STE WILLIAMS

Microsoft dismisses new Windows RDP ‘bug’ as a feature

Researchers have found an unexpected behavior in a Windows feature designed to protect remote sessions that could allow attackers to take control of them.

The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.

Starting with Windows 10 release 1803 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.

Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.

The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).

That’s where the unexpected behavior kicks in, according to the advisory:

Because of this vulnerability, the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.

The behavior also bypasses multi-factor authentication (MFA) systems that integrate with the Windows login screen, explains the advisory. Duo Security admits that its MFA products are affected, adding that the issue isn’t its fault:

By forcing the use of cached credentials, Microsoft has broken functionality used by credential providers to add resilience to this workflow.

However, rival MFA firm Silverfort says that it isn’t affected because it doesn’t rely on the Windows lock screen:

Due to the way our products [sic] operates, we are not affected by this vulnerability. We use a unique technology which allows us to enforce MFA on top of the authentication protocol itself (e.g. Kerberos, NTLM, LDAP) without relying on Windows login screen.

Microsoft also responded to the issue, explaining that it’s a feature, not a bug. It told CERT:

After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).

Unconvinced, Tammariello’s colleague Will Dormann still thinks you should work around it:

Given that Microsoft isn’t fixing this any time soon, you should use the local machine’s lock screen rather than relying on the remote box’s lock, says the CERT advisory. You can also disconnect RDP sessions when you go and visit the loo. Yes, it’s annoying, we know.

Responding to a user complaint, a Microsoft Technet moderator also said it was possible to disable automatic reconnection on the RDP host via group policy, and provided instructions.

If the phrase ‘Network Level Authentication’ rings a bell, it’s because Microsoft has recommended this as a protection measure against exploitation of CVE-2019-0708, nicknamed BlueKeep, the serious vulnerability affecting pre-Windows 8 systems, which the NSA, amongst many others, is now begging people to patch.

This issue doesn’t mean that you shouldn’t use NLA to protect your pre-Windows 10 boxes. For one thing, this unexpected behavior only exists on Windows 10 and Windows Server 2019. BlueKeep doesn’t affect these editions of the Windows OS.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m73omlAvvDY/

Firefox aims at Google with Enhanced Tracking Prevention

Years in the making, the latest version of Firefox, 67.0.1, has finally unleashed a fully fledged version of Mozilla’s much-touted Enhanced Tracking Protection (ETP) privacy system.

Mozilla’s reached this point through so many smaller jumps that Firefox users could be forgiven for being confused about what ETP adds to the browser that’s not already there.

Its beginnings can be traced back to 2015 with the appearance of Tracking Protection in Firefox’s Private Browsing mode, a way of making it harder for advertisers to monitor users by setting cookies that track them across websites.

Firefox 57 (Quantum) in 2017 started migrating this layer into the main browser, which Mozilla said it planned to make a default setting for future releases – a far from easy undertaking given how easily anti-tracking can break the bits of websites users value.

As outlined in a launch blog, it’s now doing that in earnest by integrating a tracker block list compiled by partner Disconnect.me.

It’s hard to say how exhaustive this is but with 2,567 domains on the block list – including a large number connected to Google – it is surely a show of intent by Mozilla.

However, before users rush to update Firefox, there are a few issues worth paying attention to, the first being that ETP will only be turned on by default for users who download Firefox anew.

Anyone updating a current installation will need to enable default blocking manually via Options > Privacy & Security > enable Custom blocking and tick all the boxes.

Clicking on Change block list reveals that there are also two blocking lists, the strictest of which (number two) might cause problems on some websites. Users can see which trackers have been detected for any site by clicking on the purple shield icon in the address bar.

Arguably, Firefox’s Standard, Strict, and Custom blocking levels have become a bit confusing, which is why it’s worth reading the company’s detailed explanation to understand what each signifies.

Facebook Container

Also added is an upgraded version of the Facebook Container extension, which Naked Security covered when it launched last year.

That offered basic protection – logging users out of the site in case they forgot, for instance. The new version adds the ability to block the ubiquitous buttons on third-party sites that can also be used to track users beyond the site’s confines.

Wrote Firefox senior vice president, Dave Camp:

This blocking makes it much harder for Facebook to build shadow profiles of non-Facebook users. You will know the blocking is in effect when you see the Facebook Container purple fence badge.

Firefox Lockwise

Launched as an app on Android and iOS as a place to store passwords, Lockbox has been renamed Lockwise and is now available as a desktop extension.

This performs a similar job to third-party password managers with the obvious caveat that it only works when using Firefox. It also needs an account to sync passwords across devices.

Monitor dashboard

Mozilla has also enhanced Firefox monitor with a dashboard that allows users to see at a glance how multiple email addresses are connected to known breaches. Camp said:

You’ll be able to easily identify which emails are being monitored, how many known data breaches may have exposed your information, and specifically, if any passwords have been leaked across those breaches.

What’s fascinating about Firefox’s development is how it is becoming ever more differentiated from rivals such as Google’s Chrome and Microsoft’s Chromium-based Edge.

In the past, it wasn’t always clear to users what made Firefox different beyond the fact that it wasn’t developed by Google or Microsoft, which some users preferred.

It’s an issue that seems to have energised Apple too, which in theory makes Safari one of Firefox’s main rivals for the privacy crown.

Tech used to be about which company could get big and make the most money. It’s still about that, but as a forthright interview with Apple’s Tim Cook this week underlines, privacy might yet turn out to be Google and Facebook’s Achilles’ heel.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/T8P9YUhz9I4/

Worried ransomware will screw your network? You could consider swallowing your pride, opening your wallet

As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window.

The idea of agreeing to an extortionist’s demand, and paying a ransom to restore your company’s scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to analyst house Forrester Research.

Josh Zelonis, a senior analyst specializing in security and risk for Forrester, argued this month that while organizations shouldn’t just cave in immediately to every demand made, they should at least look into whether agreeing to a criminal’s terms may be a better option than a costly wipe and recovery process.

The analyst is not alone, either. Other security professionals agree that, in certain cases, it may be better to negotiate than hold out and face a catastrophic outage and recovery. It may be wise to factor in paying up as a final recovery option, after other mainstream defenses – regular offline backups and security patching, intrusion prevention, and so on – fail.

It shouldn’t be the first option to reach for, and the focus should remain on prevention rather than reactive cleanup; yet the option shouldn’t be discarded entirely, especially as you prepare to sign off on spending seven figures or more on restoring operations.

The case against bankrolling criminals

When it comes to malware, the advice handed down by government agencies and information security firms alike has been to never pay ransom demands. The FBI’s ransomware guidance (PDF) encourages anyone hit with ransomware to contact law enforcement, and tells both home PC owners and enterprises alike not to pay any extortion demands.

Rather, companies are advised to build and maintain regular backups of their data, stored offline separate from networks, and be prepared to wipe and restore any systems that get hit with the file-encrypting extortionware.

The reasoning is not hard to understand. Paying off a ransom only encourages criminals to continue their actions. When a hacker hits pay dirt from a successful ransomware infection, they are almost certain to try the same tactic again, possibly on the same target. By caving in to a ransomware demand, you only strengthen the criminals and put others at risk.

There is another basic truth at work: criminals are not trustworthy people. When you pay a ransomware demand, there is no guarantee the crooks will actually give you a valid unlock code (and in some cases the malware operators don’t even know how to decrypt the files their code scrambles, or care at all whether it works).

Steve Piper, CEO with CyberEdge Group, told The Register that his outfit’s most recent threat report found only about 60 per cent of companies that pay ransomware demands actually get their data back in the end.

“Even if you pay the ransom there is a two in five chance you are not getting the data back anyway,” he explained.

When it comes down to it, the best defense against ransomware is to not get infected in the first place. Barring that, companies should have strong backup and recovery plans. It seems simple enough.

It’s not always so simple, however

While the statistics and tough talk about not negotiating with crooks are all well and good, things are a bit different when it’s your organization’s data that is on the line after you’ve been solidly defeated. Large companies such as shipping titan Maersk and the US city of Baltimore have incurred massive multi-million-dollar cleanup bills after they resolved not to agree to any ransom demands, and repaired their installations virtually from scratch.

Even if a company is meticulous about backing up their data, the actual recovery process is far easier said than done, particularly when you have to do it with hundreds or thousands of PCs and terminals, and dozens of servers or cabinets of servers.

“A majority of organizations, even those that have backups, don’t test their ability to recover,” Forrester’s Zelonis told El Reg, “and those that do don’t test their ability to recover at scale.”

This is where Zelonis wants companies to have the tough conversation; should pride and ego take precedence over the financial health of the organization and its ability to function? Baltimore, for example, has seen vital services such as the police force be affected by their ransomware infection, and Maersk’s operations hit the rocks hard.

When it comes down to it, the analyst argues, organizations should consider the option that is best for their business. In some cases, that might be to agree to some or all of the ransom demands.

“The decision to pay or not pay a ransom is in fact a business decision, and anyone telling you differently are not serving your interests,” Zelonis told El Reg.

“At what point do we make a decision that our ego is second to how do we continue to provide the necessary services?”

Zelonis is not alone in this sentiment. Multiple infosec professionals who spoke with The Register supported the idea that companies should consider at least opening a dialogue with ransomware operators about a possible deal if recovery is non-trivial.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/06/ransomware_coping_strategy/

To members of Pizza Hut’s loyalty scheme: You really knead to stop reusing your passwords

Pizza Hut has warned members of its loyalty scheme “Hut Rewards” not to re-use passwords after hackers managed to access some customer accounts.

The fast-food chain, which also suffered a breach stateside in 2017, believes that miscreants got hold of details from elsewhere and then used them to access Pizza Hut systems.

The outfit reassured customers that it does not store credit or debit card details and that it had already contacted customers whose accounts were compromised.

At least one traumatised punter has seen their rewards points spent on free pizza, according to Money Saving Expert.

A Reg reader sent us the warning email:

We believe there has been unauthorised access of a small amount of Hut Rewards accounts by a third party. We suspect this is due to a third party obtaining emails and passwords from unsecure websites and using them to try and access other websites in the hope that users have used the same email password combination. As a precaution we recommend that you change your Hut Rewards password as soon as possible to preserve the security of your account and, as best practice, strongly recommend that you use different passwords for different websites.

Please rest assured that we do not store any credit or debit card details. We have already contacted the small number of customers whose accounts we’ve identified as being compromised.

We take consumer data and security very seriously and we are working hard to ensure this issue is resolved quickly. We will continue to notify any customers that we identify as being at risk and have also informed our regulator of the incident.

If you have noticed any unusual activity on your account, or if you require further information, please contact our Customer Team. Their details can be found via our website’s Contact Us page at Pizzahut.co.uk.

Though we asked Pizza Hut how the breach was detected and how systems were protected, aside from repeating what was in the email above, it sent us the following statement:

“We are aware of a few hundred accounts, which is under 1 per cent of Hut Rewards customers being impacted. We have contacted these customers directly and will be reinstating lost slices. As a precaution, we are asking all Hut Rewards customers to change their password. We are continuing to investigate this as a priority.”

It could serve as a warning to other organisations if hackers have got their mitts on a bunch of names and passwords and are trying their luck on other websites.

The EU’s General Data Protection Regulation puts the onus on companies to inform customers at risk and the Information Commissioner’s Office (ICO) in the event of breaches. We’re still awaiting a response from the UK data watchdog. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/06/pizza_hut_hacked_tells_rewards_users_to_change_passwords/

When Security Goes Off the Rails

Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis.

“I’m just amazed at the amount of failure that goes along here,” said Bruce Landsberg, National Transportation and Safety Board’s (NTSB) vice president, during a recent hearing about the fatal December 2017 Tacoma Amtrak derailment, according to the Seattle Times.

“We have five or six or seven different organizations that all say safety is their primary responsibility, and yet nobody seems to be responsible,” Landsberg observed. “And it just flows all the way throughout the entire operation here, from the very top management down to the lower levels.”

Let’s change the word safety to security because in today’s world, where security is everyone’s responsibility, this report offers an opportunity to reflect on the similarities and differences between the highly regulated world of rail travel and the world of Internet technologies.

One crucial difference between cybersecurity and transportation is that there’s a widely respected organization, the NTSB, that comes in after accidents and produces a report, and that report establishes facts. Despite many calls for such an organization in the technology world, we still do not have one. There are also important differences between a cyber investigation and a real-world accident involving trains, planes, automobiles, and other vehicles. For example:

  • People often die in transportation accidents.
  • Transportation accidents are defined by law.
  • Transportation accidents are hard to hide.
  • There is industry support for transportation investigations.
  • The accident scene is easy to define with yellow tape that circles the site.

None of these apply to cyber incidents, where, in contrast, the relevant systems may be virtual machines long since shut down, the logs aggregated, and the computers involved owned by many different parties, including individuals.

Time for a Cyber Safety Board?

The NTSB has issued a preliminary synopsis of a forthcoming report, and the 10 pages are both thought provoking and easy reading. I read the report because it was a local tragedy, and, like most NTSB reports, it doesn’t have very much to do with cybersecurity. But a couple of things struck me as I went through it.

First, the cause of the accident is established, as are contributing factors. There are technical, training, and process failures, and many of these are interesting to us in cybersecurity.

Perhaps most interesting are the training findings: “Amtrak did not provide sufficient training on all characteristics of the Charger locomotive,” and “Engineers could better master the characteristics of a new locomotive with the use of simulators.”

How many of us have gotten “sufficient training” on “all characteristics” of the software we use to get our jobs done? What would that even mean for a systems administrator? How long is sufficient Red Hat system administration training? What does it mean to get sufficient training on an Amazon Web Services component, which is subject to change at any time? How many of us have ever used a simulator or range?

We are far more open about breaches than we were even a decade ago, but facts are often thin on the ground. We have a tremendous stream of speculation. We can look over at the transportation sector and see the value of impartial analysis. And that is value to us. It’s time for our industry to figure out how we can get an impartial investigator in cybersecurity.

Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack Associates, and advises startups …

Article source: https://www.darkreading.com/threat-intelligence/when-security-goes-off-the-rails/a/d-id/1334851?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s that time again: Android kicks off June’s patch parade with fixes for five hijack holes

Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included.

This month’s update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet.

Those with Google-branded devices like the Pixel phone line will get the update directly from the Chocolate Factory, while others will need to rely on their vendor or carrier to test and deploy the fixes.

At the basic patch level for all Android devices, users will get fixes for 11 vulnerabilities, four of which are classified as critical remote code execution flaws. Those bugs, if exploited, would allow an attacker to execute commands and install software on the device with little to no user interaction or notification.

Three of the remote code flaws are found in the Android media framework and would be triggered by opening a specially crafted file (such as an image or movie). Two of the bugs, CVE-2019-2093 and CVE-2019-2095, are only present in Android 9, while CVE-2019-2094 is also found in Android 7.0, 7.1.1, 7.1.2, 8.0 and 8.1. A fourth media framework bug, CVE-2019-2096, allows elevation of privileges and is present in versions dating back to 7.0.

A remote code execution flaw was also patched in the Android System component. That bug, CVE-2019-2097, allows arbitrary code execution as a privileged process by way of a poisoned PAC file. The bug was found in versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1 and 9. Three other bugs in the System component, CVE-2019-2102, CVE-2019-2098, and CVE-2019-2099, are present in versions 7.0 and up and would allow elevation of privilege if exploited.

The Android framework was on the receiving end of three bug fixes for CVE-2019-2090, CVE-2019-2091, and CVE-2019-2092. Those vulnerabilities would all allow elevation of privilege by a local application, meaning the bad guy would already need to be running code on your machine and privilege escalation would be the least of your worries.

Those Android device owners whose vendor or carrier has decided they need the next level will get patches for an additional 11 CVE-listed flaws, nine of which are found in various Qualcomm components.

The Android framework will see a fix for CVE-2018-9526, an information disclosure flaw in Android versions 7.0-9, while the Android kernel’s UVC driver will be patched against CVE-2019-2101, another information disclosure bug that allows a local app to bypass system safeguards and view data from other applications.

The nine Qualcomm fixes are divided into two categories. For open source components, four fixes will be handed down. Those include CVE-2019-2269, a critical flaw in WLAN Host stemming from a buffer overflow, and CVE-2019-2287, a critical flaw in a video codec. Two other bugs, CVE-2019-2260 in Android kernel and CVE-2019-2292 in WLAN Host, were also patched.

Five other fixes were applied to Qualcomm’s closed-source components, and as such were not given much explanation. They include two vulnerabilities (CVE-2018-13924 and CVE-2018-13927) classified as critical, and three others (CVE-2018-13896, CVE-2019-2243, CVE-2019-2261) rated as high.

Admins may want to consider the Android patches a warm-up for what is to come next week. June 11th will mark Patch Tuesday, when Microsoft, Adobe, and SAP are all slated to deliver their monthly security updates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/05/android_june_patch/

Researchers Find Thousands of iOS Apps Ignoring Security

A critical data encryption tool, included by default in iOS, is being turned off in more than two-thirds of popular apps.

When a computing platform has a security feature built in, why would a developer decide not to use it? A better question might be, why would more than 20,000 iOS apps be published without an Apple encryption feature that’s turned on by default?

Those are among the questions researchers at Wandera sought to answer when they analyzed more than 30,000 commonly used iOS apps found in the App Store. They found that App Transport Security (ATS), a set of rules and app extensions Apple provides as part of the Swift development platform, is turned off and not used by a majority of the app developers they saw.

Michael Covington, vice president at Wandera, says researchers began looking for answers when they saw critical information being passed in the clear. The company has traditionally looked for any personally identifiable information (PII) going across the network without encryption, he says.

“Apple has this framework in place that essentially should be forcing developers to encrypt anything that they sent out on the network, let alone user names, passwords, and credit card numbers,” he says. So when Wandera researchers saw information flowing without encryption, they asked, “How were these things making it through?” Covington says. “And that’s what led us to ATS.”

Covington says he believes many developers disable ATS because they feel it will impact app performance. Those concerns, he says, come from legacy servers and mobile devices that had very limited CPUs, but today’s systems can easily handle “HTTPS everywhere.”

Other developers disable ATS because they depend on ad networks for revenue from free apps. Many of those ad networks, including those from Facebook, rely on unencrypted connections.

In early versions of ATS, developers could only control the service by turning it on or off. Since iOS 10, though, developers have had the ability to turn it on and off for specific functions within the app. Still, as Wandera researchers point out in their report on the issue, many developers have never changed their practices to use the more granular control available for ATS.
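As an added example (not code from Wandera’s report or from any app it studied), the audit below parses constructed Info.plist fragments with Python’s plistlib and grades the blanket NSAllowsArbitraryLoads opt-out against the per-domain NSExceptionDomains form that the granular control allows; the bundle identifiers and hostnames are made up.

```python
import plistlib

# Constructed Info.plist fragments (sample data, not taken from any real app).
# ATS_DEFAULT does not touch ATS at all, which is Apple's secure default.
ATS_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.default</string>
</dict>
</plist>
"""

# The blanket opt-out: every connection may fall back to cleartext HTTP.
ATS_OFF_GLOBALLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weak</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# The granular form: cleartext allowed only for one legacy ad host, an older
# TLS floor for one API host, and ATS fully enforced for everything else.
ATS_SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.scoped</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-ads.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Per-domain keys that re-enable cleartext HTTP for the listed host.
CLEARTEXT_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
)


def audit_ats(info_plist: bytes) -> dict:
    """Summarise how far an Info.plist weakens App Transport Security.

    Returns the blanket switches, the domains that may use cleartext, the
    domains that accept TLS below 1.2, and a rating: 'high' for a global
    opt-out, 'medium' for scoped weakening, 'ok' when ATS is left intact.
    """
    plist = plistlib.loads(info_plist)
    ats = plist.get("NSAppTransportSecurity", {})
    result = {
        "global_cleartext": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "web_content_cleartext": bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False)),
        "media_cleartext": bool(ats.get("NSAllowsArbitraryLoadsForMedia", False)),
        "cleartext_domains": [],
        "weak_tls_domains": [],
    }
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if any(rules.get(key) for key in CLEARTEXT_KEYS):
            result["cleartext_domains"].append(domain)
        # ATS requires TLS 1.2 unless the exception lowers the floor.
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            result["weak_tls_domains"].append(domain)
    if result["global_cleartext"]:
        result["rating"] = "high"
    elif (result["web_content_cleartext"] or result["media_cleartext"]
          or result["cleartext_domains"] or result["weak_tls_domains"]):
        result["rating"] = "medium"
    else:
        result["rating"] = "ok"
    return result


if __name__ == "__main__":
    for label, blob in (("default", ATS_DEFAULT),
                        ("global opt-out", ATS_OFF_GLOBALLY),
                        ("scoped exceptions", ATS_SCOPED)):
        print(label, audit_ats(blob))
```

Point audit_ats at the Info.plist extracted from an .ipa to see whether an app relies on the blanket switch or on scoped exceptions.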

While the original research focused on consumer apps, Covington says he’s concerned about enterprise apps developed by — or for — large corporations. “One of our customers in pharmaceuticals has about 500 mobile apps that they build and maintain annually,” he explains. “Those are the apps that are either being outsourced to third-party developers or are being built in-house where security is not the primary focus.”

And yet those apps carry very sensitive data on a regular basis.

Covington says he expects to see more examples of security events that take advantage of these unencrypted apps. Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/mobile/researchers-finds-thousands-of-ios-apps-ignoring-security/d/d-id/1334888?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Healthcare Breach Expands to 19.6 Million Patient Accounts

LabCorp says its third-party debt-collection provider, AMCA, notified the company that information on 7.7 million patients had leaked. Expect more healthcare companies to come forward.

A second large healthcare company has come forward to acknowledge that customer information sent to a third-party debt-collection firm likely was compromised.

In a June 4 filing, medical diagnostics firm LabCorp notified the US Securities and Exchange Commission that the company had used the services of American Medical Collection Agency (AMCA) to collect past-due medical bills from 7.7 million patients. The debt-collection firm notified LabCorp that an unknown person or group had accessed data on LabCorp’s customers between August 1, 2018 and March 1, 2019.

The exposed information included the customer’s name, date of birth, address, phone, date of service, provider, and balance information, as well as payment-account information if the patient had attempted to pay their bill, according to the SEC filing.

“AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed,” LabCorp stated in the filing. “AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

LabCorp’s notification comes a day after rival medical-services firm Quest Diagnostics revealed that the breach of AMCA’s website left information on 11.9 million of its customers at risk.

AMCA has not provided the public with a list of its clients, potentially all of whose customers may have been put at risk by the security lapse on the company’s website. On June 5, the company provided an updated statement to Dark Reading, stating it is investigating the unauthorized access of its website and that it planned to provide 24 months of credit monitoring to people affected.

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” AMCA said in the statement. “We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security.”

The debt-collection company plans to provide “24 months of credit monitoring to anyone who had a social security number or credit card account compromised,” according to the statement.

The size of the breach could quickly grow, depending on the number of AMCA clients impacted by the breach, and how many each of those clients referred to AMCA for collection, says Avivah Litan, distinguished analyst with business intelligence firm Gartner.

“It is anyone’s guess, but it could end up affecting all of their customers,” she says. “It could very well be huge. It could make Equifax look like a run-of-the-mill breach.”

The compromise of Equifax’s database put information on more than 145 million Americans—the majority of adults in the country—at risk.

AMCA’s data breach also underscores the danger of third-party providers. AMCA acts as the custodian of financial information for those patients whose files are sent to debt collection. The company accumulates sensitive information from all its clients, but patients rely on the original provider—LabCorp and Quest Diagnostics, in the latest compromise—to keep their information safe, says Fred Kneip, CEO of compliance-service provider CyberGRX.

“It’s natural for healthcare companies to do business with third-party vendors, but it’s critical that they understand and take the actions necessary to mitigate the cyber risks associated with integrated partner ecosystems,” Kneip said in a statement. “Patients place their trust in healthcare providers to protect their data, so it is the provider’s responsibility to protect that data both within their network and beyond to their third parties, ensuring visibility into network ecosystems as well as conducting regular evaluations of their security posture.”

There is very little that patients can do to hold suppliers accountable for the security of their information—they rely on the original service provider, said Michael Covington, vice president of product strategy at Wandera, a mobile security provider. 

“You can’t stop going to the doctor because you’re afraid of a data breach,” he said in a statement. “Your physician, hospital, pharmacy and diagnostics provider all must access your data to keep you healthy. And each one of those ‘service providers’ uses third-parties—many of whom are unvetted from an IT security perspective—to enable their business.”

Until the government puts additional pressure on service providers or suppliers feel the pain of failing to protect their custodial data, the situation will not improve, says Gartner’s Litan.

“The ones who get hurt in the end are the consumer,” she says. “The only ones who do a decent job of regulating are the credit card company, because they have to pay for any fraud.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/informationweek-home/healthcare-breach-expands-to-196-million-patient-accounts/d/d-id/1334889?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vietnam Rises as Cyberthreat

The country’s rapid economic growth and other factors are driving an increase in cybercrime and cyber espionage activity.

Vietnam has rarely been associated with cybercrime activity in the same way other Asian nations, such as China, North Korea, and Iran, have in recent years. But that could change soon.

According to a new report from Intsights, cybercrime and cyber espionage activity in Vietnam is growing.

Vietnamese-language based Internet traffic and activity on the Deep and Dark Web is increasing, and so are attacks on foreign multinational organizations based in the country — particularly automotive companies and media outlets.

At least one previously known advanced persistent threat (APT) group — APT32/OceanLotus — appears to be working in support of the government’s strategic interests. Over the past year or so, the threat group has ramped up attacks against Vietnamese and Cambodian media outlets viewed as hostile to the government. The threat actor has also been increasingly going after automobile manufacturers in advance of the planned launch of Vietnam’s first domestically manufactured vehicles this September.

“This is an optimal time to be keeping a close eye on Vietnam, their economy, and their cyber operations — both state-sponsored and group,” says Charity Wright, cyberthreat intelligence analyst at IntSights. Several factors are contributing to the increased threat activity, she says. One is the country’s rapid economic growth.

Vietnam’s one-party government has committed to aggressive economic growth and has been investing in domestic technology development. With the country seeking ways to gain an advantage over regional economic powerhouses like China, Japan, and South Korea, there has been an increase in cyber espionage activity targeting multinationals, IntSights said.

APT32’s attacks on auto manufacturers serve as one example. Last year the group launched a worldwide malware and espionage campaign targeting major auto companies, such as Toyota. The timing of the attacks suggests the group was tasked with gathering intelligence on rivals and potentially even disrupting their operations with a view to helping VinFast, Vietnam’s first domestic auto company, get off the ground faster.

Internet Censorship Law
The increased threat activity, at least partly, also appears tied to an unpopular Internet censorship law that Vietnam’s government passed last year, IntSights said. The law requires social media companies, such as Facebook and Twitter, to maintain local offices in Vietnam, store local user data within the country, and hand the data over to the government upon request.

The law puts restrictions on what people can say and do on social media. The government has also established a cyber offensive unit called Force 47, comprising some 10,000 members to enforce the law. Force 47’s mission is to monitor for and block access to content that the government deems as unfriendly and unsavory.

The censorship law has driven a growing number of Vietnamese users to the Dark Web, and more people have begun seeking information on cryptocurrencies and cybercrime opportunities, according to the IntSights report. Vietnamese-speaking users have increasingly begun populating well-known, multilanguage, underground forums, though sites dedicated solely to Vietnamese users continue to have relatively low membership, Wright says.

Hacker Vietnam Association (HVA), a Vietnamese hacking website, had over 14,000 members when it was shut down last year. The site offered information on a variety of topics, including hacking, carding, Tor usage, and cryptocurrencies.

Since then, other sites have taken the place of HVA, including one called Vietnam Hacker Blackhats, Wright notes. Such sites provide a forum for Vietnamese hackers to collaborate, trade ideas, and tutor each other on a wide variety of malicious activities, including how to access dark sites, steal bank and credit card information, hack social media accounts, and reverse-engineer malware. Other researchers have associated at least one other APT — Poison Ivy, aka APT-C-01 — with Vietnam, but IntSights is unable to confirm that attribution, Wright says.

“This is a dynamic time for Vietnam because of the rise of their state-sponsored APT32 and the growth of the Vietnamese-language cyber underground,” Wright says.

The nation is fast developing new technologies and learning how to use its Force 47 offensive unit to further economic growth and the objectives of the Vietnamese Communist party, she says.

Until now, the targets have been directly aligned with the country’s economic and political interests. But Vietnam-based cybercrime activity has also been observed targeting US and global banks, social media websites, and other organizations.

“We are witnessing the rise and development of a viable global cyberthreat and notable migration of young, technical population to the Deep and Dark Web,” Wright says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/vietnam-rises-as-cyberthreat-/d/d-id/1334890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple