Friday Five: 5/31 Edition
Incentivizing healthcare orgs to adopt cybersecurity practices, malware targeting Linux systems, and Microsoft's call for federal data privacy - catch up on the week's infosec news with this roundup!
1. Senate HELP Proposes Incentivizing Healthcare Cybersecurity Adoption by Jessica Davis
A new bill, proposed last week, would encourage healthcare orgs. Specifically, the bill, introduced by the U.S. Senate Committee on Health, Education, Labor, and Provisions, would incentivize healthcare entities to "adopt strong cybersecurity practices by encouraging the Secretary of Health and Human Services to consider entities’ adoption of recognized cybersecurity practices when conducting audits or administering fines related to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." If passed, the bill would also get a GAO study to better understand the gaps in privacy and security protections for health information as patients move their data to third parties and possibly identify opportunities for improving the privacy and security protections around that data. Cybersecurity is only one small part of the bill, the Lower Health Care Costs Act of 2019; the main goal is to improve the overall patient experience of care while cutting down on out-of-pocket patient spending.
2. Flipboard reveals data breach, which left users' details exposed by Johnny Lieu
Data breaches are still a dime a dozen but for some reason it feels like it’s been a few months since we’ve had a social media platform other than Facebook disclose of one. Flipboard, a news aggregation app that began in 2010, acknowledged this week that attackers commandeered its servers for nine months. Over this span of time, between June 2018 and March of this year, attackers had access to user names, email addresses, and passwords. The company said it also observed unauthorized access to some if its databases on April 21 – 22, 2019. For some reason, it's unclear why, the service waited until this week, almost June, to finally reset users' passwords. It's likely the users whose passwords were exposed aren't in too much trouble however. Flipboard says that most of them were hashed with bcrypt. Users who haven't logged into the account since March 14, 2012 had their passwords protected with SHA-1 and salted. Even if you haven’t used Flipboard since the early aughts, hopefully you’re not still using the same password on other services.
We recently identified & addressed a security incident. We’ve taken measures to protect users’ accounts & secure our systems. As a precautionary measure, we proactively reset all user passwords. We’re providing more details via email & on our support page. https://t.co/tSTKwt7PYN
— Flipboard (@Flipboard) May 28, 2019
3. Regulators Issue More Draft Rules to Tighten Up Lax Data Protection by Ye Zhanqi and Mo Yelin
As part of our weekly effort to check in on other country's data protection efforts, some interesting news from China here, where regulators are prepping a draft policy on data protection. While it's still in its infancy, it is a draft policy after all, it would give customers more control over how their personal data is collected and used, a la GDPR. If you can read Chinese, you may find the following link, via the country's Office of the Central Cyberspace Affairs Commission and Cyberspace Administration interesting. According to Caixin, a Chinese media group, it's the second policy to get proposed this month, following one brought forward by China's National Information Security Standardization Technical Committee. Where this policy zigs when GDPR zags comes to the punishment for violators. According to Sixth Tone, another Chinese news site, there are no specific punishments, only a vague line about how violators could “face public exposure, fines, suspensions, shutdowns, or criminal charges.” There's no doubt China needs a privacy law of its own but it’s unclear when or if this one will get off the ground and if it does, how it would be enforced.
4. New HiddenWasp malware found targeting Linux systems by Catalin Cimpanu
Via ZDNet, a quick primer on HiddenWasp, a new strain of malware apparently unique to Linux, and purportedly developed by someone in China. While the malware shares code with a handful of other malware familes, suggesting it could be cribbed from other projects, there are some clues that suggest it came from China, including the fact that some of its files were uploaded using a path containing the name of a Chinese forensics company. The malware implants, according to ZDNet, were hosted on servers from a physical server hosting company, ThinkDream, located in Hong Kong.
5. Data privacy: Consumers want it, businesses need it — it's time our government delivers it by Julie Brill
Officials at Microsoft have previously called for the creation of a Digital Geneva Convention to better protect cyberspace and now, in hopes of strengthening enforcement around data violations, they're urging for the creation a US privacy law. Julie Brill, Microsoft's Corporate Vice President and Deputy General Counsel, voiced the company's support for the Washington Privacy Act last month. Last week, in The Hill she and the company renewed calls for federal privacy legislation. Brill points out the stance isn't a new for the company - Microsoft first voiced its support for a national privacy law in the U.S. back in 2005, she says - but that the company has been invigorated by the recent one year anniversary of GDPR: “Since GDPR went into effect, we’ve observed intense interest in these data subject rights from customers globally. Consumers worldwide both want and would benefit from privacy frameworks that provide consumers with these tools of empowerment,” Brill wrote.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business