IT Security News Blast 04-03-2018

Guilty Pleas in Criminal Insider Breach Case

Preparing for a Potential Healthcare Data Breach Investigation
A law enforcement investigation could also affect the data breach notification process. For example, if the FBI determines that consumer notification could compromise the investigation, it might instruct a covered entity to delay sending out notice of an incident. However, healthcare organizations need to confirm that this is actually the case. Both state and federal requirements allow for law enforcement delays, but entities must not unduly postpone the notification process at the same time.
https://healthitsecurity.com/news/preparing-for-a-potential-healthcare-data-breach-investigation

Guilty Pleas in Criminal Insider Breach Case
Court documents show that Lane Miller, a former nurse at Mercy Health Love County Hospital and Clinic in Marietta, Oklahoma, pleaded guilty March 28 to aggravated identity theft, which is punishable by up to two years imprisonment and a $250,000 fine. On March 26, Robert Bond, an accomplice in the case, pleaded guilty to conspiracy to commit wire fraud as well as aggravated identity theft and could now face fines as well as 20 years or more in prison.
https://www.bankinfosecurity.com/guilty-pleas-in-criminal-insider-breach-case-a-10759

Securing IoT Devices in the Increasingly Connected Hospital System
However, a connected hospital doesn’t come without its own challenges. The Accenture report indicated that executives see the top two barriers, privacy concerns and legacy systems, as equal hindrances. These top two are only slightly ahead of the next three cited barriers: security concerns, technology immaturity and lack of budget. Despite all of this, inaction is not an option.
https://healthitsecurity.com/news/securing-iot-devices-in-the-increasingly-connected-hospital-system

INSIGHT: U.S. insurers grapple with physical risks from cyber attacks
They can also launch “cyber-physical” attacks aimed at crippling operations or causing bodily injury and property damage. […] Standard cyber policies aim to avoid redundant coverage by excluding bodily injury and property damage liability. […] The problem for insureds is that cyber policy exclusions may not dovetail with the coverage actually provided by Coverage A or other traditional policies. Over time, exclusions and lower sub-limits have crept into traditional policies that can leave many insureds with little or no coverage for cyber-induced physical losses, including losses that would have been fully covered had they not been induced by hacking.
https://www.reuters.com/article/bc-finreg-cyber-risks-physical-risks/insight-u-s-insurers-grapple-with-physical-risks-from-cyber-attacks-idUSKCN1H91EH

Cyber breach at Saks Fifth Ave, Lord & Taylor puts millions at risk
High-end retailers Saks Fifth Avenue and Lord & Taylor suffered a cyber breach that could put the financial information of millions of customers in jeopardy. Five million credit card and debit card numbers from the department stores have been put up for sale on dark web forums, according to a note published Sunday by New York-based cybersecurity firm Gemini Advisory. Hudson’s Bay Co., which owns both chains, confirmed the data security breach.
https://www.bizjournals.com/newyork/news/2018/04/02/cyber-breach-at-saks-fifth-ave-lord-taylor.html

Cities Held For Ransom – Lessons From Atlanta’s Cyber Extortion
All too often, cyber criminals who seek monetary gains from their ransomware attacks exploit so-called soft targets, which makes many government agencies easy prey. This is due to the lack of synchronization of critical systems, the lack of harmonization among the numerous third parties that states rely on to render their services, as well as the difficulty in attracting high-demand cybersecurity professionals who can make a more lucrative career in the private sector.
https://www.forbes.com/sites/dantedisparte/2018/04/02/cities-held-for-ransom-lessons-from-atlantas-cyber-extortion/#5161c7b85996

Want to hack a voting machine? Hack the voting machine vendor first
An attacker who managed to break into a voting machine vendor employee’s work email, because the employee used the same password as on a breached site, could leverage that to gain access to the voting machines themselves. And if voting machine vendors install remote access software on voting machines, factory backdoors that vendor employees use to remotely access the machines for maintenance, troubleshooting or election setup purposes, this turns voting machine vendor employees into targets.
https://www.csoonline.com/article/3267625/security/want-to-hack-a-voting-machine-hack-the-voting-machine-vendor-first.html
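The attack chain above starts with a credential that already sits in a breach corpus. As an added example that is not from the article or any vendor, here is how an organization can screen its own staff passwords against such a corpus without ever transmitting the password or its full hash, using the k-anonymity range lookup popularised by the Pwned Passwords API: the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the returned suffixes itself. The corpus, the prefix length and the acceptance policy are constructed for the example.

```python
"""Added example (not from the linked article): breached-password screening
with a k-anonymity range lookup. The server only ever sees a 5-hex-char
prefix of SHA-1(password); the suffix comparison happens on the client.
The breach corpus below is constructed for the example."""
import hashlib
from collections import defaultdict

# Constructed corpus (plaintext only so the sample index can be built; a real
# corpus is distributed as SHA-1 hashes with prevalence counts).
CONSTRUCTED_BREACH_CORPUS = {
    "password123": 50000,
    "letmein": 1200,
    "Summer2017!": 3,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: index each hash by its 5-char prefix -> [(suffix, count)]."""
    index = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]].append((digest[5:], count))
    return index


def range_query(index, prefix):
    """Server side: the prefix is all the server learns. A 5-hex-char prefix
    (20 bits) puts every password into one of 1,048,576 buckets, so the
    server cannot tell which hash in the bucket the client holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(index.get(prefix.upper(), []))


def breach_count(password, index):
    """Client side: hash locally, query by prefix, compare suffixes locally.
    Returns the prevalence count, 0 if the password is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def password_acceptable(password, index, min_length=12):
    """Enrolment/reset policy (assumed for the example): reject anything seen
    in a breach even once, and anything shorter than min_length."""
    return len(password) >= min_length and breach_count(password, index) == 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password123", "Summer2017!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, idx)} times, "
              f"acceptable={password_acceptable(pw, idx)}")
```

The same check belongs at the vendor's mail and remote-access login paths, not only at password creation: a password that was fine when set can appear in a later dump, so re-screening at authentication time (or on each corpus update) is what actually breaks the reuse chain the article describes.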

NATO Strengthens Its Cyber Stance
The Cyber Operations Center would integrate NATO members’ growing cyber warfare capabilities within NATO’s traditional military response for both offensive and defensive operations. “[Defense] ministers will decide on ways to integrate cyber into all NATO planning and operations so we can be just as effective in the cyber domain as we are in air, on land and at sea,” said the secretary-general after the November decision to form the center.
https://www.afcea.org/content/nato-strengthens-its-cyber-stance

Will the U.S. Ever Switch From Cyber Defense to Offense?
Beyond just adopting a defensive posture, the question becomes, when is it OK to use the Cyber Mission Forces offensively? Military leaders have said that the CMF teams possess a mixture of defensive, offensive and support capabilities. Should they be used to actively attack our attackers? […] But can we really sit back and take these constant attacks, at this level, without responding? Especially now that we have a robust capability to strike back, the question of if we should, and when, deserves more careful consideration.
http://www.nextgov.com/ideas/2018/04/will-us-ever-switch-cyber-defense-offense/147146/

We should have dealt with Russia sooner
In light of current and previous events, given the amount of involvement Russia has had, my only question is this: Why now? Why did NATO wait so long? I think expelling Russian diplomats from NATO is definitely the right move, but not only as retaliation against the poisoning of a spy and his daughter on British soil. I strongly believe that using a nerve agent in someone else’s territory is a disgraceful act. But even aside from Skripal’s case, there has been much more to talk about. Let’s be honest here: There has been a lot. An illegal annexation of Crimea, the Ukrainian crisis, the restless war.
http://www.campustimes.org/2018/04/02/we-should-have-dealt-with-russia-sooner/

Triggering the New Forever War, in Cyberspace
The just-released U.S. Cyber Command “vision” accurately diagnoses the current state of cyber conflict and outlines an appropriate new operational model for the command: since cyber forces are in “persistent engagement” with one another, U.S. Cyber Command must dive into the fight, actively contesting adversaries farther forward and with more agility and operational partnerships. The vision, however, ignores many of the risks and how to best address them.
https://www.thecipherbrief.com/triggering-new-forever-war-cyberspace

Accused NSA leaker wants to subpoena states, cybersecurity firms and federal agencies
National Security Agency contractor Reality Winner, who is accused of leaking a top-secret report on Russian hacking activity connected to the 2016 election, is seeking to pull 21 states and an array of leading cybersecurity firms into her criminal case by subpoenaing them as part of her trial. […] Winner’s attorneys also listed 10 cybersecurity companies they contend could have information useful to her defense: TrendMicro, FireEye, Eset, CrowdStrike, Volexity, F-Secure Corporation, ThreatConnect, Motherboard, Secureworks and Fidelis Cybersecurity.
https://www.politico.com/blogs/under-the-radar/2018/04/01/accused-nsa-leaker-cybersecurity-494321

Facebook Allows Advertisers to Target Users on the Basis of Their Interest in Illegal Firearms
So long as advertisers don’t explicitly sell a firearm, they haven’t violated the company’s policy. And so long as they don’t sell a prohibited firearm, they haven’t broken any laws. The question is, why does Facebook allow these targeting categories when its ban on the sale of firearms has already proved so extraordinarily difficult to enforce? Thanks to the company’s ceaseless data collection, it can point advertisers toward users most likely to purchase particular firearms, even in states where they are outlawed. And it doesn’t seem interested in closing this loophole any time soon.
https://slate.com/technology/2018/04/facebook-lets-advertisers-target-users-on-the-basis-of-their-interest-in-illegal-firearms.html

People are really worried about IoT data privacy and security—and they should be
According to the study, huge majorities of consumers around the world don’t think their IoT data is safe, and they want something done about it before the problem spirals out of control:
92 percent say they want to control what personal information is automatically collected.
74 percent are concerned that small privacy invasions may eventually lead to a loss of civil rights.
https://www.networkworld.com/article/3267065/internet-of-things/people-are-really-worried-about-iot-data-privacy-and-securityand-they-should-be.html

US wants 5 years’ worth of social media history from visa applicants
According to Drexel University associate law professor Anil Kalhan, “This is unnecessarily intrusive and beyond ridiculous.” The ACLU is none too happy about the proposal either. Hina Shamsi, director of the ACLU’s National Security Project, said: “This attempt to collect a massive amount of information on the social media activity of millions of visa applicants is yet another ineffective and deeply problematic Trump administration plan. It will infringe on the rights of immigrants and U.S. citizens by chilling freedom of speech and association, particularly because people will now have to wonder if what they say online will be misconstrued or misunderstood by a government official.”
https://www.csoonline.com/article/3267608/security/us-wants-5-years-worth-of-social-media-history-from-visa-applicants.html

Cloudflare’s free DNS service speeds up web browsing and helps protect your privacy
“If you switch to 1.1.1.1, then that ledger of where you’re going online is not being kept by your ISP,” said company CEO Matthew Prince. “[I]t’s been depressing to us to watch all too frequently how DNS can be used as a tool of censorship against many of the groups we protect. While we’re good at stopping cyber attacks, if a consumer’s DNS gets blocked there’s been nothing we could do to help.” Cloudflare says it will not write any querying addresses to disk and will wipe logs within 24 hours. It also promises not to sell people’s data or use it to target ads. To show it’s living up to these claims, the firm has retained KPMG to perform annual audits.
https://www.techspot.com/news/73964-cloudflare-free-dns-service-speeds-up-web-browsing.html
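The “ledger of where you’re going online” is simply the stream of DNS questions your devices send to whichever recursive resolver they are pointed at. As an added example that is not Cloudflare’s code, the following encodes such a query and parses the answer at the wire level, so the exchange with a resolver such as 1.1.1.1 is visible byte by byte; the reply is constructed in-process so the block runs offline, and the optional resolve() helper sends the same query over UDP if you choose to call it.

```python
"""Added example (not Cloudflare's code): minimal DNS wire-format encoder/parser,
showing the query a stub resolver sends to a recursive resolver such as
1.1.1.1 and the answer that comes back. The reply is constructed in-process;
resolve() sends a real query over UDP only if you call it."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None, qtype=QTYPE_A):
    """12-byte header + one question. Flags 0x0100 = standard query, RD set."""
    if txid is None:  # unpredictable txid is the first defence against blind spoofing
        txid = random.SystemRandom().getrandbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, off):
    """Decode a possibly compressed name -> (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier copy of the name
            hops += 1
            if hops > 16:  # hostile replies can loop pointers; bound the walk
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid):
    """-> (rcode, [(name, rtype, ttl, rdata), ...]); A rdata as dotted quad."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


def constructed_response(txid, name, ip, ttl=300):
    """Constructed for the example: one A answer as a resolver would encode it.
    Flags 0x8180 = response, RD+RA; answer name is pointer 0xC00C to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def resolve(name, server="1.1.1.1", timeout=2.0):
    """Live lookup over plain UDP/53 (uses the network; not part of the test).
    This is still cleartext on the wire: the query log moves off the ISP's
    resolver, but the ISP can read the queries in transit unless DoT (853)
    or DoH is used instead."""
    txid = random.SystemRandom().getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, txid)
```

The caveat in resolve() is the one practitioners most often miss: changing the resolver address only changes who keeps the log. The queries themselves still cross the ISP’s network in the clear on UDP/53, so the privacy benefit the article describes depends on pairing the new resolver with DNS over TLS or DNS over HTTPS, both of which 1.1.1.1 offers.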

What Facebook’s Data Scandal Really Means for Regulators
[What] most people call AI is in reality machine learning, using the brute force of big data to perform tasks. True AI requires coming up with algorithms that, like humans, can learn from just one or two examples, rather than thousands. More privacy regulation could force research in that direction. Even then there could be risks to over-regulation, according to Parpart. If companies like Alibaba or Facebook are restricted too much in terms of the data they can store and how they can use it they may lose the advertising revenue that enables them to fund AI research, she said.
https://www.bloomberg.com/news/articles/2018-04-02/what-facebook-s-data-scandal-really-means-for-regulators

More than money: How to woo cybersecurity professionals
A word of caution — a lack of clarity in a job description implies the organization doesn’t understand security. When hiring managers use vague language to craft descriptions that don’t seem to accurately reflect the job, that’s a red flag for job seekers. Whether you are looking for someone well versed in cybersecurity strategy, cybersecurity management, user education, risk assessment or security operations, be clear about the skills needed and avoid ambiguity about the role.
https://www.ciodive.com/news/more-than-money-how-to-woo-cybersecurity-professionals/520370/

Grindr Is Letting Other Companies See User HIV Status And Location Data
The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.” Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.
https://www.buzzfeed.com/azeenghorayshi/grindr-hiv-status-privacy?utm_term=.kwd823OXON#.hv3rQmGyGz
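The re-identification risk here comes from bundling: a sensitive attribute is harmless to an analytics vendor only until it is sent in the same payload as an email address, device ID and GPS fix. As an added example, hypothetical and not Grindr’s or either SDK vendor’s code, the block below shows the naive “send everything” event builder beside a hardened one that allowlists fields, fails closed when a sensitive key is passed, and gives each vendor its own HMAC-derived pseudonymous user ID so vendors cannot join their datasets with each other or with the first party’s raw identifiers. Field names, vendor keys and the sample profile are constructed.

```python
"""Added example (hypothetical, not Grindr's or either SDK vendor's code): the
naive 'send everything' event builder beside a hardened one that allowlists
fields, fails closed on sensitive keys and gives each vendor its own
pseudonymous user ID. Field names, keys and the sample data are constructed."""
import hashlib
import hmac

# Constructed sample profile and device context.
PROFILE = {
    "user_id": "u-48213",
    "email": "alice@example.org",
    "hiv_status": "Positive, undetectable",
    "last_tested_date": "2018-01-15",
}
DEVICE = {"phone_id": "A1B2C3D4", "gps": (40.7411, -73.9897), "app_version": "4.1.0"}

# Attributes that must never leave the first party, and the only keys an
# analytics/optimisation vendor legitimately needs (assumed for the example).
SENSITIVE_FIELDS = frozenset({"hiv_status", "last_tested_date", "email", "phone_id", "gps"})
ANALYTICS_ALLOWLIST = frozenset({"event_name", "screen", "app_version", "locale"})

# Hypothetical per-vendor secrets held only by the first party. Rotating one
# resets that vendor's view of your users without touching the others.
VENDOR_KEYS = {"apptimize": b"constructed-key-1", "localytics": b"constructed-key-2"}


class SensitiveFieldError(ValueError):
    pass


def build_event_before(event_name, profile, device):
    """The pattern the article describes: merge profile and device context into
    one payload. HIV status now travels with email, phone ID and GPS, so the
    recipient can tie it to an identifiable person."""
    return {"event_name": event_name, **profile, **device}


def pseudonymous_id(user_id, vendor):
    """Stable per-vendor ID = HMAC-SHA256(vendor_key, user_id), truncated.
    Vendors cannot join their data with each other or with the raw user_id."""
    mac = hmac.new(VENDOR_KEYS[vendor], user_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_event_after(event_name, profile, device, vendor, extra=None):
    """Hardened pattern: fail closed on sensitive keys, then allowlist."""
    extra = dict(extra or {})
    leaked = SENSITIVE_FIELDS.intersection(extra)
    if leaked:  # a developer adding one of these to 'extra' fails in CI, not in prod
        raise SensitiveFieldError(f"refusing to send {sorted(leaked)} to {vendor}")
    merged = {"event_name": event_name, **device, **extra}
    payload = {k: v for k, v in merged.items() if k in ANALYTICS_ALLOWLIST}
    payload["vendor_user_id"] = pseudonymous_id(profile["user_id"], vendor)
    return payload


def payload_is_clean(payload):
    """Outbound guard (for the SDK wrapper or a network-layer test): no
    sensitive field and no raw first-party identifier may be present."""
    keys = set(payload)
    return not (keys & SENSITIVE_FIELDS) and "user_id" not in keys
```

The allowlist is the important half: a denylist like SENSITIVE_FIELDS only catches fields someone remembered to name, whereas an allowlist makes every new profile attribute opt-in for third-party traffic. payload_is_clean() is the kind of check worth running against captured outbound requests in a test environment, which is essentially how the SINTEF researcher found the issue in the first place.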


====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.