Staying safe with Chrome
The recent serious “zero day” vulnerability found in Google’s Chrome browser is a reminder to stay current with the latest patches on all operating systems, applications, and services. Chrome specifically offers a quick way for users to check for the latest information on potential data breaches, compromised software extensions, etc. In Chrome, click Customize (the three vertical dots at the top right of your screen), then select Settings, Safety Check (or simply browse directly to chrome://settings/safetyCheck). Chrome will present a blue “Check Now” button that any user can click to automatically scan for updates or vulnerabilities in seconds.
Chrome is typically configured to automatically install patches at startup, but in some managed environments, patches may be controlled, delayed, or blocked. A periodic self-test as described above will help keep users informed of any late-breaking information or vulnerabilities.
City of Mississauga suffers third-party data breach
In a broadcast email sent on February 9, 2021, an undisclosed number of residents of Mississauga, Ontario were advised of a data breach suffered by a municipal service provider. According to the email notification, the city was notified on January 20 that a privacy breach at city contractor National Public Relations had resulted in the unauthorized disclosure of email addresses and survey responses for the city’s Climate Change Action Plan Survey from September 29 to October 20, 2020. The letter was e-signed by Diana Rusnov, the Director, Legislative Services and City Clerk for Mississauga, Canada’s sixth-largest city by population.
Details of the cause or circumstances of the breach were not disclosed, merely that the city “has been working with our contractor to understand the details of this incident”. No acknowledgement of the breach has been posted on the city’s website, or that of National Public Relations.
The city’s email recommended that residents “be vigilant and exercise caution regarding the email address that [was] used for the survey. You should change your email password, be careful of clicking on web links inside emails, and take other preventative measures for your protection.”
Wire fraud attacks on lawyers on the rise
In a February blog posting, Ontario legal malpractice insurer LAWPRO reports that attempted wire frauds are up in recent weeks. Juda Strawczynski, director of the practicePRO risk management program at LAWPRO, explains that a variety of increasingly sophisticated strategies is being used by tricksters looking to dupe unsuspecting lawyers and their staff. In the report, Strawczynski presents some of the methods being used, and a list of five strategies to reduce law firms’ cyber risk.
Florida water system hack update
According to a report by security news resource Threatpost, investigations suggest that multiple sets of credentials for the recently breached Florida water plant have been found online on the dark web. A 2017 credential compilation revealed 11 user ID / password combinations; due to their age, the risk of these credentials being used for system access is reduced. However, the researchers also found 13 credential pairs in a “compilation of many breaches” (COMB) dataset posted just three days before the attack.
The water treatment facility at Oldsmar, Florida (about 25 km northwest of Tampa), was breached on February 5. According to multiple reports, credentials for remote access software TeamViewer were used to access the facility’s supervisory control and data acquisition (SCADA) system. An attempt was made to apply system changes to release sodium hydroxide – also known as lye – at a concentration over 100 times the standard level into the water supply. A supervisor working remotely saw the unauthorized changes being made, and immediately reversed them. City officials assured residents that the water supply was unaffected, and also emphasized that there are multiple additional safeguards in place to prevent contaminated water from entering the water supply (either accidentally or deliberately).
In response to the incident, U.S. government agency CISA issued an advisory warning organizations about appropriate security configurations and the use of TeamViewer and Windows 7. “All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system… Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
While the Windows 7 operating system has been “end of life” for over a year, there is no current indication that its obsolescence was directly linked to the breach.
As yet, no criminal charges have been laid in the incident, but local authorities are pursuing leads in the case. The breach provides a sobering reminder about the importance of security measures around remote access, and the importance of failsafe and redundant monitoring for critical infrastructure services.
Mobile health apps found to have numerous cybersecurity vulnerabilities
A research study conducted by cybersecurity analyst Alissa Knight of Knight Ink reveals that many current mobile health apps have serious, inherent cybersecurity risks. In a report released February 3, 2021, a wide range of significant vulnerabilities and design issues is itemized.
According to the report, out of thirty mobile health apps tested, 77% contained hardcoded API keys (some of which never expire), tokens, and private keys; 7% even contained hardcoded usernames and passwords, and 100% of the apps tested failed to implement certificate pinning, potentially allowing an attacker to conduct a man-in-the-middle attack. Out of the API endpoints tested, 100% were vulnerable to Broken Object Level Authorization (BOLA) attacks that could potentially lead to unauthorized access to full patient records, lab results and x-ray images, bloodwork, allergies, and personally identifiable information (PII) including home addresses, family member data, birthdates, and social security numbers. Even where biometric authentication was in place, a vulnerability existed allowing the researcher to replay days-old FaceID unlock requests and take over other users’ old sessions.
While the report did not disclose the names of the apps tested, it should serve as a call-to-action for all mobile health app developers to review their software development approaches and application security testing practices to protect sensitive patient data.
Password storage bug affects some Slack users on Android
According to a bulletin released by messaging and collaboration application Slack, on “December 21st, 2020, Slack introduced a bug that caused some versions of our Android app to log clear text user credentials to their device. Slack identified the issue on January 20th, 2021 and fixed it on January 21st, 2021. A fixed version of the Android app is available and we have blocked usage of the impacted version(s)”.
Slack emphasizes that only a small percentage – perhaps 1% – of Android users was affected. That said, Slack reportedly had well over 12 million daily active users across all platforms in March 2020, as popularity of the app exploded with the onset of the COVID-19 pandemic.
Users of Slack on the Android platform are encouraged to update their applications and change their passwords as soon as possible. It is important to emphasize the use of a strong, unique password that is not shared with any other online presence or service by the user.