At a glance.
- Children's smart watches and privacy risks.
- Healthcare staffing firm's unprotected database discovered. (Update: no apparent threat to staffers' privacy.)
- Planned Parenthood sustains a ransomware attack.
Research shows kids’ smart watches watch users.
After analyzing several popular smartwatches designed for children, researchers at Dr.Web found a number of vulnerabilities that could allow a threat actor to steal sensitive data. Features like GPS tracking and remote control of the watch make these devices popular among parents hoping to keep tabs on their offspring, but those are the very traits that make them attractive targets for attackers seeking private data. For instance, the Elari Kidphone 4G Smartwatch ships with a built-in app that, when it connects to its C&C server, launches two malicious modules that could be used for cyberespionage or to install malware. In the Wokka Lokka Q50, a default password of 123456 is used to authenticate SMS commands, and at no point does the watch or its manual instruct users to change it. Overall, the researchers noted that many kids' smartwatches run third-party firmware that the watchmakers rarely audit for security, making it easy for attackers to plant trojans or adware.
Craig Young, principal security researcher at Tripwire, sees this as an instance of the meretricious combination of high technology and low, low prices:
“Low-cost and high-tech do not often blend together well. Vendors produce these devices with razor thin margins often leaving little to no room for considering security. Oftentimes the software running on these devices is a simple skin on top of a reference firmware provided by an OEM. These reference firmware images can greatly accelerate deployment of a new product but they often contain outdated libraries and insecure logic. Time spent applying patches and reviewing source code comes directly out of profit margins and so it should be no surprise that it generally doesn’t happen.
"The issue is compounded by a general lack of consequences for the device makers. Apart from the potential reputation damage, there are generally very few repercussions for firms selling insecure products. Without a reputation sully, a “no-name” brand is more or less not impacted by the hit on their reputation.”
Medical staffing firm exposes sensitive profile data. (Update: No sensitive data appear to have been compromised.)
Update, 12.3.21: Gale Healthcare Solutions reached out to us today with an explanation of the incident, explaining that "The database was a temporary environment created for an internal system test. When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured. There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused. Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment. Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials." Thus there appears to have been no threat to employee privacy.
Researchers at Website Planet discovered an unprotected database containing the private data of medical workers, nurses, and caregivers linked to the US healthcare staffing company Gale Healthcare Solutions. Consisting of over 170,000 records, the dataset contained employee profiles bearing names, phone numbers, email addresses, home addresses, and even links to images of the employees and of tax documents with Social Security numbers. The researchers were especially concerned to find full employee names and Social Security numbers embedded in the file names. References to “UseGale” indicate the data is connected to Gale’s mobile app, designed to help healthcare facilities locate available nurses and caregivers. It is unclear how long the database was exposed or whether any threat actors accessed it; although Gale was contacted about the leak, the staffing company had not responded at the time of the original report.
Erich Kron, security awareness advocate at KnowBe4, commented on the risks involved in the generation and collection of data:
“As the volume of digital information collected and generated by organizations continues to grow, so does the importance of protecting it. Unfortunately, this lesson is often learned by organizations too late as many organizations feel they are too small to be a target or don’t have data worth stealing. In reality, even the smallest organizations are targets and are easily found on the internet.
"Complicating matters is the shift to cloud-based storage and services, which allow a minor misconfiguration to expose your data to anyone on the internet, not just someone within your private network. Organizations should work toward having well-written policies and procedures for tasks to be performed on cloud-based services, with a focus on security, and should have regular checks done on configurations to ensure that misconfigurations or errors are caught and resolved quickly.”
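As an added illustration of the kind of configuration check Kron recommends (example code written for this page, not code from KnowBe4, Gale Healthcare Solutions, or Website Planet), the script below audits a constructed inventory of data stores for the combination that produces an open database: a listener reachable from the whole internet that also requires no authentication. The resource names, the inventory format, and the CIDR rules are all hypothetical; the check goes slightly beyond the obvious case by catching ingress rules that add up to the whole address space without literally saying 0.0.0.0/0.

```python
"""
Added example, not from the original article: a small configuration audit
run over a constructed inventory of cloud-hosted data stores.

A resource is reported when its listener is not loopback-only AND the
network rules admit the entire internet. The finding is "critical" when the
store also has authentication disabled, which is exactly the shape of an
"unprotected database" left reachable by a temporary test environment.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed inventory (hypothetical names and settings). "ingress" lists the
# CIDRs allowed to reach the listener, as a normalised security-group export.
INVENTORY = [
    {   # weak: temporary test copy, open to the world, no auth
        "name": "staffing-db-test", "bind": "0.0.0.0", "port": 27017,
        "auth_required": False, "ingress": ["0.0.0.0/0"],
    },
    {   # corrected form of the same store: private bind, auth, VPC-only ingress
        "name": "staffing-db-prod", "bind": "10.0.4.12", "port": 27017,
        "auth_required": True, "ingress": ["10.0.0.0/16"],
    },
    {   # no literal 0.0.0.0/0, but the two /1 halves cover every IPv4 address
        "name": "analytics-cache", "bind": "0.0.0.0", "port": 6379,
        "auth_required": False,
        "ingress": ["10.0.0.0/8", "0.0.0.0/1", "128.0.0.0/1"],
    },
    {   # loopback-only listener: the permissive rule is irrelevant
        "name": "local-dev-cache", "bind": "127.0.0.1", "port": 6379,
        "auth_required": False, "ingress": ["0.0.0.0/0"],
    },
]


def world_reachable(cidrs):
    """True if the union of the ingress CIDRs covers all of IPv4 or all of IPv6.

    Collapsing the networks first defeats the split-range trick that a naive
    string match for "0.0.0.0/0" would miss.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for version, everything in ((4, ANY_V4), (6, ANY_V6)):
        same = [n for n in nets if n.version == version]
        if same and list(ipaddress.collapse_addresses(same)) == [everything]:
            return True
    return False


def audit(inventory):
    """Return (name, port, severity) for every store exposed to the internet."""
    findings = []
    for res in inventory:
        if ipaddress.ip_address(res["bind"]).is_loopback:
            continue  # only local processes can connect
        if not world_reachable(res["ingress"]):
            continue  # restricted to named networks
        severity = "critical" if not res["auth_required"] else "high"
        findings.append((res["name"], res["port"], severity))
    return findings


if __name__ == "__main__":
    for name, port, severity in audit(INVENTORY):
        print(f"{severity.upper():8} {name} listening on {port} is world-reachable")
```

Run on the constructed inventory it reports staffing-db-test and analytics-cache as critical and stays silent on the prod and loopback entries; in practice the inventory would come from a cloud provider's configuration export, and the check belongs in the scheduled review Kron describes rather than in a one-off.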
Data breach at Planned Parenthood.
The Wall Street Journal reports that Planned Parenthood Los Angeles has notified some 400,000 clients that their "names, address, insurance and other identifying information" were accessed in an October breach of the organization's network. It appears to be a criminally motivated ransomware attack. We received several comments from industry experts on the case.
Ilia Kolochenko, Founder of ImmuniWeb, notes the ways in which pressure on third-parties can be used to intensify extortion of the principal target:
“We should expect even better targeted and perfidious ransomware attacks in the near future. Today, cybercriminals start running marketplaces with stolen data to “punish” stubborn companies who refuse to pay the ransom by naming and shaming. I think we should soon expect that in sensitive cases, like the Planned Parenthood breach, attackers will also contact the victims and try to racket them individually. Payment of ransom, however, does not guarantee that your data will not be leaked or silently re-sold later. Sadly, cyber insurers are now massively trying to deny coverage of ransomware payments even if the contract says otherwise.
"Every case of ransom payment should be treated individually, in view of the integrity of circumstances. National legislation needs to be taken into consideration, for example, the FBI is categorically opposed to payment of any ransom, while OFAC made it crystal clear that ransom payments may violate US sanctions. Some cases of cyber racket can be safely ignored, while others may help to better understand the origins of data breaches and possibly identify the intruders. In all cases, victims should never act alone and must talk to an experienced law firm or data breach investigation company.”
Ken Westin, Director, Security Strategy, at Cybereason, agrees that the threat of public doxing increases the pressure to pay:
“The reported ransomware attack against Planned Parenthood could escalate to a triple ransom situation, where not only is the data itself held hostage, but also the threat to release to the public, or for cybercriminals to target or blackmail patients themselves. The fact that the compromised data included names, addresses, insurance information, date of birth as well as clinical information including medical procedures and prescriptions for more than 400,000 patients makes it a potential disaster.
"In this attack, the type of data compromised should have an impact on the severity of punishment; it likely would have little impact, with these ransomware gangs often operating with impunity in Russia and other countries where these attacks are state-ignored. Overall, the amount of money ransomware gangs are generating only increases the level of greed and with it their brazenness. As this data can be used for criminal acts beyond a ransomware attack, there may be more repercussions and possibly more help bringing the attackers to justice, depending on where the compromised data is sold or used with malicious intent.”
Erich Kron, security awareness advocate at KnowBe4, wrote about the most common social engineering approach in ransomware cases:
“Ransomware continues to be a major issue for organizations around the world, especially now that data is stolen before being encrypted. This stolen data, and the threats by the ransomware gangs that perform the attacks to release it publicly, have contributed to the skyrocketing ransom amounts we are seeing. In this case, very personal and private information related to very controversial procedures has been stolen, something that could directly impact the trust people have in the organization, especially if the data is released.
"The most common method for spreading ransomware is email phishing. Organizations that want to protect themselves against these attacks should focus on prevention measures such as training the employees to spot and report phishing emails, including sending simulated attacks to help them polish their skills. Organizations should also ensure that email filters are in place and as a last resort to recover from the outage, that system backups are tested and kept isolated from the network.”