Security Corner


December 5, 2014  9:24 PM

Hospital ID and Your Medical Security

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Compliance, Data, Data Center, Healthcare, id, provisioning, Security

As a security blog writer, my role is to explore the world and then share information, tips, tricks and advice that will help you keep yourself, your data, your company’s data and the organization you work for safe. While I try to stay B2B in nature, today is going into the full realm of B2C, but the lessons shared are applicable across the board.

Screen Shot 2014-12-05 at 4.21.52 PM

Sit down and get ready. Here’s a personal glimpse into the joy that has been my medical life the past eight days. It’s a story of daring and intrigue. It features security gaffes and puking; a two-liter IV, fevers of 103, and a few lessons that everyone should know before sharing information.

It’s not really a gory tale, but I have been ill for more than a week with pneumonia AND the flu. A nice combination to be sure and that’s why you’ve been sitting here clicking refresh and seeing no new weekly article from me. That changes here.

Though I’m still knocked down, I’m writing from a recliner and I’m only doing about ten words a minute instead of my usual 68. And my wit has returned nicely as I’ve started to feel better – a benefit you shouldn’t overlook as I was bitter and sad and really unfunny for the past six days. Let’s get this party started…

What’s your name? That’s right. Easy question, right? Well, it would be if information was handled consistently across all channels. As we all know, that’s not usually the case. Sadly that was also not the case at points this week when I was visiting emergency rooms, talking to insurance companies and getting liters of fluid pumped into my body.

In a wicked twist to an already fun pneumonia and flu episode, it seems that hospitals are one of the few businesses that have changed NOTHING in the way of record keeping since the Twin Towers attack in 2001. While banks now require a passport and your legal name to do any business with them, if the hospital had your name as Jerf Cutler in 2000, that’s how it remains and that’s how you have to remember to share it.

It’s not a big deal, but now everyone – airlines of course, car rental, bowling alley shoe rental – requires your full legal name to do service with them. The hospital stays in the dark ages and keeps their records as is. Unfortunately, I had to go from one facility (as Jeff) to another (as Cutler J) and to the emergency room (where I had to guess which records they were trying to use to treat me). I guess the two lessons here are not to get pneumonia, and to streamline your identity with ALL your medical providers so they have your data under one record.

Are you allowed in? Well, it’s pretty important if you’re sick that you get into a hospital or a doctor’s office. But to be seen you must repeatedly answer your birthdate and your name and sometimes even both. And then there are labs and x-ray rooms where they need to actually see a wristband and scan you in before they poke you or spray you with radiation.

I’m all for that type of security, but the manner with which this inquisition occurs seems to be in place to defray insurance fraud and not actually focus on making me better. Multiple times I drifted off (could have been the fever) and wondered what harm it would do to have someone else get jabbed with a needle or take two liters of hospital salt water (saline) from the system.

Would the cost be monumental? Would the insurance system collapse? Would there be heads rolling? Would the compliance police swarm swarm swarm? Or would JCAHO launch an investigation?

My guess is none of the above. But if I wanted to defraud a medical facility and breach their walls, I’d just have to memorize someone’s name and birthday. The fine nurses who weigh and take my temperature would probably believe me when I lied about who I was once I got behind the mahogany reception area.

Ultimately, I wanted to share my journeys the past week or so to see if the real world operates in the same security-centric bubble that we’re looking at on a daily basis. For an industry that is over-the-top compliant about $$, billing, patient rights and so forth, they seem a little open about security and access. Perhaps the doors must open a little easier to admit treatment than the doors at a credit card data center. But I think all businesses can afford to step back a moment and implement a little tighter protocol when letting people onsite.

What’s your take? Or do you just think the fever has made me delirious and hope I come back to normal next week?

November 30, 2014  2:46 AM

The 15th Golden Rule of computer security

Ken Harthun Ken Harthun Profile: Ken Harthun
Computers, cybersecurity, Security, tips and tricks

14goldenIn 2009, I published 14 Golden Rules of Computer Security as a downloadable eBook. It was quite popular and I have decided to bring it up to date and re-release it sometime next month (December 2014). If you aren’t familiar with those rules, here’s an excerpt from my August 31, 2009 posting (note that these are broad statements and the book goes into much greater detail):

#1: The best security measures are completely useless if you invite attackers into your PCs or networks. 
#2: A first, important step in securing your PC is to install  and configure a NAT router. 
#3: Always change the default username and password of any configurable device you put on your home network. 
#4: Use an un-guessable, or difficult-to-guess password always. 
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature. 
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe. 
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the 
folders or drives where the information is stored and use an un-guessable passphrase as  the encryption key. 
#8: Physical security is  almost as important as data security. Make it as difficult as possible through any 
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind. 
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm. 
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed. 
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar. 
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA. 
#14: If your email address will be visible to the public, obfuscate it.

Now, for the 15th Golden Rule. I have noticed when cleaning off adware and potentially unwanted programs (PUPS) from computers that many of these programs open browser windows (phone home) and try to talk you out of uninstalling their junk or try to scare you into buying it (this usually happens with the junk “cleaner” and “backup” programs). So, here’s the new rule:

Golden Rule #15 – Before cleaning adware and potentially unwanted programs (PUPS) from any computer, disconnect from the internet to prevent the program from phoning home.

The new rule will appear in the new edition of the eBook: 15 Golden Rules of Computer Security which will also be revised to include some additional advice and more detailed information on each of the rules.


November 30, 2014  2:24 AM

‘Tis the season – for identity theft and other fraud

Ken Harthun Ken Harthun Profile: Ken Harthun
cyberscams, Identity theft, Scam emails, Security

holidayscamThe holiday season has begun in earnest and along with that comes a greater-than-normal threat of identity theft and cyber-fraud. While there are always myriad scams going on at any given time, certain types tend to show up more during the holidays. As tax season approaches identity theft and the filing of fraudulent tax returns spikes up. First, here are some common holiday scams to watch out for.

  1. Charity scams - Legitimate charities don’t solicit donations via email, so chances are if you get a solicitation from what appears to be a legit charity, it’s probably a phishing attempt designed to steal your credit card and other personal information. Do not open it — delete immediately.
  2. Shipping notification emails-  I have seen these come from USPS, FedEx, UPS and DHL. They look totally legitimate and if you are ordering things online, you might think they are about your order. They probably are not. They will usually be sent with an attachment and you are directed to open the attachment for information. Don’t do it! According to the FBI, the majority of the links and attachments in these emails are either phishing attempts or malware. Be very alert and read carefully.
  3. Auction scams – Cyberthieves often use stolen credit card numbers to purchase gift cards and then auction them off at a discount in online auction sites. The problem is, the cards are worthless and you will have parted with cold cash or given up credit card information which might then be used by the scammers. Don’t risk it.
  4. Counterfeit merchandise –  Besides being illegal, the quality of the knock-offs is usually poor and you are wasting your money. Counterfeit toys pose a special risk to the safety of your child as they are often made in China and painted with lead-based paints. Buy the real thing and if you absolutely don’t want to pay full price, seek out legitimate discount sales of authentic merchandise.
  5. Letter from Santa scam - You receive an unsolicited (spam) email offering a personalized letter from Santa to your child.  Prices vary, but chances are it’s just a phishing scheme designed to steal your identity. If you want to make a letter to your child from Santa, there are legitimate sites that let you do it free. Here’s one of them: www.freelettersfromsantaclaus.com.

I’ll post more on the identity theft/tax fraud issues as tax season approaches, but for now, here are some tips from the IRS to help you avoid identity theft: http://www.irs.gov/Individuals/Identity-Protection-Tips.

Have a Safe, Happy and Fraud-free Holiday Season!


November 26, 2014  5:13 PM

Video anatomy of a Windows support scam

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

Here is an excellent video by Carey Holzman that shows an actual support scam telephone call. Mr. Holzman toys with the scammer, but you can see how it all develops. I had a client who actually fell for one of these, but when he caught on and refused to pay, the scammer deleted all of his files. Fortunately, I was able to recover them all for him. This is a long video, but well worth watching.


November 23, 2014  7:04 PM

Does cell phone encryption hinder law enforcement?

Ken Harthun Ken Harthun Profile: Ken Harthun
FBI, Mobile encryption, NSA, privacy, Security

encryptionAccording to The Intercept, if you listen to FBI Director James Comey, you would be led to believe that “…cell-phone encryption could lead law enforcement to a ‘very dark place’ where it ‘misses out’ on crucial evidence to nail criminals.” In his recent speech, Comey sites four cases that he says could have been solved if only they were able to decrypt the criminals’ cell phones. The truth is quite a bit different however, as this piece in The Intercept shows:

In the three cases The Intercept was able to examine, cell-phone evidence had nothing to do with the identification or capture of the culprits, and encryption would not remotely have been a factor.

In the most dramatic case that Comey invoked — the death of a 2-year-old Los Angeles girl — not only was cellphone data a non-issue, but records show the girl’s death could actually have been avoided had government agencies involved in overseeing her and her parents acted on the extensive record they already had before them.

In another case, of a Lousiana sex offender who enticed and then killed a 12-year-old boy, the big break had nothing to do with a phone: The murderer left behind his keys and a trail of muddy footprints, and was stopped nearby after his car ran out of gas.

And in the case of a Sacramento hit-and-run that killed a man and his girlfriend’s four dogs, the driver was arrested in a traffic stop because his car was smashed up, and immediately confessed to involvement in the incident.

As a general rule, I don’t trust government agencies (with the possible exception of the FCC, who seems to do a relatively good job of regulating the various modes of communication), especially the FBI, CIA, DHS and NSA. Comey’ stance disturbs me, but I shouldn’t be surprised; most non-technical types — Comey being one of them — are clueless when it comes to technology. Then again, I’m sure he’s an intelligent fellow and realizes that he’s up against a lot of evidence that encryption makes us safer. He’s trying to spin any case he can find, however feeble the connection with encryption, to show that having backdoors into encryption software is essential to the solving of crimes. But it’s just not true.

Bruce Schneier has this to say: “All the FBI talk about “going dark” and losing the ability to solve crimes is absolute bullshit. There is absolutely no evidence, either statistically or even anecdotally, that criminals are going free because of encryption.”

Follow me on Twitter.


November 23, 2014  12:06 AM

Solution: Hacking Skills Challenge – Realistic 1

Ken Harthun Ken Harthun Profile: Ken Harthun
cybersecurity, Hacking, Security

In this post, you were given a challenge to hack a band review site and move your friend’s band, Raging Inferno to the top of the list. Did you figure it out? No? Well, here’s how it’s done.

Follow me on Twitter.


November 21, 2014  5:07 PM

Making Hard (drive) Decisions – Data Security and Storage

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
cloud, Data, IT, Security, Storage

My photos are important to me. We’ve covered that in past columns here on ITKE and I’ll probably talk about it again in the future. To keep these images safe, I’ve employed a set of steps that are logical, unobtrusive and practical. But they’re driving me mad.

Screen Shot 2014-11-21 at 12.05.19 PM

When data storage costs – and let’s be clear that photos and videos are just data, though large chunks of data – are dropping faster than the the temperatures outside, why does it require a Ph.D. to figure out the best solution for storing information.

In fact, why do most people revisit their data storage and security strategy at least quarterly to ensure recoverability, access and affordability? To me, it’s the biggest riddle technologists face. So, let’s dig a little deeper as I share my perspective.

Screen Shot 2014-11-21 at 12.05.09 PM

1 – Pick a plan and stick to it. Technology is changing and online/cloud storage solutions are myriad. But with change comes uncertainty, so don’t change your decisions with the seasons. Pick a strategy for backing up and securing your data and stick with it for a while. Most cloud contracts are a year or so anyhow, so why not look at an 18-24-month review period. If you start to become disenchanted with a provider, then you’ll have ample time to research and move your data to a new location.

This also comes into play if you’re still backing up your information physically. Drive prices are spiraling ever downward. Get a SATA or other RAID solution that works for you and up the size of the drives you use with your servers. Right now a small office can do quite well by getting four or eight 2TB or 4TB drives. If you outgrow this solution, it probably won’t be for at least two years. When that time comes, reevaluate cloud and other physical solutions.

2 – Be dedicated to security. This column is focused on security, so I’d be negligent if I didn’t emphasize how well you should lock down your accounts. So, do it! Change passwords regularly. Use password generators to assist you in creating secure access. Keep your sites locked and make sure browsers don’t auto log you in. Shut down all office machines at night so they’re off the network and disconnected from the Web.

Screen Shot 2014-11-21 at 12.04.58 PM

When it comes to physical devices, rotate – rotate – rotate. Have at least three drives for one set of data. As I type this, I’m waiting for FedEx or UPS to deliver a 2TB drive so I’ll have the recommended three-pronged data storage approach. I currently rotate two drives with photos on them and three drives that back up my complete office system. I keep one drive at a safe-deposit box and the others are secure locations at my home and my office. I plan to expand this approach by carrying a drive with me so I’ll always have a backup available if disaster were to strike.

3 – Relax. I may have served up some great paranoia ingredients here, but once you’ve done all you can to secure your stuff, focus on other stuff. Go take great photos. Go do great work. Go serve your clients. With a comprehensive and secure data backup system in place, you can concentrate on running your business. Treat your data as one more component to your enterprise. If you’re convinced it’s secure, then go make money and revisit your strategy every so often.

It’s akin to any other business strategy you have in place. Pick the right solution and then move on to the actions that make you successful.

How do you secure your data? How much do you worry about data security after you’ve picked a solution?

Talk to you next week!


November 10, 2014  4:09 PM

Your Online Self and Your Real Identity – Security Strategy 101

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, Internet, IT, Security, Web

Can people find you?

I’m still listed in many online repositories with a beeper number I had in college. Yes, I had a beeper in college because I couldn’t afford a cell phone and I was a bike messenger. But both those intriguing tidbits are better saved for another column. Today, I want to discuss clearing your personal cache as you move through life.

_MG_2730

Unless you live with your parents and have them take messages for you on the land line, you’ve probably got some semblance of a digital footprint. With that footprint comes trackability, the danger of breaches, loss of privacy, and even the possibility of identity theft. It’s the world we live in and things aren’t likely to change.

The one thing that can change is how you operate within these parameters. That’s dictated by how much info you share online, what you share with companies, if you use credit cards and generally how relaxed you are about your data.

Lots of people realize that cleaning up your credit and your digital footprint can be time-consuming and labor-intensive. In some arenas it can even cost a bit of cash. Let’s look at digital triage from another angle. If all the info about you online is accurate – then it’s probably pretty easy for anyone to misrepresent themselves as you. Follow me?

_MG_2692

If your online self lists your address, current phone numbers, email addresses, names of your lovers and children, and even the types of pets you own…then you’re in a sticky situation. That’s a bucket of info that anyone can use to spoof people and breach your defenses. Even steal your identity. Where it becomes more difficult is if you leave your path alone and don’t clean up after yourself.

This might be counter to what your parents suggested during your formative years, but if you leave your digital path littered with misinformation and red herrings, then you’ll easily be able to identify when people are trying to phish you, scam you, steal your data and generally make themselves a thorn in your side.

Using my life as an example, there are multiple sites that still list me as working at a job I left a decade ago. There are people-finder services that have that old beeper number as my phone number. There are even credit services that have my college major as something different from my eventual degree. Better than thinking up crazy answers to two-step authentication quizzes, I can just use some of my real info that can’t be found anywhere online.

We’ve heard about celebrities who have had their online accounts hacked and photos stolen (see my column from a few weeks ago). You think that was because the actresses were so skilled at keeping their info private? Hardly. They were bad at choosing passwords, they used common-knowledge facts that any fan might know, and they didn’t employ basic security techniques.

Is there something about you online that is blatantly incorrect? As long as it’s not hurting your chances for advancement at work or is damaging your reputation, let it be. Maybe the ‘fact’ you still work at an ice cream truck in the summer will come in handy the next time a Nigerian relative calls to ask if you’d like to adopt them and share in their inheritance.

What little facts are wrong about you online, and how anxious or angry does it make you? Is it worth the hassle to correct that stuff and possibly open yourself up to an attack on your privacy?

Let me know in the comments. I love sharing these deep discussion topics on a Monday. Look for something less brain-wrenching later this week. Maybe even a video interview with a security pro. Until then, be safe!


November 10, 2014  2:03 PM

The Home Depot stolen emails are already spawning scams

Ken Harthun Ken Harthun Profile: Ken Harthun
Inheritance, Scam emails, Security

And so it begins.

Here’s a link to a WCNC (Charlotte, NC) news story about how scammers are using the emails from the Home Depot breach in an inheritance scam:

http://www.wcnc.com/story/money/consumer/2014/11/07/information-stolen-in-home-depot-data-breach-spawns-scam/18667689/

The scammers send an email mentioning that you have money coming from a deceased relative. If you fall for it and call them as they ask, they’ll exchange information back and forth with you to build your confidence. At some point, they want you to give them your bank account information over the phone so they can send you the money, less their fee for helping you. Once they have your information, of course, they will drain your bank account.

NEVER give anyone your bank account information over the phone. If you have been a victim of this scam and have given them the information, immediately call your bank and report it. Then, set up fraud alerts and credit monitoring on all your credit cards.

According to the Better Business Bureau, this scam is going on nationwide, not just in Charlotte, NC.

If you get such an email, immediately report it to your State Attorney General Consumer Protection Division. Please do not fall for it!


November 10, 2014  12:45 AM

Home Depot announces 53 million email addresses stolen

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

According to CNET: “An investigation of what may be the world’s largest credit card breach reveals hackers didn’t just grab 56 million credit card numbers — they stole tens of millions of email addresses, too.”

Both my wife’s and mine are among them. My wife got this email on Friday and I got it yesterday:

Notice to our customers from The Home Depot

Dear Valued Customer,

The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.

In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.

Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.

Sincerely,

The Home Depot


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: