From the “this seemed like a good idea at the time” department comes BlueCross and BlueShield of Alabama and their decision to mail out policy details on a USB key, along with instructions to insert the key into a PC. Here’s the problem according to the fellow who brought this to light via a LinkedIn post:
You should never insert an unknown usb device into your computer or run an unknown program. If you do, it is possible for that device to install software on your computer that may not have the best of intentions.
I am not accusing BCBS of creating software that is less than aboveboard. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.
This, to me, should be something that even the most junior cyber security consultant would understand is a bad idea. A corporation the size of BlueCross should have the resources to make sure ideas like this never see the light of day.
Clearly someone at this organization didn’t think this through. Thus I suspect heads will roll over this as in the age of epic pwnage, this would be an easy to exploit attack vector.
Like this:
Like Loading...
Related
This entry was posted on July 13, 2017 at 8:16 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
#Fail: US Health Insurer Mails Coverage Information On USB Keys Which Could Lead To Pwnage
From the “this seemed like a good idea at the time” department comes BlueCross and BlueShield of Alabama and their decision to mail out policy details on a USB key, along with instructions to insert the key into a PC. Here’s the problem according to the fellow who brought this to light via a LinkedIn post:
You should never insert an unknown usb device into your computer or run an unknown program. If you do, it is possible for that device to install software on your computer that may not have the best of intentions.
I am not accusing BCBS of creating software that is less than aboveboard. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.
This, to me, should be something that even the most junior cyber security consultant would understand is a bad idea. A corporation the size of BlueCross should have the resources to make sure ideas like this never see the light of day.
Clearly someone at this organization didn’t think this through. Thus I suspect heads will roll over this as in the age of epic pwnage, this would be an easy to exploit attack vector.
Share this:
Like this:
Related
This entry was posted on July 13, 2017 at 8:16 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.