IT Security News Blast 6-21-2017

Health Sector Security and the Big Squishy Middle

Call center operations have been shut down by telephone denial of service. An entire hospital system in the UK was shut down by ransomware a problem that is only projected to escalate. And now medical devices have been shown to have been developed with the same (lack of) care as web-connected toys. At a time when national health care is the subject of debate (a term I’m using quite loosely here) and regulations are being viewed at the federal level as something to get rid of, I think we’re setting ourselves up for quite a landmine.

Healthcare Cybersecurity Measures Must Evolve for Success

There are two key areas that directly apply to healthcare from the ISACA report, Clyde explained. First, the Internet of Things (IoT) overtook mobile as the industry’s primary focus. This is right in healthcare’s wheelhouse, he stated. It goes without saying that healthcare with its medical devices is one of the top industries that has adopted the Internet of Things to better people’s lives. But as this report indicates, the industry is concerned.

Shipowners must do more to prevent cyber attacks

In that session, DNV GL maritime cyber security manager Patrick Rossi listed many of the problems found on board container ships and tankers that make these vessels more vulnerable to cyber attack. These include:

  •     Bridge systems connected to unsecure connections
  •     Missing software patches
  •     USBs passed between multiple ship computers and bridge equipment
  •     Unconnected firewalls
  •     Lack of network segregation
  •     Unencrypted emails
  •     No malware scanning on ecdis,shipowners-must-do-more-to-prevent-cyber-attacks_48164.htm

Healthcare Data Breach Costs Highest for 7th Straight Year

In the US, data breaches cost companies an average of $225 per compromised record. Furthermore, the total average organizational cost of data breach hit a new high at $7.35 million. Heavily regulated industries, including healthcare, experienced higher data breach costs. Following healthcare at $380 per capita, the industries with the highest costs were financial services ($336 per capita), services ($274), life science ($264), and industrial ($259). The mean per capita data breach costs were $225.

US is Number One! In sales register hacking attacks, at least

Hacking attacks against sales terminals have risen by nearly a third last year, and the US is still leading the way in being insecure. Incidents affecting sales tills and payment systems increased to 31 per cent in 2016, according to research by security firm Trustwave, while incidents affecting e-commerce environments fell to 26 per cent from 38 per cent. Incidents involving sales registers were most common in the US, thanks to its tardy adoption of EMV chip technology and a reliance on chip and signature rather than chip and PIN payment.

Bank websites struggle, consumer services sites shine in online trust assessment

Nearly two-thirds, or 65 percent, of websites operated by the largest 100 U.S. banks by asset flunked the 2017 Online Trust Audit and Honor Roll exercise, which was conducted in April and May 2017 by the Online Trust Alliance, an Internet Society Initiative. “Their failures were attributed in part to the revised failure threshold, increased number of data breaches, observed site security vulnerabilities and inadequate privacy disclosures,” the report reads.

ProtonMail Launches Free VPN Service

According to Proton Technologies AG, the company behind ProtonMail, the VPN was developed by the same scientists from CERN and MIT that originally developed the email service. The company says the VPN re-routes users’ traffic through encrypted tunnels via core servers located in hardened data centers in Switzerland, Iceland, and Sweden. Some tiers of the VPN allow for integration with Tor, so users, if they choose, can route traffic via the anonymity network to access dark web sites.

Armed Services panel aims to toughen cyber oversight in defense bill

That bill, introduced by Reps. Mac Thornberry (R-Texas), Adam Smith (D-Wash.), Elise Stefanik (R-N.Y.) and Jim Langevin (D-R.I.), would require Congress to be notified within 48 hours of any sensitive military cyber operations that are conducted and would also mandate notification of any unauthorized disclosure of cyber capabilities.

Canadian security agency will soon be able to launch cyber attacks against terrorists

At the moment, CSE does not have the authority to take action online outside of Government of Canada networks to deter cyber threats against the country. But once this new legislation passes, CSE employees will be allowed to conduct both defensive cyber operations and active cyber operations, including operations that advance national objectives.

EU Warns of ‘United Response’ to Cyber-Attacks 

The European Union warned Monday that a cyber-attack on any one member state could merit a response by all members of the bloc, amid growing fears of hackers holding governments to ransom.[…] EU foreign ministers meeting in Luxembourg said the 28-nation bloc was “concerned by the increased ability and willingness of state and non-state actors to pursue their objectives through malicious cyber activities.”

Hacktivist hits Minnesota gov databases to protest Philando Castile verdict

A hacktivist Sunday breached Minnesota government databases and stole 1,400 email credentials, along with other information, to Protest the Philando Castile verdict. […] The stolen credentials reportedly give access to internal databases from the server, which connects to other databases of the sites and, according to Vice’s Motherboard.

Microsoft admits to disabling third-party antivirus code if Win 10 doesn’t like it

Redmond is currently being sued by security house Kaspersky Lab in the EU, Germany and Russia over alleged anti-competitive behavior because it bundles the Windows Defender security suite into its latest operating system. Kaspersky (and others) claim Microsoft is up to its Internet Explorer shenanigans again, but that’s not so, said the operating system giant.

Avaya Patches Remote Code Execution Flaw in Aura

Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception. Researchers at Digital Defense found a vulnerability where an attacker could, without authentication, abuse Remote Procedure Calls (RPC) into the server and modify input in such a way that they would be granted remote administrative access.

Mexican government accused of illegal phone hacking of citizens

An investigation by Mexican NGOs and a Canadian tech lab has revealed how the Mexican government is illegally targeting the mobile phones of journalists, lawyers and activists to spy on them. R3D, SocialTic, Article 19 and CitizenLab report that the government has been sending malware links to specific individuals’ phones, typically with highly personalized messages – even moving on to their family members if they are not duped into clicking.

TP-Link Fixes Code Execution Vulnerability in End-of-Life Routers

Router manufacturer TP-Link recently fixed a vulnerability in a discontinued line of routers that if exploited could have been used to execute code on the device. Researchers at Senrio, a firm that specializes in IoT security, uncovered a logic vulnerability in a configuration service present in TP-Link’s PTWR841N V8 router models.

Ad ‘urgently’ seeks company to build national e-ID system

The post is from an unidentified small IT consultancy which is submitting a bid to deliver a National e-ID system, including a biometric enrolment for all citizens and residents above the age of five years*, for a population coverage of approximately 4 million people. The advert did not state which country the system is for, but from the spelling it reads as if it has been posted by an US outfit.

NY gov directs review of voting infrastructure cybersecurity

Cuomo announced that he has directed the state’s cybersecurity advisory board to work with state agencies as well as the state and county boards of election to evaluate cyber threats to New York’s election infrastructure and make any recommendations for additional security measures. The governor’s announcement noted, however, that there have yet to be any credible reports about disruptions of election infrastructure in the state.

No recourse, perhaps, for 200M affected in breach of RNC database, attorney says

“Affected people may not have a clear way to get recourse because most laws about data security and data breaches don’t contemplate the kinds of harms we will see from what happened here,” Monroe said. “Some states have laws requiring that businesses have reasonable security measures in place to protect personal information, but those laws are generally directed toward financial harms like identity theft. The information here, while many would consider it sensitive, probably wouldn’t be subject to those laws.”

NSA had NFI about opsec: 2016 audit found laughably bad security

It’s almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication. The formerly-classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files from August 2012 to May 2013.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.