October 2014 | SafeLogic

Archive for October, 2014

27 Oct 2014

Exposing the Risks of Data-Driven Healthcare

This is a guest post from blogger Jared Hill as a special contribution to SafeLogic.

The recent Heartbleed and POODLE vulnerabilities exposed some of the major dangers of living in a digitized world. With the entire healthcare system becoming increasingly reliant upon digital organizational systems, a patient’s most private information (prescriptions, records, communications, you name it) might be vulnerable to hacks. While many hoped doctor-patient confidentiality and legal privacy rights would apply just as easily across the board, that guarantee simply cannot be made in the digital realm.

Illegally obtained medical records fetch huge sums of money on the black market, more than customer or banking information, or even risqué photos of famous celebrities. Certain kinds of personal information are very valuable to those wanting to pose as someone else in order to obtain medical care. Although there are dozens of cybersecurity-related legislative proposals before Congress, and amendments have been made to pre-existing legislation, notably the Health Insurance Portability and Accountability Act (HIPAA), there is still much work to be done to safeguard patients against data hacking.

The Heartbleed “mishap” incited widespread privacy and identity panic, particularly within the healthcare sector, but also among other professionals who are now culpable for such data leaks. It has suddenly become glaringly obvious that thousands of servers are vulnerable to attacks from outside intruders, and it’s also clear that unsophisticated Secure Sockets Layer (SSL) deployments are not as safe as experts believed. POODLE has illustrated the dangers of misconfiguration and untrusted networks in its own way.

The real question, then, is by what means can healthcare companies safeguard themselves against the next threat? Some are confident that newly drafted programs like FedRAMP will be helpful towards that end. One health IT expert was optimistic recently, saying, “Ideally, the FedRAMP regulations will adequately address common security concerns, such as multi-tenancy and shared resource pooling, and provide a standard set of regulations that would ensure secure cloud usage in the Healthcare industry.” That would be a major step in the right direction.

Whether FedRAMP or the amendments made to HIPAA will increase patient privacy and data security remains to be seen. They may not be strong enough. Devices are emerging that can record DNA, heartbeat patterns, and a myriad of other integral and unique personal characteristics. Instead of solely responding to current issues and security breaches, startups and the tech industry need to have a conversation now about exactly how users will be protected from technology that won’t arrive for another decade.

Rohit Sethi, vice president of security consulting firm Security Compass, said, “Maybe down the road our heartbeat, for example, becomes the main way we prove our identities. And if we didn’t protect it 10 years ago, we don’t have a way of correcting it. So we have to treat it as serious now because we can’t predict the future.”

Sethi has a point, and a frightening one at that. He cites startups (responsible for creating many of the latest apps and storage systems) as a particularly worrisome area. While established companies have spent years understanding security breaches, startups are often run by young, motivated techies who put innovation of the product first and user security a distant second.

Sethi predicted that, unless strong regulations are implemented and upheld, everything from medical information to our DNA fingerprints could all become subject to theft and misuse. “You can get a credit card reissued,” Sethi said, “but you can’t reset your heartbeat or your DNA.”

15 Oct 2014

Putting a Muzzle on POODLE

You may have seen the news about POODLE recently. The good news is that it’s not as severe as Heartbleed, which affected server-side SSL implementations and had repercussions across most web traffic. The bad news is that it’s still seriously nasty.

POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption. It lets an attacker decrypt SSLv3 browser sessions by exploiting how SSLv3 checks CBC padding, after first forcing the connection down from TLS to SSLv3. This man-in-the-middle attack has one major constraint: the attacker has to be on the same wireless network.
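To see why SSLv3 specifically is the weak link, here is an added illustration (my own, not code from SafeLogic or from the POODLE researchers) contrasting how an SSLv3 receiver and a TLS 1.0 receiver validate CBC padding after decryption. SSLv3 only looks at the final length byte, so a block of junk with a plausible last byte is accepted; TLS 1.0 requires every padding byte to match. The block size and the sample bytes are constructed for the demo.

```python
# Added example: why SSLv3's CBC padding check is weaker than TLS 1.0's.
# All values below are constructed for the demo; this is not production code.

BLOCK_SIZE = 16  # AES-CBC block size (assumption for the demo; 3DES would be 8)


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSLv3 (RFC 6101, 5.2.3.2): only the final byte, the padding length,
    is checked. It must be smaller than the block size; the padding bytes
    themselves are unspecified, so the receiver never looks at them."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(plaintext)


def tls10_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 (RFC 2246, 6.2.3.2): every padding byte must equal the
    padding-length byte, so a record with a plausible last byte but
    garbage padding is rejected instead of silently accepted."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    padding = plaintext[-(pad_len + 1):-1]
    return all(b == pad_len for b in padding)


def accepted_last_bytes(check, prefix: bytes) -> int:
    """Count how many of the 256 possible final-byte values make `check`
    accept a block whose other bytes are fixed to `prefix`. The larger the
    count, the less the padding check tells the receiver about whether the
    decrypted bytes were genuine, which is the 'oracle' in POODLE's name."""
    return sum(1 for last in range(256) if check(prefix + bytes([last])))


def demo() -> dict:
    # Constructed: a decrypted final block whose padding bytes are junk
    # (0xAA) but whose length byte claims a full block of padding.
    junk_padding = bytes([0xAA] * (BLOCK_SIZE - 1)) + bytes([BLOCK_SIZE - 1])
    # Constructed: the same block with padding that is well-formed under TLS.
    good_padding = bytes([BLOCK_SIZE - 1] * BLOCK_SIZE)
    prefix = bytes([0xAA] * (BLOCK_SIZE - 1))
    return {
        "sslv3_accepts_junk": sslv3_padding_ok(junk_padding),   # True
        "tls10_accepts_junk": tls10_padding_ok(junk_padding),   # False
        "tls10_accepts_good": tls10_padding_ok(good_padding),   # True
        "sslv3_accepting_values": accepted_last_bytes(sslv3_padding_ok, prefix),  # 16
        "tls10_accepting_values": accepted_last_bytes(tls10_padding_ok, prefix),  # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two padding checks are the whole story here: because SSLv3's MAC does not cover the padding bytes and the receiver never inspects them, a decryption with the wrong padding content still passes as long as the last byte is small enough. A real TLS implementation must additionally perform this check in constant time (the later Lucky 13 work showed why), which the demo deliberately leaves out.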

That renders POODLE irrelevant because everyone locks down their wireless networks, right? Oh yeah, except those customer-friendly coffee shops with public wifi. In places like Palo Alto, you can bet there is a *lot* of interesting information going over the air there. Or at conferences, where diligent employees handle pressing business and aggressive stock traders log in to their account to buy the stock of the keynote speaker (or short it if his presentation lacks luster).  The threat is real – session hijacking and identity theft are just the tip of the iceberg.

It’s worth noting that this is a protocol-specific vulnerability and not tied to a vendor implementation (unlike Heartbleed with OpenSSL and the default Dual_EC_DRBG fiasco with RSA). That makes it a mixed bag. The issue affects a wide variety of browsers and servers (Twitter, for example, scrambled to disable SSLv3 altogether), but users do have some control, because SSLv3 can also be disabled on the client side in some browser configurations. Check your current settings for vulnerability at PoodleTest.com and install any patches for your browser when they become available.

Some browser vendors have already made moves to patch against this threat and permanently disable SSLv3. Meanwhile, others have dubbed the server-side vulnerability “Poodlebleed” and offer a diagnostic tool to assess connectivity.

From a government and compliance perspective, Federal agencies should be using TLS 1.1 according to Special Publication 800-52 Rev 1. TLS 1.1 is not susceptible to POODLE. FIPS 140 validations and SafeLogic customers are not affected.
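As an added example of turning “disable SSLv3 on the server” into something you can actually check (my own script, not SafeLogic’s code and not any vendor’s diagnostic tool), the block below reads Apache `SSLProtocol` and nginx `ssl_protocols` lines from a configuration file and reports the ones that still leave SSLv3 enabled, with the weak and corrected directives side by side as constructed samples. The set of protocols that Apache’s `all` keyword expands to is an assumption for the demo.

```python
# Added example: flag web-server TLS configuration lines that leave SSLv3
# enabled. Handles Apache mod_ssl "SSLProtocol" and nginx "ssl_protocols".
# The sample configuration text is constructed for the demo.
from __future__ import annotations

# Canonical protocol names, keyed by lower-case spelling.
_CANON = {
    "sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
    "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2",
}
# What Apache's "all" keyword expanded to in 2014-era builds (assumption for
# this example; the real set depends on the OpenSSL the server is linked to).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def apache_protocols(args: list[str]) -> set[str]:
    """Evaluate Apache SSLProtocol tokens: 'all' or a name adds, '-name' removes."""
    enabled: set[str] = set()
    for tok in args:
        sign, name = ("-", tok[1:]) if tok.startswith("-") else ("+", tok.lstrip("+"))
        names = APACHE_ALL if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def nginx_protocols(args: list[str]) -> set[str]:
    """nginx ssl_protocols is a plain list of the protocols to enable."""
    return {_CANON.get(a.rstrip(";").lower(), a.rstrip(";")) for a in args}


def enabled_protocols(line: str) -> tuple[str, set[str]] | None:
    """Return (directive, enabled protocol set), or None for unrelated lines."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    directive, args = parts[0], parts[1:]
    if directive.lower() == "sslprotocol":
        return directive, apache_protocols(args)
    if directive == "ssl_protocols":
        return directive, nginx_protocols(args)
    return None


def find_sslv3(config_text: str) -> list[tuple[int, str]]:
    """Line numbers and directives in `config_text` that leave SSLv3 enabled."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        parsed = enabled_protocols(line)
        if parsed and "SSLv3" in parsed[1]:
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample: the pre-POODLE defaults many servers shipped with.
WEAK_CONFIG = """\
# Apache: 'all' quietly includes SSLv3
SSLProtocol all -SSLv2
# nginx: SSLv3 listed explicitly
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
"""

# Constructed sample: the same directives with SSLv3 removed.
FIXED_CONFIG = """\
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    print("weak :", find_sslv3(WEAK_CONFIG))    # two hits, lines 2 and 4
    print("fixed:", find_sslv3(FIXED_CONFIG))   # []
```

A static check like this catches the common mistake of relying on Apache’s `all` without an explicit `-SSLv3`; pair it with a live check against your own server, for example `openssl s_client -connect host:443 -ssl3`, where a failed handshake confirms SSLv3 is really off. Leaving TLS 1.1 and 1.2 enabled, as in the fixed sample, is consistent with the SP 800-52 Rev 1 guidance above.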

If you’re interested in a deep dive, I recommend this fantastic technical post by Daniel Franke, which also provides a great history of SSL and its challenges.


6 Oct 2014

It’s Q4 Already?

It’s hard to believe we are in Q4 already. If you’re in the Bay Area, it still feels like summer!  But here we are, rapidly approaching Halloween and the holidays, watching football and playoff baseball.

I don’t really do quarterly company updates on the blog; in fact, I think Walt would argue I don’t write enough blog posts in general. But I’m just too excited. SafeLogic has had a great year and I’m really proud of the work that the team has done. A more detailed recap will happen towards the end of the year – Walt will be sure of that!

I’m on the way to Orlando now to talk at Gartner Symposium about security and compliance with Paul DePond of Globo, one of our customers in mobility. If you follow us on Twitter (and why wouldn’t you?), you’ll notice that I’ve been on the road speaking quite a bit recently. The content has been a blend of education and evangelism. I’m trying to get developers in emerging areas of technology to think about building security into their solutions. I know it’s no easy task, but I want to be sure folks are thinking about emerging threats. It’s easier with SafeLogic, but that’s another story. I want folks to understand the need for and value of strong encryption built with compliance in mind.

We have talked to customers and potential clients in some very cool new spaces, and it’s encouraging to see a more mature comprehension of the advantages offered by validated crypto. Questions from analysts and press are becoming more sophisticated, and end users are really adapting to the landscape. It’s gratifying to see folks genuinely care about how their data is being protected.

It’s been a very fun and very busy year… and we have some cool surprises in store, in both the short and long term. I can’t wait to share more.