-----BEGIN ENCRYPTED MESSAGE-----

The majority of people in the United States probably have no idea what is contained in the Health Insurance Portability and Accountability Act (HIPAA). Similarly, most people are clueless about the Payment Card Industry (PCI) standards. Despite this, most of us who work in those fields are expected to not only know about them, but understand the security ramifications behind them. This gets to be even more complicated when you have to take into account that a number of the systems that are part of HIPAA or PCI based purchases are connected to the web.

We can pretty much all agree that web servers, regardless of the underlying OS, are vulnerable to attack. Further, we can also agree that once breached, there is a gold mine of data behind these web servers that the bad guys are just salivating to get their hands on. What most people forget, or more correctly seem to overlook, is that the majority of data breaches in the United States in recent memory have not been from the outside in, but from the inside out. As architects and administrators, security specialists and day-to-day users, it is our responsibility to ensure that the data we use daily in our jobs is stored as securely and as safely as possible.

Let’s review. In my last post, I mentioned the break-in at the Commonwealth of Virginia’s Prescription Monitoring program. This was probably an attack from the outside, and the bad guys managed to get the data and encrypt it, thus holding it for ransom. What I find strange is that they were able to get any data at all. Under the rules of HIPAA, that data should have been encrypted already.

If I were to take a survey, and maybe we will see if we can get the Linux Journal to whip one up for us, how many of you encrypt the data on your laptops as a general practice? If you are in the US Federal Government, all of you should have your hands up, regardless of operating system. The issue of wandering laptops came to a head in 2006 when one was stolen from an employee of the Department of Veterans Affairs. Not to belittle the issue, but other than bad luck, the employee had not really done anything wrong, according to my sources at the Department. He was in a position where he was entitled to access and use the data.

How many of you encrypt the data on your servers? I expect there are fewer hands in the air; after all, servers are generally locked away in a building somewhere, and most people never get access to them - except in the case of the data theft at TJX. Again, however, the data was stolen by people with a legitimate need to access the data as a part of their jobs. Perhaps better screening of employees who have access to data that is supposed to fall under the PCI standards is needed. I believe it is fairly safe to say most of us have never had a hard disk go walking.

How many of you encrypt your backup tapes? I expect there are even fewer hands, even though Citigroup lost a bunch of backup tapes in shipment. Do we blame UPS for losing the tapes? Or Citi for not taking proper precautions? Or, perhaps, again, they never even considered it a risk.

Finally, how many of you encrypt the hard disks of your desktops? I can hear the laughter as you tell me that most of your desktops barely have enough power to launch the current office automation suite you are using, much less do encryption, yet I am sure we all know someone or have worked with a team where desktops have disappeared. Several years ago, a company I was working at lost six workstations from the accounting department. To this day I have no idea if they were ever recovered or if there was any data on them that was significant or sensitive.

For many companies, the data is the crown jewels. Millions of bytes are circulated every day on networks that, but for a little bit of probing, are as frail as a strand of hair and less well protected. We spend millions of dollars securing and reducing the risk of penetration from the outside, yet very few companies take the basic steps to secure their data internally. There are simple things that we can all do - such as IPSec on the wire, encryption in the backend and proper security on the desktops. We must think about more than a simple username and password scheme when it comes to securing our data from the bad guys, because, quite often, the bad guys are none other than that cute redhead who just asked you to reset her password. And it wasn’t for her account.

______________________

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Comments


i've a program(spy message)i

Anonymous's picture

i've a program(spy message)i can hide(encrypt) messages using images i found it in this link
http://WWW.Flashpile.com
it really works

Hospitals also need to be

Anonymous's picture

Hospitals also need to be careful to only provide user accounts to authorized users (aka doctors, nurses, etc.) and NOT patients. I've seen a few close calls with this one.

In addition to carefully monitoring who gets accounts, hospitals need to be careful with unlocked workstations in examination rooms and hallways. I could not tell you how many times I've noticed an unlocked, fully accessible workstation (complete with a minimized but open and logged into records-system).

Yes, I also know that both of these should be common sense, but in my experience, they still need to be mentioned.

Encryption software is not reliable!

Zeke Krahlin's picture

Truecrypt corrupted my partition. By the tenth time I tried to access my data, it failed. Until encryption software becomes truly reliable, I'll abstain. For my laptop, I encrypt the hard drive via the BIOS (also encrypting BIOS access), and require a password to log in to a Linux session.

Maybe we need an article on encryption?

David Lane's picture

Here is a question (and a pitch for an article). Would it be beneficial for Linux Journal (either in the magazine or the web site) to run an article (or two) on encryption? Data, disk and network? I know it has been a while since we did one on the IPSec standard, and certainly there are a number of tools for disk encryption. But also there are things like on-the-fly data encryption for databases (I cannot write that one but I have seen it done), in-line email encryption etc?

Let us know and if there is enough interest and what you would be interested in seeing covered, I will see if I can find an author.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

I am always interested in

~S~'s picture

I am always interested in security topics for the LJ!

Also, I use disk based encryption (LUKS) for my server and laptop. I use truecrypt for some personal documents that I keep on my thumbdrive (along with the debs, rpms, and exe for truecrypt :-)

Interest in an LJ article on encryption

davescafe's picture

I would love to see an article (or two) on Linux encryption. Recently, one of the vice presidents where I worked asked me about encrypting the USB drives used in the HR department. I am also interested in laptop encryption as a protection against data loss due to laptop theft.

Encryption is the solution

dangerseeker's picture

Hi,

I've got an Acer Aspire One netbook with Debian Lenny and encrypted my home partition, located on an SD card.

Question: How many passwords do I need to secure the machine?
Answer: EIGHT!
1. BIOS Supervisor Password
2. BIOS Bootpassword
3. Harddisk Password
4. GRUB password
5. Encrypted root partition (/)
6. Encrypted home partition (/home)
(SWAP is encrypted with a new password on every boot)
7. root account
8. user account

All have to be secure, 10 to 12 characters (upper and lower case, numbers and special characters)...

To actually use it you need only 4 of them, but still...

This is ridiculous and totally unusable! Memorizing passwords is not my day job.

It's all in the setup

Anonymous's picture

All you have to do is create a single encrypted LVM that contains / /home and swap and you can update your list as follows:

1. BIOS Supervisor Password [NOT NEEDED, they can feel free to boot to alternate media, they still can't read the data]
2. BIOS Bootpassword [NOT NEEDED, they can feel free to try booting, but they will have to know/provide the decryption key/phrase]
3. Harddisk Password [NOT NEEDED, the data is encrypted]
4. GRUB password [ NOT NEEDED see comment in #2]
5. Encrypted root partition (/) [COMBINED IN AN LVM]
6. Encrypted home partition (/home) [COMBINED IN AN LVM]
(SWAP is encrypted with a new password on every boot)[COMBINED IN AN LVM]
7. root account
8. user account

So your list becomes

1. LVM password
2. user account password
3. root account password

and if you're the only one using the machine you could set it to auto login when it boots since you already authenticated when you decrypted. Then it's just one password that you enter in order to boot the machine and another when you need root access.
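A check that follows from the two comments above (the eight-password list and the single-encrypted-LVM layout), added here as an example and not code from the post or its commenters: once /, /home and swap are supposed to live inside one LUKS container, the thing worth verifying is that every mounted filesystem and the swap device really does sit underneath a dm-crypt node in the block-device tree. The script parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` emits and reports any mountpoint with no "crypt" ancestor. The sample `lsblk` output is constructed to match the layout described (LUKS on sda2, an LVM volume group inside it, /boot left in the clear) plus a plaintext USB stick so a finding is visible; the allowlist of /boot and /boot/efi is an assumption about a typical install, not something the page states.

```python
"""Audit whether every mounted filesystem (and swap) sits on top of a
dm-crypt device, using the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.

Added example, not part of the original post. The sample lsblk output is
constructed to mirror the commenter's layout: one LUKS container holding an
LVM volume group with /, /home and swap, with /boot left unencrypted.
"""
from __future__ import annotations

import json
import subprocess
from typing import Iterator

# Constructed sample: sda2_crypt (type "crypt") wraps the LVM volume group;
# /boot stays plaintext because the boot loader has to read it. A second,
# plaintext USB stick is included so the audit has something to flag.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "sda2_crypt", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
          {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Assumed allowlist: mountpoints that are expected to be plaintext on a
# typical install because the firmware/boot loader reads them pre-decryption.
DEFAULT_ALLOW = frozenset({"/boot", "/boot/efi"})


def _walk(devices, under_crypt: bool = False) -> Iterator[tuple[str, str, bool]]:
    """Yield (device name, mountpoint, encrypted?) for every mounted node.

    A node counts as encrypted when it, or any ancestor in the lsblk tree,
    is a dm-crypt ("crypt") device; LVM volumes inherit that from the
    container they are carved out of.
    """
    for dev in devices:
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield dev["name"], mountpoint, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def mount_encryption_status(lsblk_json: str) -> dict[str, bool]:
    """Map each mountpoint (including '[SWAP]') to True if it is encrypted."""
    tree = json.loads(lsblk_json)
    return {mp: enc for _name, mp, enc in _walk(tree["blockdevices"])}


def unencrypted_mounts(lsblk_json: str, allow=DEFAULT_ALLOW) -> list[str]:
    """Return the mountpoints holding data in the clear, minus the allowlist."""
    status = mount_encryption_status(lsblk_json)
    return sorted(mp for mp, enc in status.items() if not enc and mp not in allow)


def audit_live_system() -> list[str]:
    """Run lsblk on this host and return its unencrypted mountpoints."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mp, enc in sorted(mount_encryption_status(SAMPLE_LSBLK_JSON).items()):
        print(f"{mp:12} {'encrypted' if enc else 'PLAINTEXT'}")
    print("findings:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
```

On the constructed sample the only finding is /media/usb; run `audit_live_system()` instead of the sample to check a real machine. Note that the check only tells you the block device is a dm-crypt mapping, not how it is keyed: a container opened automatically from a keyfile on an unencrypted /boot still passes this test while offering little protection against a thief who has the whole disk.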

It's PHI, not PCI

Anonymous's picture

HIPAA uses PHI as the abbreviation for Protected Health Information.

HIPAA does not refer to PCI.

Correct

David Lane's picture

HIPAA is Health Information, PCI is credit card and related information. However, both HIPAA and PCI have similar requirements for data protection.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

I can tell you that I tried

Anonymous's picture

I can tell you that I tried to encrypt my laptop with TrueCrypt full HD encryption and OS encryption. I wrote down the password on an index card to make absolutely sure I was writing it right. Then at third boot in the process it didn't accept it anymore. I was at this for about a week or two. This was with Windows XP. I have a Comp. Sci. degree and have been in the field 3 years. If it was this frustrating to me, imagine getting joe user that only knows the basics to encrypt their data.

What I ended up doing is using XP's basic HD encryption on folders that may have important stuff. The only problem with this is, if the laptop or HD starts to give problems, it may be impossible to get that data out. I keep backups, but this is another problem with organizations.

Still, I do agree all this data should be encrypted and protected. Like it or not, the human factor should be dealt with, since as much as we want to solve the problem programmatically, there will be a Murphy-like human to damage it.

TrueCrypt problems

Keith Daniels's picture

I also had problems on an Ubuntu 8.04 installation of TrueCrypt. I created a 20 gig file with no problems and then added about 6 gigs of data. Everything went fine for the first few days. The last day I spent a few hours organizing the folders and files then tried to drag and drop some of the folders on to my usb drive. This corrupted the usb drive so I rebooted to see if that might let me access the usb drive and delete the bad data (No it wouldn't). Before I turned off the computer I unmounted the encrypted folder with the TrueCrypt control panel. When I restarted the computer there was no encrypted folder and no evidence that there ever had been an encrypted folder on the drive.

I also had to reformat the usb drive before it would work again.

I'm taking TrueCrypt off my computer. It really sounded good, I'm sorry it isn't safe to use.

"I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone."
-- Bjarne Stroustrup

Windows and Truecrypt

dangerseeker's picture

Hi,

There are known problems with TrueCrypt and the "copy protection" implemented by several vendors who mess in an undocumented way with "unused" disk space... Whose fault?

You can encrypt already encrypted data

ghendar's picture

It's possible that the CVPM data in question was already encrypted and that the person responsible merely encrypted over it in order to hold it for ransom.

After all, if the data weren't encrypted already, it would probably be more profitable for him/her/them (with a greater chance of a payoff and a far less chance of getting caught) to just quietly copy the data and sell it elsewhere rather than come at the victim head on like this.

Agreed

David Lane's picture

Yes, you can encrypt encrypted data...which of course would result in the same hostage mechanism, but in the case of Virginia, that to me indicates a very sophisticated level of attack, and the attack, as reported did not seem that sophisticated...after all, why hold it hostage? It is not like the Commonwealth is going to actually pay the fee.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

I thought PCI meant...

Anonymous's picture

Payment Card Industry? WTF? I always thought it stood for Peripheral Component Interconnect, a hardware expansion interface created by Intel in 1993 ( http://en.wikipedia.org/wiki/PCI_Local_Bus ). Oh look, they have a Wikipedia entry for Payment Card Industry too => http://en.wikipedia.org/wiki/Payment_card_industry

It depends on the context

Salvadesswaran's picture

Well, in a discussion on hardware, PCI means Peripheral Component Interconnect, but this is an article on data security so Payment Card Industry Data Security Standard is what PCI standard means.

You are both wrong.

Anonymous's picture

PCI stands for Patient Care Information.

No...

David Lane's picture

While some hospitals may refer to patient care data as pci, in this case PCI is the Payment Card Industry (which is why I spelled it out in the first paragraph).

Most of the time, you will see the term Personally Identifiable Information (PII) when talking about the actual information in HIPAA (and other) systems that need to be protected or scrubbed and that usually refers to Social Security number, name, address, date of birth, etc, depending on the information.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Sorry!

Anonymous's picture

Sorry! I was thinking of PHI, Patient Healthcare Information.
