IT Security News Blast 9-6-2017

Top HIPAA Enforcer Names His Top Enforcement Priority

I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” […] Our caseload has been growing significantly. We are up to about 20,000 complaints a year. That is an extraordinarily large number. We have a lot of staff that work on technical assistance.” Ultimately, Severino says he wants “to see those 20,000 complaints start to go down so we can have a culture of compliance throughout our country so that we will achieve all of our goals and do it efficiently with as little burden as possible on all of you so we can have some wonderful results.”

 What to look for when hiring healthcare cybersecurity pros

“Experience will be the key factor in dealing with the challenges and threats that are unique to healthcare,” Fund said. “CISOs and CSOs of tech companies will find it more complex than their previous roles. Given the choice between a senior security leader from a large tech company and a senior security leader with healthcare experience, hospitals will choose the healthcare background because the job requires a deeper understanding of the implications of breaches.”

 How banks are coping with New York’s cybersecurity rules

“It was a complete and utter waste of time,” said Tomita, a senior vice president and the chief technology officer at Catskill Hudson Bank in Monticello. “I would love to have about 15 minutes with [Gov. Andrew] Cuomo to thank him for the 4,000 phone calls I’ve received from every fly-by-night company that says they can be our information security officer. Many of them have no idea what they’re doing and some are fraud peddlers.”

 Examining the litigious ramifications of the recent ransomware cyber attacks

Beyond the interruption and potential damage to their business, they realise that failure to act properly may also significantly increase the risk of regulatory fines, negligence, breach of privacy, and breach of contracts with consequent litigation (including in relation to consultancy obligations, supply contracts, business interruption, consequential losses and of course insurance).

 Lenovo Wasn’t Paying Attention: 750,000 Laptops Had Spyware

The Federal Trade Commission announced Tuesday that it had settled with the Beijing-based electronics company over three violations that show how the agency is continuing to clampdown on companies that invade customer privacy. […] It would also keep its eyes on consumer’s personal info, like log-in credentials, Social Security numbers, bank account information, medical information, and emails, investigators learned.

 Does Your Small Business Need Data Breach Insurance?

Comprehensive data breach insurance will also offer practical support in the event of a cyber-attack on your business. Such support includes providing a business with legal advice, forensic investigations, notifications to clients, customers and regulators and support to affected customers, such as credit card monitoring.

 Thousands of Military Vets’ Details Exposed in S3 Privacy Snafu

“The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses,” explained O’Sullivan.

 U.S. Takes Fight to ISIS on Cyber Battlefield

From its headquarters in Fort Meade, U.S. Cyber Command has become an integral part of the fight against the terrorist organization. Forward-deployed cyber operators embedded in ground teams, or relaying from links to ISIS infrastructure through drones, aircraft or naval vessels, can access ISIS systems where internet or satellite links cannot. The recently elevated combatant command first cut its teeth in February 2016 by launching targeted denial of service attacks and other cyber countermeasures to jam ISIS communications during the strategic recapturing of the town Shaddada in Syria.

 Returning Congress May Focus on Cybersecurity, Surveillance

The 115th Congress will have a full plate of cybersecurity, email privacy, and surveillance bills when it starts its fall term Sept. 5. Lawmakers will be considering mandating enhanced cybersecurity protections and best practices for companies, updating a decades-old email privacy law, and continuing an important national security surveillance authority.

 FCC makes net neutrality complaints public, but too late to stop repeal

The Federal Communications Commission last week released more than 13,000 pages of net neutrality complaints filed by consumers against their Internet service providers. But the big document release came just one day before the deadline for the public to comment on FCC Chairman Ajit Pai’s proposal to repeal the net neutrality rules. […] The FCC released the biggest batch of documents to the NHMC on August 29 and a smaller batch on August 24, but the commission did not publish the documents on its website or take any other steps to make them widely available. Ars has been asking the FCC to make the complaints public since August 25, but we haven’t gotten a reply.

 Senate Dem pushes for government-wide ban of Russian cyber firm

“I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software,” Shaheen wrote in an op-ed published in The New York Times. “When broad defense legislation comes before the Senate in the weeks ahead, I hope to amend it to ban Kaspersky software from all of the federal government.”

 The hidden history of cyber-crime forums

But those sites, including Dark Market, Carders Market, Shadow Crew,, Darkode, GhostMarket and the Silk Road, have more in common than just the trajectory of their genesis and demise. They all follow the modus operandi of a landmark forum set up in 2001 called Carder Planet. Designed for criminals who specialised in monetising lists or “dumps” of credit card numbers, it has had an influence far beyond that select group.

 Four Million Time Warner Cable Records Left on Misconfigured AWS S3

The repositories, owned by BroadSoft, a global communication software and service provider, contained information – SQL database dumps, code, access logs, customer billing addresses, and phone numbers – belonging to clients, namely cable company Time Warner Cable (TWC). Researchers who found the information say records belonging to more than four million TWC customers, dating back to 2010, were found in one file.

 Attacker demands ransom after series of DDoS attacks on Poker site

“We had the attacker get on chat and say I am gonna attack you in one minute and he does the attack, but I will never pay an attacker I won’t pay a ransom, I won’t do it because once you get the bully get your lunch money, he’s taking your money all the time. Once they make you a bit*h, you are a bit*h, and I don’t like the idea of being a bit*h.” Nagy told the attacker to “get some job,” in reply, the attacker said, “This is my job, some other site is paying me to attack you.”

 Key-logging malware, dubbed EHDevel, found intelligence gathering

The malware allows hackers to log keystokes, identify a victim’s location and steal personal data. The malware also uses a complex mix of transitions from one programming language to another, code under active development, and bugs that were not spotted during the QA process. […] Further investigations found that is used a malware framework that uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.

 Patch Released for Critical Apache Struts Bug

“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,” said Oege de Moor, CEO and founder of Semmle. Affected developers are urged to upgrade to Apache Struts version 2.5.13. The ASF said there is no workaround available for the vulnerability (CVE-2017-9805) in Struts, an open-source framework for developing web applications in the Java programming language.

 YouTube MP3 Converter Site Shut Down After Labels Win Lawsuit

In 2016, (YTMP3), a popular YouTube-ripping site was taken to court by Recording Industry Association of America (RIAA) with intentions to see the site burn forever and pay a sum of $150,000 (€126,172) for each copyright infringement. Now, it has been reported that the RIAA has won the case leading to a settlement between both parties which includes the transfer of the website to one of the record labels; meaning this is the end of it and time to say good bye to one of the best known YouTube-ripping platforms.

 Doxagram site selling celebrity info from Instagram hack lives on in dark web

The folks behind Doxagram, who claim to be from Russia, are selling the phone numbers and email addresses of celebrities, high-profile politicians and athletes. The service, they claim, is “100% legal.” […] It’s worth noting that the attackers claim to have “the full Instagram database (200M+ users) unlike Facebook is claiming, but we only sell information from that data to top customers ($5,000+ spent in shop) and only via XMPP/Jabber.”

 Chinese Man Jailed For Selling VPNs that Bypass Great Firewall

Chinese citizens usually make use of VPNs to bypass the Great Firewall of China, also known as the Golden Shield project, which employs a variety of tricks to censor the Internet in the country. […] But to tighten grip over the Internet and online users, the Chinese government announced a 14-month-long crackdown on VPNs in the country at the beginning of this year, requiring VPN service providers to obtain prior government approval.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.