InfoSec News

InfoSec

Leading privacy and cybersecurity law firm investigates Tandem Diabetes Care data breach

By

InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
April 20, 2020

Its almost cliche at this point.

We take the privacy and confidentiality of our customers’ information very seriously and apologize for any inconvenience or concern this incident may cause our customers.

With the next sentence…

Tandem Diabetes Care, Inc. (“Tandem”) is committed to protecting the confidentiality and security of our customers’ information. Regrettably, this notice is to inform our customers of a recent phishing incident that may have involved some customer information.

Some customer information is “reputational risk management code” for only 140,781 customers.

We are continuing to invest heavily in cyber security and data protection safeguards. We are also implementing additional email security controls, strengthening our user authorization and authentication processes, and limiting the types of data permitted to be transferred via email.

On January 17, 2020, Tandem Diabetes Care learned that an unauthorized person gained access to a Tandem employee’s email account through a security incident commonly known as “phishing.”

Once we learned about the incident, we immediately secured the account and a cyber security firm was engaged to assist in our investigation. Our investigation determined that a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020.

Through the investigation, Tandem Diabetes Care learned that some customers’ information may have been contained in one or more of the Tandem email accounts affected by the incident. The affected email accounts may have contained customer names, contact information, information related to those customers’ use of Tandem’s products or services, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.

On LinkedIn, Tandem Diabetes Care lists some 935 employees, but only three security people (understandably some of the security team might have temporarily pulled their profiles offline) and currently Tandem is looking for a Security Analyst II and a VP, Information Technology but neither of the job descriptions mention having knowing how to perform phishing exercises.

While you would think all this bad news is terrible for Tandem Diabetes Care’s stock price, guess again, when the data breach was submitted to the U.S. Department of Health and Human Services on March 13, 2020, TNDM – Tandem Diabetes Care, Inc closed at $46.55 a share and closed on Apri 18, 2020 at $72.94 a share.

So it should come to no surprised that Stueve Siegel Hanson LLP, a small Kansas City law firm known for their eight-figure legal outcomes would explore legal options for this data breach.

KANSAS CITY, Mo., April 1, 2020 /PRNewswire-PRWeb/ — Stueve Siegel Hanson LLP, a national leader in privacy and cybersecurity litigation, is investigating the data breach at Tandem Diabetes Care, Inc. that compromised the sensitive personal information of 140,000 patients, the firm announced today.

On January 17, Tandem discovered its email system had been hacked through a “phishing” scheme. An internal investigation showed several employee email accounts were compromised for three days between January 17 and January 20. The compromised information included names, email addresses, contact information, Social Security numbers and a range of patient data, including details related to customers’ use of Tandem products or services, and clinical data about diabetes therapy.

Tandem announced the data breach on March 16 and said it would notify affected customers. Individuals who receive these notifications can contact Stueve Siegel Hanson at 816.714.7105 or online to discuss their legal options.

Recognized by Law360 as “Cybersecurity & Privacy Group of the Year,” Stueve Siegel Hanson has prosecuted cases involving the largest data breaches in U.S. history, securing billions of dollars for affected customers. In 2019, the firm’s work included:

  • Securing final approval of a $1.5 billion settlement with Equifax in a nationwide class action resulting from its massive 2017 data breach;
  • Obtaining a $3.25 million settlement in a class action by optometrists following a data breach at the national testing organization for new eye doctors;
  • Serving as co-lead counsel against Capital One following a data breach affecting 106 million credit applicants; and
  • Pursuing a consumer lawsuit accusing Facebook of tracking users’ location information even after they opt-out of Location History features.

DEF CON Spot The Fed, C4I.org, 303, Phrack Magazine, Toool T-Shirts For Sale on eBay

By

InfoSec News InfoSec News

 

 

 

 

 

 

 

By William Knowles @c4i
Senior Editor
InfoSec News
April 19, 2020

Just a quick note, the house I have been renting for the last four years has sold and while packing things up it, I felt I should sell some classic hacking, infosec, and security shirts acquired over the years like the DEF CON ‘I Am The Fed’ shirt on eBay. but also make some small donations to groups like the Special Operations Warrior Foundation, Electronic Frontier Foundation, (RED), Greenwood Wildlife Rehabilitation Center, BADASS – Battling Against Demeaning and Abusive Selfie Sharing, The Tor Project, The Diana Initiative, and Hak4Kidz NFP.

Also, my funemployment ended soon after DEF CON 27, and I’ve been looking for meaningful information security employment since then, job hunting during a pandemic definitely has its challenges and I admit I have made some mistakes over the months/years. I have a few solid leads I am exploring, but if you’re looking for someone like me with a very particular set of skills, skills I have acquired over a very long career. Skills that make a lot of money for security enterprises owned and employed by InfoSec News subscribers, I can be reached via my LinkedIn page or Twitter.

Thanks for your time!

Unclassified and Secure

By

InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
April 12, 2020

A new report from the RAND Corporation, by Daniel Gonzales, Sarah Harting, Mary Kate Adgie, Julia Brackup, Lindsey Polley, and Karlyn D. Stanley

The defense industrial base (DIB) is under attack. Foreign actors are stealing large amounts of sensitive data, trade secrets, and intellectual property every day from DIB firms — contributing to the erosion of the DIB and potentially harming U.S. military capabilities and future U.S. military operations. The U.S. Department of Defense (DoD) has taken steps to better secure systems against cyber threats, but most protections in place focus on classified networks, while unclassified networks have become an attractive entrance for adversaries seeking access to cutting-edge technologies and research and development efforts. To address this problem, DoD has increased regulations and introduced new security controls, but the current approach may be insufficient.

This report offers DoD a way ahead to better secure unclassified networks housing defense information — through the establishment and implementation of a cybersecurity program designed to strengthen the protections of these networks. The program offers a means for DoD to better monitor the real-time health of the DIB and ensure that protections are in place to prevent the disclosure of sensitive corporate information from DIB firms or sensitive supply chain information across the DIB. The program also includes a means to offer qualified small DIB firms access to cybersecurity tools for use on unclassified networks, for free or at a discounted rate, to ensure that affordable protections are accessible to all DIB firms. Advanced persistent threats and sophisticated cyber attacks will not stop, but this program can help build stronger defenses, develop more-coordinated responses, and help maintain the technological superiority of U.S. military forces.

Key Findings
DoD’s current approach to defending DIB firms against cyber attacks is inadequate

  • The cybersecurity architectures of small DIB firms are likely to be deficient in several key areas: user authentication, network defenses, vulnerability scanning, software patching, and security information and event management, or cyber attack response.
  • Current DoD cybersecurity requirements are unaffordable for many small and some medium-sized DIB firms.
  • DoD’s voluntary cyber threat sharing service is not available to many DIB firms.
  • New cybersecurity tools can significantly strengthen the cyber defenses of DIB firms, but most small DIB firms cannot afford them

Recommendations

  • DoD should establish a DIB Cyber Protection Program (DCP2) to improve the monitoring and real-time health of the DIB, improve cybersecurity for firms that cannot afford the needed CSTs and professional staff, and offer data and legal protections to DIB firms.
  • The DCP2 would be a voluntary program under which DoD would provide CSTs to DIB firms either free of charge or at significantly reduced licensing costs. In turn, the DIB firms would agree to provide sanitized data produced by the CSTs to a security operations center (SOC) — either one run by DoD or a trusted third-party SOC — devoted exclusively to defending the DIB.
  • The DIB SOC or commercial SOC would provide dynamic intelligence, security alerts, and recommended actions to DIB firms to identify and remediate advanced persistent threat incursions and to prevent the exfiltration of important information from the unclassified network of the DIB firm.
  • The DCP2 would enable real-time threat intelligence to be collected and synthesized across the DIB in ways currently not possible, while respecting the confidentiality and proprietary nature of DIB contractor supply chains.

Download the ebook for free here, or buy the paperback when its available from Amazon on May 15, 2020.

 

How to prevent ZoomBombing from your Zoom video conference

By

 

InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
April 3, 2020

It seems lately not an hour goes by without news of another ZoomBombing happening, just as I was preparing this story comes this headline from Vermont Senate committee Zoom hearing derailed by porn hacker

A Vermont Senate Committee on Agriculture Zoom hearing, which was being live-streamed on Youtube, was interrupted by a hacker Thursday who screen shared pornographic videos before reaching into his pants.

The sudden outburst came as the committee had been in the midst of discussing school lunch access and how farms were faring during the COVID-19 crisis.

The first sign of trouble began with a sudden outburst of “p—- ass” and a racial slur before a video from the site Pornhub began to play.

Without blaming the Zoom administrators, many of these stories of ZoomBombings remind me of early conversations about using Amazon Web Services and hearing minds blown about insecure EC2 instances. I can’t tell you how many enterprises thought the workloads they ran in AWS were completely secure by default. More than a few shops were counting their stars nothing happened.

I suspect a number of Zoom users naturally feel the same way as early AWS users, but fear not, Zoom has a guide with a number of recommendations to keep your video conferencing secure.
When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.

Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.

Boris Johnson says HI

Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. For example, the Waiting Room is an unbelievably helpful feature for hosts to control who comes and goes. (More on that below.)

Manage screen sharing

The first rule of Zoom Club: Don’t give up control of your screen.

You do not want random people in your public event to take control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen-share.

Follow this link for more tips on how to keep your Zoom conferences secure.

Also, Founder and CEO of Zoom, Eric S. Yuan said in a blog posting today that effective immediately, Zoom will have a feature freeze for the next 90 days, and shifting all engineering resources to focus on their biggest trust, safety, and privacy issues.

  • Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
  • Preparing a transparency report that details information related to requests for data, records, or content.
  • Enhancing our current bug bounty program.
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues.
  • Starting next week, Yuan will host a weekly webinar on Wednesdays at 10 am PT to provide privacy and security updates to our community.

 

InfoSec News Signal Boost – March 27, 2020

By

InfoSec News Signal Boost

By William Knowles @c4i
Senior Editor
InfoSec News
March 27, 2020

As we try to get used to the new normal, InfoSec News understands many cyber and information security professionals (including myself) are looking for their new security forever homes. As I find these calls for security professionals, I’m hopeful this might be the catalyst for breaking what has been broken forever. Hiring experienced professionals and competent security-aware people that can be trained to be that unicorn that many HR departments have been looking for.

-=-

The popular Infosec R&D company Grimm (https://grimm.rip), famous for only
taking on “difficult projects” is still hiring at a time when many of their
competitors are going out of business. The lack of competitors also means tons
of work coming in, so job security is solid. If you were laid off and have a
heavy Security Engineering (& DevSecOps) Exploit Dev and/or AppSec background
and want to work with some of the objectively smartest people in Infosec, check
out their job postings here https://www.grimm-co.com/careers, and note the
“General Resume Submission” link at the bottom if you want to be considered for
“whatever.”

-=-

Research Analyst, Cyber Policy Initiative

Cyber Policy Initiative

The Carnegie Endowment for International Peace is seeking a Research Analyst to
work with scholars in our Washington DC-based Cyber Policy Initiative. Founded
in 1910, Carnegie is a top-ranked policy think tank with a unique global network
research centers in Russia, China, Europe, the Middle East, India, and the
United States. The Cyber Policy Initiative is part of Carnegie’s Technology and
International Affairs program, which also focuses on artificial intelligence and
biotechnology.

The Research Analyst will primarily help build a project exploring how to
leverage market incentives to improve cyber risk management. For example, it
researches and promotes ways in which commercial insurers, major asset-holding
corporations, and credit-rating agencies, can set de facto standards that
promote cybersecurity more quickly, flexibly, and internationally than
governmental regulatory processes often do.

The Research Analyst will work closely with scholars to develop and execute
original research and writing projects such as policy briefs and longer research
reports and build partnerships within the private sector. Additional activities
include: Engaging with policymakers in the U.S. Congress and administration;
preparing and delivering briefings; attending and reporting back on relevant
events in the policy community; contributing to other areas of the Initiative’s
work on cyber policy and strategy; and occasional administrative support, such
as organizing public and private events.

The ideal candidate will have deep interest in technology policy, a willingness
to dive into new research topics, and possess the ability to perform within a
challenging program environment. Up to two years of relevant post-graduate
experience is a plus, but not required. Strong writing and research skills are
essential.

Located in Dupont Circle in Washington, DC, we offer an outstanding benefits
package. When applying, please include your resume/C.V. and cover letter. Please
apply via the Carnegie Endowment website:
https://carnegieendowment.applicantpro.com/jobs/1373349.html

All qualified applicants will receive consideration for employment without
regard to race, color, religion, sex, national origin, disability, protected
veteran status, sexual orientation, gender identity, or any other protected
group

-=-

Principal Technician (Cyber Security)-200286

Primary Location Belgium-Mons
NATO Body NATO Communications and Information Agency (NCI Agency)
Schedule Full-time
Salary (Pay Basis) : 4,449.34Euro (EUR) Monthly
Grade B.5

Description:

NATO offers you more than a job. It gives you a mission: building peace and
security for one billion people in Europe and North America. The NATO
Communications & Information Agency is leading NATO’s Digital Endeavour.

We are NATO’s technology and cyber leaders, helping NATO Nations to communicate
and work together in smarter ways. Our work is challenging and meaningful, and
you will develop and apply your expertise as part of a dynamic international
team of civilian and military professionals.

What do we offer?

Genuinely meaningful work as part of the most successful alliance in history

3 year contract with competitive tax-free salary and household and children’s
allowances

Privileges for expatriate staff including expatriation and education allowances
(where appropriate) and additional home leave

Excellent private health insurance scheme

Generous annual leave of 30 days plus official holidays

Retirement Pension Plan

About the job

Based in Mons, Belgium you will join the Agency as we embark on a journey to
transform our IT services to support NATO’s Digital Endeavour. You will be
responsible for production and management of Security Hardening, Configuration
and Installation guidelines; providing security expert assistance and support in
analysis of security incidents and resolution; reviewing documents to be
published on NCSC Portals, or provided to NCSC customers, as part of projects
deliverables.

For a full list of duties, please review the job description. Here.
https://www.ncia.nato.int/Documents/JD_Principal%20Technician%20(Cyber%20Security)_B5_200286.pdf

About you

We’re looking for a talented and knowledgeable Principal Technician (Cyber
Security) professional with ideally a higher vocational training in a relevant
discipline with 3 years post-related experience; or, a secondary educational
qualification with 5 years post-related experience A different qualification
coupled with particularly relevant experience may also be considered.

Knowledge of English, both written and spoken, is essential.