This month in security: August 2019
We’ve seen a few interesting security-related incidents affect the APAC region during August – including breaches of sensitive medical information and public transport users’ data, plus a work-alike Microsoft exploit attracting the attention of ASD.
Thousands of medical histories exposed in Neoclinical data breach
Contact and medical information of around 37,000 Australians and New Zealanders – including diagnoses, illicit drug use and treatments – was exposed in a data breach at Neoclinical, a company that qualified them for paid clinical trials.
According to the Neoclinical, “During a routine IT operation, our server was temporarily opened last month” and that the disclosure of the breach “was an exercise by a cybersecurity company demonstrating their expertise for marketing purposes”.
Looking at the timeline of events, it really comes back to the incident response and how this was initially handled by Neoclinical. If the database was open during routine IT operations, was that maintenance or a dev issue? We’re not privy to the precise information, so – whilst there are a lot of questions around the security of their software development, and segregation between dev and production – we’re going to focus on what should have been done after the breach occurred.
Timeline of Response
1 July: Security Researcher from UpGuard discovered an online Database labelled Neoclincal, then attempted to notify Neoclincial via phone numbers on their website. One line was disconnected and the other line converted calls to text.
25 July: After no action, UpGuard notified Amazon AWS Security’s team, which responded by saying they would notify the database owner.
26 July: Public access to the database was taken down
Now I don’t think you need to be an expert in incident response to agree that this was a painfully slow response from Neoclinical.
Not a good look
At the end of the day, this organisation is responsible for holding the medical histories of individuals not only across Australia, but globally. It doesn’t matter whether you’re a start-up or a large enterprise; if you hold an individual’s personal – and in this case sensitive – data, you’re responsible for it under Privacy legislation under most national jurisdictions.
A breach such as this can significantly change the trajectory of a company’s future, especially for a small business like Neoclinical. Its website no longer resolves, although the business is still listed on LinkedIn.
Botched travel smartcard data release breached privacy laws
Victoria’s Department of Transport has been found to have breached the state’s Privacy and Data Protection Act of 2014 when it released travel records from 15 million myki cards to the Department of Premier and Cabinet.
Firstly, you might be wondering how this occurred? The Premier’s department asked for a dataset of partially redacted dataset containing 1.8 billion records of activity for three years up to June 2018. The idea was to ‘feed’ the 2018 Melbourne Datathon, an educational competition for our best and brightest data scientists.
In fact, according to the Datathon’s website, anyone can join in – there’s no NDA to sign and you can do as you please with the data!
This all sounds great, right?
It turns out that data scientists are very good at manipulating datasets and seemingly have been able to reverse engineer the data to find out when people are travelling and even home in on individuals. (If you’re interested, read this report by some Melbourne University researchers.
On 15 August 2019, the Office of the Victorian Information Commission (OVIC) released a report on its investigation and its conclusion that the Privacy and Data Protection Act ( 2014) (Vic) had been breached. You can read their entire report here.
Human error strikes again
Let’s look at what really caused this breach… human error! I don’t think there was any malicious intent at all – in fact far from it. However, the reality is we’re in charge of the data we hold and we need to ensure it’s kept secure and private and adheres to all state and federal laws.
If we look at the Department of Transport’s response, it really doesn’t admit to fault, and disagrees with the outcome of the investigation: “A lot more information and further steps are required from other sources, along with private knowledge, data science expertise, etc.”
Some of their points may have levels of validity, but the fact they called out data science expertise as an excuse for this not being a potentially harmful breach is a poor response. We’re in the age of Big Data; just because I personally don’t have the ability to reproduce this, it doesn’t mean someone else with malicious intent doesn’t.
Further, because the dataset was published online, it’s been found numerous times on other areas of the internet. The data is pretty much out there. The learning from this is, you need to be very careful when you share data, especially in a public forum, and consider what it could possibly be used for.
BlueKeep-like exploit, affecting thousands of ANZ entities.
According to Microsoft’s path notes, a remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system to then install programs; view, change, or delete data; or create new accounts with full user rights.
While we’ve seen this before, when Mimecast patched BlueKeep back in May, the challenge with this new exploit is that it affects newer versions of Windows:
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2012,
Windows Server 2012 R2
Windows 10 & All server versions
The Australian Signals Directorate (ASD) has even released a security bulletin, warning up to 50,000 Australian devices could be affected – and any organisation relying on older Microsoft systems is at risk.
Effectively, a security researcher, @zerosum0x0 on Twitter, has now packaged up these exploits into Metasploit. For those who aren’t aware, Metasploit is open-source tech very commonly used by Pen Testers, running on Kali Linux for use by both White and Black Hat hackers. The reason there is a security warning is because a lot of organisations and individuals are quite slow at patching and updating.
So, what should your organisation do?
Patch! When I say patch, it’s also worth reviewing what your patch schedule looks like. Do you monitor security bulletins? If this is the first time you’ve read about this (and your Windows boxes are unpatched) I’d recommend a full review of your approach.
It will be interesting to see how this one plays out. However, there’s no excuse for suffering from this exploit as it is all public, widespread knowledge and there’s a fix available.