Archive

Posts Tagged ‘data breach’

PHI breaches doubled in 2011

February 3, 2012

According to Redspin consulting, as reported in infosecurity, the number of patient record breaches doubled last year.

Redspin cites the increasing concentration of protected health information (PHI) on unencrypted portable devices and the lack of sufficient oversight of PHI disclosed to hospital’s business associates as the main reasons for the increase.

Here at Biscom, we’re definitely seeing an uptick in demand for our secure file transfer solution from our healthcare customers: there are serious consequences at stake, both in terms of financial liability and reputation. NIH, Mass General Hospital, Children’s Hospital, Medtronic, and many more healthcare organizations trust us to transmit their PHI securely. Contact us if you’re facing similar issues – we can help!

Knowing is Half The Battle – A Discussion About Law Firm Security

January 11, 2012

Video Run Time – 2:26

Law firms face the daily task of protecting themselves and their clients from breaches of confidential data that could lead to noncompliance with government regulations, large fines, damaged reputations, and loss of business. What some firms are not aware of is that the most ordinary tools and practices – from emails to software configurations – can open a legal organization up to breaches.

Biscom is hosting a webinar on the issue of law firm security and the hidden dangers that lurk within firms. Our Legal Practice Director, Charlie Magliato, will be joined by Jeffrey Brandt, Editor of the Pinhawk Law Technology Daily Digest and noted legal technology thought leader. They will discuss the vulnerabilities posed by the proliferation of mobile devices, the consumerization of technology and cloud computing. In addition, they will talk about the following, which can be helpful to a law firm as it assesses its security program:

  • High-profile data breaches – law firms are no longer immune.
  • Culture and technology pressures that contribute to increased risks
  • The increasing demands of both national and state government regulations
  • How employees, clients and vendors contribute to data breaches
  • Current and emerging security best practices

Webinar Details:

Date: Wednesday, January 25, 2012

Time: 12:00 pm – 1:00 pm EST

Register Now

Nashville consulting company exposes personal information of 18,000 students

October 3, 2011

This latest data breach of student and parent records was discovered when a mother Googled her child’s name and turned up his social security number. In all, 18,000 student records and information about 6,000 parents were exposed when strategy consulting company Public Consulting Group accidentally left the information on an unsecured server that was indexed by Google.

Harvard vs. Yale – now data breaches replace football rivalry

September 13, 2011

The Harvard and Yale football rivalry is the second oldest continuing rivalry in college football history. “The Game” pits the Harvard Crimson against the Yale Bulldogs and goes back to 1875.

However, there’s another rivalry that neither Harvard nor Yale cares to win: being the unfortunate victim of a data breach. In February 2008, hackers accessed about 10,000 personal records from Harvard, including 6,000 social security numbers. Just last month, Yale discovered that an FTP server had been indexed by Google after a search algorithm change, leaving the names and social security numbers of 43,000 faculty, staff, and students publicly available for ten months.

Their recourse – credit monitoring service for a year. Doesn’t really solve the problem, but it does end up costing these universities quite a bit of money. Or, they could have invested a small fraction of the cost and penalties in technology and solutions that would have mitigated or even prevented these problems entirely. These two prominent institutions of higher learning should worry less about losing “The Game” and more about losing their data and information assets.

Webinar: A Reasonable Path to Safe Harbor and Meaningful Use

June 10, 2011

For our healthcare readers out there, be sure to join us for a Webinar on Tuesday, June 14th, 2011, with nationally recognized security leader, Mac McMillan, CEO of CynergisTek. Avoiding data losses and security breaches should be a number one priority for hospitals and business associates dealing with private health information on a regular basis. Mac will provide an overview of:

  • Encryption options
  • Re-Evaluating Our Enterprise Security Standard
  • Making Safe Harbor Meaningful

Register for the webinar now.

Dumpster diving file sharing services

May 10, 2011

File sharing services are under scrutiny and most of them fail miserably. Researchers were able to harvest 310,735 files in just one month using a crawler, and included photos, zip files, PDFs, and office files. InfoWorld reported the results of the study, and “what they found will raise — no, curl your eyebrows.” And the study shows that there are people all over the world who are actively dumpster diving for files on these file sharing sites.

These file sharing and collaboration sites committed several sins, including the use of sequential IDs in their URLs. This is a good lesson for those of you looking for ways to send or share your files – make sure your vendor has extensive security experience, implements a secure architecture, and actively defends against common penetration attacks. Almost anyone can offer a secure file transfer solution, but not all SFT vendors are created equal. Do your homework, weed out the wannabes, and choose wisely. Or, you can just pick Biscom Delivery Server and be done with it.

What Security Concerns Keep Law Firm IT Pros up at Night?

March 11, 2011

During the past quarter, I’ve had the privilege of hosting a series of ILTA roadshows focused on security issues around file transfers. The roadshows – held in Boston, New York and DC – typically welcome around 20 IT professionals each from multiple law firms. The intimate size helps us all to have frank discussions about what keeps IT up at night.

On the forefront: Breaching client confidentiality and regulations.

Beyond the obvious dread of jeopardizing a law firm’s reputation and opening it up for massive fines, there’s a personal take as well. IT leaders are realizing that they are responsible for technology safeguards that protect client data and comply with federal and state data privacy regulations.


The Culprits: Email and FTP Sites

Two methods of potentially risky file transfer kept surfacing during our conversations: Email and FTP sites.

The attendees expressed concern that there seems to be little regard from attorneys and staff when it comes to potential security breaches caused by using email and unsecured FTP sites to transfer client documents and files.

It is almost like the proverbial Sword of Damocles is hanging over legal IT’s head. IT is only one wrong click or FTP error away from heavy fines and potential damage to law firms’ reputations.


Revenge of the Large Email Attachments

The 2010 ILTA member technology purchasing survey identified email management as the biggest issue facing legal IT for the third year running and the roadshow attendees verified that the ever-increasing size of email attachments is a growing support issue.

Is this scenario familiar?

An attorney tries to attach a 50 MB+ PDF to an email addressed to a client.  If the email is lucky enough to traverse the firm’s exchange gateway, there is a good chance it will get bounced back due to recipient email size limitations.  The attorney then receives an undeliverable message (sometimes not until the next day) and contacts IT for help.  Cue the IT support drama!

Would you believe that one of the most popular remedies is to break up a large file into multiple smaller files and then send multiple email messages?  This is a quick fix, yes, but doesn’t speak to a law firm’s technical prowess.


And Don’t Even Start us on FTPs

Another common option is for IT to erect an FTP site. After a communal groan, the attendees agreed FTP sites are often difficult to use, challenging to secure and an overall pain in the neck.


What do you think?

Does your law firm face challenges when transferring large files?  What do you think are the leading security issues around this?

Leave a comment below so we can continue the conversation.


Coming to a City Near You

ILTA is planning more roadshows for Biscom so hopefully I’ll be in your neck of the woods soon.  Feel free to reach out to me at cmagliato at biscom.com if you have a specific city in mind you’d like to see us in. I will keep you posted.

How to protect against SQL injection

December 20, 2010

SQL injection is still out there as an attack. It worked against Twin America LLC, and it was only discovered this past October, after hundreds of thousands of records were stolen. It’s a well-known ploy – you take advantage of web sites that have a form for inputting information. If a site doesn’t employ techniques to neutralize SQL injection, an attacker can easily see your entire database, which often includes usernames, passwords, and account information, or worse, download the information and then destroy the database.

Two common areas that are potentially open to attack are unfiltered escape characters and poor type handling. In an unfiltered web form, a form variable is plugged directly into a SQL statement. If I craft just the right input, I can append my own SQL clause to the one being executed. The classic example is building the query by string concatenation:

"SELECT * FROM user_table WHERE username = '" + username + "';"

If instead of a valid username I entered ' OR '1'='1, I’d now be running this statement:

SELECT * FROM user_table WHERE username = '' OR '1'='1';

The OR '1'='1' clause always evaluates to true, so the statement returns every row (all columns) of the user table.

A second potential hole exists if the programmer does not check type constraints. If a SQL statement expects a number, the input supplying that variable should be checked to make sure it truly is a number. Otherwise, much like the trick above, I could tack an entirely new statement such as DROP TABLE user_table onto the number I enter into the form, and the back end would execute whatever statement I presented to it.

There are several techniques to protect a Web application from these types of attacks, including the use of parameterized statements, or at minimum escaping characters that have special meaning in SQL. But programmers have to be diligent about applying this protection everywhere user input reaches a query, because hackers will find even the smallest hole and take advantage of it.
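As an added example that is not part of the original post: the concatenated query from above beside its parameterized form, plus the numeric type check, run against a constructed in-memory SQLite table. The table name user_table is the post’s; the rows, the helper names and the use of SQLite are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows for this demo; not data from the original post.
SAMPLE_USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")]


def setup_db():
    """Create an in-memory user_table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern from the post: form input concatenated straight into the SQL text."""
    sql = "SELECT * FROM user_table WHERE username = '" + username + "';"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized statement: the driver binds the value separately from the
    SQL text, so a quote in the input is data, never syntax."""
    return conn.execute(
        "SELECT * FROM user_table WHERE username = ?;", (username,)
    ).fetchall()


def get_user_by_id(conn, raw_id):
    """Type check for a numeric field: accept only decimal digits, then bind the
    integer as a parameter. Input like '1; DROP TABLE user_table' is rejected."""
    if not isinstance(raw_id, str) or not raw_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, username FROM user_table WHERE id = ?;", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"                      # the input discussed in the post
    print(len(lookup_vulnerable(db, payload)))   # every row comes back
    print(len(lookup_safe(db, payload)))         # no user is literally named that
    print(get_user_by_id(db, "2"))
```

The same payload that dumps the whole table through the concatenated query matches nothing through the bound parameter, and the id check refuses anything that is not purely digits before it reaches the database.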

Biscom spends its time worried about these types of hacks, so you don’t have to. Countless penetration tests have proven our security model. We think our customers want a secure file transfer solution that is actually secure.

An FTP breach on an FTP vendor's FTP site

December 7, 2010

SourceForge is a well-respected resource for developers to access open source software. One vendor, ProFTPD, which develops GPL-licensed FTP software, was just compromised. There’s something funny about an FTP vendor getting its own FTP server hacked – it has a paradoxical recursiveness to it. If you’ve read Douglas Hofstadter’s great book Gödel, Escher, Bach: An Eternal Golden Braid, it will remind you of the story about “turtles all the way down.”

Unsecure FTP server exposes social security numbers and more

December 7, 2010

This just in from Mesa County, Colorado: Long-term Employee Responsible for Mesa County Data Breach.

It’s unclear whether this was malicious or unintentional. It seems to be something that was “an honest mistake.” Well, honest mistakes do not mitigate the potential for fraud. According to the article, “Hundreds of thousands of pieces of personal information have been leaked onto an un-secure file-transfer website, or FTP.” That’s a lot of information, including social security numbers, and names and addresses of sheriff’s office employees. This breach was open from April through October, and they tracked IP addresses from all over the world that accessed this confidential information.

At the end of the article, the helpful author lists the contact information for three credit organizations’ fraud departments. Here’s to hoping the unfortunate Mesa County employees will not have to deal with this.
