This Week In Cybersecurity

This week on Between The Hacks: A dental data breach, the U.S. IoT Security Law, a 2020 Microsoft vulnerability report, the final sunset of Adobe Flash, Rebooting by Lisa Forte and the Smashing Security Christmas party.

One Million US Dental Patients Impacted by Data Breach

Dental Care Alliance (DCA), a Sarasota, FL based dental support company, has begun notifying more than one million patients that DCA was victim of an attack resulting in a data breach.

The attacks began on September 18 but weren’t discovered until October 11. By October 13, the attack was contained.

Infosecurity reports, ”Patient data that may have been accessed in the security incident included names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient's dentist, and health insurance information.”

Even with so much sensitive personal and medical data impacted (pun intended), DCA does not seem to be providing remediation services, like credit monitoring, to the more than 1 million affected by the breach. Databreaches.net asked about this and was told by Dave Quigley, General Counsel for DCA, “Thank you for your inquiry. DCA has notified impacted individuals and all relevant regulatory bodies of this matter. We have seen no specific evidence that personal information was used for malicious purposes. We will continue to do all that is necessary and appropriate to support and inform impacted individuals in the days ahead.”

U.S. IoT Security Law

An important step toward securing the Internet was achieved on December 4, 2020, when President Trump signed an IoT security bill into law. The Internet of Things Cybersecurity Improvement Act of 2020 has been in the works since 2017 and was passed by the U.S. House of Representatives in September 2020 and the U.S. Senate in November 2020.

The bi-partisan team that backed the IoT bill included Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo), and was backed by multiple tech companies, including BSA (The Software Alliance), Cloudflare, CTIA, Mozilla, Rapid7, Symantec, and Tenable, according to SecurityWeek.

Read more on Between The Hacks coverage of this story from earlier in the week.

2020 Microsoft Vulnerability Report

Beyond Trust has released their 2020 Microsoft Vulnerabilities Report. The 18-page report, “compiles every Microsoft security bulletin from the past 12 months, analyzes the trends, and includes viewpoints from security experts.”

Some of the key findings from this year's report include:

• In 2019, a record high number of 858 Microsoft vulnerabilities was discovered

• The number of reported vulnerabilities has risen 64% in the last 5 years (2015-2019)

• Removing admin rights would mitigate 77% of all Critical Microsoft vulnerabilities in 2019

• 100% of Critical vulnerabilities in Internet Explorer & Edge would have been mitigated by removing admin rights

• 80% of Critical vulnerabilities affecting Windows 7, 8.1 and 10 would have been mitigated by removing of admin rights

This Beyond Trust 2020 Microsoft Vulnerabilities Report has been added to the 2020 Cybersecurity Report Roundup where Between The Hacks currently lists 28 similar cybersecurity reports.

A Long Awaited Farewell to Adobe Flash

Last week, Adobe released its final patch updates for Adobe Flash and confirmed that they will, “no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning on January 12, 2021.” Adobe also, “strongly recommends all users immediately uninstall Flash Player to help protect their systems.”

Flash has been in the cross-hairs of the Infosec community for well over a decade. Some companies have banned the application from their enterprise and Apple’s Steve Jobs famously banned Flash on iOS in 2010 because, “Jobs had no faith that Adobe would adequately address the software’s security problems” reported the Cult of Mac.

“Apple, Google, Microsoft, and Mozilla stopped Flash from playing in their browsers years ago, and have committed to excising any remaining Flash-related code entirely by the end of 2020” reports Tripwire.

Over the past 14 years, Adobe Flash has accumulated 1,118 vulnerabilities according to the CVE database. That is an average of almost 80 vulnerabilities per year, or 1 vulnerability discovered every 4.6 days. While Adobe has been responsible about patching, many have waited for this dinosaur code to be put to bed.

You likely do not have Flash on your computer, but if you do, now is the time to remove it. You can do this by following Adobe’s instructions to uninstall Flash for Windows and Mac.

Tip of the Week

REBOOTING By Lisa Forte

Do you want to learn more about cybersecurity from some of the biggest names in the business and get a good laugh? If so. check out Rebooting by Lisa Forte, on Youtube. Some of her interviews have included, Troy Hunt, Shannon Morse, Graham Cluley, Ian Murphy, Chris Hadnagy, Jake Moore, Ken Munro and Kenton Cool.

Lisa is humble, but an infosec powerhouse in her own right. Not only is she producing some informative and entertaining video content, but she is also a Partner at Red Goat Cyber Security and co-founder of Cyber Volunteers 19, a team of infosec professionals whose mission is to, “help healthcare organisations identify, protect, detect and respond to existing and emerging cyber threats using volunteers.”

Rebooting is only six months old but with Lisa’s Rolodex and creativity, I think we can look forward to many great episodes to come.

Picture of the Week

This week’s picture of the week is actually a link to the Smashing Security Christmas Party on YouTube.

“Join Graham Cluley and Carole Theriault for some ho-ho-ho and seasonal hijinx with special guests on THURSDAY DEC 17th. Make sure to hit the [Reminder] button above so you don't forget! Never listened to the "Smashing Security" podcast? Learn more at https://www.smashingsecurity.com or in your favourite podcast app.”