InfoSec ICU show

InfoSec ICU

Summary: Each week, Gerry and Steve discuss Information Security topics relevant to the medical industry and to patients. From the latest hacks and bugs, to changes in the regulatory environment, and tips and tricks to keep your own personal information safe.

  • Artist: Information Security at the Medical University of South Carolina
  • Copyright: Medical University of South Carolina 2017

Podcasts:

Aggregated Live Internet Web Cams, EFail, Russian Facebook Ads Evidence | File Type: audio/mpeg | Duration: 39:33

Steve and Gerry discuss the use cases and privacy implications of a new website that provides aggregated access to the Internet's live streaming web cams. A major attack on email encryption, and the argument security professionals are having about it, is covered. They finish with thoughts on the recently released trove of evidence from the Russian Facebook meddling.

Show Notes Resources:
  • Network live IP video cameras directory – http://www.insecam.org/
  • Decrypt Encrypted Email – https://efail.de/
  • Russian Facebook Ads Evidence – https://www.darkreading.com/vulnerabilities—threats/newly-released-russian-facebook-ads-show-scale-of-manipulation/d/d-id/1331779

One Cool Things:
  • USB Sniffing K9 – https://www.scmagazine.com/usb-drive-sniffing-k-9-helps-capture-student-hacker/article/765275/
  • All the Developer Tools You Need to Build Child Privacy-Certified Products! – https://www.dynepic.com/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

DNA Privacy Considerations, Children Identity Fraud, and Organized Criminals Phishing Attacks | File Type: audio/mpeg | Duration: 39:19

Steve and Gerry discuss a serious but often overlooked issue: child identity theft and fraud. They shed light on how organized crime is making substantial financial investments to improve phishing attacks. They round out the episode by discussing privacy concerns around individuals' DNA and how it can be used to solve cold cases.

Show Notes Resources:
  • Children identity theft – https://www.darkreading.com/vulnerabilities—threats/more-than-1m-children-victims-of-identity-fraud-in-2017/d/d-id/1331674
  • Phishing as an organized criminal enterprise – https://www.vadesecure.com/en/phishing-attack-targets-550-million/
  • DNA catches a killer – http://beta.nydailynews.com/news/national/dna-testing-golden-state-killer-case-raises-concerns-article-1.3958054

One Cool Things:
  • Truck stopping ray gun – https://www.defenseone.com/technology/2018/04/pentagon-making-ray-gun-stop-truck-attacks/147702/
  • Gmail self-destructing email – https://www.helpnetsecurity.com/2018/04/26/gmail-self-destructing-emails/

Healthcare InfraGard Sector Chief Interview, National ISACs, and CISA 2015 | File Type: audio/mpeg | Duration: 45:46

It's all about information sharing in this episode of Infosec ICU. Steve and Gerry interview Chris Bennett, sector chief for healthcare and public health for South Carolina's InfraGard. They discuss the plethora of ISACs available to US-based companies and what value you can realize from them. Finally, they discuss the privacy and security concerns of the Cybersecurity Information Sharing Act of 2015.

Show Notes Resources:
  • South Carolina InfraGard – https://southcarolinainfragard.org/
  • National ISACs – https://www.nationalisacs.org/
  • Cybersecurity Information Sharing Act of 2015 – https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/

One Cool Things:
  • Controlling Dreams – https://motherboard.vice.com/en_us/article/ywxjvg/steel-ball-control-dreams-dormio-mit-hypnagogia
  • Bad Lip Reading – https://www.youtube.com/user/BadLipReading

Cybersecurity Accord, Medical Device Safety Action Plan, and Deep Fakes | File Type: audio/mpeg | Duration: 42:32

Steve and Gerry discuss the 34-tech-company Cybersecurity Accord announced at RSA 2018 and the new plan the FDA has published with respect to medical device cybersecurity, and finish with deep fakes.

Show Notes Resources:
  • Cybersecurity Accord – https://www.scmagazine.com/tech-giants-combine-to-protect-civilians-from-cyberattack/article/759201/ and https://cybertechaccord.org/
  • FDA Medical Device Safety Plan – https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/UCM604690.pdf
  • DeepFakes – https://www.buzzfeed.com/davidmack/obama-fake-news-jordan-peele-psa-video-buzzfeed and https://www.technologyreview.com/s/610784/this-algorithm-automatically-spots-face-swaps-in-videos/

One Cool Things:
  • SkyRim Mods "Thomas the Tank Engine" – https://youtu.be/yNaTZV8qS1I
  • My Tide Times (app) – https://itunes.apple.com/us/app/my-tide-times-tables-chart/id777280890?mt=8

Data Breaches Lead to Higher Mortality Rates, IoT the High Roller Database, and HHS OCR Guidance Updates | File Type: audio/mpeg | Duration: 45:47

Steve and Gerry discuss recent research that demonstrates data breaches are linked to higher patient mortality rates. IoT devices in the enterprise and their impending future are discussed, introduced by a recent casino breach that started with a thermometer. Finally, they discuss recent HHS guidance on acceptable privacy disclosures.

Show Notes Resources:
  • Do data breaches lead to higher mortality rates? – http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_2.pdf
  • IoT hacked a Casino – http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T

One Cool Things:
  • DSU takes 3rd at CCDC – http://www.nccdc.org/
  • CoC takes 2nd at PCDC – http://pcdc-sc.com/

Hacktivism, Verizon Enterprise PHI Breach Report, and GMail Dots Attack | File Type: audio/mpeg | Duration: 44:03

Steve and Gerry drill into the Verizon PHI Data Breach Report and discuss a few surprising findings. They offer their opinion on the recent attacks on Russian and Iranian Cisco devices and the value of hacktivism. They close out with a scam that abuses a little-known feature of all GMail email addresses.

Show Notes Resources:
  • Verizon PHI Data Breach Report – http://www.verizonenterprise.com/verizon-insights-lab/phi/2018/
  • Attacked Cisco Devices – https://www.securityweek.com/cisco-switches-iran-russia-hacked-apparent-pro-us-attack and https://motherboard.vice.com/en_us/article/a3yn38/election-hacking-vigilante-russia-iran-cisco
  • GMail dots do matter – https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html

One Cool Things:
  • Sysmon – https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  • SwiftOnSecurity Sysmon config file – https://github.com/SwiftOnSecurity/sysmon-config
  • PlayFest – http://southofbroadway.com/season/
  • Piccolo Spoleto – https://www.charlestoncvb.com/events/piccolo-spoleto-~8959/

Bundle of Breaches, Cloudflare DNS, and Cost of a Data Breach | File Type: audio/mpeg | Duration: 1:02:45

Breach, breach, breach! Steve and Gerry talk through the good, the bad, and the ugly of recent breaches, showcasing a comparison between organizations that handle breaches well and those that fail miserably. Cloudflare's new DNS resolver and its privacy approach are discussed, followed by the Ponemon report on the cost of a data breach.

Show Notes Resources:
  • Bundle of Breaches:
    • https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing
    • https://www.wsj.com/articles/saks-lord-taylor-hit-with-data-breach-1522598460
    • https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html
    • https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
  • Cloudflare DNS Resolver – https://blog.cloudflare.com/announcing-1111/
  • Ponemon Cost of a Data Breach 2017 – https://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03130wwen/security-ibm-security-services-se-research-report-sel03130wwen-20180122.pdf

One Cool Things:
  • Drunk apps – https://www.thrillist.com/tech/nation/apps-to-prevent-drunk-texting-and-late-night-mistakes
  • The Vocabulary for Event Recording and Incident Sharing (VERIS) – http://veriscommunity.net/index.html

Higher Education a Target for Hackers, Biometric Authentication Shortcomings, and Dakotacon | File Type: audio/mpeg | Duration: 53:32

Steve and Gerry dive headfirst into a recent indictment against 9 Iranian nationals accused of hacking universities worldwide (the majority in the US) for research capital. Staying on the value of academic research, they discuss a recently published paper from China outlining a technique for tricking facial recognition systems. Finally, Gerry shares his experiences from the DakotaCon security conference and how blue teams are gaining ground against attackers.

Show Notes Resources:
  • Iranian hackers attack universities worldwide – https://www.bleepingcomputer.com/news/security/us-charges-nine-iranians-with-hacking-over-300-universities/
  • Research tricking Facial Recognition systems – https://arxiv.org/pdf/1803.04683.pdf
  • DakotaCon – http://dakotacon.org
  • DakotaCon talks – http://dakotacon.org/#video

One Cool Things:
  • Google Takeout – https://takeout.google.com/
  • GIAC Leadership – https://www.giac.org/certification/strategic-planning-policy-leadership-gstrt?msc=PR

The Art of (cyber) War, Identity Management, and the Cambridge Analytica and Facebook Debacle | File Type: audio/mpeg | Duration: 46:01

With Gerry in South Dakota presenting the proposal for his dissertation, guest host Brandon Stephens steps up to the plate to discuss how Sun Tzu's The Art of War is helpful in preparing for a cyber attack. He and Steve also discuss why Identity and Access Management is so important, as well as the challenges in getting it right. And, of course, they can't help but weigh in on the recent mess with Facebook and Cambridge Analytica: how could we have seen this coming, and is this a big enough reason for people to take a hard look at their social media usage?

Show Notes Resources:
  • The Art of War – https://suntzusaid.com/
  • Cambridge Analytica and Facebook controversy – https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-faceook-nix-bannon-trump

One Cool Things:
  • The Open Policy Project – https://www.t2pa.com/project-open-it-policy-project/oitpp-directory/

The Cybersecurity Culture War, Memcache, and Deputizing the Geek Squad | File Type: audio/mpeg | Duration: 35:53

We all think it, but now we know it. The guys discuss statistical evidence supporting the claim that employees are a weak link in healthcare cybersecurity defenses. Also, attackers have discovered that they can unleash unprecedented Distributed Denial of Service (DDoS) attacks using open memcached servers. The guys cover both of these topics and then dive into how the FBI has been using the Geek Squad to identify illegal content and report it. Is this a warrantless search in violation of the 4th Amendment?

Show Notes Resources:
  • Losing the Cybersecurity Culture War – https://newsroom.accenture.com/news/one-in-five-health-employees-willing-to-sell-confidential-data-to-unauthorized-parties-accenture-survey-finds.htm
  • DDoS Memcache – https://www.wired.com/story/github-ddos-memcached/ and https://www.corero.com/company/newsroom/press-releases/corero-network-security-discovers-memcached-ddos-attack-kill-switch-and-also-reveals-memcached-exploit-can-be-used-to-steal-or-corrupt-data/
  • Deputizing Geek Squad – https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought

One Cool Things:
  • Oculus Rift Fail – https://www.polygon.com/2018/3/7/17091938/oculus-runtime-error-outage-rift-vr-facebook
  • Zero Trust Network – http://shop.oreilly.com/product/0636920052265.do

What Happened with the HHS OCR Phase 2 Audits, Breaches Eroding Public Trust, and New Twists to Old Cons | File Type: audio/mpeg | Duration: 50:32

Last year HHS executed its HIPAA Phase 2 audits across covered entities and business associates, so why have things been quiet at HHS since? The guys provide insights regarding the findings and suggest ideas on why HHS's focus may have changed. The guys then look at the bigger picture of the effect breaches have had on public trust, and a 21st-century method of money laundering is covered.

Show Notes Resources:
  • OCR Says Desk Audits Rates Many HIPAA Efforts to be Inadequate or Worse – https://cynergistek.com/ocr-desk-audits-preliminary-results/
  • Amazon Books Fraud – https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

One Cool Things:
  • CIMON – https://motherboard.vice.com/en_us/article/bj53q3/astronauts-will-welcome-a-free-floating-robot-head-to-the-iss-this-summer
  • Hipku – https://gabrielmartin.net/projects/hipku/

Unauthorized Access of Patient Record Sanctions and Interview with Former Anthem Information Security Leader | File Type: audio/mpeg | Duration: 1:01:00

Steve and Gerry discuss the termination of healthcare employees who violate privacy and 'snoop' on patients' medical records, a topic Steve was interviewed about for a recent Post and Courier article. The guys also interview a former senior information security leader at Anthem and discuss his experience of being on the front lines of a mega-breach.

Show Notes Resources:
  • Post and Courier article: "MUSC terminates employees who 'snoop' in patients' medical records" – https://www.postandcourier.com/health/musc-terminates-employees-who-snoop-in-patients-medical-records/article_b8b0abe6-1645-11e8-85e2-579077b71f57.html
  • Few Consequences For Health Privacy Law's Repeat Offenders – https://www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders
  • Matt Klein Bio – http://academicdepartments.musc.edu/pr/pressrelease/2016/klein.htm
  • Anthem breach – https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML

One Cool Things:
  • Flipboard – https://flipboard.com/
  • Flying Taxis – https://www.digitaltrends.com/cool-tech/ehang-184-drone-flying-taxi-ces-2016/

Insider Threats at Apple, The Cost of Malicious Cyber Activity, and When MFA Goes Bad | File Type: audio/mpeg | Duration: 43:57

The guys discuss a diversity of topics this week! An intern at Apple abused their access, resulting in the release of sensitive intellectual property. They also discuss the Executive Branch report "The Cost of Malicious Cyber Activity to the U.S. Economy" and the challenges around improving information security at a national level. Finally, MFA sounds great in theory, but bad things can happen: the guys discuss the process issues that can undermine MFA.

Show Notes Resources:
  • iPhone iBoot source code leaked – https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone-iboot-source-code-leaked-on-github
  • The Cost of Malicious Cyber Activity to the U.S. Economy – https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
  • Director of National Intelligence report to the Senate Intelligence Committee – https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf

One Cool Things:
  • Flight Sims Labs Hacks Back – https://motherboard.vice.com/en_us/article/pamzqk/fs-labs-flight-simulator-password-malware-drm
  • Best of Charleston – http://chscp.co/BestOfArts

Cyber Threat Intelligence, Cybersecurity Summit, and More Monero Mining Attacks | File Type: audio/mpeg | Duration: 45:40

Steve and Gerry discuss the value and utility of the recently published SANS 2018 Cyber Threat Intelligence (CTI) report. Reflections on the encryption debate from the Charleston School of Law Cybersecurity Summit are shared, and they close with government websites serving up more than information to their visitors.

Show Notes Resources:
  • Information Sharing and Analysis Centers (ISACs) – https://www.nationalisacs.org/
  • Charleston School of Law Cybersecurity Summit – http://charlestonlaw.edu/2018/01/31/10th-law-society-symposium-feb-9-focus-cybersecurity/
  • Keynote Speaker at Cybersecurity Summit, Mike McConnell – https://www.boozallen.com/d/bio/leadership/john-m—mike–mcconnell.html
  • Govt websites serving cryptomining through a third-party utility – https://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/

One Cool Things:
  • Southern Tier Choklat – http://www.stbcbeer.com/beer/cholat/
  • Signal Messaging App – https://signal.org/

National Cybersecurity Safety Board, "Smart" Data, and Cyber Insurance | File Type: audio/mpeg | Duration: 46:49

Would the creation of a National Cybersecurity Safety Board (NCSB), akin to the National Transportation Safety Board (NTSB), be a reasonable and effective mechanism to increase overall cybersecurity for all industries in the United States? Academics propose it, Gerry and Steve discuss it! Also, how "smart" data is giving away sensitive personnel locations, and the always sexy world of cyber insurance (seriously, cyber insurance).

Show Notes Resources:
  • National Cybersecurity Board – http://www.securityweek.com/does-us-need-national-cybersecurity-safety-board
  • Health data tracking you – https://motherboard.vice.com/en_us/article/43q7qq/apple-health-data-is-being-used-as-evidence-in-a-rape-and-murder-investigation-germany
  • Strava web app globally mapping locations of users, including military bases! – https://www.bleepingcomputer.com/news/technology/fitness-tracking-app-accidentally-exposed-military-bases/
  • Cyber insurance discounts for Cisco and Apple products – http://www.foxbusiness.com/features/2018/02/05/apple-cisco-team-up-with-insurance-companies-to-offer-cyber-policy-discounts.html

One Cool Things:
  • Altered Carbon – https://www.netflix.com/title/80097140
  • 15th Annual Palmetto Regional First Robotics Competition! – http://www.myrtlebeachfirstrobotics.com/
  • Stephen Sondheim's Company at Midtown Productions – https://www.midtownproductions.org/
