MISCELLANEOUS CYBERSECURITY NEWS:
A Lawsuit Threatens Critical US Cyber Protections - Three states are
suing to block security rules for water facilities. If they win, it
may open the floodgates for challenges to other cyber rules.
https://www.wired.com/story/epa-lawsuit-biden-cybersecurity-critical-infrastructure/
Former Ubiquiti dev who extorted the firm gets six years in prison -
A former senior developer of Ubiquiti was sentenced to six years in
prison for stealing company data, attempting to extort his employer,
and aiding the publication of misleading news articles that severely
impacted the firm's market capitalization.
https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-who-extorted-the-firm-gets-six-years-in-prison/
NIST Debuts New Cyber Guidance for Contractors Handling Sensitive Data
The National Institute of Standards and Technology is accepting
comments on the revised document through July 14. - Updates to
federal guidelines for protecting sensitive, unclassified
information were unveiled yesterday, emphasizing clarifications in
security requirements to better safeguard critical data.
https://www.nextgov.com/cybersecurity/2023/05/nist-debuts-new-cyber-guidance-contractors-handling-sensitive-data/386233/
US charges, sanctions Russian ransomware operator who leaked stolen
DC police data - The Treasury Department placed economic sanctions
on a Russian national whom U.S. prosecutors say has been "a central
figure" in multiple major ransomware operations since 2020.
https://www.scmagazine.com/news/ransomware/us-sanctions-russian-ransomware-operator-who-leaked-stolen-dc-police-data
MedEvolve pays OCR $350K penalty over ‘insufficient’ HIPAA risk
analysis - MedEvolve agreed to pay a $350,000 civil monetary penalty
to the Department of Health and Human Services’ Office for Civil
Rights to resolve possible violations of the Health Insurance
Portability and Accountability Act, including failure to perform a
risk analysis.
https://www.scmagazine.com/news/compliance/medevolve-pays-ocr-350k-penalty-over-insufficient-hipaa-risk-analysis
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Leak of MSI UEFI signing keys stokes fears of “doomsday” supply
chain attack - A ransomware intrusion on hardware manufacturer
Micro-Star International, better known as MSI, is stoking concerns
of devastating supply chain attacks that could inject malicious
updates that have been signed with company signing keys that are
trusted by a huge base of end-user devices, a researcher said.
https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/
Sysco Data Breach Exposes Customer, Employee Data - In an internal
memo sent on May 3, global food distribution company Sysco revealed
that it had suffered a data breach earlier in the year when
sensitive data on customers, employees, and the business was stolen
by cyberattackers.
https://www.darkreading.com/attacks-breaches/sysco-data-breach-exposes-customer-employee-data
Staten Island Hospital operating in network downtime amid ransomware
attack - Richmond University Medical Center (RUMC) in Staten Island
is currently recovering from a ransomware attack in network downtime
procedures, according to local news outlets. The attack was deployed
against the almost-500-bed hospital one week ago.
https://www.scmagazine.com/news/ransomware/staten-island-hospital-operating-in-network-downtime-amid-ransomware-attack
Data of 5.82M PharMerica patients stolen, accessed during
cyberattack - More than 5.81 million patients tied to PharMerica
have been notified that their data was accessed and stolen during a
March cyberattack. The long-term care pharmacy solution provider
reported the breach to the Office of the Maine Attorney General on
May 12.
https://www.scmagazine.com/news/ransomware/5-82m-pharmerica-patients-stolen-accessed-cyberattack
Toyota: Car location data of 2 million customers exposed for ten
years - Toyota Motor Corporation disclosed a data breach on its
cloud environment that exposed the car-location information of
2,150,000 customers for ten years, between November 6, 2013, and
April 17, 2023.
https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
Hack on Transportation Systems Exposes Employee Information - The
Department of Transportation breach exposed the data of 237,000
current and former employees.
https://www.nextgov.com/cybersecurity/2023/05/hack-transportation-systems-exposes-employee-information/386364/
EyeMed fined $2.5M after security ‘deficiencies’ spurred 2020 breach
- New Jersey, Oregon, Pennsylvania, and Florida reached a $2.5
million settlement with EyeMed Vision Care to resolve claims that
“deficiencies” in its security program caused a 2020 data breach
tied to over 2.1 million patients nationwide.
https://www.scmagazine.com/news/privacy/eyemed-fined-2-5m-after-security-deficiencies-spurred-2020-breach
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with
the Internet."
Logical Access Controls
A primary concern in controlling system access is the safeguarding of
user IDs and passwords. The Internet presents numerous issues to
consider in this regard. Passwords can be obtained through deceptive
"spoofing" techniques such as redirecting users to false Web sites
where passwords or user names are entered, or creating shadow copies
of Web sites where attackers can monitor all activities of a user.
Many "spoofing" techniques are hard to identify and guard against,
especially for an average user, making authentication processes an
important defense mechanism.
The unauthorized or unsuspected acquisition of data such as
passwords, user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a
system intruder.
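As an added illustration (not part of the FDIC text), the check below shows one defensive response to the risk just described: a password policy that rejects candidate passwords derived from the user's own profile data. It compares the password, its reversed form and a simple leetspeak-normalised form against the user ID, name, e-mail local part and phone digits. The sample profile and the substitution table are constructed assumptions.

```python
import re

# Assumption: a small illustrative leetspeak table, not an exhaustive one.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
MIN_FRAGMENT = 4  # ignore very short fragments such as initials


def _fragments(profile):
    """Yield (field, fragment) pairs of personal data worth checking."""
    for field, value in profile.items():
        value = str(value or "").lower()
        if field == "email":
            value = value.split("@", 1)[0]       # local part only
        elif field == "phone":
            value = re.sub(r"\D", "", value)     # digits only
        # Whole value plus its alphanumeric tokens ("john.smith" -> john, smith)
        for frag in [value] + re.split(r"[^a-z0-9]+", value):
            if len(frag) >= MIN_FRAGMENT:
                yield field, frag


def derived_from_profile(password, profile):
    """Return the profile field the password looks derived from, else None.
    Checks the lowercase password, its leetspeak-normalised form and the
    reverse of both for any fragment of the user's profile data."""
    pw = password.lower()
    normalised = pw.translate(LEET)
    variants = (pw, normalised, pw[::-1], normalised[::-1])
    for field, frag in _fragments(profile):
        if any(frag in v for v in variants):
            return field
    return None


def check_password(password, profile, min_length=12):
    """Return (ok, reason) for a candidate password under this policy."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    field = derived_from_profile(password, profile)
    if field is not None:
        return False, f"derived from the user's {field}"
    return True, "acceptable"


# Constructed sample profile (not real data).
SAMPLE_PROFILE = {"user_id": "jsmith", "name": "John Smith",
                  "email": "john.smith@example.com", "phone": "+1 (555) 867-5309"}
```

Calling `check_password("Sm1th2023!!!", SAMPLE_PROFILE)` rejects the password because, once "1" is read as "i", it contains the user's surname; a reversed "htimsnhoj123" is caught the same way.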
Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an
area of concern.
Security problems are often identified after the release of a new
product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely
publicized, and the identification of new bugs is constant. These
bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar
security concerns, especially when dealing with network software or
active content languages which allow computer programs to be
attached to Web pages (e.g., Java, ActiveX). Security flaws
identified in Web browsers (i.e., application software used to
navigate the Internet) have included bugs which, theoretically, may
allow the installation of programs on a Web server, which could then
be used to back into the bank's system. Even if new technologies are
regarded as secure, they must be managed properly. For example, if
controls over active content languages are inadequate, potentially
hostile and malicious programs could be automatically downloaded
from the Internet and executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.5 Malicious Hackers
The term malicious hackers, sometimes called crackers, refers to
those who break into computers without authorization. They can
include both outsiders and insiders. Much of the rise of hacker
activity is often attributed to increases in connectivity in both
government and industry. One 1992 study of a particular Internet
site (i.e., one computer system) found that hackers attempted to
break in once at least every other day.
The hacker threat should be considered in terms of past and
potential future damage. Although current losses due to hacker
attacks are significantly smaller than losses due to insider theft
and sabotage, the hacker problem is widespread and serious. One
example of malicious hacker activity is that directed against the
public telephone system.
Studies by the National Research Council and the National Security
Telecommunications Advisory Committee show that hacker activity is
not limited to toll fraud. It also includes the ability to break
into telecommunications systems (such as switches), resulting in the
degradation or disruption of system availability. While unable to
reach a conclusion about the degree of threat or risk, these studies
underscore the ability of hackers to cause serious damage.
The hacker threat often receives more attention than more common
and dangerous threats. The U.S. Department of Justice's Computer
Crime Unit suggests three reasons for this.
First, the hacker threat is a more recently encountered
threat. Organizations have always had to worry about the actions of
their own employees and could use disciplinary measures to reduce
that threat. However, these measures are ineffective against
outsiders who are not subject to the rules and regulations of the
employer.
Second, organizations do not know the purposes of a hacker --
some hackers browse, some steal, some damage. This inability to
identify purposes can suggest that hacker attacks have no
limitations.
Third, hacker attacks make people feel vulnerable,
particularly because their identity is unknown. For example, suppose
a painter is hired to paint a house and, once inside, steals a piece
of jewelry. Other homeowners in the neighborhood may not feel
threatened by this crime and will protect themselves by not doing
business with that painter. But if a burglar breaks into the same
house and steals the same piece of jewelry, the entire neighborhood
may feel victimized and vulnerable.