We have multiple desktop applications that are used by clients on unconnected desktop computers. The application instances are used by multiple users, secured by username and password. The problem is that these users share the same Windows account and thus have the same security level in the operating system. In addition to this, these applications store privacy-sensitive data in a local database (LocalDB).
In an ideal world the applications would be connected to a secured server that stores the data, but this is not possible. What would be the best approach to improve the security of handling privacy-sensitive data in a local Windows application? These applications should, in theory, conform to the privacy regulations in Europe and to HIPAA in the US.
Quoted from the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
"A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information." (45 CFR § 164.312(a)(2)(iv))
Encrypting data in a local database is not easy, because our current solution (LocalDB) does not support it. The harder question is: where should we store the encryption keys on a desktop machine?
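One way to approach the key-storage question for the shared-Windows-account case, as an added example that is not part of the original post: keep a single random data-encryption key (DEK) for the database, and write to disk only a per-user copy of that DEK wrapped under a key-encryption key derived from the user's application password. The Windows account then plays no role in unlocking; the application password does. The code assumes Python 3 with the standard library only; the function names, the iteration count and the two users are constructed for the example. HMAC-SHA256 in counter mode stands in for a real AEAD so the example runs without third-party packages; in the application, use AES-GCM from a vetted library for the wrap.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not from the original post). One data-encryption key (DEK)
# protects the local database; each application user holds a wrapped copy of
# it under a key-encryption key (KEK) derived from their application password.
# Only salt, nonce, ciphertext and tag are ever written to disk.

PBKDF2_ITERATIONS = 200_000  # assumption: raise in production; tune to ~0.5 s per derivation
DEK_LEN = 32                 # 256-bit DEK


def derive_kek(password: str, salt: bytes) -> bytes:
    """Stretch the application password into a 256-bit KEK."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(kek: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the KEK (HMAC as a KDF)."""
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_dek(password: str, dek: bytes) -> dict:
    """Encrypt-then-MAC the DEK under a password-derived key; fresh salt and nonce per wrap."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_kek(password, salt))
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_dek(password: str, record: dict) -> bytes:
    """Verify the tag first (constant time), then recover the DEK."""
    enc_key, mac_key = _subkeys(derive_kek(password, record["salt"]))
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or tampered key record")
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream))


def create_store(users: dict) -> tuple:
    """Generate one DEK and a wrapped copy per application user (username -> record)."""
    dek = secrets.token_bytes(DEK_LEN)
    return {name: wrap_dek(pw, dek) for name, pw in users.items()}, dek


def unlock(store: dict, username: str, password: str) -> bytes:
    """What the login screen does: recover the DEK or raise ValueError."""
    return unwrap_dek(password, store[username])


def try_unlock(store: dict, username: str, password: str):
    """Login-screen convenience: the DEK on success, None on a bad password."""
    try:
        return unlock(store, username, password)
    except (KeyError, ValueError):
        return None


def change_password(store: dict, username: str, old_pw: str, new_pw: str) -> None:
    """Rewrap the same DEK under the new password; the database itself is not re-encrypted."""
    store[username] = wrap_dek(new_pw, unlock(store, username, old_pw))


if __name__ == "__main__":
    # Constructed users sharing one workstation and one Windows account.
    store, dek = create_store({"alice": "correct horse", "bob": "battery staple"})
    assert unlock(store, "alice", "correct horse") == dek
    change_password(store, "bob", "battery staple", "new-passphrase")
    assert unlock(store, "bob", "new-passphrase") == dek
    print("wrong password rejected:", try_unlock(store, "alice", "guess") is None)
```

Two caveats a practitioner would add. First, this protects data at rest only: while a user is logged in, the unwrapped DEK sits in the memory of a process running under the shared Windows account, so anyone else using that account (or a local administrator) can read it; lock the application on idle and drop the key from memory when it locks. Second, a forgotten password means the wrapped copy is unrecoverable, so an administrator-held recovery copy of the DEK (wrapped under a separate recovery secret kept off the machine) is usually needed.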