Friday Five: 3/16 Edition
More microprocessor flaws, exposed healthcare data, and more -- catch up on the week's infosec news with this roundup!
In addition to the U.S. government, the Russian government has also been targeting critical infrastructure, like energy, nuclear, commercial, water, aviation, and manufacturing facilities, the Department of Homeland Security revealed Thursday. The news certainly isn't surprising, even less so if you've been keeping tabs on reports that have been released by security companies over the last several years. The news, which coincided with new sanctions against Russian individuals and entities, is still notable, even if many critics argued the sanctions weren't enough; it's not every day the U.S. points fingers, especially when it comes to cyber.
Stories about misconfigured Amazon S3 buckets, like cryptocurrency mining scams and data breaches, simply aren’t going away. When it comes to disclosing these foibles, two firms, Kromtech Security and UpGuard, are leading the charge. The former announced this week that MBM Company, a jewelry company that works in tandem with Walmart, is the latest victim. Customer names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and even plain text passwords were left out in the open. While leaving sensitive information like that out in the open obviously demonstrates poor security hygiene, the fact that the company wasn't encrypting passwords is plain negligent.
Speaking of sensitive data being left online: A data server configuration error at a chain of healthcare facilities left more than 33,000 patients’ data online for eight months, it was revealed. The issue affected BJC Healthcare, an organization that services 15 hospitals in and around St. Louis, at least until January 23, when the organization discovered the problem during an internal scan. BJC Healthcare declined to give additional details around the incident but claims it did put new processes in place "throughout the organization to prevent a similar error from occurring in the future."
4. Yahoo Judge Lets Hack Victims Seek Payback for Data Breaches by Jef Feeley and Scott Moritz
Yahoo has had a rough couple of years. There's been breach after breach, yes, but litigation around those breaches continues to percolate. A judge in California this week said that those affected by 2013's breach (yes, all three billion users) could theoretically sue if they're based in the U.S. The news comes just a week after the company reached an $80 million settlement with investors over claims execs at Yahoo concealed breaches to get its stock shares to rise.
Hands down the messiest story of the week, if not the story with the most loose ends and controversy, was the AMD chip vulnerability saga. ICYMI: On Tuesday, an Israeli cybersecurity firm, CTS, released findings that some AMD processors (EPYC, Ryzen, Ryzen Pro and Ryzen Mobile, to be specific) contained flaws. The findings had a website, names, and even shiny new logos. What was hazy was how much advance notice, if any, AMD had of the disclosure. "This company was previously unknown to AMD, and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings," AMD said Tuesday. Any doubt the bugs were legitimate was put to rest that afternoon when Dan Guido, CEO of Trail of Bits, acknowledged his firm verified the flaws (for a cost, $16K per Reuters). Was this disclosure process ethical? Do the flaws truly pose a risk? This story has so many tentacles we'll let you decide.