IT Security

North of England NHS buyers name IT consultants who got in on £200m framework deal

Hundreds of millions of pounds’ worth of consultancy work farmed out

Deloitte, Atos, and Phoenix Software are among the 29 organisations who’ve been picked to provide a whopping £200m worth of IT consultancy services to the National Health Service in the north of England.…

Eavesdropping on Phone Taps from Voice Assistants

The microphones on voice assistants are very sensitive, and can snoop on all sorts of data:

In Hey Alexa what did I just type? we show that when sitting up to half a meter away, a voice assistant can still hear the taps you make on your phone, even in the presence of noise. Modern voice assistants have two to seven microphones, so they can do directional localisation, just as human ears do, but with greater sensitivity. We assess the risk and show that a lot more work is needed to understand the privacy implications of the always-on microphones that are increasingly infesting our work spaces and our homes.

From the paper:

Abstract: Voice assistants are now ubiquitous and listen in on our everyday lives. Ever since they became commercially available, privacy advocates worried that the data they collect can be abused: might private conversations be extracted by third parties? In this paper we show that privacy threats go beyond spoken conversations and include sensitive data typed on nearby smartphones. Using two different smartphones and a tablet we demonstrate that the attacker can extract PIN codes and text messages from recordings collected by a voice assistant located up to half a meter away. This shows that remote keyboard-inference attacks are not limited to physical keyboards but extend to virtual keyboards too. As our homes become full of always-on microphones, we need to work through the implications.

Bill Spells Out New Factors to Weigh in Setting HIPAA Fines

Measure Passed by Congress Would Require Considering Use of ‘Recognized Security Practices’

Under legislation passed by Congress this weekend that awaits President Trump’s signature, HIPAA enforcers, when considering financial penalties for compliance violations, would need to determine whether an organization had implemented “recognized security practices,” such as the NIST Cybersecurity Framework.

DOJ Seizes Fake Domains Impersonating Moderna, Regeneron

Prosecutors: Websites Spoofed Pharmaceutical Firms for ID Theft

Federal investigators have seized two domains impersonating the pharmaceutical firms Moderna, which has begun shipping a COVID-19 vaccine, and Regeneron, which developed a treatment for COVID-19, according to the U.S. Justice Department. Fraudsters were using the websites for identity theft.

US Treasury Suffers ‘Significant’ SolarWinds Breach

‘Dozens of Email Accounts’ Compromised by Attackers, Says Senior Democratic Senator

An ongoing investigation at the U.S. Treasury Department has found that it suffered a “significant” breach as a result of the SolarWinds Orion supply chain attack, and that at least dozens of email accounts were accessed, reports a top Democrat on the Senate Finance Committee.