At a glance.
- mHealth apps found vulnerable.
- Ransomware prevention task force issues guidelines to prevent infection and deal with compromise.
- Romance scams return for Valentine's Day.
- University of Colorado data affected by Accellion breach.
Research shows mHealth apps vulnerable to attack.
API protection firm Approov released a report prepared by cybersecurity marketing agency Knight Ink showing that all thirty of the leading mHealth applications they tested contained vulnerabilities that could expose private patient data. With the global pandemic shaping much of our online activity, mobile health apps have become more popular than banking or job-searching platforms, making them prime targets for cybercriminals. In fact, on the dark web private patient data has become a more sought-after bounty than even credit card credentials. Knight Ink calls the problem systemic, as their report estimates that more than 23 million users have been exposed by the vulnerabilities they uncovered. Of the apps investigated, 77% had hardcoded API keys, and 50% did not require tokens to authenticate requests. Half of the records accessed in the study contained personally identifiable information such as Social Security numbers, dates of birth, and health data, indicating that the US FHIR/SMART standards on their own are not enough to ensure the security of health apps and the sensitive data they contain.
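As an added illustration of the hardcoded-key finding (this is example code written for this page, not code from the report, from Approov, or from any of the apps studied), the script below shows how a reviewer would hunt for embedded API keys in the files recovered from a decompiled app: fixed-prefix provider patterns first, then a generic name-plus-entropy heuristic that flags key-like variable names with long, random-looking quoted values while ignoring placeholders. All file paths, contents and key values are constructed for the example; the AWS value is Amazon's documented sample key and the Google-style value is a random string in the right format, not a real credential.

```python
"""Scan files extracted from a decompiled mobile app for hardcoded API keys.

Two layers: provider-specific prefix patterns (reliable, few false positives)
and a generic fallback that flags key-like names whose quoted value is long
and high-entropy. Everything in SAMPLE_FILES is constructed for this example.
"""
import math
import re
from typing import Dict, List, NamedTuple

# Constructed stand-in for the output of apktool/jadx on a hypothetical app.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">HealthTracker</string>
    <string name="fhir_base_url">https://api.example-fhir.test/r4</string>
    <string name="api_key">AIzaSyD4f8Qw9x1L2mN3oP5qR7sT9uV1wX3yZ5a</string>
</resources>""",
    "smali/com/example/BuildConfig.smali": """.field public static final DEBUG:Z = false
.field public static final AWS_KEY:Ljava/lang/String; = "AKIAIOSFODNN7EXAMPLE"
.field public static final VERSION_NAME:Ljava/lang/String; = "3.2.1"
""",
    "sources/com/example/net/ApiClient.java": """package com.example.net;

public final class ApiClient {
    private static final String BASE_URL = "https://api.example-fhir.test/r4";
    private static final String CLIENT_SECRET = "q8Zf2vL0pXy7Rk3bN6tW9eH1sJ4dG5mA";
}
""",
    # A placeholder, not a secret: the entropy filter should leave it alone.
    "assets/config.json": """{"backend": "https://api.example-fhir.test", "api_key": "REPLACE_ME_REPLACE_ME", "timeout": 30}""",
}

# Prefixes fixed by the issuer, so a regex alone is a strong signal.
SPECIFIC_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic fallback: key-ish name, ':' or '=', then a quoted value of 16+ chars.
GENERIC_PATTERN = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)["']?\s*[:=]\s*["']([^"'\s]{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per char; words and placeholders fall below this


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; 32 distinct chars in 32 positions gives 5.0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pat in SPECIFIC_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)))
                matched = True
        if matched:
            continue  # don't double-report a line already caught above
        m = GENERIC_PATTERN.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "high_entropy_secret", m.group(2)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.value[:6]}...")
```

Point the same two functions at the output directory of apktool or jadx to use it on a real package. Anything found this way is recoverable by anyone who downloads the APK, which is what makes a hardcoded key a credential leak rather than a configuration detail; the usual fix is to keep the key on a backend the app talks to and to issue short-lived, per-user tokens instead.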
We received comments on the study from several industry experts. Saryu Nayyar, CEO of Gurucul, commented that, "This report is telling in how little attention is given to application security for mobile applications. It is disheartening to see how many basic security best practices are ignored in the development of mobile applications and the APIs that allow them to access relevant data. Code review and remediation for all of the applications and APIs in question is a monumental, but necessary, task to start. As is a review of the coding practices that led to such weak security in the first place."
Chloé Messdaghi, Chief Strategist at Point3 Security, said:
"mHealth apps – even before the pandemic – have had real problems with security. Unfortunately, many of these types of apps don't have strong security – they don't allow MFA, they only require short passwords, and of course, the API-related issues this researcher has underscored. As stated in the report, we're seeing people using healthcare apps even more now as a necessity driven by the pandemic. Another area of vulnerability is how the apps are put together. Are they using OS software? If so, are they checking for vulns in OS code? That's a common problem, and it's worth remembering that anything that's free usually comes with a price."
Shared Assessments' CISO Tom Garrubba wrote, "While it is a best practice for a mainstream application’s code to move through a thorough secure code review during development, organizations are often haphazard on following the same secure systems development lifecycle (SSDLC) process while developing mobile applications. By not applying the same rigorous process, any defective code will lead to vulnerabilities that can be exploited by even the most novice of hackers."
Garret F. Grajek, CEO of YouAttest, sees the report as more evidence that healthcare records are "the challenge of the decade." He said:
"We need to ensure that the information is available to providers and patients – and that ONLY the right parties view the data. This is exactly the NIST concept of PoLP (PR.AC-6, "Principle of Least Privilege"). Easy to say, hard to do. That is, we have to ensure that apps and data have the right tools/policies/procedures so that access is not granted to unwarranted people and processes. The Principle of Least Privilege is mandated by both HIPAA and HITRUST standards. Execution of this is also mandated by access reviews – reviews of what accounts and people have access to applications, servers and data. This is required by the mandates, but implementation is up to the parties. A best practice is to use a cloud-based solution to automate the review processes and create quantifiable reports for BOTH the auditors and security personnel."
Cybersecurity task force publishes ransomware factsheet.
In an effort to increase awareness and maximize mitigation, a ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF), a collaboration of experts from over fifteen US government agencies, reports Security Week. The two-page document explains that in addition to encrypting and shutting down the victim's systems, ransomware attackers now often threaten to destroy or publish stolen sensitive data in order to force victims to pay. The threat affects various critical infrastructure sectors, and the most common initial access vectors are phishing, Remote Desktop Protocol (RDP) misconfigurations, and unpatched software vulnerabilities. The FBI advises victims not to pay, as payment encourages further attacks and does not guarantee that the data will be recovered or kept private. Instead, it advises safeguards such as multi-factor authentication, prompt system updates, and offline data backups.
Scant hope for the lovelorn (alas).
Just in time for Valentine’s Day, the US FBI in Phoenix, Arizona released a statement warning the public about online romance scams. In 2020 alone, more than five hundred Arizonans fell prey to conmen posing as love interests on social media or dating sites, who then used the victim’s confidence to clean out their pockets, with combined losses totalling $12 million. In nearby Texas, KPRC reports that a woman was convinced the criminal emailing her was actually Grammy-winning musician Bruno Mars. “Bruno,” apparently strapped for cash despite his success, tricked his target into “loaning” him cash to cover touring expenses to the tune of $100,000. Cybersecurity firm Check Point Software reported a huge jump in phishing scams in the last half of January, with over four hundred Valentine’s-themed scam emails a week, a 29% increase over last year.
University of Colorado exposed in Accellion breach.
Officials say that the cyberattack on US file-transfer software provider Accellion, first noted by the CyberWire in January, has impacted at least three hundred of its clients. The latest victim is the University of Colorado (CU), resulting in a data breach that is believed to be the largest in the school’s history, CBS Denver reports. The school uses Accellion’s File Transfer Appliance to send large files, and the Boulder campus was forced to suspend service on January 25, restoring it with a patched version by January 28. It appears that over four hundred CU users were impacted by the breach, and they’ve been asked to notify the CU Office of Information Security if any confidential information was present in the exposed files.