Tag Archive for: Breaches

Breaches, patches, leaks and tweaks! [Audio + Text] – Naked Security

/in


Latest epidode – listen now.

DOUG.  Breaches, breaches, patches, and typios.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Daul Pucklin…

…I’m sorry, Paul!

DUCK.  I think I’ve worked it out, Doug.

“Typios” is an audio typo.

DOUG.  Exactly!

DUCK.  Yes… well done, that man!

DOUG.  So, what do typos have to do with cybersecurity?

We’ll get into that…

But first – we like to start with our This Week in Tech History segment.

This week, 23 January 1996, version 1.0 of the Java Development Kit said, “Hello, world.

Its mantra, “Write once, run anywhere”, and its release right as the web’s popularity was really reaching a fever pitch, made it an excellent platform for web-based apps.

Fast-forward to today, and we’re at version 19, Paul.

DUCK.  We are!

Java, eh?

Or “Oak”.

I believe that was its original name, because the person who invented the language had an oak tree growing outside his office.

Let us take this opportunity, Doug, to clear up, for once and for all, the confusion that lots of people have between Java and JavaScript.

DOUG.  Ooooooh…

DUCK.  A lot of people think that they are related.

They’re not related, Doug.

They’re *exactly the same* – one is just the shortened… NO, I’M COMPLETELY KIDDING YOU!

Java is not JavaScript – tell your friends!

DOUG.  I was, like, “Where is this going?” [LAUGHS]

DUCK.  JavaScript basically got that name because the word Java was cool…

…and programmers run on coffee, whether they’re programming in Java or JavaScript.

DOUG.  Alright, very good.

Thank you for clearing that up.

And on the subject of clearing things up, GoTo, the company behind such products as GoToMyPC, GoToWebinar, LogMeIn, and (cough, cough) others says that they’ve “detected unusual activity within our development environment and third party cloud storage service.”

Paul, what do we know?

GoTo admits: Customer cloud backups stolen together with decryption key

DUCK.  That was back on the last day of November 2022.

And the (cough, cough) that you mentioned earlier, of course, is GoTo’s…

Source…

Google Ads exploited for network breaches | SC Media – SC Media

/in



Google Ads exploited for network breaches | SC Media  SC Media

Source…

Hacking, Security & Privacy News: data breaches and leaks, new hacks & more

/in


Jak Connor | Jan 16, 2023 7:34 AM CST

Norton LifeLock, a very well-known provider of identity protection and cybersecurity services, recently revealed in an announcement that thousands of its customers had their accounts compromised.

Norton announces thousands of its customer accounts have been hacked 65

The parent company of Norton LifeLock, Gen Digital, states that the likely cause of the hack was a “credential stuffing” attack, which is when previously exposed or breached credentials of accounts are used to break into other accounts on different sites and services that have the same passwords. The company notes that it detected a “large volume” of failed logins to customer accounts on December 12, which led them to discover that the intruders had compromised accounts dating back to December 1.

The company sent notices to about 6,450 Norton customers whose accounts were affected by the breach. In the data breach notice, Gen Digital states that the unauthorized third party may have viewed customers’ first names, last names, phone numbers, and mailing addresses. The company also said that it could not rule out that the intruders also accessed some customers’ saved passwords.

Continue reading: Norton announces thousands of its customer accounts have been hacked (full post)

Cameron Wilmot | Jan 10, 2023 2:22 PM CST

It wasn’t until recently that I discovered Chrome has an in-built feature to help protect your kids (and anyone, actually) while browsing the web with Google’s popular web browser. A recent Facebook post from the Google Chrome page alerted me to its “Enhanced Protection” security mode and family DNS feature, which we dive into below.

An easy way to protect your kids while browsing the net with Google Chrome 1

In the simplest terms, when turned on, this feature proactively monitors the user’s behavior in Chrome and blocks bad websites, downloads, and extensions before they can cause a problem on your device. For example, you or your child might be about to enter a harmful website that attempts to steal important information. Chrome blocks the website and presents a very obvious red screen warning you.

A little discussion with your kids would go a long way, alerting them if they see this obvious red screen, reminding them it’s a bad site and they shouldn’t visit it. Chrome can also scan any downloads before the files are…

Source…

Scripps Health, Avalon Healthcare reach settlements after data breaches

/in


One hundred dollar bills with Benjamin Franklin's profile are scattered in a pile.
Two recent healthcare data breach settlements spotlight the impact beaches have on the sector. (“Cash Money (part two)” by jtyerse is licensed under CC BY-NC-ND 2.0.)

States have ramped up enforcement efforts against entities affected by ransomware and other data privacy breaches, particularly those in healthcare, over the last year. At an even greater pace, there’s been a relentless uptick in the number of breach lawsuits filed against providers.

Two recent healthcare data breach settlements spotlight the growing dichotomy and impact on the healthcare sector. 

Oregon and Utah recently handed down a $200,000 fine to Avalon Healthcare Management to resolve compliance issues found in the wake of its 2019 email-related data breach, while Scripps Health reached a $3.5 million settlement with patients affected by its 2021 incident.

Avalon Health pays states $200K, with new security requirements

The attorneys general of Utah and Oregon reached a $200,000 settlement with Avalon Health, which also requires the provider to develop and implement practices that aim to bolster its information security for both patient and employee data.

In April 2020, the skilled nursing, therapy, senior living, and assisted living provider reported an email-related incident affecting 14,500 Avalon employees and patients. A threat actor gained access to an email account 10 months earlier in July 2020, after an employee fell victim to a phishing attack.

The account contained employee and patient names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.

The delayed notification prompted the states’ joint investigation, with a particular focus on Avalon’s email security practices and compliance with state breach notification laws and the Health Insurance Portability and Accountability Act. Under HIPAA, notices are required without undue delay and within 60 days of discovery. Under Oregon law, the timeline is just 45 days.

The delay, highly common with email-related breaches in healthcare, prompted the fine, as well as the sensitivity of the data it held,…

Source…