InfoSec ICU show

InfoSec ICU

Summary: Each week, Gerry and Steve discuss Information Security topics relevant to the medical industry and to patients. From the latest hacks and bugs, to changes in the regulatory environment, and tips and tricks to keep your own personal information safe.

  • Artist: Information Security at the Medical University of South Carolina
  • Copyright: Medical University of South Carolina 2017

Podcasts:

 Unauthorized Access of Patient Record Sanctions and Interview with Former Anthem Information Security Leader | File Type: audio/mpeg | Duration: 1:01:00

Steve and Gerry discuss the termination of healthcare employees who violate privacy by ‘snooping’ on patients’ medical records, a topic Steve was interviewed about for a recent Post and Courier article. The guys also interview a former senior information security leader at Anthem and discuss his experience of being on the front lines of a mega-breach.

Show Notes

Resources:
  • Post and Courier article: “MUSC terminates employees who ‘snoop’ in patients’ medical records” https://www.postandcourier.com/health/musc-terminates-employees-who-snoop-in-patients-medical-records/article_b8b0abe6-1645-11e8-85e2-579077b71f57.html
  • Few Consequences For Health Privacy Law’s Repeat Offenders https://www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders
  • Matt Klein Bio http://academicdepartments.musc.edu/pr/pressrelease/2016/klein.htm
  • Anthem breach https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML

One Cool Things:
  • Flipboard https://flipboard.com/
  • Flying Taxis https://www.digitaltrends.com/cool-tech/ehang-184-drone-flying-taxi-ces-2016/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Insider Threats at Apple, The Cost of Malicious Cyber Activity, and When MFA Goes Bad | File Type: audio/mpeg | Duration: 43:57

The guys discuss a diversity of topics this week! An intern at Apple abused access, resulting in the release of sensitive intellectual property. They discuss the Executive Branch report “The Cost of Malicious Cyber Activity to the U.S. Economy” and the challenges of improving information security at a national level. Finally, MFA sounds great in theory, but bad things can happen; the guys discuss process issues that can undermine MFA.

Show Notes

Resources:
  • iPhone iBoot source code leaked: https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone-iboot-source-code-leaked-on-github
  • The Cost of Malicious Cyber Activity to the U.S. Economy: https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
  • Director of National Intelligence report to Senate Intelligence Committee: https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf

One Cool Things:
  • Flight Sims Labs Hacks Back: https://motherboard.vice.com/en_us/article/pamzqk/fs-labs-flight-simulator-password-malware-drm
  • Best of Charleston: http://chscp.co/BestOfArts

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Cyber Threat Intelligence, Cybersecurity Summit, and More Monero Mining Attacks | File Type: audio/mpeg | Duration: 45:40

Steve and Gerry discuss the value and utility of the recently published SANS 2018 Cyber Threat Intelligence (CTI) report. They share reflections on the encryption debate at the Charleston School of Law Cybersecurity Summit, and cover government sites that are serving up more than information to visitors (cryptomining delivered through a compromised third-party utility).

Show Notes

Resources:
  • Information Sharing and Analysis Centers (ISACs): https://www.nationalisacs.org/
  • Charleston School of Law Cybersecurity Summit: http://charlestonlaw.edu/2018/01/31/10th-law-society-symposium-feb-9-focus-cybersecurity/
  • Keynote Speaker at Cybersecurity Summit, Mike McConnell: https://www.boozallen.com/d/bio/leadership/john-m—mike–mcconnell.html
  • Govt websites serving cryptomining through third party utility: https://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/

One Cool Things:
  • Southern Tier Choklat: http://www.stbcbeer.com/beer/cholat/
  • Signal Messaging App: https://signal.org/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 National Cybersecurity Safety Board, “Smart” Data, and Cyber Insurance | File Type: audio/mpeg | Duration: 46:49

Would the creation of a National Cybersecurity Safety Board (NCSB), akin to the National Transportation Safety Board (NTSB), be a reasonable and effective mechanism to increase overall cybersecurity for all industries in the United States? Academics propose it, Gerry and Steve discuss it! Also, how smart data is giving away sensitive personnel locations, and the always sexy world of cyber insurance (seriously, cyber insurance).

Show Notes

Resources:
  • National Cybersecurity Board: http://www.securityweek.com/does-us-need-national-cybersecurity-safety-board
  • Health data tracking you: https://motherboard.vice.com/en_us/article/43q7qq/apple-health-data-is-being-used-as-evidence-in-a-rape-and-murder-investigation-germany
  • Strava web app globally mapping locations of users, including military bases! https://www.bleepingcomputer.com/news/technology/fitness-tracking-app-accidentally-exposed-military-bases/
  • Cyber insurance discounts for Cisco and Apple products: http://www.foxbusiness.com/features/2018/02/05/apple-cisco-team-up-with-insurance-companies-to-offer-cyber-policy-discounts.html

One Cool Things:
  • Altered Carbon https://www.netflix.com/title/80097140
  • 15th Annual Palmetto Regional First Robotics Competition! http://www.myrtlebeachfirstrobotics.com/
  • Stephen Sondheim’s Company at Midtown Productions https://www.midtownproductions.org/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Women in Technology and Cyber Risk Reduction Low Hanging Fruit | File Type: audio/mpeg | Duration: 45:30

Women in technology and cybersecurity is an important topic. We engage with two female cybersecurity professionals who provide first-hand accounts of their experiences and thoughts on women in technology, and discuss several initiatives that support opportunities for women to learn and build a successful career in the technology and cybersecurity space. Steve and Gerry also provide some easy-to-implement security controls that significantly reduce your personal cyber risk. Special thanks to Vanna Ramaiah and Whitney Champion for their time and contributions.

Show Notes

Resources:
  • Girl Scouts offering merit badges in cybersecurity https://www.reuters.com/article/us-usa-girlscouts/new-girl-scout-badges-focus-on-cyber-crime-not-cookie-sales-idUSKBN19C29G
  • GirlsGoCyberStart http://www.dllr.maryland.gov/whatsnews/cyberpart.shtml https://girlsgocyberstart.com/
  • RedHat Co.Lab https://www.redhat.com/en/open-source-stories/colab
  • Women Who Code https://www.womenwhocode.com/
  • DjangoGirls https://djangogirls.org/
  • PyLadies http://www.pyladies.com/
  • Google Inactive Account Manager https://myaccount.google.com/inactive

One Cool Things:
  • Curated list of Women in Infosec Gerry “follows” on Twitter: Caroline Wong @CarolineWMWong, Amanda Rousseau @malwareunicorn, Whitney Champion @shortxstack, Sarah Edwards @iamevltwin, Whitney Merrill @wbm312, Shannon Morse @snubs, Kelly Paxton @pdxcfe
  • The Analogies Project https://theanalogiesproject.org/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 SamSam and Zyklon, Global Risk Report, and Social Engineering the CIA Director | File Type: audio/mpeg | Duration: 47:40

If it isn’t broke, don’t fix it! SamSam, an old standby ransomware-focused malware, returns for an encore performance. Steve and Gerry cover the (macro-level) Global Risk Report from the World Economic Forum, shining a light on the escalation of cyberattacks into the “magic quadrant”, and a 15-year-old hacktivist manages to social engineer his way into “pwning” the CIA Director’s personal accounts.

Show Notes

Resources:
  • SamSam: http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
  • Zyklon: https://threatpost.com/attackers-use-microsoft-office-vulnerabilities-to-spread-zyklon-malware/129503/
  • WEF Global Risk Report: http://www3.weforum.org/docs/WEF_GRR18_Report.pdf
  • Social engineering hack: https://www.helpnetsecurity.com/2018/01/22/hack-social-engineering

One Cool Things:
  • See where that Bitly link goes: https://support.bitly.com/hc/en-us/articles/230905028-What-is-the-Bitly-info-plus-page-
  • Ecco Shoes: https://us.shop.ecco.com/

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Cryptomining, GDPR, and Medical Device Technical Debt | File Type: audio/mpeg | Duration: 39:22

Do you believe in a money machine? Gerry and Steve discuss the current trends in cryptomining, which seems to make money from electricity. They also give an overview of the EU’s new privacy regulation, the General Data Protection Regulation (GDPR), and they dig into the concept of technical debt, especially as it concerns medical devices. As always, they wrap up with their One Cool Things.

Show Notes

Resources:
  • Cryptomining
  • CoffeeMiner
  • GDPR
  • Healthcare Information Security Podcast

One Cool Things:
  • Internet Storm Center’s StormCast podcast
  • Drop7

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Meltdown and Spectre, Cryptomining Teaser | File Type: audio/mpeg | Duration: 46:54

Gerry and Steve talk about the recently released vulnerabilities Meltdown and Spectre. They cover what they are, how disclosure was handled as an industry, and what you need to know as a system admin or end user. They briefly introduce cryptomining and tease next week’s episode. Much like an audible dessert, they wrap it all up with their One Cool Things.

Show Notes

Resources:
  • Meltdown and Spectre https://meltdownattack.com/
  • CoinHive https://www.pcmag.com/news/357535/why-hackers-love-cryptocurrency-miner-coinhive
  • Anvil.Works https://anvil.works
  • WTForecast https://nightcatproductions.com/whattheforecast

 NiceHash CTO is Darkode Founder, Websites Stealing Browser Autofill Data, and New Years Cyber-Resolutions | File Type: audio/mpeg | Duration: 45:31

Gerry and Steve talk about the recent revelation that the CTO of the Bitcoin mining company NiceHash did jail time for running the Darkode cybercrime forum, and the need to perform background checks to better understand risk. They also dive into a recent finding out of Princeton that identified websites using hidden form fields to grab data from your browser’s autofill feature for use in ad tracking. And, since it’s the New Year, they present some potential cyber resolutions you should consider to make your 2018 the most secure one yet. And, of course, they wrap it all up with their One Cool Things.

Show Notes

Resources:
  • NiceHash CTO former cyber criminal https://krebsonsecurity.com/2017/12/former-botmaster-darkode-founder-is-cto-of-hacked-bitcoin-mining-firm-nicehash/
  • Bitcoin Primer from Ars Technica https://arstechnica.com/tech-policy/2017/12/how-bitcoin-works/
  • Websites that steal data from browser autofill https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research https://webtransparency.cs.princeton.edu/no_boundaries/autofill_sites.html
  • Mr Robot Steganography breakdown http://jszym.com/blog/mr.robot-hides-data-on-audio-disks-and-so-can-you.html

Contact:
  • Email: infosecicu@musc.edu
  • Twitter: Gerry Auger (@Gerald_Auger), Steven Cardinal (@sgcardinal)

 Cyber Jobs in High Demand, Industry Certifications, and Security Conferences | File Type: audio/mpeg | Duration: 36:32

The guys look toward 2018, helping with your cyber New Year’s resolutions! They discuss cyber jobs and the demand for a cybersecurity workforce in the United States, and how you can pivot into the industry or charge up your career if you are already working in information security. They also drill into industry-specific certifications and conferences that can expose you to diverse aspects of the field and give you a tactical advantage at the negotiating table. If you have questions or suggestions, email us at infosecicu@musc.edu.

Show Notes

Resources:
  • Job Market Study from Frost and Sullivan (supported by NIST), “2017 Global Information Security Workforce Study” https://iamcybersafe.org/wp-content/uploads/2017/07/N-America-GISWS-Report.pdf
  • 2014 Cisco Annual Security Report, presented at CSO Online https://www.csoonline.com/article/3201974/it-careers/cybersecurity-job-market-statistics.html
  • NORSE map (global attack visualization) http://map.norsecorp.com/#/

Certifications:
  • CompTIA https://www.comptia.org/
  • (ISC)² (CISSP, SSCP, HCISPP) https://www.isc2.org/
  • ISACA (CISA, CISM) https://www.isaca.org/pages/default.aspx
  • SANS (GIAC) https://www.sans.org/
  • Technology specific (CCNA, MCSE) https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-routing-switching.html https://www.microsoft.com/en-us/learning/mcse-certification.aspx
  • DoD Approved 8570 Baseline Certifications https://iase.disa.mil/iawip/Pages/iabaseline.aspx

Security conferences:
  • Black Hat http://www.blackhat.com/
  • DEF CON https://www.defcon.org/
  • ShmooCon http://shmoocon.org/
  • BSides (Charleston, Augusta) http://www.securitybsides.com/w/page/12194156/FrontPage#PastPresentandFutureBSidesEvents
  • DerbyCon https://www.derbycon.com/
  • DakotaCon http://dakotacon.org/
  • HIMSS http://www.himss.org/Events
  • EDUCAUSE (Security) https://events.educause.edu/security-professionals-conference/2018
  • RSA

 Holiday Fraud Protection, California Voter Data Breach, and the SANS Holiday Hack Challenge | File Type: audio/mpeg | Duration: 33:46

Steve gets a bank fraud alert on his credit card and passes along some tips to protect yourself during the holiday shopping season. Gerry talks about some attackers who went shopping through a California voter database and won big. They both share their experience with this year’s SANS Holiday Hack Challenge. If you have questions or suggestions, email us at infosecicu@musc.edu. Please excuse the little bit of static we got during recording. The problem has been corrected for future episodes (bad USB cable).

Show Notes

Resources:
  • Bank Fraud Examples: https://www.theguardian.com/money/2017/dec/09/text-bank-student-loan-money
  • Avoiding Security researchers https://gbhackers.com/most-important-tools/
  • California Voter Information Data Breach: https://mackeepersecurity.com/post/cyber-criminals-steal-voter-database-of-the-state-of-california https://www.scmagazine.com/millions-of-california-voter-records-exposed-in-unprotected-mongodb/article/719028/ https://docs.mongodb.com/manual/administration/security-checklist/
  • SANS Holiday Hack Challenge: https://www.holidayhackchallenge.com/2017/
  • Cybrary: https://www.cybrary.it/
  • Python may be coming to Excel https://www.bleepingcomputer.com/news/microsoft/microsoft-considers-adding-python-as-an-official-scripting-language-to-excel/

You can also follow Gerry and Steve on Twitter.

Disclaimer: Please note the views and opinions of the hosts are their own and not necessarily those of the Medical University of South Carolina.

 Stanford Chief Digital Officer Resigns over Breach Coverup, House Energy and Commerce Commission Seeks to Improve Medical Device Security, and SambaCry Attack Encrypts NAS | File Type: audio/mpeg | Duration: 29:12

If you discover an internal data breach, do you (a) report it to the affected individuals, or (b) fix it quickly and say nothing? One official at Stanford University chose poorly. The U.S. House Energy and Commerce Committee asked some great questions of Health and Human Services (HHS), including requiring medical device manufacturers to report a Bill of Materials (BoM) for all software components in their medical devices. Also, following on the heels of WannaCry was a Linux version called SambaCry, which has now been weaponized as a ransomware delivery mechanism. So get your Linux and NAS devices patched and amp up the monitoring. Gerry and Steve talk about all these topics plus their One Cool Things in this week’s episode.

Show Notes

Resources:
  • Stanford CDO resigns over data breach handling: https://www.sfgate.com/education/article/Stanford-University-executive-leaves-job-after-12407976.php
  • House Energy and Commerce Committee wants Bill of Materials from medical device manufacturers: https://www.scmagazine.com/house-committee-asks-hhs-to-boost-cybersecurity-by-requiring-component-list-for-medical-devices/article/708139/
  • SambaCry and the new StorageCrypt ransomware attack: https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/ https://f5.com/labs/articles/threat-intelligence/cyber-security/sambacry-the-linux-sequel-to-wannacry
  • Emotion Analytics: http://searchhrsoftware.techtarget.com/feature/Emotion-analytics-may-expose-your-true-feelings-to-HR
  • What Every Body is Saying by Joe Navarro: https://www.goodreads.com/book/show/1173576.What_Every_Body_is_Saying
  • MoviePass https://www.moviepass.com/

Disclaimer: Please note the views and opinions of the hosts are their own and not necessarily those of the Medical University of South Carolina.

 Apple’s root Problem, Congressional Testimony on Identity Verification, and National Tax Security Awareness Week | File Type: audio/mpeg | Duration: 31:43

Gerry and Steve give you an Apple security update on the recent macOS High Sierra bug, discuss recent testimony given to Congress about identity verification in a post-breach world, and share some advice from the IRS on avoiding tax fraud with tax season coming up. The guys also present their One Cool Thing.

Show Notes

Resources:

Apple security problem in macOS High Sierra

A vulnerability in macOS High Sierra has been identified that allows an attacker to bypass administrator authentication without supplying the administrator’s password. Basically, someone can have root access to the machine without having to provide a password. In concert with your inner monologue: yes, this is an awful vulnerability. Fortunately, Apple has responded quickly and has released a patch (Security Update 2017-001). This vulnerability applies to systems running macOS High Sierra and does not affect systems running macOS Sierra 10.12.6 and earlier.
  • https://support.apple.com/en-us/HT208315
  • https://support.apple.com/en-us/HT201541

House Energy and Commerce Hearing
  • https://energycommerce.house.gov/hearings/identity-verification-post-breach-world/

IRS anti-tax-fraud tips and tricks

As part of National Tax Security Awareness Week (November 27 to December 1), the Internal Revenue Service (IRS) is releasing daily security tips to help taxpayers protect their data and identities against tax-related identity theft.
  • https://www.irs.gov/newsroom/national-tax-security-awareness-week-2017

 E00 – Introduction to InfoSec ICU | File Type: audio/mpeg | Duration: 5:40

Show Notes

Introducing the InfoSec ICU Podcast, in which hosts Gerry Auger and Steven Cardinal discuss Information Security topics of interest to those working within the healthcare field. You’ll get the latest cyber news, tips and tricks for keeping yourself safe online, and a glimpse at the cool tech and scary threats coming down the pike. Please note that the views and opinions expressed on this podcast belong to the hosts and do not necessarily reflect those of the Medical University of South Carolina.
