Information Technology

The Federal Bureau of Investigations (FBI) is warning that someone is scraping credit card data from the checkout pages of US businesses’ websites. “As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server,” the FBI said in an alert.

It said the “unidentified cyber actors” also established backdoor access to the victim’s system by modifying two files within the checkout page. SEE: Just in time? Bosses are finally waking up to the cybersecurity threatJavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but PHP code remains a major source of card skimming activity. The attackers began targeting US businesses in September 2020 by inserting malicious PHP code into the customized online checkout pages. But earlier this year, the actors changed tactics using a different PHP function.  The actors create a basic backdoor using a debugging function that allows the system to download two webshells onto the US firm’s web server, giving the attackers backdoors for further exploitation. The FBI’s recommended mitigations include changing default login credentials on all systems, monitoring requests performed against your e-commerce environment to identify possible malicious activity, segregating and segmenting network systems to limit how easily cyber criminals can move from one to another, and securing all websites transferring sensitive information by using secure socket layer (SSL) protocol.Security firm Sucuri observed that 41% of new credit card skimming malware samples in 2021 were from PHP backend credit card skimmers. This suggested that solely scanning for frontend JavaScript infections could be missing a large proportion of credit card skimming malware. As Sucuri explains, webshell backdoors give attackers full access to the website file system, often providing a full picture of the environment, including the server operating system and PHP versions, as well powerful functionality to change permissions of files and move into adjacent websites and directories. Webshells accounted for 19% of 400 new malware signatures gathered by Sucuri in 2021. The firm saw a “hugely disproportionate” rise in signatures in 2021 for PHP-based credit card stealers impacting e-commerce platforms Magento, WordPress and OpenCart.    More

Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.

ZDNet Recommends

Hackers working for North Korea – officially known as the Democratic People’s Republic of Korea (DPRK) – have gained notoriety for sophisticated hacks on cryptocurrency exchanges during the past five years. In 2021 alone they stole over $400 million worth of cryptocurrency for the DPRK. SEE: Just in time? Bosses are finally waking up to the cybersecurity threatThe FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and Treasury last month warned that North Korea’s Lazarus Group, or APT 38, was targeting exchanges in the blockchain and cryptocurrency industry using spear-phishing campaigns and malware. Treasury also in April linked Lazarus to the $600 million heist in March from the Ronin blockchain network underpinning the play-to-earn game Axie Finity.  However, the skilled North Korean IT workers play another function for DPRK, using their access as sub-contracted developers within US and European contracting firms to enable DPRK-sponsored hacking. The US government has outlined “red flag” indicators that firms might be hiring North Korean freelance developers and tips to “protect against inadvertently hiring or facilitating the operations of DPRK IT workers.” “The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions,” the advisory states. DPRK IT workers are primarily located in the People’s Republic of China (PRC) and Russia, but some are located in Africa and Southeast Asia, the US says. “The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of US and UN sanctions.” Rather than engaging directly in malicious cyber activity, DPRK IT workers use privileged access within contractor roles to provide logistical support to DPRK hackers by sharing access to virtual infrastructure, facilitating sales of stolen data, and assisting in DPRK’s money laundering and virtual currency transfers.”Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor,” the warning notes.A tight labor market coupled with high demand for software developers in the US and Europe are working in favor of North Korean software developers, who can earn at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. The list of roles that DPRK tech workers specialize in reflect the hottest areas of tech in the West and globally, including mobile and web apps, building crypto exchange platforms and digital coins, mobile games, online gambling, AI-related applications, hardware and firmware development, VR and AR programming, facial and biometric recognition software, and database development. The DPRK workers often take on projects that involve virtual currency in categories spanning business, health and fitness, social networking, sports, entertainment, and lifestyle, according to the advisory.SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breachesUnsurprisingly, DPRK IT workers are using VPNs and third-country IP addresses to conceal their internet connections and avoid violating terms of service of online platforms they use. They’re also using proxy accounts to bid for work, and might use a dedicated device for banking services to evade anti-money laundering measures. And they’re using forged and stolen identity documents to hide their identity.   Red flags include: multiple logins into one account from various IP addresses linked to different countries in a short time; developers logging into multiple accounts on the same platform from one IP address; developers being logged into accounts continuously for one or more days at a time; router ports such as 3389 and other configurations associated with the use of remote desktop-sharing software; multiple developer accounts receiving high ratings from one client account in a short period; extensive budding on projects and a low number of accepted project bids; and frequent money transfers through payment platforms, especially to China-based bank accounts.       The advisory notes that DPRK IT workers employed by a US firm fraudulently charged its payment account $50,000 in 30 small installments over a matter of months. The US agencies recommend contracting firms conduct video interviews with applicants to verify their identity and to reject low-quality images as verification of identity.  More

Written by

Eileen Yu, Contributor

Eileen Yu
Contributor

Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently an independent business technology journalist and content specialist based in Singapore, she has over 20 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

Full Bio

A higher number of organisations in Singapore are experiencing at least six cybersecurity incidents in the past year, compared to their counterparts across 10 other global markets. However, just 49% in the Asian nation are able to respond to a threat within 24 hours, compared to the global average of 70%. Some 65% of organisations in Singapore saw at least six security incidents, which was the highest amongst the 11 markets surveyed in a study commissioned by Infoblox that polled 100 respondents in the country. Globally, 46% of organisations encountered at least six security incidents. Conducted by CyberRisk Alliance’s Business Intelligence Unit, the survey had a total of 1,100 respondents from markets that also included Australia, Germany, the US, and UK.

In Singapore, 73% said cybersecurity incidents led to an actual breach, compared to 34% across the globe that saw at least one breach. Some 45% pointed to a cloud application or infrastructure as the source of a breach, while 42% cited an IoT device or network and 32% blamed an employee-owned endpoint device.  Globally, 32% said their organisation’s security breaches originated from Wi-Fi access points while 29% pointed to a cloud application or infrastructure. Another 29% cited an employee-owned endpoint device and 25% blamed a third-party or supply chain services provider. As a result of breaches, 57% in Singapore said hackers exposed sensitive data, while 53% suffered system outages or downtime and 43% had to deal with malware infections. The survey also found that 33% incurred losses–direct and indirect–of up to $1 million due to a security breach. Globally, this figure was a higher 43%, with respondents highlighting the associated cost of operating amidst the pandemic where more sensitive data had to be shared via multiple channels. Asked about challenges they faced safeguarding their network against attacks, 33% globally pointed to monitoring remote work access and 28% noted a lack of budget. In Singapore, 32% cited poor network visibility, while 32% highlighted a shortage of security skills and 28% faced budget restraints.Data leakage was the top cybersecurity concern for 51% of companies in Singapore, while 42% were anxious about remote connections and 35% felt the same about networked IoT attacks. Some 29% also expressed concerns about attacks through cloud services.Worldwide, data leakage also was the top concern for 49% of respondents, followed by ransomware at 39% and attacks via remote connections at 36%.To cope with the threat landscape, 73% in Singapore said their organisation had increased their IT security budgets last year, with another 69% expecting this upward trend to continue this year. Globally, 71% expected their IT security budgets to increase this year. Some 28% in Singapore said they would invest in DNS security, while 26% said likewise for network security tools. Another 37% would pump funds into data encryption and 36% were opting for cloud access security brokers. Some 60% currently tapped DNS controls as part of their cybersecurity strategy to block and flag malicious traffic and devices. Another 61% had implemented SASE (secure access service edge) infrastructures, with 29% indicating plans to do likewise.RELATED COVERAGE More

on May 16, 2022

| Topic: Legal

US prosecutors have accused 55-year-old Venezuelan cardiologist Moises Luis Zagala Gonzalez, also known as Nosophoros, Aesculapius and Nebuchadnezzar, of being the mastermind behind a slew of notorious ransomware.According to Justice Department officials, Zagala is alleged to have set up a cybercriminal enterprise in which he held an economic and reputational interest in his software being used in successful cyber attacks. “We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users,” assistant director-in-charge Michael Driscoll said.”Many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems — which is an incredibly vital step in stopping the next ransomware attack.” Some of Zagala’s associated ransomware products include Jigsaw, and private ransomware builder Thanos. Jigsaw has been around since 2016, and is known for its dramatic means of pressuring victims to pay up fast, stealing the idea from the 2004 movie Saw, where characters have to solve puzzles within a time limit or face fatal consequences. Meanwhile, Thanos — named presumably after the Marvel supervillain — first appeared in 2019, allowing users to build their own ransomware.In 2020, while investigating security incidents at several Israeli prominent organisations, security researchers from ClearSky and Profero said they linked the use of the Thanos ransomware to MuddyWater, a known Iranian state-sponsored hacking group.”Combating ransomware is a top priority of the Department of Justice and of this Office.  If you profit from ransomware, we will find you and disrupt your malicious operations,” said US Attorney Breon Peace. Despite this, if convicted, Zagala only faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions. Related Coverage More

Do you want a solid Linux distribution that also delivers the latest languages and solid security? Yes? Then consider getting Red Hat Enterprise Linux 8.6.Red Hat announced this new release at the Red Hat Summit. It has numerous new features, but the ones that caught my eye were the security improvements.

For example, if you’re serious about securing your Linux distribution, you should run Security-Enhanced Linux (SELinux). But, SELinux has long had a fundamental problem. Because its Common Intermediate Language (CIL) couldn’t store the module name and version in the module itself, there was no simple way to verify that the installed module was the right version. This kind of thing has become a common software chain supply security problem. Now, however, you can create a SHA256 hash checksum signature for your SELinux modules. You can then compare this with the original file’s checksum to make sure you’re actually using the correct SELinux configuration file. Continuing with configuration file security improvements, RHEL’s OpenSSH servers now support drop-in configuration files. The sshd_config file supports the Include directive. That means you can include configuration files in another directory. What makes this matter is that it makes it easier to apply system-specific configurations on OpenSSH servers by using automation tools such as Ansible Engine. It also makes it easier to organize different configuration files for different uses, such as filtering incoming connections.Libreswan, a popular open-source IPsec Virtual Private Network (VPN) server and Internet Key Exchange (IKE), has been rebased to upstream version 4.5. This includes many bug fixes and enhancements, such as the support of IKE version 2 for Labeled IPsec.This enables Libreswan to work better on SELinux systems.For SAP HANA users, the big news is there’s now a jointly-tested RHEL SAP HANA configuration with SELinux enabled. SELinux enables the server to automatically isolate processes. This, in turn, provides excellent privilege escalation attack protection.At a higher level, RHEL’s Web console now includes support for Smart Card Authentication with sudo and SSH. With the growing need for Two-Factor Authentication (2FA) this is a big step forward for improved day-to-day security.For developers, the biggest news is that RHEL 8.6 now comes with PHP 8 and Perl 5.32. It also includes support for GCC 11, LLVM 13.0.1, Rust 1.58.1, Go 1.17.7, OpenJDK 17, and Apache Log4j 2. In other words, it supports today’s most up-to-date languages.If you need high-availability (HA), RHEL 8.6 also comes with a HA Cluster System Role. This makes it much easier to create more consistent and stable RHEL HA clusters solutions.Life is also easier for SAP HANA users because SAP day-1 Automation uses the Red Hat Ansible Automation Platform to automate SAP HANA setup and configurations. Additionally, these new RHEL system roles are now available as Ansible collections, providing organizations with more flexibility to consume SAP automation content. All these SAP HANA improvements make RHEL much more competitive with SUSE SAP HANA offerings.Put it all together and what you get is a great, solid enterprise Linux for Red Hat users on everything from a simple server in the backroom to the data center to the public cloud to the hybrid cloud and beyond.RHEL 8.6 is available now for everyone with an active RHEL subscription. Don’t have one and want to give the latest RHEL a try? You can download a 60-day evaluation edition of RHEL 8.6 to see if it works for you. Related Stories: More

Written by

Angelica Mari, Contributing Editor

Angelica Mari
Contributing Editor

Angelica Mari is a Brazil-based technology journalist. She started working at age 15 as a computer instructor and started writing professionally about technology two years later.

Full Bio

Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year. The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. According to the company, physical stores continued to operate and the logistics arm of the company continued to deliver orders placed after the event.

“In order to add strength to our internal team and security partner companies in the resolution and investigation of this incident, we called on world-renowned experts with experience in situations like these,” the company said in its financial statement. According to Americanas, the operations started to be gradually restored on February 23 and activities fully resumed on the following day. “There is no evidence of other damages, beyond the fact that our e-commerce operations were suspended,” the firm noted. Despite the impact caused by the incident, the company reported a 22% increase in total sales compared to the same period last year. According to the firm’s results, digital sales increased 20% in the first quarter of the year as the pace of sales resumed in the weeks following the incident. The company noted that if the cyberattack hadn’t happened, sales growth would have reached 30%. The authors of the Americanas attack are understood to be the Lapsus$ Group — the group responsible for a major ransomware attack against Brazil’s Ministry of Health in December 2021 that resulted in the unavailability of the COVID-19 vaccination data of millions of citizens. According to analyst firm IDC, overall IT security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020. The research company predicts that 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic.

ZDNet Recommends More

As the battle over abortion continues in the United States, concerns have been raised over period tracking apps’ data practices and security.  You should stop using them, or at the least, only use a service with stringent data protection and encryption — and this is why. 

What is Roe v. Wade?

For those unfamiliar with the current upheaval in the US, the 1973 Roe v. Wade case, brought forward against state laws restricting abortion, was a landmark ruling that effectively legalized the procedure in the US. However, different US states still take varied views on abortion and when it is permissible. Earlier this month, reports surfaced of a leaked draft majority opinion showing the US Supreme Court is likely set to overturn Roe v. Wade. The draft also cites a 1992 decision that further concreted the constitutional right to abortion services. According to the Associated Press, Senate Democrats have tried to move quickly and enshrine the 50-year-old ruling into law through new legislation, which, if passed, would have made abortion rights far harder to overturn. However, the proposed bill has been blocked. A final ruling is reportedly to take place within months. If Roe v. Wade is overturned, the non-profit Guttmacher Institute suggests that at least 26 US states, including Texas, Alabama, and Louisiana, may be poised to trigger abortion bans or at least impose a minimal time frame for terminations. 

Technology in the medical sector

Wearable health tech, hospital robots, and telehealth appointments with healthcare providers all have become commonplace. As we’ve seen during the pandemic, technology can be of great benefit to overstretched medical professionals, and we can use mobile technology, too, on a personal level — to track our activities, sleeping patterns, and more. Millions of people with periods worldwide use menstruation tracking apps to track and monitor their monthly cycles, and the overarching “femtech” market is estimated to be worth roughly $49 billion by 2025.

What do period tracking apps do?

Menstruation apps log user input related to menstrual cycles over several months to predict when their next one is due. These apps can also be used to record changes in flow, predict likely fertility windows, log symptoms such as mood swings and cramps, and record sexual activities.Some apps focus on users attempting to become pregnant. Others offer general health and lifestyle advice. Some can quietly connect users to healthcare providers if they have questions or concerns. Period tracking apps can be particularly useful for users entering puberty and for those with irregular cycles. However, they should not be used as a form of birth control and, as people with periods know all too well, accurately predicting your next cycle start date is far from an exact science. 

Which are the most popular period trackers?

In the Android and iOS mobile ecosystems, some of the most popular menstruation trackers are Flo, Clue, Glow, MagicGirl, and Natural Cycles.

What do period tracker apps have to do with the US Supreme Court?

There are several emerging issues connecting the two. Period, fertility, and sexual activity trackers, by design, have to collect intimate information from their users, which is often stored and analyzed over time. Users can then tap into their record for next-cycle estimates, the days they may be most fertile, and to find out if they are likely to be pregnant.  In a post-Roe world, and if some US states do choose to write their own laws surrounding terminations, data from these apps could be used to prosecute people. Online information and digital records can make or break a criminal prosecution. This can include social networking posts, email records, conversations, location (GPS) data, and the user data collected by personal health mobile apps.  Keep in mind that such evidence may be flimsy, at best, considering how inaccurate these trackers can be. Should a user, for example, cross state lines to have a procedure done and their location or cycle records are known, investigators would need to prove beyond a reasonable doubt that the individual broke the law. However, information obtained from reproductive health and monitoring apps could, in theory, be used to build up a case. 

The Electronic Frontier Foundation puts it thus: “Service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers.  They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime.”

The case for criminality

If seeking an abortion becomes a criminal act in some states, then how app providers secure and manage user data has to become a priority — not just in terms of transparency, but what future legal US mandates may require.User data that is fed through third-party infrastructure providers, for example, could become subject to warrants or subpoenas in criminal investigations if individuals are suspected of being pregnant or of seeking a termination. In addition, app providers themselves may be subject to user data requests or demands if the information they hold isn’t legally protected. As noted by Slate, the data held by period trackers might not have any intrinsic value now to government agencies or investigators, but if Roe v. Wade is dissolved, these records could be used as evidence in a prosecution.The state of Louisiana is already considering treating abortions as homicides. Perhaps some states will follow the example of El Salvador, which recently prosecuted a woman for homicide after she suffered a miscarriage.If this is the future, other data sets gathered by these apps — such as smoking habits and alcohol intake, as Slate reports — could also be of interest to prosecutors.   

Isn’t this being overblown?

Not necessarily. It wasn’t so long ago that whistleblower Edward Snowden landed the US National Security Agency (NSA) in hot water over its mass digital surveillance programs.Last year, Flo drew the ire of the US Federal Trade Commission (FTC) for allegedly misleading users by “sharing the health information of users with outside data analytics providers.” In response, Flo said:

We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use […] Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us. In a 2020 study conducted by Privacy International, the civil rights group found that menstruation apps stored a “dizzying” amount of data on their users. For example, after requesting a copy of their information under GDPR, out of five apps surveyed, only two provided records — and these revealed data concerning menstruation, their sexual lives, diseases, orgasm rates, masturbation habits, medication intake, and how many children they have, and more.  According to Privacy International, some of this information was shared with third parties. (It should be noted that some of the apps have reviewed their data policies since the report went live.) The issue is that some period tracking apps may have vague data protection policies, share information — unaware that it could be used against its users — or may outright sell information to third parties. If an investigator can’t secure a warrant or subpoena to demand this data, they could buy it instead, if they knew where to look.  You just need to look to Texas and the so-called Heartbeat Bill, which allows citizens to effectively become bounty hunters by suing anyone for up to $10,000 who assists an individual in receiving an abortion, to understand that there may also be some people out there who would try to purchase this information to line their pockets. 

Data management: The US vs. Europe

How mobile app developers, across every sector, handle data is often questionable and is not necessarily protected under laws such as the EU’s GDPR. The EU’s General Data Protection Regulation (GDPR) requires organizations in the bloc to adhere to basic data protection standards, only hold “necessary” user information, and submit to strict rules depending on whether they are processors or controllers. When it comes to medical information, this is defined as “physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.” Some period trackers may be protected under GDPR, and in general, medical data can be exempt from disclosure when a data request is made if being compliant is “likely to cause serious harm to the physical or mental health of any individual.”Clue told Slate that it is “obligated under European Law (GDPR) to apply special protections to our users’ reproductive health data.” GDPR-bound apps may offer more protection, but this isn’t guaranteed. Apps in the EU may not be exempt from subpoenas, and future US laws could be proposed that force EU firms to hand over data (think the Patriot Act.)Read on: What is GDPR? Everything you need to know about the new general data protection regulationsThe US’ HIPAA laws, too, do not necessarily apply to the information gathered by period tracker apps as the law only deals with Protected Health Information (PHI). PHI is defined as “individually identifiable health information that is transmitted or maintained in electronic, written, or oral form,” but unless an app connects to healthcare providers for medical monitoring, it is unlikely to be HIPAA-compliant. Many period trackers also deal with lifestyle-based information and as these datasets are not inherently focused on health, these datasets would not be protected as PHI. The developers of apps under GDPR are required to clearly lay out how information is managed and used in privacy policies, and these should be checked if you choose to use a period tracker. However, as Privacy International found in a 2019 study, developers can still fall short of GDPR and other data protection standards. In other words, whether or not an app is said to be HIPAA/GDPR-compliant, in real-world scenarios there is no cast-iron guarantee your data is safe — unless, for example, it is encrypted and stored locally on your device, and so developers themselves have no access rights. 

What can period tracking app vendors do?

As the EFF says: “If you build it, they will come — so don’t build it, don’t keep it, dismantle what you can, and keep it secure.”The non-profit has published a list of recommendations for period trackers, women’s health, and healthcare service provider app developers to follow:Allow users pseudonymous access, so you don’t even know their namesDo not track the behavior of your users, and if this must happen, make it opt-in and clear there may be ramificationsCheck data retention policies and ask yourself: do we need to collect all this data, and for so long? Delete logs regularlyEncrypt data in transitEnable end-to-end encryption by defaultDo not allow your apps to become location broker havensDo not share user data, but if you must, only with trusted and vetted partners – and make this clear to usersConsider interoperability with third parties if they can provide the security for users that you cannot

Every time Mozilla releases its Privacy Not Included guide, we find that apps providing sensitive services, including health apps, are lax or fail spectacularly at security. It’s not just about an app provider’s intentions; you also need to assess the vendor’s technical expertise and understanding of cybersecurity.  “Privately-owned user data cannot be protected from state-mandated legal action,” commented Issy Towell, Wearables Analyst at CCS Insight. “Unless that changes, it is the responsibility of apps to demonstrate a genuine duty of care for users by rethinking the kind of data it collects on them.” There may be some apps out there that are more secure than others, where data is protected due to where it is stored and the legal requirements in that area.  For example, Natural Cycles, while FDA-cleared, stores its data in Europe and is, therefore, subject to GDPR requirements. Furthermore, the app’s developers told us that data is encrypted both in transit and at rest, and “we have never — and never will — sell user data.” Natural Cycles told ZDNet: “Natural Cycles is not a covered entity by HIPAA, not by choice, but because we do not handle medical electronic records. It is important to note, however, that HIPAA is not the only data safeguard. As potential legislation changes arise, we remain focused on being a company committed to doing the right thing for our users vs. relying on specific laws that are subject to change. We’re closely monitoring the ongoing situation with legal counsel to make sure that no matter the outcome, we will achieve our goal of remaining regulatory compliant as a medical device, while never turning over personal, sensitive data. We will be evolving our privacy policy to make sure our users are protected against unimaginable potential legal situations.”

Should I delete my period tracking app?

Yes.

(Author’s note: This is my personal recommendation.)It may not be a popular opinion, and it’s certainly one that will raise the ire of some developers, but in the interests of future safety, those with periods in the US should delete these apps from their mobile devices. The convenience is simply not worth the risk of your data being used against you — not unless you are 100% sure that the period tracker you use is protected from laws outside the US and won’t be subject to future legislative changes that could force the developers to hand over your sensitive data. Either that or records held in the app cannot be connected to your name or identifying information. There are rallies and protests, certainly, but one thing many of us can do is to take control of our data privacy in small, marginal ways. Close off as many channels for law enforcement or government bodies to obtain data on your cycles, fertility, or any signs of pregnancy in the future, especially if you live in a state most likely to trigger a bill when (or if) Roe v. Wade is overturned. The data you generate to monitor your cycle, activities, sexual activity, and lifestyle habits, in some states, could become a weapon against you. It is up to period tracker software providers to examine the data they hold, for how long, and how best to protect their users. 

How else can I track my menstrual cycle?

The most secure option is the old-fashioned way — pen and paper. We may eventually see changes in app functionality, too. Towell believes that some apps with users in regions impacted by Roe v. Wade could “help users avoid stating an intention to avoid pregnancy, [but] this will come at the expense of the overall app functionality and experience.””At the very least, if brands want to maintain the trust of users they will need to clearly communicate the potential legal implications of using their app to users,” Towell added. “Unless reproductive rights are protected at the federal level, females will be forced to sacrifice personalized period prediction algorithms for the family-planning method that women have been using for centuries — pen, paper, and a calendar.” More

The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a certain timeframe.  CISA said it is “temporarily removing”  Microsoft’s May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerability Catalog. It said after admins apply Microsoft’s May 10, 2022 rollup security fixes to Windows Servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday. “Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” it said.”After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained. This issue only affects the update on Windows Servers used as domain controllers. CISA is still strongly encouraging admins to apply Microsoft’s May updates on client Windows devices and non-domain controller Windows Servers.  Microsoft describes CVE-2022-26925 as a Local Security Authority (LSA) Spoofing vulnerability. LSA allows applications to authenticate and log users on to a local system. Details of the bug have been publicly disclosed and exploits exist for it, according to Microsoft.  “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft says. The bug would have a severity score of 9.8 when it is chained with NTLM Relay Attacks on Active Directory Certificate Services (AD CS), Microsoft adds. The company noted the May 10, 2022 update addresses the vulnerability on all servers but urged admins to prioritize the update of domain controllers.CISA referred admins to Microsoft’s document KB5014754, which detail “certificate-based authentication changes on Windows domain controllers” concerning the May 10 updates for CVE-2022-26931 and CVE-2022-26923. These were an elevation of privilege vulnerability that can happen when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request, according to Microsoft. “Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways,” Microsoft says.  More