This is your Shared Security Weekly Blaze for June 10th 2019 with your host, Tom Eston. In this week’s episode: the Quest Diagnostics and LabCorp Data Breach, what happens to your smart devices when the Internet goes down, and US visa applicants now required to share their social media names.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Everyone ready for news about yet another massive data breach? Well, last Monday Quest Diagnostics (which is the world’s largest blood testing company) disclosed that a data breach affecting 11.9 million customers was due to a website breach of a third-party collections vendor called American Medical Collection Agency (or AMCA). This breach in particular was a little different because Quest uses a contractor (Optum360) which in turn uses another contractor, AMCA, for medical billing and collections. According to the SEC filing, the AMCA payment system was compromised on August 1st 2018 and was vulnerable until March 30th of this year. Information compromised included names, birth dates, addresses, phone numbers, dates of service, medical providers, and balance information. To make matters worse, LabCorp (who also used AMCA) disclosed later in the week that 7.7 million of their patients were also affected by this breach. LabCorp also indicated that about 200,000 people had their credit card and bank account information compromised as well. The only good news out of all this is that medical data and laboratory test results were not compromised.
What this latest breach shows us is that companies like Quest Diagnostics routinely outsource functions like billing and collections to third-party companies. In this case it was a contractor of a contractor, but in many similar breaches we never know how far or how deep the rabbit hole may go with all these third-party relationships. Third-party security is very challenging for organizations, especially when there are multiple parties involved in processing and storing customer data. One thing is clear: I think we’ve all had enough of free credit monitoring for 24 months and of the “we take the security and privacy of your data seriously” type responses we always hear after every data breach. I know personally, I’d like to hear more statements like: we are doing the following things to make sure a breach like this doesn’t happen again. Perhaps it’s just a pipe dream, but for now I guess we continue to let the data breaches flow.
Last week Google had a major outage that affected YouTube, Gmail, G Suite, and several other services like Nest, which by the way is now a Google-owned company. While network outages are not that uncommon, in this case the outage caused Nest products to not function, which left many customers without any way to control thermostats, security cameras, and other Nest products like their smart door locks. Now most of these devices have manual overrides in the case of an Internet outage; that is, until they lose power or battery, and then you may be in trouble. It just depends on your device. For example, the Nest smart lock in particular has a way to use the key pad even if the battery is dead. This outage made me think that incidents like this may be a significant disadvantage of cloud-controlled products like Nest. We often only think of the convenience of products like these, but when the Internet or cloud infrastructure goes down, well, they all go back to the “dumb” devices that they were. And why would we ever go back to using an old-fashioned thermostat or door lock? This is crazy talk!
Potential privacy and security concerns with Internet of Things devices aside, think for a minute about all the smart devices in your home and what you would do if you lost Internet or there was a large network outage or even loss of power to your home. If you have smart devices being used for security, what will your plan be so that you can continue to use these devices?
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
If you’re from another country coming over to the US on a visa, surprise, surprise, but you’ll now need to share the social media names that you’ve used for the past five years in your visa application. Of course, you could choose not to share this information and just say that you don’t use social media, but according to the US State Department, it would be unwise to lie in your application as lying could present serious consequences. The purpose of this is to give the US government a way to identify potential terrorists, public safety threats, and other dangerous individuals and keep them from gaining access to the US. The way the process works is that visa applicants will have background checks completed against watchlists that are maintained by the US government. Future “improvements” to the visa application process may also require applicants to provide more extensive information about their travel history. Reports say that much of this new policy stems from the 2015 mass shooting that took place in San Bernardino, California, where Syed Farook killed 14 people. Farook’s wife, Tashfeen Malik, was found to have terrorist sympathies in her social media communications before she was granted a US visa. So what do you think? Is this a worthwhile effort to stop real terrorists from coming to the US, or will it end up causing more privacy problems and controversy for the US government?
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
*** This is a Security Bloggers Network syndicated blog from Shared Security Podcast authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2019/06/10/quest-diagnostics-data-breach-googles-network-outage-us-visa-applicants-and-social-media-names/