Data Breaches 2016 to 2021

German security researchers scanning the internet have found hundreds of millions of sensitive medical images being easily accessible on unprotected servers worldwide, including around 2.6 million in Australia.

Security vendor Greenbone looked for internet-connected Picture Archiving and Communications Systems (PACS) servers that healthcare organisations use to store radiology images of patients for medical professionals to review.

sadly this doesn’t surprise me at all …

5 Likes

We have legislation to the whazoo about terrorism, cyber security etc and then they just leave the gate open on simple things like this. Who do they employ as their security team, Fred Flintstone? Though Fred Flintstone probably would be a bit better than who they currently employ and he is only a cartoon character.

500 of these servers with a CVSS score of 10.0 is just scary, hopefully none in Australia but going by the article it is likely that at least some are in this level. Just Wow!!

6 Likes

Fred Flintstone would store the data on stone tablets and no one ever accessed a stone tablet via the internet.

You are assuming that they have a security team???

This uses transmission control protocol (TCP) ports 104 and 11112

In the short term, until all the servers are fixed, maybe ISPs should be blocking those ports.

It is not clear whether any “exploit” of this is in the wild - but it will soon be.

I haven’t seen any probing of those ports recently. 445, a crowd favourite, seems to be getting the most attention.

3 Likes
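Added example, not part of the thread: one way to check your own perimeter logs for probing of the ports named in the post above (TCP 104 and 11112 for PACS/DICOM, plus 445). The log lines are constructed samples in an abbreviated Linux netfilter LOG layout, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Ports named in the thread: PACS/DICOM (104, 11112) and SMB (445).
DICOM_PORTS = {104, 11112}
WATCHED = DICOM_PORTS | {445}

# Constructed sample lines (abbreviated netfilter LOG format, documentation IPs).
SAMPLE_LOG = """\
Sep 18 02:11:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=445 SYN
Sep 18 02:11:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=445 SYN
Sep 18 02:15:31 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=445 SYN
Sep 18 02:15:32 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51201 DPT=104 SYN
Sep 18 03:02:47 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33010 DPT=11112 SYN
Sep 18 03:02:48 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33011 DPT=443 SYN
Sep 18 03:10:00 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 PROTO=TCP SPT=49000 DPT=104 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def inbound_syn(line):
    """Return (src, dport) for an inbound TCP connection attempt, else None."""
    fields = dict(FIELD.findall(line))
    tokens = line.split()
    # An empty IN= means the packet originated locally (outbound); skip it.
    if fields.get("PROTO") != "TCP" or not fields.get("IN"):
        return None
    # Only bare SYNs are connection attempts; SYN+ACK is a reply.
    if "SYN" not in tokens or "ACK" in tokens:
        return None
    try:
        return fields["SRC"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None

def tally(log_text):
    """Count inbound SYNs per watched port and collect the source addresses."""
    hits, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        parsed = inbound_syn(line)
        if parsed and parsed[1] in WATCHED:
            hits[parsed[1]] += 1
            sources[parsed[1]].add(parsed[0])
    return hits, sources

def dicom_probe_sources(log_text):
    """Sorted source addresses that tried either DICOM port."""
    _, sources = tally(log_text)
    return sorted(set().union(*(sources[p] for p in DICOM_PORTS)))
```
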

And after all the shouting about the government’s ‘MyHealth’ data base posing a risk!

It appears there are still much broader concerns that need serious attention.

P.S.
Every medical referral links an individual to another medical practice.
I noted a recent referral for a CT linked the report to three different practices.

With many practices subscribing to one of only a handful of medical management systems (excluding MyHealth) are we looking at just one of many vulnerabilities in how the medical profession, and their proprietary management systems save our personal information?

A simple breach may lead to a great many other places.

3 Likes

Another one for the list.

3 Likes

Some interesting timing …

the data was accessed by an unauthorised third-party service provider on May 4

Users who had joined after April 5, 2018 were not affected

Is “May 4” this year or last?

Does this mean that a database backup was left lying around, without appropriate protection, and it was the backup that was accessed?

If the above info is correct then at least no Australian customers would be affected. ??

5 Likes

TAFE NSW had its payroll system hacked but not too many employees had their data apparently involved (30 of them).

British Airways had a flaw in their systems that could expose passengers' data and flight details:

These were among a list of 95 incidents in August 2019 produced by IT Governance https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-august-2019-114-6-million-records-leaked

Breaches exposed that are Australian

July’s list can be read at:

June’s list at:

May’s list (no Australian specific ones listed):

6 Likes

Of course, these are merely the larger breaches and those that have been discovered and made public.

This is the new normal.

5 Likes

It just keeps on going on.

4 Likes

Hmmm. I wonder whether ANU does not perform ingress filtering on incoming email. There can be legitimate reasons not to but not doing so may have contributed to the success of this breach.

There are not very many hard details provided in the report but this looks like a sophisticated attack. I can see why some people would blame China. This isn’t likely to be a keen script kiddy.

Report: https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

4 Likes

It is not explicit what the person did with the initial email other than “previewed” resulting in the U & P being stolen. Anybody know more detail? I expect there must have been some sort of code execution involved.

2 Likes

Yes, the report lacks real detail.

I would guess that the “preview” problem is a software design issue in the mail client. In my experience (e.g. with web browsers) “preview” is just a bad idea. Whether it can be disabled, and what mail client this even was, is unknown.

Beyond that there is perhaps a coding error involving a deliberately malformed attachment. Alternatively though it could just be an attachment exploiting latent functionality.

Some companies block .zip file attachments outright but that seems not to be the case here.

All just speculation when we shouldn’t have to speculate because the report should be telling us.

My impression is that this was a blended attack involving the use of 3 or more different exploits, hence my suggestion that this attacker was sophisticated (and motivated).

2 Likes

Unfortunately most mail clients today support the execution of code such as javascript, and so unless you are paranoid (like me) and disable automatic display of images then you’re likely to be at risk. The risk is probably similar to one with PowerPoint and hovering your mouse pointer over a URL, from a couple of years ago.

https://www.pcmag.com/news/354256/hovering-mouse-over-hyperlink-causes-malware-infection

4 Likes

That would make two of us who are “paranoid” then. :slight_smile: I disable images in email and then allow exceptions in trusted cases. (That might not be good enough in this scenario though because the email appeared to be internal, I think.)

4 Likes

Preview is something I advise all my friends to disable. It is a hole too easy to bridge if someone wants to get access to a machine. While it might seem to the user that it is only a “preview” and they haven’t opened the mail, the very act of generating the preview has accessed the email. If the script/malware is activated by the access then it is alive from that time of access.

The email clients I have dealt with all allow a user to disable previewing of emails as it has been known to be a security hole for a very long time. Even if the email client is behind very secure anti-malware protection the problem is that all are based on reaction to threats and threat-like behaviour (heuristic detection) that are also built on looking for how attacks are done. Innovative threats that use novel means are part of the problem security landscape these days. It should be a standard that previewing is disabled by default (at the least), but unfortunately it is the standard for preview to be enabled by default and needs to be disabled by user action.

4 Likes

Weird behaviour from the people who are supposed to be protecting us. Suelette Dreyfus is one of Australia’s most respected names in the field.

6 Likes

I would comment on this, but I don’t know who’s watching me.

:wink:

4 Likes

Money talks - not Dr Dreyfus and Thomas Drake.

3 Likes

A bit of follow-up:

Not that there’d be any connection, of course. :smirk:

Unless the issue in question relates to government deliberately compromising security in its own perverse interests.

https://www.innovationaus.com/2019/10/CyberCon-cancels-whistleblowers

5 Likes