Snapshot of mining activity for one of the distributed monero keys being used to infect MikroTik routers. (Source: Avast)

Cryptojackers Keep Hacking Unpatched MikroTik Routers

Mathew J. Schwartz • October 19, 2018

Cryptojackers and eavesdroppers are continuing to exploit a one-time zero-day flaw in unpatched MikroTik routers, despite a patch that's been available for six months as well as the actions of a vigilante "gray hat" hacker who's forcibly "fixed" 100,000 vulnerable routers.

Cybercrime

Pentagon Travel Provider Data Breach Counts 30,000 Victims

Latest

Cybersecurity

FDA Calls for 'Cybersecurity Bill of Materials' for Devices

Marianne Kolbasuk McGee • October 19, 2018

Before marketing their medical devices, manufacturers should prepare a "cybersecurity bill of materials" that lists components that could be susceptible to vulnerabilities, according to a draft of updated FDA premarket guidance.

Authentication

Heads-Up: Patch 'Comically Bad' libSSH Flaw Now

Jeremy Kirk • October 19, 2018

Attention admins: If you use libSSH - one of the open-source flavors of Secure Shell, or SSH - patch now. The advice follows the disclosure of a vulnerability that one expert, Paul Ducklin of Sophos, terms "comically bad."

3rd Party Risk Management

Vendor Risk Management: Conquering the Challenges

Nick Holland • October 19, 2018

Organizations must carefully monitor that their business associates are adequately addressing data security to help guard against breaches, says Mark Eggleston, CISO at Health Partners Plans, who will speak on vendor risk management at ISMG's Healthcare Security Summit, to be held Nov. 13-14 in New York.

Cybersecurity

UK Cyberattack Investigations: An Analysis

Nick Holland • October 19, 2018

The latest edition of the ISMG Security Report features an analysis of the results of over 1,000 cyberattack investigations in the U.K. Also: an update on the proposed NIST privacy framework and a report on voter registration information for sale on the dark web.

Data Breach

Aetna Hit With More Penalties for Two Breaches

Marianne Kolbasuk McGee • October 15, 2018

Health insurer Aetna is still paying the price for two 2017 privacy breaches involving mailings that potentially exposed HIV and cardiac condition information about thousands of individuals. Here's the latest update.

Encryption & Key Management

Tech Companies Bristle at Australia's Crypto Legislation

Jeremy Kirk • October 15, 2018

The disagreements continue over Australia's efforts to pass legislation that would help law enforcement counter encryption. Technology companies and civil liberties organizations contend the latest draft of legislation would allow for too much secrecy and imperil privacy and security.

Governance

Update: NIST Preparing Privacy Framework

Nick Holland • October 15, 2018

Building on the success of the NIST Cybersecurity Framework, the National Institute of Standards and Technology is in the early stages of developing a privacy framework. The effort will kick off with a workshop Tuesday in Austin, Texas, explains Naomi Lefkovitz, who is leading the project.

Cybersecurity

RSA President on the Case for a Risk-Based Security Model

Geetha Nandikotkur • October 15, 2018

CISOs and other security practitioners are embracing the idea of a business-driven security model that takes a risk-oriented approach, says Rohit Ghai, president of RSA. "Cybersecurity conversations are becoming business conversations rather than technology conversations."

Breach Response

Facebook Clarifies Extent of Data Breach

Howard Anderson • October 12, 2018

Facebook now says that 20 million fewer accounts were breached than it originally believed, but the attackers accessed extensive sensitive personal information on nearly half of those affected.

Endpoint Security

Medtronic Cardiac Devices Recalled Due to Cyber Concerns

Marianne Kolbasuk McGee • October 12, 2018

The FDA has announced a "voluntary recall" by Medtronic of certain internet-connected programmers for implantable cardiac devices due to cybersecurity vulnerabilities. Some security experts are hopeful that this will serve as a wake-up call for more manufacturers to take action on addressing cybersecurity issues.

Endpoint Security

Review Shows Glaring Flaws In Xiongmai IoT Devices

Jeremy Kirk • October 12, 2018

Millions of internet-of-things devices made by the Chinese company Xiongmai and sold in stores such as Home Depot and Wal-Mart still have glaring security problems, a security consultancy warns. The findings come two years after the Mirai botnet targeted Xiongmai devices.

Business Continuity/Disaster Recovery

Safeguarding Critical Infrastructure From Cyberattacks

Nick Holland • October 12, 2018

The biggest challenge for any critical infrastructure facing potential cyberattacks is devising ways to maintain business continuity, says cybersecurity specialist Prashant Pillai, who calls for building resilience into network design. He'll be a speaker at ISMG's Security Summit: London, to be held Oct. 23.