Data Breach Reported, New Cybersecurity Legislation Introduced: Tech Update

New research reveals security flaws for those using Office 365 or Google's G Suite.


Internet of things legislation, a possible Michigan medical data breach of 600,000 people, Microsoft and Google vulnerabilities, and tax season scams highlight a roundup of cybersecurity news and notes.

Legislation introduced last week would require established standards for government use of internet-connected devices. The bipartisan Internet of Things Cybersecurity Improvement Act of 2019 — introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) and in the House by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.) — does not make specific recommendations but instead calls for the National Institute of Standards and Technology to develop security guidelines for IoT devices sold to the U.S. government.

“IoT devices represent an exciting technology for the American and global consumer. Yet despite the benefits of IoT, we have to also realize the major security risks associated with it,” Budd said in a statement. “This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought,” Hurd stated.

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” Kelly said. Kelly added, “It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

Kenta Yasukawa, co-founder and chief technology officer for IoT at connectivity provider Soracom, commented: “Security concerns represent the single biggest obstacle to IoT development and public adoption.” Yasukawa said it remains one of the biggest challenges because projects often prioritize things like reducing cost and accelerating speed to market.

Yasukawa added that the good news is that IoT is not inherently insecure. “Clear standards remove uncertainty for developers, reassure consumers, and shift the Internet of Things toward the effective practices already in place in security-conscious industries like finance and transportation and across cellular data networks.”

Meanwhile, a cyberattack might have compromised the personal information and medical data of more than 600,000 people in Michigan. The state’s Attorney General Dana Nessel said last week the cyberattack on Wolverine Solutions Group, which partners with health plans and hospital systems including Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System, could have yielded names, addresses, birthdates, social security and phone numbers, insurance contract information, and medical data.

Kevin Bocek, vice president of security strategy and threat intelligence at Salt Lake City-based Venafi, which provides machine identity protection, offered, “It’s not surprising to see a large-scale attack on multiple insurers be so successful: cybercriminals can use the power of encryption to hide and escape detection.” Bocek added, “Machine identities, like TLS (transport layer security) certificates, establish what is good or bad on networks and establish private communications. Experts forecast at least 70% of network attacks will use the power of machine identities to encrypt and hide breaches.”

Bocek suggested most security teams are still catching up to these new threats. “Many organizations don’t have the intelligence and automation to properly protect machine identities, so their existing threat protection leaves incoming and outgoing encrypted traffic vulnerable.”

New York City-based Avanan, which delivers a cloud security platform, revealed hackers are bypassing email security gateways and sending phishing emails directly to Google and Office 365 root domains.

Yoav Nathaniel, cloud security expert at Avanan, wrote in a blog, “If you use Office 365 and G Suite, you have a root domain. They are free, built-in domains for G Suite and Office 365 used during email setup. The DNS of root domains are managed by Google and Microsoft — not by you.”

Nathaniel also noted, “In our tests, roughly 70% of Office 365 and G Suite enterprise customers who use gateways are vulnerable. This vulnerability (which is a common misconfiguration) may be resolved with a reconfiguration.”

Finally, Corin Imai, senior security advisor at Seattle-based DomainTools, which provides a proprietary threat intelligence and investigation platform, warned, “With tax season in full swing, it’s crucial to be vigilant of scams, especially those that mimic the IRS. Cybercriminals are targeting taxpayers through phishing emails, spoofed domains, and even phone calls to lure people into supplying credentials and PII.”

Imai explained one scam is putting tax returns at risk, with adversaries claiming refunds. “It’s imperative to heed caution when receiving correspondence from the IRS and important to remember that the IRS will never call, text, or email. Any pertinent message regarding your taxes will be sent to you directly via official notice in the mail.”

Imai suggested taxpayers stay apprised of the tactics the IRS shared in its scam warning, monitor for suspicious links (such as turhbotax[.]com) when checking for updates, and, when in doubt, go straight to the official tax provider website and exercise the utmost caution this season.