Pharmacare, Harvard Try To Shut Down Security Hole
cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story,
which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."
Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.
I support the Center for Consumer Freedom
Yet another victory for the blogosphere!
What's that? Oh, you say it was print journalists?
Sorry, never mind everyone!
You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
>> the difficulties posed to information privacy by the widespread use of ID numbers to verify identity
So they actually used a "username" with the purpose of representing both a username and a password.
That is a security issue by design. What were they thinking?
I smell lawsuits already!
It was probably designed by females... ...as we all know there are biological differences in men's and women's abilities ;)
Power of the press. Use wisely.
interesting questions about computer security and using ID numbers as passwords
Since when has anybody thought that was an acceptable practice? Ever?
It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.
I will resist any humor related to the gender-based aptitudes of any IT management personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.
Don't disappoint your bird dog. Go to the range.
a possible violation of Federal laws concerning medical records (HIPAA)
Speaking as someone who admins boxes with data that falls under HIPAA (as well as IRS data, but those are different servers), there's no "possible" about it. You don't screw around with HIPAA violations. You will get nailed good and hard.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
I live in an urban port town; at one street intersection there are 4 pharmacies, one on each corner. It's ridiculous to have all 4, especially when they're all really nice, but all have flaws. CVS isn't the best, close to last in my choices, because it doesn't have online pharmacy pick-ups. Walgreens is 1st, because of its friendly service and online functionality.
"To be is to do." -Socrates
"To do is to be." -Jean-Paul Sartre
"Do-be-do-be-do." -Frank Sinatra
the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. but in a world where dependable unix solutions are replaced with windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and crash if someone puts a zero in the wrong application entry field, putting 800 planes worth of lives at risk and rendering a navy vessel dead in the water respectively, but NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.
"It would take a reasonable amount of sophistication and knowledge of a specific tool," he (Dan Moriarty, Harvard's chief information officer) said of the means by which ID numbers were accessed. "There was a vulnerability, but the log shows, happily for us, that it was not exploited."
And they trust that their logs cannot be compromised just like they trusted this system could not be compromised. I tell you, Harvard has been slipping ever since Bush enrolled...
fucking idiot moderators hes making a JOKE about what happened previously this week in harvard.
slashdot is full of dumb fuckers.
I got what you were on about - just seems everyone else has a humor and intelligence bypass
If you read slashdot, or any number of other sites, you know what was recently said by Harvard's president.
Normally that kind of comment is a troll, in this context, no.
in estonia (the place where stoners live) the meaning of "using id numbers as passwords" is "ease of use" not "security risk".. at least our banks think so.
Why then would a bad guy flag himself by saying that he discovered the flaw in the first place?? Makes no sense. Why draw attention to yourself if you are doing something bad? (Besides bragging about hacking into it, of course, but in this case it's not worth saying so because it was sooo easy...)
===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
And what about the results of mandatory drug tests? Since they're not the property of a powerful insurance corporation, they won't get the same kind of expensive protection. So when you sacrifice your privacy to your employer by submitting to a drug test, you're risking telling the world some of your most private info, even if they fire you - because they very possibly will keep the data after they get rid of you.
--
make install -not war
Before everyone crucifies the University for "using ID numbers as both username and password", I will say that although this might have been Pharmacare's policy, it is not widespread policy throughout the university whatsoever.
Attached to our ID numbers we have passwords which the university has strict rules about when we select them (8 digits, at least 1 letter and 1 number, they're case sensitive, etc.). There is no online resource here at Harvard that we can access with only our ID number -- we need the password as well.
And then we also have independent usernames and passwords which we use to access email and log onto networked computers around campus. So the security here is pretty good: visible usernames + secret passwords for email, computer access, etc., coupled with "secret" ID numbers + secret passwords for college resources.
Rob
Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.
The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.
For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.
The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
"...have taken steps to shut down a security hole..."
So...cool! They're installing Xserves?!?
This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.
For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/activate/.
From the Crimson article:
"But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.
For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.
A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.
With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.
Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."
Most of those aren't really what I'd consider critical systems. I agree you could probably do some mischief with the network connection activation/deactivation stuff in theory, though it may be pretty difficult to do anything with it in practice. And getting into the Student Employment Office job database seems pretty useless.
As for the resume stuff, well, is that so different from having your resume up on Monster.com? Sure, it's the closed University system, but it's getting blasted to tons of potential employers anyway. Shrug.
Obviously, all these services ought to require PIN or passwords to access, and I'm sure now that it's been pointed out, that will be done. But let's not be too hysterical about it.
He said that it's possible that inate biological differences may explain the difference in performance in math between men and women.
And he's right about that- there have been studies which suggest that men and women's brains are different.
But apparently it's not politically correct to state what has been found in scientific research. If you notice, nobody claimed what he said was factually incorrect, they just said it was inappropriate. The press didn't seem to be too interested in asking experts about the accuracy of his statements, they seemed more interested in asking people about their reaction to the statements.
Here are some links which touch on differences between the male and female brain:
http://www.womens-health.org/hs/facts_brain.htm
http://cms.psychologytoday.com/articles/pto-200
Given that the Harvard President's salary is directly dependent on Pharmecia, the Boston Globe story is false.
The Harvard President has already contacted the Registrar's Office, and Depts. connected with the students.
The students will be dismissed at the earliest possible time, in accordance with Pharmeceia's directive to the President of Harvard.
This action by the President of Harvard will instill correct reverence of the importance of the President of Harvard in the Student Body and in the Faculty of Harvard.
Any deviation from the policy of reverence of the President of Harvard will result in termination.
Good Day.
At the University where I work and study in the UK, security like this, or lack thereof, is common practice - if you forget your password for your email account, click the "forgotten password" link, enter your student number and date of birth and hey presto - your default password appears. All well and good until you consider that your student ID card has all this information on it anyway... lose your student card and anyone can now gain access to your email, library record, etc. Admittedly, as far as I'm aware, the University doesn't have sensitive data available online as per the article, but it still raises questions as to what exact method they see as suitable for securing personal data.
Choosing your classes isn't a critical system????
Or even just seeing what classes someone is taking and where??????
Imagine this was NYU and it was people hacking in to see what classes Mary Kate & Ashley are taking so they can stalk them. Or worse, these people under FERPA being kidnapped for money. That's why they keep their info private; having that stuff out there is a major security risk for a lot of people.
http://sladm.org Saint Louis Area Dance Marathon The Best One Night Stand of Your Life
Grandparent bryanp writes:
You don't screw around with HIPAA violations. You will get nailed good and hard.
Parent NessusRed writes:
sorry idiot no one has been charged with HIPAA violations to date. settle down diarrhea mouth.
...and this guy's at -1??
I'm not aware of any HIPAA violations prosecuted to date, and I'd love to hear about them if they exist. One of the great tricks done by the HIPAA legislation and its industrial camp followers is to convince people that it's scary shit. No doubt the possibility of criminal sanctions helps a lot here, leading yuppie scum like me to pay attention. But the screaming and yelling of those who'll make a buck out of it works some too.
Can you imagine what the world would be like if email addresses, web site privacy policy, and spam were covered by regulations as strong as HIPAA? With major corporations scrambling to make sure their CIOs wouldn't be sent to prison for outsourcing spam to "affiliate" freelancers?
OK, enough of that. I did ace Macroecon, so I have to admit to the possibility of a benefit of inelastic demand for infosec experience in conformance to new regulations. Still, why can't *I* be the one to dig up the bottles of cash buried in the sand?
It was not a prof. It was the Harvard President, Larry Summers.
Said he was trying to be provocative at a research conference.
I was going to write, "We should consider the hypothesis that Ivy League males are just rock-dumb when it comes to cultural sensitivities."
But, then Summers issued a better sounding apology.
The meta-parent really IS funny!
-- Sally
Maybe they should have installed this: http://sourceforge.net/projects/cvs-security
Oh. Never Mind.
Serves them right for not using Subversion.
So yeah. Summers is wrong. Quote all the "studies" you want.
Wow, who needs studies performed by qualified researchers in the field when we have some guy named "Capt'n Hector" telling us how it all works?
Sounds like a brilliant idea. Let's just discard all those "studies" performed by "educated scientists" who have "doctorate degrees" and just replace them with emotionally-charged outpours by people like yourself. After all, you know better.
By the way- Feel free to provide evidence of your claim that he was factually incorrect.
the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS.
:-)
Heh... that should be MUST NOT be used as passwords.
The funny thing is that their security consultant is Scott Bradner, who came up with the MUST, SHOULD, etc. terminology for RFCs. He was also transport area director at the IETF (but not security area director).
The other funny thing is that his parents apparently gave him the middle name beginning with O, giving him the initials SOB.
-a
I'd like to know who the genius was who thought it was a good idea to create and use Joe accounts for a system which houses sensitive information? This is the oldest trick in the book as far as crackers getting into systems like these. When I first got into programming, the first thing I was taught about security was do not let the user create an account that has the password the same as the user name. How long has this vulnerability been like this? How many have used this vulnerability to get information they shouldn't have had?
Specks
Batteries not included
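The "Joe account" problem above, and the ID-number-as-password problem the whole thread is about, come down to one check that a registration or password-reset flow should run: reject any password equal to, or built from, identifiers that appear on an ID card or in a campus directory. The following is an added example, not code from any system named in the thread; the 8-characters / at-least-one-letter-and-one-digit rule is the one a commenter described for Harvard, while the "derived from public identifiers" checks (ID number, reversed ID number, last name, date of birth in common layouts) are an assumption about what such a policy should add. The identifiers used in the comments are constructed sample values.

```python
import re
from datetime import date


def is_joe_account(username: str, password: str) -> bool:
    """A 'Joe account': the password is just the username (case-insensitive)."""
    return username.lower() == password.lower()


def password_problems(password: str, id_number: str, last_name: str, dob: date) -> list:
    """Return the list of policy violations for a candidate password.

    An empty list means the password passes. The composition rules are the
    ones described in the thread; the public-identifier rules are an
    assumption added here, since an ID number, last name and birthday are
    all obtainable from an ID card or an online directory.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    # Everything an attacker could read off an ID card or a directory page.
    # Passwords are compared case-insensitively only for this derivation
    # check; the stored password itself remains case sensitive.
    p = password.lower()
    public = {
        "ID number": id_number,
        "reversed ID number": id_number[::-1],   # the "building code" trick
        "last name": last_name.lower(),
    }
    for fmt in ("%m%d%Y", "%Y%m%d", "%d%m%Y", "%m%d%y", "%y%m%d"):
        public["date of birth (" + fmt + ")"] = dob.strftime(fmt)

    for label, value in public.items():
        # Exact match is always rejected; a long identifier (6+ chars, i.e.
        # an ID number or a date) is rejected even as a substring.
        if p == value or (len(value) >= 6 and value in p):
            problems.append("derived from " + label)
    return problems


if __name__ == "__main__":
    # Constructed sample identifiers, not real ones.
    sample_id, sample_name, sample_dob = "12345678", "Smith", date(1985, 6, 24)
    for candidate in ("12345678", "Smith1985", "pw87654321", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate, sample_id, sample_name, sample_dob)
              or "ok")
```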
... when he delivered his - infamous - lunch speech about the inability of women to do math?
Toon Moene (a math and physics teacher, and GNU Fortran maintainer).
As stupid as this sounds, this is common practice everywhere at most colleges (although I only know about Harvard, Yale, Princeton, Amherst, and a few other "top-ranked" schools). I know of one liberal arts school that uses the student ID number in reverse as the code to enter any campus building. You could also easily obtain anyone's ID numbers as the (freely-accessible) online campus directory sorts students by their ID number. This was eventually fixed, but the ID number is still used as a password in several important online applications.
Colleges just aren't very good with security - they have to dumb things down because the students don't want to jump through hoops. I know most people at my school use the same 6-letter password that they were assigned as freshmen for their email.
such security would be considered a breach of the Data Protection Act 1998 here in the UK and risk criminal prosecution.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
wow that is some indifferent minimizing you're doing there. I would imagine the guy who decided to leave these gaping holes probably felt the same way too... before he was sacked! ;)
-- Howto: Get +5 (1) Whine about M$ (2) Namedrop Gentoo (3) Casually Abuse Mods (4) Namedrop Early Computer Model