Wednesday, March 30, 2011

Health Net Loses More Patient Records

This month news came out that Health Net lost another 1.9 million patient records. This comes on the heels of a 1.5 million record loss just two years ago.

A previous data loss event happened in May of 2009, but the company only informed the state Attorneys General in states where disclosure laws exist, and that took nearly six months. They plan to inform those affected, but have not yet done so. Vermont fined Health Net $55,000 on behalf of the 525 state citizens who were affected, and Health Net paid $525,000 to settle two claims with the state of Connecticut.

In the healthcare industry, the HITECH Act's breach notification provisions, which extend HIPAA, address exactly these events. They require that an organization notify affected individuals without unreasonable delay, and in no case later than 60 days after discovering a breach. There are conditions that remove the obligation to notify (such as strong encryption of the lost data, or its quick recovery), but none of them applies in the Health Net case.

In the May 2009 event, the company claims it took six months to identify what data was lost and whose. The information was stored unencrypted on a portable disk drive. Not to worry, they say: the data was compressed and only readable with specialty software. There are at least three things wrong with these positions.

Companies need to know where their sensitive information is stored. Health Net claims that it took six months of forensic investigation to determine what was lost. There are several possible explanations. Maybe they just don't know what they store where. Maybe the people trying to figure it out weren't skilled or didn't spend much time on it. Or the right people didn't know about the drive, didn't know it was lost, or didn't know it might have contained sensitive information. Whatever the reason, it comes down to a basic lack of data and asset tracking.

Portable media is at high risk of theft and loss, so sensitive data stored on it should be protected. Physical protection means keeping the media in authorized, secured areas; logical protection means encryption. Health Net did not do this.

Though the data is supposedly unreadable without special software, I doubt this is the case. I've sometimes found that proprietary formats - for which custom software is often very expensive - are nothing more than standard formats with cryptic file names. If you open the file with a text editor, document editor, image viewer or other widely available software, many times you have no problem extracting the data.
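A quick way to test that claim, added here as an illustration (my own example, not part of the original post): most "proprietary" export files announce their real format in their first few bytes. The function below reads those bytes with od and matches them against a handful of published file signatures. The file names and contents are constructed for the demonstration and have nothing to do with the Health Net drive.

```shell
#!/bin/sh
# Added example, not from the original post: identify the real format of a
# file with a cryptic name by its leading bytes ("magic numbers").
# Assumes POSIX sh, od and tr. The signatures are the published ones for
# each format; the file names and contents below are constructed for the demo.

# sniff FILE: print gzip, zip, pdf, sqlite, ole2 or unknown.
sniff() {
    # First 16 bytes as one lowercase hex string, e.g. "1f8b0800..."
    sig=$(od -An -tx1 -N16 "$1" | tr -d ' \n')
    case $sig in
        1f8b*)                            echo gzip ;;    # gzip member header
        504b0304*)                        echo zip ;;     # "PK\3\4" local file header
        25504446*)                        echo pdf ;;     # "%PDF"
        53514c69746520666f726d61742033*)  echo sqlite ;;  # "SQLite format 3"
        d0cf11e0a1b11ae1*)                echo ole2 ;;    # legacy Office/Outlook container
        *)                                echo unknown ;;
    esac
}

# sniff_dir DIR: one "name type" line per file, for triaging a whole dump.
sniff_dir() {
    for f in "$1"/*; do
        printf '%s %s\n' "${f##*/}" "$(sniff "$f")"
    done
}

# make_samples: constructed files with opaque names but standard headers;
# prints the temp directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    printf '\037\213\010' > "$dir/CLM_2008Q4.001"                 # gzip
    printf 'PK\003\004' > "$dir/MEMBER_EXT.DAT"                   # zip
    printf '%%PDF-1.4\n' > "$dir/RPT_01.BIN"                      # pdf
    printf 'SQLite format 3' > "$dir/ELIG.IDX"                    # sqlite (real header ends in NUL)
    printf '\320\317\021\340\241\261\032\341' > "$dir/MSG.DB"     # ole2
    printf 'plain text\n' > "$dir/NOTES.TXT"                      # nothing recognised
    echo "$dir"
}

# Stand-alone run: list every sample with the format it really is.
demo_dir=$(make_samples)
sniff_dir "$demo_dir"
rm -rf "$demo_dir"
```

Once the type is known, the ordinary tool opens it: gzip -dc, unzip, sqlite3, any PDF viewer. The check is worth running before accepting a "needs specialty software" claim; a file that sniffs as unknown and is compressed or encrypted looks very different from one that is simply a ZIP with a strange extension.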

But this problem isn't one that exists for Health Net alone. The DataLossDB catalogs many of the data loss events that happen. Others remain undisclosed and unknown.

Friday, October 29, 2010

Beau on the Local News

Blatant self-promotion. Hey, I can't help it. Check out the video, too.

Tuesday, July 21, 2009

Cyber War Against North Korea

I’ve heard people calling for retaliation against North Korea for the latest cyber attacks on the US and South Korean Internet sites. That idea is worse than bad, it’s nearly insane. The best that could be hoped for in such a move would be to saturate the attacker’s bandwidth and thus cancel out the attacks. The worst that could happen would be a virtual Armageddon of factions fighting each other on the Internet, with most of the damage being done to innocent bystanders.

The first mistake that proponents of retaliation make is that they assume North Korea’s government was behind the attack. But they don’t ask for any evidence of this beyond the fact that one of the possible beneficiaries of the attacks would be Kim Jong Il’s regime. In fact, conflicting evidence has been pointing toward the UK as one major source of the attack, and the botnet controller may reside in Florida – yet no calls have been made to attack the British or US governments.

In fact, it's unlikely that there is a North Korea-UK-US connection in these cyber attacks. It’s very difficult to determine accurately and quickly who may be behind an attack. It is too easy to hide the real source behind several layers of obfuscation and the perpetrator may only be discovered after the attack has ended, if at all. The bottom line is that we just don't know who executed the attacks.

Even if you have the right country as the source of attacks, that doesn’t guarantee that the government had any involvement. Looking at a different cyber-conflict, there’s no doubt that Russians were behind the Estonian cyber attacks. But much of this activity was likely individuals within the country acting on nationalist sympathy, not a government-sponsored network of attackers. As Marcus Ranum has pointed out, cyber war is unlikely (PDF link).

Even if you assume that you have the right target, retaliating against them will simply escalate the level of hostilities, not calm it. The attackers will raise their level of attack and may practice asymmetric warfare, taking out not just government sites but commercial ones, as well. One of the best ways to change a government’s behavior is to hurt them financially or to turn the people against them.

Now consider a different scenario: someone tries to get two other countries to fight each other. One individual can buy access to 10,000 infected computers inside one of the countries. He then uses these to launch an attack against another country’s Internet sites. The second country then retaliates against the first. Voila! Cyber-war has erupted. In the current botnet economy, this would cost $500-$1000 (according to a presentation by Lenny Zeltser I can no longer find online).

Some people have questioned why North Korea has Internet connectivity at all. It would seem to be easy to find the choke points – ISPs providing service – and get them to disconnect Pyongyang. With the McColo situation, the bad guys just jumped on other ISPs and diversified. With North Korea, the people themselves are isolated from the rest of the world. But I would suspect that the benefits from a connected country outweigh the potential bad sides. It is much easier to get information out of the country via the Internet than physically. So there is a vested interest in us having an Internet connection out of North Korea – we can find out what goes on inside.

So the next time one of these cyber attacks happens and is hailed as the next step in cyber warfare, take a step back and really look at the players and the landscape. Consider what would be the best course of action. And remember that it is very difficult to determine who the attackers are, where they are located and what their motives are. Hopefully our policy makers will do the same.

Sunday, June 07, 2009

Blog Comment Spammer Strikes

There's a comment spammer hitting my blog. Some anti-virus company I've never heard of, possibly some rogue anti-malware. Lame. So I've turned on moderation for my old posts.

Saturday, February 09, 2008

Wordlist Manipulation

Today I wanted to append and/or prefix a brute-force wordlist with some numbers, to generate some likely passwords. I couldn't find a good program to do this, so I tried my hand at some shell scripting. I got too ambitious and tried to add functions to remove duplicates (using the 'uniq' Unix command), sort the list (using the 'sort' Unix command) and do replacement (using the 'sed' Unix command). But all of these proved too time consuming to do right. I didn't want to force the list to be sorted alphabetically in case it was already sorted in a different way (likelihood of use, for example), so the 'uniq' command was useless. And the 'sort' command is so easy you might as well just use it alone. I didn't feel like putting the time into developing the "replace" function since I don't use it all that often (except for capitalizing the first letter, but Brutus has a tool to do that). So here's my script. Don't laugh, it's the first coding I've done since DrScheme, about 5 years ago.

#!/bin/sh

## listperm.sh - Takes a wordlist and performs permutations on it
## Copyright (C) 2008 Beau Woods (beauwoods.com)
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 3 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program. If not, see http://www.gnu.org/licenses/.

## This script will take a wordlist and either prefix (-p) or append (-P)
## each line with each line of the file it is to be combined with. For
## modularity, it will generate new lists rather than overwriting the
## old ones.

## Command line options:
## -in [filename] - This is the wordlist you want to permutate.
## -out [filename] - This is the output file. It must not already exist.
## -p [filename] - This will prefix the wordlist with another list.
## -P [filename] - This will append the wordlist with another list.

infile=""
outfile=""
prefile=""
postfile=""
error=""
ops=0   ## number of permutation options (-p or -P) given; exactly one is allowed

while [ $# -gt 0 ]
do
	case "$1" in
	-in|-out|-p|-P)
		## Every option takes a filename; stop rather than shifting past
		## the end of the argument list when it is missing.
		if [ $# -lt 2 ]; then
			echo "Error: Option $1 requires a filename."
			error=1; break
		fi;;
	*) echo "Error: Unexpected Argument: $1"; error=1; break;;
	esac
	case "$1" in
	-in) infile=$2;;
	-out) outfile=$2;;
	-p) prefile=$2; ops=$((ops + 1));;
	-P) postfile=$2; ops=$((ops + 1));;
	esac
	shift 2
done

## The input file must be given and readable.
if [ -z "$infile" ]; then
	echo "Error: No input file specified."
	error=1
elif [ ! -r "$infile" ]; then
	echo "Error: Cannot read input file '$infile'."
	error=1
fi

## The output file must be given and must not exist yet. I don't want to
## clobber the file, so nothing is created until every check has passed.
if [ -z "$outfile" ]; then
	echo "Error: No output file specified."
	error=1
elif [ -e "$outfile" ]; then
	echo "Error: The output file already exists. Please delete it"
	echo "       and rerun the script."
	error=1
fi

## Exactly one permutation operation (-p or -P) must be requested.
if [ "$ops" -gt 1 ]; then
	echo "Error: Only one permutation option may be run at once."
	error=1
elif [ "$ops" -eq 0 ]; then
	echo "Error: One permutation option (-p or -P) is required."
	error=1
fi

if [ -n "$error" ]; then
	echo >&2
	echo "Options: -in [filename] -out [filename] -p [filename] -P [filename]"
	echo ""
	echo " This script will take a wordlist and either prefix (-p) or append (-P)"
	echo " each line with each line of the file it is to be combined with. For"
	echo " modularity, it will generate new lists rather than overwriting the"
	echo " old ones."
	echo ""
	echo " Command line options:"
	echo " -in [filename] - This is the wordlist you want to permutate."
	echo " -out [filename] - This is the output file. It must not already exist."
	echo " -p [filename] - This will prefix the wordlist with another list."
	echo " -P [filename] - This will append the wordlist with another list."
	echo ""
	exit 1
fi

## Decide which list goes in front. With -p the given list is the prefix and
## the input wordlist is appended to each of its lines; with -P the input
## wordlist goes first. This is done after validation so the arguments may
## come in any order without anything getting clobbered.
if [ -n "$prefile" ]; then
	addfile=$prefile
	postfile=$infile
else
	addfile=$postfile
	prefile=$infile
fi
if [ ! -r "$addfile" ]; then
	echo "Error: Cannot read list file '$addfile'." >&2
	exit 1
fi

#####
## OK, time to start doing work!
#####

## Combine the two lists: every line of $prefile followed by every line of
## $postfile. Lines are read one at a time rather than word-splitting the
## output of cat, so entries containing spaces or shell glob characters
## survive intact; the "|| [ -n ... ]" keeps a final line that has no
## trailing newline. printf is used instead of echo so that an entry such
## as "-n" is not mistaken for an option. The loop's output is redirected
## once, which is also what creates the output file.
while IFS= read -r word || [ -n "$word" ]; do
	while IFS= read -r tail || [ -n "$tail" ]; do
		printf '%s%s\n' "$word" "$tail"
	done < "$postfile"
done < "$prefile" > "$outfile"
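The two things the post gives up on, de-duplicating without re-sorting and capitalizing the first letter, are both one-liners in awk. Here is an added example (my own, not part of the original post or of listperm.sh) that does the same prefix/append combination as functions and adds those two steps. The awk `!seen[$0]++` idiom is what 'uniq' cannot do: it drops repeats while keeping the list in its original (likelihood) order. The sample lists are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: combine a wordlist with a
# list of affixes, capitalize, and de-duplicate without re-sorting.
# Assumes POSIX sh plus awk; lists are one entry per line.

# combine MODE WORDS AFFIXES
# Prints every WORDS x AFFIXES candidate, one per line, keeping the order of
# both lists. MODE is "prefix" (affix+word) or "suffix" (word+affix).
combine() {
    mode=$1 words=$2 affixes=$3
    case $mode in
        prefix|suffix) ;;
        *) echo "combine: mode must be prefix or suffix, not '$mode'" >&2; return 1 ;;
    esac
    # Line-based reads, so entries with spaces or glob characters survive;
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS= read -r w || [ -n "$w" ]; do
        while IFS= read -r a || [ -n "$a" ]; do
            if [ "$mode" = prefix ]; then
                printf '%s%s\n' "$a" "$w"
            else
                printf '%s%s\n' "$w" "$a"
            fi
        done < "$affixes"
    done < "$words"
}

# dedup: drop repeated lines but keep first-occurrence order. This is what
# "sort | uniq" cannot do when the list is already ordered by likelihood.
dedup() {
    awk '!seen[$0]++'
}

# capfirst: upper-case the first character of every line.
capfirst() {
    awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) }'
}

# generate WORDS AFFIXES: the full pipeline, capitalized words with each
# affix appended. Duplicates created by capitalization collapse to one entry.
generate() {
    tmp=$(mktemp)
    capfirst < "$1" | dedup > "$tmp"
    combine suffix "$tmp" "$2"
    rm -f "$tmp"
}

# count_lines: line count without wc's platform-dependent padding.
count_lines() {
    awk 'END { print NR }'
}

# make_samples: constructed sample lists (not real data) in a temp dir;
# prints the directory name.
make_samples() {
    dir=$(mktemp -d)
    # "Password" duplicates "password" once capitalized; order is preserved.
    printf '%s\n' password welcome Password 'pass word' > "$dir/words.txt"
    printf '%s\n' 1 123 2008 > "$dir/nums.txt"
    echo "$dir"
}

# Stand-alone run: print the generated candidates and clean up.
demo_dir=$(make_samples)
generate "$demo_dir/words.txt" "$demo_dir/nums.txt"
rm -rf "$demo_dir"
```

Running it on the sample lists yields nine candidates (Password1 through "Pass word2008"), not twelve: the duplicate introduced by capitalizing "password" and "Password" is removed once, and the remaining entries keep the order the wordlist had.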