Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Data Protection

Report: Heartbleed to blame for Community Health Systems breach

If this report is true, the Community Health Systems data breach that affected 4.5M patients would be the first known exploit of the Heartbleed vulnerability. However, it is likely not the last. A report on the Errata Security blog in June noted that 300,000 vulnerable systems remained unpatched two months after the vulnerability was disclosed.

Here’s more from TrustedSec:

While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”

While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Principal Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also founder of the Derbycon conference.



P.F. Chang's Goes Manual After Card Breach

Restaurant chain P.F. Chang's China Bistro confirms it suffered a data breach that compromised credit and debit card numbers used by an unknown number of patrons. While the breach continues to be investigated, P.F. Chang’s has announced that it will use a manual imprinting system to process credit cards.

Some experts see a connection to last December’s Target breach:

But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches.

But while the experts disagree about the details of this latest alleged breach, they agree it's time for retailers to tighten network security.

"It's really got the retail industry up in arms," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "CISOs are scared of getting fired, they are afraid of the consumer reaction and they're just trying to get a handle on all of this."


UPDATE (6/18/2014): Brian Krebs provides new information indicating that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11. If true, the breach would predate the attack that compromised Target.

At nearly nine months, that’s slightly longer than the average amount of time before a breach is detected.


When Do Conduits Cross the HIPAA Business Associates Line?

The Legal Health Information Exchange has published a lengthy article that examines the boundaries of the HIPAA Conduit Exception as they apply to Business Associates (BAs) who also handle Personal Health Information (PHI). BAs were first explicitly brought under parts of HIPAA’s regulatory umbrella as a result of the 2009 HITECH Act, and more explicitly with the release of last year’s Omnibus Rule.

The Preamble to the Final HITECH Rule states:

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.]  As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”

Here’s a summary of the author’s conclusion.

Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity simply performing just fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.

Read the whole article here.

‘Using TrueCrypt Is Not Secure’

TrueCrypt, a popular free open source encryption solution, is being abandoned and is considered "harmful and no longer secure" by its developers.

But is that really the case? There are many theories surrounding why the development team abruptly quit. Hopefully an ongoing audit of the code will provide answers:

TrueCrypt has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden...

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).



Network Engineer Sentenced to Four Years for Destroying Company Data

Having a written Employee Termination Checklist designed to flag the many operational issues involved in wrapping up an individual’s employment with the company is not only common sense, it’s an important part of a holistic data protection strategy.

Before his access to EnerVest was terminated, Mitchell went to the office after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system. EnerVest was unable to fully communicate or conduct business operations for nearly 30 days.

The company spent hundreds of thousands of dollars trying to recover historical data from its network servers. Some data was lost forever.



2014 Verizon Data Breach Investigations Report

Verizon's annual data-breach investigations report makes a strong case for behavioral analytics technology that looks for anomalies among user activity to spot hackers.

Such technology could help detect the use of stolen credentials, which were one of two ways most Web applications were compromised, according to the report released Tuesday. The other way was exploiting a weakness in the application.

Read the full report


Would a Proprietary OpenSSL Have Been More Secure than Open Source?

I’m a proponent of open-source software, but in the wake of Heartbleed this is an issue that should at least be revisited. I think the author takes an honest look at the questions that should be asked.

“The OpenSSL Heartbleed vulnerability has resurrected the age-old debate of whether or not open source code is more or less secure than proprietary code. Before putting on your open source or proprietary jerseys and launching into this (frankly not-very-productive) fight, first consider a few things.”

Read the whole article here.


Report: Healthcare has seen a 13 percent increase in botnet activity

Using real-world case studies and findings from over 3 billion analyzed attacks, the 2014 NTT Global Threat Intelligence Report (GTIR) demonstrates strategies to minimize threat impact and compress the threat mitigation timeline. Among key findings of the study:

* The cost for a "minor" SQL injection attack can exceed $196,000;
* Anti-virus applications fail to detect 54 percent of new malware;
* Healthcare has seen a 13 percent increase in botnet activity.

Read the full report


Stephen Colbert's Fantastic Take on the Heartbleed Vulnerability

Stephen should look into getting a new tech expert.



‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Oh my. The potential ramifications...

This vulnerability is particularly unique because the sequence of the fix is important. If the keys and certificates have to be replaced, folks must wait to change their passwords until they confirm that action has been taken. Otherwise the new password is vulnerable as well.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.



Cryptolocker scrambles U.S. law firm's entire cache of legal files

We are going to see more small and medium sized businesses with poor security/backup processes be affected by malware like this.

The infection reached a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service.

That error left every single document used by the firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson.

"The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said.

After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired.

Read the full article

ABA survey: lawyers at most large firms unaware of data breaches

A recent American Bar Association survey, Security Snapshots: Threats and Opportunities, conducted by the ABA's Legal Technology Resource Center, asserts that "Fully 70% of large firm respondents reported that they didn't know if their firm had experienced a security breach." The survey findings also implied a systemic, widespread lack of information security best practices across the industry.

Because of the sensitive data handled by law firms, they're a critical and oft-overlooked weak link in the "Cybersecurity chain," according to Inside Cybersecurity.


SANS: The 6 Categories of Critical Log Information

To the network admins out there: Here’s a document from the esteemed Dr. Anton Chuvakin that is definitely worth looking at.

The document linked in the article can be used to figure out what to log, what to report on and what reports to review for various purposes. At its center are these top log report categories:

1. Authentication and Authorization Reports
2. Systems and Data Change Reports
3. Network Activity Reports
4. Resource Access Reports
5. Malware Activity Reports
6. Failure and Critical Error Reports
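As an added example (not part of the original post, the SANS document, or the Verizon report), the script below builds a small Authentication and Authorization Report of the kind category 1 describes, and on top of the same data applies the behavioral check the 2014 DBIR post argues for: flagging successful logins that deviate from a user's own baseline of source addresses and login hours, which is how stolen-credential use tends to surface. The log lines are constructed sshd-style samples, the addresses and user names are made up, and the baseline cutoff is an assumed date.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth log (sshd-style syslog lines); no real hosts or users.
SAMPLE_LOG = """\
2014-06-02T08:03:11 sshd[101]: Accepted password for alice from 10.0.0.12 port 5021
2014-06-02T08:15:42 sshd[102]: Accepted password for bob from 10.0.0.40 port 5022
2014-06-03T08:01:09 sshd[103]: Accepted password for alice from 10.0.0.12 port 5023
2014-06-03T09:20:00 sshd[104]: Accepted password for bob from 10.0.0.41 port 5024
2014-06-04T08:05:33 sshd[105]: Accepted password for alice from 10.0.0.12 port 5025
2014-06-04T23:47:58 sshd[106]: Failed password for bob from 198.51.100.7 port 6001
2014-06-04T23:48:03 sshd[107]: Failed password for bob from 198.51.100.7 port 6002
2014-06-04T23:48:10 sshd[108]: Accepted password for bob from 198.51.100.7 port 6003
2014-06-05T02:11:45 sshd[109]: Accepted password for alice from 203.0.113.9 port 7001
2014-06-05T08:02:17 sshd[110]: Accepted password for alice from 10.0.0.12 port 7002
"""

# Assumed split: everything before this timestamp trains the per-user baseline,
# everything after it is scored against that baseline.
BASELINE_CUTOFF = datetime(2014, 6, 4, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\w+) from (?P<ip>[\d.]+) port \d+$"
)


def parse_auth_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def auth_report(events):
    """Category 1 report: successes per user, failures per source, and the
    classic 'success right after a run of failures' pattern."""
    report = {"success_by_user": Counter(),
              "failure_by_source": Counter(),
              "success_after_failures": []}
    streak = defaultdict(int)  # (user, ip) -> consecutive failures so far
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            report["success_by_user"][e["user"]] += 1
            if streak[key] > 0:
                report["success_after_failures"].append((e["user"], e["ip"], streak[key]))
            streak[key] = 0
        else:
            report["failure_by_source"][e["ip"]] += 1
            streak[key] += 1
    return report


def build_baseline(events, until):
    """Per-user sets of source IPs and login hours from successful logins before `until`."""
    ips, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < until:
            ips[e["user"]].add(e["ip"])
            hours[e["user"]].add(e["ts"].hour)
    return ips, hours


def anomalous_logins(events, until):
    """Flag successful logins after `until` from a source IP or at an hour the
    user has never been seen with. Coarse on purpose: a real system would use
    ASN/geolocation and a tolerance window rather than exact-hour membership."""
    ips, hours = build_baseline(events, until)
    flagged = []
    for e in events:
        if not e["ok"] or e["ts"] < until:
            continue
        reasons = []
        if e["ip"] not in ips[e["user"]]:
            reasons.append("new source IP")
        if e["ts"].hour not in hours[e["user"]]:
            reasons.append("unusual hour")
        if reasons:
            flagged.append((e["user"], e["ip"], e["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    rep = auth_report(evs)
    print("successes by user:", dict(rep["success_by_user"]))
    print("failures by source:", dict(rep["failure_by_source"]))
    print("success after failures:", rep["success_after_failures"])
    for item in anomalous_logins(evs, BASELINE_CUTOFF):
        print("ANOMALY:", item)
```

Run as-is to see the report and two flagged logins (bob's success from 198.51.100.7 after two failures at an hour he never logs in, and alice's 02:11 login from an address she has never used). In practice the baseline window would be weeks, not three days, and the anomaly output would feed a review queue rather than block access outright.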


Survey Reports High Percentage of Employee Misuse and Theft of Company Data

Littler Mendelson P.C. reminds us that data protection isn’t just about addressing external threats:

A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions. 

Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”



Personal Information Recovered From Wiped Hard Drive

Using software freely available on the Internet, two computer professionals explained how they recovered sensitive patient information, including Social Security numbers, from hard disk drives “professionally” wiped and discarded by a hospital.

Watch this WYFF Channel 4 Greenville-Spartanburg news video. (Or here.)

For effective data security, businesses and consumers should shred old hard-disk drives when they discard them. Look toward NIST SP800-88 for more specific recommendations.



Preventing Data Breaches During The Disposal Process

Last month I discussed two encryption standards established by the National Institute of Standards and Technology (NIST), specifically NIST 800-111 which discussed encrypting Data at Rest, and NIST 800-52 which outlines procedures to encrypt Data in Motion.

NIST Special Publication 800-88, Guidelines for Media Sanitization, outlines ways to protect sensitive data during the disposal process. Three common methods of securely disposing of electronic media containing sensitive information are to clear, purge or destroy the information.

(1) Clearing Information:
Goal: To protect the confidentiality of information against a robust keyboard attack. Must not allow information to be retrieved by data, disk, or file recovery utilities.

Method: Use software or hardware products to overwrite storage space on the media with non-sensitive data, replacing written data with random data.

(2) Purging Information:
Goal: To protect the confidentiality of information against a laboratory attack using nonstandard systems to conduct data recovery attempts on media outside their normal operating environment.

Method: Degaussing (exposing magnetic media to a strong magnetic field) and executing the firmware Secure Erase command (for ATA drives only) are two methods listed by NIST. The degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed.

(3) Destroying Information:
Goal: The ultimate form of sanitization. After the media is destroyed, it cannot be reused as originally intended.

Method: Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

Keep in mind that NIST 800-88 may be getting a bit long in the tooth, and isn't designed to apply to all media or storage technologies. Still, it provides a useful reminder that sensitive data resides on a wide variety of media, and thinking about the disposal process should be a part of any data protection policy.
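As an added example (not from NIST or the original post), the script below shows the "clear" method from step (1) together with the verification step that 800-88 expects after any sanitization: the target is overwritten with random data, then read back and compared against the digest of what was written, so a silently failed or partial overwrite is caught rather than assumed. The target here is a throwaway file containing constructed placeholder records; the function and file names are the example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read unit


def overwrite_with_random(path):
    """Single-pass overwrite of a file with random bytes, in place.
    Returns the SHA-256 of the pattern written so it can be verified later."""
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "r+b") as f:  # r+b keeps the size, starts at offset 0
        remaining = size
        while remaining:
            block = os.urandom(min(CHUNK, remaining))
            f.write(block)
            digest.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # make sure the overwrite reached the device
    return digest.hexdigest()


def verify_overwrite(path, expected_digest):
    """Read the file back and confirm it now holds exactly the written pattern."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest() == expected_digest


def clear_file(path, passes=1):
    """Clear per 800-88: overwrite, then verify; fail closed on any mismatch."""
    for _ in range(passes):
        if not verify_overwrite(path, overwrite_with_random(path)):
            return False
    return True


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Create a file of constructed placeholder records, clear it, and report
    (clear succeeded, size unchanged, placeholder no longer present)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"PATIENT-ID:000-00-0000;NAME:PLACEHOLDER\n" * 2000)
        path = tmp.name
    try:
        before = _read(path)
        ok = clear_file(path, passes=1)
        after = _read(path)
        return ok, len(after) == len(before), b"000-00-0000" not in after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

This only demonstrates the overwrite-and-verify pattern on a file-like target. Overwriting through a filesystem does not reach journal copies, remapped sectors, or the spare area of a flash drive, which is exactly why 800-88 treats file-level overwrite as "clear" and reserves "purge" (degaussing, Secure Erase) and "destroy" for media that will leave the organization's control.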