Another good “bad example” to share with my
Computer Security students. Consider how this could go undetected
for so long.
The breach in question may have begun in
January, 2012, years before OH Muhlenberg acquired Muhlenberg
Community Hospital, but it
potentially impacted all patients, all payment guarantors, employees
and some credentialed providers after that date
and before OH Muhlenberg learned of the breach and contained it.
This incident does not yet appear on HHS’s public breach tool, so
the number potentially impacted is not known as of the time of this
posting.
OH Muhlenberg, LLC issued the following press
release today:
[ … ]
OH Muhlenberg, LLC acquired the Muhlenberg
Community Hospital operations on July 1, 2015. Prior
to that time, the hospital had been owned and operated by Muhlenberg
Community Hospital since 1938. As part of the acquisition, OH
Muhlenberg, LLC acquired substantially all of the assets of the
hospital in Muhlenberg, including its computer systems, patient
records and other records.
On September 16, 2015, the Federal Bureau of
Investigation (FBI) notified the hospital of suspicious network
activity involving third parties. Upon learning this information,
the hospital took immediate action, including initiating an internal
investigation and engaging a leading digital forensics and security
firm to investigate this matter. Based upon this review, the
hospital confirmed that a limited number of computers
were infected with a keystroke logger designed to capture and
transmit data as it was entered onto the affected computers.
The infection may have started as early as January 2012.
… Upon learning of the incident, the hospital
took prompt steps to address and contain it, including immediately
blocking the external unauthorized IP addresses, taking steps to
disable the malware and continuing to enhance the security of its
systems moving forward.
The
affected computers were used to enter patient financial data and
health information, information about persons responsible
for a patient’s bill and employee/contractor data, including
potentially name, address, telephone number(s), birthdate, Social
Security number, driver’s license/state identification number,
medical and health plan information (such as health insurance number,
medical record number, diagnoses and treatment information, and
payment information), financial account number, payment card
information (such as primary account number and expiration date) and
employment-related information. [ … ]
Bad for my Computer Security students, good for my
Computer Forensics students.
Lucian Constantin reports:
Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.
Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.
Read more on PCWorld.
For my Computer Security students. This is not
for amateurs. Consider the downside of attacking state-sponsored
hackers.
Hacking
Back: Industry Reactions to Offensive Security Research
… A
good example of researchers “hacking
back” is detailed in a report
published this week by security firm Check Point. The company hacked
into the phishing and C&C servers of the Iran-linked group dubbed
Rocket Kitten (aka Newscaster), which led to the identification of
victims and even an individual suspected of being the main developer.
[The report: The complete report, titled “Rocket Kitten: A Campaign with 9 Lives” is available for download in PDF format.]
Perhaps the FTC won't be leading the way to secure
data, at least until they figure out what that means. Who made the
decision to go after LabMD?
In a data security enforcement action that some
have characterized as a modern version of David vs. Goliath, David
won today, and the FTC lost. It was an enforcement action that the
FTC never should have commenced, as I’ve argued repeatedly, and
today’s loss may actually make future enforcement actions more
difficult for them as the standard for demonstrating likelihood of
substantial injury has now been addressed in this ruling.
Background
LabMD was a cancer detection laboratory whose
security practices were designed to comply with HIPAA’s standards.
The FTC opened an investigation into their data security practices
after an employee violated their policies and downloaded P2P software
that wound up exposing some patient information on the file-sharing
network.
For that mistake – which wasn’t even a
reportable breach under HIPAA back in 2008 – the FTC came down like
a ton of bricks on them. In 2013, after LabMD steadfastly refused to
sign a consent order, the FTC filed a complaint that included many of
its now-common complaints about what constitutes “unreasonable”
data security practices that put consumers at risk of substantial
injury.
But the FTC’s case relied primarily on evidence
by a third party, Tiversa, Inc., who had testified to Congress and to
the FTC that a LabMD file with patient information had been exposed on a
file-sharing network and had been downloaded by others. That
testimony turned out not
to be credible.
But the FTC had taken Tiversa’s testimony and
asked some experts to assess the risk of substantial harm to
consumers. The experts, however, were told to assume that the breach
had occurred. As it turned out, the data had not been downloaded by
anyone other than Tiversa. In time, the FTC informed the
administrative law judge hearing the complaint that they would not
rely on Tiversa’s original testimony nor on their expert witnesses’
statements. Instead, they argued that LabMD’s “unreasonable”
data security had put consumers at risk of substantial injury –
even though there was no evidence that the data had ever been shared
or that even one consumer had been harmed.
By then, LabMD had closed its doors to new
testing, crushed under the weight and expense of fighting the FTC.
[Will they ever recover any
of that? Probably as likely as the FTC apologizing... Bob]
Today, Administrative Law Judge Michael Chappell
issued his ruling in FTC v. LabMD. It is a somewhat
startling ruling for its veiled criticisms of the FTC commissioners’
actions.
On the main issues, though, Judge Chappell
summarizes his ruling:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
[…]
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
I’ve uploaded the entire ruling here
(pdf), and I’m sure there will be more discussion and analysis
later, but this is just so stunning that I wanted to get the news out
immediately.
What is “notification” today? Do we need to
use every possible means? Is there a hierarchy?
I’m not sure that posting a breach notification
on a Facebook page is sufficient when you also have a web site where
you could post the announcement. Assuming
everyone is on Facebook is risky.
Case in point: Common
Market in Union, Maine, posted this on their Facebook
page on October 30.
ATTENTION COMMON MARKET CUSTOMERS
We recently learned that there has been a breach of Debit and Credit Card data in our area. The Common Market was one of the stores compromised. Please keep a close eye on your Debit and/or Credit Card transactions for the last couple of months (from August 12 to October 26) for any suspicious activities or charges that you do not recognize. Contact your bank immediately if you see any suspicious activity.
We have been in close contact with our Debit/Credit card processor and they have taken steps to make sure our system is now secure.
We sincerely apologize for any inconvenience this has caused.
That FB post shows up in a scrolling feed on their
web site, but if someone didn’t happen to check the site before it
scrolled down, they might miss it.
While I commend Common Market for their
transparency in notifying their customers, I would encourage ALL
entities to post such disclosures on the home page of their web sites
or prominently linked from the home page of their web sites.
Should become the basis for many interesting
scenarios. If I understand the process, the terrorist in Paris could
have sent messages to thousands of innocent people telling them to
“begin the attack.” If that message went out at 3AM for example,
most of the recipients would never have seen it and would be very
surprised when the SWAT teams blew their front door down.
Soon, You
Could Receive a Facebook Message That Disappears Before You Read It
Facebook is testing a new feature on Facebook
Messenger in France that allows users to create messages that
self-destruct an hour after they're sent. (Yes, you read that right:
they disappear an hour after they're sent, not read.)
It's the first time a disappearing messaging
feature has been available on the platform, and it's a clear
indication that the company will continue to compete with Snapchat,
the app that brought disappearing messages to the forefront.
(Facebook tried, unsuccessfully, to acquire the company in 2013.)
… This latest attempt is different, primarily
because it adds ephemerality as a feature to an existing app instead
of requiring users to download a new one. But in practical terms, it
seems pretty messy. Say you send someone an ephemeral message
through Facebook Messenger, but they don't see it for a few hours.
Does this mean your message will self-destruct before it's ever
opened?
Apparently, yes.
For my student who asked me this week (the 6th
week of the quarter) “What textbook?”
Search Any
Book With Google – It’s Finally Legal!
… Google Books Library Project makes the
complete text from all books searchable. When you search
for a keyword or phrase in a book, the Search Engine Results Page
(SERP) returns basic bibliographic information about the book and
relevant snippets of context around the keywords.
If a
book is out of copyright you can read and download the whole book.
Sometimes publishers even give permission for their books (or
portions of them) to be available on Google Books – including
popular ones.
… This ruling is popular among fans of Google
Books, but the implications reach farther than that. Non-profits,
libraries, and software developers today have a much greater
understanding of how Fair Use can protect them, and that’s great
news. As Dan
Cohen wrote in The Atlantic, this ruling could lead to all sorts
of innovations:
Because many institutions want to avoid legal and financial risk, many possible uses that the courts would find fair — including a number of non-commercial, educational uses — are simply never attempted. A clearer fair-use principle, with stronger support from the courts, will make libraries and similar organizations more confident about pursuing forms of broader digital access.
So I make that (80.7 / 2,800 = 0.0288) a 2.88%
return. Of course they could raise tolls every year.
Canadian
consortium buys Chicago Skyway lease rights for $2.8 billion
A decade after investors gave the city more than
$1.8 billion to lease the Chicago Skyway for 99 years, the rights to
run the privatized highway and collect tolls have been sold for $1
billion more than the original price.
… The Skyway company reported collecting
nearly $80.7 million in revenue from tolls last year, a slight
increase from 2013.
Perspective. The only generation where the
majority have posted selfies are the Millennials. Infographic.
The Selfie
Habits Across Different Generations
For my students interested in Big Data.
9 Useful
Open Source Big Data Tools
… Why are so many Big Data projects open
source? There's no definitive answer, but most likely it's related
to the fact that Hadoop is the project that got the Big Data
bandwagon rolling. Since Hadoop is open source, many folks who work
with it are active in the open source community. That means the
tools they develop are also likely to be open source.
Interesting, but I probably will still ignore
PowerPoint.
Microsoft
announces two brilliant PowerPoint 2016 design tools
First, a new Designer feature is a bit like a
real-time template. You can create all of your slides the way you
normally do, with a template or without. You lay out the images and
text, get everything in the order you want, and even create all of
the timings and transitions. Then, you pick the Designer tool. As
Maloney explained, it’s like taking your slides and giving them a
graphic designer who knows how to improve them even more and wow an
audience. [I like it!
Facts first, then pretty. Bob]
… Another interesting aspect to the Designer
is that the processing for the suggestions occurs in Microsoft
Azure in the cloud, and this feature knows which designs most
users pick. If no one is picking the one with the art gallery
look, it won’t keep showing up. It’s the power of the crowd
instilled in the app. [I
hate it! Looking for the lowest common denominator? Bob]
… Another new feature called Morph ... lets
you create animations without having to know anything about how
animation works. You create some art, move it around, and Morph
watches what you are doing and builds the animation. [Distracting.
Bob]
I can't believe so much happens every week!
Hack
Education Weekly News
… Via
the LA School Report: “A year later, secrecy surrounds FBI
probe of LAUSD's iPad program.”
… The University of Illinois has paid $875,000
to settle Steven Salaita’s lawsuit, resulting from the school’s
decision to fire Salaita based on comments he made on Twitter about
Palestine.
… “The Starbucks Corporation this week
announced that it will offer a tuition-free education to a spouse or
child of its employees who are veterans or active-duty members of the
U.S. military,” Inside
Higher Ed reports. (That is, tuition-free education at ASU
Online as part of Starbucks’ existing deal with the school.)
… “Math
tutoring service in the form of a phone sex hotline.”
Stay classy, ed-tech. [Does
it work? Bob]
… “Schools Can’t Stop Kids From Sexting.
More Technology Can,”
Jonathan
Zimmerman argues
in a NYT op-ed. Moar technology!
Perspective. I hadn't thought of that, but she
might be on to something here.
How The
Old Farmer’s Almanac
Previewed the Information Age
… It must have seemed, to the people of
1792, when The Farmer’s Almanac was founded, something
like what a smartphone is to people today: a handheld, portable
device that contained information about all manner of things—health
advice, weather predictions, jokes, recipes, charts detailing the
times of sunrises and sunsets, and other “new, useful, and
entertaining” tidbits, as the cover promised.