Change Healthcare Estimates 100 Million Affected by February Breach
(October 24, 25, & 28, 2024)
In an updated filing with the US Department of Health and Human Services Office for Civil Rights (HHS OCR), Change Healthcare now estimates that the February 2024 breach affected 100 million individuals. HHS OCR has published an updated FAQ about the breach. The new figure makes the Change Healthcare incident the largest healthcare breach on record.
Editor's Note
[Pescatore]
Back in April, Change Healthcare publicly admitted that “… the impacted data could cover a substantial proportion of people in America.” That statement and “largest healthcare breach on record” should be required to be shown prominently on all their marketing material, kinda like the warnings on cigarette packaging.
[Spitzner]
A breach of this scope and size deserves to be a case study in lessons learned. I hope in 2025 our friends at the Cybersecurity Review Board (CSRB) can publish a report detailing findings and key takeaways, just as they did earlier this year for the Microsoft breach in 2023.
[Neely]
Oddly, as breach notifications continue to arrive, I’ve seen notifications for my deceased neighbors. My point is that breach notifications are taking a long time, and you need to get proactive and set up your own identity restoration/credit monitoring. Lock your credit. Don’t wait to find out you’ve got a problem.
Read more in:
- www.hhs.gov: Change Healthcare Cybersecurity Incident Frequently Asked Questions
- therecord.media: Change Healthcare says 100 million people impacted by February ransomware attack
- www.scworld.com: Change Healthcare breach affected 100 million Americans
- securityonline.info: Data of Over 100 Million Individuals Exposed in Change Healthcare Cyberattack
- ocrportal.hhs.gov: Cases Currently Under Investigation
Hospitals are Using Untrustworthy AI Transcription Tools
(October 26 & 28, 2024)
When OpenAI introduced its Whisper transcription model in 2022, it claimed the model “approache[d] human level robustness and accuracy.” The tool is in fact prone to hallucinations, and even a ChatGPT-generated description of Whisper on Azure AI recommends against its use in “high-risk domains.” Despite that warning, healthcare organizations are using Whisper-based transcription tools; software engineers, developers, and researchers who examined Whisper-generated transcriptions found high rates of fabricated text, including entirely invented sentences.
Editor's Note
[Pescatore]
AI literally has decades of over-hype but has gotten Bitcoin-like levels of promotion in the past few years. All too often, using an AI-generated document is like eating a meal you created from room service trays left outside of hotel room doors on your way from the elevator to your room.
[Dukes]
Troubling, as this deals with patient healthcare records. Is it simply that in the rush to get to market the tool had insufficient data from which to train, or are there underlying assumptions made by the model that are incorrect? Whatever the cause, a general warning not to use in high-risk domains is insufficient.
[Neely]
We should all be investigating AI capabilities, but not without careful review of the results. Remember this is still new technology and we are still learning not just how to use it but also where the information provided is stored, leveraged, and shared.
Read more in:
- apnews.com: Researchers say an AI-powered transcription tool used in hospitals invents things no one ever said
- arstechnica.com: Hospitals adopt error-prone AI transcription tools despite warnings
- openai.com: Introducing Whisper (September 21, 2022)
- ai.azure.com: openai-whisper-large (ChatGPT-generated summary)
Healthy Aging Poll: Older Adults Wouldn’t Trust AI-Generated Health Information
(October 16 & 28, 2024)
According to the University of Michigan National Poll on Healthy Aging, nearly three-quarters of adults over the age of 50 say they would not trust AI-generated health information. At the same time, 20 percent of respondents said they had “little or no confidence” in their own ability to identify health misinformation.
Editor's Note
[Neely]
As an old fart, I have trouble with chat/audio assistants trying to assist me with my call. While these have improved the experience, and are designed to allow services to scale, and numbers show they have a lot of success, they are not yet a complete human replacement, particularly for those of us who grew up with non-automated response. If you’re providing automated response services, make sure there is an easy option to request a human.
[Honan]
It is good to see this level of scepticism around AI tools. Hopefully people will continue to rely on medical experts rather than Dr. AI or indeed Dr. Google.
Read more in:
- www.washingtonpost.com: Many older Americans don’t trust AI-generated health information
- ihpi.umich.edu: Most older adults don’t trust AI-generated health information — but many aren’t sure what to trust
- www.healthyagingpoll.org: Health Literacy: How Well Can Older Adults Find, Understand, and Use Health Information?
US Copyright Office Grants Partial DMCA Exemption for Retail Food Prep Equipment Repair
(October 25 & 28, 2024)
The US Copyright Office has granted a partial Digital Millennium Copyright Act (DMCA) exemption “allowing for repair of retail-level food preparation equipment.” The exemption was requested by Public Knowledge, a consumer advocacy group, along with iFixit. The original, broader request sought “to expand the repair exemption for consumer electronic devices to include commercial industrial equipment such as automated building management systems and industrial equipment (i.e. soft serve ice cream machines and other industrial kitchen equipment).” The Copyright Office considered a total of seven proposed classes for exemption and granted all but one: a request regarding the preservation of video games.
Editor's Note
[Ullrich]
The "right to repair" movement has significant implications for device security. As more and more "smart devices" are reaching end of support, or vendors go out of business, it becomes more and more important for owners to have the ability to apply fixes to software and hardware. While it may sound benign to be able to fix an ice cream machine, the implications could be far reaching.
[Dukes]
A win for ‘consumer right to repair’ advocates and McFlurry lovers around the world. The US would be well served modeling federal law off the NY State Digital Fair Repair Act. This State law addresses many of the concerns of manufacturers (i.e., protection of trade secrets, liability, etc.).
[Neely]
With increased “right to repair,” the burden passes to the consumer to ensure the repair is done with genuine components by trained technicians. Consider the supply chain risk when screening alternate repair services.
Read more in:
- publicknowledge.org: Public Knowledge, iFixit Free the McFlurry, Win Copyright Office DMCA Exemption for Ice Cream Machines
- arstechnica.com: US Copyright Office “frees the McFlurry,” allowing repair of ice cream machines
- arstechnica.com: Video game libraries lose legal appeal to emulate physical game collections online
- public-inspection.federalregister.gov: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies (PDF)
- www.copyright.gov: Section 1201 Rulemaking: Ninth Triennial Proceeding to Determine Exemptions to the Prohibition on Circumvention (PDF)
Russian Prison Sentences for Members of REvil Ransomware Group
(October 25, 26, & 28, 2024)
Russian courts have sentenced four members of the REvil ransomware gang to prison terms of more than four years for hacking and money laundering. The group is best known for its 2021 attacks on meat-packing company JBS and IT services firm Kaseya. The members were arrested in 2022 in an operation conducted with cooperation from US law enforcement.
Editor's Note
[Elgee]
With Russia's invasion of Ukraine in 2022, the US Department of Justice stopped cooperating with Russian authorities. Many of us thought that would be the end of the case against REvil, especially where hacking companies in foreign countries is not illegal in Russia. While several gang members were released, you've got to hand it to Russian authorities for following through to prison sentences on some of the key players.
Read more in:
- therecord.media: Four REvil members sentenced to more than four years in prison
- thehackernews.com: Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions
- www.securityweek.com: Four REvil Ransomware Group Members Sentenced to Prison in Russia
Arcadyan Routers Vulnerable Through Wi-Fi Test Suite
(October 23 & 25, 2024)
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute (SEI), following up on a disclosure by independent researcher "fj016" through SSD Secure Disclosure, has released an advisory describing a command injection vulnerability in the Wi-Fi Alliance's Wi-Fi Test Suite. Using "specially crafted packets," an attacker can execute arbitrary commands with root privileges. The Test Suite is a certification-testing tool that is not meant to be present in "commercial router deployments," yet the vulnerable code was found on the Arcadyan FMIMG51AX000J router. Arcadyan has not released a patch. The Wi-Fi Alliance addressed the flaw in Test Suite version 9.0, and CERT/CC recommends that vendors either update to at least that version or remove the Test Suite from production devices entirely.
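The vulnerability class described above, as an added example (this is not the Wi-Fi Test Suite's own code and not the researcher's exploit): a test-agent style request handler that splices a request parameter into a shell command line, beside a hardened version that validates the parameter against an allow-list and executes without a shell. The comma-separated "command,name,value" request format, the sta_get_info command name and the use of iwconfig are assumptions for illustration; the request carrying an injected payload is constructed.

```python
"""Illustrative command-injection pattern in a device test agent (added example).

Not the Wi-Fi Test Suite's code. The request format, the command name and
the use of `iwconfig` are assumptions made for illustration only.
"""
import re
import subprocess

# Linux interface names: 1-15 characters, no separators or shell metacharacters.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def parse_request(line: str) -> tuple[str, dict[str, str]]:
    """Parse 'command,name1,value1,name2,value2,...' into (command, params)."""
    fields = [f.strip() for f in line.strip().split(",")]
    if not fields or not fields[0]:
        raise ValueError("empty request")
    command, rest = fields[0], fields[1:]
    if len(rest) % 2:
        raise ValueError("parameters must be name,value pairs")
    return command, dict(zip(rest[0::2], rest[1::2]))


def build_vulnerable(params: dict[str, str]) -> str:
    """VULNERABLE: the interface name is interpolated into a shell command string.

    Executed with shell=True (or C's system()), a value such as 'wlan0; id'
    runs 'id' as the agent's user, which on a router is typically root.
    """
    return f"iwconfig {params.get('interface', '')}"


def shell_metacharacters_present(cmd: str) -> bool:
    """True if the string contains characters a POSIX shell would treat as syntax."""
    return any(ch in cmd for ch in ";|&`$()<>\n")


def build_hardened(params: dict[str, str]) -> list[str]:
    """HARDENED: strict allow-list validation, then an argv list with no shell."""
    iface = params.get("interface", "")
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"rejected interface name: {iface!r}")
    return ["iwconfig", iface]


def run_hardened(params: dict[str, str]) -> subprocess.CompletedProcess:
    """Execute the validated argv directly (execve), never through /bin/sh."""
    return subprocess.run(build_hardened(params), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed request: an injection payload inside the interface parameter.
    _, params = parse_request("sta_get_info,interface,wlan0; id")
    shell_line = build_vulnerable(params)
    print("vulnerable handler would run:", shell_line)
    print("contains shell syntax:", shell_metacharacters_present(shell_line))
    try:
        build_hardened(params)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Run stand-alone, the script prints the shell line the vulnerable handler would have executed and the hardened handler's rejection of the same request. On a device whose test agent runs as root, that is the difference between a certification hook and a remote root shell, which is the reason to remove the suite from production firmware rather than merely filter its inputs.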
Editor's Note
[Ullrich]
This issue may affect other brands as well. The vulnerability was introduced by a test suite used by the Wi-Fi Alliance to verify compliance with Wi-Fi standards. Arcadyan did ship their devices leaving the test suite enabled. Others may have made the same mistake.
Read more in:
- kb.cert.org: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J
- ssd-disclosure.com: SSD Advisory – Arcadyan FMIMG51AX000J (WiFi Alliance) RCE (August, 2024)
- thehackernews.com: Researchers Discover Command Injection Flaw in Wi-Fi Alliance's Test Suite
S3 Bucket Vulnerability in AWS Cloud Development Kit
(October 24, 2024)
Amazon Web Services' (AWS) Cloud Development Kit (CDK) was vulnerable to S3 bucket "namesquatting," according to researchers at Aqua, with consequences ranging up to "full account takeover." Aqua's research, published on October 24, 2024, details its communication with AWS after reporting the flaw in June 2024. The CDK bootstrapping process creates an S3 staging bucket whose name follows an easily predictable pattern, and because S3 bucket names are global across all AWS accounts, that predictability creates the exposure: "Criminals could predict AWS S3 bucket names, pre-load malicious code into a bucket, and then sit back and wait for the target org to execute it unwittingly. Once that happened, the attackers could steal data, or even take over a user's account without them knowing." Aqua notes "there's no way to know if the vulnerability, which doesn't have an associated CVE number, has been exploited in the wild." Amazon has patched the issue and notified customers; Aqua recommends updating the CDK and re-running the bootstrap command, or applying an "IAM policy condition ... similar to the AWS patch" to existing bootstrap roles.
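The two checks a practitioner would want after reading this, as an added example (not AWS's code and not Aqua's): predicting the default staging bucket name from account ID and region, and auditing a bootstrap role's policy for the aws:ResourceAccount condition. The reason the condition matters is that an S3 ARN names a bucket, not its owner, and bucket names are global: if the predictable bucket is deleted and an attacker creates one with the same name in another account, a role whose policy only names the ARN still has access to the attacker's bucket. The default qualifier hnb659fds and the cdk-{qualifier}-assets-{account}-{region} template are the CDK v2 defaults; the sample policy documents below are constructed, and their layout is mine rather than the bootstrap template's.

```python
"""Predict the CDK staging bucket name and audit a role policy for an
aws:ResourceAccount condition (added example, not AWS's or Aqua's code).

The sample policies are constructed; their layout is illustrative.
"""
import json

# Default CDK v2 bootstrap qualifier and bucket-name template.
DEFAULT_QUALIFIER = "hnb659fds"


def staging_bucket_name(account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Name of the CDK asset staging bucket, predictable from public inputs alone."""
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def uses_default_qualifier(bucket_name: str, account_id: str, region: str) -> bool:
    """True if a bucket name is exactly the guessable default for this account/region."""
    return bucket_name == staging_bucket_name(account_id, region)


def _as_list(value):
    """IAM fields may be a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def statement_pins_resource_account(statement: dict, account_id: str) -> bool:
    """True if the statement only applies to resources owned by account_id."""
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "StringEqualsIfExists"):
        values = _as_list(condition.get(operator, {}).get("aws:ResourceAccount"))
        if account_id in values:
            return True
    return False


def unpinned_s3_allow_statements(policy: dict, account_id: str) -> list[int]:
    """Indexes of Allow statements granting S3 actions without an ownership check."""
    flagged = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        if not statement_pins_resource_account(statement, account_id):
            flagged.append(index)
    return flagged


# Constructed sample account and the bucket ARN a bootstrap role would reference.
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET_ARN = f"arn:aws:s3:::{staging_bucket_name(ACCOUNT, REGION)}"

# Constructed: a file-publishing style statement that names the ARN but not the owner.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Constructed: the same statement pinned to buckets owned by the bootstrapped account.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:ResourceAccount": ACCOUNT}
}


if __name__ == "__main__":
    print("predicted staging bucket:", staging_bucket_name(ACCOUNT, REGION))
    print("weak policy, unpinned S3 statements:", unpinned_s3_allow_statements(WEAK_POLICY, ACCOUNT))
    print("hardened policy, unpinned S3 statements:", unpinned_s3_allow_statements(HARDENED_POLICY, ACCOUNT))
```

To audit real bootstrap roles, fetch each role's inline and attached policy documents and feed them to unpinned_s3_allow_statements; any flagged statement is one that would still follow the bucket name into another account. Bootstrapping with a non-default qualifier removes the guessability of the name but not the ownership gap, so the condition is the check that actually closes the hole.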
Editor's Note
[Pescatore]
I guess the analogy here is if you are going to use dishes directly from the dishwasher, make sure you run the dishwasher first.
Read more in:
- www.aquasec.com: AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover
- www.theregister.com: AWS Cloud Development Kit flaw exposed accounts to full takeover
- www.darkreading.com: AWS's Predictable Bucket Names Make Accounts Easier to Crack
Windows Kernel Vulnerable to Rootkits via Downgrade Attack
(October 26 & 28, 2024)
Beginning at Black Hat USA in August 2024, and in subsequently released research, SafeBreach's Alon Leviev has demonstrated a downgrade attack he calls Windows Downdate, in which an attacker who already holds administrative privileges can bypass Driver Signature Enforcement and downgrade the OS kernel, drivers, DLLs, and other components, allowing rootkit installation on a fully patched machine. In some cases virtualization-based security (VBS) can also be bypassed or disabled, specifically where the UEFI lock was enabled without the "Mandatory" flag. Leviev stated: "I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world." While Microsoft at first stated that this issue "did not cross a defined security boundary," the company has since published a "revocation policy mitigation" for CVE-2024-21302 (Windows Secure Kernel Mode Elevation of Privilege Vulnerability) and patched CVE-2024-38202 (Windows Update Stack Elevation of Privilege Vulnerability), though some systems may require additional action.
NIST Evaluating 14 PQC Digital Signature Candidates
(October 25, 2024)
After finalizing its first three post-quantum standards in August 2024 (one key-encapsulation mechanism and two digital signature schemes, all designed to withstand attacks by quantum computers), the National Institute of Standards and Technology (NIST) is continuing to seek algorithmic diversity in its Post-Quantum Cryptography (PQC) portfolio. "While several non-lattice-based KEMs remained under consideration in the fourth round, no signature schemes remained," so NIST opened a separate call for "additional [digital] signatures." From 40 first-round submissions, 14 candidates have now advanced to a second evaluation round, open for public comment and for tweaks by the submitters; only one of the 14 is lattice-based. NIST has said that a quantum computer capable of breaking today's public-key encryption could be built within the next ten years.
Read more in:
- csrc.nist.gov: Post-Quantum Cryptography: Additional Digital Signature Schemes
- csrc.nist.gov: NIST IR 8528
- www.meritalk.com: NIST Advances 14 Digital Signatures to Guard Against Quantum Cyber Threats
Operation Magnus: International Effort Results in Infostealer Malware-as-a-Service Disruption
(October 28, 2024)
The Dutch National Police (Politie) say they have obtained “full access” to servers used by the Redline and Meta infostealers, both of which are sold as malware-as-a-service. Operation Magnus, which also involved law enforcement agencies from the US, the UK, Portugal, and Australia, along with Eurojust (the European Union Agency for Criminal Justice Cooperation), “gained access to the Redline and Meta source code, including the license servers, REST API servers, panels, stealers, and Telegram bots.” The operation also turned up information that could help identify people who used the malware.
Editor's Note
[Dukes]
A success is a success. That said, these sorts of tools are easy to replicate. Defenders are still best served by updating their software as patches become available, using a secure configuration, and actively monitoring their enterprise for compromise.
[Honan]
Yet again another great example of international law enforcement cooperation. Well done to all the agencies involved. No doubt the intelligence gathered from this operation will lead to multiple arrests. It also is a reminder why it's important that victims of cybercrime engage with law enforcement so that those agencies can prioritise and plan operations against criminal gangs.