DNS Hijacking Threatens Remote Employees

In a recent discovery by Bitdefender, new router DNS (Domain Name System) hijacking attacks have been targeting home routers and redirecting victims to fake coronavirus pages. These attacks have focused on leading people to download applications that are infected with Oski malware. The malware has the ability to extract browser credentials, cryptocurrency wallet passwords, and other valuable information. At a time when many employees are working remotely from home offices, this attack is an even bigger threat to organizations. Without proper secure remote access protocols in place, you’re leaving your employees vulnerable to vicious attacks.

The Attack Explained

Hijacking traffic is possible because hackers are searching for vulnerabilities and brute forcing passwords to gain access to routers’ DNS settings. A brute force attack is a simple method of using bots to guess potential passwords until access is granted. According to Bitdefender and Bleeping Computer, the attacks are targeting both Linksys and D-Link routers. Once the DNS settings are changed, the hackers can redirect victims to any webpage. The false coronavirus webpage involved in this attack claims to share a message from the World Health Organization. Since the domain name looks legitimate, victims can be easily fooled by this attack.

Once the victim opens the file on the webpage, they download the malware and their valuable data can be stolen. Reports claim the attack began on March 18 and, as of March 26, has targeted at least 1,193 victims in the U.S., Germany, and France. As more and more organizations migrate to remote work, the likelihood these attacks will grow in number is high.
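A defensive check for the redirection described above, added here as an example and not taken from Bitdefender or KirkpatrickPrice: a remote laptop resolves a few canary hostnames whose records the organization pins, and any unexpected answer points to altered DNS settings upstream of the device. The hostnames, the addresses (documentation ranges) and the function names are assumptions constructed for illustration.

```python
import socket

# Constructed sample: canary hostnames the organization controls, with pinned
# A records (hypothetical names, RFC 5737 documentation addresses).
PINNED = {
    "canary1.corp.example": {"192.0.2.10"},
    "canary2.corp.example": {"192.0.2.20", "192.0.2.21"},
    "canary3.corp.example": {"198.51.100.7"},
}

def observe(names):
    """Resolve each name through the system resolver (on a home network, via the router)."""
    seen = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            seen[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            seen[name] = set()  # resolution failure is itself worth reporting
    return seen

def audit(observed, pinned=PINNED):
    """Return (hostname, reason) findings where local answers deviate from pinned records."""
    findings = []
    unexpected = {}  # unexpected IP -> canaries that resolved to it
    for name, expected in sorted(pinned.items()):
        answers = observed.get(name, set())
        if not answers:
            findings.append((name, "no answer"))
            continue
        for ip in sorted(answers - expected):
            findings.append((name, f"unpinned address {ip}"))
            unexpected.setdefault(ip, []).append(name)
    # Unrelated canaries answering with one unexpected IP suggests blanket redirection.
    for ip, names in sorted(unexpected.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"shared redirect target {ip}"))
    return findings

# Constructed observations from a laptop behind a router whose DNS settings were altered.
HIJACKED = {
    "canary1.corp.example": {"203.0.113.66"},
    "canary2.corp.example": {"203.0.113.66"},
    "canary3.corp.example": {"198.51.100.7"},
}

if __name__ == "__main__":
    for host, reason in audit(HIJACKED):
        print(host, "->", reason)
```

Pinned canaries avoid the false positives that CDN-hosted names produce, since their answers legitimately vary by location. In live use, pass `observe(PINNED)` to `audit` instead of the constructed sample.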

What This Means for Remote Security

The Founder and President of KirkpatrickPrice, Joseph Kirkpatrick, when discussing this hack, said, “This is an example of why remote access security is so important right now. Attackers are hitting the soft targets: home routers.” You need to protect your remote employees from the threats that are exploiting vulnerabilities in their own homes. Home routers are more vulnerable than corporate networks because they tend not to follow the same security protocol.

Eventually, the malware on remote devices can find other access points into your network. Your remote employees could potentially be the host for a threat to steal data from your organization. Do you have a secure remote access plan in place to combat these threats? Does it involve the implementation of controls that will mitigate vulnerabilities and prevent attacks such as the DNS hijacking we’ve seen recently? To test your remote access plan, contact KirkpatrickPrice today!

Coronavirus Hits Healthcare’s Cyber Readiness

Healthcare organizations all around the world are fighting the coronavirus pandemic, but they are fighting more than just the virus. While the healthcare industry is focused on public health and patient care, hackers are taking this opportunity to target them with all types of cyber attacks. Has the lack of cyber readiness finally caught up to the healthcare industry? Is it taking a global pandemic for healthcare organizations to face the facts: they need to improve their security hygiene once and for all?

HHS Network Targeted

The U.S. Department of Health and Human Services (HHS) was targeted in what looks like an attempt to overload its website with millions of hits. They detected a significant increase in activity on HHS cyber infrastructure, appearing to be an attempted Distributed Denial of Service (DDoS) attack. Fortunately, this attack was unsuccessful and no federal networks were impacted. HHS Secretary, Alex Azar, said, “We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions.”

Fake Coronavirus Map from Johns Hopkins

As hackers leverage our fear, they find new ways to deliver malware. In one of the latest attacks, an interactive map that reports on coronavirus infections and deaths, produced by Johns Hopkins, is being used maliciously. Brian Krebs reported, “Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme.” The user believes they are using the legitimate map, but they’re actually spreading password-stealing malware.

Ransomware on Illinois Public Health Network

On March 10, a ransomware attack on the Champaign-Urbana Public Health District in Illinois took down their website. The timing of this attack couldn’t be worse, as the organization needs to communicate critical and ongoing coronavirus updates. No critical systems, PHI, or ePHI were compromised during the attack and the website has since been restored – but an investigation did confirm that it was caused by Netwalker (MailTo) ransomware.

Your Cyber Readiness

Healthcare organizations are particularly vulnerable to cyber attacks on any given day, but especially during this time of unpredictability. Now that you’ve seen scenarios like the HHS defending its network versus Champaign-Urbana Public Health District’s network going down, it’s time to consider how your organization would respond. If you’re interested in testing your incident response plan, participating in pen testing, or consulting on your cyber readiness, we’re ready to help!

Privacy Concerns During the Coronavirus

How does privacy law come into play when a pandemic hits? Do the rules change? How do business associates and covered entities know when and where they can share PHI related to the pandemic? Let’s discuss so that you know the impact to your organization.

HIPAA Privacy Rule and Pandemics

The HHS recently released a memo that explains how the HIPAA Privacy Rule balances protection of PHI with protection of national public health. During pandemics like the coronavirus, the HHS outlines the unique disclosure permissions in the HIPAA Privacy Rule:

  • Treatment – Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient or to treat a different patient.
  • Public Health Activities – Covered entities may disclose, without a patient’s authorization, PHI about the patient when it is legitimately required by public health authorities to carry out their public health mission.
  • Disclosures to Family and Friends – Under specific scenarios outlined by the HIPAA Privacy Rule, a covered entity may share PHI with a patient’s family members, relatives, friends, or others involved in the patient’s care.
  • Preventing Serious and Imminent Threats – Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • Disclosures to the Media – Reporting to the media or the public at large about an identifiable patient or their treatment is not permitted without the patient’s written authorization.
  • Minimum Necessary Disclosures – Covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary.”

For business associates, the main impact will potentially be requests from their covered entity to facilitate PHI disclosures to local, state, and federal health authorities as well as to friends and families of patients. For covered entities, a point of focus should be involving and preparing their Privacy and Compliance Officers to ensure proper disclosures and minimum necessary standards are being followed.

If you are a business associate or covered entity impacted by the HIPAA Privacy Rule, we encourage you to study the DHHS’ memo to reacquaint your organization with the unique disclosure permissions caused by a pandemic.

GDPR and Pandemics

Will coronavirus test Europe’s commitment to privacy? GDPR does allow for the temporary suspension of privacy requirements for certain crises like this pandemic. Article 9 addresses how long the information can be stored and where, who has access to it, and when the data should be purged after the crisis passes.

Some European countries have adopted their own guidance on privacy in the time of the coronavirus – Italy has adopted Civil Protection Ordinance No. 630 to temporarily lift restrictions on sharing personal data related to public health issues. France has published guidelines for data sharing and data retention related to coronavirus response. Germany’s Federal Data Protection Act addresses processing special categories of personal data.

Your Response to Coronavirus

In times like this, we never want your organization to feel uncertain about your privacy practices. If your Privacy or Compliance Officers have questions about how to handle this pandemic, don’t hesitate to reach out. We do not want you to just survive this crisis. We want you to emerge stronger and more secure on the other side of it.

The Global Impact of COVID-19

It’s been nearly two months since China confirmed an outbreak of a novel coronavirus, COVID-19, in Wuhan. With over 93,000 confirmed cases reported globally, including more than 200 in the United States, countries across the globe have started to feel the impact of the virus. Industries like manufacturing, farming, travel, healthcare, finance, banking, retail, and technology have all taken a hit from the global outbreak, forcing them to deal with delayed products, slow distribution, low earnings, and falling stock prices.

Major technology companies like Apple have begun feeling the impact of the virus as their manufacturers are slow to return to their factories in Zhengzhou, delaying the production of parts needed to manufacture the iPhone 11s. Mobile applications, like the fintech trading software, Robinhood, also have felt the brunt of the outbreak: with the stock market violently fluctuating, investors were shocked to find the software unable to handle the large volumes of people trying to trade. Similarly, airlines, such as United, have suspended international and domestic flights – a move that will ultimately end up hurting their bottom line.

No matter their industry, size, or location, all businesses are susceptible to falling victim to man-made or natural disasters, including pandemics like SARS, H1N1, and now, COVID-19. But, while pandemics may seem like they are far less likely to occur, they should still be a critical part of your business continuity planning. Why? Let’s see what KirkpatrickPrice specialists had to say about the recent, ongoing pandemic, the coronavirus.

Testing Your Business Continuity Plan

Because pandemics don’t happen very often, it can be easy for organizations to procrastinate about testing their BCP in such situations. But this only leads to chaos when an outbreak does occur. When a pandemic occurs, almost every industry in the world is impacted – manufacturing, farming, travel, healthcare, finance, banking, retail, technology – causing stock markets to crash, layoffs to occur, death numbers to rise, and panic to ensue. We see this every day in coronavirus updates. This means that not only are businesses struggling to continue production, distribute product, and earn profits, but they also have to protect their personnel.

In fact, it is not uncommon that one of the top responses to pandemics is isolating community members, which means that it’s likely your personnel will either be required to work remotely under government orders or that you have policies that require such precautions in the event of a global outbreak. In the US, many major businesses, like Amazon, Twitter, Microsoft, and JPMorgan, have already delayed or suspended travel for employees, canceled meetings and conferences abroad, and some have even sent their employees home to work remotely until further notice. What could be the pitfall of this? While businesses think they’re doing the right thing and preventing community spread of the disease, such responses can have detrimental effects on a business if not properly tested in advance.

Richard Rieben, a Lead Practitioner at KirkpatrickPrice, explains, “The biggest issue a lot of firms face [regarding pandemics] is that they will tell themselves they’re prepared for everyone to work from home and for everything to keep running exactly as it does every day. But the reality is, unless those plans are fully tested and exercised in a practical manner, there is a strong likelihood that something that was never thought of will become an issue. Real testing of BCPs (including pandemic response) is the best way to capture valuable lessons learned which will go far beyond a basic tabletop talk-through of the plan.”

What Should Your BCP Include About Pandemics?

In order to establish a robust business continuity plan to combat the effects of a pandemic, you’ll need to consider the following:

  • Who are the necessary personnel needed to ensure that critical business processes can continue?
  • Which employees must work remotely?
  • What assets do employees need to continue their day-to-day tasks from remote locations?
  • What do your network and remote access capabilities look like? Can they handle large volumes?
  • How will you ensure the security of your remote workers?
  • What change management and access management protocols must be used/controlled?
  • How will you test this plan for accuracy? Will it be annually? How often will your personnel be able to work remotely?

There’s usually no telling how long a pandemic will last, and if you fail to implement a robust business continuity plan, your company may not survive the outbreak. At KirkpatrickPrice, we partner with our clients to create, implement, and test strong BCPs so that they can feel confident when a pandemic like the coronavirus occurs. Let us help you, too. Contact us today.

The 2020 Iowa Caucus Coding Errors: A Failed Attempt to Modernize Elections

In a day and age where mobile apps are heavily relied on for business, social interaction, and everyday activities, we have to ask: is there really a place for mobile apps in our election system? Or, more importantly, do we emphasize the security of mobile apps enough to allow them to play such a critical role in our elections? The coding errors revealed at the 2020 Iowa caucuses are a sobering reminder that this is not the case just yet, and many developers have a long way to go when it comes to developing applications that are secure enough to hold a place in our election system.

So, what happened in Iowa? What can we learn from it? Let’s discuss.

What Were the Coding Errors at the Iowa Caucus?

The Iowa caucuses were held on Monday, February 3rd, 2020, and what should have resulted in a clear winner only resulted in confusion, frustration, and ultimately, distrust in the election system. After the 2016 elections, where there was much discussion and skepticism over hacking and foreign interference in the election, the stakes and expectations around election integrity in 2020 are high. As the infamous first caucus took place, Iowa instantly fueled more fears about the 2020 election season when they contracted a third party, Shadow, Inc., to create a mobile application that would tally the caucus results.

As the caucus took place, precinct leaders quickly realized the mobile app did not operate as intended. Many received error messages upon login filled with undecipherable tech jargon. Others simply could not get the mobile app to open. The developers apologized for the delays through a series of tweets and a statement on their website, but the realizations about the app, its development, and the negligence on behalf of the Iowa Democratic Party were striking.

3 Key Takeaways from the Iowa Caucus Mishap

Vendor Management

As we often point out at KirkpatrickPrice, vetting vendors is one of the most important decisions a business will make, and in this case, the Iowa Democratic Party is learning that lesson the hard way. When they partnered with Shadow to provide a mobile app for tallying purposes, they failed to investigate the development procedure and status of the application before using it. Instead, they blindly trusted this third party to provide a secure mobile app that ultimately was released in a beta version. When thorough code review or penetration testing isn’t performed before putting an app into production, it can have damaging effects.

Mobile App Security

With an influx of IoT devices and mobile apps, DevSecOps is a hot topic and security must be ingrained in the development process instead of being something that developers review after the product is made, or even worse – after it’s put into production. In Shadow’s case, they failed to thoroughly test the product before allowing it to be used. This is especially surprising because they were contracted to create this app specifically for the Iowa caucuses. They released a beta version knowing that it could encounter errors and have trouble being used by large numbers of users. According to some reports, they didn’t even distribute the app through Apple’s App Store or the Google Play Store – both of which have rigorous security testing measures in place. Why didn’t they do this? What motivation was more important than securing the app used for such an important event?

Relying on Personal Devices

Regardless of the security issues found within Shadow’s app, the mere fact that the Iowa Democratic Party instructed precinct leaders to download the untested, unsecure mobile app on their personal devices is asinine. Personal devices are increasingly susceptible to vulnerabilities that can easily be tampered with and exploited by malicious third parties.

While what happened in Iowa outraged many people and further heightened the fear of yet another year with election issues, it’s not the first time an organization failed to properly vet a third party, nor is it the first time a mobile app developer failed to properly undergo thorough security testing, like the kind of mobile app pen testing we offer at KirkpatrickPrice. And, unfortunately, it’s likely that this won’t be the last time. As technology develops and continues to modernize the way we do business and go about our lives, we have to consider if we are ready to modernize our elections. Do we value security and privacy enough to ensure that our election system won’t be compromised by negligence or malicious users?

Disclaimer: This blog post does not reflect any political position of KirkpatrickPrice, Inc.