The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Committing IT Malpractice
In This Issue:
- It’s enough to make you sick
- Data leaks expose entire nations
- We’re still crying
- The opposite of unbroken
It’s Enough To Make You Sick
So, here's the headline: Medical images and details of 24.3 million patients left exposed on the internet. Another day, another data breach. This seems somewhat ho-hum until you get to this bit:
"...researchers did not have to exploit a software vulnerability or crack a password to access this treasure trove of medical data. All they had to do was visit publicly-accessible webpages, where no thought had seemingly been put into securing the details with even the simplest of passwords."
Twenty-plus pages of further grisly details are here: Patient data freely accessible on the internet. Reading about these things is what makes reporting on—or working in—infosec so utterly depressing. This sort of thing is clearly very not OK.
This data was not put at risk by nation-states waging war, or even by organized criminals. This data was put at risk by ordinary people, who are causing damage to their patients through nothing more complicated than apathy and negligence.
Please don't be like these organizations. If you collect any data at all (you do), and if you use the Internet (this is also something that you do), then at the very least—at the absolute bare minimum—password-protect your data. For review, here are some basics, from the report above:
- Implement Access Control Lists (ACLs) for IP addresses and/or port filters, even if the system is "only" visible "internally." Don't let patient or customer data be one misconfigured firewall rule away from a compromise event.
- Access control through the implementation of AAA (authentication, authorization, and accounting) systems.
- VPN access for selected persons/institutions, i.e., "don't leave your stuff open to the Internet."
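The researchers' method was nothing more than an unauthenticated GET, so that is also the cheapest check you can run against your own address space. The following is an added example written for this issue, not code from the Greenbone report or the newsletter: two constructed local servers stand in for a PACS web viewer, one in the "before" state that serves a record to anyone, and one behind HTTP Basic auth (the "simplest of passwords"). The handler and function names, the port, the credential and the sample record are all assumptions for the demo.

```python
"""Added example, not from the Greenbone report or this newsletter: the most
basic exposure check there is, which is exactly what the researchers did.
Fetch a page with no credentials and see whether it hands over records.

Two constructed local servers stand in for a PACS web viewer: OpenViewer
serves a constructed patient record to anyone; ProtectedViewer is the same
content behind HTTP Basic auth.  All names, ports and credentials here are
assumptions for the demo.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample record; a real viewer would be returning DICOM metadata.
SAMPLE_RECORD = b"PatientName=DOE^JANE;BirthDate=19700101;Study=CT-ABDOMEN\n"
# Constructed credential for the protected variant.
VALID_AUTH = "Basic " + base64.b64encode(b"radiologist:correct-horse").decode()


class OpenViewer(BaseHTTPRequestHandler):
    """The 'before' state from the report: any GET returns the record."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(SAMPLE_RECORD)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


class ProtectedViewer(OpenViewer):
    """The bare minimum: same content, but only with valid Basic credentials."""

    def do_GET(self):
        if self.headers.get("Authorization", "") != VALID_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pacs"')
            self.end_headers()
            return
        super().do_GET()


def serve(handler):
    """Start handler on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(url, credentials=None):
    """GET url anonymously (or with 'user:pass' Basic creds) and classify it.

    Returns the status code, whether the server challenged us, and whether
    the body contained something that looks like a patient record.
    """
    req = urllib.request.Request(url)
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return {
        "status": status,
        "challenged": status in (401, 403),
        "record_exposed": status == 200 and b"PatientName=" in body,
    }


def audit_local_servers():
    """Run both viewers, probe each anonymously, and return the findings."""
    findings = {}
    for name, handler in (("open", OpenViewer), ("protected", ProtectedViewer)):
        srv, port = serve(handler)
        url = f"http://127.0.0.1:{port}/studies"
        try:
            findings[name] = probe(url)
            if name == "protected":
                findings["protected_with_creds"] = probe(url, "radiologist:correct-horse")
        finally:
            srv.shutdown()
            srv.server_close()
    return findings


if __name__ == "__main__":
    for name, result in audit_local_servers().items():
        print(f"{name:21s} {result}")
```

Point probe() at your own externally reachable hosts from outside the VPN, not from the office network, and treat any "record_exposed" result as an incident rather than a finding. Basic auth over plain HTTP is only the floor the report describes; the ACL and VPN items above still apply on top of it.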
Data Leaks Expose Entire Nations
The past week also deposited this little gem on the world: Leaky database spills data on 20 million Ecuadorians and businesses. The Quotes Of Despair™ from this particular article: "there were more people’s data in that database than there are people living in Ecuador. As of 2017, the country only had a population of about 16.62 million"; and, "The worrying thing is that if we cross reference this information, one could determine who is the person with the most money in Ecuador, where he lives, what car he has and even the data of their children."
The database likely holds records on deceased as well as living individuals, and includes personally identifiable information on 7 million minors. vpnMentor, which released the report on this breach, said the data appeared to come from sources including a bank, an automotive association, and government registries. The firm that held it, Novaestrat, is an analytics company. The dump contains every scrap of information you would need to steal the victims' identities, including the Ecuadorian equivalent of a Social Security number.
Counterbalancing the despair, however, is a brilliant ray of sunshine, found in this article: Arrest made in Ecuador's massive data breach. The hopeful quote? "Ecuadorian authorities have arrested the executive of a data analytics firm after his company left the personal records of most of Ecuador's population exposed online on an internet server." Good.
The important takeaway is that the data wasn't exposed by the original sources. It was exposed from an analytics firm's server. We don't know yet how the analytics firm got the data, but, given the mix of "government registries" and "automotive association," it is reasonable to assume that the firm obtained it as part of legitimate and sanctioned business activities. That makes this essentially a supply chain attack, however inadvertent, on the population of an entire nation.
The standard disclaimers apply here: know what a supply chain attack is, and make sure that anyone your organization hands data to is actually treating that data securely. If you operate in the EU at all, you should know that vetting the parties you share personal data with is a legal obligation. If that's news to you, it's time to catch up on the GDPR.
The other thing to bear in mind is that when your company operates on data provided by customers or suppliers, you are responsible for what happens to that data. Data from multiple sources can be analyzed to powerful effect; it can transform businesses, even nations. But an aggregation of data from multiple sources is also a gigantic target. And finally, after far too long, an individual, in this case the executive running Novaestrat, has been arrested for negligence in defending one of these caches.
He won't be the last to face a judge for this sort of behavior. So if you're sitting on a mountain of data, or have outsourced your data analytics to someone else, perhaps it's time to test the defenses.
Unless you too want a court date of your very own.
We’re Still Crying
Full report: WannaCry Aftershock. From that report:
"To be certain, we did investigate a random selection of computers to manually verify that they had, indeed, not been patched against EternalBlue, or anything else, in the last two years."
Just to be clear: security fixes only work if you, um, actually apply them.
The Opposite of Unbroken
It's Obvious Day! Let's start with Common storage and router devices are still hopelessly broken. The TL;DR: "… if your vendor is someone other than Synology, you probably need to beat them with a large trout." Not that Synology gets off scot-free—they have a long and storied history of both vulnerabilities and poor response to their disclosure—but at least it looks like they've learned a few things along the way.
Danny offers up some boilerplate advice that never seems to go out of style: "You should also avoid using the device with the default configuration. Turn off features that you won’t use, especially remote access features. Also, regularly search for patches from that vendor and apply them."
The general theme of stating the obvious is repeated in another one of Danny's pieces: Former hacker warns against password reuse. "The reuse of login credentials in my opinion is the greatest security flaw that we have today," said the criminal who made millions of dollars exploiting this flaw.
We're also going to throw this one into the pile: Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet. Apparently, this is the week that everyone needs to be bludgeoned until they stop "oops-ing" entire nations.
The point of stating the obvious here isn't just to raise some flags on annoying things to rail at. The point is that the majority of compromise events are not because of superhackers burning zero days. The majority of compromise events are because IT types (dev, ops, networking, what-have-you) simply didn't do, or were prevented from doing, even the absolute bare basic minimum of IT security work. Everyone—and we mean everyone—needs to regularly review their infrastructure, code, and cloudy anything for basic vulnerabilities. And then fix them.
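"Review your code for basic vulnerabilities" includes the Scotiabank failure mode above: credentials sitting in source. The following is an added example written for this issue, not code from any of the articles linked here, and a stand-in for a real scanner such as gitleaks rather than a replacement for one. The function names, the pattern set and the sample settings module are all constructed for the demo; the AWS-style key in it is a made-up value.

```python
"""Added example, not from any of the articles above: a small hardcoded
credential scan of the kind that belongs in the "review your code" step,
run before anything is pushed anywhere.  find_secrets(), shannon_entropy()
and the sample source are all constructed for the demo; the AWS-style key
below is a made-up value.
"""
import math
import re

# Credential shapes worth flagging.  The capture group, where present, is
# the secret itself.  Constructed set; tune to your own code base.
PATTERNS = {
    "db_url_with_password": re.compile(r"\b[a-z+]+://[^:/\s]+:([^@\s]+)@"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are obviously templates or docs rather than live credentials.
PLACEHOLDERS = ("changeme", "example", "xxxx", "your_", "<", "${", "{{")


def shannon_entropy(s):
    """Bits of entropy per character; low values mean 'password' or 'aaaa'."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def find_secrets(text, min_entropy=3.0):
    """Return [{'line', 'kind', 'value'}] for every credential-looking hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if any(p in value.lower() for p in PLACEHOLDERS):
                    continue  # placeholder, not a live credential
                if kind == "assigned_secret" and shannon_entropy(value) < min_entropy:
                    continue  # e.g. password = "password": noise, not a leak
                findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


# Constructed sample resembling a settings module checked into a repo.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DB_URL = "postgres://svc_reports:Tr0ub4dor&3@db.internal:5432/ledger"
AWS_ACCESS_KEY_ID = "AKIAQ3VXZ7LRB2N4M8P6"
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c"
password = "changeme"          # placeholder: should be skipped
token = "aaaaaaaaaaaaaaaa"     # low entropy: should be skipped
-----BEGIN RSA PRIVATE KEY-----
"""


def scan_sample():
    """Run the scanner over the constructed sample."""
    return find_secrets(SAMPLE_SOURCE)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit['line']:>3}  {hit['kind']:22s} {hit['value']}")
```

Run it as a pre-commit hook or in CI over the whole history, not just the working tree, because a credential removed in a later commit is still in the repository. The entropy and placeholder filters keep the noise down; anything that survives them is a finding to rotate first and triage second.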
"No, we don't need a full assessment. We know where our vulnerabilities are." – Chris Cox - @Cyber_Cox.
(You have to see the picture.)
Thread of the Week
Everyone needs a good giggle:
"Hey #Infosec Twitter, in for a game? Incorporate a security term in the name of a singer or band #InfosecAnArtist" – John Opdenakker (@j_opdenakker)
Resource of the Week
- The ransomware crisis is going to get a lot worse
- Ransomware: 11 steps you should take to protect against disaster
- CookieMiner malware targets Macs, steals passwords and SMS messages, mines for cryptocurrency
- Windows Defender malware scans are failing after a few seconds
- Hackers are exploiting a platform-agnostic flaw to track mobile phone locations