»RSA issued an advisory recommending customers not use a community-developed encryption algorithm that may contain a privacy-affecting backdoor. The algorithm in question – Dual_EC_DRBG – affects all versions of numerous RSA products. The recommendation came after a September announcement from the National Institute of Standards and Technology (NIST) advising individuals to not use Dual_EC_DRBG, and also arrived in the wake of leaked documents by Edward Snowden. The leaks revealed that the NSA pressured major tech companies into giving the agency backdoor access to encryption software and, in some cases, outright stole company encryption keys by hacking organizations’ servers.
»Along with the release of the iPhone 5s and 5c in September, came a number of bug discoveries in Apple‘s new iOS 7 software. One, a bypass flaw which could allow users to slip past Apple’s lock screen security feature, foreshadowed the swift release of iOS 7.0.2 – Apple’s update to the buggy iOS 7. Not long after, however, researchers found another bypass flaw, this time in Apple’s artificial intelligence technology Siri. The workaround could grant individuals access to users’ phone app, subsequently allowing them to dial anywhere they wish, listen to saved voicemails, view and change contact information, access photos, use Twitter, login to email and send texts.
»Soon after reissuing its September Patch Tuesday update due to install glitches, Microsoft was faced with another security concern affecting its widespread customer base: a zero-day vulnerability in its Internet Explorer (IE) web browser, which was being leveraged in targeted attacks against users. In mid-September, the tech giant released a temporary fix for the flaw in IE 8 and 9, which could allow an attacker to remotely execute malicious code in users’ browsers. The vulnerability impacts users running all supported versions of IE.
»As the compliance grace period for the updated Health Insurance Portability and Accountability Act (HIPAA) ended in late September, so expanded the legal responsibilities of third-party organizations handling protected health information. Major amendments to the security rule included measures that legally require “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications. In addition, the changes to HIPAA expands the definition of a business associate so that any subcontractor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered HIPAA-entity, must comply. Health information organizations, e-prescribing gateways and others that provide data transmission services for covered entities, were also designated as “business associates” in the updated rule.
»Erratum: In October’s cover story on medical devices, we misspelled the name of Axel Wirth at Symantec. Our apologies.