A night without your notebook. After a crazy day, you’ve slipped away from the office a little early to a favorite hideaway for a drink and some dinner in the company of your agency’s notebook computer. You need to finish up some overdue reports and spreadsheets, and getting away from the office, the people and the telephone allows you to concentrate. So you queried your database server at the office this morning, pulled the 50,000 or so patient and response records you needed from the past year, and copied them to your notebook.
You finally arrive at the destination you’d been looking forward to all day. You order, pull out your notebook, plug it in, boot it up and get online with the free Wi-Fi that’s offered. Yes, life is good. Those reports can wait a few more minutes, you tell yourself, as you walk over to chat for a moment with some friends.
You walk back to your table as the server is arriving with dinner, and you dive right in. The stress of the day is fading, and you’re enjoying your meal. But when you start to think about the reports and spreadsheets, a terrible, sickening feeling comes over you. Where’s my notebook? Your case and coat are still nearby, but there’s no sign of your notebook anywhere—not on another table, not on the floor, not on a chair, not in anyone’s hands. You ask people nearby if they saw anyone at your table with a computer, but no one did. Then it sets in: it’s gone; you’re a victim.
The notebook was essentially unsecured, without encryption on the hard disk or data. Thousands of patient records with social security numbers, addresses, dates of birth (a treasure trove for identity thieves), not to mention the thousands of e-mails with sensitive information and the contacts that will be sold to a spam farm somewhere in Eastern Europe. You don’t even have the agency name engraved in the PC, and you have no record of its serial number. There’s no hope for recovery.
In Hindsight
Hacker Facts
Amazingly, scenarios like this happen every day in the U.S. Go to www.privacyrights.org and look at the data breaches page, scare yourself, and then start determining where your agency is and where you personally fall on the data-security spectrum.
It seems hardly a week goes by without a news report of a notebook computer being stolen or lost and thousands of individuals’ financial and health records being potentially compromised. Many times, the thefts are crimes of opportunity in which someone seeks the actual equipment for a quick buck. However, the real money lies in the unsecured, unencrypted data on the device’s hard drive.
There have been more than three dozen documented cases of EMS notebooks being lost or stolen in the U.S. and Canada in the past year. An estimated 2.2 million notebooks were stolen in the U.S. in 2007, with 98% never recovered, and the theft rate is expected to rise about 15% per year for the next three years until widespread adoption of trusted computing initiatives takes hold, which will make stolen machines useless to anyone except authorized users.
In more than two thirds of the EMS cases, the patient information on the drives wasn’t encrypted and, in most cases, was “protected” only by a username and password or a data application protection scheme. This protection can be easily bypassed by anyone with only scant IT skills.
A variety of tools exist to secure your notebook computer. Most modern notebook computers and operating systems, commercial products and software, and trusted open source, academically reviewed, third-party applications include features that let you easily build extremely secure portable computing platforms. Unfortunately, security and usability have always been at odds: the more secure a system is, the less user friendly it is, and the more user friendly, the less secure.
Those lines are now starting to blur a bit. No doubt, computer and network security is difficult to obtain, and on a professional level it’s extremely complex. Implementing sweeping security policies that employees may view as draconian will always result in policy failure and compromised security. Thus, security must be built into agency operations across the board, and, for IT-related functions, security needs to be nearly invisible to the end user for optimal compliance.
During the past five years, the majority of “notebook culprits” have gone from lone hackers and teenagers to more organized criminal operations with a profit motive. Virus and worm attacks in the past 10 years (e.g., Melissa, Code Red, Zotob, SQL Slammer) may not have been isolated events, but rather probes of different attack vectors designed to see how long it takes major Internet service providers (ISPs) and the U.S. Computer Emergency Readiness Team (US-CERT) to determine what’s happening and squelch the criminal activity. This way attackers would know their strengths and weaknesses for a more crippling attack in the future.
The good news is that following a few simple precautions will protect us from the majority of malicious threats Internet users face today. The threats are constantly evolving, and we have to be ever alert.
Encrypt the whole disk
Encryption is a necessary precaution. On newer notebook and desktop computers, we can utilize the Trusted Platform Module (TPM) security chip, an open industry standard security subsystem built into the motherboard. The TPM approves users via a finger swipe or a single sign-on password. If the machine is lost or stolen, it’s nothing but a paperweight to the thief. Should someone remove the drive and mount it to a different machine, they find it locked. Should they defeat that lock or take the drive apart and place the data platters into another drive, they find the entire disk, including the master boot record, encrypted and irrecoverable.
Although it generates security key strings, the TPM doesn’t run any software, and security software has to be specifically written to use it. Many notebooks and desktops sold since 2003 have TPMs built in; if your notebook has a fingerprint reader, the fingerprint scan and passwords you save with your fingerprint may be secured by the TPM. Some password vaults, such as Wave Systems’ Private Information Manager and Document Manager applications, use the TPM.
Whole-disk encryption tools such as BitLocker encrypt the entire Windows volume and use the TPM to check the boot components; you can’t boot up if the system has been tampered with, and a thief can’t boot from a CD or take your hard drive out and put it into a PC running another operating system to decrypt it.
For BitLocker, which comes free with the Ultimate version of Vista, your hard drive must be formatted with New Technology File System (NTFS), and you need two volumes. The system volume only needs to be 1.5 GB, because it stores only the files needed to load Windows, which aren’t encrypted.
Vista itself will be on the boot volume, which will be encrypted by BitLocker with a full-volume encryption key. That key is encrypted with an unencrypted volume master key, so if you change something in your system, or lose a key, you can get a new key without taking the time to decrypt and encrypt the whole volume again. You can also turn BitLocker off temporarily to update the Basic Input/Output System (BIOS), which changes the measurement in the TPM. When you turn BitLocker back on, only the volume master key needs re-encrypting.
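The two-level key design described above is easier to see in code. The following PowerShell script is an added example written for this article, not BitLocker’s own code: it models a volume key that encrypts the data and a master key that only wraps the volume key, using .NET AES from PowerShell. Function names, key sizes and the “BIOS update” step are illustrative assumptions; real BitLocker uses different sector-level modes and the TPM holds the master key.

```powershell
# Added example (not from the article): toy model of the FVEK/VMK key hierarchy.
# The full-volume encryption key (FVEK) encrypts the data; the volume master key
# (VMK) encrypts only the FVEK. Re-keying the VMK rewrites a small blob, not the
# whole volume. Works in Windows PowerShell 5.1 and PowerShell 7.
# This is CBC without a MAC, for illustration only, not a disk-encryption design.

function New-Key {
    $k = [byte[]]::new(32)
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return $k
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [Security.Cryptography.Aes]::Create()   # AES-CBC, PKCS7 padding
    $aes.Key = $Key
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return [byte[]]($aes.IV + $cipher)             # IV prepended to ciphertext
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return [byte[]]$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# Constructed sample "volume" standing in for the whole disk.
$volume = [Text.Encoding]::UTF8.GetBytes("patient records: 50,000 constructed sample rows")

$fvek = New-Key
$vmk  = New-Key
$encryptedVolume = Protect-Bytes $fvek $volume   # expensive: every sector
$wrappedFvek     = Protect-Bytes $vmk  $fvek     # cheap: 32 bytes plus IV and padding

# A BIOS update changes the TPM measurement, so a fresh VMK is issued.
# Only the wrapped FVEK is re-encrypted; $encryptedVolume is untouched.
$newVmk = New-Key
$wrappedFvek = Protect-Bytes $newVmk (Unprotect-Bytes $vmk $wrappedFvek)

# Unlock path at boot: TPM releases the VMK, VMK unwraps the FVEK, FVEK decrypts data.
$recoveredFvek = Unprotect-Bytes $newVmk $wrappedFvek
$plain = [Text.Encoding]::UTF8.GetString((Unprotect-Bytes $recoveredFvek $encryptedVolume))

Write-Output ("Volume readable after VMK rotation: " + ($plain -eq "patient records: 50,000 constructed sample rows"))
Write-Output ("Wrapped FVEK blob size: {0} bytes; volume ciphertext size: {1} bytes" -f $wrappedFvek.Length, $encryptedVolume.Length)
```

The point to take from the run is the size line: rotating the master key touches a blob of a few dozen bytes while the volume ciphertext stays exactly as it was, which is why BitLocker can be suspended and resumed around a BIOS update without re-encrypting the disk.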
Once BitLocker verifies the key with the TPM and authenticates your log-in credentials, the Vista file system encrypts and decrypts disk sectors as you write and read data. If you hibernate the PC, the hibernation file is encrypted, and then decrypted again when you wake the PC. If you have other volumes, you don’t need to run BitLocker on them directly—instead, you can use the Windows Encrypting File System, because the keys for that are stored on the boot volume, where they’re protected by BitLocker.
You can add a PIN or startup key stored on a USB flash drive to make BitLocker more secure. You also need to create a recovery password or key and save it to a USB drive, so you can recover the encrypted drive if your PC fails and you need to read it on another system.
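For readers on a current Windows release, the steps above (TPM check, TPM plus PIN, recovery password saved to a USB drive, verification) can be scripted. The script below is an added example, not from the article or from Microsoft’s documentation; it assumes Windows 10 or later with the BitLocker and TrustedPlatformModule PowerShell modules, an elevated session, and that group policy permits a startup PIN. The cmdlet names and parameters are real; the drive letter E: for the recovery file is a placeholder.

```powershell
# Added example (not from the article): enable BitLocker on the OS volume with
# TPM + PIN, register a recovery password, save it off the machine, and verify.
# Run elevated on Windows 10 or later.

# 1. Do not rely on a TPM that is absent or not provisioned.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; enable and initialize it in firmware setup first."
}

# 2. Protect the boot volume with TPM measurements plus a PIN typed at startup.
#    (Requires the 'Require additional authentication at startup' policy to allow a PIN.)
$pin = Read-Host -AsSecureString "Enter a BitLocker startup PIN"
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin            # full-volume encryption is the default

# 3. Add a recovery password so the volume can be read on another PC if the
#    board or TPM fails, and store it on removable media kept separately.
$vol = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Out-File -FilePath "E:\bitlocker-recovery-PLACEHOLDER.txt"   # USB drive, placeholder path

# 4. Verify: protection on, encryption progressing, expected protectors present.
Get-BitLockerVolume -MountPoint "C:" |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = "Protectors"; e = { $_.KeyProtector.KeyProtectorType -join ", " } }
```

The last command should show ProtectionStatus of On and a Protectors column listing TpmPin and RecoveryPassword; if ProtectionStatus is Off after encryption completes, the volume is encrypted but the key is unprotected and the machine is no safer than before.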
I use the TPM module in my notebooks in combination with my favorite disk encryption software, TrueCrypt. I’ve been using this open source, free product with Windows XP, Vista and Linux for more than three years, with no problems for whole-disk encryption. It’s platform-independent and well-constructed.
TrueCrypt can do whole-disk encryption or partial-disk encryption. It also works on USB drives and in “traveler” mode, allowing you to decrypt/encrypt a USB memory stick on a PC that doesn’t have TrueCrypt installed. TrueCrypt has a longer track record than other encryption products, and opens its source code for review. For more on encryption vendors, visit www.jems.com/jems.
Secure the network
Almost all of us have jumped onto someone else’s unsecured Wi-Fi network, but it violates federal law to connect to a network that’s not yours without explicit permission. Doing this unintentionally and sucking in those signals and data packets is not illegal unless you use the captured data in a malicious way.
In densely populated areas, many networks can be visible when a Wi-Fi card is turned on. (I heard that someone in Las Vegas actually recorded 199 separate networks available to his PC.) If you don’t control your Wi-Fi settings and you’re running Windows, your notebook will frequently try to make itself “at home” on other people’s networks.
At public Wi-Fi locations, at the station and anywhere else, it’s important to properly secure your wireless connection. It’s easy for others to watch your wireless traffic and computing activities, almost in real time. It’s also relatively easy for hackers to hijack your session and take over your account. If you were logged in to an online banking session, they could easily obtain your financial records.
Because public hot spots generally don’t use encryption, you should assume that anyone can see your Internet traffic, unless you take the following precautions:
The best way to protect a public wireless link is by using a virtual private network (VPN). VPNs keep your communications safe by creating secure “tunnels” through which your encrypted data travels. Many companies and governments provide VPN service to their mobile and offsite workers, so check with your IT department to see if this is available.
An inexpensive VPN service that offers a number of options is HotSpotVPN. This allows you to create a secure tunnel to HotSpotVPN’s servers where you’re placed on the Internet. All traffic from your PC to the Internet is contained within the tunnel, so the hacker can see only encrypted traffic from you and nothing sensitive is exposed.
Make sure you’re behind a hardware firewall and a network address translation (NAT) type of routing device. This simple step costs as little as $35 and can protect you from a myriad of online criminal activities.
Also, keep the software firewall of your PC on, even when behind a hardware firewall. If an infected notebook enters the office and connects to the network and certain PCs don’t have their software firewalls in place (assuming there’s no other threat-management appliance on the local area network), a worm will spread to all of the other PCs. A software firewall is especially important for nomadic notebook PCs.
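The network precautions in this section (host firewall always on, not letting the notebook make itself “at home” on strangers’ networks, working only through the VPN tunnel) can be checked and enforced from PowerShell. This is an added example written for the article, not the author’s or any vendor’s script; it assumes Windows 10 or later in an elevated session, an English-language netsh output (the “All User Profile” label is localized), a Wi-Fi adapter whose alias is “Wi-Fi”, and a VPN connection named “AgencyVPN”. The adapter alias and VPN name are assumptions; the cmdlets are real.

```powershell
# Added example (not from the article): harden a Windows notebook's network
# posture before using a public hot spot. Run elevated on Windows 10 or later.

# 1. Host firewall on for every profile with inbound blocked by default, so the
#    machine is protected even with no NAT router in front of it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Classify the current Wi-Fi network as Public so discovery and file-sharing
#    rules that apply to Private networks are not exposed to strangers.
#    (Domain-authenticated networks cannot be reclassified, so skip them.)
Get-NetConnectionProfile -InterfaceAlias "Wi-Fi" |          # alias is an assumption
    Where-Object NetworkCategory -ne "DomainAuthenticated" |
    Set-NetConnectionProfile -NetworkCategory Public

# 3. Stop the notebook from auto-joining remembered networks by switching every
#    saved WLAN profile to manual connection.
$profiles = (netsh wlan show profiles) | ForEach-Object {
    if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}
foreach ($p in $profiles) {
    netsh wlan set profileparameter name="$p" connectionmode=manual | Out-Null
}
Write-Output ("{0} WLAN profile(s) set to manual connection" -f @($profiles).Count)

# 4. Warn if the VPN tunnel is down, since traffic would then cross the hot spot in the clear.
$vpn = Get-VpnConnection -Name "AgencyVPN" -ErrorAction SilentlyContinue   # name is an assumption
if (-not $vpn -or $vpn.ConnectionStatus -ne "Connected") {
    Write-Warning "VPN 'AgencyVPN' is not connected; do not open agency data until it is."
}
```

Steps 1 and 3 are worth running as a scheduled task or logon script on EMS-unit notebooks, because the settings drift as users accept prompts; step 4 is only a check, and a proper deployment pairs it with a VPN client configured to block traffic outside the tunnel.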
Just like cash
The best advice for keeping your notebook computer around is to treat it like a $500 bill. Would you leave it on a restaurant table while you chat with friends? How about in a hotel room? If you have notebook computers deployed on EMS units, try to have your personnel apply the same logic. Never let the $500 bill out of sight.
There isn’t a perfect solution yet for notebook security. As the trusted computing initiative moves along, the hardware will become less attractive to thieves looking for a quick buck. However, data will remain attractive for all the same reasons: identity theft, espionage, intelligence, competitive advantage, blackmail, bribery and so on. It’ll always be a challenge to keep data secure, and the insider will always be the highest threat. JEMS
Security resources
www.us-cert.gov: US-CERT’s site, with great information and e-mail updates.
www.sans.org: IT security education and several excellent e-newsletters.
www.privacyrights.org: The perfect site for information on data breaches.
www.microsoft.com/security: Microsoft’s security site.
www.grc.com: A lot of neat tools and tips from Gibson Research Corp.
www.grc.com/securitynow.htm: Gibson’s and LaPorte’s security podcast site.
William Ott is chief consultant at CPCS Technologies and co-founder and chief technologist at Max-Q Media, both located in Cary, N.C. He spent 20 years as a paramedic and EMS educator and also developed and wrote the eJEMS column. Since 1998, he has focused on information security and assurance, secure wireless communications, unconventional technology development and counter-terrorism technology support. Contact him at weo@cpcstech.com.