IT Security News Blast 04-20-2018

Blue Shield of California Breach

Blue Shield of California Reports PHI Data Breach
Blue Shield of California admitted to a PHI data breach involving an insurance broker who was not authorized to receive patient information, according to a breach notification submitted to the California Attorney General’s Office. […] The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.

Reducing Cybersecurity Vulnerabilities Part of FDA Action Plan
The Food and Drug Administration (FDA) is asking Congress for additional authority and funding to expand its efforts to improve medical device safety, including reducing cybersecurity vulnerabilities in devices, said FDA Commissioner Scott Gottlieb in announcing this week a new medical device safety action plan. As part of those efforts, the FDA wants to set up a CyberMed Safety (Expert) Analysis Board, which would be a public-private partnership between the FDA and devices makers to complement existing device vulnerability coordination and response mechanisms.

Deep Learning, Cyber Security and Finance
Deep learning is a technology that learns from algorithms and focuses on making decisions based on an intensive investigation of data. As of today, the amount of information available to businesses and people is in abundance. With so much data being available, deep learning that uses neural networks can assist financial organizations in countering the challenges faced by them in numerous ways.

Lessons From the Marsh ‘Global Cyber Risk Perception Survey’: Disconnects Persist Despite Increased Executive Involvement
According to the survey, the financial impact of cyber incidents varied between companies of different sizes. For example, 9 percent of organizations with less than $50 million in revenue estimated a financial impact of $10 million to $100 million. That figure rose to 26 percent for organizations with $50 million to $500 million in revenue, and 33 percent for companies that reported revenues of $500 million to $1 billion.

Cybersecurity And The Board’s Responsibilities — ‘What’s Reasonable Has Changed’
Stated at a high level of generality, the board must ensure that the company has cyber risk management policies and procedures consistent with its strategy and risk appetite, and the board must ensure that these policies and procedures are functioning. Boards should review annual budgets for privacy and security, assign roles and responsibilities, and get regular briefings on cyber issues. Depending on the company, it may have to be quarterly.

Implementing the NIST cybersecurity framework could be worth at least $1.4m to your business
We conservatively estimate that implementing the NIST CSF was worth $1.4 million for By Light, a mid-sized government contractor that won a one-year DoD contract awarded in 2017. By Light brings in about $230 million in revenue each year, according to Washington Technology. The company won the DoD contract, worth $59.5 million alone, even though a competitor underbid the project by about $3 million. The reason was largely due to By Light having implemented the NIST CSF. Our estimate is probably conservative, because a $60 million contract is relatively small.

More Than Half of Organizations Have Unfilled Cybersecurity Positions
The survey found that employees lack confidence in the qualifications of their organization’s workforce. Three in 10 participants said that less than a quarter of employees were qualified. Slightly more (31 percent) reported that 25 to 50 percent of their co-workers possess the necessary skills, while just 12 percent of respondents indicated that 75 to 100 percent of their colleagues are sufficiently qualified. At the organizational level, respondents revealed that 39 percent of most openings were for “individual contributor, technical security.”

Erie Launches New Secure Smart City Project
“So what we’re focusing on is creating a Secure Smart City, so in other words we’re going to create a destination in Erie, Pennsylvania for secure cyber and connected services, the first of its kind in the world,” Sanchack added. The project will bring public Wi-Fi to Perry Square and install energy-efficient LED lighting on 66 poles in the area. This July, they will also install two new poles in Perry Square with state-of-the-art video surveillance, to increase security and even alert police to potential threats.

Four things driving the Cybersecurity Economy
The cybersecurity industry is on a roll, according to research firm Gartner Inc. The company says the global information security spending will reach $96 billion in 2018, up 8 percent from 2017. Fast and furious changes in device technology—and in cyberthieves’ strategies—have fueled this rapid expansion. Here are four reasons that cybersecurity is now a very big business.
1) Cyberthreats are an industry of their own
2) It’s not just about PCs anymore
3) Automation brings better protection
4) The Internet of Things creates new benefits and challenges for businesses and consumers.

DHS is Lukewarm on the Bug Bounty Programs Congress Keeps Pushing
The Hack DHS bill includes $250,000 for the program. While the costs of running a Homeland Security bug bounty aren’t clear, the most recent military bug bounty, at the U.S. Air Force, paid out $104,000 in bounties, which doesn’t include other costs such as vetting participants and analyzing the validity of bug reports. “We have the hunt and incident response team, which gets us the same capability,” Krebs said, referring to the Homeland Security division that scans government systems for vulnerabilities and responds to data breaches and other cyber incidents.

More Promo Cyber Attacks Reported; Western Officials Point to Russia
Issued earlier this week, the warning about the Kremlin’s alleged attack campaign comes at a time in which a growing number of North American promotional products companies said they’re being targeted by malware viruses that can cripple computer networks, email and phone systems. Counselor reported Tuesday that several promo industry firms had been victimized by the virus, which was launched, in at least a couple instances, by clicking a link in an email asking to confirm shipping information.

Russia cyber attack: How legitimate is threat against the UK?
He said: “Cyber attacks like WannaCry and Not-Petya demonstrate governments can, and will, use nefarious means to target critical national infrastructure of nation states. “There is no doubt that Russia has the ability and the motive to deploy this kind of attack on the West. Many other nation states have this ability too. “That said, it is not just national infrastructure at risk. For many state-sponsored hackers, business and governmental department disruption is top of the agenda, much like the NHS attack.”

Should the U.S. treat Russian hacking networks like ISIS?
“Russia, North Korea and Iran have very little to lose when it comes to sanctions,” said panelist Tom Corcoran, head of cybersecurity at Farmers Insurance. “They’re already under very heavy sanctions, so the one actor that was vulnerable to pressure was China.” […] “If you were to poll the military and intelligence communities in the United States at the three-star level and below, you would have general agreement that the only way we’ll be able to change opponent behavior is by taking direct action against them,” said panelist James Lewis, SVP and program director at the Center for Strategic and International Studies.

Assessing the Nation-State Threat
While U.S. agencies and enterprises increasingly understand the nation-state cyber threat, they are woefully unprepared to respond to a sustained attack, says former State Department adviser Morgan Wright. What are we overlooking? In a video interview at RSA Conference 2018, Wright discusses:
· The top nation-state threats to the U.S.;
· Why the U.S. is unprepared for a sustained event;
· What public and private sector entities must do to improve preparation.

Palantir Knows Everything About You
Police and sheriff’s departments in New York, New Orleans, Chicago, and Los Angeles have also used it, frequently ensnaring in the digital dragnet people who aren’t suspected of committing any crime. People and objects pop up on the Palantir screen inside boxes connected to other boxes by radiating lines labeled with the relationship: “Colleague of,” “Lives with,” “Operator of [cell number],” “Owner of [vehicle],” “Sibling of,” even “Lover of.” If the authorities have a picture, the rest is easy.

To Mitigate Third-Party Security Risk, Be at the Table
Digital transformation is expanding the scope of the third-party ecosystem. As that ecosystem grows, we’re seeing a corollary security impact. As organizations deploy integrated solutions, their security architecture must address the impact of the resulting expanded third-party ecosystem. We must determine if our third parties are meeting the same security standards we adhere to ourselves.

Hide Secret Messages In Plain Sight With Zero-Width Characters
Fingerprinting text is really very nifty; the ability to encode hidden data within a string of characters opens up a large number of opportunities. For example, someone within your team is leaking confidential information but you don’t know who. Simply send each team member some classified text with their name encoded in it. Wait for it to be leaked, then extract the name from the text — the classic canary trap. Here’s a method that hides data in text using zero-width characters.
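The canary-trap scheme described above, as an added example that is not code from the original article: each recipient's copy of a memo carries their name as a run of zero-width characters, the name can be recovered from a leaked copy, and a defender-side scan flags any zero-width code points in text that should not contain them. The bit mapping (U+200B for 0, U+200C for 1) and the placement after the first word are this example's own choices, not the article's.

```python
# Added example (not from the original article): zero-width-character
# text fingerprinting, recovery, and a defender-side detection check.
ZW0, ZW1 = "\u200b", "\u200c"   # zero-width space = bit 0, zero-width non-joiner = bit 1
# Zero-width code points a content scanner should flag in plain prose.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def encode_fingerprint(cover: str, tag: str) -> str:
    """Embed `tag` (UTF-8 bytes, MSB first) as zero-width bits after the first word of `cover`."""
    bits = "".join(f"{b:08b}" for b in tag.encode("utf-8"))
    hidden = "".join(ZW1 if bit == "1" else ZW0 for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + hidden + sep + tail          # visible text is unchanged


def decode_fingerprint(text: str) -> str:
    """Recover the embedded tag from a (possibly leaked) copy; visible characters are ignored."""
    bits = "".join("1" if ch == ZW1 else "0" for ch in text if ch in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8          # drop a trailing partial byte, if any
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def scan_for_zero_width(text: str) -> dict:
    """Detection: count zero-width code points and report where the first one sits."""
    positions = [i for i, ch in enumerate(text) if ch in ZERO_WIDTH]
    return {"count": len(positions), "first_index": positions[0] if positions else -1}


if __name__ == "__main__":
    memo = "Confidential: Q3 pricing changes are under review."   # constructed sample text
    copies = {name: encode_fingerprint(memo, name) for name in ("alice", "bob")}
    leaked = copies["bob"]                                        # pretend this copy leaked
    print("leaked by:", decode_fingerprint(leaked))               # bob
    print("scan:", scan_for_zero_width(leaked))                   # 24 hidden chars at index 13
```

Because the fingerprint survives copy-and-paste but not re-typing or normalisation, the scan function is the part worth running on inbound documents, where unexpected zero-width characters are a signal in their own right.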

A Facebook malware has compromised thousands of accounts
The IT security researchers at Radware have discovered a sophisticated malware campaign targeting unsuspecting Facebook users in the name of a painting application called ‘Relieve Stress Paint.’ As a result, tens of thousands of Facebook accounts have been compromised in the last couple of days. The application is available on a website which takes advantage of Unicode representation to appear in search engines including Google as, a web portal, and online service provider originally known as America Online[.]

Millions of scraped public social net profiles left in open AWS S3 box
US social network data aggregator LocalBlox has been caught leaving its AWS bucket of 48 million records – harvested in part from public Facebook, LinkedIn and Twitter profiles – available to be viewed by anyone who stopped by. […] We’re told the S3 bucket contained a single 151.3GB compressed representation of a 1.2TB ndjson (newline-delimited JSON) file. The database describes “tens of millions of individuals,” we’re told. UpGuard, in a blog post on Wednesday, said it informed LocalBlox on February 28, and the bucket was secured later that day.

‘iTunes Wi-Fi Sync’ Feature Could Let Attackers Hijack Your iPhone, iPad Remotely
Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable. Once enabled, the feature allows the computer owner to secretly spy on your iPhone over the Wi-Fi network without requiring any authentication, even when your phone is no longer physically connected to that computer.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.