Cyber Advisors Business Blog

In the Know - Cyber Security Update - Week of August 27th-September 3rd

Written by Eric Brown | Sep 5, 2017 12:42:32 PM
St. Jude pacemakers get a patch, your Amazon wishlist could be exposed to anyone who knows your email address, security researchers deconstruct a gift card attack, yet another unsecured Amazon S3 bucket exposes millions of records, and Google reminds site administrators the next version of Chrome will warn visitors if a site isn’t protected with an SSL certificate.


1.  
465,000 St. Jude pacemakers to receive a critical patch - a year after a vulnerability was discovered 

A critical flaw in the code of St. Jude, now Abbot, pace makers manufactured before August 28th 2017 allows, would be, attackers the ability to gain access and control the device from up to 50 feet away.

The attacker could issue commands to change the way the device functions or cause it to stop functioning all together.

A year ago (8/26/16) security researchers partnered with an investment firm and published this information.   The investment firm drew ire for shorting the stock, but believed that publishing was the only way to get St. Jude to take action, and that the people who had these devices inside their bodies had a right to know.

“We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users.”

The report goes on to say that attacks do not take much skill and can be directed to any device within a 50 foot radius through the “Merlin@home” home monitoring kits.  “These units are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited to cause implanted devices to malfunction and harm users”

Open Letter to Doctors:

https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker-firmware-update-doctor-letter-aug2017-us.pdf

MuddyWaters Cyber Security report:

http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016_2.pdf

2. Your Amazon Wishlist is open to anyone who knows your email address

In the age of information, it’s easy for someone to gain information about you.  One of those ways is through your Amazon Wish list.  Wishlists are open to the public to see, all that is needed is the email address you use on Amazon, or in the case of some recent members of President Trump’s inner circle a unique spelling of your name.

Take a moment, review your publicly exposed Amazon Wishlist, and delete anything that you don’t literally want the world to see. 

Amazon Wishlist & Registry Search
https://www.amazon.com/gp/registry/search

Some members of President Trump’s Inner Circle Amazon Wish List

https://www.wired.com/story/trump-world-amazon-wish-lists/?mbid=social_twitter_onsiteshare

3.  A security researcher reveals how to easily attack gift cards

A security researcher for Evolve Security shows how to hack retail gift cards 

  1. Obtain a target company’s gift card to determine possible card numbers.  Some card numbers increment by 1, others are random.  The more sample cards available, the easier it will be to establish a pattern.  Typically the last 4 digits are randomized.
  2. Visit webpage that the retail entity uses to check card value (Example Best Buy: https://www-ssl.bestbuy.com/site/olspage.jsp?id=pcat17043&type=page&CMP=ocss)
  3. Use a brute force tool such as Burp Intruder to cycle through card numbers & PIN numbers. 10,000 Numbers will take about 10 minutes.

 Once this information is obtained, they can be used on the retailer’s site.  Or written to a blank plastic card with a magnetic stripe writing device available on Amazon for $60.  https://www.amazon.com/MSR605X-3-Track-Magnetic-Stripe-Encoder/dp/B01N6NUQMY/ref=sr_1_2?ie=UTF8&qid=1504487343&sr=8-2&keywords=magnetic+stripe+writer

Some retailers have removed the balance checking feature of their cards or implemented strong CAPTCHAs.

Full Wired Article:
https://www.wired.com/story/gift-card-hacks/

4.  Another Amazon Cloud Storage Leak – 4 Million Time Warner Cable Records

Big companies continue to make rookie mistakes when handling data storage in the cloud.  Broadsoft, a service provider partner, left 4 Million Time Warner Cable records exposed on two Amazon S3 buckets without a password.  The 600 GB of exposed records date back to 2010 and include email addresses, financial transactions, user names, billing addresses and MAC addresses.

Users of the TV providers’ mobile app are vulnerable.  Charter Communications (now Spectrum), who owns Time Warner Cable is recommending that users change passwords.

Gizmodo Article:
https://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579

5.  Google Reminding Site Administrators that HTTP pages will be marked “NOT SECURE” in October.

With the next stable release of Google’s Chrome browser, Version 62, visitors to HTTP sites that include text input fields will receive a “NOT SECURE” warning popup. 

Google has been actively seeking ways to encourage website owners to implement SSL certificates. SSL allows websites to be accessed over HTTPS, which encrypts information sent between the visitor and web server.

Is your site affected?

  1. Does your site take any text input? This includes email signup forms, search bars, login panels, etc.
  2. Is your website using HTTP:// in the address bar?

If the answer to both questions is “yes” then SSL needs to be implemented to avoid a “NOT SECURE” designation in visitors to your site using a Chrome (version 62 or later) browser.

Many hosting providers include a secure certificate.  Let’s Encrypt, an organization dedicated to making 100% of websites HTTPS, provides free certs.

In August 2017 Google Chrome Browsers represented 57% of the web browser market share, followed by Safari (15%), and Internet Explorer/Edge (9%).

Google Security Blog:
https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

Let’s Encrypt:
https://letsencrypt.org/