Report Outlines Dangerous Shortcomings in Healthcare Application Security
Baltimore-based firm Independent Security Evaluators is presenting a report on the state of healthcare application security. The report details how researchers were able to compromise hospital systems over 24 months of testing that covered 12 healthcare facilities, 2 healthcare data facilities, 2 healthcare technology platforms and 2 active medical devices.
Among other findings, the report details a web attack against an Electronic Health Record (EHR) platform that allowed patient records to be retrieved and manipulated.
The Barracuda Web Application Firewall can help protect against the web-based attacks on healthcare applications. To learn more, visit the following resources:
- Barracuda Web Application Firewall: Safeguarding Healthcare Web Applications and ePHI (Whitepaper, pdf)
- Healthcare System Strengthens Web Application Security to Ensure Protection of Patient Data (Case study, pdf)
- Webinar: Protect the Soft Underbelly of Healthcare IT: Secure Your Web Applications, March 16, 2016, 10:00am PDT. Register here.
Modern Web Apps: Not The Risk They Used To Be (They’re Worse!)
There is an interesting article from Dark Reading that can help you understand how even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.
A snippet from the article:
Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. A few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source code and hardcoded database credentials.
These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain an up-to-date inventory of all their websites and Web applications, and pay close attention to the security of every Web application that is accessible externally. A good place to start is with ISACA's 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application.
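The lesson of the snippet is that a credential behind a comment marker is still a credential to whoever reads the file. The following is an added example, not code from the Dark Reading article or from Barracuda: a small scanner that flags secrets in a backup configuration file, reporting commented-out lines as well as live ones. The config text, key names and values are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of a backup config left behind after debugging (not the
# file from the article). The live lines belong to the charity app; the
# commented-out lines still carry credentials for a sensitive app.
SAMPLE_CONFIG = """\
[backup]
host = backup.example.internal
user = charity_app
password = charity-pass-123
# user = payroll_app
# password = Pr0d-Secret!2016
; db_url = postgres://payroll:hunter2@db.example.internal/payroll
"""

# Keys whose values are secrets. The optional leading "#" or ";" group makes
# the pattern match commented-out lines as well as live ones.
SECRET_KEY = re.compile(
    r"^\s*(?P<comment>[#;]\s*)?(?P<key>password|passwd|secret|api_key|token)\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)
# Credentials embedded in connection URLs: scheme://user:password@host
URL_CRED = re.compile(r"^\s*(?P<comment>[#;]\s*)?.*?://[^:/\s]+:(?P<value>[^@\s]+)@")


def find_credentials(text: str) -> List[Tuple[int, bool, str]]:
    """Return (line_number, is_commented, value) for every credential found.

    Commented-out lines are reported deliberately: anyone who obtains the
    file can read past a comment marker just as easily as the parser skips it.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY.match(line) or URL_CRED.match(line)
        if m:
            hits.append((lineno, m.group("comment") is not None, m.group("value")))
    return hits


def commented_credential_count(text: str) -> int:
    """How many of the findings are 'dead' credentials left behind a comment."""
    return sum(1 for _, commented, _ in find_credentials(text) if commented)


if __name__ == "__main__":
    for lineno, commented, value in find_credentials(SAMPLE_CONFIG):
        state = "commented-out" if commented else "live"
        print(f"line {lineno}: {state} credential {value!r}")
```

Running a check like this over configuration files before they are backed up or committed catches exactly the case described above; the same patterns can be pointed at a repository's history, since a credential deleted from the working copy usually survives in earlier revisions.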
Controlling Vehicle Features of Nissan LEAFs Across the Globe via Vulnerable APIs
Troy Hunt, a well-known security researcher, speaker and educator, details the ability to control the features of a Nissan Leaf using the official NissanConnect EV application. He walks through the vulnerability in the API – it was not authenticating the user – and how it could be used to control practically any Leaf around the world!
It is a long read, but both the post and the accompanying video are very interesting and eye opening.
The Barracuda WAF helps secure your APIs effectively and easily. For more information on this, see our blog post series on API security and the WAF, or download this whitepaper (pdf): How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services.
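The flaw Hunt describes is an API that keys an action on a vehicle identifier alone and never establishes who is calling. Below is an added example, not Nissan's code or Barracuda's, contrasting that pattern with a handler that authenticates the caller and then authorizes the action against the vehicle's owner. The vehicle records, identifiers, session tokens and user names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed vehicle store: identifier -> state, including who owns it.
VEHICLES: Dict[str, Dict[str, object]] = {
    "VIN-0001": {"owner": "alice", "battery_pct": 80, "climate_on": False},
    "VIN-0002": {"owner": "bob", "battery_pct": 45, "climate_on": False},
}
# Constructed session table: bearer token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_set_climate(vin: str, on: bool) -> Response:
    """The broken pattern: the request carries only a vehicle identifier, and
    the endpoint acts on it without any notion of a caller."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return Response(404)
    vehicle["climate_on"] = on
    return Response(200, {"vin": vin, "climate_on": on})


def hardened_set_climate(token: Optional[str], vin: str, on: bool) -> Response:
    """Authenticate first, then authorize against the record's owner before
    touching state. A vehicle the caller does not own gets the same 404 as a
    non-existent one, so the endpoint does not confirm which identifiers exist."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return Response(401)
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != user:
        return Response(404)
    vehicle["climate_on"] = on
    return Response(200, {"vin": vin, "climate_on": on})


if __name__ == "__main__":
    print(vulnerable_set_climate("VIN-0002", True))           # succeeds for anyone
    print(hardened_set_climate(None, "VIN-0002", True))       # 401, no session
    print(hardened_set_climate("tok-alice", "VIN-0002", True))  # 404, not alice's car
    print(hardened_set_climate("tok-bob", "VIN-0002", True))  # 200
```

The ownership check is the part a gateway or WAF cannot supply on its own: it knows whether a request carries a valid session, but only the application knows which records that session may act on, so the check has to live in the handler for every state-changing endpoint.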
Multiple CMS Vulnerabilities and Attacks:
The last year has been remarkable for the number of CMS (WordPress, Drupal, etc.) vulnerabilities and the breaches that have resulted. The latest in this line was the breach of the Linux Mint website.
Linux Mint is the most popular Linux distribution these days. In February, the website was hacked via an (as yet) undisclosed WordPress vulnerability. The attackers used this vulnerability to break into the backend of the site and replaced the Linux Mint OS downloads with their own versions of the OS – with malware baked in.
In the upcoming 8.1 firmware release, the Barracuda Web Application Firewall will provide an easy way to secure your WordPress sites via the new template feature. To know more, stay tuned for our detailed blog post on this feature.
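The Linux Mint incident is the case where the file a user downloads is not the file the project built. As an added example (not Linux Mint's tooling or Barracuda's), the following verifies a downloaded image against a published SHA-256 manifest, hashing in chunks so a multi-gigabyte image need not be held in memory. The image bytes and the manifest are constructed for the example; in practice the manifest entry comes from the distributor.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for a genuine image and a tampered copy of it.
GENUINE_IMAGE = b"genuine-iso-bytes-constructed-for-this-example"
TAMPERED_IMAGE = b"genuine-iso-bytes-constructed-for-this-example-plus-payload"

# Constructed manifest: file name -> SHA-256 hex digest of the genuine image.
MANIFEST: Dict[str, str] = {
    "linuxmint-example.iso": hashlib.sha256(GENUINE_IMAGE).hexdigest(),
}


def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so a large image is never read whole."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), chunk_size):
        h.update(view[i:i + chunk_size])
    return h.hexdigest()


def verify_download(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """True only when the file is listed and its digest matches exactly.

    An unknown file name is a failure, not a pass: refusing to install
    something the manifest does not cover is the safe default.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(sha256_of(data), expected)


if __name__ == "__main__":
    print(verify_download("linuxmint-example.iso", GENUINE_IMAGE, MANIFEST))   # True
    print(verify_download("linuxmint-example.iso", TAMPERED_IMAGE, MANIFEST))  # False
```

The check is only as trustworthy as the manifest. When attackers control the site's backend they can publish a manifest matching their modified image, so a digest fetched from the same site proves nothing by itself; the manifest needs to be signed with a key that is not stored on the web server, and the download verified against that signature as well.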