Security: They’re doing it wrong

P2P Networks Rife With Sensitive Health Care Data, Researcher Warns

Computerworld (01/30/09) Vijayan, Jaikumar 

Sensitive medical data is easily available through peer-to-peer (P2P) file-sharing networks, reveals a study by researchers at Dartmouth College. During the study, the researchers used search terms related to the top 10 publicly traded U.S. healthcare organizations to see if they could find medical data on P2P networks such as Gnutella, FastTrack, Aries, and e-Donkey.

Dartmouth professor Eric Johnson says the searches yielded a plethora of information from healthcare companies, suppliers, and patients. For example, Johnson says he was able to find a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes, and other sensitive data belonging to roughly 9,000 patients at a medical testing laboratory.

Johnson and the other researchers were able to obtain the information because employees at healthcare providers installed P2P networks on their computers, which allow users to download and share music and videos from shared folders but also can allow users to obtain other types of files if care is not taken to control which folders users have access to.

Johnson says the study underscores the need for hospitals and other healthcare providers to be aware of the dangers of inadvertent data leakage as well as the need to put improved controls in place to monitor, detect, and stop them.

More good news about malware

Thieves Winning Online War, Maybe Even in Your Computer
New York Times (12/06/08) P. A1; Markoff, John

Malware continues to overcome security professionals’ efforts to defend against it. “Right now the bad guys are improving more quickly than the good guys,” says SRI International’s Patrick Lincoln.

As businesses and individuals become increasingly involved in online communities, cybercriminals are given more opportunities to infect machines and commit crimes. The Organization for Security and Cooperation in Europe estimates that credit card thefts, bank fraud, and other online scams rob computer users of $100 billion annually. In late October, the RSA FraudAction Research Lab discovered a cache of 500,000 credit-card numbers and bank account log-ins that were stolen by a network of zombie computers run by an online gang.

“Modern worms are stealthier and they are professionally written,” says British Telecom chief security technology officer Bruce Schneier. “The criminals have gone upmarket, and they’re organized and international because there is real money to be made.”

Meanwhile, malicious programs are becoming increasingly sophisticated, with some programs searching for the most recent documents on the assumption that they are the most valuable and others stealing log-in and password information for consumer finances.

Microsoft researchers recently discovered malware that runs Windows Update after it infects a machine to ensure the machine is protected from other pieces of malware. Purdue University computer scientist Eugene Spafford is concerned that companies will cut back on computer security to save money.

“In many respects, we are probably worse off than we were 20 years ago,” he says, “because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure.”

Amen to that last paragraph. Go, Mr. Obama, go!

Security 102 – Passwords

You need more than one password.  You probably need more than three.  If a hacker or social engineer gets one of your passwords, you don’t want him to hold all the keys to your kingdom, right?  So keep banking, healthcare, and general web access (not related to banking or healthcare) separate.

Most places that require strong passwords have the following rules:  At least 8 characters (more is better), and it must include capital and lower case letters, numbers, and special characters (like !+-_"~@ etc.).

You need a different password for each online bank you use.  The easy-to-remember, hard-to-guess strategy for a banking password might be using the bankname or initials with your initials and a number or two that is meaningful to you.  For example, if it’s your main bank account you might use BOA-me-1 or if it’s secondary put a two on the end. Mix it up, and if you use the one I just used for an example you don’t need to read any further, I can’t help you.

If you take advantage of online healthcare and order your prescriptions or make appointments online, you need a different password for that.  Use the same principles.  You might use some form of the name, some initials, some numbers and maybe a dash or star or something just to make it that much harder to guess.  I like to separate the pieces of my passwords with dashes.  Easy to remember, hard to hack.  That’s called chunking (not to be confused with bad Chinese food in a can).

Other places on the web that require a password for access but don’t affect your money or health can probably all share a password.  It depends on how much information you give them, and how much it would hurt if someone else got ahold of that information.

How to Build and Remember Strong Passwords

People remember things differently, and most passwords are easier to remember if they spread the work out across our brain – using combinations of techniques and things that are meaningful to us.  Think about getting songs stuck in your head. Why do they stick?  Or, how many e-mail addresses do you have memorized?  Phone numbers? Rhyming is good, cadence matters, and patterns help us remember.  With that in mind, here are some suggestions to help you build strong passwords that you can remember.

1. Use a fake e-mail address
Pick a name:  Homer
Pick a related phrase: loves donuts
Homer@lovesdonuts.com
Monitor sticky note hint – Homer eating a donut or just one of the Simpsons

2. Use a word you have strong associations with, make some substitutions, and then add 4 extra characters at the end
Maybe you grew up in Fairfax.
Substitute a 4 for the first a, and a 1 (one) for the i.
Add four characters to the end that you can type easily.
Result:  F41rfax1112
Monitor hint – make the hint “city1112” and you’ll likely be able to remember the rest of it.

3. Use three+ words/numbers that rhyme – add numbers or punctuation and capital letters
22-Blue-Skidoo
95816Pickup-Stix
URGR8NoDebate
2FunnyHunnyBunny
wordz-wordz(okay!) (don’t use this one, PITA to type)

4. Repeat words
Work!Work!
Happy!Happy!
woof!woof!doggy

5. Use visualization –
IceCreamMelts2
BlueScreenOfDeath!1!1
DaisiesAre2Pretty
Monitor hint – a picture of your password

6. Chunking –
abc-AAA-BBB-CCC
brains+exploding+now
Be-Here-Now-Girl

7. Number combos
Eleven-11-12!
44-Forty-Four-11
123-One-HundredTwentyThree

8. Humor –
Gone Crazy-BRB
I Love My Job

9. URLs/domains
http://www.ILoveMyJob.com
http://www.BeHereNow.com

10. Phone numbers –
Some combination of letters plus an old phone number you remember makes a great password.  Using your current phone number is just dumb.  Initials interspersed through a zip code could work, but it will be a bitch to type.

11. Sentences with spaces –
I Hate Changing Passwords
Password Rules Stink Out Loud
I love my IT department

Final Suggestions

If you have to change your passwords every 60 or 90 days, use one new word a year and add the month or quarter name or number – JuicyFruit-60, JuicyFruit-120, JuicyFruit-180, etc.  No human can remember different passwords for different functions and have to change them all the time if they are a) random and b) non-repetitive.  What happens is that you’re forced to write them down and paste them under your keyboard or on your desk pullout or, God forbid, right on your monitor, which of course makes the whole thing an exercise in futility.

Last but not least:  When you’re coming up with your password, give it a few trial runs on your keyboard.  Make sure it’s actually “typeable”.  I just recently screwed myself with an email password that is so hard to type that I generally have to type it 3 times before I get it right.  But I do remember it!  Next time, I’ll do the run-through first … Live and learn, baby.
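To make the rule set above concrete, here is an added Python checker (not from the original post) that tests each of the section's sample passwords against the stated policy: at least 8 characters, with capital and lower case letters, a number and a special character. The sample list is constructed from the post's own examples, and the definition of "special character" is an assumption (Python's punctuation set, so spaces do not count).

```python
import string

# Rule set stated in the post: at least 8 characters, with at least one
# uppercase letter, one lowercase letter, one digit and one special character.
MIN_LENGTH = 8

# Constructed sample list drawn from the post's own suggestions; none of these
# is a real credential and none should be reused as one.
SAMPLES = [
    "BOA-me-1", "Homer@lovesdonuts.com", "F41rfax1112", "22-Blue-Skidoo",
    "Work!Work!", "BlueScreenOfDeath!1!1", "abc-AAA-BBB-CCC", "Eleven-11-12!",
    "I Hate Changing Passwords", "JuicyFruit-60",
]


def is_special(ch: str) -> bool:
    """Assumption: a printable character that is not a letter, digit or space
    counts as 'special' (the post lists ! + - _ " ~ @ as examples)."""
    return ch in string.punctuation


def missing_rules(password: str) -> list[str]:
    """Names of the stated rules the password fails; an empty list means it
    satisfies every rule. The order is fixed so results are easy to compare."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("upper", any(c.isupper() for c in password)),
        ("lower", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special", any(is_special(c) for c in password)),
    ]
    return [name for name, ok in checks if not ok]


def audit(passwords: list[str]) -> dict[str, list[str]]:
    """Map each candidate to the rules it misses, so a reader can see at a
    glance which suggestion styles need a digit or a symbol added."""
    return {pw: missing_rules(pw) for pw in passwords}


if __name__ == "__main__":
    for pw, missing in audit(SAMPLES).items():
        verdict = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{pw!r:30} {verdict}")
```

Running it shows that the "sentences with spaces" and "repeat words" styles pass the length rule easily but need a number or symbol added before a site with the stated policy will accept them.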

Will it work if you cut somebody’s finger off?

Why Veins Could Replace Fingerprints and Retinas as Most Secure Form of ID
Times Online (UK) (11/11/08) Harvey, Mike

Finger vein authentication is starting to gain traction in Europe. Easydentic Group in France says it will use finger vein security for door access systems in the United Kingdom and other European markets.

The advanced biometric system, which verifies identities based on the unique patterns of veins inside the finger, has been widely introduced by Japanese banks in thousands of cash machines over the last two years. Hitachi developed the technology, which captures the pattern of blood vessels by transmitting near-infrared light at different angles through the finger, and then turns it into a digital code to match it against preregistered profiles.

Veins are difficult to forge and impossible to manipulate because they are inside the body, according to Hitachi. The company also says finger vein technology is more affordable than iris scanning or face/voice recognition and has a lower false rejection rate than fingerprinting. Finger vein authentication is primarily used in Japan for ATMs, door access systems, and computer log-in systems.

Security 101

You know, I work with people all day, every day, helping them to be secure when they’re computing in the office and at home. It’s not full time or anything, but it’s one of my (many) focuses and I do want people to be safe. But it’s mostly thankless, and some days I feel like I’m wasting my time.

There’s a t-shirt somewhere that says “Social Engineering: Because There’s No Patch for Human Stupidity.”

Case in point:

College boy (and son of Tennessee Rep. Mike Kernell) Kevin Kernell hacked into Sarah Palin’s personal e-mail account after he heard about it.

“Kernell allegedly obtained access to the account by guessing answers to security questions on the account and resetting the password for the account to “popcorn.” (Which he then posted online to a forum…”

Did you get that? Some random kid guessed the answers to the security questions that the ex-VP nominee had put in her e-mail account. No patch for that.

Word to the wise, people: Use better questions and answers. If you put your birthday in as a security question, guess what? Facebook knows your birthday. So do 35 million other people.

How about “What’s my honeybunny’s birthday?” Guess what. We can figure out your honeybunny is your husband. Your husband’s birthday isn’t very hard to find, either.

If you want a good question that you’ll remember and will be hard to guess, try something like this:

“What color was my first car?”

“What make and model was my first car?”

“Who was my first grade teacher?”

“What was the cross street where I grew up?”

Now, someone REALLY dedicated to getting into your stuff could find the answers to these questions, but he’d have to look long and hard and chances are good he’d move on to an easier target.

Next lesson: How to create a good password and why you need several.

I give up

Keyboard Sniffers to Steal Data
BBC News (10/21/08) 

Doctoral students Martin Vuagnoux and Sylvain Pasini from the Security and Cryptography Laboratory at the Swiss Ecole Polytechnique Federale de Lausanne (EPFL) were able to monitor what people type by analyzing the electromagnetic signals produced by every keystroke.

The EPFL students developed four attacks that will work on a variety of computer keyboards, leading them to declare that keyboards are not safe to transmit sensitive information. Vuagnoux and Pasini tested 11 keyboards that connected to a computer through either a USB or PS/2 socket, though the attacks also work on keyboards embedded in laptops. Each keyboard tested was vulnerable to at least one of the four attacks they developed, with one of the attacks being effective at a distance of 20 meters.

The students used a radio antenna to fully or partially recover keystrokes by detecting the electromagnetic radiation emitted when keys are pressed. The research builds on previous work by University of Cambridge computer scientist Markus Kuhn, who explored ways of using electromagnetic emanations to eavesdrop and steal useful information.

On cyberwar

Reprinted from Crypto-Gram, by Bruce Schneier [schneier@SCHNEIER.COM]

On April 27, 2007, Estonia was attacked in cyberspace.  Following a diplomatic incident with Russia about the relocation of a Soviet World War II memorial, the networks of many Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, were attacked and — in many cases — shut down.  Estonia was quick to blame Russia, which was equally quick to deny any involvement.

It was hyped as the first cyberwar: Russia attacking Estonia in cyberspace.  But nearly a year later, evidence that the Russian government was involved in the denial-of-service attacks still hasn’t emerged. Though Russian hackers were indisputably the major instigators of the attack, the only individuals positively identified have been young ethnic Russians living inside Estonia, who were pissed off over the statue incident.

You know you’ve got a problem when you can’t tell a hostile attack by another nation from bored kids with an axe to grind.
——————————-

This article goes on for another 4 pages, but if you’re interested, you can read the rest of it on Bruce’s blog, at http://www.schneier.com/crypto-gram-0805.html

Front page for Crypto-Gram:  http://www.schneier.com/crypto-gram.html

Grandma had the right idea with the mattress stuffing

Researchers Hack ‘Tamper-Proof’ PIN Terminals
ZDNet UK (02/26/08) Espiner, Tom

Cambridge University researchers have successfully hacked the Ingenico i3300 and Dione Xtreme PIN terminals, which are widely used in Britain and are touted as tamper-proof. Cambridge’s Saar Drimer and Steven Murdoch say the devices’ anti-tampering measures can be bypassed by tapping the line of the PIN Entry Device/smartcard interface, where the data is unencrypted, using conductors linked to a logic board with a field programmable gate array through a thin wire. The Ingenico device features a user-accessible compartment to insert SIM cards that is not designed with tamper-proofing in mind. The researchers employed a paper clip as a conductor, which they inserted into the serial data line through a hole in the PCB and thus were able to capture both the PIN and card details. They also drilled into the Dione Xtreme from the rear without being detected, and tapped the data through the insertion of a 4-centimeter needle into a flat ribbon connector socket. Both terminals were certified by Visa as secure, but the researchers found that neither device complied with security standards. “What this shows is that PIN entry devices in the U.K. are very insecure,” says Cambridge professor Ross Anderson. “What’s more, the [device] certification process is completely defective.”