VPN Packages Store Cookies Insecurely

The Department of Homeland Security (DHS) issued a warning on April 15, 2019, entitled “VPN Applications Insecurely Store Session Cookies” (Vulnerability Note VU#192371) stating that “[M]ultiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.”

The affected products identified by DHS are:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

According to US-CERT, “[I]f an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”

A patch is available for the Palo Alto products, but as of April 15, 2019, US-CERT was unaware of a patch for the Cisco product.

If your organization is using any of these products, or if you believe that your organization is vulnerable, US-CERT suggests that you contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.

WIPRO Hacked

I have been alerting clients that I know use Wipro, but may have missed some of you. It is being reported that IT outsourcing company Wipro Ltd. has been hacked through several phishing campaigns from what is believed to be a state-sponsored attacker.

According to recent reports, including KrebsonSecurity, sources have stated that “Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.” Apparently, at least 11 of Wipro’s customers have traced malicious and suspicious activity to systems that were communicating with Wipro’s network. It is disputed whether the attack lasted weeks or months.

According to Wipro, it was hit with a zero-day attack. Wipro has sent its affected clients a set of indicators of compromise, including clues about the tactics, tools and procedures the attackers use, which may assist clients in determining whether they were compromised during the hop from Wipro’s systems to their own. A helpful Wipro client shared the indicators with Wipro, and Wipro then sent them on to its other clients.

It is also being reported that the successful attack against Wipro was caused by a successful phishing email to one of Wipro’s employees, which was followed by several more successful phishing campaigns against other employees.

There is some concern that Wipro’s systems may still be compromised, so Wipro clients should be aware of this possibility, how it can be used to compromise their system, and prepare for it.

KrebsonSecurity has published the indicators of compromise provided by Wipro clients, which can be accessed here.

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’ (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).

The CMPs were imposed in 2017 after an investigation which found that MDA allegedly violated HIPAA’s Security Rule and Privacy Rule in connection with the improper disclosure of ePHI of at least 34,883 individuals. In three separate incidents, portable electronic devices (two thumb drives and one laptop computer) of MDA workforce members containing ePHI were stolen or lost. In each case, the data on the portable electronic device were not encrypted. HHS’s Office for Civil Rights (OCR) thus alleged that MDA had violated the Privacy Rule prohibition on unauthorized disclosure of ePHI, as well as the Security Rule’s requirements concerning implementation of technical safeguards (and specifically, the encryption of ePHI where reasonable and appropriate).

After the ALJ upheld OCR’s imposition of the CMPs against MDA in 2018, MDA appealed to the DAB’s appellate division. The DAB affirmed the ALJ’s decision and the penalties in February, finding in pertinent part that “MDA was required to implement encryption” and that the encryption requirement as applied to MDA was “plainly mandatory” under HIPAA. MDA had argued that because the encryption standard within the Security Rule is an “addressable” implementation specification, it was optional. In response, the DAB determined that addressable was not equivalent to optional, but instead required an analysis of whether implementation of such a specification was reasonable and appropriate, and unless it was not reasonable or appropriate under the circumstances, implementation was required. The DAB further determined that “undisputable evidence shows that MDA determined that encryption of its portable electronic devices was reasonable and appropriate” and noted that various risk analyses carried out by MDA identified the lack of encryption of ePHI as a high security risk. The DAB thus concluded that “the [HIPAA] regulations did not permit MDA to forgo encryption because it did not document that encryption was not reasonable and appropriate… [and] the record… shows no genuine dispute that MDA, in fact, determined, in its own words, not only that encryption was “reasonable and appropriate” but that encryption “must be a required security control.”

The DAB also affirmed the ALJ’s decision that the CMPs imposed against MDA were reasonable. MDA had argued that the CMPs were excessive in part because they were based on a determination that the Privacy Rule had been violated 34,883 times (based on the number of individuals’ ePHI allegedly disclosed), even though MDA only lost devices on three occasions (and thus should have only been alleged to have committed three violations). The DAB also upheld OCR’s imposition of per-day CMPs for MDA’s alleged Security Rule violations, relying in part on Security Rule preamble commentary (from HHS) that CMPs for ongoing Security Rule violations could be based on the number of days of noncompliance.

This dispute concerning HIPAA compliance, and MDA’s continued challenge to the substantial CMPs imposed by OCR in 2017, serves as an important reminder to health care providers and other entities subject to HIPAA that “addressable” implementation specifications under the Security Rule – considered at times to be less important than “required” specifications – are likely to be seen by OCR as mandatory unless an entity can demonstrate otherwise. Health care providers would therefore be well-served to review the Security Rule’s safeguards and addressable implementation specifications, and to document the basis for any such specifications that the entity can demonstrate are not reasonable or appropriate for implementation. Furthermore, it remains to be seen whether the Fifth Circuit will intervene in this dispute, and if so whether a federal circuit court may have a different interpretation than HHS of the application of HHS-drafted regulations under HIPAA.

Incident Response Plan Saves Money

The Ponemon Institute recently completed research, sponsored by IBM Resilient, entitled “The 2019 Cyber Resilient Organization,” which surveyed more than 3,600 security and IT professionals around the world to determine organizations’ ability to maintain their core purpose and integrity in the face of cyber-attacks.

According to IBM, the research found that “a vast majority of organizations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77 percent of respondents indicating they do not have a cybersecurity incident response plan applied consistently across the enterprise.”

Following the results of IBM/Ponemon’s 2018 study on the cost of a data breach, which showed that companies that respond quickly and efficiently to contain a cyber-attack within 30 days save over $1 million on average, this study shows that organizations are still falling short when it comes to planning for an incident and testing the incident response plan.

Almost half of the respondents admitted that, since they do not have an incident response plan in place, they are not in full compliance with GDPR.

Significantly, 62 percent of those surveyed state that aligning the privacy and cybersecurity teams of the organization “is essential to achieving resilience” and that data privacy has become a top priority in organizations.

Finally, the survey found that more than half of those surveyed (54 percent) do not test their incident response plans regularly, “which can leave them less prepared to effectively manage the complex processes and coordination” following an attack.

Message: developing, implementing and testing an incident response plan saves money. According to this research, it is a sound investment.

Privacy Tip #186 – Some Hotmail Users’ Emails Compromised

On April 14, 2019, Microsoft alerted some account owners that Microsoft Outlook and Hotmail email addresses had been compromised over a three-month period.

According to Microsoft, “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.” It also said “[U]pon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.”

The unauthorized access occurred between January 1, 2019, and March 28, 2019.

Microsoft recommends that users change their passwords and “be careful when receiving any emails from any misleading domain name, any email that requests personal information or payment, or any unsolicited request from an untrusted source.” This is a sound practice at all times, not just when you have been alerted by your email provider that an account has been compromised.

States Legislate Cybersecurity Requirements for Insurance Companies

Following in the footsteps of the New York Department of Financial Regulation (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variations from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification. Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states and to stay current as states adopt new laws regulating cybersecurity.

Another California Consumer Privacy Act of 2018 Amendment—Employees and/or Job Applicants Are Not Consumers

A few weeks ago, I pondered whether the California Consumer Privacy Act of 2018 (CCPA) is still a bit of a work in progress with the introduction of a proposed amendment. Recently, another amendment was proposed by Assembly Member Edwin Chau in the form of Assembly Bill 25.

Assembly Bill 25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states: “Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If this amendment passes, the broad rights granted to consumers under the CCPA would not apply to employees and job applicants of CCPA-covered employers. The CCPA grants consumers (California residents):

  • the right to ask companies to identify the personal data they collected on the consumer and whether a business is collecting or selling/disclosing their personal information;
  • the right to demand that personal data not be sold or shared for business purposes;
  • the right to sue companies that violate the law or that experience data breaches;
  • the right to access and download their personal information in a transferrable way;
  • the right to opt out;
  • the right to request deletion of their personal information; and
  • the right not to be discriminated against.

This proposed amendment would likely mean that CCPA-covered businesses would not have to be concerned with their employees or job applicants asserting any of the consumer rights conferred by the CCPA. CCPA-covered businesses are defined as for-profit businesses that do business in California and meet any of the following three criteria:

  • annual gross revenue in excess of $25 million;
  • annual purchases, receipt or sales of the personal information of 50,000 or more California residents; or
  • companies that derive 50 percent or more of their annual revenue from selling consumers’ personal information.

A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California” as described above, and not just businesses residing or incorporated in California. This change would be most impactful to CCPA-covered employers in terms of their readiness preparation for CCPA compliance when the CCPA takes effect on January 1, 2020.

Think Like a Hacker

I was with a bunch of CFOs this week talking about cybersecurity and I told them how easy it is for hackers these days. They can infiltrate a company’s system by compromising an O365 account that doesn’t have multi-factor authentication, and according to a Ponemon study, are in the company’s system for over 200 days. They monitor literally everything that is happening in the company, since all companies rely on email communication, and then strike at the perfect time for a fraudulent wire transfer, change the integrity of banking instructions in Word documents, use social engineering to target certain people in the company, and learn exactly who the partners, customers, vendors and trusted individuals are with whom the company does business.

Just think about how much a hacker could figure out about your daily business if they followed your emails for over 200 days—six to seven months. A lot. They know your contacts, who owes you money, to whom you owe money, who you are doing business with, and how much you are paid. What’s really brilliant is that after they commit the perfect fraud on your company, they now have six to seven months’ worth of information to leverage to launch their next attacks on your customers, vendors and contacts. This is called “island hopping.” They have contact information, they know who knows each other and what business is being conducted, and they know what projects you are working on together. Folks, they have lots of time to figure this out, as this is their day job. We have day jobs that do not involve criminal activity. Their day job is to analyze your email traffic to figure out their next scam, and it is so incredibly easy to do if you think about it.

Carbon Black has released its latest Global Incident Response Threat Report, which confirms that hackers are doing just that—leveraging the information that they obtain from the target company to target connected companies along the supply chain. The Carbon Black researchers found that 70 percent of all attacks involve the intruder moving laterally across the network and trying to take over the system. According to Carbon Black, “attackers are fighting back. They have no desire to leave the environment. And they don’t just want to rob you and those along your supply chain…[they] want to ‘own’ your entire system.”

According to the report, hackers are using counter-incident response measures to thwart a company’s response to an incident by destroying logs, turning off anti-virus tools, disabling firewalls and using forensic tools to cover their tracks so the IT folks don’t know they are in the system.

One of the methods the hackers are using is “reverse business email compromise,” which involves the hackers taking over the mail server of the victim. These attacks are currently hitting the financial services industry.

According to Carbon Black, “businesses need to be mindful of companies they’re working closely with and ensure that those companies are doing due diligence around cybersecurity as well,” because the hackers are going after the weakest link in the supply chain.

So, think like a hacker. It’s not as hard as you might think it is. If, as a hacker, you wanted to go after the weakest link in your company or supply chain, who would you target? If that is an easy answer, start asking your weak links questions about their cybersecurity measures.

FAA Set to Approve First Drone Airline License

The Federal Aviation Administration (FAA) is expected to award its first license to operate a drone airline in May. Last year, the FAA determined that large-scale commercial package delivery drone operations would require certain safety and economic certification standards like other licensed U.S. airlines. The FAA has not yet announced which company will receive that certificate, but to date, the only air carrier certificate application for a drone carrier listed on the applicant website has come from Wing Aviation LLC, which is a subsidiary of Google’s parent, Alphabet, Inc. We will watch the FAA’s press releases for more information on this new venture in the drone delivery industry.

Privacy Tip #185 – Scammers Are Getting Bolder and More Insistent

I try to keep my spam filter on the most restrictive setting, which has dramatically decreased the amount of spam I receive in my email box every day. But every once in a while, I receive an email that makes my gut twitch and my eyebrows raise. I got one today from a well-known bank, logo and all, looking very official and authentic. Those of you who know me know that I am “wicked paranoid,” so the frown was deep on my forehead when I read it.

Official looking or not, I do not do business with this bank (not to say that it isn’t a good bank), and of course, I do not conduct any banking business online or through email.

The missive said that the bank was alerting me to the fact that “we detect an issue on your account that needs to be resolved” and included a link to “Resolve here” from the Online Team. I was curious, so I looked at the URL, and it was “security-online @[bank name].com”, which looked pretty legitimate. It could definitely dupe someone else, so I sent it to my IT team and asked them to blacklist it in the event that someone else received it.

But that’s not all. After I deleted the email and sent it to my IT team, I got a telephone call on my cell phone from a Rhode Island number of that bank. I don’t pick up any calls that are from unknown numbers, so I didn’t pick up. As I said before, I don’t do business with this bank. I had just received this bogus email, so my wicked paranoid tendencies kicked into high gear. The caller did not leave a message, so that is an obvious sign that it was not legit. Then one minute later, yes one minute later, the “bank” tried to call again, but this time it was from the same number except for the last digit, which was one digit higher. I didn’t answer this call either, and no message was left. I truly believe it was the hacker. When the email didn’t work, the scammer tried to call me to say how urgent the situation is, and to resolve it through the email.

Hackers are buying domain names that are very similar to real businesses in order to dupe people into believing it is the real business. They are spoofing numbers so the caller ID looks like it is from your area code or actually from the business. When emails don’t work, they call. And it’s always urgent.

Scammers are getting bolder and more insistent. They have the time. This is their day job. They target you and try to scare you. If this had been a bank with which I do business, I would have called the bank or my banker directly to inquire about my account. I would never reply to any email or telephone call from my “bank.” Delete that email and don’t answer that call.