At a glance.
- India's main payment processor fixes vulnerabilities discovered during a security audit.
- Twitter's account of how its employees were socially engineered.
- North Korea uses fake job offers to phish for defense and aerospace professionals.
- HHS looking into University of Utah Health breach.
NPCI audit reveals lack of encryption (now said to be fixed).
A government audit of India's principal payments processor, National Payments Corporation of India (NPCI), a not-for-profit that accounts for two-thirds of India's paycards and that has been strongly advocated by Prime Minister Modi, found "more than forty" security vulnerabilities. Reuters reports that the four-month audit was completed in February 2019. The basic problem, according to Inc42, was a lack of encryption for personal data, including "16-digit card numbers, customer’s names, account numbers and other such information." National Cyber Security Coordinator Rajesh Pant told Reuters that “all observations raised in last year’s report have been confirmed as resolved by the NPCI.”
Twitter's conclusions about how hackers got access to account controls.
According to Twitter, the social engineering that enabled attackers to take over high-profile accounts, access user information, and run a Bitcoin scam was accomplished through “a phone spear phishing attack.” It’s unclear exactly what that means, but Graham Cluley speculates that it involved impersonating a Twitter help desk, possibly combining SMS phishing with a request to call a scam help line. By Twitter’s account, the social engineering that gave the hackers access to Twitter’s internal support tools proceeded in at least two phases.
Twitter says that “not all of the employees that were initially targeted had permissions to use account management tools,” but the credentials the social engineers obtained from those personnel enabled the attackers to sift through parts of Twitter’s internal systems to collect information about the company’s processes. They then used what they learned to find and target other employees who had the access the attackers were after. Once they’d obtained credentials belonging to users with more extensive privileges, the attackers were able to use them to access account support tools.
Twitter says it’s increasing security. As Ars Technica points out, Twitter has been criticized for the large number of people who had access to its account support tools and for the inadequate controls in place to prevent the sort of abuse that ultimately compromised them. Twitter describes its security improvements as giving security a higher priority and pushing forward “pre-existing security workstreams and improvements to our tools.” With regret, the company says customers may expect less responsive service while it sorts out its procedures.
Operation North Star uses fake job postings as bait.
McAfee researchers describe Operation North Star, a North Korean cyberespionage campaign that prospects workers in the defense and aerospace sector with bogus job offers. Pyongyang has used this approach intermittently since 2018. LinkedIn has again been used to communicate the offers, which are subsequently baited with malicious code. The approach is particularly effective against professionals going through difficult economic times.
Follow-up on the University of Utah Health data breach.
The US Department of Health and Human Services is currently investigating a data breach that compromised patient information at University of Utah Health, KUTV reports. Some ten thousand patients were affected after attackers gained access to employee email accounts through phishing. Those accounts held patient information.
The lessons being drawn include the familiar need for better awareness of social engineering, and the surprising use of email for sensitive information. Chris Hauk, consumer privacy champion at Pixel Privacy, commented, “This is another case of employees not receiving the proper education about how to avoid phishing schemes. Companies need to take action, spending the time and money to educate their employees and executives on the risks of phishing emails and of opening links or attachments included in such emails. We can expect to see a continuing increase in incidents like this, especially in the medical industry, as the COVID-19 pandemic has resulted in making the medical and hospital industry an attractive target for the bad actors of the world.”
Comparitech privacy advocate Paul Bischoff said, “It surprises me that hospitals allow staff to send medical records via email. Surely there is a more secure way to request, share, and access such sensitive information? Email attachments are rarely encrypted and are, as we saw in this case, susceptible to phishing attacks. Unfortunately, the digital systems used by healthcare providers are so fragmented that they're often not interoperable, so staff may have no other choice but to use an insecure medium like email.”