A warning to users of Microsoft Power Apps, vulnerabilities in a medical pump, and more.
Welcome to Cyber Security Today. It’s Wednesday August 25th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Some inexperienced website and application developers using Microsoft’s Power Apps platform have been unwittingly making what they thought was protected personal data available for anyone to see. That’s because the default setting on the application programming interfaces in the platform made stored data publicly accessible unless the developer chose otherwise. It’s a perfect example of an insecure default: the safe choice was left to the person least likely to know it was needed. Microsoft and others have now acted on warnings about this. However, we don’t know how many threat actors found and copied personal data on perhaps tens of thousands of people. What we do know is that researchers at Australian security company UpGuard discovered the bug in May and reported it to Microsoft in June. Some of the vulnerable web portals discovered were used by governments or health authorities for COVID-19 contact tracing and vaccination appointments. Other websites held social security numbers for job applicants. UpGuard notified 47 organizations whose data was left open, including some U.S. states, Ford Motor Company, American Airlines – and Microsoft. One healthcare company had over 50,000 records with names and drug test dates. Some people might not want it publicly known they were taking a drug test. UpGuard estimates 38 million pieces of information were left open.
Microsoft properly warned developers in its documentation about the problem of misconfiguring an application. But many apparently didn’t read it, or didn’t read it carefully enough. Power Apps was created to make it easy for non-IT people to write apps.
Microsoft has now released a tool developers can use to check portals built with Power Apps. That tool detects lists that allow anonymous access to data. Newly created Power Apps portals will require table permissions by default before data tables can be accessed. If you or your organization developed a portal or app with Power Apps, you should use the Portal Checker tool to confirm your data is safe.
Experts have worried for some time about the vulnerabilities of sensitive network-connected devices for industry that don’t have rigorous cybersecurity controls. The latest example was uncovered by researchers at McAfee and Culinda, who found five vulnerabilities in a medical infusion pump made by a company called B.Braun. Together these problems could be used by a remote attacker to modify the pump’s workings to deliver an unexpected dose of medication. McAfee concluded the device wasn’t designed to prevent a malicious attack. True, an attacker would have to get access to a hospital’s internal IT network to get into this device. But McAfee says the research shows industrial device manufacturers have to think more about cybersecurity. B.Braun is working on mitigations for this device. Hospitals and clinics using it should watch for news of progress.
Last week I reported news about problems with software development kits. There’s more this week. Multiple vulnerabilities have been found in the Java software development kit in IBM’s Security Directory Suite and App Connect Enterprise. Administrators should see IBM Security Bulletins about fixing these problems. Also note that a patch to fix an issue with the Go language (Golang) in IBM Cloud Pak for Multicloud Management Monitoring is now available.
Finally, there’s no shortage of ways an attacker can take over a poorly protected personal computer. One way may be through the configuration software used when installing a keyboard, mouse or other peripheral. Researchers have discovered that the Razer Synapse application, which Windows automatically downloads when Razer keyboards and mice are plugged in, would automatically – and needlessly – give a user System rights in Windows. With System privileges a person can do anything on a computer. According to the Bleeping Computer news site, Razer will issue a fix. However, the site also reports that another researcher has found an installation app for keyboards, mice and headsets from a company called SteelSeries will also give elevated Windows access privileges. Under a proof-of-concept all an attacker would need is the app and access to a computer – no need to plug in a peripheral. At the time this podcast was recorded SteelSeries hadn’t addressed this report.
One lesson: Pay attention when you install anything to see if the software asks for unnecessary privileged access to Windows, or any operating system.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.