Full name:
Vijayashankar Na
Nickname:
Naavi

Posts by Vijayashankar Na

Multi Billion Dollar Catastrophe…


On January 29, 2015, Anthem Inc, the second largest health insurance provider in the US, reported the discovery of a cyber attack in which an estimated 78.80 million health records were compromised (refer here). The incident has sparked many lawsuits and is expected to impact information security practices in the US and elsewhere (see report in Fortune).

The data accessed by the hackers was not encrypted and contained identity details such as social security numbers. This is a violation of the security requirements under the HIPAA-HITECH Act and attracts a civil penalty from the Department of Health and Human Services (HHS).

According to the company’s admission, hackers gained access to Anthem’s data by stealing the network credentials of at least five employees with high-level IT access. The data is believed to have been extracted over a period of 6 to 8 weeks, during which the attack went undetected. The company claims that the attack was “sophisticated”, but only the investigations will reveal whether it was really a sophisticated attack or a simple phishing attack.

This data breach may be the largest in terms of its financial implications for an organization. The company is said to have insurance cover of US$ 100 million, but the claims in this case may far exceed this limit. This could also be a big setback for the cyber insurance industry. The black market rate for health data in the US is estimated to be around US$ 470 per record (see this article). The black market value of the data lost at Anthem is therefore around US$ 37.6 billion, or Rs 2,33,000 crores. The black market value of data is normally 5 to 10% of the potential benefit that a buyer can derive from it. Hence the estimated gross value of the data lost, in terms of the potential loss to consumers, could be of the order of US$ 376 billion. (Also see here)

Anthem is now focusing on its responsibilities under the HIPAA-HITECH Act to help the affected persons protect themselves from the consequences of identity theft, by providing a two-year protection service from All Clear ID (refer here). Individually, the cost of such a service is around US$ 14.95 per month, and for the 78.8 million IDs to be protected the total potential cost is US$ 28 billion. Of course, Anthem may get a much cheaper bulk rate, but the cost is still likely to be of the order of US$ 3 billion. This is besides the cost of sending data breach notices to 78.8 million people by US first class mail.

The net impact of this data breach on the health insurance industry, the cyber crime insurance industry, and the status of HIPAA implementation across the US (extended to Business Associates in India) is likely to be enormous. It will shake the whole industry and perhaps bring in several lasting changes in industry practices.

In the meantime, Anthem has attracted another controversy by refusing to allow the US regulator, the “Office of Inspector General” (OIG), to conduct a vulnerability scan of its systems, citing its corporate policy that no external audit is permitted. (Refer here)

The Office of Personnel Management of OIG oversees the Federal Employee Health Benefits Program and, in the course of such supervision, performs a variety of audits on health insurers that provide health plans to federal employees. Though it is a regulator of sorts, it does not have the same powers as the HHS, which is the regulator under HIPAA and has the powers of audit and imposition of penalty. The powers of the OIG have to be derived from a contract, which Anthem believes is non-existent.

While at first glance this attitude of Anthem appears to be self-defeating from a PR angle, it is likely to establish the primacy of HHS as the sole regulator of health data breaches and resist an attempt by multiple agencies to fish in troubled waters. (Also see here).

The Anthem attack itself resulted from phishing, and now the incident has become a source for many other scams involving phishing e-mails offering various services. The collateral damage of this fraud can therefore go beyond the health care data breach. Already suspicions are being aired about the hacking having emanated from China (see here). If these rumors are confirmed, the breach may get a “Cyber War” tag similar to the recent attack on Sony attributed to North Korea.

The incident therefore has many dimensions and security professionals need to keep a watch on the developments.

At the end of the day, one wonders… could better “data encryption under storage” have prevented this multi-billion dollar catastrophe?

Naavi


PMO finds a Chief of Cyber Security

 

It is reported (refer article in ET) that Dr Gulshan Rai, who has been a veteran in cyber security and part of MCIT for a long time, has been drafted by the PMO as head of Cyber Security.

In recent days, the PM has been expressing some concern about cyber security, and there was no better person to take this forward. In the corporate world, we say that the designation or appointment of a person as CISO is a significant development on the road to information security implementation. Similarly, this appointment is a significant step in demonstrating the commitment of the Government to address cyber security issues.

We take this opportunity to congratulate Dr Gulshan Rai and wish him all the best. We hope necessary support would be made available by the Government to Dr Rai to ensure that his mission would be successful.

At the same time, we need to remind everyone that Dr Gulshan Rai was the Head of Department overseeing the Cyber Appellate Tribunal (CAT), which is still crying out for the appointment of a Chairperson. Our repeated requests to Mr Ravi Shankar Prasad as well as the PMO have not elicited any response.

Since Dr Rai is fully aware of the past issues involved in this aspect, we trust that CAT would soon get activated.

During the previous time when CAT was active, there was a move to set up a bench of CAT in Bangalore.

I request Dr Rai to take up this suggestion once again so that litigants from South India need not travel to Delhi every time for hearings.

I also draw the attention of Mr Siddaramaiah, the honourable Chief Minister of Karnataka, with a request to take the issue to its logical end.

Naavi


Monitoring of Employee Internet Activity

After the recent incidents involving corporate employees engaging in terrorist activities, there is an increasing necessity for companies to monitor their employees’ internet activities.

The Hyderabad police have reportedly advised companies to monitor the social media activities of their employees as a part of anti-terrorist measures.

From the information security point of view, it therefore becomes mandatory for companies to put in place appropriate technology measures to monitor the activities of their employees, at least when they use the IT assets of the company.

Further, the HR department needs to devise methods to monitor the behavior of employees for any pattern of activities that indicates radical leanings towards ideologies that may nurture terrorism.

This is the new challenge to CISOs following the Mehdi Masroor incident in Bangalore.

Naavi


The Risk of Keeping a USB Port Open: Beware of USBdriveby!


Here is a demo of how an open USB port can be used by a hacker with 30 to 60 seconds of access using a “USBDriveBy”.

The device, which is small enough to be worn around the neck (or carried in a pocket), emulates a mouse or keyboard when connected to a USB port, connects to the OS and gives the hacker’s computer remote control, completely compromising the machine.

See the detailed report

Now we need to start worrying about how to lock and unlock USB ports. Refer here for ways to disable USB ports in Windows.

Naavi


Is WhatsApp bound by Section 67C of ITA 2008?


TOI has reported today that the Nagpur Bench of Mumbai High Court has dismissed a PIL filed by Advocate Mahendra Limaye demanding that WhatsApp should retain data for a specified period under Section 67C of ITA 2008.

The Court has held that since the service is voluntary and free, there is no public interest in the requirement.

Recently I had a discussion with some senior police officials who informed me that in several investigations they were unable to obtain information from WhatsApp, because of which their investigation could not proceed on the desired lines.

From the published information it appears that WhatsApp stores the personal data of its subscribers and also the contacts of the subscribers. To that extent, WhatsApp is exposed to Section 43A of ITA 2008 requiring “Reasonable Security Practice”. This also requires adherence to data retention requirements under Section 67C. They are also bound by Section 79 of ITA 2008 as an intermediary. Under the circumstances it appears that WhatsApp is bound by ITA 2008, and therefore the Indian public has a stake in WhatsApp being compliant with Indian law.

However, it is the business model of WhatsApp that they only store the contact information and allow the content only to pass through. According to information available at http://www.howdoeswhatsappwork.com , the messages are temporarily saved on WhatsApp servers and automatically deleted after 30 days.

It is also known that WhatsApp proposes to charge a service fee after a trial period, though they have indefinitely postponed charging for the service. Now that Facebook has taken over the management of WhatsApp, it is only a matter of time before WhatsApp becomes a paid service or an ad-supported service. The contention of the Nagpur Court that “WhatsApp is free” is therefore not correct.

Further, one grey area of WhatsApp operations is that they are acquiring “Contact” details of the subscribers and using them. A question arises in this context whether the subscriber has the consent of his contact to part with the mobile number and name to WhatsApp, and whether this would be subject to the privacy right of the contact. Since the subscriber is only sharing the number as associated with a name he has assigned to the contact, it may be argued that the data ceases to be that of the contact.

After the Uber and Bitcoin controversies on the interpretation of Internet-based business models, WhatsApp also needs to be properly understood: whether it is a purely “Peer to Peer” service or a “Server Based Service”, and if the latter, whether WhatsApp will have a liability to retain data, at least when demanded by law enforcement etc.

Naavi


After the sophisticated Sony attack, it is now the simple J P Morgan attack!


Just as the IS community is absorbing the lessons of the Sony attack, the JP Morgan security breach involving a suspected data theft of 76 million records has disturbed the community.

See Report 

According to the New York report, it appears that the J P Morgan attack resulted from one of the servers being left out of the two-factor (2F) authentication that prevented the breach on close to 100 other servers. Though 2F authentication is not in itself foolproof, this incident shows that every small step towards security can have its own ROI, since the servers that were hardened with 2F authentication seem to have escaped the attack.

It is interesting to note that hackers do not always need zero day exploits to make big hits. There are many negligent IS practitioners who can facilitate exploits which could otherwise have been prevented with a “Reasonable Security Practice”.

Naavi
