Security Leftovers
-
Python Infostealer Targeting Gamers, (Wed, Mar 1st)
They generate a lot of business around games.
-
Dumb Password Rules
Troy Hunt is collecting examples of dumb password rules.
There are some pretty bad disasters out there.
My worst experiences are with sites that have artificial complexity requirements that cause my personal password-generation systems to fail. Some of the systems on the list are even worse: when they fail they don't tell you why, so you just have to guess until you get it right.
-
Fooling a Voice Authentication System with an AI-Generated Voice
A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd's Bank.
-
Minneapolis Public Schools systems restored, no ransom paid
[Note: MPS’s phrase “encryption event” appeared to be a ridiculous – and dare we say, sleazy – attempt not to call it a “ransomware attack.” The district still has not described it as a ransomware attack.]
-
Businessman convicted of Experian data breach skips sentencing, court issues warrant for his arrest
A man who was convicted of fraudulently obtaining the personal data of millions of South Africans is a wanted man after he skipped his sentencing.
Karabo Phungula failed to appear in the Specialised Commercial Crimes Court, sitting in the Palm Ridge Magistrate's Court, for his sentencing on Wednesday.
It was the second time that he missed a scheduled court appearance in the case, in which he was accused of fraudulently obtaining a trove of personal and business data from the data services firm Experian in 2020.
Phungula, the founder of Hi-Pixel Communications, was convicted in October last year. On 14 February, he failed to appear in court for sentencing, citing ill health.
-
Nearly 800 people affected by possible data breach during College of the Desert malware attack last summer
College of the Desert has begun alerting the approximately 800 people who may be affected by a possible data breach during a malware attack last summer.
The malware attack occurred in early July. The attack took down the school's phone and online services for nearly the entire month.
-
HHS OCR creates new HIPAA enforcement arm and enhances focus on cybersecurity and privacy oversight
This week the U.S. Department of Health and Human Services, the agency responsible for HIPAA enforcement, announced the formation of three new divisions within the Office for Civil Rights (“OCR”). The new divisions – Enforcement, Policy, and Strategic Planning – are intended to enhance focus and efficiency in conducting HIPAA compliance reviews, developing policies related to HIPAA and health privacy, promulgating regulations, providing technical assistance, and educating the public about health privacy and cybersecurity requirements.
-
WHSmith targeted by hackers in cyber attack as company data at risk
High street retailer WHSmith has reported it has been the target of a cyber attack with hackers accessing company data.
The company said information regarding current and former employees had also been accessed by hackers during the security breach.
Bosses of the established retailer said the situation does not impact its trading activities and stressed that the brand’s website, customer accounts and customer databases were all safe, as they were operated on a separate system.
-
Lubbock Heart and Surgical Hospital sued for breach where no one knows for sure whether data was accessed or acquired
If the victim of a cyberattack cannot determine whether data was accessed or acquired, should that increase the damages sought by plaintiffs in a class action suit? Or should it get the suit tossed out because the plaintiffs can’t prove any theft of their data?
Kelly Mehorter reports about a class action lawsuit filed against Lubbock Heart and Surgical Hospital over a 2022 breach. The hospital notified 23,379 patients about a July incident in September 2022, but then updated their report in December 2022. The updated report frankly admitted, “Our investigation could not determine whether the unauthorized party did, in fact, access or copy any files but was unable to rule it out.”
-
Little Rock School District seeks cyberattack guidance
The Little Rock School District is continuing to seek an attorney general’s opinion on the legality of holding private school board meetings when reacting to a cyber- or ransomware attack on a district’s electronic information systems.
Little Rock Superintendent Jermall Wright sent a lengthy letter in January to the attorney general’s office asking how to appropriately balance a school board’s obligations for disclosure under state law with the risk of harm to students and employees that public discussion of a cyberattack could pose.
Eric Walker, staff attorney for the 21,000-student Little Rock district that experienced a cyberattack late last year, said this week that the matter is pending.
-
Doctor suspended over medical records breach
A doctor has been suspended from clinical duties and reported to the police on suspicion of accessing medical records without their subject's consent.
A spokesman for North District Hospital said in a statement published on Tuesday night that they discovered the breach after a member of staff reported that she suspected her medical records had been accessed improperly.
It said an investigation had found that a doctor had accessed the medical records of 29 individuals – including patients and healthcare staff – through the hospital’s Clinical Management System without their consent.
-
Texas waited two months to start informing 3,000 people that crooks copied their driver's licenses. DPS explains why.
After discovering in December that an organized crime group had obtained thousands of replacement Texas driver licenses, state public safety officials waited more than two months to publicly reveal the breach and start notifying those swept up in the operation.
The criminal effort, disclosed to lawmakers Monday by Texas Department of Public Safety Director Steve McCraw, targeted at least 3,000 Texans with Asian surnames, whose replacement licenses were then sent to Chinese nationals in the country illegally.
-
Sentara Health notifying 741 patients after mistake by Coronis Health employee
In a refreshingly straightforward breach disclosure, Sentara Health in Virginia reports that on December 19, an anonymous individual called their Compliance Hotline to alert them that, while searching for something online, the caller had stumbled across an exposed file with patients’ Medicare billing information. Sentara quickly verified the caller’s report and determined that the file had been uploaded to Adobe Acrobat’s site by an employee of a Sentara business associate, Coronis Health. The employee uploaded the billing remittance file on October 17.