Tag Archives: breaches

Security News for the Week Ending June 4, 2021

Freaking Ooops: US Nuke Bunker Security Secrets On Public ‘Net Since 2013

Details of some US nuclear missile bunkers in Europe, including secret duress codewords, have been exposed publicly on the Internet. Journalists discovered it using simple search queries. The information was on training flashcards that had been uploaded to public flashcard-learning apps, where they should never have been. It includes “intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the identifiers that a restricted area badge needs to have”. The information has now been deleted. It had been exposed since 2013. Good job, folks! Credit: The Register

If You Can’t Spy Yourself, Ask Your Friends for Help

It takes a village – even if that is a village of spies. The NSA got help from Denmark in spying on top politicians and other high ranking officials in Germany, Sweden, Norway and France. They did this by asking the Danes to let them tap into an underwater fiber optic cable in 2012. Targets included Angela Merkel. Generally, politicians’ cyber hygiene habits are really poor, so the NSA probably found a lot of unencrypted data. Credit: The Hacker News

Watch Your Words When Discussing Breaches

If your company is in the unfortunate situation of dealing with a cyber breach, the lawyers say watch what you say in emails or Slack or similar channels because it can come back to bite the company later. If you say to a coworker “oh, yeah, we knew about that bug for months” and the bug wasn’t fixed and that contributed to the breach, well, you can see that could be a problem for the company. Obviously, it goes without saying that social media is definitely off limits for that kind of conversation. Unless you don’t like your job or the company. Read details in SC Magazine.

ARIN Plans to Take Down Part of the Internet – This is Just a Test

ARIN, the Regional Internet Registry for North America, plans to deliberately take its RPKI repository offline for a limited time in July, without advance notice, just to see what breaks. In theory, if relying-party software is implemented correctly, this should be a big yawn: validators keep using the ROAs they have cached until those expire, and once they do, the affected routes fall back to the “not-found” state rather than “invalid”, which a sane import policy still accepts. The networks that will notice are the ones that fail closed on not-found, or that fetch ROAs from a single source with no local cache. We shall see. Credit: Bleeping Computer
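To make the “should be a big yawn” argument concrete, here is route origin validation (RFC 6811) run against a small in-memory ROA set, followed by the same announcements evaluated with an empty ROA set, which is what a validator is left with once its cache has expired during an outage. This is an added example, not code from the original post or from ARIN; the ROAs and announcements are constructed from documentation prefixes and private-use ASNs, not real routing data, and a production validator would read VRPs from its cache rather than a Python list.

```python
"""Route Origin Validation (RFC 6811) against an in-memory ROA set, and what
an outage of the ROA source does to it.

Added example for illustration; it is not code from the original post or
from ARIN. The ROAs and route announcements are constructed from
documentation prefixes (RFC 5737 / RFC 3849) and private-use ASNs, not real
routing data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: prefix, maxLength and the authorised origin ASN."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def validate(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    A ROA covers the route if its prefix contains the announced prefix.
    The route is valid if any covering ROA names the origin ASN and the
    announced prefix length is within that ROA's maxLength. Covered but
    never matched is invalid; no covering ROA at all is not-found.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept(state: str, drop_not_found: bool = False) -> bool:
    """Import policy. The usual, correct policy drops only 'invalid' routes;
    drop_not_found=True models a fail-closed policy that also drops 'not-found'."""
    if state == "invalid":
        return False
    if state == "not-found":
        return not drop_not_found
    return True


def accepted_routes(announcements, roas, drop_not_found=False):
    return [(p, a) for p, a in announcements
            if accept(validate(p, a, roas), drop_not_found)]


# Constructed ROA set, standing in for the VRPs a validator would hold.
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/22", 24, 64497),
    make_roa("2001:db8::/32", 48, 64496),
]

# Constructed announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # valid
    ("192.0.2.0/24", 64500),       # invalid: wrong origin
    ("198.51.100.0/23", 64497),    # valid: /23 is within maxLength 24
    ("198.51.100.0/25", 64497),    # invalid: more specific than maxLength
    ("203.0.113.0/24", 64499),     # not-found: no ROA covers it
    ("2001:db8:1::/48", 64496),    # valid
    ("2001:db8::/64", 64496),      # invalid: /64 exceeds maxLength 48
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:22} AS{a}: {validate(p, a, ROAS)}")
    # Repository unreachable and cache expired: the validator holds no VRPs,
    # so every route becomes not-found. Hijack protection is gone for the
    # duration, but nothing legitimate is dropped...
    print("accepted, normal            :", len(accepted_routes(ANNOUNCEMENTS, ROAS)))
    print("accepted, outage            :", len(accepted_routes(ANNOUNCEMENTS, [])))
    # ...unless the operator fails closed on not-found, which drops everything.
    print("accepted, fail-closed outage:",
          len(accepted_routes(ANNOUNCEMENTS, [], drop_not_found=True)))
```

The thing to check in your own network before a test like ARIN’s is the last line: if your import policy rejects not-found routes, or your validators have no cache and a single upstream, an RPKI repository outage turns into a routing outage.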

FBI and DoJ to Treat Ransomware Like Terrorism

Since ransomware *IS* terrorism, it is nice to hear that the DoJ is going to treat it as such. Unlike the last administration, this time the FBI took direct aim at Russia as the culprit in a lot of the ransomware attacks. The US Attorney’s offices in every state have been directed to investigate ransomware attacks the same way that they treat other forms of terrorism. While they don’t have the resources to investigate every ransomware attack, any big attack or one that hits a critical industry will be handled just like a terrorist bombing. While this won’t fix the problem, more attention is good. Credit: ZDNet

Security News for the Week Ending January 29, 2021

Adult Web Site Hacked; 2 Million Records Leaked

Most visitors to adult web sites do not want to be “outed”, but that is exactly what happened to 2 million customers of MyFreeCams. While the data stolen (username, email, passwords stored in plaintext rather than hashed, and account balance) is not that sensitive, the fact that someone has an account there at all could be used to blackmail the site’s customers. The plaintext passwords make it worse: had they been stored as salted, slow hashes (bcrypt, scrypt or Argon2), a copy of the database would not have handed the attackers working credentials to reuse on other sites. As is too often the case, the site discovered the breach when the media asked them if the data they had was legit. Ouch. Credit: Cybernews

FBI’s Goal of Weakened Encryption Might Backfire on All of Us

A group associated with Hezbollah known as Lebanese Cedar has hacked telephone companies and Internet providers in the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority and the UAE. At least. Reports have identified at least 250 servers that were compromised by the group. If the FBI gets their way and we add more holes in the security scheme, that will only make the job of hacking us and ransomware easier for terrorists. That doesn’t seem like a great plan. Contrary to their wishes, there is no way to create a hole that only the good guys can use. Credit: ZDNet

Open Source Library Flaws Used by DoD & IC for Satellite Imagery Could Lead to Takeovers

Nitro (the NITRO library, an open-source implementation of the National Imagery Transmission Format, NITF) is a software library used by the Defense Department and Intelligence Community to store, transmit and exchange satellite images. Researchers at GRIMM discovered bugs in Nitro which they think could have led to system takeovers. The good news is that the researchers, who were working with DHS CISA, alerted the vendor, and a fixed version was released the following day. Credit: SC Magazine

Air Force Intelligence Officer Planned to Sell Secrets to Russia

Elizabeth Jo Shirley, an Air Force Intelligence Officer, kidnapped her daughter to Mexico and planned to defect to Russia with top-secret information. She worked at the NSA, Department of Energy and other government agencies for nearly 20 years before she went rogue. She was sentenced to 97 months. Credit: The Register

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on?” With that message Parler’s website is back online. Well, at least a one page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS web sites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purposes is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too can download the data that was scraped from the site during the last few hours of its existence. The scrape was possible because Parler served posts at sequential numeric identifiers with no authentication or rate limiting, and the uploaded photos and videos still carried their original metadata, including GPS coordinates. It is chunked down into 4GB chunks and more of it is being uploaded in real time. This will be examined and reexamined for a long time. Details can be found here.

Malwarebytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malwarebytes joins the long and getting longer list of those folks sucked in by the SolarWinds attackers. In their case, they did not use SolarWinds but were compromised by other techniques used by the SolarWinds attackers; Malwarebytes attributed the access to abuse of an application with privileged access to its Microsoft Office 365 and Azure environments. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google engineer who went to work for Uber’s self driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million arbitration award, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Waymo, Google’s self driving unit, settled its lawsuit against Uber in 2018 for roughly $245 million in Uber equity. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. The hacking group ShinyHunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all. These were DICOM (PACS) imaging servers that answered queries without any authentication, so anyone who found the open port could pull the images, and in many cases the patient names attached to them.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year, both in cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the Treasury Department’s OFAC has warned that paying a ransom to a sanctioned actor can itself be a sanctions violation, with civil and criminal penalties attached. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Suppliers Under Attack

The company Blackbaud helps organizations in a variety of industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their own computer rooms and data centers instead of in Blackbaud’s data centers. It was Blackbaud’s hosted environment that was compromised, and only a subset of the customers in it.

Unfortunately for Blackbaud, among the many companies affected are healthcare providers, and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government, which publishes the largest of them.

While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies whose data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far – more to come – is almost 1.6 million people whose data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, the ones who wind up on the short end of the stick are the healthcare providers.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again, in 2020 alone and only in healthcare, 345 breaches affected over 11 million people. Those are just the ones that were posted to the Health and Human Services “wall of shame”.

But fines, if and when they do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going increase or speed up.

Ultimately, the heavy lifting falls to the companies who hire these vendors. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that the vendors that have access to or store your clients’ data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Law Firms Face Cyber Security Risks

“This is not time for firms to keep calm and carry on.  The proper response is to freak out.” – Prof. Dan Solove, GWU Law School

While I am not sure that freaking out is, in fact, the only proper response, I think that what Prof. Solove is saying is that ignoring the situation is not going to work very well.  We are beginning to see law firms being hacked showing up in the news. Firms such as Weil and Cravath have been outed by the FBI.  Bloomberg says that 80 out of the top 100 law firms have been hacked.  The Russian hacker Oleras has announced he is trying to hack 48 specific law firms.  It seems like the handwriting is on the wall.

Professor Solove calls hacking law firms a “gourmet data feast“.  Once they get in, many law firms have little to no monitoring, so the odds of getting caught are nearly zero.  In addition, many firms have no internal access controls, so while associates are not supposed to access files for clients that they are not working on, there is nothing to stop a hacker, who is using an associate’s credentials, from hacking every client’s data and sending it to their server in Outer Slobovia.
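The two gaps named above, no matter-level access control and no monitoring, are cheap to close, and the second one is what turns a stolen associate credential into an alert instead of a wholesale export. The following is an added example, not code from the original post or from Prof. Solove: a document store that checks the matter team before serving a file, writes every read to an audit log either way, and a monitoring rule over that log. The users, matters, thresholds and the access sequence are all constructed for illustration.

```python
"""Matter-level access control plus a monitoring rule over the audit log.

Added example for illustration; not code from the original post or from
Prof. Solove. Users, matters, thresholds and the access sequence are
constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    matter: str
    authorized: bool  # user is on the matter's team
    granted: bool     # the store actually returned the file


class MatterStore:
    """Document store keyed by client matter.

    enforce=True checks the matter team before serving a file.
    enforce=False models a firm with no internal access controls: any valid
    login reads any matter. Either way every read is written to the audit
    log, which is what makes the monitoring below possible.
    """

    def __init__(self, assignments: dict[str, set[str]], enforce: bool = True):
        self.assignments = assignments
        self.enforce = enforce
        self.audit: list[AccessEvent] = []

    def read(self, user: str, matter: str) -> bool:
        authorized = user in self.assignments.get(matter, set())
        granted = authorized or not self.enforce
        self.audit.append(AccessEvent(user, matter, authorized, granted))
        return granted


def flag_unusual_access(audit: list[AccessEvent],
                        max_unauthorized_matters: int = 2,
                        max_denials: int = 2) -> dict[str, str]:
    """Flag accounts that read, or tried to read, many matters they are not on.

    Thresholds are illustrative; a real rule would baseline per role and per
    time window. Denials matter too: with enforcement on, the attacker's
    sweep shows up as a burst of refused reads rather than as data leaving.
    """
    unauthorized_reads: dict[str, set[str]] = defaultdict(set)
    denials: Counter[str] = Counter()
    for ev in audit:
        if ev.authorized:
            continue
        if ev.granted:
            unauthorized_reads[ev.user].add(ev.matter)
        else:
            denials[ev.user] += 1

    flagged: dict[str, str] = {}
    for user, matters in unauthorized_reads.items():
        if len(matters) > max_unauthorized_matters:
            flagged[user] = f"read {len(matters)} matters outside assignment"
    for user, n in denials.items():
        if n > max_denials:
            flagged[user] = f"{n} denied reads of unassigned matters"
    return flagged


# Constructed matter teams.
ASSIGNMENTS = {
    "M-1001": {"alice", "bob"},
    "M-1002": {"alice"},
    **{f"M-{n}": {"carol"} for n in range(1003, 1011)},
}


def simulate(enforce: bool):
    """Normal work by alice and bob, then someone holding alice's credentials
    sweeps through eight matters she is not assigned to."""
    store = MatterStore(ASSIGNMENTS, enforce=enforce)
    store.read("alice", "M-1001")
    store.read("alice", "M-1002")
    store.read("bob", "M-1001")
    for n in range(1003, 1011):
        store.read("alice", f"M-{n}")
    return store, flag_unusual_access(store.audit)


if __name__ == "__main__":
    for enforce in (True, False):
        store, flagged = simulate(enforce)
        served = sum(ev.granted for ev in store.audit)
        print(f"enforce={enforce}: {served} of {len(store.audit)} reads served, "
              f"flagged={flagged}")
```

With enforcement on, the sweep serves nothing and the account is flagged on denials; with enforcement off (the “no internal access controls” case) every file is served, but the same log still flags the account for reading eight matters it is not on. A firm that has neither the check nor the log gets neither signal.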

The gourmet data feast comes from the fact that most law firms have hundreds of clients and the data that they hold may include HIPAA protected information, non public personal information, financial information, criminal trial information, civil trial information, merger and acquisition information, insider trading protected information and other sensitive files.  Hackers’ mouths just water at the thought of it.

Prof. Solove suggests that state laws governing breach of confidentiality, public disclosure of private facts and negligence may be used against attorneys that do not take appropriate steps to protect their clients’ information.  Even if the case is not ultimately successful, the reputational damage can be significant.

In the case of HIPAA protected information, the fines can be very steep.  HHS can fine a law firm that holds a client’s protected health information up to $1.5 million per year for each category of violation.  In addition, the client can be fined because the law firm is now considered a business associate under the HIPAA and HITECH regulations, and if the client does not have a written and signed business associate agreement, they can be held liable for violating HIPAA as well.

In addition to dealing with the breach – paying for forensics investigations, dealing with lawsuits and depositions, reputational damage and regulatory fines, victim clients could file ethics complaints for failing to adequately protect confidential information.

A client’s trade secrets could be disclosed and I am not sure how you can possibly put that genie back in the bottle.

In addition, the client could be liable too, via vicarious liability.

Since the client did not adequately vet the law firm for cyber security risk prior to hiring them, they get to share in the responsibility.  Assuming this happens the client could both get sued by the victims and sue the firm.

To really make things messy, the FTC recently sued a company for violating section 5 of the FTC Act – unfair or deceptive practices – for failing to vet their vendor prior to giving them sensitive information.  This means that the FTC could commence an action against your client for your data breach.  Under typical FTC consent orders, the FTC will be closely watching your client for a mere 20 years and requiring an external audit every year or two.  Who do you think the client is going to turn to in order to recover those costs?

To make matters a little more uncomfortable, the insurance broker Marsh did a study recently and found that only half of the law firms surveyed had cyber risk insurance and 60% said that they had not calculated the effective revenue that could be lost following a breach.  For the firms that do have insurance, whether the insurance would adequately cover the effects of a breach is unknown.

One last thought.  Professor Solove has almost 900,000 followers to his LinkedIn blog in addition to being a law professor at GWU Law School.  In the blogging world, that is a ridiculously large following.  He is also the organizer of the annual Privacy + Security forum in Washington, DC.  I would suggest that he would likely qualify as an expert.

Information for this post came from Prof. Solove’s company, Teach Privacy.