InfoSec ICU show

InfoSec ICU

Summary: Each week, Gerry and Steve discuss Information Security topics relevant to the medical industry and to patients. From the latest hacks and bugs, to changes in the regulatory environment, and tips and tricks to keep your own personal information safe.

Join Now to Subscribe to this Podcast
  • Visit Website
  • RSS
  • Artist: Information Security at the Medical University of South Carolina
  • Copyright: Medical University of South Carolina 2017

Podcasts:

 Marriott Starwood Breach, BioHacked Man Lee Wangenheim Interview, RFID-Related Privacy Legislation | File Type: audio/mpeg | Duration: 51:25

Gerry and Brandon are back in the studio discussing the Marriott Starwood breach. Steve interviews an RFID/NFC bio-hacked individual, and Gerry and Brandon discuss the ramifications and privacy legislation around  RFID for personal identification. Show Notes Resources: Marriott / Starwood Breach https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-massive-data-breach-impacting-million-guests/ Privacy Regulations http://www.ncsl.org/research/telecommunications-and-information-technology/radio-frequency-identification-rfid-privacy-laws.aspx https://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_12-2006_rpt_RFID.pdf One Cool Thing Firewalla https://firewalla.com/ Doom turns 25: https://qz.com/1490069/doom-the-game-that-kicked-off-a-video-game-revolution-turns-25-today/   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Web App Security, Social Engineering Google Results, and Privacy Not Included | File Type: audio/mpeg | Duration: 38:22

Gerry and Brandon discuss a recent web application vulnerability that has caused a business to respond with what appears to be breach notifications. They discuss social engineers attacking Google results to trick victims into trusting contact information. Finally, they cover several hot IoT items this holiday season and the privacy implications. Show Notes Resources: Healthcare Web Application Security Issues https://www.healthcareinfosecurity.com/another-healthcare-website-security-issue-revealed-a-11752 Social Engineers Attack Google Results https://www.hackread.com/fraudsters-changing-contact-details-of-bank-on-google-maps Privacy Not Included https://foundation.mozilla.org/en/privacynotincluded/ One Cool Thing Blue Team Handbooks https://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756 Quad9 DNS Resolver https://www.quad9.net/   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Ransomware Strikes Again, SIM Swapping for Profit, and Social Science Breakthroughs with De-identified Datasets | File Type: audio/mpeg | Duration: 34:05

Gerry and Steve celebrate their 1-year anniversary of InfosecICU. They discuss an Ohio medical center struck with ransomware and how attacking during a holiday weekend is more likely for bad guys. They discuss SIM swapping attacks against high net-value individuals. The finish with a discussion of social science research that looks at how much time politically polarized individuals spent together during Thanksgiving dinner and how this has larger ramifications on privacy. Show Notes Resources: A holiday-break turns holiday break-in when hackers attack medical facilities with ransomware: http://www.theintelligencer.net/news/top-headlines/2018/11/ovmc-eorh-computers-attacked-by-hackers/ Seems like a good time to warn your executives that they could be a target for SIM Swappers https://securityaffairs.co/wordpress/78427/hacking/sim-swap-hacker.html Researchers have been able to use cellphone tracking technology and public voting data to identify if partisan politics is reducing time spent at the holiday table: https://www.wired.com/story/the-thanksgiving-effect-and-the-power-of-phone-data/ Battlefied 5 https://www.ea.com/en-gb/games/battlefield/battlefield-5 Guerilla Mail https://www.guerrillamail.com/ How to Measure Anything in CyberSecurity Risk https://www.howtomeasureanything.com/cybersecurity/   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Vovox Insecure Messaging, Credit Card Chips Not Enough, and Chipping the Human | File Type: audio/mpeg | Duration: 36:11

Brandon and Steve discuss another incident involving insecurity in text messaging as an authentication mechanism. They discuss criminals success in compromising credit card security controls. They finish with the interesting and somewhat science fiction approach to authentication via microchipping humans. Show Notes Resources: Vovox Text Messaging Issues https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/   Chipped credit card theft and fraud https://threatpost.com/u-s-chip-cards-are-being-compromised-in-the-millions/139028/   Chip Implants for authentication https://www.engadget.com/2018/11/16/employee-microchip-security-orwell   One Cool Things SANS Holiday Hack Challenge https://www.holidayhackchallenge.com/2018/ The Biltmore Estate https://www.biltmore.com/   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 BSides Charleston, Alexa as a Key Witness, and Hacking The Air Force | File Type: audio/mpeg | Duration: 38:15

Gerry and Steve are fresh from BSides Charleston. The two share their favorite talks and the overall thoughts on the conference. They discuss the slippery slope of privacy concerns using Amazon Echo recordings in a court case. They finish up discussing the utility of the “Hack the Air Force” competition being executed. Show Notes Resources: Charleston BSides http://www.bsidescharleston.com/ https://youtu.be/ptL0aTYzRfM Alexa as Evidence http://www.bostonherald.com/news/local_coverage/2018/11/alexa_served_privacy_concerns_echoed_in_new_hampshire_case Hack The Air Force https://www.af.mil/News/Article-Display/Article/1682502/usaf-announces-hack-the-air-force-30/ One Cool Things Celebration Ale https://sierranevada.com/beer/seasonal/celebration-ipa A great talk about Secure DNS options and some major privacy concerns over DNS-over-HTTPS by Sara Dickinson https://www.youtube.com/watch?v=3tMGD6J04Jk Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Old Tech Blows CIA Cover, Interviewing Darknet Diaries Creator, Election Hacking Revisit | File Type: audio/mpeg | Duration: 49:34

The guys discuss how the CIA’s continued usage and organic growth of a communication system that was used well past its intention led to a catastrophic impact to CIA agents in Iran and China in 2013. Steve interviews Jack Rhysider, the creator of the hot podcast “Darknet Diaries”. They wrap the show revisiting election hacking and why attacking the human is more realistic than hacking the technology. Show Notes Resources: CIA’s communications suffered a catastrophic compromise https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html Darknet diaries https://darknetdiaries.com/ Election hacking https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/11/06/the-cybersecurity-202-today-s-the-big-test-for-election-security-here-are-five-things-we-re-watching/5be085cb1b326b39290545f3/?utm_term=.c5183b140da6 One Cool Things Instant Pot https://instantpot.com/ Peerlyst https://www.peerlyst.com/   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 FDA’s Medical Device Guidance, AI in the SOC, and Malware Starter Kits | File Type: audio/mpeg | Duration: 37:45

The guys discuss the FDA’s new guidance, currently out for comment, on premarket submissions for management of cybersecurity in medical devices. They turn to the SOC and explore a published opinion of using AI to lighten the load on Analyst 1’s in the SOC and help with burn out. The wrap up by discussing recently discovered starter kits found on the dark web that make being a cyber criminal an entry level job. Show Notes Resources: FDA’s Guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf AI in the SOC https://www.scmagazine.com/home/opinions/bridging-the-cybersecurity-skills-gap-through-ai/ DDoS Starter Kits https://www.scmagazine.com/home/security-news/ddos-and-ransomware-tools-for-starter-and-experienced-cybercriminals-exposed/ One Cool Things Brain Wave Passwords https://www.fastcompany.com/90257174/the-future-of-passwords-your-brain Steve Pearce and JBJ: USC GameCocks and MVPs   Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Stories from the Front Lines, NAIC Insurance Cyber Law, Facebook Looking to Acquire a Security Firm | File Type: audio/mpeg | Duration: 34:33

The guys discuss two dramatic stories of ABC filming reality shows in Boston and New York hospitals and the privacy infractions that followed. They shift to discussing the legislation that will go into effect January 2019 around insurance data cyber security and the recent Healthcare.gov breach. They round out the show theorizing on motives related to the recent news that Facebook is acquiring a cybersecurity firm. Show Notes Resources: https://www.hipaajournal.com/boston-med-hipaa-violation-penalties/ https://www.healthcareitnews.com/news/newyork-presbyterian-hospital-pay-22-million-egregious-disclosure-phi-hipaa-violation https://www.zdnet.com/article/hackers-steal-data-of-75000-users-after-healthcare-gov-ffe-breach/ https://corpgov.law.harvard.edu/2017/08/30/naic-adopts-model-cybersecurity-law/ https://www.businessinsider.com/facebook-wants-to-acquire-a-cybersecurity-firm-2018-10 One Cool Things Oculus Go https://www.oculus.com/go/ Darknet Diaries by Jack Rhysider https://darknetdiaries.com/ Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Medtronic Devices Recalled, Cyber Lexicon, OCR $16M Settlement with Anthem | File Type: audio/mpeg | Duration: 51:31

The guys discuss Medtronic’s recall of their cardiac device programmer system due to security vulnerabilities and how this is a good trend for the medical device industry. Next they discuss cyber lexicon and since words have meaning the nuances of each and how journalists may mistakenly say one thing when they mean another. They finish with news of OCR’s largest settlement to date of $16M to Anthem. Show Notes Resources: Medtronic recall OCR $16M settlement One Cool Things GMail granular permissions https://gadgets.ndtv.com/apps/news/google-third-party-apps-granular-control-permissions-contacts-provider-removal-gmail-api-1929178 The Foot Soldier of Birmingham http://revisionisthistory.com/episodes/14-the-foot-soldier-of-birmingham Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Bloomberg Bombshell Report, Apollo Data Breach, and Google+ API Leak | File Type: audio/mpeg | Duration: 34:44

The guys dive into the hotly debated Bloomberg report about hardware compromised motherboards and the two sides of the story. They discuss the Apollo data service analytics publicly exposed database. They finish discussing Google’s decision to not disclose a data leak of their Google+ platform for political reasons and how they shuddered Google+ in response. Show Notes Resources: Bloomber: The Big Hack https://www.bloomberg.com/businessweek Apollo Breach https://www.wired.com/story/apollo-breach-linkedin-salesforce-data/ Google+ Data Leak https://www.theguardian.com/technology/2018/oct/08/google-plus-security-breach-wall-street-journal One Cool Things Spotify Student Deals https://www.theverge.com/2017/9/7/16263938/spotify-hulu-student-deal-announced MITRE ATT&CK https://attack.mitre.org/wiki/Main_Page Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Senate Approved Cybersecurity Bills, US Consumer Privacy Data Efforts, and Facebook’s 50M User Account Breach | File Type: audio/mpeg | Duration: 35:24

The guys discuss 5 recent Senate approved Cybersecurity bills and their potential impact if passed into legislation. They introduce the Department of Commerce of NTIA’s Request for Comments (RFC) regarding a US Consumer Privacy Data effort. They finish with the technical details regarding the recent Facebook breach and what the impact is to affected individuals. Show Notes Resources: Senate Approves Cybersecurity Bills https://www.securityweek.com/senate-committee-approves-several-cybersecurity-bills NTIA Seeks Comments on Data Privacy https://www.ntia.doc.gov/press-release/2018/ntia-seeks-comment-new-approach-consumer-data-privacy https://www.securityweek.com/us-unveils-first-step-toward-new-online-privacy-rules Facebook Hack https://www.securityweek.com/several-bugs-exploited-massive-facebook-hack One Cool Things Evernote https://evernote.com/ Peanuts Cartoon celebrates 68 years of publication Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Mobile Security! Cyber Arms Dealers NSO Group and Lucy Gang, and Apples Healthcare Moves | File Type: audio/mpeg | Duration: 39:44

This episode is on the move! InfoSecICU focuses on mobile device security taking a look at mobile OS cyber arms dealers NSO Group and Lucy Gang, diving into their business model and the evolution of cyber criminal enterprises. The guys pivot to mobile healthcare, discussing Apples continued move into the healthcare space and the risks that come with being ‘innovative’. Show Notes Resources: NSO Group Spyware https://motherboard.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo Lucy Gang Malware-as-a-Service https://threatpost.com/lucy-gang-debuts-with-unusual-android-maas-package/137590/ Apple Explores Medical Data https://healthitanalytics.com/news/apple-explores-medical-data-with-health-records-api-patents One Cool Things Elder Scrolls Legends Updated https://legends.bethesda.net/en LastPass integration for iOS 12 https://blog.lastpass.com/2018/09/get-in-app-autofill-with-lastpass-ios-12.html/ Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 HITRUST CSF, Are Your Appliances Watching You, and Steps to Quantifying Reputational Harm | File Type: audio/mpeg | Duration: 41:59

Happy Anniversary to InfoSecICU! They guys celebrated the 52nd week of shows by discussing the HITRUST CSF framework for standardizing security certifications for healthcare-related vendors. They introduce a creepy story of Airbnb hosts using IoT devices to spy on guests. Finally, they discuss research that dives into the long term impact to a company’s value following a significant breach. Show Notes Resources: HITRUST CSF https://hitrustalliance.net/hitrust-csf/ AirBnB launches investigation regarding hidden camera https://nakedsecurity.sophos.com/2018/09/11/airbnb-launches-investigation-after-man-finds-hidden-camera-in-clock/ Data Breach affects stock performance https://www.zdnet.com/article/data-breaches-affect-stock-performance-in-the-long-run-study-finds/ One Cool Things CyberSecurity Supply/Demand Heat Map https://www.cyberseek.org/heatmap.html Free Virtual Care during Hurricane Florence Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 OCR Presents to MUSC, British Airways Hack, and Executing DR/BC | File Type: audio/mpeg | Duration: 51:11

Steve and Gerry cover Health and Human Services Office of Civil Rights (HHS OCR) briefing presented to MUSC recently and discuss the clarification it brought with it. They cover the details of the recent British Airways hacked that compromised 380,000 individuals credit card information. Given the impending Hurricane Florence, the guys refresh on Disaster Recovery and Business Continuity Planning. Show Notes Resources: HHS OCR Guidance –> HIPAA for App Developers https://hipaaqsportal.hhs.gov/ British Airways Hack https://www.riskiq.com/blog/labs/magecart-british-airways-breach/ DR / BCP NIST 800-34 r1 https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-34r1.pdf Tool to assist in determining disclosures for emergency situations:  https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/emergencyprepdisclose.pdf     One Cool Things Gerald Auger – Seeking Research Participants! https://www.linkedin.com/feed/update/urn:li:activity:6445309181837873152 Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

 Google MasterCard Deal, Instagram 2-Factor, Phone Number as an Identifier | File Type: audio/mpeg | Duration: 33:13

Steve and Gerry discuss the privacy ramifications of the Google MasterCard deal that recently came to light. They discuss Instagram’s decision to support two-factor authenticator apps and the issues with SMS as a 2nd factor. They finish up discussing the dependence and concerns of using your phone number as your identity and authenticator. Show Notes Resources: Google Mastercard https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales Instagram 2-Factor https://krebsonsecurity.com/2018/08/instagrams-new-security-tools-are-a-welcome-step-but-not-enough/ Phone Number Identity https://www.wired.com/story/phone-numbers-indentification-authentication/ One Cool Things There Will Be Hops https://www.charlestoncitypaper.com/charleston/charles-towne-fermentory/Location?oid=6458711 GMail Replacements Kolab Now, ProtonMail, Zoho Contact Email infosecicu@musc.edu Twitter: * Gerry Auger (@Gerald_Auger) * Steven Cardinal (@sgcardinal)

Comments

Login or signup comment.