TLP White: In this edition of Hacking Healthcare, we discuss a UK regulator’s decision to fine a pregnancy and parenting support club for sharing users’ data without informed consent and running afoul of the GDPR. We also break down a new nation-state attack that allows hackers to access user login credentials and online account information. We then dive into Brazilian cyber criminals’ focus on and interest in infiltrating the country’s electronic banking system. Finally, we remind you of NIST’s continued interest in IoT and the agency’s upcoming efforts to advance cryptography standards for connected devices.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Parenting Company’s Data Practices Catch UK Regulator’s Eye.
Earlier this month, the United Kingdom Information Commissioner’s Office (“ICO”) slapped a UK-based pregnancy and parenting company with a GDPR fine. The regulator assessed Bounty UK a penalty in the amount of £400,000 for collecting information about “potentially vulnerable… new mothers or mothers-to-be [and their] very young children.”[1] In addition to collecting personal information through its website, mobile app, membership forms, and merchandise pack claim cards, the company also collected information directly from new mothers at their hospital bedsides.[2] The company shared the information of over 14 million mothers and children with a number of third party marketing and credit agencies, including Acxiom and Equifax.
The ICO charged that Bounty UK did not meet its duty of transparency, use consumers’ data in a way that adheres to expectations, or obtain consumers’ informed consent for information sharing.[3] The Monetary Penalty Notice issued by the ICO also bemoaned the fact that the company’s practices enabled advertisers to collect information about children before they could have the ability to consent or articulate preferences regarding the sharing of their personal data. According to the ICO, Bounty UK failed to give consumers appropriate notice and consent under the GDPR.
The ICO’s decision affirms that certain data practices and types of information can and will attract the attention of regulators. Children’s data, for instance, is a special category of data that is afforded heightened protections under a number of statutes (including existing US federal law). Legal compliance should be tightly managed when dealing in these kinds of data to ensure appropriate notices are given and consents are received.
2. Nation-State Hijacks IP Addresses.
Cisco Talos has reported that a state-sponsored group spent the last two years executing a hacking campaign on the Internet’s Domain Name Service (“DNS”) system. The attackers allegedly co-opted the DNS server, which matches web addresses to IP addresses, to direct internet traffic to a different attacker-controlled server. This kind of “middle man attack” enabled the attackers to collect user credentials.[4] Victims entered their account information without knowing they were under attack, allowing the nefarious actors to steal such information. This most recent DNS hacking campaign, named “Sea Turtle,” targeted public and private entities alike, including intelligence agencies, militaries, and communications companies.[5] Cisco Telos declined to attribute the hack to a particular nation, noting that the culprit likely attempted to cover its tracks by planting evidence to suggest another country was responsible for the attack.
3. Brazilian Hackers Target Banking Industry.
Oftentimes hackers’ motivation for executing an attack is personal financial gain. For example, researchers have long noted that hackers in Brazil have honed in on the country’s electronic banking industry in an effort to make some quick cash. Security firm Recorded Future reports that hackers in Brazil have compromised desktops used for electronic banking. [6] According to the report, these hacker “pirates” have also engaged in “carding”—a fraudulent method of generating a usable credit card number through an algorithm.[7]
Recorded Future monitored popular apps WhatsApp and Telegram for discussion of Brazilian hacking activities and discovered that some Brazilian hackers have found a way to circumvent two-factor authentication to reach financial assets.[8] The actors used a “SIM-swapping” method to gain control of users’ phone numbers. Subsequently, any authentication check or query sent to a user’s phone can be manipulated or used by the hacker. This enables the hacker to bypass at least half of two-factor authentication protections that use a cell phone as a factor.
The Brazilian government has taken note of the uptick in interest in financial systems, but it has been somewhat slow to react. Just last year the state’s National Monetary Council started to require certain banks to implement a cybersecurity policy. However, it’s clear that more robust cyber protections will be needed to shore up the security of Brazilians’ financial accounts and protect them from unauthorized access.
4. NIST Considers IoT Cryptography Standards.
Last but not least, we want to alert you to a request from the National Institute of Standards and Technology (“NIST”) for algorithms that support cryptography in Internet of Things (“IoT”) devices.[9] As IoT devices have exploded in prevalence, security concerns surrounding these devices have also grown.[10] NIST is actively soliciting information to help it “develop cryptographic algorithm standards that can work within the confines of a simple electronic device.”[11] NIST will hold an in-person workshop on lightweight cryptography for IoT devices on November 4-6, 2019 in Gaithersburg, MD to discuss potential proposals.[12] If you have any input to contribute to NIST before then, submissions can be made via email to lightweight-crypto@nist.gov.
If you have never participated in a NIST process before, we encourage you to do so, particularly on an issue like this that will have significant impact on medical devices moving forward. Despite being a US based government agency, NIST’s work, particularly on cryptography, is respected and followed worldwide. They genuinely want industry feedback and carefully consider everything that they hear, whether submitted online or at the workshops. If you care about the security of medical devices and other IoT systems, this is perfect chance to have your voice heard.
Congress –
Tuesday, April 23rd:
–No relevant hearings.
Wednesday, April 24th:
–No relevant hearings.
Thursday, April 25th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–Increasing OT Security for Life Sciences & Healthcare – Webinar (4/23/2019)
<https://h-isac.org/hisacevents/navigator-deloitte-webinar/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)
<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
—Scammers are selling 3.2 million payment records stolen from Indian cardholders
<https://www.cyberscoop.com/scammers-selling-3-2-million-payment-records-stolen-indian-cardholders/>
—6 Takeaways from Ransomware Attacks in Q1
<://www.darkreading.com/attacks-breaches/6-takeaways-from-ransomware-attacks-in-q1/d/d-id/1334472>
—Facebook copied email contacts of 1.5 million users
<https://www.bbc.com/news/technology-47974574>
—Ubiquitous Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images
<https://threatpost.com/hipaa-protected-malware-medical-images/143890/>
—Cyber Attack Forces The Weather Channel Off the Air
<https://www.bleepingcomputer.com/news/security/cyber-attack-forces-the-weather-channel-off-the-air/>
—Wipro Intruders Targeted Other Major IT Firms
<https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/>
—Hacker Group Exposes Iranian APT Operations and Members
<https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/>
—Facebook security notice announces millions of Instagram users had their passwords stored in plaintext
<https://www.cyberscoop.com/instagram-password-plain-text-facebook-update/>
Contact us: follow @HealthISAC, and email
[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/bounty-uk-fined-400-000-for-sharing-personal-data-unlawfully/
[2] https://www.cyberscoop.com/bounty-uk-fine-uk-ico-gdpr/
[3] https://ico.org.uk/action-weve-taken/enforcement/bounty-uk-ltd/
[4] https://www.wired.com/story/sea-turtle-dns-hijacking/
[5] https://www.cyberscoop.com/ongoing-state-sponsored-dns-hijacking-campaign-compromised-40-entities/
[6] https://www.recordedfuture.com/brazilian-hacking-communities/
[7] https://resources.infosecinstitute.com/all-about-carding-for-noobs-only/#gref
[8] https://www.cyberscoop.com/brazilian-pirates-two-factor-authentication-recorded-future/
[9] https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/final-lwc-submission-requirements-august2018.pdf
[10] https://www.darkreading.com/iot/new-iot-security-bill-third-times-the-charm/d/d-id/1334190
[11] https://csrc.nist.gov/Projects/Lightweight-Cryptography/events
[12] https://csrc.nist.gov/Events/2019/Lightweight-Cryptography-Workshop-2019