Just about eight months ago, SecurityArchitecture.com joined the multitude of websites running WordPress. This change, after more than five years online with a largely custom-coded PHP and HTML setup, enabled a number of stylistic and functional improvements, and facilitated the consolidation of the SecurityArchitecture blog with the rest of the content presented on the site. Adopting a popular platform like WordPress offers a lot of advantages, not least of which is that almost anything you want to do has already been done by someone using WordPress. Similarly, almost any problem or technical issue you might encounter has also been seen (and usually resolved) by someone else. The widespread implementation of WordPress combined with its (relative) ease of use has some negative aspects as well, however, particularly when it comes to cyber security. In much the same way that Microsoft’s Windows operating systems and Windows products face the largest proportion of attacks, malware, and attempted exploits, WordPress is a popular target for attackers, meaning essentially everyone running a WordPress site, no matter how small or off-the-radar, is likely to see a lot of attempted intrusions. While WordPress is famous for its “5-minute install” and an administrative dashboard that requires WordPress users to have little or no technical knowledge to be able to produce a high-quality website, there is almost nothing in the standard installation instructions about security and many WordPress sites are highly vulnerable to attack.
For a site focused on information security, there is an implied obligation to do more (in some cases much more) than the bare minimum when it comes to security. Taking proactive steps to implement a variety of security controls should, however, be a priority for any website. Classic definitions of security include the distinct but interrelated objectives of confidentiality, integrity, and availability, each of which is necessary to maintain the operational state of an application and the data it contains. Conventional information security models also distinguish between preventive, detective, and corrective controls: we use preventive controls to try to keep unintended or undesirable events from occurring, detective controls to discover when such things have happened, and corrective controls to respond or recover after unwanted events occur. Each of these types of controls is important for a WordPress site, or for any application or environment subject to attack. For a web-based application like WordPress, preventive controls typically include firewalls, access controls (like requiring users to log in with a password), and user education such as security awareness training. Detective controls include network and application monitoring, vulnerability and malware scanning, and review of audit and event logs. Corrective controls include incident response procedures, file and database backup and recovery capabilities, and (not to be overlooked) planning in advance what to do when something goes wrong.
The good news for WordPress users is that there are multiple security plugins available that enhance site security, provide routine (even continuous) monitoring, and help administrators remove and repair whatever changes or damage an intrusion has caused. A quick online search for “WordPress security plugins” will return dozens of tools and lots of reviews and opinions about which plugins are the best. It is a pointless exercise to try to arrive at a set of recommendations that will work for every WordPress site, since the features and functional purpose of each site are different. From prior experience across multiple WordPress implementations, however, we believe it is a good idea to select and install security plugins that will 1) strengthen access controls; 2) monitor WordPress for activity or changes that could indicate an attempted or successful intrusion; and 3) help “clean” a compromised site and restore normal function. Most available security plugins overlap to some extent in the features they offer, but to provide a complete set of security controls site administrators often need to deploy more than one tool. The most popular free security plugins provide several of these capabilities and can, if configured and used properly, substantially strengthen protection for WordPress sites.
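The second selection criterion above (monitoring for changes that could indicate an intrusion) is what most file-integrity features in security plugins implement. The following is an added illustration of that detective control, not code from this site or from any plugin: it hashes every file under a WordPress install, diffs a later snapshot against that baseline, and singles out two changes worth an immediate look. The constructed sample tree, the rule that `wp-content/uploads` should hold media only, and the list of configuration files it watches are assumptions made for the example.

```python
"""File-integrity check for a WordPress install: baseline, compare, flag."""
import hashlib
import tempfile
from pathlib import Path

# Assumption for this example: the uploads folder holds media only, so any
# executable PHP appearing there is a change that should not happen on its own.
MEDIA_ONLY_DIRS = ("wp-content/uploads",)
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".php5")
WATCHED_CONFIG_FILES = ("wp-config.php", ".htaccess")


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[path.relative_to(root).as_posix()] = digest
    return snapshot


def diff_baseline(old, new):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_suspicious(changes):
    """Pick out changes that warrant an alert rather than routine review."""
    findings = []
    for path in changes["added"] + changes["modified"]:
        is_php = path.endswith(EXECUTABLE_SUFFIXES)
        in_media_dir = any(path.startswith(d + "/") for d in MEDIA_ONLY_DIRS)
        if is_php and in_media_dir:
            findings.append((path, "executable PHP in a media-only directory"))
        elif path in WATCHED_CONFIG_FILES and path in changes["modified"]:
            findings.append((path, "core configuration file changed"))
    return findings


def demo():
    """Build a tiny constructed WordPress tree, alter it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        files = {  # constructed stand-ins for a real install
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-content/uploads/2015/06/photo.jpg": "JPEGDATA",
            "wp-content/themes/twentyfifteen/style.css": "body{}",
        }
        for rel, body in files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        baseline = hash_tree(site)

        # Constructed post-intrusion state: a PHP file dropped into uploads,
        # the config edited, and a theme file removed.
        (site / "wp-content/uploads/2015/06/cache.php").write_text("<?php // dropped")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // edited")
        (site / "wp-content/themes/twentyfifteen/style.css").unlink()

        changes = diff_baseline(baseline, hash_tree(site))
        return changes, flag_suspicious(changes)


if __name__ == "__main__":
    changes, findings = demo()
    for kind, paths in changes.items():
        print(kind, paths)
    for path, reason in findings:
        print("ALERT", path, reason)
```

In practice the baseline would be stored outside the web root (an attacker who can write files can also rewrite a baseline kept beside them) and refreshed after each legitimate core, theme or plugin update.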
For commercial, professional, or high-traffic sites, administrators may also want to consider additional subscription services such as active scanning, web application firewalls, denial-of-service protection, and post-intrusion cleanup and restoration services.
In the weeks following the June 4 announcement by the U.S. Office of Personnel Management that it had discovered in April a large-scale security incident that had compromised the personal information of as many as 4 million current and former federal government employees, subsequent disclosures and updates about the incident paint a troubling picture of the poor security practices that facilitated the attack and delayed its discovery. First came the perhaps inevitable revelation that the impact from the incident was worse than initially reported, affecting not only federal employees but millions of former employees and contractors – potentially everyone who applied for a security clearance dating back to 2000, a group that OPM estimates at 21.5 million people.
The initial, smaller group of employees was slated to receive identity theft protection and other measures to help avoid future damage from the loss of their personal information. OPM quickly hired a contractor to assist in the employee notification effort, but in the rush to get the process started OPM apparently failed to consider how affected individuals would perceive email notifications directing them to a non-government site and asking for personal information. Many recipients believed the emails coming from contractor CSID were phishing attempts or raised concerns about providing personal information to the fraud protection companies OPM had engaged. The Army went so far as to warn its employees not to respond to such emails, categorizing them as an attack. OPM subsequently suspended the notifications to defense agencies (although they continued to go to civilian ones). Unfortunately for all concerned, notification emails about the OPM breach, and the follow-up actions affected individuals could take, proved to be irresistible fodder for hackers, as news of phishing attacks surfaced from the U.S. Computer Emergency Response Team (US-CERT).
Aside from the generally unsatisfactory way OPM has handled its response to the data breach (notification to the broader group of security clearance applicants has yet to begin), information OPM provided to Congress in testimony at a Senate hearing convened by the Appropriations Subcommittee on Financial Services and General Government revealed multiple failures in what should be considered basic information security practices. Perhaps most troubling was the indication by OPM Director Katherine Archuleta that the unauthorized access to OPM’s systems was achieved by compromising user credentials from a contractor, KeyPoint Government Solutions, that was itself the victim of a cyberattack resulting in a data breach of information on thousands of government employees. The implication is that after the intrusion into its contractor’s systems, OPM failed to disable or change credentials it had issued to KeyPoint personnel. Imagine a homeowner who has given a spare house key to his neighbor and, upon learning his neighbor’s house was robbed, chooses not to have his locks changed. The successful use of credentials issued to a contractor is reminiscent of other high-profile data breaches, including the theft of customer information from Home Depot and Target, where hackers first compromised a third-party vendor to gain access to the primary target.
After a full 11-judge en banc panel of the U.S. Court of Appeals for the 11th Circuit reversed a ruling made last June by a 3-judge panel of the same Court, deciding that government law enforcement agents do not need a search warrant to obtain cell tower location data about individuals, the attorney for appellant Quartavious Davis came to a dire conclusion about what the ruling meant. As quoted in a May 5 Washington Post article about the ruling, lawyer David Oscar Markus called the opinion “breathtaking,” declaring, “It means that the government can get anything stored by a third party – your Facebook posts, your Amazon purchases, your Internet search history, even the documents and pictures you store in the cloud, all without a warrant.” It’s understandable that Markus would be upset, frustrated, and possibly even confused by the ruling, but his hyperbolic statement suggests either that he was speaking with emotion rather than reason or that he suffers from a lack of understanding about current search doctrine in the United States.
In the en banc opinion for United States v. Quartavious Davis, Circuit Judge Frank Hull wrote the majority opinion with explicit attention to detail regarding the nature of the information that the government sought about Davis’ cell phone use in its court order to wireless carrier MetroPCS. As a form of electronic communications, cell phone activity falls under the purview of the Electronic Communications Privacy Act (ECPA) and, more importantly, the Stored Communications Act (SCA) portion of that law. In the Davis case, the government obtained a court order (but not a search warrant) for MetroPCS records that included all the numbers Davis called over a 67-day period and identifying information for the cell tower that connected the calls. The government used the tower identifiers to determine the exact physical location of each of the towers and used that location information tied to each call as evidence that Davis was near the location of six armed robberies, for which he and several accomplices were indicted, around the time the robberies occurred. The Court’s opinion notes that the government neither requested nor received information about the contents of Davis’ calls, or any real-time location information for Davis’ phone. This distinction is important because the SCA requires the government to obtain a search warrant for the contents of electronic communications, but not for records about such communication.
The SCA lays out statutory requirements under which the government can require an electronic communication service provider (like a cellular carrier) to disclose customer records, including the contents of customer communications or records about those communications. The rules for different types of information differ in what type of government request is required, ranging from a search warrant (the highest legal standard) to a simple subpoena. In general, the government has to meet a higher burden to get a judge to issue a search warrant than a court order (a subpoena can also be issued by a judge, but may also be issued by a district attorney, lawyer, or other authorized official). In its investigation of Davis, the government relied on a section of the SCA that requires only a court order (not a search warrant) if it can show that the records sought are “relevant and material to an ongoing criminal investigation” (18 U.S.C. §2703(d)). The statute is clearly written and, at least in Davis’ case, there was no question that the government satisfied the requirements necessary to obtain the court order.
Back to Markus’ warning about what this ruling means. The ECPA and SCA cover many kinds of electronic communications, including wireless and landline telephone use, text messaging, email, and other forms of data transfer over wired networks or radio frequencies, as well as “remote computer use” such as hosted email services, search engines, document storage, and social media. Records related to these types of activities can be and are requested by law enforcement, but where the records include communications contents the government is still required to get a search warrant before a provider discloses data to it. Major service providers typically cite the SCA (specifically §2701 and §2703) in their public notices regarding compliance with requests from law enforcement. Some law enforcement guidelines, like those for Apple and Microsoft, are publicly available. A quick review of such guidelines highlights the distinction between types of data that can be obtained with a subpoena (subscriber information), a court order (customer usage or purchase records), or a search warrant (email contents, documents in online cloud storage). Nothing in the 11th Circuit Court ruling changes the categorization of any consumer content to require a lower legal standard.
In a 9-2 ruling issued on May 5, a full 11-judge panel of the U.S. Court of Appeals for the 11th Circuit rejected one of its own panel rulings to decide that law enforcement authorities do not need to get a warrant to obtain cell tower location records or other business records created and maintained by telecommunications companies about subscribers or users of their services. In the case under consideration, United States v. Quartavious Davis, federal prosecutors had secured a conviction of Davis for multiple counts of armed robbery based in part on their introduction as evidence of telephone call records from wireless carrier MetroPCS containing details of Davis’ calls over more than two months. The MetroPCS records included the numbers Davis called and the physical location information for every cell tower that connected the calls. While the cell tower location data could not precisely place Davis at the robbery sites, prosecutors used the data as evidence that Davis was at least near each of the locations around the times the crimes occurred. After his initial conviction, Davis’ attorneys appealed the decision from the federal District Court to the 11th Circuit Appellate Court, a three-judge panel of which upheld the convictions but ruled that the government nonetheless had violated Davis’ Fourth Amendment rights by obtaining the telephone records without a search warrant (which, it is important to note, existing law does not require).
The legal treatment of data produced by wireless carriers about the users of their cellular networks is an area of significant debate, in Congress as well as the courts, especially with respect to GPS data, cell site location data, and other information that carriers gather or produce as a routine part of providing wireless service to consumers and businesses. The SCA was enacted as Title II of the Electronic Communications Privacy Act of 1986 (ECPA), the law governing most aspects of telecommunications transmissions. Because the law was written nearly 30 years ago, applying it to modern communication transmission methods – including text messaging, cell phones, and satellite navigation systems such as GPS – sometimes seems to take the law into uncertain territory. There have been multiple attempts in Congress to modernize the ECPA, including an ultimately unsuccessful effort by Sen. Patrick Leahy in 2011 to strengthen legal protection for geolocation information such as GPS coordinates and cell site location data.
The focus of the most recent ruling involves the way in which the authorities obtained the cell tower location data and other call data from MetroPCS. The government, following established procedures spelled out by statute under the Stored Communications Act (18 U.S.C. §2703), applied to a federal magistrate judge for a court order for MetroPCS records that were “relevant and material to an ongoing criminal investigation,” as the statute requires. The law does not require the government to show probable cause to request such business records. The 11th Circuit Court opinion explicitly notes that, in this case, the government did not ask for, nor did it obtain, the contents of any telephone call, cell phone, or text message, any cell location information regarding when Davis’ cell phone was powered on but not in use for a call, or any GPS location information associated with the cell phone. Although the court order the government obtained met the applicable statutory requirements, Davis’ attorneys filed a motion to suppress the records, claiming the government’s ability to obtain and review the records constituted a search under the Fourth Amendment and therefore should have required a showing of probable cause and a search warrant. This is essentially an argument that the SCA, as codified, is unconstitutional when applied to cell tower location information. The District Court denied the motion, and the 11th Circuit ruling this week affirmed that decision. Davis’ attorneys apparently plan to appeal this decision to the U.S. Supreme Court, but it is far from certain that the Supreme Court would agree to hear the case, since other rulings at the appellate level so far seem to agree and the Court is often reluctant to take on an issue unless there is disagreement among lower courts.
In breaking down the rationale for its findings, the 11th Circuit decision seems to follow conventional Fourth Amendment analysis to determine both whether the request for cell tower location information is a search and whether the records are something for which an individual like Davis can assert a reasonable expectation of privacy. The decision cites multiple Supreme Court precedents holding that individuals cannot have a reasonable expectation of privacy for certain types of business records “owned and maintained by a third-party business.” This line of reasoning has been used to refute an expectation of privacy for the telephone numbers a caller dials, and first the Fifth Circuit and now the 11th Circuit have extended that thinking to cell tower location data and other telecommunications provider information that does not include the actual content of calls. Simply put, Davis cannot argue for the suppression of the data because, “This type of non-content evidence, lawfully created by a third-party telephone company for legitimate business purposes, does not belong to Davis, even if it concerns him.” The Court also found that Davis had “no subjective or objective reasonable expectation of privacy” regarding the cell tower location data.
In a legal action noted by several privacy-minded observers, a woman in Cabell County, West Virginia filed suit in March against health care provider Marshall Health (the collective name for a group of clinical centers affiliated with Marshall University School of Medicine) for failing to prevent unauthorized access to her daughter’s medical records by a Marshall Health employee. According to an online article published by the West Virginia Record, the plaintiff’s daughter sought medical treatment from Marshall Health, where a woman in a relationship with the girl’s father was an employee. The employee, either acting on her own or on behalf of the girl’s father, accessed the daughter’s electronic medical records on multiple occasions over a period of more than a year. The employee was not involved in the daughter’s care, so her access to the medical records was unauthorized – a fact that Marshall Health acknowledged – and therefore constituted a breach of privacy. According to the account in the WV Record, Marshall Health management only became aware of their employee’s activity after the plaintiff contacted Marshall’s CIO to express her concerns that her daughter’s records were being accessed (and potentially altered) improperly. Marshall Health apparently had no automated monitoring of employee access to records and never provided any notification about its employee’s activity during the time it allegedly occurred, although it did confirm the unauthorized access in a letter responding to the plaintiff’s concerns. She is suing for compensatory and punitive damages.
It’s not entirely clear what the legal or statutory basis for this lawsuit might be. Like most states, West Virginia has enacted laws covering the protection of consumer information, including requirements for entities holding computerized personal information when breaches of the security of that information occur. The applicable sections of the West Virginia code, however, define a security breach to mean unauthorized access to personal information that “has caused or will cause identity theft or other fraud” to a resident of West Virginia. The unauthorized access is not in dispute here, but the alleged harm doesn’t seem to be related to identity theft or fraud. Although the facts of the case raise issues that sound relevant under the Security Rule and the Privacy Rule of the Health Information Portability and Accountability Act (HIPAA), there is no private right of action under HIPAA, so the plaintiff can’t bring suit under federal rules protecting the security and privacy of health-related personal information. It’s possible that the suit rests on a negligence claim, since the plaintiff claims that Marshall Health had a duty to protect the confidentiality of patient information and that it breached that duty when it failed to prevent unauthorized access by one of its employees to that information. The difficulty with that legal path is that, under U.S. tort law, to succeed with a claim of negligence the plaintiff must show actual damages as a direct result of the action (or inaction) that constitutes the breach of duty.
Under the HIPAA Privacy Rule covered entities like Marshall Health are required to maintain an accounting of disclosures of protected health information, but the regulations currently in force include an exception for disclosures related to treatment, payment, or health care operations. The employee implicated in this lawsuit may not have been engaged in any of those activities, but the exception for these “routine” types of disclosure often means that covered entities don’t produce detailed data access logs for their employees who have permission to access health record systems. The Health Information Technology for Economic and Clinical Health (HITECH) Act included a provision that would change accounting of disclosure rules to remove the exception for treatment, payment, and health care operations purposes, but that provision has never been implemented. As part of its consideration of that provision, the U.S. Department of Health and Human Services (HHS) actually proposed going further than the language in the law to add a requirement for covered entities to be able to provide an “access report” to individuals that would indicate who has accessed their electronic health information. The access report idea was contained in a Notice of Proposed Rulemaking published in 2011, but neither the access report nor changes to the accounting of disclosures regulation was included in the HITECH Omnibus Rule finalized in early 2013.
If the plaintiff’s allegations are true, then Marshall Health may in fact be in violation of HIPAA rules, some of which could serve to articulate the specific duty it owed to protect patient records from unauthorized access. The HIPAA Security Rule requires covered entities to “regularly review records of information system activity,” including audit logs and access reports. The simple fact that Marshall Health didn’t regularly monitor employee access to its systems may not, in and of itself, be sufficient justification for a breach of duty, since the regulations do not specify what “regularly” means. Because it seems that Marshall Health admits its employee’s access was unauthorized, it presumably bears some fault that the unauthorized access occurred. Without a showing of the specific harm that resulted from the unauthorized access, however, the plaintiff cannot expect to prevail even if there is clear evidence that Marshall Health acted (or failed to act) in a way that it should have to prevent its employees from accessing patient data that is not explicitly needed for the performance of their job duties.
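The “access report” proposed in the 2011 NPRM and the Security Rule’s review of audit logs are both derivable from the same record-access log, and the pattern alleged here (one user outside the care team, repeated views over more than a year) is exactly what such a review should surface. The following is an added example of that detective control, not code from Marshall Health or any EHR product: it parses constructed audit lines, produces the per-patient access report, and aggregates accesses by users who are not assigned to the patient. The log format, the user and patient identifiers, and the care-team table are all assumptions made for the example.

```python
"""Per-patient access report and out-of-care-team detection over EHR audit log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines; the format (timestamp plus key=value fields)
# is an assumption for this example, not any vendor's real log layout.
AUDIT_LOG = """\
2013-02-11T09:15:00 user=drsmith patient=P1001 action=view
2013-02-11T09:40:00 user=nurse_lee patient=P1001 action=update
2013-03-02T22:05:00 user=clerk_k patient=P1001 action=view
2013-03-02T22:07:00 user=clerk_k patient=P1001 action=view
2013-09-18T13:30:00 user=clerk_k patient=P1001 action=view
2014-04-21T08:02:00 user=clerk_k patient=P1001 action=update
2014-04-21T08:05:00 user=drsmith patient=P2002 action=view
"""

# Constructed care-team assignments: which staff are treating which patient.
CARE_TEAM = {"P1001": {"drsmith", "nurse_lee"}, "P2002": {"drsmith"}}


def parse_log(text):
    """Turn each non-empty line into a dict with a parsed datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def access_report(records, patient):
    """Who touched this patient's record, when, and what they did: the
    per-individual report HHS proposed in 2011."""
    return [(r["time"].isoformat(), r["user"], r["action"])
            for r in records if r["patient"] == patient]


def flag_out_of_team_access(records, care_team):
    """Aggregate accesses by users who are not on the patient's care team,
    reporting how often and over how long a period they occurred."""
    hits = defaultdict(list)
    for r in records:
        if r["user"] not in care_team.get(r["patient"], set()):
            hits[(r["user"], r["patient"])].append(r["time"])
    findings = []
    for (user, patient), times in hits.items():
        findings.append({"user": user, "patient": patient,
                         "count": len(times),
                         "span_days": (max(times) - min(times)).days,
                         "repeated": len(times) > 1})
    return findings


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for row in access_report(recs, "P1001"):
        print(*row)
    for finding in flag_out_of_team_access(recs, CARE_TEAM):
        print("REVIEW", finding)
```

A real deployment needs the care-team table kept current from the scheduling or admissions system, and a break-glass workflow so that legitimate emergency access is recorded as such rather than flagged as unauthorized.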