Category Archives: Breach

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, who has the least security expertise is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have less the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

 

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones which, if Samsung can figure out what is happening, they may be able to develop a patch and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While US Gov Tries to Ban Huawei Devices, the UK Gov only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Hauwei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Hauwei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC .

 

Facebooktwitterredditlinkedinmailby feather

Lessons From LabCorp

As I wrote last week, LabCorp, the mega medical lab testing company (mega as in revenue around $10 billion last year) was breached and  they have provided some interesting insights as they have been forced to detail to the SEC some of what happened last week when they had to shut down large parts of their network unannounced, putting a stop to testing of lab samples, both in house and on the way.

From what we are gleaning from their filings, they were hit with a ransomware attack, likely a SamSam variant which seems to have an affection for the healthcare industry.

They claim that their Security Operations Center was notified, we assume automatically, when the first computer was infected.

That, by itself, is pretty amazing.  I bet less than one percent of U.S. companies could achieve that benchmark.

Then, they say, they were able to contain the malware within 50 minutes of the first alert.  That too is pretty amazing.  In order to that, you have to know what you are dealing with and how it spreads.  Then you have to figure out which “circuit breakers” to trip in order to contain the malware.  The City of Denver was hit with a Denial of Service attack a couple of years ago and it took them, they say, a couple of hours to figure out how to disconnect from the Internet.  That is more typical than what LabCorp was able to do.

The attack started at around midnight, of course, when the least number of people were around to deal with it.  If you factor that in to the 50 minute containment time, that is pretty impressive.

However, in that very short 50 minute interval, 7,000 systems were infected including 1,900 servers.  Those numbers are not so good.  Of the 1,900 servers, 300 of these were production servers.  That is really not so good.

One of the attack vectors of SamSam is an old Microsoft Protocol called Remote Desktop protocol or RDP.

RDP should never  be publicly accessible and we don’t know if it was here and if used internally, it should be severely limited and where it is needed, it should require multifactor authentication.  While we don’t know, it is likely that this was the attack vector and they did not have multifactor authentication turned on.  Hopefully as part of their lessons learned, they will change that.

Within a few days they claimed they had 90% of their systems back.  It is not clear whether that is 90% of 7,000, which would be quite impressive or 90% of 300, which would be much less impressive but still good.

So what are the takeaways from this?

These conclusions are based mostly on what we can interpret, since they are not saying much.  This is likely because they are afraid of being sued and also what HIPAA sanctions they might get.

  • They seem to have excellent monitoring and alerting since they were able to detect the attack very quickly.
  • They also must have a good security operations center since they were able to identify what they were dealing with and contain it within 50 minutes.
  • On the other end of the spectrum, the malware was able to infect 7,000 machines including some production machines.  They probably need to work on this one.
  • Assuming RDP was the infection vector, that should not have happened at all – they lose points for this one.
  • They were able to restart a significant number of machines pretty quickly so it would appear that they have some degree of disaster recovery.
  • On the other hand, given that they had to shut down their network and stop processing lab work, it says that their business continuity process could use some work.
  • Finally, they claim that they were able to KNOW that none of the data was removed from the network.  I would say that 99% of companies could not do that.

Overall, you can compare how your company stacks up against LabCorp and figure out where you can improve.

Using other company’s bad luck to learn lessons is probably the least expensive way to improve your security.

I suggest that this is a great breach from which to learn lessons.

Information for this post came from CSO Online.

 

 

 

Facebooktwitterredditlinkedinmailby feather

The Ugly Version of Ransomware

As hackers are discovering that some organizations are opting to not pay the ransom after a ransomware attack, either because they have backups or they do not want to support criminals, the criminals are changing tactics – something we warned about months ago.

In this case, CarePartners, a home healthcare service provider in Ontario announced last month that it had been breached.  At that time it said that personal health and financial information of patients had been inappropriately accessed and nothing more.

This is where the ugly starts.

Since CarePartners was managing spin and, apparently, not telling the whole story, the hackers reached out the CBC News and spilled the beans.

They provided a sample of the data that was involved in the ransom and said that they were going to release it if the ransom was not paid.  Of course, there is no way to know if they will release it, even if the ransom is paid.

The “sample” includes thousands of patient medical records with phone numbers, addresses, birth dates, health ID numbers, detailed medical conditions, diagnoses, surgical procedures, care plans and medications.

Other documents shared include credit card numbers and related information.

Now CarePartners says the breach could affect up to 237,000 patients.

Since this particular ransom attack took place in Canada, the penalties would be governed by PIPEDA, the Canadian privacy law, which is pretty tough.

What does this mean for you?

First, you should plan for the worst case situation of a ransom attack where the attacker says that if you don’t give us the money, we are going to release your data publicly.  OUCH!

Second, be ready to figure out what the attackers took.  A month after the attack, CarePartners said that they have identified 627 patient files and 886 employee records that were accessed, but the “partial” data provided to CBC News contained 80,000 records.  HUH?!

Next, apparently, the servers did not have current patches installed.  They were two years out of date.

And then, the data was not encrypted.

When CBC News contacted some of the people matching the records that the hackers gave them, they said they were patients of CarePartners, but had not been contacted by them.

CarePartners is working with the Herjavec Group (as in the guy on Shark Tank and yes, they are a legit and well known security company).

CarePartners said that they take security seriously and they have outsourced their IT to someone else.  Apparently that third party isn’t doing a very good job and CarePartners will get to pay the fine,  deal with the lawsuits and have their reputation damaged.  In their case, they are a contractor to the local government, so they could have their contract cancelled as well.  Remember, you can outsource the responsibility but you cannot outsource the liability, so make sure that you are effectively managing any third parties that claim to be taking care of your security.  

Lets assume this breach costs CarePartners a couple of million dollars, which is reasonable.  They need to make sure that they can afford to pay that bill and that their outsource security provider can reimburse them for that cost – hopefully, in both cases, through adequate insurance.

Information for this post came from CBC News.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still this does point out the risk of granting someone else proxy to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive, but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people who’s data was stolen).  This attack in December 2017.  The hacker logged on in March and April 2018 also.  The hacker next logged in on June 22 and finally, stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB restricted mode to the current release of iOS.  Restricted mode locks down the lightning port of an iPhone or iPad after it has been locked for another so that it cannot be used for data access, only charging.  It defaults to enabled although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO.  put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the ransomware attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from their backups.  Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the Reaper MQ-9, a $17 million military drone for less than $200 on the dark web.  He got them by hacking an Air Force Airman’s home Internet router which was not patched for a known vulnerability.  It is likely that the Airman was not involved, but it is not clear if he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.

Facebooktwitterredditlinkedinmailby feather

News Bites For June 22, 2018

Latest Cost Estimates For Equifax Breach is $439 Million

According to recent (March) tax filings, costs related to their breach are now $439 million, making the Equifax breach the costliest in US history.  Assuming insurance does pay, it would cover, at most, $125 million, leaving Equifax to write a check for $300  million plus.  Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow.  While Equifax’s investors can write that check, I am sure that none of them are happy about doing so.  (Source: Computing.co)

Apple, Others Allows Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI

After all, what could go wrong?

U.S. tech companies have given in to Russian, Chinese and other country’s demands to review the source code for their products.  Not only does this expose vulnerabilities (which they likely will NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never ending quest to increase sales and profit.

A bill currently in Congress would force companies who do business with the government to disclose any source code review done by military adversaries.  Forcing companies to disclose will keep the pressure on to stop doing that.

The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.

The companies say that the reviews are done in company controlled facilities.  I am sure that they use one of those memory wipers from the Men In Black movies on the reviewers before they leave the room.

The knowledge that the Russians and Chinese get is, of course, used against everyday companies as well as the government and is used to build competing products that they sell against ours.

The article has a graphic with examples of software reviewed and who uses it.  (Source: Reuters)

Senate Votes 85 to 10 to Continue ZTE Ban

ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month, from buying parts and selling products in the U.S. by the Commerce Department.  President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion dollar fine and saying that would make it a non-threat.  The Senate attached a bill to the Defense Authorization Bill outlawing ZTE, nullifying Trumps gimicky non-solution.  Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10, any veto would be quickly overridden. (Source: Politico)

macOS Quicklook Feature Exposes Data on Encrypted Volumes

Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your mac.  MacOS conveniently creates thumbnails of those pictures to show you and stores them unencrypted, so while the full resolution picture is encrypted, the thumbmail is not.  Apple says this is a feature and is not going to fix it.

This problem also exists on Windows.  If you store a Word or Excel document, for example, on an encrypted volume, the temp file that those programs use will be on an unencrypted system volume.  The only way to “fix” this is to encrypt the system volume. (Source: Ars Technica)

Software Supply Chain is a Critical Issue

Recently there have been a number of reports of cities having credit card breaches.  It turns out that it all ties back to the same vendor that those cities all use called Superion.  At least 10 cities have reported being breached and there are probably more.  Superion has finally admitted that the breach was due to a WebLogic (Oracle) bug  that had not been patched.  The cities counted on Superion to keep them safe.  Superion is blaming Oracle.  Ultimately, it is the cities and taxpayers who will foot the bill for this mess – a mess caused by not managing the entire software supply chain from end to end.  Likely those cities were not even aware that they were running Oracle software.  Who’s fault is that?  (Source: Dark Reading)

Facebooktwitterredditlinkedinmailby feather

Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM) and they are the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of client’s sensitive data files like insurance policy documents, health data, medical data, social security and medicare cards, blank checks for payment info and financial data.

Andrew Lech admitted to the faux-pas and quickly fixed it.

But not to worry;  their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, it doesn’t, in this case, require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  the terms of services says:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  Don’t know for sure, but, look at the evidence.  This problem happens weekly.  

Amazon has created a whole bucket of tools for you to use to help protect yourself from self inflicted mortal wounds like this. Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.

 

Facebooktwitterredditlinkedinmailby feather