Stolen password leads to loan company hack, subcontractor employee responsible for data breach, and why website code needs to be protected.
Welcome to Cyber Security Today. It’s Wednesday March 3rd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
Citywide Home Loans, a U.S. lender, is now notifying people that it was the victim of a ransomware and data theft attack in November. Information on a number of employees and customers was copied. According to letters filed with several states, an attacker got hold of an employee’s login credentials for the company’s virtual private network. The letters don’t explain how that happened. One possibility is that the VPN itself was exploited: in the past 12 months, vulnerabilities in corporate VPN products from at least two manufacturers have been exploited to expose usernames and passwords, and those credentials are being sold on criminal websites.
There have been many warnings to IT administrators recently to install the latest VPN security updates and then have users change their passwords, because patching alone does not invalidate credentials that were already stolen. Other possibilities are that the loan company employee’s password was guessed, or that they were tricked into revealing it. Whatever the method, experts say properly deployed multi-factor authentication is a good way to add extra protection to logins, since a stolen password on its own is then not enough to get in.
The next two items take a bit of explaining, so please be patient.
Organizations worry that personal data of customers and employees can be compromised in two ways: through a hack by outsiders, or abuse by an insider. But who is an insider? An employee, certainly. But it also includes employees of partner, contractor or supplier firms with data access. And as an article this week on the news site DataBreaches.net points out, it can also include subcontractors of contractors. The author gave the following real example: An American health insurance provider bought risk management software and services from a firm I’ll call Company Two. This firm subcontracted some work to a firm I’ll call Company Three.
One of Company Three’s employees with authorized access to the insurer’s data had a side business training people in data coding. This person was using the insurance company’s data, without permission, as training material for those students. So unapproved people were seeing patient data. That’s a data breach. So far just under 1,000 people have been notified that their personal and medical data may have been involved.
This incident raises a number of questions: Why didn’t the health insurance provider anonymize the data it sent to Company Two, so that the impact of a compromise would be low? If that wasn’t possible, why didn’t Company Two anonymize the data handled by Company Three? What other controls could have prevented Company Three’s employees from seeing real data? And did the health insurer realize all the risks it was taking by opening its data to several companies?
As the author notes, organizations can require employees of contractors and subcontractors to sign business associate agreements that cover proper data handling and privacy. However, compliance with those agreements has to be regularly audited; a signature alone does not stop a person with legitimate access from misusing the data.
Finally, crooks have been manipulating the results of search engines like Google for years to spread malware. The idea is to get a website they control ranked high in the results for a search. Security company Sophos said this week it recently found a gang using one of these techniques to spread not only other malware but also ransomware. It works like this: You ask the search engine a specific question the crooks think people are likely to want answered. High on the list of results are links to what look like legitimate companies’ websites. Click on one and you land on a page that looks like a forum, with a message offering a file for download that supposedly contains the answer. Download and open that file and you get infected.
Like similar search engine scams, this one starts with the crooks secretly placing code on the websites of unsuspecting companies so those sites will rank high for the chosen search. That fools people, because they’ll trust a legitimate-looking web address. In one example in the report, the question was, “Do I need a party wall agreement to sell my house?” The first result was the website of a Canadian medical practice. Under that address was a link titled “Do I need a party wall agreement to sell my house?”
Unknown to the medical practice, its site had been hacked and code had been inserted so that particular link would appear for that search. The scam works for two reasons. First, it relies on people thinking, “I don’t know why that company would have a link to the answer to my question, but I’ll trust it.” Second, many companies don’t have good enough security to keep their websites from being hacked. One defence is a web application firewall. Another is to restrict who can change the website’s code and configuration, and to protect those accounts with strong passwords and multi-factor authentication. Also, regularly check your firm’s site to see whether its code has been tampered with, for example by comparing the files on the server against a known-good copy.
Sophos says this particular gang uses some 400 servers hosting hacked websites, whose owners are unaware, to make the scam work.
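As an added illustration of that last point (this is example code written for this page, not Sophos’s tooling or anything from its report), the Python script below baselines the files under a site’s document root by SHA-256 hash, re-scans later, and reports added, removed and modified files. Files that changed are also checked against a short list of markers that are typical of injected PHP droppers (eval, base64_decode, and content served only when the visitor’s user agent looks like a search crawler). That marker list is a heuristic chosen for the example, and the sample site, including the hidden link injected into a page and the crawler-only PHP file, is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an attacker is most likely to plant or modify on a hacked site.
WATCHED_SUFFIXES = {".php", ".html", ".htm", ".js"}

# Illustrative markers (an assumption for this example, not from the report):
# injected PHP commonly hides behind eval/base64 and serves the planted page
# only to search-engine crawlers, so a user-agent check is a useful signal.
SUSPICIOUS_MARKERS = ("eval(", "base64_decode(", "HTTP_USER_AGENT", "googlebot")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.suffix in WATCHED_SUFFIXES or path.name == ".htaccess"):
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan_for_markers(path: Path) -> list:
    """Return the suspicious markers present in a text file (case-insensitive)."""
    try:
        text = path.read_text(errors="replace").lower()
    except OSError:
        return []
    return [m for m in SUSPICIOUS_MARKERS if m.lower() in text]


def check_site(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline; flag changed files carrying markers."""
    diff = compare_manifests(baseline, build_manifest(root))
    flagged = {}
    for rel in diff["added"] + diff["modified"]:
        markers = scan_for_markers(root / rel)
        if markers:
            flagged[rel] = markers
    diff["flagged"] = flagged
    return diff


def demo() -> dict:
    """Constructed sample site: baseline it, tamper with it, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Clinic</h1></body></html>\n")
        (root / "contact.html").write_text("<html><body>Call us</body></html>\n")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('hello');\n")
        baseline = build_manifest(root)  # in real use, store this off the web host

        # Simulated tampering: a hidden link appended to an existing page, and a
        # new PHP file that runs an encoded payload only for search-engine crawlers.
        with (root / "index.html").open("a") as f:
            f.write('<div style="display:none"><a href="/party-wall.php">'
                    "Do I need a party wall agreement to sell my house?</a></div>\n")
        (root / "party-wall.php").write_text(
            "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) "
            "{ eval(base64_decode('ZmFrZQ==')); } ?>\n")  # 'ZmFrZQ==' is just 'fake'

        return check_site(root, baseline)


if __name__ == "__main__":
    result = demo()
    for key in ("added", "modified", "removed"):
        print(f"{key}: {result[key]}")
    for rel, markers in result["flagged"].items():
        print(f"FLAG {rel}: {', '.join(markers)}")
```

Take the baseline once from a deployment you know is clean and keep the manifest somewhere the web server account cannot write; otherwise an attacker with file-write access can update the baseline along with the site. The integrity diff is the reliable part; the marker scan only prioritises what to look at first, since legitimate plugins also use eval and base64, and an injected page with none of these strings would still show up as an added or modified file.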
That’s it for today. Links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.