STE WILLIAMS

If you wanna learn from the IT security blunders committed by hacked hospital group, here’s some weekend reading

The theft of 1.5 million patient records, including those of Singapore’s Prime Minister, from the city state’s SingHealth hospital group by hackers could probably have been stopped had the IT department not been so useless, an inquiry has found.

In July, citizens were notified that miscreants had siphoned massive amounts of private information from the healthcare organization’s database, which included the records of Premier Lee Hsien Loong, along with those of roughly a quarter of the island state’s population.

A committee of inquiry published its report into the hack on Thursday, and said the attacker, or attackers, probably should have been stopped before they could make off with the data.


The report suggested that, since the Prime Minister was the main target, a “well-resourced” group “having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise,” was involved.

“While our cyber defences will never be impregnable and it may be difficult to prevent an Advanced Persistent Threat (APT) from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report stated.

In particular, the hackers exploited poorly secured Citrix servers that should have had two-factor authentication enabled for administrative accounts – but the IT gear just wasn’t secured that way.

Internet connectivity to the Citrix servers and the Sunrise Clinical Manager (SCM) software was a convenience rather than a necessity, increasing risk, the report added: “Network connectivity was maintained for the use of administrative tools and custom applications, but there was no necessity to do so.”

Worse, the company that operates the patient record database had been warned of vulnerabilities following a penetration-test audit. The report said Integrated Health Information Systems (IHiS) was advised of security holes in 2017, including weak admin passwords and insufficient network segregation.

“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” the report said.

The attack’s timeline also revealed that IHiS dragged its feet reporting the breach of its network security:

  • Probably through phishing attacks, an attacker first gained access to front-end workstations in August 2017, and by June 2018, had access to Citrix servers with SCM database connections, and had compromised “a large number” of user and admin accounts.
  • From May 2018, the attacker was unsuccessfully trying to log into the database.
  • Although admins began spotting malicious connections on 11 June 2018 and saw further attempts on 12, 13, and 26 June, the attacker was able to log into the database on 27 June and begin exfiltrating data.
  • A week later, on July 4, IHiS admins identified the suspicious queries against the database, and blocked the attacks.

The matter wasn’t escalated to the Cyber Security Agency of Singapore, SingHealth’s senior management, the Ministry of Health, or the Ministry of Health Holdings until July 10, 2018, and it took until July 20 before the cyber-raid was announced to the public.

The report is critical of IHiS staff training, saying it lacked the “awareness, training and resources” to respond to the attack, and as a result, they missed opportunities to prevent the data exfiltration.

Recommendations in the report include an enhanced security structure, better endpoint security and forensic capability, better staff awareness, enhanced security testing (including periodical red team exercises), tighter controls on administrative accounts, and better incident response planning. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/singapore_health_hack/

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it’s ‘an act of war’

US snack food giant Mondelez is suing its insurance company for $100m after its claim for cleaning up a massive NotPetya ransomware infection was rejected – for being “an act of war” and therefore not covered under its policy.

Zurich American Insurance Company has refused to pay out on a Mondelez policy that explicitly stated it covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

The claim stems from the 2017 NotPetya cyberattack: a Windows-based piece of ransomware that encrypted a hard drive’s file system table and prevented the system from booting. The code then demanded that a Bitcoin payment be made to regain access. Mondelez says it lost 1,700 servers and 24,000 laptops as a result of the malware.

Security experts – and the UK government – have pinned the blame for NotPetya on Russian hackers trying to damage the Ukrainian government, but the Russian government has formally denied any responsibility.

Insurance companies would probably have to shell out over $80bn as a result of the attack, warned one survey – more than 2012’s Hurricane Sandy. Shipping giant Maersk said it had lost $300m as a result of the ransomware; FedEx said it had lost the same.

So, it’s a no from us

After reviewing Mondelez’s $100m claim, Zurich did what all insurance companies do and investigated with an eye to reducing the payout.

But despite offering an initial payment of $10m, the company then rejected the claim altogether, citing an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power.”

In effect, it argued that the losses had been suffered through a Russian government hostile action – an act of war.

That is a very unusual position to take – Mondelez called it “unprecedented” in court papers – since the insurance company will be obliged to prove that it was in fact the Russian government that had carried out the attack as a hostile action. It is notoriously difficult to pin cyberattacks on specific groups, governments or organizations.

If Zurich argues its case in court and wins, it would have an immediate impact, causing all large companies to review their policies and most likely creating a new market in cyberattack insurance almost overnight. The case, lodged in an Illinois court (2018-L-011008), is being watched keenly as a result. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/

Dozens of .gov HTTPS certs expire, websites offline, FBI on ice, IT security slows… Yup, it’s day 20 of Trump’s govt shutdown

The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.

That’s caused a bunch of HTTPS-protected .gov sites to become inaccessible or throw up browser errors. Some websites, such as NIST.gov, have been scaled back due to the funding freeze.

Not all of those aforementioned TLS certificates have lapsed since the budget impasse became apparent on December 22, 2018. For example, a US Justice Department website sports a TLS certificate from web registrar Go Daddy that expired on December 17, 2018.

But other websites sport more recently lapsed certs, such as NASA’s Rocket Test website, whose certificate expired on January 5, 2019, and the Lawrence Berkeley Lab website, whose certificate expired on 8 January 2019.

Due to the expired certificates, would-be visitors may find it difficult to access affected websites, or may be kept away entirely by scary browser warning messages.

In theory, Netcraft observes, support for HTTP Strict Transport Security (HSTS) in modern browsers should prevent users from visiting websites with invalid certs. But because many government websites fail to implement HSTS correctly, visitors to these misconfigured sites will still be able to bypass warnings, raising the possibility of man-in-the-middle attacks.
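As an added example (not from Netcraft or the article), here is a small Python checker for the Strict-Transport-Security header that encodes the misconfigurations the paragraph alludes to: a missing header, a max-age of zero or a very short one, and missing includeSubDomains or preload directives. The hostnames and header values are constructed for the example; the one-year threshold follows the HSTS preload list requirement.

```python
# Minimum max-age that the HSTS preload list requires: one year in seconds.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Split 'max-age=...; includeSubDomains; preload' into a lowercase directive map."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header_value):
    """Return a list of findings for a Strict-Transport-Security header value
    (None means the header was absent). An empty list means the policy looks sound."""
    if header_value is None:
        return ["no Strict-Transport-Security header: users can click through certificate warnings"]
    findings = []
    directives = parse_hsts(header_value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # Browsers discard an HSTS header without a valid integer max-age.
        findings.append("max-age missing or not an integer: browsers ignore the whole header")
    elif int(max_age) == 0:
        findings.append("max-age=0: HSTS is switched off for this host")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is short; one year ({MIN_MAX_AGE}) or more is recommended")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains may still be reachable over plain HTTP")
    if "preload" not in directives:
        findings.append("preload missing: the very first visit is unprotected until the header is seen")
    return findings


# Constructed sample hosts and header values; not real .gov measurements.
SAMPLE_HEADERS = {
    "well-configured.example.gov": "max-age=31536000; includeSubDomains; preload",
    "short-max-age.example.gov": "max-age=300",
    "switched-off.example.gov": "max-age=0",
    "no-hsts.example.gov": None,
}


def audit_sites(headers):
    """Map each host to its findings; hosts with an empty list pass."""
    return {host: evaluate_hsts(value) for host, value in headers.items()}


if __name__ == "__main__":
    for host, findings in audit_sites(SAMPLE_HEADERS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

One caveat worth keeping in mind when reading the Netcraft observation: a browser only remembers an HSTS policy after a successful HTTPS visit that served a valid certificate and a sound header. A site whose header was broken before its certificate lapsed gives the browser nothing to enforce, so the warning stays bypassable; a site with a good policy and an expired certificate becomes hard-blocked, which is the intended, safe failure.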

The partial government shutdown arises from President Trump’s insistence that Congress pass a national budget that includes $5.7 billion for the border wall he previously said would be paid for by Mexico. The Democrats now in control of the US House of Representatives have rejected Trump’s plan and there’s no evident interest in a compromise at the moment. As a result, federal government employees are expected to continue working without pay, or are being barred from work if deemed non-essential.


With government agencies limiting operations, including the Departments of Agriculture, Commerce, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, State, Transportation, and the Treasury, not to mention the Environmental Protection Agency, official inattention is magnifying security risks.

As the funding freeze loomed last month, DHS issued shutdown guidance saying it expected only 2,008 of its 3,531 employees in the recently formed Cybersecurity and Infrastructure Security Agency (CISA) to remain active in the absence of funding. That means a lot of IT security work will be left undone. While a skeleton staff remains active at NIST to keep the National Vulnerability Database and time servers running, the majority of employees were sent home and its website pared back, somewhat hampering security research.

On Thursday, the FBI Agents Association, a group that represents almost 13,000 active duty FBI Special Agents, sent a petition to the White House and Congressional leaders warning of the impact of the shutdown on the national law enforcement agency.

Noting that FBI workers will not be paid on Friday, January 11, as they should be, the petition asks for elected leaders to fund agency operations “before financial insecurity compromises national security.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/government_shutdown_security/

Reddit Alerts Users to Possible Account Breaches

User lockouts, combined with requirements for new passwords, indicate an attack on accounts at the popular social media platform.

Popular social media platform Reddit has notified users that some of them have been locked out of their accounts because of suspicious activity. It was most likely the users’ own fault, the company said, but engineers were working to fix the problem.

The blog post, authored by “Sporkicide,” read, in part:

A large group of accounts were locked down due to a security concern. By “security concern,” we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access.

It went on to say that weak passwords used on multiple accounts made account takeover and misuse much easier.

Some security experts noted that the reported activity fit the profile of a specific attack. In an emailed statement to Dark Reading, Jarrod Overson, director of engineering at Shape Security, wrote, “Whenever there is a massive account takeover wave unrelated to a system compromise, it is very likely it is due to a credential stuffing attack.” He explained that credential stuffing involves using automated tools to use usernames and passwords stolen from one site to try to gain access to another.

Overson noted, “Accounts that have built up credibility on services like Reddit are extremely valuable for criminals. They can use those accounts to push malicious content, to exploit other users, and coordinating masses of accounts can make content appear to go viral legitimately.”

In the blog post notifying users of the issue, Reddit recommended that users use strong passwords unique to each service they frequent, and enable two-factor authentication whenever possible.


Article source: https://www.darkreading.com/attacks-breaches/reddit-alerts-users-to-possible-account-breaches/d/d-id/1333631?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DNS Hijacking Campaign Targets Organizations Globally

A group believed to be operating out of Iran has manipulated DNS records belonging to dozens of firms in an apparent cyber espionage campaign, FireEye says.

Attackers believed to be working out of Iran have manipulated the DNS records of dozens of organizations around the globe to intercept and record their network traffic in what appears to be a large and growing espionage campaign.

Among those affected are commercial entities, government organizations, Internet infrastructure providers, and telecommunications firms in North America, North Africa, and the Middle East.

FireEye, which has been tracking the threat for the last several months, this week described the DNS hijacking campaign as notable for its almost unprecedented scale.

In a report yesterday, the security vendor said that it has so far not been able to attribute the attacks to any particular threat group. However, the available evidence — including IP addresses and the machines used to intercept, record, and forward network traffic — suggests the attacker is based in Iran. Some of the organizations that the group has targeted so far, including governments in the Middle East, are also entities that would be of interest to the Iranian government, according to FireEye.

“The implications are tricky,” says Ben Read, senior manager for cyber espionage analysis at FireEye. “Malicious actors could have access to sensitive data, they can intercept email, without having anything on your internal network,” he says.

Last November, Cisco’s Talos group had reported on a campaign it called DNSpionage, which is aimed at organizations in Lebanon and the United Arab Emirates. In a report, Talos described the activity as involving the use of fake job websites to drop malware on systems within target organizations. Attackers were also attempting to redirect DNS traffic belonging to several government and private domains in the country in an apparent information-gathering effort, Talos noted.

The campaign that FireEye reported on appears to be a continuation and expansion of the same one that Talos described last November.

Read says FireEye has so far not been able to determine how exactly the attackers are gaining access to the DNS records. But it is possible they are using multiple techniques to get initial access to them.

The attackers have manipulated DNS records in at least three different ways. In some cases, the attackers have altered the “DNS A” records that are used for mapping domain names to IP addresses, so traffic bound for one domain gets redirected through one controlled by the attackers.

The second method the attackers have used is to alter DNS NS records, pointing a victim organization’s nameserver record to an attacker-controlled domain. The attackers have also employed a DNS Redirector “operations box” that is designed to respond with an attacker-controlled IP address to DNS requests for victim domains, FireEye said in its report this week.

If the domain name is not part of the targeted zone, the requested IP is returned to the user, FireEye said.

After the attackers alter the DNS records, they have used fraudulent Let’s Encrypt certificates to ensure that any traffic that is being rerouted remains encrypted in order not to arouse suspicion, Read notes.

Kris Beevers, CEO of NS1, says the hijacking attacks of the sort that FireEye reported are easy to pull off. Often, all that a bad actor has to do in order to manipulate a DNS record is to take over the login credentials to the DNS provider and registrars.

“They can also use BGP hijacking or [take] over the DNS resolver that a specific target user is using and [by] man-in-the-middling,” Beevers says.

Attacks like these highlight the need for organizations to use strong authentication to protect access to the domain’s administration panel, Read says.

Organizations should also make it a practice to monitor authorized DNS activity logs for unexpected changes and enable DNSSEC to verify the authenticity of information received from authoritative DNS servers, Beevers says.
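A defender-side illustration of the monitoring Beevers recommends, applied to the A and NS manipulations described above. This is an added example, not FireEye’s or NS1’s code: it parses two constructed zone snapshots (a trusted baseline and a later observation) in a simple “name TYPE value” line format assumed for this example and flags any A or NS record whose value set changed. NS changes are rated higher because a replaced nameserver hands over every name in the zone rather than a single host.

```python
def parse_zone(text):
    """Parse a minimal zone export: one 'name TYPE value' per line, '#' starts a comment.
    Returns {(name, type): set(values)} so multi-valued records (e.g. two NS) compare as sets."""
    zone = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        zone.setdefault((name.lower(), rtype.upper()), set()).add(value.lower())
    return zone


def diff_zones(baseline, observed):
    """Return one alert per record whose value set changed, appeared or disappeared.
    NS changes are HIGH severity (whole-zone takeover), A changes MEDIUM (single name)."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        before = baseline.get(key, set())
        after = observed.get(key, set())
        if before == after:
            continue
        name, rtype = key
        alerts.append({
            "severity": "HIGH" if rtype == "NS" else "MEDIUM",
            "name": name,
            "type": rtype,
            "before": sorted(before),
            "after": sorted(after),
        })
    return alerts


# Constructed baseline snapshot taken when the zone was known-good; not a real zone.
BASELINE = """
example.test       A   192.0.2.10
mail.example.test  A   192.0.2.25
example.test       NS  ns1.example.test
example.test       NS  ns2.example.test
"""

# Constructed later snapshot: the mail host's A record and one NS record have changed.
OBSERVED = """
example.test       A   192.0.2.10
mail.example.test  A   198.51.100.7       # A record now points elsewhere
example.test       NS  ns1.example.test
example.test       NS  ns1.unexpected.test   # nameserver replaced by an unknown host
"""


def run_check():
    """Compare the two snapshots and return the resulting alerts."""
    return diff_zones(parse_zone(BASELINE), parse_zone(OBSERVED))


if __name__ == "__main__":
    for alert in run_check():
        print(f"[{alert['severity']}] {alert['name']} {alert['type']}: "
              f"{alert['before']} -> {alert['after']}")
```

In practice the baseline would be exported from the registrar or DNS provider’s API and the observed set queried from the authoritative servers on a schedule; pairing this with certificate transparency monitoring catches the certificate-issuance step Read mentions, since a certificate issued for your domain that you did not request is the other visible footprint of this kind of hijack.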


Article source: https://www.darkreading.com/attacks-breaches/dns-hijacking-campaign-targets-organizations-globally/d/d-id/1333634?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Software Side-Channel Attack Raises Risk for Captured Crypto

The new attack hits operating systems, not chips, and may give criminals the keys to a company’s cryptography.

A new side-channel attack that bypasses specific chips for a hardware-agnostic, operating system-based approach, has been published by a team of researchers. The attack — with a serious security punch but no sexy name — takes advantage of a fundamental feature of modern operating systems to gain access to data that programmers and users assume will be hidden.

The attack, published in a paper titled “Page Cache Attacks,” is effective against Windows and Linux — and possibly other operating systems. Furthermore, it doesn’t rely on obscure or malformed instructions to the hardware: It is based on simple system calls available to relatively low authority user accounts through the operating system.

One of the researchers who found the new vulnerability is Alex Ionescu, vice president of ADR strategy at CrowdStrike. He explains the ingredients required for a successful attack on a cache: “If you have the ability to a) force things into the cache and then, b) measure or check that they’re in the cache, and then c) potentially force evict them out of the cache, then you have something interesting.” The group of academic and industry researchers who found the new vulnerability realized that caches don’t just live in hardware; as Ionescu says, “Caches are everywhere in life.”

The power of this new vulnerability is that it can examine and then exfiltrate data across an entire page of the cache, even data that is present for only a number of milliseconds. Since the attacking data check itself takes only milliseconds, there is enough time to do things like read a number of keystrokes or the clear-text response to a query involving cryptographic keys.

After looking at the potential impact of the vulnerability, Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), wrote in an email to Dark Reading, “The team has demonstrated how a fundamental concept in modern OS architecture can be abused to create covert data channels between isolated processes, log keystroke timings, spy on random number generators, and generally leak information from other processes as an unprivileged user.”

Noting that the vulnerability is based on a legitimate system call in the affected operating systems, Young wrote, “This problem stems from overly permissive operating system designs giving unprivileged processes too much access to certain cache-related system calls.”

That basis in system calls means that the vulnerability could be used by a different class of criminal than those that could potentially use something like Meltdown or Spectre. “The others required a lot of sophistication and knowledge and were not for the faint of heart,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, says. “This one is simpler and not hardware dependent, so it could be used by a lot of day-to-day criminals. This one doesn’t need a state actor; this one can be pulled off by regular criminals.”

The ease of using the attack and the data it provides is increased by application developers who take shortcuts. The paper notes examples of PHP frameworks that use the PHP function “microtime” as the pseudo-random seed for their cryptographic operations. Since the attack can capture the microtime return and the call to the cryptographic generator, an attacker could learn the basis for the encryption, making decryption much easier.
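The weak pattern the paragraph describes, beside its fix, as an added Python example that is not from the paper or from any PHP framework: weak_token seeds a general-purpose PRNG with a microsecond timestamp (the microtime pattern), so the token is a pure function of a clock value that a side channel can observe; secure_token draws from the operating system CSPRNG instead, which has no such observable input. The function names and the 16-byte token size are this example’s own choices.

```python
import random
import secrets
import time


def weak_token(seed_microtime, nbytes=16):
    """Token from a PRNG seeded with a microsecond timestamp.
    Mirrors the pattern the paper criticises (PHP microtime() as the seed):
    the output is fully determined by the timestamp, so anyone who learns
    the seed value reproduces the token exactly."""
    rng = random.Random(seed_microtime)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def secure_token(nbytes=16):
    """Token from the OS cryptographic random source: no observable value determines it."""
    return secrets.token_bytes(nbytes)


def is_reproducible(token, seed_microtime):
    """True when the token is exactly what the seed yields, i.e. the seed is the only secret."""
    return weak_token(seed_microtime) == token


def now_microtime():
    """Integer microseconds since the epoch, the kind of value microtime() returns."""
    return int(time.time() * 1_000_000)


if __name__ == "__main__":
    t = now_microtime()
    print("weak token reproducible from its timestamp:", is_reproducible(weak_token(t), t))
    print("secure tokens differ between calls:", secure_token() != secure_token())
```

The point of the comparison is that a token’s secrecy can be no greater than the secrecy of its seed: a timestamp is both low-entropy and, as the article explains, observable through the page cache, whereas secrets.token_bytes has no caller-visible seed to leak.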

Ionescu says that mitigation is possible, but it requires both operating system vendors and application developers to look at their code, acknowledge that a vulnerability exists, and patch for it. And Hahad notes that these patches are both good news and bad news for the enterprise.

“Given how people patch their OSes, it will be a long time before the patches are all applied,” he says. “On the other hand, there’s not much an administrator can do aside from the patch. It’s not like there’s something I can do proactively to prevent someone from exploiting it. You just have to wait for the patch to come out and apply it as quickly as possible.”


Article source: https://www.darkreading.com/vulnerabilities-and-threats/new-software-side-channel-attack-raises-risk-for-captured-crypto/d/d-id/1333635?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Update now! Microsoft and Adobe’s January 2019 Patch Tuesday is here

After a busy sequence of updates in October, November, and December, the new year’s first Patch Tuesday promises a lighter workload.

All told, there are 49 patches with CVEs, two advisories affecting Adobe and the Windows 10 servicing stack updates (see below), with a modest seven rated ‘critical’.

In a welcome change from recent months, there are no zero-day flaws, although one, a Remote Code Execution (RCE) flaw in the Jet database engine (CVE-2019-0579), has been publicly disclosed, earning it an ‘important’ rating.

Interestingly, Jet is responsible for 11 CVEs, winning it the award for being this month’s most patched component, ahead of the OS kernel, SharePoint, and Office on four each.

The seven critical-rated vulnerabilities are all RCEs, including CVE-2019-0547 in the Windows DHCP Client for all versions of Windows 10 1803, which, given the delayed rollout of 1809 (the October 2018 Update), many will still be running.

CVE-2019-0550 and CVE-2019-0551 are RCEs affecting Windows Hyper-V, while CVE-2019-0565 is a memory corruption flaw in the Edge browser.

Rounding these out are three memory corruption flaws in the Chakra Scripting Engine, CVE-2019-0539, CVE-2019-0568, and CVE-2019-0567.

An interesting lower-priority flaw is CVE-2019-0622, an elevation of privilege (EoP) bug affecting the Android Skype app that reports last week said could allow someone with physical access to bypass Android’s screen lock, giving access to photos and contacts.

As an aside for anyone still running Windows 10 1703 (April 2017’s Creators Update), Microsoft recommends that users first apply servicing stack updates (SSU), the part of Windows responsible for updating.

Exchange

If there’s a curiosity this month it might be CVE-2019-0586, which Microsoft rates as important rather than critical despite the slightly alarming fact that the company’s assessment goes on to state:

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

At least one expert has pointed out that because Exchange is a messaging server this might not be much of a barrier assuming the attackers know how to craft the right exploit.

If you use Exchange, definitely put this high on your test and deploy list.

Adobe

Adobe updates in Patch Tuesday correspond to last week’s APSB19-01 (a non-security update for Flash) and APSB19-02 (Acrobat/Reader) which addressed CVE-2018-16011 and CVE-2018-1618, both critical flaws.

A welcome surprise is that there are no new Flash vulnerabilities this month. At the rate Adobe has been issuing urgent fixes in recent months the shrinking population of people using the software were surely due a break.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WVVNi9Dxun8/

Facebook violated tough new cybersecurity law, says Vietnam

Back in June, when Vietnam passed a new cybersecurity law giving its government sweeping powers to monitor online activity, Amnesty International called it a “devastating blow for freedom of expression,” leaving “no safe place for people to speak freely” in Vietnam:

The law would give sweeping new powers to the Vietnamese authorities, allowing them to force technology companies to hand over potentially vast amounts of data, including personal information, and to censor users’ posts.

At the same time, internet giants such as Google, Facebook and Twitter warned that provisions for data localization, controls on content that affect free speech, and local office requirements would harm the country’s economic development.

The draconian law took effect on the first day of the new year, and less than 10 days later, the government began flexing its new legal muscle. On Tuesday, Vietnam threatened Facebook, claiming that it has violated the new law by not removing what it says is anti-government content.

According to a report published on Wednesday by state-controlled media Vietnam News, the Ministry of Information and Communications (MIC) on Tuesday held a press conference in which it accused Facebook of allowing personal accounts to post “slanderous content, anti-government sentiment and libel and defamation of individuals, organisations and State agencies.”

From the report:

Facebook had not reportedly responded to a request to remove fanpages provoking activities against the State at the request of authorities.

Vietnam News quoted the MIC as saying that the content had been found to “seriously violate Vietnam’s Law on cybersecurity and government regulations on the management, provision and use of internet services.”

The MIC reportedly claimed that the government had sent emails repeatedly asking Facebook to remove “distorted and misleading content,” but the platform “delayed” removal of the content, saying it didn’t violate its community standards. The MIC also said that Facebook refused to give the communist country’s security agencies the data it sought for “fraudulent accounts.”

Facebook put out a statement saying that it has a “clear process” for governments to report illegal content and that it reviews all such reports:

We review all these requests against our terms of service and local law. We are transparent about the content restrictions we make in accordance with local law in our Transparency Report.

According to Facebook’s most recent transparency report, which covers the first half of 2018, it received 12 requests for data from Vietnam. It only handed over the data for two of those requests.

The government is also considering taxing Facebook for its advertising revenue, saying that the country’s losing money due to foreign businesses such as Facebook not paying taxes. The report cited a market research company as saying that $235 million was spent on advertising on Facebook in Vietnam last year, but that Facebook was ignoring its tax obligations to the country.

Vietnam News said that authorities are still gathering evidence of Facebook’s “infringements.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jNklLQJSxGc/

You can’t delete Facebook from some Androids and people aren’t happy

The #DeleteFacebook movement may be growing, but many Samsung users are having a tough time scraping the social network’s preinstalled software from their phones.

Bloomberg reports that the Facebook software that comes installed on some Samsung phones cannot be deleted. Instead, it can only be disabled. Devices affected include flagship models such as the Galaxy 9, for which users pay high prices.

Some users were irritated that the app couldn’t be truly deleted, even in its disabled state.

Pre-installed software has long been a feature on both mobile and desktop platforms. For years, many PCs have shipped with ‘bloatware’ – trial versions of apps including antivirus tools that users see the first time they start their machine. However, PC users have the power to delete those apps.

While it’s true that you can’t delete Facebook’s preinstalled software from some Samsung units, the problem isn’t as severe as you might think. The preinstalled software isn’t the full-blown app. Instead, it’s a ‘stub’ application called the Facebook App Manager that simply prompts you to update it to the full version of the Facebook app.

The stub app is installed as system software, making it hard for regular users to delete. It isn’t the only system software that Android users can find on their phones. Applications from Google, which produces Android, also regularly crop up in the system space on Android phones.

Disabling the Facebook app makes it act as though it has been deleted. This means that as far as anyone knows, the disabled stub version won’t secretly send your data to Facebook.

Having said that, users could be forgiven for distrusting Facebook’s interaction with software on their phones. The Onavo VPN that it purchased in 2013 was found to have been phoning home from users’ devices and telling it what software people were using, even when it was turned off. More recently, third-party apps have been caught sending app usage data to Facebook’s servers without users’ permission.

There are reportedly some complex options available to delete stub system apps without gaining root access to the phone. These include package disablers and Android Debug Bridge (ADB) programs that let you communicate with the phone via a command line interface. This is technical stuff, though, and not something that the average consumer should tackle. One wrong step with an erroneous command and you could damage your Android operating system.

For the majority, the best option may simply be to take a deep breath, disable the app, and ignore the fact that companies are making money preinstalling stub apps on a device that you already paid for.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xxl_Q1H21P8/

Reddit locks out users with poor password hygiene after spotting ‘unusual activity’

Some Redditors have been locked out of their accounts over a mysterious security problem that the internet forum’s admins have blamed on people reusing old passwords.

Precisely what has happened, or whether Reddit itself has suffered a hack or data breach, is not yet known, only that the website described it as a “security concern”.

However, a thread posted by Reddit admin Sporkicide squarely blamed the all-encompassing forum’s users for bad password hygiene.

The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.

Credential-stuffing attacks are where compromised usernames and passwords harvested by hackers from one site are tried on other sites to see whether they work. One easy way of avoiding this is to not reuse login credentials across different websites.
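The credential-stuffing pattern described here and in the Dark Reading item above (many different usernames tried from one source in quick succession, almost all failing) is what a service’s login telemetry shows before it locks accounts. The following is an added Python detector, not Reddit’s or Shape Security’s code, run over a constructed login log; the log format, the thresholds and the IP addresses are this example’s assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; not from Reddit or any real service.
# Each line: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """
2019-01-10T09:00:01 198.51.100.5 alice FAIL
2019-01-10T09:00:02 198.51.100.5 bob FAIL
2019-01-10T09:00:02 198.51.100.5 carol FAIL
2019-01-10T09:00:03 198.51.100.5 dave FAIL
2019-01-10T09:00:03 198.51.100.5 erin SUCCESS
2019-01-10T09:00:04 198.51.100.5 frank FAIL
2019-01-10T09:00:05 198.51.100.5 grace FAIL
2019-01-10T09:00:05 198.51.100.5 heidi FAIL
2019-01-10T09:00:06 198.51.100.5 ivan FAIL
2019-01-10T09:00:06 198.51.100.5 judy FAIL
2019-01-10T09:00:07 198.51.100.5 mallory FAIL
2019-01-10T09:01:00 203.0.113.9 alice FAIL
2019-01-10T09:01:20 203.0.113.9 alice FAIL
2019-01-10T09:01:40 203.0.113.9 alice SUCCESS
2019-01-10T09:02:00 192.0.2.77 bob SUCCESS
"""


def parse_log(text):
    """Turn the log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=8, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames within `window` with mostly failures.
    A user who forgot a password looks different: one username, a few failures, then success.
    Returns {ip: {"users", "attempts", "failures", "successes"}} for the widest matching window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                if ip not in suspects or len(users) > suspects[ip]["users"]:
                    suspects[ip] = {
                        "users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        # Accounts the run actually got into: the ones to lock and reset.
                        "successes": sorted(e[2] for e in span if e[3] == "SUCCESS"),
                    }
    return suspects


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The “successes” list is the actionable output: those are the accounts whose reused password was in the attacker’s list, which is exactly the population a lockout-and-reset like Reddit’s is meant to cover. Real deployments would key on more than source IP, since stuffing tools spread attempts across proxies, but the distinct-usernames-per-source signal is the core of the detection.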


“Over the next few hours, affected accounts will be allowed to reset their passwords to be unlocked and restored. This will take the form of either a notification to the account (yes, you’ll be able to log in to get it) and/or an email to any support ticket you’ve already sent in,” continued Sporkicide’s post.

Another possible reason for an enforced password reset could be a compromise of users’ login credentials from the site operator. There is no evidence in the public domain either way, however.

Reddit is owned by American magazine publishing house Condé Nast. In August last year the site suffered a confirmed data breach after hackers worked around staffers’ SMS two-factor authentication protections. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/10/reddit_password_reset/