Latest

Breach Response

Facebook Password, Email Contact Mishandling Worsens

Jeremy Kirk  •  April 19, 2019

Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5 million people had their email contact lists uploaded without consent.

Cybercrime

Leak Exposes OilRig APT Group's Tools

Scott Ferguson  •  April 19, 2019

A set of malicious tools, along with a list of potential targets and victims, belonging to an APT group dubbed OilRig has leaked online, exposing some of the organization's methods and goals, analysts say.

Cybercrime

Not So 'Smart' - Child Tech Has Hackable Flaws

Mathew J. Schwartz  •  April 19, 2019

A warning that a smartwatch marketed to parents for tracking and communicating with their children could be coopted by hackers leads the latest edition of the ISMG Security Report. It also reviews how a DNS hijacking campaign is hitting organizations and how "dark patterns" trick users.

Anti-Malware

Researchers: Malware Can Be Hidden in Medical Images

Marianne Kolbasuk McGee  •  April 17, 2019

A "flaw" in the file format of the DICOM standard for communication of medical imaging information could be exploited to hide malware in MRI and CT scans alongside patient data, according to a new research report. But the developer of DICOM contends the feature isn't a flaw and any risks can be mitigated.

Blockchain & Cryptocurrency

10 Highlights: Cryptographers' Panel at RSA Conference 2019

Mathew J. Schwartz  •  April 17, 2019

From blockchains and surveillance to backdoors and GDPR, a group of leading cryptographers rounded up the top cybersecurity and privacy matters of the day at the cryptographers' panel held at the recent RSA Conference 2019 in San Francisco.

Cybercrime

Silk Road 2.0 Operator Sentenced to Prison

Scott Ferguson  •  April 15, 2019

An unemployed British man has been sentenced to more than five years in prison for his role in operating the Silk Road 2.0 darknet site, which succeeded the original Silk Road website after the FBI closed it in 2013, U.K. authorities say.

Cybersecurity

Australian Child-Tracking Smartwatch Vulnerable to Hackers

Jeremy Kirk  •  April 15, 2019

An Australian company that markets a smartwatch that lets parents monitor their children shut down its service on Monday after researchers revealed hackers could track a child's location, spoof the location, add themselves as a "parent" and view personally identifiable information associated with the account.

Anti-Malware

Two Romanian Nationals Convicted in 'Bayrob' Malware Case

Scott Ferguson  •  April 12, 2019

Two Romanian nationals have been convicted by a federal jury for their roles in stealing more than $4 million from victims by creating a botnet of more than 400,000 PCs through custom-designed malware called Bayrob.

Application Security

Another Scathing Equifax Post-Breach Report

Nick Holland  •  April 12, 2019

The latest edition of the ISMG Security Report features an update on a congressional report that slams Equifax for lacking a strong cybersecurity culture. Also featured: A new study on the status of women in the cybersecurity industry and the use of Android phones as security keys.

Data Breach

MD Anderson Cancer Center Appeals $4.3 Million HIPAA Fine

Marianne Kolbasuk McGee  •  April 11, 2019

The University of Texas MD Anderson Cancer Center has filed a lawsuit arguing that a $4.3 million HIPAA penalty levied against it last year by the Department of Health and Human Services following three data breaches was unlawful. What are the main arguments?

Endpoint Security

Android Devices Can Now Be Used as a Security Key

Jeremy Kirk  •  April 11, 2019

Google's latest security feature enables the use of Android phones as a security key, eliminating the need for a separate token or hardware device. The free feature is potentially more appealing that Google's Titan security keys, which cost $50.

Cybersecurity

GAO: HHS Has Not Implemented Critical Cyber Recommendations

Marianne Kolbasuk McGee  •  April 10, 2019

The Department of Health and Human Services has yet to take certain critical actions to help enhance cybersecurity, according to a new GAO report that lists hundreds of recommendations for improving operations that have not been implemented.