Stolen Health Record Databases Sell for $500,000 in the Deep Web*:
- Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats.
- A new report from TrendLabs shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.
- Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems poses a huge opportunity for the bad guys.
- Monetizing raw data such as PII is nothing new in the underground, but EHRs are different because some of the data can be used to create a whole new list of offerings, including fraudulent tax returns, fake IDs, and stolen prescriptions.
- Complete databases may be the most highly coveted items for sale.
- Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims were selling for under $1.
- Fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.
- Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets.
- A recent survey found that 69% of US healthcare organizations report their biggest spend is on perimeter defenses, while they leave huge holes in the network by way of IoT medical devices and other poorly secured systems.
- The TrendLabs report showed that many of these systems were left reachable from the public internet with minimal or no access controls, which exposes the network to lateral movement and in many cases provides direct access to the EHR systems themselves.
*Source: Dark Reading, February 21, 2017
Horizon Fined $1.1M for not Protecting Customers' Private Info*:
- The state's largest insurance carrier will pay a $1.1 million penalty for failing to protect the private information of 690,000 policyholders whose information was contained on two laptops stolen from the company's headquarters in 2013.
- The names, addresses, birthdates, insurance identification numbers, and in some cases Social Security Numbers and limited medical information of those 690,000 customers were not encrypted.
- The thief cut the cables securing the laptops to a desk during a period when the office was improperly supervised during building renovations.
- A Horizon spokesman pointed out that there was never any evidence the medical information was used by the perpetrator.
- The state's most recent investigation found 100 laptops that did not have encryption protection, and the state also found that the employees whose laptops were stolen in 2013 should not have had access to confidential information.
- The 2013 theft led to legislation requiring health insurance companies to use encryption software to protect their consumers' information.
*Source: New Jersey, February 17, 2017
Email Compromises, Phishing Top Insider Threats*:
- Security & Risk (S&R) decision-makers face threats from three groups of insiders: compromised accounts, careless misuse, and malicious insiders.
- Nearly two-thirds of the firms in a recent study experienced a security incident involving a compromised account in the past two years, while 57% had an incident stemming from careless misuse and 41% from a malicious insider in that same period.
- Email remains a critical component of day-to-day business activity, and a significant channel through which employees interact with one another and the outside world.
- Almost every firm (99%) experienced some form of insider security incident within the past two years, with more than four out of 10 firms reporting a phishing attack during that time.
- About 64% said malicious insiders caused a significant or moderate financial impact, and 57% said they caused a significant or moderate productivity impact, with careless misuse creating financial impacts for 61% and productivity impacts for 54%.
- Internal threats, specifically ones that use email, must be taken seriously by S&R decision makers.
*Source: Info Security, February 24, 2017
CloudFlare Leaked Sensitive Data Across the Internet for Months*:
- CloudFlare, a multibillion-dollar startup that runs a popular content delivery network used by more than 5.5 million sites, accidentally leaked customers' sensitive information for months.
- The leaked data included private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.
- Tavis Ormandy, the Google security researcher who spotted and reported the issue, pointed to sites including Uber, 1Password, FitBit, and OKCupid, as having spilled data.
- CloudFlare responded promptly to Ormandy's notification, and within hours its security team disabled several new features of its service that had caused the problem to surface.
- The memory leakage issue, technically a buffer overrun (in this case a read past the end of a buffer, which returned the contents of adjacent memory inside HTTP responses), began in September when CloudFlare swapped a new piece of code (an HTML parser) into its system.
- The leak peaked between Feb. 13 and Feb. 18, when about 0.00003% of page requests through its network (roughly one in 3.3 million) potentially let private information slip.
- It remains to be seen whether CloudFlare, or any of CloudFlare's customers, will advise or force people to change their passwords and authentication credentials, though multiple security professionals have recommended taking that precaution.
*Source: Fortune, February 24, 2017
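To make the class of bug concrete, the following is an added example, written for this digest and not CloudFlare's parser or any code from the Fortune article: a tiny attribute extractor that, in its vulnerable form, keeps reading when the page ends inside an unterminated attribute value and so copies whatever sits in adjacent memory into its output, beside a hardened form that bounds every read. The HTML page, the `src="` needle, the "secret" that follows the page in memory and the function names are all constructed for the demonstration; the bearer token is made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_MAX 128

/* Copy the value of the first attribute that follows `needle` (for example
 * `src="`) into out.  Returns the number of bytes copied, or -1 if absent.
 *
 * VULNERABLE: the end-of-input bound is only applied while searching for
 * the needle.  Once the needle is found, the copy loop runs until it sees a
 * closing quote with no check against `end`, so a page that ends inside an
 * unterminated attribute value makes it read past the buffer and emit
 * whatever happens to sit in the memory that follows. */
int extract_attr_vuln(const char *buf, size_t len, const char *needle,
                      char *out, size_t out_cap)
{
    const char *end = buf + len;
    size_t nlen = strlen(needle);
    const char *p;

    for (p = buf; (size_t)(end - p) >= nlen; p++) {
        if (memcmp(p, needle, nlen) == 0) {
            size_t n = 0;
            p += nlen;
            while (*p != '"' && n + 1 < out_cap)   /* missing: p < end */
                out[n++] = *p++;
            out[n] = '\0';
            return (int)n;
        }
    }
    return -1;
}

/* HARDENED: every read is bounded by `end`, and a value that is not
 * terminated inside the input (or inside the output capacity) is reported
 * as an error instead of being emitted.  Returns -1 if absent, -2 if the
 * attribute is unterminated. */
int extract_attr_safe(const char *buf, size_t len, const char *needle,
                      char *out, size_t out_cap)
{
    const char *end = buf + len;
    size_t nlen = strlen(needle);
    const char *p;

    for (p = buf; (size_t)(end - p) >= nlen; p++) {
        if (memcmp(p, needle, nlen) == 0) {
            size_t n = 0;
            p += nlen;
            while (p < end && *p != '"' && n + 1 < out_cap)
                out[n++] = *p++;
            out[n] = '\0';
            if (p >= end || *p != '"')
                return -2;        /* refuse to emit a truncated value */
            return (int)n;
        }
    }
    return -1;
}

static char g_out[OUT_MAX + 1];   /* output of the last demo() call */

/* Constructed memory layout: the page being parsed is followed immediately,
 * in the same heap block, by data that belongs to some other request
 * (assumption: in a real proxy the neighbour is whatever the allocator put
 * there).  `len` handed to the parser covers only the page, so the tail of
 * the block is memory the parser must never read. */
int demo(int hardened)
{
    const char page[]   = "<html><script src=\"https://cdn.example/app.js"; /* no closing quote */
    const char secret[] = "Authorization: Bearer tok_9f8e7d6c\"";          /* constructed */
    size_t page_len = sizeof page - 1, secret_len = sizeof secret - 1;
    char *mem = malloc(page_len + secret_len);
    int n;

    if (!mem) return -99;
    memcpy(mem, page, page_len);
    memcpy(mem + page_len, secret, secret_len);

    n = hardened ? extract_attr_safe(mem, page_len, "src=\"", g_out, sizeof g_out)
                 : extract_attr_vuln(mem, page_len, "src=\"", g_out, sizeof g_out);
    free(mem);
    return n;
}

int main(void)
{
    int n = demo(0);
    printf("vulnerable: %d bytes -> %s\n", n, g_out);   /* the token leaks */
    n = demo(1);
    printf("hardened:   %d (attribute not terminated in input)\n", n);
    return 0;
}
```

Both reads stay inside one malloc'd block, so the demo is deterministic; in a real edge server the bytes past `end` are whatever another tenant's request left behind, which is why the fix is to test `p < end` in every loop that advances the pointer and to treat a truncated construct as an error rather than something to forward.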
Verizon Data Breach Digest Triangulates Humanity Inside Security*:
- Verizon’s newly released Data Breach Digest is full of stories of online shenanigans, with some identifying details altered.
- Hidden endpoints, which can be anything from systems and user accounts to software or data, are what Verizon labels "Unknown Unknowns," and they are the hardest for organizations to plan for and react to.
- The DBD has two objectives: Sketch out the complexity of the most common kinds of attacks, and provide a guidebook for all the individuals affected in the chain of command.
- The 99-page report breaks out 16 different attack scenarios and specifies the target, sophistication level, attributes, and the attack's pattern, along with its times to discovery and containment.
- Each scenario identifies a threat actor along with their motives, tactics, and techniques; the targeted victim also gets profiled in terms of industry, key stakeholders, and necessary countermeasures.
- Verizon also offers a five-point incident response plan for organizations that have discovered any kind of data breach:
- Preserve evidence; consider consequences of every action taken once the breach has been discovered.
- Be flexible; adapt to evolving situations.
- Establish consistent methods for communication.
- Know the limits of your own expertise; collaborate with other key stakeholders.
- Document actions and findings; be prepared to explain them.
*Source: Dark Reading, February 13, 2017