This is the Shared Security Weekly Blaze for March 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for March 12th 2018…with your host…Tom Eston
In this week’s episode: Malicious Healthcare Workers, New Attacks on Mobile Networks, and Facebook Messenger for Kids
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media @karinavold, @Yohun and @securid on Twitter as well as @Itincloud and @wearethelightpodcast on Instagram and Tom, Shawn, Malcom and William on Facebook. Thanks to all of you for your support of the show!
If you go to your doctor or to the hospital, have you ever wondered if your private healthcare information is being properly protected? Well this past week there were two reports released showing that its own workforce is the biggest cybersecurity problem for the healthcare industry. According to the 2018 Protected Health Information Data Breach Report released by Verizon, 58% of data breach incidents involved insiders. Most of the breaches noted by Verizon were because of corrupt healthcare workers stealing data to commit tax fraud, opening lines of credit from patient data or by looking up personal records of celebrities and family members. Another report, based on a survey of healthcare employees from consulting firm Accenture, showed that 18% of respondents were willing to sell confidential patient data for as little as $500 or $1,000. This data could include selling your login credentials, putting your data on portable drives to be sold and installing malware on internal systems to capture confidential patient data.
I don’t know about you but reports and surveys like these are very concerning considering the fragile state of healthcare, especially here in the US. Whether it’s failed security policy oversight or lack of security controls, healthcare remains one of the number one sources for criminals to gain access to your private information for medical identity theft. This is despite having healthcare laws such as HIPAA which are supposed to enforce good security practices within the industry. Like other types of fraud we’ve talked about on the show, you need to take steps to defend against someone using your information to commit fraud or identity theft. Unfortunately, we can’t rely on others like the healthcare industry or the government to properly protect our information.
Much of the same advice we’ve given to protect against fraud, like putting a freeze on your credit and creating strong and unique passwords, also applies to the issues we’re seeing with healthcare data breaches. Some other tips specific to medical identity theft are to keep accurate records of your medical history, always review your medical statements to ensure they are accurate, be aware of fake or real calls from medical debt collectors and physically shred any healthcare-related documentation containing personal information. Check out our show notes for a great guide from the Federal Trade Commission about detecting and preventing medical identity theft.
Security researchers announced several new security vulnerabilities in 4G LTE mobile networks this past week. The researchers, who are from Purdue University and the University of Iowa, said quote “Among the 10 newly detected attacks, we have verified eight of them in a real test bed with SIM cards from four major US carriers”. End quote. The researchers also noted that using publicly available software-defined radio devices as well as open source software, anyone with enough knowledge could build a tool for around $1,300 – $4,000. A fairly cheap solution for most attackers.
The vulnerabilities that were identified could be used by criminals to create spoofed locations, impersonate an existing mobile number and allow someone to create mass hysteria over a fake emergency alert sent to thousands of mobile devices all at once. You may remember a few months ago when the Hawaii Emergency Management Agency accidentally sent out an emergency alert to all mobile devices in Hawaii about an impending missile attack. Could you imagine the fallout from something like this happening on a much broader scale?
The good news is that it appears that the US carriers that were identified in the research are working to fix these vulnerabilities and the exploit code was not publicly released. There isn’t much we can do at this point but wait for the mobile carriers to fix these vulnerabilities and update their infrastructure to 5G technology which has more robust security features.
I should also note that attacks on 4G LTE are not new. Law enforcement and governments have been using devices called IMSI catchers or what are also known as stingray devices for many years now. These devices force your mobile phone to either downgrade to a less secure communication protocol or force your phone to connect to a fake cell tower where communication through voice and text messaging on your device can be intercepted and monitored. If you are concerned about sending and receiving text messages and phone calls securely you should use an application like Signal which would protect you from interception attacks like these. Check out episode 60 of the podcast for more information on Signal and other secure messaging apps.
Late last year Facebook released a new app called “Facebook Messenger Kids” which is designed for kids age 6 to 13 as a safer way for them to message friends and parents. The app includes kid-friendly stickers, masks and frames which encourage using the app. Some of the safety features in the app ensure that parents have to approve who their kids are communicating with and that there is no advertising within the app itself. This past week CNBC reported that during Facebook’s testing of the Messenger Kids app last year that quote “It was hard for kids to initiate the communication” and that quote “we wanted to give them nudges to start the conversation” end quote. This news has led many critics and child-advocacy groups to say that social media use by young people may be detrimental to their mental health and that kids that young may not be ready or have the mental capacity to use social media.
It’s also important to note that last year Facebook said that they had worked with different privacy and child advocacy groups before launching the app in December. What they didn’t tell you was that many of these groups received funding from Facebook. For example, the National PTA who coordinated roundtable discussions about the app and New Mexico State, which conducted some of the research, all received various financial funding from Facebook. These are definitely things that make you go…hmmmm.
I’m sure you’re asking yourself why in the world would young kids need the ability to use a Facebook social messaging app? Well according to Facebook, kids are already on social media and they need to learn how to use it safely. However, many others feel that Facebook is using the Messenger Kids app to “groom” impressionable young people into getting “hooked” to Facebook so when they become older they continue to use the “adult” version of Facebook. This seems a lot like the path to an addiction, doesn’t it?
I always go back to education being the best approach when parents need to make decisions about allowing their kids to use apps like Messenger Kids. Educate yourself on the risks as well as the motives that a company may have with the apps kids are using. That means reading the terms of service and privacy policy for apps like these. If you’re a parent check out our show notes for a link to the Messenger Kids privacy policy. It’s ultimately up to you to decide, not Facebook, on what’s best for your kids.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.