Covid-tracking lacks minimal electronic protection

Welcome to Cybersecurity 202! Volcanoes are amazing. I may see my first person during the next flight.

Below: Researchers say a newly disclosed hacking campaign could be the work of contractors, and Android health apps share health data with advertisers. First:

A previously unpublished oversight report reveals significant deficiencies in HHS cybersecurity

The Department of Health and Human Services (HHS) failed to implement basic safeguards against hackers when it developed a system to track coronavirus data in 2020, according to an internal oversight report that was never made public.

The Inspector General’s report concluded that those failures prior to the deployment of HHS Protect left the system “exposed to an unknown and possibly unacceptably high risk of failure or compromise from unintended disturbances (e.g., natural or man-made disasters) or cyberattacks.” It also concluded that a successful attack could hamper the pandemic response.

Only the report’s title was released publicly, on November 2, 2021. My colleague Nate Jones obtained the full report last month through a Freedom of Information Act request; the report cited “restricted sensitive information” as the reason for its limited distribution.

The report also found similar failures in another related HHS program called TeleTracking. But on August 24, the same day the Inspector General (IG) provided the report to The Washington Post, the IG rescinded the entire report, citing unspecified errors in the portion that examined TeleTracking.

Just last month, leaders of the Cyberspace Solarium Commission (now CSC 2.0) wrote to HHS citing concerns about the quality of its assistance in securing the health and public health sector.

“This suggests that the other half of their responsibility is equally challenged,” Mark Montgomery, the executive director of CSC 2.0, told me, noting HHS’ need to defend its information technology. “To fix these two components would take a significant amount of the senior leadership’s bandwidth.”

HHS Protect collects information such as case counts, hospital capacity and demographic data from federal, state and local governments, as well as from the health-care sector.

When HHS deployed HHS Protect in April 2020, the program had not yet completed work on some “essential controls” for cybersecurity, according to the audit, which found that the department had not fully:

  • Evaluated the program’s potential privacy impact.
  • Identified threats and risks.
  • Provided an overview of the security requirements and described the protections in place to meet them.
  • Determined the potential impact of a software failure.
  • Systematically evaluated the system for weaknesses.
  • Written a plan for restoring systems after a failure.

Furthermore, no agency official initially granted HHS Protect an “authority to operate,” which is an explicit acceptance of the program’s risks to HHS operations. That authorization came nine months later, and as of early last year the program still had not completed a risk assessment or contingency plan.

HHS did not respond to requests for comment about whether it has addressed the shortcomings identified in the report. According to the report, the HHS Office of the Chief Information Officer (OCIO) explained that “some cybersecurity assessments were conducted on an ad hoc basis prior to launch, and they believed based on their experience that HHS Protect was safe when deployed. However, we were unable to verify that OCIO conducted those assessments because no documentation of them was created.”

The audit found that all of this poses serious risks to HHS.

“Although HHS did not report a major incident involving HHS Protect or TeleTracking during our audit period, HHS systems continued to be primary targets of cyberattacks,” the IG report reads. “If an attack were successful, systems or data could be destroyed or compromised, and HHS might be unable to restore systems or data in a timely manner, which could significantly hamper pandemic response efforts.”

But the report at least partly defends HHS over how the programs were rolled out.

“Cybersecurity controls for both systems were not implemented prior to deployment because HHS officials prioritized deploying the systems for operational use to achieve the agency’s mission to combat the covid-19 pandemic over meeting all federal requirements prior to deployment,” the report says.

A former government official, who spoke on the condition of anonymity because they were not authorized to speak publicly, was less sympathetic. “Oops,” they said in a message to me about the lack of a privacy impact assessment. “That would have been the bottom line for this system.”

An IG spokesperson said they could not discuss what was inaccurate about the TeleTracking audit. In the report, HHS rejected three IG recommendations, two of which called for completing certain cybersecurity safeguards for HHS Protect and one that called for the same for TeleTracking. As of November 2, the IG stood by its recommendations.

“We cannot provide further details at this time because additional audit work is ongoing and the OIG does not discuss details of work in progress,” IG spokesperson Yvonne Gamble said.

Although the IG concluded that only the TeleTracking portion of the report contained inaccurate information, “the audit standards require that we scrap the entire report under the circumstances,” Gamble said.

Gamble also said there was no connection between The Post’s FOIA request being fulfilled and the rescission occurring on the same day.

“The two events are unrelated,” Gamble said. “HHS provided the information and documents to the Office of the Inspector General after the audit was completed. The revocation is based on analysis of that new information and interviews.”

Researchers say the newly discovered hack may have been the work of a government contractor

The hackers, dubbed Metador by researchers at SentinelOne’s SentinelLabs, targeted a Middle East telecommunications company and a journalist, Kim Zetter reports. But the campaign has left researchers speculating about who was behind it, with SentinelLabs senior manager Juan Andrés Guerrero-Saade suggesting it could be a contractor working for a government.

“As for who might be behind the activity, SentinelOne says there is not enough evidence to determine this,” Zetter wrote. “Based on some results in the code, it appears that some operators and developers speak English as their mother tongue, and others appear to speak Spanish. In addition, build times for some malicious components indicate that the developers may be based in the UTC+1 time zone. The latter includes many countries, but among them are the United Kingdom and Spain.”

Health apps share health concerns and identifiers with advertising companies

Popular Android health apps give advertisers the information they need to market to people based on their health concerns, Tatum Hunter and Jeremy B. Merrill report. Users have few protections for such digital data under the Health Insurance Portability and Accountability Act (HIPAA), and people agree to the apps’ practices when they accept their jargon-laden privacy policies.

Most data does not directly identify people, but some is shared using “identifiers,” which are strings of numbers associated with devices.

“But privacy experts say that submitting user IDs along with keywords from the content we visit opens consumers to unnecessary risk,” Tatum and Jeremy wrote. “Big data collectors, such as brokers or advertising companies, can aggregate a person’s behavior or fears using multiple pieces of information or identifiers. This means that ‘depression’ can become another data point that helps companies target or shape us.”

Jamal Khashoggi’s wife sues NSO Group over Pegasus spyware (The Guardian)

‘They’re Watching’: Inside Russia’s Extensive Surveillance State (The New York Times)

Cyberattack steals passenger data from Portuguese airline (Associated Press)

Chinese hackers suspected of targeting media and politicians in Tibet (Bloomberg News)

Proton CEO shuts down Indian VPN servers to protest cyber security rules (The Wall Street Journal)

Twitter reveals it wasn’t logging users out of accounts after password reset (TechCrunch)

Denver suburb won’t pay millions in ransomware attack that shut down City Hall (Denver Post)

As facial recognition reaches schools, Montana enters uncharted territory (Montana Public Radio)

New review will examine NSA’s ‘dual hat’ structure and cyber (The Record)

NSA shares guidance to help secure OT/ICS critical infrastructure (BleepingComputer)

Senators Wyden and Warren urge NTIA to protect ‘extremely sensitive’ domain registration information (The Record)

Convicted Twitter spy says US hid whistleblower report (Bloomberg News)

  • Microsoft chief information security officer Bret Arsenault discusses cloud innovation and security at a Washington Post Live event Wednesday at 9 a.m.
  • The House Science Committee holds a hearing on artificial intelligence on Thursday at 10:30 a.m.
  • The U.S. Naval Institute hosts an update on cyberthreats and disinformation on Thursday at 10:30 a.m.
  • Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), senior members of the House Energy and Commerce Committee, discuss privacy legislation at a Washington Post Live event Thursday at 11 a.m.

Thanks for reading. See you next week.
