> On Feb 14, 2025, at 6:16 PM, charles meyer <[log in to unmask]> wrote:
>
> But for all the HIPAA guidelines, we know of major health care breaches (e.g. Kaiser, HCA, Lab Corp, etc.) so the strict guidelines didn't protect the patients' data with those companies.
>
> If huge corps can't protect data it doesn't seem to bode well for smaller companies or practices.
>
> I wondered if anyone on this list was knowledgeable about how exactly these
> security breaches were effected?
>
> How did a phishing expedition expose hundreds of thousands of other
> patients' health info with those security breaches?
I don't know any specifics of any of these breaches, but generally the idea is that if you can get someone's password or even better have them run some program, you can get a foothold in their system, and then use that to figure out some way to slowly get yourself more privileges.
We had a few "security incidents" in our group when I was at NASA. Of course, the security group considered anyone probing us to be an "incident", and insisted that we had been hacked because one of my web servers returned a 200 status after an attempted SQL injection. (I had to explain to them that the page in question didn't use SQL, and ignored any inputs that weren't in the list of known good inputs for that field).
There were five notable incidents:
Two were because of a person who had a valid login, and someone had hacked them somewhere downstream, got into their work computer and saw their login & password used to connect to our systems. That whole company (a major defense contractor) got banned from being allowed to login to our systems after it happened the second time.
Two were because of pre-made PHP systems. The one that I was responsible for, I passed along a bunch of improvements to the author... but I don't think he saw them until I mentioned it on this list. My boss ended up banning PHP entirely on our network.
The other one was really, really odd. We had a trouble ticket system that allowed people to upload screen shots or whatever... and someone posted an image that said "I've hacked your computer" and then started bragging about it on some other website, telling people to go and look. I had to spend weeks rebuilding the system, because they insisted that someone had hacked us, and they didn't believe me that no, people were allowed to upload images, we weren't actually hacked. A year or so later, I was running a deep virus scan (went through tarballs and such) and it pinged that the image (in a backup that I made before I wiped and reinstalled everything) had a JPEG overflow that affected windows systems. Still didn't affect us, but the people who he got to look at the image might have been hacked.
...
Once someone gets a foothold into the system, they might be able to find something that's exploitable from inside, or if they can sniff network traffic they might be able to find other systems to attack, or even valid credentials to get into them.
I personally do things like if I have a system that reads and writes to a database... the page that does the writing uses a different account, so if someone manages a SQL injection on the other pages, all they can do is read. (and those accounts can't read the password table... they'd have to specifically attack the login page to read it, and the password update page to update it)
But I've also done things like host websites that pull their content from partitions that are NFS mounted as read-only, so you have to be on a completely different machine to update anything.
> My concern with the pw generators is that some are storing a person's info on their site. Not all but a few are. Imagine, if you will, that millions
> store several pws to health care accounts, investment cos, etc. With lesser guidelines than HIPAA?
Yeah, don't use one that stores passwords on their servers... yes, it's convenient, but it means that they've created a target for hackers.
Your comment about smaller sites vs larger sites forgets to consider that the larger sites are specifically targeted because they're more valuable. Hackers have to consider what the payoff is for the amount of effort, and the bigger places have a bigger payoff. Apple used to brag that they didn't have the virus issues that Windows had... but once Apple started having enough market share, they got targeted, too.
And I don't know that the HIPAA guidelines specifically have rules about how to secure your data other than you're not allowed to store identifying information alongside medical information. But I don't know what qualifies as acceptable separation... just stored in different database tables? That doesn't really do a lot if someone dumps the whole thing.
> Which leads me to a related question (although not the OP if I can please be given some latitude?) - what creative ways are you aware of in creating more effective passwords to help people?
>
> I've read creating a phrase or borrowing dialogue from your favorite movie
> - "You Can't Handle the Truth" but with no spaces in between has been recommended.
>
> But, is that more effective than a pw generator?
There was a while when it was more secure, just because that wasn't something that the password cracking tools used as a pattern... dictionary words have more entropy than individual characters, but it's still a fixed set. And common substitutions (O->0; L/I->1; S->$) don't take that much longer to test if you have the hashes to test against directly. Most authentication systems do some form of rate limiting, or even lock accounts after too many failures... which is part of why I'm glad that I have a pretty odd username. There were a lot of mornings when I'd have to unlock my lead sysadmin's accounts (username 'amy').
If you're going to use a combination of words, it's better to go with completely random words. Preferably in a mix of languages. And possibly some Welsh place names in there. And use whatever characters the system allows... see if it allows you to use emoji in your passwords. Or BEL (control-G). But beware of single quotes... I used to use them for decades (because it has to be escaped in most programming languages), and then a year or so back, iOS decided that it wanted to turn them into smart quotes as I was typing my passwords.
I personally prefer longer phrases for entropy... the first letter and all numbers and punctuation from movies or TV quotes, or song lyrics. It looks pretty random, but it's not too hard to remember even for a 16+ character password. Of course, it's best not to use quotes from Coupling, because then when they hire a DBA and you have to give her the passwords, you don't have to explain to her that the mnemonic for the password is something that Jeff said.
I actually made a program decades ago to generate passwords from fortune files using those sort of rules... but I realized that the files just aren't big enough, so there's not enough entropy. I thought about having it import the IMDB quotes database, but never finished it (and I don't think they allow you to download those files anymore).
-Joe
(unaffiliated, but did whatever that NIST computer security certification was 20+ years ago)
(and seemed to be the only person who pushed back against HTTPS-Only, because it increased the attack surface on our systems)
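An added example (not Joe's code, and not from the thread) modelling the read/write/login account split he describes: one shared database, several connections each limited to one account's privileges, so that whatever statement a SQL injection manages to run through the read-only pages can only read the content tables. It assumes a constructed schema and uses SQLite's per-connection authorizer to stand in for the database roles and GRANTs a real deployment would use.

```python
import os
import sqlite3
import tempfile

# Constructed sample schema (assumption: a content table plus a password table).
SCHEMA = """
CREATE TABLE articles(id INTEGER PRIMARY KEY, body TEXT);
CREATE TABLE users(name TEXT PRIMARY KEY, password_hash TEXT);
INSERT INTO articles(body) VALUES ('hello'), ('world');
INSERT INTO users VALUES ('amy', 'constructed-hash');
"""

# One "account" per page type: the set of (action, table) pairs it may perform.
# Nobody but the login page can read users, nobody but pwchange can update it.
ROLES = {
    "reader":   {(sqlite3.SQLITE_READ, "articles")},
    "writer":   {(sqlite3.SQLITE_READ, "articles"),
                 (sqlite3.SQLITE_INSERT, "articles"),
                 (sqlite3.SQLITE_UPDATE, "articles")},
    "login":    {(sqlite3.SQLITE_READ, "users")},
    "pwchange": {(sqlite3.SQLITE_READ, "users"),
                 (sqlite3.SQLITE_UPDATE, "users")},
}

DB_PATH = os.path.join(tempfile.mkdtemp(), "site.db")
_setup = sqlite3.connect(DB_PATH)
_setup.executescript(SCHEMA)
_setup.close()


def make_authorizer(allowed):
    """SQLite calls this for every table/column a statement touches while it is
    being prepared; anything outside the account's allowed set is denied."""
    def authorize(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_SELECT:  # statement-level; the READs decide
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_OK if (action, table) in allowed else sqlite3.SQLITE_DENY
    return authorize


def run_as(role, sql):
    """Run sql as the given account. Returns the rows, or 'denied' if the
    authorizer refused the statement (SQLite raises DatabaseError)."""
    conn = sqlite3.connect(DB_PATH, isolation_level=None)  # autocommit, no implicit BEGIN
    conn.set_authorizer(make_authorizer(ROLES[role]))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "denied"
    finally:
        conn.close()
```

Even if an injection succeeds on a page using the `reader` account, the password table and every write stay out of reach; the attacker would have to find a flaw in the login or password-change page specifically.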
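A second added example (again not Joe's program) for the password discussion above: it applies his mnemonic rule (first letter of each word plus every digit and punctuation mark) to a constructed four-line "fortune file", and puts numbers on his point that a quote-derived password looks random but carries only as much entropy as the pool of quotes it was drawn from, compared with genuinely random words. The pool sizes in `compare` are assumptions, not figures from the thread.

```python
import math
import secrets

# Constructed stand-in for a fortune file; a real one holds thousands of entries.
FORTUNES = [
    "You can't handle the truth!",
    "I'll be back.",
    "Houston, we have a problem.",
    "There are 4 lights!",
]


def mnemonic(quote):
    """First letter of each word, plus every digit and punctuation mark, in order."""
    out = []
    prev = " "
    for ch in quote:
        if ch.isalpha():
            if prev.isspace():       # a letter that starts a word
                out.append(ch)
        elif not ch.isspace():       # digits and punctuation are always kept
            out.append(ch)
        prev = ch
    return "".join(out)


def fortune_password(fortunes=FORTUNES):
    """Pick a quote uniformly at random and turn it into a mnemonic password."""
    return mnemonic(secrets.choice(fortunes))


def random_words(wordlist, count):
    """Joe's preferred alternative: independently chosen random words."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def entropy_bits(choices, picks=1):
    """Entropy of `picks` independent uniform draws from `choices` alternatives."""
    return picks * math.log2(choices)


def compare(fortune_count=15000, dictionary_size=7776, words=5):
    """Assumed sizes: a 15k-quote file, a 7776-word (diceware-sized) list, 5 words.
    The mnemonic's apparent randomness does not matter; only the pool size does."""
    return {
        "fortune_mnemonic": entropy_bits(fortune_count),        # ~13.9 bits
        "random_words": entropy_bits(dictionary_size, words),   # ~64.6 bits
        "random_8_printable": entropy_bits(95, 8),              # ~52.6 bits
    }
```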