UVA Health System Breach

The University of Virginia Health System is notifying a little less than 2,000 patients know that there information may have been exposed by an unauthorized third party. UVA Health System is just finding out about this breach after it has happened several years later. The exact count of people that were affected is 1,882 people, all being patients. These patients data may have been involved but it is not clear. The type of patient information that they would have had access to was names, diagnoses, treatment information, dates of birth, and addresses. Lucky for the patients their social security numbers and financial information were not viewable by the computer that was infected. In response to the breach UVA Health System reported the breach to authorities on December 23, 2017. The person who was behind the attack was arrested and it does not seem like any of the information was used maliciously.

–  Barry Nitzel

 

Source:

https://www.scmagazine.com/2000-uva-health-system-patients-information-compromised/article/745936/

 

 

 

Patients’ info from University of Virginia at risk

The university of Virginia (UVA) has undergone issuing an apology for to the patients that had been effected by a data breach. On December 23, 2017, UVA became aware of an unauthorized third party that has had access to patient information from May 3, 2015 to December 27, 2016 through a laptop that was owned by one of the physicians of the university’s health system. The physician had access to patient records that would allow him to see information which includes: Patient name, diagnoses, treatment, date of birth and home address. A patient’s financial status or social security number was mentioned to not be accessible, but a patient’s healthcare information was not detailed in the report.
The university has been working with the FBI, where an internal investigation was done. The FBI has arrested the third party individual and can confirm from interrogation that patients’ information was not used or shared in any way. Letters have been sent out to the effected patients, about 1900 or so individuals, to review statements and verify information sent from their health insurance provider. If patients find incorrect info, a dedicated support line was opened by UVA for this matter. The call center specializes in assisting patients that look to correct or invalidate inquiries regarding the incident.
As for the security of UVA, they issued this statement: “We are sorry this happened and regret any inconvenience or concern this incident may cause our patients. To help prevent something like this from happening in the future, we are enhancing the security measures required to remotely access UVA Health System information.” The details behind UVA enhancing security has not been disseminated yet.
— Serge Louis

Sources: https://uvahealth.com/privacy-notice-for-uva-health-system-patients
https://www.scmagazine.com/2000-uva-health-system-patients-information-compromised/article/745936/
UVA Health System warns patients of data breach

Hackers hijack Tesla’s cloud system to mine cryptocurrency

Tesla’s cloud system was hijacked by attackers last week. The company’s Kubernetes administration console was not password protected, which left the company extremely vulnerable. With this vulnerability, attackers sent Stratum, a cryptocurrency mining software to Tesla’s Amazon Web Services account.

This event was another occurrence of ‘cryptojacking’, which is when an attacker deploys malware to “mine” cryptocurrency. The cryptocurrency mined in this attack was not specified.

RedLock is the security company responsible for protecting the company’s cloud system. Gaurav Kumar, CTO of RedLock, made an announcement about the attack last Tuesday. “The message from this research is loud and clear — the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities.”

A spokesperson for Tesla assured that this attack did not affect the safety of their vehicles, saying “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

– Spencer Fleming

Source: https://www.cnbc.com/2018/02/21/hackers-hijack-teslas-cloud-system-to-mine-cryptocurrency-redlock.html

The Evolution of Cryptography

Throughout history, keeping data secure was a major issue. Messengers in times as far back as ancient Greece would try to keep information secure using things like invisible ink, and shaving the messenger’s head, writing the message on his head, and letting the hair grow back. These tricks are classified as steganography, which means to conceal information. This was useful for keeping information where your enemy couldn’t find it, but eventually, methods of making information unreadable, called encryption, came about. The first major method of encryption, called the shift cipher, was widely used for centuries.

Eventually, different nations, eager to read stolen information from their enemies, started to develop methods of breaking codes. In the case of the shift cipher, frequency analysis was used to determine how much a message was shifted. This lead to a sort of evolutionary conflict. Code makers would develop a new method of encryption, ad code breakers would find some way to beat it, and the cycle would continue. Ciphers like the poly alphabetic cipher, le chiffre indechiffrable, and enigma all came and went. Today, we use systems like public key encryption and RSA to encode our data, but even these codes aren’t unbreakable.

We are approaching a new age of computing and of encryption as a whole. The advent of quantum computers will greatly change the state of security. Systems like RSA will no longer be as secure, as quantum computers will allow things like Shor’s Algorithm to run, which quickly solves RSA encryption. Code makers will have to adapt to this new technology, but I have confidence that they will.

 

Sources: The Code Book by Simon Singh

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook has been ordered to cease tracking through third party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms and service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user id for select users, possibly requiring Facebook to resort to cross referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause runs under the assumption that Facebook haven’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court