Jun 182019

Zack Whittaker reports:

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers.

Read more on TechCrunch. It’s another could-have-awful-consequences exposure situation. And not surprisingly, the researchers who found it throw in references to HIPAA, although further down in their report, they acknowledge that x Social Media is not covered by HIPAA.

Throwing in references to HIPAA doesn’t help if HIPAA doesn’t apply — even though the public may want the standards of security and privacy to be upheld in the business sector. What would have been more on point for vpnMentor to mention would be any privacy policy for x Social Media or assurances about data security that may have been violated.

Think FTC, not HHS, folks.


Jun 172019

Alfred Ng reports:

Multiple government agencies are relying on a security measure that can be easily bypassed thanks to massive breaches like the Equifax hack, the US Government Accountability Office has found. In a report released Friday, the government watchdog group found that the US Postal Service, the Department of Veterans Affairs, the Social Security Administration and the Centers for Medicare and Medicaid Services have still been using “Knowledge-Based Verification” to make sure people who apply for benefits online are authentic.

This verification method asked applicants questions like their date of birth, Social Security numbers and addresses, assuming that only the applicant would have that information. But in Equifax’s breach in 2017, that information had been stolen from 145.5 million Americans, rounding out to more than half the US population.

Read more on CNET.

Jun 152019

Zach Clemens reports that Estes Park Health suffered a ransomware attack on June 2. No data was exfiltrated, but it was locked up, and after consulting with their cyberinsurer and IT people, they decided that they had to pay the ransom.

“At that point in time we are looking at the patients we have internally, we are looking at what is coming through the door and monitoring everything that was going on,” Leaming said.

And THAT’s what people who are not in healthcare don’t “get” when they blithely just advise entities to never pay ransom. If you are a healthcare facility you have to try to determine whether you can protect patient safety and health if you don’t pay the ransom. If your computer system got locked up but you have usable backups, then you are in a different situation than if your computer system was locked up and you’re the trauma center for your region.

“I think it is important to say that likely the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files,” Leaming said.

Leaming did not mention having usable backups, and that is something that I expect the insurer asked about and that OCR will ask about.

EPH had to pay a $10,000 deductible to the insurance company for their payment of the ransom. Yet Leaming did say that an initial amount was paid, and as they were unlocking files, they found more locks, which they had to go back and pay the hackers more.

It is not clear how much they paid, total. Nor do they reveal the type of ransomware used.

Read more on the Estes Park Trail-Gazette.

Jun 132019

Seen on d/darknetlive:

On June 12, French law enforcement arrested the three suspected administrators of the French DeepWeb Market, the largest darkweb market in France. The administrators are facing charges in connection with the drug trafficking that took place on the site and several related crimes.

Three people were detained on June 12 as part of an operation aimed at dismantling a major illegal dark web platform that sold drugs, weapons and forged documents, French news outlets reported.

This operation, the second of its kind within a year, targeted the “French Deep Web-Market” or “FDW-Market.” The market was considered one of the most prolific darkweb marketplaces in France with almost 6,000 buyers and 700 vendors.

Source: lefigaro.fr

You can read the full post on dread.

Jun 132019

Sergiu Gatlan reports:

A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users’ sensitive information from third party online services.

“Due to Evernote’s widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery,” says security company Guardio which discovered the vulnerability.

Read more on BleepingComputer.