Enabling Secure Business Operations

Health Information Insecurity

A colleague lent me his most recent copy of IEEE’s Computer magazine.  Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read).  Some possible benefits of their proposed approach were listed, including:

  • Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
  • Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
  • Share similar and alternative protocols and their analyses across many medical facilities and individual providers…

Anyone want to guess what’s completely missing from their approach?  You guessed it, any mention of security.  The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal health information must be protected.  Even without HIPAA, it would just make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health information.

The only mention of keeping information safe in the article is the fact that there is a division of data between the protocol, protocol modifications, and actual patient data – but it is very difficult to draw such bright, clear lines when it comes to medical records and information.  How can you be sure the protocol modification a doctor submits won’t include information on the patient he tried it on?  Without even mentioning or considering the need for the protection of privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice.  Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase.  As Kenneth van Wyk and Mark Graff put it in their book Secure Coding: Principles and Practices,

As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.

By publishing an 8-page article in a respected technical journal without any mention of the need for security controls in such a system, the authors of this article have once again helped me with my job security.  It is still difficult for me to foresee the day when security and risk management training programs won’t be necessary, and we won’t need an information security industry.

MD5 is really seriously broken this time

If you haven’t heard yet, a practical attack on the X.509 infrastructure using MD5 hashes has been demonstrated at the Chaos Communication Congress (CCC) today.

The basic gist of the attack is that a “normal” certificate is issued by a well-known and trusted CA (in this case “Equifax Secure Global eBusiness CA-1”), and the “magic” of MD5 hashing is then used to create a second certificate that collides with the “real” one but just happens to be a CA certificate. That rogue CA can then issue certificates as its holder pleases, and your browser will trust them, no questions asked.

The details are a bit more in depth, and unless you study cryptography, you will find them rather boring and dry. However, MD5 hashes have been known to collide in X.509 certificates since 2005, and this paper just takes it a step further and shows how bad this really is. The attack requires a little bit of money (to buy certificates) and some statistics on how the CA operates (how soon certs are issued, what the “next” serial number will be). Then a knowledge of how to collide MD5 hashes is used to create a new certificate – with the CA basic constraint set to “true”. Suddenly, you have a CA certificate that is trusted by all of the major browsers.

What does this mean for “normal” people? It means that an attacker can now create a site that looks just like your bank’s but takes your username and password, and your browser isn’t going to complain about it. You’ll have a lock, or a yellow location bar, or whatever your browser uses to indicate that the site is “trusted” and “secure”. However, you’ll be giving your username and password to the attacker.

What can you do about it? Immediately, remove the Equifax Secure Global eBusiness CA-1 from the list of trusted CAs – I’ve provided links below for how to do that on various systems and browsers. However, that is certainly not the only CA that is vulnerable, just the one that’s been proven to be vulnerable. There are several CAs listed in the linked paper that issue MD5 certificates – stop trusting them too. In the long run, the CAs have to fix themselves and stop using MD5 hashes in certificates. SHA-1 is better, and SHA-256 is best (good luck finding a CA that issues only SHA-256 hash certificates).
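As an added example (not code from the original post), here is a stdlib-only Python check for the condition the post says to stop trusting: a certificate whose outer signatureAlgorithm is md5WithRSAEncryption. A minimal DER walker reads the Certificate SEQUENCE and decodes the OID, and a policy function flags every MD5-signed member of a chain. The OIDs are the real RFC 3279/4055 values; the sample inputs at the bottom are constructed here with an empty tbsCertificate placeholder, so they are certificate-shaped test data, not real certificates.

```python
"""Flag MD5-signed certificates in a chain (added example, not from the post).
Standard library only; sample inputs are constructed, not real certificates."""

# Real signature-algorithm OIDs (RFC 3279 / RFC 4055).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_OIDS = {"1.2.840.113549.1.1.4"}


def read_tlv(data: bytes, offset: int):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Dotted OID from the outer signatureAlgorithm of a DER Certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(body, 0)      # tbsCertificate (contents not needed here)
    tag, alg_id, _ = read_tlv(body, off)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def is_md5_signed(cert_der: bytes) -> bool:
    return signature_algorithm_oid(cert_der) in MD5_OIDS


def md5_signed_indices(chain: list) -> list:
    """Indices of chain members (leaf first) whose signature uses MD5.
    Policy: any MD5 signature anywhere in the chain is a reason to distrust it."""
    return [i for i, cert in enumerate(chain) if is_md5_signed(cert)]


# --- constructed sample input (tiny DER encoder used only to build test data) ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER with an empty tbsCertificate placeholder (constructed)."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 8)  # BIT STRING: 0 unused bits, dummy value
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [sample_cert("1.2.840.113549.1.1.11"),  # leaf: sha256WithRSA
             sample_cert("1.2.840.113549.1.1.4")]   # intermediate: md5WithRSA
    for i in md5_signed_indices(chain):
        name = SIGNATURE_OIDS[signature_algorithm_oid(chain[i])]
        print(f"chain[{i}] is signed with {name}: distrust this chain")
```

To run it against real certificates, feed `md5_signed_indices` the DER bytes of each chain member (for example as returned by `ssl.SSLSocket.getpeercert(binary_form=True)` for the leaf). The check looks only at the outer signatureAlgorithm; a fuller validator would also confirm it matches the `signature` field inside tbsCertificate and would distrust the issuing CA outright, as the post recommends.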

How to distrust CAs:

  • OS X – Keychain. Double-click the CA in X509Anchors (Tiger) or System Roots (Leopard) and under Trust, select “Never Trust”.
  • Firefox – The instructions are for the Comodo certificate, but it’s the same thing.
  • Internet Explorer (and anything that uses MS CAPI, like Outlook).

Improve Cybersecurity With Hackers

It’s good to know the government is finally looking towards some real-life scenarios in changing how they view cybersecurity. According to a recent article from FederalTimes.com the government is finally looking at the knowledge of hackers to help improve cybersecurity instead of relying only on compliance.

The strategy would fix the current model’s focus on compliance, rather than security, according to Alan Paller, director of the Maryland-based SANS Institute, a computer research center. “We’re trying to secure systems rather than secure compliance,” Paller said. “If you know how [hackers] are getting in, you’d have to be crazy not to use your resources to stop that. But people are too focused on compliance.”

When you get into these big organizations, the level of compliance that needs to be met can be overwhelming. Having to meet thousands of pages of regulatory requirements, it’s almost impossible to ensure that every machine or network appliance is up to par for these standards. But if you take a step back and at least ensure that your current vulnerabilities are being fixed and stopped, then at least you can ensure your basic levels of security are met, and you can continue to work towards regulatory compliance.

The use of hackers to find current vulnerabilities has been used throughout many companies for a while now, and I’m simply glad sectors of the government have finally started to see the value in this approach and are at least looking seriously at it as an alternative.

2008 Olympics Visitor Security Guide

If you’re lucky enough to be traveling to China for the 2008 Summer Olympics, you should think carefully about the security and safety of your personal belongings, as well as your information.  Travelers should be aware that as in any large metropolitan area, any computing devices (such as smart phones, PDAs, and laptops) are at a high risk of theft.  Additionally, the United States State Department has advised the following about travel to China:

Security personnel may at times place foreign visitors under surveillance.  Hotel rooms, telephones, and fax machines may be monitored, and personal possessions in hotel rooms, including computers, may be searched without the consent or knowledge of the traveler.  Foreign government officials, journalists, and business people with access to advanced proprietary technology are particularly likely to be under surveillance.

Therefore, we recommend the following approach for 2008 Olympics Visitors in order to keep their information and belongings safe:

  • If at all possible, leave your computing devices home.  It will eliminate potential travel hassles, and alleviate the need to keep tabs on your things while you are out and about.  Enjoy the Olympic Games, and take a vacation from your email.
  • If you bring a computing device, keep it with you at all times.  If you cannot bring the device with you, inquire at your hotel about a safe, or other secure storage area.  Hotel rooms and rental cars are prime places for theft to occur in China.
  • Use file or disk encryption.  Products such as TrueCrypt or SecureDoc, or operating system capabilities such as Encrypting File System or BitLocker can keep your information safe even if your device is stolen.
  • If you must write down passwords, secure them.  If you keep a post-it note with passwords on the lid of your notebook, the criminal may be able to use this information to get further access to the information in your machine or your networks.
  • Keep your identification documents safe. Keep passports and other identification documents safe from pickpockets.  The State Department recommends travelers make photocopies of their passport bio-data pages and Chinese visas and keep these in a separate, secure location in case of passport theft.

We hope visitors to Beijing find this information useful, and stay safe during their visit to the 2008 Olympic Summer Games!