This week we start by looking at a phishing technique used by Iranian hackers to circumvent two-factor SMS authentication protections. We then turn to the Marriott data breach and regulators’ claims that China is to blame for the hack, and we discuss a recent Pennsylvania case that could have lasting implications on employers’ efforts to protect employee data. We end by adding some color to last week’s summary of Australia’s Assistance and Access law, a piece of legislation that allows government agencies to access previously unreachable digital communications in order to assist law enforcement efforts.
Welcome back to Hacking Healthcare.
Hot Links –
Phishing Scheme Bypasses SMS-Based Two-Factor Authentication Protections.
Last week, state-sponsored hackers from Iran found a way to get around SMS-based two-factor authentication controls used by Gmail and Yahoo Mail. The hackers began by sending a target a highly detailed spear-phishing email. The email directed the target to enter his or her Gmail or Yahoo Mail login credentials into a fake Gmail or Yahoo Mail security page. When the target entered his or her username and password into the fake security page, the hackers simultaneously entered the login credentials they collected from the fake page into a real Gmail or Yahoo Mail login website. The hackers were then prompted to enter a two-factor verification code that had been sent to the real user via SMS. To gain access to this code, the hackers shortly thereafter redirected the target user to a new website that requested the one-time verification code from the target. Once the target entered the verification code into the new webpage, the hackers were able to access the code. The hackers, therefore, had all the information necessary to access their target’s email account (username, password, and verification code) at their fingertips in a matter of minutes.
This attack technique demonstrates yet again that hackers do not need to develop new and sophisticated technical methods to continue their relentless practice of gaining access to users’ protected web portals. “Phishing attacks are the most popular method of stealing data and hacking accounts amongst Iranian hackers, but the most significant fact about this campaign is its timing.” The timing of this attack technique demonstrates that hackers can use tried-and-true methods of accessing user accounts in new ways that exploit the processes users must go through to verify their identities. As a way to fix the rampant problem of phishing schemes, CERTFA (the research group that discovered this Iranian hack) has suggested that users refrain from clicking on unknown links in their email and that technology companies stop using two-factor authentication by plain text message/SMS. While we understand the spirit of that advice, it is important to note that SMS-based MFA is still an improvement over just a username/password combination, and it would be unwise to stop using it based solely on the fact that it isn’t perfect.
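To make the mechanism above concrete from the defender’s side, here is an added toy model (not code from the newsletter, CERTFA, Google or Yahoo, and it touches no network): a one-time SMS code is a shared secret that any party presenting it in time is allowed to use, so forwarding it within its validity window succeeds, whereas a response bound to the origin the browser is actually on (the idea behind WebAuthn) fails to verify when it was produced on a look-alike site. The origins, session names and HMAC key are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example"        # constructed: the genuine login site
PHISH_ORIGIN = "https://mail-example.test"  # constructed: the look-alike site
class SmsOtpServer:
    # An SMS code is a shared secret: whoever presents it in time is let in.
    def __init__(self):
        self.pending = {}  # login session -> code texted to the account holder
    def start_login(self, session):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = code
        return code  # delivered to the victim's phone, not to the browser that logged in
    def verify(self, session, code):
        return hmac.compare_digest(self.pending.pop(session, ""), code)

def sms_relay_attack(server):
    # Attacker logs in with phished credentials; the victim receives the SMS,
    # types it into the fake page, and the attacker forwards it within the window.
    sms_code = server.start_login("attacker-session")   # lands on the victim's phone
    return server.verify("attacker-session", sms_code)  # accepted: True

def authenticator_sign(key, challenge, origin_seen_by_browser):
    # Origin-bound response (the WebAuthn idea): the browser, not the user, supplies
    # the origin it is actually on, and that origin is covered by the MAC.
    msg = f"{challenge}|{origin_seen_by_browser}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class OriginBoundServer:
    def __init__(self, key):
        self.key = key      # toy stand-in for the user's registered credential
        self.pending = {}
    def start_login(self, session):
        self.pending[session] = secrets.token_hex(16)
        return self.pending[session]
    def verify(self, session, origin_reported, tag):
        challenge = self.pending.pop(session, "")
        expected = authenticator_sign(self.key, challenge, origin_reported)
        return origin_reported == REAL_ORIGIN and hmac.compare_digest(expected, tag)

def origin_bound_relay_attack(server):
    # Same relay: the victim's browser signs for PHISH_ORIGIN, so the tag never verifies for REAL_ORIGIN.
    challenge = server.start_login("attacker-session")
    tag = authenticator_sign(server.key, challenge, PHISH_ORIGIN)
    return server.verify("attacker-session", REAL_ORIGIN, tag)  # rejected: False

def legitimate_login(server):  # the honest case still verifies: True
    tag = authenticator_sign(server.key, server.start_login("user-session"), REAL_ORIGIN)
    return server.verify("user-session", REAL_ORIGIN, tag)
```

The SMS server cannot tell the attacker’s submission from the victim’s; the origin-bound server rejects the relayed response whether the attacker reports the phishing origin (origin check fails) or the real one (MAC check fails).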
U.S. Investigators Point the Finger at China in Recent Marriott Data Breach.
Last month, Marriott reported a breach of its Starwood hotel reservation system that exposed the private information and travel details of approximately 500 million people. Now, U.S. government officials are reporting that state-sponsored Chinese hackers likely orchestrated the attack that divulged an atypically broad range of information to hackers, including individuals’ names, phone numbers, addresses, passport numbers, credit card numbers, travel destinations, travel partners, and other data.
Government investigators have speculated that the Chinese government’s motivation for this attack was to gain information to enhance the enormous data sets it has worked to curate on U.S. and other world citizens for years. The information exposed by the Marriott breach could be useful to individual hackers seeking to commit identity theft as well as intelligence agencies seeking to track diplomat, spy, or military personnel movements and build records on particular persons of interest. U.S. investigators have cited further evidence of the Chinese government’s culpability for this attack by noting that the Marriott breach resulted from a signature Chinese hacking tactic. The tactic involves accessing a cloud-hosting space and moving from server to server in order to access individuals’ protected information.
Experts have also noted that the timing of the Starwood compromise aligns with compromises at both Anthem and Premera healthcare insurance companies, both of which have been attributed to China-based hackers. In today’s day and age, information is power, and China has apparently made it its goal to amass large volumes of information on U.S. citizens. From an intelligence standpoint, it’s easy to see how Chinese government access to personal data on U.S. diplomats, intelligence officers, and/or military personnel could compromise U.S. interests. The U.S. and other world powers have been slow to react on a systemic, policy level to cyberattacks from foreign governments, and these attacks have been allowed to grow in number and scope as a result.
Pennsylvania Supreme Court Holds Employer Has Duty to Reasonably Protect Employees’ Personal Information.
In a precedent-setting decision that could very well have lasting implications on companies and their use of cybersecurity mechanisms to protect employee data, the Pennsylvania Supreme Court decided last Tuesday that the University of Pennsylvania Medical Center (“UPMC”) had an affirmative duty to protect its employees from data breaches by employing reasonable measures to secure employee information. In Dittman v. UPMC, UPMC employees brought a negligence claim and a breach of implied contract claim against the medical center after it suffered a data breach that exposed its employees’ personal and financial information. Claiming that UPMC failed to use “proper encryption, adequate firewalls, and an adequate authentication protocol,” the employees alleged that this lack of data security fell below the reasonable standard of care that employers owe to their employees.
Like the vast majority of companies in the world, UPMC required its employees to provide it with personal information in the course of their employment. This affirmative requirement, the Pennsylvania Supreme Court implied, was the hook that allowed UPMC workers to allege that UPMC breached its duty of care to employees. The court found in favor of the employees, ruling that an employer must take reasonable measures to defend the sensitive personal information it collects from its agents. In addition to the affirmative duty this decision places on companies in the realm of data security, this holding also opens up avenues for employees to pursue monetary damages from their employers if they do not exercise “reasonable” measures to protect worker data. What constitutes such “reasonable” measures, however, remains unclear.
Australia’s “Assistance and Access” Law: A Deeper Dive.
Last week we told you that Australia passed a new telecommunications law in an effort to force companies to help Australian law enforcement agencies access otherwise unintelligible or inaccessible digital information. Because of the law’s potential to influence the global landscape on these issues, we are taking a deeper dive into the “Assistance and Access” statute’s terms and the political back-and-forth that ensued after it was signed into law. After the bill was passed, a slew of complex amendments were quickly drafted and passed in order to incorporate necessary technical changes, address internal inconsistencies, and contend with general contradictions within the law. Many experts have reported that the legislation is flawed and was rushed to pass, so further amendments may be on the horizon. Despite all of its last-minute alterations, the law currently authorizes a number of law enforcement and security agencies that hold a legal warrant for access to data to approach companies for assistance in accessing previously inaccessible data.
While the legislation is typically discussed in terms of anti-encryption, access to encrypted data is only one aspect of the law. After the amendments, the statute now also allows law enforcement agencies to compel an individual, or someone with “knowledge of the [individual’s] device” (i.e., a company), to reveal that person’s password to the agency. Law enforcement has also been granted the ability to apply access warrants remotely; officers no longer need to be on the premises specified in order to execute a warrant. Finally, the law’s terms have been extended to cover cloud data—data hosted in cloud drives that is not stored on, but is accessible from, a given device. Penalties for violating the law include harsh fines and custodial sentences.
Tuesday, December 18:
–No relevant hearings.
Wednesday, December 19:
–No relevant hearings.
Thursday, December 20:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
–HEALTH IT Summit (Florida) – Wesley Chapel (5/21/19-5/22/19)
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
—Signal app to Australia: Good luck with that crypto ban
—Computing pioneer Evelyn Berezin died this week—she should be remembered
— “We’re sorry,” Facebook says, again—new photo bug affects millions
—U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
—Twitter Fixes Bug That Gives Unauthorized Access to Direct Messages
—123456 Is the Most Used Password for the 5th Year in a Row
—Shamoon resurfaces, targeting Italian oil company
—Can’t hack? You can buy the tools on the dark web instead
—Facebook, under scrutiny, pays out largest bug bounty yet
—If China Hacked Marriott, 2014 Marked a Full-On Assault
Contact us: follow @HealthISAC, and email at firstname.lastname@example.org
Dittman v. UPMC, __ A.3d __, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018).