Real Estate Industry Has A ‘False Sense Of Security’ When It Comes To Cyber Safety

Last December, government services in Mecklenburg, North Carolina, ground to a halt. What began as a malicious email attachment sent to a county employee turned into a crippling cyberattack that held 48 of the county’s 500 data servers hostage.

The attack prevented services ranging from intakes at the county jail to processing applications for marriage licenses. Contractors were among those hit the hardest. Unable to schedule inspections or receive approval to pour foundations or complete electrical work, contractors had to put development projects on hold during the multiday recovery process.

The Mecklenburg County attack, and an increasing number of high-profile hacks in the past year, have brought to light a sobering reality: The real estate industry is unprepared for cyberattacks.

“Real estate firms have been generally lucky where they have not experienced the type of breaches that you see in other industry sectors, and that has probably given many people a false sense of security,” Baker Tilly Cybersecurity and IT Risk Senior Manager Mike Cullen said. “As other businesses get better at security, criminals are looking for easy targets. Construction and real estate could be such targets because they have historically not always taken the necessary precautions.”

Cullen works with Baker Tilly clients to lead and execute IT risk assessments, IT process audits and information security assessments, among other cybersecurity initiatives. Historically, real estate companies were at lower risk because they maintained less personal information and intellectual property than financial or healthcare businesses. More recently, attackers have been drawn to the select pool of wealthy investors real estate ventures attract, Cullen said.

Data like personal information, blueprints and schematics, access to building technology systems and financial information can be sold or used to gain a competitive advantage. Money can be skimmed from tenant and vendor accounts or credit cards and extorted directly thanks to ransomware. Last June, property management firm BNP Paribas Real Estate reported a ransomware attack that took down most of its global systems.

The rise of the Internet of Things, which I call Internet of Threats has brought the threat of cyberattacks more directly into tangible property. Building managers have started to embrace more systems that allow them to manage security infrastructure, HVAC, lighting controls and utilities remotely. This gives hackers another point of entry for attacking systems and stealing data, Cullen said.

In the past, building management systems were more proprietary and offline, creating a higher barrier to entry for hackers. Newer building systems are more standardized, using software obtained from vendors. These programs, like all software, come with vulnerabilities that hackers can exploit. Many companies may also have insufficient password protection or outdated antivirus programs that contribute to heightened cyberrisk.

More than directly sabotage the systems themselves, hackers can pull personal data from “smart” or intelligent building infrastructure. In November 2013, hackers infiltrated Target Corp.’s HVAC contractor’s systems to steal the payment card records and other personal information of nearly 110 million customers. The company reported a gross financial loss of $252M by the end of Q4 2014 as a result of the cyberattack.

Risk will continue to rise as intelligent buildings gain popularity. According to Faculty Executive, an estimated 95% of building systems connected to the internet have insecure connections, and 65% of vendors have remote access to building systems.

Talking to vendors about potential cyberthreats and hiring a dedicated person in charge of cybersecurity are the first steps real estate companies should take in arming themselves against the growing risk, Cullen said. Companies must have an employee who spends at least 50% of their time on the job dealing with cybersecurity.

Once key personnel are put in place, creating a security program that is specific to the type of real estate business and adaptable to new threats will ensure a strong defense against future attacks.

“It is impossible to prevent 100% of every attack,” Cullen said. “Your security program needs to include how you react to an incident so that you can respond in a timely and thoughtful way instead of a fire drill, figure-it-out-as-you-go strategy.”

Global spending on cybersecurity will exceed $1 trillion over the next five years, from 2017 to 2021, with 1.5 million cybersecurity job openings by 2019. While the industry is growing, real estate might not be able to attract the same top talent as the finance or healthcare sectors.

“Other industries have more money to attract top talent and CRE has not been willing to spend as much on cybersecurity, which means they are not getting the best resources,” Cullen said. “To be prepared for what is ahead, real estate companies will need to invest more in cybersecurity.”

Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulnerable to the issues.

Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.

These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data which is currently processed on the computer.

Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.

“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.

Therefore, it is possible for such speculative execution to have “side effects which are not restored when the CPU state is unwound and can lead to information disclosure,” which can be accessed using side-channel attacks.

Meltdown Attack:

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.

“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”

Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.

“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”

Nearly all desktop, laptop, and cloud computers affected by Meltdown.

Spectre Attack:
The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.

Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.

Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” the paper explains.

 

“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.

What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
  • MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update.  Other users have to wait for their device manufacturers to release a compatible security update.

Mitigations for Chrome Users:

Since this exploit can be executed through the website, Chrome users can turn on Site Isolation feature on their devices to mitigate these flaws.
Here’s how to turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labeled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both the attacks since each requires protection independently.

Happy New Year 2018: 10 Steps to Improve Cybersecurity

Just a few (10) recommendations to think about in the new year.

  1. Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download automatically and install manually. [Preventative]
  2. Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
  3. Update all web browsers. Preferred browser would be 64 bit Google Chrome Enterprise as it is fairly secure by default and includes its own sand-boxed Flash player and PDF viewer. [Preventative]
  4. Update Adobe Flash to most current version or remove if using Chrome as advised above. Update Adobe Reader to most current version or remove if using Google Chrome. [Preventative]
  5. Remove Java. If you must run Java, update to most current version but seriously consider removing Java. [Preventative]
  6. Raise the level of User Access Control (UAC) to the highest level – requiring Admin account to install or modify the system. [Preventative]
  7. Users must not be Local Admin on their PC. [Preventative]
  8. Enable Windows firewall on all PCs and servers. Only enable ports and applications both inbound and outbound as required (block inbound by default minimum). [Preventative]
  9. Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
  10. All mobile devices should be updated to latest version of OS and device pass codes must be set (at least 6 digits). [Preventative]

Bonus Items

  1. Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
  2. Bitlocker or other hard drive encryption should be enabled and enforced via GPO.[Preventative]
  3. Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
  4. Install SYSMON on all PCs and Servers. Configure for logging process creation, command line execution parameters, process creation, optionally network events. [Detective]
  5. Turn on Windows Event logging for critical events see SANS Detecting Security Incidents Windows Event Logs. [Detective]

Have a great New Year and be safe and cyber aware !!

Crime Does Not Pay!!


The U.S. federal officials have arrested three hackers who have pleaded guilty to computer-crimes charges for creating and distributing Mirai botnet that crippled some of the world’s biggest and most popular websites by launching the massive DDoS attacks last year.

According to the federal court documents unsealed Tuesday, Paras Jha (21-year-old from New Jersey), Josiah White (20-year-old Washington) and Dalton Norman (21-year-old from Louisiana) were indicted by an Alaska court last week on multiple charges for their role in massive cyber attacks conducted using Mirai botnet.

Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs, and other Internet of Things devices which are still using their default passwords and then add them into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure.

According to his plea agreement, Jha “conspired to conduct DDoS attacks against websites and web hosting companies located in the United States and abroad” by ensnaring over 300,000 IoT devices. He also demanded payment “in exchange for halting the attack.

Between September and October 2016, Jha advertised Mirai botnet on multiple dark web forums using the online monikers “Anna Senpai.” He also admitted to securely wiping off the virtual machine used to run Mirai on his device and then posting the source code of Mirai online for free.

Since then, other cybercriminals have used the open-source code of the botnet to create their own Mirai variants in a variety of different cyber attacks against their targets.

Paras Jha (a.k.a Anna Senpai) and his business partner Josiah White (a.k.a Lightspeed and thegenius) are the same people who were outed by blogger Brian Krebs earlier this year after his blog was also knocked offline by a massive 620 Gbps of DDoS attack using Mirai botnet.

Paras-Jha-Mirai-botnet

According to Jha’s LinkedIn profile, he is a 21-year-old passionate programmer from Fanwood, U.S., who knows how to code in multiple programming languages and is positioned as president of a DDoS mitigation firm, ProTraf Solutions.

White admitted to creating the Mirai botnet’s scanner to identify and hijack vulnerable internet-connected devices to enlist in the botnet, while Norman (a.k.a Drake) admitted to identifying private zero-day vulnerabilities and exploits to build into the massive botnet.

From December 2016 to February 2017, the trio successfully infected more than 100,000 computing devices to form another powerful botnet, called Clickfraud, which was designed to scam online ad networks by simulating clicks on ads for the purpose of artificially generating revenue.

A week after the massive DDoS attack, the source code of Mirai was released on the widely used hacker chat forum Hackforums by Jha who, under the name Anna-senpai, wrote he had “made their money…so it’s time to GTFO.”

“So today, I have an amazing release for you,” he wrote. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Once Mirai source code was out, various cyber criminals started exploiting the IoT malware to launch powerful DDoS attacks against websites and Internet infrastructure, one of which was the popular DNS provider Dyn, which was DDoSed by a botnet of an around 100,000 Mirai malware-infected devices.

The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.” DOJ said.

The trio faces a sentence of up to five years in prison.
Crime does not pay, it will eventually catch up to you !!!

How Hackable Are Our Apartments?


The Internet of Things is poised to revolutionize apartment home systems and appliances, but it also increases the security and privacy threats to apartment firms. At the 2017 NMHC OPTECH Conference & Exposition, a panel of leading security experts shared best practices for ensuring that apartment firms are mindful of the new threats as they integrate smart home devices into their communities.

The panel’s moderator, Mike Smith, vice president at White Space Building Technology Advisors, advised that as apartment firms add IoT devices to their communities, they need to look for products that are specifically designed for multifamily, noting, “if you buy a product at Home Depot, it is probably not designed for the complex nature of multifamily security needs.”

Panelist Michael Reese, Chief Information Officer for USA Properties Fund, agreed, saying that he views “IoT as Internet of Threats, not Internet of Things,” and recommended this view as apartment firms evaluate smart home technology. Kevin Gerber, project manager at Forest City Enterprises, noted that it is critical to educate staff on the new technologies and maintaining strong security protocols, and highlighted the need for a strong support structure.

Panelists agreed in the importance of segregating networks as a critical step in good cyber hygiene. Yousef Abdelilah, innovation and product management leader at American Tower, stressed the importance of implementing different layers of security to protect systems. Hackers don’t want to spend a significant amount of time trying to hack a system and will move on to systems that have fewer layers and are, therefore, easier to access.

Bill Fisher, security engineer at the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology (NIST), commented that “IoT threat mitigation is not that different from past cyber DSC_2153threats. Best practices for strong cyber hygiene aren’t new. Right now, the onus is on the end-user to ask right questions and educate him or herself until market correction forces vendors pushes vendors to address security.” NIST provides best practices and a customizable approach to managing cyber risk through the NIST Cybersecurity Framework.

Panelists recommended evaluating the ROI on current IoT technology. Fisher commented that installing IoT is a risk decision. Firms need to weigh the convenience of devices versus the risk of security and legal ramifications if a system is hacked.

Reese reminded the audience that ensuring strong information security policy is a senior executive issue, not simply an IT issue, that needs to be implemented throughout the company

NMHC provides a resources on cybersecurity, including a cybersecurity white paper and a cyber threat alert system. More information can be found at nmhc.org/data-security.

Small Business Cyber Security – MYTH BUSTING

 

These days cybersecurity is a constant headline in the news.  It can be easy to go on with business either feeling helpless or like this doesn’t pertain to my business.  But with recent headlines highlighting crypto-extortion/ransom-ware and hacking of large enterprises by way of their small business partners, cyber threats have become something that affects all our businesses.  But this problem is so-big and so-nebulous, what can we do to stay safe and secure in this ever-changing connected world?

Myth #1 – I’m not a large enterprise, hackers won’t attack me:

Did you know that more than half of the data breach victims are businesses with under 250 employees?1 Hackers are intelligent, and sophisticated, but they’re also often looking for something quick and easy. Small and medium businesses who believe they are not at risk, tend not to invest as much in cybersecurity; thus, making them an easier target. They collect and store a wealth of data, but often don’t realize it’s true value, and therefore don’t put the right measures in place to protect it.

From there, attackers take various routes.  They might just encrypt your systems and hold your business for ransom, preventing order processing and other critical functions – often not restoring service when paid.  Further the attackers might use data or access gained from the small business to leverage an attack on larger partner organizations.  In 2014 Fazio Mechanical Services provided the vector for hackers which lead to Target’s massive breach. What big clients would you lose in this situation?

Myth #2 – Technology will fix everything:

It’s true that professionals use robust technology systems and tools to be prepared against cyberthreats, but technology is only part of the solution and buying and implementing technology solutions without expert configuration and monitoring is a lot like using WebMD.com in place of a doctor to diagnose and treat diabetes.  Might you end up doing some beneficial things and even improving your situation?  Absolutely!  But are you positioned to understand all the complex intersections of causes, tools and treatments, side-effects, etc, to lead to an ideal outcome?  It’s possible, but the truth is that you’re probably busy running your business and family.

Beyond technology, one critically underutilized tool in this fight against cybercrime is employee education.  The number one risk factor since something like 1995 has been and remains human interaction.  According to Verizon’s 2017 Data Breach Investigation Report, 99% of malicious content came from email (93.8%) and web browsers (5.8%).  Though all of these threats are not easily detectible by humans, many are.  As such, one of the most effective things we can do is to teach employees how to identify and avoid these sorts of threats and to pro-actively test them with controlled and measured phishing tests to determine where additional education may be needed.  If employees are properly trained to detect a scam or raise a suspicion, we can prevent many attacks before malware is even in the system.

Myth #3 – I Don’t have funds or resources for cybersecurity:

It might feel like you’re not in a financial position to invest in cybersecurity yet – especially if you believe your business is too small to attract the attention of would-be-hackers.  But have you stopped to think about the cost implications of a breach?  There’s loss of business due to reputational damage, legal fees, loss of competitive edge, and so much more at stake.  

Your local MSP (Managed Service Provider) has an IT Service that can help you.  They will take an in-depth approach to cyber security which has proven highly effective by creating layers of security measures which minimize user impact and cost while maximizing return on investment.  For instance, endpoint protection as a service solution, which is composed of industry leading anti-virus and web defense software married with best-in-class management and response procedures, has been deployed on 1000’s of systems as best practice.

Cybersecurity Ventures predicts $1 trillion will be spent globally on cybersecurity from 2017 to 20212. Ensure you’re a part of that investment, so you don’t get left behind.

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online

Honored to be speaking at 2017 NMHC OPTECH Conference & Exposition in Las Vegas October 25-27, 2017 Mandalay Bay Resort and Casino.

 

 

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online
With the Internet of Things poised to revolutionize our systems and appliances just as the internet did with our information, the question remains—can we keep these devices safe? Today’s “smart” home demands a modern take on security and privacy as well as possible integrations with property management systems or even new voice activated consumer technology. Online security experts will assess the risk of the internet-enabled apartment and will present best practices to keep your residents and your enterprise safe from hackers.

 

U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

    The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

It’s just a matter of time.

What You Should Know About the ‘KRACK’ WiFi Security Weakness

 

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available or your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

Another AWS leak exposes 150,000 Patient Home Monitoring Corp. client records

Another publicly accessible Amazon S3 repository has been once again been left exposing sensitive consumer information, this time affecting approximately 150,000 U.S. patients.

Kromtech Security Researchers discovered the exposed server belonging to Patient Home Monitoring Corp. which contained in 47.5 GB worth of data in the form of 316,363 PDF reports detailing weekly blood test results including patient and doctor names, case management notes, other client information and the Development Server Backup.

The vulnerable server was spotted on Sept. 29 and researchers said they notified the company on Oct 5. and by Oct. 6, the bucket had been secured. Kromtech pointed out that the company’s privacy page stated that patients have the right to be notified when their information is being accessed and that it’s unclear how or if patients will be notified of the incident.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

Some researchers aren’t surprised that admins are misconfiguring Amazon S3 buckets and leaving them exposed with the rapid adoption of the new technology.

“The Amazon S3 bucket can be easily switched from private to public access – with public being the default.” Josh Mayfield, platform specialist, Immediate Insight at FireMon said. “With the speed that organizations are moving to AWS and cloud infrastructure, it is only natural to miss something.”

Mayfield said companies should have policy controls that are automated irrespective of future technology so that admins don’t have to sacrifice security for speed and that added that policy management consoles with the flexibility to handle heterogeneous infrastructures and devices are invaluable.

Other researchers weren’t as forgiving. AlienVault Security Advocate Javvad Malik said the issue of misconfigured cloud services is a growing problem and a lack of skill may be to blame.

“As more and more companies migrate datasets to the cloud, it is becoming apparent that many lack the cloud skills needed to secure the cloud infrastructure, gain assurance that the cloud infrastructure is secured appropriately, or monitor their cloud environments for unauthorized access,” Malik said. “While cloud can bring benefits of having a resilient infrastructure, security cannot be outsourced, and much of the responsibility remains with the customer.”

Malik added that unfortunately, the people affected the most are the patients who have had their sensitive information exposed. Researchers agreed mistakes like this emphasize the impact breaches like this can have on individuals.

The narrative surrounding breaches is so often defined by the financial implications, but the impact of medical records being leaked on individuals could be equally if not more damaging,” DomainTools Senior Sybersecurity Threat Researcher Kyle Wilhoit said. “Revealing potentially sensitive personally identifiable information could impact an individual’s employment or it could be used by criminals/state entities for targeted attacks, such as spear phishing.”

Wilhoit said Medical organizations need to start taking the data they have access to as seriously as financial organizations, all assets must be discovered and tested against current vulnerabilities and patches must be deployed quickly.