
Posts from March, 2015


The $100,000 Phone Bill: Is Your Office VoIP Phone System the Next Target?

Friday, March 20th, 2015


How would you react if your company’s next phone bill revealed a major cost spike—to the tune of over $100,000? It’s actually happening now to small businesses across the U.S., thanks to international VoIP toll fraud—perhaps the fastest growing cyber-threat today.

While many small companies have adopted VoIP (Voice over Internet Protocol) as a cost-effective alternative to traditional phone service, the trade-off is increased security risks. Primarily in Africa and Eastern Europe—those usual hotbeds of cybercrime—hackers have discovered that a VoIP-based PBX system (like other online networks) contains multiple vulnerabilities, which most smaller companies fix only rarely, if ever. Once they successfully hack into a U.S. company’s VoIP network, they can literally hijack its entire PBX and begin placing thousands of calls from that company’s local office lines—typically over a weekend, when nobody will be there to notice.

Long-Distance Robbery

Who do they call? In most cases, they’ve leased international phone numbers with “premium” surcharges (think adult chat or psychic hotlines), resell the calls, and rack up the pay-per-minute profits. And unlike a conventional landline, a single hacked VoIP line can dial several hundred calls simultaneously! Do the math; it all adds up to a lot of money, very quickly.

International law guarantees that somebody must pay those long-distance charges—either the victimized company or their VoIP service provider.

As with so much other cybercrime from the Third World, the chances of U.S. law enforcement tracking down the culprits are slim at best. Meanwhile, the victim faces, at the very least, a major multi-week headache contesting that ridiculously huge bill.

Protect Yourself

Your VoIP phone system should be secured as much as any other network. There are steps you can take right now to shield your company from a costly telephone cyberattack:

  • Deactivate Call Forwarding, to prevent rerouting calls to third-party numbers—particularly those outside the U.S.

  • Set strong passwords for central root access as well as every phone line and voice mailbox. Then schedule company-wide password changes every six months.

  • Protect your VoIP network behind its own high-security firewall, configured to only accept access from pre-approved IP addresses.

  • Consider Secure Shell (SSH) encryption for administrative access, for an added level of security.

  • Physically isolate your VoIP system from the rest of your network infrastructure—down to the cables and Ethernet switches. If a lucky hacker can use your phone system as a front door for infiltrating your entire company network, then you’ve got even more trouble.
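The pattern described above (a hijacked line placing many international calls at once, typically outside business hours) can be spotted in a PBX's call-detail records. As an added example, not code from the original post, here is a small Python check over constructed CDR lines; the CDR format, extension names, phone numbers (a non-assigned +999 prefix) and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real data): start time, extension, dialed number, seconds.
# A weekday business-hours domestic and international call, one late Friday call,
# then five near-simultaneous international calls from ext201 early Saturday morning.
SAMPLE_CDRS = """\
2015-03-13 09:12:03,ext201,+14155550123,184
2015-03-13 10:40:55,ext203,+442075550199,62
2015-03-13 23:30:00,ext203,+442075550199,120
2015-03-14 02:01:10,ext201,+999615550101,1800
2015-03-14 02:01:12,ext201,+999615550102,1800
2015-03-14 02:01:15,ext201,+999615550103,1800
2015-03-14 02:01:20,ext201,+999615550104,1800
2015-03-14 02:01:22,ext201,+999615550105,1800
"""

def parse_cdrs(text):
    """Parse comma-separated CDR lines into (start, ext, number, duration) tuples."""
    records = []
    for line in text.strip().splitlines():
        start, ext, number, dur = line.split(",")
        records.append((datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), ext, number, int(dur)))
    return records

def is_international(number, home_cc="+1"):
    """E.164 number outside the home country code (assumed to be +1)."""
    return number.startswith("+") and not number.startswith(home_cc)

def is_off_hours(ts, open_hour=8, close_hour=18):
    """Weekend, or outside the assumed 08:00-18:00 business window."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def peak_concurrency(intervals):
    """Sweep-line count of the most calls in progress at any instant."""
    events = sorted((t, d) for s, e in intervals for t, d in ((s, 1), (e, -1)))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def detect_toll_fraud(cdr_text, max_concurrent=3):
    """Return extensions whose off-hours international calls exceed the concurrency threshold."""
    per_ext = defaultdict(list)
    for start, ext, number, dur in parse_cdrs(cdr_text):
        if is_international(number) and is_off_hours(start):
            per_ext[ext].append((start, start + timedelta(seconds=dur)))
    alerts = {}
    for ext, calls in per_ext.items():
        peak = peak_concurrency(calls)
        if peak > max_concurrent:
            alerts[ext] = {"calls": len(calls), "peak_concurrent": peak}
    return alerts
```

Running `detect_toll_fraud(SAMPLE_CDRS)` flags ext201 only; ext203's single late call stays below the threshold, which is the kind of weekend spike worth paging on before the bill arrives.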

The stakes are simply too high for a do-it-yourself approach to VoIP security, or to think “it won’t happen to us.” Trust an experienced IT partner who not only knows the nuts and bolts of VoIP, but also specializes in cutting-edge network security. Learn more here.

Welcome to the IoT: Will Your TV Be Watching YOU?

Thursday, March 12th, 2015


We’ve talked recently about the potential dangers of the rapidly expanding Internet of Things, or IoT. As we discussed, the IoT consists of embedded sensors collecting data from dozens of devices in your daily life—your car, your health and fitness equipment, and even your home thermostat. All that tabulated data is intended to help you, whether it reminds you that your car needs a tune-up, that you’re slacking off on those cardio workouts, or that the heat can shut off because you’re not at home. But just as when the Internet first exploded upon us in the mid-1990s, IoT technology may be growing faster than our ability to regulate it and protect our privacy—from hackers, corporations, and even the government.

Smart Devices: Getting Too Smart?

Consider this recent Salon.com article. The author was excited about buying a state-of-the-art “smart” TV—until he read all 46 pages of the manufacturer’s Privacy Policy.

Think for a moment about the last time you needed to check an “I Agree” box before installing software, downloading music, or applying for a job online. Did you actually read the binding legal contract you were virtually signing? Like most people, you probably skipped that “fine print,” whether it was three pages or 30. “It’s got to be fair,” you assured yourself, “or they couldn’t get away with it.” And you clicked through.

In the case of that smart TV, they actually try to get away with quite a lot. Soon after plugging in that new TV, the user is asked to give their consent to:

  • Set cookies and beacons marking the content you watch and the E-mail you read.

  • Track the apps you use, the websites you visit, and your online interactions with both.

  • Record facial recognition via a built-in camera.

  • A voice recognition feature which may “transmit your spoken words to a third party.”

But what about opt-outs and do-not-track requests, you ask? The TV’s Privacy Policy specifically excludes them. You’re not just watching TV anymore—it’s watching you, too.

New Targets for Hackers … or “Big Brother”?

Are we sounding a little too much like George Orwell here? Maybe. But in this relatively early stage of the IoT, who’s to say your networked household devices won’t be hacked to let a burglar know when you won’t be home? Or after the uproar the federal government created by eavesdropping on millions of cell phone calls via the 2001 Patriot Act, could they someday get permission to monitor citizens via the data collected by their household devices—including their living room TV?

Before you consider upgrading to a smart TV, we recommend you isolate it—along with other IoT devices—from your home or office network via a dual-firewall or “DMZ” configuration. And block that camera the same “low-tech” way many laptop users already do—with a simple piece of black electrical tape over the lens.

For advice and support on protecting your privacy when it comes to IoT devices, contact us at www.mpa.com

Is Your Law Firm HIPAA Compliant? Should It Be? Are You Sure?

Wednesday, March 4th, 2015


When the Health Insurance Portability and Accountability Act (HIPAA) took effect in 1996, a number of legal “gray areas” existed in that original law. At the top of the list: to what extent was a law firm obligated to protect the confidentiality of Protected Health Information (PHI) stored in their client records? There simply wasn’t a clear-cut answer back then; ask five different lawyers, and you’d probably get five different answers.

After 13 years of wading through ambiguity, those issues would be mostly settled by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Law firms are now clearly defined as “business associates” of a “covered entity”—the plaintiff or defendant in any legal matter in which PHI served as evidence.

As a Business Associate, the law firm is governed by strict IT procedures—about 40 “minimum necessary standards” in total—for safeguarding PHI stored in their electronic records. This affects virtually the entire IT configuration of the firm: document files, emails, authorized access and password security, encryption and firewalls, anti-malware protection, and even screen savers.

The Feds: Ignorance is No Excuse

According to HIPAA regulations, any lapse in those 40 minimum standards can be considered a direct data breach.

The penalty for a HIPAA violation—or for failure to report it to Covered Entities/HHS regulators? A fine of up to $50,000 per incident, or a whopping $1.5 million per year.

Among the large number of Bay Area law firms we’ve worked with, a major problem we’ve noticed is that many don’t realize that HIPAA/HITECH compliance is actually retroactive for all legal records kept after 1996. If the firm used PHI in any case—from medical malpractice, an injury accident, or worker’s comp to elder care or estate planning—it is now bound by HIPAA/HITECH IT regulations. And if only one attorney on a law firm’s staff of 30 worked a PHI case, that means the entire firm’s IT environment may be subject to those IT rules from a practical perspective.

Know What You Don’t Know… Before It’s Too Late

If your firm is still unclear about the full scope of HIPAA/HITECH compliance, now is the time to admit it. We recommend an immediate, comprehensive IT “gap assessment” to identify any problem areas which fall under HIPAA governance—specifically how PHI is stored on onsite servers, Cloud-service vendors, desktop hard drives, mobile devices, and E-mail. Security may also be a problem area, including password policy, workstation and server patching, filtering malware at your firewall, and even door locks!

Next, establish a formal HIPAA compliance policy that features employee security training. Conduct bi-annual audits to ensure your firm doesn’t fall out of compliance.

With heavy penalties at stake, you don’t want to go it alone. Work with a trusted IT partner who understands HIPAA regulations inside and out—and who will help you maintain airtight compliance. Like those old motor oil commercials used to say, you can pay now, or pay later.