Archive for the ‘Lawsuits and settlements’ category

CIA hacking docs on WikiLeaks

March 15th, 2017

WikiLeaks has published the first part of a set of documents that it claims were retrieved from the U.S. Central Intelligence Agency. The initial upload consists of 8,761 documents and files.

“Recently, the CIA lost control of the majority of its hacking arsenal, including malware, viruses, Trojans, weaponized “zero-day” exploits, malware remote control systems and associated documentation,” the organization stated in a press release. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.”

The source of the documents is not clear. WikiLeaks said that the documents were already in circulation among a group of hackers.

“The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons,” WikiLeaks stated.

The surveillance methods described include:

  • Accessing Samsung smart TVs even when the units are turned off
  • Installing software in vehicle control systems in cars and trucks
  • Using smartphones to access the camera, microphone, user location, audio and texts
  • Attempting to bypass the encryption of WhatsApp

CIA spokesman Jonathan said, “We do not comment on the authenticity or content of purported intelligence documents.”

“Donald Trump previously praised WikiLeaks during his campaign,” Skyport Systems EVP Rick Hanson said. “When an organization like WikiLeaks is lauded in any forum there is reason to be concerned.”

“We are losing the cybersecurity war to other nation states and [are] at a deficit in our ability to protect ourselves,” Carbon Black national security strategist Eric O’Neill said by email. “Now with the release of one of our offensive playbooks, our ability to attack is compromised. All of these tools will now proliferate among those for whom breaching security is a business or profession, leading to additional attacks.”

Contrast Security CTO Jeff Williams said that the answer isn’t to focus on “cyber arms control,” which he said will never work. “We need a massive increased focus on writing secure code and defending against attacks,” he said.

“As a nation, we are simply incapable of reliably writing code that isn’t susceptible to these attacks,” Williams continued. “But it’s not impossible. It’s not even that difficult. But we have to change the incentives in the software market, which currently don’t encourage writing secure code.”

“Today, our digital security has been compromised because the CIA has been stockpiling vulnerabilities rather than working with companies to patch them,” Access Now senior legislative manager Nathan White said. “The United States is supposed to have a process that helps secure our digital devices and services — the ‘Vulnerabilities Equities Process.’”

“Many of these vulnerabilities could have been responsibly disclosed and patched,” White added. “This leak proves the inherent digital risk of stockpiling vulnerabilities rather than patching them.”



Internet and PHI breach

May 12th, 2016

The Children’s National Medical Center in Washington DC may have recently suffered a data breach, as a few of its documents were available on the internet. The incident may have occurred in February. According to reports, due to a mistake by Ascend Healthcare Systems, a former business associate of the healthcare system, data related to 4,107 patients of Children’s National Medical Center was accessible via the Internet.

“Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.

PHI could have been found using a search engine, like Google. Affected information includes names, dates of birth, medication lists, and physicians’ notes on diagnosis and treatment. The incident occurred because the File Transfer Protocol site was misconfigured. The facility said that the site was a standard network for storing and transferring files.

According to the Children’s National Medical Center, Ascend Healthcare Systems violated its contract, under which it was required to delete all patient information as per the separation agreement. After the incident, Ascend was advised by the Children’s Hospital Medical Center to delete transcription documents from its servers and secure the site.

The medical center didn’t receive any reports about inappropriate access or misuse of patient information. It has sent notification letters to affected individuals. Also, a dedicated call center was created to answer queries. Children’s National regrets any concern this incident may cause.

According to the statement:

Children’s National Health System, based in Washington, DC, has been serving the nation’s children since 1870. Children’s National is a Leapfrog Group Top Hospital, Magnet® designated, and was ranked among the top 10 pediatric hospitals by U.S. News & World Report 2015-16. Home to the Children’s Research Institute and the Sheikh Zayed Institute for Pediatric Surgical Innovation, Children’s National is one of the nation’s top NIH-funded pediatric institutions. With a community-based pediatric network, seven regional outpatient centers, an ambulatory surgery center, two emergency rooms, an acute care hospital, and collaborations throughout the region, Children’s National is recognized for its expertise and innovation in pediatric care and as an advocate for all children.



Decoding the Red Flags

April 12th, 2013

Investors can now heave a sigh of relief. The Securities and Exchange Commission and the Commodity Futures Trading Commission (CFTC) have formulated a new set of rules and guidelines that enable entities subject to their enforcement authorities to develop platforms which would protect investors from identity theft.

The rules that were tabled on April 10th are not very different from the present-day rules put in place by the Fair Credit Reporting Act and federal banking regulators.

The rules, named the ‘Red Flags Rules’, can be looked at as having been adopted pursuant to the Dodd-Frank Act. For the uninitiated, the Dodd-Frank Act was an act to promote the financial stability of the U.S.A.; to save the taxpayer’s money by improving accountability and transparency in the financial system; to protect the American taxpayer by ending bailouts; to protect consumers from abusive financial services practices; and for other purposes.

The rules require businesses to implement a written identity theft prevention code to scrutinize the signs of theft, termed red flags.

The new set of acts is meant for those “creditors” and “financial institutions” that have certain covered accounts. These rules require such “creditors” and “investors” to process and execute a theft identification and detection platform.

The program should identify, detect and respond to activities that would indicate identity theft.

Entities such as broker dealers who create accounts for minors, investment companies permitting investor wire transfers and check writing, and investment advisers permitting payments out of transaction accounts are the ones who would fall in the ambit of the SEC. The CFTC, on the other hand, would look after futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants.

It’s pertinent for an entity maintaining one or multiple covered accounts to determine whether the accounts meet the risk-assessment criteria. Since any account other than an account for personal, family or household purposes under the covered account contains foreseeable risk to customers, this rule is particularly meted out for such kinds of accounts. These types of consumer accounts include “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.”

How to identify Red Flags?

The theft detection code of each business entity must carry out the following five functions.

  1. Identifying red flags: Identifying relevant patterns, practices and specific forms in a periodic and sporadic manner would rule out any possible theft.
  2. Detecting them: Detecting the red flags so that suitable policies can be implemented.
  3. Finding a suitable response: Resolving those issues would come in this step.
  4. Periodic review and updating: There should also be a mechanism to evaluate and update the code for future threats.
  5. Administration of the program: The program must initially be approved by the board of directors of the company or, if the entity does not have a board, by a senior-level manager. It must specify who is responsible for implementing and administering the program, and an experienced person must be responsible for administering it.

The Red Flags Rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date (around November 15).

The Red Flags Rules are deemed to be a breath of fresh air for investors. Even though most of the entities are privy to similar rules doled out by the FTC, this rule is deemed to be a novel one for many private fund advisers.

The results of the risk assessment would help to prioritize the risk areas (e.g., portable devices, offshore business associates, lack of encryption) that would be targeted for the implementation of controls (e.g., policies, processes, training) to manage identified risks.

Secure your Data with Alertsec

Following the essential guidelines is necessary for data security in any organization. This news exemplifies the need for data protection applications. In an incident which highlights the need for data encryption software and recovery software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.
