September 2021

Canadian Vaccine Passport App Exposes Data


Canadian vaccine passport app PORTpass may have exposed personal information belonging to hundreds of thousands of users.

According to a report by CBC News, the app’s operators left data, including names, identification documents, and email addresses, on an unsecured website. The personal information was allegedly stored in plain text and could be accessed by the public.

Following a tipoff received on Monday, the news source investigated the security of the PORTpass website. CBC News said it was able to verify that users’ personal information was exposed: “Email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licenses and passports can easily be viewed by reviewing dozens of users’ profiles.”

In an article published September 28, the news source wrote: “CBC is not sharing how to access those profiles, in order to protect users’ personal information.”

CBC added: “The information was not encrypted and could be viewed in plain text.”

The team behind the app is based in Calgary and led by Chief Executive Officer Zakir Hussein. In response to concerns over the app’s security, Hussein reportedly denied that PORTpass was experiencing any verification or security issues.

However, the app’s website has been taken offline, and visitors to the site are currently met with the message, “We are updating. Stay tuned.”

PORTpass is described on Google Play as “a secure and contactless way for a member of the public to gain access to a building, site, or ticketed event using their secure MapleCode.”

Hussein reportedly said the app has more than 650,000 registered users across Canada.

Trevor Morgan, product manager with data security experts comforte AG, commented: “Unless the app vendor goes to great lengths to apply data-centric security such as format-preserving encryption or tokenization to protect sensitive data by obfuscating sensitive data elements, situations like this one will happen again and again, and people will hesitate to adopt such tools.

“Any time an organization collects and processes peoples’ health information, it has the ultimate responsibility to protect that data and ensure it is never presented in readable format to unauthorized users.”

Source: Infosecurity

US Mulls Cyber-attack Reporting Mandate


Legislation requiring critical infrastructure companies to report cyber-attacks to the federal government has been introduced in the United States Senate.

Leaders of the Senate Homeland Security and Governmental Affairs Committee put forward the new cyber-incident reporting bill yesterday. If enacted, critical infrastructure owners and operators would have to report cyber-attacks to the government within 72 hours.

The proposed bill echoes the defense authorization bill passed by the House of Representatives that requires critical infrastructure owners and operators to report significant cybersecurity incidents within a 72-hour time frame.

Included in the new legislation is a proposal to create a Cyber-Incident Review Office within the Cybersecurity and Infrastructure Security Agency (CISA). The role of the office would be to receive, aggregate, and analyze reported incidents.

The new bill would also make it mandatory for organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to inform CISA of any ransomware payments they make. Organizations infected with ransomware would be required by law to consider recovery tactics other than paying their attackers.

CISA would be empowered under the new legislation to subpoena entities that flout the incident-reporting and ransomware-payment requirements. Potential penalties for those that do not comply include referral to the Department of Justice and being banned from federal contracting.

Under the legislation, participants from federal agencies would create a Joint Ransomware Task Force “to coordinate an ongoing, nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.”

Homeland Security and Governmental Affairs chairman Gary Peters, who introduced the bill, said it could help to limit the impact of cyber-assaults.

“When entities, such as critical infrastructure owners and operators, fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Peters in a statement.

Earlier this month, Peters said that the Federal Information Security Modernization Act – which was last updated over six years ago – did not go far enough to protect federal networks. He then called for cyber-attack reports to be shared by the federal government in a timely manner.

Source: Infosecurity

YouTube Pledges to Block all Anti-Vaccine Content


YouTube has announced it will block all anti-vaccine content on its platform, expanding beyond COVID-19.


The video-sharing site outlined its updated medical misinformation policy in a blog post published earlier today. This includes content that alleges approved vaccines cause chronic health effects, such as autism, cancer or infertility, that they do not reduce transmission or contraction of disease or that substances in vaccines can track those who receive them.


These rules will apply both to routine immunizations for conditions like measles or hepatitis B, as well as general statements about vaccines.


YouTube explained it had “learned important lessons about how to design and enforce nuanced medical misinformation policies at scale” while tackling misinformation about the COVID-19 pandemic in conjunction with health authorities. In this process, it “looked to balance our commitment to an open platform with the need to remove egregious harmful content” and revealed it had removed more than 130,000 videos for violating its COVID-19 vaccine policies since last year.


The social media company added: “We’ve steadily seen false claims about the coronavirus vaccines spill over into misinformation about vaccines in general, and we’re now at a point where it’s more important than ever to expand the work we started with COVID-19 to other vaccines.”  


However, it said there are “important exceptions” to these new guidelines due to “the importance of public discussion and debate to the scientific process.” As such, the site will continue to allow content around vaccine policies, new vaccine trials and historical vaccine successes and failures. Additionally, personal testimonials relating to vaccines are permitted as long as the channel “doesn’t show a pattern of promoting vaccine hesitancy.”


YouTube stated: “Today’s policy update is an important step to address vaccine and health misinformation on our platform, and we’ll continue to invest across the board in the policies and products that bring high-quality information to our viewers and the entire YouTube community.”


The announcement follows the decision by YouTube on Tuesday to remove Russian state-backed broadcaster RT’s German-language channels from its site for violating its COVID-19 misinformation policy.


Many in the cybersecurity industry argue that disinformation is a cybersecurity issue. Otavio Freire, CTO at Safeguard Cyber, argued last year that: “Disinformation is a cybersecurity issue. It has already been used as a means for brand value destruction to create divisiveness and conflict within a company’s employees, used as a social engineering lure, and as a form of ransomware; where if you want the disinformation to stop, you need to pay.”


These actions come amid growing criticism of social media firms like YouTube, Facebook and Twitter for failing to stem the flood of vaccine misinformation on their sites this year. 


Source: Infosecurity

CVE-2021-23446

The package handsontable before 10.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) in the Handsontable.helper.isNumeric function: a crafted string passed to the numeric check causes the underlying regular expression to backtrack for a time that grows super-linearly with input length, tying up the caller.
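To show what the vulnerability class above looks like in practice, the following is an added example and not Handsontable’s code: the vulnerable pattern is a constructed regex with a nested quantifier, not the pattern from Handsontable.helper.isNumeric, and the function names, the hardened regex and the 64-character length cap are this example’s own choices.

```javascript
// Added, constructed example: a numeric check built on a regex with a nested
// quantifier backtracks exponentially on crafted input, while a check with
// no nested quantifiers runs in time linear in the input length.
// VULNERABLE_NUMERIC_RE is NOT the pattern used by Handsontable.helper.isNumeric.

// Constructed vulnerable pattern: (\d+)+ lets the engine try every way of
// partitioning a run of digits before the match finally fails on a trailing 'x'.
const VULNERABLE_NUMERIC_RE = /^\s*(\d+)+\s*$/;

function isNumericVulnerable(value) {
  return VULNERABLE_NUMERIC_RE.test(String(value));
}

// Hardened check: optional sign, integer or decimal, optional exponent, with
// no nested or overlapping quantifiers, so a failing match costs O(n) steps.
// The length cap is an extra guard against regex cost on absurdly long input.
const SAFE_NUMERIC_RE = /^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\s*$/;
const MAX_NUMERIC_LENGTH = 64; // assumed cap for this example

function isNumericSafe(value) {
  if (typeof value === 'number') return Number.isFinite(value);
  if (typeof value !== 'string') return false;
  if (value.length > MAX_NUMERIC_LENGTH) return false;
  return SAFE_NUMERIC_RE.test(value);
}

// Crafted ReDoS input: n digits followed by a non-digit so the match must fail
// and the engine is forced through its backtracking alternatives.
function craftInput(n) {
  return '1'.repeat(n) + 'x';
}

// Wall-clock time, in milliseconds, for one call of fn on crafted input of n digits.
function timeCheck(fn, n) {
  const input = craftInput(n);
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Demo: each extra digit roughly doubles the vulnerable check's cost,
// while the hardened check stays flat. Kept to n<=20 so the demo finishes quickly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [12, 16, 20]) {
    const slow = timeCheck(isNumericVulnerable, n).toFixed(1);
    const fast = timeCheck(isNumericSafe, n).toFixed(3);
    console.log(`n=${n}: vulnerable ${slow} ms, hardened ${fast} ms`);
  }
}
```

Running the demo shows the vulnerable check's time climbing with each added digit while the hardened check stays in the microsecond range; the practitioner's fix is the same in any language: avoid nested quantifiers, prefer a single unambiguous pass over the string, and cap input length before the regex ever sees it.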
Source: NIST

Mental Healthcare Providers Report Data Breaches


Data breaches at two American mental healthcare providers may have exposed thousands of individuals’ personal health information (PHI).

Horizon House, Inc., which is in Philadelphia, Pennsylvania, warned that 27,823 people might have been impacted by a cyber-attack that took place in the late winter.

The mental health and residential treatment services provider detected suspicious activity on its IT network on March 5. An investigation revealed that the healthcare provider’s IT system had been infected with ransomware.

In a security notice, Horizon House said: “Horizon House systems were accessible by an unknown actor between March 2, 2021, and March 5, 2021, and certain data was exfiltrated from the Horizon House systems.”

A review of the files compromised in the incident determined that the unknown cyber-attacker gained access to data including names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, dates of birth, financial account information, medical claim information, medical record numbers, patient account numbers, medical diagnoses, medical treatment information, and health insurance information.

Horizon House has notified all the individuals affected by the security breach and advised them to be on the lookout for fraudulent activity.

Meanwhile, the Samaritan Center of Puget Sound issued a data breach warning after a computer, server and other electronic equipment were stolen from its locked offices in Seattle, Washington.

Although the stolen computer and server were password-protected, the Center raised concerns that a brute-force attack could render them accessible. A login password on its own is a weak safeguard once a machine is in an attacker’s hands: unless the drives were encrypted at rest, their contents can be read directly by mounting them on another system, with no need to guess the password at all.

Data stored on the stolen server included the names, appointment dates, diagnoses, copies of charting content, addresses, phone numbers, copies of deposited checks, training videos, insurance information, Social Security numbers, and copies of billing statements of clients who accessed services before July 19.

The Center, which provides spiritually integrated counseling and mental health support, reported the July 19 theft to the HHS’ Office for Civil Rights as a data breach impacting 20,866 individuals.

“The Ravenna facility has been the subject of a number of attacks and break-ins during the last year,” wrote the Center’s clinical director, Matthew Percy.

He added that physical and electronic security were both being tightened.

Source: Infosecurity

CVE-2021-40716

XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Source: NIST

CVE-2021-39861

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Source: NIST

CVE-2021-39862

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Source: NIST

CVE-2021-39860

Acrobat Pro DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An authenticated attacker could leverage this vulnerability to disclose sensitive user memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Source: NIST