Hospitals and healthcare providers under cyberattack

Hospitals are vulnerable to cyberattacks

The recent ransomware attack on the Hollywood Presbyterian Medical Center in Los Angeles has spooked the healthcare community. Hackers installed *ransomware on the hospital computer system and held patient records hostage while demanding payment. The hospital eventually paid $17,000 to have its files unlocked.

Attacks on major insurance and healthcare systems last year, including Excellus BlueCross BlueShield and Anthem Inc., resulted in 100 million individual records being stolen.

Electronic medical records are a treasure trove of data and fetch a price 20 times higher than that of stolen credit card numbers. The cost to the U.S. healthcare industry is $6 billion annually, with the average data breach costing a hospital $2.1 million.

According to a study by the Ponemon Institute, healthcare organizations average about one cyberattack per month with more than half of all organizations surveyed saying they experienced at least one cyberattack in the last 12 months.

Organizations' major concerns are system failures (legacy software and devices are common), unsecured wearable biomedical technology that puts patients at risk, and something that other industries face as well: BYOD (bring your own device), as employees increasingly use their personal devices for work-related activities. One of the real threats is that hackers can compromise healthcare mobile apps and expose confidential medical records.

Stop by to visit the Avast Virtual Mobile Platform booth at HIMSS16

This week, cybersecurity in healthcare is a major discussion point at the Healthcare Information and Management Systems Society 2016 Conference in Las Vegas. Avast Virtual Mobile Platform (VMP) will demonstrate how hospitals, insurance companies, and others can use Avast VMP to ensure secure, HIPAA-compliant access to mobile apps such as instant messaging, EHR, document storage and more. Avast will also demonstrate how VMP uses virtualization to instantly secure healthcare mobile apps.

Follow HIMSS16 on Twitter.

*Ransomware commonly enters a computer system when a user is tricked into clicking an infected link in an email or an infected ad on a website. The ransomware then locks all the files in the system and demands money for a key that will unlock the files.

Node Notify – Critical – Multiple Vulnerabilities – SA-CONTRIB-2016-013 – Unsupported

Description

Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users.

The module doesn’t sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability.

Additionally, some paths were not protected against CSRF. An attacker could cause another user to subscribe and unsubscribe notifications by getting the user’s browser to make a request to a specially-crafted URL.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of Node Notify module.

Drupal core is not affected. If you do not use the contributed Node Notify module, there is nothing you need to do.

Solution

If you use the Node Notify module for Drupal 7.x you should uninstall it.

Also see the Node Notify project page.

Reported by

Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Hubspot CTA – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-012 – Unsupported

Description

This module enables you to embed a Hubspot CTA button widget in a Bean block.

The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn’t sufficiently sanitise these parameters, allowing a potential cross-site scripting attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “administer beans” or “Hubspot Calls-to-action: Add Bean”.
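The class of defect described above, shown as an added Drupal 7 example that is not the Hubspot CTA module's own code: a configuration value printed straight into markup beside the hardened form, which allow-lists the ID at form validation and still escapes it at output. The module name cta_demo, the script URL format and the permission model are assumptions.

```php
<?php
// Hypothetical Drupal 7 code for a CTA embed block (added example, not the
// Hubspot CTA module's code; the script URL format is an assumption).
// Values typed into the block form by a privileged user are still untrusted
// input once they are printed into the page.

/**
 * Vulnerable pattern: settings concatenated straight into markup, so a value
 * containing quotes or angle brackets closes the attribute and becomes script.
 */
function cta_demo_render_unsafe($account_id, $cta_id) {
  return '<script src="https://cta.example.invalid/' . $account_id . '/' . $cta_id . '.js"></script>';
}

/**
 * Block settings form element: the ID is validated before it is ever stored.
 */
function cta_demo_form_element() {
  return array(
    '#type' => 'textfield',
    '#title' => t('CTA ID'),
    '#element_validate' => array('cta_demo_id_validate'),
  );
}

/**
 * Form API #element_validate callback: the IDs are opaque identifiers, so
 * reject anything outside a strict allow-list.
 */
function cta_demo_id_validate($element, &$form_state) {
  if (!preg_match('/^[A-Za-z0-9-]{1,64}$/', $element['#value'])) {
    form_error($element, t('%name may only contain letters, digits and dashes.',
      array('%name' => $element['#title'])));
  }
}

/**
 * Hardened render: attach the script through the render system and escape
 * at output time as well, so stored values are never trusted on the way out.
 */
function cta_demo_render_safe($account_id, $cta_id) {
  $url = 'https://cta.example.invalid/' . rawurlencode($account_id)
    . '/' . rawurlencode($cta_id) . '.js';
  return array(
    '#markup' => '<div class="cta-demo" data-cta="' . check_plain($cta_id) . '"></div>',
    '#attached' => array(
      'js' => array($url => array('type' => 'external')),
    ),
  );
}
```

Validation on the way in limits what can be stored; escaping on the way out protects against values that reached the database by another path, such as an older release without the validation.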

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of Hubspot CTA module.

Drupal core is not affected. If you do not use the contributed Hubspot CTA module, there is nothing you need to do.

Solution

If you use the Hubspot CTA module you should uninstall it.

Also see the Hubspot CTA project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Google Analytics Counter – Moderately Critical – CSRF – SA-CONTRIB-2016-011

Description

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly count views of cached pages.

The module doesn’t sufficiently protect against cross-site request forgery when it comes to the configuration reset link on its dashboard page. If the reset link were to be sent to a user with the right permissions, it could lead to an unwanted reset of the module’s settings (including its OAuth credentials).
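Both this advisory and the Node Notify one above describe the same defect: a state-changing action reachable through a plain GET link. The added example below, a hypothetical Drupal 7 module csrf_demo that is not the code of either module, shows the fix the Drupal 7 API provides: the link carries a token from drupal_get_token() bound to the visitor's session and to that exact path, and the access callback rejects any request whose token does not validate. The permission name, path and table are assumptions.

```php
<?php
// Hypothetical Drupal 7 module "csrf_demo" (added example, not the Node Notify
// or Google Analytics Counter code). A state-changing GET link is bound to the
// visitor's session with drupal_get_token() and checked on every request.

/**
 * Implements hook_menu().
 */
function csrf_demo_menu() {
  $items['csrf-demo/subscribe/%node'] = array(
    'title' => 'Subscribe',
    'page callback' => 'csrf_demo_subscribe',
    'page arguments' => array(2),
    'access callback' => 'csrf_demo_link_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link. The token covers the path, so a token issued for one node
 * (or for an unsubscribe link) is not valid for another action.
 */
function csrf_demo_subscribe_link($node) {
  $path = 'csrf-demo/subscribe/' . $node->nid;
  return l(t('Subscribe to comments'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Access callback: a request without a token valid for this session and this
 * exact path (e.g. a link planted on another site) is denied before the page
 * callback runs. Anonymous users have no session to bind a token to, so for
 * them a confirm_form() (a POST carrying Form API's own token) is the fix.
 */
function csrf_demo_link_access($node) {
  if (!user_access('subscribe to comments')) {
    return FALSE;
  }
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  return drupal_valid_token($token, 'csrf-demo/subscribe/' . $node->nid);
}

function csrf_demo_subscribe($node) {
  // Reached only after the token check passed; record the subscription here.
  drupal_set_message(t('Subscribed to comments on %title.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

The same pattern applies to the reset link on a dashboard page: generate it with a token for the reset path and validate that token before calling variable_del() on any settings.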

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2.

Drupal core is not affected. If you do not use the contributed Google Analytics Counter module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Analytics Counter project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Red Hat Security Advisory 2016-0303-01

Red Hat Security Advisory 2016-0303-01 – OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

Red Hat Security Advisory 2016-0302-01

Red Hat Security Advisory 2016-0302-01 – OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

USASearch – Moderately Critical – Access Bypass – SA-CONTRIB-2016-010

Description

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology (OCSIT), which offers free search services to any federal, state, local, tribal, or territorial government agency and can be used to search one or many sites. Read more at http://search.usa.gov/program.

The module may index unpublished content, making it accessible through search.

This vulnerability is mitigated by the fact that it only affects unpublished content that has been saved and content that was published and subsequently unpublished.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • usasearch 7.x-5.x versions prior to 7.x-5.1.

Drupal core is not affected. If you do not use the contributed DigitalGov Search (machine name: USASearch) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the DigitalGov Search (machine name: USASearch) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity