Monday, July 25, 2011

Hacker Hackett sentenced to 10 years

Good article at SecurityWeek on the case of a professional identity thief sentenced to 10 years in prison:

The best part is his name: Hackett. Phonetically, that would be pronounced "Hack - It". He received 10 years and a $100,000 fine for possessing 675,000 stolen credit card numbers, which investigators believe led to more than $36 million in fraudulent transactions. It appears he had been working in his profession for about 7 years before being caught.

Thursday, July 21, 2011

Barack Obama's Audacity of Hack, Chapter One

In May, the White House released a comprehensive proposal for a number of CyberSecurity measures. Unlike most of the other legislation proposed this year, which focuses on Data Breaches or Do-Not-Track, the White House proposal has 6 different sections, including changes to Homeland Security CyberSecurity authority as well as coordination of CyberSecurity between agencies:

  • Data Breach Notifications

  • Homeland Security CyberSecurity Authority and Information Sharing

  • CyberSecurity Regulatory Framework for Covered Critical Infrastructure

  • Coordination of Federal Information Security Policy

  • Personnel Authorities Related to CyberSecurity Positions

  • Preventing Restrictions on Data Center Locations

At 52 pages, the entire proposal is very dense, which makes me think this could be a sequel to Obama’s second book, The Audacity of Hope. The proposal, which I’ve nicknamed the Audacity of Hack, is interesting at points and surprising at others. I still think it is very "hopeful" to expect any of this legislation to pass this year, but hopefully there will be some progress. This will be a multi-part series looking at the proposal.

The first thing that strikes me is how different all the data breach proposals are. The White House may well be the most conservative of all the proposals.

The average maximum penalty for a data breach in the House of Representatives proposals is $3.8 million. The average maximum penalty in the Senate proposals is nearly double that, at $7.2 million. The Senate is also much higher on the average daily penalty, at $12,333 versus $7,333 for the House.

Thursday, July 14, 2011

HIPAA Hot Potato - Federal vs. State

In May, The Office of the Inspector General issued a report on the results of an audit conducted for the Office of Civil Rights on the effectiveness of HIPAA compliance. The report wasn’t so great.

“Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009.”

This report was a follow up to a 2008 report that was much worse.

Perhaps in response to this, in June Texas became the first state to pass a law that provides for even greater scrutiny under HIPAA, in part as a response to ineffective federal enforcement.

Republican State Representative Kolkhorst says she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped-up enforcement of healthcare privacy rights at the state level. "There's no data more sensitive than your healthcare data," she says. "We have lots of laws to protect financial data; I wanted to strengthen our laws protecting healthcare data."

While it may be true that the state of security in health care isn’t great, is it really true that enforcement at the federal level isn’t happening? Yes and no. Prior to 2011, HHS had taken only four major enforcement actions, with resolution amounts totaling approximately $3.4 million. This year, however, there have been 3 major enforcement actions in just the first 6 months, totaling almost $6.2 million. Most recently, the UCLA Health System was fined $865,000 for broad security issues.

HIPAA Major Enforcement Actions Timeline:

  1. August 2008 – Providence Health Systems - $100,000
  2. February 2009 – CVS Caremark - $2.25 million
  3. January 2010 – Health Net - $250,000
  4. July 2010 – Rite Aid - $1 million
  5. February 2011 – Cignet Health - $4.3 million
  6. February 2011 – The General Hospital Corp/Mass General - $1 million
  7. July 2011 – UCLA Health System - $865,000

There is more to the federal enforcement story, however. HHS publishes data on its enforcement actions. Not all of them end in monetary penalties, but a significant amount of work is being done. According to the data, there were 9,158 resolutions in 2010, up from 8,092 resolutions in 2009.

This brings us to the question of the most recent amendment to HIPAA, the HITECH Act. HITECH significantly expanded HIPAA’s enforcement mechanisms, including allowing state Attorneys General to enforce HIPAA and bring their own civil actions. Connecticut’s Attorney General was the first to bring such an action, in January of 2010. It appears that state enforcement actions haven’t been that plentiful since.

Here’s the big question: If HITECH allows state Attorneys General to enforce HIPAA, how can Texas claim that there isn’t enough enforcement at the federal level? I could find no evidence of the Texas Attorney General's office bringing an action to enforce HIPAA. (If I missed one, please comment below.)

This creates a dangerous precedent if other states begin to follow Texas. The whole point of having a federal standard is so that companies can have one clear rulebook to follow. Adding new rules for every state would drastically increase the costs for compliance (and probably increase the costs for healthcare overall).

Friday, July 8, 2011

Discussion Draft of the SAFE Data Act introduced by Representative Mary Bono Mack (R-CA)

On June 13th, Congresswoman Mary Bono Mack released a discussion draft of what she calls the SAFE Data Act. Here’s the marketing release if you’d prefer to read the CliffsNotes version.

Since it’s a discussion draft, let’s discuss! Actually, I think this could be a good bill to eliminate a lot of the confusion about how individual states are treating data breach notifications.

From the press release:

“A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner. Non-profit organizations such as universities and charities would be required to comply with the legislation.”

This bill differs slightly from others recently introduced in that it requires companies to implement “reasonable security procedures”. After years of arguments about whether it is reasonable to require users to change their passwords at all, I wonder who determines what "reasonable" means. Should we let consumers determine how much security they want or need? I think users did that to some extent by leaving MySpace for Facebook because of the perceived insecurity of MySpace. But in that scenario, users had a choice with a perceived difference.

One of the best aspects of the document is that it creates requirements for the contents of a breach notification, which would go a long way to having some kind of standard for these letters. There are five requirements:

  • Description of the PII breached
  • A Toll free telephone number for victims to call
  • Credit monitoring services for 2 years. (I think this is great, but I would bet money that through negotiations it will be reduced to 1 year if a bill ever gets passed.)
  • Toll free numbers for credit reporting agencies
  • Toll free number or website info for the FTC

I like that the bill provides for email notification if that is the main method of contact between the business and the individual. I also like that there is an alternative method of contact should the affected group be small or the contact information insufficient.

I like that there is a safe harbor provision for encryption similar to HIPAA.

What I’m not so sure about are the “Data Security Requirements”. Yes, you need a security policy and an Information Security Officer. The rest of the requirements seem too vague to me. My take is that they expect administrative guidelines set up by the FTC to address this. I also get the need to be flexible for businesses of different sizes and in different industries. But to have successful security legislation (meaning legislation that actually makes the country’s infrastructure more secure), we need a standard like PCI that spells out the requirements. Instead, what the bill leaves us with is a requirement for security processes covering vulnerability identification, data retention, data disposal and data minimization. What this does is set companies up to be judged in court by their own policies when something goes wrong. And I suspect things will go wrong without firmer requirements.

One thing missing from all of these data privacy laws is that none of them say anything about requiring passwords to be changed. If Google, Facebook, Yahoo, and Hotmail all regularly required users to change their passwords (even if only once per year), the chance of one exposed account and password compromising a host of other accounts would be reduced. Users who use the same password for their credit card site as for their Twitter account would eventually be forced to use different ones. Oh happy day.

What about requiring two factor authentication? By and large, banks have started asking challenge questions as the regular part of the logon process. Why not extend this beyond the financial industry?

The real question is, should we try to change users' behavior through corporate regulations, or change the habits of hackers through penalties? I would argue that the former would have a much greater impact than the latter.

Wednesday, July 6, 2011

What has Al Franken done for me lately, Part 2

Last week, the Senate Committee on Commerce, Science and Transportation held a hearing on Privacy and Information Security. Senator Rockefeller made a point of emphasizing his committee’s jurisdiction over privacy and data security issues. I think this statement alone shows a rift in the Senate’s perspective on Information Security in light of the newly formed subcommittee on Privacy in the Senate Judiciary Committee. I really hope that posturing and territorialism don’t hold up any new legislation this year, but it looks like they will.

Senator Toomey (R-PA) wanted to draw a distinction between privacy and security while bringing up the need for a cost-benefit analysis for the proposed regulations (read between the lines, changes to Privacy laws at least won’t be happening anytime soon).

From the perspective of business, all the legislation proposed this year needs to do is set a national standard for data breaches that preempts state law, so that there is one standard to follow rather than 46 different sets of rules based on who your customers are and where they live. From the perspective of the states, they want a law that allows them to more easily sue offenders, thereby protecting their residents and generating a new revenue source. States also don’t want the penalties to be too harsh, for fear of appearing anti-business.

Most likely, any new data breach law will mirror HIPAA/HITECH. HIPAA has two types of penalties: penalties for non-compliance and penalties for wrongful disclosure. For non-compliance, HIPAA penalties start at $100 per violation, capped at $25,000. For a wrongful disclosure, penalties can range from $50,000 to $250,000 and may include a prison sentence depending on the crime. All of the new legislation proposed this year has substantially higher penalties.

So what makes health-related financial crime better or worse than SSN theft, for example? Have efforts to keep patient data secure cost doctors and hospitals money? Has HIPAA put healthcare out of business? Okay, bad example given the rising costs of healthcare, but you get the picture.

So what should Al Franken do next? Force companies to make their default settings completely private? Require background checks for companies that have access to consumer information? Push for a Do-Not-Track mechanism built into the web?

Tuesday, July 5, 2011

War Powers Resolution and Cyberwar

If you've been following the war in Libya and the Obama administration's report to Congress in June, you'll know that the administration is claiming that our military actions in Libya are not covered by the War Powers Resolution, which would otherwise require them to be terminated after 60 days. To continue beyond that window, Congress must either authorize the use of military force or declare war.

The reasoning in the White House report is basically that since the action in Libya involves drones, no soldiers are being put in danger, so the War Powers Resolution doesn't apply. The reasoning also holds that we are acting in Libya under limited circumstances, only going after specific targets.

What does this have to do with Information Security, you ask? Since Clinton ignored the Resolution in 1999, and other presidents have argued that the War Powers Resolution is unconstitutional, the conspiracy theorist in me wonders whether the intent of this report was to set a precedent for future actions to follow the same model. It seems to me that the same reasoning could be applied to cyberwarfare. Soldier/hackers are essentially the same as drone pilots. Cyberwar, if such a thing ever happens, will also most likely be fought in small theaters and under limited circumstances, not as an all-out world cyberwar. Cyberwar actions would by definition also be directed only against specific types of infrastructure.

Saturday, July 2, 2011

What has Al Franken done for me lately, Part 1

In February of this year, the Senate Judiciary Committee voted to form a new subcommittee on Privacy, Technology, and the Law. They chose my favorite Senator, Al Franken, to chair the new group. After I heard about this new committee’s formation back in February (February 14), they kinda went radio silent for a few months, presumably putting their noses to the grindstone to come up with something brilliant. So what has Al Franken done for us lately?

On June 17th, Senator Franken introduced his Location Privacy Protection Act, which is probably just a gut reaction to Apple's and Google Android’s ability to track where you’ve been, either inadvertently or overtly through compromised apps. This is great for privacy (if it ever gets passed), but most likely the two companies (Apple and Google) will clear up their vulnerabilities long before any legislation gets passed.

The real question is, why? The Supreme Court this year will consider whether warrantless GPS tracking by the FBI is okay. The Justice Department is arguing that “a person has no reasonable expectation of privacy in his movements from one place to another.” If law enforcement is able to monitor citizens in this way, then why take the same information away from individuals who might want to see where their kids or spouse have been? Are we really concerned that hackers will want to know where we’ve been? Or are we worried that stalkers could use the info? That advertisers will be able to better market products to us based on our travel habits? Why should the government get a free pass when Facebook is getting beat up over releasing impersonal statistical data to advertisers?

So what about current laws on the books that protect privacy, like HIPAA? This raises the question of whether health records are any more or less important than other types of personal information, like GPS tracking. The majority of crime that HIPAA attempts to prevent isn’t someone shouting from a rooftop that someone has an embarrassing rash or STD. HIPAA attempts to prevent financial crimes, which is exactly what SAFE Data and the Privacy Bill of Rights are about. They’re not about privacy at all.

Now, this brings us back to what Al Franken has done for us lately. Is the Privacy sub-committee just an Orwellian attempt at naming a group that is out to protect the opposite of Privacy? After all, why should I care if my identity is stolen if the FTC limits my direct damages to $50? From studies, we know that indirect damages are higher, maybe $250. But the real damages are to companies, which pass along the costs to consumers.

Do we even care about Privacy anymore? If the answer is, "Only when it hurts us not to" then maybe we should be revising our notions of Privacy just as quickly as the technology evolves our ability to subvert it.