Archive for June 13, 2022

Kaiser Permanente Pwned…. Info On 70K Patients Exposed

Posted in Commentary with tags on June 13, 2022 by itnerd

Kaiser Permanente has issued a breach notice regarding a data breach which occurred in early April, exposing 70k patients’ names, medical record numbers, dates of service and lab test results. Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights confirms this as a result of the email security slip-up at Kaiser’s Washington unit that let threat actors get in and have a few hours of access before they were shut down. I use the words “slip-up” based on this from the breach notice:

The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.

That means that the employee was either phished or clicked on something that ran malware to allow this to happen.

Sanjay Raja, VP of Product, Gurucul:

“It is most likely that the threat actor(s) involved were already inside for some time and what was detected was the actual data being exfiltrated within hours. What is becoming more evident as we see attacks similar to the Kaiser disclosure is Identity Threat Detection and Response (ITDR) is a critical component of any security operations program. However, too many solutions are rushing to announce identity-based capabilities for XDR or SIEM, but are simply correlating Active Directory data, while claiming to offer ‘identity analytics. This does nothing to automatically detect a threat and leaves security teams to continue to manually determine if an attack is active, which also leaves them chasing a lot of false positives that can potentially waste a lot of time and resources. Incorporating a full-blown set of identity data ingestion, analytics on infrastructure activity, access privileges and entitlements, combined with user and entity behavior analytics can provide security teams with not only understanding of risky or suspicious activity, but rapidly determine if an actual attack is taking place. More importantly, the key to stopping data from being stolen is enabling identity-centric response based on a full understanding of the risk to an organization based on what the context discovered and analyzed. Unfortunately, the vendor marketing hype is in full force already.” 

Hopefully Kaiser Permanente does more than just do training on one employee. Because now that this is out there, a lot of patients are going to be worried about their personal information. Which will likely lead to some of them calling their lawyers. And that won’t end well for Kaiser Permanente.

“SeaFlower” Goes After Web3 Wallets On iOS And Android

Posted in Commentary with tags , , on June 13, 2022 by itnerd

Confiant’s Taha Karim has released a deep-dive into an extensive campaign from threat actor SeaFlower, where backdoored Web3 Wallets for iOS and Android mimics official cryptocurrency wallet websites intending to distribute apps that drain victims’ funds. The threat actor is likely Chinese according to the deep dive.

Chris Olson of The Media Trust had this to say:

“Cryptocurrency is rapidly becoming a battlefield for global cyber actors who target crypto owners through multiple channels. While many are waking up to the danger of email-based phishing scams, few are prepared for SEO and web-based attacks that target Internet traffic and mobile users. Aside from encouraging caution among NFT and crypto users, this incident has three implications: first, web and mobile devices are growing as threat surfaces – second, foreign actors can leverage those surfaces to target users around the world. Finally, Web3 may be vulnerable to the same threats that have made Web 2.0 unsafe for years, unless early adopters of the technology commit to minimal standards of digital safety and trust.”

There are mitigation strategies in the deep dive, along with promises of a “part 2” to this. Thus if you’re in the cryptocurrency space, you might want to stay tuned for that.

4-in-10 Canadian Organizations Still Struggling To Be Up To Date With Digital Attack Surface: Trend Micro

Posted in Commentary with tags on June 13, 2022 by itnerd

Trend Micro, the leader in cloud security, announced the findings of a new global study indicating that while organizations across the globe are struggling to define and secure an expanding cyber-attack surface, in Canada, 81% of organizations have at least somewhat defined it.

Trend Micro surveyed 6297 IT and business decision makers across 29 countries to compile the study. To read a full copy of the report, please visit:

The study revealed that 88% of respondents in Canada believe their organization have a well-defined way to assess the risk exposure of its digital attack surface, and more than half (53%) would describe their organization’s digital attack surface as being “complex but controlled.”

Despite the above, over two-thirds (69%) of Canadian respondents are concerned about having a broadening attack surface, and only 42% plan to invest in security tools and technologies to combat it this year.

Visibility challenges appear to be the main reason organizations struggle to manage and understand cyber risk in these environments.

The research shows that almost two-thirds (60%) of Canadian respondents said they have blind spots that hamper security, with cloud environments cited as the most opaque (41%). On average, respondents estimated having just 57% visibility of their attack surface.

These challenges are multiplied in global organizations. Two-fifths (40%) of respondents in Canada claimed that being an international enterprise that spans multiple jurisdictions makes managing the attack surface harder. 

Yet more than a quarter (27%) are still mapping their systems manually, and 20% outsource this task —which can create further silos and visibility gaps.

The study also revealed that over one-third (36%) of Canadian organizations don’t believe their method of assessing risk exposure is sophisticated enough. This is borne out in other findings:

  • 58% of organizations currently have a moderate risk exposure
  • Nearly half (48%) of respondents consider cloud service misconfigurations of cloud assets as the biggest risk exposure when it comes to their organization’s attack surface
  • 8-in-10 (84%) of organizations review/update their risk exposure in relation to their digital attack surface at least once a month
  • Just 18% review risk exposure on a daily basis
  • One-third (34%) of organizations feel fully exposed to the cyber risk of phishing
  • 44% of respondents consider phishing or email attacks as the primary way of a cyber-attack starting against their organization

Musk To Get Data To Prove Or Disprove His Beliefs About The Number Of Bots On Twitter

Posted in Commentary with tags on June 13, 2022 by itnerd

You might recall that Elon Musk as part of his attempt to buy Twitter claimed that there are way more bots on the platform than what Twitter reports. When Twitter called BS on that he than claimed that he was going to walk away from the deal. Though most see this as him trying to find an off ramp from an ill-advised decision. Fast forward to last week where it appears that Twitter is giving Musk what he wants:

Twitter is preparing to grant Elon Musk unprecedented access to platform data in an effort to address his concerns about automated accounts, The Washington Post reported on Wednesday. Citing a person familiar with the company’s thinking, the report says Twitter is preparing to give Musk access to the so-called “firehose” API that contains every tweet as it is posted.


Taken as a whole, Twitter’s firehose API shows what a user would see if they followed every account on Twitter — although the sheer volume of data is impossible to obtain or parse without automation. Nonetheless, it is one of the company’s most closely held resources, in part because of its value for ad-targeting and platform surveillance. Multiple companies and organizations have, or have had, access to the feed in real time, including MIT researchers and Google many years ago.

But while firehose data could be immensely valuable as raw material for a study on automated activity, the sheer scale of the data makes it unwieldy, and conducting a full study of automated activity would require significant time and resources. Nonetheless, providing the data will be politically useful as Twitter seeks to fend off Musk’s concerns and ensure that he honors the initial buyout deal.

I think that this could be “be-careful of what you wish for because you just might get it” situations. Assuming that this is accurate, this sounds like Twitter is saying “you’re a smart guy, here’s the data, you figure it out.” In short, they’re calling his bluff. And they’re making it more difficult for him to simply walk away from the deal without cutting a billion dollar cheque. It will be interesting to see where Musk goes from here and what he does to find an off ramp from this deal as I truly believe that this is what he is doing.

Trump’s Truth Social Promised Free Speech… But You’ll Get Punted From The Platform If You Talk About January 6th…. So Much For Free Speech

Posted in Commentary with tags on June 13, 2022 by itnerd

The clown show that is Donald Trump’s Truth Social continues with news that users are being punted from the site if they talk about the January 6th insurrection. Which goes against the platform’s promise of free speech:

The irony is rich: Truth Social, Donald Trump’s Twitter copycat claiming it is “free from political discrimination,” has reportedly banned users who posted information from Thursday’s congressional hearing on the Jan. 6 attack on the U.S. Capitol — in which the former president is a key focus.

That’s according to several posts on Twitter by users who claimed Truth Social was censoring them. Reps for Trump Media & Technology Group, which owns and operates Truth Social, did not respond to a request for comment.

Travis Allen, whose Twitter bio describes him as an information security analyst, on Thursday evening posted a screenshot from the Truth Social app that said “Account suspended,” and he wrote: “My Truth Social account was just permanently suspended for talking about the January 6th Committee hearings.”

He added, “So much for ‘free speech.’ This is censorship!” Allen did not provide details about what allegedly led to Truth Social kicking him off the platform.

While it is their right to punt people from the platform that violate their terms of service, it seems that Donald Trump and his lackeys are afraid of free speech. And they just want their own view of the universe on the Truth Social platform. Talk about being a bunch of snowflakes. This is yet another reason why this platform will simply crash and burn. And I think Trump and company are aware of that:

As of March 31, 2022, Trump Media & Technology Group had not generated any revenue to date and has warned investors that “TMTG may never generate any operating revenues or ever achieve profitable operations.” Sarasota, Fla.-based TMTG had approximately 40 full-time employees as of the end of March, per a regulatory filing by Digital World Acquisition Corp., a special purpose acquisition company (SPAC) that intends to merge with TMTG.

What this means is that these snowflakes will be out of business sooner or later. Which means that Truth Social will be a very minor footnote in history as a result.