Author Archives: aglet

HIPAA Compliance and Mobile Devices

HHS Issued a Fine After a Stolen Phone Resulted in HIPAA Compliance Violations

HIPAA compliance violations represent a significant threat to patient privacy and to the financial security of healthcare institutions. Lost, stolen or hacked mobile devices may be a weak link in an organization’s HIPAA compliance efforts. Consequently, healthcare providers must take meaningful precautions to ensure all mobile devices are well secured and meet HIPAA compliance guidelines. As the following story from lexology.com indicates, failure to comply can be devastating.

‘On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS). This is HHS’ first resolution agreement and monetary penalty against a business associate (BA) under HIPAA.

CHCS provides management and IT services to nursing facilities as a BA. The alleged HIPAA violations arose from theft of a CHCS mobile device, compromising 412 nursing home residents’ protected health information (PHI). HHS’ investigation results indicate that CHCS failed to (1) conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic PHI, and (2) implement appropriate security measures to reduce such risks and vulnerabilities, in violation of HIPAA’s Security Rule.

Under the settlement, CHCS has agreed to pay HHS $650,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires CHCS to conduct an accurate and thorough security risk assessment; develop, maintain, and implement comprehensive security policies and procedures; educate its workforce on such policies and procedures and train them on security issues; report internal violations of its security policies and procedures to HHS; provide copies of its BA agreements to HHS; maintain compliance records for a period of 6 years; and submit annual compliance reports to HHS.

HHS continues to ramp up its HIPAA enforcement activities. This case is surely just the first of many enforcement actions against BAs, especially since HHS will start conducting its HIPAA compliance audits of select BAs this fall under Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program (previously discussed on Arent Fox’s Health Care Counsel blog here, here, and here). As a result, businesses that provide goods and services to covered entities (and to BAs) and may come into contact with PHI should carefully assess whether they are subject to HIPAA as a BA. If so, they should have a rigorous HIPAA compliance program in place.’

St. Louis is fortunate to have such a vibrant healthcare industry. To support HIPAA compliance, patient privacy and healthcare provider viability, Aglet Technology takes seriously the need to secure mobile devices for St. Louis area healthcare providers. For a consultation, or for assistance with compliance, please call 314-200-8995.

Mobile Payment Services and SMS Vulnerabilities

SMS Notifications May Present An Avenue For Hackers To Attack Mobile Payment Services

Mobile payment services such as Venmo and Square offer great convenience by letting us use our phones as wallets and plastic cards. Generally speaking the technology is secure, but it is not without vulnerabilities. As described in the article below from onthewire.io, short message service (SMS–text) notifications may be used by bad actors to send Venmo payments from a device that hasn’t been unlocked. As with all mobile technology, users should employ best practices to ensure their networks, devices and data are secure.

‘LAS VEGAS–Mobile payment services have become a popular choice for consumers, but security researchers have been finding plenty of vulnerabilities in them, and Venmo is the latest one to take a hit.

A researcher was able to uncover a number of weaknesses in the Venmo mobile payment system recently, some of which enabled him to steal money from users, regardless of whether their devices were locked or open. The vulnerabilities have to do with the way that the system handles SMS notifications, and, combined with Siri commands and other methods, the flaws allow an attacker to force a victim to make a payment through the Venmo app.

Venmo is a service owned by PayPal, and it allows users to send money to one another and also to make payments to outside services. One of the app’s features is that it allows one user to “charge” other users for something, which results in an SMS notification being sent to the person who was charged. When that occurs, the recipient can reply to the SMS with a six-digit code that was sent in the original message, which completes the payment.

Security researcher Martin Vigo, who uses Venmo, noticed the SMS notifications for charges and thought about the fact that he didn’t have to authenticate to the service before replying to the message authorizing the payment. So he began looking at the way that the app handled notifications and how he might be able to mess with that process through Siri.

“I remembered that you can use Siri to send SMS when your device is locked. It is worth noting that this feature is on by default and became especially popular when the ‘Hey Siri’ feature was added in iOS 9,” Vigo wrote in a post explaining the bugs.

“Now that we know we can send SMS on locked devices, we need the code present in the SMS in order to reply and make the payment. Apple introduced the ‘Text Message Preview’ which allows you to see in the lock screen who sent you a text and part of the content. This is also on by default. If we combine these two, I am able to see the SMS with the code and can reply using Siri. All this without unlocking the device. All this out of the box.”

The SMS notification is not enabled by default in Venmo, Vigo said, so he tried to find a method to turn it on. It didn’t take long before he noticed that each SMS response from Venmo included a line that told him to text the command “STOP” to disable notifications. If that worked, why not try sending the command “START” to turn them on?

“You can activate the SMS notification service by sending an SMS to 86753 with the word ‘Start’. 86753 is a short code number owned by Venmo and used for all the SMS notifications. Now, I am able to activate Venmo’s SMS notification service, ask Siri to tell me the secret code and reply to make the payment. All that without unlocking the device!” he wrote.

In an email, Vigo said users might notice an email from Venmo about a payment, but by then the attack has already succeeded.

“When it comes to the Siri attack, the victim will usually receive an email that a payment was made. By then it is already too late though,” he wrote.

The attack that Vigo devised isn’t entirely reliant on issues with Venmo’s app. Some of the problems have to do with the way that iPhones display texts and how Siri handles voice commands. An iPhone will display several lines of an incoming text message on the lock screen, which can include the short code that Venmo, or many other apps, send to users.

Vigo said that with the payment limits set up in Venmo an attacker could steal nearly $3,000 a day with his attack before it was patched. Vigo reported the flaws to Venmo in June and the company deployed fixes for them by mid-July.

Vigo also discovered a method that could possibly allow him to send the same payment request to as many as a million Venmo users at the same time.

“These attacks are theoretical and I did not try them. Venmo payments are known to be monitored and the last thing I want is someone knocking at my door asking why so many people owe me money,” Vigo said.

The methods Vigo described need physical access to the device, but he also found a way to exploit the bugs by brute-forcing the short code Venmo sends to users. He charged his own account, for the short code, and then began to reply with incorrect codes. Rather than canceling the payment, Venmo sent him a message saying he would have to wait to try again.

“Anyway, the point is, after 5 tries I had to wait about 5 minutes till I could try another 5 times. The codes are six digits long so we have 1 million possibilities and we can try 5 codes every 5 minutes. Do the math. Possible but not feasible,” Vigo said.’
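Here is an added illustration of the retry-limit point Vigo makes above. It is our own example code, not Venmo’s and not from the article; the class and function names (`PendingCharge`, `verify_reply`, `replay_guesses` and so on) are made up for the purpose. It puts the two policies side by side: the one the article describes, where five wrong replies only earn a five-minute wait while the code stays valid, and a hardened one where the pending charge is voided after a few wrong replies, so a single code can never be swept no matter how long the sender is willing to wait.

```python
"""Confirmation-code handling for an SMS-authorized charge.

Added example, not Venmo's code or the article's. Class and function
names are hypothetical. It contrasts the retry policy the article
describes (wrong replies only trigger a cooldown, the code stays valid)
with a policy that voids the pending charge after a few wrong replies.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6
KEYSPACE = 10 ** CODE_DIGITS  # six digits -> 1,000,000 possible codes


def new_code() -> str:
    """Zero-padded confirmation code drawn from a CSPRNG, not random.randint."""
    return f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"


@dataclass
class PendingCharge:
    amount_cents: int
    code: str = field(default_factory=new_code)
    failures: int = 0
    state: str = "pending"  # pending | paid | voided


def verify_reply(charge: PendingCharge, reply: str, max_failures: int = 3) -> str:
    """Apply one SMS reply to a pending charge and return the resulting state.

    hmac.compare_digest keeps the comparison constant-time. Voiding the
    charge once the failure budget is spent means one charge never yields
    more than max_failures guesses, however patient the sender is.
    """
    if charge.state != "pending":  # paid or voided charges accept nothing
        return charge.state
    if hmac.compare_digest(reply.strip().encode(), charge.code.encode()):
        charge.state = "paid"
    else:
        charge.failures += 1
        if charge.failures >= max_failures:
            charge.state = "voided"
    return charge.state


def replay_guesses(charge: PendingCharge, guesses) -> tuple[str, int]:
    """Feed replies until the charge leaves 'pending'; return (state, replies used)."""
    tries = 0
    for guess in guesses:
        tries += 1
        if verify_reply(charge, guess) != "pending":
            break
    return charge.state, tries


def throttle_only_worst_case_s(tries_per_window: int, window_s: int,
                               keyspace: int = KEYSPACE) -> float:
    """Seconds to sweep the whole keyspace when wrong replies only start a
    cooldown and the code stays valid: the article's 5 tries per 5 minutes."""
    return keyspace / tries_per_window * window_s


def success_probability_per_charge(max_failures: int, keyspace: int = KEYSPACE) -> float:
    """Chance of guessing the code before a void-on-limit charge is cancelled."""
    return max_failures / keyspace


if __name__ == "__main__":
    charge = PendingCharge(amount_cents=2500)
    state, tries = replay_guesses(charge, (f"{i:06d}" for i in range(KEYSPACE)))
    print(f"void-on-limit policy: charge {state} after {tries} replies")
    days = throttle_only_worst_case_s(5, 300) / 86400
    print(f"throttle-only policy: a full sweep of {KEYSPACE:,} codes takes up to {days:.0f} days")
```

Under the throttle-only policy a full sweep is roughly 694 days, which is why Vigo calls it “possible but not feasible”; under the void-on-limit policy each charge gives at most three guesses (a 3-in-a-million chance). The trade-off is that voiding pushes the attacker toward issuing fresh charges, so the service also has to limit how many charges one account can raise against another, and every new charge produces a new SMS the victim can see.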

If you or your business use mobile payment services, be sure to secure your devices and follow best practices for protecting devices and data. Aglet Technology specializes in mobile device management in the St. Louis area. Call for a consultation.

Mobile Threats–Businesses Remain Complacent

A New Study Suggests Most Businesses Fail to Secure Themselves Against Mobile Threats

Mobile threats to networks, devices and data abound; stories of hacked databases and breached email accounts appear frequently in the news. Companies may be liable for actual losses suffered by customers and may never recover from the damage to their reputation. Failing to follow best practices and enforce security policies leaves the enterprise more vulnerable to a variety of mobile threats. As the summary below from ComputerWeekly outlines, when businesses fail to secure their systems, hackers can reuse older techniques that have produced successful breaches in the past.

‘Businesses must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps, according to MobileIron’s latest mobile security and risk review.

Enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, a report has revealed.

Only 8% of companies are enforcing operating system updates and less than 5% are using app reputation or mobile threat detection software, according to the Mobile Security and Risk Review for Q2 2016 by security firm MobileIron.

This is despite the fact that several new mobile attacks have emerged that threaten enterprises with the loss of both personal and business data.

However, the report says most mobile attacks are re-using old tactics against mobile-specific services, such as SideStepper’s use of man in the middle (MitM) attacks against mobile device management (MDM) services rather than employing new techniques or exploiting new vulnerabilities.

“The velocity of mobile attacks is increasing, but the latest data shows that enterprises are still not doing the things they could be to protect themselves,” said James Plouffe, lead architect at MobileIron.

“This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available,” he added.

The following mobile attacks have either emerged or worsened in the past six months:

  • Android GMBot: This spyware remotely controls infected devices to trick victims into providing their bank credentials.
  • AceDeceiver iOS malware: This is designed to steal a person’s Apple ID.
  • SideStepper iOS “vulnerability”: This technique was discovered to intercept and manipulate traffic between an MDM server and a managed device.
  • High-severity OpenSSL issues: These vulnerabilities can potentially affect large numbers of applications and services, which could ultimately jeopardise enterprise data-in-motion.
  • Marcher Android malware: This has evolved to mimic bank web pages that trick users into entering their login information through e-commerce websites.

Despite these new and emerging mobile threats, mobile security practices remain largely unchanged, the report said.

Precursor to a breach

Security incidents are often the precursor to a breach, the report said, because they leave a device or app vulnerable, which can put enterprise data at risk.

The second quarter of 2016 saw a number of trends in employee compliance incidents and enterprise security practices, including:

  • Missing devices: 40% of companies had missing devices, up from 33% in Q4 2015.
  • Out-of-date policies: 27% of companies had out-of-date policies, up from 20% in Q4 2015.
  • Enforcing OS updates: 8% of companies were enforcing OS updates, which was comparable to Q4 2015.
  • App reputation software: Less than 5% of companies deployed app reputation software, which was comparable to Q4 2015.

However, UK businesses were found to have the fewest devices out of compliance – 39% compared with the global average of 50%. UK businesses also had the fewest compromised devices – 4% compared with the global average of 9%. And the UK had the fewest companies that reported staff removing MDM software – 17% compared with the global average of 26%.

The top 10 consumer unmanaged apps most often blacklisted by enterprises changed from Q4 2015 to Q2 2016, with the addition of Line and Evernote.

The top 10 consumer unmanaged apps most often blacklisted in Q2 2016 include:

  • Dropbox
  • Facebook
  • Angry Birds
  • Skype
  • Line
  • Box
  • OneDrive
  • Google Drive
  • Twitter
  • Evernote

“When an unmanaged app that can potentially access corporate data or bypass corporate security measures achieves broad consumer adoption, IT departments look to blacklist it because they can’t protect corporate data in an app they don’t manage,” said Plouffe.

Top third-party apps

There were also changes in the top third-party (managed) apps most often deployed by enterprises, with new entrants including Accellion, Acronis Access, Breezy, PocketCloud and Roambi Analytics.

Goodreader, Google Docs, Microsoft Office Suite, Skype for Business and Xora Mobile Worker dropped off the top 10 list.

Top third-party apps that were most often deployed by enterprises in Q2 2016 included:

  • Salesforce
  • QuickOffice
  • Evernote
  • Breezy
  • Cisco AnyConnect
  • Accellion
  • GoodReader
  • Cisco Webex
  • Box
  • Roambi Analytics

Government organisations are known for having some of the most stringent security requirements. Paradoxically, the report said, extensive approval processes make it difficult for these organisations to keep pace with change, which can make them more vulnerable.

Globally, government organisations are less prepared to deal with security incidents than the global average:

  • 61% of government organisations have at least one non-compliant device, compared with the global average of 53%.
  • 48% of government organisations have missing devices, compared to the global average of 40%.
  • 34% of government organisations have devices operating under outdated policies, compared to the global average of 27%.

The share of iOS devices grew from 78% in Q4 2015 to 81% in Q2 2016. The share of Android devices remained flat at 18% over the same period. In the UK, 83% of mobiles covered in the report were running iOS, compared with 16% running Android.

The report concluded by recommending that organisations protect everything and enforce mobile security.

Enterprises typically manage only a fraction of mobile devices through enterprise mobility management (EMM), the report said, pointing out that every unmanaged device is an opportunity for attackers to steal company data.

“IT must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps,” the report said.

Gaining user trust is the first step to maintaining EMM controls on mobile devices, but IT should not put enterprise security exclusively in the hands of users, the report said.

According to MobileIron, employees should not be allowed to remove EMM security controls without IT’s approval.

“Moving forward, IT should consider deploying all corporate-liable devices using the Apple Device Enrollment Program (DEP), Samsung KNOX or Android for Work Device Owner to prevent users from deleting or sidestepping corporate security policies on these devices.”

The report is based on aggregated, anonymous usage data shared by MobileIron customers that was compiled between 1 April and 30 June 2016.’

Security is an essential part of business management, but it isn’t the reason most businesses exist. Aglet Technology is St. Louis’ first company dedicated exclusively to mobile device management. We will help mitigate mobile threats so you can focus on what you do.

Wearables, Devices and Cybersecurity: New Regulations and Potential Liability

The Vulnerability of Healthcare Information

According to a report the Brookings Institution issued in May 2016, 23% of all data breaches occur in the healthcare industry. Nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the industry $6.2 billion.

Why is healthcare data so vulnerable? Because it is so valuable. It contains a wide range of identifying information, including social security numbers, birthdates and home addresses. Unlike credit card information, much of this information is constant and can’t be changed. In addition, it’s information that’s kept across a number of years and increasingly shared across different entities.

Legal Mandates to Address Security Issues

There are a number of legal mandates in place to address the security issues around healthcare information. The first and probably best known is the Health Insurance Portability and Accountability Act (HIPAA), which established national standards for protecting electronic health information. In addition, we have the Health Information Technology Certification Program, administered by the Office of the National Coordinator for Health Information Technology (ONC), that allows health IT projects to be certified based on standards adopted via regulation by the Department of Health and Human Services (HHS). Finally, there is the Food and Drug Administration’s (FDA) premarket review and approval process for medical devices, which focuses on medical device cybersecurity.

It’s important to recognize that the existing mandatory guidance is limited. Supplementing the mandatory guidance is a fair amount of nonmandatory guidance relating specifically to wearables, mobile apps and connected medical devices. For example, in October 2015, the Office of Civil Rights (OCR)—which is the office that oversees HIPAA—released an in-house mHealth Developer Portal, a community-based portal that lets developers post HIPAA-related questions. In February 2016, the OCR published informal guidance clarifying when mobile apps are subject to HIPAA. In addition, in April 2016, the Federal Trade Commission (FTC) released a set of Web-based interactive tools to help mobile app developers navigate current laws and regulations.

Despite the legal framework the existing guidance has established, there are still many questions around the legal requirements that apply to wearables and mobile devices. For example, when and how does HIPAA apply to mobile apps? Is an app that lets patients communicate with their healthcare providers covered by HIPAA, if the provider didn’t recommend the app? The answers aren’t always clear. This is an evolving area, with a lot more guidance likely to come going forward.

Cybersecurity Risks of Connected Medical Devices

Connected medical devices are devices that transmit information to and from the Internet, hospital IT systems or each other. For example, a heart monitor that connects to an electronic health record or an infusion pump with remote dosage controls would be classified as a connected medical device.

Connected medical devices face a number of cybersecurity pitfalls. While electronic health records are certified, other types of medical software products tend not to be, leaving them vulnerable to hacking. While there have been no reports of injury or death resulting from hacking into connected medical devices, the threat is definitely real.

Connected medical devices also can pose HIPAA challenges. HIPAA applies to protected health information (PHI) regardless of where it’s stored. Therefore, when a medical device is disposed of, it needs to be wiped or destroyed to eliminate the possibility of disclosing PHI. While healthcare providers are very focused on ensuring that they wipe PHI from computers, they are not always as vigilant about PHI stored on medical devices.

Exacerbating the security risk is the fact that medical devices purchased by hospitals do not come with security updates. As we grow increasingly interconnected, healthcare organizations need to start including requirements for securability over the lifetime of a device in their procurement specifications, to mitigate some of these risks.

Connected Medical Devices and Recent Regulatory Actions

Over the last few years, we’ve witnessed an explosion of attention around the cybersecurity risks that connected medical devices can pose and the resulting threat to patient safety. There have been increasing research, regulatory guidance, warnings and speculation about the ability of hackers to take control of medical systems to hurt or kill patients. While there have been no actual cases of injuries or deaths caused by hacking, it looms as a frightening possibility.

A 2012 episode of the television program Homeland featured a character hacking into the pacemaker of the fictional vice president. When interviewed about the episode, former vice president Dick Cheney revealed that toward the end of his administration’s second term, the Secret Service recommended that his doctors disable the wireless capabilities in his own pacemaker because of the potential threat to his safety.

The private sector has started to pay attention to the possible serious risks of medical device hackers. In 2013, the Mayo Clinic engaged some of the most high-profile, sought-after “white hat” hackers to conduct a study of medical devices. “White hat” hackers are hackers hired by private companies to attempt to hack into their own devices, so that the companies can identify their cybersecurity vulnerabilities.

The “white hat” hackers worked on about 40 different medical devices, including cardiac monitors, infusion pumps and even hospital beds, which sometimes connect to hospital networks and other electronic networks. The final report showed that, in a significant number of cases, the hackers could defeat the security on the devices and gain some form of control. The most alarming finding was that one of the hackers was able to gain control of a particular brand of infusion pump and remotely cause it to deliver a potentially lethal dose of medication. Again, that is not something that’s been reported to have ever actually happened, but having discovered that he could do it, the hacker reported his result to Homeland Security.

In 2014, the press revealed that Homeland Security was engaged in its own study of various medical device vulnerabilities through its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. In July 2015, Homeland Security, working in collaboration with the FDA, became concerned about the particular infusion pump that the hacker had identified. After a series of warnings and communications with the manufacturer and, in turn, with hospitals and providers, the FDA eventually recommended a recall and stopped usage of that particular infusion pump. Again, nothing actually happened—but the threat was real enough for the FDA to stop the use of that brand of device.

The increasing concerns around cybersecurity have resulted in largely nonbinding guidance and recommendations. For example, the FDA now reviews cybersecurity issues for medical devices as part of the premarket submissions it receives—whether for premarket approval applications or, more commonly, 510(k) applications for new versions of devices that are currently on the market.

Although the guidance the FDA has issued is nonbinding, it instructs device manufacturers on what information about their cybersecurity measures they need to include with their premarket submissions. The FDA is asking manufacturers to ensure their submissions identify any potential threats, quantify those threats and define what mitigation steps they’re planning to implement.

In January 2016, the FDA issued more interesting and more ambitious postmarket guidance. The guidance asks medical device manufacturers to identify cybersecurity threats in the same way that they identify the efficacy and risk issues of their devices in the postmarket setting. The FDA is requesting that manufacturers ensure the quality audits that current regulations require include cybersecurity issues and reporting of problems and complaints to the FDA.

Although this is nonbinding guidance, it includes a promise by the FDA that it will not enforce certain reporting requirements for device manufacturers that participate in an information exchange through the National Health Information Sharing & Analysis Center, or the NH-ISAC. The NH-ISAC is an information exchange portal that allows device manufacturers and others to share information in a forum that is actually privileged by statute to a certain degree. The FDA has stated in its guidance that it strongly recommends that companies participate in information exchange portals.

Congressional Prospects

There have been some congressional actions to address mounting concerns around cybersecurity risks. California Senator Barbara Boxer sent a letter to leading medical device manufacturers expressing her concerns about cybersecurity vulnerabilities and asking them to describe the steps they’re taking to address the threat of cybersecurity vulnerabilities.

There are also several pieces of legislation in front of Congress right now, including the TRUST IT Act, which would basically set up a star ratings program for federally certified electronic health records (EHRs). Other legislation includes:

  • The Cybersecurity Disclosure Act, which would direct the SEC to require public companies to disclose whether they have any cybersecurity experts on their boards.
  • The HHS Data Protection Act, with bipartisan support, that creates a separate office for the HHS Chief Information Security Officer (CISO).

Conclusion

In the end, the question remains whether more enforcement is the right approach. The Brookings Institution released a report saying that helping healthcare organizations prevent cyberattacks, instead of punishing those affected by them, would be a much more effective approach. The bottom line is that this is a rapidly evolving area, so it will be critical to stay tuned.

http://www.lexology.com/library/detail.aspx?g=2146460e-2f6b-4e2b-ab28-97e7c98d8a29

Data Breach Exposes 1.6 Million Accounts from Clash of Kings Forum

The official forum of Clash of Kings, the popular mobile game, was breached, and the hacker stole nearly 1.6 million accounts. The stolen data included usernames, email addresses, IP addresses, device identifiers, Facebook data and tokens. Fortunately, user passwords were protected, as they were hashed and salted.

On July 14, the attacker exploited a weakness in the forum’s security software to steal the information. The company was using a 2013 version of vBulletin, which is vulnerable to a number of well-documented security flaws.

After stealing the information, the hacker notified LeakedSource, a website which allows users to search for their login credentials to see if they’ve been hacked. A LeakedSource member told ZDNet that the hacker was looking for websites running out-of-date forum software, and Clash of Kings was the largest site listed.

“At this point, any unpatched vBulletin 4 forum with over 100,000 users is probably hacked,” the LeakedSource member told ZDNet.

Clash of Kings is one of the most popular mobile games on the market. There have been over 100 million installs on Android devices alone.

HHS Penalizes Philadelphia Healthcare Organization For HIPAA Violation

Catholic Health Care Services of the Archdiocese of Philadelphia agrees to pay $650,000 fine over 2014 data breach.

Organizations that provide services to entities handling personal health information and health records—like doctors’ offices and hospitals—have for some time been required to comply with the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).

But thus far, the Office of Civil Rights (OCR) at the US Department of Health and Human Services, which is responsible for administering the rules, has taken few steps to enforce HIPAA.

That may finally be changing.

The OCR recently reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) over the 2014 theft of a mobile device containing unencrypted protected health data on over 400 patients at a nursing home.

The settlement requires CHCS to pay a $650,000 fine and adopt a corrective action plan to protect against something similar happening again. The plan calls on CHCS to implement formal risk analysis and risk management procedures and to develop and maintain a written security policy covering topics like data encryption, password management, incident response, device control, log-in monitoring, and disaster recovery.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said Jocelyn Samuels, director of the OCR in a statement announcing the settlement.

CHCS provides living services like housing, care management, and in-support programs for seniors in the Philadelphia area. It is the first business associate—or organization that provides services to HIPAA-covered entities—to face enforcement action for a security violation under the statute.

Odia Kagan, an attorney with the law firm Ballard Spahr LLP in Philadelphia, says the OCR enforcement action highlights the need for business associates to properly address how they handle protected health information (PHI) under HIPAA.

“They should conduct periodic risk assessments to ascertain the vulnerabilities to PHI going through their systems, both externally and internally,” Kagan says. In addition they should make sure to implement written policies and procedures for protecting the confidentiality, integrity, and availability of PHI in their systems, she says.

Going forward, business associates should expect more such audits and enforcement action from the OCR — and it won’t always take a breach to initiate one, Kagan cautions.

The OCR recently launched Phase 2 of its HIPAA audit program and it has already sent out emails to some 167 covered entities notifying them of being selected for a formal desk audit, she says. The desk audits will focus on how well the covered entities have complied with requirements like making privacy notices available to patients, the access they provide to PHI, the timeliness and content of their breach notifications, and whether they conduct periodic audits of business associate compliance.

According to the OCR, the second phase of its HIPAA audit program scheduled for later this year will involve not only covered entities but also their business partners, Kagan says.

Such developments should encourage business associates to pay attention not just to the prospect of an audit but also to the likely outcome of one. “If business associates adequately prepare by taking the right steps to protect PHI, they would be well positioned to do well in an audit, even if one does occur,” she says.

http://www.darkreading.com/risk/compliance/hhs-penalizes-philadelphia-healthcare-organization-for-hipaa-violation/d/d-id/1326417

IoT hidden security risks: How businesses and telecommuters can protect themselves

There are a plethora of IoT-connected devices that create a huge security risk for companies, whether at the corporate office, or at an employee’s home office.

The security of IoT devices is a growing area of concern for the enterprise as newly introduced machines are creating novel ways for cybercriminals to hack into networks. While companies know to protect against common methods of attacks, the Internet of Things has created a whole new world of connected devices that put a company at risk.

Even the IoT-connected vending machine in the corporate kitchen can be the backdoor entryway for cybercriminals to hack into the company’s network.

“The Coke machine isn’t something that the IT department would know to patch or look at security vulnerabilities or what it is. That’s the world we’re facing with IoT devices. You have the same framework for addressing security vulnerabilities that are tied to your desktop or your mobile devices, but how does that tie to innocuous devices where you don’t have that same relationship or same expectation,” said Kendall Burman, an attorney on Mayer Brown’s cybersecurity and data privacy team.

IoT security expert Dave Palmer, director of technology for Darktrace, said: “Modern businesses are digital hives of connected objects that all too often lack adequate security, providing attractive gateways for cyber attackers. That could be anything from a printer or a thermostat connected to the corporate network, through to a connected coffee machine or iWatch. These devices are part of the modern tech scene today, but they are relatively unprotected and vulnerable to new threats, such as ransomware.”


To determine the risks, and what companies can do, TechRepublic conducted a roundtable where security experts discussed the risks of connected devices, and what companies and individuals can do to protect themselves at work and at home. Participants included: Lorie Wigle, general manager of IoT security solutions, Intel Security; Steve Durbin, managing director at the Information Security Forum; George Japak, managing director of ICSA Labs; Marie White, CEO and president at Security Mentor; Mike Weber, vice president of Coalfire Labs; Dodi Glenn, vice president of cybersecurity for PC Pitstop; Reiner Kappenberger, global product manager, HPE Security—data security at Hewlett Packard Enterprise.

Which IoT devices are a threat to security for businesses?

Reiner Kappenberger: Any connected device or application provides an attack vector for adversaries to potentially capitalize. According to an HPE Internet of Things Research Study, 60% of IoT devices tested raised security concerns with their user interfaces. These included a range of issues such as persistent XSS and weak credentials.

Lorie Wigle: Everything from printers, cell phones, tablets, USB drives and wearable fitness devices, to industrial controls, smart building technology and the multitude of other internet-enabled devices connecting to a company’s network can be a threat if the proper precautions are not in place. Securing the IoT is a complex topic, especially so for business and when it comes to employees bringing their own devices into a corporate environment, but with proactive protection in place and prescriptive education for employees who use mobile devices at work, whether they are company-issued or personal devices, businesses can establish a strong security posture to minimize the risks posed by the ever-growing Internet of Things.

Steve Durbin: The billions of devices that comprise the Internet of Things (IoT) are collecting a wide variety of data from users, who most likely are unaware that it is happening, where the data is being stored, or who has access to it. These devices may be ineffectively protected—exposing critical infrastructure, including industrial control and financial systems, to attack.

Any physical object with an embedded operating system and with a virtual presence that interacts and exchanges contextual cloud-based information with a business is a potential threat to a business. Security is the number one barrier to IoT adoption and when you look at the number of IoT devices out in the environment now, it’s easy to see why. Everything from Wi-Fi sensors on manufacturing and production equipment to your smart coffee machine come with the possibility of being compromised, and offer a backdoor for attackers into the enterprise.

George Japak: In the past, internet connected devices were not considered smart and, as such, many organizations did not consider them a high priority to safeguard. However, this thinking is flawed since any device connected to the internet requires protecting. Experts estimate the number of connected devices will grow to more than 5 billion by 2020. Many of these IoT devices are being developed by companies that do not have experience securing devices on the internet, which can lead to privacy leaks and security breaches. Any of these devices can cause problems.

With the vast number of IoT devices, remembering the weakest link is crucial. Even the best laid security plans can fail if they are not properly considered as a part of the overall risk framework. Data breaches are a real threat. Those introducing these devices to their organizations need to understand their agreements carefully. Agreements on where the data goes and what rights are inadvertently given to which entity need to be clear.

Marie White: Anything that connects to a work network, whether Wi-Fi enabled or wired, can be a potential IoT threat to businesses. This can include new versions of more traditional items, such as printer/scanner/fax that gets upgraded with Wi-Fi capabilities that are not properly protected. Also, office or parking lot security cameras may not be properly protected—enabling outsiders to gain access or to remotely monitor activities. As new kitchen products start to be connected, they can become backdoors into company networks or home data. This can include everything from refrigerators to microwave ovens to coffee pots. Even an office TV with Wi-Fi capability and cameras in the break room could be hacked, if precautions are not taken. IoT devices such as smartwatches present an avenue for a hacker or malicious insider to infect a corporate network, or be used as monitoring devices.


Are there IoT devices that are a threat to people who have home offices or telecommute?

Kappenberger: IoT devices that embed security in from the start are not a threat, but consumers need to think about how their personal IoT devices connect to other things. Consumer electronic devices such as smart appliances or home thermostats are now able to connect to the internet via a wireless router, one of the most insecure devices on the internet. The IoT devices themselves were not designed with data security in mind. Most devices do not require a password, or have a minimum default password. For example, 80% of IoT devices failed to require passwords of sufficient complexity and length, and 70% did not encrypt communications to the internet and local network, according to an HPE Internet of Things Research Study. However, consumers are not made aware they need to change passwords or go over security settings for their devices. This creates gaps in protection, and allows potential attackers to infiltrate and steal the data as it is in motion, as well as access wider systems connected to the insecure device or router.

Wigle: The same devices that pose a threat to businesses in the corporate office, can be threats outside of the office at employees’ homes, coffee shops or when traveling, and there are likely fewer security controls in place. For businesses, the key to mitigating risks when employees connect for work outside of the workplace is to enforce secure Wi-Fi connections, strong passwords, VPN use and encryption.

How are these IoT devices a threat to the enterprise and employees with home offices?

Kappenberger: Companies need to think about securing the data and the device itself. Many organizations take an approach of securing the back-end of the IoT infrastructure that is running in the data center, but not the IoT device itself, or the application that remotely manages the device. Security should actually be treated by those vendors as being as important as functionality. The risks that IoT brings are not only the significant risks of data breaches, but now the expanded risks of physical security and safety of the IoT device user. This is a very important aspect of development which IoT vendors need to keep in mind.

For example, people that use IoT devices to monitor their home for intrusion might find that those systems actually enable a burglar to gain access to their home, or the device could be made to believe that there is no intrusion happening. Even scarier are cases when an intrusion into an IoT device could be used to physically attack a person. An attacker gaining illegal access to an oven or HVAC system that is connected through the internet could potentially switch on the gas valve without starting the igniter. This could cause serious problems, and it is yet unclear if this attack vector could be identified, or the situation declared a malfunction of the device instead of a homicide.

Wigle: Any device that connects to a business network or is used to access business data brings with it risk because of the valuable data that can be accessed through that device. Such devices capture everything from our conversations, to our videos, health information, activities, location, interests and more, while also tracking and accessing customer and employee data, proprietary information, and company financials. Cybercriminals see that data as immensely worthwhile, making connected devices a rich target for attack.

Durbin: The data that individuals store on their fully-connected, mobile devices already makes them attractive targets for hackers and cyber criminals. At the same time the amount of applications people download to their personal and work devices continues to grow. The applications access more information than necessary. At worst, applications can be infected with malware that steals the user’s information. This will only worsen as hackers and malware providers switch their attention to the hyper-connected landscape of mobile devices.

The problem with business commuters is that they are not just connecting to the workplace and aren’t accessing company data from home; they are likely to do it from anywhere there’s a Wi-Fi hot spot, which are not secure enough to protect corporate data and designed for convenience not security. In that, more and more automakers are offering Wi-Fi in their vehicles, commuters will use them to connect their network-enabled smartphones, tablets, and other devices that are also connected to business servers. This has the potential for even greater telecommuting threats, but we will wait and see.

Mike Weber: Generally speaking, there is a lack of awareness of the attack surface that the IoT systems present and a lack of due care in consumer deployments. Accordingly, in a home environment where cellular connectivity is not a requirement, the existing wireless infrastructure would be leveraged to provide connectivity for these devices. The majority of home users will not go to any lengths to secure the environment through network segmentation to keep these devices segregated from their other systems, and end up introducing these systems of unknown security pedigree onto the same WLAN. If compromised, these devices could be used as a pivot point to attack other systems.

What can business do to protect themselves?

Kappenberger: When developing and implementing IoT applications, it is critical that organizations build security testing into the development process instead of making it an afterthought. While everyone wants to be quick to market and save on costs, security should be treated as being just as important as functionality.

Businesses should apply an end-to-end, data-centric security approach throughout the IoT infrastructure. Organizations should encrypt not only the communications, but also commands and values, on a field level, going from the device to the infrastructure and remote control element. This removes risk (even if an attacker is able to impersonate the infrastructure) and enables maximum protection against remote takeover of an IoT device—the biggest threat to IoT security.
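The field-level, end-to-end protection Kappenberger describes, as an added example that is not part of the TechRepublic roundtable: each command field sent from the remote-control element to the device is sealed with AES-256-GCM under a per-device key, with the device ID, field name and a monotonic sequence number bound in as associated data, so a forged, relocated, tampered or replayed command is rejected by the device itself even if the infrastructure in between is impersonated. The device key, field names and sequence-number handling are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedField is one protected field of a command message.
type EncryptedField struct {
	Name  string
	Seq   uint64 // monotonic per device; the device refuses anything not newer
	Nonce []byte // 12-byte GCM nonce, fresh for every seal
	Data  []byte // ciphertext followed by the GCM authentication tag
}

// aad binds the ciphertext to its context so a valid field cannot be moved
// to another device, renamed, or replayed. Device IDs and field names are
// assumed not to contain the "|" separator.
func aad(deviceID, field string, seq uint64) []byte {
	ctx := []byte(deviceID + "|" + field + "|")
	seqBytes := make([]byte, 8)
	binary.BigEndian.PutUint64(seqBytes, seq)
	return append(ctx, seqBytes...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts and authenticates one command field under the device key.
func SealField(key []byte, deviceID, field string, seq uint64, value []byte) (EncryptedField, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedField{}, err
	}
	ct := gcm.Seal(nil, nonce, value, aad(deviceID, field, seq))
	return EncryptedField{Name: field, Seq: seq, Nonce: nonce, Data: ct}, nil
}

// Device models the receiving side: it remembers the last sequence number
// it accepted and only advances it after a successful authentication.
type Device struct {
	ID      string
	key     []byte
	lastSeq uint64
}

var ErrReplay = errors.New("rejected: sequence number not newer than last accepted")

// OpenField authenticates and decrypts one field. A tampered ciphertext,
// a wrong device ID, a renamed field or a replayed sequence number all fail.
func (d *Device) OpenField(f EncryptedField) ([]byte, error) {
	if f.Seq <= d.lastSeq {
		return nil, ErrReplay
	}
	gcm, err := newGCM(d.key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Data, aad(d.ID, f.Name, f.Seq))
	if err != nil {
		return nil, fmt.Errorf("rejected: %w", err) // GCM tag check failed
	}
	d.lastSeq = f.Seq
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; provision a unique key per device in practice
	dev := &Device{ID: "thermostat-0017", key: key}

	f, _ := SealField(key, dev.ID, "setpoint_celsius", 1, []byte("21.5"))
	v, err := dev.OpenField(f)
	fmt.Printf("field %q seq %d -> %q err=%v\n", f.Name, f.Seq, v, err)

	// Flip a ciphertext byte; the sequence is bumped past the replay check
	// so that it is the GCM tag, not the counter, that rejects it.
	bad := f
	bad.Data = append([]byte(nil), f.Data...)
	bad.Data[0] ^= 0xff
	bad.Seq = 2
	_, err = dev.OpenField(bad)
	fmt.Println("tampered:", err)

	// Replaying the original, still valid, field is rejected by the counter.
	_, err = dev.OpenField(f)
	fmt.Println("replayed:", err)
}
```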

Wigle: Internet-enabled devices create more meaningful and easier work experiences, and we expect to see more and more connected devices being used in the workplace. The key with IoT is to ensure that data is consistently secured from the edge to the data center, with a particular focus on privacy-related data.

Businesses need to formally educate their employees on the risks of bringing their own devices to work and of using their personal devices to access company-owned information. Additionally, they have to reinforce with employees the importance of only connecting to safe and protected Wi-Fi networks, as well as to make sure the security software is installed, up-to-date, and active on any devices that are connected to the company network, or being used to access company data. Businesses should also create a policy around devices in the workplace that defines the following:

  • Who is eligible to Bring Your Own Device (BYOD)
  • Which devices are allowed
  • Which websites or cloud services employees can access for business purposes
  • Whitelists and blacklists of apps that employees can use
  • Consequences of not following policy

Further, companies need to implement the complete threat defense lifecycle for their enterprises—measures to protect, detect, and correct. Company-owned IoT devices should be selected that implement solid security, particularly if they’re connected to the network. IoT devices should implement secure boot, have robust hardware-based identity for authentication, and take advantage of whitelisting to prevent running malicious code. And, of course, protect data via encryption.

Durbin: IoT holds the potential to empower and advance each and every individual and business. However, the security threats are broad and potentially devastating. Organizations must ensure that technology for both off-site and on-site employees adhere to the highest of standards for safety and security. While IoT is still in its early stages, organizations have a chance to build in new approaches to security if they start preparing now. Security teams should take the initiative to research security best practices to secure these emerging devices, and be prepared to update their security policies as even more interconnected devices make their way onto enterprise networks.

Many telecommuting programs focus on productivity and corporate culture with simple networking kits or bundles that are given to employees, and allow them to connect their devices for remote access. However, part of the culture must include security protocols and training that place remote employees under the same strict cybersecurity controls as on-site employees. Remote employees are best working under a security policy that includes policies and controls that create secure mobile environments for telecommuters.

Network access controls are an important aspect of such a program. A solid telecommuting program must include a cybersecurity component to manage network access control such that if a remote employee tried to connect a non-authorized device to a remote server, it will be bounced to the non-secure. This is just one example of the hardware component. Software apps also pose a huge threat as many can contain malware. Allowing access to internal corporate resources does not mean having to go the whole nine. Consider that most of the applications that workers are given access to contain more information than necessary for the employee to perform their tasks.

Additionally, password protection alone isn’t sufficient for information in transit at either a Wi-Fi hotspot or a co-working space. End-to-end encryption provided by a virtual private network (VPN) is one of the most common protection measures. Privileged Account Management (PAM) programs are also an important measure to deploy as they prevent hackers from escalating privileges once an account has been hacked.

White: First, know what’s on your network. Keep track of who’s connecting.

Second, develop an IoT policy, similar to BYOD policies at work. Policies should address allowed devices, network access, security requirements, and privacy. For example, if/when kitchen products or other “Christmas and birthday presents” show up at the office, segment those devices onto other non-critical networks.

Third, enable the protections that are available for these devices. Make sure that security is enabled to the greatest extent possible.

Fourth, train your staff to recognize the pros and cons of various IoT devices. Provide guidance to help them understand and become aware of the benefits and dangers of IoT. Your security awareness training program is the ideal place to incorporate information about new technologies such as IoT, and their associated risks.

Fifth, ensure that adequate monitoring and management of IoT devices is being deployed by security and technology staff. Where appropriate, build IoT into existing procedures and incident management processes.

Finally, understand the many positive ways that IoT can enable new business opportunities. Don’t just look at the negatives, but understand how a new generation of sensors can enable the good and disable the bad. Work with the business to develop tactical and strategic plans around IoT.
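White’s first two steps, knowing what is on the network and segmenting IoT devices onto non-critical networks, as an added example that is not part of the roundtable: a small audit that parses dnsmasq-style DHCP lease lines against a maintained device inventory and reports devices that are not in the inventory, plus inventoried IoT devices that are sitting on the corporate subnet instead of the IoT subnet. The lease lines, inventory and subnet addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// KnownDevice is one entry in the asset inventory, keyed by MAC address.
type KnownDevice struct {
	Name  string
	IsIoT bool // IoT devices are required to live on the IoT subnet
}

// Lease is one parsed DHCP lease.
type Lease struct {
	MAC, IP, Hostname string
}

// ParseLeases reads dnsmasq lease-file lines of the form
// "<expiry> <mac> <ip> <hostname> <client-id>", skipping malformed lines.
func ParseLeases(raw string) []Lease {
	var leases []Lease
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		leases = append(leases, Lease{MAC: strings.ToLower(f[1]), IP: f[2], Hostname: f[3]})
	}
	return leases
}

// Finding is one policy violation worth reviewing.
type Finding struct {
	Lease  Lease
	Reason string
}

// Audit flags leases whose MAC is missing from the inventory, and
// inventoried IoT devices whose address is outside the dedicated IoT subnet.
func Audit(leases []Lease, inventory map[string]KnownDevice, iotSubnet *net.IPNet) []Finding {
	var findings []Finding
	for _, l := range leases {
		dev, ok := inventory[l.MAC]
		if !ok {
			findings = append(findings, Finding{l, "not in inventory: unknown device joined the network"})
			continue
		}
		if dev.IsIoT && !iotSubnet.Contains(net.ParseIP(l.IP)) {
			findings = append(findings, Finding{l, fmt.Sprintf("IoT device %q is outside the IoT subnet %s", dev.Name, iotSubnet)})
		}
	}
	return findings
}

func main() {
	// Constructed sample: a laptop, a correctly segmented break-room TV, a
	// coffee machine someone plugged into the corporate VLAN, and an unknown phone.
	const leases = `1718000000 aa:bb:cc:00:00:01 10.10.1.20 alice-laptop 01:aa:bb:cc:00:00:01
1718000000 aa:bb:cc:00:00:02 10.10.9.15 breakroom-tv *
1718000000 aa:bb:cc:00:00:03 10.10.1.77 coffee-machine *
1718000000 aa:bb:cc:00:00:04 10.10.1.91 android-5f3a *`
	inventory := map[string]KnownDevice{
		"aa:bb:cc:00:00:01": {Name: "alice-laptop", IsIoT: false},
		"aa:bb:cc:00:00:02": {Name: "breakroom-tv", IsIoT: true},
		"aa:bb:cc:00:00:03": {Name: "coffee-machine", IsIoT: true},
	}
	_, iotNet, _ := net.ParseCIDR("10.10.9.0/24") // constructed IoT subnet
	for _, f := range Audit(ParseLeases(leases), inventory, iotNet) {
		fmt.Printf("%s %s (%s): %s\n", f.Lease.MAC, f.Lease.IP, f.Lease.Hostname, f.Reason)
	}
}
```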

What can people who are self-employed or who work in home offices do to protect themselves?

Kappenberger: When using IoT devices, people should consider more than their typical router with built-in-firewall to protect themselves. People should consider investing in commercial intrusion detection and network monitoring to prevent IoT devices from actually being a back door into their own network without them knowing about this. In addition, consumers should always change default device passwords and usernames, install a quality firewall, and ask the vendor for information on their internal security mechanisms.

Wigle: All users should actively engage in the security of their connected devices. Some steps for doing this are below:

  • Make sure security software is installed, up-to-date, and active on any devices that are connected to your company network or being used to access company data.
  • Keep your devices locked and secured when not in use, and require PINs, passwords, or biometric security to unlock internet-enabled devices.
  • When working in public locations, use a privacy or blackout screen on phones and laptops to prevent prying eyes.
  • Always use encrypted, password-enabled Wi-Fi and connect via VPN.
  • Turn off Bluetooth and only enable it when, and if, you need it to avoid unwanted connections from other devices.
  • Only download apps from official app stores, and be sure to read and understand the security settings.
  • Remember that any device connected to your home Wi-Fi network can introduce a vulnerability. Select IoT and smart home devices that implement good security and keep them up-to-date with vendor-provided patches. Use strong passwords on these devices also.

Durbin: Telecommuters should keep their devices and security software up-to-date and know how to disable file sharing and automatic connections to Wi-Fi from all company-issued mobile devices. Home-based Wi-Fi routers should be configured using WPA2 security and passwords should be very unique and changed often. Again, passwords alone won’t protect your devices. Any VPN needs end-to-end encryption.

Are cyberthreats increasing for IoT devices?

Wigle: Current figures put the number of connected devices worldwide at 15 billion. This number will continue to grow exponentially as more and more connected devices become integral to consumers’ and workers’ daily lives. Because the data stored on and accessible through mobile devices connected to corporate networks is so valuable, we anticipate the risk to businesses and consumers will continue to increase. Ransomware is a particularly troublesome threat that we expect to see rise with the growth of the IoT.

Because so many IoT devices lack sophisticated security measures, we also see them being targeted by criminals to conscript into botnets, networks of hijacked computers used to amplify attacks, flood servers, and otherwise cause mayhem on a targeted website. The best way for businesses and consumers to combat future attacks on connected devices is to update the software on smart devices, do ample research on security policies, and update procedures on devices before purchasing, and to protect devices with security solutions like VPN software, antivirus, endpoint protection, and encryption.

Durbin: Yes. As the number of IoT connections grow, so will the threat level. IoT is high on the list of the C-suite because it gives businesses a whole new level of increasing efficiency, revenue streams, and customer satisfaction; while at the same time lowering overall operating costs. If you look at the amount of malware that is targeting mobile devices today, consider that similar threats will likely proliferate among IoT devices as they catch on.

Weber: Yes, there is an increasing demand for IoT solutions. Historically speaking, high demand has always driven the pace of product development and vulnerabilities are just a byproduct of that. Until the industry undergoes a major change in direction, more solutions on the market equals more vulnerabilities.

Dodi Glenn: Absolutely. As more of these devices are deployed, miscreants are taking advantage of unpatched/vulnerable devices. In fact, just today a report was posted about a security issue with a wireless keyboard, which allows someone to sniff the keys being typed. This can include usernames and passwords, or other sensitive pieces of information.

Do you find that businesses are unaware of the dangers of IoT devices?

Kappenberger: We have seen several cases where people assume that IoT devices are safe, and do not expose additional threats. However, this assumption, after talking with them more deeply, is quickly replaced with worries about the security problems this can expose. Ultimately, for IoT to have the biggest impact, a security story has to be part of IoT manufacturers’ thought process. They need to take into account the sensitivity of the data itself, and how they protect the data itself.

Wigle: Often there is an assumption that the risk of IoT devices is limited to the functionality of the device itself. For example, does it really matter if my smart light bulb is compromised? But, the reality is a vulnerability in the light bulb could permit an attacker to gain access to the Wi-Fi network and much more valuable devices and data. Security for IoT needs to be very comprehensive and implemented as a system. In the home, as an example, a gateway device could be monitoring traffic and helping secure other devices.

Durbin: Yes. Most organizations have not prepared for, nor are they aware of, the numerous security issues of IoT. The whole area of vulnerability management, DDoS attacks, bandwidth requirements, the need for security analytics capabilities, etc. etc. are not areas that most businesses have thought through fully. This should be a priority of organizations of all sizes moving forward. Security is no longer a “nice to have.” It is business critical and should be front and center for all employees, from the basement all the way up to the boardroom.

Glenn: I think businesses are, for the most part, aware of the dangers, but they aren’t doing anything about it. The businesses know that these devices connect to the internet, but have nothing to really protect them. Conversely, the “consumer people” do not know about the dangers of the IoT devices, and are largely concerned with the feature/functionality of the device itself, rather than security.

http://www.techrepublic.com/article/iot-hidden-security-risks-how-businesses-and-telecommuters-can-protect-themselves/

Mobile App Security in a BYOD Environment

Mobile app security is a major issue.

Popular apps for your smartphone can be convenient and increase productivity, but they can also carry malware that gives hackers easy access to your personal or company-sensitive information. Mobile security firms and experts consistently report that somewhere between 75% and 100% of all apps have been hacked.

In 2015 Gartner claimed that 75% of all mobile applications failed basic security tests. And an IBM study found that 40% of large companies aren’t scanning the apps that they build for customers for security vulnerabilities.

Mobile apps are vulnerable to attacks

First of all, it is easy to hack an app. There are freely available tools on the market that can reverse engineer the binary code of an app back to the source code. And the resulting reverse engineered code is close to the original source code. The hacker can then analyze the source code and extract sensitive information or identify security vulnerabilities.

That allows the hacker to find the optimum attack vector: code modification or payload insertion. Or, when the hacker has the original source code, he can settle on a method swizzling approach.

Method swizzling is a technique that allows a runtime code substitution without modifying the source code. With the detailed knowledge of the source code, the hacker can then develop a malicious app that replaces a method call – of, for example, a banking app – with his own method call to divert a financial transaction.

So mobile app security starts with application design and coding.

Second, as mentioned in the previous paragraph, most of the available apps have already been hacked. So the download of an innocent-looking app with a malicious payload – one that is controlled by a command & control server – allows the hacker to query all apps on a device and structure his attack vector accordingly.

Mobile app security management in a BYOD environment

You have built a secure mobile application, and tested and resolved the security vulnerabilities. But as secure as an application is, its security relies on the security of the mobile device.

Jailbroken devices or the presence of applications with a malware payload represent a level of security risk that may be acceptable for certain enterprise apps but not for others.

In a BYOD environment where companies need to manage jailbroken devices and rogue applications, they need to consider Mobile Device Management (MDM) software. MDM is commonly deployed to enforce policies.

An organization might use MDM to enforce device encryption and a strong PIN code, and to allow for remote wipe in the event of theft or loss. But the full range of MDM functionality also includes an inventory of installed applications.

Using this functionality and up-to-date intelligence sources and application reputation services, application capabilities could be enabled or disabled based on the device risk profile.

Second, enterprises should also consider Mobile Application Management (MAM) software to improve their mobile app security. First of all, the mobile app sandbox must be intact. Jailbroken devices pose a risk to the mobile app security model, and it is highly recommended to restrict these devices from accessing enterprise data.

But to take this one step further, applications can be packaged or “wrapped” so that MAM products can manage them. Wrapping an application typically involves taking the original application package and compiling it with management code from the MAM vendor.
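The MDM/MAM decision described above, enabling or disabling application capabilities from a device risk profile built from the MDM inventory and an app reputation source, as an added example that is not from the IFSEC article or any MDM vendor: it scores a device on encryption, passcode strength, jailbreak status and the reputation of its installed apps, and maps the resulting risk level to the capabilities an enterprise app may offer. The inventory fields, reputation labels, passcode minimum and capability names are assumptions for illustration.

```go
package main

import "fmt"

// Reputation is what an app reputation service reports for a bundle ID.
// A bundle ID missing from the feed is treated as RepUnknown (the zero value).
type Reputation int

const (
	RepUnknown Reputation = iota
	RepTrusted
	RepMalicious
)

// DeviceInventory is what MDM reports about one enrolled device.
type DeviceInventory struct {
	ID            string
	Encrypted     bool
	PasscodeLen   int
	Jailbroken    bool
	InstalledApps []string // bundle identifiers from the MDM app inventory
}

type RiskLevel int

const (
	RiskLow RiskLevel = iota
	RiskMedium
	RiskHigh
)

func (r RiskLevel) String() string { return [...]string{"low", "medium", "high"}[r] }

// Capability is one enterprise-app feature that can be toggled per device.
type Capability string

const (
	CapViewData     Capability = "view-data"
	CapOfflineCache Capability = "offline-cache"
	CapExport       Capability = "export-documents"
)

// Assess derives the device risk profile. Every finding is recorded as a
// reason so an administrator can see why a device lost capabilities.
func Assess(d DeviceInventory, rep map[string]Reputation) (RiskLevel, []string) {
	level := RiskLow
	var reasons []string
	raise := func(to RiskLevel, why string) {
		if to > level {
			level = to
		}
		reasons = append(reasons, why)
	}
	if d.Jailbroken {
		raise(RiskHigh, "device is jailbroken: the app sandbox cannot be trusted")
	}
	if !d.Encrypted {
		raise(RiskHigh, "device storage is not encrypted")
	}
	if d.PasscodeLen < 6 { // assumed policy minimum
		raise(RiskMedium, fmt.Sprintf("passcode length %d is below the required 6", d.PasscodeLen))
	}
	for _, app := range d.InstalledApps {
		switch rep[app] {
		case RepMalicious:
			raise(RiskHigh, "app with malicious reputation installed: "+app)
		case RepUnknown:
			raise(RiskMedium, "app with no reputation data installed: "+app)
		}
	}
	return level, reasons
}

// Capabilities maps a risk level to what the enterprise app may do on the
// device; a high-risk device gets no access to enterprise data at all.
func Capabilities(level RiskLevel) []Capability {
	switch level {
	case RiskLow:
		return []Capability{CapViewData, CapOfflineCache, CapExport}
	case RiskMedium:
		return []Capability{CapViewData}
	default:
		return nil
	}
}

func main() {
	// Constructed reputation feed and MDM inventory records.
	rep := map[string]Reputation{
		"com.example.mail":         RepTrusted,
		"com.badvendor.flashlight": RepMalicious,
	}
	devices := []DeviceInventory{
		{ID: "ios-1001", Encrypted: true, PasscodeLen: 6, InstalledApps: []string{"com.example.mail"}},
		{ID: "ios-1002", Encrypted: true, PasscodeLen: 4, InstalledApps: []string{"com.example.mail", "com.unknown.game"}},
		{ID: "android-2003", Encrypted: true, PasscodeLen: 8, Jailbroken: true, InstalledApps: []string{"com.badvendor.flashlight"}},
	}
	for _, d := range devices {
		level, reasons := Assess(d, rep)
		fmt.Printf("%s: risk=%s capabilities=%v\n", d.ID, level, Capabilities(level))
		for _, r := range reasons {
			fmt.Println("  -", r)
		}
	}
}
```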

Conclusion

Without a shadow of a doubt, mobile app security is a major concern. So, if you have questions about the mobile applications that your company is using, or if you are a business that would like to learn more about MAM and MDM software, search for a reliable resource that can provide you with a state-of-the-art mobile application security solution.

http://www.ifsecglobal.com/mobile-app-security-in-a-byod-environment/

On the Move and At Risk: Safeguards for Mitigating Mobile Device Vulnerabilities While Traveling Overseas

Employees use their smartphones as a key tool for accessing information during a work day – especially when outside the office and traveling on business.  While smartphones, tablets, laptops and other devices may increase productivity by facilitating work flow and communications, a wireless mobile device and related data may be exploited by cybercriminals, and this risk increases significantly when overseas.  Organizations can help manage the risk of compromising confidential information, intellectual property, and other sensitive data by adopting safeguards for personnel travelling in other countries.

Some destinations outside the United States tend to host far more mobile device attacks than others due to less secure cellular networks, elevated levels of corporate corruption, and authoritarian legal regimes.  Kaspersky Lab, a digital security service, annually measures the countries with the most attacks on mobile users.  They noted that in 2015, the top 10 countries for mobile attacks were China, Nigeria, Syria, Malaysia, Ivory Coast, Vietnam, Iran, Russia, Indonesia, and Ukraine.  This list of top offenders, however, should not cause organizations to be complacent about travel in other countries – data theft happens in cities throughout the world.  Kaspersky Lab reported earlier this year that malware targeting users of mobile devices grew more than three times between 2014 and 2015.

The most dangerous threats in 2015 were ransomware, malware capable of obtaining unlimited rights to an infected device, and data stealers such as financial malware.  Attacks might arise by intercepting cellular signals using network vulnerabilities, such as the SS7 global network, or by using software downloaded through a mobile application.  Once access to a mobile device is obtained, criminals can make and record calls, delete call logs, intercept text messages, download data stored on the device, record audio and video using the phone as a remotely operated camera and microphone, and access email accounts.  This creates the risk of compromising ongoing negotiations, insider information, financial data, intellectual property, and personal information, as well as other documents and data that move through or reside on the mobile device.

Fortunately, employing safeguards can help minimize the risk that a mobile device will become an unauthorized gateway to an organization’s sensitive information.  Such safeguards include the following:

•  If overseas business travel is frequent – and to areas where there is a heightened risk of cybercrime – consider using a dedicated mobile device with minimal stored data that can be wiped clean at the end of the trip.

•  Use industry standard encryption protocols for files stored on mobile devices containing especially sensitive information.

•  Be especially cautious when using public wireless networks at airports, hotel business centers, and other locations despite their convenience.

•  Use caution when storing or transmitting sensitive data through the mobile device while travelling and backup the data before travelling.

•  Educate personnel to avoid downloading mobile applications while overseas if the device will be connected to the organization’s network.

While there are other precautions that might be considered, these safeguards are a good starting point together with training personnel (and others) to help any organization reduce its risk of compromising sensitive communications, as well as avoid potential costly risk mitigation, security breach notices, and associated litigation if an incident should occur.

http://www.jdsupra.com/legalnews/on-the-move-and-at-risk-safeguards-for-93342/

MSPs Warned of BYOD Security Threat From Pokémon GO

The maker of the hit mobile video game Pokémon GO says its engineers are working to fix a flaw that grants the company access to all Google files and data of users who play the game on iOS devices.

Players who sign in with their Google accounts must agree to a privacy policy that allows Niantic Inc. access to users’ email, photos, videos, web page viewing data, GPS navigation histories, and all documents contained in Google Drive.

Cybersecurity concerns were heightened even further following reports that a weekend crash of the Pokémon GO servers was the result of multiple hacking attacks.

Niantic and Google, which has a stake in the game developer, said only User IDs and email addresses are being tracked, and denied accessing or collecting any of the more sensitive player data.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” Niantic said on its website. “Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.”

BYOD data concerns

The augmented reality game, in which graphics from smartphone cameras are projected onto real-world locations, became the biggest mobile game in U.S. history last week, with 21 million daily active users, according to a post on the SurveyMonkey Intelligence blog.

That staggering number is raising questions about whether some of those devices are unprotected enterprise phones or personal BYOD devices that could expose sensitive business data.

The vulnerabilities pose challenges and opportunities for managed services providers (MSPs) and managed security services providers (MSSPs).

“As an MSP, you can use apps like Pokémon GO as an example to show clients and employees the security risks involved with unprotected mobile devices and the growing need for managing these endpoints,” according to a post on Continuum’s MSPblog.

“By leveraging a mobile device management (MDM) solution, you can reduce these risks by remotely wiping an individual’s data if a device is compromised,” the post continues. “An MDM solution will also allow you to implement endpoint security policies and put restrictions on app purchases from non-validated markets.”

Several government agencies have issued advisories regarding the game. One blogger posted an unclassified memo to his Twitter feed entitled “U.S. Government operation security guidance for intelligence officers and friends playing Pokémon GO.”

“Don’t use your personal Gmail account to log in, as this not only links your personal information with your Pokémon GO activity (which includes GPS data), it could also expose your Google credentials to the app owner,” the advisory states.

Instead, players in sensitive government roles are advised to sign into the game using the alternate Pokémon Trainers Club account method or create a “throw-away” Google account just for gameplay.

Hackers target game’s maker

Niantic has offered no timetable for when the flaw might be repaired.

Though the game’s maker has vowed not to misuse the unsecured information, the Pokémon GO privacy policy also grants the company permission to sell the information it obtains from users, share it with third parties or turn it over to law enforcement.

If the personal data and other Google user files were somehow to end up in Niantic’s huge user database, the danger of a catastrophic cybersecurity breach would increase exponentially.

Over the weekend, the Pokémon GO servers suffered a major outage, which Niantic blamed on too many downloads as it expanded the game to 26 new countries.

But two separate hacker groups claimed the outage was a result of distributed denial of service (DDoS) attacks, and vowed that more were being planned in the near future.

PoodleCorp, one of the hacker organizations, said another attack would occur on Aug. 1.

The hacker group OurMine – which previously hacked the social media accounts of Mark Zuckerberg, Sundar Pichai and Jack Dorsey – sent an email to PCMag.com, saying they also attacked the Pokémon GO servers in an effort to help improve security.

“We wrote we will stop the attack if (Niantic) staff talked with us,” the web article states, citing an anonymous OurMine representative, “because we will teach them how to protect their servers.”

http://mspmentor.net/msp-mentor/msps-warned-byod-security-threat-pok-mon-go
