January 18, 2017
Natalya Northrip, Carpedatumlaw.com, January 10, 2017
Businesses should take steps to protect usernames, email addresses, passwords, and security questions and answers.
A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. As part of a recent trend, some data breach notification statutes have been expanding the definition of PI, including by adding usernames and email addresses.
Dave Palmer, Itproportal.com, January 16, 2017
‘Trust’ attacks in the news
A new year, a new threat. Modern attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target – data integrity. In 2017 we expect to see attackers use their ability to hack information systems not just to make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in the data itself.
Gur Shatz, Darkreading.com, January 16, 2017
The word “ransomware” conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented. The fact that news stories measure the effect of ransomware in terms of cash helps grab the public’s attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016.)
Maria Korolov, Csoonline.com, January 17, 2017
As open source code becomes more prevalent in both commercial and home-grown applications, the number of attacks based on its vulnerabilities will increase by 20 percent this year, predicted Black Duck Software, which collects statistics about open source projects.
Brian Krebs, Krebsonsecurity.com, January 17, 2017
Adobe and Microsoft on Tuesday each released security updates for software installed on hundreds of millions of devices. Adobe issued an update for Flash Player and for Acrobat/Reader. Microsoft released just four updates to plug some 15 security holes in Windows and related software.
Kelly Jackson Higgins, Darkreading.com, January 11, 2017
All eyes may be on Russian and other nation-state hacking threats to power grids and other critical infrastructure facilities, but ransomware is already disrupting plants and, in at least one case, causing a power outage.
Jeremy Kirk, Bankinfosecurity.com, January 16, 2017
In early 2013, cybercriminals began deploying in Mexico what some security experts described as one of the most advanced pieces of malware that’s ever been built to steal money from ATMs. Nicknamed Ploutus, it evolved to become the first ATM malware that could be controlled remotely by a mobile phone.
Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 12, 2017
Although HIPAA requires healthcare organizations to conduct a periodic security risk analysis focused on systems containing protected health information, larger entities should also perform much more comprehensive security self-assessments, advises CISO David Loewy.
Michael Piscopo, Delta-risk.net, January 12, 2017
It’s a late Saturday morning and Joe Hacker (aka WF4EAK in underground hacking circles) fires up the software-defined radio (SDR) he bought online for $20 to listen in on the local hospital paging traffic. After all, he is trying to make a few extra bucks to buy a new Xbox, and selling healthcare information on the black market has turned into a lucrative side job. Let’s face it, organizations that are strictly following HIPAA guidelines and other healthcare regulations have made it harder to hack into hospitals. So how’s a hacker supposed to get to that protected healthcare information (PHI) to make some fast cash?
FTC Files Complaint Against Device Maker Concerning Alleged Failures to Reasonably Secure Routers and Internet Protocol (IP) Cameras
BuckleySandler LLP, Infobytesblog.com, January 13, 2017
On January 5, the FTC announced that it was initiating an enforcement action against a Taiwanese computer networking equipment manufacturer and its U.S. subsidiary. In a complaint filed with the Northern District of California, the FTC charged that the device manufacturer failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. Specifically, the FTC alleged that hackers could exploit these vulnerabilities using any of several “simple methods.”