NCCoE Seeks Comment from Manufacturing Sector for Industrial Control Systems

Protection of industrial control systems is crucial to the security of our country. The National Cybersecurity Center of Excellence (NCCoE) has announced a project for which it is seeking comment: Detecting and Protecting Against Data Integrity Attacks in Industrial Control System (ICS) Environments.

The project scope is to assist manufacturing organizations in taking a comprehensive approach to enhancing the security of their industrial control systems by leveraging the following cybersecurity capabilities:

  • behavioral anomaly detection
  • security incident and event monitoring
  • industrial control system application white listing
  • malware detection and mitigation
  • change control management
  • user authentication and authorization
  • access control least privilege
  • file integrity checking mechanisms

Commenters from the manufacturing sector are urged to submit comments by July 25, 2019.

KiK Sued by SEC Over $100M Initial Coin Offering

In a contentious move, the Securities and Exchange Commission (SEC) recently sued Kik Interactive Inc. for its Initial Coin Offering of $100 million, alleging it violated securities laws by not registering the offering with the SEC.

The SEC alleges that the fundraising of $100 million was illegal because it did not provide proper disclosures to investors.

Kik has launched a crowdfunding site to help raise money to defend against the suit.

Employers and Wellness Plans: Questions about Quest Breach?

Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information [view related post]. Another lab company reported days later that it was notified that the information of 8 million of its patients had been compromised as well; that total is now almost 20 million.

What we have been able to learn is that the records compromised were only those in collections, not all lab records. The Connecticut and Illinois Attorneys General are both investigating the facts.

Many self-funded health plans and wellness plans have asked us what to do if they use these two lab companies. Here are some thoughts.

First, we have been told that the self-funded and wellness program products were not affected. If confirmed, this would be good news. This means that normal labs and drug testing that employers perform or employees have taken should not be affected. But any labs that have not been paid, or are in collections, might be affected. Again, it appears that only information of collection cases is involved.

Nonetheless, there is a lot of confusion about the personal information of employees that may have been impacted, and about how to communicate with employees, who are understandably nervous and may have questions for employers and wellness plans.

The lab companies have not yet been told which patients’ personal information was compromised, so it is hard to evaluate which employees’ information, if any, was involved. The lab companies are trying to find that out from the collection agency, but this has not yet been accomplished.

Employees are asking questions, and most companies want to assist their employees, so they are trying to figure out next steps. Employees generally appreciate transparency about what their employer has been told by the lab company. Let them know in an email or other correspondence that you are trying to find out who was impacted, if anyone. If the lab company confirms that the only people who were impacted are those whose bills are in collection, and that affected employees are required to be notified under state or federal law, pass that information along, so they know they will be notified if their information was compromised.

Let them know that you are working on it, that you are in touch with the lab company to find out who was impacted, and that you will assist, if possible, your employees/members in the event their information was compromised.

Let your employees know that you will assist them and answer any questions you can should you learn relevant information. But until you find out what information was actually involved, other than offering support, there isn’t a lot employers can do to assist.

Amazon Prime Air’s Drone Design

Amazon CEO, Jeff Bezos, announced Amazon Prime Air, a delivery-by-drone initiative more than five years ago, and last week, Amazon revealed more information about its delivery system–the design. The Amazon delivery drone will use vertical takeoff and landing (VTOL) technology that is aerodynamic and “fully shrouded for safety.” Additionally, the drone features artificial intelligence to help it operate safely using sensors and advanced algorithms for detect-and-avoid capabilities while in flight. The drone’s artificial intelligence also uses these algorithms to detect people and animals from above. The drone can fly for up to 15 miles and make deliveries of packages under 5 lbs. in less than a half an hour. With Amazon’s “Shipment Zero” campaign (i.e., a goal of achieving 50 percent net-zero shipments by 2030), we are sure to see more of Amazon’s delivery drones hitting the skies soon–provided the Federal Aviation Administration and our national airspace are ready for them.

FAA Grants Waiver for Drone Use Over People

Last week, the Federal Aviation Administration (FAA) issued Hensel Phelps Construction Co. a Part 107 unmanned aerial system (UAS or drone) waiver to operate a parachute-equipped drone over people. However, the FAA clarified that while it granted the wavier for the use it did not certify or approve the parachute or the parachute system itself. The FAA only made a determination as to the safe operation of the drone.

This is the first time the FAA has collaborated with industry to develop a publicly available standard by working with a waiver applicant to make sure that the testing and data collected meet the FAA’s safety standard for drone operations over people. The FAA stated that this process is scalable, and may be available to other applicants who propose to use the same drone and parachute combination.

Privacy Tip #194 – NSA Issues Alert to Microsoft Windows Users

Many individuals and not-for-profit organizations, including those in the health care industry, believe that they do not have the resources to update to the newest versions of software. However, the newest versions are introduced by manufacturers to patch older versions that have known security flaws and vulnerabilities.

Microsoft Windows users have been warned repeatedly over the past several years to update to newer versions because of known security vulnerabilities that put the software and data behind it at risk. Unfortunately, some of those users have not done so, and attacks have crippled them, possibly including a recent one in Baltimore.

The widespread problem of the use of older versions of Windows has become so extreme that the National Security Agency (NSA) recently issued an advisory again telling Windows users that older versions contain a flaw known as “Bluekeep,” which could subject the user to a cyber-attack. The vulnerability makes computers susceptible to viruses and ransomware. It could even allow the attackers to remotely gain complete control of the system.

The fact that the NSA has issued this advisory shows how serious it is and how devastating it can be to individuals and companies. Now is the time to upgrade to newer versions of Windows to avoid becoming a victim.

Is Your Bed Bugged? Data-Collecting Mattresses and Sleep Apps May Give You Nightmares

When you next lie down to sleep, the bed may not your secrets keep. So-called “smart” beds, mattress pads, sleep apps, and fitness trackers with sleep options are collecting data on those who use them and sending that personal information back to manufacturers. The data gathered can include biometric information (i.e., heart rate, respiration), sleep positions, and movement (think about that one for a minute). Some even include microphones to track snoring.

According to an article by Julie Appleby published in Kaiser Health News, “Consumers are flocking to mattresses and under-mattress sensors aimed at quantifying sleep as well as sleep-tracking devices; sleep apps are among the most popular downloads on Apple and Android smartphones.” While such products can be useful to people interesting in monitoring their sleep patterns, consumers might not think about what personal data are being collected and how they are being used.

For example, the article reports that Sleep Number, a manufacturer of popular “smart” beds, collects more than 8 billion biometric data points every night, gathered each second and sent via an app through the internet to the company’s servers. Sleep Number reportedly analyzes the data not only to help consumers learn more about their health but also to support algorithms and improve their product. Company spokespersons state that Sleep Number goes to great lengths to protect consumers’ privacy and does not share biometric information outside of the company. However, according to the article, the company’s privacy notice states that personal information—potentially including biometric data—“may” be shared with marketing companies or business partners, and also that the company can “exploit, share and use for any purpose” personal information with names or addresses withheld or stripped out, known as “de-identified” data.

The privacy policies of many other devices that track and transmit personal information allow for the sharing of such de-identified data. Privacy experts, however, have shown it is “not terribly difficult to use or combine such information to ‘re-identify’ people.” Further, the article reports that information gathered by sleep trackers is not protected by federal privacy rules. And some sleep trackers or apps can connect with other “smart” devices in your home, such as a thermostat or coffee maker, which raises the possibility that those devices could be sharing information as well as increasing the risk of it being hacked.

This potential loss of privacy may be scarier than the monster under the bed. People who use “smart” sleep devices and applications are well advised to use encryption, strong passwords and additional authentication whenever possible. Consumers also should read privacy policies to better understand what information is being collected and shared, and may want to consider whether the value of information gained regarding their sleep habits is worth the privacy risk.

To read the full article, click on this title: “Your Wake-Up Call On Data-Collecting Smart Beds And Sleep Apps.” The publisher, Kaiser Health News, is a nonprofit news service covering health issues. It is an editorially independent program of the Kaiser Family Foundation, which is not affiliated with Kaiser Permanente.

China-Based Company is Believed to be Behind HiddenWasp Malware

Vicious malware continues to be deployed by China-based attackers. A new strain of malware, dubbed “HiddenWasp,” which has the ability to remotely infect computers, has been discovered by a security researcher at Intezar. The malware is believed to have originated from a Chinese forensics firm; the malware is hosted by servers owned by a Hong Kong-based company.

The malware is a Trojan that targets Linux systems and, to date, has not been detected by antivirus products. It is presently being used in targeted attacks. According to Ars Technica, and without getting too technical, the basic premise is that the malware “includes a Trojan, rootkit, and initial deployment script.” According to Intezar, review of the code shows that the computers that are infected with HiddenWasp have previously been infected, and HiddenWasp is then introduced into the already-infected computers. This means that companies may already be infected and not know it.

HiddenWasp is different and more dangerous than other malware that affects Linux systems in that it has the ability to remotely control computers after it is deployed and is able to download and execute code, upload files, and implement other commands. Usually, Linux malware is used to mine cryptocurrencies or implement a denial of service attack.

According to Intezar, because detection tools are unable to detect HiddenWasp and it stays “under the radar,” the security industry needs to be aware of it and “allocate greater efforts or resources to detect these threats.” At a minimum, companies are urged to “search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.”

For more information on the technical aspects of the malware, go to www.arstechnica.com.

Quest Diagnostics Reports Data Breach Affecting 11.9M Patients in Securities Filing

Another day in the healthc are industry, another big data breach.

This week, Quest Diagnostics announced in a security filing with the Securities and Exchange Commission, that a collection agency vendor that it uses for collection services notified it that for eight months, an unauthorized user had access to Quest patients’ records, including credit card numbers, bank account information, medical information, and personal information, including Social Security numbers. Quest has reported that no laboratory data of patients were involved.

Quest has publicly stated that it has stopped sending collection cases to the vendor. The vendor has stated that it is presently investigating the incident. It has taken down its web payments page, moved its online payments portal services to a vendor, and retained security experts to assist with the investigation.

CCPA Update

We have been watching all of the activity around the proposed amendments to the California Consumer Privacy Act (CCPA) to see where the law settles to assist with compliance.

Not surprisingly, but nonetheless important to know, is the fact that the California Assembly on May 29, 2019, unanimously passed an amendment to CCPA that excludes employee information from the definition of “consumer,” and therefore, employee information is not under the CCPA umbrella for compliance purposes.

Specifically, the definition of “consumer” in CCPA now excludes a person whose personal information has been collected if the person is “acting as a job applicant to, an employee of, a contractor of or an agent on behalf of” the company if the information has been “collected and used solely within the context of the person’s role” with the company. This, of course, means that if the employee or contractor is a customer of the company, CCPA may apply. It is only applicable to the information collected if the individual is a job applicant, employee or contractor of the company.

It is anticipated that the amendment will be signed by the Governor. This amendment is significant for companies that are in the process of developing a CCPA compliance program.

LexBlog