27 November 2019

News round-up 28 November 2019 — Hacked Disney+ accounts, IoT, internet sovereignty and data breaches

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up:

From angry users unable to stream their favourite Disney classics to an entire citizenry deprived of access to the internet – events in cyberspace can have wildly varying consequences. In this roundup we explore what these recent events mean for businesses and why – given the stakes – elevenM and other Australian businesses are calling for a dedicated voice for cyber security at ministerial levels of the Federal Government.

Key articles:

Thousands of hacked Disney+ accounts are already for sale on hacking forums

Summary: Only hours after new streaming service Disney+ was launched, thousands of accounts have been put up for sale on hacking forums, triggering complaints by customers.

Key risk takeaway: It’s a harsh reality for online businesses – the poor security practices of their users can translate into brand damage. Disney+ has faced a “flood of complaints” from users who were locked out of their new accounts by hackers just hours after excitedly setting them up. However, rather than a compromise of Disney’s systems, these accounts appear to have become accessible to hackers because users had set them up with the same email and password combination used for other online services (and which had been breached). Cybercriminals today have access to enormous troves of already breached username/password combinations. In a technique called “credential stuffing”, they systematically try out usernames and passwords from these troves on other services (in this case, Disney+ accounts). And because many people re-use passwords, it works a lot. Businesses can educate their customers and staff on the dangers of password re-use (and other security risks) by enrolling them in engaging online learning and in-person training sessions.

Tags: #securityawareness #credentialstuffing
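Credential stuffing also leaves a recognisable trace in a service's own authentication logs, which is the defender's side of the technique described above. The following is an added example, not code from the round-up or from Disney: it assumes a simple log format and thresholds of its own, and flags sources that try many distinct accounts with mostly failed logins inside a short window, listing any account that did succeed so it can be reset.

```python
# Added example, not from the elevenM round-up: credential stuffing looks like
# one source cycling through many different usernames with mostly failed logins
# in a short window. Log format and thresholds are assumptions for this demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, result, username, source IP.
SAMPLE_LOG = """\
2019-11-27T10:00:01Z FAIL user=alice@example.com src=203.0.113.7
2019-11-27T10:00:02Z FAIL user=bob@example.com src=203.0.113.7
2019-11-27T10:00:02Z FAIL user=carol@example.com src=203.0.113.7
2019-11-27T10:00:03Z OK   user=dave@example.com src=203.0.113.7
2019-11-27T10:00:04Z FAIL user=erin@example.com src=203.0.113.7
2019-11-27T10:00:05Z FAIL user=frank@example.com src=203.0.113.7
2019-11-27T10:00:10Z FAIL user=grace@example.com src=198.51.100.9
2019-11-27T10:00:20Z FAIL user=grace@example.com src=198.51.100.9
2019-11-27T10:00:30Z OK   user=grace@example.com src=198.51.100.9
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result == "OK",
            user.split("=", 1)[1], src.split("=", 1)[1])

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.25):
    """Return {src_ip: {"users": n, "hits": [...]}} for sources whose attempts
    within `window` span >= min_users accounts and mostly fail. "hits" lists
    accounts that DID log in from such a source: those need a password reset."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ok, user, src = parse_line(line)
        events[src].append((ts, ok, user))
    flagged = {}
    for src, evs in sorted(events.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance `start` until evs[start:end+1] fits inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, _, u in chunk}
            ok_ratio = sum(ok for _, ok, _ in chunk) / len(chunk)
            if len(users) >= min_users and ok_ratio <= max_success_ratio:
                hits = sorted({u for _, ok, u in chunk if ok})
                flagged[src] = {"users": len(users), "hits": hits}
    return flagged
```

The second source (a single user retrying their own password) is not flagged, which is the distinction a lockout-only rule would miss.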

Govt unveils IoT cyber guidelines

Summary: The Federal Government has unveiled new guidelines for consumer Internet of Things (IoT) devices to help ensure their security.

Key risk takeaway: Although the guidelines are voluntary, they signal the growing expectation of governments and the broader community that “good security” be included as a standard “feature” in new products. The Government’s guidelines largely mirror similar principles issued by the UK earlier this year, while the EU this month also issued a report outlining good practices for security of IoT devices. Some of the prescriptions – such as keeping software securely updated and making it easy for consumers to delete personal data – are instructive of the standards of security and privacy increasingly expected of any business offering digital services. However, as with the AI ethics framework we covered in our last news roundup, business should be wary of alignment to these voluntary codes as a substitute for rigorous assessment of digital risks.

Tags: #IoT #securebydesign #securityriskassessment

Russia and China get a big win on internet “sovereignty”

Summary: The United Nations has voted to advance a Russian-drafted resolution on cybercrime that some western observers fear will pave the way for global norms that endorse state control of the internet and threaten the notion that access to the internet should be a human right.

Key risk takeaway: In an interconnected digital world, the increasingly contested debate about how the internet should be governed has real implications for businesses with a global footprint or ambitions. A more fractured, state-controlled internet (in which nations can exert greater sovereignty over the internet) potentially threatens both the economic potential and democratic values made possible by an open, free and secure internet (the latter being Australia’s goal under its international cyber engagement strategy). At a very basic level, digital access to markets could more easily be disrupted (see Iran) under a model in which states can exert greater sovereignty over the internet. As international dialogue in this space apparently shifts, businesses could voice their views via Australia’s 2020 cyber security strategy (see the final item in this roundup) or through Australia’s Cyber Ambassador.

Tags: #cybernorms

1.2 Billion Records Found Exposed Online in a Single Server

Summary: A security researcher has found yet another large trove of data exposed on an unsecured server, comprising 4 terabytes of personal information, including profile data from Facebook, Twitter, LinkedIn, and Github.

Key risk takeaway: Looking into these data troves and data leaks is to take a peek into the toolkit of attackers – and see that the breadth of data within is more than enough ammunition for attackers to successfully compromise or impersonate a large number of user accounts via techniques such as phishing and credential stuffing. As we have written previously when covering instances of leaked personal data or credentials, businesses should remind users not to re-use account login credentials across multiple services. This prevents credentials found in a trove like this from being exploited to access other accounts. Organisations can also use the Have I Been Pwned service to identify if any of their accounts exist in this, and other, exposed data sets – and reset passwords for those users. And take the simple step of educating your staff on common threats such as phishing.

Tags: #passwords #cyberawareness #securityawareness

110 Nursing Homes Cut Off from Health Records in Ransomware Attack

Summary: A ransomware outbreak at a US-based IT company has impacted more than 100 of its nursing home clients, preventing them from accessing crucial patient medical records. Meanwhile, a US state declared a statewide emergency after a ransomware attack this month.

Key risk takeaway: Echoing the warning in our last roundup that businesses can be severely disrupted if a supplier is infected with ransomware, patient lives were reportedly placed at risk as a result of medical records becoming unavailable in this incident. The high ransom amount – $US14m – has attracted attention, suggesting the attackers had some sense of the critical impact they would have on the target business and its clients. In addition to ensuring your own business has the ability to detect and prevent ransomware – such as by installing reputable antivirus and doing regular backups – businesses should gain assurances that their service providers also have the right security provisions in place.

Tags: #ransomware #securityassurance

My Health Record exposed to shared cyber security risks

Summary: An audit has found that cyber security and privacy risks relating to the core infrastructure of the My Health Record (MHR) system have been “largely well managed”, though broader concerns remain around third-party risk.

Key risk takeaway: Given the firestorm around the security and privacy of My Health Record last year, perhaps we can treat this mostly positive audit as a step forward. Notably, the audit cited the positive impact of initiatives such as the implementation of the Australian Government’s Essential Eight cyber mitigation strategies – widely considered a strong foundation for any business looking to mitigate cyber risks. The role of privacy impact assessments in managing privacy risks was also noted, though an end-to-end privacy assessment of the system has nonetheless been recommended. The audit also highlighted a key challenge faced by many organisations (not only the Australian Digital Health Agency, which oversees MHR) – namely, the need to manage privacy and security risks not only in their own core systems, but also in those relating to suppliers. In this instance, ADHA has been urged to monitor healthcare providers’ compliance with legislated security requirements and standards.

Tags: #myhealthrecord #privacy #supplier #essentialeight