InfoSec ICU

Summary: Each week, Gerry and Steve discuss Information Security topics relevant to the medical industry and to patients. From the latest hacks and bugs, to changes in the regulatory environment, and tips and tricks to keep your own personal information safe.

  • Artist: Information Security at the Medical University of South Carolina
  • Copyright: Medical University of South Carolina 2017

Podcasts:

Mental Health Apps Deceptively Selling Data, Human-Centered Computing Expert, Dr. Kelly Caine, Interview and Reflections | File Type: audio/mpeg | Duration: 46:28

Steve and Gerry discuss recent research discovering mental health applications that are sharing personal data without informing the user, and the implications this practice has for individuals. Clemson’s Dr. Kelly Caine is interviewed on her work around her paper “Privacy is Health” and the bioethical implications of technology diagnosing individuals who are not seeking treatment. As always they end with One Cool Thing.

Show Notes Resources:
  • Mental Health Apps Selling Data: https://www.theverge.com/2019/4/20/18508382/apps-mental-health-smoking-cessation-data-sharing-privacy-facebook-google-advertising
  • Privacy is Health: https://kellycaine.files.wordpress.com/2010/11/2016-ieee-pervasive-column-privacy-is-healthy-caine.pdf
  • Dr. Kelly Caine on Twitter: @kellycaine
  • Clemson Human Technology Lab: www.hatlab.org
  • Wearable Platforms for mHealth Research: https://auracle-project.org/ and https://amulet-project.org/
  • HomeSHARE initiative, a geographically distributed test-bed to design, develop, and evaluate pervasive home-based technologies for aging-in-place: https://crihomeshare.wordpress.com/
  • Kelly Caine’s book: https://www.amazon.com/Understanding-Your-Users-Requirements-Technologies/dp/1558609350

One Cool Thing:
  • 20 year anniversary of the laser mouse: https://gizmodo.com/20-years-ago-microsoft-changed-how-we-mouse-forever-1834274151
  • CISO Desk Reference Guide: https://cisodrg.com/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Weaponizing DICOM and Dr. Charlie Frank, Mirai Botnet Expert, Interview | File Type: audio/mpeg | Duration: 41:41

Steve and Gerry discuss recent research around embedding malware in DICOM image files, and they interview Dr. Charlie Frank, Mirai botnet expert. As always they end with One Cool Thing.

Show Notes Resources:
  • Malware-Embedded DICOM Files: https://threatpost.com/hipaa-protected-malware-medical-images/143890/

One Cool Thing:
  • The Internet Arcade: https://archive.org/details/internetarcade
  • Louie, Louie – whoa, whoa: https://www.digitaltrends.com/cool-tech/nasa-robot-king-louie

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Microsoft Email Breaches, API Security Concerns, and Irresponsible Vulnerability Disclosure | File Type: audio/mpeg | Duration: 42:33

The guys discuss a recent privileged account compromise at Microsoft corporate that resulted in an email breach. They give a high-level overview of API security concerns and what to expect in the future. Finally they cover a recent example of vulnerability disclosure done poorly that left potentially 160,000 WordPress websites exposed to exploitation. As always they end with One Cool Thing.

Show Notes Resources:
  • Microsoft admits email hack: https://www.darkreading.com/attacks-breaches/microsoft-downplays-scope-of-email-attack-/d/d-id/1334423
  • API Security Concerns: https://www.scmagazine.com/home/opinion/5-things-you-need-to-know-about-api-protection/
  • Security researcher dropping 0-days: https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/

One Cool Thing:
  • The Data Map: https://thedatamap.org/
  • Monitor Darkly: https://www.youtube.com/watch?v=zvP2FEfOSsk

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Amazon Echo in Healthcare, College Admissions Hacked, and Healthcare Integrity and Availability Security Needs | File Type: audio/mpeg | Duration: 41:57

Steve and Gerry discuss the nuances of the Amazon Echo device receiving HIPAA compliance branding. They provide a look at the college admission process leveraging cloud platforms and how they were successfully hacked for fun and profit. Finally the guys discuss the cybersecurity elephant in the healthcare room that providers are not talking about. As always they end with One Cool Thing.

Show Notes Resources:
  • Amazon gets HIPAA compliance added to the list of things Alexa can be: https://developer.amazon.com/blogs/alexa/post/ff33dbc7-6cf5-4db8-b203-99144a251a21/introducing-new-alexa-healthcare-skills
  • A high schooler notifies universities that their admissions portal is hackable. Not that anyone would want to subvert college admissions. https://d4stiny.github.io/Hacking-College-Admissions/
  • Cybersecurity Healthcare Challenges: https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation

One Cool Thing:
  • Breach Help: https://www.breachclarity.com/
  • Spy Gear: https://www.detective-store.com/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Insider Threat Risk Mitigation, Cyber Insurance-backed Certification, Fisticuffs Vulnerability Disclosure | File Type: audio/mpeg | Duration: 45:02

Steve and Gerry discuss an insider threat issue that resulted in $700K worth of damage to a company in retaliation for termination. The obvious involuntary-termination activities were performed, but what issues led to a compromise? They spend time covering the advancement of cyber insurance driving security technology adoption. They finish the topics with a case study in vulnerability disclosure being done wrong. As always they end with One Cool Thing.

Show Notes Resources:
  • Insider threats and departing employees: https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/
  • Cyber risk ratings from insurance companies. Do we need yet another measure? https://www.scmagazine.com/home/security-news/cybercrime/a-collaborative-effort-by-some-of-the-worlds-largest-insurers-has-set-out-to-create-a-consumer-ratings-service-for-the-cybersecurity-industry
  • Bug reporting gets nasty: https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/

One Cool Thing:
  • Is there a doctor in the house? Autopilot tricks to kill your friends: https://arstechnica.com/information-technology/2019/04/researchers-trick-tesla-autopilot-into-steering-into-oncoming-traffic/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Old Software Needs Security Love Too, Windows 7 Going the Way of the Dodo, and Pwn2Own | File Type: audio/mpeg | Duration: 34:01

Steve and Gerry discuss the discovery of a 19-year-old vulnerability, how organizations using Windows 7 now really, really have to do something about it, and how the Pwn2Own 0-day contest in Vancouver is dropping 0-days like it’s hot. As always they end with One Cool Thing.

Show Notes Resources:
  • WinRAR Bug: https://www.scmagazine.com/home/security-news/hack-u-next-ariana-grande-file-is-one-of-100-ways-attackers-are-exploiting-winrar-bug/
  • Microsoft will start notifying users of Windows 7 about the end of (support) days. What you need to know: https://techcrunch.com/2019/03/20/windows-7-security-updates/
  • Pwn2Own Zero Day Initiative: https://www.thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-day-one-results

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Cult of the Dead Cow Presidential Candidate, Vishing Robocalls, and Pentesting in the Gig Economy | File Type: audio/mpeg | Duration: 42:53

The guys discuss how a presidential candidate out of Texas is a member of the Cult of the Dead Cow, a hacktivist group started in the 1990s. They cover vishing attacks and how the government is trying to pass anti-robocall legislation. Finally they touch on pentesting in the gig economy. As always they end with One Cool Thing.

Show Notes Resources:
  • Robert “Beto” O’Rourke was recently revealed to be part of one of America’s first hacker groups. What does that actually mean? Hack the vote? https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/
  • Scammers still love the old school phone call: https://nakedsecurity.sophos.com/2019/03/11/ftc-says-taxpayer-voice-phishing-scams-are-up-nearly-20x/
  • Congress trying to address the issues with HR 946, the Stopping Bad Robocalls Act: http://www.tcpadefenseforce.com/tcpa-law-blog/stopping-bad-robocalls-act-reintroduced-in-congress-tcpa
  • HR 721, the Spam Calls Task Force Act: https://romesentinel.com/stories/brindisi-joins-fight-against-robocalls,73435

One Cool Thing: Hot Lemon Pie
  • 1 lg lemon
  • 4 eggs
  • 1 tsp. vanilla
  • 1 1/2 c. sugar
  • 1/2 c. butter
  • 1 9″ unbaked pie shell
Preheat oven to 350F. Cut lemon in pieces, seeds removed, but with rind and peel attached. Put lemon, eggs, sugar, butter, and vanilla in food processor or blender and whirl until mixture is foamy and smooth. Pour in pie shell and bake 40 min. Will set up like custard. Serve warm or chilled. Refrigerate any leftovers.

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

AMA Insights into HHS OCR RFI Comments, HIPAA Criminal Prosecution, and COPPA Compliance | File Type: audio/mpeg | Duration: 34:57

What are Gerry and Steve talking about this week? Steve had an opportunity to talk with the AMA and provide a deeper dive into their comments on HHS’s recent request for information related to HIPAA updates. The guys dig into a rare instance of federal criminal prosecution of a HIPAA violation. They finish up discussing an FTC fine of TikTok, a popular social media app, for violating COPPA. As always they end with One Cool Thing.

Show Notes Resources:
  • Guilty Plea in Rare HIPAA Criminal Case: https://www.healthcareinfosecurity.com/guilty-plea-in-rare-hipaa-criminal-case-a-12150
  • FTC Fines TikTok $5.7M: https://www.ftc.gov/news-events/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc

One Cool Thing:
  • Robot invasion of Las Vegas: https://www.forbes.com/sites/davidschwartz/2018/08/09/the-robot-invasion-of-las-vegas-might-be-horrifying-or-no-big-deal/#4ecd208e2956
  • Robot invasion of Professional Baseball: https://bleacherreport.com/articles/2824558-mlb-to-experiment-with-robot-umpires-more-rule-changes-in-atlantic-league

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Federal Privacy Bill in the Works, Facebook Abuses Access to Users’ Phone Numbers, HIPAA Breach Notification for Media | File Type: audio/mpeg | Duration: 42:25

What are Gerry and Steve talking about this week? The guys discuss the federal government beginning to engage experts to develop a bill to address citizens’ privacy. They call out Facebook for offering multi-factor authentication and then using users’ phone numbers for other means. They round out with the obligation of media outlets to publish breach notifications that are sent to them, as required by HHS and federal law. As always they end with One Cool Thing.

Show Notes Resources:
InfoSec ICU is a finalist for Best Local Podcast in Charleston. Vote here -> http://chscp.co/BestOfArts
  1. Privacy is solved, the government is involved: https://www.securityweek.com/us-lawmakers-kick-debate-over-online-privacy
     Hearing: https://energycommerce.house.gov/committee-activity/hearings/hearing-on-protecting-consumer-privacy-in-the-era-of-big-data
     Video with start time: https://youtu.be/mN1_FVOIA6s?t=1026
  2. Give us your phone number, says Facebook. You can trust us. https://motherboard.vice.com/en_us/article/kzdxjx/facebook-phone-number-two-factor-authentication
  3. Media reports of data breaches. Are they required to publish? http://www.live5news.com/2019/03/01/more-than-k-letters-were-sent-out-patients-after-phishing-attack-roper-st-francis/

One Cool Thing:
  • James Veitch: “This is what happens when you reply to spam email”: https://www.youtube.com/watch?v=_QdPW8JrYzQ
  • Wireshark hits 3.0: https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

The AMA and Patient Access, Top 3 Red Team Findings, and University of Washington Medicine Breach | File Type: audio/mpeg | Duration: 41:05

What are Gerry and Steve talking about this week? The Office for Civil Rights (OCR) asked for input on their proposal for improving patient access to PHI, and the AMA responded with 29 pages of well-crafted sense. Will OCR listen? A red teamer provides some lessons learned after 6 years of penetration testing engagements. The top three findings are just #sad. Finally, a massive data breach at U Washington Medicine due to a “mis-configured database”. As always they end with One Cool Thing.

Show Notes Resources:
InfoSec ICU is a finalist for Best Local Podcast in Charleston. Vote here -> http://chscp.co/BestOfArts
  • AMA feedback to OCR about improving patient access to PHI: https://searchlf.ama-assn.org/undefined/documentDownload?uri=/unstructured/binary/letter/LETTERS/2019-2-8-Letter-to-Severino-re-HIPAA-RFI-Response.pdf
  • Red Team findings from 6 years of tests: https://www.cbronline.com/opinion/red-teaming-lessons
  • University of Washington Medicine breach notification: https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/
  • What Google indexes: https://support.google.com/webmasters/answer/35287?hl=en

One Cool Thing:
  • YouTube Kids (totally not cool): https://www.cbsnews.com/news/youtube-kids-inappropriate-horrified-mom-discovers-suicide-instructions-in-video-on-youtube-and-youtube-kids/
  • The Tyrconnell: https://www.thetyrconnellwhiskey.com/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

FBi(Cloud), HHS Expanding Interoperability, and Mental Health in Information Security | File Type: audio/mpeg | Duration: 39:00

Gerry and Steve discuss Apple’s iOS approach to security and the nuances of the recent FBI interaction with data requests to Apple. They talk about an HHS proposed rule released at HIMSS 19 this week on healthcare interoperability and data sharing and the security concerns it may introduce. They round out with mental health concerns in the information security industry, especially in the CISO role. As always they end with One Cool Thing.

Show Notes Resources:
InfoSec ICU is a finalist for Best Local Podcast in Charleston. Vote here -> http://chscp.co/BestOfArts
  • Does Apple have a double standard when dealing with FBI investigations? What security actually comes with an iCloud account? https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
  • HHS Proposes New Rules to Improve the Interoperability of Electronic Health Information: https://www.hhs.gov/about/news/2019/02/11/hhs-proposes-new-rules-improve-interoperability-electronic-health-information.html
  • The demands of the CISO job are growing much faster than the resources available:
     https://www.forbes.com/sites/daveywinder/2019/02/15/cybersecurity-mental-health-warning-1-in-6-cisos-now-medicate-or-use-alcohol/#4d1f65673c0c
     https://www.techrepublic.com/article/burnout-warning-high-stress-levels-impacting-cisos-physical-mental-health/
     https://www.darkreading.com/careers-and-people/high-stress-levels-impacting-cisos-physically-mentally/d/d-id/1333888

One Cool Thing:
  • Hoopla: https://www.hoopladigital.com/my/hoopla
  • RevTown: https://revtownusa.com/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Devil’s in the Details of Cyber Security Insurance, Apple Protects Privacy, Docker Vulnerability Released | File Type: audio/mpeg | Duration: 31:58

Gerry and Steve discuss an ongoing case of an insurance provider withholding a claim payment because NotPetya may have been an act of war. They discuss the privacy implications of Apple holding application developers accountable for notifying users when their app sessions are screen-recorded. Finally the guys get technical, discussing a Docker (and really most container technology) vulnerability that could be a major issue if not patched. As always they end with One Cool Thing.

Show Notes Resources:
InfoSec ICU is a finalist for Best Local Podcast in Charleston. Vote here -> http://chscp.co/BestOfArts
  • Buying cyber insurance well: https://www.scmagazine.com/home/security-news/setting-up-for-success-when-buying-cyber-insurance/
  • Apple demands companies obtain consent before recording user app sessions: https://www.scmagazine.com/home/security-news/report-apple-demands-companies-obtain-consent-before-recording-users-app-sessions
  • Docker doomsday security hole discovered: https://www.zdnet.com/google-amp/article/doomsday-docker-security-hole-uncovered/
     Related LXC fix: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d

One Cool Thing:
  • Accelerating America’s AI leadership: https://www.whitehouse.gov/articles/accelerating-americas-leadership-in-artificial-intelligence/
  • AR Ruler: https://aruler.download/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

MITRE’s CVSS for Medical Device Guide, Cheating with Apple Watch, and Apple v. Facebook/Google Spat | File Type: audio/mpeg | Duration: 31:17

Gerry and Steve discuss MITRE’s new CVSS scoring guide for medical devices that is currently out for comments and what it could mean for healthcare. They cover a trending issue of unethical behavior using the Apple Watch to cheat on exams, and they round out the show covering Apple’s revoking of the enterprise certificates issued to Facebook and Google for internally developed apps because of abuse.

Show Notes Resources:
  • Facebook and Google distributed what amounts to self-signed apps for iOS users, which violates Apple’s App Store ToS, making the giant fruit very unhappy: https://arstechnica.com/gadgets/2019/01/facebook-and-google-offered-gift-cards-for-root-level-access-to-ios-users-data/
  • MITRE, the think tank regularly associated with vulnerability scoring, has a draft rubric for assigning CVSS to medical devices. Think you can help? https://www.mitre.org/publications/technical-papers/rubric-for-applying-cvss-to-medical-devices
  • The Apple Watch is the latest way to cheat in school. Are your policies flexible enough to combat the threat? https://theoutline.com/post/7030/rich-kids-are-cheating-in-school-with-apple-watches

One Cool Thing:
  • Thank You For Arguing: What Aristotle, Lincoln and Homer Simpson Can Teach Us About the Art of Persuasion, by Jay Heinrichs
  • Monday February 4, 2019 Stormcast, discussing Bitcoin money laundering: https://isc.sans.edu/podcastdetail.html?id=6356

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

The HSCC Medical Device JSP, China Looking for Debt Holders, and Japan Attacking IoT for the Olympics | File Type: audio/mpeg | Duration: 34:33

Brandon Stephens joins Steve on the show as they dig into the latest Joint Security Plan from the Healthcare and Public Health Sector Coordinating Council on Medical Device and Health IT security. They also cast their gaze to the Far East to discuss China’s plan to encourage whistleblowers to turn in debtors via an app and Japan’s plan to defend the upcoming Olympics by attacking IoT devices.

Show Notes Resources:
  • HSCC Joint Cybersecurity Working Group releases the Medical Device and Health I.T. Joint Security Plan (JSP): https://healthsectorcouncil.org/the-joint-security-plan/
  • China has an app to report debtors who can’t pay their bills: https://www.dailymail.co.uk/news/article-6620879/China-launches-app-tells-500-yards-debt.html
  • Japan goes on the offensive to defend the Olympics: https://www.scmagazine.com/home/security-news/japanese-govt-to-hack-civilian-iot-devices-in-security-push-before-olympics/

One Cool Thing:
  • Coffee that’s out of this world: https://arstechnica.com/science/2019/01/how-much-would-you-pay-for-coffee-roasted-in-space/

Contact: Email infosecicu@musc.edu; Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

Major Password Cache Dumped, HL7 Expert Interview, Defense Health Agency Insecurity | File Type: audio/mpeg | Duration: 59:08

Steve and Gerry are in the studio discussing a massive password cache that was discovered and whether you should actually be concerned. Steve interviews Dallas Haselhorst, an HL7 protocol security expert. Finally they finish off discussing the insecurity discovered by the OIG after reviewing security controls at several DoD healthcare facilities.

Show Notes Resources:
  • Password Cache Dump: https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/
  • Defense Health Agency Insecurity: https://media.defense.gov/2019/Jan/11/2002078551/-1/-1/1/DODIG-2019-044.PDF
  • https://motherboard.vice.com/en_us/article/yw79k5/hacker-group-threatens-dump-911-insurance-files-dark-overlord

One Cool Thing:
  • Fortnite, the new money laundering method: https://www.independent.co.uk/news/fortnite-v-bucks-discount-price-money-dark-web-money-laundering-crime-a8717941.html
  • Home Healthcare with TytoCare: https://www.tytocare.com/
