Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: Hackers broke into the networks of the country’s top law firms who represent fortune 500 companies and Wall Street banks; no confirmation of what data has been stolen, but expert warn this could result in insider trading. CNBC published a story on password security with a tool on the page that allowed readers to enter their password to see if it was secure, security researchers determined that this tool actually kept all of the passwords and then sold them to third party advertisers. The National Institute of Standards and Technology (NIST) published a new computer security standard that could potentially secure credit card numbers and healthcare records by various methods of format-preserving encryption. MedStar Health has now been forced to turn patients away due to the ransomware cyberattack, without paying the ransom the healthcare network is forced to operate without any patient records.
Hackers Breach Law Firms, Including Cravath and Weil Gotshal – Publication: The Wall Street Journal – Reporter name: Nicole Hong & Robin Sidel
Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations. Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more.
CNBC just collected your password and shared it with marketers – Publication: CSO – Reporter name: Jeremy Kirk
CNBC inadvertently exposed peoples’ passwords after it ran an article Tuesday that ironically was intended to promote secure password practices. The story was removed from CNBC’s website shortly after it ran following a flurry of criticism from security experts. Vice’s Motherboard posted a link to the archived version. Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it. A note said the tool was for “entertainment and educational purposes” and would not store the passwords. That turned out not to be accurate, as well as having other problems. Adrienne Porter Felt, a software engineer with Google’s Chrome security team, spotted that the article wasn’t delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption. SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.
New NIST Security Standard Can Protect Credit Cards, Health Information – Publication: National Institute of Standards and Technology – Reporter name: Chad Boutin
For many years, when you swiped your credit card, your number would be stored on the card reader, making encryption difficult to implement. Now, after nearly a decade of collaboration with industry, a new computer security standard published by the National Institute of Standards and Technology (NIST) not only will support sound methods that vendors have introduced to protect your card number, but the method could help keep your personal health information secure as well. Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, specifies two techniques for “format-preserving encryption,” or FPE. The publication addresses a longstanding issue in many software packages that handle financial data and other forms of sensitive information: How do you transform a string of digits such as a credit card number so that it is indecipherable to hackers, but still has the same length and look—in other words, preserves the format—of the original number, as the software expects?
MedStar Health turns away patients after likely ransomware cyberattack – Publication: The Washington Post – Reporter name: John Woodrow Cox
MedStar Health patients were being turned away or treated without important computer records Tuesday as the health-care giant worked to restore online systems crippled by a virus. By Tuesday evening, MedStar staff could read — but not update — thousands of patient records in its central database, though other systems remained dark, a spokeswoman said. MedStar officials have refused to characterize the attack as “ransomware,” a virus used to hold systems hostage until victims pay for a key to regain access. But a number of employees reported seeing a pop-up message on their computer screens seeking payment in bitcoins, an Internet currency. One woman who works at MedStar Southern Maryland Hospital Center sent The Washington Post an image of the ransom note, which demanded that the $5 billion health-care provider pays 45 bitcoins — equivalent to about $19,000 — in exchange for the digital key that would release the data.