
Health Care & Telcos get the heat.

Updated: Aug 10, 2018



This week serves up a reminder of why medical data should be handled with care, as it’s among the most highly sought-after and valuable data for Cyber Criminals. Two of the biggest telecommunications providers in the world were also breached this week, which is what can happen when you “phone in” to get cyber security codes.


Highlights

  1. Can’t Opt Out – Australian Health Engine

  2. Unsecure Amazon S3 bucket strikes again! Hello… Verizon, can you hear me now?

  3. Unencrypted Healthcare Data.

  4. It’s my data, give it back!


So many Australians have been rushing to opt out of the Australian Government’s new centralized health record system, Health Engine, that the site has crashed!

Originally it was designed as an opt-in database, but there just wasn’t a lot of activity with the program. After the government spent more than AU $4 billion on this database, a flop of that magnitude was not an option, so it became a mandatory opt-out program.

Those who have been calling in rather than taking to the web to opt-out of the system face employees with a lack of training, long wait times, and general mayhem. Many people cite privacy concerns as their reason for opting out, which is a fair assessment.

This lack of trust could be because despite assurances by government officials that no data will be shared with third parties, a partner app called HealthEngine has been caught red-handed breaking those promises.


95% Success Rate GPS Spoofing

Spoofing, in general, is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Spoofing is most prevalent in communication mechanisms that lack a high level of security.


Researchers have successfully been able to launch GPS spoofing attacks on road navigation systems… a scary achievement. GPS spoofing systems have been around for a while but had previously been unable to trick humans into actually following the directions. The phone or GPS unit would give directions that didn’t make sense, such as abruptly turning off the road. The new and improved technology can now take into account the road layout while giving the driver wrong directions. As car manufacturers look toward a self-driving future, accurate GPS spoofing could lead to some unfortunate circumstances.

DDoS Siege

(A DDoS attack is a form of electronic attack involving multiple computers, which send repeated HTTP requests or pings to a server to load it down and render it inaccessible for a period of time.)

Gaming studio Ubisoft was the victim of a DDoS attack this week, leaving many of its most popular titles unplayable. The attacks lasted for several days and were focused on the game’s connections and server latency. This is not the first time a gaming studio has been targeted by a DDoS attack, as American studio Blizzard, known for their game World of Warcraft, experienced downtime last week due to the same issue. While the motive behind the attacks is unclear, what is certain is that these attacks are costing the companies that experience them a LOT of money.


Threat Focus: Verizon – ISRAEL

Exploit: Exposed Amazon S3 storage server, supply chain vulnerability.

Risk to Small Business: High: Supply chain breaches are increasingly blamed on the prime vendor as it’s their fiduciary responsibility to ensure the downstream vendors they use are secure. This one has global reach as many of the customers are US-based individuals.

Individual Risk: High: Could allow hackers to break into an exposed individual’s email account protected by 2FA.

Verizon: A U.S.-based phone company that has over 108 million post-paid wireless customers.

Nice Systems: An Israeli-based enterprise software company that has 85 of the Fortune 100 as customers.

Date Occurred/Discovered: Late June 2018

Date Disclosed: July 2018

Data Compromised:

  • Name

  • Cell phone number

  • Account PIN (allowing access to a subscriber’s account)

  • Home address

  • Email address

  • Current balance of account

  • Verizon customer subscribed services

Customers Impacted: 14 Million.

Threat Focus: Ministry of Health - SINGAPORE

Exploit: Undisclosed at this time. Lack of advanced, real-time intrusion detection.

Risk to Small Business: High: Nation-state originated, this is a massive breach in both scope and severity; most businesses would not recover from this, especially due to the fines that many countries would levy on a business that did not secure healthcare data.

Individual Risk: High: Medical information is valuable on the Dark Web and can be used to impersonate or exploit an individual.

Ministry of Health: Singapore’s national health organization that manages the country’s public healthcare system.

Date Occurred/Discovered: June 27, 2018 – July 4, 2018

Date Disclosed: July 20, 2018

Data Compromised:

  • Name

  • NRIC number

  • Address

  • Gender

  • Race

  • Date of birth

  • Details on dispensed medicines

Customers Impacted: 1.5 million citizens, including the Prime Minister.

Threat Focus: Care Partners - CANADA

Exploit: Unencrypted data-at-rest. Elevated privileged access. Unpatched vulnerability open for 2 years.

Risk to Small Business: High: Ransom and exfiltrate attacks are an increasingly common practice amongst cyber criminals and can be reputationally and monetarily damaging to an organization.

Individual Risk: Extreme: Health information is useful for identity theft and traded frequently on Dark Web marketplaces.

CarePartners: An organization that provides home medical services for the Ontario government.

Date Occurred/Discovered: June 2018

Date Disclosed: June 2018… however, this week the hackers revealed that they had much more information than CarePartners revealed.

Data Compromised:

  • Names

  • Phone numbers

  • Addresses

  • Medical Records

  • Past conditions

  • Diagnoses

  • Surgical procedures

  • Care plans

  • Medications

  • Credit card numbers

  • Expiry dates

  • Security codes

  • T4 tax slips

  • Social insurance numbers

  • Bank account details

  • Plaintext passwords

Customers Impacted: 80,000.

POSTSCRIPT: How Long to Hack?

How long could it take for your business or organisation to fail?

Months of operating at a loss or being unable to provide a service? Years of angst from a bad employee costing you money?

How about an hour? According to top researchers in the UK, more than HALF of UK SMEs could be hacked in less than an hour. Systems are put into place to prevent frivolous spending within an organisation and to stop theft before it happens. Budgets are made, and doors are secured with locks. Why wouldn’t you do the same for cyber security? Especially when it could only take someone across the country, or even in a different country, less than an hour to cripple your business if you are not protected.

You wouldn’t just look at your organization’s spending spreadsheet or leave your office’s door open at night. So again, the question is raised, why would you take a lackadaisical approach to cyber security?

With the world becoming increasingly connected, it is important to proactively fight cyber-attacks with employee training and defence systems, monitor for Dark Web credential exposure and to have a robust breach response plan in place.



Consider this: When you think about Cyber Security, think about the ones you care the most about – your family. If you have children or young adults using Smartphones, Tablets or Laptops, consider their vulnerability. Do you want to put their digital selves in the hands of pedophiles, scammers and cyber criminals? The purchase of children’s digital credentials (username/password) is big business on the Dark Web. Check out our inexpensive Individual or Family monitoring service – it’s a ‘no brainer’ for your peace of mind.

Disclaimer: Avantia Corporate Services Pty Ltd provides the content in this publication for general information only and has compiled the content from a number of sources believed to be reliable. No warranty, implied or otherwise, is given as to its accuracy or fitness for use, and no validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.


*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.