INFOSECURITY NEWSLETTER
March 15, 2017
Hackers Exploit Apache Struts Vulnerability to Compromise Corporate Web Servers
Lucian Constantin, Csoonline.com, March 9, 2017
Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers. Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.
Mirai Is the Hydra of IoT Security: Too Many Heads to Cut Off
Michael Kan, Computerworld.com, March 14, 2017
Efforts to stop Mirai, a malware found infecting thousands of IoT devices, have become a game of whack-a-mole, with differing opinions over whether hackers or the security community are making any headway.
How Much Are Vendor Security Assurances Worth After the CIA Leaks?
Lucian Constantin, Pcworld.com, March 13, 2017
Following the recent revelations about the U.S. Central Intelligence Agency’s cyberespionage arsenal, software vendors reiterated their commitments to fix vulnerabilities in a timely manner and told users that many of the flaws described in the agency’s leaked documents have been fixed.
The Rise of Biometrics Is Not as Clear Cut as May Seem
Nicholas Fearn, Idgconnect.com, March 13, 2017
Advancements in technology and software have introduced new possibilities in the security and surveillance world over the past few years. Biometric innovation has, in particular, had a significant impact on cyber security practices right across the world.
It’s Time to Turn on HTTPS: The Benefits Are Well Worth the Effort
Lucian Constantin, Networkworld.com, March 14, 2017
After Edward Snowden revealed that online communications were being collected en masse by some of the world’s most powerful intelligence agencies, security experts called for encryption of the entire web. Four years later, it looks like we’ve passed the tipping point.
Navigating Clear Text Password Vulnerabilities
Paul Brandau, Delta-risk.net, March 10, 2017
Accessing Clear Text Administrative Passwords
In our last blog post, we showed how pen testers can use misconfigurations within Active Directory group management to escalate privileges. However, that technique is heavily dependent on having access to privileged or misconfigured accounts in the first place.
Shock Report: 92 Percent of US Government Websites Totally Suck
Kieren McCarthy, Theregister.co.uk, March 8, 2017
A new report into nearly 300 websites run by the US government has reached an unsurprising conclusion: they suck.
What may be startling, however, is just how much they suck. According to the Information Technology and Innovation Foundation (ITIF), a dramatic 92 per cent of the websites they reviewed had a significant flaw or failing – whether in terms of security, accessibility or speed.
Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI
Hipaajournal.com, March 6, 2017
A major breach of electronic protected health information has been discovered by Universal Care, dba Brand New Day, a Medicare-approved health plan.
On December 28, 2016, Brand New Day became aware that an unauthorized individual had gained access to ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider six days previously on December 22, 2016.
What Can We Learn From HIPAA Settlements?
Marianne Kolbasuk McGee, Healthcareinfosecurity.com, March 13, 2017
An important theme that emerges from the Department of Health and Human Services’ Office for Civil Rights’ dozens of HIPAA settlements and other enforcement actions is that all aspects of compliance are critical and subject to scrutiny by federal regulators, says former OCR director Leon Rodriguez.
5 HIPAA Items That Practices Should Focus on in 2017
Jim Johnson, Hitechanswers.net, March 9, 2017
With all the recent turbulence in healthcare surrounding Meaningful Use, ICD-10 and now the transition to the Merit-based Incentive Payment System, HIPAA has flown under the radar, in a sense, for some practices. However, in 2017 it’s important that practices make HIPAA compliance a priority. Here are five things we covered in a recent webinar on what all practices should focus on with regard to HIPAA compliance in 2017.