Subject: New York to crack down on hospital cybersecurity
Source: Becker’s Healthcare – Health IT
https://www.beckershospitalreview.com/cybersecurity/new-york-to-crack-down-on-hospital-cybersecurity.html
New York is planning to tighten regulation of hospital cybersecurity practices, according to draft rules reviewed by The Wall Street Journal. [sharable]The regulations will require hospitals to develop incident response plans, adopt secure software design practices for in-house applications and install security technologies such as multifactor identification, among other preventive measures.
…
Filed: https://www.beckershospitalreview.com/cybersecurity.html
RSS: https://www.beckershospitalreview.com/cybersecurity.feed?type=rss
Copyright © 2023 Becker’s Healthcare.
Source: Gizmodo
https://gizmodo.com/google-sues-hackers-ai-hype-alleged-bard-scams-1851016917
Ads for fake versions of Google’s generative AI tool, Bard, are showing up on Facebook to steal social media accounts of U.S. small businesses, according to a lawsuit from Google filed Monday.The phony Facebook ads ask users to download Bard, but the AI doesn’t need to be downloaded – it’s a completely web-based product. Naive users actually downloaded malware that stole social media credentials and compromised their accounts. Google’s lawsuit aims to disable any current domains related to the trap and bar the alleged fraudsters, located in Vietnam and India, from setting up any more. This is considered the first lawsuit to protect users of a major tech company’s flagship AI product, Google’s general counsel Halimah DeLaine Prado said to the Wall Street Journal Monday.
In a separate lawsuit also filed on Monday, Google sued a group of bad actors who abused copyright law to wrongly remove over 100,000 businesses’ websites, costing them millions of dollars and thousands of hours in lost employee time.
Source: heise online
https://www.bespacific.com/microsoft-lays-hands-on-login-data-beware-of-the-new-outlook/
“The free new Outlook replaces Mail in Windows, and later also the classic Outlook. It sends secret credentials to Microsoft servers. (This is a translation of this german article.) [English] The new Outlook is not what it seems at first glance: a replacement for Microsoft Office Outlook – at least not yet. What it definitely is, however: way too curious. Microsoft is singing the praises of the new Outlook and wants to persuade users to switch. But beware: if you try out the new Outlook, you risk transferring your IMAP and SMTP credentials of mail accounts and all your emails to Microsoft servers. Although Microsoft explains that it is possible to switch back to the previous apps at any time, the data will already be stored by the company. This allows Microsoft to read the emails….In a recent tech community article, Microsoft employee Caitlin Hart also explains that it will also replace the classic Outlook. However, unlike the Windows Mail and Calendar apps, the timetable for this has not yet been set.”
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.
Source: Gizmodo
https://gizmodo.com/zelle-begins-refunding-scam-victims-in-major-tone-shift-1851020583
The payments platform, Zelle, will now refund victims of imposter fraud, which cost Americans $2.6 billion in losses across the industry last year.Zelle, a payments app owned by seven of America’s largest banks, began reimbursing victims of imposter scams on the platform, according to an emailed statement from the company. Early Warning Services, the network operator of Zelle, says it will process refunds for scams dating back to June, which is a change of attitude by American bankers.
Zelle has always reimbursed certain victims, like if a hacker gets into your Zelle account and steals your money. This new reimbursement policy announced Monday, however, is a different category of fraud involving imposter scams, where users are duped into sending money to a fraudulent Zelle account claiming to be someone else. America’s largest banks have long tried to escape responsibility on this front.
…
*BONUS Article 1 * https://gizmodo.com/paypal-scams-crypto-bitcoin-customer-service-fraud-tax-1849556838
‘I Withdrew $15,000 Three Times’: 9 PayPal Scams We Can’t Believe People Actually Fell for
One of the most common scams of the 2020s, and one that popped up repeatedly in the complaints Gizmodo obtained, is the Accidental Overpayment Scam, a type of grift the FTC has been warning Americans about since at least 2004. Essentially, the scammer pretends to be part of some big financial institution like PayPal and deposits money into your account. Sometimes the deposited money is a “refund” for a charge that only existed on a fake invoice delivered via email. This big deposit was a mistake, the scammer says, so you’re asked to pay the money back in a different way. Often, the scammer will ask to be paid back in gift cards from Target, Walmart, or Apple. But the boldest of scammers will ask for cash to be mailed, as one did in perhaps the strangest complaints we obtained. The hapless victim complied, according to the complaint.
…
*BONUS Article 2 * https://gizmodo.com/old-bitcoin-wallets-security-flaws-randstorm-unciphered-1851020470
Millions of Old Bitcoin Wallets Have Critical Security Flaws, Experts Say. Bitcoin wallets older than 2016 could have a vulnerability that puts over $1 billion worth of cryptocurrency at risk, according to a report in the Washington Post.
According to Unciphered, a cryptocurrency recovery company, an untold number of crypto wallets were designed with baked-in flaws that leave a backdoor in the code that hackers could easily break open. Encrypted software systems like crypto wallets often rely on random number generators, but the company found that a significant number of wallets were built on open-source software that used numbers that aren’t nearly random enough. These vulnerable wallets use keys with numbers that are one in several thousand instead of one in a trillion, making them susceptible to brute-force attacks.
Source: Forbes
https://www.forbes.com/sites/thomasbrewster/2023/11/16/chatgpt-becomes-a-social-media-spy-assistant/
Social Links, a surveillance company that had thousands of accounts banned after Meta accused it of mass-scraping Facebook and Instagram, is now using ChatGPT to make sense of data its software grabs from social media.Most people use ChatGPT to answer simple queries, draft emails, or produce useful (and useless) code. But spyware companies are now exploring how to use it and other emerging AI tools to surveil people on social media.
In a presentation at the Milipol homeland security conference in Paris on Tuesday, online surveillance company Social Links demonstrated ChatGPT performing “sentiment analysis,” where the AI assesses the mood of social media users or can highlight commonly-discussed topics amongst a group. That can then help predict whether online activity will spill over into physical violence and require law enforcement action.
…
That’s a problem not just because this kind of technological eavesdropping could amplify inaccuracies or biases. It could also chill online discourse because everyone feels “that they’re being watched, not necessarily by humans, but by AI agents that have the ability to report things to humans who can bring consequences down on your head,” Stanley added.
ChatGPT maker OpenAI didn’t respond to requests for comment. Its usage policy says it does not allow “activity that violates people’s privacy,” including “tracking or monitoring an individual without their consent.”
…
He warned, however, that law enforcement must be transparent with its use of AI because of its reliability and bias issues. “There is never going to be a way of making AI unbiased,” he said, noting, as have others, that technologies programmed by humans reflect human fallibility.
Source: CISA
https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation-guide-healthcare-and-public-health-hph-sector
Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.For more information and resources, HPH entities are encouraged to visit CISA’s Healthcare and Public Health Cybersecurity Toolkit and Healthcare and Public Health Sector webpages.
NB
CISA | Cybersecurity and Infrastructure Security Agency
Contents
Introduction ………………………………………………………………………………………………………….. 3
Data Note …………………………………………………………………………………………………………….. 4
Mitigation Strategy #1 Asset Management and Security ……………………………………………….. 6
Focus Area 1: Asset Inventory……………………………………………………………………………………………….6
Focus Area 2: Securing Your Assets ………………………………………………………………………………………..8
Resources ………………………………………………………………………………………………………………………. 10
Mitigation Strategy #2 Identity Management and Device Security ………………………………… 11
Focus Area 1: Email Security and Phishing Prevention …………………………………………………………….. 11
Focus Area 2: Access Management ……………………………………………………………………………………… 13
Focus Area 3: Password Policies …………………………………………………………………………………………. 13
Focus Area 4: Data Protection and Loss Prevention ………………………………………………………………… 13
Focus Area 5: Device Logs and Monitoring Solutions ………………………………………………………………. 15
Resources ………………………………………………………………………………………………………………………. 15
Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management …………………. 16
Focus Area 1: Vulnerability and Patch Management……………………………………………………………….. 16
Focus Area 2: Configuration and Change Management……………………………………………………………. 18
Resources ………………………………………………………………………………………………………………………. 18
Shifting Towards a More Secure Future: Secure by Design ……………………………………………. 19
HPH Sector Vulnerability Remediation Guidance ………………………………………………………… 21
Conclusion …………………………………………………………………………………………………………… 23
Appendix #1 Glossary of Cyber Terms ………………………………………………………………………. 24
Appendix #2 Acronyms and Abbreviations ………………………………………………………………… 25
Resource Materials
Source: Ars Technica via Schneier on Security
https://www.schneier.com/blog/archives/2023/11/leaving-authentication-credentials-in-public-code.html
Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained at least one unique secret. Many secrets were leaked more than once, bringing the total number of exposed secrets to almost 57,000.
[…]
The credentials exposed provided access to a range of resources, including Microsoft Active Directory servers that provision and manage accounts in enterprise networks, OAuth servers allowing single sign-on, SSH servers, and third-party services for customer communications and cryptocurrencies. Examples included:
…
Site RSS feed: https://www.schneier.com/feed/
Source: AP via Nexstar Media Wire
https://www.nxsttv.com/nmw/news/ibm-eu-and-lionsgate-pull-ads-from-elon-musks-x-as-concerns-about-antisemitism-fuel-backlash/
(AP) – Advertisers are fleeing social media platform X over concerns about their ads showing up next to pro-Nazi content and hate speech on the site in general, with billionaire owner Elon Musk inflaming tensions with his own tweets endorsing an antisemitic conspiracy theory.IBM said this week that it stopped advertising on X after a report said its ads were appearing alongside material praising Nazis — a fresh setback as the platform formerly known as Twitter tries to win back big brands and their ad dollars, X’s main source of revenue.
The liberal advocacy group Media Matters said in a report Thursday that ads from Apple, Oracle, NBCUniversal’s Bravo network and Comcast also were placed next to antisemitic material on X.
“IBM has zero tolerance for hate speech and discrimination and we have immediately suspended all advertising on X while we investigate this entirely unacceptable situation,” the company said in a statement.
Apple, Oracle, NBCUniversal and Comcast didn’t respond immediately to requests seeking comment on their next steps.
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/fcc-adopts-new-rules-to-protect-consumers-from-sim-swapping-attacks/
The Federal Communications Commission (FCC) has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud. FCC’s Privacy and Data Protection Task Force introduced the new regulations in July. They are geared toward thwarting scammers who seek to access personal data and information by swapping SIM cards or transferring phone numbers to different carriers without obtaining physical control of their targets’ devices.
In SIM swapping attacks, criminals trick a victim’s wireless carrier into redirecting their service to a device controlled by the fraudster. Conversely, in port-out fraud or mobile number porting fraud, scammers transfer the victim’s phone number from one service provider to another without the owner’s authorization.
They both cause significant financial losses, identity theft, and distress for the victim, as they lead to unauthorized access to personal accounts and sensitive information.
“These scams – SIM swap and port-out fraud – don’t just put wireless account access and details at risk,” said Commissioner Geoffrey Starks.
“Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on.”
…
Filed: https://www.bleepingcomputer.com/news/security/
Topics:
Source: Vice via Sabrina
https://www.vice.com/en/article/m7bk3v/commercial-flights-are-experiencing-unthinkable-gps-attacks-and-nobody-knows-what-to-do
Commercial air crews are reporting something “unthinkable” in the skies above the Middle East: novel “spoofing” attacks have caused navigation systems to fail in dozens of incidents since September.
In late September, multiple commercial flights near Iran went astray after navigation systems went blind. The planes first received spoofed GPS signals, meaning signals designed to fool planes’ systems into thinking they are flying miles away from their real location. One of the aircraft almost flew into Iranian airspace without permission. Since then, air crews discussing the problem online have said it’s only gotten worse, and experts are racing to establish who is behind it.
…
While GPS spoofing is not new, the specific vector of these new attacks was previously “unthinkable,” according to OPSGROUP, which described them as exposing a “fundamental flaw in avionics design.” The spoofing corrupts the Inertial Reference System, a piece of equipment often described as the “brain” of an aircraft that uses gyroscopes, accelerometers, and other tech to help planes navigate. One expert Motherboard spoke to said this was “highly significant.”
…
There is currently no solution to this problem, with its potentially disastrous effects and unclear cause. According to OPSGROUP’s November update, “The industry has been slow to come to terms with the issue, leaving flight crews alone to find ways of detecting and mitigating GPS spoofing.”
…
Humphreys and others have been sounding the alarm about an attack like this occurring for the past 15 years. In 2012, he testified by Congress about the need to protect GNSS from spoofing. “GPS spoofing acts like a zero-day exploit against aviation systems,” he told Motherboard. “They’re completely unprepared for it and powerless against it.”
…
Source: Wired
https://www.bespacific.com/hemisphere-das-white-house-surveillance-trillions-us-call-records/
Wired [read free]: “A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality. According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well. The DAS program, formerly known as Hemisphere, is run ……
Filed in Wired Category Security: https://www.wired.com/category/security/
RSS: https://www.wired.com/feed/category/security/latest/rss