iPhone Users Targeted by New Malware Campaign

Cisco Talos has discovered a new menace to iPhone users—a sophisticated malware campaign targeting iPhones to trick users into downloading an open-source Mobile Device Management (MDM) solution that gives the hackers control of the phone. It is reported that Cisco and Apple are working together to combat the threat.

According to reports, once the MDM tool is downloaded and the hackers have control of the phone, they can steal information from the infected devices, including the phone number, serial number, location, contact information and basically everything else on the phone.

Cisco reports that the infected phones use iOS versions 10.2.1 to 11.2.6. It believes that the attackers were able to obtain the permissions required to infect the phones through extensive social engineering efforts.

Although the confirmed attacks against particular iPhone users are low, because they used malicious versions of Telegram and WhatsApp, security experts are warning users to be vigilant about downloading apps onto their phone, including mobile device management solutions, and to confirm that the MDM solution is sanctioned by employers or others issuing the solution.

Malware Attacks Up 75 Percent According to New Report

A new report issued by Positive Technologies finds that cyber incidents have increased 32 percent from the first quarter of 2017 to the first quarter of 2018. It also notes that the theft of account credentials is on the rise.

Alarmingly, the report states that the greatest increase in cyber-attacks was the use of malware attacks, which increased 75 percent from the first quarter of 2017 to the first quarter of 2018, and that malware was used in 63 percent of all attacks.

Spyware is used the most often, in order to obtain credentials to the system, and individuals continue to be the primary victims of malware attacks. Interestingly, 23 percent of malware attacks were conducted by cryptocurrency miners.

The report flagged the financial services industry, stating that IT professionals in the banking sector should be aware that hackers are targeting them not only to steal credentials, but also to gain sensitive access to client account balances, and that customer databases should be secured as much as possible.

MLB to Use Biometrics to Replace Traditional Ticketing

Traditional tickets (paper, that is) have already been replaced with mobile tickets for many Major League Baseball (MLB) stadiums across the country, but now, MLB has teamed up with CLEAR, which provides biometric authentication, to implement biometric ticketing at select stadiums. CLEAR will allow baseball fans to use their fingerprints, and eventually facial recognition, to enter the stadium. This program will begin later this season, and the full rollout will happen sometime next season.

In order for fans to use this CLEAR service, fans need to link their MLB.com account with a CLEAR account. MLB’s executive vice president, Noah Garden, said, “Our collaboration with CLEAR is an important new technology initiative, delivering safe, simple and seamless experience for fans. Developing a partnership that will truly unify emerging identity technology and ticketing is reflective of our commitments to always improving ballpark accessibility and maintaining critical security standards.”

Eventually, this program will expand to concession stands, allowing fans to pay for their food and drink with biometrics using their CLEAR accounts as well. CLEAR will even be able to validate the individuals age for alcohol sales.

Healthcare Industry Continues to Fight Cyber-Attacks at Alarming Rate—Healthcare Data Breaches Cost Average of $408 Per Record

It is clear that the healthcare industry continues to be targeted with cyber-attacks. In 2018, the 10 largest health care breaches, outlined here, include unauthorized access to protected health information (PHI) through a vendor offering claims processing, ransomware incidents, successful phishing schemes, mailing PHI to wrong addressees, hacking, a misdirected email, and a lost unencrypted hard drive. Most of these might have been prevented through greater employee security awareness.

A report by Positive Technologies [view related post] indicates that, overall, cyber incidents have increased 32 percent in 2018 from 2017, including a 13 percent increase in data theft.

A new Ponemon study for IBM Security states that the average cost of a healthcare data breach is $408 per record, compared to a $206 per record for a financial services data breach. According to the study, the overall average cost of a data breach globally is $3.86 million, which is an increase of 6.4 percent over last year, although the average cost of a data breach in the U.S. was $7.91 million.

It is being reported that for the first time ever, Ponemon and IBM analyzed the costs of breaches involving more than one million records. The estimated cost is $40 million, which rises to $350 million if there are over 50 million records involved. Interestingly, the report states that the biggest cost of these huge data breaches is the loss of customers, which has never before been quantified. The study estimates that the loss of customers for a 50 million record breach costs $118 million.

Even more interesting to this writer is the conclusion that rushing to notify individuals of an incident before all of the facts have been obtained increases the cost of a data breach by almost $5 per record. With the new GDPR 72 hour breach notification, companies should be aware of the increase cost associated with issuing notices before all of the facts are known, which is likely to be the case if notifications are issued within 72 hours.

DJI Enhances Geofencing Flexibility in its Drones

DJI, a leading drone manufacturer, has announced its strengthened commitment to enterprise drone users with new improvements to its geofencing system. Professional drone pilots with authorization to fly in sensitive locations can now use a streamlined application process to receive unlocking codes within 30 minutes. DJI’s geofencing systems uses GPS and other navigational satellite signals to automatically help prevent drones from flying near sensitive locations like airports, nuclear power plants and prisons. These improvements are carefully designed to help expand the uses of drones in sensitive areas that have been restricted in DJI’s geofencing system. While those sensitive areas will remain restricted for drone hobbyists (i.e., non-commercial pilots), DJI will now staff its global authorization team 24-hours a day to process applications and provide unlocking codes quickly for commercial operators.

Managing Director of North America, Michael Perry, said that DJI is hoping to “make it easier for authorized pilots to put drones to work in sensitive areas.” DJI said that it tries to process requests within 30 minutes, though some requests involving unusual circumstances or requiring additional documentation may need additional time. Commercial drone operators can apply to unlock restricted zones at DJI’s website.

Privacy Tip #148 – Medtronic MyCareLink Heart Monitors Vulnerabilities Identified

Wearable technology and medical devices have vulnerabilities just like anything else that is digital.

ICS-CERT recently issued an advisory about vulnerabilities in Medtronic’s MyCareLink patient heart monitors. These devices are implantable cardiac devices that transmit patients’ heart rhythms directly to a provider. The alert notes that vulnerabilities identified in the devices could be exploited by bad actors to allow the actor to access the operating system of the device. Of course, once a bad actor has access to a device, it can control the device, which could be detrimental to the patient.

The vulnerabilities are noted in all versions of Medtronic 24950 and 24952 MyCareLink Monitors. Medtronic has indicated that the risks to the monitors are controlled because a bad actor would have to have physical access to the monitor to exploit the vulnerabilities. Nonetheless, Medtronic is issuing a software update for the monitors and is urging patients to contact health care providers or Medtronic if their monitor exhibits any concerning behavior.

Not sure what that means, but apparently closely watching your monitor and confirming the software update has been applied is recommended by the manufacturer.

Massachusetts PATCH Act, Requires Additional Protection for Certain Confidential Health Care Information

Earlier this year, Governor Charlie Baker signed into law an Act to Protect Access to Confidential Healthcare (the PATCH Act), which prevents information regarding “sensitive health care services” from being shared with anyone other than the patient in the form of Explanation of Benefits (EOB) and Summary of Payment (SOP) forms. When more than one person is covered by the same medical insurance plan, sensitive health care information can be disclosed through the use of these common forms, sometimes including information on sexual assault, domestic violence, mental health disorders, or sexual and reproductive health. When the EOB or SOP is provided to the named policyholder—rather than the specific beneficiary that the services described therein relate to—the beneficiary’s confidentiality can be compromised.  Continue Reading

FDA Classifies St. Jude Defibrillators as Class 2 Recalls for Cybersecurity Updates

We have previously reported on the ongoing cybersecurity issues with St. Jude defibrillators [view related posts here, here, and here].

On June 29, 2018, the Food and Drug Administration (FDA) classified the required firmware updates to St. Jude defibrillators as Class 2 recalls, which is the medium-severity category of classifications that is applicable to issues where adverse health consequences are considered temporary or reversible.

The manufacturer of the defibrillators is pushing the firmware updates to approximately 740,000 units that are able to accept the update. The communication system to older devices that can’t accept the update will be disabled. Therefore, both the FDA and the manufacturer are recommending that patients with implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators get the updates during their next doctor’s visit.

Obviously, patients with older units should consult with their physician about next steps if their communication system will be disabled. The manufacturer recommends “a discussion of the risks of cybersecurity vulnerabilities and proven benefits of remote monitoring with patients at their next regularly scheduled visit.”

ReadyTech Settles With FTC Over Claims of Participation in Privacy Shield

Although the U.S. – E.U. Privacy Shield Framework has been intensely criticized by E.U. authorities, the Federal Trade Commission (FTC) continues to enforce violations of it by U.S. companies.

On July 2, 2018, the FTC issued a press release stating that it has settled its complaint against ReadyTech, a California-based online training company for “falsely” claiming that it was in the process of Privacy Shield certification when it was not.

According to the FTC, ReadyTech initiated a Privacy Shield application with the Department of Commerce (DOC) in October 2016, but never finished the application nor received confirmation of certification by the DOC. Nonetheless, ReadyTech held itself out as a company that was in the process of obtaining Privacy Shield certification in marketing materials. The FTC alleged thatReadyTech’s false claim that it was in the process of Privacy Shield certification violated the FTC Act as a deceptive act or practice.

The settlement requires ReadyTech to stop misrepresenting its participation in the Privacy Shield Framework and comply with standard reporting and compliance requirements.

The Consent Agreement will be published in the Federal Register and comments to it may be submitted through August 1, 2018.

This settlement is a strong reminder for companies to determine whether they have applied for Privacy Shield certification, how they are portraying certification in marketing or website materials, and to renew certification on a timely basis.

Millions of Adidas Customers Affected by Data Breach

Adidas has published a customer warning that its U.S. customers could be at risk from a security incident it discovered on June 26, 2018. In the warning, Adidas says that it will reach out to certain customers who purchased goods through its website with more details about the incident. It has been reported that the incident could have affected millions of Adidas customers.

Adidas says it is in the process of undergoing a thorough forensic review, but that the initial analysis indicates that the customer information compromised includes customers’ usernames, encrypted passwords and contact information. Even though it appears that usernames and encrypted passwords were involved, Adidas stated that it is not aware that any credit card or fitness information was compromised.

Nonetheless, those who have purchased items through the Adidas website may wish to consider changing their password for the Adidas platform.

LexBlog