Health Data: A Growing Challenge

November 30, 2018

While the world wrings its hands over the idea of social media sharing their data and having security breaches, a much larger problem lurks in the shadows. We are talking about the absurdly high number of health care data breaches, which contain far more sensitive data. We learned more from a recent Healthcare Analytics News story, “Yes, Healthcare’s Data Breach Really Is That Bad.”

According to the story:

“Healthcare providers were hit the hardest, reporting 1,503 data breaches compromising 37.1 million records during the period in question. The number of incidents made up 70 percent of all data breaches included in the tally. But health plans, which reported 278 data breaches, reported 110.4 million exposed records, or 63 percent of the pie, according to the findings.”

Why are criminals doing all this? It’s not just to set up a new credit card in your name. According to Forbes, this recent rash of theft is tied to fraudulent medication and even procedures being acquired, as well as receiving Medicare and Medicaid benefits.

News about the data breach at Atrium Health billing lost data for an estimate 2.65 million patients.

More challenges to come we fear.

Patrick Roland, November 30, 2018

Dongles, Security, and Keys: A New but Familiar Tune

November 22, 2018

Part of Google’s new product lineup is the Titan Security Key, selling for only $50. The Hacker News shares more information on the Titan Security Key in the article, “Google ‘Titan Security Key’ Is Now On Sale For $50.” Google first announced the security key at the Google Cloud Next 2018 convention.

The Titan Security Key is similar to Yubico’s YubiKey. It offers hardware-based two factor authentication for online accounts with the highest level of protection from phishing. The full kit offers a USB security key, Bluetooth security key, USB-C to USB-A adapter, and USB-C to USB-A connecting cable. The Titan Security Key is based on the FIDO (Fast IDentity Online) Alliance, U2F protocol and uses Google developed secure element and firmware. It adds another security level on top of passwords, an idea similar to the Tor browser. It is compliant with many popular browsers, email services, social media, and cloud services.

As more aspects of people’s lives migrate online, security is more important than ever. Tools like the Titan Security Key provide an extra level of security at a nominal price:

“According to Google, the FIDO-compatible hardware-based security keys are thought to be more safe and efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than other 2FA methods requiring SMS, for example. This is because even if an attacker manages to compromise your online account credentials, log into your account is impossible without the physical key. Last month, Google said it started requiring its 85,000 employees to use Titan Security Keys internally for months last year, and the company said since then none of them had fallen victim to any phishing attack.”

The Google Titan Security Key appears to be a simple and cheap way to ensure more security for individuals. One of the problems people face with online security is the lack of understanding, cost, and finding an effective product. Google appears to have created a great solution, but the one problem is that China made the Titan Security Key. China has all the schematics for the device and China is a hotbed for phishing attacks.

Microsoft, another me too outfit, has jumped on the bandwagon for dongles. Microsoft now offers native FIDO key login for Windows 10. What about losing a dongle?

Back to square one?

Whitney Grace, November 22, 2018

Microsoft: Nibbling at Crime Fighting

November 20, 2018

Every year cyber crime is one the rise and digital security experts are always trying to stay one click ahead of their assailants. Microsoft is not the world’s leading expert in cyber security, but the company is investing in it. Fortune’s article, “Microsoft Pours Millions Into Startup That Nails Cybercriminals” explains more about the investment.

Microsoft invested $6.2 million in Hyas, a startup that specializes in identifying and taking down cybercriminals. Hyas’s CEO described his company’s mission as tracking down bad actors to their exact location so law enforcement can arrest them.

“In 2014, Davis founded Hyas, his third startup, out of his basement on Vancouver Island, Canada. The firm sells subscriptions to digital forensics software—called “Comox” after a town in the company’s home region of British Columbia—that helps security analysts investigate breaches.

We noted this statement:

‘Hyas is going beyond threat detection and providing the attribution tools required to actually identify and prosecute cybercriminals,’ said Matthew Goldstein, a partner at Microsoft’s M12, in a statement. He said that Hyas’s tech ‘will help take bad actors off the Internet, and lead to an overall decrease in cybercrime globally.’”

Hyas works based on its relationships with infrastructure providers and combining the insights it receives from the infrastructure providers with malware analysis, threat intelligence, and mobile data. Davis plans to use Microsoft’s investment to increase its new products and offer Hyas services to a more diverse clientele.

Whitney Grace, November 20, 2018

Google: A New Challenge from Code Piracy?

November 5, 2018

With Google charging for its Android apps and services, one question is, “Will Google’s software be pirated?” The question seems as if it comes from the early days of MS DOS and software piracy of floppy discs.

Google has spent much of its two-decade life in the crosshairs of some enemy or another. Whether it was from rival search engines, advertisers, or other media. However, a new battle recently used their own fire in the fight. We learned more from a CNBC story, “Chinese Firm Touting ‘Innovative’ Software Used Parts of Google Code.”

According to the story:

“Redcore, a Chinese start-up said it has developed “core technology” with “independent intellectual property rights” in regards to its browser. “But eagle-eyed users on Chinese social media spotted traces of Chrome in the installation directory of Redcore’s browser. There was a file in the directory called “Chrome.exe” and some image files of Google’s browser.”

This is not the only time Google has had to battle off theft issues with its software. However, more often than not, it’s people using Google for theft. Such as how they only recently found a way to detect and stop people using Chrome to steal wi-fi network information. The online ad giant seems to be aware of the target on its back and the archers taking aim.

Security lapses, pirated code, and interesting management decisions—worth watching the Google.

Patrick Roland, November 5, 2018

Facebook: Interesting Real News Filtering

September 29, 2018

Here in Harrod’s Creek, it is difficult to determine what is accurate and what is not. For example, allegedly a university president fiddled his pay. Then we had rumors of a novel way to recruit basketball players. News about these events were filtered because, hey, basketball is a big deal along with interesting real estate deals in River City.

We read “Facebook Users Unable to Post Story about Huge Facebook Hack on Facebook.” A real news outfit in London noticed that stories about Facebook’s most recent security lapse were not appearing on Facebook.

Another real news outfit reported that some Facebook users saw this message:

“Action Blocked: Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam. Please try a different post.”

Facebook fans suggested that Facebook was not blocking a story which might put Facebook in a bad light.

Here in rural Kentucky we know that no Silicon Valley company would filter news about its own security problems.

Facebook is a fine outfit. Obviously the news about the security lapse was fake; otherwise, why would the information be blocked?

Just a misunderstanding which the 50 million plus people affected are certain to understand. What’s the big deal with regaining access to one’s account?

The Facebook service is free and just wonderful. Really wonderful.

Stephen E Arnold, September 29, 2018

A New Cyber Angle: Differential Traceability

August 20, 2018

Let’s start the week with a bit of jargon: differential traceability.”

How do you separate the bad eggs from the good online? It’s a question we’ve all been wracking our brains to solve ever since the first email was sent. However, the stakes have grown incredibly higher since those innocent days. Recently, some very bright minds have begun digging deeply into the idea of traceability as a way to track down internet offenders and it’s gaining traction, as we discovered from a Communications of the ACM editorial entitled: “Traceability.”

According to the story, it all comes down to differential traceability:

“The ability to trace bad actors to bring them to justice seems to me an important goal in a civilized society. The tension with privacy protection leads to the idea that only under appropriate conditions can privacy be violated. By way of example, consider license plates on cars. They are usually arbitrary identifiers and special authority is needed to match them with the car owners.”

Giving everyone a tag, much like a car, for Internet traffic is an interesting idea. However, much like real license plates, the only ones who will follow the rules will be the ones who aren’t trying to break them.

This phrase meshes nicely with Australia’s proposed legislation to attach fines to specific requests for companies to work around encryption. Cooperate and there is no fine. Fail to cooperate, the company could be fined millions per incident.

Differential? A new concept.

Patrick Roland, August 20, 2018

Amazon Clarification on Network Switches

July 19, 2018

I read an exclusive on Marketwatch. (I did not know it was “real” journalism.) The story is “Exclusive: Amazon Denies It Will Challenge Cisco with Switch Sales.” The story’s main point struck me as: Inc.’s top cloud-computing executive has officially denied that Amazon Web Services plans to start selling network switches to other businesses, after a report last week claiming that move was in the works damaged stocks of Cisco Systems Inc. and other major networking companies.

I think I understand.

Amazon may be building switches with Amazon Web Services and maybe its streaming data marketplace baked in. But these switches will not be old to “other businesses.”

Such a switch would add some functionality to Amazon’s own infrastructure. I wonder if these switches, assuming they exist, would add some beef to Amazon’s government client activities. For example, some lawful intercept activities take place at network tiers where there are some quite versatile switches.

The write up adds:

Amazon would not comment on whether it is creating its own networking equipment, just that it did not plan to sell such equipment to other businesses.

If Amazon wins more US government cloud and AWS centric work, certification of these devices eliminates possible questions about backdoors or phone home functions in gear sourced from other companies.

To sum up, Amazon does not deny it is building switches (whatever that term includes).

Worth watching in the context of the on going dust up between Oracle’s data marketplace and Amazon’s designs on building a new source of revenue with its marketplace innovations.

Stephen E Arnold, July 19, 2018

Unlocking iPhones: Cat and Mouse Continues

June 25, 2018

In a recent DarkCyber, referenced companies that specialize in unlocking iPhones for law enforcement. Apple responded by suggesting that it would alter the functionality of its lightning USB connector to provide greater user privacy.

At the security conference in Winston Salem, North Carolina, last week, I heard some talk about the issues that the Apple versus law enforcement cat and mouse game would create. (I gave two talks available to the 160 conference attendees. No boos and not thrown tomatoes.)

My impression of these comments is that the games will continue.

I was not surprised to read “A Hacker Figured Out How to Brute Force iPhone Passcodes.” Has the hacker kicked off a new round of game playing? Who knows?

The write up states:

A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software’s security mechanisms… But Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, found a way to bypass the 10-time limit and enter as many codes as he wants — even on iOS 11.3.

The method revealed in the write up is clever, like many hacks.

The write up quotes the hacker as saying, “I suspect others will find it [the hack] or have already found it.

Worth monitoring the score line.

Stephen E Arnold, June 25, 2018

Cheerleading for VPNs: Gimme a V, Gimmie an S, Gimmie an N!

June 20, 2018

VPNs Protect Your Data Away From Home

The received wisdom is that a VPN or virtual private network can be used to protect your Internet data from hackers and other bad actors.  ZDNet wrote up a piece about VPNs in “Take Home Along: Six Ways A VPN Can Help Travelers Connect Wherever They Go.”  Typically remote access from a different country or area than your normal IP area will be flagged as a bad actor, but it can also protect you.

In theory, you can use a VPN to prevent your debit or credit card from being blocked, do home online shopping, watch your streaming services, and use VOIP services.  While these are apparent application for a VPN, the article also shares some other that are “naughtier.”

If you are visiting a country, like China, that has restricted access to social media then a VPN in theory will allow you to circumnavigate it.  Even more helpful is that it can hide your online tracks from spies:

“Some companies provide VPN access to their employees while traveling. Employees are given software or configurations that allow them to create encrypted tunnels between their laptops and home servers. These enterprise VPN clients do a great job of hiding the content, but they fail in one critical way: They often let a spying nation state know the IP address of those VPN end-points.

The hope is that by using a VPN service provider, you can obfuscate the path back to work, as well as the data you’re transmitting. This is a very good idea to make it just a little harder for nation-state spies and the organized crime hackers that often work with them to find your company’s servers.”

The problem is that not every VPN is fully secure. Why? In some countries, those who use and operate VPNs are either expected to cooperate with the authorities or just want to stay in business and maybe out of jail.

Whitney Grace, June 20, 2018

France: A Player in Cybersecurity

May 9, 2018

We know the French are good at cheese and wine and romance. Heck, we’d say they are the best in the world in those departments. But when it comes to cyber security, most people think they are about as fresh as rotten brie. That image could be changing. We certainly changed our tune after reading some persuasive recent pieces, starting with Express article, “WhatsApp is About to Get a Rival From One of the Most Unlikely Places.”

That place is, obviously, France. Here’s what the story had to say:

“Since none of the major encrypted messaging apps are based in France, it has raised the risk of data breaches at servers outside the country, the French digital ministry said.

“About 20 officials and top civil servants are testing the new app which a state-employed developer has designed, a ministry spokewoman said, with the aim that its use will become mandatory for the whole government by the summer.”

On the surface, this sounds completely laughable, right? But people are starting to talk about the surprising strength of France’s tech industry. If you ask some people, they are on the cusp of becoming a cyber security power. If things go France’s way, cyber technology might rank up there with champagne, as the country’s finer exports.

Patrick Roland, May 9, 2018

Next Page »

  • Archives

  • Recent Posts

  • Meta