Why passwords have never been weaker—and crackers have never been stronger
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
Read the full article here
Data Security Breach at Chapman University
On February 15, officials at Chapman University were informed that a document that should have been secured was available to logged-in system users who were not authorized to see it. The university immediately secured the document by correcting its access privileges, and on February 22 notified the New Hampshire Attorney General’s Office that 15 New Hampshire residents were among those whose sensitive data was in the exposed document. According to the university’s letter, the file included the names, Social Security numbers, student ID numbers, and financial aid information of students who applied for financial aid for the 2009-2010 academic year.
[Full Disclosure: I attended Chapman University many years ago and thoroughly enjoyed the experience.]
Mass. General to pay $1M to settle privacy claims
Massachusetts General Hospital and its physicians organization have agreed to pay the federal government $1,000,000 to settle claims related to a worker leaving personal health documents on the subway.
The hospital also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, and to provide training to workers. The hospital must remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.
“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
The settlement stems from a 2009 complaint from a patient whose personal health information was lost. The federal government subsequently opened an investigation and found that records from 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, were lost. It was determined that a Mass General employee had left the records on the MBTA while commuting to work on March 9, 2009.
Source: Boston Business Journal.
IE9 To Include Tracking Protection
On December 1, 2010, the Federal Trade Commission issued a major report discussing consumer privacy online. In the report, the FTC advocated the use of a "Do Not Track" mechanism governing the collection of information about consumer’s Internet activity. Specifically, the FTC suggested the use of a "persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads."
In the wake of that report, Microsoft announced a new feature to be included in version 9 of Internet Explorer. Although still in development, IE9 will include an opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking, along with “Tracking Protection Lists” that will enable consumers to control which third-party site content can track them when they are online.
Source: Microsoft
University Hospital Fined $250,000 for Breach
HealthLeaders Media reports that California Department of Public Health (CDPH) officials have fined Lucile Salter Packard Children's Hospital at Stanford University $250,000--the maximum amount allowed under state law--for failing to report a breach of 532 patient medical records due to the theft of a hospital computer. The records included such information as names, dates of birth, procedures and Social Security numbers. The hospital, which is appealing the decision, has stated that when it was determined the computer could not be recovered, the incident was reported to the CDPH, federal authorities and families of potentially affected patients. Under California's failure-to-notify penalties, which are unique in the U.S., state health officials have issued more than $1.8 million in fines against 143 hospitals for failing to report a variety of incidents including breaches of medical records, the report states.
Apple to Combat Jailbreaking Using Patent Kill Switch
Two weeks ago, the Daily Journal published an article authored by me entitled, “Cell Phone Users Catch a Break.” The subject of this article was a new DMCA exemption that allows the jailbreaking of cell phones, in particular the Apple iPhone. I want to make clear that I do not recommend that anyone jailbreak their phone and would strongly advise against doing so. In addition to voiding your warranty, jailbreaking can cause any number of performance problems and has the potential to “brick” your phone.[1]
That being said, in my article I discussed potential responses by Apple to the DMCA exemption; in particular, I noted that Apple has the technical resources to continually update and change the iPhone operating system to thwart jailbreaking attempts. Shortly after the DMCA announcement, it was revealed that Apple had submitted a patent application entitled, “Systems and Methods for Identifying Unauthorized Users of an Electronic Device.” In other words, it is a method for detecting unauthorized users and uses of a device and, if those are detected, shutting them down or disabling the device. Engadget.com described it best by calling it a “patent kill switch.” I believe this application is an indicator that Apple will be taking a strong stance against jailbreaking and will be combating it primarily through technical means.
Source: U.S. Patent Office Application, Apple Insider.
[1] “Brick” is a term for the situation where, by jailbreaking or other means, the phone no longer operates and is essentially an expensive paperweight or “brick.”
Hidden Message in US Cyber Command Logo Is Solved
When the United States Cyber Command unveiled its logo, it contained an encoded message. In small letters along the inside ring of the logo was the text “9ec4c12949a4f31474f299058ce2b22a.” When this code was discovered, Wired.com Magazine held a contest to see who could crack it first. Sadly, it took just a little more than three hours for someone to recognize the code as an MD5 hash and find the text that produced it.
MD5 is a cryptographic hash function used in security applications and forensics. It maps input of almost any length to a fixed 128-bit digest, which is conventionally written as 32 hexadecimal characters. For example, the text “The quick brown fox jumps over the lazy dog” has an MD5 hash value of “9e107d9d372bb6826bd81d3542a419d6”, while the hash value of my last blog post is “28c2a82cba12c6c0275f12fa95464def”. The easy part was recognizing that the code was an MD5 hash; the hard part was figuring out what it referred to. That can be very difficult because MD5 hashes are designed to be one-way: the function cannot be run backwards, so the only way to recover the input is to guess candidate texts and hash each one until a digest matches. Luckily for us, someone figured out that the hidden code was the MD5 hash of the U.S. Cyber Command’s Mission Statement:
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
That’s it! Seriously, try it for yourself using this MD5 Generator.
This simple and fun puzzle has made the U.S. Cyber Command logo truly unique. Of course, MD5 may not have been the best choice to immortalize on the logo, considering the 2008 announcement from the U.S. Department of Homeland Security’s US-CERT that MD5 “should be considered cryptographically broken and unsuitable for further use,” and that most U.S. government applications will be required to move to the SHA-2 family of hash functions after 2010. The weakness behind that warning is not that a digest on a seal can be reversed (it cannot), but that attackers can construct two different inputs with the same MD5 digest, which undermines its use in digital signatures and certificates.
Source: Wired.com Magazine
New Regulations Require Disclosure of Data Breaches
HIPAA-covered entities need to be aware of new regulations issued this week that require public disclosure of data breaches. The U.S. Department of Health and Human Services has issued new regulations that require providers, health plans, and other HIPAA-covered entities to notify individuals when their health information is breached.
Data breaches involving protected health information must be reported to the Department of Health and Human Services. Breaches affecting fewer than 500 individuals can be reported to the HHS Secretary on an annual basis. Breaches that affect 500 or more individuals must be promptly disclosed to the affected individuals, the HHS Secretary, and the media.
Principal Deputy Director of the HHS Office Robinsue Frohboese has said that “The new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
These regulations were issued pursuant to provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009 by President Obama.
Originally Posted by Scott Koller at Life, Health and Disability Insurance Blog

