An Irish water treatment plant is temporarily shut by cyber attack, WordPress issues a security patch, and more.
Welcome to Cyber Security Today. It’s Monday, December 11th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
Another water treatment plant has been hacked over its use of Israel-made equipment. It happened last week in an east coast area of Ireland called Erris. About 180 residences were without water for two days when the hackers got past the systems’ firewall and shut a small utility. Last week I reported that a hacking group believed to be from Iran called CyberAv3ngers is going after utilities using equipment from Israeli companies.
December is the second anniversary of the revelation of a serious vulnerability in the Apache Log4j2 open-source library used in many applications. So how many applications have been patched since then? Not enough, according to researchers at Veracode. They estimate 38 per cent of current applications are still vulnerable to attacks. Many of them are using a version of Log4j2 that stopped getting support in August, 2015 and can’t be patched. Do you know what’s in your organization’s software?
Here’s some healthcare-related cyber news:
Louisiana-based Lafource Medical Group has agreed to pay US$480,000 to the U.S. Department of Health and Human Services after one of the owners fell for a phishing email in 2021. That exposed some patient health data. An investigation showed that before the incident the company never conducted a security rule risk analysis or had procedures to regularly review records of IT system activity. In addition to the financial settlement the medical group also agreed to implement security measures to reduce the risks to electronic patient records as required by federal health law.
Norton Healthcare, which runs eight hospitals in Kentucky and Indiana, is notifying 2.5 million patients, as well as current and former employees, that their personal data might have been copied in a ransomware attack in May. The attacker got into network storage servers.
By the way, last week the Health and Human Services Department released a proposed plan to tighten cybersecurity requirements for American hospitals. As part of the plan the government will publish cybersecurity performance goals that hospitals ought to aim for, as well as new cybersecurity requirements they have to meet. The department is seeking comment before finalizing the plan.
New U.S. rules start a week today obliging publicly traded companies to publicly disclose material cyber incidents to the Securities and Exchange Commission within four business days. Companies can ask for a delay for national security or public safety reasons. Small companies will have an extra 180 days to comply.
Americold Logistics, a cold storage company based in Atlanta, is notifying just over 129,000 people of a data breach. It says got into its IT system in April. Data stolen may have included names, addresses, Social Security numbers, Drivers licence numbers and employment-related health insurance and medical information.
U.S. hotel chain Red Roof Inns is notifying over 27,000 people their personal information may have been stolen in a September ransomware attack. The data may have included credit or debit card numbers and their related security, access, PIN codes or passwords.
Among the latest American firms reporting data thefts in the hacks of MOVEit file transfer applications is Independent Living Systems. It which provides managed long-term services and support to people covered by certain health plans. It is notifying just under 20,000 people their personal information may have been copied when the company’s MOVEit Transfer application was hacked.
Officials from Google, Meta and X will testify later today and on Wednesday at Canadian parliamentary hearings into social media platforms. The committee is particularly looking into personal information data collection by platforms as well as the abuse of platforms by foreign governments.
Parliamentary hearings on Canada’s proposed federal privacy and artificial intelligence legislation continue on Tuesday. Privacy commissioners from Alberta, British Columbia and Quebec are scheduled to testify.
Here’s some patching news:
A new security update from WordPress is now available that fixes several problems including a big vulnerability. Threat actors could leverage it through some plugins, so install this update fast. You need to be running version 6.4.2.
Twenty-one new serious vulnerabilities have been found and need patching in Sierra Wireless Airlink cellular routers. That’s according to researchers at Forescout. Of the routers Forescout sees that are exposed to the internet, 90 per cent haven’t had patches installed that were released in 2019. And of those that expose a specific management interface, 90 per cent are end of life and can’t be patched. In addition to installing the latest patches, the default SSL certificates for Sierra Wireless routers have to be changed. This is an inventory control problem as well as a technology problem. Why? Because hardware and software can’t be patched if administrators don’t know about them. And they have to learn how devices like routers can be patched.
Finally, lots of companies offer utilities through app stores to help you do things better. But some of those apps may lead to the downloading of malware. Researchers at Spin.AI say this is especially important during this holiday period when people may be tempted to download shopping, news, travel and chat browser extensions that aren’t from reputable developers. Be suspicious of apps that aren’t regularly updated or ask for high levels of permissions to access your contact list and photos.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon
