New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)

Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information. Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA:

https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/

This does not mean we should stop using Two-Factor Authentication (2FA). We should still use 2FA, or Multi-Factor Authentication (MFA) wherever possible. What it does mean is that we need to be even more careful about checking to see that we’re on the correct web site before logging in.

Even with this tool, the most impressive fake site still cannot use the real site’s URL, so please ensure your organization’s cybersecurity training and awareness plan regularly highlights the ever-important task of checking the URL in your browser before inputting any credentials. Of course, tactics like punycode attacks and typosquatting can also be used to complicate verifying the URL; to help ensure your users access safe web sites, consider bookmarking those sites and training your users to only initiate a session with each site by clicking on that bookmark, and not links via other mediums, such as SMS text, other web pages or email.

Yahoo! Breach Class Action Poised to Settle

By Jon Washburn on October 29, 2018 Posted in Data Breach, Privacy, Security, Uncategorized

The Yahoo! class action over the 2013-2014 hacks, affecting 1 billion (later updated to 3 billion) accounts, is poised to settle for $85 million – and the provision of free credit monitoring services for 200 million account holders for 2 years.

While $85 million may seem like a relative bargain compared to the $350 million Verizon knocked of the sale price during the purchase of Yahoo!, the real cost is likely in the credit monitoring service. As this article notes, the current market rate for a credit monitoring subscription is about $14.95/month, or $359 per person for 2 years. Multiply $359 by 200 million people, and at full retail price they’d be looking at a $71.8 billion price tag! Of course Yahoo! won’t pay anywhere near that rate. Plus, many of the ~200 million people that held those 1 billion accounts may already have credit monitoring, and may not elect to opt in.

The settlement didn’t disclose how much Yahoo! would be paying for the credit monitoring service. Nevertheless, as an exercise let’s say Yahoo! gets a 95% discount on the rates (down to about $17.95 per person for 2 years) and only 25% of the 200 million people opt in. That would still be an $897.5 million expense over 2 years. Considering they’re willing to settle, and experts were estimating the average value of each account at $1 and $8 each – for 1 billion accounts – the total cost of this should be somewhere south of $1 billion. However much it ends up being, this is yet another illustration of the significant impact data breaches can have on expenses and value.

A link to the filed settlement agreement can be found here.

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

By Sarah Bimber on October 18, 2018 Posted in Cyber Attack, Data Breach, HIPAA, Regulators, Security

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement is the largest in HIPAA-enforcement history, far exceeding the previous record of $5.5 million paid by Memorial Healthcare in 2017.

OCR investigated Anthem following its report that a series of cyber attacks in 2014 and 2015 resulted in theft of the electronic protected health information (ePHI) of nearly 79 million members of its affiliated and other covered entity health plans. In addition to Anthem’s failure to implement sufficient safeguards to prevent and detect the inappropriate access to its systems, OCR also found that Anthem had:

Failed to conduct an enterprise-wide risk analysis
Insufficient procedures to regularly review records of information system activity
Failed to identify and respond to suspected or known security incidents
Failed to implement adequate minimum access controls to prevent unauthorized access to ePHI

A link to the Resolution Agreement between Anthem and OCR is available here.

It is not surprising that the largest HIPAA breach to date would result in the largest settlement to date, and this is a strong signal of this administration’s interest in leveraging its penalty authority to make an example of organizations that have large data breaches. Organizations of all sizes should take note, however. While penalties are imposed in only a small fraction of the incidents reported to OCR, any significant data breach will result in an OCR investigation that may bring inadequacies of privacy and security safeguards to light.

If you have questions or concerns about your HIPAA compliance posture or your information security and governance plans, we are ready to help.

The Senate Commerce Committee held a second hearing on consumer data privacy, this time with privacy advocates

By Jon Washburn on October 12, 2018 Posted in ePrivacy, Events, Privacy

This past Wednesday, the Senate Commerce Committee held another hearing on consumer data privacy, this time giving voice to prominent privacy advocates. Previous testimony in September from leading technology businesses focused on concerns with the complexity of having to comply with a patchwork of different state privacy regulations, broad definitions of “personal information” in the California Consumer Privacy Act (CCPA), and a desire to see Federal legislation enacted that would preempt state laws and create a single, unified US privacy law.

While a national privacy law would simplify compliance, in Wednesday’s hearing Nuala O’Connor, the President and CEO of the Center for Democracy & Technology, cautioned the committee that the “price of preemption would be very, very high”, and Laura Moy, Executive Director and Adjunct Professor of Law at the Georgetown Law Center on Privacy & Technology, laid out in her written testimony six strong recommendations that we should expect to see in any proposed national standard: Continue Reading

NIST announces project to develop new Privacy Framework

By Jon Washburn on September 17, 2018 Posted in Announcements, ePrivacy

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced recently that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. According to NIST Director Walter G. Copan, “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections.”

With a wide variety of privacy laws both nationally (many states have specific privacy laws, and all 50 states have breach notification laws) and internationally, an effective solution will need to be comprehensive enough to meet as many diverse privacy requirements as possible without being so onerous that it limits innovation and product development. It will also need to be flexible enough to respond over time to individuals’ changing expectations, and the continued expansion of the Internet of Things (IoT.)

NIST will be kicking off their first workshop for this conference on October 16th at the IAPP Privacy. Security. Risk. 2018 Conference in Austin, Texas, and will be posting a recording of this event on their Privacy Framework website, so stay tuned …

When was the last time you looked at RDP access?

By Jon Washburn on August 15, 2018 Posted in Cyber Attack, Cyber Crime, Data Breach, Security

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down.

In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible over the internet using Remote Desktop Protocol (RDP). Searching for devices using a tool such as Shodan will reveal thousands of IP addresses accessible over the Internet on port 3389, the default RDP port. While many devices using RDP may be secure, large numbers likely are not. The combination of efficient search and readily-available brute-force hacking tools allows bad actors to more easily exploit RDP vulnerabilities.

If you’re not using RDP, consider blocking port 3389 at your firewall.

If you are using it, or you don’t know, we recommend taking these steps to help protect your organization from RDP attacks:

– Review your RDP configuration to ensure that it is as secure as possible (patching, updated software, etc.)

– Limit RDP access to only those users and devices that need it.

– Consider enhancing remote desktop security by installing a Remote Desktop gateway.

– Have an “account lockout policy” that will lock out user accounts after a certain number of failed login attempts, which will help thwart brute-force hacking attacks.

– Have a strong password policy.

– Implement two-factor authentication to ensure that a compromised password alone can’t let a bad actor onto your systems.

New threat targeting old medical imaging equipment

By Jon Washburn on April 30, 2018 Posted in Cyber Attack, Cyber Crime, HIPAA, Industrial Control Systems, Security

Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use:

https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/

While this group seems to be limiting their actions to reconnaissance and compromising systems vs. patient information, that doesn’t mean they couldn’t pivot to some other form of mischief on the systems they’ve compromised.

While some people might find it shocking to learn that their medical provider is still using Windows XP, it can be tough to get budget approval to replace a $2M MRI machine that still makes perfectly good images just because you can’t upgrade the Windows OS. Eventually these outdated devices will have to be replaced – but until then, in addition to updating them as much as possible, here are some compensating measures owners of these systems should put in place to help reduce the chance of, or spread of, an infection:

Isolate the equipment on the network: don’t allow the old MRI machine to talk to anything on the network it doesn’t absolutely have to talk to, especially the Internet
Limit elevated access to the device: no one should have “administrator” access other than the people who maintain the equipment. Why would your physicians need to (or even want to) install updates?
Limit the use of mapped drives and file shares: ensure the output of your devices is securely transferred to a system that manages your medical imaging output, vs. just dropping the output on open file shares. If you can see a file share, whatever’s on the file share can also see you…
Control removable media ports: reduce the chance that an infected USB drive could compromise the device by limiting how they are used, or disabling them altogether
Monitor the equipment closely: knowing about a potential compromise as soon as possible could limit the potential impact
Subscribe to ICS-CERT: the Industrial Control Systems Cyber Emergency Readiness Team sends out alerts on a wide variety of industrial control vulnerabilities, including medical devices

Visiting With SKW Schwarz at IAPP’s Global Privacy Summit

By Amy Carlson on April 9, 2018 Posted in EU, Events

Hunter Ferguson and I were joined by Dr. Matthias Orthwein and Dr. Volker Wodianka at IAPP’s Global Privacy Summit 2018. We had many interesting discussions about GDPR, German data privacy law and DPO services. Our firms, Stoel Rives LLP and SKW Schwarz Rechtsanwalte are members of TerraLex ®, an international network of 155 leading independent law firms serving the business needs of clients around the globe. You might find SKW Schwarz’s Introduction to the German Federal Data Protection Act to be useful if you are doing business in Germany!

France – CNIL

By Amy Carlson on April 9, 2018 Posted in EU, Regulators

France’s Commission Nationale de l’Informatique et des Libertés (“CNIL”) provides great tools and resources as well.

CNIL recently updated its Privacy Impact Assessment (PIA) Guides which include application to connected objects, methodology, template and knowledge bases.
CNIL also recently updated its PIA software tool in four languages that companies can use for compliance.
CNIL provides guidelines for processors under GDPR: A Guide to Assist Processors.
CNIL provides guidelines on Data Protection Impact Assessments as well as a useful DPIA infographic.

Germany – BfDI

By Amy Carlson on April 9, 2018 Posted in EU, Regulators

Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit published the Federal Data Protection Act to adapt GDPR. Germany provided some extensive guidance on GDPR here. Germany also publishes the standard data protection model, SDPM, in English on its site. Also available from the site are guidance materials about GDPR from the German Data Protection Conference, Datenschutzkonferenz or DSK: