20 December 2022

WATCH OUT! Nothing is Sacred when There's Money To Be Made

> 1 As The Markup report makes clear, existing privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth, so much of this sloppy handling of consumer data falls through the cracks. Most consumers, meanwhile, operate from the false belief that this data is far more protected than it actually is. . 

www.techdirt.com

Surprise: Telehealth Startups Playing Fast And Loose With Sensitive User Medical Data

Mon, Dec 19th 2022 05:49am - Karl Bode

from the nothing-is-sacred-when-there's-money-to-be-made dept 



"From the Internet of very broken things to telecom networks, the state of U.S. privacy and user security is arguably pathetic. It’s 2022 and we still don’t have even a basic privacy law for the Internet era, in large part because over-collection of data is too profitable to a wide swath of industries, which, in turn, lobby Congress to do either nothing, or the wrong thing.

Sensitive medical data, supposedly held to a higher standard, isn’t much of an exception. The Markup and STAT this week had an interesting joint report showcasing how many telehealth startups routinely play fast and loose with consumer data. . . 

Inevitably there will be a medical privacy data scandal so massive it will force the culture to truly own the fact they’ve prioritized money over consumer/market health, privacy, and safety for decades. But even then, it’s a steep uphill climb to get a comically corrupt Congress to craft even the most modest of guardrails."




> 2 InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.



7 days ago · In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal ...
5 days ago · The FBI was repeatedly breached recently. On December 10, 2022, a database containing the contact information of more than 80,000 members of the ...
6 days ago · A hacker has breached an FBI program dedicated to critical infrastructure cybersecurity and is now selling access to its data on the dark ...
6 days ago · As seen by Hackread.com, the hacker is selling the stolen InfraGard database which contains the personal data of its members for $50,000. by ...
6 days ago · The database was stolen by a hacker who goes by the name USDoD. The way they gained access was relatively simple—using the personal details of a ...
6 days ago · Ughh. FBI's Vetted Threat Sharing Network 'InfraGard' Hacked ... Meanwhile, the hackers responsible are communicating directly with members ...



It’s a shame the FBI wasn’t aware of this before being contacted by people who don’t work for the FBI. If the agency wants the private sector to trust it with its threat reports and data, it needs to be ahead of things like this, rather than simply refusing to talk about incidents it should have been more proactive about.

www.techdirt.com

FBI Private Sector Cyberthreat Reporting Database Hacked By Apparently Unreported Cyberthreat 



Tue, Dec 20th 2022 09:30am - Tim Cushing

from the target-rich-environment-unsurprisingly-targeted dept

"Is this irony? It kind of seems like it is. Maybe it isn’t. It could just be a coincidence. An extremely unfortunate, ironic coincidence.

Whatever it is, it doesn’t look good for the FBI, which encouraged pretty much every private company to register as reporting entities so the FBI could (theoretically, it appears) respond to reported security threats.

The FBI wants to be part of the cyber Pearl Harbor discussion. Here’s its latest contribution to that conversation, as first reported by Brian Krebs.

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

Trust, but don’t even bother verifying, I guess. That’s how they — and by “they,” I mean the hacker referring to themselves as “USDoD” — get you. A portal for private companies to report threats has been compromised using nothing more than credentials that have likely been floating around the web (dark or otherwise) for some time now.

USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth  and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.

With access obtained, the breach began. USDoD “asked a friend” to create a script that would pull all available user data from the database, which apparently had no defensive methods in place to thwart the script, or any siloing in place to ensure one user’s approved access wouldn’t allow them to obtain other users’ information.

In an effort to increase collaboration between private sector contributors (if not the FBI itself, although there doesn’t appear to be any actual FBI data/communications included in the hacking haul), InfraGard acted as a quasi-social media hub to allow private companies to share info with each other. That connectivity apparently contributed to the easy exfiltration of data, albeit data of disputable value.

USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields — like Social Security Number and Date of Birth — are completely empty.

While the eventual sale of this data will put USDoD in the black, the ultimate end game may not be the easily-absconded-with user data. The hacker is taking full advantage of this impersonation to contact private sector participants in hopes of securing additional data and/or credentials usable for bigger and better data heists.

The FBI has responded to these reports with a no comment.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

It’s a shame the FBI wasn’t aware of this before being contacted by people who don’t work for the FBI. If the agency wants the private sector to trust it with its threat reports and data, it needs to be ahead of things like this, rather than simply refusing to talk about incidents it should have been more proactive about.

But spending tax dollars on “cyber security furniture” only buys so much competence. While it’s essential private sector contributors are able to share information easily with each other, a breach like this will only encourage them to cut the FBI out of the loop. There are obviously more secure channels for communication about these issues. Allowing a hacker to make off with critical data suggests the FBI is not only failing to fully vet contributors to its cyber security marketplace of ideas, but failing to ensure the private companies it hires to provide solutions are capable of meeting the demands of the job."
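The quoted article describes two missing controls: no "siloing" to keep one approved account from reading every other member's record, and nothing to stop a script from pulling the whole directory. The block below is an added example, not code from Techdirt, KrebsOnSecurity or the InfraGard portal; it shows what a defender would put in place for a member directory of this kind. The member records, the consent map, the field policy and the access-log format ("timestamp requester target") are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample directory (hypothetical ids and values, not real data).
MEMBERS = {
    "m1001": {"name": "Alice Example", "email": "alice@example.org",
              "ssn": "000-00-0001", "dob": "1970-01-01", "sector": "finance"},
    "m1002": {"name": "Bob Example", "email": "bob@example.org",
              "ssn": "000-00-0002", "dob": "1980-02-02", "sector": "energy"},
}

PUBLIC_FIELDS = {"name", "sector"}           # any vetted member may see these
CONTACT_FIELDS = PUBLIC_FIELDS | {"email"}   # only if the target opted in (assumed policy)
# "ssn" and "dob" exist for identity vetting only; they are never served to other members.


def view_member(requester_id, target_id, consent):
    """Return only the fields of target_id's record that requester_id may read.

    consent maps a requester id to the set of member ids who agreed to share
    contact details with that requester (a constructed stand-in for an opt-in flag).
    """
    record = MEMBERS[target_id]
    if requester_id == target_id:          # members see their own full record
        return dict(record)
    allowed = CONTACT_FIELDS if target_id in consent.get(requester_id, set()) else PUBLIC_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


@dataclass
class EnumerationDetector:
    """Flag a requester that reads more distinct profiles than a person plausibly
    would inside a sliding time window; a scraping script trips this quickly."""
    max_distinct_targets: int = 50
    window_seconds: int = 600
    _events: dict = field(default_factory=dict)   # requester -> [(ts, target), ...]

    def observe(self, ts, requester_id, target_id):
        """Record one profile view; return True if requester_id is now over the limit."""
        events = self._events.setdefault(requester_id, [])
        events.append((ts, target_id))
        cutoff = ts - self.window_seconds
        events[:] = [e for e in events if e[0] >= cutoff]   # drop views outside the window
        distinct = {target for _, target in events}
        return len(distinct) > self.max_distinct_targets


def scan_log(lines, **detector_kwargs):
    """Replay access-log lines of the form 'timestamp requester target' and return
    the sorted list of requesters that exceeded the enumeration threshold."""
    detector = EnumerationDetector(**detector_kwargs)
    flagged = set()
    for line in lines:
        ts, requester, target = line.split()
        if detector.observe(int(ts), requester, target):
            flagged.add(requester)
    return sorted(flagged)


# Constructed log: one account pulling 60 different profiles in a minute,
# and one analyst looking at two colleagues over a few minutes.
SAMPLE_LOG = [f"{100 + i} scraper-acct m{1000 + i}" for i in range(60)] + [
    "200 analyst m1001",
    "230 analyst m1002",
    "260 analyst m1001",
]

if __name__ == "__main__":
    print(view_member("m1001", "m1002", consent={}))
    print(view_member("m1001", "m1002", consent={"m1001": {"m1002"}}))
    print(scan_log(SAMPLE_LOG))
```

The field filter is applied on the server for every request, so a script that automates the portal still gets only the public fields, and the vetting data (SSN, date of birth) is never on the wire at all. The detector runs over the same access log a portal would already write; the threshold and window are illustrative and would be tuned to the real user population.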
