Checklist 381: Kaspersky Ban, the Change Hack, and Virtual Bugs

US Bans Kaspersky Software Citing National Security Concerns

The US Commerce Department has announced a ban on the sale of Kaspersky’s antivirus software to new customers, effective from July 20, citing potential national security threats. Current users will be able to receive updates until September 29, 2024, after which no new features or security updates will be provided. The move aims to prevent any alleged misuse of Kaspersky’s software by the Russian government.

National Security Concerns

Commerce Secretary Gina Raimondo emphasized that the decision was driven by the need to protect national security, highlighting the dual-use nature of technology and data. The ban follows warnings from the US intelligence community regarding the potential for Kaspersky’s software to be used for espionage by Moscow.

Raimondo stated, “When you think about national security, you may think about guns and tanks and missiles… But the truth is, increasingly, it’s about technology, and it’s about dual-use technology, and it’s about data.” She added that the decision came after attempts to find alternative solutions, which ultimately failed due to the Russian government’s offensive cyber capabilities.

Impact on Businesses and Consumers

TechCrunch reported that US resellers of Kaspersky products are facing significant challenges. They must transition their clients to new security platforms by the September deadline. One reseller expressed concerns about financial losses and the lack of clarity on refunds or compensation from wholesalers and Kaspersky.

Commerce Secretary Raimondo urged individual consumers to “immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Kaspersky’s Response

Kaspersky has denied the allegations and plans to pursue legal options to continue its operations. In a statement to Wired, the company argued that the ban was based on geopolitical tensions rather than a thorough evaluation of their products. Kaspersky stated, “Kaspersky does not engage in activities which threaten US national security.”

Sources: TechCrunch, Wired

Change Healthcare Hack Exposes Sensitive Patient Information

Earlier this year, a significant cyberattack targeted Change Healthcare, a company that handles insurance and billing for a vast portion of the U.S. healthcare sector. With access to the health information of roughly half of all Americans, the breach has far-reaching implications.

Breach Details and Security Flaws

In a podcast episode titled “Checklist No. 373 – Change We Can’t Believe In,” the initial breach details were discussed, revealing that the hackers exploited a server without multi-factor authentication (MFA). Andrew Witty, CEO of UnitedHealth, Change Healthcare’s parent company, attributed the lapse to ongoing system upgrades following the 2022 acquisition. Witty expressed frustration, stating, “We were in the process of upgrading the technology that we had acquired. But within there, there was a server, which I’m incredibly frustrated to tell you, was not protected by MFA.”

Exposure of Sensitive Information

The severity of the breach was further detailed in a follow-up episode, “Checklist 374 – 2FA Minus One,” where it was confirmed that the lack of MFA facilitated the attack. Recently, Change Healthcare provided more specifics about the compromised data. According to The Register, the exposed information includes:

• Personal details: First and last names, dates of birth, phone numbers, email addresses
• Health insurance information: Policy details, insurance companies, member/group ID numbers, Medicaid-Medicare-government payer ID numbers
• Health information: Medical record numbers, providers, diagnoses, medications, test results, images, care and treatment
• Financial information: Claim numbers, account numbers, billing codes, payment cards, financial and banking information, payment history
• Additional personal data: Social Security numbers, driver’s licenses or state ID numbers, passport numbers

Despite the breadth of the data, Change Healthcare asserted that full medical histories have not appeared in the data review.

Impact and Notifications

The company has yet to determine the total number of individuals affected. Change Healthcare is working to identify and notify affected individuals, although it may lack sufficient addresses for all. Notifications are expected to start in late July, sent via traditional mail.

Ongoing Concerns

The breach has caused significant concern among patients and healthcare providers. The delay in providing detailed information and the uncertainty about the number of affected individuals exacerbate the issue. Change Healthcare’s handling of the situation continues to be scrutinized, with many awaiting further updates on the security measures being implemented to prevent future incidents.

Source: The Register

Apple Pays Bug Bounty for Vision Pro Vulnerability

In a recent incident, Apple addressed a potentially alarming bug in its Vision Pro headset that could have filled users’ virtual spaces with unwanted virtual objects, such as spiders, bats, or even clowns. The discovery was made by cybersecurity researcher Ryan Pickren, whose findings highlight both the potential dangers of augmented reality (AR) technology and the importance of vigilant cybersecurity practices.

The Vulnerability

According to a report from 9to5Mac, the vulnerability exploited an AR feature that Apple introduced in WebKit back in 2018, which is still present in the latest visionOS. This feature lacks a permission model in Safari, allowing the execution of 3D, animated objects with sound without user consent. Pickren explained that this oversight allowed malicious actors to fill a Vision Pro user’s space with disturbing virtual entities merely by having the user visit a specific website.

Pickren described how Apple’s system usually requires explicit user permission for immersive VR experiences via an OS-level prompt. However, this safeguard was bypassed due to the old AR feature in WebKit, enabling the potential for pranksters or malicious individuals to cause significant distress or even physical harm.

Apple’s Response

Apple promptly patched the vulnerability upon its discovery, ensuring that such exploits could no longer occur. The fix came just in time to prevent any widespread misuse of the bug. For his efforts in identifying and reporting the issue, Pickren was awarded a bug bounty from Apple. While the exact amount of the reward remains undisclosed, it acknowledges the significance of his contribution to the security of Apple’s spatial computing technology.

This incident underscores the critical nature of cybersecurity in emerging technologies like AR and VR. While the bug could have had serious consequences, Apple’s quick response and the bug bounty system’s effectiveness highlight the collaborative efforts needed to maintain robust security standards. The resolution of this vulnerability ensures that Vision Pro users can continue to enjoy their immersive experiences without the threat of unexpected virtual intrusions.

Source: 9to5Mac