Security News

#RSAC: Realize the Harms and Benefits of Technology and Create Policies to Enable the Public

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Alex Stamos, adjunct professor at Stanford University’s Freeman-Spogli Institute, said that issues and decisions made by technology companies have angered people.

Stamos, who previously served as CISO of both Facebook and Yahoo, said that once he stepped out of those roles and “out of constant emergencies” he could see the bigger picture.

He said that “tradeoffs from a policy perspective are poorly understood by the public and usually go back to the engineering adage of do you want it done correctly, cheaply, or quickly—pick 1 of 3.” Stamos said this is a basic problem for society: people say they don’t want companies looking at their data, but stopping bad things from happening requires being able to see them. “Politicians say companies have to find the bad guys, but you cannot have two things.”

Another issue Stamos highlighted is the balance technology companies must strike in “solving societal ills”: they provide the platforms, while “every bad thing [that] happened [was] done by people.”

He said that companies have to “embrace transparency and make decisions in a transparent manner.” However, the line has to be drawn around bullying and harassment, as “nothing has changed since the last election.”

Stamos said that Google, Facebook, and Twitter came up with policies on political advertising “in closed rooms with no transparency,” and these will be the rules that the 2020 election will be fought on.

He recommended that the tech industry adopt a regulatory framework similar to the one Germany introduced for what speech is allowed online, but said it should consider how such a framework could be adopted by countries with reduced democratic freedoms. “Or you end up with tech companies who are happy if they get regulated if they can make money, as most people who use the internet don’t live in democracies, or if they do, it is with reduced free speech.”

Stamos concluded by saying that we “have to realize that technology has made changes in good and bad ways” and take responsibility for that.

#RSAC: Make Security a Business and a Technical Issue

Security is both a business and a technical issue, especially as businesses become more digital and have technical controls embedded into software.

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Phil Venables, board director and a senior advisor for risk and cybersecurity at Goldman Sachs Bank, said that treating cybersecurity as a business issue is important, but “to say it is not also a technology issue is a disservice” to those digital businesses.

Venables said there are three areas in which cyber must be managed as a business risk:

Enterprise Integration — Make this part of the fabric of business decision making.

  • Embed risk considerations into the enterprise governance apparatus.
  • Conduct risk assessments and establish a risk appetite.
  • Relentlessly integrate risk considerations into all business processes: strategic, capital, people, product.

Technology Integration — Make this a core part of how technology is built and operated, and secure products, not just security products.

  • Recognize that basic and relentless controls, hygiene/operational discipline are essential.
  • Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation.
  • Strive for ambient controls—in preference to expecting employees/customers to be a significant line of defense.

Venables recommended embedding security into your processes, using standards like those created by the CSA, and creating an environment of products that “are not jammed in after the fact.” He said: “Think about embedding control across the life cycle.”

Resilience and Recovery — Plan for failure and constantly exercise and drill.

  • Detect early, respond decisively, formalize accountability, and test constantly.
  • Limit the blast radius of potential events through business and technology process adjustment.
  • Integrate cybersecurity incident response with operational resilience.

Venables said organizations should consider how to maximize their response efforts. “Treating security as a first-class risk is about doing the simple things that have to be exercised relentlessly over many years,” he said, adding that security is “not a project that finishes anytime soon” but a perpetual part of the business DNA.

Looking forward, Venables said there are five areas of focus:

  1. Software security and reliability
  2. Usable security and ambient control
  3. Continuous assurance—continuous monitoring—provable security
  4. Operational resilience
  5. Adjacent benefits

He concluded by saying that as many organizations and customers become accidental software developers, we “need to make sure security is baked in.” He said that as users are enabled with tools and controls to increase software reliability, the user experience has to be considered, as it is a part of the supply chain.

Case Dropped Against Coalfire Pen Testers Accused of Burglary

Two employees of cybersecurity firm Coalfire who were arrested for an alleged burglary of an Iowa courthouse have had all charges against them dismissed. 

Gary Edward Demercurio, of Seattle, Wash., and Justin Lawson Wynn, of Naples, Fla., were arrested in September 2019 after being found inside the Dallas County Courthouse in possession of burglary tools. 

The two employees of the Colorado-based company were mistaken for criminals while conducting what a Coalfire spokesperson described as “a standard penetration test to protect Iowa citizens” for their client, the State of Iowa, on September 11.

Demercurio and Wynn, who were 43 and 29, respectively, at the time of the arrest, were both charged with felony burglary and the possession of burglary tools, which could have seen them jailed for a total of seven years each. 

Following discussions between representatives of Coalfire, the Dallas County Sheriff, and the Dallas County Attorney, the Dallas County Attorney decided to dismiss trespass charges against the duo.

Senior security consultant Wynn said: “It was a red team engagement with physical penetration included as part of it. It wasn’t the first physical breach that we did during that assessment. There were multiple facilities that we had already assessed, and it was the last one that we were coming around to. 

“They specifically requested that they wanted ‘after hours’ testing at these locations. The client said they wanted to see how their facilities could be breached and what the security vulnerabilities are that we’re working with.”

Demercurio said: “The original arrest was supposed to be for trespassing but that changed to felony burglary. From that point, we were arrested and taken to jail. We were there for about 24 hours.”

Wynn said that bail was set at $50,000 each for him and Demercurio after the local prosecutor deemed them “a flight risk.” The standard rate at which bail is set in Iowa is $5,000 per person.

Coalfire CEO Tom McAndrew said: “We are pleased that all charges are dropped in the Iowa incident. With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement.

“We’re grateful to the global security community for their support throughout this experience.”

FBI Arrests Man on Political Cyber-attack Charges

America’s Federal Bureau of Investigation has arrested a man on suspicion of cyber-attacking the political rival of a former US congresswoman.

Arthur Jan Dam was arrested by the FBI on Friday. The 32-year-old is accused of masterminding a series of DDoS (distributed denial-of-service) attacks that targeted an opponent of former congresswoman Katie Hill.

Dam is suspected of launching four DDoS attacks against the websites of Hill’s rival in April and May of 2018. As a result of the attacks, the victim’s website was down for approximately 21 hours, causing financial losses of $5,000.

The victim believes that the attacks were partly to blame for a political loss sustained in the June 2018 Democratic primary for California’s 25th congressional district.

According to the complaint, “The victim reported suffering losses, including website downtime, a reduction in campaign donations, and time spent by campaign staff and others conducting critical incident response.”

An investigation by the FBI found that the cyber-attacks originated from a single Amazon Web Services (AWS) account controlled by Dam, whose wife, Kelsey O’Hara, worked for one of Hill’s rivals. Geolocation revealed that the attacks were launched from Dam’s residence and also from his workplace.

The complaint states: “Dam was found to be connected to the cyber-attacks through subscriber information, IP addresses, geolocation history, and open sources, including through his employer and his wife, K.O., who worked for one of the victim’s opponents.”

According to Intercept, Dam provided $500 of free cybersecurity consulting services and graphic design to Hill’s campaign in 2018; however, no evidence was found by the FBI that linked Hill personally to the cyber-attacks. 

The websites of Jess Phoenix and Bryan Caforio—two of Hill’s Democratic party opponents—were struck with cyber-attacks in 2018, one of which was timed to coincide with a pivotal debate on April 28. Over the same period, no attacks against Hill’s website were reported.

In a statement released on Friday, Paul Delacourt, assistant director of the FBI’s Los Angeles Field Office, said: “Today’s arrest shows the FBI’s commitment to hold accountable anyone who interferes with an American’s right to vote or who deprives a candidate the right to compete fairly in an election.”

UW Medicine Facing Breach Lawsuit

The University of Washington School of Medicine is facing a class-action lawsuit over a data breach that impacted 974,000 patients. 

Plaintiffs claim UW Medicine failed to “properly secure and safeguard” patients’ personal health information (PHI), resulting in the exposure of data that included patient names, medical record numbers, and other healthcare data.

Earlier this month, UW Medicine reported that a misconfigured server had resulted in patient data being exposed online for a three-week period. The breach was identified when a patient came across a file containing their own PHI during a routine Google search and reported it to UW Medicine.

After an internal investigation into the incident, UW Medicine found that an employee error had left a database containing patient data exposed from December 4 to December 6, 2018. 

“Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results,” officials said at the time. “All saved files were completely removed from Google’s servers by January 10, 2019.”

UW Medicine said that the compromised data did not include financial information or Social Security numbers. Data that was exposed included details regarding what tests patients had undergone. 

Judging from the wording of the complaint filed in King County Superior Court, the plaintiffs aren’t certain exactly what information was exposed in the breach. Among other things, the plaintiffs are seeking an order that will require UW Medicine to “fully and accurately disclose the precise nature of data that has been compromised.” 

Plaintiffs also want UW Medicine “to adopt reasonably sufficient security practices and safeguards” to prevent any further breaches from occurring in the future. 

In 2015, UW Medicine agreed to take corrective action and pay the Department of Health and Human Services $750,000 following a 2013 breach, which exposed 90,000 patient records. The healthcare provider said the incident was the result of a malware infection. 

An audit of UW Medicine conducted at the time by the Office of Civil Rights found that the healthcare provider did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
