
ProactiveIT Ep 5 – Louisiana Government & Disney+ Hacked

By Scott Gombar, November 23, 2019 (updated November 26th, 2019)
EP5 ProactiveIT Podcast Louisiana Government Hacked Was Disney+ Hacked and Smartwatch HIPAA Breach

This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news; Louisiana state government hit with ransomware, were they prepared?; what Disney+ has to do with cyber security awareness; and smartwatch HIPAA violations.

This is Episode FIVE!

Intro

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech, a HIPAA-compliant, client-focused IT consultant located in Central Connecticut. You can find us at nwajtech.com.


Patch Tuesday Update:

Google Chrome update (78.0.3904.108)

https://news.sophos.com/en-us/2019/11/12/patch-tuesday-targets-hyper-v-virtual-machines-in-november-2019-updates/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+sophos%2FdgdY+%28Sophos%29


Cyber Security News

https://www.securitymagazine.com/articles/91307-new-data-predicts-unprecedented-levels-of-holiday-hacking

https://cyware.com/news/unprotected-pacs-servers-accounted-for-119-billion-medical-images-leaked-in-span-of-three-months-83214785

https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/

https://www.us-cert.gov/ncas/current-activity/2019/11/19/national-tax-security-awareness-week-december-2-6


Topic 1:  Louisiana State Government Hit With Ransomware – https://thehackernews.com/2019/11/louisiana-ransomware-attack.html

Topic 2: Disney+ Blog

Topic 3: https://www.hipaajournal.com/smartwatch-data-act-consumer-health-data/


Transcription (Not Edited)

Welcome to the ProactiveIT Podcast. This week: the latest in IT and cyber security news. Louisiana state government hit with ransomware: were they prepared? What does Disney Plus have to do with cyber security awareness? And it's almost Thanksgiving. What do you think of this? This is episode 5.

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a HIPAA-compliant, client-focused IT consultant located in Central Connecticut. You can find us at nwajtech.com, n-w-a-j-tech dot com.

Alright, so Patch Tuesday for November 2018 was November 12th. For Microsoft, they did release some patches to address vulnerabilities in Hyper-V and in the scripting engines, so if you have not updated Microsoft Windows as of yet, you should test and roll it out as needed. We talked about it in the previous episode, so go back to episode 4, have a listen, and update as necessary to address a couple of vulnerabilities that are not being exploited at the moment but do exist. You should be on version 78.0.3904.108, 78.0.3904.108, so make sure you're up to date on your Google Chrome.

Let's see what we've got for news this week. First of all, I didn't get a chance to record normally on Friday, so we're recording on Saturday, so I have a couple of news items that came up between yesterday and today, which is Saturday, November 23rd. Google will pay a million dollars plus to people who can hack the Titan M security chip. This is on Threatpost: the company expanded its Android bug bounty program; it is one of several recent moves to ramp up mobile security. Google will pay up to one and a half million dollars to hackers who can successfully hack its Titan M security chip on the company's Pixel devices as part of an expansion of its Android bug bounty program unveiled... So if you're looking to make a cool million plus, then hack Google's Titan M security chip. That's on Threatpost. I reported this yesterday in the daily, the Cyber Security Daily that I do.

National Tax Security Awareness Week is December 2nd through the 6th. The Internal Revenue Service has released an article announcing that National Tax Security Awareness Week will be held December 2nd through the 6th. The annual recognition event will feature a series of resources and tips to help taxpayers and tax professionals protect their data and identities from identity theft. So every year there are issues with theft of identity, and even people submitting multiple tax returns, because somebody claimed to be them and submitted one, and then they submitted one, so now the IRS holds everything and investigates. It's been a big deal for the last few years. So again, National Tax Security Awareness Week will be December 2nd through the 6th. We will be sharing tips for that week.

Data-enriched profiles on 1.2 billion people exposed in gigantic leak. This is also on Threatpost, and again was posted late yesterday. Although the data was legitimately scraped, meaning this was data that was found on social media sites and so forth on the internet, it was legally scraped by legally operated firms, the security and privacy implications are numerous. An open Elasticsearch server has exposed the rich profiles of more than 1.2 billion people to the open internet. First found on October 16th by researchers Bob Diachenko and Vinny Troia, the database contains more than 4 terabytes of data and consists of scraped information from social media sites like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and GitHub URLs and other data commonly available from data brokers, i.e. companies which specialize in supporting targeted advertising, marketing and messaging services. Taken together, the profiles provide a 360-degree view of individuals, including their employment and education history. All the information was unprotected, with no login needed to access it. So this is information that people are leaving out there on the internet, and everybody does it, Facebook, LinkedIn. If you are on LinkedIn, chances are they're in there. A lot of people still keep their email addresses, even after the LinkedIn breach a few years ago. People still keep email addresses and so forth on LinkedIn. Some people keep email addresses that aren't relevant, but some other people keep their business email, or the email address that they use for whatever reason, on LinkedIn, available for everybody.

Okay, I reported this yesterday in the Cyber Security Daily: millions of sites exposed by flaw in Jetpack WordPress plugin. There are 5 million installs of the Jetpack plugin, which is managed by the group Automattic, which also manages WordPress. So you should immediately apply an update to get to Jetpack 7.9.18. This vulnerability goes all the way back to Jetpack 5.1, which is from 2017, and as I said yesterday, if you're still using a plugin not updated since 2017, then you have problems, because chances are you're leaving yourself open to attack, big time. So get your WordPress plugins patched and updated, get your WordPress core files updated, and make sure your website is secure. There are courses available on the internet to learn how to attack WordPress sites; they're freely available on YouTube, or you pay for them, so people are learning how to do it, going out there and testing and potentially hacking WordPress sites. Not just WordPress, but WordPress accounts for the majority of the websites; WordPress is the CMS of choice for most of the websites on the internet today. So, for the same reason Microsoft Windows is targeted by attackers, because it is the operating system used the most in the world, it's the same thing for WordPress: it's a target because it is the CMS, the back end, for most websites on the internet today.

There were three HIPAA breaches to report this week. Interestingly, none of them were reported within 60 days, which is a requirement of HHS OCR; they want you to report within 60 days of first realizing you've been breached. So here are the three breaches. I reported these yesterday also in the Cyber Security Daily, which is a much shorter show, so if you don't want to listen to me ramble for 45 minutes to an hour, then go listen to the Cyber Security Daily. It's not on Apple Podcasts yet, but it will be soon; it is pretty much everywhere else though. So the three breaches: Ferguson Medical Group. Long story short, Ferguson Medical Group is now owned by Saint Francis Health; when they were breached, they were not. Saint Francis discovered the issue early in 2018; the breach was from 2018, the last quarter of 2018, and as a result of the breach they were not able to recover all patient data between September 20th, 2018 and December 31st, 2018. So any patient who was a patient of Ferguson Medical Group in Missouri during that time frame should reach out to Ferguson to see what recourse they have, and obviously you should be monitoring your credit. Choice Cancer Care employee email hack, and Solara Medical Supplies reports months-long data breach. Both of these were email hacks. Both of these appear to have had no multi-factor authentication set up, weak password policies, and storing data, especially sensitive data, in email. So both of these are again failures on the behalf of the healthcare provider, if they had not set up any type of security with the email. The Solara one appears to be a little bigger, potentially impacting 114,000 patients, so that could sting a little bit for them.

An article in Security Magazine reports new data predicts unprecedented levels of holiday hacking, and this should come as no surprise if you listened to previous episodes, because I reported this; I believe I launched the blog on November 1st regarding holiday hacking. So this is not news; this is what I've said. It's all three weeks old now. A new report from Tala Security predicts unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures. The State of the Web report highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website offering today, allow attackers to target PII, which is personally identifiable information, and payment information. Now, for PII to be compromised, it used to be two pieces of information: first name, last name, and then another piece of information like home address, email address, social security number, etc. 98% of the Alexa 1,000 websites were found to be lacking security measures. So this means the top 1,000 websites in the world according to Alexa, and that's not the voice search, by the way; that's the Alexa that tracks website rankings, traffic and so forth. According to them, 98% of the top 1,000 sites are vulnerable, lacking security measures capable of preventing attacks, and related warnings from the FBI and the PCI Council caution that hackers are targeting online credit card information. Online merchants and website owners must recognize the critical need for client-side security. "A fundamental driver of online commerce, consumer choice, is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII," said Aanand Krishnan, founder and CEO of Tala Security. Key findings of the report include: only 2% of Alexa 1,000 sites have implemented effective controls to prevent personal, financial and credential theft. I wonder if Amazon is one of those 2% of sites. User form data captured on forms available on 98% of websites is exposed to ten times more domains than intended by the website owner, just a massive opportunity for data theft for attackers. Websites rely on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers, delivered via client-side connections that lack effective security. Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website; the remaining two-thirds is served via client-side connections that lack effective security. Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks. So this is on securitymagazine.com, and there is a link to the actual full report if you're interested. Only 2% of the top 1,000 websites in the world are able to be successful in deploying security measures to protect consumer data during this holiday season, or anytime realistically.

Now, another report, and I don't have it in front of me today; I think I reported it last week that web.com and a couple of other registrars were hacked and data was stolen. This is leading to a big, huge increase in phishing websites, and a lot of those phishing websites are shopping sites. So, you know, I don't know if Macy's is one of them, but let's use Macy's as the example: there are going to be clones of the Macy's website that are actually phishing sites that will steal your information. So online shopping doesn't come without risk, big risk, so be secure, be safe out there, monitor your stuff.

Also reported yesterday, or I think I reported this Thursday, this is on Cyware: unprotected PACS servers accounting for 1.19 billion medical images leaked in the span of 3 months. So these PACS servers were not protected. Many healthcare providers use the service to store images of their patients, and they were compromised, Network Hopper, as they were not protected; they were found unprotected, so as a result a lot of patient data has been exposed. A lot of countries were impacted by this: 75% of the images belong to the US, India, South Africa, Brazil and Ecuador. In the US, around 786 million exposed images were identified; a subset of around 114.5 million images were fully accessible. These images were exposed by 60 new PACS servers belonging to 2/800 institutions, including clinics, hospitals and radiology service providers. 195 systems using unguarded PACS servers were identified by the sewage leak, and 49 of them were taken offline immediately and are no longer available. So that's 1.19 billion, or roughly a little more than 1/8 of the world, that has had images exposed, healthcare patient health images. So that's big. Again: lack of controls, lack of security follow-through, lack of IT knowledge; a lot of things went wrong there, a lack of collaboration. So there is movement in the community, in the healthcare community, for more collaboration so that data like this doesn't continue to get exposed. You know, I wonder at what point it is really too late. 1.19 billion: we're not seeing numbers in the millions anymore; we're seeing numbers in the billions now for healthcare information being exposed.

So let's get to the meat and potatoes of our episode today. I have three topics I want to go over. The first one: Louisiana state government hit with ransomware. I reported this earlier this week. The Louisiana state government was hit by ransomware and it forced server shutdowns. Many Louisiana state services were impacted, including the Office of Motor Vehicles, and all the Office of Motor Vehicles were shut down for approximately two days. So let's go through this. Targeted ransomware attacks on banking and finance, government, healthcare and critical infrastructure are on the rise, with the latest victim being the state government of Louisiana. Some security experts are reporting ransomware was on the decline; that is not accurate. It went down a little bit this year because one of the major threat actors in ransomware attacks was essentially offline. That has changed in the second half of 2019, and we are on pace to have another record year for ransomware, both in the number of attacks and in the dollar amount requested for ransoms, so don't believe the hype. The state government of Louisiana was hit by a large-scale coordinated ransomware attack yesterday; this was reported on November 19th, that was Tuesday, so Monday, which forced the state to take several state agency servers offline, including government websites, email systems and other internal applications, to mitigate the risk of the malware infection from spreading. Monday's ransomware attack resulted in the subsequent shutdown of a majority of large state agencies, including the Office of the Governor, Office of Motor Vehicles, Department of Health, Department of Children and Family Services, and the Department of Transportation and Development. Louisiana Governor John Bel Edwards revealed the incident in a series of tweets, saying that he had activated the state cyber security team in response to the cyber attack and that the shutdown of services was due to the state's response and not to the attack itself. So the good news is they had a plan in the event that something like this happened. They were able to recover within a couple of days, which for a large-scale attack is not bad. So all services were back online within two days. That being said, two days of no motor vehicles and other services, that's a lot of lost productivity and that's a lot of money to eat still.

The other thing is, so they had a plan, and the governor says they activated the state cyber security team, but what does that mean, activated? Isn't cyber security an ongoing team? Aren't they monitoring 24/7? So that is a little concerning, but overall the recovery is not a terrible thing. This is the second major ransomware attack that Louisiana suffered this year. In July, Louisiana declared a state of emergency following a coordinated ransomware outbreak that disrupted nearly half a dozen school districts, Governor Edwards said. At this time it's unclear what family of ransomware malware was used in the latest attack, how the ransomware got into the state systems, and how much the attackers have demanded as a ransom; however, the governor has stressed that there is no anticipated data loss and the state did not pay a ransom. So what you also should not do is pay the ransom. If you are attacked by ransomware and pay, you are making yourself a target for future ransomware attacks. You need to mitigate, which means having a backup and disaster recovery plan, and you need to put measures in place to make sure it doesn't happen again.

In the news on HIPAAJournal.com: Smartwatch Data Act introduced to improve privacy protections for consumer health data. So we all know about smartwatches; many of us have them, including myself. I have a smartwatch, and the problem that we've seen over the years, yes, it's been years now, with smartwatches is that there have been breaches where data has been exposed. There was one incident where a military base was exposed because of a smartwatch. So let's go through this. Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act, the Smartwatch Data Act; so "Stop Marketing And Revealing The Wearables And Trackers Consumer Health" is what SMARTWATCH is the acronym for, so pretty cool, and it has been introduced by Senators Bill Cassidy and Jacky Rosen of Louisiana and Nevada. The new legislation will ensure that health data collected through fitness trackers, smartwatches and health apps cannot be sold or shared without consumer consent. So you can't sell my heart rate to other people. The HIPAA act applies to health data collected, received, stored, maintained or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored and transmitted by fitness trackers, wearable devices and health apps, and that information can be used, shared or sold without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap. So that's all pretty serious stuff there. The bill prohibits the transfer, sale, sharing or access of any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded or derived from personal consumer devices to domestic information brokers, other domestic entities or entities based outside the United States unless consent has been obtained from the consumer. Consumer devices are defined as equipment, application software or mechanisms that have the primary function or capability to collect, store or transmit consumer health information. The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information and kinesthetic information collected directly through sensors or inputted manually into apps by consumers.

The Smartwatch Data Act would treat all health data collected through apps, wearable devices and trackers as protected health information. There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process or transmit consumer health information. The Smartwatch Data Act is not extended to cover these companies; instead the legislation applies to the data itself. The bill proposes that the HHS Office for Civil Rights, the main enforcer of compliance with HIPAA, should also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for non-compliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations, so it will be interesting to see how they manage that. "The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy," said Senator Rosen. "This common-sense, bipartisan legislation will extend existing healthcare privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without consumers' consent." The legislation was introduced following the news that Google has partnered with Ascension, which I've mentioned in a few podcasts now, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information. So basically Google has collected PHI in partnership with Ascension, and they have not exactly disclosed why yet, so we'll see.

Google is covered by HIPAA; the data is not. I think that's already happened, or the groundwork has been laid, in 2020, and concern has been raised about how Google will use personal health data it collects through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used. So, very interesting stuff; that was on HIPAA Journal. Of course I will follow that story closely to see where it goes and keep everybody up to date.

Our final piece of news for this week, episode 5, not exactly business-related, more consumer-related, but interesting nonetheless: a blog on nwajtech.com that I wrote earlier this week, I think it was on December 19th, November 19th, I'm getting ahead of myself here. "Disney Plus Hack: Was It Inevitable?" That's a reference to Endgame, by the way, and there's one easy fix for this for a lot of people. So Disney Plus launched on November 12th; of course I have it. You know, I'm a big Star Wars fan, sort of a big Marvel fan, my son loves the Marvel Universe, lots of great content. The Mandalorian is great, go watch it, I really recommend you watch it, even if you're not a Star Wars fan, go watch it. So it launched on November 12th, and shortly after, lots of reports of accounts being hacked. Last count I saw, it was over 4,000 accounts being hacked. Now, over 10 million people signed up for Disney Plus; 4,000 accounts is 0.04% of all the accounts, so not even a half a percent, not even a percent, 0.04% of the total subscribers. So it's not even a half a percent that were hacked; so half of a half percent, sorry, numbers are escaping me this morning. Anyway, the point is 4,000 sounds like a big number; it's really not when you consider 10 million people signed up.

A lot of people are blaming Disney Plus; a lot of people are saying the platform was hacked, but that is not what happened. So was Disney Plus hacked? There are cyber security experts out there that are saying yes it was, and there are people in the IT industry that question them on this and are just being told "you don't know what you're talking about." No, it was not hacked. If Disney Plus was hacked, you would think it'd be more than four thousand users; it'd be closer to, you know, millions. What is happening is that users are using weak passwords and/or reusing the same credentials that they've used somewhere else. The concern is where we saw these accounts that are being compromised being purchased on the dark web for $3, and the problem is, once your account has been hacked, there's nothing you can do about it, because, you know, I got back to see, they're changing the login information, the account is locked for that user, and the account then gets sold on the dark web for $3, and something is wrong, and then you call the credit card company to cancel it. So these customers, these 4,000 people, some of them have called Disney Plus and have gotten nowhere with Disney Plus. Now, my understanding is, does Disney Plus have a system in place to limit how many logins you have? I've been told that if you log into more than four devices, they won't allow it. Now, I have not experienced that; I have not attempted to use four devices at the same time yet. I think I've only used two or three at the most, so I don't know if that's an accurate statement. So here's where people are going wrong: it's not Disney's problem that you're using a weak password; it's not Disney's problem that you use the same password on Facebook. It is your problem. You need to educate yourself on strong passwords and music concert. So I'll tell you what a strong password is: uppercase, lowercase, numbers and special characters, the longer the better. It's better to use a 10-character password than it is an 8. I don't have any passwords shorter than 15 characters unless whatever application it is doesn't accept 15 characters. Every one of my passwords has uppercase, lowercase, numbers and special characters. I use a password manager. You should also use a password manager, because it's impossible to remember all the passwords you need throughout the day. That password manager should only be able to be accessed with a very complicated password or biometrics; so I use biometrics, and I use LastPass. A password manager should also only be able to be accessed, if it's one used over the internet, with multi-factor authentication set up. Now this is where Disney failed, at this point anyway: multi-factor authentication is not an option on Disney Plus. That is a failure. Netflix and Hulu have multi-factor authentication; this needs to be set up immediately on Disney Plus to prevent these types of scenarios. This way, when I log in, when I try to access Disney Plus from somewhere else, it asks for my username and password, and then it asks for another form of authentication. With LastPass, I have to go to an app that's on my phone, look for a time-based token, a six-digit number, to enter into LastPass so that I can log in to LastPass. So in order to gain access to my LastPass account, you have to know what email address I'm using, and I have multiple email addresses; you have to know what very long password I'm using, I don't know how many characters it is but it's probably close to 20; and you have to have access to my soft token app on my phone, which, to get on my phone, you need a thumbprint. So you see, that's a strong password policy, that's a strong account locking policy, making sure that your accounts are secure. Disney Plus doesn't have multi-factor authentication yet; I would imagine that is coming. Disney Plus didn't launch without some minor issues. In the first day people couldn't even log on, and there were all kinds of issues, playback issues, just stuff, normal user-experience stuff that they could have done better, but no multi-factor authentication.

Now, if you reuse passwords, there's a good chance that you're reusing a password that's already been compromised. So if you use a password on, let's say, LinkedIn that you used four years ago, I believe it was four years ago when they were compromised, those passwords were dumped on the dark web. If you're reusing that same password and the same email address, that information is available on the dark web. There are applications out there that automate this process, so it doesn't take long to find out if accounts are using the same credentials that you may have used on LinkedIn when they were breached four years ago, or any other application that may have been breached. It also doesn't take long, if you have a 6- or 8-character password with just lowercase letters, it doesn't take long to brute force that, not at all. Disney Plus doesn't appear to prevent, you know, a number of logins in a short period of time, and no number of login attempts in a short period of time; I haven't really tested that. It does not geofence, and it does not have multi-factor authentication. What do I mean by geofence? So if I am in Central Connecticut, if I travel outside of Central Connecticut, say I go to California and try to log in from California, I should get blocked until I can prove I am who I say I am, because it's not my normal footprint; I'm not normally in California. So if an account's been compromised, chances are it's not somebody in the same area you're in, and they should have been geofenced. So that option is not available in Disney Plus either. Yet again, I would imagine it will be. So let's see what else I could tell you here. So I told you what Disney Plus can do differently and I told you what you need to do differently, and I mean that's pretty much going to sum it up. The reason I chose Disney Plus in this example is because it's relevant, because I think it'll get people's attention.

This is not new. Passwords have been an issue for some time now, and people are not taking it seriously. Too many, you know, I reported earlier two breaches, two HIPAA breaches, that were email accounts being compromised, which means multi-factor authentication wasn't set up. I know not all email providers offer multi-factor authentication, but the two big ones do, G Suite and Office 365. It also means weak passwords were probably in use and/or phishing was done, social engineering; phishing is social engineering. Social engineering continues to be a big problem, weak passwords continue to be a big problem, even though these things have been talked about ad nauseam. If you're doing this on your Disney Plus account, there is a really good chance you're doing this in your business life as well, and so you need to improve security in order to prevent data loss. Data loss can result in business loss, or the business closing, and in 60% of the cases six months after a data loss. So something to think about. So check that out; that's on nwajtech.com. That's going to do it for this episode of the ProactiveIT cyber security podcast. Come back next week; I am going to record a Black Friday episode for this podcast. I will have that up for you. Happy Thanksgiving, everybody, enjoy your food, family, fun, friends and football, and until next week, stay secure.
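The account-protection controls the host says Disney Plus lacked, as an added Python example that is not code from the podcast, from Nwaj Tech or from Disney Plus: throttling failed attempts per source address and per account within a short window, a password check against a salted hash, a six-digit time-based token (RFC 6238 TOTP, the kind of soft-token code described for LastPass) as a mandatory second factor, and a flag when a valid login arrives from outside the account's usual region. The thresholds, account names, addresses, the demo secret and the burst of attempts are all constructed for the demo.

```python
"""Defensive login checks: throttling, salted password hash, TOTP, region flag.
All thresholds, users and events below are constructed for this demo."""
import base64
import hashlib
import hmac
import struct
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # assumed: how long a failure counts against an IP or account
MAX_FAILURES_PER_IP = 10       # assumed: credential-stuffing bursts hit many accounts from one IP
MAX_FAILURES_PER_ACCOUNT = 5   # assumed: brute force against a single account
TOTP_STEP = 30
TOTP_DIGITS = 6
# RFC 6238 test seed: base32 of the ASCII string "12345678901234567890" (not a real secret)
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the 30-second time counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret_b32: str, code: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current step or one either side for clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp_code(secret_b32, unix_time + d * TOTP_STEP), code)
        for d in range(-drift, drift + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the server stores and compares this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginGuard:
    """Orders the checks so throttling fires before any credential is examined."""

    def __init__(self, users: dict):
        self.users = users                      # account -> salt, hash, totp secret, usual region
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.account_failures = defaultdict(deque)

    @staticmethod
    def _recent(window: deque, now: int) -> int:
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                    # forget failures older than the window
        return len(window)

    def _fail(self, account: str, ip: str, now: int, reason: str) -> dict:
        self.ip_failures[ip].append(now)
        self.account_failures[account].append(now)
        return {"decision": "deny", "reason": reason}

    def attempt(self, account, password, code, ip, region, now) -> dict:
        if self._recent(self.ip_failures[ip], now) >= MAX_FAILURES_PER_IP:
            return {"decision": "deny", "reason": "ip_throttled"}
        if self._recent(self.account_failures[account], now) >= MAX_FAILURES_PER_ACCOUNT:
            return {"decision": "deny", "reason": "account_locked"}
        user = self.users.get(account)
        if user is None or not hmac.compare_digest(
                user["hash"], hash_password(password, user["salt"])):
            return self._fail(account, ip, now, "bad_credentials")
        if not verify_totp(user["secret"], code, now):   # second factor is mandatory
            return self._fail(account, ip, now, "mfa_failed")
        # Correct password and token but an unusual region: allow, and flag it for review.
        return {"decision": "allow",
                "reason": "new_region" if region != user["region"] else "ok"}


def run_demo() -> list:
    """Constructed sequence: a stuffing burst, then three attempts on one real account."""
    salt = b"constructed-demo-salt"
    guard = LoginGuard({"alice": {"salt": salt, "secret": DEMO_SECRET, "region": "US-CT",
                                  "hash": hash_password("correct horse battery staple", salt)}})
    reasons = []
    # 1) One source address tries a leaked password against twelve different accounts.
    for i in range(12):
        reasons.append(guard.attempt(f"user{i}", "Password1", "000000",
                                     "203.0.113.7", "ZZ", 1000 + i)["reason"])
    good = "correct horse battery staple"
    # 2) Owner, home region, valid token.
    reasons.append(guard.attempt("alice", good, totp_code(DEMO_SECRET, 2000),
                                 "198.51.100.5", "US-CT", 2000)["reason"])
    # 3) Reused password is right, but the token is not: the second factor stops it.
    reasons.append(guard.attempt("alice", good, "123456",
                                 "203.0.113.9", "US-CA", 2005)["reason"])
    # 4) Owner travelling: everything valid, login flagged as coming from a new region.
    reasons.append(guard.attempt("alice", good, totp_code(DEMO_SECRET, 2010),
                                 "198.51.100.77", "US-CA", 2010)["reason"])
    return reasons
```

Running `run_demo()` shows the first ten bad attempts denied on credentials and the rest of the burst cut off by the per-IP throttle before any password is even checked, which is the "number of login attempts in a short period of time" control discussed above.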

Author: Scott Gombar