Netgear Exploit Found in 31 Models*:
- Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk.
- The vulnerability essentially allows attackers to exploit the router’s password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings.
- The bug affects at least 31 different Netgear models, potentially leaving over a million users open to attacks.
- Even more unsettling is the fact that affected devices could in certain cases be breached remotely.
- Netgear has also confirmed the flaw in a post on its website, releasing a full list of the affected models: R8500, R8300, R7000, R6400, R7300DST, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, R8000, R7900, WNDR4500v2, R6200v2, WNDR3400v2, D6220, D6400, C6300 (firmware released to ISPs).
- Netgear has already posted the updated firmware on its website, and advised users to update the firmware on their devices in order to avoid getting hacked.
- This vulnerability marks a second blunder for the popular router-maker in a window of less than two months; in December, a flaw was found in two other Netgear routers.
*Source: The Next Web, January 31, 2017
Businesses Fear Brand Damage More Than Security Breaches*:
- Risk management is a challenge for most businesses, but security breaches aren't their top concern.
- Researchers surveyed 641 individuals involved in their organization's risk management programs to learn about the state of business risk intelligence.
- They discovered the biggest fear resulting from a poor risk management program is reputation damage (63%).
- As cyber-attacks on businesses become more publicized, enterprise leaders face the responsibility of predicting the likelihood, and potential impact, of security breaches.
- The survey discovered less than one-quarter (24%) of respondents say their organization has a clearly defined risk management strategy that is relevant across the enterprise.
- More than half (52%) of respondents don't have a formal budget around enterprise risk strategy.
- Among the businesses with formal budgets dedicated to risk management, 58% plan to spend between $1M and $5M on risk management products in the upcoming fiscal year.
- For organizations working to reduce their IT security risk, it’s beneficial to start with an asset inventory to determine what your critical needs are.
*Source: Dark Reading, February 02, 2017
Majority of Americans are Data Breach Victims*:
- According to a study from the Pew Research Center, at least 64% of Americans have personally experienced a major data breach, while 49% feel that their personal information is less secure than it was five years ago.
- A substantial majority (70%) of Americans anticipate major cyber-attacks in the next five years on our nation's public infrastructure.
- Many Americans lack faith in government and business to keep their information safe.
- Despite the lack of faith in business and government institutions, consumers largely fail to take even the simplest protective step, ignoring password safety guidelines.
- Only 12% of internet users say they use password management software, with about two-thirds saying they simply memorize their passwords while 18% write them down on a piece of paper.
- Since most people rely on memorization to manage their passwords, many use the same or very similar passwords for most of their online accounts.
- Cybersecurity experts find this surprising, given the large number of highly effective, free, and easy-to-use password management tools, like LastPass, KeePassX, Dashlane, and Sticky Password, to name just a few.
*Source: Consumer Affairs, January 27, 2017
Breaches Highlight Massachusetts Data Risk*:
- Sensitive information from nearly 3.4 million Massachusetts customer accounts has been inappropriately viewed, lost or stolen from businesses and state agencies since 2012.
- All told, companies and state agencies have reported more than 8,200 data breach incidents to the state Office of Consumer Affairs and Business Regulation over the last five years, an average of 4.5 per day; most affected fewer than 10 people.
- Credit and debit card numbers were lost or stolen in breaches affecting 1.9 million Massachusetts residents, Social Security numbers in breaches affecting 1.5 million, driver's license numbers in breaches affecting 320,000, and account information in breaches affecting 240,000.
- Companies are required to notify the state when their sensitive data is stolen.
- The list of breaches shows that the vast majority of victimized companies were flouting state regulations that require them to encrypt sensitive data.
- Out of the 8,200 breaches, the stolen data was encrypted in only 16.
- While some mom-and-pop businesses may not have the means or savvy to encrypt customer data, the process is relatively cheap and easy, and it is surprising that the vast majority of the companies on the breach list did not take the precaution.
- If your personal information was compromised in one of the 8,200 breaches, you should have received a notification from the company or agency explaining (in sparse detail) what happened and what steps are being taken.
- The good news is that cybersecurity is improving, and in the future the personal information of a Massachusetts resident may not be compromised, on average, every 47 seconds.
*Source: Lowellsun, January 29, 2017
OCR Fines Children's Medical Center of Dallas $3.2 Million for Lack of Encryption*:
- The U.S. Department of Health and Human Services’ Office for Civil Rights fined Children’s Medical Center of Dallas $3.2 million for HIPAA noncompliance and impermissible disclosure of unsecured ePHI stemming from two data breaches caused by a lack of encryption.
- The first breach involved the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport.
- The second incident involved the theft of an unencrypted laptop from Children’s the first week of April 2013.
- Although Children’s physically protected part of the laptop storage area with badge access and a security camera, it also allowed access to staff members who weren’t authorized to access ePHI.
- The subsequent OCR investigation further revealed HIPAA noncompliance that included a failure to implement risk management plans – despite external recommendations to do so.
- Further, the hospital failed to use encryption or an equivalent method on its laptops, workstations, and mobile devices until April 2013.
- Children’s also issued unencrypted BlackBerry devices to nurses and allowed staff to continue use of unencrypted laptops and mobile devices until 2013, despite warnings about the risk of unencrypted ePHI as far back as 2007.
- Children’s did not request a hearing and paid the full penalty.
*Source: Healthcare IT News, February 01, 2017
Flaws in Popular Printers Can Let Hackers Easily Steal Printed Documents*:
- New research published by academics has resurfaced several serious vulnerabilities in popular internet-connected printers, which if exploited could allow an attacker to remotely steal sensitive documents from print jobs.
- The researchers published six security disclosures along with a blog, a wiki, and an open-source toolkit; the flaws could be used to steal passwords, shut down and hijack networked printers, and remotely steal copies of printed documents.
- At least 20 network printers built by Dell, HP, Lexmark, Brother, Samsung, and others were confirmed to be affected.
- A successful attack could allow an attacker to siphon off the printer's memory to access print jobs of potentially sensitive files, like contracts, corporate information, or patient information.
- All of the vendors of affected devices were informed in October, but only Dell responded -- though the researchers say the company did not follow up.
- Google rewarded the group's findings with $3133.70.
*Source: ZDNet, January 31, 2017