STE WILLIAMS

Don’t have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients’ chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect.

On Thursday, the US government’s Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic’s wireless communications system Conexus, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio waves, with a range of roughly 25 feet without any signal boosting.

Read-write access

The more serious of the flaws, CVE-2019-6538, can potentially be exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for this kind of tampering, nor does it perform any form of authentication. This means transmissions can be intercepted, spoofed, and modified by hackers and their nearby equipment, which can also masquerade as a control unit, in certain circumstances that we’ll come to describe.

Here’s where it gets serious: the protocol allows a nearby miscreant, with the right radio gear and in the right circumstances, to send commands to the implanted cardiac device that read or write memory in the gadget. That means someone can, at the right moment, maliciously manipulate the operation of the vulnerable implant over the airwaves, potentially harming or perhaps even ultimately killing the patient.

Pete Morgan, one of the researchers who discovered and reported the flaw, told The Register that while a successful exploit could indeed lead to an attacker changing how the defibrillator operates – for example, making it fire randomly – there are some mitigating factors. Most notably, the device has to be in so-called listen mode, in which it awaits commands, a state that is not active for the vast majority of the day.

The implanted device typically wakes up to pick up transmissions when it is activated by an inductive wand waved over the patient’s chest, usually during an appointment or checkup with a doctor, or it wakes up automatically and briefly to exchange telemetry with a control unit in the patient’s home.

“They enter listen mode through either of two states,” Morgan, the founder of Clever Security, explained.

“One, inductive wake up through a wand or puck with the programmer or Carelink home monitor. Two, during intervals usually configured by the physician, the implanted cardiac device will wake up and begin RF communication with the Carelink home monitor to check in and report on status.”

A spokesperson for Medtronic noted to El Reg that, in addition to being in range and having the device in listen mode, the attacker would need to know the specific model of device implanted in the victim, and have reverse-engineered its design to know which commands to send to write the necessary data into memory to cause harm.

Thus, someone really needs to be out to get you to pull this off; it’s not like miscreants can go war-driving through town zapping people dead.

The second vulnerability, CVE-2019-6540, concerns the lack of encryption in Conexus wireless transmissions. This means an attacker within range can listen in on the data being sent and received, and spy on the patient’s condition over the air.


Medtronic said it is working on a fix for both issues, and in the meantime urged doctors and patients to use the implants and controllers as usual.

“Medtronic recommends that patients and physicians continue to use these devices as prescribed and intended,” the med-tech giant said in its advisory [PDF].

“The benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited. These benefits include earlier detection of arrhythmias, fewer hospital visits and improved survival rates.”

Medtronic noted that its line of implanted pacemakers is not vulnerable to either of the flaws; only some of its heart defibrillators are.

This isn’t the first time Medtronic has made headlines for its lapses in security. Last year, researchers reported a similar issue when the programming units for pacemakers were found to be using insecure channels to download their firmware updates. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/22/medtronic_implanted_defibrillator_hackable/

Businesses Manage 9.7PB of Data but Struggle to Protect It

What’s more, their attempts to secure it may be putting information at risk, a new report finds.

Organizations managed an average of 9.7 petabytes of data in 2018, a 569% spike compared with the 1.45 petabytes they handled in 2016. Most see the value of data, and more are monetizing it, yet very few are confident in their existing tools’ ability to properly protect information.

This insight comes from Dell EMC’s third “Global Data Protection Index,” its most recent since 2016. Researchers polled 2,200 IT decision makers from public and private organizations across 18 countries and industries to learn about the state and maturity of data protection strategies.

What they found is businesses are managing much more data, nearly all (92%) recognize its value, and 36% are monetizing it. Still, most are challenged to secure it, and their attempts may be putting information at risk. More than three-quarters (76%) of respondents say their companies had “some type of disruption” within a 12-month period, and 27% couldn’t recover their data using their data protection tools – nearly double the 14% who said the same in 2016.

Coincidentally, 76% of respondents are using at least two data protection vendors, which researchers say makes them 35% more likely to experience disruption during a 12-month time frame than those with a single vendor. The most common types of interference among companies using multiple vendors were unplanned systems downtime (43%), ransomware attacks preventing data access (32%), and loss of information (29%).

“Organizations are valuing data more than ever before,” says Ruya Atac-Barrett, vice president of marketing of data protection at Dell EMC. “And that’s also driving more focus on how do you ensure availability of data, how do you protect data.”

System downtime may be more common, but data loss is more expensive. The businesses that experienced downtime struggled with an average of 20 hours lost in the past year, costing $526,845. Those that lost data lost an average of 2.13 terabytes, which has a price tag of nearly $1 million.

The downside of organizations placing greater value on data is cybercriminals recognize it, says Alex Almeida, consultant and product marketing lead with Dell EMC. “That also increases the risk because bad actors realize how much that data is valued to those businesses, and they try to exploit it,” he adds. This realization is driving the frequency of threats, like ransomware attacks.

Data Protection: Complexity and Compliance
The majority of respondents struggle to implement a data protection tool that sufficiently meets their needs, and 95% face at least one challenge related to securing their information.

Their biggest challenge, cited by 46% of respondents, is the complexity of configuring and operating data protection software and hardware, along with the price of storing backup copies. Next up is the lack of data protection for emerging technologies (45%), followed by ensuring compliance with regulations like the EU’s General Data Protection Regulation (41%).

“We saw regulation being more of a driver and a catalyst,” Atac-Barrett says. Now more so than ever, businesses think about what they need to do from a data management perspective. Only 35% are “very confident” their data protection strategies are compliant with regional regulation.

Then there’s the cloud factor: Most (98%) of respondents using the public cloud do so for data protection, the report shows. The top use case for cloud-based data security is backup services, which protect workloads developed in the cloud using new applications (41%), tied with backup of on-prem workloads and data (41%). Forty percent protect specific SaaS applications, and 40% use cloud-enabled versions of on-prem data protection software to protect public cloud workloads.

“Not only are companies trying to protect and make sure data is available, but 98% of organizations are leveraging public cloud as part of their protection strategies,” Atac-Barrett adds. Cloud will continue to be important in data security, with 64% of respondents saying scalability is important.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/analytics/businesses-manage-97pb-of-data-but-struggle-to-protect-it/d/d-id/1334225?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FIN7 Cybercrime Gang Rises Again

The group now employs a new administrative interface for managing its campaigns, as well as documents that link to SQL databases for downloading its code.

The FIN7 cybercrime group continues to wage cyberattacks even in the wake of the arrest last year of three of its key members: researchers say FIN7 now is deploying new tactics and continuing to target the financial accounts of hospitality chains, restaurants, and financial firms.

Since 2013, the group has stolen more than an estimated $1.2 billion. That includes the sale of 15 million pilfered credit- and debit-card records from at least 100 companies in 47 states in the United States as well as Australia, France, and the United Kingdom. Among the companies hit by the FIN7 group are Chipotle Mexican Grill, Arby’s, and Hudson’s Bay Brands’ Saks Fifth Avenue.

According to new research from Flashpoint, FIN7 most recently has deployed an administrative Web interface for managing specific operations and used a unique tactic of connecting to an SQL database to download updated code to compromised systems. The hacking group embeds scripts in documents sent to targets, and when those documents are opened, the scripts reach out to the attacker-controlled database, says Jason Reaves, a principal threat researcher at Flashpoint, which has issued an advisory on FIN7’s most recent operations.

“FIN7 is active again,” he says. “They were perhaps inactive around the time of the arrests … but returned to active campaigning in October or November 2018.” 

The group, also known as the Cobalt Group and Carbanak Group, consisted of dozens of members and was extremely successful. They stole data from more than 6,500 individual point-of-sale terminals at least 3,600 separate business locations, according to the Justice Department. 

In August 2018, however, the US Department of Justice announced that it had arrested three top members—Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov—earlier that year. Hladyr allegedly acted as a system administrator, maintaining the infrastructure that the group used to communicate, while Fedorov and Kolpakov managed the group’s other hackers, according to the DoJ.

Security experts did not expect the arrest of the three men to dismantle the group, and evidence around the time of the arrest announcements indicated that the group was still active, says Kimberly Goody, manager of intelligence analysis for security firm FireEye.

“We noted … immediately following the announcement of the FIN7 indictments that we had continued to see FIN7 activity past the date of the most recent arrest announced by U.S. law enforcement,” she says.

The group is well known for its sophisticated social engineering of targeted victims. In the most recent campaigns, the group has used techniques to track the percentage of documents that are being opened by targeted victims, Goody says.

“Selectively distributing the malicious payload can serve to limit the exposure of their malware and infrastructure,” she says. “There is also evidence to show that FIN7-affiliated actors engage in sometimes extensive communications with customer service representatives prior to sending any documents at all.” 

‘Astra’

The group has also recently created a custom attack-management interface based on PHP to manage each operation. Dubbed Astra, the custom panel helps the group manage the scripts used to conduct specific activities in the victim’s network. Astra allows the operator to push the attack scripts to compromised systems.

“This isn’t so much a malware control panel, it’s a custom administration and attack panel primarily used for attacking a network, pivoting, recon and further deliveries,” says Joshua Platt, principal threat researcher at Flashpoint. “Some of the tools could be automated for gathering information about the network, but some of the tools recovered also require manual interaction in order to be utilized from the infected system.”

One unique tactic is the use of a backend SQL database as a way to deliver new attacks and updated code. Links in the document call out to an attacker-controlled database and pull down new code from the Internet, says Flashpoint’s Reaves.

“The usage of SQL itself is not advanced, but the technique has not been seen before,” he said. “The idea of using a panel to launch attacks with a SQL database for harvesting information and delivering malware is pretty advanced.”

Companies should look out for newly added Windows tasks and any attempt to disable the Microsoft Update Service, Flashpoint warns. In addition, firms should use host-based detection agents that look for templates bearing the indicators of a malicious file.
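As an added example (not Flashpoint’s or FIN7’s code), here is detection logic for the two indicators named above, run over constructed Windows event records; the one-dict-per-event layout is an assumption, while event IDs 4698 (scheduled task created) and 7040 (service start type changed) are the standard Windows ones:

```python
"""Added example, not Flashpoint's code: detection logic for the two
indicators the article names, newly added Windows scheduled tasks and
attempts to disable the Windows Update service, run over constructed
Windows event records. The one-dict-per-event layout is an assumption; the
event IDs are Windows' own: 4698 = scheduled task created (Security log),
7040 = service start type changed (System log, Service Control Manager)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_CREATED = 4698
SERVICE_START_CHANGED = 7040
# Windows Update is "Windows Update" by display name and "wuauserv" by service name.
WU_NAMES = ("windows update", "wuauserv")
# Directories a normally installed task rarely runs from (analyst heuristic).
USER_WRITABLE = re.compile(r"(?i)(\\AppData\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%TEMP%)")
# Scheduled-task XML uses this namespace; spelled out so the lookup below is explicit.
_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def task_command(task_xml: str) -> str:
    """Return the Exec command of a task definition, or '' if absent or unparseable."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return ""
    node = root.find(".//%sExec/%sCommand" % (_NS, _NS))
    return (node.text or "").strip() if node is not None else ""


def check_new_task(event: Dict) -> Optional[Dict]:
    """Every created task deserves a look; one launched from a user-writable
    directory is escalated, since installers rarely place binaries there."""
    if event.get("EventID") != TASK_CREATED:
        return None
    cmd = task_command(event.get("TaskContent", ""))
    severity = "high" if USER_WRITABLE.search(cmd) else "medium"
    return {"rule": "new-scheduled-task", "severity": severity,
            "record": event["RecordId"],
            "detail": "%s -> %s" % (event.get("TaskName", "?"), cmd or "?")}


def check_update_service(event: Dict) -> Optional[Dict]:
    """7040 is written by the Service Control Manager for any start-type change,
    so this does not depend on recognising the tool that made the change."""
    if event.get("EventID") != SERVICE_START_CHANGED:
        return None
    msg = event.get("Message", "")
    low = msg.lower()
    if any(name in low for name in WU_NAMES) and "to disabled" in low:
        return {"rule": "update-service-disabled", "severity": "high",
                "record": event["RecordId"], "detail": msg}
    return None


def triage(events: List[Dict]) -> List[Dict]:
    """Run both checks over a batch of events and collect the alerts in order."""
    alerts = []
    for event in events:
        for check in (check_new_task, check_update_service):
            hit = check(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry). Paths and names are invented.
TASK_XML_SYSTEM = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Windows\System32\defrag.exe</Command></Exec></Actions>
</Task>"""
TASK_XML_APPDATA = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Users\jdoe\AppData\Roaming\svc\update.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4624, "Message": "An account was successfully logged on."},
    {"RecordId": 2, "EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": TASK_XML_SYSTEM},
    {"RecordId": 3, "EventID": 4698, "TaskName": r"\Updater", "TaskContent": TASK_XML_APPDATA},
    {"RecordId": 4, "EventID": 7040, "Message": "The start type of the Windows Update service "
                                                "was changed from auto start to disabled."},
    {"RecordId": 5, "EventID": 7040, "Message": "The start type of the Print Spooler service "
                                                "was changed from demand start to auto start."},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)   # records 2 (medium), 3 (high) and 4 (high) are reported
```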


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/analytics/fin7-cybercrime-gang-rises-again-/d/d-id/1334228?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Change your Facebook password now!

Oh, feet of clay!

Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.

In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that.

Like that: 123456789, or that: mypassword99, or that: jw45X$/6FsT8.

Plaintext passwords used to be the rule, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years, a bit like drink-driving has become not only technically illegal but also outright unacceptable on the road.

In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.

How did Facebook make such a basic mistake?

The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.

In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.

Instead, it looks as though some Facebook programmers have, over the years – back to 2012, according to cybersecurity journalist Brian Krebs – been careless when writing logfile entries.

In other words, instead of securely disposing of password data from memory after it’s been used to verify a login, they’ve allowed that data to stick around for a while, where it’s ended up in one or more logfiles where it simply didn’t need to be recorded, and shouldn’t have been.

It’s OK to keep access data such as username, timestamp, browser type, country and so on…

…but programmers are duty bound to dispose of data carefully and promptly if it isn’t supposed to be stored after it’s served its purpose.

Like passwords.

The idea is simple: if you bump password data out of memory the instant that you no longer absolutely require it, then no one else can accidentally leak it later on.

Simply put, you can’t lose data you don’t have.
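As an added example (not Facebook’s code), here is the careless logging pattern described above next to a login handler that drops the password before anything is logged, plus a scanner for auditing existing log lines for such leaks; the request field names and the log line format are assumptions:

```python
"""Added example, not Facebook's code: the careless logging pattern the
article describes, a hardened login handler that drops the password before
anything is logged, and a scanner that audits existing log lines for such
leaks. The request field names and the log line format are assumptions."""
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, List, Tuple

# Field names that must never reach a log (an assumed list; extend as needed).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new_password", "token"}


# --- The careless pattern -------------------------------------------------
def log_login_careless(request: Dict[str, str]) -> str:
    """Logs the whole request record 'for debugging'; the password rides along."""
    return "login attempt %r" % (request,)


# --- The hardened pattern -------------------------------------------------
def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 digest: what belongs on disk instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_verifier(stored: Dict[str, Tuple[bytes, bytes]]) -> Callable[[str, str], bool]:
    """Build a constant-time verifier over a {user: (salt, digest)} table."""
    def verify(user: str, password: str) -> bool:
        if user not in stored:
            return False
        salt, expected = stored[user]
        return hmac.compare_digest(hash_password(password, salt), expected)
    return verify


def handle_login(request: Dict[str, str],
                 verify: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Verify the password, discard it, then log only fields that are fine to keep.

    Returns (success, log_line) so the produced log line can be inspected."""
    # Pull the password out of the record the moment it is needed, so nothing
    # downstream (a debug dump, an exception handler) can pick it up later.
    password = request.pop("password", "")
    ok = verify(request.get("user", ""), password)
    del password  # this frame no longer references it
    line = "login %s user=%s ua=%s country=%s" % (
        "ok" if ok else "fail", request.get("user", "-"),
        request.get("ua", "-"), request.get("country", "-"))
    return ok, line


# --- Auditing logs that already exist --------------------------------------
# A sensitive key, a short separator (=, :, quotes, spaces) and a value. The
# value is matched so the hit is real but never returned, so the scanner does
# not re-leak the secret into its own report.
_LEAK = re.compile(r"(?i)\b(%s)\b\W{0,4}([^\s&,}'\"]+)"
                   % "|".join(sorted(SENSITIVE_FIELDS)))


def find_leaked_credentials(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, field name) for each line carrying a secret."""
    hits = []
    for n, text in enumerate(lines, 1):
        m = _LEAK.search(text)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample log lines (not real Facebook logs).
LOG_SAMPLE = [
    "2019-03-21T10:00:01Z INFO login ok user=alice ua=Mozilla/5.0 country=GB",
    "2019-03-21T10:00:02Z DEBUG request={'user': 'bob', 'password': 'mypassword99'}",
    "2019-03-21T10:00:03Z INFO login fail user=carol ua=Mozilla/5.0 country=DE",
    "2019-03-21T10:00:04Z DEBUG form: user=dave&passwd=123456789&remember=1",
]

if __name__ == "__main__":
    salt = os.urandom(16)
    verify = make_verifier({"bob": (salt, hash_password("mypassword99", salt))})
    req = {"user": "bob", "password": "mypassword99", "ua": "Mozilla/5.0", "country": "US"}
    print(log_login_careless(dict(req)))        # password visible in the line
    print(handle_login(dict(req), verify))      # (True, 'login ok user=bob ...')
    print(find_leaked_credentials(LOG_SAMPLE))  # [(2, 'password'), (4, 'passwd')]
```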

How bad is this?

Apparently, correctly bumping password data out of memory didn’t always happen in Facebook’s code.

A detailed audit by Facebook has now revealed, littered amongst the ziggabytes of data on its grillions of servers, what look like millions of passwords inadvertently saved to disk where they should never have been.

According to Krebs:

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook Lite is a stripped-down flavour of Facebook used in countries where mobile data plans are hard to come by and expensive.

Should I close my Facebook account?

We can’t answer that for you.

Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.

On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step.

In short, we’re not advising you to close your account, but we are suggesting you factor this lapse in coding quality into your overall decision on what to do next.

But you have to decide for yourself. (For what it’s worth, we’re not closing our account.)

Should I change my Facebook password?

Why not?

It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this.

But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before!), then they are ready for abuse right away.

Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.

So our advice is: don’t wait for Facebook; change your password now. (We already did!)

Should I turn on two-factor authentication?

Yes.

We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.

If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.

So we say: turn on 2FA now. (We did it ages ago!)

The short version

  • Change your Facebook password now. Don’t wait for Facebook to contact you.
  • Turn on 2FA if you haven’t already. It’s a small inconvenience for a big jump in security.

Then you can figure out whether you want to ditch your account, without making a snap decision you might later regret.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mMwcIHgcQeY/

New phisherman’s friends and a few old favourites slither out of WatchGuard’s Security Report

Attacks targeting a years-old – and patched – vulnerability in a Chrome extension for Cisco’s WebEx are on the increase, according to security outfit WatchGuard.

The vulnerability, which was disclosed and rapidly fixed at the beginning of 2017, allows malicious websites to remotely execute commands on Windows systems that have the extension installed.

The team noted that at the beginning of 2018, attacks targeting the vulnerability were “almost non-existent”. But by the last quarter of 2018, they had grown to account for 7.4 per cent of all network attacks deflected by the company’s Firebox devices.

The volume of incidents was enough to send the vuln straight in at number three in WatchGuard’s top 10 list of network attacks, and number two for web attacks.

In better news, WatchGuard reckons that malware has declined, dropping 28 per cent since the last quarter and 51 per cent since the same period last year. Alas, depressingly, zero day malware grew to account for 37 per cent of all threats.

This represents a problem for the industry because it is tricky to defend against the unknown. WatchGuard pointed to the use of AI and behavioural analysis in its technology. Microsoft, of course, does something similar in its Defender Advanced Threat Protection line, updated this morning. Whoever your AV vendor, the growth in zero day malware is a worry.

Mimikatz continued its reign at the top of the charts, accounting for a jaw-dropping 18 per cent of all malware. Following behind was malware variant Trojan.Phishing.MH, which spoofs an email that appears to come from the victim’s own address – the email warns victims that those behind the variant have somehow installed a Trojan that tracked the user’s activities.

If the victim doesn’t want their special moments in front of the screen broadcast to their contact list, it wheedles, then coughing up some bitcoin would be a good idea.

It’s nonsense, of course. But the fact this type of email has leapt into the number two spot (in both a real and metaphorical sense) is a sign that miscreants reckon there are sufficient gullible and easily embarrassed users out there to make it worth their while.

As for the most widespread malware, the cryptominer JS.CoinHive topped the charts. JS.CoinHive doesn’t actually download any files to a victim’s computer; instead, it is served up by a malicious or compromised web server and crouches in the user’s kit, churning through CPU as it does its crypto stuff.

Finally, the team reported that the APAC global region has returned to a distant third in the malware volume leaderboard, accounting for 17.4 per cent of detections versus 35.4 per cent for the Americas and 47.2 per cent for EMEA. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/watchguard_security_report/

Brit Police Federation cops to ransomware attack on HQ systems

The Police Federation of England and Wales (PFEW), a sort-of trade union for police workers, has been battling to contain a ransomware strike on the group’s computer systems, it confessed this afternoon.

In a statement posted on Twitter, PFEW said it first noticed the attack infecting its systems on Saturday 9 March, “with cyber experts rapidly reacting to isolate the malware to stop it spreading to branches”. It informed the ICO and the NCSC two days after the infection.

It added the attack “was not targeted specifically at PFEW and was more likely to have been part of a wider campaign”, saying that so far it reckons the malware had only affected the organisation’s Surrey HQ. It does not believe any data was extracted from its systems, reinforcing the notion that the incident could be down to run-of-the-mill ransomware.

“There is no evidence at this stage that any data was extracted from the organisation’s systems, although this cannot be discounted and PFEW are taking precautions to notify individuals who may potentially be affected,” said the association, which includes 120,000 constables, sergeants, inspectors and chief inspectors across 43 territorial forces.

The PFEW added in an FAQ: “A number of databases and systems were affected. Back up data has been deleted and data has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”

The federation tweeted: “As a precaution we are contacting individuals who are potentially affected, including our members, and will be providing them with further helpful information, including as to how they can make enquiries.”

Police workers reacted negatively to the news, with one posting on Twitter: “Why has it taken over 11 days to inform your members?”

The statement also contained the customary apologies, along with the insistence that PFEW took data security “very seriously” and had acted as soon as it was alerted to the malware.

BAE Systems’ Cyber Incident Response Division is the federation’s infosec firm. Perhaps unsurprisingly, police triggered a criminal investigation, having also involved GCHQ offshoot the National Cyber Security Centre and the National Crime Agency.

The federation carries out most of the functions of a trade union, inasmuch as it gives out advice to its members and engages with police managers on their behalf. However, there is one key difference: police constables are banned by law from going on strike. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/police_federation_ransomware_attack/

Live Regcast: Ex-CISO and coal-face engineer Scott King shares his advice on becoming a pragmatic security leader

Promo What does it take to reach a leading role in the security field? There are different paths to take to get there: some go directly from analyst to leadership, others have a more technical background in general IT, or excellent tactical skills acquired in a consultancy or vendor role.

The mental shift from tactical to strategic, from hands-on delivery to communicator and facilitator can be challenging. Communicating with business leaders requires a different approach to talking to technical teams and (as old habits die hard), it can be tempting to slip back into the weeds, especially if an incident occurs.

Tune in to our live webinar airing now to hear Scott King, an experienced systems engineer and former CISO at Boston-based security firm Rapid7, share the wide-ranging knowledge he has gained over his long career in IT security.

Scott offers valuable hints and tips on how to balance strategy and tactics, how to deliver at every stage, and how to understand the benefits of pragmatism in your security role. So, don’t miss out: hit up the link above.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/becoming_a_pragmatic_security_leader/

Kaspersky Lab takes bite out of Apple in Russia over borked parental controls app

Antivirus vendor Kaspersky Lab has lodged a complaint about Apple with the Russian competition authority.

It follows Apple’s rejection of Kaspersky’s Safe Kids app because of two features the latter regards as essential.

“According to Apple, the use of configuration profiles was against App Store policy, and Apple demanded that these be removed, so that the app could pass the review and be published in the store. For us, that would mean removing two key features from Kaspersky Safe Kids: app control and Safari browser blocking,” the Moscow-based company explained on its blog.

Apple has included parental controls in iOS for some time, and expanded on these in iOS 12.

“Parents can access their child’s Activity Report right from their own iOS devices to understand where their child spends their time and can manage and set App Limits for them,” Apple explained when it introduced the features.

So it’s really a very familiar story – a platform folding in features sold by third-party ISVs. Similar complaints dogged Microsoft as it incorporated features like file compression into MS-DOS, and later bundled a browser and a media player with Windows. Both issues were formally investigated by competition authorities in the United States.

Last week Spotify filed a complaint with the European Competition Commission over Apple’s 30 per cent “tax”, or cut of revenue. The streaming company argued this discourages software developers from converting free users to paying users via the App Store. A service such as Slack must acquire paying customers through its website or desktop app instead, which is not exactly a seamless mobile experience. Apple rejected the claims, responding: “Spotify wants all the benefits of a free app without being free.”

Kaspersky may get a sympathetic hearing. In 2017, the Russian regulator found Apple guilty of price-fixing the iPhone. Russia also fined Google for abusing its Android monopoly – but not very much.

We have contacted Apple for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/kaspersky_apple_in_russia_complaint/

Let’s spin Facebook’s Wheel of Misfortune! Clack-clack-clack… clack… You’ve won ‘100s of millions of passwords stored in plaintext’

Facebook today admitted it stored “some” of its addicts’ account passwords in a plaintext readable format. For “some”, read hundreds of millions.

The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession was, as far as we can tell, forthcoming from the Silicon Valley giant only after investigative journalist Brian Krebs blew the lid off the blunder.

Facebook said it realized its error in January, during a security review, and discreetly fixed the problem. Affected users can expect to receive a notification, although the Mark-Zuckerberg-run biz did not state if they would be required to change their password.

Keen to downplay the screw-up, Facebook protested that “these passwords were never visible to anyone outside of Facebook.” And as for insiders getting their hands on the credentials? In a not-very-reassuring statement, the creepy ad-slinger asserted: “We have found no evidence to date that anyone internally abused or improperly accessed them.”

The snafu affects hundreds of millions of Facebook Lite fans, tens of millions of other Facebook account holders, and tens of thousands of Instagrammers – somewhere between 200 and 600 million total, according to Krebs’ sources’ estimates.

As users logged in, their passwords were stored in a readable format that could be accessed via internal systems. Basically, it logged the credentials in plaintext, and Facebook engineers were allowed to peruse those logs while looking for bugs and faults, though we’re assured no one did anything bad with the sensitive data. This is the same biz that this month lied about how many teens were using its market-research-slash-surveillance app, and has repeatedly lied in the past, so take the statement with a pinch of salt.


Facebook Lite is the lower-bandwidth version of the platform, ideal for regions without the greatest connectivity. Such as, er, chunks of rural Blighty, for example.

We asked the snuff-flick slinger how long it had been storing passwords in this way, how many employees had access to the data and what controls it had in place to stop the data leaving its hallowed halls. Facebook has yet to reply. We understand at least some of the passwords were logged as early as 2012.

It has not been a great week for the social media giant, coming hot on the heels of an impressive 14-hour outage following a mystery “configuration change” and a quiet shuffling of feet and staring at shoes regarding its ad targeting system and discrimination.

The megacorp has the usual perfunctory advice for those twitchy about security, including not reusing passwords over multiple systems and picking strong and complex character combinations. It also suggests that two-factor authentication could be used.

Or just don’t use the thing at all. There’s a thought.

And as for the idiot visor announced yesterday, with a resolution quite some way behind HP’s Reverb device, which also debuted this week, we suspect that the “S” in Oculus Rift S stands for the same word users will utter when they get their password notification.

Spoiler: it isn’t “Super”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/facebook_passwords/

What the Transition to Smart Cards Can Teach the US Healthcare Industry

Healthcare information security suffers from the inherent weakness of using passwords to guard information. Chip-based smart cards could change that.

Given the copious amounts of sensitive data coursing through the US healthcare system, strong information security remains a high-stakes requirement for all players in the industry. Among the most obvious problem areas, healthcare information security currently suffers from the inherent weakness of using passwords to guard information access. Passwords remain an easy attack vector because humans pick easy-to-remember — and therefore hackable — words or phrases.

However, hope is on the horizon. Technology vendors and organizations are collaborating toward making a password-less future. But meanwhile, industries that store and share personally identifiable information can activate multifactor authentication (MFA) to buttress password protection. Given the successful rollout of chip-based cards for US consumer payments in the past few years, this form factor might be the best candidate for implementing MFA in healthcare.

Chip-based “smart” cards have become ubiquitous in the US since the middle of 2015, when they were distributed by payments issuers to combat the spike in data breaches and the resulting credit card fraud. This transition has reduced fraud, proved the sector can self-regulate and adapt to new systems, and demonstrated that American consumers will incorporate this form factor into routine practice. With three years’ evidence, it’s time we apply the lessons learned from financial services’ smart card implementation to secure access to medical records and other sensitive information of high interest to cybercriminals.

Reduce fraud: In the US healthcare sector, fraud, waste, and abuse are persistent problems. This begins with patient enrollment and continues with subsequent redundant information entry that is sometimes complicated by language barriers and improper patient identification. The adoption of a chip-based system for healthcare services provides an avenue to make things more efficient. For instance, a chip-based system would greatly improve the accuracy of data capture. In addition, the chip can help satisfy HIPAA access-control requirements and make medical identity theft harder in a physical setting in which care is being provided, because presenting the card requires possession of the chip rather than knowledge of a name and date of birth. This would also give insurers and providers a more accurate record of which services were actually consumed.

Invite self-regulation: Financial services and healthcare are among the most regulated industries in the US, with a combination of governmental and self-regulating organizations (SROs). The Federal Financial Institutions Examination Council, the Federal Deposit Insurance Corporation, and the Consumer Financial Protection Bureau are examples of government regulators, while Financial Industry Regulatory Authority and the Payment Card Industry Security Standards Council are influential SROs. Healthcare, currently regulated primarily by government bodies, could accelerate stronger security practices by incorporating industry bodies that have a financial and ethical responsibility to protect access to sensitive information, including patient data, research results, and other proprietary information. Giving hospitals, insurance providers, and other medical players a stake in industry practices could speed implementation and result in a better outcome in the long run.

Change industry relationships: Like the tension between merchants and card providers in the payments industry, a similar tension exists in the US healthcare system. While employers and the government bear much of the costs, the actual “payment” is typically processed through insurance companies. Financial services implemented changes by reversing previous policies regarding how fraud liability was handled; under the new chip-card way of working, card issuers covered fraudulent charges in situations in which merchants had adopted point-of-sale technology that allowed chip-based cards to be used, and liability shifted to merchants who had not. Healthcare could similarly drive change by mandating that providers integrate point-of-care terminals, or by otherwise seeking a parallel to that liability shift. When insurers negotiate prices with healthcare providers, they could expedite payments for those using chip-based cards or add fees for those providers not implementing chip-based cards.

Change consumer habits: The way that hundreds of millions of US consumers relatively quickly adapted to the move to chip-based cards holds promise for the US healthcare industry. Moreover, many American consumers now understand that the chip provides a stronger level of both security and fraud prevention than previously existed. This prepares the way for the healthcare sector to adopt chip-based cards. As a way to implement stronger identity protection, portability, and tracking, the equivalent chip for our health data could become a reality via our insurance cards in a manner that moves patient data with greater veracity and velocity.

Chip-based cards hold the potential to solve many of the ongoing problems in the US healthcare sector, and consumers are already accustomed to using this technology as a result of its implementation in the payments industry. The time is right to bring smart chip cards into the healthcare security equation.


Joram Borenstein, General Manager of Microsoft’s Cybersecurity Solutions Group
Joram Borenstein is the General Manager of Microsoft’s Cybersecurity Solutions Group and holds CISSP and CISA certifications. He has been on the Advisory Board of numerous cybersecurity startups, …

Article source: https://www.darkreading.com/endpoint/privacy/what-the-transition-to-smart-cards-can-teach-the-us-healthcare-industry/a/d-id/1334191?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple