This digest of cybersecurity news is curated by the Internet Security Alliance and Direct Computer Resources (DCR). DCR has been an ISA Board Member since 2008.
'All wifi networks' are vulnerable to hacking, security expert discovers
The Guardian, October 16 — The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness. Mathy Vanhoef, a security researcher at the Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2 and published details of the flaw on Monday morning. “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef’s report said. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.” Vanhoef emphasised that “the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.” The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others. “If your device supports wifi, it is most likely affected,” Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).” The researchers have given the weakness the codename KRACK, short for Key Reinstallation AttaCK. The United States Computer Emergency Readiness Team (US-CERT) issued a warning on Sunday in response to the vulnerability. ... Read More.
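The article names the attack but not its mechanism. KRACK replays message 3 of the WPA2 four-way handshake so that the client reinstalls the pairwise key it is already using; the 802.11 state machine then resets the packet number that serves as the per-frame nonce, and the same keystream is used for a second frame. The script below is an added example, not code from Vanhoef's paper or from any vendor, that models that state machine in Python and shows what an eavesdropper gains from the repeated nonce. To stay self-contained it substitutes an HMAC-SHA256 counter-mode keystream for AES-CCMP (an assumption; the property that matters, keystream determined by key and nonce alone, is the same), and the Station and PatchedStation classes, the key and the two frame contents are constructed for illustration.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Wi-Fi uses AES-CCMP, also a counter mode; this
    stdlib HMAC-SHA256 stand-in (an assumption for self-containment) shares the
    property that matters here: the bytes depend only on (key, nonce), so a
    repeated nonce under the same key repeats the keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Transmit state of a Wi-Fi client: the pairwise key and the 48-bit packet
    number (PN) used as the per-frame nonce. PN must never repeat under one key."""

    def __init__(self):
        self.key = None
        self.pn = 0

    def install_key(self, key: bytes):
        # 802.11 resets the packet number whenever a key is installed. KRACK replays
        # handshake message 3 so that the *same* key is installed a second time.
        self.key = key
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


class PatchedStation(Station):
    """Shape of the client-side fix: refuse to reinstall the key already in use,
    so a replayed handshake message cannot reset the packet number."""

    def install_key(self, key: bytes):
        if self.key is not None and key == self.key:
            return
        super().install_key(key)


def recover_from_nonce_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share (key, nonce) then c1 ^ c2 == p1 ^ p2, so a known or
    guessable p1 yields p2 with no knowledge of the key at all."""
    return xor(xor(c1, c2), known_p1)


def simulate(patched: bool = False) -> dict:
    """Run the replay scenario against a vulnerable or patched station and report
    what a passive attacker recovers. Both frames are constructed sample data of
    equal length (26 bytes) so the XOR relation lines up byte for byte."""
    ptk = os.urandom(16)                       # pairwise key from the 4-way handshake
    sta = PatchedStation() if patched else Station()
    sta.install_key(ptk)                       # genuine message 3: key installed, PN = 0

    p1 = b"GET /index.html HTTP/1.1\r\n"       # predictable request the attacker can guess
    n1, c1 = sta.encrypt(p1)                   # captured over the air

    sta.install_key(ptk)                       # attacker replays message 3: key reinstalled

    p2 = b"Cookie: session=deadbeef\r\n"       # the secret the attacker wants
    n2, c2 = sta.encrypt(p2)                   # captured over the air

    return {
        "nonce_reused": n1 == n2,
        "recovered": recover_from_nonce_reuse(c1, c2, p1),
        "secret": p2,
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = simulate(patched)
        print("patched" if patched else "vulnerable", result["nonce_reused"], result["recovered"])
```

The vulnerable run recovers the second frame verbatim from the two ciphertexts and one guessed plaintext; the patched run leaves the attacker with the XOR of two unrelated keystreams. This is also why the fix belongs in the client rather than in the access point configuration: the key itself is never exposed, only the nonce discipline around it is broken.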
OnePlus dials back data collection after users protest
ZD Net, October 16 — Smartphone maker OnePlus has said it will now give users the choice to opt in to its data collection program after complaints about the amount of data the company was recording. The type and frequency of OnePlus' data collection was revealed last week by UK-based software engineer Christopher Moore, who found the company was collecting not only unique device identifiers but also his wireless network identifiers, his phone number, details of when he unlocked the phone, and the exact times he was using specific apps such as Outlook and Slack. The details OnePlus was collecting allowed it to tie device and app usage to each device and phone number, which Moore argued was unnecessary. After probing OnePlus' support team over Twitter about the issue, he found that unless he rooted his phone there was no way to disable this data collection, which happens via the OxygenOS system services OnePlus Device Manager and OnePlus Device Manager Provider. OnePlus co-founder Carl Pei has now responded to growing criticism of the telemetry system, telling users on the company's forum that it takes data privacy "very seriously". ... Read More.
Homeland Security orders federal agencies to start encrypting sites, emails
ZD Net, October 16 — Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government. Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which secures data in transit and also ensures that nobody can alter the contents of the website you're visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks. Now Homeland Security has set its sights on government agencies, which have for years fallen behind. The agency has issued a binding operational directive giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email. The agency is also requiring all federal agencies to employ HTTPS within the next four months. If you thought the government already had that policy, you're not wrong: in 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don't support basic website encryption. ... Read More.
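The article says that enabling DMARC will stop spoofing of federal addresses, but that is only true once the published record tells receivers to reject non-aligned mail; a record with p=none produces reports and blocks nothing, and pct or sp settings can quietly narrow an otherwise enforcing policy. The following is an added example, not part of the article or of the DHS directive, that parses DMARC TXT records in Python and lists what keeps each one short of enforcement. The four domains and their records are constructed for illustration and are not real agency records.

```python
from typing import Dict, List

# Constructed sample records for hypothetical domains; none are real agency records.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@agency-c.example",
    "agency-d.example": "",  # nothing published at _dmarc.agency-d.example
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the gaps between this record and an enforcing DMARC deployment.
    An empty list means mail failing SPF/DKIM alignment for the domain and its
    subdomains is rejected outright and aggregate reports are being collected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers neither report nor block mail spoofing this domain"]

    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    elif policy != "reject":
        findings.append(f"missing or unknown policy tag p={policy!r}")

    # pct defaults to 100; anything lower applies the policy to a sample of failing mail.
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")

    # sp defaults to p; a weaker subdomain policy leaves sub.agency.example spoofable.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who spoofs the domain are discarded")
    return findings


def is_enforcing(record: str) -> bool:
    """True only when non-aligned mail is rejected for the domain and all subdomains."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    return (
        tags.get("v", "").upper() == "DMARC1"
        and policy == "reject"
        and tags.get("pct", "100") == "100"
        and tags.get("sp", policy).lower() == "reject"
    )


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Assess a batch of domain -> record pairs, e.g. every domain an agency owns."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        status = "ENFORCING" if is_enforcing(SAMPLE_RECORDS[domain]) else "NOT ENFORCING"
        print(f"{domain}: {status}")
        for finding in findings:
            print("   -", finding)
```

The script performs no DNS lookups, so it runs offline; for a live domain, fetch the record with `dig TXT _dmarc.<domain> +short` and pass the quoted string to `assess_dmarc()`. Only agency-c in the sample set would actually cause a receiver to drop a spoofed message.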
These fake tax documents spread jRAT malware
ZD Net, October 16 — jRAT malware users targeted US taxpayers with fake IRS tax documents, and now the same trick is being used to infect UK users, this time with bogus VAT return forms supposedly from Her Majesty's Revenue & Customs (HMRC). jRAT, or Java RAT, is also known as Adwind, Jackbot and several other names; it is sold as a service with features such as keystroke logging, stealing data from web forms, taking screenshots, capturing content from a device's camera and microphone, and more. One of its key selling points is that it can run on Windows, macOS, Linux, and Android. The malware is typically spread via mass email. According to security firm Trustwave, the email campaign targeting British users arrives with the subject "VAT Return Query" and an embedded image of a PDF. The text asks the recipient to read the document to resolve errors in the attachment, but there is no actual attachment: the image of the PDF conceals a link that points to a ZIP archive hosted on Microsoft's OneDrive, which, when unzipped, extracts the jRAT malware. Trustwave notes that jRAT is popular with criminals because at $29 it's dirt cheap and offers a number of configurations to stop security products from detecting it. This sample also disables the Windows Task Manager and System Restore and writes a Windows registry entry. The company notes it has seen an uptick in phishing campaigns that use Microsoft SharePoint and OneDrive. ... Read More.
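The lure Trustwave describes, a picture of a PDF that is really a link to an archive on OneDrive, is a pattern that can be matched on the message HTML before anyone clicks it. The following is an added detection example, not Trustwave's or Microsoft's code, that walks an email body with Python's html.parser and flags anchors whose only visible content is an image and whose target is a file-sharing host, raising the severity when the URL names an archive or the image's alt text promises a document the link does not deliver. The sample email, the host list, the extension list and the severity labels are constructed for illustration and should be tuned for your own environment.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Sharing hosts abused by the campaign described above; extend for your environment.
CLOUD_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")
# jRAT is a Java RAT, so a .jar is as interesting as the .zip that wraps it.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".jar")

# Constructed sample message: one lure link, one benign image link, one text link.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer,</p>
<p>Please review the VAT return query below and correct the errors in the attachment.</p>
<a href="https://onedrive.live.com/download?resid=ABC123&amp;file=VAT_Return_Query.zip">
  <img src="cid:pdficon" alt="VAT_Return_Query.pdf">
</a>
<a href="https://contoso.sharepoint.com/:f:/s/Finance/shared"><img src="cid:folder"></a>
<a href="https://example.com/logo.png"><img src="cid:logo" alt="logo"></a>
<p>Regards,<br>HMRC</p>
<a href="https://www.gov.uk/">Visit our site</a>
</body></html>"""


class ImageLinkCollector(HTMLParser):
    """Collects every <a href="..."> whose visible content is an image and no text,
    which is the 'click the PDF icon' construction used by this lure."""

    def __init__(self):
        super().__init__()
        self.links: List[dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "img": False, "alt": "", "text": ""}
        elif tag == "img" and self._current is not None:
            self._current["img"] = True
            self._current["alt"] = attrs.get("alt") or ""

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def _on_share_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in CLOUD_SHARE_HOSTS)


def _names_archive(url) -> bool:
    # Download URLs often carry the file name in the query string rather than the path.
    target = (url.path + "?" + url.query).lower()
    return any(ext in target for ext in ARCHIVE_EXTENSIONS)


def scan_email_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per image-only link that points at a file-sharing host."""
    collector = ImageLinkCollector()
    collector.feed(html)
    findings: List[Dict[str, str]] = []
    for link in collector.links:
        if not link["img"] or link["text"]:
            continue  # has visible text or no image: not the icon-as-link pattern
        url = urlparse(link["href"])
        host = (url.hostname or "").lower()
        if not _on_share_host(host):
            continue
        reasons = ["image-only link to file-sharing host " + host]
        if _names_archive(url):
            reasons.append("URL names an archive file")
        if link["alt"].lower().endswith(".pdf") and not url.path.lower().endswith(".pdf"):
            reasons.append("image claims a PDF but the link does not deliver one")
        findings.append({
            "href": link["href"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reason": "; ".join(reasons),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding["severity"].upper(), finding["href"], "->", finding["reason"])
```

Fed the HTML part of an inbound message, the scanner flags the OneDrive ZIP lure as high and the bare SharePoint folder link as medium, and ignores the newsletter-style logo link and the plain text link. Matching on the hidden-link structure rather than on the sender or subject is what keeps the rule useful once the campaign swaps HMRC for the next brand.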
Bad passwords and weak security are making ships an easy target for hackers
ZD Net, October 16 — Commercial shipping vessels have such poor cyber security that it's possible to track them down and hack into them via poorly secured communications systems. Ken Munro, a security researcher at Pen Test Partners who has documented the lapses in security, said they are "simply not acceptable". Many of the problems stem from the fact that ships traditionally ran on dedicated, isolated networks which weren't connected to the outside world, meaning that network security wasn't really an issue so long as physical security was in place to stop outsiders boarding the ships to tamper with computers. Now ships have evolved to become connected industrial control systems which happen to float and sail around the world's oceans. Shipping vessels are now rife with complex always-on connected systems, as well as internet connections for crews, electronic navigation systems and more. The problem is that while the maritime industry has evolved to use modern internet-connected technologies, the operational security of ships hasn't always kept up. One example: many of the satellite communication terminals employed on ships — including some from big brands in the maritime space such as Inmarsat, Telenor and Cobham — are discoverable on Shodan, a search engine which finds Internet of Things devices around the world. In some cases the default credentials 'securing' these systems are as dangerously simple as admin/1234, potentially leaving them open to misuse by attackers who know what they're looking for and are familiar enough with shipping infrastructure to take advantage of systems whose logins and passwords haven't been changed. ... Read More.
Former Nurse Convicted of Theft of Patient Information and Tax Fraud
HIPAA Journal, October 16 — A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee. 41-year-old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals. According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook. ... Read More.
What people say about privacy, and what they mean
Ogilvy, October 16 — Privacy matters to consumers — but pizza matters more. In a recent study entitled The Digital Privacy Paradox: Small Money, Small Costs, Small Talk, researchers found that the smallest incentives, like free pizza, were enough to prompt otherwise savvy MIT students to relinquish their personal data. The authors of the paper, Susan Athey, Christian Catalini and Catherine Tucker, explored how “notice and choice” can limit the ability of consumers to safeguard their own privacy. “Notice” gives consumers information about data collection and use, and “choice” lets them decide whether or not to allow their data to be used in such a way. The report highlights a stark disconnect between what people say about data privacy and how they actually behave in day-to-day life. The study uses data from MIT’s digital currency experiment, in which every undergraduate student at MIT was offered $100 worth of Bitcoin and had to make three digital privacy choices: whether or not to disclose the contact details of their friends, whether or not to maximise the privacy of their transactions from government and commercial bodies, and whether or not to take additional measures to protect their privacy. “In all of these cases, privacy-decreasing decisions take place regardless of stated preferences for privacy,” write Athey, Catalini and Tucker. For instance, when offered free pizza, many students were willing to provide the email addresses of their friends, despite having previously stated they would not. ... Read More.
Review asks for tighter Medicare card privacy controls from Human Services
ZD Net, October 16 — A review into health providers' access to the Health Professional Online Services (HPOS) system, and in particular access to Medicare card information, has requested that the Australian government move the authentication location of HPOS into the "more secure" Provider Digital Access (PRODA) platform as a means to tighten the security controls around card information and other personally identifiable elements. Authentication for HPOS is currently run via public key infrastructure (PKI), but the three-year transition requested by the review panel would see this step handled by PRODA — an online authentication system based on a username, password, and verification code to log in, run by the Department of Human Services (DHS). As such, the committee wants to see the terms and conditions for HPOS, PKI, and PRODA simplified and presented to users in a form that ensures that they "fully appreciate the seriousness of their obligations". In total, the Final Report of the Independent Review of Health Providers' Access to Medicare Card Numbers details 14 recommendations the review panel said have been made to improve the security of Medicare card numbers within the HPOS system, while continuing to support access to health services without unnecessarily increasing the administrative workload faced by health professionals. As of June 30, 2017, 24.9 million individuals were eligible for Medicare, the report noted, and there were 14.1 million active Medicare cards. ... Read More.
Equifax website hack blamed on drive-by download attack
Hyatt Hotels Suffers International Payment Card Data Breach
Data Breach Today, October 13 — For the second time since 2015, Hyatt Hotels has suffered a breach of customers' payment card data due to attackers infecting its systems with malware. The Chicago-based hotel chain says the latest breach lasted for more than three months this year and affected a total of 41 properties in 11 countries. The breach ran from March 18 to July 2, when Hyatt discovered the intrusion, according to a Hyatt data breach notification issued Thursday by Chuck Floyd, global president of operations at the hotel chain. "Hyatt's cybersecurity team discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations," according to Hyatt's breach FAQ. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities." That investigation discovered malware infections at 41 properties — including 18 in China, which was the most affected country. In the United States and its territories, seven properties were breached, including three in Hawaii, three in Puerto Rico and one in Guam. Other affected countries included Brazil, Colombia, India, Indonesia, Japan, Malaysia, Mexico, Saudi Arabia and South Korea. Hyatt says it appears that only data from payment cards — comprising the cardholder name, card number, expiration date and internal verification code — was stolen. "There is no indication that any other information was involved," Hyatt says. ... Read More.
Getting the Most Out of Cyber Threat Intelligence
DARKReading, October 13 — Today’s security environment is complex, ever changing, and sometimes even political. Many organizations struggle to keep current about the cyber threats they face. This is due to a number of issues, ranging from the failure to adapt security recommendations to the specific needs of an organization, to an overemphasis on malware instead of the human adversary. Adding to the struggle is the fact that every organization is different. For example, inside an industry vertical you may find political or regional differences beyond just technical ones. There may be differences in how one division within an organization approaches security in comparison to other divisions within the company. These division-based differences can be the result of varying organizational missions or business units. Each disparity impacts the organization’s overarching threat model and its understanding of its threat landscape. Over the years defenders have taken a tool-centric approach. But technology alone won't stop a well-focused and funded human adversary. While technology is great at synthesizing data, limiting the attack space, and making human analysts more efficient, at the end of the day it is a human adversary vs. human defender contest — and it must be treated as such. ... Read More.
Amida Care Mailing Potentially Revealed HIV Status of its Members
HIPAA Journal, October 13 — The New York not-for-profit community health plan Amida Care has reported a HIPAA breach that has potentially impacted 6,231 of its members. Amida Care specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions such as HIV. On July 25, 2017, Amida Care sent a flyer to some of its members who had contracted HIV, advising them of an opportunity to take part in an HIV research project. The double-sided flyers contained details of the HIV research project on one side, and information on an Amida Care Summer Life Celebration event on the other. The decision had originally been made to send out the flyer in windowless envelopes, and those instructions were provided to the mailroom. However, due to a fault with the envelope printer, and in order to make sure individuals received the flyer in time, the decision was made to send out the flyer in windowed envelopes. ... Read More.
500 million PCs are being used for stealth cryptocurrency mining online
ZD Net, October 13 — A new report suggests hundreds of websites have taken The Pirate Bay's lead and are now using visitor PCs to mine cryptocurrency without the consent of users. A month or so ago, torrent search website The Pirate Bay raised concern among the community as visitors noticed their CPU usage surged whenever a page was opened. At first, some worried that malvertising or embedded malware was at play; however, when the domain's operators realized the game was up, they admitted the power surge was due to a "small experiment" in cryptocurrency mining. Cryptocurrency, such as Bitcoin or Monero can be "mined" and acquired through computational power. If enough PC owners donate power, then mining can be a way to rake in revenue. ... Read More.
A Conversation With the Cyber Gang 'The Dark Overlord'
Data Breach Today, October 13 — A discussion with ISMG Security and Technology Editor Jeremy Kirk about his chat with the cyber gang "The Dark Overlord," which threatened some U.S. school districts with extortion, leads the latest edition of the ISMG Security Report. Also in the Security Report, you'll hear: An update on soaring employment among information security practitioners; and Barclays' Christopher Greany, managing director and head of group investigations and insider threat program, discuss how Europe's pending General Data Protection Regulation would have an impact on an Equifax-type breach. Greany will be on a panel that will address the long-term implications of the Equifax breach at the ISMG Fraud and Breach Prevention Summit in London that begins on Tuesday. ... Read More.
This nasty new Android ransomware encrypts your phone — and changes your PIN
ZD Net, October 13 — A new form of Android ransomware encrypts victims' data and changes their PIN, making it almost impossible to get their files back without paying a ransom. Dubbed DoubleLocker by the researchers at ESET who discovered it, the ransomware is spread as a fake Adobe Flash update via compromised websites. Once downloaded onto the device, the fake Adobe Flash app asks the user to activate 'Google Play Services'; what is actually being granted is a series of permissions via accessibility services, a function designed to help people with disabilities use their phone. These include retrieving window content, turning on enhanced web accessibility for the purpose of installing scripts, and observing typed text. The same technique of abusing accessibility services has previously been used by data-stealing Android trojans, but this is the first time it has been seen in ransomware. Once given those permissions, DoubleLocker sets itself as the default Home application, so the next time the user goes to their home screen they are faced with a ransom note. "Setting itself as a default home app — a launcher — is a trick that improves the malware's persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn't know that they launched malware by hitting Home," says Lukáš Štefanko, malware researcher at ESET. ... Read More.
DEFCON hopes voting machine hacking can secure systems
TechTarget SearchSecurity, October 12 — A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing. It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future. Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that "last year's attack on America's voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years — potentially more serious than any physical attack on our Nation." "Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging," Lute wrote. "In short, this is a serious national security issue that strikes at the core of our democracy." ... Read More.
Kaspersky Lab and the AV Security Hole
DARKReading, October 12 — With Moscow-based Kaspersky Lab under the gun for its software reportedly helping Russian cyberspies steal classified US data, some security experts say the same sort of theft the company is alleged to have enabled could have been pulled off using any other antivirus software, and without any vendor participation. The Wall Street Journal on Wednesday cited knowledgeable sources as saying that Kaspersky Lab actively modified its anti-virus system so Russian agents could use it as a tool to search through and steal from computers running the vendor's software. The WSJ report was the latest twist in a rapidly evolving and sometimes bizarre story involving Kaspersky Lab, Israeli intelligence agents, Russian cyber spooks, and the US government. The WSJ was the first to break the story when it reported last week that in 2015 Russian agents had used Kaspersky Lab's systems and network to steal highly classified material from the computer of a contractor who worked for the US National Security Agency (NSA). In separate subsequent reports, the WSJ, New York Times, and Washington Post said the Russian hackers had used Kaspersky Lab's systems and network to search through computers worldwide that had the AV vendor's software installed on them. The Russian cyberspies were apparently looking to see if they could find and pilfer from systems containing data on classified US government programs. Those searches, which involved the use of specific keywords such as "Top Secret" and "Classified," eventually led them to an Internet-connected home computer of an NSA contractor that happened to be running Kaspersky's antivirus software. The home computer contained highly sensitive data on NSA penetration testing and cyber offense tools, stored in complete violation of the agency's rules.
It remains unclear at this point if the Russian spies succeeded in finding and stealing additional classified US government information from any other computers running Kaspersky's AV software. ... Read More.
PHI of 10,500 Patients of an Illinois Psychiatrist Exposed
HIPAA Journal, October 12 — The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist — Dr. Riaz Baber, M.D. — have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years. The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access. Jarvis-Neavins said she wanted to report the presence of the files — and that she could access the storage area — but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement — including the FBI — and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5. ... Read More.
How Should You Respond to an Accidental HIPAA Violation?
HIPAA Journal, October 12 — The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, if an email containing PHI is sent to the wrong person, or if any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and potentially penalties for your employer. ... Read More.