At a glance.
- Recent email breaches at healthcare providers.
- Update on the Manchester United cyber incident.
- Smart doorbells found to have questionable security.
- Credential stuffing and credential exposure.
Email breaches compromise hospital patient data.
As we've had occasion to note, cyberattacks against US medical institutions have been on the rise just as the pandemic puts unprecedented stress on their operations. Just this week, the Daily Advertiser reports that private patient data were potentially exposed due to a breach at the Louisiana State University (LSU) Health Care Services Division in September, and Security Magazine reports that Mercy Iowa City Hospital experienced a breach and subsequent phishing incident. Both attacks began with an intruder infiltrating an internal email account and resulted in the potential exposure of the sensitive data of thousands (and in Mercy Iowa City’s case, tens of thousands) of patients. Experts weigh in on how to defend an organization against these attacks:
- Mohit Tiwari, CEO of data security firm Symmetry Systems, proposes that while breaches are often unavoidable, organizations could do more to stop a minor email hijacking from turning into a large-scale data compromise: “Tracing the attack from emails to data stores where critical data resides...is critical.”
- Lisa Plaggemier of cybersecurity education company MediaPro suggests continuous, strategic training would help employees better identify and report phishing scams.
- Matthew Gardiner of cybersecurity provider Mimecast recommends multi-factor authentication and “phishing controls that inspect and filter inbound, outbound, and internal mail flow to prevent the attacker’s initial access and spreading.”
Man U’s goalkeeper overpowered (but supporters' personal data are apparently safe).
The Manchester United communications department released a statement notifying the public that the British football club has suffered a cyberattack. However, Man U asserts that their cybersecurity team shut down the attack right away and secured the impacted systems, and that no fan or customer data were compromised. Most importantly, supporters can rest assured that “all critical systems required for matches to take place at Old Trafford remain secure and operational” so the club’s schedule should be unaffected. Play on.
Self-identified Man U supporter Chloé Messdaghi, VP of Strategy at Point3 Security, shared some thoughts on the incident:
“This is a perfect example of how better planning can be less disruptive. As a fan of Manchester United, I am so proud of how they handled this. They had obviously prepared, planned and rehearsed for this (something all organizations should be doing) and it shows. They were able to react quickly, shut it down, and save their data. Manchester United likely doesn’t even have as sensitive data as other orgs would have, like hospitals or government entities, but they had all the policies and procedures in place – and that’s what saved them. They clearly had a current playbook to help guide them through this, and it worked perfectly. In addition, they referenced the attackers as 'cybercriminals,' which is the correct reference, versus the incorrect reference of these criminal attacks as 'hackers'.”
Ding-dong, there’s a cybercriminal at the door.
UK consumer watchdog group Which? has found that several smart doorbells have security weaknesses that make them easy targets for hackers, reports BBC News. Which? tried out eleven doorbells and found weak password requirements and inadequate data encryption, with two doorbells even able to tap into the user’s Wi-Fi system and infiltrate other devices in the home. Perhaps the most dangerous device was the bestselling Victure Smart Video Doorbell, which could send users' unencrypted network login info to Chinese servers.
As the CyberWire has reported recently, researchers have found that smart devices like vacuum cleaners and remote controls are often easy prey for threat actors. Lisa Forte of Red Goat Cybersecurity confirms the connection is no coincidence: “Generally speaking the more convenient something is, the less secure it is.” As sellers of these products are not currently held to consistent safety regulations, she recommends securing your device with a strong password and two-factor authentication, while Which? computing editor Kate Bevan feels “government legislation to tackle unsecure products should be introduced without delay.”
Spotify credentials stuffed, then left exposed.
The story of enterprises inadvertently leaving databases open to inspection from the Internet without snoopers needing so much as a by-your-leave is an old and familiar one. It happens to the hoods, too. CNET, citing research published by vpnMentor, reports that a crew engaged in credential stuffing Spotify accounts left their list of successfully stuffed credentials exposed online. Spotify is having its users change their passwords. It's worth noting that this is a user problem, and not a breach at Spotify.
Felix Rosbach, product manager with data security specialists comforte AG, commented:
“Personally identifiable information (PII) and, especially, decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of services they use. It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information.
“It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach, and sometimes you won’t be informed at all.
“While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data. While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.”
Hicham Bouali, security evangelist at One Identity, also commented on the Spotify incident:
“In order to obtain these genuine Spotify accounts, the cybercriminals resorted to the dramatically effective and duplicable method of “credential stuffing”. In this type of attack, hackers take a database of millions of emails and passwords already used that they will refine in order to enhance them. As users very often juggle lazily with the same password for their different online accounts, cybercriminals use Botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. Each Botnet is capable of trying up to 300,000 connections per hour to a website or online service so they quickly get access to applications like Uber, Netflix or Spotify. This attack and other password-related attacks highlight the importance of adopting multi-factor authentication solutions to ensure that consumers can’t gain access into accounts.”
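
A defender-side illustration of the credential-stuffing pattern described above (one source trying many different accounts, mostly failing), added here as an example and not taken from Spotify, vpnMentor or the quoted vendors. The log format, thresholds and function names are assumptions, and the sample log is constructed; the accounts it returns are the ones that would need a forced password change.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-11-24T10:00:01 203.0.113.7 alice@example.com FAIL
2020-11-24T10:00:02 198.51.100.20 bob@example.com FAIL
2020-11-24T10:00:03 203.0.113.7 carol@example.com FAIL
2020-11-24T10:00:05 203.0.113.7 chen@example.com FAIL
2020-11-24T10:00:06 198.51.100.20 bob@example.com FAIL
2020-11-24T10:00:07 203.0.113.7 dave@example.com OK
2020-11-24T10:00:09 203.0.113.7 erin@example.com FAIL
2020-11-24T10:00:10 198.51.100.20 bob@example.com OK
2020-11-24T10:00:11 203.0.113.7 frank@example.com FAIL
2020-11-24T10:00:12 192.0.2.5 grace@example.com OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts within one window and
    mostly fail. Returns {ip: (distinct_users, accounts_logged_in)}."""
    recent = defaultdict(deque)  # ip -> recent (ts, user, ok) attempts
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        hits = sorted({u for _, u, o in q if o})
        successes = sum(1 for _, _, o in q if o)
        # A user mistyping a password touches one account; stuffing touches many.
        if len(users) >= min_users and successes / len(q) <= max_success_ratio:
            flagged[ip] = (len(users), hits)
    return flagged

if __name__ == "__main__":
    for ip, (count, hits) in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} accounts tried, reset passwords for {hits}")
```

Per-source counting misses attempts spread thinly across many addresses, so it is one signal to use alongside multi-factor authentication rather than a replacement for it.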