Last week (as of writing) the Centers for Medicare & Medicaid Services (CMS) announced a large data breach affecting Healthcare.gov’s Federally Facilitated Exchanges (FFE). The specific part of the exchanges that was breached is the portal that gives healthcare agents and brokers access to customers’ applications so they can assist with enrollment for coverage.
“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
The breach appears to stem from compromised agent/broker accounts, which CMS has since deactivated. CMS puts the scope at roughly 75,000 affected individuals, and the Office of the Inspector General has reported that no banking, federal tax, or personal health records were taken in the breach. CMS has reported the incident to the FBI and is currently cooperating with federal investigators.
The anomalous activity began on October 13th; CMS identified it as a breach and reported it on October 16th. The offending accounts were disabled, and as an extra precaution CMS also took down the part of the FFE that allows agent/broker interaction with customers. Because that tool is only one of several enrollment options, Healthcare.gov remains open and operational while CMS works to fix the issues that led to the breach.
Apple has recently released the initial version of a new website that will allow its users to check what personal information Apple has collected about them. This comes after an interview with Tim Cook in March in which he said: “We’ve never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist”. The website adds an unprecedented level of transparency for a company of this size. Despite this transparency and its stated aversion to treating its customers as the product, Apple still collects a wide variety of user information, ranging from calendars and contacts to entire documents and photos. The website has already been tested in the EU to make sure it satisfies the privacy regulations in force there. Apple’s intentions do seem pure, at least for now. As part of the recently released iOS 12, Apple added features that help block targeted ads based on shopping or search history, and Apple has continued to be very active in pushing for privacy regulation across the globe. Even so, while Apple is making it harder for other companies to get your personal information and is letting you see what it holds, it continues to collect and store that same information itself.
A researcher has found serious flaws in FreeRTOS, the leading real-time operating system for embedded devices. This leaves a large number of Internet of Things devices vulnerable to attack, from refrigerators to pacemakers. Last year Amazon took over stewardship of the project and extended the OS into its own Amazon FreeRTOS IoT operating system, enhancing it for use with Amazon’s own products and services going forward.
There are a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack, and they affect Amazon FreeRTOS as well. The issues range from remote code execution to leaking the contents of device memory and denial of service, which in practice lets an attacker on the network do just about anything they want to the target device. The technical details of the flaws have not been released to the public so that vendors have time to ship a fix. Because IoT devices rarely receive timely firmware updates, the practical mitigation in the meantime is to keep such devices on an isolated network segment that untrusted hosts cannot reach.
RIT is rolling out Multi-Factor Authentication (MFA) very soon. MFA adds an extra factor to validate your credentials: today, when you log into RIT services, you are prompted for your username and password; with MFA you will also need to provide a second form of authentication. The supported methods are the Duo Mobile app, a text message, a phone call, an office phone call, and email. (Of these, the app is the strongest choice; text, phone-call and email codes can be intercepted or phished more easily.) RIT has been experiencing more attacks than ever before, and MFA is its attempt to mitigate that risk. Last year MFA was put into effect for faculty, staff, and student employees after many eBiz accounts were compromised; the attackers then changed direct-deposit account numbers so that paychecks would be routed elsewhere. Luckily no one lost money, because controllers noticed the changed numbers and recognized the attack, as another university had been hit in the same manner.
Why does this matter to us?
If you do not enroll in MFA by the 24th of October, a hold will be placed on your account and you will not be able to register for classes next semester.
With MFA comes the use of another device to authenticate yourself to RIT services. For example, if you signed up planning to use the Duo app, DO NOT forget your phone: ITS will have to give you a bypass code until you can get to your phone, which is unfortunate if you need to log on to something ASAP. I personally don’t see why students need MFA, but I have no choice but to enroll in it.
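To make concrete what the “extra factor” above actually buys you, here is an added example (written for this post; it is not RIT’s or Duo’s code) of a time-based one-time passcode second factor in the style of RFC 6238, which is what an authenticator app’s six-digit code is. The account record, password, salt and shared secret are all constructed for the demo (the secret is the RFC’s own test key); the login check shows that a phished password alone, or a code that has already been used, is rejected.

```python
"""Added example: TOTP (RFC 6238) as a second authentication factor.
Illustration code for this post, not RIT's or Duo's implementation.
The account, password, salt and shared secret below are constructed."""
import hashlib
import hmac
import time

# RFC 4226 / RFC 6238 reference test secret.  A real deployment generates
# a random secret per user at enrollment and never reuses a fixed one.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, now // step)


class Account:
    """Constructed demo account: a password hash plus an enrolled TOTP
    secret and the last time window accepted (used to reject replays)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"demo-salt"  # constructed; use os.urandom(16) in practice
        self.password_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.last_counter = -1

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password))

    def check_totp(self, code: str, now: int, skew: int = 1) -> bool:
        """Accept a code from the current window or `skew` windows either
        side (clock drift), but never from a window at or before the last
        one used, so a code captured by an attacker cannot be replayed."""
        current = now // TIME_STEP
        for counter in range(current - skew, current + skew + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def login(account: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a phished password alone is not enough."""
    return account.check_password(password) and account.check_totp(code, now)


if __name__ == "__main__":
    acct = Account("correct horse battery staple", DEMO_SECRET)
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the authenticator app would display
    print("password only:   ", login(acct, "correct horse battery staple", "000000", now))
    print("password + code: ", login(acct, "correct horse battery staple", code, now))
    print("replayed code:   ", login(acct, "correct horse battery staple", code, now))
```

The skew window is why a code still works for a few seconds after it rolls over on the phone, and the `last_counter` check is why the same code cannot be used twice; a push-based approval such as the Duo app’s works differently on the wire but enforces the same property, that the login needs something only the enrolled device can produce.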
By: Alejandro Juarez
In a recent breach of Facebook, approximately 29 million users are believed to have had their data stolen, with the most severely affected being a group of 14 million. The attack is currently being attributed to spammers posing as a digital marketing firm. According to Facebook, the data stolen includes: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”. News of the hack first surfaced on September 28th, when 50 million users were thought to be affected, a number that has since been lowered.
Usually, companies in such a predicament offer access to credit-monitoring services and other identity-theft protections, as Target did after its 2013 breach. Facebook, however, declared that it would not be taking such steps and would instead direct users to help pages where they can learn how to spot phishing. Experts worry about follow-on attacks that use the stolen profile data for targeted phishing and account takeover. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, points out that although no financial data was captured, the information gathered (hometown, birthdate, education, relationship status) is exactly what knowledge-based authentication questions ask for, so it could be used to break into accounts at other services. He believes the best move for Facebook would be to offer free access to password managers and similar software to help combat this.
In Europe, the breach could cost Facebook up to about $1.6 billion, the 4% of global annual revenue that is the maximum fine under the General Data Protection Regulation, which took effect in May. The case is being recognized as the first major test of the GDPR.