The data breach at Citigroup in May – a breach which reportedly exposed an estimated 200,000 customer accounts – has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers.  What are the next steps your company should take?

New bills to protect consumers’ personal data

Two bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011.  The new bill provides:

• Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
• A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
• A requirement that the government ensure sensitive data is protected when the government hires  third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email  “without unreasonable delay.” Media notices would be required for breaches involving 5,000 or more people.  The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that’s not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she’s named The SAFE (Secure and Fortify) Data Act that would also require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer’s point of view. But what about the expense – and potential penalties – suffered by the “owners” of the data: the businesses themselves?

While these bills may address the public’s interest for notification — and indeed they would bring some semblance of a national standard – they also represent an interesting shift in the liabilities that companies will face.  How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers – or fail to report a data breach in a reasonable amount of time – would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won’t take adequate precautions to secure the sensitive data of our customers, they’ll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers.  If sensitive data itself is kept securely encrypted, a data breach doesn’t expose the content of the information itself.

Secure managed file transfer protocols – which send data using encryption – is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached – through hacking, theft, or other malicious actions – is worthless.  Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization’s liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What’s needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn’t it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

Most data breaches are caused by simple acts of carelessness.

Last March the Ponemon Institute released its findings for the 2010 Annual Study: U.S. Cost of a Data Breach. The study — based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors — revealed that data breaches grew more costly for the fifth year in a row. They jumped from $204 per compromised record in 2009 to $214 in 2010.

The increase in cost, however, pales in comparison to the reputational cost of companies that have been victimized, particularly in the healthcare sector.

HITECH builds Wall of Shame

Consider that the U.S. Department of Health and Human Services has begun posting the data breaches affecting 500 or more individuals as required by section 13402(e)(4) of the HITECH Act.  The New York Times has labeled this site “The Wall of Shame”.  Why? Because if patients have no faith in electronic record-keeping, the future of healthcare record automation will be jeopardized: Law suits and government regulation will bury any cost-savings.

The Back Stories of Healthcare Data Breaches

What are the stories behind the most severe healthcare sector data breaches reported in 2010?  Here are the ten most expensive stories, in ascending order of cost, documented in the Privacy Rights Clearing House database. While they’re sober reminders of the problem of keeping data secure, they’re also instructive: none of these breaches were malicious hacks, but were instead the results of theft, poor record-keeping policies, and simple human error.

(Note that the estimate of liability uses the $214/ record cost identified by the Ponemon Institute in its annual report. We have purposely not published the names of the reporting institutions.)

10^th Most Expensive: Physician Computer Theft Exposes 25,000

On June 29^th of 2010 a thief stole four computers from a physician specialist’s office in Fort Worth, Texas.  This theft resulted in an estimated 25,000 patient records being exposed.  The patient records contained addresses, Social Security numbers and dates of birth. Estimated liability: $5,350,000.

9^th: Medical Center Theft Exposes 39,000

On the weekend of May 22^nd, 2010 two computers were stolen from a medical center in the Bronx. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates of patients were known to be on the computers.  Total records compromised: 39,000. Estimated liability: $8,346,000.

8^th: Optometrist’s Computer Theft Exposes 40,000

A computer stolen from an Optometry office in Santa Clara, California on Friday April 2nd, 2010 contained patient names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information, medical records, and in some cases, Social Security numbers. Though the files were password protected, they were not encrypted.  A total of 40,000 records were lost, with an estimated liability of $8,560,000.

7^th: Medical Records Found at Dump Expose 44,600

Medical records were found at a public dump in Georgetown, Massachusetts on August 13^th, 2010. The records contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company that had worked for multiple hospitals was responsible for depositing the records at the dump. The exposure required the hospitals to notify patients – an effort that continues to this date.  The total number of records known to have been exposed is 44,600, but the search continues.  Estimated liability: $9,544,400.

6^th: Consultant Laptop Stolen Exposing 76,000

On March 20^th, 2010, in Chicago, Illinois, a contractor working for a large dental chain found his laptop stolen.  The computer held a database containing the personal information of approximately 76,000 clients, including first names, last names and Social Security numbers. Estimated liability: $16,264,000.

5^th: Lost CDs Expose 130,495

On June 30^th, 2010 a medical center in the Bronx reported that it had failed to receive multiple CDs containing patient personal information that was sent to it by its billing associate.  These CDs were lost in transit. Information of 130,495 patients included the dates of birth, driver’s license numbers, descriptions of medical procedures, addresses, and Social Security numbers.  Estimated liability of $27,925,930.

4^th: Portable Hard Drive Theft Exposes 180,111

In Westmont, Illinois, a medical management resources company reported on May 10, 2010 that a portable hard drive had been stolen after a break-in.  The company believes the hard drive contained personally identifiable information about patients including name, address, phone, date of birth, and Social Security number. The company acknowledged that this hard drive had no encryption.  As a result, 180,111 records were exposed, creating an estimated liability of $38,543,754.

3^rd: Leased Digital Copier Leaks 409,262

On April 10^th, 2010 a New York managed care service in the Bronx reported that it was notifying 409,262 current and former customers, employees, providers, applicants for jobs, plan members, and applicants for coverage that their personal data might have been accidentally leaked through a leased digital copier. The exposure resulted because the hard drive of the leased digital copier had not been erased when returned to the warehouse. Estimated liability: $87,582,068.

2^nd: Training Center Hard Drive Theft Center Exposes 1,023,209

The theft of 57 hard drives from a medical insurance company’s Tennessee training facility in October of 2010 put at risk the private information of an estimated 1,023,209. customers in at least 32 states. The hard drives contained audio files and video files as well as data containing customers’ personal data and diagnostic information, date of birth, and Social Security numbers, names and insurance ID numbers. That data was encoded but not encrypted. Estimated liability to date: $218,966,726.

Most Expensive of 2010: Two Laptops Stolen Exposes 860,000

A Gainsville, Florida health insurance company reported in November of 2010 that two stolen laptops contained the protected information of 1.2 million people.  This is an on-going story, as new estimates are calculated.  To date, the estimated liability is $256,800,000.

Preventing Exposure: Data Encryption

These cases document that the majority of the data breaches which occurred in 2010 were not the result of hacking activities, or even unauthorized access by personnel. The greatest data losses were simply the result of computer theft of portable devices and misplaced media.  Had the contents of the files been encrypted, this could have significantly reduced the risks and liabilities of these data losses.

Time and time again, industry experts point to data encryption as the key method by which organizations can prevent inadvertent exposure of sensitive data.

Of course, no healthcare organization wants to be listed on the US Department of Health and Humans Services’ Wall of Shame.  And the costs – in dollars and in reputation – can be extraordinary.

Isn’t it about time your management got serious about data encryption?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

Managed File Transfer (MFT) systems are great for policy enforcement, access authentication, risk reduction, and more. But for HIPAA and HITECH requirements, MFT shines as a work-flow automation tool.

MFT as the B2B Enabler

It shines because Managed File Transfer systems are actually automation platforms that can help companies streamline the secure transfer of data between business partners. How? It removes many of the configuration steps traditionally required for complex Business-to-Business (B2B) processes, keeping it straightforward and manageable.

Transferring patient information is a difficult challenge which many healthcare institutions are facing. Data standards were supposed to simplify this communication between healthcare institutions and their partners. But ask any technical professional about the underlying variability of data formats, and you’ll hear a tale of potential confusion and complexity.

Nightmares of Compliance

The HITECH regulations within HIPAA require the security and privacy of healthcare records, strongly suggesting the use of data encryption. These records may travel between various healthcare-related partners including hospitals, clinics, payment processors and insurers. Each partner may require their own unique data format, and each may prefer a different encryption technique or transport protocol.

Considering these differing requirements, adding each new trading partner has traditionally needed the attention of in-house programming or manual processes, which has become hugely inefficient. Furthermore, if the new trading partner is not implemented properly, this can also create the potential for errors that may lead to data exposures. Any exposures could move the healthcare institution out of HIPAA/HITECH compliance and may cost them severely.

Simplifying and Integrating Information Transfer

A Managed File Transfer (MFT) solution can significantly reduce the potential for errors and automate those processes. With a good MFT solution, any authorized personnel should be able to quickly build transfer configurations for each healthcare business partner. This should allow for quick selection of strong encryption methods (e.g. Open PGP, SFTP, FTPS, HTTPS) based on the partner’s requirements, so that HITECH requirements are maintained. At the same time, a MFT solution creates a visible audit trail to ensure that compliance is sustained.

But, perhaps just as important, a good Managed File Transfer solution is constructed as a modular tool that can be easily integrated into existing software suites and workflow processes. In fact, a good MFT is like a plug-able transfer platform that brings the variability of all kinds of B2B communications under real management.

Now extend the MFT concept beyond the healthcare business sector, into manufacturing, finance, distribution, etc. Suddenly MFT isn’t a niche’ utility, but a productivity and automation tool that has myriad uses in multiple B2B environments.

A Day-to-day Technical Solution

Perhaps this is why the Gartner Group has identified Managed File Transfer as one of the key technologies that will propel businesses in the coming years. It’s more than just a utility suite: It’s a system that can be utilized over and over as an integral part of an organization’s solutions to automate and secure B2B relationships. In other words, MFT isn’t just for specialized compliance requirements, but a lynch-pin of efficient B2B communications technology that can bring real cost savings to every organization.

Healthcare Case Study Utilizing a MFT Solution: Bristol Hospital Takes No Risks with Sensitive Data

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

When our users send a file over the Internet there are really just a few things that seem important to them at the time:

a)      Is the file complete?

b)      Is it being sent to the right place?

c)      Will it arrive intact?

and — if the data is sensitive –

d)     Will the intended recipient (and only that recipient) be able to use it?

That’s where encryption comes in: By scrambling the data using one or more encryption algorithms, the sender of the file can feel confident that the data has been secured.

But what about the file’s recipient? Will she/he be able to decode the scrambled file?

Encryption, Decryption, and PGP

For years, PGP has been one of the most widely used technologies for encrypting and decrypting files. PGP stands for “Pretty Good Privacy” and it was developed in the early 1990s by Phillip Zimmerman. Today it is considered to be one of the safest cryptographic technologies for signing, encrypting and decrypting texts, e-mails, files, directories and even whole partitions to increase the security.

How PGP Works

PGP encryption employs a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography. Each step uses one of several supported algorithms. A resulting public key is bound to a user name and/or an e-mail address. Current versions of PGP employ both the original “Web of Trust” authentication method, and the X.509 specification of a hierarchical “Certificate Authority” method to ensure that only the right people can decode the encrypted files.

Why are these details important for you to know?

Growing Pains for PGP

PGP has gone through some significant growing pains – including a widely publicized criminal investigation by the U.S. Government. (Don’t worry! The Federal investigation was closed in 1996 after Zimmerman published the source code.)

One result of PGP’s growing pains has been the fragmentation of PGP: Earlier versions of the technology sometimes can not decode the more recent versions deployed within various software applications. This PGP versioning problem was exacerbated as the ownership of the PGP technology was handed off from one company to another over the last 20 years.

And yet, because PGP is such a powerful tool for ensuring privacy in data transmission, its use continues to spread far more quickly than other commercially owned encryption technologies.

Fragmentation and the Future of PGP

So how is the industry managing the issue of PGP fragmentation? The answer is the OpenPGP Alliance.

In January 2001, Zimmermann started the OpenPGP Alliance, establishing a Working Group of developers that are seeking the qualification of OpenPGP as an Internet Engineering Task Force (IETF) Internet Standard.

Why is this important to you? By establishing OpenPGP as an Internet Standard, fragmentation of the PGP technology can be charted and – to a large degree – controlled.

This means that the encrypted file destined for your system will be using a documented, standardized encryption technology that OpenPGP can be appropriately decrypted. The standardization helps ensure privacy, interoperability between different computing systems, and the charting of a clear path for securely interchanging data.

The OpenPGP Standard and Linoma Software

OpenPGP has now reached the second stage in the IETF’s four-step standards process, and is currently seeking draft standard status. (The standards document for OpenPGP is RFC4880.)

Linoma Software uses OpenPGP in its GoAnywhere Director Managed File Transfer solution. Just as importantly, Linoma Software is an active member of the OpenPGP Alliance, contributing to the processes that will ensure that OpenPGP becomes a documented IETF Internet Standard. This will ensure that your investment in Linoma’s GoAnywhere managed file transfer software remains current, relevant, and productive.

For more information about OpenPGP and the OpenPGP Alliance, go to http://www.openpgp.org. To better understand how OpenPGP can help your company secure its data transfers, check out Linoma Software’s GoAnywhere Director managed file transfer (MFT) solution.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

Patient Privacy in Jeopardy

How important is a patient’s privacy? If your organization is a health care facility, the instinctive answer that comes to mind is “Very important!” After all, a patient’s privacy is the basis upon which the doctor/patient relationship is based. Right?

But the real answer, when it comes to patient data, may surprise you. According to a study released by the Ponemon Institute, “patient data is being unknowingly exposed until the patients themselves detect the breach.”

The independent study, entitled “Benchmark Study on Patient Privacy and Data Security” published in November of 2010 examined  the privacy and data protection policies of 65 health care organizations, in accordance with the mandated Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached.

Patient Data Protection Not a Priority?

According to the study, seventy percent of hospitals say that protecting patient data is not a top priority. Most at risk is billing information and medical records which are not being protected. More significantly, there is little or no oversight of the data itself, as patients are the first to detect breaches and end up notifying the health care facility themselves.

The study reports that most health care organizations do not have the staff or the technology to adequately protect their patients’ information. The majority (67 percent) say that they have fewer than two staff members dedicated to data protection management.

And perhaps because of this lack of resources, sixty percent of organizations in the study had more than two data breaches in the past two years, at a cost of almost $2M per organization. The estimated cost per year to our health care systems is over $6B.

This begs the question: Why?

HITECH Rules Fail to Ensure Protection

HITECH encourages health care organizations to move to Electronic Health Records (EHR) systems to help better secure patient data. And, indeed, the majority of those organizations in the studies (89 percent) said they have either fully implemented or planned soon to fully implement EHR. Yet the HITECH regulations to date do not seem to have diminished security breaches at all, and the Ponemon Institute’s study provides a sobering evaluation:

Despite the intent of these rules (HITECH), the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.

Unintentional Actions – The Primary Cause of Breaches

According to the report, the primary causes of data loss or theft were unintentional employee action (52 percent), lost or stolen computing device (41 percent) and third-party mistakes (34 percent).

Indeed, it would seem that – with the use of EHR systems – technologies should be deployed to assist in these unintentional breaches. And while 85 percent believe they do comply with the loose legal privacy requirements of HIPAA, only 10 percent are confident that they are able to protect patient information when used by outsourcers and cloud computing providers. More significantly, only 23 percent of respondents believed they were capable of curtailing physical access to data storage devices and severs.

The study lists 20 commonly used technology methodologies encouraged by HITECH and deployed by these institutions, including firewalls, intrusion prevention systems, monitoring systems, and encryption. The confidence these institutions feel in these technologies are also listed. Firewalls are the top choice for both data breach prevention and compliance with HIPAA. Also popular for accomplishing both are access governance systems and privileged user management. Respondents favor anti-virus and anti-malware for data breach prevention and for compliance with HIPAA they favor encryption for data at rest.

The Value of Encryption

The study points to the value of encryption technologies – for both compliance purposes and for the prevention of unintended disclosure – and this value is perceived as particularly high by those who participated in the study: 72 percent see it as a necessary technology for compliance, even though only 60 percent are currently deploying it for data breach prevention. These identified needs for encryption falls just behind the use of firewalls (78 percent), and the requirements of access governance (73 percent).

Encryption for data-at-rest is one of the key technologies that HITECH specifically identifies: An encrypted file can not be accidentally examined without the appropriate credentials. In addition, some encryption packages, such as Linoma’s Crypto Complete, monitor and record when and by whom data has been examined. These safeguards permit IT security to audit the use of data to ensure that – should a intrusion breach occur – the scope and seriousness of the breach can be assessed quickly and confidently.

So how important is a patient’s privacy? We believe it’s vitally important. And this report from the Ponemon Institute should make good reading to help your organization come to terms with the growing epidemic of security breaches.

Read how Bristol Hospital utilizes GoAnywhere Director to secure sensitive data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

Last November, six hospitals and one nursing home were fined in California for data security breaches related to patient healthcare records. The total fines were $792,500 by the California Attorney General. The cause? The facilities failed to prevent unauthorized access to confidential patient medical information.

While these breaches made headline news in California, they were but the tip of the iceberg of the total healthcare record breaches in 2010. According to the Privacy Rights Clearinghouse, there were 592 reported healthcare data security breaches last year, which potentially exposed more than 11.5 million records. This was double the breaches of healthcare facilities in 2009, opening severe liabilities to the organizations that housed those patient records.

So what now? If your organization can be fined for failing to prevent unauthorized access, how can you safeguard your company’s healthcare records?

HITECH – What is it?

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, extended the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates.  On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.

What’s it mean? If your company merely does business with an organization that is involved with healthcare records, HITECH says that you are liable for any security breaches on your watch that reveal patient vital healthcare information. This could include things like names, addresses, social security and Medicare/Medicaid numbers, or any info that could lead to misuse of healthcare information.

So how can your company protect itself from this liability?

The Department of Health and Human Services (DHHS) interim Security Rule says that “a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information.” The DHHS rule does permit something called “comparable methods” in lieu of encryption, but it does not specify what those methods might be.

Encryption vs. Comparable Methods: The Vague Alternatives

To determine if your company can provide security through some so-called “comparable method” it’s important to look at the types of breaches that occurred in the past. The Privacy Rights Clearinghouse provides a good free search service to investigate at http://www.privacyrights.org.

By looking through the types of breaches that occurred in 2010, (stolen laptops, doctors emailing records to their home computers, lost or missing flash drives, unauthorized browsing by employees), the first question that you should be asking is “Can our organization really secure all those potential mechanisms for data theft without relying upon encryption?” It’s a difficult task, and the resources that your organization will expend (hardware solutions, policy solutions, etc.) can be significant.

Still, the monetary fines for failing to provide adequate protection are severe, and your management may decide that a thorough review of your security will be required.

By comparison, implementing encryption technology like Crypto Complete – is undoubtedly a faster and more cost-effective means. Crypto Complete encrypts sensitive data at the source using integrated key management, complete with auditing, field encryption and backup encryption, without interrupting the normal IT workflow. Data encryption permits the source of information itself to be put under a lock and key, and once encrypted, that data is protected from both unlawful use and the HITECH liability rule.

Now is the Time

Finally, consider the downside of ignoring the HITECH rules? Take a look at one attorney’s perspective “Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Know” to get a handle on the steps for determining the scope of the law. You’ll be surprised at how comprehensive the requirements have become, and why your management should be concerned.

Encrypting your data is the most recognized, safest and least expensive means of protecting your organization from liability from unauthorized access. If you’ve been to putting off addressing the potential pitfall of unauthorized access to your data, now is the time to investigate.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

November and December were difficult months for IT security.

Wikileaks began on Sunday November 28th publishing 251,287 leaked United States embassy cables, the largest set of confidential documents ever to be released into the public domain. How do security officials believe these documents were originally retrieved by the alleged source, Pfc. Bradley Manning? Many security professionals are wondering if FTP was the software mechanism used.

Also in the news was the security breach at the popular publication Gawker.com. Over the weekend of December 11, Gawker discovered that 1.2 million accounts were compromised, the infrastructure breached, and access to MySQL databases raided. Gawker internal FTP credentials were listed as a part of the breach.

Gawker’s problems prompted Social Networking giant LinkedIn to reset the passwords of all users that had Gawker.com accounts, for fear of contamination by hackers who had gained Gawker profile information.

Smaller national headlines of other breaches included the theft of an undisclosed number of email addresses, birth-dates, and other information by a contractor working for McDonalds.

Also, it was reported that a mailing list was pilfered from the drugstore giant Walgreens. In addition, a leak of law enforcement data was reported by a Mesa County, Colorado.

Finally, a popular Open Source FTP server software application, ProFTPD version 1.3.3c, was distributed containing a malicious backdoor that permits hackers to access FTP credentials. It is thought the attackers took advantage of an un-patched security flaw in the FTP daemon to gain access to the server and exchange distribution files.

What do these various breaches have in common? The threats may be too diverse to slip into a single category, but the likely culprit is the use of powerful native FTP, without proper, secure management. Once a doorway is left open, native unmanaged FTP access can wreak havoc in any organization.

It doesn’t have to be this way. Using a managed secure file server like Linoma Software’s GoAnywhere Services – which has granular permissions and security controls, along with detailed audit logs and alerts – IT can monitor and better secure and control its data resources.

Regardless of how your organization or your trusted business partners are configured to exchange data, isn’t it time to consider a better way to manage your company’s file transfer security?

Related Blog Post: Are You Confident Your FTP Credentials are Secure?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

Nesting Dolls to Wormholes

Do You Know Where Your FTP Credentials Are?

A security researcher named Chris Larson happened onto a curious website last September that had been serving some malicious-looking exe files. While poking around, he wrote in his blog, “I came across an ‘unlocked door’ on the malicious Web site and took a look inside.” Treading like an adventurer in Alice’s Wonderland, Larson discovered that this little doorway opened into a world of potential hurt for companies around the world.

There was a strange, oddly-sized GIF file that, with further poking, revealed a hidden payload. The GIF, when poked, revealed four text files. Little by little, their contents spilled out, until, finally it revealed a dark criminal archive. The files contained the login credentials of more than 100,000 FTP sites.

It was an unbelievable discovery, like a Russian nesting doll, that – when unpacked – opened a veritable wormhole to FTP sites around the world: Domain names, User IDs, and Passwords.

Nearly two thousand of these FTP credentials were the domain credentials from one particular site that claimed to Web-host nearly two hundred thousand separate FTP sites. Another file contained a hundred thousand credentials from a variety of unrelated individual sites. Using this archive of FTP credentials, the thief (or thieves) could penetrate, inspect, and selectively harvest the information contained within stored files that users had transferred between their workstations and their corporate computers.

How this archive was assembled and hidden demonstrates how the network of thieves profits and expands. Larson noticed a duplication of a small percentage of the FTP credentials. This seems to indicate that the archive was probably robotically created by a virus or Trojan.

Larson had discovered an actual retail operation that gathers FTP credentials, and then sells those credentials – like a retail mailing list — throughout the underworld to anyone who can pay the price. The archive, in its hidden GIF packaging, appears to be the actual product. Such an archive would be valuable to identity thieves with its hidden payload. In this state, it was ready to be transmitted to other thieves, running beneath the radar of security network packet sniffers.

This begs the question: “Do you know where your company’s FTP credentials are stored?” If your company is using a managed file transfer (MFT) suite like Linoma’s GoAnywhere, you already know the answer.

The best MFT suites manage the access to FTP, centralize the file transfer process, and secure the credentials that are communicated between hosts. By using a MFT suite, IT can institute rules by which file transfer credentials are organized, encrypt the transfers themselves, and log every transfer activity. User credentials to other servers are also centralized and secured, and the connection rules that your business partners use can be managed to ensure that user ids and passwords regularly updated.

Chris Larsen uncovered a secret world in which the doors to our systems – and our business partner’s systems – are sold as simple commodities, available to anyone who can pay the price. It’s like a toyshop where your company’s FTP credentials are displayed like exotic dolls, nested within a GIF wrapping: a GIF that promises to keep on giving.

Isn’t it time to do something about it?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that call the glob() function. “Globbing” is a pervasive function that permits the use of wildcard patterns to identify file names. It’s one of the most commonly used processes in transferring large numbers of files with FTP: Instead of individually selecting files, a user may select a folder or a group of files based upon a common string. The common use of *.doc or *.* are examples.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001.  That feature – called GLOB_LIMIT – was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system’s main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place – not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client’s data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it’s important to either disable globbing in the configuration of the server side, and/or to contact the software vendor about the use of this underlying function to discuss how to the function.

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a “need-to-know basis” (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve.

QSAs reported that the three most common business reasons for storing cardholder data are:

• Handling charge-backs
• Providing customer service
• Processing recurring subscriptions

In order to service these customer’s requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what’s the best way to both satisfy the requirements of PCI and still make secured data transparent to applications?

The strategy QSAs recommend is to lock down the cardholder data with technologies that:

1. Restrict the access
2. Encrypt the data
3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all.  Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA’s three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host – and to ensure that the data isn’t misused when the data is at rest or while being transferred.

Linoma Software’s data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI-DSS V2

Industry security analysts will still complain that PCI-DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn’t provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI-DSS Version 2.0 to implement the best possible data security for our customers’ credit card data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

Website - More Posts