Welcome to the SecAware blog

I spy with my beady eye ...

1 Oct 2011

SSL security checker

A nicely presented online tool from Qualys lets us check the security of the SSL configurations used by public websites.

SSL is not exactly the security panacea that online businesses usually imply it is.  Servers can be configured to negotiate and establish connections using older, weaker protocol versions and cipher suites instead of the more recent, stronger, recommended ones, or not, depending on how they are set up.  The Qualys tool presumably connects and tries to persuade the tested site to fall back to one of the deprecated SSL algorithms, marking down the site's score if it succeeds.
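To make that "persuade the server to fall back" idea concrete, here is an added example (not the Qualys tool and not code from the original post) that does the same thing in miniature against a server you administer: it attempts a handshake capped at each protocol version, then tries to negotiate a few weak cipher families, and reports anything a hardened configuration should have refused. The host name, the probe list, and the assessment rules are the example's own assumptions; an inconclusive result (None) means the local OpenSSL build could not even offer that option, not that the server refused it.

```python
"""Minimal SSL/TLS downgrade-resistance check for a server you operate.

Added example, not part of the original post.  Probes are attempted in
turn; the server "passes" a probe by refusing it.  Tested on CPython 3.8+
with OpenSSL 1.1 or 3.x; older/other TLS libraries may mark probes inconclusive.
"""
import socket
import ssl
import sys

# (probe name, minimum version, maximum version, OpenSSL cipher string).
# "@SECLEVEL=0" asks the local OpenSSL to allow legacy options it would
# normally refuse to offer, so that the *server's* choice is what we observe.
PROBES = [
    ("SSLv3",      ssl.TLSVersion.SSLv3,   ssl.TLSVersion.SSLv3,   "ALL:@SECLEVEL=0"),
    ("TLSv1.0",    ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1,   "ALL:@SECLEVEL=0"),
    ("TLSv1.1",    ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1, "ALL:@SECLEVEL=0"),
    ("TLSv1.2",    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2, "DEFAULT"),
    ("TLSv1.3",    ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3, "DEFAULT"),
    ("RC4",        ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1_2, "RC4:@SECLEVEL=0"),
    ("3DES",       ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1_2, "3DES:@SECLEVEL=0"),
    ("EXPORT/NULL", ssl.TLSVersion.TLSv1,  ssl.TLSVersion.TLSv1_2, "EXPORT:NULL:@SECLEVEL=0"),
]

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1.0", "TLSv1.1")
WEAK_CIPHER_FAMILIES = ("RC4", "3DES", "EXPORT/NULL")


def probe(host, port=443, timeout=5.0):
    """Return {probe name: True (server accepted) | False (refused) | None (inconclusive)}."""
    results = {}
    for name, lo, hi, ciphers in PROBES:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing negotiation behaviour, not the certificate chain.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = lo
            ctx.maximum_version = hi
            ctx.set_ciphers(ciphers)
        except (ValueError, ssl.SSLError):
            # Local library cannot offer this option at all: inconclusive.
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # Handshake completed, so the server agreed to what we offered.
                    results[name] = True
                    print(f"  {name:12s} accepted: {tls.version()} / {tls.cipher()[0]}")
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def assess(results):
    """Turn raw probe results into (findings, inconclusive) lists."""
    findings = []
    for proto in LEGACY_PROTOCOLS:
        if results.get(proto):
            findings.append(f"accepts deprecated protocol {proto}")
    for family in WEAK_CIPHER_FAMILIES:
        if results.get(family):
            findings.append(f"negotiates weak cipher family {family}")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("no modern protocol (TLS 1.2 or 1.3) negotiated")
    inconclusive = [name for name, verdict in results.items() if verdict is None]
    return findings, inconclusive


if __name__ == "__main__":
    # Usage: python tls_check.py <host you administer> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"Probing {target}:{target_port}")
    found, unknown = assess(probe(target, target_port))
    for line in found:
        print("FINDING:", line)
    for name in unknown:
        print("INCONCLUSIVE (local library cannot offer it):", name)
    if not found:
        print("No downgrade findings.")
```

The cipher-string probes stop at TLS 1.2 because TLS 1.3 suites are chosen separately and none of the legacy families exist there; a server that only speaks TLS 1.3 will simply refuse those probes, which is the desired outcome.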

This is a simple illustration of the complexity of IT security management today, and the value of routine independent pen testing of corporate websites.

Regards, Gary (Gary@isect.com)

[Thanks to Jim for the heads-up on this.]

Another 4,900,000 privacy breach statistics

A backup tape containing medical records and other personal information on nearly 5 million US military personnel in the TRICARE scheme has been stolen from an SAIC employee's car.

TRICARE is a US "health care program serving Uniformed Service members, retirees and their families worldwide".

SAIC (Science Applications International Corporation) is a "scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding".  It is best known as an IT outsourcer/service provider.

TRICARE's statement that "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure" does not stand up well to scrutiny.  If the data had been strongly encrypted - which is generally accepted as good practice, or "reasonable controls", for such confidential information - then knowledge of hardware, software and data structures wouldn't have been a factor.  Without encryption, yes, it might require a professional tape drive to get at the data, and then some time (perhaps months) analyzing the data to establish the data structure.  But if the prize is worth the investment, someone may feel lucky.  Given that the people whose personal information has been stolen include serving US military personnel, the stakes are high.

Did they really have to wait two weeks after discovery before disclosing this 'to avoid raising undue alarm'?  It sounds like their incident management, HIPAA compliance, and relationship management processes could do with a squirt of WD-40.

TRICARE says "both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future".  Shame it took an incident of this magnitude to spur them into action.  If I were one of the 4.9 million, or a US taxpayer, I would be calling TRICARE and SAIC management to account for their handling of governance, compliance, policy, privacy and information security.

Gary (Gary@isect.com)