At a glance.
- NHS Data pumps the brakes.
- Power Apps oversharing.
- Phishing for healthcare data.
- Update on JPMorgan Chase data exposure.
- Conti ransomware hits SAC Wireless.
- More reaction to the T-Mobile breach.
NHS puts the brakes on data-sharing program.
The UK’s National Health Service (NHS) has indefinitely postponed its medical data-sharing plan, previously set to begin in September, after resistance from the general public, medical experts, and privacy advocates led over 1.2 million Brits to take advantage of their right to opt out of the program, the Guardian reports. The General Practice Data for Planning and Research program was designed to provide data for healthcare research and planning, but dissenters argue the scheme is a violation of privacy. According to Computer Weekly, the NHS has announced it will engage in a “listening exercise” to reassess the plan and improve data handling protocol in an effort to increase the public’s confidence in the initiative.
Microsoft Power Apps vulnerabilities expose millions of data records.
Researchers at UpGuard discovered that numerous data leaks in Microsoft Power Apps, an app-development platform for designing business-intelligence tools, resulted in the exposure of 38 million data records. Forty-seven entities, including private businesses like American Airlines and Microsoft, as well as governments including the state of Maryland and New York City, were among those affected. StateScoop notes that the exposure of a COVID-19 contact-tracing database in Indiana has been linked to the flaws in the app-development tool. The incident highlights how these platforms, though convenient, can open new data exposure vectors when misconfigured, underlining the need for organizations to be hypervigilant when working with third-party platforms and collaborators.
So, failure to examine and change default permissions has exposed a great deal of data. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, notes that it can be all too easy for the many benefits of the cloud to be offset by configuration errors and oversights:
"The rush to the cloud has exposed many organizations’ inexperience with the various cloud platforms and risks from their default configurations. Developing in a public cloud can have efficiency and scaling advantages, but it also often removes the 'safety net' of development conducted inside internal networks protected from outside access by the perimeter firewall. It’s critical that companies 'look before they leap' with migrations or new development on cloud platforms to fully understand the potential security gotchas or risks that they might introduce. It’s also instructive for cloud vendors to understand the risks that their chosen default settings have on customers and change them to provide higher security by default even if it reduces upfront convenience."
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, isn't surprised by the way in which legacy issues have far-reaching and damaging effects:
"This is probably the ten thousandth example of the same thing...data being accidentally exposed in a cloud app because of a legacy issue...in this case, overly permissive permissions. It is the most common cloud security issue. It's funny, when the cloud first came out and started to catch fire, most of the cybersecurity world was incredibly concerned with all the new types of threats and vulnerabilities that cloud apps would bring with the shared, multi-tenancy, use, and heavy dependency on virtualization. And for sure, there have been some occasional cloud-specific threats and attacks. But without a doubt, the most common issues that compromise cloud apps are social engineering, unpatched software, and overly permissive permissions, which are the same things that have plagued non-cloud systems for decades. I have people ask me all the time how they can keep their clouds secure, like it's some secret sauce. But it really isn't. It's really mostly by focusing on the same things that were your biggest problems in the non-cloud world. So, while we've all been worried about some devious fast-spreading cloud worm or some master exploitation that will let every cloud tenant get compromised at once, the real news is that cloud attacks are the same old news. And anyone not paying attention to that fact is going to re-learn it the hard way. Focus on the basics."
Grimes's colleague Erich Kron, Security Awareness Advocate at KnowBe4, thinks that some organizations have dodged a bullet this time, but that privacy and data issues all too often trace their origins to misconfigurations:
"Unfortunately, data exposure due to misconfigured security settings in applications, or in cloud storage containers, is far from uncommon in our modern digital world. Due to the volume of, and sensitivity of, data being collected, these misconfigurations can have serious implications, especially with systems that are internet facing.
"Fortunately, it appears that in this case data loss has not occurred, however any time data is exposed, steps should be taken to review data access logs to ensure the data was not stolen.
"It is not enough to just rely on applications to keep data safe, processes and procedures must be in place to ensure that the data remains secure and the permissions that protect the data should be audited on a regular basis. Logging of data access should be enabled, along with regular reviews of data access activity, to ensure that information is not being accessed in unexpected ways or by unauthorized people. Regular and consistent training related to cyber security topics of all kinds can help to develop a security-centric mindset with employees, leading to more awareness around data protection and a greater likelihood that they will spot potential security setting misconfigurations."
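Kron's advice above is to enable access logging and review it regularly for reads that should not have happened. The following is an added example, not code from the article or from KnowBe4, showing what such a review can look like in practice: it parses a constructed JSON-lines access log (field names `ts`, `principal`, `auth`, `action`, `resource`, `rows` are assumptions for this example), flags unauthenticated reads of resources listed as sensitive, flags single requests that return an unusually large number of rows, and summarizes the findings per rule and per principal. The resource names and threshold are constructed for illustration.

```python
"""Added example: reviewing data-access logs for reads that should not have
happened. Not from the article or any vendor quoted in it.

Assumptions (constructed for this example): a JSON-lines access log with the
fields ts, principal, auth, action, resource and rows, and a known list of
resources that hold sensitive data.
"""
import json
from collections import Counter

# Constructed sample log lines: a mix of authenticated and anonymous reads.
SAMPLE_LOG = """\
{"ts":"2021-08-23T09:00:01Z","principal":"alice@example.org","auth":"oauth","action":"read","resource":"contact_tracing","rows":12}
{"ts":"2021-08-23T09:00:05Z","principal":"anonymous","auth":"none","action":"read","resource":"contact_tracing","rows":5000}
{"ts":"2021-08-23T09:01:10Z","principal":"bob@example.org","auth":"oauth","action":"read","resource":"employee_directory","rows":30}
{"ts":"2021-08-23T09:02:00Z","principal":"anonymous","auth":"none","action":"read","resource":"public_faq","rows":20}
{"ts":"2021-08-23T09:03:30Z","principal":"carol@example.org","auth":"oauth","action":"read","resource":"vaccination_signups","rows":250000}
"""

# Resources the data owner has classified as sensitive (constructed names).
SENSITIVE = {"contact_tracing", "vaccination_signups", "employee_directory"}
# Rows returned by a single request above which a read looks like an export;
# tune this to the application's normal usage.
BULK_THRESHOLD = 10000


def parse_log(text):
    """Parse JSON-lines; skip malformed lines rather than aborting the review."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_findings(events, sensitive=SENSITIVE, bulk=BULK_THRESHOLD):
    """Return (rule, event) tuples for events that need a human review.

    Two rules: any read of a sensitive resource without authentication, and
    any single read of a sensitive resource that returns a bulk-sized result.
    """
    findings = []
    for ev in events:
        if ev.get("resource") not in sensitive:
            continue
        if ev.get("auth") == "none" or ev.get("principal") == "anonymous":
            findings.append(("unauthenticated_read_of_sensitive_data", ev))
        if ev.get("rows", 0) >= bulk:
            findings.append(("bulk_export", ev))
    return findings


def summarize(findings):
    """Count findings per rule and per principal for the review report."""
    by_rule = Counter(rule for rule, _ in findings)
    by_principal = Counter(ev["principal"] for _, ev in findings)
    return by_rule, by_principal


if __name__ == "__main__":
    findings = find_findings(parse_log(SAMPLE_LOG))
    for rule, ev in findings:
        print(f"{rule}: {ev['principal']} read {ev['rows']} rows from {ev['resource']} at {ev['ts']}")
    by_rule, by_principal = summarize(findings)
    print("per rule:", dict(by_rule))
    print("per principal:", dict(by_principal))
```

On the constructed log this reports two findings: the anonymous read of `contact_tracing` and the 250,000-row read of `vaccination_signups` by an authenticated user. The second case is the one a permissions audit alone would miss, which is why the quote pairs auditing with reviewing actual access activity.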
Casey Ellis, CTO and founder of Bugcrowd, drew a lesson about why design matters to security and privacy:
“This breach highlights the importance of "making secure easy, and insecure obvious". Insecure defaults are rarely classed as vulnerabilities in and of themselves, but the combination of the speed at which businesses have deployed technology over the past two years, the absence of feedback from those who "think bad, but do good" in the ethical hacker community, and the default itself all contributed to this particular data leak.
"The breach is a good example and timely reminder of the value of ethical hackers in both the software design phase, and for testing systems in products - especially for organizations that are dealing with sensitive information such as Covid-19 contact tracing platforms. Without the enablement of security researchers via Microsoft’s vulnerability disclosure program (VDP), the weakness would likely have remained exploitable for much longer, exposing the data to malicious adversaries.
"A VDP, such as the one used by Microsoft, allows ethical security researchers to proactively and securely disclose cybersecurity vulnerabilities to the organization before adversaries can discover and exploit them. This offers a layered security approach, as it is to be leveraged in addition to an organization’s internal security team."
"The longer a vulnerability exists undetected, the more likely adversaries are to have already accessed or obtained the data. VDPs establish an open line of communication between the community of security researchers and organizations, so researchers can proactively report such vulnerabilities and organizations can fix them - before they’re exploited by bad actors.”
Alicia Townsend, technology evangelist with OneLogin, also looks at design, and sees a trend:
“This touches on a couple of historically interesting facts. One, a lot of Microsoft products in the past have started off giving wide access to data and resources by default. It was left up to users and administrators to take action and lock things down. This approach has definitely changed over at least the last decade or so, but ease of use and access still tend to lead the way, instead of developing tools and reports that make it easier for admins and users to see who has access to what information and adjust as necessary. This then leads to the other fact that we have stated over and over again, that it is the responsibility of everyone to both be aware of and educate others on the importance of protecting people’s private information.
"End users have been given a lot of very powerful tools that allow them to easily access, analyze and share data in new and exciting ways. Platforms that provide these tools need to help these users also protect that data. Warning users of who can see the data when they make particular changes, or giving users the ability to see what a data view might look like from another user’s point of view can go a long way towards ensuring that users are able to secure the data when necessary without getting too frustrated.”
Nathanael Coffing, CSO and co-founder of Cloudentity, wrote to draw attention to the kinds of API risks that patching alone won't
"In this scenario, the application programming interfaces (APIs) on Microsoft Power Apps were lacking authentication and authorization which made data from these applications publicly available, so that anyone actively searching for a web app containing users’ information could have easily accessed personal data such as COVID-19 tracing forms, vaccination sign-ups and employee databases.
"While the flaws discovered in the platform have been patched, it’s still evident that organizations have a long way to go in terms of proper API security. To prevent misconfigurations and similar vulnerabilities from occurring, APIs must be securely operated within Automated Identity, Authorization, Consent and governance guardrails to safeguard sensitive data. To stay ahead of cybercriminals, this necessary level of security requires organizations to implement context-based, granular authorization for APIs, along with a Zero Trust API Authorization approach. Only then can organizations ensure all internal, customer and partner data that is stored and collected by their APIs is completely secure."
Lamar Bailey, senior director, cyber security at Tripwire, also sees such misconfiguration-driven data exposure as becoming too common:
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone.
"A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet.
"Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations because change detection (hardening) is key for securing your cloud infrastructure and preventing inadvertent exposure. These are solvable problems, and tools exist today to help.”
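Bailey's point is that once a secure configuration exists, the systems must be watched for changes to it. The following is an added example, not code from the article or from Tripwire, of the change-detection step: it takes an approved baseline snapshot of each data store's settings, fingerprints each snapshot, and compares a later snapshot against it, distinguishing changes that loosen access (a bucket made public, anonymous API access switched on) from harmless ones (a version bump). The store names, setting keys and values are all constructed for illustration; a real deployment would populate the snapshots from the cloud provider's configuration APIs.

```python
"""Added example: detecting configuration changes that loosen access on
cloud-hosted data stores. Not from the article or from Tripwire.

Assumptions (constructed): each data store is described by a flat dict of
settings; a baseline snapshot is taken once the configuration is approved, and
later snapshots are compared against it.
"""
import hashlib
import json

# Settings where drifting away from the listed value widens exposure. The value
# is the safe setting; anything else is reported as "loosened".
RISKY_SETTINGS = {
    "public_read": False,
    "anonymous_api_access": False,
    "auth_required": True,
    "encryption_at_rest": True,
}

# Constructed baseline: the reviewed and approved configuration.
BASELINE = {
    "s3://example-reports": {"public_read": False, "auth_required": True, "encryption_at_rest": True, "region": "us-east-1"},
    "es://example-search": {"anonymous_api_access": False, "auth_required": True, "encryption_at_rest": True, "version": "7.10"},
    "portal://intake-forms": {"anonymous_api_access": False, "auth_required": True, "encryption_at_rest": True},
}

# Constructed current state: one bucket made public, one portal opened to
# anonymous callers with authentication switched off, one harmless version bump.
CURRENT = {
    "s3://example-reports": {"public_read": True, "auth_required": True, "encryption_at_rest": True, "region": "us-east-1"},
    "es://example-search": {"anonymous_api_access": False, "auth_required": True, "encryption_at_rest": True, "version": "7.11"},
    "portal://intake-forms": {"anonymous_api_access": True, "auth_required": False, "encryption_at_rest": True},
}


def fingerprint(config):
    """Stable hash of one store's settings, so unchanged stores are skipped cheaply."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_configs(baseline, current):
    """Return {store: [(setting, old, new, severity), ...]} for every changed setting.

    severity is "loosened" when a risky setting moves away from its safe value,
    "tightened" when it moves back to it, and "changed" for any other setting.
    Stores that exist only in the current snapshot have never been reviewed and
    are reported in full; stores missing from it are reported as removed.
    """
    report = {}
    for store, cur in current.items():
        base = baseline.get(store)
        if base is None:
            report[store] = [(k, None, v, "unreviewed") for k, v in sorted(cur.items())]
            continue
        if fingerprint(base) == fingerprint(cur):
            continue
        changes = []
        for key in sorted(set(base) | set(cur)):
            old, new = base.get(key), cur.get(key)
            if old == new:
                continue
            if key in RISKY_SETTINGS:
                severity = "loosened" if new != RISKY_SETTINGS[key] else "tightened"
            else:
                severity = "changed"
            changes.append((key, old, new, severity))
        report[store] = changes
    for store in baseline:
        if store not in current:
            report[store] = [("<store>", "present", None, "removed")]
    return report


def loosened(report):
    """Flatten just the changes that widen exposure; these are the ones to alert on."""
    return [(store, c) for store, changes in report.items() for c in changes if c[3] == "loosened"]


if __name__ == "__main__":
    report = diff_configs(BASELINE, CURRENT)
    for store, changes in report.items():
        for key, old, new, severity in changes:
            print(f"{severity:>10}  {store}  {key}: {old!r} -> {new!r}")
    print(f"{len(loosened(report))} change(s) loosened access")
```

Against the constructed snapshots this reports three loosening changes (the public bucket and the two portal settings) and one neutral version change. The fingerprint step matters at scale: with thousands of stores, most snapshots are identical to the baseline and can be skipped without a field-by-field comparison, and the same hash can be stored as the evidence that a configuration was reviewed.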
Healthcare employee ensnared in phishing scam.
Revere Health, based in the US state of Utah, has disclosed that an employee was targeted by a phishing operation that exposed the medical records of 12,000 patients, the Spectrum reports. The intruder gained access to the employee’s email account for approximately forty-five minutes, but the two-month investigation indicates that no patient data have yet been shared online, leading Revere Health to label the incident a “low-level risk” breach.
JPMorgan Chase notifies customers of website glitch.
As we noted last week, a website bug gave customers of New York City-based bank JPMorgan Chase access to other users’ information. Security Week explains the subsequent investigation indicates no customer data were misused, but Chase has nonetheless begun notifying affected users of the incident. The bank has advised users to check their accounts for any suspicious activity, but has not disclosed exactly how many customers were impacted.
Conti hits Chicago telecom.
SAC Wireless, a Chicago-based subsidiary of multinational telecom Nokia, has disclosed that it suffered a cyberattack at the hands of the infamous Conti ransomware group, Heimdal Security Blog reports. Conti boasted on its website that it pilfered 250GB of data, and SAC has confirmed the exposure of current and former employee info including names, contact info, Social Security numbers, and in some cases, even birth and marriage certificates. In response, SAC has beefed up its security by improving firewall rules, tightening VPN connections, increasing endpoint monitoring, and offering employee training.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, pointed out that leading criminal organizations (like Conti's operators) are moving more into zero-days and bespoke malware, and these are no longer the province of nation-state intelligence services:
"Unfortunately, it’s not at all unusual that organizations discover they have been breached only when notified by third parties like security researchers or law enforcement, or when the attacker triggers an unmistakable event like launching ransomware. Modern ransomware gangs like Conti are very skilled in infiltrating victims and quickly escalating to administrator privileges once inside an organization’s internal network and most organizations lack the workforce, expertise, and security controls necessary to prevent a breach or raise alerts from the activities of the more sophisticated groups. It’s important to understand that every victim’s network is worth potentially millions of dollars. That incentive means that sophisticated threat actors are much more willing to employ zero-day exploits and bespoke malware that avoids even the most sophisticated antivirus or EDR tools. Against such formidable threats it can be extremely difficult to remain safe. Safety against modern threat actors requires a true culture of security in organizations with leadership at the high executive levels to understand current risks and take an honest assessment of the organization’s cybersecurity capabilities. There are many things that organizations can do around security best practices themselves, but other critical components of a successful security program may require trusted partners and vendors that can augment an organization’s abilities in more experienced and cost effective ways."
More reflections on the T-Mobile breach.
Jason Soroko, CTO of PKI at Sectigo, summarizes the consequences of the T-Mobile breach for those individuals it affected:
“The potential harm can be categorized as the following:
- "Social security numbers may have been included in this breach (that portion of the data is yet to be confirmed). Social security numbers are unfortunately used as a ‘secret’ to gain access to social services, making spoofing victim identities easier.
- "Authentication risk: ‘Knowledge base’ questions are often used as a form of second factor authentication and sometimes the question is your birthday. With the birth dates of potentially 100 million people in this breach, any form of knowledge base 2FA that uses birthdate should be deprecated. With all of the breaches that have happened over the past years, we should no longer consider birth dates to be a ‘secret’.
- "PIN number reuse risk: The breach included PIN numbers used for customer accounts. In a similar way that people often reuse passwords, it is possible that a lot of people reuse PIN numbers, so the attacker may be able to take advantage of that when targeting a specific victim whose data is in the breach.
- "36 million IMEI/IMSI numbers were included in the breach. We have seen attacks in the past which allowed hackers to gain remote access to phone communication, based on the hardware IMEI/IMSI handset identifier, but stronger handset authentication to cell networks has mostly mitigated that.”
“Because the breach may have included social security numbers, customers should seek ID protection services. With all of the breaches that have occurred over the past years, along with the weakness of SSN as a secret, everyone should assume their SSN is known to some malicious party.”
“These kinds of massive data breaches happen so often that it’s hard to keep up. Why do the bad guys keep doing it? Keep in mind that the bad guys use ‘big data’ too, so by cross-referencing data from previous breaches, it makes ID theft and specific victim targeting more possible as more information is known about individuals. For security architects, we must deprecate knowledge base questions as a form of 2nd factor authentication. Authentication based on ‘what you know’ makes sense only if all the bad guys also don’t know the same information. Don’t reuse passwords, and don’t reuse PINs. For the individual person, ensure you are using ID protection services and try your best to stay aware of when your known SSN number may be used against you in events such as social services and loan applications.”