe for Java were the most straightforward attacks.

“The BSAFE implementations of TLS make the Dual EC back door particularly easy to exploit in two ways,” the researchers wrote. “The Java version of BSAFE includes fingerprints in connections, making them easy to identify. The C version of BSAFE allows a drastic speedup in the attack by broadcasting longer strings of random bits than one would at first imagine to be possible given the TLS standards.”

Stephen Checkoway, assistant research professor at Johns Hopkins, told Reuters it would have been 65,000 times faster with Extended Random.

RSA Security said it had removed Extended Random within the last six months, but its CTO Sam Curry would not comment on whether the government had paid RSA to include the protocol in BSafe as well.

RSA advised developers in September to move off Dual EC DRBG, one week after NIST made a similar recommendation. But experts were skeptical about the algorithm long before Edward Snowden and surveillance were part of the day-to-day lexicon. In 2007, cryptography experts Dan Shumow and Niels Ferguson gave a landmark presentation on weaknesses in the algorithm, and Bruce Schneier wrote a seminal essay in which he said the weaknesses in Dual EC DRBG “can only be described as a backdoor.”

Schneier wrote that the algorithm was slow and had a bias, meaning that the random numbers it generates aren’t so random. According to the new paper, an attacker who generated the constants in Dual EC—as the NSA would have if it inserted a backdoor into the RNG—would be able to predict future outputs.

“What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output,” Schneier wrote in the essay. “To put that in real terms, you only need to monitor one TLS Internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

“The researchers don’t know what the secret numbers are,” Schneier said. “But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.”
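Schneier's “skeleton key” relationship can be shown concretely on a toy curve. The Python below is an added example for this page, not code from the paper, RSA or OpenSSL: a simplified Dual EC generator over the curve y^2 = x^3 + 7 mod 1000003 whose two public points are produced in tandem, Q first and then P = e*Q for a secret e. Whoever knows e turns one output block (plus the next block to confirm the guess) into the generator's internal state and predicts everything after. The real generator drops the top 16 of 256 bits per output block, so the recovery loop there tries up to 65,536 candidates; this miniature drops the top 4 of about 20 bits and tries at most 16. The curve, the secret e = 7919 and the seed are constructed for the demonstration.

```python
# Toy Dual EC DRBG with "tandem" constants (constructed example, not the real algorithm's parameters).

FIELD = 1000003                                # prime, 3 mod 4: square roots are one exponentiation
A, B = 0, 7                                    # curve y^2 = x^3 + A*x + B over GF(FIELD)
KEPT_BITS = 16                                 # output keeps the low 16 bits of the x-coordinate
DROPPED_BITS = FIELD.bit_length() - KEPT_BITS  # 4 bits dropped, so 16 candidates to try
MASK = (1 << KEPT_BITS) - 1


def inv(a):
    return pow(a, FIELD - 2, FIELD)


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % FIELD
    y = pow(rhs, (FIELD + 1) // 4, FIELD)
    return (x, y) if (y * y) % FIELD == rhs else None


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % FIELD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    result, addend = None, p
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def x_of(p):
    if p is None:
        raise ValueError("hit the point at infinity; choose a different seed")
    return p[0]


def make_backdoored_constants(secret_e, start_x=2):
    """Pick Q, then publish P = e*Q. P and Q look like unrelated points; only e links them."""
    x = start_x
    while lift_x(x) is None:
        x += 1
    Q = lift_x(x)
    return mul(secret_e, Q), Q


class ToyDualEC:
    """One Dual EC round: s <- x(s*P); output x(s*Q) with the top bits dropped."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_output(self):
        self.s = x_of(mul(self.s, self.P))
        return x_of(mul(self.s, self.Q)) & MASK


def recover_generator(r_i, r_next, secret_e, P, Q):
    """Trapdoor use: rebuild a clone synchronised with the generator that emitted r_i, r_next.

    Each candidate x for the dropped bits gives a point R = s*Q (either sign of y works,
    since e*R and -e*R share an x-coordinate). Then e*R = s*(e*Q) = s*P, whose x-coordinate
    is the generator's next state; r_next confirms which candidate was right."""
    for hi in range(1 << DROPPED_BITS):
        x = r_i | (hi << KEPT_BITS)
        if x >= FIELD:
            break
        R = lift_x(x)
        if R is None:
            continue
        s_next = x_of(mul(secret_e, R))
        if x_of(mul(s_next, Q)) & MASK == r_next:
            return ToyDualEC(s_next, P, Q)
    return None


if __name__ == "__main__":
    SECRET_E = 7919                                  # constructed secret, known only to whoever made P
    P, Q = make_backdoored_constants(SECRET_E)
    gen = ToyDualEC(123456, P, Q)                    # constructed seed
    r0, r1 = gen.next_output(), gen.next_output()    # what an eavesdropper sees on the wire
    clone = recover_generator(r0, r1, SECRET_E, P, Q)
    print("predicted:", [clone.next_output() for _ in range(4)])
    print("actual:   ", [gen.next_output() for _ in range(4)])
```

The honest implementer sees only P and Q, which look like any other pair of points; nothing in the outputs reveals whether an e exists, and no amount of testing the generator's statistics will find it. That is why the remedy elsewhere on this page is removal of the algorithm rather than a configuration change.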

Over the weekend, Steve Marquess, founding partner at the OpenSSL Software Foundation, slammed FIPS 140-2 validation testing and speculated that the weaknesses in Dual EC DRBG were carefully planned and executed, likening them to an advanced persistent threat in a post on his personal website. FIPS 140-2 is the government standard against which cryptographic modules are certified.

“That, I think, perhaps even more than rigged standards like Dual EC DRBG, is the real impact of the cryptographic module validation program,” he wrote. “It severely inhibits the naturally occurring process of evolutionary improvement that would otherwise limit the utility of consciously exploited vulnerabilities.”

He offered up the OpenSSL FIPS module as an example where vulnerabilities live on, including Lucky 13 and CVE-2014-0076.

“That’s why I’ve long been on record as saying that ‘a validated module is necessarily less secure than its unvalidated equivalent’, e.g. the OpenSSL FIPS module versus stock OpenSSL,” he said.

Dual EC DRBG, however, is not enabled by default in the OpenSSL FIPS Object Module, but its presence offers an attacker who is on a server by another means the chance to enable it silently.

“As an APT agent you already have access to many target systems via multiple means such as ‘QUANTUM INTERCEPT’ style remote compromises and access to products at multiple points in the supply chain. You don’t want to install ransomware or steal credit card numbers, you want unobtrusive and persistent visibility into all electronic communications,” Marquess wrote. “You want to leave as little trace of that as possible, and the latent Dual EC DRBG implementation in the OpenSSL FIPS module aids discrete compromise. By only overwriting a few words of object code you can silently enable use of Dual EC, whether FIPS mode is actually enabled or not. Do it in live memory and you have an essentially undetectable hack.”

Marquess said the best defense is not to have the code present at all and that the OSF is trying to have it removed from its FIPS Module.


Texas Retail Giant Spec’s Victim Of Data Breach


March 31, 2014

Texas retail chain Spec’s Wine, Spirits and Finer Foods announced Friday that financial information for more than half a million customers may have been exposed in what the company is calling a sophisticated hacking scheme. The breach, which covered 34 Spec’s-owned stores spanning the state, is believed to have run from October 31, 2012 until as recently as March 20 of this year.

Spec’s says it was alerted to the scam by a major lending institution and one of its card payment processors. The retailer subsequently hired a private investigator and turned over evidence to the U.S. Secret Service, according to the Houston Chronicle. The issue is now resolved, the company says.

Houston-based Spec’s, which has 155 stores across Texas, joins major retailers like Target and Neiman Marcus, which have also lately fallen victim to data hacking. Target’s breach affected more than 100 million consumers, while Neiman Marcus’s affected 1.1 million.


Data breaches in federal departments soar in 10 months

Image from Shutterstock

Nestor E. Arellano

Published: March 31st, 2014

Here’s another sign of how bad network security is in the national capital: the federal government suffered more data breaches in the last 10 months than it has in the last 10 years, according to a report to Parliament.

A synopsis of the report was carried today by the Ottawa Citizen.

The large number of breaches for the 10-month period can be attributed to the Canada Revenue Agency reporting data breaches for the first time.

The Department of National Defence (DND) would not release data breach figures for the 10-month period covered by the report, saying releasing classified information would be a threat to national security.

During the period between April 1, 2013 and January 29, 2014, federal departments and agencies reported no less than 3,763 data breaches, including incidents where taxpayers’ information was lost, compromised or mistakenly released, according to a report by the Privacy Commissioner’s Office. That figure is slightly higher than the 3,000 data breaches reported by the government in the last 10 years, according to the Citizen.


The federal government generally “does a good job” of protecting citizens’ personal data but there is still “room for improvement,” according to Anne-Marie Hayden, spokesperson for the privacy commissioner’s office.

Most recent figures show that the CRA reported 2,983 data breach incidents during the reporting period. About 120 of the cases stemmed from theft or loss of data or information being compromised.


Sally Beauty data breach is bigger than earlier announced


Sally Beauty Supply is based in Denton.

Lance Murray
Digital Content Producer- Dallas Business Journal


Denton-based Sally Beauty Holdings Inc. said that more customers may have been affected by a breach of its computer systems than previously announced and that it was going to offer one year of free credit monitoring and identity theft protection to customers who might have been affected.

“Our customers remain our top priority,” Chairman, President and CEO Gary Winterhalter said in a release. He said that instructions on how customers can take advantage of the service can be found on the company’s website.

Earlier in March, Sally Beauty said that it discovered evidence that fewer than 25,000 records containing credit card data had been accessed.

Now, Sally Beauty said further investigation shows that the number of affected accounts likely is larger than the earlier number, but the company said it “would not speculate on the scope of our recent data security incident until forensic review processes because experience with such incidents at other retailers has taught that it is difficult to ascertain the extent of a data breach incident until the required forensic review is complete.”

Sally Beauty (NYSE: SBH) sells and distributes hair, skin and nail care products through 4,700 stores, including approximately 200 franchised units, throughout the United States, the United Kingdom, Belgium, Chile, France, the Netherlands, Canada, Puerto Rico, Mexico, Ireland, Spain and Germany, the company said on its website.

Sally Beauty is just one of the recent data security breaches reported by retailers, including hacks at Target Corp. (NYSE: TGT) and at Dallas-based Neiman Marcus.

Lance Murray edits and writes for the DBJ’s website and can be reached at 214-706-7106


Google DNS Intercepted in Turkey


Target Downgraded by S&P After Data Breach Crimps Profit

Target Corp. (TGT), the second-largest U.S. discount retailer, had its debt rating cut by Standard & Poor’s after a hacker attack and sluggish performance at its Canadian unit squeezed fourth-quarter profit.

The rating was dropped one level to A, the sixth-highest investment grade, from A+, S&P said yesterday in a statement. The ratings firm has a stable outlook on Target, which ranks second to Wal-Mart Stores Inc. in the discount-retail industry.

The retail chain suffered a data breach at the height of the holiday season last year, allowing hackers to steal card data and personal information from millions of shoppers. Even as Chief Executive Officer Gregg Steinhafel worked to reassure customers, the attack took a toll on fourth-quarter results, contributing to a 46 percent drop in net income.

“We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014, but this should moderate over time,” Ana Lai, an analyst at the New York-based ratings firm, said in the report. “While the costs related to the data breach are difficult to forecast, we believe these expenses could be significant but manageable given Target’s good cash flow generation.”

Photographer: Patrick T. Fallon/Bloomberg. Customers reach for shopping carts inside a Target Corp. store in Torrance, California.

Target’s stock was little changed in yesterday’s trading, closing at $59.98 in New York. Shares of the Minneapolis-based company have dropped 5.2 percent so far this year, compared with a 0.5 percent gain for the S&P 500 Index.

The retailer’s bonds, meanwhile, have gained 4.45 percent in 2014, outperforming the 3.78 percent rise among peers in the Bloomberg U.S. Corporate Bond index. Target has $11.7 billion of obligations outstanding, with about $1 billion of debt coming due this year.

Canada Woes

In addition to suffering the data breach, Target had a bigger-than-expected loss at its Canadian division, S&P said. Earnings before interest, taxes, depreciation and amortization fell to $6.1 billion in the last fiscal year, missing S&P’s estimate of about $6.7 billion. Target’s debt leverage increased to 2.5 times in fiscal 2013, compared with the ratings firm’s prediction of 2.3.

Target testified before a U.S. Senate panel this week about the hacker attack and why the company took weeks to respond to the threat. The hearing followed a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers — along with 70 million addresses, phone numbers and other pieces of personal information.

“We are asking hard questions about whether we could have taken different actions before the breach was discovered that would’ve resulted in different outcomes,” Chief Financial Officer John Mulligan told the panel this week.

To contact the reporters on this story: Kevin Orland in Chicago at [email protected]; Nick Turner in New York at [email protected]

To contact the editors responsible for this story: Nick Turner at [email protected]; Ben Livesey
