The Shared Security Weekly Blaze – Lost and Stolen Devices, Instagram and SIM Hijacking, LabCorp Security Breach

This is the Shared Security Weekly Blaze for July 23rd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript
This is your Shared Security Weekly Blaze for July 23rd 2018 with your host, Tom Eston. In this week’s episode: Lost and stolen devices, Instagram and SIM hijacking and the LabCorp security breach.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.

Did you know that over 26,000 electronic devices (including mobile phones, laptops and eReaders) were lost in the London transport system last year? According to a report released from a research firm called Parliament Street showed that the majority of lost devices, to the tune of 23,000, were mobile devices followed by laptops with approximately 1,000 devices that were lost.  This announcement has been a wakeup call of sorts for UK business’ to ensure that there are protections in place for the data being stored on lost or stolen devices. Not only does this present a business risk, but also a personal privacy risk as well. I’m sure many of these devices were not properly protected by very basic device security controls such as passcodes for mobile devices and full disk encryption for laptops. While 26,000 devices does seem like a lot, imagine how many devices go missing in an even larger transportation system like the one in New York City.

Physical device security is one of most important, and easiest, security controls you can implement on your devices to avoid having your data accessed if your mobile phone or laptop is ever lost or stolen. Some of the basics for a mobile phone is to ensure you’re setting a long, complex passcode or passphrase, ensure that the device is erased after 10 failed login attempts as well as enabling any GPS or location tracking so that you have a way to find your device if its ever lost. You’d be surprised how many people are able to find their lost device by using a feature like this. Also, for laptops always enable full disk encryption that is enabled upon powering on your laptop. For Windows laptops, depending if you have Windows 10 Professional or not, you can enable BitLocker for full disk encryption. If you have Windows 10 Home Edition, you can use a free and open-source full disk encryption solution called VeraCrypt. MacOS users should enable FileVault which is installed with all modern versions of MacOS. See our show notes for links to these different full disk encryption solutions to ensure your devices are protected if they are ever lost or stolen.

Instagram is reported to be developing a more secure way of two-factor authentication by moving away from text messages to more app based solutions like Google Authenticator or Duo. As we’ve previously reported on the Weekly Blaze, SIM card “port out” scams or also known as SIM hijacking attacks have been on the rise in just the last year or so. A SIM hijacking scam is where an attacker will call your mobile carrier and use social engineering techniques to transfer your mobile number to another carrier, thus, giving the attacker access to receive SMS text messages. This access is then used to reset passwords on many popular apps like Instagram as well as your email service which can also be used to reset passwords.  Many celebrities and others with very valuable Instagram user names have been a target of this attack but it can really happen to anyone, especially if you’re known to be trading bitcoin or other cryptocurrency. With the recent popularity of cryptocurrency, this attack is now financially motivated.

So what can you do to prevent becoming a victim of a SIM port out scam? First, contact your mobile carrier to ensure you have set up or configured a PIN or passphrase on your account that would be required for any request with customer support to port your number over to a new carrier. See our show notes for a great guide on how to do this. Second, consider using a virtual phone number like Google Voice for two-factor authentication for sensitive accounts like your bank or social media. We’ve also provided a link to several virtual phone number services in our show notes for you to reference. We also suggest removing your phone number or using a virtual one for whatever email provider you’re using. For example, Google’s Gmail gives you many different options besides using a phone number for other forms of authentication. Be safe out there and lets all stop thinking that our phone numbers are a secure method to verify our identity and as a way for secure authentication.

Last week it was announced that LabCorp, one of the largest medical laboratories in the United States, had its network breached through what looks to be from a ransomware attack. The attack prompted LabCorp to shut down its entire network while they investigated the incident. LabCorp said in a filing with the Securities and Exchange Commission that it detected suspicious activities on its network the weekend of July 14th and “immediately took certain systems offline as part of its comprehensive response to contain the activity”. The suspicious activity was apparently only detected on LabCorp Diagnostic systems. No other information has been released but LabCorp noted that there has been no evidence of any medical data being compromised thus far in their investigation. It’s important to note that LabCorp is required to notify and patients of a data breach within 60 days after an incident so it will be interesting to see that if this does take place and what data was actually accessed, if any at all.

LabCorp provides services for over 115 million patients and processes tests for more than 2.5 million specimens per week. If patient data was compromised during this ransomware attack, it could be one of the largest healthcare breaches in history. The largest healthcare data breach to date was the Anthem Blue Cross data breach in 2015 that affected 78.8 million individuals. We’ll be keeping a close eye on this story so stay tuned for updates in future episodes of the podcast.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunesGoogle Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Facebooktwitterredditlinkedinmail



*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/07/23/the-shared-security-weekly-blaze-lost-and-stolen-devices-instagram-and-sim-hijacking-labcorp-security-breach/