Doctors Ignore Security, Expose Patient Data

I’m shocked that doctors refuse to listen to anyone. A billion medical images are exposed online, as doctors ignore warnings. Okay, I’m not that shocked.

It isn’t just the 35 million patients and the images of X-rays, ultrasounds and CT scans. Patient info is also exposed.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Privacy is such a 20th Century concept. And the issue has been seriously ignored by the medical profession, because doing something would involve money, and listening to someone who is not an MD.

About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.

You mean we can’t just keep doing things the way we’ve always done them?

267 Million Users’ Data Stolen From F*c*book

Are we surprised? Data Leak Exposes 267 Million Facebook Users.

A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.

At this point we don’t know if the data came from a breach at FB, or was a left-over from when their developer API allowed people access to the phone number, or if it was scraped from public profiles.

The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
[SNIP]
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.

Privacy is such a 20th Century concept.

Health Care Attacks During the Christmas Season

’Tis the Season. Or something. Criminals Pull Hard Before Xmas, Attack U.S. Health Industry.

Seems there was a big effort to hit health care before the holidays.

Colorado Department of Human Services, Sinai Health System, Cheyenne Regional Medical Center, Children’s Hope Alliance, and RiverKids Pediatric Home Health are a handful of the total number of healthcare providers impacted by data breaches just during December.

Tens of thousands of people had their data stolen.

For the year there were more than 750 attacks on health care providers.

’Tis The Season for Data Stealing

One Day, Three Credit Card Data Breach Notifications.

  • Wawa store, food market, coffee shop, gas pump
  • Islands restaurants (Most are in California, with rest mostly in Hawaii, Arizona and Nevada)
  • Champagne French Bakery Cafe

In all three cases, malware designed to collect magnetic stripe data was discovered on payment processing servers for card transactions.

If you’ve been to any of these businesses, you might need a new credit card.

The Future of Texting Is Broken

Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.

Can we PLEASE get some secure communications. Aside from Signal that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.

But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.

For the love of all things Holy. USE Signal.

1,000 Ransomware Attacks on Schools for 2019

Because they love to put stuff online, but can’t be bothered about security. Ransomware Hit Over 1,000 U.S. Schools in 2019.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets

Of course a lot of the problems for the past few years were caused by (or at least it was a contributing factor) unpatched, unsupported Windows machines. So I seriously doubt that the rest of this will happen. And the backups must be offline. (Ransomware will encrypt your RAID server.)

If you can’t update or upgrade, then you have no business putting stuff on the public internet. Unless dealing with ransomware is something you like to do. But schools and cities will continue to put insecure servers on the public internet, and then shriek about how it was “totally unexpected” when bad things happen.

Big Amazon Is Watching You

Massive surveillance of everything is in the hands of Amazon. What could go wrong? Amazon’s Ring Home Surveillance Network Raises Big Privacy Concerns.

According to Motherboard, police officers can request homeowners’ surveillance footage through Ring. In a statement, Ring said that law enforcement requests must be tied to an active investigation, and though the owner’s consent is required, a warrant isn’t necessary.

Edward Snowden’s privacy concerns are starting to sound less and less like paranoia.

And the terms of service will change over time. You know, that legally binding statement you agreed to when you opened the package. The fine print that no one ever reads, and changes regularly anyway.

More Ransomware Targeting Health Care

Because of course they are. At some point this stops being news. Zeppelin Ransomware Targets Healthcare and IT Companies.

And it is important to note that this is a phishing (may be spear phishing) attack on health care.

In a new report from Cylance, researchers have discovered the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, Cylance believes that they targeted MSPs in order to further infect customers via management software.

Because if you infect a service provider, you infect all of their clients. (I just said something about outsourcing of IT work…)

My take is still that doctors refuse to follow instructions that aren’t provided by doctors of higher status, but a lot of this is probably overworked people, and a good phishing campaign. With probably a little bit of “It won’t happen to me! What are the chances?” Welcome to the 21st Century.

NYPD Near Miss with Ransomware

Because outsourcing everything to the low bidder is perhaps not the best strategy in the 21st Century. NYPD Fingerprint Database Infected With Ransomware by Third Party Contractor.

So they outsourced the installation of some video equipment in a training location to a 3rd Party, who proceeded to plug an infected device into the NYPD network.

According to the New York Post, which first reported on the incident, the introduction of the malicious ransomware code was detected within a matter of hours. Still, even in that short period of time, the ransomware had proliferated to 23 other machines connected to the NYPD LiveScan fingerprint tracking system. At first, the NYPD thought the ransomware had been inserted maliciously, but after calling in the contractor and asking questions, the NYPD determined that the entire ransomware “attack” had been the result of simple negligence related to an infected device.

Near miss, I would say.

The size and scope of these ransomware attacks raises an interesting question: Why are hackers shifting their focus from corporations to public entities such as the NYPD? The easiest answer to that question is that these public sector entities cannot afford to be offline for more than a few hours at a time, and thus, are very amenable to paying a ransom.

CPO calls this a variation of the Supply Chain attack. If they attacked the contractor specifically, I could see that. But if it is just a contractor being careless, not so much.

Smith & Wesson’s Website Hit with Magecart

It happens to a lot of companies, but even so, I want to be extra pissed. Smith & Wesson Web Site Hacked to Steal Customer Payment Info.

Gun manufacturers are going to be a target of a lot of people.

American gun manufacturer Smith & Wesson’s online store has been compromised by attackers who have injected a malicious script that attempts to steal customer’s payment information.

This type of attack is called Magecart and is when hackers compromise a web site so that they can inject malicious JavaScript scripts into ecommerce or checkout pages. These scripts then steal payment information that is submitted by a customer by sending it to a remote site under the attacker’s control.
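As an added example (not from the original post, and not Smith &amp; Wesson’s code), here is the defender’s side of the paragraph above: a checkout-page audit that flags the conditions a Magecart injection creates, namely scripts from an origin the shop never approved, inline scripts, and a known script whose Subresource Integrity hash no longer matches. The HTML, origins and baseline hash are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the origins this shop legitimately loads scripts from.
# Script URLs are assumed to be absolute; a relative src is flagged as unknown.
ALLOWED_ORIGINS = {"https://shop.example", "https://cdn.example"}


def sri_sha384(script_body: bytes) -> str:
    """Subresource Integrity value for a script body (sha384-<base64 digest>)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


# Constructed baseline recorded at deploy time: the SRI digest of each known script.
BASELINE = {
    "https://cdn.example/checkout.js": sri_sha384(b"/* known-good checkout code */"),
}


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def audit_checkout_page(html: str) -> list:
    """Return a list of findings; an empty list means nothing looks injected."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if src is None:
            findings.append("inline <script> on checkout page")
            continue
        u = urlparse(src)
        origin = f"{u.scheme}://{u.netloc}"
        if origin not in ALLOWED_ORIGINS:
            findings.append(f"script from unexpected origin: {src}")
        expected = BASELINE.get(src)
        if expected and integrity != expected:
            findings.append(f"integrity attribute missing or changed: {src}")
    return findings


# Constructed sample page: one legitimate script with a matching SRI hash,
# one script pulled from a host the shop never approved, and one inline script.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example/checkout.js" integrity="%s"></script>
<script src="https://static-analytics.invalid/m.js"></script>
<script>/* ... */</script>
</body></html>
""" % BASELINE["https://cdn.example/checkout.js"]

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE):
        print(finding)
```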

If you have purchased anything from Smith & Wesson you should contact your bank about your credit card info.

It isn’t good. But it is life in the 21st Century.

Your After Holiday Security Update

Medical facilities are still getting hit with ransomware. Ransomware Locks Medical Records at Great Plains Health.

On Tuesday, GPHealth announced that it was canceling a large number of non-emergent patient appointments and procedures. This decision does not affect surgeries and select imaging procedures, which continued as planned.

Mel McNea, GPHealth chief executive officer, says that there is no reason to suspect that patient data was accessed but the organization will do a full audit, nevertheless.

My take is still that doctors refuse to follow procedures outlined by IT security professionals. They are not doctors!

In the ironic story of the week… Ryuk Ransomware Forces Prosegur Security Firm to Shut Down Network.

Spanish multinational security company Prosegur announced that it was the victim of a cybersecurity incident disrupting its telecommunication platform.

eCards are a problem? Color me shocked. Beware of Thanksgiving eCard Emails Distributing Malware. OK, I’m not that shocked, since eCards have ALWAYS been a bad idea.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last minute invoices. Users who fall for the emails and open the attached word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

Companies in The Netherlands are targeted. Dutch Govt Warns of 3 Ransomware Infecting 1,800 Businesses.

The three ransomware strains named by the NCSC are LockerGoga, MegaCortex, and Ryuk. All of them have been involved in attacks against businesses.

Yet another reason to not store passwords in your browser. New Chrome Password Stealer Sends Stolen Data to a MongoDB Database. This is actually a fairly common occurrence.

This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

Yet Another School Hit By Ransomware

Is this even news anymore? When do we start looking at the number of schools not hit with ransomware? Livingston School District in New Jersey Hit With Ransomware.

Students at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.

There is little other real information. The district made some “reassuring statements” that didn’t cross over into lies, but were probably close.

“Our understanding is that these criminals do not typically steal data, but rather render the systems unusable”

While true, it is not an assurance that no data was stolen. And then of course Bleeping Computer cites an instance where encrypted data was stolen, and released because no ransom was paid.

DNS over HTTPS – or – Why is your ISP spying on you?

UPDATED: to reflect a newer version of the VPN list from Torrent Freak.

DNS over HTTPS, or DoH, has been in the news, because, it turns out, your Internet Service Provider, or your cellphone carrier if you are using them, is spying on your internet access. Everything you do on the internet. Why aren’t you using a VPN? If you EVER do ANYTHING on a public WiFi, you should have a VPN that you trust. (Hint: You CANNOT trust a VPN that is Free. You also can’t trust all of them that you pay for. TorrentFreak is your friend.) A video version of the story is at this link: Security Now Episode 740. And the Show Notes are at this link.

Incidentally, you can bypass all of this nonsense on Android and iOS by downloading and running the 1.1.1.1 app. (Available in both stores.) This is Cloudflare’s solution. And while that means you are trusting Cloudflare, Mozilla has done a credible job of vetting them, and will keep them on their toes. And they are certainly more trustworthy than Comcast, Verizon, et al. Note that 1.1.1.1 is NOT a complete VPN. If you run a VPN (see the Torrent Freak link) this problem of your ISP spying on you is less of an issue.

DoH prevents the ISPs from doing some simple spying, which is why Comcast is so upset, they have to spread Fear, Uncertainty and Doubt all over the place. Six of the seven major web browsers are implementing DoH, it just isn’t on by default yet. Well as usual, it isn’t clear what Apple is doing, since they almost never answer questions.

Brave

Tom Lowenthal, Product Manager at Brave for Privacy & Security told ZDNet: “We absolutely want to implement it. Implementing DoH is far more than just the technical work, though. We need to decide on sensible and protective defaults for the vast majority of people who don’t think about their DNS configuration while making sure that we don’t break things for the people and organizations who have carefully tuned their setup.” Because Brave is built on top of the Chromium open-source browser codebase, DoH support is available. However, the Brave team has yet to tweak the feature so that it works exactly the way they wish. So DoH is already there in the codebase the way the Google Chrome team designed it to work, as we’ve previously described. DoH in Brave can be enabled at: brave://flags/#dns-over-https

Chrome

As we know, Google Chrome is the second browser after Firefox to add DoH support. DoH isn’t yet enabled by default for everyone since Google is currently running a limited experiment with a small number of users to see how DoH fares in a real-world test. As we’ve noted, they take an adaptive approach, first honoring the user’s existing DNS provider to see whether it supports DoH and using it if possible. If not it follows various heuristic paths. DoH in Chrome can be enabled at: chrome://flags/#dns-over-https

Edge

A Microsoft spokesperson told ZDNet that they were supportive of DoH, but they couldn’t share their exact plans. However, like Brave, the soon-to-be-released Chromium-based version of Edge already supports DoH. DoH in Edge can be enabled at: edge://flags/#dns-over-https Additional thoughts, tips and tricks from an Edge developer are here: https://textslashplain.com/2019/11/06/thoughts-on-dns-over-https/

Firefox

As we know, Firefox was the first out of the gate with DoH and took some undeserved, in my opinion, arrows in its back for simply standardizing upon Cloudflare as their DoH provider. No one took the time to understand how rigorously Mozilla vetted Cloudflare. And many people who don’t listen to this podcast might mistakenly believe that Cloudflare is just another CDN. But anyone who can erect a large wall of Lava Lamps and use their video images to generate true random numbers definitely stands out as an innovator. Which is what we know them to be. DoH can be enabled in Firefox through its Settings UI.

Opera

Opera has already rolled out DoH support. The feature is disabled by default for all users but it can be enabled at any time in the stable release, and it works without users going through any additional steps. The flip side of the “no additional steps” is that Opera has followed Firefox’s lead and simply routes all DoH traffic to Cloudflare’s 1.1.1.1 DoH resolver. Users of Opera’s popular VPN should note, however, that the two are incompatible and the VPN must be disabled for DoH to work. On the other hand, if you’re using a VPN you already have a privacy-encrypting tunnel which zips right past your ISP or service provider, so DoH is not needed in VPN mode. DoH can be enabled in Opera at: opera://flags/opera-doh

Safari

ZDNet was unable to obtain any reply from Apple about Safari but ZDNet notes that since Apple has recently been investing in user privacy-focused features, the chances are good that DoH will eventually appear in Safari.

Vivaldi

Being yet another Chromium-based browser, Vivaldi also works like Chrome. DoH can be enabled in Vivaldi at: vivaldi://flags/#dns-over-https

Hospital Ransomware Attacks Cause Deaths

What a shock. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Do you think that security is worth anything? Do you think that doctors will actually follow recommendations from someone who isn’t a doctor?

BlueKeep Is a Threat. Not That Systems Will Be Updated

But just like the idiots who ignored the warnings before WannaCry took down a couple of businesses and the UK’s NHS, I predict that people won’t heed this warning. Microsoft Warns of More Harmful Windows BlueKeep Attacks, Patch Now.

BlueKeep is out there in the wild. What has been seen to date is cryptomining malware. But really once you’re in, you can do anything, so everyone in the know is betting that ransomware is on the way.

So if you haven’t updated your systems… well I hope you enjoyed the internet while you could.

Does a Hospital Getting Hit with Ransomware Count as News?

I’m leaning toward not news. Brooklyn Hospital Loses Patient Data In Ransomware Attack.

The hospital provided very little information, except to say that the attack happened in July. There was an investigation, and attempts to recover the files in the intervening months.

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Does it need to be stated again? Organizations have decided that backups are not needed. (People have decided that as well, both are wrong.) Or in other cases, they have a backup server which is online to their network, and that gets encrypted as well. At least some of the backups need to be offline.

Does a School Getting Hit with Ransomware Qualify as News?

And are they ever going to learn? Ransomware Attack Causes School ‘District-Wide Shutdown’.

At least the Las Cruces Public Schools didn’t cancel classes because the computer network was shut down.

Swift action does not save the day

The district activated the crisis response team and is working to restore critical services. It is unclear at this point how long the systems will be down.

The IT department discovered early Tuesday morning (7 a.m.) that some servers were compromised and reacted quickly by shutting down the entire computer network of the district.

Communication with schools in the district is done via phones and handheld radio stations.

However will they survive without the Internet?

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and Simjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.

Two months to go.

Adware Found in Google Play Store Apps

Because of course it is. New Google Android Malware Warning Issued To 8 Million Play Store Users.

Adware is a type of malware that hides on your device so it can serve you unwanted adverts, including scam ads. On top of this, adware-containing apps can drain battery resources, increase network traffic and gather your personal information.

No one seems to be able to produce a simple list of the apps in question. Everyone is just reproducing the image published by ESET. So here’s a link to the image at Forbes.

Even legitimate apps seem to collect an awful lot of data, usually by way of their integration with F*c*book, and even if you aren’t logged into FB, or even if you don’t have an account. Malware is of course over the top.

All of the impacted apps have been removed from the Play Store, but some are available from other locations.

Since I had a story on the Apple problems yesterday…

German Cybersecurity Agency Recommends Firefox

News you can use. German Cybersecurity Agency Picks Firefox As Most Secure Browser.

Bundesamt für Sicherheit in der Informationstechnik (BSI), or the Federal Office for Information Security of the German government, evaluated a group of browsers: Google Chrome, Apple’s Safari, Microsoft Edge and Internet Explorer, and Mozilla’s Firefox. (Their testing criteria are listed at the bottom of this post.)

Firefox was the only one that passed.

The details of the things BSI was looking for are available in the Show Notes for Security Now #737. And I can recommend the Security Now Podcast episode 737. They are included after the break.
