Tag Archive for: disclosures

Industry launches hacking policy council, legal defense fund to support security research and disclosures


Google and other companies will develop and stand up a pair of new initiatives that will provide policy guidance to governments and legal protection to security researchers engaged in “good faith” vulnerability research and disclosure, while the tech giant also said it would formalize an internal policy to be publicly transparent when bugs in Google products are exploited in the wild.

The moves include the establishment of an industry-led Hacking Policy Council, which would be designed to bring together “like-minded organizations and leaders who will engage in focused advocacy [for] new policies and regulations [that] support best practices for vulnerability management and disclosure and do not undermine our users’ security,” as well as a planned nonprofit that would fund legal costs for security researchers who are sued or prosecuted while conducting vulnerability research and disclosure, according to a blog post published alongside the announcements Wednesday.

The council will include representatives from bug bounty firms HackerOne, BugCrowd, Intigriti and Luta Security, as well as Venable, a law firm that specializes in cybersecurity law and policy matters, and Intel.

“I think it’s very much a coalition of the willing,” said Charley Snyder, head of security policy at Google, when asked how the council chose its initial membership. “There was no real criteria [for membership]…this is a fairly specialized area of policy, and these companies are ones that are really invested in getting it right.”

Snyder and Tim Willis, head of Google’s Project Zero, which conducts research on zero-day vulnerabilities, mentioned a trio of information security standards from the International Organization for Standardization (ISOs 27001, 27002 and 30179) as examples of the kind of standards and best practices that will guide the council’s recommendations.

The formation of the council comes at a time when the United States and other nations are showing an increased willingness to regulate the cybersecurity choices of businesses and other entities to prevent cyberattacks from significantly disrupting or spreading through a particular sector, critical infrastructure and other essential services.

The use of…

Source…

Data management company to pay $3 million in settlement with feds over 2020 ransomware disclosures


Blackbaud Inc., which sells donor data management software to nonprofits, agreed Thursday to pay the Securities and Exchange Commission $3 million in a settlement regarding disclosures of a 2020 ransomware attack.

The SEC charged that Blackbaud violated federal law in making misleading disclosures that failed to mention the full extent of customer information seized in the cyberattack. Part of that failure stemmed from company personnel neglecting to inform upper management that sensitive data had been taken.

On May 14, 2020, Blackbaud discovered that someone had been accessing its internal systems without authorization since as early as February 2020, and found messages from the perpetrator saying that customer data had been taken from the system.

The attacker demanded a ransom in exchange for deleting the stolen data. Blackbaud hired a third-party vendor to investigate the intrusion and to handle communications with the attacker, which eventually led to payment of the ransom.

By July 16, 2020,

Source…

EHR Vendors’ Disclosures Are Latest Security Risk Reminders


Breach Notification, Critical Infrastructure Security, HIPAA/HITECH

QRS Inc. Reports Patient Portal Hack; Philips Reveals TASY EMR Security Flaws


A recent large hacking incident and a separate vulnerability disclosure involving two different vendors’ products related to electronic health records serve as the latest reminders of the potential risks these systems can pose to patients’ protected health information.


Tennessee-based QRS Inc., vendor of the Paradigm practice management and electronic health records systems, on Oct. 22 reported to the Department of Health and Human Services a hacking/IT incident involving a patient portal server that affected the PHI of nearly 320,000 individuals.

Meanwhile, in a separate development, medical technology vendor Philips Healthcare and the Cybersecurity and Infrastructure Security Agency on Thursday each issued security advisories concerning two SQL injection vulnerabilities identified in the Philips TASY Electronic Medical Record HTML5 system, versions 3.06.1803 and prior.


The Philips EMR vulnerabilities, if exploited, pose risks to patient data confidentiality, the advisories say.

The two situations “are another reminder of how vulnerable the entire healthcare system is from the standpoint of cybersecurity,” says George Jackson, a senior principal consultant at privacy and security consultancy Clearwater.

“One is an example of a serious vulnerability requiring a…

Source…

Google Gets a Jump on Cyber Awareness Month with Repeated Zero Day and High Rank Threat Disclosures


In seeming anticipation of Cyber Awareness Month in October, Google began a series of “Whack-a-Mole” updates to address a spate of Chrome security flaws. Each time they knocked a batch down, more have popped up. In the first week of October, Google announced they had found the 12th and 13th zero day exploits of 2021, affecting Linux, macOS, and Windows users – just days after number 11 was made public. More disclosures of high ranking exploits have since followed at what seems to be an accelerating pace.

“Zero day” exploits are particularly dangerous because hackers are aware of – and can exploit – them before security patches are available to fix them. With 2.65 billion Chrome users worldwide and a 65% market share, these newest Chrome zero days left an awful lot of users exposed to danger until Google released fixes. And since many organizations take some time to roll out new versions of their browsers, many users will be exposed to these vulnerabilities for quite a while.


Browsers are designed to run untrusted web content inside a sandboxed renderer process, so that code from a page never touches anything else on the device. Browser security vulnerabilities are dangerous because, chained together, they let attacker code “jump” out of that sandbox and execute on the device itself.

Use-After-Free Vulnerabilities

A number of the latest zero day exploits and high-rated threats were Use-After-Free (UAF) vulnerabilities, which are some of the most dangerous software vulnerabilities around.

Normally, when an application finishes using a block of memory, it frees the block and the allocator may hand it out again to the next request. A UAF occurs when the program keeps a pointer to the block after freeing it and later uses that stale pointer. If an attacker can arrange for a same-sized object under their control (a string created by page script is enough) to be allocated in between, the allocator typically recycles the freed block for it, so the stale pointer now refers to attacker-chosen bytes. When the program then uses the pointer, for instance by calling through a function or vtable pointer that lived in that block, the attacker steers execution.

Additionally, since freed memory is not wiped and the same block is simply reused for whatever is allocated next, a stale pointer can also be used to read, rather than corrupt: reading through it leaks the contents of whatever object now occupies that memory, including sensitive customer or organization data, without crashing anything.
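To make those two outcomes concrete, here is an added example that is not from the original article and is not Chromium's code: a toy slab allocator in C with the two properties the attack relies on (a freed slot is handed straight back to the next same-size allocation, and nothing is wiped on free). It shows the stale function pointer reading attacker-chosen bytes, the stale field reading another object's secret, and a hardening toggle that withholds freed slots from reuse (a simplified stand-in for allocator quarantines) to show which step the attack depends on. The pool, the widget and session structs, and the cookie value are all constructed for this demonstration; it assumes a 64-bit build so that both structs have the same 32-byte layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator standing in for one browser heap bucket: 32-byte slots,
 * LIFO free list, nothing wiped on free. Example code, not Chromium's allocator. */
#define SLOT_SIZE 32
#define SLOT_COUNT 8

static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int free_slots[SLOT_COUNT];
static int free_top;
static int quarantine_freed;  /* hardening toggle: withhold freed slots from reuse */

static void pool_reset(int hardened) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)  /* slot 0 is handed out first */
        free_slots[free_top++] = i;
    quarantine_freed = hardened;
}

static void *pool_alloc(void) {
    return free_top > 0 ? pool[free_slots[--free_top]] : NULL;
}

static void pool_free(void *p) {
    int idx = (int)(((unsigned char *)p - pool[0]) / SLOT_SIZE);
    if (quarantine_freed) return;          /* slot parked: the next alloc gets a fresh one */
    free_slots[free_top++] = idx;          /* contents left in place; reused next */
}

/* Two unrelated object types that share the bucket and the same field layout. */
struct widget {
    void (*on_click)(struct widget *);  /* control data, like a C++ vtable pointer */
    uint32_t id;
    char label[20];
};
struct session {
    uint64_t user_id;
    uint32_t flags;
    char cookie[20];                    /* same offset as widget.label */
};

static void benign_click(struct widget *w) { (void)w; }

/* The bug: the widget is released but the reference to it is kept. */
static struct widget *make_dangling_widget(int hardened) {
    pool_reset(hardened);
    struct widget *w = pool_alloc();
    w->on_click = benign_click;
    w->id = 7;
    strcpy(w->label, "OK button");
    pool_free(w);   /* memory goes back to the allocator ... */
    return w;       /* ... but this pointer outlives it */
}

/* Control-data corruption: an attacker-sized allocation (say, a string created by
 * page script) lands in the recycled slot and is filled with chosen bytes. What the
 * stale widget's on_click now reads as is returned; it is deliberately never called. */
uintptr_t stale_on_click(int hardened) {
    struct widget *w = make_dangling_widget(hardened);
    unsigned char *attacker = pool_alloc();
    memset(attacker, 0x41, SLOT_SIZE);
    return (uintptr_t)w->on_click;   /* unhardened: 0x4141...41; hardened: benign_click */
}

/* Information leak: a session object is allocated next. The slot was not wiped and
 * is reused, so reading the stale widget's label returns the session cookie. */
const char *stale_label(int hardened) {
    struct widget *w = make_dangling_widget(hardened);
    struct session *s = pool_alloc();
    s->user_id = 1001;
    s->flags = 1;
    strcpy(s->cookie, "SESSION-5f3a9c1e");  /* constructed sample secret */
    return w->label;                         /* unhardened: the cookie; hardened: "OK button" */
}

int main(void) {
    printf("stale on_click, no hardening: 0x%lx\n", (unsigned long)stale_on_click(0));
    printf("stale on_click, quarantine:   0x%lx (benign_click)\n", (unsigned long)stale_on_click(1));
    printf("stale label, no hardening:    %s\n", stale_label(0));
    printf("stale label, quarantine:      %s\n", stale_label(1));
    return 0;
}
```

Nothing in this program is flagged by the compiler; the stale pointer is an ordinary pointer, which is why these bugs survive review and why sanitizers such as AddressSanitizer, which track allocation state at run time, are the usual way to catch them in testing. With the quarantine toggle on, the attacker's object and the session object land in a fresh slot, so the dangling pointer still points at stale but harmless widget data: the attack needs the reuse step, not merely the dangling pointer.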

More Than Chrome Can Be at Risk

The most recent zero day was in the core code known as Chromium. Chromium is an open-source browser that is maintained primarily by Google. Google adds features to Chromium for its Chrome browser, and other…

Source…