Monthly Archives: May 2015

We don’t cover stupid, says cyber insurer that’s fighting a payout

In 2013, California healthcare provider Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of patients’ files potentially open and exposed on the internet.

Those files included patients’ names, addresses, dates of birth, and in a few cases, their diagnosis, lab results and procedures performed.

Cottage was sued, along with inSync, a Laguna Hills-based company responsible for putting the records in a secure location online.

Imagine the expenses rolling in: Class action lawsuit, ka-ching!

Cyber forensic investigators to figure out what happened, security consultants to analyse and scrub the malware away, affected patients notified and (typically, at any rate) offered credit monitoring services, business lost due to newly cautious customers – all of it costs big bucks, ka-ching, ka-ching!

Good thing the healthcare provider had insurance to cover such a data breach, eh?

Well, it would have been a bit of a relief, if the insurer hadn’t scratched its head and shrugged its shoulders, pointing to a clause in the policy that means it doesn’t have to pay out when the insured party has been bone-headed about its security.

Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy.

Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”

The patient data had been exposed for about two months, starting in October 2013.

It’s not like the company was jumped on by cyber attackers, per se. Rather, the data was accessible via the public internet and to Google search.

That makes it tough to know who might have accessed the data.

In fact, anyone could have viewed the records during those two months, the complaint states, adding that the “extent of the breach is enormous.”

While Cottage is looking for about $4 million (about £2.6 million) from its insurer to cover both damages related to the incident as well as potential fines from a Department of Justice investigation of possible violations of HIPAA – the federal Health Insurance Portability and Accountability Act – Columbia is looking to recoup anything it has to pay out.

Some of the alleged security failings that Columbia is hoping will get it out of paying damages:

  • Cottage and its third-party vendor, inSync, allegedly failed “to continuously implement the procedures and risk controls identified in its application” for the coverage, including configuration and change management for Cottage’s IT systems as well as regular patch management.
  • Alleged failure to regularly “re-assess its information security exposure and enhance risk controls”.
  • Alleged failure to “deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers.”
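
Both alleged gaps, records reachable by anyone who “surfed” the internet and no system to detect access to them, leave traces in ordinary web server access logs, and a crawler fetching the files is exactly how they end up in Google search. The script below is an added example, not code from the Sophos article or from Cottage, inSync or Columbia: it scans constructed Apache/nginx-style log lines for 2xx responses on a records path that were served with no session cookie or to a known search-engine crawler. The path prefix, the cookie name, the extra cookie column in the log format and the sample lines are all assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Apache/nginx "combined" format with one extra quoted
# column for the Cookie header (%{Cookie}i). Not real Cottage traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2013:10:14:02 -0700] "GET /records/patient/10443.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [08/Oct/2013:10:14:09 -0700] "GET /records/patient/10443.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0" "session=8f3a9c"
66.249.66.1 - - [08/Oct/2013:11:02:33 -0700] "GET /records/ HTTP/1.1" 200 9130 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
66.249.66.1 - - [08/Oct/2013:11:02:35 -0700] "GET /records/patient/10444.pdf HTTP/1.1" 200 50120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
203.0.113.7 - - [08/Oct/2013:10:15:00 -0700] "GET /records/patient/99999.pdf HTTP/1.1" 404 512 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [08/Oct/2013:10:16:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

SENSITIVE_PREFIX = "/records/"   # assumed location of the exposed files
SESSION_COOKIE = "session="      # assumed name of the application's auth cookie
CRAWLER_MARKERS = ("Googlebot", "bingbot", "Baiduspider")  # well-known crawler UA substrings


@dataclass(frozen=True)
class Finding:
    kind: str   # "unauthenticated" or "crawler"
    ip: str
    path: str
    ua: str


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Report every successful response on the sensitive path that was served either
    without a session cookie (anonymous access) or to a search-engine crawler (indexing)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIX):
            continue
        if not rec["status"].startswith("2"):
            continue  # a 403/404 means the control held or the file does not exist
        if any(mark in rec["ua"] for mark in CRAWLER_MARKERS):
            findings.append(Finding("crawler", rec["ip"], rec["path"], rec["ua"]))
        elif SESSION_COOKIE not in rec["cookie"]:
            findings.append(Finding("unauthenticated", rec["ip"], rec["path"], rec["ua"]))
    return findings


def summarize(findings):
    """Count findings per kind: the first unauthenticated hit is an alert, the crawler
    hits are the list of files to expect in search results."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:16s} {f.ip:15s} {f.path}")
    print(summarize(found))
```

Run it on a schedule against the live log or express the same two conditions as a SIEM rule; either way, the first anonymous 200 on the records path is the kind of alert the complaint says Cottage had no system to raise, and the crawler hits tell you which files are already cached elsewhere and must be handled as disclosed, not merely re-secured.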

Data breaches are proliferating, and the associated costs are exploding.

According to a study released on Wednesday by the Ponemon Institute and paid for by IBM, the average cost of a data breach has reached $3.8 million (about £2.5 million).

Businesses’ general liability policies typically don’t cover those costly data breaches.

All of which points to cyber insurance being a wise choice – potentially, if you can find one that doesn’t wiggle its way out of paying for the vast majority of data breaches a business may well endure.

In fact, AON PLC, the world’s largest reinsurance broker, claimed in October 2014 that the cyber insurance market was at the time growing at 38% annually.

But oh, those gotchas – they can kick you right in the shins right when you need that policy the most.

As Dark Reading notes in its interview with Linde and Jake Kouns of Risk Based Security, insurers can weasel out of covering data breaches for a host of reasons, including:

  • Not paying retroactively.
    Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts.
  • Terrorism/act of foreign enemy exclusions.
    Many cyber attacks originate from outside a country’s borders, and many of them are believed to be state sponsored. Depending on the policy’s wording, your organization could be left high and dry. Experts advise negotiating the removal of such exclusions to ensure organizations are covered by an attack coming from outside the country.
  • Lack of coverage for negligence.
    Insurers are starting to cover only data theft, not negligence. If an employee loses a laptop with sensitive data, some policies won’t cover it.

Those are just a few of the things to watch out for when purchasing cyber insurance.

It’s a new, growing insurance product, and that means it’s still evolving.

It’s worth getting, but it should go without saying that getting insurance doesn’t mean the job of securing data is done.

That’s just one tick mark on a list of securing an organization’s digital assets.

If Columbia’s allegations of Cottage and inSync’s security failings are true, who can blame the insurer for not paying out?



Via: sophos

Google Brings Turn-By-Turn Directions To Offline Maps

Google just announced that turn-by-turn directions will soon be accessible from Maps even when you don’t have a data connection.

Rounding out a series of announcements about improvements to the offline experience of its major mobile apps for regions without reliable, fast wireless infrastructure, like saving search results in Chrome or the ability to save videos from YouTube, Google announced that Maps will soon provide turn-by-turn navigation for routes saved for offline use (or when you completely lose your connection in the middle of nowhere).

That’s a boon for those traveling off the beaten path or visiting countries without the LTE coverage Western users have come to expect. Since GPS doesn’t rely on the wireless network, your phone will still be able to figure out where you are as well as calculate things like time remaining or when to turn as long as you saved the route to your phone.



Via: techcrunch

Amazon Expands Same-Day Delivery To New Markets, Drops Price To Free For Orders Over $35

Amazon says today it will expand its same-day delivery service covering around 1 million items to two new markets, San Diego and Tampa Bay, while also reducing the price to free for orders over $35. The company already offers same-day delivery in several regions, including New York, Philadelphia, San Francisco (and the Bay area, including Oakland), Seattle, Atlanta, Boston, Baltimore, Dallas-Ft. Worth, Indianapolis, Los Angeles, Phoenix, and Washington, D.C.

Previously, the cost to use this service was a flat $5.99 for Amazon Prime members, who also pay the $99 annual fee to participate in Amazon’s larger membership program which includes free two-day shipping on over 20 million items, plus other benefits like access to Prime Instant Video, Prime Music, a Kindle lending library, and more.

Meanwhile, non-members will continue to pay $8.99 plus $0.99 per unit when requesting same-day delivery. Orders, which can be placed seven days a week, have to be submitted by noon to be received by 9 PM that day.

This expansion is separate from Prime Now, an even quicker delivery program which offers thousands of everyday items, including household needs and gifts, in select markets. Prime Now currently operates in parts of New York City, Miami, Baltimore, Dallas, Atlanta, and Austin. With Prime Now, orders are delivered within two hours for free, or within the hour for $7.99.

Amazon’s move to make same-day delivery an option for more of the U.S. – now 500 cities and towns, notes Geekwire in their report – comes at a time when a number of competitors, including Postmates, Deliv, Uber and Lyft are also offering alternative ways to help people shop by leveraging their network of on-demand couriers and drivers who can pick up from local stores and deliver to nearby customers. Amazon, meanwhile, has historically placed its fulfillment centers outside of metro areas – a practice it’s now trying to change as the competition heats up.


Via: techcrunch

Google Photos’ Unlimited Free Storage Could Clobber Apple’s Expensive iCloud

How much does a terabyte of photo storage cost? On iCloud, $240 a year. Dropbox, $100. Microsoft OneDrive, $84.

Google, $0. It’s free on desktop, Android and iOS.

Today, Google announced its new Google Photos product, which offers unlimited free storage of photos and videos. The only limits are that photos must be under 16 megapixels, and video resolution is capped at 1080P.

If the photos and videos are bigger, Google will compress them, but says the visual quality is virtually untouched. With auto-backup from its iOS and Android apps, you can forget worrying about saving your photos, and you can forget paying to store them.

Photos Are A Computer Vision Goldmine

Other services are still trying to make money more directly from photos. Flickr offers 1 terabyte free, but you and your viewers have to endure frequent full-page ads from its parent company Yahoo. Amazon offers free unlimited storage, but you have to buy a $99 a year Prime subscription.

But Google is willing to throw its money around. It earns enough on search ads that it can completely subsidize photo storage as a long-term investment. Google knows that photos are a gold mine. They contain an immense amount of information about the people who took them that could be used to target ads and personalize experiences…if you have the tools to mine them.

Google does. Its advanced computer vision, machine learning, artificial intelligence, and other technologies will let it determine what people, places, and things are in photos, and tie that data to your identity. Pics of you with your favorite soda or a motorcycle could tell it what to show you in ads. Locations ID’d by landmarks could help it predict what you’re searching for. And selfies with friends could clue Google in to who it should recommend you share something with.

The app even does the hard work of editing and curating photos. Its “Assistant” feature can balance out overexposure, turn burst shots into GIFs, and make little movies from your adventures. While pure file storage may have become a commodity anyone can offer, Google Photos does a lot that only the search giant could pull off.

According to interviews with Google VP Bradley Horowitz by Backchannel’s Steven Levy, the computer vision isn’t perfect yet, but that’s kind of the point of this launch. “The key to getting that last percentage which tips it over will come now, when we deploy it at scale. Getting all that data will create a virtuous cycle of getting better and better,” Horowitz says.

Tech So Good It Doesn’t Need To Understand Us

By tempting us with free storage, Google could get massive dumps of our media that will educate its machine vision system while making its ads and products better. And since you won’t want to move your massive archive of memories, Google Photos could bind you tighter to its family of apps and services. Some might worry about giving Google so much information, but we’ve already let it host our email, and that hasn’t turned out so badly.

Google is often criticized for not “getting” humans. But Photos ties together some of its most powerful technologies so it doesn’t have to. Storage, editing, organization and search all happen automatically. There’s no need for manually moving files, correcting colors, tagging subjects, or rifling through reams of pictures.

That’s what makes Google Photos perfect for the casual photographer. They don’t have to do anything but point and shoot to make memories that last forever, for free.


Via: techcrunch

IRS discloses breach, attackers used PII to clear security checks

100,000 taxpayers affected, criminals used personal information to clear various security checks.

On Tuesday, the Internal Revenue Service (IRS) disclosed a data breach that affects 100,000 taxpayers. In a statement on the matter, the IRS said that the attackers were able to access information through the “Get Transcript” application, but added that the systems responsible for tax filing submissions remain secure.

The IRS says that the attackers were able to clear “a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems.”

The IRS also says that additional security checks, which include personal identity verification questions typically known only by the taxpayer, were also cleared by the attackers – suggesting they were armed with all the details needed via previous acts of fraud, phishing, or targeted reconnaissance.

In all, the IRS detected some 200,000 attempts by the attackers to access information via the Get Transcript system, and determined that at least 100,000 individuals had their details exposed.

“On the Get Transcript application, a further review by the IRS identified that these attempts were quite complex in nature and appear to have started in February and ran through mid-May. In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”

The incident was discovered late last week, and the IRS says that the Get Transcript application has been shut down and will remain offline until it can be properly secured.

As for notification, the IRS will be sending letters to all accounts that were accessed directly, or where access was attempted. Of the 200,000 letters that will be sent via USPS, 100,000 of them will include an offer for one year of free credit monitoring.

It’s important to note, and this cannot be stressed enough, that any contact from the IRS about this matter will only come via the US Postal Service (USPS). The IRS does not use email or telephone to contact taxpayers, especially where security is concerned.

Given the way the data was accessed, it’s clear the attackers were able to use some form of phishing or social engineering to gain access to the required information. It’s also possible that they leveraged previously breached records or public sources of information. Perhaps both options are valid.

Either way, this breach is a perfect example of why it’s a bad idea to use commonly available personal information as a security check.
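
The IRS statement describes the tell-tale shape of the abuse: roughly 200,000 attempts from “questionable email domains”, more than half of them clearing every knowledge-based step. Because the answers were correct, each attempt on its own looks like a genuine taxpayer; the signal is in the aggregate, how many distinct taxpayers one email domain or one source address is looking up and how cleanly they pass. The script below is an added example, not IRS code or data: it reads constructed authentication events, profiles them per email domain and per source IP, and flags keys whose fan-out or pass rate is out of line with one household checking its own records. The CSV layout, the thresholds and the sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of knowledge-based authentication (KBA) events for a
# transcript-style service. Not IRS data. One row per attempt: when, the
# requester's email, source IP, the taxpayer being looked up (tokenised here),
# and whether every step (SSN, DOB, filing status, address, ID questions) passed.
SAMPLE_EVENTS = """\
ts,email,src_ip,taxpayer,passed
2015-03-01T09:00:01,alice@example.org,198.51.100.10,T0001,1
2015-03-01T09:05:00,bob@example.net,198.51.100.11,T0002,1
2015-03-01T09:06:00,bob@example.net,198.51.100.11,T0002,0
2015-03-01T10:00:00,aa1@bulkmail.example,203.0.113.5,T1001,1
2015-03-01T10:00:03,aa2@bulkmail.example,203.0.113.5,T1002,1
2015-03-01T10:00:06,aa3@bulkmail.example,203.0.113.5,T1003,0
2015-03-01T10:00:09,aa4@bulkmail.example,203.0.113.5,T1004,1
2015-03-01T10:00:12,aa5@bulkmail.example,203.0.113.6,T1005,1
2015-03-01T10:00:15,aa6@bulkmail.example,203.0.113.6,T1006,1
2015-03-01T10:00:18,aa7@bulkmail.example,203.0.113.6,T1007,1
2015-03-01T10:00:21,aa8@bulkmail.example,203.0.113.6,T1008,0
"""

# Thresholds are assumptions for the example; in production they come from a
# baseline of genuine traffic.
MIN_ATTEMPTS = 4            # too little traffic to judge below this
MAX_TAXPAYERS_PER_KEY = 3   # one household rarely pulls transcripts for more than a few people
MAX_PASS_RATE = 0.6         # genuine users mistype, miss a question, retry


def load_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["passed"] = r["passed"] == "1"
    return rows


def profile(events, key_fn):
    """Aggregate attempts, passes and distinct taxpayers per key (domain or IP)."""
    stats = defaultdict(lambda: {"attempts": 0, "passes": 0, "taxpayers": set()})
    for e in events:
        s = stats[key_fn(e)]
        s["attempts"] += 1
        s["passes"] += int(e["passed"])
        s["taxpayers"].add(e["taxpayer"])
    return stats


def suspicious(stats):
    """Keys whose fan-out across identities or pass rate does not look like one
    household checking its own records. No single event is distinguishable from a
    genuine one, because the KBA answers were right; only the aggregate tells."""
    flagged = {}
    for key, s in stats.items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        rate = s["passes"] / s["attempts"]
        reasons = []
        if len(s["taxpayers"]) > MAX_TAXPAYERS_PER_KEY:
            reasons.append(f"{len(s['taxpayers'])} distinct taxpayers")
        if rate > MAX_PASS_RATE:
            reasons.append(f"pass rate {rate:.0%}")
        if reasons:
            flagged[key] = reasons
    return flagged


def email_domain(e):
    return e["email"].rsplit("@", 1)[-1].lower()


def source_ip(e):
    return e["src_ip"]


def analyse(text):
    """Profile the same events two ways; either view alone can miss a ring that
    rotates addresses or domains."""
    events = load_events(text)
    return {
        "by_domain": suspicious(profile(events, email_domain)),
        "by_ip": suspicious(profile(events, source_ip)),
    }


if __name__ == "__main__":
    for scope, hits in analyse(SAMPLE_EVENTS).items():
        for key, reasons in hits.items():
            print(f"{scope}: {key}: {', '.join(reasons)}")
```

The fan-out rule is the more robust of the two: a fraud ring holding complete dossiers can drive its pass rate as high as it likes, but it cannot look up thousands of strangers’ transcripts without looking up thousands of distinct taxpayers. Velocity checks like this only limit harm after the fact, though; the underlying fix is the one the article argues for, which is not treating SSN, date of birth and address as secrets at all.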

“The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season,” a statement from the IRS explained.

Via: csoonline

Lavaboom Is Another Zero Access Encrypted Email Service Hosted In Germany

The post-Snowden boom in strongly encrypted services continues. To wit: Lavaboom, a made-in-Germany encrypted email service, which is currently in beta and seeking a $100,000 crowdfunding raise via Indiegogo to get a fully featured product to market.

Co-founder, Felix Müller-Irion, says the idea for Lavaboom came in the wake of U.S. encrypted email service Lavabit’s shut down back in 2013. Building a similar service in Germany, with its robust privacy laws, was the business opportunity the team spied.

“I came to the conclusion that encrypted email is the only way to go forward with this,” says Müller-Irion. “German privacy laws are among the best in the world. There would be huge public outrage if they were to be overlooked.”

They’re not the only Europeans with this idea; others playing in the end-to-end encrypted email space include the likes of Tutanota (also German) and Swiss-based ProtonMail, to name two.

Lavaboom is aiming to differentiate its zero knowledge, PGP end-to-end encrypted email service by focusing on simplifying the user experience. Users don’t need to trouble themselves with manually generating and exchanging encryption keys.

“We focus a lot on UX and UI, so we actually put the design process into the front of our minds. I’m from a UI and UX background… It’s focused on giving the users the best possible experience with the least amount of friction possible,” says Müller-Irion.

“We use JavaScript. All encryption happens on your browser… We as a company can’t look into the contents of your emails because they will be encrypted and decrypted only on your device,” he adds. “We focus on integrating known standards, on the PGP encryption tool… That’s what we use on all our assets.”

Metadata is also obfuscated via Lavaboom so that it appears as if the address it was sent from comes from the startup’s offices in Cologne — a partial solution to the hard problem of securing email metadata (Lavabit’s founders are working on reworking email messaging protocols to develop a secure end-to-end messaging protocol that can provide encryption of both message content and the email in transit — aka the Dark Mail project).
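
The property the founder describes, encryption and decryption only on the user’s device with the company unable to read stored mail, comes down to where key material is created and which side only ever holds ciphertext. The following is an added example, not Lavaboom’s code: a client side that derives keys from the user’s passphrase and seals each message, and a mail store that just files opaque blobs. It is a simplified stand-in for the OpenPGP hybrid scheme the service says it uses (a symmetric key derived from a passphrase instead of the recipient’s public key, and HMAC-SHA256 in counter mode with encrypt-then-MAC instead of an OpenPGP cipher suite) so that it runs on the Python standard library alone; the names and the sample message are assumptions.

```python
import hashlib
import hmac
import os

# Illustrative zero-access design. The symmetric construction (PBKDF2 -> HMAC
# keystream + HMAC tag) is stdlib-only so the example runs anywhere; a real
# client would use a vetted AES-GCM or OpenPGP implementation. The point is the
# split: keys exist only on the client, the server only ever stores blobs.

def derive_keys(passphrase, salt, iterations=200_000):
    """Client side: stretch the passphrase into a separate encryption key and MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode. A nonce must never repeat under one key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def client_seal(passphrase, plaintext):
    """Runs on the user's device. The output contains nothing the server can reverse."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + body + tag


def client_open(passphrase, blob):
    """Runs on the user's device; checks the tag in constant time before decrypting."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or tampered message")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))


class MailStore:
    """The provider's side: files and returns opaque blobs. It holds no keys, so a
    subpoena or a compromise of this store yields ciphertext only."""

    def __init__(self):
        self.blobs = {}

    def put(self, mailbox, blob):
        self.blobs.setdefault(mailbox, []).append(blob)

    def get(self, mailbox):
        return list(self.blobs.get(mailbox, []))

    def server_can_read(self, needle):
        """What an operator grepping the disk would find for a given plaintext: nothing."""
        return any(needle in b for blobs in self.blobs.values() for b in blobs)


def round_trip(passphrase, message, store, mailbox="alice"):
    """Seal on the client, hand the blob to the store, fetch it back and open it."""
    store.put(mailbox, client_seal(passphrase, message))
    return [client_open(passphrase, b) for b in store.get(mailbox)]


if __name__ == "__main__":
    store = MailStore()
    msg = b"lab results attached"
    print(round_trip("correct horse battery staple", msg, store))
    print("server sees plaintext:", store.server_can_read(b"lab results"))
```

Two caveats a practitioner would add. The store really does hold nothing useful, but the code that does the sealing is delivered to the browser by the same provider on every visit, so the zero-access claim is only as strong as the integrity of that JavaScript, which is one reason publishing the source matters. And a passphrase-derived design means a forgotten passphrase is an unrecoverable mailbox; there is no reset the operator can perform.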

Lavaboom has fully open sourced its code, and is hosting it on Github where outsiders can dive in to check its claims. It launched a beta version of the email service around a week ago, and Müller-Irion says some 200,000 emails have been delivered via its system thus far.

“The target audience at the moment is really only for privacy-oriented people however we want to bring this to everyone so that every [consumer] and elderly person can use our service and send encrypted emails,” he adds.

The team is offering the encrypted webmail service free for individual users, with 2GB of storage going to Indiegogo backers, and 1GB for general users. Monetization plans focus on a white-label B2B product that companies will be able to run on their own servers for a fee. A premium version of Lavaboom will also likely be offered where users can buy more storage if needed.

The current web-based beta version of Lavaboom, which has been in development for around a year, is pretty limited in terms of feature set. The plan is to flesh that out with “the usual stuff you would expect from your Gmail account or whatever you’re using”, as Müller-Irion puts it, so things like the ability to import and export contacts, create and store drafts, send and view attachments and so on.

Also on the slate for the future are iOS and Android versions of the Lavaboom client, and a desktop version of the web-based client. He adds that Lavaboom also has plans to build out additional encrypted services, such as a Dropbox-style cloud storage offering and perhaps an encrypted calendar module.


Via: techcrunch

Apple Now Sells A Lightning Dock For Your iPhone

Apple has finally done what many had long hoped it would – released an official dock for Lightning-sporting iPhones, ranging from the 5 all the way up to the iPhone 6 and 6 Plus. The new design should work with devices going forward, too, unlike previous Apple docks, because it features a freestanding Lightning connector that doesn’t require your device to fit the dimensions of a set slot.

The new dock retails for $40 via the U.S. Apple Store (prices vary by country) and offers a fairly basic design, with a rounded rectangular white plastic base and a single male Lightning connector rising from the top. The connector sits on what looks like a reinforced protrusion, which probably helps it avoid wear and tear from the weight of the device it supports.

The Lightning Dock has two ports at the back, one for Lightning to support charging and data connectivity, and one 3.5mm stereo headphone jack to support audio out. The connector also has the necessary pins to support headsets and play-pause control that work with iPhone.

Via: techcrunch

WaitChatter Helps You Learn A New Language While You Wait For IM Replies

Despite the pace of online communications, we still spend a lot of time waiting: staring at an IM window is a common occurrence for anyone who spends a better part of their day at a computer. WaitChatter wants to make use of that standby time to promote a vital skill, letting users brush up on their vocabulary for a second language while they wait for their colleague or friend to respond to their Google Chat message.

The app comes out of research from MIT’s Computer Science and Artificial Intelligence Lab, which found that the average person racks up 10 to 15 minutes per day of essentially wasted waiting time while conversing over IM. That realization led to the development of WaitChatter, which uses a Google Chat (you have to revert from Hangouts to use it right now, but that’s fairly easy) extension to offer up quick vocabulary learning lessons right in your IM chat window.

It’s based not only on leveraging that otherwise unoccupied time, but also on the feeling people tend to have that dedicated language learning apps require an additional time commitment, even when designed for convenience and mobility.

Users of the app who participated in a pilot test picked up new words at a rate of about four a day, leveraging words from both a built-in list and from a user’s own IM conversation. And while it isn’t exactly a method for mastering a language and becoming perfectly fluent, it’s exactly the kind of thing that’s handy for accruing small useful skills that require a lot of memorization.

The research team behind WaitChatter is looking to exploit other waiting situations, such as when you’re letting your email messages load or standing in a taxi line. As for WaitChatter itself, they say it works with any alphabetic language that Google Translate can currently handle, and should also be able to be ported to most other popular IM applications, including Skype and Facebook Messenger.



Via: techcrunch

AT&T Will Begin Offering Hulu To Its Customers Later This Year

Hulu and AT&T announced an expanded deal today designed to bring the video streaming service to AT&T’s customers on both mobile devices and on the web. Starting later this year, customers will be able to access Hulu shows through an AT&T app on their mobile phones, as well as through an AT&T website for Internet viewing, the companies said. The two are also exploring the possibility of bringing a Hulu app to TVs.

This TV app, if it comes to pass, would be similar to the Hulu apps other distributors are already planning to offer customers by way of their set-top boxes.

Before today, AT&T and Hulu already had a contract focused on distributing Hulu’s free content, but this deal is specifically aimed at expanding access to Hulu’s premium tier. Previously, AT&T would show some of Hulu’s content by way of embedded player on its own websites, but the nature of this deal will be more about driving subscriptions for Hulu.

In particular, a new AT&T mobile app, which is still in development, will offer customers a selection of clips and some long-form content (to be announced), with a link to view full episodes. When clicked, customers will be taken to Hulu to sign up for the service, or can login if they’re already a customer. Customers will also be able to browse and search Hulu content from within AT&T apps, the company says.

Hulu subscribers paying a $7.99 per month fee are able to tap into the service’s larger library, including current seasons of shows from five of the six top broadcast networks, as well as popular older programs. For example, Hulu recently acquired the exclusive rights to stream all the episodes of Seinfeld on its network, which was a notable win for the service.

While Hulu’s premium tier is a paid service, AT&T tells us it’s considering offering bundled pricing that includes Hulu alongside other AT&T services or content in the future, however.

The deal follows Hulu’s recent moves to line up more distributors for its video streaming service, which began in late April with news that Cablevision would become the first pay TV provider to resell Hulu.

The Cablevision agreement was then quickly followed by the news that Hulu had lined up five other multichannel video programming distributors to offer Hulu, including Armstrong, Atlantic Broadband, Mediacom Communications, Midcontinent Communications and WideOpenWest (WOW!). Similarly, these companies also plan to deliver Hulu’s library to their TV and broadband customers by way of an updated set-top box.

These agreements are good for Hulu because it puts them in front of more potential customers, and as Tim Connolly, Hulu’s head of distribution and partnerships, recently explained, the partners also receive an undisclosed cut of Hulu’s subscription revenue. Likely, AT&T’s deal follows this same path.

AT&T is also investing in other over-the-top (OTT) initiatives, the company noted in an announcement today, including its joint venture with The Chernin Group, Otter Media, which is designed to invest in, acquire and launch OTT video services. This previously led to AT&T’s and Chernin’s investment to buy a majority stake in Fullscreen, valued between $200-$300 million.

AT&T is hardly alone in looking for ways to improve its OTT offerings. Verizon announced yesterday that it’s buying (TechCrunch parent) AOL for $4.4 billion – a move that’s also about the importance of mobile and video to the communications industry’s future, and specifically about how AOL’s adtech could help Verizon improve its own upcoming OTT video business.




Via: techcrunch

CareFirst BlueCross BlueShield Suffers Hack, Warns 1.1 Million Customers of Data Breach

It’s the kind of bad news that every organization hopes it will never have to find itself sharing with its customers – hackers have breached computer systems, and accessed a database containing sensitive personal information.

On this occasion, the corporate victim warning 1.1 million customers that an attack has occurred is CareFirst, a major health insurer.

The company says that it has recently determined that in June 2014 hackers were able to gain unauthorised access to a database, used to collect details entered by members and other individuals on CareFirst’s websites and online services.

To its credit, CareFirst hasn’t tried to sweep the unfortunate news under the carpet.

A warning is displayed prominently on its website, and an apologetic video message from CareFirst’s CEO can be watched on a website set up specifically to share news and advice with affected customers.

In the video, CareFirst CEO Chet Burrell says that the attack was discovered as part of an ongoing security initiative, after a third-party security company was brought in to explore potential issues following a spate of attacks against other health insurers in recent months.

Burrell was keen to stress that no passwords, Social Security numbers, financial information or medical claims were exposed. However, user IDs created by customers as well as members’ names, birth dates, email addresses and subscriber identification numbers could have been accessed by the attackers.

The fact that the breach occurred in June last year, and has only been uncovered now, highlights a key problem with detecting online crime.

When the contents of a hacked database are raided it’s not like the Mona Lisa being stolen from the Louvre, there’s no gap on the wall where the painting used to be.

The “loss” of data is virtual, meaning that more sophisticated methods have to be used to determine that it might have been accessed illegally and data siphoned out.

CareFirst says that no evidence of any further breach has been found by the security experts it called in.

It’s too early, and there’s no information available, to speculate as to how the hack occurred or whether CareFirst might have been able to do more to prevent it.

For now, all that can be said is that it appears to have responded appropriately and transparently, warning its customers about the unfortunate situation and offering free credit monitoring and identity theft protection for two years.

Furthermore, the fact that it chose to audit its network for security breaches following the hacks against Anthem and other healthcare firms sends an important message to all businesses – don’t assume it cannot happen to you.

When you read about hacks against other companies, don’t be tempted to enjoy another firm’s misfortune, but instead ask yourself the difficult question of whether it could happen to you and, perhaps even more importantly, has it already happened to you?



Via: tripwire