InfoSec ICU

Summary: Each week, Gerry and Steve discuss information security topics relevant to the medical industry and to patients: from the latest hacks and bugs, to changes in the regulatory environment, to tips and tricks for keeping your own personal information safe.

  • Artist: Information Security at the Medical University of South Carolina
  • Copyright: Medical University of South Carolina 2017

Podcasts:

 Mobile Security! Cyber Arms Dealers NSO Group and Lucy Gang, and Apple's Healthcare Moves | File Type: audio/mpeg | Duration: 39:44

This episode is on the move! InfoSecICU focuses on mobile device security, taking a look at cyber arms dealers targeting mobile operating systems, NSO Group and the Lucy Gang, and diving into their business models and the evolution of cybercriminal enterprises. The guys pivot to mobile healthcare, discussing Apple's continued move into the healthcare space and the risks that come with being ‘innovative’.

Show Notes Resources:
  • NSO Group Spyware: https://motherboard.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo
  • Lucy Gang Malware-as-a-Service: https://threatpost.com/lucy-gang-debuts-with-unusual-android-maas-package/137590/
  • Apple Explores Medical Data: https://healthitanalytics.com/news/apple-explores-medical-data-with-health-records-api-patents

One Cool Things:
  • Elder Scrolls Legends Updated: https://legends.bethesda.net/en
  • LastPass integration for iOS 12: https://blog.lastpass.com/2018/09/get-in-app-autofill-with-lastpass-ios-12.html/

Contact: Email infosecicu@musc.edu | Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 HITRUST CSF, Are Your Appliances Watching You, and Steps to Quantifying Reputational Harm | File Type: audio/mpeg | Duration: 41:59

Happy Anniversary to InfoSecICU! The guys celebrated the 52nd week of shows by discussing the HITRUST CSF, a framework for standardizing security certifications for healthcare-related vendors. They introduce a creepy story of Airbnb hosts using IoT devices to spy on guests. Finally, they discuss research into the long-term impact on a company's value following a significant breach.

Show Notes Resources:
  • HITRUST CSF: https://hitrustalliance.net/hitrust-csf/
  • Airbnb launches investigation regarding hidden camera: https://nakedsecurity.sophos.com/2018/09/11/airbnb-launches-investigation-after-man-finds-hidden-camera-in-clock/
  • Data breaches affect stock performance: https://www.zdnet.com/article/data-breaches-affect-stock-performance-in-the-long-run-study-finds/

One Cool Things:
  • Cybersecurity Supply/Demand Heat Map: https://www.cyberseek.org/heatmap.html
  • Free Virtual Care during Hurricane Florence

 OCR Presents to MUSC, British Airways Hack, and Executing DR/BC | File Type: audio/mpeg | Duration: 51:11

Steve and Gerry cover the Department of Health and Human Services Office for Civil Rights (HHS OCR) briefing recently presented to MUSC and discuss the clarification it brought with it. They cover the details of the recent British Airways hack that compromised the credit card information of 380,000 individuals. Given the impending Hurricane Florence, the guys refresh on Disaster Recovery and Business Continuity Planning.

Show Notes Resources:
  • HHS OCR Guidance –> HIPAA for App Developers: https://hipaaqsportal.hhs.gov/
  • British Airways Hack: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
  • DR / BCP, NIST SP 800-34 r1: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-34r1.pdf
  • Tool to assist in determining disclosures for emergency situations: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/emergencyprepdisclose.pdf

One Cool Things:
  • Gerald Auger – Seeking Research Participants! https://www.linkedin.com/feed/update/urn:li:activity:6445309181837873152

 Google MasterCard Deal, Instagram 2-Factor, Phone Number as an Identifier | File Type: audio/mpeg | Duration: 33:13

Steve and Gerry discuss the privacy ramifications of the Google MasterCard deal that recently came to light. They discuss Instagram's decision to support two-factor authenticator apps and the issues with SMS as a second factor. They finish up discussing the growing dependence on your phone number as both your identity and your authenticator, and the concerns that brings.

Show Notes Resources:
  • Google Mastercard: https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales
  • Instagram 2-Factor: https://krebsonsecurity.com/2018/08/instagrams-new-security-tools-are-a-welcome-step-but-not-enough/
  • Phone Number Identity: https://www.wired.com/story/phone-numbers-indentification-authentication/

One Cool Things:
  • There Will Be Hops: https://www.charlestoncitypaper.com/charleston/charles-towne-fermentory/Location?oid=6458711
  • Gmail replacements: Kolab Now, ProtonMail, Zoho

 Gartner Catalyst, Election Hacking, and NotPetya Damages | File Type: audio/mpeg | Duration: 48:50

Steve is fresh from Gartner Catalyst and shares his experience and lessons learned. The guys discuss a follow-up story in which election officials tell the other side of the recent Voting Village hacks at DEF CON 26. They finish up with a discussion of the damages of NotPetya a year later, with Maersk as a case study.

Show Notes Resources:
  • Gartner Catalyst: https://www.gartner.com/en/conferences/na/catalyst-us
  • Election Hacking: https://www.propublica.org/article/defcon-teen-did-not-hack-a-state-election
  • NotPetya: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

One Cool Things:
  • Netflix: Luke Cage: https://www.netflix.com/title/80002537
  • Zero-emission Jaguar E-Type Zero: https://arstechnica.com/cars/2018/08/want-a-zero-emissions-classic-jaguar-its-available-from-2020/

 Augusta University Breach, New Age Detection Methodologies, NIST Small Business Cybersecurity | File Type: audio/mpeg | Duration: 44:46

Gerry and Brandon discuss the long-term effect of the recently published Augusta University Medical Center breach. They cover behavior-based analysis for detecting malicious activity on the network, using RITA, a security tool from Black Hills Information Security, to assist. Finally, they touch on the recently enacted NIST Small Business Cybersecurity Act.

Show Notes Resources:
  • Augusta University Medical Center Breach: https://www.healthcareitnews.com/news/417000-augusta-university-health-patient-records-breached-nearly-one-year-ago
  • RITA: https://www.blackhillsinfosec.com/projects/rita/
  • NIST Small Business Cybersecurity Act: https://www.scmagazine.com/president-signs-nist-small-business-cybersecurity-act-into-law/article/789147/

One Cool Things:
  • Amazfit Bip Fitness Trackers: https://us.amazfit.com/shop/bip?variant=336750
  • Principles of Fraud Examination: https://www.amazon.com/Principles-Fraud-Examination-Joseph-Wells/dp/0470646292

 Biomedical Integrity Attacks, Jeremiah Grossman Interview, and Asset Inventory Reflection | File Type: audio/mpeg | Duration: 45:17

Gerry is back from Black Hat and he's ready to tackle the oft-ignored member of the Confidentiality-Integrity-Availability triad as he digs into a new attack that tampers with medical device data to disastrous effect. While in Vegas, Gerry also had the opportunity to interview Jeremiah Grossman, CEO of Bit Discovery, to talk about the unique way his company is addressing asset discovery and management. To top it all off, they both present their One Cool Thing.

Show Notes Resources:
  • Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives: http://i.blackhat.com/us-18/Thu-August-9/us-18-Dameff-Pestilential-Protocol-How-Unsecure-HL7-Messages-Threaten-Patient-Lives-wp.pdf
  • Jeremiah Grossman: https://www.jeremiahgrossman.com/
  • Bit Discovery: https://bitdiscovery.com/

One Cool Things:
  • Visual Impact Awareness Training Video. Camp, L. Jean. [Security Awareness Videos]. (2015, May 25). Toothbrushes & Passwords. Retrieved from https://www.youtube.com/watch?v=j7zcuDfqRrg&list=PLGVaKmEv-k0s3In0zllvPf9AZz4o-qUIW&index=2
  • SCBIO 2018 Annual Conference: https://www.scbio.org/cpages/annual-conf-2018

 HHS dissed for poor cybersecurity, Iowa Health Group 1.4M patient breach, and BCG gets satisfaction against hacktivist | File Type: audio/mpeg | Duration: 40:41

Brandon is back in the co-pilot's chair as we talk about the recent GAO report finding that HHS is failing to protect PHI. We also share our intrigue surrounding the PHI breach at Iowa Health Group, which was actually a Business Email Compromise attack. There's also good news for Boston Children's Hospital, as the hacktivist charged with disrupting its network in 2014 has been convicted.

Show Notes Resources:
  • HHS puts PHI at risk: https://healthitsecurity.com/news/hhs-fails-to-fix-cybersecurity-vulnerabilities-putting-phi-at-risk
  • Iowa Health Group hit with 1.4M patient record breach: https://www.databreachtoday.com/iowa-health-group-data-breach-hits-14-million-patients-a-11264
  • Boston Children's Hospital hacktivist is convicted: https://www.bankinfosecurity.com/boston-childrens-hospital-ddos-attacker-convicted-a-11279

One Cool Things:
  • Malwarebytes Browser Extension: https://www.bleepingcomputer.com/news/security/malwarebytes-browser-extension-blocks-malware-scams-ads-and-trackers/
  • Sir Patrick Stewart ready to engage his Star Trek fans again: https://www.npr.org/2018/08/05/635809156/patrick-stewart-is-reprising-his-role-as-captain-picard-in-new-star-trek-series

 NIST Securing EHR on Mobile Devices, America's Most Cyber Insecure Airports, and Black Hat Preview | File Type: audio/mpeg | Duration: 51:06

Gerry and Steve cover the recently released practical guidance from NIST on securely integrating mobile devices into clinical practice. They discuss, then poke holes in, a recent, widely distributed report on America's most cyber insecure airports, and with Black Hat on the horizon they preview what to expect from the event and in the coming weeks. As always, they wrap up with One Cool Thing.

Show Notes Resources:
  • NIST Securing Electronic Health Records on Mobile Devices: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-ehr-nist-sp1800-1.pdf
  • Most insecure airports: https://www.cnbc.com/2018/07/17/these-are-the-10-airports-where-youre-most-likely-to-be-hacked.html
  • Black Hat: https://www.blackhat.com/us-18/

One Cool Things:
  • Magic Leap Coming Soon: https://techcrunch.com/2018/07/27/magic-leap-unveils-what-its-mixed-reality-operating-system-will-look-like/
  • Dune Remake: http://www.syfy.com/syfywire/dune-reboot-two-movies-two-years-denis-villeneuve

 Supply Chain Risks, Healthcare Sector Coordinating Council, and Emotet Threat Distribution | File Type: audio/mpeg | Duration: 41:14

Gerry and Steve discuss the challenge organizations face in securing their supply chain, citing a recent case in which a robotics vendor exposed IP belonging to major car manufacturers. They provide an update on the Healthcare Sector Coordinating Council's efforts to execute on the 2017 Healthcare Cybersecurity Task Force report. They dive into the Emotet malware and how it has evolved from a simple banking trojan in 2014 into a threat distribution platform. As always, they wrap up with One Cool Thing.

Show Notes Resources:
  • Third Party Risk: https://www.upguard.com/breaches/short-circuit-how-a-robotics-vendor-exposed-confidential-data-for-major-manufacturing-companies
  • Healthcare Sector Coordinating Council Cybersecurity Working Group: https://nhisac.org/announcements/healthcare-sector-coordinating-councils-cybersecurity-working-group-moves-boost-membership/
  • Emotet: https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

One Cool Things:
  • Alexa interprets sign language: https://www.theverge.com/2018/7/24/17606614/amazon-alexa-echo-mod-sign-language-gestures-ai
  • Flying Cars: https://www.digitaltrends.com/cars/opener-blackfly-flying-car/

 Russia Indictments, Insurers Exploitation of Medical Data, and Sextortion | File Type: audio/mpeg | Duration: 41:55

Gerry and Steve have read the DOJ indictment of the Russian nationals behind APT28, aka “Fancy Bear”, aka Unit 26165. The techniques and extent of the attacks are covered and discussed. They turn their attention to an NPR investigation into the techniques health insurers are employing to determine policy premiums. Thirdly, they touch on a ‘hot’ criminal email campaign going on right now, dubbed ‘sextortion’. As always, they close the show with One Cool Thing.

Show Notes Resources:
  • DOJ Russia Indictment: https://www.justice.gov/opa/press-release/file/1035562/download
  • Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates: https://www.npr.org/sections/health-shots/2018/07/17/629441555/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates
  • Sextortion: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

One Cool Things:
  • The Seedy Underbelly Stops for the World Cup: https://www.scmagazine.com/cybercriminals-take-the-day-off-to-watch-the-world-cup/article/780398/
  • Scuba Jet Pack like Jonny Quest: https://www.digitaltrends.com/cool-tech/underwater-jetpack-project/

 Security Provider Being Sued for Effectiveness, California’s New “GDPR-esque” Law, and More Wearable Security Concerns | File Type: audio/mpeg | Duration: 54:20

Gerry and Brandon dig into a recent lawsuit in which a cyber insurance company is suing a security provider for gross negligence in protecting the insurer's client's systems, and what this may mean for the industry going forward. They investigate California's new privacy law and how it relates to individuals and the healthcare industry. They finish up discussing yet another wearable device security issue and its impact. As always, they close the show with One Cool Thing.

Show Notes Resources:
  • Security Firm Sued for Failing to Detect Malware That Caused a 2009 Breach: https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/
  • Why California's New Privacy Law Is a ‘Whole New Ballgame’: https://www.healthcareinfosecurity.com/interviews/californias-new-privacy-law-whole-new-ballgame-i-4036
  • More wearable security concerns: https://www.av-test.org/en/news/fitness-trackers-13-wearables-in-a-security-test/ and https://www.csoonline.com/article/3287646/security/polar-fitness-app-exposed-personal-information-of-soldiers-and-spies.html#tk.twt_cso

One Cool Things:
  • Skimmer Scanner: https://play.google.com/store/apps/details?id=skimmerscammer.skimmerscammer&hl=en_US
  • 1962 “OG” Comms Satellite Launch

 Magic Unicorns, Exactis Data Breach, and an Interview with Phishing Expert Elizabeth Snead | File Type: audio/mpeg | Duration: 46:42

Gerry's on holiday, and Security Architect Matt Jones joins the podcast to discuss the recent Magic Unicorn revelation that has forensics experts in a tizzy. We also dive into an interview with Elizabeth Snead, an expert on phishing campaigns, as she gives us insight into interesting types of phishes and what you can do to defend yourself. And since we're talking about phishing, Matt and Steve discuss the recent Exactis breach and what it could mean for advancing spear-phishing campaigns. Finally, we wrap up with some One Cool Thing magic.

Show Notes Resources:
  • Magic Unicorn: https://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/
  • Exactis exposes 340M user profile records: https://www.wired.com/story/exactis-database-leak-340-million-records/

One Cool Things:
  • SpaceX delivers Death Wish Coffee: https://www.cnet.com/news/spacex-dragon-delivers-death-wish-coffee-to-iss-astronauts/
  • Active Damping Phone Case: https://techcrunch.com/2018/06/27/this-clever-case-pops-open-to-protect-your-phone-when-you-drop-it/

 HIPAA Breaches, Fines, and Legislation | File Type: audio/mpeg | Duration: 40:33

It's all HIPAA this week, and you'd be surprised at the meat on this bone! Steve and Gerry discuss the recent massive OCR fine levied on a Texas healthcare provider, and how poor understanding of HIPAA requirements and policies is leading individuals to violate HIPAA with the best of intentions. Finally, the guys cover the challenges individuals face when attempting, as citizens, to bring HIPAA infractions to justice.

Show Notes Resources:
  • University of Texas MD Anderson Cancer Center ordered to pay $4.3M for 3 breaches involving 2 USB drives and a laptop: https://medcitynews.com/2018/06/md-anderson-4-3m-hipaa/
  • State of NY suspends nurse for unauthorized removal of PHI: https://healthitsecurity.com/news/new-york-suspends-nurse-for-hipaa-violation-affecting-3k-patients
  • Poor understanding of HIPAA requirements and policies can lead healthcare workers to deny or delay access to PHI: https://jamanetwork.com/journals/jama/fullarticle/2686002
  • Judge dismisses lawsuit charging LabCorp with HIPAA violation: https://healthitsecurity.com/news/amp/judge-dismisses-lawsuit-charging-labcorp-with-hipaa-violation

One Cool Things:
  • Recon-ng: https://bitbucket.org/LaNMaSteR53/recon-ng
  • Pi-hole: https://pi-hole.net/

 Google Location Data Leaks, Defense-in-Depth on the Homefront, and Practicality in a Security Program | File Type: audio/mpeg | Duration: 51:07

Gerry and Steve discuss recently released security research showing geolocation data leakage from unexpected sources. They provide a list of tried-and-true defense-in-depth techniques for non-corporate networks. They wrap up with a discussion on the practical application of security in corporate settings to get end-user buy-in.

Show Notes Resources:
  • Location data leak in Google Home and Chromecast: https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/
  • Practicality in a security program: https://www.darkreading.com/vulnerabilities—threats/3-tips-for-driving-user-buy-in-to-security-policies/a/d-id/1332053

One Cool Things:
  • Google AI: https://www.bloomberg.com/news/articles/2018-06-18/google-is-training-machines-to-predict-when-a-patient-will-die
  • Universal Translator: https://itunes.apple.com/us/app/speak-translate-translator/id804641004
