
DeckerWright Corporation Blog

DeckerWright Corporation has been serving the Red Bank area since 1984, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The Week in Breach: 11/20/19 - 11/26/19

United States - Select Health Network

Exploit: Unauthorized Email Account Access
Select Health Network: Indiana-Based Collection of Healthcare Providers

An employee’s compromised email account credentials were used to access sensitive data for thousands of patients. The data was accessed between May 22 and June 13, and it’s unclear why it took the company so long to identify the breach and report it to patients. Regardless, a single compromised credential will likely result in sizable blowback in the form of regulatory scrutiny, brand erosion, and financial repercussions.

United States - PayMyTab

Exploit: Accidental Data Exposure
PayMyTab: Hospitality Payment Platform

Cyber-security researchers located an unsecured Amazon Web Services S3 bucket that contained the personal data of tens of thousands of PayMyTab users. Notably, the bucket was exposed because PayMyTab personnel did not apply the access controls Amazon recommends for S3 storage. Fortunately, the error was discovered by white-hat researchers who reported it to the company, but the bucket had been exposed since July 2, 2018, giving bad actors plenty of time to locate and exploit the information first.
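As an added example (not code from the original post, and not PayMyTab's configuration), here is how "unsecured bucket" can be checked for concretely. The functions below evaluate the three things S3 exposes for a bucket, the bucket policy, the bucket ACL, and the bucket's Public Access Block settings, and report whether the combination leaves the bucket readable by anyone. The sample policy, ACL and block settings are constructed inline in the shape of the documents the S3 API returns; the bucket name `example-receipts` and the Sid are made up. The evaluation is deliberately simplified: it ignores account-level block settings, object-level ACLs and access points, and it does not try to interpret a `Condition` element, which it leaves for manual review.

```python
import json
from typing import Dict, List, Optional

# Group URIs that make an ACL grant public (AllUsers) or near-public
# (AuthenticatedUsers means any AWS account in the world, not just yours).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal) -> set:
    """Normalise a statement's Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a set."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return {aws} if isinstance(aws, str) else set(aws)
    return set()


def public_policy_sids(policy_json: str) -> List[str]:
    """Sids of Allow statements that apply to everyone and carry no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce, aws:SourceIp) may narrow the grant;
            # that needs a human to read it, so it is deliberately not counted here.
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def public_acl_grants(acl: Dict) -> List[str]:
    """Permissions the bucket ACL grants to the AllUsers / AuthenticatedUsers groups."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            grants.append(f"{group}:{grant.get('Permission')}")
    return grants


def effective_exposure(policy_json: Optional[str], acl: Dict, block: Optional[Dict]) -> List[str]:
    """Combine policy, ACL and the bucket's Public Access Block into a list of findings.

    RestrictPublicBuckets neutralises a public bucket policy and IgnorePublicAcls
    neutralises public ACL grants, so each finding is reported only if the matching
    block setting is off. An empty list means nothing public was found.
    """
    block = block or {}
    findings = []
    sids = public_policy_sids(policy_json) if policy_json else []
    if sids and not block.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants public access: " + ", ".join(sids))
    grants = public_acl_grants(acl)
    if grants and not block.get("IgnorePublicAcls", False):
        findings.append("bucket ACL grants public access: " + ", ".join(grants))
    return findings


# Constructed sample data in the shape of the S3 API responses for a bucket
# (bucket name and grants are made up; none of this is PayMyTab's configuration).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-receipts", "arn:aws:s3:::example-receipts/*"],
    }],
})
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}  # the "turn on Block Public Access" fix

if __name__ == "__main__":
    print(effective_exposure(WEAK_POLICY, WEAK_ACL, NO_BLOCK))    # two findings
    print(effective_exposure(WEAK_POLICY, WEAK_ACL, FULL_BLOCK))  # []
```

The weak bucket is public twice over (a wildcard policy and an AllUsers ACL grant); switching on all four Public Access Block settings closes both routes without editing the policy or ACL, which is why that switch is the first thing to check when a bucket turns up in a report like this one.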

United States - Solara Medical Supplies

Exploit: Compromised Email Account
Solara Medical Supplies: Supplier of Diabetes-Related Treatment Products

An unauthorized third party gained access to several employee email accounts containing patient and employee data. The breach was first discovered on June 20th, and the compromised data was exposed between April 2nd and June 20th. In response, the company reset account passwords, and Solara is updating its policies to ensure that a similar scenario doesn’t occur again. Unfortunately, such measures won’t help patients whose data was already stolen. Moreover, the company’s lengthy response time will certainly invite increased regulatory scrutiny while giving consumers fodder for criticism during the recovery effort.


The Week In Breach: 11/13/19 - 11/19/19

United States - Florida Blue


Exploit: Phishing Attack
Florida Blue: Health Insurance Provider

A phishing attack at one of Florida Blue’s third-party vendors successfully duped an employee into compromising patients’ personally identifiable information (PII). The event affected fewer than 1% of Florida Blue’s members, but it shines a spotlight on the cyber-security weaknesses that third-party partnerships introduce. Now, because of an event outside its immediate control, Florida Blue will face intense regulatory scrutiny and suffer less-quantifiable reputational damage in the wake of the breach.

United States - SmartASP.NET


Exploit: Ransomware Attack
SmartASP.NET: Web Hosting Platform

Attackers encrypted the web hosting platform’s data, crippling both its own IT infrastructure and its customers’ hosted data. After the attack, the company’s phones and website were both inaccessible, and SmartASP.NET was forced to notify customers that their data had been encrypted. In addition to encrypting customer-facing infrastructure, a common target for ransomware, the attack locked up significant amounts of back-end data, which delayed recovery considerably.

United States - Starling Physicians


Exploit: Phishing Attack
Starling Physicians: Connecticut-Based Healthcare Group

Three employees fell for a phishing scam, giving hackers access to their email accounts, which contained patients’ personally identifiable information. The breach originally occurred on February 8th but wasn’t discovered until September, and it then took the company two months to identify those impacted and send notifications. This lengthy response time makes it harder for patients to protect their information, while also opening the company up to increased regulatory scrutiny that could result in fines or penalties that compound the financial impact of the breach.


The Week In Breach: 11/06/19 - 11/12/19


United States - InterMed

Exploit: Compromised Email Account
InterMed: Maine-Based Physician Group

Hackers gained access to four employee email accounts that contained patients’ protected health information. The first account was accessed on September 6th, and the others between September 7th and September 10th. Although InterMed did not report the specific weakness that led to the breach, credential stuffing or phishing are the likely culprits, which argues for multi-factor authentication on email and for password policies that reject credentials reused from other sites. The company’s slow response time and the sensitive nature of the compromised data will result in regulatory scrutiny that amplifies the post-breach impact.

United States - Brooklyn Hospital Center

Exploit: Ransomware
Brooklyn Hospital Center: Full-Service Community Teaching Hospital

A ransomware attack struck Brooklyn Hospital Center, making some patient data inaccessible and destroying other data entirely. The hospital first noticed unusual network activity in July, but it wasn’t until September that it determined certain data would never be recoverable. It’s unclear why it took another month to notify the public of the disabled or missing data. As healthcare providers both big and small face the threat of ransomware, a lengthy reporting delay compounds the problem and invites more hostile consumer blowback.

United States - Utah Valley Eye Clinic

Exploit: Unauthorized Database Access
Utah Valley Eye Clinic: Utah-Based Eye Clinic

A cyber-security vulnerability at a third-party affiliate compromised personal data for thousands of the clinic’s patients. The incident came to light when patients received fraudulent emails claiming they had received a payment from PayPal. The breach was only recently discovered but originally occurred on June 18, 2018, so patient data had been exposed for a significant duration. As a result, the clinic will likely face legal penalties and lost revenue due to exposed protected health information (PHI).


Security Concern #3 - Physical Security

One of the less emphasized areas of cyber security is physical security. HIPAA regulations cover the physical security of computer systems in detail. If you get a HIPAA Risk Assessment and it doesn’t include on-site visits to each location, the Risk Assessment document is incomplete. A growing area of concern is mobile computing, and multi-factor authentication using smart phones. With data now readily accessible outside the office, physical security has taken on new meaning.

A breach of the physical security of data systems means that an unauthorized person gains access to data. The unauthorized person is most likely an employee, but could be a client, vendor, criminal or other person. The most common physical data breach happens when a computer is left logged in and unattended. A curious employee can then act as the logged-in user and reach data they should not be seeing.

As part of a HIPAA Risk Assessment, the physical security of a company’s data systems is evaluated. Are the computers in areas secured from unauthorized persons? Very often computers need to be in areas where unauthorized persons pass through, such as a retail environment. In those cases, computers should be set with short inactivity timeouts that lock the screen when not in use, and the lock should require the user’s password to release. Laying out a work space so that monitors do not face public areas is also good practice.

Local data storage on servers, computers and storage devices must also be protected. Best practice is to keep the servers hosting the data in a secured, locked room, with access limited to the people who administer them. The room must have adequate cooling and ventilation so that the equipment stays within its operating temperature. Servers need to be protected from theft so that the data on them is protected; encrypting server volumes limits what a thief can read if a machine does walk out the door.

The latest threat to physical security is the increasing dependence on mobile computing. Smart phones, tablets and laptops are set up to access corporate data with remote access software, and sometimes corporate data is also stored on these devices. Since there is no way to “lock up” a mobile device, precautions must be implemented to protect corporate access to data on the devices. Devices should be protected with a password or biometrics for access, and any data on the devices should be encrypted. The operating assumption from a security perspective isn’t if the device will be lost or stolen, it is when. Without planning and implementing sound policies for mobile devices, a criminal can gain access to corporate data simply by stealing one.

The smart phone has become the de facto “token” for multi-factor authentication (MFA). Smart phones serve as MFA tokens either by receiving a text message with a six-digit code, or through apps such as Google Authenticator and Microsoft Authenticator. A criminal wanting to impersonate you therefore has a high interest in controlling your phone, or the phone number your text messages go to. A recent Wall Street Journal article (He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers) chronicles how cyber criminals targeted a person and took over his phone number to intercept the codes protecting his accounts; his estimated loss was over $24 million.

https://www.wsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600

Physical security is often overlooked in our high-tech industry, but it must be considered and planned for in order to protect corporate data.

See the HIPAA Security Rule’s physical safeguards (45 CFR 164.310) for the regulatory requirements.


The Week In Breach: 10/23/19 - 10/29/19

United States - BillTrust

Exploit: Ransomware Attack
BillTrust: B2B Billing Service Provider

A ransomware attack crippled BillTrust’s customer-facing systems, forcing the company to take all infrastructure offline to stop the malware’s spread. The company discovered the attack on October 17th, and it took nearly a week just to begin recovery efforts. Fortunately, BillTrust maintained backups that were unaffected by the attack, which made it possible to avoid paying the ransom. Nevertheless, the lost revenue, reputational damage, and recovery expenses will chip away at the company’s bottom line.

United States - Kalispell Regional Healthcare

Exploit: Phishing Attack
Kalispell Regional Healthcare: Family Healthcare Provider

Several employees fell for a phishing campaign that compromised their login credentials and, through their mailboxes, patients’ personally identifiable information. Hackers accessed the data between May 24, 2019 and August 28, 2019. As a result, the organization will bear the cost of identity and credit monitoring for all victims and will face intense regulatory scrutiny. Brand reputation is also jeopardized, as the hospital was previously recognized as a highly ranked healthcare provider for its cybersecurity practices.

United States - Ocala City

Exploit: Spear Phishing Attack
Ocala City: Local Municipality

A spear phishing attack convinced an Ocala City employee to transfer $640,000 to a fraudulent bank account. The account still had $110,000 left when the city identified the scam, but cybercriminals still walked away with over $500,000. To trick the employee, cybercriminals sent an email purportedly from one of the city’s construction contractors and requested payment to a bank account that did not belong to the contractor. While the email and bank account were fraudulent, the invoice was legitimate, which made this incident especially difficult to detect.


The Week in Breach: 10/30/19 - 11/5/19

United States - Web.com

Exploit: Unauthorized Database Access
Web.com: Domain Name Registration and Web Services Provider

An unauthorized third party accessed Web.com’s network and compromised customers’ personally identifiable information. The intrusion took place in August 2019, but IT personnel were not able to identify the breach until October 16th. Data breach notifications went out this week, but the significant detection delay will certainly compound the damage for both the company and its customers.

United States - sPower

Exploit: Cyber-Attack
sPower: Renewable Energy Provider

sPower was the victim of a cyber-attack that interrupted communications between its control center and its wind and solar generation sites. Although the attack occurred in March, the details are only now emerging through a Freedom of Information Act request by reporters covering the energy sector. Attackers exploited a known, unpatched vulnerability in the company’s internet-facing firewalls, repeatedly rebooting them and cutting off the link to the sites behind them. The event could significantly harm the company’s reputation within the energy industry, impacting its ability to land future contracts and compete with other companies.

United States - City of San Marcos

Exploit: Cyber-Attack
City of San Marcos: Local Government Municipality

Hackers accessed the city’s computer systems and restricted access to significant portions of their IT infrastructure. The attack, which began on October 24th, brought down email accounts and other communication services. As a result, messages sent to city employees were not delivered, though government facilities remain open. Recovering from the attack is proving especially difficult, as the services are still restricted for more than a week after the initial event. To prevent further attacks, employees are being asked to change their passwords and enable two-factor authentication on their accounts.


The Week in Breach: 10/16/2019 - 10/22/2019

United States - Pitney Bowes Inc.

Exploit: Malware attack
Pitney Bowes Inc.: Mail Management Company

A malware attack prevented Pitney Bowes’ employees and customers from accessing critical services. The company, which specializes in mail management, lost business directly as a result of the attack: customers were unable to refill postage or upload transactions on their mailing machines. In addition, the announcement sent the company’s shares down 4%, which underscores the many ways a cybersecurity incident can hurt a company’s bottom line.

United States - Alphabroder

Exploit: Ransomware Attack
Alphabroder: Promotional Product Supplier

A ransomware attack temporarily halted Alphabroder’s processing and shipping platform. Since the ransomware prevented the company from executing orders, Alphabroder was forced to make a statement on social media and interrupt most business processes. Alphabroder did subscribe to cybersecurity insurance to help offset the costs, but the reputational damage and long-term infrastructure costs can be difficult to quantify and are capable of significantly dampening the company's financial prospects in the near term.

United States - Stripe

Exploit: Phishing Attack
Stripe: Online Payment Processing Company

Hackers are deploying fake and invalid Stripe support alerts to engage customers and procure user credentials. After clicking on the fictitious support alert, users are prompted to enter their bank account information and user credentials on a fake customer login page. This isn’t the first time that Stripe customers have been targeted in phishing attacks, and such attacks are becoming increasingly sophisticated and prevalent.


The Week in Breach 10/02/19 - 10/08/19

United States - Zynga

Exploit: Unauthorized Database Access
Zynga: Social Game Development Company

Hackers gained access to the company’s database, exposing the personally identifiable information (PII) of millions of customers. The company discovered the breach in September and responded by hiring an external investigator to determine its scope and severity. Unfortunately, by the time it responded, the hackers had already uploaded user data to hacker forums.

The data breach applies to all users of the platform’s popular Words with Friends gaming app on Android and iOS who registered on or before September 2, 2019. In addition, some users of Draw Something, another mobile game produced by Zynga, were compromised. The exposed information includes names, email addresses, login IDs, hashed passwords, password reset tokens, phone numbers, Facebook IDs, and other Zynga account details. Since this information is already available to bad actors on the Dark Web and will be used to perpetrate additional cybercrimes, those impacted by the breach should carefully monitor their accounts while being especially watchful for fraudulent communications. Because password reset tokens were among the exposed fields, affected users should also change their passwords (and any reuse of them elsewhere) rather than rely on the password hashes holding up.

United States - Tomo Drug Testing

Exploit: Unauthorized Database Access
Tomo Drug Testing: Medical Laboratory Providing Drug and Screening Services

An unauthorized user gained access to Tomo’s customer database, which contained a treasure trove of personal data. Upon discovering the access, Tomo hired an external forensic firm to investigate the incident, which confirmed that customer data was either deleted or removed from the database. Although Tomo can’t confirm that hackers downloaded data, they are charged with notifying their customers and regulatory bodies of the incident. This could bring additional expenses and revenue reductions to the drug testing company. Moreover, the company will certainly face additional criticism and scrutiny for its lengthy reporting process and the sensitive nature of the compromised information in question. The breach occurred on July 1, 2019 but wasn’t officially reported until this week.

Tomo confirmed that personal data, including names, driver’s license numbers, Social Security numbers, and drug test results could be compromised. The drug testing company has set up a designated helpline, and they encourage those impacted by the breach to acquire a free credit report to identify abnormalities.

United States - Zendesk

Exploit: Unauthorized Database Access
Zendesk: Customer Service Software company

More than three years after the event, Zendesk acknowledged a data breach after a third party notified the customer service software company of unauthorized data access. The breach impacts Support and Chat accounts, and it includes personal data from all categories of Zendesk users, including customers, agents, and end users. The company is resetting all passwords for users that registered before November 1, 2016. However, the platform touts many high-profile companies as clients, which means that the breach could have far-reaching repercussions for all stakeholders involved.

The personal details of customers, agents, and end users were compromised in the breach. This includes names, email addresses, phone numbers, passwords, and other technical account data. The company is contacting all customers who could be impacted, and those affected should reset their Zendesk passwords and change the same password anywhere it was reused on other platforms.


Security Concern #2 - Employees

Despite the industry focus on cyber-criminals and defending against different attack methods, employees continue to be a primary source of data loss for businesses. In this article we discuss documented ways employees have stolen corporate data for their own benefit.

Employees achieve economic gain by stealing business data through three primary methods. First, an employee can steal cash from a business. Often an employee is entrusted with taking care of the company’s financials. If the employee has end-to-end authority over financial transactions, it is easy for the employee to divert funds into their own pockets. There are many examples of this type of employee criminal behavior, including processing false reimbursement vouchers, cashing fraudulent checks and paying fictitious invoices to companies controlled by the employee or an accomplice. Safeguarding the company’s accounting system is based on establishing clear procedures with at least two people involved in every transaction. The person processing accounts payable should NOT be the person paying the bills. Expense vouchers and bills should be reviewed by a second person prior to payment to reduce fraud.

The second way employees attempt to profit from stealing business data is to use that data either to enhance their position with a new employer or to start their own business. The most common theft is of client contact and sales information, which the new entity can use to market to the company’s clients. There are two ways to combat this type of loss. One method uses tools after the theft to legally pursue the former employee, and the second relies on technology to try to stop a theft in progress. In order to pursue a former employee for possible data theft, a company needs both contractual protection and electronic proof of theft. Legal protection is normally included in the employee handbook or employment contract. Electronic proof can come from phone logs, computer security logs, video, emails and high-tech monitoring software. Putting together the evidence of theft is often impossible for companies that haven’t done the up-front work to retain log files and archive emails.

The third way employees attempt to capitalize on business data theft is by selling the data. A recent example is the Capital One data theft. The attacker, a former employee of Capital One’s cloud provider, used insider knowledge of how that platform is configured to gain access to Capital One’s client financial data, and then posted the stolen data online. These types of threats are increasing in frequency and intensity. Methods to prevent these types of business losses include limiting employee access to only the data they need to perform their business tasks. Make sure logging is enabled and that log files are archived, so that if there is a breach, log file forensics can determine who took what.
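To make the logging advice concrete, here is an added example (not from the original post, and not from any product it mentions) of the kind of log review that answers “who took what”. It parses a constructed application access log, flags a user who touched far more distinct client records than their normal daily baseline, lists after-hours activity, and lists the records that user exported. The log format, the user names, the record IDs and the baseline figures are all invented for the example; a real deployment would read the archived logs of the line-of-business application and derive the baselines from its history.

```python
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample access log from a line-of-business app (invented users, IDs and format).
SAMPLE_LOG = """
2019-09-06T09:12:44Z user=jdoe action=read record=CLIENT-1042 src=10.0.5.17
2019-09-06T09:13:02Z user=jdoe action=read record=CLIENT-1043 src=10.0.5.17
2019-09-06T10:41:19Z user=jdoe action=update record=CLIENT-1042 src=10.0.5.17
2019-09-06T22:03:51Z user=msmith action=read record=CLIENT-2001 src=10.0.7.88
2019-09-06T22:03:58Z user=msmith action=read record=CLIENT-2002 src=10.0.7.88
2019-09-06T22:04:06Z user=msmith action=read record=CLIENT-2003 src=10.0.7.88
2019-09-06T22:04:13Z user=msmith action=read record=CLIENT-2004 src=10.0.7.88
2019-09-06T22:04:20Z user=msmith action=read record=CLIENT-2005 src=10.0.7.88
2019-09-06T22:04:27Z user=msmith action=read record=CLIENT-2006 src=10.0.7.88
2019-09-06T22:04:35Z user=msmith action=read record=CLIENT-2007 src=10.0.7.88
2019-09-06T22:04:42Z user=msmith action=read record=CLIENT-2008 src=10.0.7.88
2019-09-06T22:09:30Z user=msmith action=export record=CLIENT-2007 src=10.0.7.88
2019-09-06T22:09:31Z user=msmith action=export record=CLIENT-2008 src=10.0.7.88
Sep  6 22:10:01 app[1234]: heartbeat ok
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+) src=(?P<src>\S+)$"
)


def parse_log(lines: List[str]) -> List[Dict]:
    """Parse matching lines into events; lines in another format are skipped, not fatal."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def records_by_user(events: List[Dict]) -> Dict[str, Set[str]]:
    """Distinct records each user touched (the 'who' side of the report)."""
    seen = defaultdict(set)
    for event in events:
        seen[event["user"]].add(event["record"])
    return seen


def flag_bulk_access(events: List[Dict], baseline: Dict[str, int], factor: int = 3) -> Dict[str, List[str]]:
    """Users who touched more than `factor` x their normal daily number of distinct records.

    A user missing from `baseline` gets 0, so any access by an unexpected account is flagged.
    """
    flagged = {}
    for user, records in records_by_user(events).items():
        if len(records) > baseline.get(user, 0) * factor:
            flagged[user] = sorted(records)
    return flagged


def after_hours(events: List[Dict], start: time = time(7, 0), end: time = time(19, 0)) -> List[Tuple[str, str, str]]:
    """(user, timestamp, record) for events outside the normal working window."""
    return [(e["user"], e["ts"].isoformat(), e["record"])
            for e in events if not (start <= e["ts"].time() < end)]


def what_was_taken(events: List[Dict], user: str) -> List[str]:
    """Records a user exported: the 'what' side of the report."""
    return sorted({e["record"] for e in events
                   if e["user"] == user and e["action"] == "export"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    baseline = {"jdoe": 5, "msmith": 2}   # typical distinct records per day, from history
    for user, records in flag_bulk_access(events, baseline).items():
        print(f"{user}: {len(records)} distinct records, exported {what_was_taken(events, user)}")
    for row in after_hours(events):
        print("after hours:", row)
```

None of this is possible if the application only keeps a week of logs on the server that was wiped, which is the point of the archiving advice: the analysis is simple, the evidence is the hard part.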

DeckerWright supports multiple employee tracking software systems including Veriato and Teramind. These software solutions track everything an employee does and can provide alerts if the employee is doing suspicious activities. While these solutions aren’t cheap, they do provide a method for using technology to both prevent and then document employee data theft.



Remote Users: Security Concern #1, Cyber Criminals

One of the major trends in our industry has been the proliferation of remote workers using “Bring Your Own Device” (BYOD). Since the devices are owned by the employee, corporate security teams often cannot install their management software on them. Company data may be accessed by two methods: directly through apps, or indirectly through remote desktop capabilities. Both methods rely on a device that is outside the corporate IT infrastructure and in the possession of an employee, and either method exposes the company’s data to loss to cyber criminals. To understand why, this article discusses some of the tools cyber criminals can deploy to exploit remote employees.

In the normal course of our business, we help clients monitor the activity of their employees on their devices. The “good guy” monitoring software provides a window into the types of tools used by cyber criminals to compromise a company’s security and gain access to valuable data. These tools include keystroke logging, click logging, URL logging, screen shots, access to log files and an inventory of the software used by the employee. In the hands of a skilled cyber-criminal, these tools would allow the cyber-criminal to impersonate the employee and gain access to the company’s systems.

Here’s how. The software inventory tells the cyber-criminal what software they need installed to make the connection. The keystroke logger provides the user name and password, and the screen shots provide information about the connection, including clues about the multi-factor authentication in use. If a VPN tunnel is set up, the cyber-criminals can remotely control the employee’s computer to read the VPN configuration and extract any keys or certificates. With no multi-factor authentication (MFA), this information alone would be enough to gain access to most systems.

The most common form of multi-factor authentication sends a code to a cell phone. Cyber-criminals have two methods for getting the MFA codes from a smart phone. One method is to get malware installed on the employee’s phone that forwards any codes received to the cyber-criminal, or allows the cyber-criminal remote control. The more common method used today is for the cyber-criminals to take over the employee’s phone number by impersonating the employee with the cellular phone company (a “SIM swap”). Once the phone number is switched to their own device, the criminals receive the text-message codes directly. Both of these methods have been documented in use by cyber-criminals. Note that a SIM swap only captures codes delivered by text message or voice call; codes generated by an authenticator app never leave the handset, so they are unaffected by a number port, though they are still exposed if the handset itself is compromised or stolen.
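The passage above, and the physical security article earlier on this page, both treat the phone as the MFA token. This added example (not code from the original post) implements the RFC 6238 time-based one-time password that apps such as Google Authenticator and Microsoft Authenticator compute, to show why the two delivery methods fail differently: an app-generated code is derived on the handset from a shared seed and the current time, so it never crosses the carrier’s network and a SIM swap cannot capture it, whereas the handset (or a copy of its seed) is all an attacker needs to generate valid codes. The seed used is the published RFC 6238 test seed, not anyone’s real account; `verify_totp` and `seed_from_otpauth_secret` are names chosen for this example, and the one-step verification window is an assumption that mirrors common server settings.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Everything needed is the seed and the clock, both of which live on the handset;
    nothing is sent to the phone, so there is nothing for a SIM swap to intercept.
    """
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compare."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, (at // step) + drift)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def seed_from_otpauth_secret(b32: str) -> bytes:
    """Decode the base32 seed an authenticator app scans from an otpauth:// QR code.

    Apps accept lower case and spaces and usually omit '=' padding, so restore it here.
    Whoever holds this value can generate codes forever, which is why it must never be
    stored in plain text on the server side either.
    """
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); used here as a
# constructed example, not a real account's secret.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, at=59))   # 287082 (RFC 6238 vector, truncated to six digits)
    print(totp(RFC_SEED))          # the code an authenticator app would display right now
```

Contrast this with a text-message code: the server generates the code and hands it to the carrier, and the carrier delivers it to whichever SIM currently holds the number. Moving the number is enough to receive it, which is exactly the SIM-swap method described above.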

A cyber-criminal could also use an active session to impersonate an employee when they aren’t working to gain access to information. Cyber-criminals controlling a device could also inject code into a company’s systems to search for and exploit weaknesses in internal systems. Since the screen shots will reveal the company’s internal systems, the cyber-criminals can tap the vast library of hacker’s tools to compromise the system. The success of either of these methods may allow the cyber-criminal to gather corporate information.

Any remote device compromised and controlled by a cyber-criminal can become a gateway to your company’s data.

