
ProactiveIT Ep 24 – The Attack on Communication

April 10, 2020

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Securing Zoom, How Safe Are Other Collaboration Applications, and Email Continues to be The Way In.

This is Episode 24!  

Intro

Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group. Search for Get HIPAA Compliance.

Patch Tuesday Update:

Chrome 81 Released With 32 Security Fixes and Web NFC API
Firefox 75 released with Windows 10 performance improvements
Juniper Networks Releases Security Updates
Microsoft releases April 2020 Office updates with crash fixes

Cyber Security News

Google Mobility Reports Show Impact of Lockdown
How Just Visiting A Site Could Have Hacked Your iPhone or MacBook Camera
DOJ Says Zoom-Bombing is Illegal, Could Lead to Jail Time
PSA: Fake Zoom installers being used to distribute malware
ThreatList: Skype-Themed Apps Hide a Raft of Malware
Interpol: Ransomware attacks on hospitals are increasing
Zoom Taps Ex-Facebook CISO Amid Security Snafus, Lawsuit
Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials
NASA under ‘significantly increasing’ hacking, phishing attacks

Topic 1: 12 Easy Ways to Secure Your Zoom Meetings

Topic 2:  Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?

Topic 3:  Two schoolkids sue Google for collecting biometrics

HIPAA Corner: 

https://www.phe.gov/Preparedness/planning/405d/Documents/resources-templates-508.pdf

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus Securing Zoom, How Safe Are Other Collaboration Applications, and Email Continues to Be the Way In. This is episode 24.

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J-tech.com.

Hi, thank you for joining us during this pandemic. We know you could be nowhere else right now, so thank you for joining us. Because, I don’t know, I guess you could be watching TV. Wherever you’re listening to this, if you could like, share, comment, or review, that would be spectacular. I would greatly appreciate it. I would drive to your house, except I’m not allowed to right now. And if you aren’t a HIPAA compliant business, please go to Facebook and in the search type in Get HIPAA Compliance and join that group, because we share HIPAA information all the time and you’ll find it valuable. It’ll help your business, and you’ll become a little more compliant, a little less scary to patients and to the HHS.

We did get a couple of questions this week, actually, but they’re going to be answered throughout the show. One of the questions was how to deal with all of the Facebook news and warnings and so forth. The other one I received a few times today, or this week, sorry: emails. People getting emails that say that they’ve been viewed on their webcam doing certain activities that most people wouldn’t be proud of. So we’re going to go over that too, because there actually was a news story on that. But let’s start with the updates.
Like we always do, the Patch Tuesday updates. Of course, Patch Tuesday is next week, the 14th, so no Microsoft Windows updates yet, but there is a Microsoft update. We’ll get to that in a moment. But first of all, Chrome 81 was released with 32 security fixes, so you’ll want to update Google Chrome. Firefox 75 was released with Windows 10 performance improvements, and I believe there were some security issues addressed there as well, so you’ll want to update Firefox as well, and that’ll be across all your different operating systems. Juniper Networks has released a security update to address multiple vulnerabilities in various Juniper products, so if you’re using Juniper, get that taken care of. And Microsoft, as I mentioned, Microsoft released the April 2020 Office updates with crash fixes. I’m going to read from Bleeping Computer on this: Microsoft released the April 2020 non-security Microsoft Office updates that come with crash fixes, as well as performance and stability improvements for Windows Installer editions of Office 2016. For instance, this month’s series of Office non-security updates fix an issue where Word 2016 would crash when trying to save certain documents, and an unexpected crash issue impacting OneNote 2016 when the user agent string is longer than 128 characters. So after installing the Office 2016 KB4484101 and OneNote 2016 KB4475586 updates, you’ll be able to save any document formats and use OneNote with user agents of any length without the apps crashing unexpectedly. So make sure you apply your Microsoft Office 2016 updates, and that is all the Patch Tuesday update news I have for you this week. Of course, next week we’ll have a lot more.

Wait, it’s time for all the news that is fit for print, or web, you know, whichever. First up, infosecurity-magazine.com: Google mobility reports show impact of lockdown. So unless you’ve been living under a rock, and if you are, then it doesn’t really matter.
But unless you’ve been living under a rock, you know most countries are locked down to some degree, at least, including the US. A lot of states, including Connecticut, where I am, are pretty much locked down. I mean, we’re not told we have to stay in the house, but we’re strongly encouraged. So this is along those lines: Google mobility reports show impact of lockdown. Google published reports today that use aggregated phone location data to show how closely lockdown regulations are being followed around the world. The company said its COVID-19 Community Mobility Reports would provide insights into what has changed in response to work-from-home, shelter-in-place and other policies aimed at flattening the curve of this pandemic. The reports use aggregated, anonymized data gathered from cellphones to chart movement trends over time. Specifically, they reveal how busy popular destinations such as shops, parks, recreation spaces, grocery stores, pharmacies, transit stations, residential areas and more places have been since the majority of countries asked people to stay at home. Initially, reports will cover 131 countries and regions and show trends that have emerged over several weeks, with the most recent data included being at least 48 hours old. Now, I did look, and this is a few days ago, out of my own curiosity. I believe there are 195 countries around the world, so this is originally 131 countries. I don’t know if that’s still true. Today’s reports show a traffic comparison over a five-week period between February 16 to March 29. So this is a week ago now; data gathered from a little more than about 10 days ago. Data gathered from the UK shows that visits to transport stations are down 75%, while 85% fewer people are frequenting public recreation places such as restaurants, cafes and movie theaters.
In Italy, where around 14,000 people have died, and that number is higher now, after contracting the novel coronavirus, strict lockdown measures have resulted in 94% fewer people in shops, restaurants and cafes, and parks have seen footfall drop by 90%. By contrast is Sweden, where no strict measures have been introduced to keep people in their homes. Google found that 18% fewer people were in work, 24% fewer were using recreational spaces, and use of transport stations had dropped by 36%. Only data from users who have turned on the Location History setting will be used to create the different reports. Currently, the setting is turned off by default. People who have Location History turned on can turn it off at any time from their Google account. You can also delete Location History data directly from the timeline. Google says the reports will not intrude on the privacy of individual people because no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point. So take that as you may. You know, Google says their PII is not involved. Turn it on, turn it off. But it is interesting to me to see these statistics, and that’s why I share this. Hopefully you are staying home to prevent the spread.

The Hacker News reports how just visiting a site could have hacked your iPhone or MacBook camera. This was on April 2. If you use an Apple iPhone or MacBook, here we have a piece of alarming news for you. Turns out merely visiting a website, not just malicious sites but also legitimate sites unknowingly loading malicious ads as well, using the Safari browser could have let remote attackers secretly access your device’s camera, microphone or location, and in some cases saved passwords as well. Apple recently paid a $75,000 bounty reward to an ethical hacker, Ryan Pickren, who practically demonstrated the hack and helped the company patch a total of seven new vulnerabilities before any real attacker could take advantage of them.
Fixes were issued in a series of updates to Safari, spanning version 13.0.5, released in January 2018, and Safari 13.1, published on March 24. If the malicious website wanted camera access, all it had to do was masquerade as a trusted video conferencing website such as Skype or Zoom, Pickren said. When chained together, three of the reported Safari flaws could have allowed malicious sites to impersonate any legit site the victim trusts and access the camera or microphone by using the permissions that were otherwise explicitly granted by the victim to the trusted domain only. So that has been fixed, so make sure you do have the latest version of Safari on your iPhone or iPad.

The Department of Justice says Zoom bombing is illegal and could lead to jail time. This is also on Bleeping Computer. The Department of Justice and offices of the United States Attorneys are warning that Zoom bombing is illegal, and those who are involved can be charged with federal and state crimes. As more people are working from home or conducting distance learning due to the coronavirus pandemic, Zoom video conferencing software has become heavily utilized for remote meetings, online classrooms, exercise classes, and family and friend get-togethers, and I have used it for all those things. So that is very true. Since then, people are crashing, or Zoom bombing, online meetings to record them as pranks to be shared on YouTube and TikTok, or to spread hate, offensive images and even threatening language. And it has happened. All of those things have happened, not to me, but all of those things have happened. Some people have told these stories already. Zoom meeting IDs are also being traded and shared on Discord, Reddit and hacker forums, according to ZDNet, where they’re used to conduct Zoom raids that hijack and disrupt an online meeting or class. And I’m going to talk about, later on in this podcast, how to protect yourself from these attacks. Now, Zoom did, I believe today,
I’m recording this on Thursday, April 9, did say that Zoom meeting IDs would no longer be shown in the Zoom window. So Zoom bombing is illegal. In a press release on the Department of Justice website, United States Attorneys for Michigan have stated that people involved in Zoom bombing could be charged with federal and state crimes that lead to fines and imprisonment. “You think Zoom bombing is funny? Let’s see how funny it is after you get arrested,” stated Matthew Schneider, United States Attorney for Eastern Michigan. “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door.” If an individual is found to be hacking into or disrupting online meetings, classrooms and conferences, charges may include disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. This week, the FBI released an advisory about Zoom bombing attacks that asked the victims of teleconferencing hijackings to file a complaint with the Internet Crime Complaint Center, IC3. So, if you have been Zoom bombed, continue to listen to this podcast, because I’m going to tell you how to prevent that. But also you should report it to the FBI’s IC3.

Also along the lines of Zoom, Bleeping Computer also reports: PSA: fake Zoom installers being used to distribute malware. Attackers are taking advantage of the increased popularity of the Zoom video conferencing service to distribute installers that are bundled with malware and adware applications. As people are spending more time indoors and performing physical social distancing, many have started using Zoom meetings for remote work, exercise classes and virtual get-togethers. Knowing this, threat actors have started distributing Zoom client installers bundled with malware such as coin miners, remote access Trojans and adware bundles.
Today, Trend Micro reports that they have found a Zoom installer being distributed that will also install a cryptocurrency miner on victims’ computers. “We found a crypto coin miner bundled in with the legitimate installer of the Zoom video conferencing app, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they’re able to communicate this with users appropriately.” So this is not anything that Zoom can do. There’s nothing Zoom could do to prevent this except educate users. You should be downloading from zoom.us. And again, I’m going to talk about these things in a little bit.

Threatpost: Skype-themed apps hide a raft of malware. So it’s not just Zoom; this is a Microsoft application now. Hundreds of thousands of malware files are disguised as well-known social conferencing and collaboration apps. Popular conferencing apps have become a major cybercrime lure during the COVID-19 work-from-home era, and Skype is the undisputed leader when it comes to being impersonated by malicious downloads, researchers have found. An April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app. It should be said that Skype isn’t alone in being targeted. The research found that among a total of 1,300 suspicious files not using the Skype name, 42% were disguised as Zoom, followed by WebEx, and we’re going to talk about WebEx as well, at 22%; GoToMeeting, 13%; Flock, 11%; and Slack, 11%. “With the rise of social distancing, Kaspersky experts investigated the threat landscape for social meeting applications to make sure users are safe and their communication experiences enjoyable,”
the firm said in an emailed analysis. “Social meeting applications currently provide easy ways for people to connect via video, audio or text when no other means of communication are available. However, cyber fraudsters do not hesitate to use this fact and try to distribute various cyber threats under the guise of popular apps.” So something to think about: it’s not just Zoom. I know everybody’s throwing their arms up about Zoom, but it is Skype and Cisco WebEx and other applications as well.

Interpol, this is Bleeping Computer again: Interpol: ransomware attacks on hospitals are increasing. The International Criminal Police Organization, or as we know it, Interpol, warns that criminals are increasingly attempting to lock hospitals out of critical systems by attempting to deploy ransomware on their networks despite the currently ongoing COVID-19 outbreak. This doesn’t come as a surprise, even though some operators behind various ransomware strains told Bleeping Computer last month that they will stop targeting health and medical organizations during the pandemic. Since then, Maze released data from a drug testing company encrypted before their statement of not targeting healthcare, while Ryuk continues to attack hospitals, despite most of them being flooded with new COVID-19 cases every day. So the Maze case was Hammersmith. We’ve talked about it a couple of times. I’m not sure if it’s further down in this article, but in the UK they were preparing to test COVID-19 vaccines. They were hit by ransomware before Maze said they would not attack any healthcare facilities, but the release of the data happened after they said they would not do it. Russian-speaking threat actors have also targeted European companies in the pharmaceutical and manufacturing industries in incidents suspected to involve ransomware. Last week, Microsoft said that it has started to send targeted alerts to dozens of hospitals regarding vulnerable public-facing VPN devices
and gateways, those were Pulse VPN, located on their networks, to help them prevent REvil (Sodinokibi) ransomware attackers from reaching their networks. Following this trend, Interpol’s Cybercrime Threat Response team at its Cyber Fusion Centre said over the weekend that it has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. After this discovery, Interpol says that it has issued a purple notice alerting police in all of its 194 member countries to the heightened ransomware threat. Now, this talks about attacks on hospitals, but this is going to be healthcare across the board, people. This is going to go from massive hospital systems all the way down to single-member healthcare practices. So everybody’s under attack right now. It’s not even just healthcare; it’s everybody. We need to keep our guard up during this time, even more so than usual.

And here’s a few suggestions in this article. You’ve heard all of these before on this podcast, but we’ll go over it again, because it is important that we do this: Only open emails and download software applications from trusted sources, so back to Zoom and Skype, only download from their websites. Do not click on links or open attachments in emails which you are not expecting to receive or that come from an unknown sender. Secure email systems to protect from spam, which could be infected. Back up all important files frequently and store them independently from your system. Ensure you have the latest antivirus software installed on all systems and mobile devices and that it is constantly running. And use strong, unique passwords for all systems and update them regularly. And add to that: use multi-factor authentication. Now, on top of that, this is added by me: in the US, the SBA has a few different loan options and financial help for small businesses in the country.
If you’re going to apply for them, you are putting in a lot of sensitive information, including your Social Security number, the business tax ID, your bank account information, your name and address, and a lot of sensitive information. So make sure you’re going to sba.gov. Don’t click on any links; just type in sba.gov. If you’re going to move forward with that type of information, type in your bank’s website address directly as well. Because they are going after all types of businesses and people out there at this time, because our guard is down, because we’re more concerned with what’s going on with COVID-19.

All right, just reported today, this is probably good news: Zoom taps ex-Facebook CISO amid security snafus, lawsuit. The online video conferencing service added Alex Stamos to the team and has formed an expert advisory board to grapple with the pains of its COVID-19 growth spurt. So Zoom jumped from about 10 million users per month to, two articles say 200 million, I don’t remember the exact number, but a significant increase in the last few months. As it faces a major lawsuit, Zoom is taking a significant step to bolster security and privacy efforts by recruiting an industry heavy hitter, former Facebook CISO Alex Stamos, to provide special counsel. It has also named third-party experts to security advisory teams. The popular video conferencing service is making the changes as it faces a class action lawsuit filed by one of its shareholders on Tuesday in US District Court for the Northern District of California. It alleges that the company made materially false and misleading statements that overstated its privacy and security measures, and it claims that Zoom didn’t disclose its lack of end-to-end encryption. Zoom has experienced a raft of security-related growing pains during a boom in usage amid the COVID-19 lockdown as people take work environments, school lessons and dates with friends
online. Zoom now says that it aims to clean up the issues from both the product side and by taking a high-level executive approach. Zoom founder Eric Yuan said in a blog post published Wednesday: “Zoom has seen tremendous growth and new use cases emerge over the past few weeks, and we are committed to ensuring that the safety, privacy and security of our platform is worthy of the trust of all of our users,” he wrote. So good news for those concerned about security on Zoom. And you should be, of course, concerned, especially if you’re working with sensitive information. But this is good news that they’ve hired someone who’s going to address this for sure.

Cisco, also on Threatpost: Cisco ‘critical update’ phishing attack steals WebEx credentials. So emails purporting to be Cisco critical security advisories are actually part of a phishing campaign trying to steal victims’ WebEx credentials. An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to update, only to steal their credentials for Cisco’s WebEx web conferencing platform instead. The campaign is looking to leverage the wave of remote workers who, in the midst of the coronavirus pandemic, have come to rely on online conferencing tools like WebEx, as well as Zoom and other platforms. With the spike in online meetings, compromised WebEx credentials could be a cybercriminal’s golden ticket into web conference calls where sensitive files and data are shared, among other malicious activities. “Targeting users of teleconferencing brands is nothing new,” said Ashley Tran with Cofense’s Phishing Defense Center in a Thursday analysis, “but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote working phishing in the months to come.”
And I’ve been saying that, and you know, so this is WebEx; we talked about Skype and we talked about Zoom already. So the attacks are on the rise; we need to be vigilant. Don’t click. Just think before you click. That’s, you know, something I’m going to work on for 2020. I had planned on working on it, but I’ve been super busy with addressing my clients’ issues and even some new clients working from home and so forth. Researchers said the phishing emails are being sent with various attention-grabbing subject lines such as “Critical Update” or “Alert” and come from the spoofed email address meetings@webex.com. And so “critical update” or “alert” is playing on people’s fears. As I say, phishing always plays on emotions, and usually that’s fear. So don’t click on those and avoid becoming another phishing statistic.

In our final bit of news, NASA under ‘significantly increasing’ hacking, phishing attacks. NASA has seen significantly increasing malicious activity from both nation-state hackers and cybercriminals targeting the US space agency’s systems and personnel working from home during the COVID-19 pandemic. Mitigation tools and measures set in place by NASA’s Security Operations Center successfully blocked a wave of cyberattacks, the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks. So there has been an increase in domains registered with the word Zoom, with the word Skype, and I’m sure at this point with WebEx, maybe NASA, COVID-19, there’s a bunch of them. So we have to be careful what we’re clicking through to and what we’re looking for when we go on the internet. So there again, NASA is reporting an increase. This means everybody’s being attacked. It’s not just NASA, not just hospitals, everybody.
It’s time for our hot topics, and what is hotter? Well, besides COVID-19, what is hotter than Zoom right now? So I wrote a blog post about it as well. The title of the blog is 12 Easy Ways to Secure Your Zoom Meetings, and this applies to a lot of different things, though. So I wanted to go through this and help you to understand how to secure your meetings. While some of the issues were definitely Zoom, some of the issues could have been prevented by users understanding how to use Zoom as well. So, 12 Easy Ways to Secure Your Zoom Meetings. This is a blog on nwajtech.com. It’s been a while since I’ve put a new blog post up, so go there, check it out, leave us a comment; that would be great.

So we’re living in interesting times, to say the least; there’s no doubt about it. COVID-19 has changed the way we work and live, and in some cases permanently. People who have never worked from home suddenly find themselves doing it full time. The COVID-19 pandemic has also challenged the technology world in ways it’s never seen before. There’s been a huge increase in phishing attacks, scams and malware using the COVID-19 pandemic as a means of infiltrating victims. Employees and business owners that are not entirely comfortable working remotely are finding that security challenges are different and somewhat unique when plugged into their home network. I have spent the first three weeks of our partial quarantine helping businesses and individuals prepare for life during a pandemic in isolation: helping with securing their computers and networks, connecting to resources and applications necessary to complete their work, helping with VoIP, and in almost every case, helping with setting up and using Zoom. Zoom is a powerful tool. The primary reason for using Zoom is video conferencing and collaboration. They have plans that allow you to host video conferencing calls with up to 100 people for just $15 a month.
They even have a free plan that allows up to 100 people so long as you keep the meeting under 40 minutes. Now, I have heard that they have temporarily lifted the 40-minute limit. I’m not sure if that’s true; I haven’t challenged it. We have a paid account, so we don’t need to use the free account. But I’ve heard that. There are, of course, other plans that include more features, but most small businesses will find the $15 plan more than enough. You could do more with Zoom than host meetings. Here are some of the other things I have done with Zoom: screen share, remote support, record videos, including screen captures, and then upload to social media, record podcasts, have one-to-one meetings, virtual training. As you can see, it’s a pretty useful tool.

The ugly side of Zoom. Zoom exploded in popularity when the pandemic began to unfold, and went from 10 million people using it in December of 2019 to 200 million in March. That’s some intense growth. It was of course fueled by the COVID-19 pandemic and employers telling their employees to stay home and work. Zoom’s platform has remained stable throughout. I have not had any issues and have only seen a few complaints about connectivity problems. Then, the day after I posted this, there was an outage, I believe it was Saturday; there was an outage that could have been attributed to the load on ISPs as well. As I was writing this, okay, so I put it in here: as I was writing this, there were reports of Zoom web being down, but I was able to connect. Zoom has run into problems with vulnerabilities and attacks. In the last few weeks Zoom has been attacked by random people jumping into meetings. This is called Zoom bombing. Those people then shared pornographic materials, hate messaging and disruptive behavior. There have also been a few vulnerabilities discovered, and I’ve linked a few articles here.
So: Zoom lets attackers steal Windows credentials, run programs via UNC links. Ex-NSA hacker drops new zero-day doom for Zoom on macOS. Zoom kills iOS app’s data-sharing Facebook feature. And Zoom also came under scrutiny for privacy concerns during their increased usage. They have addressed all of those issues, though. So as you can see, there’s a lot to deal with. There’s good news, though. Zoom has patched all of the issues already. Zoom has also allocated all engineers who were working on feature improvements and additions to the development of improved security. Zoom CEO Eric S. Yuan recently wrote a blog post addressing the vulnerabilities and concerns. He essentially explained the recent growing pains that led to the vulnerabilities and challenges, and was very transparent with what has been done and what they will be doing going forward. Zoom’s issues are not solely theirs. They also belong to the businesses and consumers using the platform. Security is everybody’s responsibility, and until everybody takes it seriously, these things will continue to happen. I attended five meetings over Zoom last week; three of them did not have a password on them. I attended one just today that did not have a password on it. So as I’m recording this, this is Thursday, April 9.

So how do you secure Zoom meetings? Here’s a list of 12 things you could do to secure your Zoom meetings going forward.

Use a password for your meeting. When you set up your Zoom meetings, you can add a password. The password can be whatever you want it to be; it automatically generates a six-digit number, but it doesn’t have to be numbers. You can also edit existing meetings to add a password.

Use the waiting room. This feature makes it so you have to approve anyone who wants to join the Zoom meeting. If you’re not sure who the person is, you can screen them to ensure your meeting is not Zoom bombed.
Do not share your Zoom meeting information publicly. Don’t share it on social media. The best thing you can do is to require people who want to attend to RSVP, and then send them the meeting information.

Ensure your Zoom client is updated; do not use outdated Zoom clients. Since I wrote this, which is five days ago, there have been two updates to Zoom on Windows, so make sure you do update it.

Disable participant screen sharing. The admin can grant screen sharing to individuals as needed.

Lock the meeting once everyone has joined.

Require the host to be present before the meeting starts.

Secure meetings with end-to-end encryption. Yes, this feature is available, or so it had been, though it has been publicized that it is not. And so when I wrote that, that was what was being told to us, but on April 7, the CEO Eric Yuan: Zoom meetings aren’t end-to-end encrypted, despite misleading marketing, and I link to the article on that one.

Allow only authenticated users to join meetings. This means users need to create an account on zoom.us to join a meeting. You can further limit this to specific email domains if it’s relevant to your meeting.

Use generated meeting IDs instead of your personal meeting ID. If you do use a personal meeting ID, do not share pictures of your meetings to social media or on the internet. This makes it easier to find your meeting. Now again, as I said earlier, Zoom has now removed the meeting ID from the Zoom window.

Do not download the Zoom client from anywhere other than zoom.us. There has been a surge in domains being purchased that include the word Zoom, suggesting that there will be malware and phishing attacks launched using Zoom to get your attention. So we already reported on that.

And of course my favorite: use a secure password and enable two-factor authentication on your Zoom account. Logging into zoom.us will give whoever logs in access to your meeting and account security information.
Setting up two-factor authentication dramatically decreases the chance that someone can brute-force your Zoom account.

Twelve steps to secure Zoom meetings might seem like a lot, but the steps are pretty easy, and some of them are configured by default. It also helps to spend time logged into your account on Zoom's website to understand the different features. Zoom is a great productivity tool, but like anything else, growing pains will challenge its stability and security and bring its policies into question. It seems Zoom is on top of things, rapidly fixing any vulnerabilities and addressing concerns that come up. As long as Zoom's clients do their part, we can ride this pandemic out together using one of the few tools that have kept us connected and made this planet a little smaller. Stay healthy, stay safe and stay secure.

That's how I close all my podcasts now, and I closed out that blog post the same way. One of the last things I talked about there was understanding the features. What I see is a lot of people wanting to turn on the green screen feature, where you have, you know, a custom background. That's interesting to me, because a lot of people are spending time doing that, but nobody's spending time turning on two-factor authentication on zoom.us. So get that turned on, because it'll slow down the spread for sure.

Along the lines of Zoom, we have an article here from Threatpost, so we're going to go over "Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?" I'm a big fan of Slack as well; we use Slack for communication purposes, so this is interesting to me.

COVID-19's effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all, but without proper security they can be a big risk. As the coronavirus pandemic continues to worsen, remote collaboration platforms, now fixtures in many workers' new normal, are facing more scrutiny.
Popular video conferencing app Zoom may currently be in the security hot seat, but other collaboration tools such as Slack, Trello, WebEx and Microsoft Teams are certainly not immune from cybercriminal attention. For organizations leaning on these platforms, security should be top of mind. A failure to lock down Slack, for example, could lead to data breaches, brand damage, malware infestations and more. Researchers say that attackers are hard at work looking for new weaknesses to achieve all of the latter. Fortunately, a handful of best practices can go a long way to shrinking the risk.

Collaboration app security bugs: not hypothetical. The risk posed by collaboration platforms is far from hypothetical. In March, for example, a critical vulnerability was found in Slack which could allow automated account takeovers and lead to data breaches. According to a HackerOne bug bounty report, an HTTP request smuggling bug and proof of concept was used to force open redirects within Slack (we reported this, by the way), leading users to a rogue client outfitted with Slack domain cookies. With victims attached to the malicious client, their session cookies could be harvested and later used to take over the account. The attack could also be automated.

"Automated account takeover attacks like Slack just had to deal with are pervasive," said Jason Kent, hacker in residence at Cequence, in an interview. "We see these takeover attempts all the time. The hackers learn the login or password recovery workflow and start the attack on the logins they know about. Most of the time these attacks have been automated, utilizing bots to take over as many accounts as possible."
Aside from Slack, Cisco WebEx has had its share of security flaws. In March, Cisco patched two high-severity security vulnerabilities in the video conferencing platform which, if exploited, could allow an attacker to execute code on an affected system, and earlier in the year it addressed a bug that would let strangers barge in on password-protected meetings, no authentication necessary, presenting a serious data exposure concern. And of course there's Zoom, which has gained widespread popularity for personal and work use since stay-at-home orders went into effect across the country. The company has faced an onslaught of security woes in the last two weeks, including a pair of zero-days and various privacy problems.

Apart from exploiting security bugs, cybercriminals have other attack vectors when it comes to collaboration apps. Slack, Microsoft Teams and others have messaging components that can be used for phishing attacks and to deliver malware payloads through links and attachments, just like email. External attackers can leverage stolen credentials or conduct brute-force and credential-stuffing attacks to gain access to these platforms, said Garrett Lansing, field CTO at Stealthbits, speaking to Threatpost. They can then compromise the information those credentials provide access to, using it to either complete their mission or for intelligence to attack other targets within a company. They could also go as far as to impersonate the employee in conversations and send malicious attachments to people.

On to Atlassian, which has service desk software. A lot of businesses made the Atlassian service desk public-facing during this work-from-home time, and they have been exposed as well, with people impersonating employees and things like that.
Collaboration apps are also subject to misconfiguration. Popular online collaboration platform Trello, for instance, which is used in corporate settings to organize to-do lists and coordinate team tasks, has boards that are indexed by Google if they are set to public (we reported that a while ago too), and public boards' specific contents can also be searched using a special search called a dork. This setting is surprisingly easy to implement by mistake, researchers said, as evidenced by an incident earlier this year at office space company Regus. In that case, a Trello board exposed the performance ratings of hundreds of staff. The Trello incident was due to end users setting their boards to public and not fully realizing how easy it was for someone else to search for the public boards, James McQuiggan, security awareness advocate at KnowBe4, told Threatpost. The groups that created the boards were posting sensitive information and thus exposing the organization to unnecessary risk.

If a company's collaboration platform enables external communication, it can present yet more opportunities for attackers. For instance, if an attacker were able to get into a developers' channel inside a retail organization, they might help with a problem and actually inject their own flaws; Magecart jumps to mind. A person could simply say, you can add this JavaScript file to the next production drop.

There are ecosystem weaknesses, too. For instance, Slack offers a software library containing add-ons that can be installed in just a couple of clicks; so does Microsoft Teams. An attacker could create a Slack add-on that advertises some great features but also reads channel data, said Matt Gayford, principal consultant at the Crypsis Group.
If an end user mistakenly installs the add-on, they could expose all Slack channels to the attacker. In terms of actual attacks, Otavio Freire, CTO and co-founder of SafeGuard Cyber, told Threatpost that coordinated campaigns against corporate instances of collaboration platforms can be difficult to pinpoint, making things challenging for security teams. The first step to compromising users' collaboration accounts might initially look like business email compromise or social spear-phishing, he explained. As an example, he detailed one attack impacting Slack that his company was involved in mitigating. Slack's strength and vulnerability is its connectedness to other apps, he said. For one customer, we were brought in because they had an instance where a hiring system was mapped to an HR Slack channel. A resume that was an infected Word doc was uploaded to the system, which pushed a notification to the HR channel, where hundreds of employees opened the document at the same time.

The article goes on to talk about the risks and best practices. But, you know, this is just another example of how collaboration tools, work-from-home tools and communication tools can be abused very easily and taken advantage of. So it's not just Zoom; we've all heard about Zoom for the most part, but it's also Skype, Microsoft Teams, Slack, things like that, as well as Cisco WebEx. So it's probably most important to be as careful as you can be. I know I keep stating that, but it is what it is. We need to remain vigilant, we need to make sure we're doing our due diligence, and we need to analyze everything in a hyper-connected world right now. I know it's easy to not do that. I know it's easy to overlook things when we're focused more on what's going on with COVID-19 and work from home and homeschooling and all of that good stuff. So just, you know, ride the storm, do your best.
And of course, if you have questions, feel free to reach out to us. But I'm going to share one more thing, from Naked Security by Sophos: two school kids sue Google for collecting biometrics. Two school children have sued Google, alleging that it's illegally collecting their voiceprints, faceprints and other personally identifiable information. The two students were identified only as H.K. and J.C. in a complaint which was filed on Thursday in San Jose, California, in the US District Court for Northern California. The children are suing through their father, Clinton Farwell. The complaint notes that Google has infiltrated the country's primary and secondary school systems by distributing its Chromebook laptops, which come pre-installed with its G Suite for Education platform. That suite includes student versions of Gmail, Calendar, Drive, Docs, Sheets and other Google apps. In order to use those apps, the kids had to speak into the laptops' audio recording device so Google could record their voices, and they had to look into the laptops' cameras so Google could scan their faces.

So I will say, my kids, or, you know, my son took home a Chromebook, and he did not have to do those things for the Chromebook to work. Okay, I'll read on. According to the lawsuit, over half of the nation's schoolchildren use Google's education products, including those in Illinois, most of whom are under the age of 13. Illinois comes into play because it's got the strictest biometrics privacy law in the land, the Biometric Information Privacy Act, BIPA, which requires private entities like Google to first get our informed consent before collecting our biometrics, including faceprints and voiceprints.
The complaint alleges that Google's violating both BIPA and the nation's strictest federal online children's privacy law, the Children's Online Privacy Protection Act, COPPA. COPPA requires websites and online services to fully and clearly disclose their data collection, use and disclosure practices, and to obtain verifiable parental consent before collecting, using or disclosing the data they collect from children younger than 13. Incredibly, the complaint says, Google is violating both of these privacy protection laws at the same time. The lawsuit says that besides faceprints and voiceprints, Google's also illegally creating, collecting, storing and using students' PII, including physical location, websites they visit, every search term they use in Google's search engine and the results they click on, the videos they watch on YouTube, personal contact lists, voice recordings, saved passwords and other behavioral information, all without verifiable parental consent. From the complaint: Google has complete control of the data collection, use and retention practices of the G Suite for Education service, including biometric data and other personally identifying information collected through the use of the service, and uses this control not only to secretly and unlawfully monitor and profile children, but to do so without the knowledge or consent of these children's parents. The plaintiffs are requesting a jury trial. They want Google to stop collecting the data and to destroy whatever data it has. The suit is also seeking $5,000 per student for each of Google's alleged intentional or reckless violations and $1,000 for each negligent violation. This, of course, is not the first time that Google's had to deal with this; there was something earlier this year out of New Mexico. And here we are. So Google's being sued. I don't know what will come of it. I'm curious to see what Google's response is.
You know, I don't know how much of that would be through the school and how much would be Google itself, because I know that my kids did not have to do voice or facial recognition to set up the Chromebooks, and they actually don't use Gmail for email, which I thought was interesting, because they're using Microsoft. But, um, my son did mention COPPA the other day, and that caught me off guard. I didn't know that he knew anything about it, but apparently he has been talked to about it at school. So maybe it's the school system. We'll wait to see what happens and what comes of this complaint and lawsuit going forward.

All right, it is time for the HIPAA education portion of our podcast, and I'm going to talk about email. The reason I'm going to talk about email is because the number of phishing attacks and email compromises around the healthcare industry just continues to astound me. I believe it's 40-something percent of all HIPAA breaches that are through email. So what I'm going to share with you is the Health Industry Cybersecurity Practices, which for short is called HICP (H-I-C-P): Managing Threats and Protecting Patients, Resources and Templates. What I've shared in the show notes is the framework. It is a document for small businesses, for small healthcare providers, small organizations, so practices, and it is mapped to the NIST Cybersecurity Framework. We're going to talk specifically about email. This talks about a bunch of different things that you need to look at and address during a risk assessment in healthcare. So this is specific to healthcare, the Health Industry Cybersecurity Practices. I will say this though: it could be used pretty much for any business.
It talks about different areas including endpoint protection systems, access management, data protection and loss prevention, network management, incident response, medical device security, cybersecurity policies and so forth. We're only going to focus on email for the purpose of this podcast because it is something that needs to be addressed. In this document it says, for email protection systems, these are the different things you should be doing.

First of all, a baseline configuration of information technology and industrial control systems is created and maintained, incorporating security principles, e.g. the concept of least functionality. So if you have email, which of course you do, everybody does, you need a baseline configuration to understand what exactly your email is capable of. You could be checking things like: are we able to access email through a website? In the case of Office 365, can we go to outlook.office.com and log in through there? I will tell you, for most of my clients that is locked down; they cannot log into outlook.office.com. But, you know, maybe there's a reason for you to have that turned on. If you do have it turned on, do you have multi-factor authentication set up? Now, Microsoft is making multi-factor authentication mandatory. Your email will basically stop working in Outlook and other third-party tools if you don't have multi-factor authentication turned on.

Two: can I set up my email on a mobile device? Again, that's up to the practice. Some practices might have a need; maybe only certain people need to have mobile access to email. And again, this could apply to any business. If you do, how are we securing that even further? Does that mobile device have biometrics turned on? Is that device locked? Do you have device locking capabilities, device wipe capabilities? Do we have MDM set up on that device?
The laptop: if you have a laptop, and most healthcare providers will have laptops, do we have biometrics on that laptop? Does it have a password on it? Does it have remote wipe? Is it encrypted? Are the emails encrypted, end-to-end encryption? Do you have a BAA with that email provider? All of these are part of the baseline configuration, BAA being a business associate agreement. There are a few email providers that will sign it, the two biggest ones being Office 365 through Microsoft and Google's G Suite. But if you don't have a business associate agreement, then you need to walk away from that email provider and find something different. So that's a lot of stuff that you need to address in a baseline configuration.

Data in transit is protected is another area. We talked about this with Zoom. Do you have encryption when your email is in transit? Is it encrypted? You can send encrypted email; some of the email providers will have the ability to send encrypted emails, again G Suite and Office 365. But there are third-party systems out there that can encrypt your email as well. One example would be Zix, Z-I-X.

Users, devices and other assets are authenticated, e.g. single-factor, multi-factor, commensurate with the risk of the transaction, e.g. individuals' security and privacy risks and other organizational risks. Kind of going back to our baseline configuration, are we doing everything we can to protect the devices and the email? Are we ensuring that the security and privacy risks are addressed now? HIPAA is an ongoing process, right? If you have an active HIPAA program, then you are constantly looking at these things and making sure things are up to date.
So I'll give you a simplified example. I go in on a regular basis and just make sure that AWS S3 buckets are still not available to the public, because all the time we see how AWS S3 buckets were left out to be viewed by the public with sensitive information, including some well-known healthcare breaches. So I will check; even though I know it's turned on, I go back and check every few weeks or so to make sure it's still turned on and they don't have public access. That's a simplified example. We need to continue to run security and privacy risk analysis and so forth to make sure that something hasn't fallen through the cracks since the last time we checked. And right now, we're distracted, as a nation, as a world, we're distracted, right? Because of COVID-19, we have relaxed telehealth capabilities right now, so you could use FaceTime or Facebook Messenger to practice telehealth. But eventually that's going to go back to normal. We're maybe not as focused on HIPAA as we normally would be because of the COVID-19 pandemic, and eventually it will go back to normal. So what happens when it goes back to normal? Is somebody going to provide another assessment and another analysis, another audit, to make sure that things are where they need to be? That's where making sure that users, devices and other assets are authenticated through single-factor or multi-factor authentication commensurate with the risk of the transaction comes in. So if we're using email, and this is about email, it should always have multi-factor authentication, because every single email breach has had PHI in it, every single one, and it's always the standard line (you're going to hear it in the HIPAA breach report after this): we will take action to prevent this going forward. But it shouldn't happen. It's not hard to set up multi-factor authentication.
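One way to automate the recurring S3 check just described, as an added example (this is not the podcast's or AWS's own code): the pure `bucket_findings` function and the constructed sample buckets run without any AWS access, while `audit_account` assumes boto3 is installed and a profile with read-only S3 permissions is configured. The function names and the sample bucket names are my own.

```python
"""Recurring S3 public-exposure check.

Added example, not code from the podcast or from AWS. It mirrors the host's
routine of periodically re-verifying that S3 buckets are still not publicly
accessible. The evaluation is a pure function so it can be run offline on
captured settings; the live collection uses boto3 (assumed installed and
configured with read-only S3 permissions).
"""
from typing import Any, Dict, List, Optional

# The four S3 Block Public Access settings. All four must be True for the
# bucket-level block to fully prevent public ACLs and public bucket policies.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Grantee URIs S3 uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def bucket_findings(bpa: Optional[Dict[str, bool]],
                    policy_is_public: bool,
                    acl_grants: List[Dict[str, Any]]) -> List[str]:
    """Return human-readable findings for one bucket (empty list = no issue).

    bpa:              PublicAccessBlockConfiguration dict, or None if the
                      bucket has no Block Public Access configuration at all.
    policy_is_public: IsPublic from GetBucketPolicyStatus (False if no policy).
    acl_grants:       the Grants list from GetBucketAcl.
    """
    findings: List[str] = []
    if bpa is None:
        findings.append("no Block Public Access configuration")
    else:
        missing = [k for k in BPA_KEYS if not bpa.get(k, False)]
        if missing:
            findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    if policy_is_public:
        findings.append("bucket policy grants public access")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEES[uri]}")
    return findings


def audit_account(profile_name: Optional[str] = None) -> Dict[str, List[str]]:
    """Collect settings for every bucket via boto3; return {bucket: findings}.

    Only buckets with at least one finding are included. Needs s3:ListAllMyBuckets,
    s3:GetBucketPublicAccessBlock, s3:GetBucketPolicyStatus and s3:GetBucketAcl.
    """
    import boto3  # imported here so the offline check above works without boto3
    from botocore.exceptions import ClientError

    s3 = boto3.session.Session(profile_name=profile_name).client("s3")
    report: Dict[str, List[str]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            bpa = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # "not configured" is a finding, not an error
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            bpa = None
        try:
            is_public = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]
        except ClientError as err:  # a bucket with no policy cannot be public via policy
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            is_public = False
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        findings = bucket_findings(bpa, is_public, grants)
        if findings:
            report[name] = findings
    return report


# Constructed sample settings (not real buckets) so the check runs offline.
SAMPLE_BUCKETS = {
    "phi-archive-locked": dict(
        bpa={k: True for k in BPA_KEYS},
        policy_is_public=False,
        acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                     "Permission": "FULL_CONTROL"}],
    ),
    "phi-archive-exposed": dict(
        bpa={"BlockPublicAcls": True, "IgnorePublicAcls": False,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        policy_is_public=True,
        acl_grants=[{"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}],
    ),
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples; same shape as audit_account()."""
    report: Dict[str, List[str]] = {}
    for name, cfg in SAMPLE_BUCKETS.items():
        findings = bucket_findings(**cfg)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it on a schedule and diffing the report against the last run turns the host's "every few weeks" manual check into a repeatable control with a record; anything that moves from an empty finding list to a non-empty one is exactly the drift the HIPAA ongoing-review point is about.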
It's not hard to make sure your email is encrypted; it's not hard to make sure we're at least minimizing the amount of healthcare information that is inside of our email programs. But it continues to happen. So, making sure that the devices are authenticated: the smartphone may be authenticated, the laptop authenticated, via multi-factor authentication would be the preference. You know, the VA uses a card; you have to have the RFID card plugged into the laptop before it'll work. If you walk away, then the laptop is no longer accessible. Things like that. And of course that's health information for veterans, and that's federal, so they need to have it locked down.

All users are informed and trained. This is something we talk about a lot. The continued phishing attacks that are successful, and a lot of times it's multiple email accounts that get compromised, right? That means there's not an active training program. Training for email protection systems is: how do you use it? How do you recognize phishing emails? Then you do some testing. You send a phishing simulation to your employees, to the healthcare workers, and see how they respond. If they don't respond the way they should respond, then you give additional training. This isn't, you know, go and fire them; this is additional training. That actually leads to the last point, the phishing simulation, which we just mentioned: the organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures and agreements. So you could send a COVID-19-themed phishing simulation to your employees and see how they respond to it. If they don't respond the way you want them to, review it, train them and test again. It should be ongoing.
All users are informed and trained, and all users are kept up to date on the latest cybersecurity threats. Are we telling our employees, hey, there has been a huge increase in COVID-19-related phishing attacks? Are we telling them that? Maybe we are, maybe we're not, I don't know. But we need to be. You need to educate your employees, and it needs to be ongoing. It's not a set-it-and-forget-it event. You can't just do it in January and hope that the next 12 months are nice and safe. No, it has to be ongoing, and this is where we're falling short. This is the email protection systems part of the NIST framework and part of the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, Resources and Templates. So again, I'll have the link. It's a PDF document, 71 pages. I think this is the one for small practices; they have one for small, and then one for medium and large practices. It goes into a bunch of other areas too, not just email, so it's a good resource to take a look at. If you have any questions, of course, reach out to us and we'll help you in any way we can.

All right, it is time for the HIPAA breach report. Not a lot to share with you today. First up: the pharmacy benefits consulting firm Confidio has started notifying 3,600 of its clients' employees, members and their dependents that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee's email account. The email account breach was detected on December 12, and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confidio determined on January 17 that an unauthorized individual had access to the email account for a period of two weeks, which is a really long time for email, between November 29 and December 12.
It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out. A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information and clinical information such as diagnoses and provider names. Individuals affected by the breach were notified on February 10. Complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed. The breach has prompted Confidio to provide further security awareness training to its employees, and additional procedures have been implemented to strengthen email security. And that is exactly the point of the HIPAA education piece: that should have been done before, not after.

Healthcare Resource Group, a provider of billing services to Barlow Respiratory Hospital in Los Angeles, California, discovered that an employee's email account, again, was accessed by an unauthorized individual. An investigation was conducted which revealed the email account was accessed between November 4 and November 30, so that's 26 days, and analysis of the email account revealed emails and attachments containing a limited amount of protected health information of current and former Barlow Respiratory Hospital patients. A third-party firm was engaged to review the account to determine what types of information had been compromised. The review was completed on February 27 and revealed patient names had been exposed along with one or more of the following data elements: date of birth, Social Security number, driver's license number, medical record number, patient account number, health insurance information, treatment information and medical billing or claims information.
Healthcare Resource Group sent notifications to affected patients on behalf of Barlow Respiratory Hospital on April 7. One year's membership to credit monitoring and identity theft restoration services has been offered to affected patients, so at least they didn't have the standard press release.

Then, late last week, the Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, announced that unauthorized individuals have gained access to the email accounts of two of its employees. It is unclear when the email account breach occurred and for how long the unauthorized individuals had access to the email accounts. In its website substitute breach notification, the Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28 that PHI had potentially been accessed as a result of the attack. The review of the accounts has now been completed to determine which patients have been affected, and those individuals have been individually notified by mail. No mention was made about the types of information that were potentially compromised. The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach, but out of an abundance of caution affected individuals have been offered complimentary membership to credit monitoring and identity theft protection services through Kroll. In response to the breach, the Bowen Center has taken steps to improve email and network security and is working closely with leading cybersecurity experts to improve the security of its digital environment. The Department of Health and Human Services breach portal indicates the compromised email accounts contained the protected health information of 35,804 patients.
University of Minnesota Physicians has discovered two employee email accounts were compromised as a result of responses to phishing emails. Education; didn't we just talk about that? In each case, the phishing attacks were detected shortly after the email accounts were compromised, and action was taken on January 31 and February 4 to secure the accounts. An unauthorized individual had access to one account for less than two days, and a second account was accessible for only a few hours. A comprehensive investigation was conducted by third-party computer forensics experts, but it was not possible to determine if any emails in the accounts were viewed or copied by the attackers. A review of the email accounts was conducted by third-party specialists, who determined the email accounts contained patient names, telephone numbers, addresses, dates of birth, demographic information like race, gender and ethnicity, Social Security numbers, insurance ID numbers, location of treatment, provider names, limited medical history information and case numbers. University of Minnesota Physicians started sending notification letters to affected patients on March 30 and is offering complimentary membership to credit monitoring and identity theft protection services through Colfax for 12 months. University of Minnesota Physicians said multiple email security controls were in place at the time the email accounts were attacked, including multi-factor authentication. Employees had also been provided with security awareness training, and phishing simulation exercises are regularly conducted. Refresher training has now been provided to employees, and University of Minnesota Physicians is looking into measures that can be implemented to further improve email security. The OCR breach portal indicates 683 patients were affected by the breach. So this one is a little interesting, because they say multi-factor authentication was turned on, so I'm not sure how they were cracked, broken into, but it is what it is.
That is going to do it for this week's episode of the ProactiveIT Podcast. So until next week, stay healthy, stay safe and stay secure.

Transcribed by https://otter.ai

Author Scott Gombar
