CyberNews: Top of the news (27 Feb 2019)

Senator Warner Wants to Work with Healthcare Sector on Cybersecurity Strategy (February 21 & 22, 2019)

In an effort to strengthen cybersecurity in the healthcare sector, US Senator Mark Warner (D-Virginia) has sent letters to multiple healthcare organizations asking for their input in “develop[ing] a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector.” Among the questions Warner asks in the letter are whether the organizations have adopted any strategies to reduce vulnerabilities that they recommend be adopted across the sector and whether the organizations are using software or operating systems that are no longer supported.
Editor’s Note

HIPAA security rules have not only been ineffective in security, they have been counter-productive in digital medical records. They have resulted in the proliferation of both paper and electronic data with the consequential leakage and few of the promised advantages. It is time to tear up these rules and replace them with rules that are simple, effective, and measurable.

Read more in:
– Senator Seeks Input on Health Care Cyber Strategy
– Warner questions health care groups on cybersecurity
– Warner Seeks to Work With Healthcare Industry on Cybersecurity
– Warner Seeks to Advance Information Security in the Health Care Sector
– AHA Health Cyber Letter

DNC Cybersecurity Checklist for Candidates (February 22 & 25, 2019)

The US Democratic National Committee (DNC) has released an updated cybersecurity checklist for candidates and others involved in the 2020 elections to employ to protect their data. The list addresses the importance of not reusing passwords, of using a password manager, and of having separate password managers for personal and work accounts. It also strongly advises against using mail services other than those hosted by Microsoft (Outlook/Office 365) or Google (Gmail/G Suite) and strongly recommends using the HTTPS Everywhere browser extension.
Read more in:
– Device and Account Security Checklist 2.0
– DNC updates cybersecurity advice to protect candidates from hackers in 2020
– DNC unveils new security checklist to protect campaigns from cyberattacks
– Device and Account Security Checklist (PDF)

White House Releases New National Strategy for Aviation Security (February 20, 2019)

The White House has released an updated National Strategy for Aviation Security. The report enumerates the threats the “Aviation Ecosystem” faces, which include terrorists, hostile nation-states and foreign intelligence activity, the spread of infectious disease, and cyber threats, including connectivity, reliance on radio frequency spectrum, and proliferation of unmanned aircraft. The report also lists the roles and responsibilities of the various government agencies and the private sector with regard to the strategy.
Read more in:
– White House Orders Agencies to Defend the Skies From Cyberattacks
– National Strategy for Aviation Security of the United States of America December 2018 (PDF)

International Civil Liberties and Technology Coalition Files Submission Regarding Australia’s Encryption Laws (February 25, 2019)

A coalition of civil liberties advocates and technology companies has filed a submission regarding Australia’s encryption laws. The submission argues against Australia’s plan to force service providers to allow law enforcement to be secretly added to encrypted communications as “ghost users.” The group also voiced its opposition to plans to force companies to reveal source code to the government, to require phone makers to take screenshots and send them to law enforcement, and to impose gag orders on companies that receive technical capabilities requests from the government.
Read more in:
– Tech giants and civil liberty groups call out ghost cops and source code demands under Australian encryption laws

TurboTax Customer Data Exposed in Credential Stuffing Attack (February 22 & 25, 2019)

Some TurboTax customer data were exposed through a credential stuffing attack. Parent company Intuit temporarily disabled the hacked accounts. Affected customers will have to call Intuit and verify their identity to reactivate their accounts.
Editor’s Note

So-called “stuffing attacks” exploit a failure to resist brute force attacks by regulating logon attempts. Application providers should slow down the logon prompt after failed attempts. Slowing the prompt by minutes will resist brute force attacks with only minor inconvenience to a fat-fingered user. Users should not use the same password across applications.
Read more in:
– TurboTax Hit with Cyberattack, Tax Returns Compromised
– Tax Returns Exposed in TurboTax Credential Stuffing Attacks
– Example of TurboTax customer notification letter provided to Vermont Attorney General (PDF)
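The editor's suggestion of slowing the logon prompt after failed attempts, written out as an added example (not Intuit's code or anything from the newsletter): a per-account delay that doubles with each failure past a small free allowance, plus a per-source check for the stuffing signature of one origin trying many distinct accounts. The thresholds, the log-line format and the sample lines are all constructed for illustration.

```python
from collections import defaultdict

FREE_ATTEMPTS = 3        # failures tolerated before the prompt is slowed
BASE_DELAY = 60          # seconds; doubles with each further failure
MAX_DELAY = 3600         # cap so a locked-out legitimate user can recover
STUFFING_THRESHOLD = 20  # distinct accounts tried from one source (assumed value)


class LoginThrottle:
    """Per-account progressive delay plus a per-source stuffing check."""

    def __init__(self):
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.not_before = defaultdict(float)  # account -> earliest next attempt
        self.seen = defaultdict(set)          # source -> accounts it has tried

    def required_delay(self, account):
        """Seconds the prompt is held back once the free attempts are used up."""
        extra = self.failures[account] - FREE_ATTEMPTS
        return 0 if extra <= 0 else min(BASE_DELAY * 2 ** (extra - 1), MAX_DELAY)

    def attempt(self, account, source, password_ok, now):
        """Record one logon attempt at time `now` and return its outcome."""
        self.seen[source].add(account)
        if len(self.seen[source]) > STUFFING_THRESHOLD:
            return "blocked: suspected credential stuffing"
        if now < self.not_before[account]:
            return "throttled"           # prompt is still being held back
        if password_ok:
            self.failures[account] = 0   # success resets the penalty
            return "ok"
        self.failures[account] += 1
        self.not_before[account] = now + self.required_delay(account)
        return "invalid credentials"


def replay(log_lines):
    """Feed constructed 'time source account ok|fail' lines through the throttle."""
    throttle = LoginThrottle()
    outcomes = []
    for line in log_lines:
        ts, source, account, result = line.split()
        outcomes.append(throttle.attempt(account, source, result == "ok", float(ts)))
    return outcomes


# Constructed sample: a fat-fingered user mistyping four times and then getting it
# right too soon, followed by a single source spraying leaked passwords across
# many accounts, which trips the per-source check on the 21st distinct account.
SAMPLE = ["0 10.0.0.5 alice fail", "5 10.0.0.5 alice fail", "9 10.0.0.5 alice fail",
          "12 10.0.0.5 alice fail", "20 10.0.0.5 alice ok"]
SAMPLE += [f"{100 + i} 203.0.113.9 user{i} fail" for i in range(22)]
```

Alice's fourth failure at t=12 holds her prompt until t=72, so her correct password at t=20 is still refused with "throttled"; she only pays the minute the note describes.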

IARPA Virtuous User Environment (February 25, 2019)

The US Intelligence Advanced Research Projects Agency (IARPA) is developing the Virtuous User Environment (VirtUE), which uses containers to isolate different user functions. The idea is to limit damage from breaches by preventing intruders from gaining access to other networks.
Read more in:
– IARPA to offer potential cure for employees’ ‘linkclickitis’ disease
– Virtuous User Environment (VirtUE)

Electric Vehicle Charging Station Security Issues (February 25, 2019)

Researchers from the US Department of Energy’s (DOE’s) Idaho National Laboratory are looking into how hacking electric vehicle (EV) charging stations could affect the flow of power through local grids. The project involved running an attack on the EV station’s human machine interface (HMI) to communicate with the control system and increase the harmonic distortion of the energy flowing through the station. The project plans to examine how such increased distortions would affect local power grids. Idaho National Laboratory is working on the project with other DOE labs as well as utilities, charging station vendors, and a charging network operator.
Read more in:
– Power struggle: Government-funded researchers investigate vulnerabilities in EV charging stations
