Friday Five: 8/31 Edition
A four year old vulnerability resurfaces, experts on California's privacy bill, and more -- catch up on this week's infosec news with this roundup!
1. Old “Misfortune Cookie” flaw opens medical gateway and devices to attack by Zeljka Zorz
Every so often old vulnerabilities, years after they’re discovered, rear their head. That was the case this week when Misfortune Cookie, a flaw that affected millions of devices running embedded webservers called RomPager, initially discovered in 2014, was found to affect medical gateway devices manufactured by Qualcomm. The flaw affects specifically Qualcomm’s Life Capsule Datacaptor Terminal Servers. The DHS' ICS-CERT warned about the issue on Tuesday this week, stressing that if an attacker exploited the issue, they could execute unauthorized code to obtain admin-level privileges. Researchers with CyberMDX, a healthcare cybersecurity solution, discovered the vulnerability and reported it to the National Cybersecurity & Communications Integration Center. While there was a firmware update released to resolve the issue, some versions won't receive it, putting pressure on hospitals to disable the affected webserver themselves.
2. The Fight over California's Privacy Bill has Only Just Begun by Issie Lapowsky
As soon as California's landmark Data Privacy Protection Act was passed we stressed on this blog it would likely undergo some serious tweaking before going into effect. Now experts are concerned the law may not even make to 2020, the year it's supposed to go live. In a Wired story this week privacy advocates from ACLU and Californians for Consumer Privacy, to name a few groups, warned there's a lot of ground to cover before it's finalized. Many special interest groups, like the EFF, agree the law needs work but by the sounds of it that won't come until 2019.
3. Why you should hide your child’s Social Security number by Kari Paul
More than 1 million children had their identities stolen in 2017 but Experian, one of the "big three" consumer credit agencies is hoping that number decreases next year. The company is offering a free scan for parents to verify whether or not their child has had their identity stolen and used to open a line of credit. In hopes of upping awareness around the problem the company is designating September 1 as Child Identity Theft Awareness Day. The company has some exorbitant numbers around the problem on its site, including the fact that child identity fraud caused $1.6 billion in losses last year and that families, as a result of the problem, had to pay $540 million out-of-pocket.
Data-centric Security for Healthcare Compliance
4. HMC Says Ransomware Attack Turned Into Healthcare Data Breach by Fred Donovan
Health Management Concepts, Inc., a healthcare management vendor, accidentally wound up compromising patient data this summer after it was hit by a ransomware attack. According to a data breach disclosure it filed with the state of New Hampshire. The company paid to get their data decrypted but a few days after realized that it provided a file containing patient data, including names, Social Security numbers, and health insurance plan data, to the attackers. According to HealthITSecurity the information belonged to members of Inlandboatmen's United of the Pacific National Benefit Funds. It’s unclear how many patients had their data compromised however.
Hospital image via agecombahia's Flickr photostream, Creative Commons
5. 3D Printers in The Wild, What Can Go Wrong? By Xavier Mertens
Thousands of 3D printers are connected to the internet and lack authentication, Xavier Mertens, a Senior Handler at SANS Internet Storm Center, warned this week. The big issue, of course, is that this could enable an attacker to upload code to these printers and have the 3D printers actually print them, something in turn that could actually start a fire if no one was monitoring the machine. Mertens found the unsecured printers by searching for instances of Octoprint, a web interface for 3D printers, on Shodan, a search engine for internet-connected devices. Another, potentially more damaging outcome: G-code, a language that's tells computer-aided machine tools how to build things, could be downloaded and leak company trade secrets.