06-Jul-2022 05:00 - edited 08-Jul-2022 09:50
This Week in Security
June 20-26, 2022
"USB(ooze), 24 Billion Credentials Can't Be Wrong, I Spy With My Little Eye"
The theme this week is information and it's (mis)management.
To err is human, but adding alcohol definitely helps the process along. Of course, the prerequisite conditions for this colossal mistake would not have existed had proper information security procedures been followed. The information should not have been copied onto the USB drive in the first place. That rule having been broken, once the work was completed the information should have been deleted. Failing to do even that, not getting pass-out-in-the-gutter drunk with the unsecured drive in his bag might have been a better life, and career, choice.
The drive is reportedly encrypted, which might offer some reassurance to the 465-thousand people whose personal information was on the missing drive. Though, given the worker's chain of excellent decisions I'm not sure I'd put a lot of faith in his correctly encrypting the drive.
<Insert Your Own Dr. Evil 'Billion' Joke Here>
For those of us in infosec the popularity of credential stuffing attacks is no surprise. They've been increasingly common over the past few years, aided by multiple massive credential leaks. But the number of username/password credentials available on the dark web is truly staggering now - 24 billion combinations. 6.7 billion unique - a 1.7 billion increase from 2020. For the average consumer, who will use one email address as their username pretty much everywhere (as is the de facto standard these days), this highlights the risk of password reuse. Leaks are so prevalent, and credential stuffing so common, that the risks are high for users who reuse their credentials. One leak and accounts on multiple sites may get popped.
The best way to protect ourselves from this is by using unique passphrases (not just passwords) for each site, likely aided by password managers since our brains aren't great at remembering all of those, and using multi-factor authentication (MFA) (aka two-factor authentication (2FA)) everywhere it is offered. Using apps like Authy, Duo, Google Authenticator, etc., is probably the best choice for most users. Physical tokens are great, but the tradeoff in usability and convenience is probably not justified for most users. Even SMS-based authentication is better than nothing. Yes, SIM-jacking and other attacks exist, but the risk to any random user is fairly low. It isn't perfect, but it raises the level of effort required.
Of course, unique passphrases would be a huge improvement given 1 out of 200 of the passwords in the collection are '123456'. And 49 of the 50 most common passwords can be cracked in under a second with standard tools. The users are not alright.
Nearly three million patient records, and counting, have been potentially compromised by a breach at Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. The breach took place back in early December, but the scope - and tally of affected records - just keeps growing. Eye care providers large and small are affected - in the running list being maintained by HIPAA Journal the smallest provider had 1,337 patients at risk while the largest had 1,290,104.
While there is not yet evidence that patient records were successfully exfiltrated or otherwise accessed, the systems with the information were compromised and patient record access or exfiltration cannot be ruled out. Eye Care Leaders claims they provide software solutions to over 9,000 ophthalmologists and optometrists, so the list of affected practices, and therefore the number of patient records at risk, seems likely to continue to grow from the 33 listed today.
As the investigation is ongoing, and it doesn't look like any findings have been released at this point, there aren't really any new recommendations stemming from this breach. It just goes to show how far reaching the impact of a breach in a services provider can be. With all of the practices storing their data in 'the cloud', as provided by ECL, the risks for operators are higher, as are the rewards for black hats.