Posts Tagged: DBIR


8
May 17

Website Flaw Let True Health Diagnostics Users View All Medical Records

Over the past two weeks readers have pointed KrebsOnSecurity to no fewer than three different healthcare providers that failed to provide the most basic care to protect their patients’ records online. Only one of the three companies — the subject of today’s story — required users to be logged on in order to view all patient records.

thgA week ago I heard from Troy Mursch, an IT consultant based in Las Vegas. A big fan of proactive medical testing, Mursch said he’s been getting his various lab results reviewed annually for the past two years with the help of a company based in Frisco, Texas called True Health Diagnostics.

True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site.

The medical reports that True Health produces contain vast amounts of extremely personal information on patients, including indicators of genetic abnormalities as well as markers of potentially current and future diseases.

To demonstrate the flaw, Mursch logged into his account at True Health and right clicked on the PDF file for his latest health report. He showed how the site would readily cough up someone else’s detailed health records and blood tests if he modified a single digit in the link attached to that PDF record and then refreshed the page.

I alerted True Health Diagnostics immediately after verifying the flaw, and they responded by disabling the healthcare records data portal within minutes of our call. Over the weekend, True Health said it discovered and fixed the source of the problem.

“Upon discovering the potential for registered users of our patient portal to access data for individuals other than themselves, we immediately shut down the system in order to resolve any vulnerabilities,” the company said in a statement emailed to this author.  “True Health has total confidence that all patient records are fully secure at this time. We regret this situation and any harm it may have caused.”

The statement said True Health CEO Chris Grottenthaler has ordered an immediate investigation to determine which files, if any, were improperly accessed.

“It will be thorough, speedy and transparent,” the statement concludes. “Nothing is more important to us than the trust that doctors and patients put in our company.”

The company says it is still investigating how long this vulnerability may have existed. But Mursch said it appears his healthcare record was assigned by True Health a record number that was issued as part of a numerical sequence, and that the difference between the record numbers attached to a result he received recently and another set of test results produced two years ago indicate at least two million records may have been exposed in between.

“I would assume all patient records were exposed,” Mursch wrote in an email.

Alex Holden, founder of cybersecurity consultancy Hold Security, said he’s responded to a number of inquiries of late regarding clients who inadvertently published patient data online with little or no authentication needed to view sensitive health records.

Holden said he advises clients to add security components to their links to encrypt any portion of the link that contains data so that it can’t be easily reversed or manipulated. He also tells clients not to use sequential account numbers that can be discovered by simply increasing or decreasing an existing account number by a single digit.

“A lot of times the medical records are stored sequentially as PDF files and they all just sit in the same folder that patients can access with a Web browser,” Holden said. “And in many cases they are not even protected by a username and password.” Continue reading →


24
Mar 16

Crooks Steal, Sell Verizon Enterprise Customer Data

Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.

vzbzEarlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.

The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.

Contacted about the posting, Verizon Enterprise told KrebsOnSecurity that the company recently identified a security  flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers.

“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”

The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents. Verizon has not yet responded to questions about how the breach occurred, or exactly how many customers were being notified. Continue reading →


27
Oct 15

Cybersecurity Information (Over)Sharing Act?

The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.

Up for consideration by the full Senate this week is the Cybersecurity Information Sharing Act (CISA), a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime. The Wall Street Journal and The Washington Post each recently published editorials in support of the bill.

Update, 6:57 p.m. ET: The Senate this afternoon passed CISA by a vote of 74-21.

Original story:

“The idea behind the legislation is simple: Let private businesses share information with each other, and with the government, to better fight an escalating and constantly evolving cyber threat,” the WSJ said in an editorial published today (paywall). “This shared data might be the footprint of hackers that the government has seen but private companies haven’t. Or it might include more advanced technology that private companies have developed as a defense.”

“Since hackers can strike fast, real-time cooperation is essential,” the WSJ continued. “A crucial provision would shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another. Democrats had long resisted this legal safe harbor at the behest of plaintiffs lawyers who view corporate victims of cyber attack as another source of plunder.”

The Post’s editorial dismisses “alarmist claims [that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”:

“The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security,” the Post concluded. “Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are “advancing in scope and complexity.”

But critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.

CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”

CDT warns that CISA risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity. Moreover, CDT says, CISA will likely introduce unintended consequences:

“It trumps all law in authorizing companies to share user Internet communications and data that qualify as ‘cyber threat indicators,’ [and] does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.”

ANALYSIS

On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer. We read constantly about breaches at major corporations in which the attackers were found to have been inside of the victim’s network for months or years on end before the organization discovered that it was breached (or, more likely, they were notified by law enforcement officials or third-party security firms).

If only there were an easier way, we are told, for companies to share so-called “indicators of compromise” — Internet addresses or malicious software samples known to be favored by specific cybercriminal groups, for example — such breaches and the resulting leakage of consumer data and corporate secrets could be detected and stanched far more quickly.

In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today. While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth. And this yawning gap in awareness and understanding is evident by the sheer number of breaches announced each week. Continue reading →