More stories


    Georgia fertility clinic discloses breach of patient SSNs and medical info after ransomware attack

    A fertility clinic in Georgia has notified about 38,000 patients that their medical information and other data, such as Social Security numbers, were accessed by cybercriminals during a ransomware attack in April. Matthew Maruca, general counsel for Reproductive Biology Associates and its affiliate My Egg Bank North America, wrote in a letter that a file server containing embryology data was encrypted on April 16 after attackers gained access to the company’s systems starting on April 7.

    The attackers stole names, addresses, SSNs, laboratory results and “information relating to the handling of human tissue,” according to Maruca. Maruca said the company started an investigation in April that lasted until June 7, when it officially confirmed that patient data had been accessed and taken during the attack. While Maruca does not explicitly say that a ransom was paid, the company was eventually able to regain access to the encrypted data and was told by the attackers that “all exposed data was deleted and is no longer in its possession.”

    “In an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure,” Maruca said. “We are continuing to conduct appropriate monitoring to detect and respond to any misuse or misappropriation of the potentially exposed data.”

    The company offered free monitoring services for those affected and said it hired a cybersecurity company to secure its systems.

    Multiple studies from cybersecurity firms have shown that even after being paid, ransomware gangs often keep or even post stolen information. A Coveware report from November showed that there have been a number of cases where victims have paid attackers and still had their data published online. Javvad Malik, a security awareness advocate at KnowBe4, told ZDNet that once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation to what the criminals can do with the stolen data.

    “This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims,” Malik said. “Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations.”

    The incident caps off a whirlwind week in which multiple healthcare institutions notified patients of breaches that leaked their personal information to attackers or the web. Minnesota Community Care, Cancer Centers of Southwest Oklahoma, San Juan Regional Medical Center, Little Hill Foundation for the Rehabilitation of Alcoholics and St. Joseph’s Hospital in Savannah, Georgia all reported breaches or ransomware attacks that led to the exposure of patient data over the last week. The notices came as US President Joe Biden implored Russian President Vladimir Putin last week to limit attacks on critical industries like healthcare and end protection for groups routinely ransoming hospitals across the US.


    New 'safety by design' toolkit to help the global tech industry care a little bit more

    Image: Office of the eSafety Commissioner

    The Office of the eSafety Commissioner has published a set of assessment tools that it hopes will be used by tech companies to ensure they are building safety into their products and services. While eSafety is an Australian agency, the “safety by design” assessment tools are available globally, as the majority of tech industry innovation occurs far away from Australia’s shores.

    Released today are two interactive assessment tools: the startup edition for early-stage technology companies and the enterprise edition for mid-tier or enterprise companies.

    “For tech companies developing platforms that enable social interaction, safety risks should be assessed upfront. Protective measures need to be put in at the start of the product design and development process. We call this ‘safety by design’,” eSafety said.

    The tools are aimed at helping organisations develop safe products, and assist them to embed safety into the culture, ethos, and operations of their business. The tools and accompanying guidance materials step participants through five interactive modules, each with a specific set of questions addressing core safety topics and issues: structure and leadership; internal policies and procedures; moderation, escalation, and enforcement; user empowerment; and transparency and accountability.

    The user is served a report at the end of each module, which acts as a safety health check but also, eSafety said, as a learning resource that can be drawn upon to help make refinements or innovations in the future.

    The online tool is around a seven-hour commitment. eSafety said it receives no personal or corporate information or data from those using the tools, and use is completely voluntary.

    “Our entire mission is about helping Australians have safer and more positive experiences online; one of the ways we achieve that is by helping the industry lift their standards and achieve better levels of safety,” eSafety Commissioner Julie Inman Grant told ZDNet.

    The safety by design initiative kicked off in 2018 with the major tech platforms. In April, eSafety said it was engaged with about 180 different technology companies and activists through the initiative. 40 companies took part in the preview of the toolkit.

    Inman Grant previously called it a “cultural change issue”; that is, tweaking the industry-wide ethos that moving fast and breaking things gets results. The solution, she said, isn’t the government prescribing technology fixes; rather, a duty of care should be reinforced when companies aren’t doing the right thing, such as through initiatives like safety by design.

    In a former life, Inman Grant was the director of public policy for Twitter in Australia and Southeast Asia; she was also Microsoft’s global director of privacy and internet safety. Speaking with media on the launch of safety by design, Inman Grant said she raised the idea during her time with the Windows-maker.

    “While I was there, I tried to introduce safety by design as an initiative for Microsoft to take on. They were doing security by design and privacy by design really well and I just wanted them to slip safety in,” she said. “But they felt like they were becoming an enterprise company and were never going to be a social media company, even when I pointed out that Xbox at the time was a bit toxic and Skype was a primary vector for child sexual abuse material. It wasn’t something that was taken up.”

    It was a similar story at Twitter, she disclosed.

    While the ideal scenario would be to prevent the harms from happening in the first place, behavioural change takes a long time, so eSafety is hopeful initiatives like safety by design can “move the needle and minimise the threat surface for the future”.

    “Safety by design is fundamental because online safety is a shared responsibility and we needed to find a way to shift the responsibility back onto platforms themselves, just as product liability serves to do around toy and goods manufacturing, or food safety standards,” Inman Grant said. “None of these standards exist in the technology world and I also believe, philosophically, that mandating protections and innovations that companies should take is not going to achieve the right end.

    “We had to do this with the industry rather than to the industry. We’d love to see a race to the top in terms of online safety standards and this is precisely what this tool is meant to do.”

    eSafety is also working with universities on how to insert a safety by design ideal into studies.

    “Creating that next generation of engineers and computer scientists … to code with conscience or to think ethically and responsibly about what they’re doing,” she said. “We’re working with four different universities right now in embedding elements of this curriculum into multi-disciplinary programs … safety by design won’t just be this tool, it will grow and evolve.”


    Best early Prime Day 2021 deals: Smart home devices

    Smart home gadgets are all the rage, but it’s a slippery slope. As soon as you’re done installing your first gadget, you’re in the market for the next, and it can get pretty expensive. Amazon Prime Day is a good time to pick up your next smart home device for less, because there are some fantastic deals out there on a whole range of devices. With that in mind, I’ve trawled through the unbelievable number of deals that are available over Prime Day 2021 — tens of thousands! — and distilled them down into a handful of the best. Deals come and go over the two days, and I’ll be updating this post with fresh deals, so keep checking back. Also, if you find a good deal I’ve missed, feel free to drop me a note (a Twitter DM probably gets the quickest response).

    27% off


    With its 8-inch HD touchscreen, adaptive color, and stereo speakers, the all-new Echo Show 8 is the perfect hub for your smart home setup. 8.0-inch touchscreen, 1280 x 800 resolution display. 13 MP camera that uses auto-framing to keep you centered. Built-in camera shutter and microphone/camera off button.

    $95 at Amazon

    50% off


    It might be tiny, but it packs all the power and punch of a full-sized Echo! There’s a reason why this is Amazon’s most popular smart speaker! Better speaker quality than Echo Dot Gen 2 for richer and louder sound. Pair with a second Echo Dot for stereo sound. Stream songs from Amazon Music, Apple Music, Spotify, Sirius XM, and others. Turn on lights, adjust thermostats, lock doors, and more with compatible connected devices. Create routines to start and end your day. Call almost anyone hands-free. Instantly drop in on other rooms in your home or make an announcement to every room with a compatible Echo device.

    $20 at Amazon

    41% off


    Blink Outdoor wireless battery-powered HD security camera with infrared night vision. Runs for up to two years on two AA lithium batteries (included). Store video clips and photos in the cloud with the Blink Subscription Plan or save locally to the Blink Sync Module 2 via a USB flash drive (sold separately). Built to withstand the elements. No wiring or professional installation required. Get motion detection alerts on your phone. See, hear, and speak to visitors with live view in real time and two-way audio features on your Blink app.

    $225 at Amazon

    36% off

    Certified Refurbished Video Doorbell Pro has been refurbished, tested, and certified to look and work like new, and also comes with the same limited warranty as a new device. 1080p HD video doorbell that lets you see, hear and speak to people from your phone, tablet, or select Echo device. Includes privacy features, such as customizable privacy zones and audio privacy, to focus only on what’s relevant to you. Get notifications whenever motion is detected by customizing your motion zones. With Live View, you can check in on your home any time through the Ring app.

    $89 at Amazon

    30% off


    At the heart of any good smart home system is a solid, reliable Wi-Fi connection, and things don’t get much better than the Amazon eero Pro mesh. The Amazon eero Pro mesh WiFi kit (3 eero Pros) replaces the traditional WiFi router, WiFi extender, and internet booster. Capable of covering a 5+ bedroom home with fast and reliable internet powered by a mesh network. Unlike common internet routers and wireless access points, eero automatically updates once a month, always keeping your home WiFi system on the cutting edge. The eero mesh WiFi network leverages multiple wireless access points to create an incredibly dependable internet experience, all on a single mesh WiFi system. Quick & easy setup.

    $349 at Amazon

    40% off


    Quickly and easily set up your Ring Alarm by plugging in your base station, connecting to Wi-Fi via the Ring app, and placing your sensors in their ideal locations. A great fit for 1-2 bedroom homes. Kit includes one base station, one keypad, four contact sensors, one motion detector, and one range extender. Optional 24/7 professional monitoring with Ring Protect Plus for $10/month.

    $150 at Amazon

    More Prime Day 2021 deals

    We plan to update this guide with more smart home device deals as we spot them.



    Digital Health Agency says My Health Record risk mitigation work on-track

    Image: Getty Images/iStockphoto
    The system administrator of Australia’s oft-criticised My Health Record has agreed to a number of recommendations made by the Joint Committee of Public Accounts and Audit as part of its probe into the security resilience of the online medical file.

    The committee in 2019 scrutinised a report from the Australian National Audit Office (ANAO) which pointed out a number of security issues concerning the Australian Digital Health Agency’s (ADHA) My Health Record implementation, while otherwise giving ADHA the tick as “largely effective”.

    In a response [PDF] to the committee, ADHA provided an update to its ANAO My Health Record Performance Audit Implementation Plan, which was developed in February 2020. One of the recommendations made by ANAO was that ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls. It also recommended that the agency incorporate the results of this assessment into the risk management framework for the My Health Record system.

    The agency said it would work with public and private sector healthcare providers, professional associations, consumer groups, and medical indemnity insurers on an “overarching privacy risk assessment”, and incorporate results into the risk management plan for My Health Record. With a privacy risk assessment completed in September, and initial risk register updates flagged as done as of February, the ADHA has given itself until November to complete the risk management work.

    Another recommendation was that the ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function within the online medical file.

    After delivering a compliance framework and an emergency access compliance plan in February, the ADHA said it will continue to monitor emergency access and engage with system participants to “promote a sound understanding of the legislative provision and relevant reporting arrangements, so that unauthorised use is recognised and reported to the Information Commissioner, as required”. It also flagged November as the completion date for this work.

    ADHA was also asked by ANAO to develop an assurance framework for third-party software connecting to the My Health Record system, including clinical software and mobile applications, in accordance with the federal government’s Information Security Manual.

    “An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance,” ADHA said in response to the recommendation. “The agency will review the standards that apply to these systems, and alignment with the Information Security Manual. We will work with industry to update the assurance framework as required.”

    The agency also agreed to develop, implement, and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers, and to develop and implement a program evaluation plan for My Health Record.

    While not requested by ANAO, ADHA said it is also working to ensure shared privacy risks are identified and appropriately managed between the agency and My Health Record stakeholders, and that it is distributing guidance materials and other resources to help with this. It is also mandating that software developers undertake a conformance process for the new Security Requirements for Connecting Systems, when requested by ADHA.


    Labor Bill would force Aussie organisations to disclose when they pay ransoms

    Image: iStock
    The federal opposition has introduced a Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives on Monday by Shadow Assistant Minister for Cyber Security Tim Watts.

    According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”.

    The ransom payment notification scheme created by the Bill, Watts said, would be the starting point for a comprehensive plan to tackle ransomware. It follows his party in February calling for a national ransomware strategy focused on reducing the number of such attacks on Australian targets. At the time, Watts, alongside Shadow Minister for Home Affairs Kristina Keneally, declared that due to ransomware being the biggest threat facing Australia, it was time for a strategy to thwart it.

    The Bill introduced by Watts would require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment.

    “This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said. “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks.”

    As laid out in the Bill’s explanatory memorandum [PDF], if an entity makes a ransomware payment, it must provide the ACSC with its details, the details of the attacker, and information about the attack to the extent that it is known. Information about the attack includes cryptocurrency wallet details, the amount of the payment, and indicators of compromise. Failure to notify the ACSC would attract a penalty.

    The ACSC would be required to de-identify the information for the purpose of informing the public and private sector about the current threat environment, and disclosing information to Commonwealth, state, or territory agencies for the purpose of law enforcement. Under the Bill, it would be an offence to disclose personal information except for use by law enforcement.

    “We should be clear … ransoms should not be paid. Ever,” Watts said. “Paying a ransom does not guarantee you’ll be able to quickly bring your systems back online or prevent further disruption, it does not guarantee your data won’t be leaked.

    “What it does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks. But where organisations feel compelled to make these payments, government should be involved.”

    Using the claim that there has been a 200% increase in ransomware attacks on Australian organisations, Watts pointed to the likes of JBS Foods, UnitingCare Queensland, the Eastern Health hospital network in Victoria, Lion brewers, the NSW Labor Party, Toll logistics (which copped two attacks), Bluescope, PRP Diagnostics, Regis Healthcare, Law In Order, Carnegie Clean Energy, coffee roaster Segafredo Zanetti, and Taylors Wine as examples of why such a Bill is required. JBS paid $11 million in ransom.

    “Talking to the incident responders combatting this tidal wave of attacks, it’s clear to me that for every ransomware incident you read about in the papers, there are a dozen happening outside public view,” he told the House of Representatives. “These attacks are an intolerable burden on Australian organisations.”

    According to Watts, the current trajectory of these attacks and the traditional response of asking organisations to implement an “ever-increasing uplift in cyber resilience” is inefficient and not sustainable.

    “A hospital shouldn’t be forced to use more and more of its scarce resources fighting cybercriminals, it should be using its resources to make sick people better,” he said. “The boards and executive teams of our nation should be able to focus on making investments in its core business that create new jobs and increase shareholder returns, rather than constantly ratcheting cybersecurity investments.

    “Tackling ransomware may begin with organisational security, but that is not the end of the conversation. Unfortunately, that’s the state of the policy response to ransomware under the Morrison Government — blaming the victims.”

    The federal government in March provided advice on how to counter ransomware in Australia, encouraging the use of multifactor authentication and urging businesses to keep software up to date, archive data and back up, build security features into systems, and train employees on good cyber hygiene. At the time, Watts called the ransomware paper a missed opportunity. To Watts, it’s not good enough to tell businesses to defend themselves by “locking their doors to cyber-criminal gangs”.

    “Mandating reporting of ransom payments is far from a silver bullet for this national security problem, but it’s an important first step,” he said on Monday.


    North Korean hacking group allegedly behind breach of South Korean nuclear institute

    Image: Recorded Future
    A North Korean hacking group with a history of high-profile attacks against South Korea allegedly breached the network of South Korea’s state-run nuclear research institute last month. Representative Ha Tae-keung of the People Power Party, South Korea’s main opposition party, claimed 13 unauthorised IP addresses accessed the internal network of Korea Atomic Energy Research Institute (KAERI) on May 14. Some of the addresses could be traced back to Kimsuky, a North Korean cyber espionage group, Ha claimed. “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest security breach, almost the same level as a hacking attack by the North into the defense ministry in 2016,” the lawmaker said. According to the US Cybersecurity and Infrastructure Security Agency, Kimsuky is an advanced persistent threat group likely tasked by the North Korean regime with a global intelligence-gathering mission, with a focus on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Prior to its alleged attack against KAERI, the group was thought to have been installing malware inside documents detailing South Korea’s response to the COVID-19 pandemic in 2020. The group is also thought to be behind a series of phishing attacks in 2019 against the South Korean police and Ministry of Unification. Kimsuky’s most notorious cyber attack was made in 2014 against Korea Hydro & Nuclear Power, South Korea’s nuclear and hydroelectric utility.

    In response to Ha’s claims, KAERI issued a statement saying an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). The institute then blocked the IP address and updated the security of its network, it said. It has since been working with authorities to investigate the scope of the damage and who was behind the attack, KAERI added. KAERI officials were unavailable for further comment.

    On Sunday, local media reports claimed that Daewoo Shipbuilding & Marine Engineering, a supplier of ships and submarines to the South Korean military, has been suffering cyber attacks since last year from groups thought to be run by North Korea. The Defense Acquisition Program Administration, a subagency of the Ministry of National Defense responsible for procuring weapons, confirmed there were attempted hacking attacks against Daewoo last year but denied they were connected with North Korea.


    Only 50% of WA government entities get a pass mark for infosec

    Western Australia’s auditor-general has reported 553 IT system weaknesses to 59 state government entities, saying she was “disappointed” that only 50% of them have met the benchmark in information security.

    In the auditor-general’s latest report [PDF], Information Systems Audit Report 2021 – State Government Entities, it was revealed that 42% of the findings made this year were previously reported to the 59 entities.

    “One way entities can remain vigilant against the rapidly changing threats to information systems is by promptly addressing audit findings,” state Auditor-General Caroline Spencer said. “Poor information security controls leave entity systems and information vulnerable to misuse and may impact critical services provided to the public.”

    36 of the 59 entities were provided with capability maturity assessments and were asked to self-assess their general computer controls. Entities improved their controls in four out of six categories — business continuity, IT operations, change control, and physical security — remained constant in management of IT risks, and went backwards in the infosec category.

    “We continue to find a large number of weaknesses that could compromise the confidentiality, integrity and availability of information systems. Information security remains our biggest area of concern,” the 13th report from the Office of the Auditor-General (OAG) said.

    Ratings for general computer control findings in each control category
    Image: OAG

    The 36 assessments saw the OAG rate entities’ maturity level across the six categories, using a 0-5 rating system. Level 3, “defined”, is the minimum standard that entities are required to meet. 50% of entities found themselves rated at level 3 or above for infosec; 62% for business continuity; 78% for the management of IT risks; 82% for IT operations; 85% for change control; and physical security was the highest scoring, with 91% of entities hitting level 3 or above.

    “The number of entities who met our benchmark for information security decreased from 57% in 2018-19 to 50% in 2019-20. We continue to see little improvement in this space over the last 13 years,” the report said.

    Common weaknesses found included inadequate information security policies, ineffective management of technical vulnerabilities, inadequate access controls, poorly managed administrator privileges, a lack of data loss prevention controls, inappropriate network segregation, unauthorised device connectivity, weak database security controls, and poor cloud security controls.

    Some of the recommendations made include asking state infosec executive managers to ensure patching and vulnerability management, application hardening and control, and strong passphrases/passwords and multi-factor authentication are in place, as well as to implement admin account restrictions, segregate networks and prevent unauthorised devices, and secure cloud infrastructure, databases, email, and storage. The OAG also wants cybersecurity monitoring, intrusion detection, and protection from malware to be prioritised.

    Common weaknesses found under the business continuity header were a lack of business continuity planning, no backup testing procedures, inadequate IT disaster recovery plans, and a lack of disaster recovery plan testing. Management of IT risks issues included inadequate processes to identify, assess, and treat IT risks, as well as a lack of accountability.

    For change control, common problems included a lack of formalised change management processes within entities, and where they do exist, they weren’t being followed. IT operations common weaknesses, the OAG said, included a failure to review policies and procedures, inadequate staff termination processes, ineffective IT asset management, a lack of supplier performance management, and an overall inadequacy in monitoring events. Lastly, issues with physical security across the entities probed included unrestricted access to server rooms, combustible materials being stored in server rooms, and a lack of fire suppression systems.

    Data#3, a supplier of IT to the state’s whole-of-government GovNext-ICT initiative, has meanwhile taken it upon itself to help WA entities with security, launching Project Fortify. Project Fortify, supported by the Office of Digital Government and the Department of Finance, aims to assist state entities with security operations, Essential 8 compliance, and legacy systems risk assessments.

    “This is a great opportunity for agencies with limited resources to accelerate their cybersecurity maturity and improve the public sector’s resilience to cyberthreats,” WA chief information security officer at the Office of Digital Government Peter Bouhlas said.

    Funding for the initiative comes by way of a Digital Innovation Fund, which was created under the WA Government Microsoft Licensing Agreement Data#3 picked up in 2019.


    iPhone bug makes it easy for someone to break your Wi-Fi — here's the fix and how to prevent it

    Connecting to a Wi-Fi hotspot with a specific name can cause your iPhone’s Wi-Fi functionality to break, and even a reboot won’t fix it. The bug, spotted by reverse engineer Carl Schou and first reported by BleepingComputer, relies on attempting to connect to a hotspot with a specific name. Schou first noticed the issue when trying to connect to his hotspot, named with the SSID %p%s%s%s%s%n.

    After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3 — Carl Schou (@vm_call) June 18, 2021

    I’ve tested this with an iPhone running iOS 14.6, and it does indeed disable Wi-Fi, and a reboot doesn’t fix it.

    So, how do you fix it if, like me, you’re relying on your iPhone? The fix is to go to Settings > General > Reset > Reset Network Settings. After doing this you will have to reconfigure your network settings.

    OK, but how do you prevent this from happening in the first place? After all, little stops pranksters — or possibly a hacker using this as a vulnerability to do something more malicious — from setting up Wi-Fi hotspots with this name and no password. Go to Settings > Wi-Fi and make sure that Auto-Join Hotspots is set to Ask to Join or Never. Better safe than sorry! I can also confirm that this does not seem to be an issue for Android users. I tried a number of handsets and they all connected fine.
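    The SSID in this story is made entirely of printf-style conversion directives, which is what an uncontrolled format string bug looks like from the outside. The C snippet below is an added example, not Apple’s code or anything from the original post: it assumes the root cause is a network name handed to a printf-family logging call as the format string itself, and shows a check that flags such names (useful for alerting on hostile SSIDs in your own logs) next to the safe way to log one, with a constant format and the SSID passed as data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true if the SSID contains a '%' that a printf-family function
 * would interpret as a conversion directive ("%s", "%n", "%p", ...).
 * "%%" is an escaped literal percent sign and is treated as harmless. */
bool ssid_has_format_directive(const char *ssid) {
    for (const char *p = ssid; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": literal percent, skip both characters */
            p++;
            continue;
        }
        return true;         /* any other '%' is a live directive */
    }
    return false;
}

/* The assumed vulnerable shape is snprintf(buf, n, ssid): the network
 * name becomes the format string, so "%s" reads and "%n" writes through
 * whatever arguments happen to be on the stack. It is deliberately not
 * written out as callable code here.
 *
 * Safe form: the format is a string literal and the SSID is an argument,
 * so it is copied verbatim, directives included. Returns the length
 * snprintf reports, or -1 if the name does not fit (the buffer is then
 * left empty rather than holding a truncated, misleading name). */
int log_ssid_safe(char *buf, size_t n, const char *ssid) {
    if (n == 0)
        return -1;
    int len = snprintf(buf, n, "Joined network: %s", ssid);
    if (len < 0 || (size_t)len >= n) {
        buf[0] = '\0';
        return -1;
    }
    return len;
}
```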