Townsend Security Data Privacy Blog

NIST Announces SHA-3 - What Does This Mean For You?

Posted by Patrick Townsend on Oct 29, 2012 10:08:00 AM

Webcast: Four Solutions for Data Privacy Compliance


Learn what regulations say about data protection and how encryption, tokenization, key management, and system logging can help keep your company in compliance.


The National Institute of Standards and Technology (NIST) announced the selection of the new Secure Hash Algorithm, SHA-3, this week. The winning algorithm is Keccak, submitted by the team of Guido Bertoni, Joan Daemen, Gilles Van Assche, and Michaël Peeters. This culminates five years of work by the NIST team and the work of many cryptologists and security specialists around the world. We owe a huge debt of gratitude to everyone involved in this project. While we are hardly aware of how much we use and depend on the work produced by this community of academics and professionals, it is hard to overestimate how much each of us benefits from this work.

Do I need to do anything right now?

No. The SHA-2 family of hash algorithms is considered secure and there is no near-term concern about this family of secure hash algorithms. Here at Townsend Security, when we reach for a secure hash algorithm, we use SHA-256 from the SHA-2 family, and it is expected to be secure for many years to come.

HOWEVER, if you are using MD5 or SHA-1, it is time to upgrade to SHA-2, or SHA-3 if you like.

Will this new algorithm change how we do message authentication?

I don’t think so. There is some new flexibility with respect to the length of the generated hash, but the use of SHA-3 is likely to be very similar to SHA-2. The advantage of SHA-3 is that it is not SHA-2. That is, if SHA-2 is found to be weak in some way, it is not likely that SHA-3 will be weak in the same way. Basically, SHA-3 will be used for the same purposes as SHA-2.

Will I need to use a salt with this hash method?

Yes, you would use a salt value with SHA-3 for the same reasons you would for SHA-2 – to avoid dictionary attacks, which are often optimized with rainbow tables. Any time you have a small amount of data to hash (think credit card number, social security number, email address, and so forth), it is a good idea to use a salt value, and to take care to protect the salt from disclosure.
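The point above, as an added example that is not part of the original post: a secret salt applied to a small identifier, with the salt used as an HMAC key rather than simply prepended. SHA-256 is used because it is the SHA-2 member the post mentions; the construction is unchanged if a SHA-3 function is substituted. The candidate values, the stored value and the test salt are constructed for illustration and are not real identifiers. The small precomputed table shows why an unsalted digest of a low-entropy value is recoverable and a salted one is not.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// unsaltedDigest is hex(SHA-256(value)). Shown only to illustrate the weakness
// the post describes: the digest of a given value is the same everywhere, so a
// table precomputed over every possible value (a rainbow table) inverts it.
func unsaltedDigest(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])
}

// saltedDigest is hex(HMAC-SHA-256(salt, value)). The salt is a secret key, so
// without it an attacker cannot precompute a table of digests.
func saltedDigest(salt []byte, value string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// verify recomputes the salted digest and compares it in constant time.
func verify(salt []byte, value, digest string) bool {
	return hmac.Equal([]byte(saltedDigest(salt, value)), []byte(digest))
}

// newSalt draws 16 random bytes from the OS CSPRNG. Store the result separately
// from the hashed records (for example in a key manager), as the post advises.
func newSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// buildTable precomputes unsalted digests for every candidate value, which is
// feasible for a small input space such as identifiers of a fixed format.
func buildTable(candidates []string) map[string]string {
	table := make(map[string]string, len(candidates))
	for _, c := range candidates {
		table[unsaltedDigest(c)] = c
	}
	return table
}

func main() {
	// Constructed sample values; not real identifiers.
	candidates := []string{"000-00-0001", "000-00-0002", "000-00-0003"}
	stored := "000-00-0002"
	table := buildTable(candidates)

	// Unsalted: the stored digest is inverted with a single map lookup.
	if v, ok := table[unsaltedDigest(stored)]; ok {
		fmt.Println("unsalted digest recovered:", v)
	}

	// Salted: the same table finds nothing, and verification still works.
	salt, err := newSalt()
	if err != nil {
		panic(err)
	}
	d := saltedDigest(salt, stored)
	_, found := table[d]
	fmt.Println("salted digest found in table:", found)
	fmt.Println("verify with salt:", verify(salt, stored, d))
}
```

This is the right shape for hashing identifiers that must still be matched exactly (the per-system secret salt is what stops a table built elsewhere from applying here). For user passwords the same salting idea applies, but a deliberately slow password hash should be used instead of a single HMAC.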

Is there any reason NOT to use SHA-3 now?

As Bruce Schneier points out in his book on “Cryptography Engineering”, there are lots of ways to get security software engineering wrong. I don’t worry about the underlying security proofs of the SHA-3 algorithm, but I do worry about bad security software engineering because I’ve seen so much of it. I am sure that NIST will have a validation program for SHA-3 (maybe it is already in place), and security vendors will bring their work through this process. I think there are good reasons to wait for the technology to mature before jumping into using SHA-3.

Pop quiz:

Does the name Joan Daemen ring a bell?

If you remembered his name from the Advanced Encryption Standard (AES) competition some years ago, kudos to you! Joan Daemen and Vincent Rijmen submitted the work that became this important symmetric encryption standard.

Happy Halloween!

Patrick


Topics: security, NIST, Security News

Over 8 Million Passwords Hacked? It Happened in Europe.

Posted by Adam Kleinerman on Aug 6, 2012 8:12:00 AM

Cyber hackers have repeatedly victimized US businesses, resulting in a widespread movement to increase cyber security in many US organizations. Due to this influx of security, hackers have recently turned to European companies in an effort to attack weaker targets. The most recent target, Gamigo—a German gaming company—was breached, resulting in the loss of over eight million user names and passwords. The breach was first reported by data breach watchdog service PwnedList.com, which has been vigilant in informing the public of particular breaches. Due to the great number of accounts hacked, some are referring to this particular breach as a world record. PwnedList’s founder Steve Thomas remarked, “It’s the largest data breach I’ve ever actually seen.”

Gamigo is currently going through the motions of damage control by offering reassurance to its customers. In fact, Gamigo automatically reset its users’ passwords immediately after the hack was discovered. However, the real danger to Gamigo’s clientele lies in the fact that so many people use a single password for many different websites. The password a person used on Gamigo could be the same password they use for their email or bank account. Even more concerning is that this sort of password breach (e.g. LinkedIn) has revealed that many people use extremely weak passwords such as “password” and “123456”.

Another blow is that Gamigo may ultimately lose its clients and its clients’ trust. Should Gamigo sustain any financial penalties from European security standards organizations, the losses it could experience may not be easily absorbed.

The recent data breaches of LinkedIn, eHarmony, and Last.FM may not have been well publicized overseas, but the Gamigo breach should put all European companies on full alert. Organizations asking for user names and passwords should always use the most up-to-date hashing technology and require stronger passwords. It is also not enough for a company to require strong passwords if their users’ personal information is stored on a database. If sensitive information is being stored on hardware, AES standard encryption and key management must be implemented. To learn how to protect your sensitive stored data, read our blog on how to protect databases that contain email addresses and passwords.

Download our podcast "How LinkedIn Could Have Avoided a Breach" to hear even more about Patrick’s take on the LinkedIn data breach and ways you can keep this from happening to your organization.


Topics: Data Privacy, Security News, Security Attacks

Why We are Lucky the Fire Didn't Spread

Posted by Adam Kleinerman on Jun 4, 2012 11:49:00 AM

Danger looms large in Iran, as the Flame virus has been unleashed. Experts say that this is far worse than Stuxnet, and that the world could be on the brink of a new kind of warfare. The emergence of cyber-weaponry over the last few years has alarmed the world with its capabilities and uncertainty. It definitely seems like this is the wave of the future in terms of international conflict and espionage training. Just 50 years ago, spies were being trained to tap phones and take incriminating photos. Now that computers virtually run the whole world, the focus, of course, is to invade private hard drives to intercept secure information or to make it inaccessible to the party that controls it.

According to Kaspersky Lab, a security firm headquartered in Moscow, the Flame virus is capable of recording conversations and accessing microphones built into the computer it has infiltrated. It also can capture screenshots and record keystrokes. Just about any activity one does on the computer can be relayed, play by play, to those who let the Flame virus loose.

At the moment, it appears that computers outside the Middle East are safe, as it seems to be localized within the realm, particularly in Iran. But one of the reasons it can be so devastating is just how easy it is to intercept information that is password protected. Passwords hidden by asterisks are completely susceptible to being read by the Flame virus, and even if the computer is off, a nearby Bluetooth device can easily be the key to accessing an unplugged hard drive.

The United Nations’ International Telecommunication Union is on alert for the virus, so people should be safe for the time being. But as more of these develop, it is important to make sure you are taking proper precautions to protect your data. When viruses are released, they swarm the prey they were designed to feed on. They can so easily catch people off guard, and it doesn’t pay to have to worry about what might happen. Proper safety precautions go a tremendous way in securing a business and peace of mind. The Flame virus seems reasonable enough to control, but there could be real problems if something called the hydrogen bomb virus is developed.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.


Topics: Data Privacy, Security News

TRICARE: Encryption Could Have Saved the Day

Posted by Adam Kleinerman on Apr 30, 2012 10:44:00 AM


Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encryption and key management best practices.


An alarming number of security breaches have occurred in the last decade victimizing families of military personnel who belong to TRICARE. Since the fall of 2009, over 400 breaches have occurred. At least 500 people have been directly affected, and another 50,000 smaller-scale breaches have been reported to the government. The community of Palo Alto, California was hit closest to home, when over 20,000 names of emergency room patients were available on an online public forum before the list was discovered by authorities. For several months, all these people were susceptible to a profusion of afflictions such as identity theft, credit card fraud, or fraud against the Medicare and Medicaid programs. Just one move can financially ruin a family.

One major cause of the breach was that backup tapes were stolen from the car of a TRICARE employee, and these tapes had people’s private information on them. The big problem, of course, was that after these tapes were stolen, the information was readily available to the thieves. The data was not encrypted, so the information was just there for the taking. If the data on these tapes had been encrypted, TRICARE wouldn’t have to worry about the tapes being stolen and you wouldn’t be hearing about this problem – HIPAA grants a breach notification safe harbor to organizations who are encrypting their sensitive data.

If you aren’t familiar with HIPAA (the Health Insurance Portability and Accountability Act), it was established in 1996 and its main focus is to protect the right to health insurance for families when the wage earner changes or loses a job. Its second objective focuses on standards for electronic health care transactions. With HIPAA, there are legal regulations that the government has put in place to protect our Personal Health Information (PHI). While there is no encryption requirement, it is strongly considered a best practice.

The largest concern when a story like this breaks is for the victims. The Federal Trade Commission (FTC) has published a few tips for individuals who are affected from the TRICARE breach:

  • Don’t willingly give out personal information over the phone unless you know exactly whom you are dealing with.
  • Check your medical records more frequently to make sure nothing looks out of the ordinary.
  • Any fraudulent activity you notice should be reported to the police immediately.

The TRICARE breach should be an example of why encryption should be mandatory for organizations that deal with PHI. Not only does it protect the privacy of your customers; when a breach does happen, HIPAA also grants you a breach notification safe harbor.

Learn more about encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".


Topics: Encryption, Data Privacy, Security News, Security Attacks

How Emory Healthcare Could Have Avoided A Data Breach Notification

Posted by Paul Taylor on Apr 23, 2012 10:17:00 AM


Data breaches in the medical industry are occurring at a greater rate now than ever before. Emory Healthcare recently experienced a significant PHI (Private Health Information) breach and has announced that approximately 315,000 medical records have gone missing.

Included among those records are those of the chief executive officer of the hospital, who has tried to calm public outcry by noting that, to his knowledge, none of the personal information had been used in attempts at identity theft. But the loss is significant because it violates patient privacy rights and could have been prevented if Emory Healthcare had been properly encrypting the data.

In total, 10 backup discs for the hospital system have been missing from their storage facilities since mid-February. Within each record was a wealth of information, including patient names, Social Security numbers, and surgical procedures and dates.

Emory has said that it had strong policies in place to protect the personal information of patients. It also attributed the cause of the theft to an honest mistake made by an employee. However, HIPAA states that an organization is responsible for a breach notification regardless of whether the data was “hacked” or just lost.

As part of their remediation plan, Emory is providing free resources to help patients combat and prevent identity theft. While Emory has said it is revisiting its policies and procedures to better protect patient information, it's unclear if they are making systemic changes that could protect patients even if data is stolen in the future. Regardless of what security measures they take to better protect patient information, the only way Emory, or any other medical facility, can guarantee patient information is safe and avoid a breach notification will be to protect it with encryption and key management.

If you are not familiar, AES encryption (the standard for Data at Rest) is a form of data protection that uses an algorithm to transform information in a way that makes it unreadable by other entities. AES encryption that is certified by the National Institute of Standards and Technology (NIST) is used to attain the highest levels of security. Encryption can't be ignored as a security measure.

The second part of the encryption process is managing the encryption key. Only by knowing the encryption key can that information be unlocked and read. When data such as patient information is encrypted with proper key management, it is safe from being compromised by hackers or other entities that steal the information. Without the encryption key, the data is worthless.
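The two-part picture above (AES to make the data unreadable, the key held elsewhere so the stolen copy is worthless), as an added example that is not Emory's, TRICARE's or Townsend Security's code. It uses AES-256 in GCM mode from the Go standard library, so a wrong key or an altered byte is rejected outright rather than yielding garbage. The sample record, record ID and fixed test key are constructed for illustration and are not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit AES key. In a real deployment the key is
// generated and held by a key manager, never written to the same media
// (backup disc, tape) as the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps an AES block cipher in GCM (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext with AES-256-GCM under a fresh random nonce and
// returns nonce||ciphertext||tag. aad (here a record ID) is authenticated but
// not encrypted, so the blob cannot be silently moved to another record.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord. It returns an error, not garbage, if
// the key is wrong, the aad differs, or any byte of the blob was altered.
func decryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("name=Jane Sample;ssn=000-00-0000;procedure=sample;date=2012-02-01")
	recordID := []byte("record-0001")

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptRecord(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what sits on the backup disc: %d bytes of ciphertext, no key\n", len(blob))

	// The key holder reads the record back.
	pt, err := decryptRecord(key, blob, recordID)
	fmt.Println("with the key, round trip ok:", err == nil && string(pt) == string(record))

	// Whoever walks off with the disc has the blob but not the key.
	other, _ := newKey()
	_, err = decryptRecord(other, blob, recordID)
	fmt.Println("without the key:", err)
}
```

The separation is the whole point: the disc carries only `blob`, while `key` lives in the key manager, so losing the disc loses nothing readable. Reusing a nonce with the same key would break GCM's guarantees, which is why each call draws a fresh one.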

With breaches in the healthcare industry up 32% in the last year, it is more important than ever to be encrypting PHI. Data breaches have dollars lost directly tied to each record lost. Download our white paper “Achieve Safe-Harbor Status from HIPAA/HITECH Breach Notification” to learn more about how your organization can protect PHI with encryption and key management.


Topics: Data Privacy, HIPAA, Security News