Friday Five 11/18
Inadequate cybersecurity efforts, questionable data privacy practices, and ransomware made the top headlines this past week. Catch up on the latest stories in this week's Friday Five!
MISCONFIGURATIONS, VULNERABILITIES FOUND IN 95% OF APPLICATIONS BY ROBERT LEMOS
Synopsys' latest Software Vulnerabilities Snapshot 2022, published this past week, found that nearly every application has at least one vulnerability or misconfiguration that affects security, nearly a quarter of them high or critical in severity. Weak SSL and TLS configuration, a missing Content Security Policy (CSP) header, and information leakage through server banners were reportedly the most common software issues found. Read up on the report's details in the full story at Dark Reading, including software supply chain dangers and how organizations can better identify these vulnerabilities.
WATCHDOG: AGENCY OVERSEEING CYBERSECURITY FOR OFFSHORE ENERGY FALLING SHORT BY CHRISTIAN VASQUEZ
A watchdog report from the U.S. Government Accountability Office (GAO), publicly released this past week, claims that the Department of Interior’s Bureau of Safety and Environmental Enforcement has taken “few actions” to address cybersecurity risks despite the agency claiming to have begun addressing those issues seven years ago. According to Chris Grove, director of cybersecurity strategy at Nozomi Networks, a firm that works with offshore oil and gas rigs, “We’re not dealing with just a system going down or a website or data leakage or maybe some financial loss, there could be major consequences for an offshore oil rig not operating as intended.”
TELEHEALTH SITES PUT ADDICTION PATIENT DATA AT RISK BY LINDSEY ELLEFSON
The Opioid Policy Institute (OPI) and Legal Action Center (LAC) released their findings from a joint 16-month analysis of 12 major substance-use-focused mobile health websites, which found that all 12 websites use technologies that collect, identify, and share information about users with third parties, and that all 12 carry ad trackers used for advertising purposes. Such tracking is reportedly able to avoid the protections granted to patients by the Health Insurance Portability and Accountability Act (HIPAA) along with CFR Part 2, which guarantees the confidentiality of treatment records and protects individuals from having their treatment history used against them. Read the full story from Wired to learn why this concerns privacy experts in a post-Roe world.
FBI: HIVE RANSOMWARE EXTORTED $100M FROM OVER 1,300 VICTIMS BY SERGIU GATLAN
According to the FBI in its recent joint advisory with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), "as of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments." While Hive has reportedly focused its efforts on Healthcare and Public Health organizations, the greater list of victims includes organizations from a wide range of industries and critical infrastructure sectors such as government facilities, communications, and information technology.
RESEARCHERS QUIETLY CRACKED ZEPPELIN RANSOMWARE KEYS BY BRIAN KREBS
According to a recent tell-all from an anonymous IT manager whose organization was affected by Zeppelin ransomware, researchers from a cybersecurity consulting firm known as Unit 221B were able to crack Zeppelin's encryption. The firm was reportedly wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators and risk them changing their encryption approach. “The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” said Lance James, founder of Unit 221B.