Pharmacare, Harvard Try To Shut Down Security Hole

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

I'm impressed

[Quattro Vezina]

Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.

Re:I'm impressed

[odano]

If this type of reaction to a problem is used in the future, I think it will lead to more secure software.

Think about it. A good guy finds a bug in the software, but in order to test it he ended up breaking into something. For fear of prosecution, he says nothing. Then a bad guy does the same thing, and takes down the system after stealing all the data. If the first guy knew he could contact the administrator without fear of prosecution (if he could prove he has positive intents), then the problem could be patched before the bad guy gets there.

Re:Simple

[KinkifyTheNation]

He never said anything about the bad guy saying he discovered it.

Re:Simple

[odano]

This assumes that all people that find exploits are bad guys. I think it is very possible for a developer to find a major bug in a popular software product, then test to see if it is an exploit.

Then, by drawing attention to the problem, they can actually get the server operator to fix it. There is a huge difference between:
"I think your server might have a security exploit. You can find the patch at http://whatever.net"

and

"Your server has a security exploit that allowed me to download somebodies perso

Re:I'm impressed

[DrSkwid]

I think it will lead to more secure software

"less insecure", not "more secure"

Re:I'm impressed

[drinkypoo]

Subtracting a negative is the same as adding the absolute value.

Re:I'm impressed

[jrockway]

Yeah, eventually someone will realize that shooting the messenger won't fix the security problems. It's getting to that "eventually" that's hard.

About a month ago, I found a major flaw in UI-Integrate, the system that does EVERYTHING for the University of Illinois (UIC, UIUC, and UIS). Anyway, I found this blatantly obvious (XSS) hole, and wrote up an advisory. Since it was potentially major, I didn't post it publicly. I made slight mention on my blog ("hey, I found a security hole, cool"). I showed u

Yes!

[drivinghighway61]

Yet another victory for the blogosphere!

What's that? Oh, you say it was print journalists?

Sorry, never mind everyone!

Re:Yes!

[Fred_A]

Yet another victory would be to stop using Windows-1252 characters on webpages with no charset definitions so that they are actually legible on non Windows machines...

Well, one victory at a time I suppose...

Raises questions?

[evilviper]

Raises interesting questions about computer security and using ID numbers as passwords.

You me, before this, you would have thought it would be okay to use non-private ID numbers as passwords?

Re:Raises questions?

[Klar]

Well duh.. easy password are easy to remember. You can't seriously mean that I shouldn't use a basic dictionary word such as 'password' or 'cat' for the password for my personal files.

Re:Raises questions?

[BandwidthHog]

use non-private ID numbers as passwords

I'm told there's a large, affluent first world country where this is the norm. Every citizen is issued a nine digit identifier, which is then used for the rest of their life as both username and password for various reasons, both important and trivial.

But that's probably just an urban legend.

Re:Raises questions?

[superpulpsicle]

I am not sure which is worse. A single social security number containing too much info about me. Or the need for a million different username and passwords for everything.

Re:Raises questions?

[legirons]

"You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?"

Please prove you are who you say you are, by revealing your date of birth and your mother's maiden name.

(I'm not joking, that public-record information is used to access my bank account over the phone)

Re:Raises questions?

[evilviper]

(I'm not joking, that public-record information is used to access my bank account over the phone)

I suggest you change banks, immediately. It would be a good idea to let them know why, but switching is the most important thing.

People jst accept these things, assuming they will never be the victim, until it happens.

It can take an incredibly long time to recover your money after it is stolen, and if your bank is not FDIC insured, you run the risk of possibly never getting it back (or having to go through a

Re:Raises questions?

[DrSkwid]

I prefer "can you fax us your signature"

No password

[vladd_rom]

>> the difficulties posed to information privacy by the widespread use of ID numbers to verify identity

So they actually used an "username" with the purpose of representing both an username and a password.

That is a security issue by design. What were they thinking?

Re:No password

[dxxt]

You are right. It is always said that the weakest link in security is human beings, which include not only next door neighbors who provides free wireless access to me, but also designers who just wnat to provide functionalities as soon as possible.

Somebody is going to pay. BIG

[Anonymous Coward]

I smell lawsuits already!

Harvard?

[RobertTaylor]

It was probably designed by females... ...as we all know there are biological differences in men's and women's abilities ;)

Re:MOD PARENT UP +1 Funny

[BandwidthHog]

slashdot is full of dumb fuckers.

You must be new h------

*OWW*

What was THAT for?

Re:Harvard?

[torinth]

Haha. He's not trolling folks... Somebody's got to know that.

Re:Harvard?

[s7uar7]

It's not a troll - a Harvard professor has had to apologise after apparently saying women lack the ability to excel at math and science [bloomberg.com]

He did not state it that way.

[i41Overlord]

He said that it's possible that inate biological differences may explain the difference in performance in math between men and women.

And he's right about that- there have been studies which suggest that men and women's brains are different.

But apparently it's not politically correct to state what has been found in scientific research. If you notice, nobody claimed what he said was factually incorrect, they just said it was inappropriate. The press didn't seem to be too interested in asking experts about

Re:He did not state it that way.

[Capt'n Hector]

If you notice, nobody claimed what he said was factually incorrect, they just said it was inappropriate.

Really? Well, here I am saying it: what he said was not only inappropriate, it was factually incorrect. I don't give a fuck how big your brain is or how fast you are. All it takes to be a great mathematician is some powerful creativity and the willpower to follow through on ideas. If anything, the reason there are few women mathematicians is because:

1. Boys are more aggressive than girls. when in cl

You're a funny guy, you know that?

[i41Overlord]

So yeah. Summers is wrong. Quote all the "studies" you want.

Wow, who needs studies performed by qualified researchers in the field when we have some guy named "Capt'n Hector" telling us how it all works?

Sounds like a brilliant idea. Let's just discard all those "studies" performed by "educated scientists" who have "doctorate degrees" and just replace them with emotionally-charged outpours by people like yourself. After all, you know better.

By the way- Feel free to provide evidence of your claim that he

Re:You're a funny guy, you know that?

[Capt'n Hector]

Please. Studies can prove correlation, not causality.

And to think, Summers said that the reason there aren't woman mathematicians at Harvard is because they are biologically inferior. The same excuse was used to by the Nazis to kill Jews. I DO know better, and you should too.

Lastly, "people like myself?" I am the son of one such of these rare woman mathematicians. She had to fight for her tenure at UC Berkeley. Her name is Jenny Harrison, perhaps you've heard of her. I spent the first 7 years of

Re:You're a funny guy, you know that?

[i41Overlord]

And to think, Summers said that the reason there aren't woman mathematicians at Harvard is because they are biologically inferior. The same excuse was used to by the Nazis to kill Jews. I DO know better, and you should too.

Wow, you're really trying hard to set up a strawman argument. That one is ancient- equate everything to Nazis and you just *must* be right.

Nobody said that women are biologically inferior. He just claimed that it's possible that women could be at a disadvantage in that one specific sub

Re:He did not state it that way.

[Borderlinebass]

Interesting related note: The offers of tenure to women professors at Harvard have decreased durring each of Summer's three years as president, down to 4 of 32 last year.

Re:He did not state it that way.

[mizhi]

Boys are more aggressive than girls. when in class, boys will jump to answer questions, intimidating the girls. Math class can be very unpleasant for the non-aggressive type.

Actually, this could be one of those fabled biological differences. If aggression is caused by body chemicals, then the fact that boys tend to be more agressive than girls could explain some of the social outcomes.

That said, you're dead right on this observation:

When a woman finally does get a degree, she is discriminated against

Professor.. NOT! It was the Harvard President!

[SallyShears]

It was not a prof. It was the Harvard President, Larry Summers.

Said he was trying to be provocative at a research conference.

I was going to write, "We should consider the hypothesis that Ivy League males are just rock-dumb when it comes to cultural sensitivities."

But, then Summers issued a better sounding apology.

The meta-parent really IS funny!

-- Sally

raises interesting questions?

[ScentCone]

interesting questions about computer security and using ID numbers as passwords

Since when has anybody thought that was an acceptable practice? Ever?

It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.

I will resist any humor related to the gender-based aptitudes of any IT mangement personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.

Re:raises interesting questions?

[Jeff DeMaagd]

A lot of colleges used Social Security numbers to identify students, which I think is nearly as bad as you can do pretty bad things to people's criminal and credit records by signing up infringing accounts.

Re:raises interesting questions?

[Fnkmaster]

I'm not clear this stuff was developed in house by Harvard. Harvard's IT people are generally quite anal about security stuff - the system that lets you log in and check your grades, for example, requires a special PIN number. If you lose your PIN number, there is NO way to retrieve it, online or otherwise. You have to make a request, and if you are a current student, they will mail you a new PIN number to your current registered student snail mail address (at least such was the protocol a few years back

"Possible?"

[bryanp]

a possible violation of Federal laws concerning medical records (HIPAA)

Speaking as someone who admins boxes with data that falls under HIPAA (as well as IRS data, but those are different servers), there's no "possible" about it. You don't screw around with HIPAA violations. You will get nailed good and hard.

Re:"Possible?"

[PornMaster]

I think this raises the kind of question like "should HIPAA systems be certified for use?"

Since you deal with it, perhaps you could illuminate the types of auditing that go on, and whether there's the possibility of using a software vendor which will indemnify against security design flaws.

Re:"Possible?"

[peacefinder]

"should HIPAA systems be certified for use?"

It is a common misunderstanding to think that software, hardware, or turnkey systems can be made inherently HIPAA compliant. They can't.

HIPAA does not specify technologies, it specifies that a clinic (or whatever) that generates, uses, or stores protected health information have policies in place to protect that data (for several values of "protect") and that it adheres to its own policies.

Like ISO 9000, HIPAA is just a standard framework for creating policies

The troll boy theah's got a point, boy

[Jay Carlson]

Grandparent bryanp writes:

You don't screw around with HIPAA violations. You will get nailed good and hard.

Parent NessusRed writes:

sorry idiot no one has been charged with HIPAA violations to date. settle down diaherra mouth.

...and this guy's at -1??

I'm not aware of any HIPAA violations prosecuted to date, and I'd love to hear about them if they exist. One of the great tricks done by the HIPAA legislation and its industrial camp followers is to convince people that it's scary shit. No doubt the po

Re:The troll boy theah's got a point, boy

[peacefinder]

"I'm not aware of any HIPAA violations prosecuted to date, and I'd love to hear about them if they exist."

I think the feds are still focusing on getting clinics to comply with HIPAA, and are not yet using prosecution and fines as much more than a threat.

I think it's a sound approach... they come to a non-compliant clinic, set a really big freakin' stick down on the table, and speak softly about the need to get into compliance with the regs for the protection of the patients. They say that later they'll a

Only possible. Maybe not likely.

[peacefinder]

Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.

The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.

For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.

The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!

the key question

[edward.virtually@pob]

the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. but in a world where dependable unix solutions are replaced with windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and crash if someone puts a zero in the wrong application entry field, putting 800 planes worth of lives at risk and rendering a navy vessel dead in the water respectively, but NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.

Re:the key question

[Cmdr-Absurd]

Because this is higher ed we're talking about. All too often, security is not even an afterthought at higher ed institutions. Richard Clark made this point at a higher ed cybercecurity sumit I attened a few months back (right after the $h!T hit the fan over his book.) Some universities are making progress, but many are totally clueless. Reasons for lax security range from historical perceived lack of need (the small group of people with access were trusted) to bugetary (part time hourly student employees in

Re:the key question

[pedestrian crossing]

any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS

I agree, but I have experienced a similar situation (fortunately nothing as sensitive as medical records), and you would not believe the pressure there was to use a public ID as a password.

Everyone was pushing for the path of least resistance, which is rarely a secure path.

Funny thing is, all of the potential "problems" that were brought up as justification for developing an insecure system

Scott Bradner

[God! Awful 2]

the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS.

Heh... that should be MUST NOT be used as passwords. :-)

The funny thing is that their security consultant is Scott Bradner, who came up with the MUST, SHOULD, etc. terminology for RFCs. He was also transport area director at the IETF (but not s

self incrimination

[Doc Ruby]

And what about the results of mandatory drug tests? Since they're not the property of a powerful insurance corporation, they won't get the same kind of expensive protection. So when you sacrifice your privacy to your employer by submitting to a drug test, you're risking telling the world some of your most private info, even if they fire you - because they very possibly will keep the data after they get rid of you.

Re:self incrimination

[t_allardyce]

Which is why you have the data protection act.. oh.. whats that? you don't have a data protection act? oh dear.

Re:self incrimination

[Doc Ruby]

No, we have an endless stream of Corporate Security Acts.

Re:self incrimination

[t_allardyce]

Does that mean corporations get data security and have the right to know everything about you and get to sell your data too? thats pretty good, kinda like extra rights for them to not abuse.

Re:self incrimination

[Doc Ruby]

Yes, except the data security comes in the form of a law, not a technology, protocol or practice. The law limits their liability.

Re:self incrimination

[t_allardyce]

In Europe we have the right to see any personal data any organisation, business, government etc has on us including recordings of phone conversations, cctv, internal memos, databases, logs etc. and they have to keep it secure from everyone else. Kinda like medical records but for everything.

Re:self incrimination

[conteXXt]

unless you KNOW you are always going to test clean....

NEVER EVER submit to a drug test.

1. they are most probably illegal (time will tell)

2. if !1 then they are highly invasive

3. if your employer does not trust you, or the field you work in does not trust you... It's time for a change.

Advice? Start your own business, contract, work for humans.

Re:self incrimination

[Doc Ruby]

Another tactic I haven't heard is to flip the script, and actively contaminate test samples. The security on those samples can't be too tight. "They can't bust all of us!", especially not the Republican straightedge boss' nephew who tests for adrenochrome and dilaudid.

From a Harvard Student...

[Anonymous Coward]

Before everyone crucifies the University for "using ID numbers as both username and password", I will say that although this might have been Pharmacare's policy, it is not widespread policy throughout the university whatsoever.

Attached to our ID numbers we have passwords which the university has strict rules when we select (8 digits, at least 1 letter and 1 number, they're case sensitive, etc). There is no online resource here at Harvard that we can access with only our ID number-- we need the password as well.

And then we also have independant usernames and passwords which we use to access email and log onto networked computers around campus. So the security here is pretty good: visible usernames + secret passwords for email, computer access, etc. coupled with "secret" ID numbers + secret passwords for college resources.

Rob

Re:From a Harvard Student... -- patently false

[Anonymous Coward]

This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.

For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/ac tivate/.

From the Crimson article:

"But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.

For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.

A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.

With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.

Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."

Re:From a Harvard Student... -- patently false

[Fnkmaster]

Most of those aren't really what I'd consider critical systems. I agree you could probably do some mischief with the network connection activation/deactivation stuff in theory, though it may be pretty difficult to do anything with it in practice. And getting into the Student Employment Office job database seems pretty useless.

As for the resume stuff, well, is that so different from having your resume up on Monster.com? Sure, it's the closed University system, but it's getting blasted to tons of potentia

Re:From a Harvard Student... -- patently false

[cowsandmilk]

Choosing your classes isn't a critical system????

Or even just seeing what classes someone is taking and where??????

Imagnine this was NYU and it was people hacking in to see what classes Mary Kate & Ashley are taking so they can stalk them. Or worse, these people under FERPA being kidnapped for money. That's why they keep their info private, having that stuff out there is a major security risk for a lot of people.

Re:From a Harvard Student... -- patently false

[DrSkwid]

such security would be considered a breach of the Data Protection Act 1998 here in the UK and risk criminal prosecution.

Security Device

[eomnimedia]

"...have taken steps to shut down a security hole..."

So...cool! They're installing Xserves?!?

CVS security?

[anandamide]

Maybe they should have installed this:
http://sourceforge.net/projects/cvs-securit y

Oh. Never Mind.

Figures

[mattwarden]

Serves them right for not using Subversion.

Joe Accounts

[Specks]

I'd like to know who the genius was who thought it was a good idea to create and use Joe accounts for a system which houses sensitive information? This is the oldest trick in the book as far as crackers getting in to systems like these. When I first got in to programing the first thing I was taught about security was do not let the user create an account that has the password the same as the user name. How long has this vulnerability been like this? How many have used this vulnerability to get information t

This is common practice in higher education

[ambrosine10]

As stupid as this sounds, this is common practice everywhere at most colleges (although I only know about Harvard, Yale, Princeton, Amherst, and a few other "top-ranked" schools). I know of one liberal arts school that uses the student ID number in reverse as the code to enter any campus building. You could also easily obtain anyone's ID numbers as the (freely-accessible) online campus directory sorts students by their ID number. This was eventually fixed, but the ID number is still used as a password in se