Monthly Archives: July 2018

UK Government Sets Minimum Cybersecurity Standard

The UK government has launched a new cybersecurity standard designed to set a baseline of mandatory security outcomes for all departments.

The Minimum Cyber Security Standard announced this week presents a minimum set of measures which all government departments will need to follow, although the hope is that they will look to exceed these at all times.

There is some flexibility in how they achieve these measures, depending on “local context.”

“Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures that Departments will be expected to use and where available for use by suppliers,” the document states.

There are 10 elements to the standard, divided into five key domains: identify, protect, detect, respond and recover.

These start with putting in place “appropriate cybersecurity governance processes,” identifying and cataloging sensitive information and operational services, and continuous management of access rights.

Next comes strict authentication of all users who want access to sensitive info and key services; protection of key systems from exploitation of known vulnerabilities; security for highly privileged accounts; detection of common cyber-attacks; well-defined incident response plans; and well-tested processes to ensure continuity of services in the event of compromise.

Security experts welcomed the best practice security standard.

“Over the past decade, the UK government has been aiming to simplify security — moving away from proscriptive mandatory requirements in security standards, towards describing the minimum security outcomes that need to be achieved,” explained FireEye director, Mike Trevett. “This standard helps do exactly that. For mature organizations it provides a solid framework for managing their information risk. For less mature organizations, it will help them structure how they manage information risk and guide their cybersecurity process development.”

Mark Adams, regional VP for UK and Ireland at Veeam, argued that the standard would help government departments manage risk in a new era of GDPR and NIS Directive, and sets a good example for other industries to follow.

“The emphasis on recovery, often an unsung hero with data management, is especially welcome,” he added. “No matter who you are or where you work, it has never been more important to ensure that your digital lives are permanently ‘on’. The ability to seamlessly move data to the best location across multi-cloud environments is now crucial for business continuity, compliance, security, and optimal use of resources for business operations.”

via: infosecurity-magazine

UK Financial Regulators Cracking Down on Banks' IT Failures

Financial regulators have ordered British banks and other financial services firms to provide a detailed plan for responding to IT outages and cyber-attacks.

The Bank of England (BoE) and the Financial Conduct Authority (FCA) published a joint discussion paper on Thursday, asking firms to report on their exposure to risk and incident response processes.

Firms have been given an October 5 deadline to provide their emergency back-up plans.

The discussion paper stresses the importance of operational resilience given today’s “hostile cyber-environment and large scale technological changes.”

“A resilient financial system is one that can absorb shocks rather than contribute to them,” said the BoE and FCA in a joint statement.

“The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organizational culture – to adapt and recover when things go wrong,” they said.

The paper also highlights the role of firms’ senior officials when responding to incidents, recommending setting “board-approved impact tolerances quantifying the level of disruption that could be tolerated.”

Regulators suggested two days as an acceptable limit for disruption to a business service, according to one scenario detailed in the discussion paper.

“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system,” states the paper.

Another important concept that regulators advised financial firms to address involves an effective communication plan.

“The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response,” the discussion paper noted.

Firms that fail to demonstrate adequate back-up plans could face fines and other sanctions, such as a requirement to hold higher capital levels or a demand for additional IT investment.

via: tripwire

How doctors and patients might benefit from these Apple updates

Find out how Group FaceTime, Siri Shortcuts, Apple Watch improvements, and privacy updates could solve some healthcare headaches.

Improved privacy controls were a big news story from the WWDC 2018 keynote. With iOS 12, Safari will prevent Share buttons and comment widgets on webpages from tracking users without their permission. The Safari update will also make it harder for advertisers to track a device’s “fingerprint” to retarget ads.

One announcement related to data and health didn’t make it to the keynote stage: Apple has made it easier for people to share their health data with researchers and app developers. Apple has extended its privacy philosophy to this new feature as well, according to the press release:

“Health Records data is encrypted on iPhone and protected with the consumer’s iPhone passcode. When consumers choose to share their health record data with trusted apps, the data flows directly from HealthKit to the third-party app and is not sent to Apple’s servers.”

This is exactly the right approach. People will be more likely to trust Apple with their personal health info if they know that the information is not being sold to third parties to push drugs and devices.

This is not the only important Apple news for the healthcare world. Several updates to the phone and watch operating systems have the potential to solve communication challenges for patients and doctors and maybe even make healthcare a little more efficient.

Group FaceTime could be a game changer in hospitals

This announcement didn’t require a “This is really cool!” nudge from the speaker to get a reaction from the audience. It’s hard to imagine that anyone would hit the 32-person limit in the new Group FaceTime feature, but a hospital care team meeting could come close.

Assembling the care team is always a challenge, particularly for people with complex conditions. The challenge of getting several doctors in the same place at the same time is so great that many people are too intimidated to try. Even waiting for a hospitalist to show up for rounds is a big challenge. “Don’t leave” is the general rule when someone you love is in the hospital. This advice is very difficult to follow, but crucial if you want an update on your loved one’s condition or if you have a question to ask about the care plan.

Group FaceTime could be a game changer for families trying to get everyone—even the adult child living across the country—an update from the doctor about a person in the hospital. Hospitals could set FaceTime hours for doctors and other members of the care team to solve the problem of never being at the bedside when the doctor is.

Siri Shortcuts for improved medication adherence

During the WWDC 2018 keynote, an Apple manager showed off a Siri Shortcut that connected several tasks. The Shortcut estimated her evening commute time, sent a message to her roommate with the ETA, and turned on NPR in her car.

A Siri Shortcut could be a powerful tool to help people living with complex health conditions, as well as people taking multiple medications at different times each day. This tool could also help patients who have to take injections or follow multi-step instructions. For example, doctors don’t have a lot of time to explain how to use an asthma inhaler during a visit. A Siri Shortcut could use a calendar reminder to trigger a “Don’t forget your evening dose,” pull up a video that shows how to use the inhaler, and then record the action in the Health app.

Pharmacies could create Siri Shortcuts to share with customers to remind them to finish the entire bottle of antibiotics. People taking expensive meds—such as the Hepatitis C drugs that cost about $1,000 per pill—could get these reminders as well.

These Siri Shortcuts could be useful before a drug even hits the market. Pharma companies spend between $19 and $52 million on phase 3 clinical trials (that’s the stage when the new treatments are tested on humans). Giving an iPhone to participants could pay for itself in better trial results as well as improved compliance once (if) the drug makes it to the market.

Some clinical trials also require daily reporting from a participant, such as getting on a scale, taking vital signs or reporting mood. Pre-programmed shortcuts could increase the chances of people remembering to do this too.

All this requires a person to have an iPhone or an Apple Watch, of course. The newer phones start at $699 and the watches at $329. Hepatitis C destroys your liver, so a course of meds that comes with an iPhone is still cheaper than a transplant and a lifetime of anti-rejection meds.

Hands-free voice activation for the Apple Watch

Kevin Lynch’s job during the WWDC 2018 keynote was to explain how the new Apple Watch features will help users “stay active and connected.” The VP of Technology at Apple shared a lot of updates about exercise—auto detection of workouts, tracking for more types of exercise like hiking, new features for runners. He also announced that Apple Watch users would no longer have to say “Hey, Siri,” to activate the assistant. Developers changed the interaction to be triggered by the wearer lifting his wrist to wake up Siri.

This gesture-based “on button” is a perfect fit for healthcare providers. There are many occasions when a nurse has to keep her hands clean, but could use her voice or a gesture to ask a virtual assistant to start paying attention or take an action. Gesture-based activation could also help hospital patients interact with technology if they are on pain meds or if their mobility is limited.

Developers working on voice-controlled software are starting to think in terms of “place-onas.” A play on “persona,” this term identifies the best way for humans to interact with technology based on location and activity. For instance, a surgeon could use her voice but not her hands to control software in the operating room—that place-ona would be characterized as “eyes busy, hands busy, ears free, voice free.”

Hospitals are full of “hands busy” place-onas. The idea of turning on a virtual assistant with a gesture has a lot of potential for making interactions with technology easier in healthcare settings.

via: techrepublic

Restaurant Chain Struck by Payment Card Data Breach

An American restaurant chain revealed it suffered a data breach affecting customers’ payment card details at most of its locations.

On 22 June, PDQ issued a statement explaining that a malicious attacker obtained unauthorized access to its computer system and acquired the names, credit card numbers, expiration dates and cardholder verification value (CVV) of some of its customers.

The restaurant chain first learned that some customers’ information might have been compromised on 8 June. It launched an investigation into the matter shortly thereafter and thereby determined that the period of unauthorized access lasted from 19 May 2017 to 20 April 2018. During that span of time, attackers made off with customers’ information used at all but three of the company’s locations.

PDQ wasn’t able to pinpoint an exact number of payment cards that the attackers might have exposed. For that reason, it urged customers who used a payment card at one of its affected locations during the breach period to monitor their credit reports and bank statements carefully. The restaurant chain also clarified what actions it’s taken since discovering the unauthorized access to its systems:

Caring for our customers is a top priority, and once we suspected a possible breach, we acted immediately to address the situation and stop the breach. We initiated an investigation and engaged a cybersecurity firm that conducted a comprehensive forensic review of the attack. We reported the breach to law enforcement and continue to work with authorities and state regulators. We have taken steps to further strengthen the security of our systems to help prevent this type of incident from happening again.

As of this writing, PDQ has traced the breach back to “an outside technology vendor’s remote connection tool.” This type of attack vector highlights the importance of organizations reviewing the digital security risks lurking in their supply chain.

via: tripwire

Bank says Ticketmaster knew of breach months before taking action

Ticketmaster UK announced on its site yesterday that on June 23rd it identified malicious software that had affected nearly five percent of its customers, allowing an unknown third party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot.

However, both companies have confirmed that as of June 26th the vulnerability has been resolved. In its statement, Ticketmaster told customers that affected accounts had been contacted and were offered a free 12-month identity monitoring service as a consolation as soon as the company became aware of the breach.

But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, head of Financial Crime at Monzo, in the statement.

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.

During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulation (GDPR), companies are required to report information of a breach within 72 hours. Not 76 days. It’s uncertain, based on the timeline of events, whether Ticketmaster will be held to these standards or the now-overturned 1998 standards, but either way the water is starting to heat up around the ticket dealer.

We’ve reached out to Ticketmaster for comment but the company did not reply by the time of publication.

Update 10:20 am/June 29th A Ticketmaster spokesperson provided the following comment:

When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.

via: techcrunch

Ticketmaster Warns of Data Breach, Customer Payment Details Potentially Exposed

Ticketmaster has alerted thousands of UK-based customers that it has learned of a security breach in which their payment information may have been exposed.

In a statement on its website, the popular ticketing service stated that it recently identified malicious software on a customer support product hosted by an external third-party supplier – Inbenta Technologies.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” said the company.

Ticketmaster says less than five percent of its global customer base has been impacted by the incident. A report by BBC claims it involves up to 40,000 UK customers.

This includes UK customers who purchased – or attempted to purchase – tickets between February and June 23, 2018, as well as international customers who did the same from September 2017 to June 23, 2018.

Customers in North America have not been affected.

As a result of Inbenta’s product running on Ticketmaster International websites, the ticketing service explained some customers’ personal data “may have been accessed by an unknown third party.”

The potentially compromised information includes name, address, email address, telephone number, payment details and Ticketmaster login details.

“We have contacted customers who may have been affected by the security incident,” said the company. “If you have not received an email, we do not believe you have been affected by this security incident based on our investigations.”

Ticketmaster added that forensic teams and security experts are further investigating to determine how the security breach occurred.

“We are working with relevant authorities, as well as credit card companies and banks,” the firm said.

Affected customers are advised to reset their passwords and monitor their account statements for any suspicious or fraudulent activity. The company is offering a free 12-month identity monitoring service to those impacted.

via: tripwire

Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions.

In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, “swipe data has been padded such that all actions are now the same size.” Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted.

The Tinder issues were first called out in a report by a research team at Checkmarx describing the app’s “disturbing vulnerabilities” and their propensity for blackmail:

The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content (as demonstrated in the research).

While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.

In February, Wyden called for Tinder to address the vulnerability by encrypting all data that moves between its servers and the app and by padding data to obscure it from hackers. In a statement to TechCrunch at the time, Tinder indicated that it heard Sen. Wyden’s concerns and had recently implemented encryption for profile photos in the interest of moving toward deepening its privacy practices.
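The padding fix described above, as an added illustration that is not Tinder’s or Checkmarx’s code: with a length-preserving cipher, three constructed swipe payloads of different sizes stay distinguishable to a passive observer on the same network, and padding each one to a fixed frame size removes that signal. The action names, payloads and 64-byte frame size are invented for the example.

```python
"""Length padding against traffic analysis. Constructed illustration; not
Tinder's code or wire format. Action names, payloads and the frame size are
invented for this example."""
import json
import os

# Constructed stand-ins for three swipe actions whose bodies differ in size.
ACTIONS = {
    "like": {"action": "like", "target": "user-12345"},
    "dislike": {"action": "dislike", "target": "user-12345"},
    "superlike": {"action": "superlike", "target": "user-12345"},
}

FRAME_SIZE = 64  # fixed on-the-wire size, chosen for this example


def encode(action_name: str) -> bytes:
    """Unpadded request body; its length depends on the action."""
    return json.dumps(ACTIONS[action_name], separators=(",", ":")).encode()


def pad(body: bytes, size: int = FRAME_SIZE) -> bytes:
    """Fixed-size frame: 2-byte big-endian length, body, random filler.

    Padding must happen before encryption (and after any compression): a
    stream cipher or an AEAD such as AES-GCM preserves length up to a constant,
    so ciphertext size would otherwise reveal the action.
    """
    if len(body) + 2 > size:
        raise ValueError("body does not fit in one frame")
    filler = os.urandom(size - 2 - len(body))
    return len(body).to_bytes(2, "big") + body + filler


def unpad(frame: bytes) -> bytes:
    """Recover the body from a padded frame."""
    n = int.from_bytes(frame[:2], "big")
    return frame[2:2 + n]


def observable_lengths(padded: bool) -> dict:
    """Sizes a passive observer sees per action (cipher preserves length)."""
    sizes = {}
    for name in ACTIONS:
        body = encode(name)
        sizes[name] = len(pad(body) if padded else body)
    return sizes


def candidates_for_length(observed: int, padded: bool) -> list:
    """Observer's classifier: which actions could produce a frame this size?"""
    return sorted(a for a, n in observable_lengths(padded).items() if n == observed)


if __name__ == "__main__":
    print("unpadded:", observable_lengths(False))   # three distinct sizes
    print("padded:  ", observable_lengths(True))    # all equal to FRAME_SIZE
    print("42 bytes unpadded ->", candidates_for_length(42, False))
    print("64 bytes padded   ->", candidates_for_length(64, True))
```

Without padding each size maps to exactly one action; with padding every frame is 64 bytes and the observer learns only that a swipe happened.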

“Like every technology company, we are constantly working to improve our defenses in the battle against malicious hackers and cyber criminals,” Sine said in the letter. “… Our goal is to have protocols and systems that not only meet, but exceed industry best practices.”

via: techcrunch

Amazon launches a last-mile delivery program powered by entrepreneurs

Amazon has gotten flak in the past for some of the challenges its crowdsourced “last-mile” delivery drivers face, but now it’s offering those with entrepreneurial ambitions the option to do more. Instead of showing up for gig work, drivers can opt for a new program where Amazon helps them establish their own delivery business.

The program will include access to Amazon’s delivery technology, hands-on training and discounts on a suite of assets and services, including the vehicle leasing and insurance, the retailer says.

That means drivers won’t have to use their own cars, as in the crowdsourced delivery program known as Amazon Flex. This gives them more space for organizing packages, the ability to use parking spots for delivery vehicles and the ability to haul extra equipment, like straps and dollies.

Amazon says the earning potential for successful owners is as much as $300,000 in annual profit operating a fleet of 40 vehicles. The company expects that, over time, hundreds of small business owners will hire tens of thousands of delivery drivers across the U.S., it says.

In other words, Amazon just launched its own UPS competitor of sorts, by offering leased vans, training and resources to those who want to drive for Amazon instead of Uber.

The retailer says people can start up their Amazon delivery businesses with as little as $10,000. Military vets can get that 10K reimbursed, as Amazon is investing a million into a program that funds their startup costs.

The business owners — who don’t need logistics experience, Amazon notes — will be offered discounts on the customized delivery vans, branded uniforms, fuel, comprehensive insurance coverage and more — deals the retailer pre-negotiated on their behalf.

This also addresses some of the problems the gig work Flex drivers faced — gas prices would often cut far too much into profits; the lack of insurance; and the general challenges associated with trying to deliver packages from an unbranded, small car.

“We have great partners in our traditional carriers and it’s exciting to continue to see the logistics industry grow,” said Dave Clark, Amazon’s senior vice president of worldwide operations, in a statement about the launch. “Customer demand is higher than ever and we have a need to build more capacity. As we evaluated how to support our growth, we went back to our roots to share the opportunity with small-and-medium-sized businesses. We are going to empower new, small businesses to form in order to take advantage of the growing opportunity in e-commerce package delivery.”

The changes come at a time when there’s been debate about Amazon’s financial impact on the U.S. Postal Service. But with this new program, Amazon could reduce its reliance on outside partners as the program scales.

However, Amazon will continue to work with existing partners, including UPS and FedEx, in addition to the USPS and smaller last-mile delivery partners, for some time. As Amazon’s business continues to grow, it will need these partners’ help to get packages to customers for the foreseeable future — a fleet of leased Prime vans can’t do it all.

via: techcrunch