Archive for January 2, 2025

HIPAA to Mandate MFA, Risk Analysis, Vulnerability Scanning Among Other Items In The Wake Of Breaches

Posted in Commentary on January 2, 2025 by itnerd

To better protect patient records, the Department of Health and Human Services’ HHS Office for Civil Rights is proposing substantial cybersecurity requirements for all covered entities and their business associates be added to the HIPAA Security Rule (enacted in 1996). The Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information is set to be published on January 6, 2025.

A 300+ page working draft for public comment is currently in the Federal Register: https://public-inspection.federalregister.gov/2024-30983.pdf

Ted Miracco, CEO, Approov had this to say:

“The proposed updates to HIPAA are an overdue response to the escalating cybersecurity attacks on the healthcare sector, especially with regards to mobile devices and API attacks. Enforcing stricter security measures such as encryption, MFA, attestation and network segmentation, is a strong start as HHS aims to enhance the protection of patient data significantly. However, for mobile app developers, this will mean adapting much more advanced security practices to meet these emerging standards. Rebuilding user trust and safety remain critical priorities, given the extensive number of data breaches that have occurred in recent years, and their devastating impacts.”

Lawrence Pingree, VP, Dispersive follows with this:

“For HIPAA/HITECH, this guides organizations to more prescriptive controls – e.g. not just “you need to protect your data and users” – it’s now bringing more specific controls around multi-factor authentication and data protection strategies. In security, the more prescriptive the controls, the better since this reduces the variance of approaches that might not adequately address current threats. The grand challenge is for prescriptive guidance not to become outdated, so it must be continuously uplifted to address modern threats.”

Given how often the health care sector gets pwned by hackers, it’s about time that something like this has come down the pipe. Because if the health care sector wasn’t going to protect itself on its own, it needs to be forced to protect itself.

Other World Computing Names Matt Dargis as Chief Revenue Officer

Posted in Commentary on January 2, 2025 by itnerd

Other World Computing today announced the appointment of Matt Dargis as Chief Revenue Officer (CRO). Reporting directly to OWC Founder and CEO Larry O’Connor, Dargis will leverage his extensive experience in sales leadership and global market strategy to spearhead OWC’s continued growth and market expansion, cementing the company’s position as a leader in workflow, performance, and collaboration innovations for Mac and PC users.

As CRO, Dargis will be responsible for driving OWC’s global revenue growth and expanding its market presence across both commercial and consumer channels. He will oversee the company’s sales and channel strategies, ensuring alignment with OWC’s mission to deliver the highest performance and most trusted technology solutions that provide the greatest value and ROI. Additionally, Dargis will focus on building and scaling high-performing teams, optimizing go-to-market initiatives, and enhancing customer experiences to meet and exceed evolving market demands.

With an entrepreneurial spirit backed by decades of experience and customer relationships, Dargis is a seasoned executive with more than 20 years of building and scaling tech businesses through his superior market knowledge, and exemplary team building and servant leadership style. Prior to joining OWC, Dargis served as Senior Vice President, US Sales at ACCO Brands and Vice President of North America Sales at Kensington where he rebuilt the North America sales team and created a new go-to-market strategy and three-year plan to double sales while improving the bottom line. Before that, he led Buffalo Americas, Inc. as Executive Vice President, COO, where he was responsible for building new sales and marketing teams and expanding internationally. Dargis has also served as Vice President, Worldwide Sales and Marketing at ioSafe, Inc., and held senior sales and marketing positions with NETGEAR, Inc. and D-Link Systems, Inc. Dargis attended the v where he majored in Business Administration and minored in Computer Science.

China Tied To Hack Of US Treasury Department

Posted in Commentary on January 2, 2025 by itnerd

The U.S. Treasury office that administers economic sanctions has admitted that it was pwned by a “Chinese threat actor”:

Chinese government hackers breached the U.S. Treasury office that administers economic sanctions, the Washington Post reported on Wednesday, identifying targets of a cyberattack Treasury disclosed earlier this week.

Citing unnamed U.S. officials, the Washington Post said hackers compromised the Office of Foreign Assets Control and the Office of Financial Research and also targeted the office of U.S. Treasury Secretary Janet Yellen.

The department earlier this week disclosed in a letter to lawmakers that hackers stole unclassified documents in a “major incident.” It did not specify which users or departments were affected.

Asked about the paper’s report, Liu Pengyu, spokesperson for the Chinese Embassy in Washington, said the “irrational” U.S. claim was “without any factual basis” and represented “smear attacks” against Beijing.

Yeah. Right. I don’t believe anything that the Chinese have to say at this point. More on that later. Avishai Aviva, CISO, SafeBreach had this to say:

“In this latest breach of the US Treasury workstation, neither the government nor BeyondTrust, the vendor involved, provided sufficient information to understand what happened fully. This is normal for such events. Let’s peel through the layers of obscurity and get a clearer picture of what happened in this breach.

First, looking at the letter from the Treasury to lawmakers, we find this: “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor could override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.” With all my years of experience, I was scratching my head at this narrative. When reading the BeyondTrust statement on their website – it became more apparent.

BeyondTrust, unironically, provides a secure method for Information Technology (IT) support personnel to provide remote support to end users. This method involves establishing a trusted connection between the support person and the end user. This trusted connection punches through traditional perimeter security controls and gives the support person full access and control over the end-user workstation.

Once inside, the support person can send documents back over that secure channel or masquerade as the end-user and send the same documents directly.

The security controls protecting the US Treasury network have no way of knowing something nefarious is happening, as the trusted connection is, well, trusted.

From the BeyondTrust website, the malicious actors used a critical vulnerability to gain unauthenticated (read as untrusted) access to the same support functionality that the authorized IT support personnel have.

This incident boils down to what we refer to as a supply-chain vulnerability leading to a data breach. An Information and Communication Technology (ICT) vendor in the US Treasury supply chain had a vulnerability that was then used to extract data out of the US Treasury end-user workstations and network.

Now that we understand what happened, albeit at a high level, let’s focus on the following interesting detail – Attribution. The letter from the US Treasury indicates that this breach originated from China. It is unusual for an early notice, especially in case of such breaches, to be able to make such clear attributions. Looking through the technical details provided by BeyondTrust, we can see that the vulnerability was associated with four IP addresses. These addresses belong to DigitalOcean, a New Jersey Cloud Service Provider (CSP). This information indicates to me that the malicious actors used this cloud provider as a jumping-off point to infiltrate the BeyondTrust service and exploit the trusted connection to the US Treasury. The clear attribution suggests that the investigation was able to link these four addresses to accounts originating in China.

Last but not least, was there something that the US Treasury could have done to prevent this? The sad answer appears to be yes. Again, referring to the scant technical information BeyondTrust provided, the system administrators at the US Treasury, or the vendor likely to provide support services, failed to configure trusted locations from which the support agents could connect. We refer to this as IP Whitelisting. This failure is a critical risk with any such service. The same issue led to notable breaches in 2023 and 2024. This oversight is why we urge all service vendors, especially trusted ICT vendors, to follow the CISA Secure-by-Default guidance.”
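The “trusted locations” failure described in the quote above can be checked for on the defender’s side. The following is an added example (not BeyondTrust’s, the Treasury’s, or SafeBreach’s code) that runs an allowlist check over constructed remote-support session records, assuming each record carries the connecting agent’s source IP and that an operator has configured the CIDR blocks support agents may connect from; it also reports the fail-open state that results when no trusted locations are configured at all.

```python
"""Allowlist check for remote-support session sources (added example, not
BeyondTrust's or the Treasury's code). Assumes each session record carries
the connecting agent's source IP, and that an operator has configured the
trusted locations (CIDR blocks) from which support agents may connect."""
import ipaddress
from typing import Iterable

# Constructed sample: hypothetical session records, not real data.
SESSIONS = [
    {"session": "s-1001", "agent": "helpdesk-a", "src": "203.0.113.10"},
    {"session": "s-1002", "agent": "helpdesk-b", "src": "203.0.113.44"},
    {"session": "s-1003", "agent": "helpdesk-a", "src": "198.51.100.7"},
    {"session": "s-1004", "agent": "helpdesk-c", "src": "2001:db8:1::25"},
    {"session": "s-1005", "agent": "helpdesk-b", "src": "not-an-ip"},
]

# Trusted locations the support vendor's agents are expected to connect from
# (RFC 5737 / RFC 3849 documentation ranges used as stand-ins).
TRUSTED_LOCATIONS = ["203.0.113.0/24", "2001:db8:1::/64"]


def evaluate_sessions(sessions: Iterable[dict], trusted: list) -> dict:
    """Classify each session by whether its source is inside a trusted block.

    Returns {"allowed": [...], "flagged": [...], "fail_open": bool}.
    An empty allowlist is the misconfiguration the post describes: nothing is
    restricted, so every parseable source is accepted and fail_open is True.
    """
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in trusted]
    result = {"allowed": [], "flagged": [], "fail_open": not networks}
    for rec in sessions:
        try:
            addr = ipaddress.ip_address(rec["src"])
        except ValueError:
            # Unparseable source: treat as untrusted rather than skipping it.
            result["flagged"].append((rec["session"], "unparseable source"))
            continue
        if not networks or any(addr in net for net in networks):
            result["allowed"].append(rec["session"])
        else:
            result["flagged"].append(
                (rec["session"], f"{addr} outside trusted locations"))
    return result


if __name__ == "__main__":
    weak = evaluate_sessions(SESSIONS, [])  # no trusted locations configured
    hardened = evaluate_sessions(SESSIONS, TRUSTED_LOCATIONS)
    print("fail-open:", weak["fail_open"], "flagged:", weak["flagged"])
    print("hardened flagged:", hardened["flagged"])
```

The same evaluation can be pointed at exported session logs to find agents connecting from outside the configured locations, or to confirm that an allowlist is actually in force.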

The fact is that there appears to be enough evidence to tie China to this, and this appears to be the latest attack that has been tied to China. Thus, besides taking action to prevent these incidents from happening, there needs to be action to make such activities something that China is less likely to carry out. And there needs to be action to make it way harder to get into supposedly secure networks.

UPDATE: Will Lin, CEO, AKA Identity adds this:

“This incident highlights two urgent, unsolved security issues today: third party vendor risk management and a lack of real-time visibility into identities. Because technology tools are built to trust valid credentials, the average identity-based breach takes over 200 days to detect.

Kudos to the US Treasury and BeyondTrust for detecting this incident and wishing the best in determining the investigation’s blast radius.”

More US States Restrict Access To Porn…. VPN Usage Spikes As A Result…. Shock… Not….

Posted in Commentary on January 2, 2025 by itnerd

About two or so years ago, a trend in the US started where individual states started to require online porn sites to do some form of age verification to keep kids from accessing online porn. Now whether that is the true goal of the states who do this is an open question as some would argue that these states are trying to restrict access to the Internet. But I will leave you to form your own opinion on that.

As of the new year, the list of states that restrict online porn is as follows:

• Virginia
• Montana
• North Carolina
• Arkansas
• Utah
• Mississippi
• Texas
• Nebraska
• Idaho
• Kansas
• Kentucky
• Indiana
• Alabama
• Oklahoma
• Florida
• Tennessee
• South Carolina
• Louisiana

Georgia has a law that takes effect in July.

The net result of this is that porn sites such as PornHub, which is apparently the biggest player in the online porn space, have outright blocked access to their sites in those states. Why? Well, for sites like PornHub to comply with these laws, they would have to perform reasonable age verification methods to verify the age of individuals attempting to access the material, which usually involves uploading your ID to them for verification purposes. PornHub clearly doesn’t want to play gatekeeper, nor do they want to be responsible for all that personally identifiable information, so they blocked access instead.

Now history has proven that if someone wants to ban something, those who want access to what is being banned will find a way to access it somehow. Which is why it isn’t surprising to me that according to VPN Mentor, in the state of Florida alone, they detected a surge of 1150% in VPN demand in the first few hours. You have to assume that similar things are happening in other states that have been geo-blocked by PornHub. Meaning that the efforts to restrict access to online porn are completely ineffective. Not that I am surprised by that, because anyone who has been on the Internet for longer than 60 seconds could have predicted that this was going to happen. Thus it will be interesting to see what these states do next. Do they ban VPN usage? Do they force ISPs to hand over info on which of their customers use VPNs? Do they go after PornHub or other online sites for not doing enough in their eyes? Or do they do nothing?

Get the popcorn ready.

Canadian Gets Held By Indian Authorities For Carrying A Garmin InReach Satellite Communication Device

Posted in Commentary on January 2, 2025 by itnerd

Before travelling to another country with your tech, it always pays to see how the local laws might affect you and the tech you carry. For example, some countries have restrictions on VPN usage or encryption technologies. Thus if you’re going to one of those countries, you might want to avoid using a VPN or bringing a laptop that’s encrypted.

Now to be clear, this example that I am about to bring you is not a case of blame the victim. It’s more of a cautionary tale:

In early December, a Canadian trail runner named Tina Lewis was two months into her extended trip to India when she ran into legal trouble due to her backcountry GPS communication device.

On December 6, Lewis, 51, arrived at Dabolim International Airport in the city of Goa, to fly to the nearby city of Kochi. She was traveling with a Garmin inReach Mini, a popular GPS and satellite messaging device often used by backpackers and climbers.

“It had been an amazing trip, the trip of a lifetime,” Lewis told Outside.

But when Lewis removed her InReach from her carry-on bag and placed it onto a scanning tray, she said a security officer approached her and asked her questions about the device. Lewis said armed guards then removed her from the line.

Lewis missed her flight. For the next four hours she was detained and interrogated about the InReach. Although her eventual fine was just $11, Lewis said she spent more than $2,000 to pay legal fees and bail.

“They treated me like a frickin’ fugitive,” she said.

And:

Lewis had unknowingly violated an Indian law that requires individuals to obtain a license before owning or using a personal satellite communication device. Lewis spent the next six days attempting to get her passport back from authorities. She had to appear in court on three consecutive days, and she eventually hired lawyers to avoid jail time.

India’s laws prohibiting individuals from owning satellite devices are published online: Unless registered and licensed by the government, satellite communicators are illegal. The Garmin website lists India as one of 14 countries that may “regulate or prohibit the use or possession of a satellite communicator” or are otherwise embargoed by the United States. The other nations on the list are Afghanistan, Ukrainian Crimea, Cuba, Georgia, Iran, North Korea, Myanmar, Sudan, Syria, Thailand, Vietnam, China, and Russia.

But the roots of the law are tied to an obscure rule from India’s past. The ban on satellite communication originated with the Indian Telegraph Act of 1885 and the Wireless Telegraphy Act of 1933. According to Global Rescue, an international medical and security evacuation service, these older laws were reinforced after the Mumbai terror attacks of 2008, when an Islamist militia used satellite communicators to coordinate bombings and shootings that killed nearly 200 people.

Now from first-hand experience having travelled to the country on several occasions, I can say that India has some “interesting” laws when it comes to tech. But this one is kind of surprising. Though I can see from India’s perspective why they need a law like this one. The flip side of that is that the Garmin InReach is a popular device among those who go to remote areas on a frequent basis. Thus you would think that this is a law that requires modernization for that reason.

By the way, this Canadian wasn’t the only person caught up in a situation like this:

She isn’t the only traveler to run afoul of the law. On December 9, just three days after Lewis’ arrest, a Czech traveler named Martin Polesny with a Garmin was detained at another Goa state airport. The following day, an American named Joshua Ivan Richardson was arrested with a satellite phone in Dehradun. A month prior, another American was detained at Chennai airport for the same reason.

Well, that’s not going to help with getting tourists into India and spending money there. Because now that these stories are out there, the users of these devices are going to think twice about going there because few if any of them are going to leave their Garmin InReach devices at home.

Oh. To borrow a phrase that was often used by Steve Jobs, there’s one more thing:

Direct satellite communication features are increasingly standard in modern smartphones. The newest versions of Apple’s iPhones have satellite communication capabilities. iPhones allow users to send messages to emergency services, share location, and stay in touch with emergency contacts, all while off the grid, with no cellular or Wi-Fi coverage, via satellite connection.

So in theory, if I go to India with my iPhone 14 Pro, which has a feature called SOS Over Satellite, I could get into trouble. Well, seeing as I don’t go anywhere without my phone, I have two choices: take my chances or avoid going to India. And it will likely be the latter. Thus if I could give one piece of advice to the Indian government, you need to rethink this law. And at the same time, if I could give one piece of advice to travellers, check the local laws regarding your tech and make your travel plans accordingly.