IT Security News Blast 04-06-2018

Medical Devices Exposed to Cyber Risk

Report: Exposed Medical Devices, Supply Chain Attacks Pose Major Cyber Risks
Using Shodan, a search engine for internet-connected devices, the researchers looked for healthcare-related cyber assets and found that a large number of hospital systems are exposed on the internet. The researchers discovered exposed medical systems, healthcare software interfaces and even misconfigured hospital networks that should not be publicly viewable. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices can potentially be leveraged by cybercriminals and other threat actors to penetrate organizations, steal data, run botnets and install ransomware.

State of play: One year on from WannaCry ransomware outbreak
The main findings of the “Securing Connected Hospitals” report show how several systems are vulnerable, including device firmware attacks, and websites, electronic health records and internal portals open to compromise. The report also identifies potential risk sources as a mix of insider threats from hospital and vendor staff, and applications provided by third-party vendors. This second category includes mobile health (mHealth) apps, which is of concern given the extent to which this area is anticipated to expand over the next few years.

Delta Air Lines, Sears Hit By Cyber Attack; Customers’ Payment Info Compromised
The airline said the incident involved [24], a chat-services provider used by Delta and other companies. Both Delta and Sears do business with the software provider. Delta says only “a small subset” of customers were affected, with payment information exposed from Sept. 26 to Oct. 12. It says no other personal details about customers, such as their passport, security or frequent-flyer account information, were affected. Sears said in a statement that the company believes the data breach “involved unauthorized access to less than 100,000 of our customers’ credit card information.”

Facebook: Most Profiles Likely Scraped by Third Parties
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” the company says. Facebook also reports the data of about 87 million people was taken by Cambridge Analytica without users’ consent. Most of those affected are in the United States. The extent of changes demonstrates a shift in Facebook’s relationship with third-party apps, which could previously access users’ events, relationship statuses, and other information.

Survey Finds Lax Patching Practices Feed Healthcare Data Breaches
Patching vulnerabilities in your systems and applications is one of the most important steps you can take to prevent a healthcare data breach at your organization. Yet, a majority of security professionals in the healthcare and pharmaceutical industries admit that they have had a data breach because of an unpatched vulnerability for which a patch was available. This was one startling finding of a survey of nearly 3,000 security professionals across industries and countries by the Ponemon Institute on behalf of ServiceNow. The survey results are contained in a report entitled “Today’s State of Vulnerability Response: Patch Work Demands Attention.”

Insiders pose biggest threat to health information security, report finds
While unsettling, the large share of security incidents stemming from inside organizations is not a total surprise. A 2017 study by an international team of researchers found widespread sharing of EHR passwords among physicians and clinical support staff, putting patients’ personal health information at risk. Despite the media buzz around large-scale cyberattacks, hacking and malware accounted for just 14.8% and 10.8% of security incidents in healthcare. The most common cause was error, accounting for 458 cases (33.5%). The next most common factor was unapproved or wrongful use of an organization’s resources (29.5%). Incidents involving missing laptops and other assets made up 16.3% of the incidents.

How Gamers Could Save the Cybersecurity Skills Gap
McAfee shares its firsthand experience on training in-house cybersecurity pros and publishes new data on how other organizations deal with filling security jobs. Grant Bourzikas, McAfee’s chief information security officer (CISO), swears by gamification as one of the key ways to invest in and retain security talent. It’s a strategy his own company has adopted in building out its security operations center in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-fourths of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

Gamers Are Not the Answer to the Shortage of Cybersecurity Workers
There’s something very backward about looking at a field with a serious diversity problem and deciding that the best way to grow it is to hire more people exactly like the ones who are already working in it. If we decide to recruit the cybersecurity workforce of the next decade by duplicating the people who are already working in the field and the things that hiring managers are already looking for, we will inevitably end up with a very homogenous pool of people who look an awful lot like the ones already in this space.

Windows 10 security: Microsoft patches critical flaw in Windows Defender
Microsoft has rolled-out security updates to fix a critical remote code execution flaw affecting Windows Defender and other anti-malware products. Ahead of April’s Patch Tuesday, Microsoft has released patches for the critical flaw, which affects Microsoft Malware Protection Engine, or mpengine.dll, the core of Windows Defender in Windows 10. “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” warns Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Human error led to 424% increase in misconfigured cloud servers, prompting hacks
Human error has long been associated with poor cybersecurity hygiene, but it’s starting to negatively impact other aspects of the tech ecosystem. Due to employee mistakes, the number of records breached through misconfigured cloud servers rose by 424% in 2017, according to the 2018 IBM X-Force Threat Intelligence Index, released Wednesday. An IBM press release called it an “historic” jump. Additionally, nearly 70% of the compromised records tracked by IBM in 2017 were exposed due to one of these misconfigured servers, the release noted. In keeping with the theme of human error, roughly a third of the “inadvertent activity” that led to a security event last year was due to someone getting phished. Millions of spam messages that led to some of these incidents were created with the Necurs botnet, a favorite of hackers in 2017, the report said.

Engaging Employees in Health Care Data Security
Over the past year, the healthcare industry found itself under constant attack. Cybercriminals targeted vulnerable clinical networks and poor controls to gain privileged access to medical devices and databases on an almost daily basis. Consider that in just the first two months of 2018, 24 health care provider organizations reported data breaches affecting over 1,000 patients each, a 60% increase over the same time period last year. However, with only 53% of healthcare and public-sector security decision makers reporting a breach in the past year, it’s likely there are many more breaches going unreported.

White House email domains are at risk of being used in phishing attacks
In the latest episode of how bad some branches of government are at cybersecurity, a new study by the cybersecurity outfit Global Cyber Alliance indicates that 95 percent of the email domains managed by the Executive Office of the President could be spoofed and potentially used in phishing attacks. Of the domains that are managed by the Office of the President, only the email address has fully implemented the highest level of defense against spoofing and phishing emails. Malicious actors often tweak metadata to trick targets into thinking they are receiving email from an official-sounding domain, like

Intel drops plans to develop Spectre microcode for ancient chips
Intel has scaled back its plans to produce microcode updates for some of its older processors to address the “Spectre variant 2” attack. Core 2 processors are no longer scheduled to receive updates, and, while some first generation Core products have microcode updates available already, others have had their update cancelled. Earlier this year, attacks that exploit the processor’s speculative execution were published with the names Meltdown and Spectre, prompting a reaction from hardware and software companies. The Spectre attack has two variants, numbered version 1 and version 2. Spectre version 1 attacks will need software fixes, and the nature of these attacks means that they may always need software fixes. Version 2 is amenable to hardware and firmware fixes.

Feds: There are hostile stingrays in DC, but we don’t know how to find them
Given that cell-site simulators have been used for years at home, it would be naive to think that malevolent actors, including criminals and foreign governments, would not attempt to set up stingrays in major American cities, particularly the capital. DHS’ answers also say that the agency is “aware” of the use of stingrays in other US cities, although it did not name them. […] In 2015, various federal law enforcement agencies, including the FBI, said that, in most circumstances, they will require a warrant when they use a stingray. Some states also impose similar requirements.

Hackers target ad networks to inject cryptocurrency mining scripts
Trend Micro wrote in a blog post Wednesday that its researchers tracked web miner traffic linked to, a popular ad-supported home page, which was displaying an ad that was using a computer’s processor to silently mine cryptocurrency in the background. Hackers had injected the widely-used Coinhive code into an ad supplied by the AOL advertising network. Trend Micro alerted AOL to the bad ad, which — two days later — was pulled offline. […] A similar cryptocurrency mining scheme for a time relied on YouTube ads to drain the processing power of individuals’ computers.

Lock and block: Ransomworms take over the hacking scene
According to IBM X-Force, there has been close to a 25 percent drop in compromised records as ransomware and worms which spread this particularly grim kind of malware take precedence in the criminal world. The security team’s annual Threat Intelligence Index suggests that in 2017, ransomware was seen as far more lucrative than stealing data in bulk and selling these dumps in the web’s underbelly. […] The financial services industry was most often targeted by cybercriminals in 2016 due to the lucrative information that these establishments store which can be used to empty bank accounts, make fraudulent transactions and withdrawals, and may also be used in identity theft. However, this area is now the third-most attacked at 17 percent, behind IT companies and manufacturing, accounting for 33 percent and 18 percent of reported attacks, respectively.

Microsoft adds ransomware protection, recovery tools to Office 365
The first new ransomware defense has the company bringing its Files Restore feature over from OneDrive for Business to consumer-level OneDrive accounts. Files Restore allows you to restore an entire OneDrive account to a previous point in time within the last 30 days. This would allow a person to rebuild or replace any files encrypted by a ransomware attack, Koenigsbauer wrote in a blog.
