Tag Archives: exposure

[ISN] More than 80% of healthcare IT leaders say their systems have been compromised

http://www.computerworld.com/article/2975988/healthcare-it/more-than-80-of-healthcare-it-leaders-say-their-systems-have-been-compromised.html By Lucas Mearian Computerworld Aug 27, 2015 Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said. The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans. Sixty-six percent of the IT executives at healthcare plans who were surveyed said they were prepared to fend off attacks. Based on revenue, larger organizations are better prepared than smaller ones, KPMG said. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Most corporate risk due to just 1% of employees

http://www.csoonline.com/article/2975914/application-security/most-corporate-risk-due-to-just-1-of-employees.html By Maria Korolov CSO Aug 26, 2015 Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risk, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users. According to newly-released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, these users are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors. These users include both rank-and-file employees as well as super-privileged users, software architects, and non-human accounts used to perform automated tasks. According to the most recent Verizon data breach report, the two biggest attack vectors, responsible for more than two-thirds of all breaches last year, involved stolen credentials or phishing. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Heartland issues breach notification letters after computer theft

http://www.csoonline.com/article/2928928/disaster-recovery/heartland-issues-breach-notification-letters-after-computer-theft.html By Steve Ragan Salted Hash CSO Online June 1, 2015 In a letter to the California Attorney General, Heartland Payment Systems has disclosed a data breach impacting personal information. The letter states that the data exposure is the result of a break-in at one of their offices, which included stolen computers. The notification letter says that the theft took place at Heartland’s Santa Ana, California offices on May 8. The incident involved the theft of many items including password protected computers that might have contained Social Security Numbers and / or banking information that is processed by employers. “We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur. We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand,” the notification letter states. In 2008 Heartland was the victim of one of the world’s first major data breaches that exposed 130 million U.S. credit and debit cards. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hacked French TV network admits “blunder” that exposed YouTube password

http://arstechnica.com/security/2015/04/hacked-french-tv-network-admits-blunder-that-exposed-youtube-password/ By Dan Goodin Ars Technica April 12, 2015 The head of the French TV network that suspended broadcasting following last week’s hack attack has confirmed the service exposed its own passwords during a TV interview, but said the gaffe came only after the breach. “We don’t hide the fact that this is a blunder,” the channel’s director general Yves Bigot, told the AFP news service. The exposure came during an interview a rival TV service broadcast on the TV5Monde attack. During the questioning, a TV5Monde journalist sat in front of several scraps of paper hanging on a window. One of them showed the password of for the network’s YouTube account. As Ars reported last week, the pass code was “lemotdepassedeyoutube,” which translates in English to “the password of YouTube.” Bigot stressed that the passwords were broadcast only after the hack attack, which occurred overnight Wednesday when hackers compromised TV5Monde servers and social networking accounts. A TV5Monde manager told AFP that the gaffe came in the immediate aftermath of the hack attack, when network managers were scrambling to quickly hand out new temporary online access codes. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] 216 Jimmy John’s Gourmet Sandwiches Shops Suffer Data Breach

http://www.infosecnews.org/216-jimmy-johns-gourmet-sandwiches-shops-suffer-data-breach/ By William Knowles @c4i Senior Editor InfoSec News September 24, 2014 Somewhat Freaky Fast Notification. Champaign Illinois based Jimmy John’s Gourmet Sandwiches Shops have announced on Wednesday they were the latest business to suffer a credit card breach. Joining the ranks of Target, Neiman Marcus, Michaels, and Home Depot. Here’s the company statement: On July 30, 2014, Jimmy John’s learned of a possible security incident involving credit and debit card data at some of Jimmy John’s stores and franchised locations. Jimmy John’s immediately hired third party forensic experts to assist with its investigation. While the investigation is ongoing, it appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014. The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John’s stores. Approximately 216 stores appear to have been affected by this event. Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, e-mail, and password, remains secure. The locations and dates of exposure for each affected Jimmy John’s location are listed on AFFECTED STORES & DATES. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Identifying and mitigating healthcare IT security risks

http://healthitsecurity.com/2014/08/19/identifying-and-mitigating-healthcare-it-security-risks/ By Patrick Ouellette Health IT Security August 19, 2014 Being proactive in healthcare IT security means picking out risks before incidents occur, not after the fact. But the challenge is that potential risks are spread across a variety of areas within a healthcare organization. Blair Smith, Ph.D. Dean, Informatics-Management-Technology (IMT) at American Sentinel University, spoke with HealthITSecurity.com about security considerations for healthcare organizations. Smith was a professional IT consultant for a number of years and for the last 15 years was with the University of Phoenix, including the last five as the Dean of Information Systems prior to joining American Sentinel. With heavy experience in disaster recovery planning and said he always considered security a heavy risk area. What are some major security risks within healthcare at the moment? When I look at IT security for healthcare organizations, it’s not that much different from what many other retail or manufacturing organizations in that it’s a prominent topic. The key is to understand and identify areas of risk and potential exposure, and it’s where the HIPAA rules for risk assessment become very important. BYOD, for example, has its risks and benefits but from an industry perspective, the access to data housed [on the device] would be a concern. Similarly, cloud security opens another external pathway for data to possibly be exposed to a number of different risks such as inappropriate data access and loss. As we use more mobile devices, whether it’s a smart phone or tablet, those types of things really present a wide range of issues for security personnel. And what we’re seeing today is more hackers and outside threats bringing exposure and risks to organizations. For example, there’s the subject of single sign on (SSO) and how to have effective security controls while maintaining convenience. The idea is to move beyond prevention security to proactive response technology. How do we quickly mitigate and take care of any exposures. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] How healthcare can learn from retail’s IT security mistakes

http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ By Patrick Ouellette Health IT Security July 24, 2014 There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature? Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures. The days of organizations that put effort into IT security being only large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that leads him to believe healthcare organizations, large and small, across the country are focusing on information security. “First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.” Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there a lot of “bad actors” out there who like to steal data. There are main areas of focus that organizations should be beginning to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ By Dan Goodin Ars Technica April 7, 2014 Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data. The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. “Bugs in single software or library come and go and are fixed by new versions,” the researchers who discovered the vulnerability wrote in a blog post published Monday. “However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.” The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and a this analysis provides useful technical details. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail