At a glance.
- Baby monitors vulnerable to snooping.
- Breach at Nevada medical practice.
- Construction firm suffers data breach.
- Criminals pursue pandemic benefit scam.
- Jones Day breach linked to Accellion supply chain compromise.
Baby monitors could allow hackers to monitor you.
Researchers at SafetyDetectives explore a security flaw in baby monitors that could allow attackers to infiltrate the user’s video stream. The vulnerability is the result of manufacturer misconfiguration of the device’s RTSP (Real-Time Streaming Protocol) service, the protocol that controls the camera’s media streaming. Often monitors meant only for local networks are being streamed over the internet, or the manufacturer has rebranded an IP webcam as a baby monitor. The researchers used Shodan to discover over 100,000 cameras from nineteen countries that were vulnerable to unauthorized access. Of the monitors the researchers tested, the following models were found to be vulnerable: Hipcam RealServer/V1.0, H264DVR 1.0, webcamXP 5, and Boa/0.94.14rc21. By examining the server headers and onscreen overlays of various monitor models, the SafetyDetectives team was able to ascertain which monitors were exposed. Essentially, if your monitor allows you to connect to it while away from home and does not require a password to connect, it might be at risk. As Threatpost explains, experts recommend that users secure their devices by using password protection when exposed to the internet, and by setting up access control so that only authorized IP addresses are allowed to connect.
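For owners checking their own monitor against the two recommendations above, the following is an added example, not code from SafetyDetectives or Threatpost. It audits the reply a camera gives to an RTSP DESCRIBE sent without credentials and tests a client address against an allowlist; the function names, the sample responses and the "ExampleCam/2.0" banner are constructed for illustration.

```python
import ipaddress

# Server banners the article lists as vulnerable in the researchers' tests.
FLAGGED_SERVERS = ("Hipcam RealServer/V1.0", "H264DVR 1.0",
                   "webcamXP 5", "Boa/0.94.14rc21")

def parse_rtsp_response(raw):
    """Split an RTSP response into (status_code, lower-cased header dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def audit_describe_response(raw):
    """Findings for the reply to a DESCRIBE that carried no credentials."""
    status, headers = parse_rtsp_response(raw)
    findings = []
    if status == 200:
        findings.append("stream description served without authentication")
    elif status == 401 and headers.get("www-authenticate", "").lower().startswith("basic"):
        findings.append("Basic auth sends the password base64-encoded, not encrypted")
    server = headers.get("server", "")
    if any(server.startswith(banner) for banner in FLAGGED_SERVERS):
        findings.append(f"server banner '{server}' is one the article lists as vulnerable")
    return findings

def client_allowed(client_ip, allowlist):
    """True only if client_ip falls inside one of the authorized networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)

# Constructed sample replies (not captured from real devices).
OPEN_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: Hipcam RealServer/V1.0\r\n"
              "Content-Type: application/sdp\r\n\r\nv=0\r\n")
LOCKED_REPLY = ("RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                'WWW-Authenticate: Digest realm="cam", nonce="constructed"\r\n'
                "Server: ExampleCam/2.0\r\n\r\n")

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("locked", LOCKED_REPLY)):
        print(label, audit_describe_response(reply) or "no findings")
    print(client_allowed("192.168.1.20", ["192.168.1.0/24"]))
```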
Gastroenterology practice suffers data breach.
Gastroenterology Consultants, a healthcare provider located in the US state of Nevada, experienced a cyberattack in December that exposed patient data. “At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers, and other personally identifiable information for a small group of individuals,” a spokesperson told This is Reno. The practice has responded by notifying the impacted individuals and collaborating with a cyber forensic firm and federal law enforcement to investigate the breach.
Self-insurance data leak at construction firm.
Another breach announced this week also involves health-related data, but from an unlikely source: Hoffman Construction, a US building contractor. The Daily Swig reports that an unauthorized party accessed employee data concerning Hoffman’s self-insured health plan, and that the compromised information includes dates of birth, social security numbers, and benefits info. Hoffman released a statement regarding the breach and has begun to contact the affected individuals, but has not yet stated how many employees were exposed.
Hackers target insurance sites for pandemic benefit scam.
Law360 reports that US insurance entities are being targeted by cybercriminals attempting to acquire fraudulent pandemic relief funding. The New York State Department of Financial Services (DFS) warned that hackers are harvesting user data from websites that provide insurance rate quotes, and then using the data to apply for COVID-19 related benefits. "Cyber criminals are creative and tenacious, and continue to look for new ways to exploit us during an already vulnerable time," said superintendent of DFS Linda A. Lacewell. Companies that host such sites have been instructed to watch for any signs of unauthorized access to site data or unusual spikes in quote requests, and to report any breaches discovered within the 72-hour period required by Part 500, the cybersecurity compliance regulation set by DFS in 2017.
Data breach at Jones Day linked to Accellion supply chain compromise.
The Wall Street Journal reports that the international law firm Jones Day has been breached via the compromised Accellion file-sharing software FTA. Jones Day is a large, influential firm with many high-profile clients. We received comment on the incident from several industry experts.
Lamar Bailey, senior director of security research at Tripwire, discussed the breach as another supply chain incident:
“The old saying a chain is only as strong as its weakest link also holds true for today’s extensive supply chains. If one of the products used by an organization is exploited, it opens up the organization to breaches as well.
"Organizations need to be using threat intelligence services to alert them on any exploits or breaches of any provider or product (hardware and software) that is in use or has access to the network. When an alert is received quickly, assess if the vulnerable versions of the hardware or software are in use and take remediation actions. If a supplier was breached, assess what access the supplier had in the network and what data was accessible and then take actions to lock it down until remediations are in place.”
Niamh Muldoon, global data protection officer at OneLogin, expects more such stories to be linked to Accellion in the near future, and recommends that organizations prepare themselves:
"We are likely to see more breach disclosures originating from the Accellion file-sharing data breach over the forthcoming months.
"Business leaders can take appropriate action now to help maintain the trust with their customers, partners and employees. They can achieve this by carrying out due diligence with their organization to understand if the Accellion data file sharing tool is in use, and/or was in use in the past.
"Being transparent with customers, partners and employees about this tool usage and potential exposure allows for appropriate actions to be taken."
ImmuniWeb's Ilia Kolochenko thinks third-party risk is now a given, and adds, in a contrarian comment, that this may be a case in which negotiating with the criminals has some point:
“It is highly likely that a third party or a vendor is the root cause of the alleged data breach. Cybercriminals usually start their “shopping” by probing unprotected third parties that have access to valuable data of the victim. Currently disclosed details about the stolen data indicate that the incident has a narrow impact and only a limited number of customers and cases are affected by it. Also, even if some documents are marked as confidential or privileged, it does not necessarily mean that they still have, or ever had, this protectable status.
"This is, however, a good example where negotiations with the attackers could have minimized the damage, notably the reputational impact of the incident. Aggrieved clients and impacted third-parties may have a wide spectrum of legal claims against the law firm, spanning from violation of state privacy and data protection laws to legal malpractice. The incident deserves rapid investigation and transparent communications with the affected customers - if any.”