Securing SSL Keys on your BIG-IP
Losing your keys is a real problem

While losing your car keys is indeed a pain, I mean losing your Web Server Keys. Lost keys can expose your website to a Man in The Middle (MiTM) Attack. While in the middle, an attacker can use those keys to decrypt the traffic between your clients and your servers. All of the data is open to be read by the hacker. How can we help make sure you're not the poor soul in the picture? Let's start with a little Crypto background.

What is a Cryptographic key?

A cryptographic key is pretty much like any other key. It unlocks a door; in this case, the door is a ciphered piece of text. I'll save the mechanics of enciphering and deciphering for another time, but suffice to say when traffic is encrypted, we need to encrypt it in such a way that it cannot be easily decrypted. In asymmetric encryption, there are two files – one is a certificate (the lock on the door—also known as the “public key”), and the other one is the key (the, uh, key?--also known as the “private key”). The certificate is the public part anybody can have. We share that readily, possibly through infrastructure that automatically transfers the info or delivers the certificate over a handshake or an email.

[Image: An example of an RSA certificate file … slightly obfuscated because I am somewhat paranoid.]

The key itself is what stores the secret component, and it is the file we need to protect.

[Image: An example of an RSA key file.]

Storing Cryptographic Files

We can protect our key by storing it somewhere securely and ensuring that access is extremely limited. There are tools, like hardware security modules (HSM) that do this for us, and there are standards like Federal Information Processing Standard (FIPS) 140 (https://csrc.nist.gov/publications/detail/fips/140/3/final) which define many of the specifications around storing keys, including access and retention. When there are 1000s of keys to manage, it makes sense to invest in these tools.
For others, we might just want to store them in a secure location, and there are several ways to do that.

File Storage

Indeed, the first is file access controls. We can limit access to these files using ACLs and read/write protection, and we definitely should do that. By default, on Linux distributions, you have to correctly set the file permissions for some applications to even use your keys. Properly setting the file permissions is necessary, but with this mechanism alone, anyone who is able to get the necessary access to any of the systems storing the key can copy the key--it is just a small string of text--and do whatever they want with it. While gaining access to a BIG-IP is not simple, there are many ways this can be done such as a disgruntled administrator, a vulnerability, a weak access password, and so on.

Further, OpenSSL (www.openssl.org) provides a means to add a passphrase to this file so that instead of storing the file data as plain text, the file itself is enciphered and a passphrase is needed even to read it. Shown here is a file – the same "key" even – without and then with a passphrase:

[Image: Plaintext key file.]

You will notice that in the image above, the key's text is displayed right after the header – that is THE KEY itself.

[Image: Key file protected with an OpenSSL Passphrase enciphered with AES256.]

However, in the next image, there's a "Proc-Type:" and "DEK-Info:" header. The text of the file is NOT the actual key but an enciphered version of the key. Doing this means that, even with file access, an attacker would still need to get the Passphrase to use the key. It adds an extra factor of authentication to use the file. It is not as secure as a Hardware Security Module, but it is at least another layer of protection from unwanted access to your keys.

Now, note that the key itself has not changed. The file is the only change. Once you read the file with the proper access, the resulting key string remains the same.
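An added example, not from the original article or its linked script: a small Python audit that finds private-key files still stored without a passphrase by reading the PEM headers described above ("Proc-Type" and "DEK-Info"), and that also flags loose file permissions. It goes slightly beyond the article by recognizing the PKCS#8 "ENCRYPTED PRIVATE KEY" form as well, which carries no such headers; the function names, file names and sample contents are assumptions constructed for illustration.

```python
import base64
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: captures the label and everything between the BEGIN and END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def parse_headers(body):
    """Return the 'Name: value' header lines that precede the base64 data, if any."""
    headers = {}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if not sep:  # blank line or first base64 line: the header section is over
            break
        headers[name.strip()] = value.strip()
    return headers


def classify_pem(text):
    """Return (label, state, cipher) for every private-key block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and public keys are not secrets
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is recorded inside the encoded data, not in headers.
            results.append((label, "encrypted", None))
            continue
        headers = parse_headers(body)
        if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            cipher = headers.get("DEK-Info", "").split(",")[0] or None
            results.append((label, "encrypted", cipher))
        else:
            results.append((label, "plaintext", None))
    return results


def audit_directory(root):
    """Map each file under root that holds a private key to its list of findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            text = path.read_text(encoding="ascii", errors="ignore")
        except OSError:
            continue  # directories and unreadable files are skipped
        keys = classify_pem(text)
        if not keys:
            continue
        findings = []
        if any(state == "plaintext" for _, state, _ in keys):
            findings.append("plaintext-key")
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append("group-or-world-accessible")
        report[str(path.relative_to(root))] = findings
    return report


# Constructed sample files. The base64 body is a placeholder, not key material.
FAKE_BODY = base64.b64encode(b"constructed placeholder, not key material").decode()
PEM = "-----BEGIN {0}-----\n{1}" + FAKE_BODY + "\n-----END {0}-----\n"
SAMPLE_PLAINTEXT = PEM.format("RSA PRIVATE KEY", "")
SAMPLE_LEGACY_ENC = PEM.format(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n",
)
SAMPLE_PKCS8_ENC = PEM.format("ENCRYPTED PRIVATE KEY", "")
SAMPLE_CERT = PEM.format("CERTIFICATE", "")


def write_demo_tree(root):
    """Write the constructed samples under root with typical permission bits."""
    files = {
        "open.key": (SAMPLE_PLAINTEXT, 0o644),
        "protected.key": (SAMPLE_LEGACY_ENC, 0o600),
        "pkcs8.key": (SAMPLE_PKCS8_ENC, 0o600),
        "site.crt": (SAMPLE_CERT, 0o644),
    }
    for name, (text, mode) in files.items():
        path = Path(root) / name
        path.write_text(text)
        path.chmod(mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        write_demo_tree(demo)
        for name, findings in audit_directory(demo).items():
            print(f"{name}: {', '.join(findings) or 'ok'}")
```

A file reported with an empty findings list holds a passphrase-protected key with owner-only permissions; the certificate is not reported at all because it contains no private key.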
Passphrases and TMOS

Within the BIG-IP configuration, these files are stored in an unencrypted version or an encrypted version depending on whether or not a Passphrase was supplied when they were loaded. To protect the Passphrase-protected files, TMOS includes Secure Vault (https://support.f5.com/csp/article/K73034260), which uses a "Master Key" that encrypts the file passphrases into the BIG-IP configuration. TMOS stores the OpenSSL Passphrase, but the Passphrase itself is stored in an encrypted format in the configuration files. To access the keys, you now need both the required TMOS access permissions and the Passphrase to read the contents. So, merely gaining access to the system is not enough to steal the key and use it to decrypt confidential data! Neat, huh?

But Security is HARD!!!

Yup, security is hard, and I would say moderately annoying, and a lot of people skip this step of adding the Passphrase to their keys. It is easier to store them as plain text, which allows loading them into TMOS without a Passphrase. When the keys are used in a Client or Server SSL profile, that pesky Passphrase isn't required. More comfortable, sure, but this isn't a smart or secure way to work.

Plaintext keys came up recently with a customer. The customer had conducted a thorough security audit and determined that having keys available in plaintext on the file system was a possible threat to customer data integrity. This finding led to a requirement that all keys across the organization need to use a Passphrase. Great idea, but how could they retrofit the 100s of keys already loaded without a Passphrase? Luckily, OpenSSL provides a mechanism for managing the Passphrase associated with a key. You can change, add, or remove the Passphrase with a simple command.
Here's the command if you want to copy it:

    openssl rsa -aes256 -in devcentral-example-key-open -out devcentral-key-protected

Using this command, OpenSSL takes the "in" file and adds a Passphrase to the "out" file, enciphering it in the desired format specified (AES256).

Fortunately, this is possible using the BIG-IP RESTful API and a few shell calls to manage the underlying files. The steps are:

1. Copy the keys.
2. Run the OpenSSL command to add a passphrase and encipher a copy of the file.
3. Load the new, enciphered version of the key onto the BIG-IP.
4. Get a list of the SSL Client and Server profiles using the plaintext key.
5. Update these profiles with the new name of the encrypted key and Passphrase.
6. Optionally remove the plaintext version of the key.

I have built a sample script that does all this for you! I've posted it on my GitHub here https://github.com/pmscheffler/securekey, and you're welcome to take a copy and give it a try. Since it uses your keys, I would suggest thorough testing and making sure you're not using it in Production the first time out!

Protecting the Keys to Your Door

If you haven't adopted Passphrases on your keys because you thought it was too much effort to maintain, I hope you take a moment to check out the script and see that it isn't a lot to manage them in this manner. If you find the script useful or have another method you use – please let me know in the comments below. Hopefully, you never have a case where your customer data is exposed in a Man in the Middle breach because you lost your keys.

Bait Phone
You may be familiar with the truTV program Bait Car, where the police place a vehicle equipped with hidden cameras and radio trackers in various areas to catch a would-be car thief in the act. It’s kinda fun to watch people ‘check out’ the car, check out the surroundings and decide to jump in and drive off. You get to see their excitement as they think that they’ve just won the jackpot along with the utter despair as officers remotely kill the car and the thief is surrounded. Even the excuses as to why they are driving it are hilarious. ‘I was just moving it for my friend, so they wouldn’t get a ticket, whose name I forgot and I also can’t remember where they live.’ In the UK, they got something similar except with mobile phones called ‘Operation Mobli.’ Plain clothes police purposely left "bait" phones embedded with tracking devices in nine pubs and bars across the towns of Hastings and St Leonards in Sussex. I’m not sure what makes and models of phones were left for the taking but none of the baited devices were stolen. In every case, an honest patron noticed the ‘forgotten’ phone and turned it in to the bar staff. Some might describe this sting as a failure but according to the Sussex Police’s press release Sgt Ché Donald said, ‘This was an excellent result and my faith has been restored as the phones were honestly handed in.’ I often write about the potential perils of losing a smartphone crammed with private data and all the unfortunate circumstances that follow. If it gets into the wrong hands then that is the case yet we must also remember that there are plenty of good, honest folks out there who will do the right thing when they find something that doesn’t belong to them. Maybe they’ve seen police sting shows, maybe they’ve lost something themselves, maybe their parents raised them right or maybe it’s simply kindness and honesty that’s built into every one of us.
Humans are capable of the greatest good and the nastiest of evil, it’s all how we decide to play it.

ps

References:
Operation Mobli deters mobile phone thieves in Hastings
Police mobile phone sting fails when.. err.. no handsets stolen
Mobile-phone 'sting' reveals honesty of Sussex pubgoers
Police Sting Operation Yields No Mobile Phone Thefts
It's legal: cops seize cell phone, impersonate owner
What’s in Your Smartphone?
Freedom vs. Control
BYOD–The Hottest Trend or Just the Hottest Term
Will BYOL Cripple BYOD?

The Intruders of Things
Gartner predicts that by 2020, IoT security will make up 20 percent of annual security budgets. 2020 seems to be an important milestone for the Internet of Things. That’s the year that Cisco says there will be 50 billion connected devices and also the year Gartner notes that over 50% of major new business processes and systems will incorporate some element of the Internet of Things. That’s the good news. A recent Symantec Internet Security Threat Report says there are 25 connected devices per 100 inhabitants in the US. Minimum 25 entry points to your personal information, not counting your front door, personal computers, compromised ATMs and other data sources. As your connected devices grow, so will your exposure. And with no clear methods of identifying and authenticating connected devices, enterprises will have a challenging time getting a handle on how many employee shirts, shoes, fitness trackers, and smartwatches are connected to the corporate network. And more importantly, what do they have access to? The sneaky spreadsheet macro malware will soon be a spoofed critical alert requiring instant attention. Healthcare is a prime target for IoT attacks and researchers have already compromised several devices revealing personal info and worse, causing the devices to malfunction. ‘Hey, why isn’t my heart beating any……’ The chaos on the feature first consumer side can be frustrating but nothing compared to industrial and manufacturing. The Industrial Internet of Things (IIoT) focuses on industrial control systems, device to network access and all the other connective sensor capabilities. These attacks are less frequent, at least today, but the consequences can be huge – taking out industrial plants, buildings, tractors, and even entire cities. If you think data protection and privacy are hot now, just wait until 2020. Like BYOD, security pros need to be ready for the inevitable not just the potential of a breach. 
While the gadgets get all the interest, it’ll be the back end data center infrastructure that will take the brunt of the traffic – good and bad. Organizations need an infrastructure that can both withstand the traffic growth and defend against attacks. Over on F5’s Newsroom, Lori MacVittie talks about the 3 Things the Network Must Provide for IoT – delivery, security and visibility. Things that can communicate securely with back-end apps, ADCs that can understand the languages of things (like MQTT) and the ability to see what is going on with the things. According to TechTarget, ensuring high availability of the IoT services will rely on boosting traffic management and monitoring. This will both mitigate business continuity risks, and prevent potential losses. From a project planning standpoint, organizations need to do capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met. If you already have BIG-IP in your back yard, you’re well on your way to being IoT ready. You got the network security to protect against inbound attacks; you can offload SSL to improve the performance of the IoT application servers; you can extend your data centers to the cloud to support IoT deployments; scale IoT applications beyond the data center when required and both encrypt and accelerate IoT connections to the cloud. A pair of BIG-IPs in the DMZ terminates the connection. They, in turn, intelligently distribute the client request to a pool (multiple) of IoT application servers, which then query the database servers for the appropriate content. Each tier has redundant servers so in the event of a server outage, the others take the load and the system stays available. The BIG-IP tuning may vary but it is still all about nodes, hosts, members, pools, virtual servers and the profiles and services applied.
The BIG-IP platform is application and location agnostic, meaning the type of application or where the application lives does not matter. As long as you tell the BIG-IP where to find the IoT application, the BIG-IP platform will deliver it.

ps

Related:
The Internet of Things is Booming: Why This is a Cybersecurity Problem
IoT Security By The Numbers
Four critical steps for implementing an IoT strategy

You Don’t Own Anything Anymore Including Your Privacy
You purchased a Tesla Model S and live the 1% eco-warrior dream. Now imagine if GM purchased Tesla and sent an over-the-air update to disable all Tesla cars because they’re working on their own electric substitute? Literally even if you were on the freeway to pick up your fajita skillet from Chili's To Go. You’d be pretty sassed, right? Google is doing just that and setting a new precedent of poor choices. Arlo Gilbert recently reported his discovery of Nest’s decision to permanently disable the Revolv home automation tool that parent company Google acquired 17 months ago. To clarify, if you bought the Revolv device, not only will it no longer be supported for future updates but Google is going to disable existing models already purchased and in use. The app will stop functioning and the hub will cease operating. There’s no logical business reasoning stated on Revolv’s FAQ, but Google's very visible middle finger is another recent example of exercising the terms and conditions of the rarely read or understood EULA. The End User License Agreement or EULA is a masterful contract, washing away ethical and legal responsibilities of the issuing body. In this example, it allows Google to disable a service you purchased even before Google acquired the company. You'd think this is just another tin-foil hat security rant... Increasing coverage on various EULA’s terms of acceptable use and ownership are coming to light; specifically when related to corporate disclosure of personal data. What's more disturbing are the increases in terminology for allowances to actively track you beyond metadata analytics. Oculus’s new RIFT VR headset has some rather unsettling EULA conditions, made more creepy due to the very nature of the device’s intended use. U.S. Senator Al Franken recently wrote an open letter to Brendan Iribe, CEO of Oculus VR (owned by Facebook, masters of the EULA) questioning the depth of “collection, storage, and sharing of users’ personal data”.
Given the intended use of Oculus as an immersive input device, their EULA is akin to a keyboard manufacturer being allowed to record your keystrokes, for the purpose of “making sure heavily used keys are strengthened for future clientele”. The exhausted cries over NSA intrusion into our lives are muffled by the petabytes of voluntary metrics we provide private companies to share and sell, all decided by clicking “I Agree” to the EULA. So where’s the backlash? It’s taken some time, but as Fortune noted this week, people are finally realizing that sharing their most intimate secrets on the internet may not be such a wise thing to do (I'd say stupid or dumb but that’s insensitive). People are now recognizing that everything posted on the internet comes at a cost of privacy and privacy isn’t such a bad thing. Yet now we have corporations disabling products, justified by esoteric clauses defined in amended EULAs, so maybe it’s time to reevaluate where we stand as end users. You don’t have to update iTunes or use Apple’s App store, but that makes owning an Apple device pretty difficult. You don’t have to agree to Windows default telemetry settings but it’ll be difficult to disable everything in Windows. Yea, I can run Bastille Linux and wear a trilby in my dark cave of knowledge but I’ll miss out on some pretty neat advances in technology, and life in general. So what do we do? Read the fine print and make educated and logical choices based off our desired needs for the product or service’s intended use. Yea right.... I need my Instagram filters more than my privacy. Ok, maybe making sure people don’t use iTunes to produce biological weapons is a good idea, but “how” would be something interesting to see. That person should receive a grant or something.

Arguing with Things
As more things get connected, we may find ourselves disagreeing with them. We all argue, especially if you’re passionate about something. Sometimes it’s with our spouse, sometimes with friends or co-workers and sometimes we scold objects that aren’t doing what we want them to do, ‘Ah, come on pen…don’t run out of ink now!!’ As more of these things get connected and are interacting with us, will you find yourself arguing with inanimate objects even more? The other day I was talking to my wife about Alexa (the Amazon Echo) and suddenly from the other room we hear, ‘I will add that item to the shopping cart.’ We looked at each other and simultaneously said, ‘What was that?’ with the added ‘jinx’ that quickly follows. We walked over to the device and started interrogating it as to what it just added to the cart. ‘I don’t understand the question…I can’t seem to find what you are looking for…I can’t understand what you said,’ were the various responses. These answers would drive a detective to charge it with obstructing justice. This is not a complaint against Echo mind you, we like it. It just couldn’t understand our questions until we asked the right way. It also seems to have feelings. My daughter told it that it was stupid (for not understanding us) and Echo replied with, ‘That’s not very nice.’ M3S looked at me, looked at Alexa and then apologized to the cylinder. Not sure if she forgave us, but we’re a little more courteous around her now. Over at The Guardian, Rory Carroll experienced the same thing and he writes about how these home robots hear everything and the types of data captured by many of these home services. There are no more boundaries between home and the outside world. When I’m in the car and pass the intended route, the GPS keeps telling me to make my first legal U-turn, even though I know where I’m going. On a few occasions I’ve quipped, ‘Stop bossing me around!’ It ignores me and keeps reiterating that I’m going the wrong way. 
Tossing it in the back seat doesn’t help. With the holiday season upon us and wish lists getting fulfilled, you may find that in 2016, your quarrels will be with gaming consoles, thermostats, fitness trackers, security cameras, refrigerators and other gadgets instead of humans. I guess that’s better than making a scene at the dinner table.*

ps

* Except in cases where smart utensils have been deployed.

Related:
Goodbye privacy, hello 'Alexa': Amazon Echo, the home robot who hears it all
Connecting the Threads
Wearables Head to Tail
Our Five Senses on Sensors
Internet of Food
The IoT Ready Platform

Identity Theft: Not So Scary Anymore?
This article originally appeared on F5.com on 10.20.15. With Halloween in our rearview mirror and the holiday shopping season upon us, a couple surveys are out examining our fears and in particular, our concerns about identity theft. Apparently, ID theft is not so scary anymore - like entering a haunted house for the hair-raising screams but walking out with nervous giggles. Over at Bankrate.com, only 54% of surveyed tricksters say they are somewhat or very frightened of ID theft. That's down 80% from those who expressed the same level of concern back in 2008. Almost half, 43%, claim they have little or no fear, trouncing the 19% who were brave in 2008. This is all while the overall victim count remains at similar levels - 12.5 million in 2008 versus 12.7 million in 2014 according to Javelin Strategy & Research. As far as knowing someone who has been hit, 46% say they or a friend has been a victim compared to 34% in 2008. They chalk it up to people being desensitized to breaches due to the almost weekly confessions of data intrusions. The general feeling is that if large retailers, health care providers and credit agencies can't keep my data safe, how can I? More of those same folks however are also following some good advice of shredding sensitive documents (72%), checking their credit report regularly (56%), avoiding insecure WiFi (54%) and almost 20% have frozen their credit files. These are all good ways to help you worry less. And Chapman University published their Survey of American Fears, Wave 2 (2015) examining the fears of average Americans. The domains of fear include areas like crime, natural and man-made disasters, personal anxieties, environment, technology and others. Along with the corruption, terrorism and warfare, identity theft comes in at 39.6% and credit card fraud sits at 36.9%. Both in the Top 10.
So, while ID theft is still one of our top fears, by the time you get to Nightmare on Identity Street 4, Freddy isn't so frightening and you have some tools to deal with him. Besides, your insecure connected kettles could be exposing your WiFi passwords without your knowledge. Now that's scary!

ps

Related:
Survey: More Americans say 'boo' to the ID theft boogeyman
America’s Top Fears 2015
Connected kettles boil over, spill Wi-Fi passwords over London
The Breach of Things
The Reach of a Breach
5 Stages of a Data Breach

Connecting the Threads
What was first used to protect humans from the outside elements is now monitoring our body's inside environment. According to eMarketer.com, wearable usage will grow almost 60% in 2015 versus 2014. This year, almost 40 million U.S. adults will use wearables, including smartwatches and fitness trackers. And that's only 16% of the penetrable market. They expect that number to double in two years with close to 82 million adults wearing something connected by 2018. Almost two in five internet users by 2019. You probably think that it'll be all those youngsters growing up with connected objects but over the next four years, older Americans will see the biggest growth with the flood of wearable health monitor devices. Don't fret, I'm sure that new outfit for special occasions will monitor something. These connected wearables will soon be able to cover our body. Even with that growth, adults are still exploring the value of wearables, above the wow-cool factor, for the real benefit of the investment. With prices still high for many of these gadgets, the adoption will be slightly lower than the recent mad rush for smartphones and tablets. Yet like many new technologies, as sticker-shock drops, the adoption grows. In addition, as more apps are developed to work with this new wardrobe, more people are likely to use it...just like the mobile device market. After all, that's what these things are - mobile devices. And once that happens, the advertisers will be all over that segment, which is currently very sparse. And what typically follows mass adoption of technology? Vulnerabilities and security risks. More connected personal devices in the office means more enterprise security risks. Whether it be from smartwatches having access to sensitive corporate data or the lost bandwidth from all the updates and alerts sent to these devices. Corporate BYOD security policies could soon include smartwatch use or any other wearable that poses a risk to the organization.
As Steven Wright says, 'Right now I'm having amnesia and déjà vu at the same time.' BYO2.0 And we haven't even touched on the lack of security being built into some of these devices. From insulin pumps, to glucose meters to pacemakers, anything that is wireless enabled is vulnerable to attack. While the bad guys are always looking for an easy score, it could also be the disgruntled employee looking to fix someone's wagon. And when I say fix, I really mean break. There are also privacy concerns for those who might be wearing smart eyewear. That casual, always awkward conversation at the urinal now takes on new meaning. For highly sensitive meetings, there could be a clothes rack and changing station so someone doesn't need to strip down just to participate. Forget about spy pens with wireless mics, my shirt's logo has a camera weaved into the seam. All is not lost though, as there will be plenty of top 10 lists guiding you so you do not become a social (real world) outcast. WT VOX has put together its Top 10 Worst Wearable Tech Devices So Far list. From a tie that has a QR code built into its back, to smartwigs, selfie-hats and drum pants, they explore the wild gadgets that are clamoring to cover our body. And on the flip side, they also look at the 10 Wearables and IoT Companies To Watch In 2015. Here, you get a glimpse of the future of smart lighting, dealing with big data, new IoT chipsets, IoT cloud platforms and other entities focused on our networked society. Hashtag: Amazing.

ps

Related:
Wearable Usage Will Grow by Nearly 60% This Year
The Dark Side of Wearable Tech Use
Top 10 Worst Wearable Tech Devices So Far
10 Wearables and IoT Companies To Watch In 2015
Wearables Head to Tail
Oh, Is That The Internet You're Wearing?
The Digital Dress Code
IoT Influence on Society

Ask the Expert – Why Web Fraud Protection?
Corey Marshall, Security Solution Architect, explains why the browser is a new threat vector into an organization’s applications and infrastructure. This universal client can be the weakest link in the access chain and malicious characters are focusing on this as an avenue to steal information. Web fraud can be detrimental to both users and organizations alike and Corey explains some specific business scenarios along with F5 fraud protection services that can provide visibility into behavior anomalies and protect the client side against data leakage.

ps

Related:
Ask the Expert – Are WAFs Dead?
Ask the Expert – Why SSL Everywhere?
F5 Web Fraud Protection

Ask the Expert – Why SSL Everywhere?
Kevin Stewart, Security Solution Architect, talks about the paradigm shift in the way we think about IT network services, particularly SSL and encryption. Gone are the days where clear text roams freely on the internal network and organizations are looking to bring SSL all the way to the application, which brings complexity. Kevin explains some of the challenges of encrypting all the way to the application and ways to solve this increasing trend. SSL is not just about protecting data in motion, it’s also about privacy.

ps

Related:
Ask the Expert – Are WAFs Dead?
RSA2015 – SSL Everywhere (feat Holmes)
AWS re:Invent 2015 – SSL Everywhere…Including the Cloud (feat Stanley)
F5 SSL Everywhere Solutions

Healthcare in the Crosshairs
Is Healthcare the new Target?

Recently I've received a number of 'I am writing to inform you that we were the target of a sophisticated cyber attack and some of your personal information may have been accessed by the attackers..' letters for myself and my family. I especially hate the ones that start, 'To the parents of...' because my daughter has a rare genetic condition. You probably got one of these letters too since the Anthem breach could have disclosed medical records for as many as 80 million people. Medical identity theft is big business and has become a huge target over the last few years. The attackers are not really interested in that sprained ankle or those 25 stitches from last summer. They want the personally identifiable information. Names, addresses, birthdays, and social security numbers. Stuff you can actually use to open accounts, commit insurance fraud and create fake identities - using real information. Healthcare info also goes for a premium on black market sites. One expert noted recently that at one underground auction, a patient medical record sold for $251 while credit cards are selling at .33 cents. With all the recent retail breaches, credit cards have flooded the underground, plus they can get cancelled quickly. I also know that fraudsters are already trying to entice people with fake emails and calls regarding the breaches - I've gotten a bunch of them recently. More than ever, do not click the email link unless you're expecting something. The interesting phenomenon for me is all the identity theft protection offerings from various credit bureaus. One breach, sign up here...another breach, sign up there. It is important to take advantage of the services to stay alert on your identity but you also have to include the very same sensitive info that was just compromised to yet another entity. I'm waiting on the breach of one of these identity protection sites.
I mean the thieves must be thinking, 'well, we missed them in the medical grab but maybe we can get them through the protection app.' According to Ponemon Institute, about 90% of healthcare organizations have reported at least one data breach over the last two years with most due to employee negligence or system flaws but more, as we've seen recently, are due to criminal behavior. Certainly, there will be more of these healthcare hiccups in the coming years especially with the push to digitize medical records. Great for patient access but a huge risk for unauthorized peeks. With the Premera breach hot on Anthem's heels, I hope providers are getting the message that the bad guys are coming for ya.

ps

Related:
Massive breach at health care company Anthem Inc
Anthem Data Breach: Potential Game Changer for Healthcare
Health care data breaches have hit 30M patients and counting
Data Breach at Anthem May Forecast a Trend
Premera breach: Are hackers targeting more health records as credit card companies improve security?
The Hacker Will See You Now
Lost Records a Day Shows Doctors are Blasé
The Top 10, Top 10 Predictions for 2015