Blog Feed

Why is healthcare data security so important?

Posted by on 18:45 in R&D | 0 comments

Health is the main value of every person. But we start to understand this only when there is a threat of losing it. The cause may be not only bad habits or accidents but also viruses: both the common flu and … computer viruses. Since we started to use electronic medical records, healthcare data security has become one of the most important aspects of data protection. Let’s find out why.

In recent years, hackers’ interest in electronic medical records has increased sharply. On the black market, this kind of information is much more valuable than credit card numbers and bank account passwords. The trend may be surprising, but if you think about it, the reasons are quite obvious. After all, the data in electronic medical records contains: patients’ names and dates of birth; addresses (postal and electronic); phone numbers; places of work and positions; IDs, card numbers, medical and social insurance. This information can be used for complete identity theft, rather than just for a one-time bank account hack.

Another important reason is the weak protection of patients’ data in medical institutions. Banks and other financial institutions have already created a strong system of data protection. Two-factor authentication has become a ubiquitous standard for banks. Bank clients can get access to the information only after entering an OTP (one-time password). Public health associations, on the contrary, have not paid attention to health data security measures for a long time and have thus become easy prey for hackers.

How the fraudsters use stolen electronic medical records

In addition to the identity theft mentioned above, there are other ways to use the information contained in electronic medical records. Among them, there are three ways specific to this type of information.

Receiving medical care at the expense of others. Some treatments can be expensive, and thus physician services received by the fraudsters can damage a victim’s financial well-being.

Machinations with medicines. Hackers who are in good health and don’t need treatment can earn a good income by ordering expensive drugs on behalf of a legitimate medical cardholder in order to resell them.

Conspiracy with clinic employees. If criminals manage to get in touch with an unscrupulous clinic, an insurance company may be billed for services that have never been rendered, and the money will be divided between the clinic and the fraudsters.

Why the medical records hacks are dangerous

Medical data hacks may not only result in material losses but also endanger the health and lives of the people whose information was stolen. After all, the fraudulent actions (receiving medical services, purchasing medicines) get into the real clinical history of the patient. And if the real owner needs urgent help, physicians will be misled by incorrect information that has no relation to the patient. For example, a person may have an allergic reaction to some drugs, but it won’t be specified in the electronic medical records because of the fraudster’s intervention. We should keep in mind that although you can easily lock and subsequently change bank accounts and cards, it is completely impossible to get back compromised and disclosed medical data.

Healthcare data security tips

Despite all the dangers healthcare data security encounters in the age of...

Protectimus New OTP Tokens

Posted by on 13:54 in Protectimus Products | 0 comments

The range of Protectimus OTP tokens has been expanded with new hardware tokens for generating one-time passwords. Meet Protectimus TWO and Protectimus SLIM mini.

Protectimus TWO is a handy hardware token made in the form of a key fob. It works according to the TOTP algorithm. It is waterproof, and its battery life is up to 5 years. The main distinguishing feature of this token is the possibility to select the time interval during which the one-time passwords will be valid: 30 or 60 seconds.

Protectimus SLIM mini is a miniature modern TOTP token in smart-card form. This is a token of the new generation. It can be reflashed with the help of NFC technology. Here you can also adjust the lifetime of the OTP passwords. With the help of a special application, you can view all the information about this token you need. The Protectimus SLIM mini OTP token can be used for authentication in Google, Facebook, Twitter, Dropbox, and other popular resources. Its size is half that of an ordinary credit card, which is very convenient for the end user.

On request, the tokens can be made in the colors of the client’s brand and with the client’s logo. For more information about these tokens and their prices, please visit our website...

Comic stories #5

Posted by on 18:33 in Humour | 0 comments

Announcement: 55-year-old woman, the mother of three coders, asks someone not so psycho to teach her the Internet.

Yesterday, the electricity was switched off… I spent two hours without the Internet… I communicated with my family, they turned out to be pretty nice...

Information Security Trends 2016

Posted by on 15:07 in R&D | 1 comment

Today, computers and the internet are not just toys that help people spend their free time. Above all, they are the most important work instruments. Their safety and effectiveness determine the business success and prosperity of a large number of people. Thus, it is not surprising that today information security is a matter of interest to many. What are the main information security trends of 2016? What challenges will we have to cope with in the future? What mistakes can be avoided and, most importantly, in what direction should we develop further?

Hackers hunt not only the big game

In the view of the majority of people, the hackers’ main targets are large multinational corporations and high-level government agencies, such as the Defense or Finance Ministries. In fact, these targets are usually very well protected. Getting into their systems requires the highest level of skill. It is much easier and often more profitable for hackers to pay attention to smaller structures. As a rule, these do not have enough funds to ensure information security. At the same time, the data stored on their servers is often no less important.

Today hackers are stepping up their attacks on small businesses and, especially, healthcare institutions. If you think about it, you’ll understand that the registration office of a health center in a small town is a more attractive titbit than a bank database with credit card numbers. The medical record of any person provides almost all the information about a patient, from the exact address and passport data to the same credit card and social security card numbers. That’s why reliable data protection is necessary not only for financial institutions. In 2015, 3 of the 5 major leaks happened in healthcare system enterprises. And it seems this trend will continue.

The vulnerability of megalopolises

A town-dweller depends on the benefits of civilization much more strongly than a countryman. If there is a well in the yard, a water pipe accident will not scare a countryman. When the central heating is turned off, he can always stoke a fireplace. And if the electricity is cut off, primitive candles are always in reserve. At the same time, life in a huge metropolis can be completely paralyzed by a failure of any part of the life support system. Thus, cyber-attacks on the computer systems of large infrastructure objects are extremely dangerous, and these systems can become an attractive target for fraudsters of all stripes. And it is not about the material losses at all…

The importance of the human factor

Investing a lot of money in security does not guarantee complete protection from all kinds of risks. The human factor also requires close attention. In the long-term fight with Trojans and bots, information security experts often forget that today hackers are armed not only with viruses but also with the latest achievements of social engineering. A focus on improving software and hardware alone is destined to fail, because a careless clerk, not a tricky virus, can do more harm to the business. And he will do it not on purpose, but out of ignorance. Thus, not only technical staff should be taught the basics of information security, but also the cleaning personnel, secretaries, managers, etc. It is necessary to bring to the...

Comic stories #4

Posted by on 11:07 in Humour | 0 comments

Three phrases causing panic: It will not hurt. I want to talk to you seriously. Incorrect login or password.

Do you want to hide important information on your computer? Place it in the folder named “Read. Me!” or even better “license...

Mobile Trojan Virus Android.Bankosy Intercepts One-Time Passwords

Posted by on 19:08 in Industry News | 5 comments

We store a lot of important information on the network: personal correspondence, photos, documents. For the most part, these are spiritual values: precious memories and the fruits of hours-long labor. But the Internet also stores rather concrete financial ‘matters’: our money. Today many people use online banking, as it is convenient to transfer funds, pay for services, and control your accounts online. It is no wonder that fraudsters of all sorts pay special attention to online banking resources and tirelessly attack them, constantly coming up with something new. Not so long ago, a new version of the mobile trojan called Android.Bankosy was discovered.

What is dangerous in the trojan virus Android.Bankosy

This virus intercepts one-time passwords used in banking applications for two-factor authentication (2FA). Temporary OTP passwords used for the two-step authentication of the user are often sent via text messages. Earlier, different versions of banking trojan viruses, Android.Bankosy among them, learned to intercept the authentication code sent this way. In response to this threat, cyber security specialists developed and introduced systems that send one-time passwords via voice calls from the bank. It seemed that reliable data protection was ensured.

But as it has turned out, even advanced means of delivering one-time passwords are not a barrier for hackers. The creators of the mobile trojan virus Android.Bankosy taught it to overcome this new type of protection. The current version of this virus is capable of intercepting calls from the bank server. Moreover, Android.Bankosy can turn off the sound on your phone and lock the device’s screen if there is a call from the bank number. Thus, the client won’t even find out he received a code, and the fraudsters will carry out further actions on the account on behalf of the client.

How to protect data from the banking trojan Android.Bankosy

What can a regular user of online banking set against hackers armed with the most modern tools? As is known, the best tools are usually the simplest. But sometimes we either forget them or are too lazy to use them, perhaps considering them not effective enough. But they work. And work quite reliably.

Keep your smartphone secure from viruses. To get control over the victim’s phone, the trojan virus must first of all get onto it. This can be done in the way standard for all viruses: as part of a harmless and even useful application. The official stores carefully control their software. The applications they offer are rarely infected with viruses. Thus, we must resist the temptation and not download programs from doubtful websites. This is especially true for paid software. Do not forget about free cheese in a mousetrap. If you install a virus like Android.Bankosy on your gadget, you can lose a lot more money than you would need to buy the app you liked.

Use strong authentication. The example of the virus Android.Bankosy proves that even 2-factor authentication cannot always protect you from intruders. Indeed, the familiar methods of obtaining OTP passwords via text messages (and even voice calls) are not completely reliable. That happens because modern hackers are able to get into the mobile phone network and transfer the call in the desired...

New Vulnerability of the LastPass Unveiled

Posted by on 16:39 in Industry News | 0 comments

Any active Internet user has many accounts on different websites. And each of them requires a username and password. Since it is impossible to keep everything in your head, a regular user usually writes them on a piece of paper and puts it somewhere not far from the computer (we have already written why it is not recommended to do so here). An advanced user, in turn, uses password managers to store this information. But even the best password manager sometimes cannot prevent accounts from being hacked. Let’s recall, for example, how the world community was stirred up by the news about the vulnerability of the KeePass password manager.

Recently, another popular password manager, LastPass, has found itself at the center of the scandalous online chronicles. Moreover, it is not the first failure of LastPass. It was hacked last summer, and as early as November 2015 a few bugs were found in it again. This time, the analyst Sean Cassidy created a tool, which he jokingly called ‘LostPass’. Under the guise of LastPass, this tool allows collecting passwords in an automatic phishing attack mode.

The essence of the LastPass vulnerability

Ironically, the ‘disservice’ comes from the software developers’ desire to make the communication session between the user and the Internet resource more secure. The thing is that LastPass requires the user to re-enter the password several times during the session. This is where a loophole for hackers hides. It turned out that at this moment it is possible to palm off a phishing page for re-authorization. This page looks like the real one, with almost no differences in the address. Once the unsuspecting user enters his email and password, all his confidential information stored in LastPass becomes available to fraudsters. The worst thing is that the hackers get not just one password but all the data the password manager stores!

So far, LostPass operates only in the Chrome browser. But Cassidy is working hard to prove that the same tool can be made for Firefox as well.

Of course, the LastPass developers will make changes to the code and patch up the gaps found in the safety of their product. But what should users do now, while the protection level of password managers isn’t 100% reliable yet? And is there any guarantee that some vulnerabilities won’t pop up in the future?

The author of the tool himself recommends using the LastPass app instead of the browser extension. It deprives the hackers of the possibility to use the phishing page. But this method is quite time-consuming and inconvenient. The user needs to copy all passwords from the LastPass web page and enter them manually.

Maybe 2FA (two-factor authentication) can protect users from the new threat? Alas, Cassidy argues that one-time passwords can also be intercepted with the help of his tool. But, apparently, the researcher means the traditional version of 2FA, with OTP passwords delivered to the user via text messages or emails. After all, there is nothing to be afraid of if you use hardware or software tokens. They generate OTP passwords for two-factor authentication offline. Moreover, if the token supports the data signature function CWYS (Confirm What You See), it becomes even more reliable. The CWYS function allows taking into account certain...

The Worst Passwords of 2015

Posted by on 18:46 in Industry News | 2 comments

It is no secret that Internet users tend to choose weak and unreliable passwords. And what’s more, people use the same weak password for almost all their accounts. The list of the worst passwords of 2015, which was recently published by SplashData, shows that all the efforts to convince people of the importance of using strong passwords were in vain.

For several years, first place has belonged to the notorious “123456” and “password”. Key sequences loved by many, such as “qwerty”, “12345678”, and “1234567”, didn’t lose ground and even made some progress, becoming more popular. Moreover, there is a new variation: “qwertyuiop”. A popular password containing both letters and numbers, “pasword1”, was pushed out by “passw0rd”, which is not a bit more reliable than the first one.

It is interesting that the popularity of the new episode of the cult saga “Star Wars” caused the appearance of a new group of popular passwords. The list of the 25 worst passwords of 2015 includes such words as “princess”, “solo” and “starwars”.

The list of the 25 worst passwords of 2015 was formed after the analysis of more than two million passwords that became publicly accessible as a result of various leaks and hacker attacks during the year. The list of all the passwords is presented below. Remember, none of these passwords is secure. Here you can read how to choose a strong password that is easy to remember but difficult for a hacker to guess or crack.

But any password, whether weak or reliable, should not be the only obstacle between an intruder and your confidential data. Your account should be protected from cracking with two-factor authentication and one-time passwords. Here is an article on the principles of how two-factor authentication works and how one-time passwords are generated.

The worst passwords of...

Comic stories #3

Posted by on 18:59 in Humour | 0 comments

Photoshop is 25 this year. Well, actually it is 38 but looks 25.

A man comes home, sits down at the computer and starts shouting at his wife:
– Did you do this?
– No, how could I?
– Did you?
– With whom?
– Tell me, did you do this?
– Well, it was just once with the neighbor…
– I asked if you changed the password to the...

Strong Authentication Methods in 2016

Posted by on 15:43 in Engineering, R&D | 1 comment

At the beginning of the new year, everyone is trying to predict what it will bring: what trends will prevail in the economy and politics, what outfits will be the most fashionable, what books will possess minds and souls, how inventors and developers will surprise and delight fans of technological progress. Let’s try to predict how technologies and strong authentication methods will develop in 2016, what new things are waiting for us, and to what extent they are better than those already familiar to everybody (and whether they are better at all).

One main trend immediately catches the eye: many large companies that dictate fashion in the IT market strive to create means of strong user authentication that provide a high level of data protection and at the same time simplify the authentication procedure when logging in. For example, it suffices to mention such names as PayPal (the largest international money transfer system) and Google. These companies are now actively working to ease the multi-factor authentication process for their users.

Developers offer different, often quite exotic strong authentication methods that, according to their authors, will help to unite reliability and ease of use. It is quite natural that every developer defends the prospects of his own method. Perhaps the only thing that unites them all is awareness of the need to change something in the traditional multi-factor authentication procedure. Today, it is most often based on 2-factor authentication (2FA) with one-time passwords (OTP). But what alternatives are available?

1. Avoiding use of a static password as the first factor. This is one of the most promising variants at this moment. If it is used competently, we can get two-factor authentication that is easy to use and reliable at the same time. For example, almost any token is additionally protected with a PIN code you need to enter before starting work with the device. Why not use this PIN code as the first step of two-step authentication, the factor of knowledge? Meanwhile, a smartphone with a software token or a hardware OTP token can easily serve as the second factor of authentication, the factor of ownership. Moreover, both software and hardware tokens may support the CWYS function (data signature), which further enhances the level of protection.

2. One-time passwords – into the dustbin of history. Many users don’t want to waste their time entering one-time passwords to log into this or that account, especially if they need to enter the OTP password several times during a single session (such a precaution is practiced when it is especially important to protect the connection). Developers are constantly looking for new ways to avoid this inconvenience. Not so long ago, they came up with a strong authentication method that uses background noise. Google is working on an authentication method that allows sending signals to the smartphone via GCM (Google Cloud Messaging). Another interesting way of 2-step verification with the help of a smartphone has been presented by the company Clef.

3. New types of hardware tokens, immune to viruses. Contemporary USB tokens may be vulnerable to viruses located on the computers they are connected to. But not so long ago, the improved YubiKey USB tokens were presented to the world. YubiKey OTP tokens generate a one-time password only after the user clicks a special button on the token....
