New Hacking Technique Revealed, Viruses in Online Video Subtitles

Check Point security group has released information revealing how hackers are now using online video subtitles as a source to transport viruses into personal computers, granting hackers to endless information for very little work.

This method of hacking requires a user to do nothing other than opening up their favorite videos online. According to a recent article, this is not even potential danger but is the real thing because it’s already being used successfully by the hackers.

Hackers are very knowledgeable and creative which is why most seem to be one step behind them in most cases. A few years ago people were panicking because of pop-ups, surveys, or phishing links. Now hackers are able to encrypt information by using techniques that can bypass many security products and it is more destructive than anything seen before.

This drastic increase in hackers using the technique of online video subtitles as a source to transport viruses is no surprise. Check Point stated they “estimate there are approximately 200 million video players and streamers” and online video streams have a massive audience making these defenseless targets very beneficial investments. Using this technique, these hackers are able to take complete control of a computer with minimal effort.

Big streaming sites such as VLC, Stremio, Popcorn Time, and others are assisting users in defense by providing updated patches for blocking viruses. Unfortunately downloading these patches is the only defense (other than completely avoiding online videos) and as we saw recently with the #WannaCry ransomware outbreak, counting on people to keep their systems patched seems to be too much to ask. Hopefully, that will begin to change.


Seth Tuma is a student at Santa Barbara City College in Santa Barbara, California.

Quiz: How much do you know about cybersecurity?

Here is an interesting little quiz that is actually quite informative. It is by the Pew Research Center so it seems legit. Thanks for originally sharing it, Kevin Keane:

How much do you know about cybersecurity?

UPDATED: Read what the results show about overall cybersecurity understanding


Are Smaller Healthcare Practices Required to Report a Ransomware or Potential Data Breach?

Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?

To many of you reading this post this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time next time I get asked the same question. What is worse, however, is I often hear people say — out of complete ignorance — “no, it is not a big deal.”

Let me be clear: it is a big deal – a very big deal – and if it is considered a “breach” then you are required to report. See this Guide for more information.

Healthcare professionals must understand just how important cybersecurity and privacy of patient protected health information (PHI) is to their practices: You can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.

Are ransomware attacks a data breach?

Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification, by default, unless you perform a risk assessment that considers four factors and determines there was no breach. See HHS FACT SHEET: Ransomware and HIPAA

The reason for this is because under what is called the CIA Triad of Cybersecurity. To maintain the security of data, you must ensure you maintain its confidentiality, integrity, and availability; when you have a ransomware attack encrypt your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the nature of the ransomware, some strains may exfiltrate data prior to the encryption, causing a failure to maintain confidentiality as well.

Is there a penalty for failing to notify?

 See also Professor Daniel Solove’s 2017 HIPAA Enforcement Update

Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to timely notify. Below are two notable cases where HHS has done this but it is important to note that the vast majority of the smaller ones are resolved with fines and compliance measures imposed at the investigation level:

Does HHS fine small healthcare practices?

Read these examples and decide for yourself:

If you would like more information about other HHS cases, read about these HHS Case Examples.


What are the 3 most important questions you should ask yourself now before you have an incident?

  1. Do you have privacy and cyber insurance coverage for your practice?
  2. Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
  3. Do you understand these 3 critical cybersecurity steps your organization must take?


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

WHDT World News Interviews Shawn Tuma about WikiLeaks’ CIA Vault7

See also: