- Email: [email protected]
Health Net hit by lawsuit
NEWS
Health Net hit by lawsuit
H
ealth insurance giant Health Net is the subject of a groundbreaking lawsuit filed against it by the State of Connecticut. Connecticut Attorney General Richard Blumenthal filed the suit following a data breach that saw 446 000 Connecticut residents’ records compromised.
Blumenthal argued that Health Net failed to secure private medical records and financial information. The company also failed to promptly notify consumers endangered by the security breach, the lawsuit alleges. The action against Health Net is particularly significant because it brings into play the Health Insurance Portability and Accountability Act (HIPAA). The State is seeking an injunction against Health Net stopping it from violating HIPAA. It is the first action by a state attorney involving HIPAA since those public officials were given the right to enforce the legislation. Health Net – now owned by UnitedHealth Group and Oxford Health Plans – lost a portable disk drive last May containing unencrypted personal information. Data on the drive included health information, social security numbers, and bank account numbers. Insurance claim forms, membership forms, appeals and grievances, correspondence and medical records were also on the disk. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers,” Blumenthal said, adding that Health Net downplayed the danger.
Encrypted drives susceptible to attack
V
endors of encrypted USB drives are issuing security updates and recalling products of theirs that had been certified by the National Institute of Science and Technology (NIST) after it was found that attackers could access encrypted data on the drives.
Experts from German penetration testing company SYSS discovered a flaw
January 2010
in the way that the Windows-based password entry program accesses the encrypted USB drives. The flaw enables attackers to access the encrypted data without having to grapple with the AES256 encryption algorithm used to scramble the data. SYSS discovered that the Windowsbased password access software always sends the same character string to the drive to access the data, regardless of the password that is used. The company was able to alter the source code of the software, making it send the character string to access the encrypted data regardless of which password was entered. Upon hearing the news, Kingston issued a recall for its DataTraveler BlackBox, Secure, and Elite ranges of encrypted USB drives, although the company said that several of its other drives were not affected. Verbatim chose not to recall its encrypted drives, but instead provided a software update to fix the problem. “This issue is only applicable to the application running on the host system,” the company noted. “It does not apply to the device hardware.” SanDisk indicated the same thing, providing a software patch for its encrypted device access mechanism. The flaw affects 16 of its encrypted drive SKUs, it said. All of these encrypted drives were issued with a FIPS 140-2 Level 2 certificate by the National Institute of Standards and Technology in the US. This enables them to be used to store sensitive government data.
McAfee predicts attacks on hybrid applications Applications that blur the boundaries between online and offline software will be a primary hacker target this year, according to McAfee. In its 2010 Threat Predictions Report, McAfee said that the advent of HTML 5 – a yet-to-be-ratified, enhanced version of the HTML language used to create web pages – is blurring the line between the internet and the desktop. New functionality in the language makes web apps act more like desktop computer software than ever before. The hacker commu-
nity will be drawn to this phenomenon, McAfee predicted. An example of a HTML 5-based application is Google Wave, which reinvents email, combining it with instant messaging-like functionality to create online conversations that can be embedded in other web pages. The anti-virus vendor singled out Google’s Chrome OS as a technology that will complement the new language to draw interest from hacker groups. Chrome OS, an open-source operating system that was released to developers in November, is designed for use on netbooks and other small footprint devices that rely almost exclusively on internetbased applications for their operation. The system is scheduled for end-user release later this year. “Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich internet experience, but also offline applications. Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers”, McAfee continued. The document also suggested that the hacker community may switch its emphasis from Microsoft to Adobe. “In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot”, it said. Adobe has already seen several zero-day attacks from hacker groups targeting these two. Other, perhaps more obvious, predictions from the report include more sophisticated hacker threats targeting social networking applications, as their user numbers increase, and cleverer banking trojans (it’s generally a safe bet to assume that the hacker underground won’t become dumber and simpler, and neither will its products).
ISACA launches risk certification Non-profit security body ISACA has launched a new risk management qualification for information security professionals. The Certified in Risk and Information Systems Control (CRISC) certification targets professionals in the IT area who use
Computer Fraud & Security
3
Health Net hit by lawsuit
H
ealth insurance giant Health Net is the subject of a groundbreaking lawsuit filed against it by the State of Connecticut. Connecticut Attorney General Richard Blumenthal filed the suit following a data breach that saw 446 000 Connecticut residents’ records compromised.
Blumenthal argued that Health Net failed to secure private medical records and financial information. The company also failed to promptly notify consumers endangered by the security breach, the lawsuit alleges. The action against Health Net is particularly significant because it brings into play the Health Insurance Portability and Accountability Act (HIPAA). The State is seeking an injunction against Health Net stopping it from violating HIPAA. It is the first action by a state attorney involving HIPAA since those public officials were given the right to enforce the legislation. Health Net – now owned by UnitedHealth Group and Oxford Health Plans – lost a portable disk drive last May containing unencrypted personal information. Data on the drive included health information, social security numbers, and bank account numbers. Insurance claim forms, membership forms, appeals and grievances, correspondence and medical records were also on the disk. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers,” Blumenthal said, adding that Health Net downplayed the danger.
Encrypted drives susceptible to attack
V
endors of encrypted USB drives are issuing security updates and recalling products of theirs that had been certified by the National Institute of Science and Technology (NIST) after it was found that attackers could access encrypted data on the drives.
Experts from German penetration testing company SYSS discovered a flaw
January 2010
in the way that the Windows-based password entry program accesses the encrypted USB drives. The flaw enables attackers to access the encrypted data without having to grapple with the AES256 encryption algorithm used to scramble the data. SYSS discovered that the Windowsbased password access software always sends the same character string to the drive to access the data, regardless of the password that is used. The company was able to alter the source code of the software, making it send the character string to access the encrypted data regardless of which password was entered. Upon hearing the news, Kingston issued a recall for its DataTraveler BlackBox, Secure, and Elite ranges of encrypted USB drives, although the company said that several of its other drives were not affected. Verbatim chose not to recall its encrypted drives, but instead provided a software update to fix the problem. “This issue is only applicable to the application running on the host system,” the company noted. “It does not apply to the device hardware.” SanDisk indicated the same thing, providing a software patch for its encrypted device access mechanism. The flaw affects 16 of its encrypted drive SKUs, it said. All of these encrypted drives were issued with a FIPS 140-2 Level 2 certificate by the National Institute of Standards and Technology in the US. This enables them to be used to store sensitive government data.
McAfee predicts attacks on hybrid applications Applications that blur the boundaries between online and offline software will be a primary hacker target this year, according to McAfee. In its 2010 Threat Predictions Report, McAfee said that the advent of HTML 5 – a yet-to-be-ratified, enhanced version of the HTML language used to create web pages – is blurring the line between the internet and the desktop. New functionality in the language makes web apps act more like desktop computer software than ever before. The hacker commu-
nity will be drawn to this phenomenon, McAfee predicted. An example of a HTML 5-based application is Google Wave, which reinvents email, combining it with instant messaging-like functionality to create online conversations that can be embedded in other web pages. The anti-virus vendor singled out Google’s Chrome OS as a technology that will complement the new language to draw interest from hacker groups. Chrome OS, an open-source operating system that was released to developers in November, is designed for use on netbooks and other small footprint devices that rely almost exclusively on internetbased applications for their operation. The system is scheduled for end-user release later this year. “Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich internet experience, but also offline applications. Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers”, McAfee continued. The document also suggested that the hacker community may switch its emphasis from Microsoft to Adobe. “In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot”, it said. Adobe has already seen several zero-day attacks from hacker groups targeting these two. Other, perhaps more obvious, predictions from the report include more sophisticated hacker threats targeting social networking applications, as their user numbers increase, and cleverer banking trojans (it’s generally a safe bet to assume that the hacker underground won’t become dumber and simpler, and neither will its products).
ISACA launches risk certification Non-profit security body ISACA has launched a new risk management qualification for information security professionals. The Certified in Risk and Information Systems Control (CRISC) certification targets professionals in the IT area who use
Computer Fraud & Security
3