Morgan Stanley pays $60M for data gaffe

Hello Readers!

Welcome to the Free Friday edition of Inside Security. Today, I'm giving free subscribers a treat, offering my PODCAST NOTES premium feature for free. If you'd like to receive this weekly feature in your inbox, start your FREE 14-day trial of Inside Security Premium today while the offer lasts. When you do, you'll also be able to access past and future exclusive premium content, like this week's:

SECURITY FUNDING: Onapsis gets $55M.
SECURITY TRENDS: PCI DSS compliance declines.
CYBER BREACH MONDAY: A summary of the most important data breaches.
Monday's CISO CORNER column features exclusive interviews with leading CISO.

Thanks for your support!

Fred

Some organizations that use the Playback Now conference platform have been infected with credit card skimmer malware, according to Malwarebytes. The attackers were able to compromise a Playback Now server that hosts conference materials for its customers. The hackers stole financial data of users purchasing conference materials for websites hosted on the server.

More:

Playback Now enables users to record events and provide live streaming, on-demand content, and a virtual conference expo hall.
Malwarebytes found that more than 40 websites hosted by Playback Now were compromised.
The researcher discovered that the sites were running a vulnerable version of the Magento content management system, version 1.x.
Malwarebytes researchers contacted Playback Now but did not say whether the company has taken any action to fix the problem.

SECURITY WEEK

Investment bank Morgan Stanley has agreed to pay a $60M fine to the Treasury Department for exposing customer data in decommissioning data centers and network devices. Hardware from the data centers, which were closed down in 2016, contained confidential customer data when they were sent to a recycler. In addition, network devices decommissioned in 2019 also had confidential customer data.

More from the Treasury:

Morgan Stanley failed to take the following actions regarding the decommissioning of data centers and network devices:

Assess or address risks associated with decommissioning its hardware.
Assess the risk of subcontracting the decommissioning work, including exercising due diligence in selecting a vendor and monitoring its performance.
Maintain inventory of customer data stored on the decommissioned hardware devices.

The Treasury Department also this week assessed a $400M fine on Citbank for deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls.

CYBERSCOOP

A team of security researchers could earn up to $500,000 for finding close to a dozen critical bugs in Apple's corporate network and products. In total, the team found 55 vulnerabilities, including some that could enable attackers to take control of Apple's infrastructure. Apple has fixed the bugs, some within hours of being notified by the research team.

More:

The team includes Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.
The researchers said they found 55 vulnerabilities: 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity.
Some of the bugs could have enabled attackers to retrieve source code for internal Apple projects and access management tools and sensitive resources used by Apple employees.

ARS TECHNICA

New Android ransomware is able to infect devices by abusing the incoming call notification and Home button, warned Microsoft researchers. The AndroidOS/MalLocker.B ransomware hides inside Android apps for download on online forums and third-party sites. The ransomware prevents users from accessing their phone and displays a ransom note claiming the user has to pay a police fine.

More from Microsoft:

The ransomware uses social engineering lures, including pretending to be popular apps, cracked games, or video players.
AndroidOS/MalLocker.B is able to evade most mobile security products.
The attackers use an open-source machine learning module for context-aware cropping of the ransom note.

ZDNET

The Lightning Network used to make fast Bitcoin payments has a vulnerability affecting LND versions 0.10 and below, warned a Lightning Labs engineer. Users are being urged to upgrade to LND version 0.11, which was pushed out on Oct. 1, "ASAP."

More:

The Lightning Network uses smart contract functionality in the blockchain to enable instant Bitcoin payments across the network of participants.
Security researchers warned earlier this year about privacy bugs in the Lightning Network that could expose the financial data of Bitcoin transactions.
Lightning Labs, Blockstream, and ACINQ are working on Lightning Network development.

COIN TELEGRAPH

Cisco plans to focus its research and development investment in cloud security and collaboration as part of its restructuring designed to cut more than $1B in costs. The restructuring includes earlier retirement offers and layoffs across locations.

More:

A number of long-serving executives announced this week that they are the taking an early retirement offer, including Steve Benvenuto, who most recently served as senior director of global security at Cisco's Partner Sales Organization.
Cisco estimated pretax restructuring charges of $900M consisting of severance and other one-time termination benefits.
The company also plans to invest more in education and healthcare solutions as part of the restructuring.

CRN

Attackers could use social engineering to steal personal data from Fitbit users through malicious apps uploaded to the official Fitbit Gallery. Immersive Labs researcher Kevin Breen was able to upload a malicious app and bypass the Fitbit store's defenses.

More from Immersive Labs:

The malicious app was able to collect information about device type and location, user health data, and calendar information and connect to corporate networks.
Breen said he was able to turn the malicious app into a network scanner that could scan and access internal network sites and services.
After being informed of the security bug, Fitbit said it would fix the issue with the Gallery site.

BLEEPING COMPUTER

More than half of companies have seen at least a moderate increase in cyberattacks during the COVID-19 pandemic, with 10% saying they've seen a drastic increase. Yet, only 16% of companies have had a breach in the past 12 months, compared to 15% in the same period last year, according to a survey of 520 security professionals by DomainTools.

More from the survey:

Only 24% of respondents gave their company's security program a grade of "A," compared to 30% in 2019.
More than half said they were prepared to support a fully remote workforce.
More than one-quarter of companies reassessed their security posture in response to COVID-19 and the move to remote work.

DARK READING

PODCAST NOTES: (This premium content first appeared in the Oct. 8 issue of Inside Security)

Every Thursday, I summarize a podcast about cybersecurity so you can read it in about five minutes or less. This week features Caleb Barlow, CEO and president of CynergisTek, who spoke with Dave Bittner of Hacking Humans (#119) about the dangers of ransomware attacks targeting hospitals. [Note: Questions and answers were edited for brevity and clarity.]

Dave Bittner: Could you discuss the recent incident in which a woman died due to a ransomware attack against a hospital in Germany?

Caleb Barlow responded that cybersecurity professionals often focus on these marquee events where kinetic impact comes into play. This is a very tragic event. Someone died because the hospital they were headed to was locked up with ransomware, and the hospital had to divert patients.

In emergency medicine, there's this concept called the golden hour, Barlow explained. The idea is that an emergency medical professional's duty is to get a patient to a higher level of care, i.e., a hospital or a trauma center or a stroke unit, in under one hour from the time they dialed 911. And when something gets in the way of that, such as a ransomware attack, the death rate grows dramatically. And, unfortunately, that's exactly what we saw in this case.

Dave Bittner: Can you provide us with some insights as to what goes on within a hospital, within an emergency facility, when they find themselves confronting a ransomware attack?

Barlow explained that not only is he the CEO of a company that focuses on protecting hospitals from cyberattacks, but he also had a 15-year career working as an EMT. The thing that people have to understand in an emergency medical situation is that the EMTs are responding because something has gone very wrong. It's the EMT's job to try to fix it or at least reduce the risk. So one of the primary things EMTs looking at is, "How fast can I get this individual to a higher level of care?" When something stands in the way, that's a problem.

What a hospital does when they're locked up with ransomware, they can't access their medical records. There are no paper records anymore. They can't see what drugs a patient is on. They don't know if the patient has any allergies. Not only that, their processes slow down because all the documentation and all the patient routing are done electronically.

The safest thing for them to do is start to divert patients and shut down non-emergency care. And that's exactly what happened in this case. They started diverting their ER patients. Now, ERs divert all the time, but usually due to patient load not because they're locked up with ransomware...

Barlow related that he spoke with some of his clients who told him about a situation where a hospital was locked up with ransomware. They had surgeries going on at the time. There were literally patients on the table in the middle of a surgical procedure, and they couldn't access data and everything locked up. Their communications were down. The systems they were working on went down.

Most doctors understand what to do in that situation. Start making sure they can protect the patient and not cause any harm. One of the questions that came out of this discussion was, how many close calls have there been that we haven't heard about as hospitals are continually getting locked up with ransomware? This just happened to be one where there was a confirmed death.

QUICK HITS:

The U.S. Department of Justice has published a framework to combat criminal use of blockchain and cryptocurrency.
Unknown attackers have targeted the U.S. Census Bureau network over the last year.
Facebook has created a "loyalty program" for its bug bounties.
Belgium's largest telecom operator Proximus is replacing Huawei telecom equipment due to security and other concerns.
See how leading sales teams are solving their challenges of selling remotely.*
Top executives from Netflix, Calm, T-Mobile, and Okta discuss identity access management. Don’t miss the event. Sign up here.*

*This is a sponsored post.

We're hiring! Check out our available positions:

Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.

Editor

Sheena Vasani is a journalist and UC Berkeley, Dev Bootcamp, and Thinkful alumna who writes Inside Dev and Inside NoCode.