Data Protection Day!

Image of a screen if the label 'Security' and a cursor hovering on it.
https://www.pexels.com/photo/internet-screen-security-protection-60504/

Yesterday, 28th January was an important day… The Council of Europe celebrated this year the 14th edition of Data Protection Day. 

This practice was to raise awareness about good practices in this field, informing users about their rights and how to exercise them.

This date is aligned to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals in relation to automatic processing of personal data. For the past 30 years this has been a cornerstone of data protection, in Europe and around the world.

Why is Data Protection so important?

Data protection issues are very present throughout everyone’s lives. Not to mention in the work environment, in public relations, in the health sector, when buying goods and services, in travel or merely whilst using the internet.

However, not all people are informed on their rights. For this reason, the 28th January has been allocated to inform more users on their rights and so that data protection professionals address data subjects. It is important our digitally advanced society understands what personal data is collected from them and why, as well as what their rights are when their data is processed. This in turn, will help users be aware of the risks which comes with illegal mishandling and unfair processing of personal data.

Meterian can help!

Here are a list of our blogs which can help users be more cyber resilient and diligent when it comes to managing sensitive data.

Read also our past blog posts about vulnerabilities in:

to make sure your apps are not susceptible to such exploits that would risk data confidentiality.

Data Protection Day!

Read up on more Node.Js Vulnerabilities!

It’s that time of the week again folks. Meterian has two new Node.Js vulnerabilities to inform you on. Both are ranked a severity score of 7.5 and therefore considered to be of urgent attention. The first vulnerability concerns the bson-objectid package and the second the csv-parse module. Act fast and don’t let these vulnerabilities sit within your software/networks, or you could be at serious risk of a cyber attack. 

  • CVE-2019-19729: There is an issue discovered in the bson-objectid package version 1.3.0 for Node.js. Hackers could generate a malformed objectid, resulting in objects in arbitrary forms to bypass formatting if they have a valid bsontype.
  • CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Read up Node.js users you’ll want to know about this vulnerability! This was discovered on the 12th December 2019 by user Xiaofen9 on Github who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to his user-input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can hackers do? The manipulation with an unknown input leads to a privilege escalation vulnerability and could lead to an impact on confidentiality, integrity, and availability.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains access to the privileges of another user account in a target system. This allows hackers to use these privileges to steal confidential data, run administrative demands or deploy malware.

What can you do to fix this? Unfortunately, at this time of writing there is still no remedy to this vulnerability. However, we recommend to cease using this component or switch to a full bson library like bson.

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes…we are not done yet. Here is another Node.js vulnerability for you all! This was discovered on the 14th of October and given a high score of 7.5 by NVD. The affected module is csv-parse which is a CSV module. This project is a parser which converts CSV text inputs into objects. It uses the Node.js stream.Transform API and provides a simple callback-based API. Released for the first time in 2010, it is very easy to use and helps the big community that uses it with large data sets. 

The problem is that before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. A cast option is available in the module, it defines multiple functions to transform values based on their type. When such option is active and an integer cast is required, the corresponding __isInt() function uses a malformed regular expression that processes large inputs extremely slowly.

Why is Regular Expression Denial Service a backdoor for hackers? The attacker will insert in the file a malicious string which they know would take a very long time to evaluate. This means the attacker can make the user spend an excessive amount of time processing, resulting in the user’s executed commands to slow down or become unresponsive. Thus,  the availability of the system degrades. To make things worse, the exploit can be easily and remotely executed depicting clearly why this vulnerability is classified as problematic.

An image of a coffee shop. A barista making coffee with a speech bubble saying '*making coffee slowly*' and a woman at the till looking impatient with a speech bubble saying "My coffee is taking forever".

The best thing to do to avoid getting caught out by such exploit, is to upgrade to version 4.4.6 and above. 

That is it from us…for now! Make sure to spread the word on these critically-rated Node.js vulnerabilities in order to help protect your apps/the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Read up on more Node.Js Vulnerabilities!

The Healthcare Sector: A Major Target for Cyber Attacks

An image of a doctor with his hands crossed.
https://unsplash.com/photos/hIgeoQjS_iE

The healthcare sector is seeing a progressiveness when innovating its medical practices. Forbes estimated digital health tech catering to out-of-hospital settings would grow by 30% to exceed $25 billion market globally by the end of 2019.

Alas, with the growth of innovation in this sector, there also comes the risk of cyber attacks. The healthcare sector in particular seems to be a major target for cyber criminals. Why is this? What is the financial impact? And most importantly what can be done?

Why do cyber criminals target the healthcare sector?

There are many reasons why the healthcare sector is a target:

  • One of the main reasons has to do with the financial worth of the masses of patient information hospitals store. With the introduction of GDPR (May 2018) it has never been so crucial for hospitals and businesses to keep patient data secure.
  • Medical devices tend to be easy entry points for cyber attackers. Due to these devices only being used for medical practices, cyber security is not within the design of the product. Although these devices will not store patient data, hackers can launch an attack on the server which holds important information. For example, a vulnerability was discovered in the work of insulin pumps of Johnson & Johnson. This vulnerability could have allowed attackers to get control of the device via Wi-Fi and provoke an overdose of insulin in the patient’s blood.
  • Medical staff are accessing data remotely on different devices and networks, which provides another entry point for attackers. The problem is that if one device is hacked, this might leave the rest of the organisation vulnerable.
  • Despite the healthcare sector progressively innovating its practices, staff are still reluctant to disrupt working practices with the introduction of new technology. This creates weaknesses in the healthcare organisation’s IT systems because it produces outdated software that allows entry points for cyber criminals.
  • The result of costly budgets, lack of resources and time constraints make it hard for healthcare staff to be fully educated in cybersecurity practices.
  • The vast amount of devices used in a hospital makes it hard for IT specialists to protect the entire hardware network against attacks.
  • A very serious reason why the healthcare sector is targeted is also to do with international espionage. For example:
  • John Riggi, a former ex-FBI cyber specialist: Hospitals are “being targeted by hostile nation-states for theft of intellectual property related to medical research, innovations, cancer studies, population health studies, research of medicine and clinical trials, and also potentially for conversion for military use such as biological weapons”
  • They might target hospitals to acquire the medical details of business leaders, politicians or military figures. An example is seen when the Singaporean government health database was hacked in 2018. Prime Minister Lee Hsien Loong was amongst the 1.5 million whose personal data was stolen from the database.
  • Another problem is if hackers target hospitals near military installations this could give sensitive records of military personnel and worse, insight into where troops might be deployed.

Popular cyber attacks within the healthcare sector

The most popular attacks to the healthcare sector have shown to be: 

  1. Ransomware attacks

Ransomware is a type of malware that will infect systems and files, making them inaccessible until someone pays a ransom. For the healthcare system, this slows down processes and often forces hospitals to turn to pen and paper. A recent example of this was seen last November with the ransomware attack on French hospitals in Rouen. More worryingly, the 2017 Healthcare Cybersecurity Report suggested ransomware attacks on the healthcare sector will quadruple by 2020 and ransom-takers are using more sophisticated tactics to hack into systems, as 350 different variants of ransomware were observed in 2018 compared to 241 in previous years.

Often these attacks will affect machines through: phishing emails with malicious attachments, a user clicking on a malicious link, or viewing an advertisement containing malware. But an entry point that is often disregarded is ransomware via an outdated component or software. For example Hollywood Presbyterian Hospital in California suffered a ransomware attack due to an outdated JBoss server software. The attacker uploaded malware to the out-of-date server without any interaction with a victim. This resulted in delayed patient care and the hospital had to pay $17,000 to recover access to files and the network. What was interesting was that the attackers had used an open source tool, JexBoss, to search the internet for a vulnerable JBoss server and networks which had been infected. Organisations that handle healthcare data have to make sure to update their systems as the majority of healthcare ransomware attacks are malware related.

A picture of a computer with some code on the screen.
https://unsplash.com/photos/OqtafYT5kTw

What is a JBoss Server? This is an open source application server program used for developing and deploying enterprise java applications, services and web portals. JBoss released its last version (7.1.1) in 2012, as it then switched its name to Wildfly in its next release. So if you are running an application server with the name JBoss, it is out of date and has been for a very long time.

  1. Data breaches

Data breaches can occur for many different types of reasons, from credential stealing malware to insider threats to lost devices. The reason why data breaches are so common within the healthcare sector is because Personal Health Information (PHI) is more valuable on the black market than financial or Personally Identifiable Information (PII). 

But why is PHI more valuable that PII? The average cost of a data breach for a non-healthcare related agency is $158 per stolen record. Yet, for the healthcare sector the average cost is $355. According to Infosec Institute, PII can sell on the black market for $1-2 but PHI has been said to be worth up to $363

This shows the value of patient data financially. However, PHI can be valuable also to target victims with fraud scams by taking advantage of their medical conditions. Cyber criminals have also been known to use stolen patient data to access prescriptions for their own use or resale. 

With the enforcement of GDPR since May 2018, securing patient and medical records has never been so important.

  1. Insider Threats

Did you know the healthcare sector is the only industry for which the biggest threat to data breaches come from internal sources? According to the 2019 Verizon Insider Threat Report, 46% of healthcare organisations were affected by insider threats

Insider threats have shown to stem from a lack of cybersecurity training amongst staff or employees maliciously giving away access codes or them purposefully selling PHI or PII for profit. For example, Anthem a Medical Insurance company learned in 2017 that an employee had been misusing and stealing Medicaid member data — up to 18,000 of PHI — as early as July 2016. This demonstrates the cautiousness there needs to be within the staffing of the healthcare sector to ensure people are not misusing PHI. 

  1. Business email compromise

Business email compromise is when hackers use spoof emails to compromise an account by tricking the employee to transfer money to a fake account. Normally, the fraudsters pretend to be a person of authority within the company to seem as if they might be asking a legitimate request. This has been successful because fraudsters tend to do a lot of research on their targets and will make sure to convincingly impersonate the individual whilst only sending the email to select few people. 

For example, in 2015 a local medical center reported that they had received a call from a pharmacy to confirm a large order of prescription drugs amounting to over $50,000. After a thorough investigation they discovered that the medical center had not placed that order. The pharmacy had called to check because the shipping address of the medical center didn’t match their records, yet all of the other credentials provided had been correct, such as:

  • The Drug Enforcement Agency ID number
  • Doctor licences
  • Pharmaceutical certificates

This clearly demonstrates how cyber crime is becoming more sophisticated.

The Financial Impact

Data breaches are particularly strenuous on the healthcare sector because they take longer to deal with an attack due to a lack of financial resources or trained personnel. To make matters worse, by 2020 security breaches are said to cost the healthcare sector 6 trillion dollars. A study conducted by Mid-Horizon found that hackers can very easily access domain level administrative privileges of most healthcare applications. 

The financial damage the WannaCry attack placed on the NHS in 2017 was significant. The Department of Health said the attack cost the NHS £92 million due to a third of hospital trusts and 8% of GP practices had affected computers. The hack forced 200,000 computers to lock out their users with red-lettered error messages demanding a ransom in Bitcoins. 

This is all the more reason the healthcare sector need to prioritise their cybersecurity as these sorts of attacks could have crippling consequences. 

A picture of some doctors/nurses walking down a white corridor.
https://unsplash.com/photos/Pd4lRfKo16U

What can be done? 

On a national level, there are some countries that set a good example. After the cyber siege in 2007, the Estonian government created a cybersecurity strategy built into their law enforcement. After one of their reports found that 11,000 cybersecurity incidents happened in 2018, Estonia introduced a blockchain technology to have more control over electronic patient records. This meant there was a time-stamped record of anyone in contact with/adding/omitting information. Conversely, patients use electronic identification cards to access their health information and can decide who they share the information with.

Although many security executives think that their programs are providing sufficient protection, these programs might not be securing the actual patient or member data. There needs to be an understanding between compliance-driven strategy which is when programs do not stand up to the test of the attackers and security-driven strategy when programs are designed to deal with attackers and the threats they create. This means a refocus on the actual risks of the healthcare infrastructure:

  • Where is the patient data?
  • Where does it live? 
  • How is it stored?
  • How is it protected?
  • Are these protections sufficient?

Therefore when new technologies are in place there can also be a focus on:

  • If the technologies are fully supported 
  • If the technologies are deployed across the organisation’s entire enterprise
  • That the technologies have no limited capacities
  • That the technologies are never unmonitored

Both patient care and business continuity are important to healthcare organisations.  As hospitals and caregivers rely on technology to deliver greater gains for more timely care and more efficient business processes, they must ensure their systems are secure and stable for everyday operations. This requires a cyber resilient approach that addresses people and processes, as well as the technology used. Read Meterian’s blog post on how your organization  can become more cyber resilient.

The Healthcare Sector: A Major Target for Cyber Attacks

New Python Vulnerabilities!

Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

  • CVE-2019-18874: through python-psutil versions 5.6.5 there are risks of double free consequences. Attackers could use this issue to cause psutil to crash, therefore a denial of service, and possibly execute arbitrary code.
  • CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed…Python has a vulnerability within the package python-psutil. This was discovered on the 11th November 2019 by Riccardo Schirone who noticed that the psutil incorrectly handled certain reference counting operations. 

Python-psutil, is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling and limiting process resources and management of running processes. Psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting handling within for/while loops that convert system data into said Python objects. If an error occurred, the reference counter would be dropped twice.   In this case, the computer system’s memory storage is mishandled. Essentially, a double free releases the same area of memory twice.  

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash which could lead to a denial of service and potentially the execution of arbitrary code. This execution of arbitrary code will provide the attacker with the ability to execute any command of their choice in a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to set off and infect the users’ system.

Image of an area with signs saying 'Danger!!!Mines!!!'
https://flickr.com/photos/anzclusters/3404799066/

To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab 

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you on. This one is found within ReportLab up to 3.5.31 and it has allowed remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability was found on the 10th October 2019 and has been classified as critical. The issue is affecting the function toColor of the file colors.py. 

An image displaying the lines of code which show where the vulnerability was found.
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. So it is free, hence open-source and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, it is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand now why this vulnerability is critical and urgently needed to be fixed by users.

The issue with this vulnerability is that the manipulation of the input value to <span color=” can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely but it will impact a user’s confidentiality, integrity and availability. To make matters worse, it has been said that the price of this exploit be around USD $0-$5k since last stated on 16/10/19.

An image of 3 eggs, 2 white one brown. The first egg has a bubble which says in remarks to the brown egg 'Hey how'd you get in here?' and the brown egg has another bubble which says "Oh no they found me". This image represents the vulnerability discussed.
https://www.pexels.com/photo/eggs-in-tray-on-white-surface-1556707/

To remedy this vulnerability, please upgrade to version 3.5.32 or higher.  This is different from the recommendation of NVD which suggests to upgrade to version 3.5.26 or higher.  NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’).  Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later.  You can verify the code here

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Python Vulnerabilities!