Healthcare Cybersecurity

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia, and North Korea, and those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied them.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explains CISA and FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the web framework Apache Struts. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

| Priority | Vulnerability | Affected Products |
|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products |
| 2 | CVE-2017-0199 | Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1 |
| 3 | CVE-2017-5638 | Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 |
| 4 | CVE-2012-0158 | Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 |
| 5 | CVE-2019-0604 | Microsoft SharePoint |
| 6 | CVE-2017-0143 | Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT |
| 7 | CVE-2018-4878 | Adobe Flash Player before 28.0.0.161 |
| 8 | CVE-2017-8759 | Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 |
| 9 | CVE-2015-1641 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 |
| 10 | CVE-2018-7600 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 |


A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: The Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.

The post CISA and FBI Publish List of Top 10 Exploited Vulnerabilities appeared first on HIPAA Journal.

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James launched an investigation into Zoom after researchers uncovered a number of privacy and security issues with the platform earlier this year.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES-128 encryption rather than AES-256 encryption and that its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even though meetings were taking place between users in the United States.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to log in through Facebook, which meant that Facebook was provided with technical data related to users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app. There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when they had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users if they had the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all development work to concentrate on privacy and security. The company also enacted a CISO Council and Advisory Board to focus on privacy and security and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

Under the terms of the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.


Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware.

The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted.

The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that install malware. A wide range of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain and remote administration tools to maintain persistent access to compromised systems. The gangs use malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Unit 42 researchers have tracked the activity of three threat actors from the group over the past 3 months who, between them, have conducted 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare agencies, local and regional governments, medical publishing companies, research firms, insurance companies, and universities with medical programs and medical centers. 170 distinct phishing emails have been identified by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks increased by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will slow in 2020. “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments,” said the researchers. Since the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to prevent the emails from being delivered to inboxes. It is also important to check that the CVE-2017-11882 Microsoft Office vulnerability has been patched and to continue to apply patches promptly.



CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United States and United Kingdom.

The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data.

In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups.

APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national priorities. APT groups do not appear to be conducting higher numbers of attacks, they have just shifted their focus and are now concentrating attacks on organizations engaged in the response to COVID-19. CISA/NCSC warn that efforts to obtain sensitive data are continuing with national and international healthcare organizations being targeted in order to acquire sensitive COVID-19 research data.

One of the ways that the attacks are being conducted is to target supply chains, which are seen as a weak link that can be exploited to gain access to higher value targets. Many employees of organizations in the supply chain are now working from home due to the COVID-19 lockdown, and new vulnerabilities have been introduced as a result.

The APT groups are using a variety of methods to infiltrate networks, gain persistence, and steal sensitive data. The alert raises awareness of two tactics that have been observed over the past few weeks: Exploitation of vulnerabilities and password spraying.

Many employees have been forced to work from home during the pandemic to help control the spread of the virus and are accessing their corporate networks using virtual private networks (VPNs). Several commercial VPN solutions have been found to have exploitable vulnerabilities which are now being exploited. In 2019, VPN solutions from Palo Alto Networks, Pulse Secure, and Fortinet were found to have vulnerabilities and patches were released to correct the flaws. Many organizations are also vulnerable to the Citrix vulnerability, CVE-2019-19781. Patches to correct these flaws were released several months ago but many organizations have not yet applied the patches and are vulnerable to attack. APT groups have been observed conducting scans to identify organizations that have not yet patched the Citrix and VPN vulnerabilities and are actively exploiting the flaws.

APT groups are also conducting password spraying attacks to gain access to corporate systems. Password spraying is a type of brute force attack that relies on commonly used passwords. A single commonly used password is tried to see whether it allows access to a system. The same password is then tried on multiple accounts before the process is repeated with a second password. That process continues until a correct password is found.

CISA/NCSC warn that this tactic is often successful, as within any large group of users there will be commonly used passwords. The approach of using one password on many different accounts before moving on to the next also helps the attackers conduct attacks undetected, as this would be less likely to trigger account lockouts due to too many failed password attempts in a short period of time.

Once an attack succeeds and a correct password is found, the password is used to access other accounts where the password has been reused. Attackers also download global address lists which are used for further password spraying attacks on the organization. The attackers also attempt to move laterally to steal additional credentials and sensitive data.

CISA/NCSC have provided mitigations that will help healthcare organizations harden security against these attacks. These include ensuring VPN clients and infrastructure are updated and running the latest versions of software and patching all other software and operating systems promptly. Multi-factor authentication should be configured to prevent stolen or brute forced passwords from being used to access accounts, the management interfaces of critical systems should also be protected to prevent attackers from gaining privileged access to vital assets, and monitoring capability should be stepped up to identify network intrusions.

You can view the CISA/NCSC alert, mitigations, and other useful resources on this link.


Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic

COVID-19 has forced many organizations to rapidly scale up the numbers of employees working from home, which has created new opportunities for cybercriminals to conduct attacks. Cyberattacks on remote workers have increased substantially during the COVID-19 lockdown, with application-level protocols used by remote workers to connect to corporate systems now being extensively targeted.

Remote Desktop Protocol (RDP) is a proprietary communications protocol developed by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been used by many organizations to allow their employees to work from home on personal computers.

RDP has also proven to be popular with cybercriminals. In line with the increase in remote workers accessing systems via RDP, cybercriminals have stepped up attacks. New data from Kaspersky show a major worldwide increase in brute force attacks on RDP.

In order to connect via RDP, employees typically need to enter a username and password. Brute force attacks on RDP are conducted to guess those passwords, which involves trying different password combinations until the right one is guessed. That can take a long time for complex passwords, but the attacks start with dictionary words and passwords obtained in prior data breaches. Annual worst-passwords lists show that many people still choose easy-to-remember passwords, which can be correctly guessed in these automated RDP attacks in a matter of seconds.

Once the credentials have been correctly guessed, they can be used to remotely connect to whatever systems an employee is authorized to access. Even if a fairly low-level set of credentials is compromised, it can give hackers the foothold in the network to conduct extensive attacks on the organization. These unauthorized logins using stolen credentials can be difficult for IT security teams to identify.

Once access is gained, attackers can take control of email accounts and send phishing emails internally to other employees. As has been made clear in the many phishing incidents reported by healthcare providers in recent months, a single email account compromise could result in a data breach involving hundreds, thousands, or even hundreds of thousands of patients’ protected health information. Ransomware and other malware can also be installed.

The scale of the attacks is alarming. “During the last year, there were some spikes of such attacks in different regions, but they were mainly local and small,” said Kaspersky security researcher Dmitry Galov. “Right now, we can see that almost worldwide, the amount of attacks increased significantly. For instance, in February we witnessed 93,102,836 attacks globally. In April, the figure was already 326,896,999.”

The number of RDP brute force attacks in the United States more than doubled between January 2 and March 3, and almost tripled by April 7, when there were 1.4 million RDP brute force attacks detected.

Increase in Brute Force RDP Attacks. Source: Kaspersky

The brute force RDP attacks are likely to continue at high levels for the foreseeable future, and certainly until the number of remote employees reduces once the COVID-19 crisis is over.

There are several steps that companies can take to reduce the risk of these attacks succeeding. One of the most important steps to take is to implement password policies that force users to set strong passwords that are difficult to guess. Two-factor authentication is also important. If a password is guessed, a second factor must be provided before a connection is allowed. Employees should also use a corporate VPN to connect remotely along with Network Level Authentication (NLA) measures to block unauthorized access attempts. Kaspersky also warns that if RDP is not being used by remote employees, port 3389 should be disabled.
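The password spraying described in the CISA/NCSC alert above and the RDP brute forcing reported by Kaspersky leave different traces in the same place: failed-logon records. The following is an added example, not code from HIPAA Journal, CISA/NCSC or Kaspersky. It groups failures by source address over a fixed time window and separates a spray (many accounts, each below the lockout threshold, which is exactly why lockout alone misses it) from a brute-force run (one account hammered) and from an ordinary mistyped password. The log format, the thresholds and the sample records are constructed for illustration; the logon-type numbers are Windows' own (10 is RemoteInteractive, i.e. RDP; 3 is Network).

```python
"""Flag password-spray and brute-force patterns in failed-logon records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    src_ip: str
    account: str
    success: bool
    logon_type: int  # Windows logon types: 10 = RemoteInteractive (RDP), 3 = Network


# Constructed sample records, one per line: time, source IP, account, outcome, logon type.
# 203.0.113.9 tries six accounts once each, then lands a valid password for "grace".
_SPRAY = "\n".join(
    f"2020-04-07T08:00:{2 * n + 1:02d} 203.0.113.9 {user} FAIL 3"
    for n, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
) + "\n2020-04-07T08:00:13 203.0.113.9 grace SUCCESS 3"
# 198.51.100.77 hammers one account over RDP, twelve attempts in 22 seconds.
_BRUTE = "\n".join(f"2020-04-07T09:10:{s:02d} 198.51.100.77 admin FAIL 10" for s in range(0, 24, 2))
# 192.0.2.5 is a user who mistyped once and then signed in: no alert expected.
_BENIGN = "2020-04-07T10:00:00 192.0.2.5 alice FAIL 3\n2020-04-07T10:00:30 192.0.2.5 alice SUCCESS 3"
SAMPLE_LOG = "\n".join([_SPRAY, _BRUTE, _BENIGN])


def parse_log(text):
    """Parse the constructed whitespace-separated format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome, ltype = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS", int(ltype)))
    return events


def detect(events, window=timedelta(minutes=10), lockout_threshold=5, spray_min_accounts=5):
    """Return one finding per (source, window) that looks like a spray or a brute-force run.

    lockout_threshold mirrors the account lockout policy (assumed: 5 bad attempts);
    a spray deliberately stays below it per account, so we count accounts instead.
    """
    buckets = defaultdict(list)
    for ev in events:
        slot = (ev.when - EPOCH) // window  # integer window index, timezone-independent
        buckets[(ev.src_ip, slot)].append(ev)

    findings = []
    for (src, slot), evs in sorted(buckets.items()):
        failures = defaultdict(int)
        successes = set()
        for ev in evs:
            if ev.success:
                successes.add(ev.account)
            else:
                failures[ev.account] += 1
        if not failures:
            continue
        worst = max(failures.values())
        if worst >= lockout_threshold:
            kind = "brute_force"           # one account, many attempts: lockout would fire too
        elif len(failures) >= spray_min_accounts:
            kind = "password_spray"        # many accounts, few attempts each: lockout stays silent
        else:
            continue
        findings.append({
            "type": kind,
            "src_ip": src,
            "window_start": (EPOCH + slot * window).isoformat(),
            "accounts_failed": len(failures),
            "max_attempts_per_account": worst,
            "logon_types": sorted({ev.logon_type for ev in evs}),
            # A success from the same source right after the failures means a password landed.
            "successes_in_window": sorted(successes),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On real data the source address is the Windows 4625 "Source Network Address" field or the VPN appliance's client IP; the logon type lets you route RDP findings (type 10) straight to the team that owns the remote-access gateway, while a `successes_in_window` entry on a spray finding is the account to reset first.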


NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones.

There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs.

The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform performs against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration services securely.

The NSA recommends the guidance should be reviewed by all employees who are now working from home to allow them to make an informed decision about the best communication and collaboration tools to use to meet their specific needs, and for workers to take the steps outlined in the guidance document to mitigate risks of cyberattacks.

The guidance document, Selecting and Securely Using Collaboration Service for Telework can be downloaded here.

Healthcare-specific guidance for remote workers has also recently been published by the American Hospital Association (AHA) /American Medical Association (AMA), which should be used in conjunction with the NSA guidance.

OCR Suggests Resources to Help Healthcare Organizations Combat COVID-19 Threats

On April 30, 2020, the HHS’ Office for Civil Rights suggested several resources covering the current threat landscape and the steps that can be taken to reduce risks to a reasonable and acceptable level, as detailed below:


Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic. Dozens of attacks have occurred on healthcare organizations in recent weeks, including Parkview Medical Center, ExecuPharm, and Brandywine Counselling and Community Services.

Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour. Human-operated ransomware attacks are different. Access is gained to systems several weeks or months before ransomware is deployed. During that time, the attackers obtain credentials, move laterally, and collect and exfiltrate data before encrypting files with ransomware.

The attackers can lay dormant in systems for several months before choosing their moment to deploy the ransomware to maximize the disruption caused. The COVID-19 pandemic is the ideal time for deployment of ransomware on healthcare organizations and others involved in the response to COVID-19, as there is a higher probability that the ransom will be paid to ensure a quick recovery.

In the first two weeks of April alone, dozens of attacks have been conducted by a range of advanced cybercriminal organizations on healthcare providers, medical billing companies, research and pharmaceutical firms, and suppliers to the healthcare industry, along with attacks on educational software providers, manufacturers, government institutions, and aid organizations, according to data from Microsoft.

During the first two weeks in April, Microsoft observed human-operated ransomware attacks using 10 different ransomware variants: RobbinHood, Maze, PonyFinal, REvil (Sodinokibi), Valet Loader, NetWalker, Paradise, RagnarLocker, MedusaLocker, and LockBit. While it may appear that ransomware activity has increased in recent weeks, Microsoft explains that in the April attacks, the attackers initially compromised the systems much earlier and they have been biding their time before deploying ransomware. In many cases, the initial compromise occurred several months before the ransomware was deployed.

Different threat groups use different ransomware variants to encrypt files, but the attacks usually occur in the same way. First, the attackers gain access to systems, then they steal credentials, move laterally, exfiltrate sensitive data, establish persistence, before delivering and executing the ransomware payload.

Microsoft has shared information on how the attackers gain access to systems to help network defenders harden their defenses and block attacks. While there are many possible ways of attacking an organization, these threat actors typically use the same methods to gain access.

One of the most common methods of attack is through Remote Desktop Protocol and Virtual Desktop endpoints that lack multi-factor authentication, either through the use of stolen credentials or through brute force tactics to guess weak passwords. Without multi-factor authentication, the stolen credentials can be used to access systems. Since valid credentials are used, network defenders fail to identify attackers accessing their systems.

Weaknesses in internet-facing systems are commonly exploited, such as misconfigured web servers, EHRs, backup servers, and systems management servers. Unpatched vulnerabilities are also often exploited to gain access, with several of the April 2020 attacks having exploited the Citrix Application Delivery Controller (ADC) flaw, CVE-2019-19781, and the Pulse Secure VPN flaw, CVE-2019-11510. Vulnerabilities in unsupported operating systems are also exploited. To block attacks, it is essential for operating systems to be updated to supported versions and for patches to be applied as soon as possible after release.

These are not smash-and-grab raids where ransomware is quickly deployed to obtain a quick payout. All of the threat actors using the above ransomware variants take their time to obtain administrative credentials and move laterally with the aim of infiltrating an organization’s entire environment, including EHRs, inboxes, endpoints, and applications. Almost all of the attacks involved the exfiltration of data, either to sell for profit, use for their own nefarious purposes, or to pressure organizations into paying the ransom.

“After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells,” explained Microsoft. “They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.” In virtually all cases, accounts had been set up and backdoors used to ensure networks could continue to be accessed after the attack, even after the ransom was paid.

The time between the initial compromise and the deployment of ransomware gives network defenders an opportunity to identify and block the attacks. While threat actors take steps to hide their activity, it is possible to identify their activities as they move laterally. Network defenders should be checking for activity that could indicate an attack in progress, such as the use of malicious PowerShell commands, Cobalt Strike, and other penetration-testing tools. Security logs should be checked to identify any signs of tampering and checks should be performed to identify registry modifications and suspicious access to Local Security Authority Subsystem Service (LSASS).
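The checks in the paragraph above (PowerShell abuse, scheduled tasks that launch PowerShell, registry tampering, suspicious LSASS access) can be expressed as a handful of rules over endpoint telemetry. The block below is an added example, not Microsoft's or HIPAA Journal's code. The events are constructed in the shape of Sysmon records (EventID 1 process create, 10 process access, 13 registry value set) and use Sysmon's field names; the allow-list of processes that may legitimately read LSASS, the thresholds and every sample path are assumptions for illustration. The encoded command in the sample is a harmless placeholder string built at run time.

```python
"""Rule-based triage of endpoint events for pre-ransomware activity (added example)."""
import base64
import re
from pathlib import PureWindowsPath

# Processes that legitimately open lsass.exe with read access (assumed, tune per environment).
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs on lsass.exe
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")
RUNKEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev):
    """Apply the rules to one event; return (rule, severity, detail) or None."""
    eid = ev.get("EventID")
    if eid == 10 and _basename(ev.get("TargetImage", "")) == "lsass.exe":
        src = _basename(ev.get("SourceImage", ""))
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if src not in LSASS_ALLOWED and access & PROCESS_VM_READ:
            return ("lsass_access", "high", f"{ev['SourceImage']} opened lsass.exe with {ev['GrantedAccess']}")
    if eid == 1:
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            signals = [name for name, rx in (("hidden-window", HIDDEN_RE), ("no-profile", NOPROFILE_RE)) if rx.search(cmd)]
            if decoded is not None:
                signals.append("encoded-command")
            # An encoded command alone is enough; otherwise require two evasion-style switches.
            if decoded is not None or len(signals) >= 2:
                detail = f"signals={signals}" + (f" decoded={decoded!r}" if decoded else "")
                return ("suspicious_powershell", "high", detail)
        if image == "schtasks.exe" and "/create" in cmd.lower() and "powershell" in cmd.lower():
            return ("scheduled_task_powershell", "medium", cmd)
    if eid == 13 and RUNKEY_RE.search(ev.get("TargetObject", "")):
        if re.search(r"(?i)powershell|cmd\.exe", ev.get("Details", "")):
            return ("run_key_persistence", "medium", ev["TargetObject"])
    return None


def analyze(events):
    """Run every rule over every event and collect the findings in input order."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry. Two records (Defender reading LSASS, a plain script run) are benign.
_ENC = base64.b64encode("Write-Host 'placeholder'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /sc minute /mo 30 /tr "powershell.exe -w hidden -File C:\ProgramData\task.ps1"'},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -File C:\ProgramData\task.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Decoding the `-EncodedCommand` payload in the finding saves the analyst a step and is what turns "PowerShell ran" into something a responder can act on; the LSASS rule keys on the access mask rather than on the process name alone, because the tooling Microsoft names above is usually renamed before it is dropped.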

Microsoft also offers detailed advice on hardening security to prevent attacks and the steps that should be taken if an attack is discovered, including investigation, isolation of compromised endpoints, and recovery.


EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-2; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals.

Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by the strength of the pings sent out by users’ smartphones. Should a person be diagnosed with COVID-19 and enter the information into the app, all individuals that the person has come into contact with over the previous 14 days will be sent an electronic notification.

The data is sent anonymously, so notifications will not provide any information about the person that has contracted COVID-19. The RPIDs will change every 10-20 minutes, which will prevent a person from being tracked; data will be stored on smartphones rather than being sent to a central server, and RPIDs will only be retained for 14 days. Permission is also required from a user before a public health authority can share the user’s temporary exposure key that confirms the individual has contracted COVID-19, which will prevent false alarms.

When a COVID-19 diagnosis is confirmed, a diagnosis key will be logged in a public registry which will be accessible by all app users and will be used for generating alerts. The diagnosis keys contain all of the RPIDs for a particular user to allow all individuals who have been in contact with them to be notified.

Electronic Frontier Foundation Concerned About Privacy and Security Risks

The public registry is one of the problems with the system, as EFF’s Bennett Cyphers and Gennie Gebhart explained in a recent blog post: “any proximity tracking system that checks a public database of diagnosis keys against RPIDs on a user’s device—as the Apple-Google proposal does—leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.”

Each day, users of the apps will share their diagnosis keys, which opens up the possibility of linkage attacks. It would be possible for a threat actor to collect RPIDs from many different places simultaneously through the use of static Bluetooth beacons in public places. This would only provide information about where pings occurred and would not allow an individual to be tracked. However, when the diagnosis keys are broadcast, an attacker could link the RPIDs together and determine a person’s daily routine from their RPIDs. Since a person’s movements would be unique, it would potentially be possible to identify that individual and discover their movements and where they live and work. EFF suggests that risk could be reduced by sending diagnosis keys more frequently, such as every hour rather than once a day.
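As an added illustration of the on-device matching described above and of EFF’s point about how many RPIDs one published diagnosis key ties together (this is not code from the article, EFF, Apple or Google): the RPID derivation is a hypothetical truncated-HMAC stand-in for the real scheme, the 10-minute rotation and 14-day retention are taken from the article, and the seeds and contact timings are constructed.

```python
import hashlib
import hmac
from typing import Dict

INTERVAL_MIN = 10                              # RPID rotation, as stated: 10-20 min
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MIN    # 144 RPIDs broadcast per day
RETENTION = 14 * INTERVALS_PER_DAY             # 14-day on-device retention

def derive_rpid(key: bytes, interval: int) -> bytes:
    """Hypothetical derivation (truncated HMAC-SHA256) standing in for the real
    construction; the point is that every RPID of a key period is recomputable from its key."""
    return hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def make_keys(seed: bytes, period: int):
    """One day's keys for a user: one (key, first_interval, count) per key period (constructed)."""
    return [(hashlib.sha256(seed + s.to_bytes(4, "big")).digest(), s, period)
            for s in range(0, INTERVALS_PER_DAY, period)]

def rpid_at(keys, interval: int) -> bytes:
    """The RPID a user broadcasts at a given interval of the day."""
    return derive_rpid(keys[interval // keys[0][2]][0], interval)

class Phone:
    """Contact log kept on the device; matching against the registry is done locally."""
    def __init__(self) -> None:
        self.seen: Dict[bytes, int] = {}          # RPID -> interval it was heard
    def observe(self, rpid: bytes, interval: int) -> None:
        self.seen[rpid] = interval
    def prune(self, now: int) -> None:
        """Drop anything older than the 14-day retention window."""
        self.seen = {r: t for r, t in self.seen.items() if t > now - RETENTION}
    def matches(self, registry) -> int:
        """Logged RPIDs that belong to a published diagnosis key."""
        return sum(1 for key, first, n in registry
                   for i in range(first, first + n) if derive_rpid(key, i) in self.seen)

def linkable_per_key(registry) -> int:
    """How many RPIDs a single published key ties together (EFF's linkage concern)."""
    return max(n for _, _, n in registry)

def simulate(period: int):
    """Alice (later diagnosed) is near Bob for 30 minutes; returns (matches, linkable)."""
    alice, bob = make_keys(b"alice-seed (constructed)", period), Phone()
    for i in (30, 31, 32):                        # three consecutive RPIDs heard from Alice
        bob.observe(rpid_at(alice, i), i)
    bob.observe(rpid_at(make_keys(b"stranger (constructed)", period), 100), 100)
    bob.observe(b"\x00" * 16, -RETENTION - 1)     # stale entry, older than 14 days
    bob.prune(now=INTERVALS_PER_DAY)
    return bob.matches(alice), linkable_per_key(alice)
```

With daily keys (`simulate(INTERVALS_PER_DAY)`) Bob still gets his 3 matches, but one published key links all 144 of Alice’s RPIDs for the day; with hourly keys (`simulate(6)`) the matches are the same and each key links only 6.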

Another problem with the system in its current form is there is currently no way of verifying that a device sending contact-tracing data is the device that generated the RPID. This means a malicious actor could intercept RPIDs and rebroadcast them.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” the authors explained. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Concern has also been raised about the potential for developers to centralize the data collected by the apps, which EFF warns could expose people to more risk. EFF recommends developers stick to the proposal outlined by Apple and Google and keep users’ data on their phones rather than in a central repository. EFF also says it is important to limit the data sent out over the internet as far as possible and to only send data that is absolutely necessary.

Echoing the advice of more than 300 scientists who recently signed an open letter about the privacy and security risks of contact-tracing technology, EFF said it is also essential for the program to sunset once the COVID-19 public health emergency is over, to ensure there will be no secondary uses that could impact personal privacy in the future. They also recommend that app developers operate with complete transparency and clearly explain to users what data is collected, and that they allow users to stop pings should they wish, to access the RPIDs they have received, and to delete data from their contact history.

Further, any app must be extensively tested to ensure it functions as it should and does not have any vulnerabilities that can be exploited. Post-release, testing will need to continue to find vulnerabilities, and patches and updates will need to be developed and rolled out rapidly to correct flaws that are discovered. In order for the system to work as it should, a high percentage of the population will need to be using it, which would likely make it an attractive target for cybercriminals and nation state hacking groups. The latter are already conducting campaigns spreading disinformation about COVID-19 and are conducting cyberattacks to disrupt the COVID-19 response.

No contact tracing system is likely to be free of privacy risks, as there must be a trade-off to perform this type of contact tracing, but EFF says that steps must be taken to reduce those privacy risks as far as possible. The whole system is based on trust and, if trust is undermined, the system will not be able to achieve its aims.

The post EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology appeared first on HIPAA Journal.

WHO Confirms Fivefold Increase in Cyberattacks on its Staff

The World Health Organization is one of the leading agencies combating COVID-19 and has proven to be an attractive target for hackers and hacktivists, who have stepped up attacks on the organization during the COVID-19 pandemic. Cyberattacks on WHO are at five times the level they were at this time last year.

Last month, WHO confirmed hackers had tried to gain access to its network and those of its partners by spoofing an internal WHO email system and the attacks have kept on coming. Last week, SITE Intelligence Group discovered the credentials of thousands of individuals involved in the fight against COVID-19 had been dumped online on 4chan, Pastebin, Telegram, and Twitter. Around 25,000 email and password combos were leaked in total, including around 2,700 credentials for WHO staff members. WHO said the data had come from an old extranet system and most of the credentials were no longer valid, but 457 were current and still active.

In response, WHO said it performed a password reset to ensure the credentials could no longer be used, internal security has been strengthened, a more secure authentication system has been implemented, and security awareness training for its staff is being improved.

The remainder of the dumped credentials came from organizations such as the Gates Foundation, Centers for Disease Control and Prevention, and the National Institutes of Health. It is not clear where the data came from or who leaked it online, but the credentials have been used by far-right groups to attack organizations working on vaccines and conducting other activities related to COVID-19.

“Ensuring the security of health information for member states and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic,” said WHO CIO, Bernardo Mariano. “We are grateful for the alerts we receive from Member States and the private sector. We are all in this fight together.”

Mariano also confirmed that ongoing phishing campaigns are being conducted that spoof WHO to trick people into making donations to a fictitious fund similar to the COVID-19 Solidarity Response Fund that is overseen by WHO and the United Nations. Campaigns are also being conducted by nation-state hacking groups that spoof WHO to trick people into downloading malware that is used for espionage.

Malicious attacks using COVID-19 and coronavirus themes have soared over the past few weeks. Data released by cybersecurity firm Zscaler shows there was a 30,000% increase in COVID-themed attacks in March compared with January. In March there were around 380,000 attempted COVID-19 themed attacks, compared to around 1,200 in January and 10,000 in February.

There was an 85% increase in COVID-19-themed phishing attacks on remote enterprise users, a 17% increase in threats directed at enterprise clients, and the company blocked 25% more malicious websites and malware samples in March. The company also detected 130,000 suspicious or malicious newly registered domains that included words such as Wuhan, test, mask, and kit.

Many of the attacks are succeeding. Figures from the FTC indicate around $19 million has been lost to COVID-19 related scams since January 2020, with $7 million lost in the past 10 days. Figures released by Google earlier this month revealed that in a single week it blocked 18 million COVID-19 phishing emails. While the number of COVID-19 themed attacks has increased sharply, overall the number of attacks has remained fairly constant. Microsoft reports that the number of cyberattacks has not significantly increased during the COVID-19 pandemic. Threat actors are simply repurposing their infrastructure and switching from their regular campaigns to COVID-19 related attacks.

The post WHO Confirms Fivefold Increase in Cyberattacks on its Staff appeared first on HIPAA Journal.