Medical information found open on the Internet, Lumin hacked, unsafe routers and more.
Welcome to Cyber Security Today. It’s Wednesday, September 18. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Doctors know a lot about medicine but apparently some know very little about cyber security. That’s the conclusion to be drawn from an investigation of the health industry by the news site ProPublica and a German public broadcaster. They found medical images and health data belonging to millions of patients in a number of countries sitting unprotected on the Internet. In the U.S. alone there were 187 servers with data on 5 million people unprotected by passwords or basic security precautions. These servers were in doctors’ offices, medical imaging centers and mobile X-ray services. When notified most of the offices immediately closed the holes. Understandably, a security researcher called the lack of security on these servers “utterly irresponsible.” Unfortunately too many in the medical community assume office managers, IT administrators or laboratories that do tests are properly looking after data security.
If you subscribed to or bought the Lumin app for editing PDF documents, your online name and email address could be among the 24 million users that have been exposed by a hacker. According to the ZDNet news service, the hacker published the extensive list on Monday. Many people use Lumin to edit documents held in their Google Drive. What’s worrying is that the stolen database not only has those names and email addresses, but also a piece of code called a Google access token for verifying logins. An attacker could use a stolen token to pretend to be the real user and log into their Google Drive account. To prevent this, Google will probably reject existing Lumin tokens and force users to log in and get a new one.
Customers of the U.S.-based firm Restaurant Depot, which sells to the commercial food industry, are being warned to be careful about clicking on email invoice attachments. It looks like someone got hold of Restaurant Depot’s customer list and is emailing them phony invoices. The messages look like they came from the company because “restaurantdepot” is in the sender field. But it’s a fake address. Click on the invoice and you get infected.
Manufacturers of computer equipment for homes and small offices still aren’t making them secure enough. That’s the conclusion of a study released this week by a U.S. consulting firm called ISE. It tested 13 Wi-Fi router and network-attached storage devices and found security vulnerabilities in all of them. Some were serious and could allow an attacker to take over devices without being authenticated. This was a follow-up test to one done in 2013, which included some of the same devices. Apparently manufacturers haven’t learned from that test. Manufacturers must begin training their developers on security best practices, the report concludes. As for consumers, they should avoid manufacturers with a history of security problems. Look at how a manufacturer handles patching and updates, as well as how long it offers security patches. And disable remote access capability if you don’t need it.
Finally, if you use the LastPass password manager, make sure you have the latest update. There’s a big bug that needs to be fixed. Unless you’ve tampered with the settings, LastPass should update automatically, but check to be sure.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.