Stanford Hospital leaks 20,000 patient records

Over 20,000 records of patients who visited the emergency room at Stanford Hospital in 2009 were posted on the internet for over a year, it was disclosed today.

The leaked information included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, according to the New York Times.

The information was posted to the website Student of Fortune, a site where students can pay for tutorials on how to complete their homework.

A spreadsheet with the sensitive information was attached to a question posted to the site asking if someone could explain how to convert the information into a bar graph.

Multi-Specialty Collection Services, a billing contractor for the hospital, is likely the source of the leak.

The question I have is: why was the data not protected (encrypted), and who would think it is a good idea to post this kind of information to a public forum?

I see two problems at work in these types of incidents…

First, medical organizations that are required to protect confidential patient data in the United States under the HIPAA and HITECH acts often outsource work to third parties.

Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?

Second, the laws and our attitudes toward data protection are simply outdated. If you think you should treat data differently when it is inside than when it is outside, you are doing it wrong…

Confidential information, whether it is sensitive health records or source code to your secret Jesus phone to be released next month cannot be “inside” or “outside”. There is no inside.


Repeat after me… There is no inside. Has your organization ever had a malware infection? Then you don’t have an inside. Unfortunately, this case proves that information *does* just want to be free.

If your data requires protection when it is on your USB thumb drive, your laptop and your iPad then it needs protection on your server, in your databases and with your trusted partners.

Eventually I will write up my thoughts on firewall policies and you will see how enraged I get when someone says “We aren’t at risk from that worm, our firewalls block incoming connections.”

Rather than tracking down the person who made the mistake, imposing multi-million dollar fines and saying it won’t happen to us, let us learn from their mistakes.

Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data. Please?

Creative Commons photo of Stanford Hospital courtesy of DoNotLick’s Flickr photostream.

Researchers extend Firesheep to exploit Google Search data leak

Firesheep infiltrates Google

A pair of security researchers have created their own version of the notorious Firesheep plugin to expose a data leak in the world’s favourite search engine.

The proof-of-concept plugin exploits the use of unencrypted cookies by Google’s Web History feature.

Although you need to be logged in to make use of Web History, it does not require an encrypted (HTTPS) connection. This flaw can allow attackers to find out what you’ve been searching for, who your social contacts are and who’s in your Gmail address book.

The new variant of Firesheep allows hackers to easily exploit the flaw if they are sharing the same WiFi hotspot as you.
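The weakness the researchers exploit is a cookie that is issued without the Secure attribute, so the browser attaches it to every plain-HTTP request for the cookie's domain, where anyone on the same hotspot can read it. The script below is an added example, not code from the article or from either research team: it audits Set-Cookie headers for that defect, works out which cookies a plain-HTTP request to a given URL would expose, and shows the corrected header form. The sample headers and the example.com domain are constructed for illustration and are not real Google cookies.

```python
"""Audit Set-Cookie headers for cookies that travel in the clear.

Added example; sample headers below are constructed and do not come from
any real site. Only the two cookie rules that matter for the leak are
modelled: Secure restricts a cookie to https://, and Domain scoping covers
the host and its subdomains."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample response headers for a fictitious site.
SAMPLE_HEADERS = [
    "SID=session-token-1; Domain=.example.com; Path=/; HttpOnly",
    "PREF=ui-prefs; Domain=.example.com; Path=/",
    "SSID=session-token-2; Domain=.example.com; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Return a list of {name, domain, secure, httponly} for one header."""
    jar = SimpleCookie()
    jar.load(header)
    return [
        {
            "name": name,
            "domain": morsel["domain"].lstrip(".").lower(),
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        }
        for name, morsel in jar.items()
    ]


def would_be_sent(cookie, url):
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["secure"] and parts.scheme != "https":
        return False
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def cleartext_exposure(headers, url):
    """Names of cookies a plain-HTTP request to url would reveal on the wire."""
    if urlsplit(url).scheme != "http":
        return []
    exposed = [
        c["name"]
        for h in headers
        for c in parse_set_cookie(h)
        if would_be_sent(c, url)
    ]
    return sorted(exposed)


def audit(headers):
    """One finding per weak attribute; suitable for a CI check or a log line."""
    findings = []
    for h in headers:
        for c in parse_set_cookie(h):
            if not c["secure"]:
                findings.append(f"{c['name']}: no Secure attribute, sent in the clear over http://")
            if not c["httponly"]:
                findings.append(f"{c['name']}: no HttpOnly attribute, readable by page scripts")
    return findings


def harden(header):
    """Corrected form of a Set-Cookie header: add Secure and HttpOnly if absent."""
    fixed = header.rstrip("; ")
    present = [p.strip().lower() for p in fixed.split(";")]
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            fixed += f"; {flag}"
    return fixed


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
    print("exposed on http://maps.example.com/:",
          cleartext_exposure(SAMPLE_HEADERS, "http://maps.example.com/"))
    print("hardened:", harden(SAMPLE_HEADERS[1]))
```

Run against real response headers, the `cleartext_exposure` check is the question to ask of every property that shares a cookie domain: the article's point is that one HTTP-only page on any of the 20-plus sites is enough to leak a cookie that is scoped to the whole domain.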

For researchers Vincent Toubiana and Vincent Verdot the choice to adapt Firesheep must have been obvious. The original Firesheep was released last October by a security researcher fed up with what he saw as the failure of big websites such as Twitter and Facebook to protect their users. Whilst his efforts weren’t greeted with a chorus of approval they do appear to have had the desired effect.

The good news is that this latest exploit does not allow attackers to take over users’ Google Accounts. However, it does expose private data. In the researchers’ own words:

"while the direct access to users’ data is subject to a strict security policy, using personalized services (which may leak this same personal information) is not"

Anyone thinking that search histories are innocuous need only cast their mind back to 2006.

In a well-intentioned but disastrous move AOL released a sizeable chunk of its users’ search data for research purposes. And what did we learn? That users put all sorts of private information into search engines.

AOL user 17556639's search history

The supposedly anonymised searches included names, addresses and social security numbers amongst other things. In some cases users’ search histories built up to create mosaic-like pictures of their lives (and in the sinister case of user 17556639 not a flattering one).

As well as introducing their take on Firesheep, Toubiana and Verdot’s recent paper outlines a number of ways to acquire the offending cookies, including just Googling for them.

They estimate that about 50% of Google’s users have Web Search History switched on and that many users are unaware of it. To make matters worse the compromised cookies are used across more than 20 websites including some web behemoths like Google Search, Google Maps, YouTube and Blogger.

The researchers have already alerted the Google Security Team who are working on a fix. In the meantime they recommend making sure you’re not logged in to your Google account when you’re using an unsecured network.

Although it is possible to protect yourself when searching by using Google’s HTTPS search, many of the webpages where the cookie can be exposed don’t offer HTTPS as an option.

If you don’t use Web Search History or you’ve never heard of it you may want to visit your search history page and disable it.

For more information on this research you can download Toubiana and Verdot’s paper “Show Me Your Cookie And I Will Tell You Who You Are” from

You might also like to watch our video showing you how to counter Firesheep and its friends, even on unencrypted WiFi:

(Enjoy this video? Why not check out the SophosLabs YouTube channel?)

Facebook birthday T-shirt scam steals secret mobile email addresses

Facebook scams are getting sneakier and sneakier – with the latest attack using the lure of a free T-shirt celebrating Facebook’s birthday in an attempt to steal the secret backdoor key to your account.

The offer seems attractive enough – a webpage claiming to celebrate Facebook’s 7th birthday, saying that it has over 1.9 million official T-shirts in stock.

Facebook birthday t-shirt scam

All you have to do is verify that you are a Facebook user, claims the following webpage. And this is where things get very sneaky.

Facebook birthday t-shirt scam

The webpage tells you to visit Facebook Mobile, and find on that page the personalised email address that you can use to post status updates or upload photos and videos straight to your profile.

Many people are probably unaware that such a thing exists – but every Facebook user has a secret mobile email address they can use for this purpose.

The important thing, of course, is to keep it secret. Because if someone else finds it out, they’ll be able to post status messages to your Facebook page or upload videos and photos to your wall – which your friends will be able to see.

The scammers, unsurprisingly, want your secret mobile email address for Facebook. And so they claim that you have to hand it over to verify you are a legitimate Facebook user in order to get your T-shirt.

The scammers have even had the gall to make a YouTube video showing how to find the secret email address on the Facebook Mobile page, and where to enter it on their form:

The above video is made by a YouTube user called “vicsthedevil” and we have to assume that they are intimately involved in the scam. They posted the video on 5 September, the same day that they registered the website domain name where they are hosting their scam.

Of course, you’re still hoping that you’re going to receive a free T-shirt. So you may not baulk at the idea of completing a survey (which, by the way, earns commission for the scammers) and giving them your snail mail details so they can send through your free gift.

Facebook birthday t-shirt scam

Good luck, by the way, on that T-shirt. My hunch is that you won’t ever receive one. But the scammers now have the ability to post to your Facebook page and upload pictures to your account, and you have helped them earn some money in the process.

If you were hit by this scam then you must refresh your Facebook mobile upload email address – that way the bad guys you just gave it to won’t be able to use it as a secret backdoor into your account.

How to refresh your Facebook Mobile upload email address
Some commenters have asked how to change your Facebook Mobile upload address. Unfortunately, Facebook has made it somewhat tricky to find this option (maybe that’s why the scammers felt they had to make their own explanatory video!).


Refresh the page until you see an option like that displayed below. You may have to scroll down the page to find it.

Facebook Mobile email address

You should now see your Facebook Mobile upload address. Beneath it you should also see an option to “Find out more”. Click it, and a screen like the following should pop up.

Upload email

On this page you should find an option to refresh your mobile email address – but note! Facebook warns that you can only refresh it a limited number of times.

If you don’t change your mobile email address on Facebook, you’re just asking for trouble. In the past, Facebook pages such as that belonging to the Van Gogh Museum have been hit by scammers who abused the mobile upload feature.

It would be great, of course, if there was a way of telling Facebook to not allow any email address to be used for mobile uploads, as I would imagine that many individuals and companies would find the permanent blocking of the feature attractive.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest issues.

Hotel credit card wrong transaction email malware attack

Be on your guard! Emails claiming to be from a hotel about a wrong transaction on your credit card are being spammed worldwide – with the intention of infecting your computer with malware.

Here’s a typical example. In this case it claims to come from the booking department of the Hotel Swissotel in Chicago:

Hotel malicious email

Hotel Swissotel Chicago made wrong transaction

Dear client!

We are sorry to inform you that on July 26th, 2011 Hotel transaction debiting from your account for an overall amount of $1857.
This partner hotel was divested accreditation in Booking Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Sorry for the inconvenience. We trust you can solve this unpleasant problem.

Manager: Genaro Dunwiddie

The name of the hotel, the amount of money and the manager’s name can vary from email to email. Similarly, the subject lines vary, as you can see in the examples below:

Hotel malicious email subject lines

But all of the emails we have seen so far do claim to have a booking refund attached in a ZIP file, and this is where the malware attack is contained.

Of course, even if you weren’t staying at the hotel on July 26th you might still be concerned that your credit card has been abused by someone who *was* enjoying luxurious room service, unfettered use of the mini-bar and a complimentary newspaper.

Recipients who are intrigued to find that they may be owed some money might open the ZIP file without thinking of the possible consequences, and infect their computer with a Trojan horse.
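Because the hotel name, amount and subject line all vary, a gateway rule for this campaign has to key on what stays constant: the lure wording and the ZIP attachment. The script below is an added example, not Sophos code or anything from the article, showing that triage over a raw message. It scores the wording the article quotes, the presence of a ZIP attachment, and, going a step beyond the article, looks inside the archive for executable members. Both sample messages are constructed; the attached ZIP contains a harmless text placeholder named like an executable, not malware, and the example.net and hotel.example addresses are made up.

```python
"""Mail-gateway triage for the hotel "wrong transaction" lure.

Added example. Sample messages are constructed; the ZIP holds placeholder
text, not a real program. Pattern list and weights are assumptions chosen
for illustration, not a vendor's rule set."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Wording reported for this campaign, plus generic refund phrasing.
LURE_PATTERNS = [
    r"\bwrong transaction\b",
    r"\bhotel\b",
    r"\b(refund|return of funds)\b",
    r"\bdebit(ed|ing)?\b",
]
# Member names inside a ZIP that should never arrive unsolicited.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_lure_sample():
    """Constructed message modelled on the campaign; returns raw bytes."""
    msg = EmailMessage()
    msg["From"] = "booking@hotel.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Hotel made wrong transaction"
    msg.set_content(
        "Dear client, a hotel transaction debiting your account for $1857 was "
        "made in error. Please see the attached form, fill it in and contact "
        "your bank for the return of funds."
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund_Form.exe", "placeholder text, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Refund_Form.zip")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed legitimate hotel message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "frontdesk@hotel.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Your invoice"
    msg.set_content("Thank you for staying at our hotel. Your invoice is "
                    "available in your online account.")
    return msg.as_bytes()


def executable_members(zip_bytes):
    """Names inside the ZIP that end in an executable suffix."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def triage(raw):
    """Score a raw RFC 5322 message; returns (score, reasons)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    score, reasons = 0, []

    hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        score += min(len(hits), 2)  # wording alone is weak evidence
        reasons.append(f"lure wording matched {len(hits)} pattern(s)")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            score += 2
            reasons.append(f"ZIP attachment {name!r}")
            exes = executable_members(part.get_payload(decode=True))
            if exes:
                score += 3
                reasons.append(f"executable inside ZIP: {', '.join(exes)}")
    return score, reasons


def verdict(score):
    return "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"


if __name__ == "__main__":
    for raw in (build_lure_sample(), build_benign_sample()):
        score, reasons = triage(raw)
        print(verdict(score), score, reasons)
```

The weights deliberately make wording worth little on its own: a real hotel invoice mentions hotels and refunds too, and the benign sample is delivered unchanged. What tips the lure into quarantine is structure that the scammers cannot vary without breaking their attack, a ZIP that hides an executable.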

Once your computer is infected, remote hackers can take control of it – potentially using it to spam out other attacks or to steal information from you.

Sophos detects the malware as Troj/Zbot-AXZ and the ZIP file itself as Troj/Invo-Zip.

Make sure that your anti-virus defences are up-to-date and always be suspicious of unsolicited emails that try to lure you into opening attachments. It could be a ploy by a hacker to hijack your computer.