Seattle healthcare provider facing lawsuit over exposure of 688,000 individuals’ PHI

Read More

The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency’s identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.

“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.

“Taxpayers will still have the option to verify their identity automatically through the use of biometric verification through ID.me’s self-assistance tool if they choose,” the IRS explained. “For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.”

In addition, the IRS said it planned to roll out Login.gov as an authentication tool for those seeking access to their tax records online. Login.gov is a single sign-on solution already used to access 200 websites run by 28 federal agencies.

“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov, with the goal of moving toward introducing this option after the 2022 filing deadline,” the agency wrote.

The IRS first announced its partnership with ID.me in November, but the press release received little public attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me.

That story went viral, and the ensuing media coverage forced the IRS to answer questions about why it was incentivizing the collection and storage of biometric data by a private company. On Feb. 7, the IRS announced its intention to transition away from requiring biometric data from taxpayers who wish to access their records at the agency’s website, but it left unanswered the question of what would happen with the facial recognition data already collected by ID.me on behalf of the IRS.

In a letter to the IRS this month, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements, saying login.gov is perfectly up to the task if given all of the resources and funding it deserves.

“Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity,” Wyden wrote. “The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Read More

Fast-growing companies more likely to have suffered ten or more cybersecurity breaches

Read More

Software development platform GitHub has made its Advisory Database open to community contributions allowing anyone to contribute insight and intelligence on security vulnerabilities to help improve software supply chain security. The full contents of the database will also now be published to a new, freely accessible public repository under Creative Commons license. Experts say data sharing of this kind is key to improving the security of software supply chains and addressing software-related risks.

Security community to benefit from free and open data

Millions of developers and companies use GitHub to build, ship and maintain software. By making its Advisory Database publicly open to community contributions, the firm said security researchers, academics and enthusiasts will be able to provide, share and benefit from additional information and context to further the community’s understanding and awareness of security advisories.

To read this article in full, please click here

Read More

Global logistics company shuts down operations systems following cyber-attack

Read More

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.”  On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”

Read More

Owners of Asustor NAS drives have woken up to discover that data they believed was safe and sound on their network storage devices has instead been encrypted by ransomware, and that cybercriminals are demanding over $1000.

Read more in my article on the Hot for Security blog.

Read More

The US National Cyber Director Chris Inglis wrote an essay outlining a new social contract for the cyber age:

The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each. Such a shift is momentous but not without precedent. From the Pure Food and Drug Act of 1906 to the Clean Air Act of 1963 and the public-private revolution in airline safety in the 1990s, the United States has made important adjustments following profound changes in the economy and technology.

A similarly innovative shift in the cyber-realm will likely require an intense process of development and iteration. Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense. Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Finally, both the public and private sectors must commit to moving toward true collaboration — contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.

The devil is in the details, of course, but he’s 100% right when he writes that the market cannot solve this: that the incentives are all wrong. While he never actually uses the word “regulation,” the future he postulates won’t be possible without it. Regulation is how society aligns market incentives with its own values. He also leaves out the NSA — whose effectiveness rests on all of these global insecurities — and the FBI, whose incessant push for encryption backdoors goes against his vision of increased cybersecurity. I’m not sure how he’s going to get them on board. Or the surveillance capitalists, for that matter. A lot of what he wants will require reining in that particular business model.

Good essay — worth reading in full.

Read More