Monthly Archives: December 2017

PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers

Global e-commerce business PayPal has disclosed a data breach that may have compromised personally identifiable information for roughly 1.6 million customers at a payment processing company PayPal acquired earlier this year.

PayPal Holdings Inc. said Friday that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential parts where the personal information of TIO’s customers and of customers of TIO’s billers was stored.

Acquired by PayPal for US$233 million in July 2017, TIO Networks is a cloud-based, multi-channel bill payment processor and receivables management provider that serves the largest telecom, wireless, cable and utility bill issuers in North America.


PayPal did not say when or how the breach took place, nor did it reveal what types of information were stolen, but the company did confirm that its own platform and systems were not affected by the incident.

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” PayPal said in its press release [PDF].

The breach at TIO Networks was discovered as part of an ongoing investigation into security vulnerabilities in the bill payment platform.


As soon as PayPal identified unauthorized access to TIO’s network, it took action by “initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO’s bill payment platform,” the PayPal press release [PDF] reads.

The company has begun working with the billers it serves to notify potentially affected customers.


Besides notification, the company is also working with the consumer credit reporting agency Experian to provide free credit monitoring and identity theft protection to those affected by the breach.

To protect its customers, TIO has also suspended its services until a full-scale investigation into the incident is completed.

“At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills,” TIO’s Consumer FAQ reads.

“We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”

Since the investigation is ongoing, PayPal says it will contact TIO customers and merchant partners directly as soon as it has more details on the incident.


via:  thehackernews

Lawsuits Filed for Alleged HIPAA and HITECH Act Violations

Two lawsuits have been filed against healthcare organizations over alleged HIPAA and HITECH Act violations.

60 Hospitals Named in Lawsuit Alleging HITECH Act Violations

A recently unsealed complaint, filed in a U.S. District Court in Indiana in 2016, seeks more than $1 billion in damages from 60 hospitals that received HITECH Act meaningful use incentive payments for transitioning to electronic health records, yet failed to meet the requirements of the HITECH Act with respect to providing patients, and their legal representatives, with copies of health records promptly on request.

One of the requirements for receiving incentive payments was for hospitals to attest that, for at least 50% of patients, they could provide copies of medical records within 3 business days of the request. When copies of health records are requested, the HITECH Act only permits healthcare organizations to charge for the labor cost of supplying them.

Michael Misch and Bradley Colborn, attorneys with Anderson, Agostino & Keller, P.C., of South Bend, Indiana, investigated hospitals after growing frustrated with delays in obtaining copies of health records on their clients’ behalf, and with the amounts being charged for those copies.

The aim of the investigation was to streamline requests, reduce the time taken to obtain copies of health records, and reduce the cost of accessing those records. However, the investigation revealed that many hospitals were failing to meet the requirements of the HITECH Act, even though they had received incentive payments for compliance.

In the complaint, it is alleged that the 60 hospitals received $324.4 million in HITECH Act grant funding, yet failed to meet the requirements of the HITECH Act when it came to providing patients with copies of their health records. The lawsuit also alleges the hospitals violated the Anti-Kickback Statute and the False Claims Act by falsely claiming compliance with the HITECH Act to gain access to public funding.

Patient Sues BJC Health System Over Barnes-Jewish Hospital Breach

A patient whose protected health information was exposed as a result of a security breach at Barnes-Jewish Hospital in St. Louis, MO, has filed a complaint in the St. Louis Circuit Court against the hospital operator, BJC Health System.

Megan L. Rosemann claims BJC Health System allowed unauthorized individuals to gain access to the protected health information of patients and failed to adequately protect patient data. She alleges BJC Health System was negligent and breached its fiduciary duty.

Rosemann claims the exposure of her information places her at an increased risk of identity theft, abuse, and exploitation. The lawsuit names Rosemann as the plaintiff, along with other individuals affected by the breach. Rosemann is seeking a class certification and trial by jury. A jury trial has been scheduled for May 14, 2018.

BJC Healthcare reported the unauthorized accessing of an email account to the Department of Health and Human Services’ Office for Civil Rights on February 26, 2016. The breach impacted 2,393 patients. The case is still marked as under investigation by OCR.


via:  hipaajournal

Your Holiday Cybersecurity Guide

Many of us are visiting parents and relatives this Thanksgiving/Christmas, and will have an opportunity to help them with cybersecurity issues. I thought I’d write up a quick guide to the most important things.

1. Stop them from reusing passwords

By far the biggest threat to average people is that they re-use the same password across many websites, so that when one website gets hacked, all their accounts get hacked.

To demonstrate the problem, go to haveibeenpwned.com and enter your relatives’ email addresses. This will show them the sites where their password has already been stolen, like LinkedIn, Adobe, etc. That should convince them of the severity of the problem.


They don’t need a separate password for every site. For the majority of websites, you don’t care whether the account gets hacked. Use a common password for all the meaningless sites. You only need unique passwords for important accounts, like email, Facebook, and Twitter.

Write down passwords and store them in a safe place. Sure, it’s a common joke that people in offices write passwords on Post-It notes stuck on their monitors or under their keyboards. This is a common security mistake, but that’s only because the office environment is widely accessible. Your home isn’t, and there are plenty of places to store written passwords securely, such as in a home safe. Even if it’s just a desk drawer, such passwords are safe from hackers, because they aren’t on a computer.


Write them down, with pen and paper. Don’t put them in a MyPasswords.doc, because when a hacker breaks in, they’ll easily find that document and use it to take over your accounts.


You might help them out with getting a password manager (LastPass), or two-factor authentication (2FA). Good 2FA like a YubiKey will stop a lot of phishing threats. But this is difficult technology to learn, and of course, you’ll be on the hook for support issues, such as when they lose the device. Thus, while 2FA is best, I’m only recommending pen-and-paper to store passwords. (AccessNow has a guide, though I think YubiKey/U2F keys for Facebook and GMail are the best.)

2. Lock their phone (passcode, fingerprint, faceprint)

You’ll lose your phone at some point. It has the keys to all your accounts, like email and so on. With your email, phone thieves can then reset passwords on all your other accounts. Thus, it’s incredibly important to lock the phone.

Apple has made this especially easy with fingerprints (and now faceprints), so there’s little excuse not to lock the phone.

Note that Apple iPhones are the most secure. I give my mother my old iPhones so that they will have something secure.

My mom demonstrates a problem you’ll have with the older generation: she doesn’t reliably have her phone with her, and charged. She’s the opposite of my dad, who is religiously devoted to his phone. Even a small change like making her lock her phone means it’ll be even more likely she won’t have it with her when you need to call her.

3. WiFi (WPA)

Make sure their home WiFi is WPA2 encrypted (WEP is broken and is no better than an open network). It probably already is, but it’s worthwhile checking.

The password should be written down on the same piece of paper as all the other passwords. This is important. My parents just moved, Comcast installed a WiFi access point for them, and they promptly lost the piece of paper. When I wanted to debug something on their network today, they didn’t know the password, and couldn’t find the paper. Get that password written down in a place it won’t get lost!

Discourage them from extra “security” features like “SSID hiding” and/or “MAC address filtering”. They provide no security benefit, and actually make security worse. Hiding the SSID means a phone has to advertise it in probe requests when away from home, and MAC filtering makes MAC address randomization harder, both of which allow the phone to be tracked.

If they have a really old home router, you should probably replace it, or at least update the firmware. A lot of old routers have known vulnerabilities that let hackers (like me, masscanning the Internet) break in easily.

4. Ad blockers or Brave


Most of the online tricks that will confuse your older parents come via advertising, such as popups claiming “You are infected with a virus, click here to clean it”. Installing an ad blocker in the browser, such as uBlock Origin, stops almost all of this nonsense.


For example, here’s a screenshot (not reproduced here) of going to the “Speedtest” website to test the speed of my connection (I took this on the plane on the way home for Thanksgiving). Ignore the error (the plane’s firewall blocks Speedtest); instead look at the advertising banner across the top of the page insisting you need to download a browser extension. This is tricking you into installing malware: the ad appears as if it’s a message from Speedtest, but it’s not. Speedtest is just selling advertising and has no clue what the banner says. This sort of thing needs to be blocked; it fools even the technologically competent.

uBlock Origin for Chrome is the one I use. Another option is to replace their browser with Brave, a browser that blocks ads, but at the same time, allows micropayments to support websites you want to support. I use Brave on my iPhone.

A side benefit of ad blockers or Brave is that web surfing becomes much faster, since you aren’t downloading all this advertising. The smallest NYtimes story is 15 megabytes in size due to all the advertisements, for example.


5. Cloud Backups

Do backups, in the cloud. It’s a good idea in general, especially with the threat of ransomware these days.

In particular, consider your photos. Over time, they will be lost, because people make no effort to keep track of them. All hard drives eventually crash, taking your photos with them. Sure, a few key ones are backed up on Facebook for life, but the rest aren’t.

There are so many excellent online backup services out there, like Dropbox and Backblaze. Or, you can use the iCloud feature that Apple provides. My favorite is Microsoft’s: I already pay $99 a year for an Office 365 subscription, and it comes with 1 terabyte of online storage.

6. Separate email accounts

You should have three email accounts: work, personal, and financial.

First, you really need to separate your work account from personal. The IT department is already getting misdirected emails with your spouse/lover that they don’t want to see. Any conflict with your work, such as getting fired, gives your private correspondence to their lawyers.

Second, you need a wholly separate account for financial stuff, like Amazon.com, your bank, PayPal, and so on. That prevents confusion with phishing attacks.

Consider this warning (the original post shows a screenshot here, not reproduced):

If you had split accounts, you could safely ignore this. The USPS would only have your financial email address, which gets no phishing attacks, because it’s not widely known. When you receive the phishing attack on your personal email, you ignore it, because you know the USPS doesn’t know your personal email address.

Phishing emails are so sophisticated that even experts can’t tell the difference. Splitting financial from personal emails makes it so you don’t have to tell the difference — anything financial sent to personal email can safely be ignored.

7. Deauth those apps!

Twitter user @tompcoleman comments that we also need to deauthorize apps.

Social media sites like Facebook, Twitter, and Google encourage you to enable “apps” that work with their platforms, often demanding permission to post messages on your behalf. The typical scenario is that you use them only once or twice and forget about them.

A lot of them are hostile. For example, my niece’s Twitter account would occasionally send out advertisements, and she didn’t know why. It’s because a long time ago, she enabled an app with the permission to send tweets for her. I had to sit down and get rid of most of her apps.

Now would be a good time to go through your relatives’ Facebook, Twitter, and Google/GMail accounts and disable those apps. Don’t be afraid to be ruthless; they probably weren’t using them anyway. Some will still be necessary. For example, Twitter for iPhone shows up in the list of Twitter apps. The URL for editing these apps for Twitter is https://twitter.com/settings/applications.

The Google link is here (thanks @spextr). I don’t know of a simple URL for Facebook, but you should find it somewhere under privacy/security settings.

Update: Here’s a more complete guide covering even more social media services:
https://www.permissions.review/

8. Up-to-date software? maybe

I put this last because it can be so much work. You should install the latest OS (Windows 10, macOS High Sierra), and also turn on automatic patching.


But remember it may not be worth the huge effort involved. I want my parents to be secure, but not so secure that I have to deal with issues.

For example, when my parents updated their HP printer software, the icon on the desktop my mom usually uses to scan things from the printer disappeared, and I needed to spend 15 minutes with her finding the new way to access the software.

However, I did get my mom a new netbook to travel with instead of the old WinXP one. I want to get her a Chromebook, but she doesn’t want one.

For iOS, you can probably make sure their phones have the latest version without having these usability problems.

Conclusion

You can’t solve every problem for your relatives, but these are the more critical ones.


via:  erratasec

Apple fixes bug in new version of Mac operating system within 24 hours

A day after a researcher disclosed a huge login security flaw in the latest version of Apple’s macOS High Sierra operating system, the company said that it would review its software development process. On November 29, 2017, Apple said it had released a patch for the password bug (CVE-2017-13872) that would be installed automatically on vulnerable machines. The bug let anyone log in to a Mac as root without a password.

The bug was discovered by a Turkish software developer, Lemi Orhan Ergin, who took to the micro-blogging site Twitter to report the issue. He tweeted “Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

Ergin’s tweet went viral in no time and had 12,744 retweets at the time this report was published. In an article on Medium.com, Ergin elaborated on the story behind the “anyone can login as root” tweet. He wrote “On Nov 23, the staff members informed Apple about it (bug issue). They also searched online and saw the issue mentioned in a few places already, even in Apple Developer Forum from Nov 13. It seemed like the issue had been revealed, but Apple had not noticed yet.”

Apple released the patch within 24 hours of its security engineers learning of the bug on November 28, 2017, following Ergin’s tweet.

In a statement, the U.S. technology giant said, “We greatly regret this error and we apologize to all Mac users. Our customers deserve better. We are auditing our development processes to help prevent this from happening again. Security is a top priority for every Apple product, and regrettably we stumbled with this release of Mac OS”.

Immediately after the bug report spread, the U.S. and German governments issued alerts advising Mac users to install the patch. Apple stock was reported down 2.6 percent at $168.55 on November 29, 2017.

Earlier this month, Apple was left red-faced when its newly launched iOS 11.1 and Safari were hacked several times by security researchers at the Pwn2Own hacking competition in Tokyo.


via:  cisomag

Coinbase Ordered to Hand Over Details of 14,355 Users to the IRS

A judge has ordered digital currency broker Coinbase to hand over the details of 14,355 users to the Internal Revenue Service (IRS).

Filed on 28 November with the U.S. District Court for the Northern District of California, the court order (PDF) requires Coinbase to provide information on 8.9 million transactions involving more than 14,000 of its users to the federal revenue service. The summons applies to accounts that completed at least one transaction of at least $20,000 in Bitcoin between 2013 and 2015. It does not apply to users who merely bought Bitcoin and did nothing with it, or to those for whom Coinbase filed Forms 1099-K during the same period.

The information covered in the order includes account activity, periodic invoices, and key identifying information such as a wallet owner’s name, address, tax identification number, date of birth, and copies of their passport or driver’s license.

The IRS filed the request to reconcile a tax disparity. Users are supposed to pay capital gains tax on cryptocurrency transactions, since the IRS treats such currency as property. However, the IRS has documentation indicating that not everyone who engaged in a cryptocurrency transaction paid what they owed.

The court order makes this legal purpose clear:

The Narrowed Summons serves the legitimate purpose of investigating the “reporting gap between the number of virtual currency users Coinbase claims to have had during the summons period” and “U.S. bitcoin users reporting gains or losses to the IRS during the summoned years.” (Dkt. No. 65 at 11:4-6.) Coinbase is the largest U.S. exchange of bitcoin into dollars with at least 5.9 million customers served and 6 billion in transactions while only 800 to 900 taxpayers a year have electronically filed returns with a property description related to bitcoin from 2013 through 2015. This discrepancy creates an inference that more Coinbase users are trading bitcoin than reporting gains on their tax returns.

This decision is the latest development in a case the IRS opened in November 2016. At the time, the federal revenue service demanded information on all U.S. Coinbase users. Coinbase challenged that summons and a judge agreed, which led the IRS to file this narrower summons. Coinbase challenged it again, but this time the court ruled against its position.

At this time, it’s unclear how Coinbase will proceed with handing over the information.

News of this ruling follows several months after a U.S. District Court in the District of Connecticut ordered two Bitcoin mining companies to each pay a $10 million penalty for conducting a Ponzi scheme orchestrated by their principal.


via:  tripwire