Tuesday, January 10, 2017

You might think this would have occurred years ago, but then you realize it is a government bureaucracy trying to do something for the first time.
OCR has announced a settlement involving a breach that I never even reported on this site at the time and that doesn’t appear to have been in the news at the time.  A quick look at HHS’s “Wall of Shame” shows two entries for the incident at issue: one entry says it was reported on January 31, 2014 as “Loss – Paper/Films.”  The second entry says it was reported on April 4, 2014 as “Other – Paper/Films.”  Let’s see what the press release from OCR says: 
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement based on the untimely reporting of a breach of unsecured protected health information (PHI).  Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.  
With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.
On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.  OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.
So they were late by more than one month.  The press release doesn’t indicate how late they were, but the Resolution Agreement notes that notifications to individuals did not occur until February 3, 2014 (104 days post-discovery), notification to media outlets did not occur until February 5, and notification to HHS did not occur until January 31.
The Resolution Agreement also indicates that Presence explained its delay as being due to a “miscommunication between workers.”  But in investigating Presence, OCR had also uncovered other breaches in which notification had not been timely made.  As a result, the corrective action plan requires revision of policies and procedures for receiving and addressing reports of breaches from both internal sources and external parties.
As a tease to readers:
In the near future, Protenus will be releasing its report on 2016 health data breaches.  Their analyses include some data on the gap between breach, discovery, and reporting, and how many entities actually comply with the 60-days-from-discovery timeline.  Their analyses, in light of today’s resolution agreement, should make for some interesting conversations – and sweating – in C-Suites.

Assumptions galore.  What does the Board of Directors know about their vulnerability?  How often should you backup a database? 
The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000 in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation:
still shocked that yall shocked and fussing about the mongodb ransom spike.
@Cyber_War_News And it's not the ransom that's my main concern. It's databases getting wiped...
@PogoWasRight well we all know 95% are dev and waste databases, others are most likely backed up, i see no major issue really
In light of the above, I thought I’d highlight what we can learn from the MongoDB ransacking sheet created by Victor Gevers and Niall Merrigan.  They’ve added a sheet about the victims they’ve provided assistance to.  For the first 118 victim entries, consider the following:
· Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
· 7 reported paying the ransom; none of those had gotten their data back.
· 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.”  The remaining were coded as “unknown,” left blank, or had other designations.
Maybe the first 118 cases are an atypical sample of the more than 27,000 that have been hit, but also consider this:
For the 40+ U.S. entries in the sheet, the production databases included:
· a travel organization that issued tickets and stored search and customer data in the database;
· an online advertising firm that stored online ads tracking data;
· a school that stored a student database;
· an Internet app (Social Media) that stored user data;
· a Consumer Services organization that stored customer data;
· an Online Media entity that stored customer data;
· an Online Service (Webshop) that stored orders and customer data; and
· an Online Service (Financial) that stored transaction logs.
Many other U.S. entries were noted as “production” without more specific information entered yet.
And of course, the problem is not confined to U.S. databases.  A French healthcare research entity had its database with cancer research data wiped out.  They reported no recent backup.  And an online financial service in Argentina also had its production database wiped out; that one contained payroll data.  They, too, had no recent backup.
So should we be concerned about these attacks?  I think we should.
But in light of the fact that this is not a new problem, will the Federal Trade Commission consider any enforcement actions against some entities for not using “reasonable security” to protect personally identifiable information?  Could the FTC argue that even if they haven’t specifically provided any guidance on MongoDB or other NoSQL databases, the information was out there and entities or their third-party vendors should have known by now?
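The “misconfigured MongoDB installations” behind these wipes were, in the main, instances listening on every network interface with authorization switched off, so that anyone who could reach port 27017 could drop the collections.  As an added illustration (this is not code from the post, from the ransacking sheet, or from MongoDB), the Python below audits a mongod.conf for exactly those two settings and shows a weak configuration beside a corrected one.  The configs are constructed samples; the parser is an assumption that handles only the plain two-level “section: / key: value” layout used here, not full YAML.

```python
# Added example: audit a mongod.conf for the two settings behind the 2017
# "open MongoDB" wipes -- listening on all interfaces and no authorization.
# Assumption: the config uses the simple two-level "section:\n  key: value"
# layout shown in the samples below; this is not a general YAML parser.


def parse_simple_yaml(text):
    """Parse 'section:\\n  key: value' lines into {section: {key: value}}."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section header
            section = line.rstrip(":").strip()
            config.setdefault(section, {})
        elif section is not None and ":" in line: # indented key: value
            key, value = line.strip().split(":", 1)
            config[section][key.strip()] = value.strip().strip("\"'")
    return config


def audit_mongod_conf(text):
    """Return a list of finding strings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    findings = []

    bind_ip = cfg.get("net", {}).get("bindIp")
    if bind_ip is None:
        # Pre-3.6 mongod binaries listened on all interfaces unless told otherwise.
        findings.append("net.bindIp not set: older mongod releases listened on "
                        "all interfaces by default")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp includes a wildcard address: mongod is "
                            "reachable on every interface")

    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can connect can read, drop and replace collections")
    return findings


# Constructed sample: the shape of config behind the wiped instances.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: local-only listener with authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the two samples, the weak config yields two findings and the hardened one none.  Binding to a loopback or private address and requiring authorization are the minimum; the backup figures in the sheet above are the reminder that neither replaces a tested restore.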

For my Ethical Hacking students.  Why didn’t you find these keys first?  (Is this the only place you should look?)
"Truffle Hog" Tool Detects Secret Key Leaks on GitHub
A free and open source tool called “Truffle Hog” can help developers check if they have accidentally leaked any secret keys through the projects they publish on GitHub.
Truffle Hog is a Python tool designed to search repositories, including the entire commit history and branches, for high-entropy strings that could represent secrets, such as AWS secret keys.
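The core of that approach is a Shannon-entropy test: a run of base64 or hex characters whose symbols are spread almost uniformly looks like key material, while ordinary identifiers and URLs do not.  The Python below is an added example, not Truffle Hog’s own code, of that entropy check run over a constructed diff; it does not walk git history, and the thresholds and minimum length are assumptions chosen for the example rather than the tool’s defaults.

```python
# Added example: truffleHog-style high-entropy string detection over text.
# Thresholds, minimum run length and the sample diff are assumptions
# constructed for this example, not values taken from the tool.
import math
import re

BASE64_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789+/=")
HEX_CHARS = "1234567890abcdefABCDEF"

BASE64_THRESHOLD = 4.5   # bits per symbol; assumed threshold
HEX_THRESHOLD = 3.0      # bits per symbol; assumed threshold
MIN_LEN = 20             # shorter runs are ignored


def shannon_entropy(data, charset):
    """Shannon entropy (bits per symbol) of `data`, counting symbols from `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_runs(text, charset, min_len=MIN_LEN):
    """Return maximal runs of `charset` characters at least `min_len` long."""
    pattern = "[" + re.escape(charset) + "]{" + str(min_len) + ",}"
    return re.findall(pattern, text)


def find_high_entropy_strings(text):
    """Return [(line_number, string, entropy)] for suspicious runs in `text`."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for word in line.split():
            checks = ((BASE64_CHARS, BASE64_THRESHOLD), (HEX_CHARS, HEX_THRESHOLD))
            for charset, threshold in checks:
                for run in candidate_runs(word, charset):
                    ent = shannon_entropy(run, charset)
                    if ent > threshold and (lineno, run) not in seen:
                        seen.add((lineno, run))
                        findings.append((lineno, run, round(ent, 2)))
    return findings


# Constructed sample diff: one fake base64-looking key, one fake hex token,
# and two lines that a naive "long string" rule would wrongly flag.
SAMPLE_DIFF = """\
+AWS_SECRET_ACCESS_KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/ab"
+DB_URL = "https://example.com/api/v1/users"
+helper = SomeVeryLongIdentifierNameForTesting
+api_token = "0123456789abcdef0123456789abcdef01234567"
"""

if __name__ == "__main__":
    for lineno, run, ent in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {lineno}: entropy {ent} -> {run}")
```

Only lines 1 and 4 of the sample are reported: the 36-character identifier on line 3 has an entropy of roughly 4.0 bits per symbol, below the base64 threshold, which is why entropy rather than length is the discriminator.  Entropy alone still produces false positives on hashes and encoded blobs, so the usual practice is to pair it with pattern rules for known key formats and to review every hit.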

Something for our Computer Forensics students.
A data breach investigation blow-by-blow
Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source.

Won’t this get the lawyer a visit from the “Obfuscation is good” committee?
Amy B. Wang reports:
“‘Terms and conditions’ is one of the first things you agree to when you come upon a site,” Jenny Afia, a privacy lawyer and partner at Schillings law firm in London, told The Washington Post.  “But of course no one reads them.  I mean, most adults don’t read them.”
Afia was a member of a “Growing Up Digital” task force group convened by the Children’s Commissioner for England to study internet use among teens and the concerns children might face as they grow up in the digital age.
The group found more than a third of internet users are younger than 18, with 12- to 15-year-olds spending more than 20 hours a week online.
Most of those children have no idea what their privacy rights are, despite all of them agreeing to terms and conditions before starting their social media accounts, Afia said.  The task force, which included experts from the public and private sector, worked for a year and released its report Wednesday.
Read more on The Denver Post.  I love how the task force translated the legalese into short, comprehensible English for kids and teens.  We need more of that!

Falsifying data for job security?  Sounds like their ‘one size fits all’ process for eliminating books needs a revision.  Since this impacts funding, it’s fraud.
To save books, librarians create fake 'reader' to check out titles
Chuck Finley appears to be a voracious reader, having checked out 2,361 books at the East Lake County Library in a nine-month period this year.
But Finley didn't read a single one of the books, ranging from "Cannery Row" by John Steinbeck to a kids' book called "Why Do My Ears Pop?" by Ann Fullick.  That's because Finley isn't real.
The fictional character was concocted by two employees at the library, complete with a false address and driver's license number.
The goal behind the creation of "Chuck Finley" was to make sure certain books stayed on the shelves — books that aren't used for a long period can be discarded and removed from the library system.

Interesting, but I would never do this in isolation.  It is very difficult to pull intelligence targeting one location.  Better to see what could happen anywhere and figure out how to deal with it at your airport.  Reads more like a plan to keep celebrities safe from ‘the little people.’
Inside LAX's New Anti-Terrorism Intelligence Unit

I’m trying to ensure that my students use all the data they can find.
UK – There is no shortage of open data – Is anyone using it?
by Sabrina I. Pacifici on Jan 9, 2017
ComputerWeekly.com: “The UK government’s data portal, data.gov.uk, currently shows 36,552 published datasets available, but how usable are they, and is anyone actually downloading them?…  There are examples of data being linked in useful ways.  In several, but by no means all, cities in the UK and Europe, Citymapper draws on open datasets, including mapping data and public transport timetables, to show people where they are and what their options are for getting where they want to go.  To do this, the data should, first and foremost, be available and up to date.  It should also be in machine-readable format.  Bus timetables in PDF form are not much fun for human beings – and they are almost useless for navigation apps.  Citymapper is often cited as an open data success story, but is comparatively rare.  A counter example was raised at the summit by a question concerning threesixtygiving.org.  On its website, threesixtygiving says it “supports organisations to publish their grants data in an open, standardised way and helps people to understand and use the data in order to support decision-making and learning across the charitable giving sector”.  But a questioner from the floor pointed out that UK government data on grants is not currently open…”

Because I read a lot! 
You’d be surprised how many ebooks you can get without paying a cent, and that applies to both fiction and non-fiction.  Where can you find these free ebooks?  Well, we’re glad you asked…

I have some students who live for comic book movies.
Comic Book and Sci-fi Movies 2017: listed and ranked with trailers
The following list is ranked in order of how epic I feel each film in the greater 2017 collection will be.  For me, “epic” doesn’t necessarily mean “award-winning” or even “good for most viewers.”  In this market of sequels and chapter-cut releases, EPIC mostly means “if you liked what came before, you’re going to love this.”
