White Hat Hacking with TDL | Security Vulnerabilities in OpenEMR



Hacker Summer Camp!

In August this year, InfoSec professionals descended on Las Vegas for 3 major security conferences – Black Hat, DefCon and B-Sides Las Vegas. Stay tuned over the coming weeks for some interesting announcements and updates from these 3 conferences.

Some of the interesting presentations at Black Hat this year include:

  • Detecting credential compromise in AWS – how Netflix discovers credential compromise in AWS
  • Outsmarting the city – covering insecurities in multiple smart-city IoT devices
  • Applied self-driving car security – security concerns in autonomous vehicles, presented by the team who remotely hacked a Jeep a few years ago
  • Mobile POS security – vulnerabilities and strategies to mitigate risks
  • Understanding and exploiting embedded medical devices – exploitation of pacemakers, pacemaker infrastructure etc.

There will be some eye-opening presentations and very interesting learnings to emerge from Hacker Summer Camp 2018.

OpenEMR Medical Records Storage System

Security researchers at Project Insecurity have discovered 23 security vulnerabilities in the widely used OpenEMR medical records storage system. The vulnerabilities were discovered in version which was patched last month after responsible disclosure by the security researchers. According to The Register, the list of vulnerabilities includes “four remote code execution flaws; nine SQL injection vulnerabilities; arbitrary read, write and deletion bugs; three information disclosure flaws; a cross-site request forgery allowing for remote code execution; deep breath; an unrestricted file upload hole; a patient portal authentication bypass flaw; and administrative actions that can be performed simply by guessing a URL path.”

For Australians, the timing of this release is a little unnerving, given that we are in the middle of the My Health Record opt-out period, and it raises concerns about the security of the data stored in our own national centralised medical records storage system. The My Health Record opt-out period ends on 15th November.

For those who are interested, the full disclosure report can be found here.

Phishing and Phishing Kits Explained

We talk about it a lot, but do you really understand what phishing is and how it works? This article on CSO Online provides really good coverage of phishing, how it works, the components involved and how to protect yourself.

A couple of the key takeaways from the article are:

  • Phishing is a social attack, directly related to social engineering
  • Phishing attacks work because humans are helpful by nature, curious and as a rule don't expect bad things to happen to them as they go about their daily routine
  • Phishing attacks typically stress urgency or play on a person's willingness to help. Phishing attacks can also evoke a sense of fear, by warning of serious consequences
  • Question everything and use two-factor authentication (2FA) whenever possible

Social engineers are masters of their craft, as they know how to prey on our cognitive biases. They know how to push people’s buttons to achieve an outcome – all they have to do is discover the right buttons to push. All of us can fall victim to social engineering if we make these buttons easy to find. So, the biggest takeaway has to be this – be careful what information you share online, as the more you share, the more a social engineer has to work with, and the easier it is to locate the right buttons.

Contact Us today to find out how Thomas Duryea Logicalis can support you with your organisation's security concerns and posture.
