Karen Lopez

Health Data Breaches – Insider Data Trading?

This was reposted from http://blog.infoadvisors.com/index.php/2013/01/09/health-data-breaches-insider-data-trading/ written by Karen Lopez. They get all the credit for this, not me.


It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida

Additional reading can be found at the original author’s post.

Soulskill

NTLM 100% Broken Using Hashes Derived From Captures

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-x3fWaDw3LA/story01.htm written by Soulskill. They get all the credit for this, not me.

New submitter uCallHimDrJ0NES writes “Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy. ‘You might think that with all the papers and presentations, no one would be using NTLM…or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!’ Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!”

Additional reading can be found at the original author’s post.

Unknown Lamer

Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/4jJjYcqA-4M/story01.htm written by Unknown Lamer. They get all the credit for this, not me.

vikingpower writes “As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens’ digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances cannot communicate anything to those same citizens anymore.” Fixes were released, so it looks like it’s on their sysadmin team now.

Additional reading can be found at the original author’s post.

Karen Lopez

An Audible Data Privacy Breach

This was reposted from http://blog.infoadvisors.com/index.php/2013/01/02/an-audible-data-privacy-breach/ written by Karen Lopez. They get all the credit for this, not me.

RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 pe

Additional reading can be found at the original author’s post.

(author unknown)

Are You Protecting Your DB Backups?

This was reposted from http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your-protecting-your-db-backups/ written by (author unknown; the URL places it on Brian Kelley’s SQLServerCentral blog). They get all the credit for this, not me.

Folks have cited the recent InformationWeek article on how South Carolina’s Department of Revenue was hacked because the SC state government basically said, “It’s the IRS’ fault for not telling us we should encrypt social security numbers.” I’m not going to touch that. It stands on its own for its foolishness. However, I did key in on how the hack happened and how the data was obtained. I found this bit to be particularly interesting:

“But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system — outside the state’s control — and deleted the zip files to help hide the data breach, according to Mandiant’s report.”

In other words, the attacker, once inside the trusted network, located the database backup files, zipped them up, and then copied them offsite. That’s how the data was lost. The database backups were attacked.

Additional reading can be found at the original author’s post.

Soulskill

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5ifWhOwuT7U/story01.htm written by Soulskill. They get all the credit for this, not me.

concealment sends this quote from MIT’s Technology Review: “AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer’s] case hasn’t received much attention so far, but should he be found guilty this week it will likely become well known, fast.”


Additional reading can be found at the original author’s post.