windowsnerd.com

notes from an admin for himself. you can read it if you want.

Oh hell no, Logmein bought Citrix Goto products. No BAA/HIPAA compliance for you!

28 April, 2017 (11:12) | complaining, Mindless Blather, security, software | 2 comments

Logmein acquired the fleet of Goto products from Citrix last year. We had moved away from Logmein because they refused to offer a BAA, or even acknowledge they were responsible for one, for HIPAA data per the HITECH Omnibus of 2013. Now we are sad about our use of GoToMeeting, Webinar, Training and GoToAssist. Citrix offered us a BAA for the whole Goto line; it was great.

I used some leverage from needing a new license to get information from GetGo sales. Logmein hates talking to you in writing about this subject. After a few weeks of prodding and promises that weren’t kept by sales folks:

BAAs are only needed when GetGo, Inc. is acting as a business associate by creating, receiving, maintaining or transmitting PHI on behalf of Covered Entities or other Business Associates. Because the GoTo Services do none of these things, GetGo, Inc is not a business associate. Our standard Terms of Service also prohibit using the GoTo Services for these purposes. Use of the GoTo Services does not create a business associate relationship subject to HIPAA compliance obligations, and Covered Entities/Business Associates don’t need to have a BAA in place with GetGo, Inc in order to use the GoTo Services. For these reasons, GetGo, Inc is not required to and does not sign BAAs for the GoTo Services.

The GoTo Services are not intended to and do not create, receive, maintain or transmit PHI, so the GoTo services do not have to comply with HIPAA. This is because the GoTo Services use screen-sharing technology and only transmit keyboard and mouse commands. The actual PHI stays at the user’s location. Any image of PHI on the screen is fully encrypted and sending these images does not constitute “transmission” for purposes of HIPAA. It is more accurate to say that the GoTo Services support HIPAA compliance. Because of the technical and security measures GetGo, Inc has implemented, when used properly, the services can help you fulfill your HIPAA compliance obligations to keep data secure and confidential.

GetGo should do a little light reading, like slide 20, step 6, of this handy guide from HHS:

http://www.wedi.org/forms/uploadFiles/362A500000091.toc.7.26_Combined.pdf

Encryption has very little to do with it. It isn’t even “required” by the Omnibus although you would be an idiot not to.

They say they aren’t transmitting data… but they are, and I told them so. Chuckle. Which means they have to provide a BAA according to the Omnibus. Citrix’s lawyers agreed with me. Maybe GetGo fired them.

Here are some fun facts you should think about when dealing with Logmein.

Refusing a BAA means they aren’t confident in their security. They are refusing to be liable for protecting your PHI. If they were secure they wouldn’t mind a small amount of risk. If they didn’t have any responsibility they would sign a BAA because they could never be fined.

Things to think about:

  • Any data on the screen of the machine you are controlling with PHI is TRANSMITTED using Goto products (according to paragraph 1 above I’m prohibited from transmitting PHI. According to paragraph 2 it is encrypted and a magical unicorn waves its horn and says now it isn’t PHI.)
  • Encryption keys are controlled by GetGo, not you.
  • Root level access is in the possession of GetGo for the following purposes: running as a service, autoupdating the client software, and authentication using your root credentials, which are stored in their directory service.
  • Directory service: all the credentials are stored by GetGo for your account unless you have SSO. Either way, they have admin access to your machine. Think about that. What other software allows full backdoor full screen remote access to a machine in your inventory?
  • Network services: clients are sitting there listening on an open network port, and GetGo is responsible for the security of that client.
  • Data storage: GoToTraining and I think Webinar have the ability to save data for use in presentations. Why shouldn’t my users be allowed to do a presentation at a hospital with live patient data if users are allowed to view it?
  • All relationships in the chain with a BAA involved between CEs and BAs must be covered with a BAA. If I contract with a backup company to transmit or store PHI, they have to provide a BAA. They do. Hell, even Salesforce has a BAA with me.

I could list quite a number of controls that are required in order to do an audit with HITRUST for HIPAA compliance that aren’t done by GetGo products. I’m not willing to spend too much more time opining and typing. The important thing is getting the BAA for the liability shift.

The most entertaining bit in all of this is their explanation of use: per the first paragraph you aren’t allowed to transmit PHI… but per the second you can, because of the magic encryption. I wish it made a fairy noise and sparkled on the screen when it does this.

Bottom line, in my opinion GetGo/Logmein has ruined yet another product line due to their ostrich approach to things. Not total crap; they are cool products. They work really well. Just not something that belongs in health care (HIPAA/HITECH, PHIPA, PIPEDA, or PCI type spaces). Cross your fingers and hope they don’t screw up LastPass.

Hair stylist – Cheapest (easy) way to set up a wordpress blog in q1 2016

19 March, 2016 (14:53) | How to | No comments

Just added: Building a personal blog for a hair stylist, explaining how to build a cheap, easy WordPress blog to share your photos and life and connect with your clients better. I would recommend finding a nerd to help you. If you have one, great; the tools to make it cheaper and better are there. Let me know if anyone finds this helpful.

Dell Superfish 2.0 fishing – what has it and what doesn’t

23 November, 2015 (16:43) | antivirus/spyware, security | No comments

Starting to search for the Dell evil certificate: http://www.theregister.co.uk/2015/11/23/dell_security_nightmare_gets_worse/
I’ll start looking for the eDellRoot cert on all the machines I can find and update this. Please comment if you have any results.

Machines that do have it:

Machines that do not:
Precision T7610
Latitude E6510
Latitude E7440
OptiPlex 790
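As an added example (not code from the original post), here is a PowerShell function for doing that inventory across a fleet instead of one machine at a time. It matches the certificate by subject name, since the post gives no thumbprint, looks in both the machine and user Root stores, and reports whether the private key is present on the box, which is what made eDellRoot dangerous: a trusted root whose private key ships on the machine lets anyone holding that key issue certificates the machine will trust. Remote hosts are reached with Invoke-Command, so WinRM must be enabled on them; the function name, the -Remove switch and the dell-hosts.txt file in the usage line are my own assumptions.

```powershell
# Added example, not from the original post. Inventory (and optionally remove)
# the eDellRoot root CA on one or more machines. Assumes PowerShell 3+ with the
# Cert: provider and WinRM enabled for remote hosts. Matching is by subject
# because the post does not give a thumbprint.
function Find-EDellRoot {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$SubjectPattern = '*eDellRoot*',
        [switch]$Remove            # hypothetical: delete the cert once found
    )

    $scan = {
        param($pattern, $remove)
        # Both the machine-wide and the per-user trust roots are worth checking.
        $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
        foreach ($store in $stores) {
            Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like $pattern } |
                ForEach-Object {
                    $cert = $_
                    $removed = $false
                    if ($remove) {
                        # Needs admin rights for the LocalMachine store.
                        Remove-Item -Path $cert.PSPath -Force
                        $removed = $true
                    }
                    [pscustomobject]@{
                        ComputerName  = $env:COMPUTERNAME
                        Store         = $store
                        Subject       = $cert.Subject
                        Thumbprint    = $cert.Thumbprint
                        # A trusted root whose private key lives on the box is the
                        # real problem: that key can mint certs this machine trusts.
                        HasPrivateKey = $cert.HasPrivateKey
                        NotAfter      = $cert.NotAfter
                        Removed       = $removed
                    }
                }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $scan $SubjectPattern $Remove.IsPresent
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $scan `
                -ArgumentList $SubjectPattern, $Remove.IsPresent
        }
    }
}

# Usage: scan a list of Dell hosts (file name assumed) and keep the evidence.
Find-EDellRoot -ComputerName (Get-Content .\dell-hosts.txt) |
    Export-Csv .\edellroot-results.csv -NoTypeInformation
```

Run it without -Remove first and keep the CSV; the Thumbprint and HasPrivateKey columns are what you want on record before anything is deleted.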

Logmein buys lastpass… time to go shopping for a replacement. Also Logmein is NOT HIPAA compliant

12 October, 2015 (07:44) | security | 1 comment

Anyone have an enterprise level password manager they recommend?

http://techcrunch.com/2015/10/09/logmein-acquires-password-management-software-lastpass-for-110-million/

Logmein is a scary company. Large price boosts with little warning, and they lie about HIPAA compliance. The thing that makes me the most angry about Logmein is that they couldn’t just say NO. No, we don’t meet the conduit exemption. No, we aren’t built for HIPAA data. Instead they have an employee in their forum trying to sell it like it is. I’m copying and pasting a bunch of data from their forum here in case they delete it or try to sue me for pointing out that they fail at HIPAA/HITECH.

Why is Logmein a fail on HIPAA/Hitech Omnibus compliance?

Logmein will not enter into a Business Associate Agreement with you or your company. This means they take no legal responsibility for your patient data. It is also illegal. Once a 3rd party is informed they store, transport or touch patient data in the slightest, they must sign a BAA and take responsibility for securing the data according to HITECH. The only exemption is for ISPs, called the conduit exemption. Logmein does not appear to have anything to do with being an ISP providing fiber lines to customers.

Their customer service is clueless; sales wouldn’t talk to me about it the last few times I tried.

No HITECH Omnibus compliance-

http://community.logmein.com/t5/Central/HIPAA-compliance-HITECH-Omnibus-BAA-available-yet/m-p/133037/highlight/true#M3974

Angi_Fro (New Contributor), 04-25-2013 04:49 PM, “HIPAA”:

The new HIPAA regs effective 9/2013 require those using remote access to have a Business Associate Agreement (BAA) with the company providing remote access unless they are acting just as a conduit. Does anyone know if LogMeIn stores the data accessed in a data base or are they just a conduit for remote access?

Sean_K (LogMeIn Contributor), 04-26-2013 07:04 AM (edited 04-26-2013 07:27 AM), “Re: HIPAA”:

That depends on the definition of data as far as HIPAA is concerned.
Sean Keough
Product Specialist, LogMeIn Support

Angi_Fro, 04-26-2013 09:32 AM, “Re: HIPAA”:

data being patient private information

Sean_K, 04-26-2013 09:43 AM (edited 04-26-2013 09:44 AM), “Re: HIPAA”:

Ah. That is not recorded by any of our logs.

We centrally log:

Access (Date/Time) to the account, and the IP from which the access occurred.
Access (Date/Time) to the computer, and the account and IP from which the access occurred.

Exactly what has been accessed during that session, we do not log.

Forced Screen Recording is possible, which would record what has been accessed within the Remote Session, but we do not store these in a Central location. They are stored in a place that the Host computer has access to.

Lastly, the logs of the sessions themselves are stored on the computers that were accessed.
Sean Keough
Product Specialist, LogMeIn Support

Angi_Fro, 04-27-2013 05:38 PM, “Re: HIPAA”:

Is that stated anywhere in writing where we could keep a copy for documentation?

Sean_K, 04-29-2013 07:48 AM, “Re: HIPAA” (accepted solution):

This doc from our help site should outline everything important about HIPAA and LogMeIn.

https://secure.logmein.com/welcome/documentation/EN/pdf/common/LogMeIn_HIPAA.pdf

If you need something more, you could most likely get it by requesting it from a sales associate.
Sean Keough
Product Specialist, LogMeIn Support

World of Tanks firewall exceptions March 2015 (Sophos UTM)

1 March, 2015 (22:12) | How to, Mindless Blather, networking | No comments

Gamers really suck at tracking down firewall ports, I don’t.

World of Tanks needs a bunch of ports. It may seem like a lot, but they do appear to be using massive resources, so allowing a /24 isn’t out of line.

Here is a test from the Sophos UTM 9 firewall. Great UTM box for home, not sure about for businesses yet. I have WOT running with chat etc, just took it one step/port/ip range at a time.

[screenshot: wot firewall rules]

At the moment I can’t figure out how to just list a bunch of comma separated ports; a range is written with a colon (start:end).

So I have 2 internal test subnets as the source.

Services (ports) open:

UDP: 20010-20020, 32800-32900
TCP/UDP: 1080 (clean this up later)
TCP: 5222, 5333

Destinations:

103.9.183.0/24
162.216.229.0/24
162.213.61.0/24

Let me know if you discover anything else. I’m cruising along just fine for now but haven’t been through a patch yet.

port 8089 firewall block 236.61.220-216.q9.net Ecobee thermostat

28 February, 2015 (09:52) | security | No comments

Look, my ecobee is spamming a q9 datacenter in Canada. It’s not someone’s Splunk server monitoring me on 8089 as I feared. Now on to fixing my kbox connection and seeing if otis notices I’m pinging the snot out of him while I mess with rules.

[screenshot: firewall ports]

Horrible password policies – Dell Kace #1

10 November, 2014 (12:59) | security | No comments

We are trying to figure out how to change our Kace community passwords. Dell/Kace is the last one keeping us down on a little lastpass score competition. Kace will reset your password by asking for your email address and sending a new one to you via email. Thus far we can’t find another way to do it. We don’t see an option to choose our own password.

To make matters worse, it appears their password choosing tool is obsessed with the word “boxer.” Here are a few of my past passwords:

606boxer
6169boxer
7027boxer
1411boxer12725 (looks like they were stronger in 2011)

Needless to say, my lastpass score is severely handicapped by this one weak ass website. Funny that a shitty bank like chase is beating Dell at password security.

Poodle mitigation for IE and Google Chrome via group policy

16 October, 2014 (16:54) | security, Stupid windows tricks | No comments

[screenshot: poodle mitigation]

https://isc.sans.edu/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

IE – In the Group Policy editor go to Policies > All Settings and filter on “SSL” if you want to go fast. Choose the option on the right: Use SSL 2.0, TLS 1.0, TLS 1.1, and TLS 1.2.

[screenshot: settings greyed out for user]

Google Chrome – working on that right now.
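As an added example (not from the original post), this PowerShell reads the IE SecureProtocols value from the three registry locations that matter, in the usual precedence order (machine policy, then user policy, then the user’s own Internet Options preference), and decodes its bits so you can verify on a workstation what the GPO actually left behind rather than trusting the greyed-out dialog. The bit values are the documented WinInet ones (SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800); the “Turn off encryption support” policy you find by filtering on SSL writes the Policies path. The function names are my own; the last function just turns a protocol list back into the DWORD so you can compare it against a policy option before picking one.

```powershell
# Added example, not from the original post. Decode IE's SecureProtocols
# bitmask and report whether SSL 3.0 (the POODLE target) is still enabled.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-IeSecureProtocols {
    $paths = @(
        # Machine policy (GPO, Computer Configuration): checked first.
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        # User policy (GPO, User Configuration).
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        # Plain user preference, what the Internet Options dialog writes.
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $path; Value = [int]$v }
        }
    }
    # Nothing set anywhere: the OS default applies (it varies by IE/Windows
    # version), so report it as not explicitly configured.
    return [pscustomobject]@{ Source = '(not set, OS default)'; Value = $null }
}

function Test-PoodleExposure {
    $setting = Get-IeSecureProtocols
    $enabled = @()
    if ($null -ne $setting.Value) {
        foreach ($name in $ProtocolBits.Keys) {
            # Each protocol is one bit; a set bit means the protocol is enabled.
            if ($setting.Value -band $ProtocolBits[$name]) { $enabled += $name }
        }
    }
    [pscustomobject]@{
        Source      = $setting.Source
        RawValue    = $setting.Value
        Enabled     = $enabled -join ', '
        Ssl3Enabled = ($enabled -contains 'SSL 3.0')
        Explicit    = ($null -ne $setting.Value)
    }
}

# Build the DWORD for a chosen protocol set, to compare with a policy option.
function ConvertTo-SecureProtocolsValue {
    param([string[]]$Protocols)
    $sum = 0
    foreach ($p in $Protocols) { $sum = $sum -bor $ProtocolBits[$p] }
    return $sum
}

# Usage:
Test-PoodleExposure | Format-List
ConvertTo-SecureProtocolsValue 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
```

Run Test-PoodleExposure as the logged-on user after a gpupdate; Source tells you which key won, and Explicit being false means no policy reached the box at all, which is a different problem from the wrong option being chosen.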

McGladrey security is downright awful

24 August, 2014 (11:32) | complaining, Mindless Blather, security | No comments

I have been forced to work with McGladrey for quite a while now in order to maintain our accounting server and clients. I like the guys doing the work, they are good at what they do and pleasant to work with. What I can’t stand is the lack of oversight McGladrey employees get when it comes to security. Every time they show up we run through the same chaos with resetting their passwords, reminding them what their user names are etc. The team who works for us shares passwords with each other on paper and aren’t open to a central system suggestion from us. They always tell us that they have clients who are more strict, I don’t believe them. I am recommending we move to another vendor. Anyone have suggestions?

Lastpass is down. 8/12/2014

12 August, 2014 (09:17) | complaining, security | No comments

As of now, 9ish AM MST, 3 PM GMT, LastPass is still down for many users. Not all; I am in and working fine. Most of my company is not.

Lastpass has not published my comment in the forums which is a little disappointing. It was very professional and offered some data points for them to look at. Right now I am not impressed with how they are handling the outage. No email to customers, twitter isn’t very helpful. Twitter comments like “this is a small percentage of users” sound like a lie, who knows maybe that small percentage includes mostly all of my company and friends/family?

I am sure we will all learn a bit after this outage is done.

Update:

Ha, 7 hours for them to respond with what is going on:

Re: Lastpass login issues 8/12/2014?

Post by chantieLP » Tue Aug 12, 2014 11:11 am

Hi all,

One of our data centers went down at 3:57 am Eastern Time this morning (Tuesday August 12th). We immediately started taking action to migrate the service to run entirely on a different data center – in the meantime, a percentage of our userbase did experience connection errors with the LastPass service. We have been engaged with our provider the entire time and have been working with them to resolve the issues. We have done everything we can to minimize impact and are working to get the redundant data center up as soon as possible.

Apologies for the inconvenience. Please login offline for now to access your accounts.
