Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication

A vulnerability has been discovered in Microsoft’s Active Directory Federation Services (ADFS) that allows multi-factor authentication (MFA) to be bypassed with ease. The flaw is being tracked as CVE-2018-8340 and was discovered by Andrew Lee, a security researcher at Okta.

ADFS is used by many organizations to help secure accounts, and MFA vendors such as SecureAuth, Okta, and RSA integrate with ADFS to add multi-factor authentication to their security offerings.

To exploit the vulnerability an attacker would need a valid second-factor token for any account on the same ADFS deployment, plus the login credentials of the target. That token could then be used to satisfy the MFA step for any other person's account whose username and password are known.

A threat actor could easily obtain a username and password by conducting a phishing campaign. The number of phishing attacks on healthcare organizations reported recently shows just how easy it is to fool employees into disclosing their login credentials. Brute-forcing an account with a weak password would also work.

Obtaining a valid second factor is a little more difficult. The second factor is often a one-time code sent to a registered mobile phone number or email address, or a smart card and PIN. Control of such a factor could also potentially be obtained through phishing, or through a successful attempt to get the IT help desk to reset or re-enroll a user's MFA token.

The vulnerability would be easy to exploit by an insider, since that person would already have a valid MFA token registered on the system. All that would be required to access the account of another employee would be their username and password.

The vulnerability is due to the way ADFS tracks state during a login. When the MFA step is completed, the server issues an encrypted context value recording that the second factor was satisfied. However, that context does not include the username, so no check is performed to ensure the MFA proof is being used for the account that actually completed it. If an attacker used one browser to log in with a known username, password and MFA token, and a second browser with just a victim's username and password but no MFA token, the context from the first session could be submitted in the second, so a single MFA token could be used to gain access to both accounts.
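The check that was missing is easiest to see in code. The following is an added illustrative model, not ADFS code or Okta's proof of concept: the MFA context is modelled as an HMAC-signed JSON blob rather than the encrypted value ADFS uses, the key, user table and function names are all constructed for the example, and the only thing it reproduces faithfully is the difference between a context that records "someone passed MFA" and one that records "this user passed MFA".

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical server-side signing key and a constructed user table.
SERVER_KEY = secrets.token_bytes(32)
USERS = {"alice": "correct-horse", "mallory": "battery-staple"}


def _sign(payload: dict) -> str:
    """Serialise a payload and append an HMAC so clients cannot forge it."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def _verify(token: str) -> Optional[dict]:
    """Return the payload if the HMAC is valid, else None."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def issue_context_unbound(username: str) -> str:
    """Vulnerable: proves that *some* user completed MFA, but not who.
    The username is deliberately not recorded, matching the flaw described."""
    return _sign({"mfa": True, "nonce": secrets.token_hex(8)})


def issue_context_bound(username: str) -> str:
    """Fixed: the context names the subject that completed MFA."""
    return _sign({"mfa": True, "sub": username, "nonce": secrets.token_hex(8)})


def login(username: str, password: str, context: str, bound: bool) -> bool:
    """Password check, then MFA check. With bound=True the context must
    name the same user that is logging in; with bound=False any valid
    context is accepted, which is the bypass."""
    if USERS.get(username) != password:
        return False
    ctx = _verify(context)
    if ctx is None or not ctx.get("mfa"):
        return False
    if bound and ctx.get("sub") != username:
        return False
    return True


def demonstrate_bypass() -> bool:
    """Mallory completes MFA for her own account, then reuses the context
    against Alice's account with only Alice's password. Returns True if
    the unbound flow lets her in."""
    ctx = issue_context_unbound("mallory")
    return login("alice", "correct-horse", ctx, bound=False)


def demonstrate_fix() -> bool:
    """Same attack against the bound flow. Returns True if it is rejected."""
    ctx = issue_context_bound("mallory")
    return not login("alice", "correct-horse", ctx, bound=True)


if __name__ == "__main__":
    print("bypass succeeds with unbound context:", demonstrate_bypass())
    print("bypass blocked with bound context:", demonstrate_fix())
```

The signature on the context stops clients from forging one from scratch in both variants; the bypass works only because the server never compares the subject in the context with the account being logged into. Binding the context to the user, and rejecting it on mismatch, is the whole fix.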

Two-factor authentication is an important security control that can prevent unauthorized account access even if a threat actor has successfully obtained login credentials, although this vulnerability shows that the system is not infallible.

The flaw has now been fixed in Microsoft’s Patch Tuesday updates on August 14. Healthcare organizations should ensure that the patch is applied promptly to ensure their MFA controls cannot be easily bypassed.

The post Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication appeared first on HIPAA Journal.

Bankrupt Medical Records Company Hit With $100000 Penalty For HIPAA Violations – JD Supra (press release)

As the HHS press release stated, the consequences for HIPAA violations don't stop when a business closes. In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records which had ...

Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time

A security researcher at McAfee (Douglas McKee) has identified a vulnerability in the communications protocol used by patient monitoring equipment. The flaw could be exploited by a threat actor to falsify patients' vital signs before they reach central monitoring systems.

Patient monitors record patients’ vital signs and communicate the information to central monitoring systems. The central management systems collect data from many bedside patient monitors, allowing healthcare professionals to monitor multiple patients simultaneously. Information is usually sent over TCP/IP through wired or wireless connections and includes information such as blood pressure, blood oxygen levels, and heart rates. Decisions about treatment are made based on the information provided through those monitoring systems.

Vital signs are integral to clinical decision making. If vital signs are misreported, decisions could be made that could cause patients to come to harm – incorrect doses of medications could be provided, the choice of drug could be influenced by bad data, an incorrect diagnosis could be made, or there could be delays providing medical assistance.

Incorrect data could also lead to patients staying in hospital for far longer than necessary and additional unnecessary tests may be performed, which would come at a cost to the healthcare provider, insurer, or patient.

For the study, McAfee purchased a patient monitor and a central monitoring station on eBay that were manufactured in 2004 and ran Windows XP Embedded. While the devices were old, McAfee confirmed that the monitor and central monitoring station are still in use in several hospitals in the United States.

The researchers built a simple device to emulate vital signs using a Raspberry Pi and used it to conduct a replay attack. Once the real patient monitor was disconnected, the device sent heart rate data to the central monitoring system indicating a steady 80 bpm, and the researchers were able to do the same with other vital signs. The swap involved only a short loss of connection, which would likely go unnoticed.

For such an attack to be pulled off, the attacker would need access to the patient to disconnect the patient monitor and plug in the emulation device. The replay attack could allow normal heart rate data to be provided to the central monitoring station when the patient was actually flatlining.

The researchers were also able to devise an attack that allowed vital signs data to be modified in real time. In this attack, access to the patient was not required; the attacker simply needed to be on the same network. The attacker posed as the central monitoring station, intercepted data from the targeted patient's monitor, falsified it, and forwarded it to the real central monitoring station. This attack was possible due to a flaw in the Rwhat protocol that is used to send data over wired or Wi-Fi connections. Since data is sent over unencrypted and unauthenticated User Datagram Protocol (UDP), data packets can easily be spoofed and modified.

Conducting such an attack is not straightforward. Knowledge of the equipment and networking protocol is required, and the attack could only be performed on a single patient or possibly a small group of patients. Some medical knowledge would also be required, as the vital signs would need to be believable to a physician. The attack also only caused falsified data to be displayed on the monitoring station; the patient monitor itself continued to display the correct readings.

Such an attack may be unlikely but could be a threat for certain patients – Those testifying in trials or politicians for example.

If communications between patient monitors and central monitoring stations are encrypted and additional authentication checks are incorporated, such an attack would be much harder to pull off. It is also important for the equipment to be located on isolated networks with very strict access controls to reduce the potential for such an attack to occur.
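To make both the replay attack and the in-flight modification concrete, the following added example (not McAfee's code, and not the Rwhat protocol, whose wire format is not described on this page) uses a constructed 15-byte datagram carrying a bed ID, sequence number, heart rate, SpO2 and blood pressure. It shows that a plain datagram can be rewritten by anyone on the path and still decodes cleanly, and that a per-device key plus an HMAC tag and a monotonic sequence number rejects both the tampered packet and a replayed one. The key, packet layout and function names are all assumptions for the example; encryption for confidentiality is a separate layer that the example leaves out.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Constructed packet layout (not Rwhat): magic, bed_id, seq, hr, spo2, sys, dia.
HDR = struct.Struct("!2sHIHBHH")
MAGIC = b"VS"
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to authenticated packets


def encode_plain(bed_id: int, seq: int, hr: int, spo2: int, sys_bp: int, dia_bp: int) -> bytes:
    """Unauthenticated datagram, as a legacy monitor might send it."""
    return HDR.pack(MAGIC, bed_id, seq, hr, spo2, sys_bp, dia_bp)


def decode_plain(pkt: bytes) -> Dict[str, int]:
    """Parse the header; raises ValueError on a bad magic or short packet."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    magic, bed_id, seq, hr, spo2, sys_bp, dia_bp = HDR.unpack(pkt[:HDR.size])
    if magic != MAGIC:
        raise ValueError("bad magic")
    return {"bed_id": bed_id, "seq": seq, "hr": hr, "spo2": spo2, "sys": sys_bp, "dia": dia_bp}


def tamper_heart_rate(pkt: bytes, fake_hr: int) -> bytes:
    """What an on-path attacker does: rewrite the heart-rate field in place
    and leave everything else (including any trailing tag) untouched."""
    fields = list(HDR.unpack(pkt[:HDR.size]))
    fields[3] = fake_hr
    return HDR.pack(*fields) + pkt[HDR.size:]


def encode_authenticated(key: bytes, bed_id: int, seq: int, hr: int, spo2: int,
                         sys_bp: int, dia_bp: int) -> bytes:
    """Same header plus an HMAC over it, keyed per device."""
    body = encode_plain(bed_id, seq, hr, spo2, sys_bp, dia_bp)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    """Central-station side: verify the tag, then enforce a strictly
    increasing sequence number per bed so a captured packet cannot be
    replayed later."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[int, int] = {}

    def receive(self, pkt: bytes) -> Optional[Dict[str, int]]:
        if len(pkt) < HDR.size + TAG_LEN:
            return None
        body, tag = pkt[:HDR.size], pkt[HDR.size:HDR.size + TAG_LEN]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None  # tampered or forged
        try:
            vitals = decode_plain(body)
        except ValueError:
            return None
        if vitals["seq"] <= self.last_seq.get(vitals["bed_id"], -1):
            return None  # replay of an old reading
        self.last_seq[vitals["bed_id"]] = vitals["seq"]
        return vitals


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed per-device key
    # Patient is actually bradycardic at 40 bpm; attacker rewrites it to 80.
    plain = encode_plain(7, 1, 40, 91, 85, 50)
    print("legacy station sees hr =", decode_plain(tamper_heart_rate(plain, 80))["hr"])
    rx = AuthenticatedReceiver(key)
    auth = encode_authenticated(key, 7, 1, 40, 91, 85, 50)
    print("authenticated, genuine:", rx.receive(auth))
    print("authenticated, tampered:", rx.receive(tamper_heart_rate(auth, 80)))
    print("authenticated, replayed:", rx.receive(auth))
```

The sequence check is what defeats the Raspberry Pi replay described earlier: a recorded stream of "80 bpm" packets carries sequence numbers the station has already accepted, so re-sending them yields nothing on screen. The tag is what defeats the on-path rewrite. Neither helps if the attacker can obtain the device key, which is why the isolated-network and access-control advice above still applies.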

The post Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time appeared first on HIPAA Journal.

OCR Levies Close to $80M in HIPAA Privacy Rule Fines – Buffalo Business First

OCR has assessed close to $80 million in fines in 55 cases of HIPAA Privacy Rule violations since the rule took effect in April 2003.
Related: HIPAA through the years: 5 biggest fines since 2008 (Becker's Hospital Review); Column: Changes may be on the horizon for HIPAA (Buffalo Business First)

HIPAA through the years: 5 biggest fines since 2008 – Becker's Hospital Review

Two key laws govern patient privacy in the U.S. — HIPAA and the Health Information Technology for Economic and Clinical Health Act.
Related: OCR Levies Close to $80M in HIPAA Privacy Rule Fines (Buffalo Business First); Column: Changes may be on the horizon for HIPAA (Buffalo Business First)

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry.

While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access.

The flaws were discovered by researchers at Check Point, who successfully exploited them to create a backdoor into a network and then used it to steal information through the fax line. The researchers believe tens of millions of vulnerable fax machines are currently in use around the world.

To exploit the flaw, the researchers sent a specially crafted image file over the phone line to a target fax machine. When the fax machine decoded the image and loaded it into memory, the malformed data triggered a buffer overflow that allowed remote code execution. The researchers gained full control of the fax machine and, using the leaked NSA exploits EternalBlue and DoublePulsar, spread malware to a vulnerable PC on the same network.

The malware was programmed to search for files of interest. When a file was located, it was sent back to Check Point via fax.

Check Point's research focused mainly on HP's OfficeJet Pro all-in-one fax printers, although the researchers say the same class of flaw exists in many other manufacturers' fax machines, including those made by Epson and Canon. Check Point alerted HP, which has now released a patch, but other manufacturers' devices remain vulnerable. In many cases the firmware on all-in-one printers cannot be updated, so correcting the flaw is only possible by upgrading to newer devices.

Check Point suggests all businesses that still use fax machines, including healthcare organizations, should determine whether their fax machines are capable of being updated and ensure all software is kept up to date. If updates are not possible, upgrading the devices is recommended and the printer-fax machines should be located on secure networks separate from those on which protected health information is stored.

While the research was focused on all-in-one printers, the researchers note that attacks would not be limited to those devices. Potentially, stand-alone fax machines could also serve as an entry point into a business network as could fax-to-mail services.

At this stage there have been no reports of this method of attack being used in the wild, although the Check Point researchers note it will only be a matter of time before others determine how the attacks can be conducted.

The post Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data appeared first on HIPAA Journal.