Friday Five: 3/9 Edition
DDoS attacks, data breach settlements, and dark web crackdowns -- catch up on the week's infosec news with this roundup!
Last week's massive DDoS attacks, the largest ever recorded, apparently have an Achilles' heel. Researchers with Corero, a DDoS mitigation firm, said this week that the source of the attacks, the Memcached vulnerability, could be suppressed. The "kill switch," as the firm calls it, sends a command back to an attacking server that invalidates that server's cache. Last week's attacks against GitHub seemingly came out of nowhere. The first blast was measured at 1.35 Tbps and persisted for eight minutes; the second spiked at 400 Gbps. The amplification attacks leverage Memcached, an open source memory caching system that stores data in RAM to speed up access times.
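To make the amplification pattern concrete from the defender's side, here is an added example (not code from the original post, Corero or GitHub) that flags Memcached reflectors in constructed flow records; it assumes a simple whitespace-separated flow format and relies on the fact that Memcached listens on port 11211.

```python
"""Flag Memcached amplification in NetFlow-style records (added example).
Records are constructed; the format is an assumption, not a real tool's."""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flows: proto src_ip src_port dst_ip dst_port bytes.
# The tiny UDP "requests" carry the victim's spoofed address; the replies
# from the reflectors are thousands of times larger.
SAMPLE_FLOWS = """\
udp 198.51.100.7 11211 203.0.113.10 80 51200
udp 203.0.113.10 80 198.51.100.7 11211 15
udp 198.51.100.8 11211 203.0.113.10 80 49800
udp 203.0.113.10 80 198.51.100.8 11211 15
tcp 198.51.100.9 11211 192.0.2.5 40233 1200
tcp 192.0.2.5 40233 198.51.100.9 11211 60
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def amplification_report(flows, min_factor=10.0):
    """Return {reflector_ip: factor} for UDP/11211 reflectors whose bytes
    toward a host exceed min_factor times the bytes that host sent them."""
    sent = defaultdict(int)   # (victim, reflector) -> bytes "from" victim
    recv = defaultdict(int)   # (victim, reflector) -> bytes reflector returned
    for f in flows:
        if f["proto"] != "udp":
            continue          # reflection needs spoofable UDP; TCP is excluded
        if f["dport"] == MEMCACHED_PORT:
            sent[(f["src"], f["dst"])] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            recv[(f["dst"], f["src"])] += f["bytes"]
    report = {}
    for key, out_bytes in recv.items():
        factor = out_bytes / max(sent.get(key, 0), 1)
        if factor >= min_factor:
            report[key[1]] = round(factor, 1)
    return report
```

Hosts listed in the report are exposed Memcached instances answering over UDP; the mitigation on the operator's side is to stop serving UDP on 11211 and keep the port off the public internet.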
2. EmblemHealth Faces $575K Penalty for Exposing Social Security Numbers on Envelopes by Angie Stewart
There was a sizeable settlement announced this week, and an important one if you're a New Yorker. Attorney General Eric T. Schneiderman said this week that EmblemHealth agreed to pay $575K after it mistakenly disclosed over 80,000 Social Security numbers in a mailing. The incident occurred back in 2016 when EmblemHealth mailed thousands of policyholders, including 55,000 New Yorkers, their Medicare Prescription Drug Plan Evidence of Coverage. Unfortunately, when the healthcare provider sent out the notices it included individuals' Social Security numbers on the address labels. “The careless handling of social security numbers is never acceptable,” Schneiderman said. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”
Medtronic, a prominent medical technology company, admitted this week it should've acted faster to address vulnerabilities in its CareLink 2090 line of defibrillator programmers. The Minnesota Star Tribune reported on the saga Monday, relaying a statement from the company that stressed it took "longer than all of us expected" to confirm findings made by Billy Rios, a security researcher who has previously uncovered scores of flaws in medical devices and critical infrastructure. These vulnerabilities could have let an attacker compromise systems used to update the software. In Medtronic's defense, the company said the vulnerabilities didn't directly threaten patients.
4. Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market by Andy Greenberg
Each year there are a handful of fascinating stories that emerge from the Security Analyst Summit, Kaspersky Lab's invite-only annual deep dive into all things infosec. This year two officers from the Netherlands' National High Tech Crime Unit explained how they managed to commandeer Hansa, an enormously popular (in Europe at least) dark web market, for 10 months. Not only did NHTCU investigators manage to infiltrate the market, they hijacked the thing to track buyers, sellers, and patterns between the two. At nearly 3,000 words, it's an impressive, thorough longread on the takedown courtesy of Andy Greenberg.
It was a fairly big week when it comes to data breach settlements. In addition to EmblemHealth's aforementioned $575K settlement, Yahoo agreed to pay $80 million to settle a federal securities class action suit stemming from its 2013 and 2014 breaches, which ultimately leaked information on three billion of its users. Yahoo has agreed to settle the litigation, but it's unclear if it will actually end; one of the plaintiffs named in it hasn't yet agreed to terms. This particular class action was brought in January 2017 by investors who argued the company misled them about its cybersecurity hygiene. Derek Borchardt and Craig A. Newman, lawyers with Patterson Belknap Webb & Tyler LLP, predicted last month that we'd see an uptick in data breach securities class action litigation, and this is a fine example.