HIPAA-Compliant Wi-Fi: What You Need To Know

Did you know your medical Personally Identifiable Information (PII) is worth 50x more than your credit card information on the black market? It’s also the target of exponentially rising attacks.

A recent report from Keeper Security has highlighted staggering stats informing us that 90% of all healthcare organizations have had a data breach, affecting nearly one-third of the U.S. population.

As cyber attacks on healthcare organizations are increasing rapidly, IT administrators are reviewing their cyber security policies from the ground up.  Wireless access is one area that deserves close attention given the proliferation of the BYOD phenomena, staff equipped with tablets to access Electronic Health Records (EHR), and increasing adoption of wirelessly connected medical devices.

HIPAA has historically provided the guiding principles for securing access to patient information. However, you won’t find specific implementation requirements for a wireless LAN (WLAN) within HIPAA.  Instead, you’ll find it somewhat buried inside the Code of Federal Regulations (CFR) Title 45, Part 164, Subpart C.  The CFR splits WLAN requirements into three categories: administrative (office processes and policies), physical (hardware), and technical (securing WLAN traffic).

Adhering to the following requirements will ensure your Wi-Fi network is HIPAA compliant:

Administrative requirements

1. Collect logs of the WLAN administrators’ logon and logoff events
2. Use a WLAN solution with central management (controller/cloud) so that administrator account passwords are maintained in one system
3. Use a WLAN solution with detection of wireless security threats such as rogue access points
4. Make a backup of your WLAN configuration from the controller/cloud management system and store it safely offsite in case of an emergency
5. Use a WLAN solution that allows healthcare staff to remain connected to patient information if the internet or central controller is unavailable to the access points

Physical requirements 

1. Use access points that offer protection from physical tampering, such as Kensington locks
2. Store any on-site WLAN controller equipment behind access-restricted areas

Technical requirements 

1. If you offer public-facing Wi-Fi access, separate this traffic from your internal EHR-facing network using separate SSIDs and/or VLAN IDs
2. At a minimum, use WPA2 with PSK encryption and if possible, implement WPA2 enterprise 802.1x with client-side certificate security protection
3. Use a WLAN solution the provides visibility into wireless client activity such as bandwidth consumed, source/destination information, and that has the ability to selectively block any traffic

-Ryan Orsi, Product Manager (@RyanOrsi)

Backdoors and Watering Holes – WSWiR Episode 162

Cyber security has become mainstream. Nowadays, there’s more information security (infosec) stories each week than the average IT professional can keep up with. If you find yourself falling behind, let our daily and weekly videos keep you informed. If you watch my Daily Security Bytes, you can probably skip this weekly summary. However, if you prefer to recap the week in one go, this video is for you.

This week’s episode includes surprising new updates to the Ashley Madison hack, a backdoor in a bunch of consumer routers, and a watering hole attack targeting the EFF. Watch the video below for the scoop, and check out the references section for more.

(Episode Runtime: 8:41)

Direct YouTube Link: https://www.youtube.com/watch?v=DkcT9sFEfWc

Show Note: A couple notes this episode. First, while I posted last week’s summary video to YouTube, I was not able to blog about it due to my early week travel. If you missed it, you can view it here, or just subscribe to my YouTube channel to see my videos right when they come out. 

Also, I will be traveling in Europe all week to attend WatchGuard partner conferences. I will try to post some videos, but I probably won’t get to one every day, and will post them at unusual times. 

EPISODE REFERENCES:

• Monday:
  • N/A
• Tuesday:
  • N/A
• Wednesday: Ashley Madison Extortion – Daily Security Byte EP.131
  • Two suicides allegedly associated with AM breach – Ars Technica
  • Biderman email leaks suggest AM CTO hacked competitors – Krebs on Security
  • Four class action suits against AM in the US – Motherboard
  • Attackers extorting AM hack victims for 1 BTC – TechCrunch
  • Research cracks 4000 AM passwords (despite bcrypt) – Motherboard
  • Canadian fed investigates AM for privacy issues – Motherboard
  • AM hacked played “Thunderstruck” on victim computers – Business Insider
  • Toronto police investigating AM breach and offering reward – Motherboard
  • Eccentric John McAfee claims AM hack is the work of lone female ex-employee – IBTimes
  • Krebs and his researchers also think they’ve found the hacker – Krebs on Security
  • Few women really on Ashley Madison – Gizmodo
  • Noel Biderman, Ashley Madison’s CEO, resigns – Wired
• Thursday: Backdoor in Multiple DSL Routers – Daily Security Byte EP.132
  • US-CERT advisory on consumer router backdoor – CERT.org
  • Original vulnerability advisory for LTE router – CERT.org
  • Article describing the hardcoded password in a bunch of DSL routers – The Register
• Friday: EFF Watering Hole Attack – Daily Security Byte EP.133
  • EFF’s blog post about a spear phishing campaign using their name – EFF.org
  • Tech article describing this fake EFF site attack – Ars Technica

EXTRAS:

• My tech analysis for episode 9 of Mr. Robot – GeekWire
• Adobe settles the old 2013 breach case – V3.co.uk
• Netcraft research shows 600k+ Win2K3 servers on the Internet – Netcraft
• Eugene Kaspersky reacts to last week’s allegations – Kaspersky.com
• Cornell paper on ambient sound as an auth factor [PDF] – ARXIV.org
• Bittorrent used to power DDoS Attacks – Ars Technica
  • USENIX research paper on the Bittorrent DRDoS [PDF] – USENIX
• Plenty of fish dating site pushed to malware via ads – Malwarebytes
• Portmapper; yet another reflection friendly for DDoSer – Level3
• Hackers already using the IE 0day on Hong Kong sites – The Register
• IRS says their database breach was bigger than first mentioned – Time
• Botnet clean up efforts seems to be useless – The Register
• Research finds flaw in United’s Mileage app – Motherboard
• Hacking satellites is simple?! – Motherboard
• Good article on the actual security tech used in Mr. Robot – Wired
• You can’t change your fingerprint (something I’ve said before) – ZDNet
• @DadSecurity is DDoSing and SWATing Mumsnet – IT Pro Portal
• Angler EK increasing malvertising 325% – SC Magazine
• Ins0mnia: Patched iOS flaw allows apps to break backgrounding rules – Fireye
• Video demonstration of Ins0mnia – YouTube
• Researchers steal Gmail creds for Samsung Smart Fridge – Betanews
• Long-form article on the car hacking era – Ars Technica
• FTC holding Wyndham liable for lack of security – Bloomberg
• Amazon drops Flash ads due to malvertising – Tech Week
• Researcher finds flaws in less popular Android browsers – The Register
• Australia’s primary telco serving malvertising from website – The Register
• 3D printer high heels hid hacking kit – The Register
  • Researchers Imgur post of the hacking heels (slight NSFW) – Imgur
• Netflix dropping traditional AV – Forbes
• Sundown EK using the latest IE vulnerability – SC Magazine
• Ex-security company employee pleads guilty to creating Dendroid kit – SC Magazine
• NIST recommends energy industry use better auth & access control – Computer World
• Phishing education does work according to Poneman research – CIO
• Github DDoSed again for hosting anti-Great Firewall software – Motherboard
• Illegal Dark Web sites shuts down due to Tor weakness – Ars Technica
• US Gov. does use a drone to kill a hacker (ISIS terrorist) – TechDirt
• Paypal fixes a critical XSS flaw – Betanews
• AutoIT tool leveraged by malicious RAT – The Register
• Adobe releases a ColdFusion update – Threat Post
• UK police arrest teens who use Lizard Stressers DDoS tool – Engadget

— Corey Nachreiner, CISSP (@SecAdept)

EFF Watering Hole Attack – Daily Security Byte EP.133

Today, the EFF warned the world that advanced attackers have been using their name in vain. A targeted spear phishing email is linking to a fake version of the EFF site, which forces malware via a recent cross-platform Java exploit. Learn more about this attack and how to protect yourself by watching the video below.

(Episode Runtime: 2:07)

Direct YouTube Link: https://www.youtube.com/watch?v=ZQXOgjC3gTg

EPISODE REFERENCES:

• EFF’s blog post about a spear phishing campaign using their name – EFF.org
• Tech article describing this fake EFF site attack – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

Backdoor in Multiple DSL Routers – Daily Security Byte EP.132

A few months ago, researchers found a backdoor in an LTE consumer router. Today, we learned that his hole exists in a number of DSL routers, including ones given to customers by ISPs. Watch the video to learn about this secret admin account, and what you can do to mitigate access to it.

(Episode Runtime: 2:25)

Direct YouTube Link: https://www.youtube.com/watch?v=7RCigiLt8gI

EPISODE REFERENCES:

• US-CERT advisory on consumer router backdoor – CERT.org
• Original vulnerability advisory for LTE router – CERT.org
• Article describing the hardcoded password in a bunch of DSL routers – The Register

— Corey Nachreiner, CISSP (@SecAdept)

Ashley Madison Extortion – Daily Security Byte EP.131

I’ve talked about the Ashley Madison breach before, but the news keeps coming. Today’s video covers, tragic suicides, new attack details, a CTO hacker, and criminals extorting the victims. Watch below to get the latest updates.

(Episode Runtime: 3:46)

Direct YouTube Link: https://www.youtube.com/watch?v=IemvDUxe7Wo

EPISODE REFERENCES:

• Two suicides allegedly associated with AM breach – Ars Technica
• Biderman email leaks suggest AM CTO hacked competitors – Krebs on Security
• Four class action suits against AM in the US – Motherboard
• Attackers extorting AM hack victims for 1 BTC – TechCrunch
• Research cracks 4000 AM passwords (despite bcrypt) – Motherboard
• Canadian fed investigates AM for privacy issues – Motherboard
• AM hacked played “Thunderstruck” on victim computers – Business Insider
• Toronto police investigating AM breach and offering reward – Motherboard
• Eccentric John McAfee claims AM hack is the work of lone female ex-employee – IBTimes
• Krebs and his researchers also think they’ve found the hacker – Krebs on Security

— Corey Nachreiner, CISSP (@SecAdept)

Yosemite 0day – Daily Security Byte EP.130

It’s pretty impressive to know an 18 year old Italian teenager is already finding vulnerabilities in OS X. However, I hope he learns to disclose them responsibly, and starts informing vendors first. This week, news surfaced of a zero day privileges escalation flaw in the latest version of OS X Yosemite. Click play below to learn all about it.

(Episode Runtime: 1:30)

Direct YouTube Link: https://www.youtube.com/watch?v=6WmdmY9kHks

EPISODE REFERENCES:

• Teenager releases OS X 0day before telling Apple – V3.co.uk
• Github project for the OS X Yosemite Tpwn flaw – Github

— Corey Nachreiner, CISSP (@SecAdept)

Ashley Madison Hemorrhaging Data – Daily Security Byte EP.129

As if yesterday’s Ashley Madison data dump wasn’t bad enough, the attackers have released new stolen data. Learn what new information is at stake, and what you can do to protect your data in today’s video.

(Episode Runtime: 1:39)

Direct YouTube Link: https://www.youtube.com/watch?v=4Yk7OOST1ag

EPISODE REFERENCES:

• Attacker dump new data from the Ashley Madison breach – Motherboard
• Details on new Ashley Madison data leaked – Hydraze.org

— Corey Nachreiner, CISSP (@SecAdept)

How to Save Yourself an 802.11ac Wave 2 Headache

The latest Wi-Fi standard to hit the market is 802.11ac and it’s been split up into two flavors; Wave 1 and Wave 2. Wave 1 has been out for awhile, but Wave 2 consumer routers and business access points have recently become available. With that in mind, what do you need to know about these new standards?

It’s important to know the two main differences between Wave 2 versus Wave 1:

1. Multi-User MIMO (MU-MIMO) essentially allows a Wave 2 router or access point (AP) to communicate with more than one client at a time. Until Wave 2, APs served wireless clients one at a time. That means each wireless device had to wait its turn among all the other clients. MU-MIMO has the effect of occupying the radio waves for a shorter time (known as airtime demand). The lower airtime demand, the faster your neighbor across the café gets his email attachment, and the faster you get your important Instagram pictures, which means the happier all Wi-Fi users will be.
2. 160MHz bandwidth channels are supported in Wave 2. Without diving into the weeds, the wider the bandwidth, the faster your downloads complete.

Should you rush to buy Wave 2 routers and access points?

I highly recommend you don’t yet. Why not? Consider the following:

• Routers and access points are infrastructure (like a cellular base station is for our smart phones). Infrastructure needs friends to play with, or client devices. To realize Wave 2 benefits, our laptops, smart phones, tablets, game consoles, and other gear have to use Wave 2 wireless chips. I don’t expect many Wave 2 clients to show up on the market until 2016, and even then it will take a year longer before the majority of clients support Wave 2.
• For the home user—especially gamers—the bandwidth provided by the 160MHz channel could be a win. For everyone else, it’s a yawn. That’s because even though it provides faster speed to single clients, it also translates to less overall speed for the combined group. Think of it like the width of your shopping cart at the grocery store. If we’re all wheeling around a 6ft. wide monster cart, only one of us could cruise a shopping isle at a time, which slows down shopping for everyone. However, if we all sported 2ft. wide carts, we could fit three of them in the isle at a time, allowing everyone to get their shopping done in a reasonable period.

In summary, to avoid an unnecessary 802.11ac Wave 2 headache, I recommend you go ahead and buy Wave 1 routers or APs today. You can rest easy and not worry, because doing so won’t put you behind the times.

-Ryan Orsi, Product Manager (@RyanOrsi)

IE 0day & AM Hack Update – Daily Security Byte EP.128

I missed yesterday’s daily video due to an offsite meeting, so today’s episode contains two important stories; an emergency update to fix a zero day vulnerability in Internet Explorer (IE) and the latest update to the Ashley Madison breach. If you run a Microsoft network, or you know anyone that had an account on Ashley Madison, you’ll want to watch the video below to learn what you can do to protect yourself from attackers.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=w9CI3Fk5NiE

EPISODE REFERENCES:

• Microsoft’s out-of-band August IE update – Microsoft
• News about hacktivists releasing Ashley Madison data – Motherboard
• Info about what data was in the leak – Hydraze.org
• One view on how concerned you should be about the leaked data – Bloomberg
• Ashley Madison was concerned about data breaches – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)

Global Mobile Hack – Daily Security Byte EP.127

The Australian 60 Minutes unveiled a piece on how attackers can track and intercept the calls from any mobile, as long as they know its number. However, others say the researchers demonstrating this attack had special access to carrier networks. Watch today’s video to learn how real this threat is, and whether or not you can do something about it.

(Episode Runtime: 3:34)

Direct YouTube Link: https://www.youtube.com/watch?v=G63kB987kyg

EPISODE REFERENCES:

• Australia 60 Minutes episode on SS7 attacks – 9jumpin.com.au
• An article covering the SS7 hacking issue – Computer Weekly
• Original 2014 research on SS7 attacks – CCC.de
• German research given gov access to pull of SS7 attack – Gizmodo
• Wikipedia article on IMSI-Catcher – Wikipedia

— Corey Nachreiner, CISSP (@SecAdept)