Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, December 8th, 2023. From Toronto I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security will be here to discuss recent news. That includes a report that millions of medical images like x-rays and CAT scans are sitting on easily cracked servers open to the internet, a warning by American and Israeli cyber authorities that an Iranian-based group is going after utilities and industrial networks, and the discovery that a lot of people are still running unsupported versions of Microsoft Exchange.
But before we get to the discussion here’s a quick look at other headlines from the past seven days:
More Canadian organizations are refusing to pay ransomware gangs. That’s according to a survey by Palo Alto Networks. However, those who do pay are spending on average twice as much — just over $1 million — as they did in 2021.
The DNA testing service 23andMe says personal data of nearly 7 million customers was accessed by a hacker in October. The attacker got into 14,000 accounts using credential stuffing. With that access they were also able to copy the DNA profile data of 5.5 million of those people’s relatives, plus some family tree profiles of another 1.4 million people connected to the accounts.
Bluetooth has a protocol flaw that undercuts the security of some Android, Linux and Apple wireless mice and keyboards. That’s according to a security researcher. He promised full vulnerability details at an upcoming conference.
Fancy programming aimed at increasing security in new Intel and AMD processors may end up decreasing security. University researchers in the Netherlands make that claim in a new paper. Watch for guidance from chip makers.
Cyber agencies from the Five Eyes security co-operative including Canada and the U.S. issued guidance to application developers on making software better protected from memory attacks. Memory vulnerabilities are the most prevalent type of disclosed application holes. The agencies urge developers to use memory-safe programming languages.
For the benefit of threat researchers and defenders, Microsoft issued an updated report on the tactics and techniques of a Russian government-sponsored threat actor it calls Star Blizzard. Other researchers call it Coldriver and the Callisto Group. It has espionage and cyber-influence goals.
There’s no shortage of news stories about the cyber risks third parties pose to organizations. But a report from Blue Voyant suggests not a lot is being done. Only 47 per cent of respondents to a survey said they monitor their supply chain for cyber risk monthly or more. That’s up from 41 per cent last year. And only 19 per cent said they work actively with a supplier to fix a security issue once it’s found. The rest mainly rely on the supplier to solve the problem.
Cyber authorities in the U.S. and the European Union signed an agreement to work more closely. The pact between the U.S. Cybersecurity and Infrastructure Security Agency and the European Union Agency for Cybersecurity will improve knowledge-sharing of cyber threats and ways to better regulate the public and private sectors.
Finally, Google released another update to the Chrome browser. It patches 10 vulnerabilities. You should be running a version that starts with 120.
(The following is a partial transcript of the discussion. To hear the whole conversation play the podcast)
Howard: Millions of medical patient records are at risk because hospitals and clinics aren’t properly securing their image servers. That’s according to a German cybersecurity firm called Aplite. The servers hold X-rays, CT scans and MRIs stored in the DICOM format, a 30-year-old protocol accepted around the world for sharing and viewing medical data. But researchers at Aplite scanned the internet and found just over 3,800 servers in 111 countries are accessible from the internet. Fewer than one per cent of those servers use effective login authorization. Of the 3,800 servers just under a third leak data containing more than 59 million pieces of medical and personal data. David, this sounds like violations of cybersecurity 101.
David Shipley: There are so many things fundamentally wrong with the story — and terrifying when you think about the implications for things like ransomware, extortion and more. This is not the first company to dive into the digital imagery repositories in healthcare and come out with some massive horror stories. In fact, as part of new regulations for device manufacturers that started in March the U.S. Government Accountability Office did a study of vulnerabilities, and one of the things they found was that up to 51 per cent of all X-ray machines had high severity CVEs, 44 per cent of CT scanners and 20 per cent of imaging devices. Computers in a healthcare environment were running unsupported and unpatched versions of Windows. The implications for this are huge. There was a really interesting research project done in 2019 where a group of Israeli researchers — with authorization — hacked into one of these imaging depository systems and added or removed cancer indicators using AI deepfakes, and then went to see if the radiologist could tell. Short answer: They couldn’t tell. This also puts patient safety at risk … When you take down diagnostic imaging you set back healthcare 200 years.
Howard: It’s not just medical images. These researchers could find some systems also had patient names. So medical information could be used for blackmail but also identity theft.
David: Absolutely. Keep in mind that these systems — particularly healthcare systems — often have privileged access back into billing systems. You can probably jump from an insecure patient instance and find many other vulnerable systems on the business network.
Howard: The DICOM protocol itself is old and has weaknesses as well. So a hacker can disrupt images, deny access to images, add false signs of illness and because the images are arranged with unlimited sequential numbers for each implementation this can cause real mayhem.
David: The point made by the Israeli researchers in 2019 was that industry standard best practices on the public internet such as using [digital] certificates to authenticate so communications are made securely and not interfered with between an X-ray, CT scan machine and the patient system don’t exist. Authentication is hilariously absent. But along with the other things, the GAO report and the U.S. found hard-coded credentials [in medical devices] and other problems. While it’s cool that the U.S. has new regulations as of March 2023 for device manufacturers to actually build these things with secure-by-design … 75 per cent of [current] drug infusion pumps had at least one major vulnerability that could throw up a security concern. It’s going to take decades to get this equipment retired and new equipment in. We’re basically telling cyber criminals it’s open season on health care for the next 20-plus years.