Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48
This is your Shared Security Weekly Blaze for December 24th 2018 with your host, Tom Eston. In this week’s episode: Healthcare databases exposed, Facebook’s Photo API bug, and Signal speaks out.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
A new report, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” from threat intelligence firm IntSights estimates that about 30 percent of all healthcare databases end up unsecured and exposed to the Internet. In roughly 90 hours of research the firm found 15 exposed databases containing 1.5 million patient records, which works out to approximately 16,667 medical records discovered per hour of searching. The report also notes that a single medical record sells for an estimated $1 on the black market. The exposed databases were running on popular data stores such as Elasticsearch and MongoDB, neither of which required authentication in its default configuration. Exposed and misconfigured Elasticsearch instances in particular have been the source of countless data leaks this year, including one we discussed on the podcast back in July, the Exactis data leak, which exposed some 340 million records. Other attack vectors the report found leading to exposed healthcare data include legacy and outdated file sharing protocols such as SMB and FTP, misconfigured APIs and, of course, our favorite, weak passwords. The report’s recommendations are the standard ones: enable two-factor authentication for web applications, limit third-party access to databases, closely monitor databases for unusual reads or requests, restrict database access to specific IP ranges, and conduct penetration testing to find exposed systems and vulnerabilities.
One recommendation I would add is for healthcare organizations to evaluate what systems and databases may be exposed to the Internet and to have a process for discovering exposed systems on a continual basis. Certainly, penetration testing can be used for a point-in-time assessment but using vulnerability scanning and other discovery services on all company owned or third-party managed systems that are exposed to the Internet should be part of any good cybersecurity program.
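As an added illustration of the Elasticsearch exposure the report describes and of the continual discovery process recommended above, here is a small stand-alone probe written for this page (it is not from the IntSights report or from the podcast). It uses only the Python standard library: an Elasticsearch node answers GET / with the tagline “You Know, for Search”, a node with Elastic security enabled rejects an unauthenticated request with a 401 security_exception, and an open node will happily list its indices and document counts via /_cat/indices. The host names, responses, index names and the file name es_probe.py are all constructed for illustration, and the probe should only be pointed at hosts you are authorized to test.

```python
# Added example (not from the IntSights report or the podcast): a small
# stand-alone Elasticsearch exposure check using only the standard library.
# Host names, responses and index names below are constructed for illustration.
import json
import sys
import urllib.error
import urllib.request

# Every Elasticsearch node answers GET / with this tagline; it is the
# simplest fingerprint for "this port is Elasticsearch".
ES_TAGLINE = "You Know, for Search"


def classify_es_root(status, body):
    """Classify the response to GET / on an Elasticsearch port.

    Returns 'open' (anonymous cluster access), 'auth_required' (the node
    rejected the unauthenticated request), 'unreachable' (no HTTP answer)
    or 'not_elasticsearch'.
    """
    if status == 0:
        return "unreachable"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    if not isinstance(doc, dict):
        return "not_elasticsearch"
    if status == 200 and doc.get("tagline") == ES_TAGLINE:
        return "open"
    if status == 401:
        # With X-Pack/Elastic security enabled the node returns a
        # security_exception for requests that carry no credentials.
        causes = doc.get("error", {}).get("root_cause", [])
        if any(c.get("type") == "security_exception" for c in causes):
            return "auth_required"
    return "not_elasticsearch"


def summarize_indices(body):
    """Turn GET /_cat/indices?format=json into [(index, doc_count), ...],
    skipping Elasticsearch's own dot-prefixed system indices."""
    out = []
    for row in json.loads(body):
        name = row.get("index", "")
        if name.startswith("."):
            continue
        out.append((name, int(row.get("docs.count") or 0)))
    return out


def fetch(url, timeout=5):
    """GET url and return (status, body). HTTP errors are returned rather
    than raised; a connection failure or timeout is reported as status 0."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:  # URLError, refused connection, socket timeout
        return 0, ""


def probe(host, port=9200):
    """Probe one host and report whether its index list is readable anonymously."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/")
    result = {"host": host, "verdict": classify_es_root(status, body), "indices": []}
    if result["verdict"] == "open":
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            result["indices"] = summarize_indices(body)
    return result


# Constructed sample responses (not captured from any real system).
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "clinic-es",
    "version": {"number": "6.5.1"}, "tagline": ES_TAGLINE,
})
SAMPLE_AUTH_ROOT = json.dumps({
    "error": {"root_cause": [{"type": "security_exception",
                              "reason": "missing authentication credentials for REST request [/]"}],
              "type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})
SAMPLE_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3"},
    {"health": "yellow", "status": "open", "index": "patients", "docs.count": "1500000"},
])

if __name__ == "__main__":
    # Usage: python es_probe.py host1 host2 ...  (only hosts you are authorized to test)
    for host in sys.argv[1:]:
        print(json.dumps(probe(host)))
```

A verdict of “open” together with a non-empty index list is exactly the condition the report is counting: anyone on the Internet can read the cluster. Run the probe on a schedule against every Internet-facing address you own or have a third party manage, and treat a change from “auth_required” to “open” as an incident rather than a finding to file for the next penetration test.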
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Facebook recently announced yet another vulnerability, this one affecting up to 6.8 million of its users. A bug in Facebook’s Photo API allowed third-party apps that a user had granted photo access to see more than the timeline photos they were authorized to access: photos shared on Facebook Marketplace or in Facebook Stories, and even photos that were uploaded but never posted. For example, if someone uploads a photo but doesn’t finish posting it, Facebook keeps a copy for a few days so the person can come back to it, and those photos may have been exposed. Facebook says the bug was live for only 12 days, from September 13th to September 25th of this year, and that it has since been fixed. If you were impacted, Facebook says you will see an alert when you log in. Facebook also recommends logging into any apps you have shared Facebook photos with to see which photos those apps can access.
This most recent issue is a great reminder that you should frequently review the third-party apps you have given permission to view personal data from your Facebook account. If you’ve been a long-time Facebook user, it’s easy to forget about all the apps you have granted some level of access to your personal data over the years. To see what third-party apps have access to your data, log in to Facebook, open Settings, then click “Apps and Websites”. On this page you can see every app that has access to data from your Facebook profile; you can remove access entirely or, in some cases, reduce the permissions each app has. If you’ve never visited these settings before, you may be surprised how many apps have access to your data. One way Facebook makes it easy for developers to get at your data is the “Log in with Facebook” button embedded in many popular sites and services. It’s tempting to trade privacy for convenience, because logging in with Facebook is so much easier than creating yet another set of credentials. The key is to make the decision that fits your own level of risk. If you’re fine with a third-party company getting information from your Facebook profile, in some cases information you were going to give them anyway, it may not be a big deal. Keep in mind, though, that your data then sits not only with the third party but with Facebook as well, and when Facebook has a vulnerability like the one it just announced, that is where it gets exposed.
Signal, the popular end-to-end encrypted messaging app, said this past week that it would not comply with requests made under Australia’s new “Assistance and Access” law. The law lets Australian agencies compel companies to assist in accessing encrypted communications and can impose massive fines on companies and individuals who do not comply. In a blog post, Signal is quick to note that by design it keeps no record of conversations, contact lists or other profile information, and that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom”. Signal even points out that the Prime Minister of Australia uses the application, to make the point that everyone benefits from the way Signal was designed, including the people trying to enforce laws that make no sense in an increasingly digital and online world.
This is not the first time that a government has tried to ban encryption or compel companies to build backdoors into applications and products to circumvent it. Here in the United States back in 2016, a federal magistrate judge ordered Apple to help the FBI unlock an iPhone that belonged to one of the San Bernardino shooters. Ironically, even after the case went to court, the FBI never needed Apple to build an encryption backdoor: it dropped the case after paying a third-party firm, widely reported to be Cellebrite, to unlock the phone. This latest example will not be the last case of a government that doesn’t understand why banning encryption or creating backdoors in popular end-to-end encrypted communications software weakens protection for everyone.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/12/24/healthcare-databases-exposed-facebooks-photo-api-bug-signal-speaks-out-wb48/