Breach Of Health Data Gets California Company $2M Fine

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of PHI and PII for patients that it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate
• And conducting periodic testing to identify and address additional vulnerabilities.

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”

Windows 10 Third Party Password Manager Could Have Security Issue

Do you use “Keeper?” If you’re not sure what it is, then you probably don’t. It’s a password manager that Microsoft has been bundling with some of its Windows 10 releases. Either way, there’s a serious flaw in its design that you should be aware of.

Back in 2016, Tavis Ormandy, a researcher on Google’s Project Zero team, found a bug in Keeper’s browser extension: it injected its own privileged user interface into the DOM of ordinary web pages. Anything in a page’s DOM belongs to that page, so a hostile page’s script could restyle the injected controls, hide them under its own content and fake clicks on them.

The damage comes from a user being lured onto an attacker-controlled website while the extension is logged in. That site can drive the injected UI to pull entries out of the vault (Ormandy’s proof of concept could take any password Keeper stored) and the attacker can resell the data or use it to launch a highly targeted attack against a specific user or device.

The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they’re doing the same thing again with this version.

I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”

Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”

The two important takeaways here are as follows:

  • The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
  • Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.

This temporary measure was implemented as a stop-gap until the bug can be properly patched. If you run Keeper, confirm that the browser extension has actually updated rather than assuming it did.

Apple Might Be Working On Universal Apps Across Mac, iOS

Apple has been quietly working on something called “Project Marzipan” for a couple of years now, and it appears that they’re getting closer to unveiling it.

The company seeks to bring its macOS and iOS platforms closer together by developing universal apps that will work in either environment. This mirrors Microsoft’s Universal Windows app strategy, where apps can detect the environment they’re running on and adjust their display and navigation accordingly.

Project Marzipan presents some real challenges for Apple because macOS and iOS apps are built on different application frameworks (AppKit on the Mac, UIKit on iOS), although the tool chain overlaps: Xcode and the Swift language serve both platforms, and if the company leaned harder on that shared layer, the process of creating its own universal apps would be greatly simplified.

The thinking behind Marzipan seems to be driven by the company’s desire to breathe new life into the Mac App Store, which hasn’t seen nearly the level of success as their iOS Store. The move would be a boon to developers because creating a common platform would allow Mac app developers to get their product in front of more potential customers.

Another potential reason is that the company may be planning to ultimately merge macOS and iOS into a single operating system that runs every Apple product. It’s a compelling theory, but the company has said nothing to confirm it.

In any event, if Apple goes ahead with Marzipan, and at this point, all indications are that they will, then we can expect a public announcement to that effect at next year’s World Wide Developer Conference. The first of the universal apps should appear not long after that, although the process of merging the two app stores and building out a robust collection of universal apps could take more than a year.

2017 List Of Most Used Passwords Released

SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same.

By now, everyone knows that the number of hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, how important it is to not use the same password across multiple web properties, to enable two-factor authentication if and where it is offered and to use passwords that contain a combination of letters, numbers and symbols in order to make them more difficult to crack.

Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is “123456,” followed closely by the ubiquitous “password.” These are unchanged from last year.

The rest of the top 25 list contains a mix of the old and the new (shown in lowercase, as SplashData publishes them; passwords are case-sensitive), including:

  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master
  • hello
  • freedom
  • whatever
  • qazwsx
  • and trustno1

If you make use of any of these passwords, we urge you to change them immediately. As important as data security is and as much as is at stake, you’re putting yourself, your friends and your coworkers at grave risk by using such easily cracked passwords.

SplashData’s CEO Morgan Slain had this to say on the topic:

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words.”
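Lists like SplashData’s are most useful when they are enforced at the point where a password is chosen. The following is an added example written for this article, not SplashData’s code: it screens a candidate password against a blocklist, and it goes a step beyond an exact-match check by first normalising the candidate the way a password cracker’s wordlist rules would (case-folding, stripping trailing digits and symbols, undoing “leet” substitutions), so that “Starwars2017” or “P@ssw0rd1!” are caught as the trivial variants they are. The blocklist here is just the 25 entries from this page, standing in for the much larger breached-password corpora a real deployment would load; the substitution table and the 8-character minimum are this example’s own choices.

```python
"""Screen new passwords against a list of commonly used / breached passwords.

Added example for this article, not SplashData's code. The blocklist is the
25 entries from the page; a real deployment would load a breached-password
corpus instead. The normalisation rules approximate what a cracker's wordlist
rules do, so close variants of a listed password are rejected too.
"""
import re
import unicodedata

# SplashData's 2017 top 25, as listed on this page (all lowercase in the source).
SPLASHDATA_2017 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
}

# Common "leet" substitutions mapped back to the letters they stand for
# (this example's own table; extend it to taste).
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_edges(s: str) -> str:
    """Drop leading/trailing runs of non-letters: 'starwars2017!' -> 'starwars'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_forms(password: str) -> set:
    """Every normalised spelling of the password that should be compared to the list."""
    base = unicodedata.normalize("NFKC", password).casefold()
    forms = {base}
    forms |= {_strip_edges(f) for f in list(forms)}       # "starwars2017" -> "starwars"
    forms |= {f.translate(_UNLEET) for f in list(forms)}  # "p@ssw0rd"     -> "password"
    forms |= {_strip_edges(f) for f in list(forms)}       # clean up again after un-leeting
    return {f for f in forms if f}


def check_password(password: str, blocklist=SPLASHDATA_2017, min_length: int = 8):
    """Return (accepted, reason). A blocklist hit is reported before length so the
    user learns the real problem with a password such as 'Monkey1'."""
    hits = candidate_forms(password) & blocklist
    if hits:
        return False, "too close to a commonly used password (%r)" % sorted(hits)[0]
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "Starwars2017", "P@ssw0rd1!", "Qwerty!", "correct horse battery staple"):
        print("%-30s %s" % (pw, check_password(pw)))
```

Run it as a script to see the verdict for a handful of constructed candidates; the first four are rejected even though only the first appears verbatim on the list. The check is intentionally one-directional: it rejects known-bad choices but makes no claim that what passes is strong, which is why it belongs alongside, not instead of, a length minimum and a password manager.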

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million email addresses and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

  • Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.
  • At the time of the breach, Imgur hashed passwords with SHA-256. That is a hash, not encryption, and it is a fast, general-purpose hash rather than a password hash: an attacker with a GPU can test billions of guesses per second against it, so any password on a common-password list falls quickly. Imgur itself warned that the stolen passwords may have been cracked by brute force for exactly that reason.
  • In 2015, the company switched to bcrypt, a deliberately slow, salted password-hashing algorithm, so if the company is breached again in the future, cracking the stolen hashes will cost far more per guess and weak passwords will hold up longer.
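The difference between the two algorithms is easiest to see by playing attacker against a small constructed table. The following is an added example written for this article, not Imgur’s code: it hashes the passwords of three made-up users first with unsalted SHA-256 and then with a salted, memory-hard KDF, runs the same dictionary attack against both, and measures how many guesses per second each allows. hashlib.scrypt from the Python standard library stands in for bcrypt, which is not in the standard library; the wordlist is the 25 passwords from the SplashData article on this page, and the users, passwords and salts are constructed for the example.

```python
"""Why the hashing algorithm behind a leaked password table matters.

Added example for this article, not Imgur's code. Unsalted SHA-256 stands in
for what Imgur used at the time; hashlib.scrypt (salted, memory-hard, slow by
design) stands in for bcrypt, which the standard library does not provide.
"""
import hashlib
import hmac
import os
import time

# SplashData's 2017 top 25, in the published order (see the list on this page).
WORDLIST = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
]


def sha256_hash(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical digests, and a single
    GPU tests billions of candidates per second against it."""
    return hashlib.sha256(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: bytes, n: int = 2 ** 14) -> bytes:
    """Salted, memory-hard KDF: at n=2**14, r=8 every guess costs about 16 MiB of
    RAM and tens of milliseconds, and the salt defeats precomputation."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def crack_sha256(target_hex: str, wordlist):
    """Dictionary attack on one unsalted digest. Returns (password or None, guesses tried)."""
    for guesses, word in enumerate(wordlist, 1):
        if hmac.compare_digest(sha256_hash(word), target_hex):
            return word, guesses
    return None, len(wordlist)


def crack_scrypt(target: bytes, salt: bytes, wordlist, n: int = 2 ** 14):
    """Same attack against a salted scrypt digest: the attacker needs the salt and
    pays the full KDF cost for every guess, per user."""
    for guesses, word in enumerate(wordlist, 1):
        if hmac.compare_digest(scrypt_hash(word, salt, n), target):
            return word, guesses
    return None, len(wordlist)


def guesses_per_second(hash_once, seconds: float = 0.25) -> float:
    """Rough single-core rate for a one-argument hashing callable."""
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_once("benchmark")
        count += 1
    return count / seconds


def demo() -> dict:
    # Constructed leaked table: alice and bob happen to share a weak password.
    users = {"alice": "starwars", "bob": "starwars", "carol": "dragon"}

    sha_table = {u: sha256_hash(p) for u, p in users.items()}
    # Unsalted: the shared password is visible before any cracking, and one
    # cracked digest unlocks every account that used that password.
    same_digest = sha_table["alice"] == sha_table["bob"]
    cracked = {u: crack_sha256(h, WORDLIST)[0] for u, h in sha_table.items()}

    salts = {u: os.urandom(16) for u in users}
    scrypt_table = {u: scrypt_hash(p, salts[u]) for u, p in users.items()}
    distinct_salted = scrypt_table["alice"] != scrypt_table["bob"]

    rate_sha = guesses_per_second(sha256_hash)
    rate_scrypt = guesses_per_second(lambda p: scrypt_hash(p, salts["alice"]))
    return {
        "same_digest_unsalted": same_digest,
        "cracked": cracked,
        "distinct_salted": distinct_salted,
        "slowdown_factor": rate_sha / max(rate_scrypt, 1e-9),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The slowdown factor printed at the end is a single-core Python figure and understates the real gap (GPU SHA-256 rates are far higher; scrypt and bcrypt are built to resist that), but the shape of the result is the lesson: with the fast hash, every user on the common-password list is recovered in microseconds and duplicate passwords are visible at a glance; with the salted KDF, each user costs a separate, expensive run.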
All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.

Older iPhones Are Being Purposefully Throttled, According To Apple

Not long ago, observant Reddit users noted and began discussing a curious phenomenon. It appeared that older iPhones were unexpectedly slowing down, and no one could name the reason why.

It caught the attention of a number of researchers who dug more deeply into the issue, including John Poole of Primate Labs, developer of the Geekbench benchmark, whose tests confirmed the Reddit claims: on the iPhone 6s and iPhone 7, Apple changed behaviour in iOS versions 10.2.1 through 11.2.0.

These changes are designed to throttle the phone’s performance when the battery degrades beyond a certain point. While the company itself has subsequently confirmed the findings, they didn’t offer much in the way of a detailed explanation other than to say:

“Our goal is to deliver the best experience for customers, which includes overall performance and prolonging the life of their devices. Lithium-ion batteries become less capable of supplying peak current demands when in cold conditions, have a low battery charge or as they age over time, which can result in the device unexpectedly shutting down to protect its electronic components.

Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions. We’ve now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future.”

If you have an older iPhone, you may find yourself in disagreement that throttling its performance optimizes your user experience, and admittedly, it isn’t an optimal solution. On the other hand, having your phone power down unexpectedly when the battery life still reads 40 percent can be worse than annoying.

The only way around it is to replace your battery, which will not trigger the throttle built into the OS.

Bug in macOS Could Allow Hackers Root Access

Do you own a Mac? Is it running Apple’s latest macOS, the “High Sierra?”  If so, be extra careful with who you allow access to your machine.

A security flaw recently discovered by a developer named Lemi Orhan Ergin (tracked as CVE-2017-13872) can easily allow anyone unfettered access to everything on your machine, and by extension, give them an easy “in” to whatever network it’s connected to. All they need is a login prompt: physical access to the machine, or, as was also reported, a network connection if Screen Sharing or Remote Management is turned on.

Exploiting this vulnerability is a lesson in simplicity. All a hacker has to do is enter “root” in the username field, leave the password field blank, and press Enter (more than once, if the first attempt does not take).

Done.

They now have total access.

Needless to say, this is a large and rather glaring security issue, and one which Apple is remedying via a patch (it shipped as Security Update 2017-001 for High Sierra; if your Mac has not installed it, do so now). Until it is installed, be aware that the physical security of your Mac is of paramount importance. Leaving your workstation unsecured and unattended, even for a few minutes, is all it would take to lose control over all the files on your machine and give a hacker access to the even more sensitive data lurking elsewhere on your company’s network.

Unfortunately, as bad as this security flaw is, it’s not the only recent stumble by Apple. Just last month, the company had to issue an emergency patch to fix a flaw that affected encrypted volumes, where the password hint section was displaying the actual password in plain text.

To try this exploit out for yourself to verify how easy it is to use, simply do the following:

  • Open your machine’s System Preferences and select “Users & Groups”
  • Click on the lock icon, which will allow you to make changes. You’ll get a user name and password box at this point
  • Type in “root” in the username field
  • Move the cursor into the password field and hit enter

That’s all there is to it.

Until the update is installed, the most effective workaround is to set a root password yourself (Directory Utility can do it, or `sudo passwd root` in Terminal), so that a blank-password attempt simply fails. Failing that, leave your machine on and lock your workstation when you step away. At least that way, the hacker would have to know your current password in order to gain access.

Of course, they could simply power the machine off and reboot, but that would take a bit more time, during which they could be discovered.

It’s far from perfect, but for the time being, it’s the best protection you have.

Chrome OS To Get App Multitasking Soon

Chromebooks gained the ability to run Android apps, which put a huge catalogue of software in front of Chromebook owners, but Chrome OS has always lagged behind other platforms developmentally.

One of its most serious limitations where running apps was concerned was that Android apps could not run in the background. Basically, if the app you’re using is not “in focus” or in the window you’re currently viewing, all activity in the app ceases.

There are a few exceptions such as the Spotify app, but most apps that rely on real-time data, and most games, will freeze when a user clicks out of the window. If you’re coming to a Chromebook from almost any other platform, it can be annoying and hard to get used to.

Fortunately, you won’t have to deal with this for much longer. Google recently announced the release of Chrome OS 64, which will, among other things, allow apps to continue running in the background, even when you’re not using them in the active window.

Right now, the update is available on the company’s Beta channel, so it’s a fair bet that it will be rolled out to the general user base in the very near future. However, the company has not given a firm timeframe for that.

If you have a Chromebook, this is good news indeed as it corrects what many industry insiders have long seen as a glaring weakness of the platform.

While Chromebooks don’t get much use at the Enterprise level, they are a cost-effective computing option for students and low-income people, and it’s good to see Google spending time and resources improving them.

While the latest version offers a number of enhancements, the two biggest are the multitasking support mentioned above, and the “split view” feature which will further enhance the multitasking capabilities of the platform.

Microsoft May Remove Windows Paint From Operating System

“Paint” is one step closer to being a thing of the past.

In May of this year, Microsoft caught a surprising amount of flak when they announced that the venerable app, which had been included with the OS in every release since 1985, would be going away and replaced by a newer, sleeker version called Paint 3D.

The company had not expected any backlash on the matter and was sent scrambling when tens of thousands of people complained loudly in forums all over the internet.

The company quickly revised its position, explaining that while Paint would no longer come pre-installed on future releases of Windows, it would still be available on Microsoft’s app store. This move seemed to mollify Paint’s surprising number of fans and followers, but now, Microsoft is in the news again over the surprisingly cherished app.

In a recently released Windows 10 Insider Preview, the following message was discovered when accessing Paint: “This version of Paint will soon be replaced with Paint 3D. Classic Paint will then become available in the store.”

Note that this message was not displayed upon opening Paint itself, but rather upon clicking the “Product Alert” button at the top right corner of the app screen.

While the news is certainly no surprise, given the above, the sparse wording of the message does raise the question of whether the transition will be occurring during the next Windows 10 release. So far, the company has not offered any sort of clarification or confirmation.

In any case, we’re now one step closer to saying goodbye to Paint. While it was never a very good image editing program, it has proven to have a surprisingly deep base of support. Support or no, however, the day is soon coming when it will be a thing of the past, unless users go to the store and manually download and install it.

Nvidia Dropping Driver Support For Older Operating Systems

AMD long ago dropped support of 32-bit operating systems, and now, Nvidia is following suit. The long-anticipated move by the company will mean the end of driver support for the 32-bit builds of Windows 7, Windows 8, Windows 8.1, Windows 10, Linux and FreeBSD.

Nvidia is taking a balanced, responsible approach here. The company has pledged to continue offering security updates for the 32-bit drivers until January 2019, but will no longer add features or performance improvements to them.

In some respects, it’s long overdue. Today’s application environment is incredibly resource intensive, with a growing number of applications requiring more memory than 32-bit systems can deliver: a 32-bit process can address at most 4GB, and 32-bit client versions of Windows will not use more than 4GB of physical RAM in total.

The picture gets even bleaker if you’re a gamer. Even modest games tend to require more than 4GB of RAM these days, and most top-tier titles no longer offer support for 32-bit systems. On top of that, 64-bit systems carry hardening the 32-bit builds lack, such as far more address-space randomization entropy and, on 64-bit Windows, mandatory kernel driver signing and kernel patch protection, so it’s probably time 32-bit systems were put out to pasture.

Given this landscape, it’s probably time to pronounce the 32-bit operating system dead. If you’ve got some legacy applications still running on an old machine, now is the time to get serious about your migration plan.

Most of the older OS’s are no longer receiving security updates, which leaves you increasingly vulnerable to a wide range of hacks. That, coupled with the increasingly sparse driver support makes it inevitable that you’ll have to migrate at some point, and it’s always better to do it on your terms than someone else’s.

If you haven’t yet worked out what to do about your old legacy systems, it’s long past time to do so. The clock has been ticking for a while now, and the ticking just got a little bit louder.