Ubiquitous Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images
A vulnerability was recently disclosed in a 30-year-old standard used to exchange and store medical images. It lets an attacker embed executable code in the image files produced by devices such as CT and MRI scanners, so that the malware travels inside, and is hidden by, patient data. The weakness is in the file format itself: a DICOM file begins with a 128-byte preamble whose contents the standard leaves unconstrained, so an attacker can place an executable header there and produce a single file that is both a standard-compliant image preserving the original patient data and a runnable program. Because such a file still contains protected health information, the usual response of deleting or quarantining it would also destroy patient records, which is the sense in which the malware becomes "HIPAA-protected". An attacker can chain this into multi-stage attacks, as the researcher's analysis details. According to the security researcher, the vulnerability “exists in DICOM, which is a global and ubiquitous imaging standard within the healthcare industry, originally drafted by the National Electrical Manufacturers Association (NEMA).” To exploit it in practice, “an attacker would need to have valid Active Directory credentials or permissions.” The result is that malware can evolve into more potent variants targeting healthcare organizations by using patient data to “hide, protect and spread itself.”
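The check a defender would want for this is a scanner that looks at the 128-byte DICOM preamble for an executable header and, when found, zeroes the preamble without touching the patient data behind it. The script below is an added example written for this newsletter, not code from the researcher or from any DICOM toolkit. It builds its own minimal DICOM-style byte streams (a constructed sample with one Patient's Name element, and no File Meta Information group), so the "polyglot" here is only a preamble starting with "MZ", not a working executable; the structure it relies on (128-byte preamble, then the magic `DICM`, then explicit-VR little-endian elements) is the real Part 10 layout.

```python
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"

# Executable file signatures to look for at offset 0 of the preamble.
EXECUTABLE_MAGICS = {
    b"MZ": "pe-header",        # Windows PE (DOS stub header)
    b"\x7fELF": "elf-header",  # Linux ELF
}

# Patient's Name (0010,0010), VR "PN"; used for the constructed sample below.
PATIENT_NAME_TAG = (0x0010, 0x0010)


def build_dicom(preamble: bytes, data_set: bytes) -> bytes:
    """Assemble a Part 10 stream: 128-byte preamble (zero padded), 'DICM', data set.
    Constructed for this example; a real file also carries a File Meta Information
    group (0002,xxxx) ahead of the data set, which is omitted here."""
    if len(preamble) > PREAMBLE_LEN:
        raise ValueError("preamble longer than 128 bytes")
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + DICOM_MAGIC + data_set


def is_dicom(data: bytes) -> bool:
    return data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC


def classify_preamble(data: bytes) -> str:
    """Return 'not-dicom', 'clean', 'nonzero', or an EXECUTABLE_MAGICS label."""
    if not is_dicom(data):
        return "not-dicom"
    preamble = data[:PREAMBLE_LEN]
    for magic, label in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            return label
    if any(preamble):
        # Non-zero but no known executable header.  The standard permits this
        # (e.g. a TIFF header for dual-format files), so flag for review
        # rather than block outright.
        return "nonzero"
    return "clean"


def zero_preamble(data: bytes) -> bytes:
    """Sanitize: overwrite the preamble with zeros; magic and data set are untouched."""
    if not is_dicom(data):
        raise ValueError("not a DICOM Part 10 stream")
    return b"\x00" * PREAMBLE_LEN + data[PREAMBLE_LEN:]


def encode_pn_element(name: str) -> bytes:
    """Explicit VR little-endian element in the short-VR form (2-byte length)."""
    value = name.encode("ascii")
    if len(value) % 2:
        value += b" "  # PN values are space-padded to an even length
    return struct.pack("<HH2sH", *PATIENT_NAME_TAG, b"PN", len(value)) + value


def read_patient_name(data: bytes) -> str:
    """Walk short-form explicit VR LE elements after the magic; return Patient's Name.
    Long-form VRs (OB, OW, SQ, UN, UT carry a 4-byte length) are not handled;
    the constructed sample contains none."""
    pos = PREAMBLE_LEN + len(DICOM_MAGIC)
    while pos + 8 <= len(data):
        group, element, _vr, length = struct.unpack("<HH2sH", data[pos:pos + 8])
        pos += 8
        value = data[pos:pos + length]
        pos += length
        if (group, element) == PATIENT_NAME_TAG:
            return value.decode("ascii").rstrip(" ")
    raise KeyError("Patient's Name (0010,0010) not present")


# Constructed sample: the same patient data in both files, only the preamble differs.
SAMPLE_DATA_SET = encode_pn_element("DOE^JANE")
CLEAN_FILE = build_dicom(b"", SAMPLE_DATA_SET)
POLYGLOT_FILE = build_dicom(b"MZ" + b"\x90" * 62, SAMPLE_DATA_SET)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FILE), ("polyglot", POLYGLOT_FILE)):
        print(f"{name}: {classify_preamble(blob)}, patient={read_patient_name(blob)}")
    fixed = zero_preamble(POLYGLOT_FILE)
    print(f"sanitized: {classify_preamble(fixed)}, patient={read_patient_name(fixed)}")
```

Zeroing the preamble is the sanitization step a PACS gateway or file-ingest pipeline can apply unconditionally: the image and its metadata are unchanged, and the executable view of the file is gone. Treat a "nonzero" verdict as something to review, not as proof of malice, since some legitimate encoders do use the preamble.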
Read more
Facebook Stored Millions of Instagram Passwords in Plain Text, Not Thousands
An update to a security lapse Facebook disclosed last month shows the problem was far larger than first reported. Last month Facebook said the passwords of “tens of thousands of Instagram users” had been stored in plaintext, accessible to more than 20,000 employees. In an updated blog post, Facebook admits it was actually storing millions of Instagram passwords in plaintext, on top of tens of millions of other Facebook users’ passwords. Passwords should never be stored in a form from which they can be recovered, and "encrypted" is not good enough either, since whoever holds the key can read them. The correct practice is to keep only a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) so that the site can verify what a user types without ever holding the password itself. A plaintext copy, by contrast, is readable by any employee or attacker with access to the logs or database, and is immediately reusable against every other site where the user repeated that password. Facebook continues to make headlines for poor security practices; a new lapse seems to surface every week.
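To make the contrast concrete, here is an added example (written for this newsletter, not Facebook's code) of what a password record should look like when stored: a salted, iterated hash from which the password cannot be read back, verified in constant time, with a work factor that can be raised over time. It uses PBKDF2-HMAC-SHA256 only because that ships in Python's standard library; in production prefer Argon2id or bcrypt through a vetted library. The iteration count is an assumption for demonstration and should be tuned on real hardware.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 100_000  # assumed for the example; raise until one hash costs ~100 ms
SALT_LEN = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key.
    Nothing in the record lets anyone, employee or attacker, read the password back."""
    salt = os.urandom(SALT_LEN)  # unique per record, so equal passwords hash differently
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work factor: rehash at the next
    successful login, the only moment the plaintext is legitimately in memory."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("correct horse battery stapler", record))
```

The stored record is safe to appear in a database dump or a log line in a way a plaintext password never is: an attacker who obtains it still has to brute-force each record separately at the configured cost. Logging must still never include the submitted password itself; the hash is computed and the plaintext discarded at the login handler.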
Read more here
Google Bans Logins from Embedded Browser Frameworks to Prevent MitM Phishing
In the last week, Google announced it will soon block any login attempt initiated from an embedded browser framework. Tools such as the Chromium Embedded Framework (CEF), XULRunner and similar projects are affected. Cybercriminals abuse embedded browser frameworks for MITM phishing and other purposes, and Google hopes the change will cut those attacks. When a user enters credentials on a phishing page, the cybercriminal operating that page “can use an embedded browser framework to automate the login operation on the real Google server” (ZDNet), relaying whatever the victim typed to Google in real time. Because Google cannot “differentiate between a legitimate sign in and a MITM attack” on these embedded platforms, it plans to completely block “sign-ins from embedded browser frameworks starting in June.” Google recommends that developers use browser-based OAuth authentication instead, stating it is much more secure than embedded browser frameworks: the user signs in to Google in their own browser, and the application receives only an authorization code, never the password.
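What the recommended flow looks like from the application's side, as an added example written for this newsletter (not Google's client library or documentation): the app builds an authorization URL for the system browser, validates the `state` on the redirect back, and redeems the code together with a PKCE verifier. The toy authorization server, endpoint URL, client id and loopback redirect are constructed stand-ins so the exchange runs offline; the S256 transform and the parameter names are those of RFC 7636 and the OAuth 2.0 authorization code grant. The point it demonstrates is that the application never handles the password, and that an authorization code captured in transit cannot be redeemed without the verifier that never left the client.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    return _b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range


def code_challenge(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(endpoint, client_id, redirect_uri, scope, state, verifier) -> str:
    """URL the app opens in the system browser. No password ever passes through the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect; reject state mismatch or error."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to our request (CSRF/injection)")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


class ToyAuthorizationServer:
    """Constructed stand-in for the server side, to show what the challenge buys.
    A real server (Google's included) does this internally."""

    def __init__(self):
        self._pending = {}  # code -> stored challenge

    def issue_code(self, challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' can be downgraded")
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        """Token exchange: the code is single-use and bound to SHA-256(verifier),
        so a code intercepted in transit is worthless without the verifier."""
        stored = self._pending.pop(code, None)
        if stored is None:
            return False
        return hmac.compare_digest(code_challenge(verifier), stored)


def run_flow(server, client_id="example-client-id", redirect_uri="http://127.0.0.1:8765/cb"):
    """End to end: build the request, server issues a code, client validates the
    callback and redeems. Endpoint and client id are placeholders."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("https://auth.example/authorize", client_id,
                                  redirect_uri, "openid email", state, verifier)
    request = parse_qs(urlparse(url).query)
    code = server.issue_code(request["code_challenge"][0], request["code_challenge_method"][0])
    callback = f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    return server.redeem(parse_callback(callback, state), verifier)


if __name__ == "__main__":
    print("flow succeeded:", run_flow(ToyAuthorizationServer()))
```

Compare this with the embedded-browser approach the page describes: there the application (or a phishing kit) renders Google's login page itself and can read every keystroke, which is exactly why Google cannot tell a relay apart from a real user. With the code flow the browser talks to Google directly, and the only thing that comes back to the application is a short-lived code bound to a secret the attacker never saw.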
Get more information here
FSA to Cryptocurrency Exchanges: Improve Your Cold Wallet Security Protocols
According to an anonymous source close to Japan’s Financial Services Agency (FSA), the FSA will soon require cryptocurrency exchanges to strengthen internal oversight of the “cold wallets” that hold virtual currency offline. This adds to recent actions the FSA has taken to tighten exchanges’ internal security. The FSA highlights weak points an exchange may have, such as leaving particular employees in charge of administering cold wallets without rotating that duty periodically. Reacting to numerous security lapses last year, the FSA restricted the use of less-secure “hot wallets” (where virtual currency is held on a device or platform that is connected to the internet).
Read more here
British Hacker Who Helped Stop World Wide WannaCry Outbreak Pleads Guilty to Malware Charges
Security researcher Marcus Hutchins has pleaded guilty to federal charges of creating and distributing malware used to break into online bank accounts. Hutchins is best known as the researcher who helped blunt the WannaCry ransomware worm. “Hutchins was charged in August 2017 with creating Kronos, a banking trojan that stole online bank account passwords from infected computers. A superseding indictment filed ten months later charged him with ten felony counts that alleged he created a second piece of malware called UPAS Kit.” In a plea agreement filed in federal court last week, Hutchins pleaded guilty “to two of the 10 counts”: distributing Kronos, and conspiracy. Hutchins said, “I regret these actions and accept full responsibility for my mistakes,” and now faces up to 10 years in prison.
The agreement, which is signed by Hutchins, includes the following elements:
- The conspiracy as charged existed;
- The defendant knowingly became a member of the conspiracy with the intent to advance the conspiracy;
- And one of the conspirators committed an overt act to advance the goal of the conspiracy.
Read more here