TLP White: We start with a breach impacting a Maryland library system. We also discuss a new law in California banning weak passwords. We conclude by shedding some light on global supply chain risks, including the ones that you did not see coming.
Welcome back to Hacking Healthcare:
Hot Links –
1. Virus Hits Maryland Library System.
Awareness around vulnerabilities and proper cyber hygiene are important to organizations of all shapes and sizes, including your local library. Those operating the library system in Anne Arundel County, Maryland are working to get it back online after a self-propagating Emotet banking Trojan infected around 600 staff and public library computers. Officials in Anne Arundel County have informed thousands of library customers who used the public computers that their data may have been compromised, and urged them to monitor their personal information for fraudulent activity. This is particularly important for those who used the library computers to access banking or social security information.
The library discovered the malware following reports from library staff that they were receiving an abnormal volume of spam to library accounts. Other symptoms included spontaneous computer reboots which spread to public computers. Once it was determined that the unusual activity was caused by malware, the computers were pulled from service. In response to the events, the library has since updated its malware scanning capabilities and is providing staff with training so that they can better recognize the warning signs of a digital threat.
The implications of an attack like this one on public computers quickly become personal. Individuals who used compromised devices must be cautious of potentially infecting their home networks and must monitor their credentials across a number of accounts. Library systems have to be particularly careful about monitoring systems, employing appropriate access controls, and keeping employees appropriately trained in order to limit system disruptions.
2. California Bans Weak Passwords.
From our “Hey, at least it’s something” department, we report on California recently passing a law that bans weak passwords in connected devices. The law demonstrates an attempt to bolster the security of Internet of Things (“IoT”) devices by strengthening authentication requirements.
The law provides that if a connected device can be authenticated outside of a local area network, it will be deemed to have reasonable security features if either: (1) the preprogrammed device password is unique to each device manufactured; or (2) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
When it comes to improving security outcomes, it is unclear whether using legislation to impose specific security requirements leads to more secure networks, or whether it is better to provide organizations with incentives in the way of tax breaks or other advantages to lure people into compliance.
Either way, weak authentication continues to be a major vulnerability, and by extension, stronger authentication mechanisms will continue to be an important component of improving the security of connected devices. Other states may also jump on the strong password bandwagon as the proliferation of IoT devices continues to grow.
3. Tiny Spy Chip (maybe?) Big Supply Chain Problem (yes).
This week it may have been difficult to miss headlines about the grain-of-rice-sized, data-stealing hardware believed to have been installed into Supermicro motherboards before the servers employing them were shipped off to several major US companies, including Apple, Amazon, and a telecommunications provider. The elaborate attack was reported to have been the result of individuals gaining access to multiple factories in China and manipulating factory employees to permit the installation of malicious hardware that gave attackers undetectable access to computer network data.
Bloomberg published a few articles breaking the story, explaining the compromise in greater detail. However, Apple, Amazon and others have all flatly denied that any of this actually happened and it doesn’t appear any physical evidence has actually been produced so far. Some may remember a few years ago when it was reported the National Security Agency was planting
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:
Hacking Healthcare 10.16.2018 TLP White