Security & Privacy Weekly News Roundup, Vol. 1, Issue 7

Just a pinch of punishment: AT&T’s $25 million settlement with the Federal Communications Commission isn’t enough to prompt other companies to take stronger security measures, some cybersecurity experts said. Tripwire’s Chris Conacher called it a “slap on the wrist” for the telecom giant, which reported revenue of $34.4 billion for the fourth quarter of 2014. AT&T had breaches involving mobile customers’ personal data at three call centers. “If you really want companies to think about security, you need to do something that makes the decision-makers sit up and listen,” Conacher said. Source: ComputerWorld

In the PIPE line: The health care industry is moving to electronic health record (EHR) systems, raising privacy and security questions. If patients believe EHR systems are insecure, they’ll hesitate to use them. Because digital medical files are large, encrypting them outright may be impractical. One alternative is Pseudonymization of Information for Privacy in e-Health (PIPE). It replaces the patient’s identifier with a pseudonym, so the patient’s name is disassociated from the medical data, and uses a secret key stored on a smartcard to grant or revoke access to the link between the two. Source: The Brookings Institution
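The core idea in that item, a record store that is never joined to the identity store except through a keyed pseudonym, can be shown with a small toy in Python. This is an added illustration of keyed pseudonymization in general, not PIPE’s actual protocol and not code from the Brookings piece; the class name, the HMAC-based pseudonym derivation, the in-memory tables and the sample patient data are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class PseudonymizedEHR:
    """Toy split store illustrating pseudonymization (assumption: not PIPE's design).

    - identities: patient_id -> name. Identifying data; in a real deployment this
      lives in a separately protected domain.
    - records:    pseudonym -> list of medical records. Stored in the clear (the
      page notes bulk encryption may be impractical) but carrying no name and no
      patient_id, so the table is unlinkable without the key.
    The only bridge between the two tables is HMAC(key, patient_id); the key plays
    the role of the smartcard-held secret.
    """

    def __init__(self):
        self.identities = {}
        self.records = {}

    @staticmethod
    def pseudonym(key: bytes, patient_id: str) -> str:
        # Keyed, so an attacker holding the record table cannot brute-force
        # patient ids into pseudonyms the way an unkeyed hash would allow.
        return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()

    def register(self, patient_id: str, name: str) -> None:
        self.identities[patient_id] = name

    def add_record(self, key: bytes, patient_id: str, record: str) -> None:
        self.records.setdefault(self.pseudonym(key, patient_id), []).append(record)

    def lookup(self, key: bytes, patient_id: str) -> list:
        # A wrong or revoked key simply derives a pseudonym that owns nothing.
        return list(self.records.get(self.pseudonym(key, patient_id), []))

    def rekey(self, old_key: bytes, new_key: bytes, patient_id: str) -> None:
        """Revoke access held under old_key by re-linking the records to new_key."""
        old = self.pseudonym(old_key, patient_id)
        new = self.pseudonym(new_key, patient_id)
        self.records[new] = self.records.pop(old, []) + self.records.get(new, [])

def demo() -> dict:
    """Constructed walk-through; returns the observations a reader would check."""
    ehr = PseudonymizedEHR()
    card_key = secrets.token_bytes(32)      # stands in for the smartcard secret
    ehr.register("P-1001", "Alice Example")   # constructed sample patient
    ehr.add_record(card_key, "P-1001", "2015-04-10 MRI knee, no tear")
    ehr.add_record(card_key, "P-1001", "2015-04-12 physiotherapy referral")

    with_key = ehr.lookup(card_key, "P-1001")
    without_key = ehr.lookup(secrets.token_bytes(32), "P-1001")
    # The record table alone never mentions the patient's name or id.
    leaks_identity = any(
        "Alice" in r or "P-1001" in r for recs in ehr.records.values() for r in recs
    )

    new_key = secrets.token_bytes(32)
    ehr.rekey(card_key, new_key, "P-1001")   # revoke the old card
    after_revoke_old = ehr.lookup(card_key, "P-1001")
    after_revoke_new = ehr.lookup(new_key, "P-1001")

    return {
        "with_key": len(with_key),
        "without_key": len(without_key),
        "leaks_identity": leaks_identity,
        "after_revoke_old": len(after_revoke_old),
        "after_revoke_new": len(after_revoke_new),
    }

if __name__ == "__main__":
    print(demo())
```

The point to take away is what the key protects: not the records themselves, which stay readable, but the link from a name to them, which is why losing the key store (or the smartcard) is the event that matters most in such a design.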

Credit where it’s not due: The biggest breach threats to credit unions may be internal, according to a survey of 772 IT professionals. “Insider Threats and the Need for a Fast and Directed Response,” a survey conducted by the SANS Institute and sponsored by behavior analysis software vendor SpectorSoft, said most organizations have security holes when it comes to protecting themselves against insider threats. Almost all respondents say they’re concerned that insiders could hurt their organizations. Source: Credit Union Times

Who’s watching who? With more companies getting permission to test drones for future commercial use, potential privacy violations could become an issue if the images that drones capture are used for reasons other than legitimate commerce. In the wrong hands, drones could be used as corporate spying devices. Several states have laws to try to address privacy concerns, but they usually are directed at private citizens, often offering piecemeal protections. Source: Business Insurance

Safety vs. security: Law enforcement and intelligence officials have warned that the increase in device encryption could hurt criminal and national security investigations. But the White House is looking at whether authorities have other ways to get the data they need, rather than pursuing regulatory or legislative action. Advocates of default commercial encryption find little in common with government officials who see rising danger as encryption becomes widespread on mobile phones and in text-messaging apps. Recently, Apple announced that each of its smartphones would carry a unique digital key usable only by its owner, so that even with a warrant, Apple could no longer unlock an iPhone. Source: The Washington Post

An ocean of risk: Navy Vice Chief of Naval Operations Adm. Michelle Howard wants to raise awareness of the dangers of cyber intrusion. “There’s not a person in the Department of the Navy who … doesn’t have a desktop, doesn’t deal with Microsoft products, Excel spreadsheets, databases, transference of data, e-mail, and so we are all in this domain. … We’re going to have to start becoming more sophisticated.” Source: The Navy Times

Wolves at the door: Given the current security levels for most companies, 90 percent would be vulnerable to an attack such as the one that hit Sony, which destroyed 3,000 computers and released sensitive information and proprietary content. “There are probably a couple thousand, three, four, five-thousand people who could do (the Sony) attack today,” Jon Miller, a former hacker now with antivirus software maker Cylance, told CBS’ 60 Minutes. “Not all of them are in friendly countries, and the number is growing rapidly.” Source: CNet

Changing priorities: A Harris Poll survey of 920 IT decision-makers found that data protection in health care organizations has been driven largely by compliance requirements—54 percent reported compliance requirements as the top reason for protecting sensitive data. But that’s changing, with respondents reporting that compliance is now their second priority for security spending, at 39 percent. Preventing a data breach ranks first, at 53 percent. More than a quarter of respondents (26 percent) reported that their organization had previously experienced a data breach. Source: eWeek

Plugging away: Microsoft has patched a vulnerability in the Windows HTTP protocol stack, HTTP.sys, the kernel-mode driver that handles HTTP requests for IIS and other Windows services, which could have serious consequences if exploited. “Once an attacker knows how to create the ‘specially crafted HTTP request,’ they can simply start targeting every Web server they can find until they hit one that is vulnerable,” said Andrew Storms, vice president of security services for New Context. “The work-around provided by Microsoft is very limited and doesn’t provide IT admins much to protect themselves while they test and deploy the patch.” Source: Threat Post

Chip “fingerprints”: Mitsubishi Electric, Ritsumeikan University and the Japan Science and Technology Agency have developed a technique to identify individual microchips by the physical variations in the materials used in fabrication. Researchers applied four 32-bit input signals to portions of the chip’s circuitry. An algorithm combines the results to produce a unique 128-bit number, which is placed in the chip’s register when the power is turned on. Because each chip can be recognized by this ID, the researchers suggest it could be used to stop malware infections from spreading between Internet of Things devices. Source: The Security Ledger

Target on your back: Security firm High-Tech Bridge has spotted what it is calling drive-by login attacks, in which a hacker sets up malicious code on a website he knows the victim is going to visit. The code is designed to deliver malware only to the targeted user, not all website visitors. An attacker only needs to compromise a website that the targeted individual is likely to visit, and obtain information that will help single out the victim. Source: Security Week

Cards on the table: The PCI Security Standards Council has updated its security requirements for payment card production to protect against fraud. The standards cover physical security of card production facilities, manufacturing of the cards, embedding chips, card personalization, and mailing and shipping. PCI SSC Chief Technology Officer Troy Leach said the updated requirements “will help card vendors secure the card production process from design all the way through delivery.” Source: SC Magazine

This article originally appeared on