[IS&T Security-FYI] SFYI Newsletter, May 5, 2014

Monique Buchanan myeaton at MIT.EDU
Mon May 5 14:17:03 EDT 2014


In this issue:

1. EVENT: Laptop Tagging and Registration on Wed. 5/7
2. The Rise of Identity Theft in Healthcare
3. Phishing Scheme Used VoIP to Steal Debit Card Data
4. Hackers Lurk in the Strangest Places


----------------------------------------------------------------------------
1. EVENT: Laptop Tagging and Registration on Wed. 5/7
----------------------------------------------------------------------------

This Wednesday, there is an opportunity to register and tag your laptop.

Where: Lobby of Building 10
When: Wed., May 7, 11:00 am - 12:30 pm

Cost: $10 cash (no cards) or MIT Cash Object

Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP (Security Tracking of Office Property) tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.

Sgt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.

Read laptop recovery stories here <https://www.stoptheft.com/>.

Learn more about laptop registration at MIT <http://kb.mit.edu/confluence/display/istcontrib/MIT+Police+Laptop+Tagging+and+Registration>.


--------------------------------------------------------
2. The Rise of Identity Theft in Healthcare
--------------------------------------------------------

The Identity Theft Resource Center produced a survey last month showing that medical-related identity theft accounted for 43% of all identity thefts reported in the US in 2013. This share is far greater than that of identity theft involving banking, finance, the government, military or education. Since 2009, between 27.8 million and 67.7 million people have had their medical records breached.

Stolen medical information is generally used to commit insurance fraud and illegally obtain prescription drugs.

Unfortunately, this type of identity theft leaves victims with some of the least recourse. They experience financial repercussions and may often find erroneous information added to their medical files. According to James Pyles, a Washington, DC lawyer, “It’s almost impossible to clear up a medical record once medical identity theft has occurred.”

Identity theft occurs when someone gains unauthorized access to medical information and passes it on without permission (20%), or when systems are hacked (14%).

But the majority of identity theft (over 50%) involves the theft of a computer or other medical device. This is why it’s so important to protect those devices. “We say, encrypt, encrypt, encrypt,” says Rachel Seeger, a spokesperson for the US Department of Health and Human Services.

Read the full story online <http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/>.


----------------------------------------------------------------------------
3. Phishing Scheme Used VoIP to Steal Debit Card Data
----------------------------------------------------------------------------

In a new variation on phishing campaigns, thieves used text messages and VoIP (voice over Internet protocol) calls to steal debit card data from customers of a number of US financial institutions. The method is called voice phishing or “vishing” (using a phone to scam customers).

The targeted bank customers received text messages telling them their debit card had been deactivated and giving them a phone number to call to reactivate the card. The number sent them to an interactive voice response (IVR) system that asked for their debit card number and PIN.

Read the full story online <http://www.computerworld.com/s/article/9248027/Voice_phishing_scheme_lets_hackers_steal_personal_data_from_banks>.


-----------------------------------------------------
4. Hackers Lurk in the Strangest Places
-----------------------------------------------------

When hackers were unable to gain access to Target’s records through their main system, they went through its heating and cooling system. In other cases, hackers have used printers, thermostats, video-conferencing equipment and a Chinese takeout menu.

A Chinese takeout menu? Yes, when hackers couldn’t breach the computer network at a big oil company, they planted malware in the online menu of a Chinese restaurant that was popular with employees of the oil company. When workers browsed the menu, they inadvertently downloaded code that gave attackers a foothold in the business’ network.

Companies that are doing everything possible to seal up their systems are now having to look in the unlikeliest places for vulnerabilities. The situation has grown increasingly complex and urgent. Access to a network is given to all kinds of other computerized systems and services, including heating, ventilation and cooling systems, billing and expense systems, health insurance providers and even vending machines.

While security researchers are often employed to find such leaks in a system, it is now becoming as difficult as finding a needle in a haystack.

Read the full story online <http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


