Archive for NEWS

Healthcare site leaks personal health information via Google and Meta tracking pixels

Advocate Aurora Health has disclosed that by visiting its websites users may have shared personal information, and possibly protected health information (PHI), with Google and Meta (Facebook).

Advocate Aurora Health is the 11th largest not-for-profit, integrated health system in the US and provides care for about 3 million patients. The company used tracking technology provided by Google and Meta to understand how patients and others interact with its websites.

The questions Advocate Aurora Health wanted to answer were no different from any other website owner's: How do visitors use its website, what draws them there, and which pages do they visit? That is very useful information if you want to optimize your website, attract more visitors, and build something that actually fits users' needs.

And their solution was no different either: They turned to Google and Meta, who provide website owners with this information through the use of tracking “pixels”. The code behind a tracking pixel can give a website owner useful information about their visitors, such as the type of device they are using, their approximate location (which can be worked out from a user’s IP address), and how they move from page to page across a website. It can also reveal whether visitors are coming from paid ads on Google, Twitter, or Facebook, so companies can tell whether their marketing dollars are being spent productively.

How data can be leaked

What Advocate Aurora Health’s disclosure doesn’t reveal is how the information was shared, or whether or not Google and Meta were aware of it. We note that the language it uses is “disclosed” rather than “gathered”, suggesting that the website over-shared rather than that the trackers overreached.

Although both Google and Meta have, rightly, earned reputations for rapacious data gathering, the details of how their pixels work, and what they do and don’t care about, are important where health information is concerned. It is possible that neither was aware of the nature of the data being shared, and that neither would want the legal or compliance headaches that come with handling it.

If that is the case, it wouldn’t be the first time. Just two months ago North Carolina-based Novant Health notified 1.3 million patients that using the Meta pixel code may have led to unauthorized disclosure of PHI.

In 2015, when the Affordable Care Act’s healthcare.gov website first launched, it was also found to be leaking data to third parties, and it provides a useful lesson in how this can happen.

Simplistically, web analytics and web ad tracking systems want to know the number of individual visitors to the different URLs on a website, and how those visitors got there. Each time a visitor lands on a page, a tracking pixel sends the URL (along with some extra information, such as the browser type, screen resolution, IP address, etc.) to Google, Meta, or whoever, so that they can add +1 to the count for that URL.

The healthcare.gov site used URL parameters to pass information from page to page as people moved through the site. The parameters included the user’s age, zip code, income, and whether or not they were a smoker or pregnant. Since the URLs contained that information, and the URLs were sent to third-party trackers to be counted, the third parties found themselves inadvertently receiving and storing privileged information.
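The leak path above, as an added example that is not code from the article, Advocate Aurora Health, Google, or Meta: a page URL carrying the kinds of parameters healthcare.gov used, a defender-side audit of outbound beacon requests, and redaction of the URL before a pixel reports it. The parameter names beyond those in the article, the `dl` beacon parameter, and the collector host are assumptions.

```javascript
// Added example: how a page URL's query string reaches a tracker, and two
// site-side controls (audit of beacon requests, redaction before reporting).

// Parameter names the article says healthcare.gov carried in its URLs, plus
// assumed names for the appointment data listed in the disclosure.
const SENSITIVE_PARAMS = new Set([
  "age", "zip", "income", "smoker", "pregnant",   // from the article
  "mrn", "provider", "appt_type", "appt_date",     // assumed names
]);

// Constructed sample page URL in the style of the healthcare.gov example.
const SAMPLE_PAGE_URL =
  "https://example.test/plans/compare?age=40&zip=27601&income=52000&smoker=1&pregnant=0&page=2";

// Names of sensitive parameters present in a page URL (case-insensitive).
function findSensitiveParams(pageUrl) {
  const url = new URL(pageUrl);
  return [...url.searchParams.keys()]
    .filter((name) => SENSITIVE_PARAMS.has(name.toLowerCase()));
}

// Redact a page URL before a pixel reports it: drop sensitive parameters and
// the fragment (single-page apps also carry state there), keep the rest.
function redactPageUrl(pageUrl) {
  const url = new URL(pageUrl);
  for (const name of findSensitiveParams(pageUrl)) url.searchParams.delete(name);
  url.hash = "";
  return url.toString();
}

// Strictest option: report only origin and path, never the query string.
function pathOnly(pageUrl) {
  const url = new URL(pageUrl);
  return `${url.origin}${url.pathname}`;
}

// Audit outbound beacon requests (for instance, from a HAR export) and return
// the ones whose reported page URL carries sensitive parameters. The beacon is
// assumed to pass the page URL in a "dl" query parameter.
function auditBeacons(beaconUrls, pageUrlParam = "dl") {
  const findings = [];
  for (const beacon of beaconUrls) {
    const collector = new URL(beacon);
    const reported = collector.searchParams.get(pageUrlParam);
    if (!reported) continue;
    let leaked;
    try { leaked = findSensitiveParams(reported); } catch { continue; } // not a URL
    if (leaked.length) findings.push({ beacon: collector.host, leaked });
  }
  return findings;
}

// Constructed beacons: one naive (full URL), one after redaction.
const SAMPLE_BEACONS = [
  "https://collector.example/collect?v=1&dl=" + encodeURIComponent(SAMPLE_PAGE_URL),
  "https://collector.example/collect?v=1&dl=" + encodeURIComponent(redactPageUrl(SAMPLE_PAGE_URL)),
];
```

Running `auditBeacons(SAMPLE_BEACONS)` flags only the first beacon, with all five parameters from the article listed as leaked.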

Research done by The Markup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

What was disclosed

For Advocate Aurora Health customers, the following information may have been involved:

  • IP address
  • The dates, times, and/or locations of scheduled appointments
  • Their proximity to an Advocate Aurora Health location
  • Information about their provider
  • The type of appointment or procedure
  • First and last name, first name of a proxy, and medical record number
  • Information about whether they had insurance

According to Advocate Aurora Health, no social security number, financial account, credit card, or debit card information was involved in this incident.

Stop tracking me

Advocate Aurora Health disabled and/or removed tracking pixels on patient websites and applications. Luckily, not every website has to worry about that type of private information. Full disclosure, even this site uses tracking technology, but we do understand that you wish website owners didn’t.

There are several things you can do to stop this kind of tracking or limit the consequences.

  • Use a browser that values your privacy. Unfortunately, the browsers most people consider the best are rarely the best when it comes to privacy and security.
  • You can frustrate tracking by blocking and deleting cookies and making sure you log out of Facebook and Google before you visit other sites. However, this requires your full attention and in some of these cases you are relying on technology provided by Google and Facebook.
  • Anti-tracking software is your easy way out. We at Malwarebytes recommend Malwarebytes Browser Guard. You can keep on using Chrome, Firefox, Edge, or Safari, and after the install you can set and forget about trackers. Our browser extension blocks tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment.

Posted in: NEWS


An odd kind of cybercrime: Gift vouchers, medical records, and…food

Someone with a gift for technology but a nasty habit of using it for very bad things has been spared from going to jail with a suspended sentence. Peter Foy, 18 at the time of his antics, racked up a remarkable, and slightly peculiar, list of compromises before being brought before the court.

A strange combination

According to Brighton and Hove News, his spree began in 2019 with the initial purchase of a laptop from Amazon, bought with “fake Honey gift vouchers”. I would love to know more about how this initial foray into system compromise worked, as one would imagine purchasing anything with fake vouchers would be a bit of a tall order. Nevertheless, he did it, and from here a somewhat short life of crime beckoned.

From the South East Regional Organised Crime Unit:

The court heard that on 13 October, 2019, Foy committed fraud in that he made a false representation to Amazon—that he was entitled to use gift vouchers to buy an Acer laptop. It was using this laptop that Foy committed further offences.

From this report, it’s hard to tell if the vouchers were indeed fake, or obtained without permission. His compromise modus operandi was a combination of breaking into networks run by food retailers, and breaking into networks containing confidential patient records. That’s quite a peculiar mixture.

On the one hand, he was “arranging food deliveries” at a cost of thousands to the affected businesses. On the other, he was accessing patient records of a third-party company providing services to the National Health Service. As the release notes, this was during the COVID-19 pandemic, when the last thing we needed was people potentially breaking health record services. Food delivery services also played an important role during lockdown, so any disruption there could also hit those most at risk hard. A strange combination, then, but not a very pleasant one.

Not quite Robin Hood

Eventually, he was grabbed by the long arm of the law. None of the available information explains how this happened, but it’s likely that a trail was left across the compromised businesses. Even a pro can slip up! One last roll of the dice for the defendant remained in the form of claiming that he was notifying and helping the organisations he compromised.

However, he “demanded financial rewards” from the victims, which isn’t how legitimate help works. If this was his version of a bug bounty program, it isn’t a very good one.

The attempt to downplay the crimes didn’t impress the judge much, and he was sentenced to 18 months’ custody, suspended for two years. In addition to this, he’ll also have to perform 300 hours of unpaid work. There’s no word if any sort of ban from using digital technology is included in any of this.

A hopefully short-lived impact

The details released on this set of attacks are unfortunately sparse, and perhaps not as specific as you’d expect. Detective Inspector Rob Bryant had this to say:

This case also serves as a timely reminder to anyone using their financial details online to check the security of the data. Foy was able to gain access to many victims’ accounts as they often used the same passwords across more than one account.

The Detective Inspector also went on to suggest making use of two-factor authentication (2FA), which is great advice.

If you’re notified in the near future that you’ve been impacted, or indeed have been contacted already, here’s what you can do:

  • Take the advice on 2FA. Options include SMS, various apps, or even a physical hardware key. A FIDO2 hardware key is the best option.
  • Grab yourself a password manager. They create and remember strong passwords to prevent reuse, and many will refuse to sign in to bogus websites.
  • The various attacks outlined above likely resulted in the attacker seeing personal data he shouldn’t. This could put those people at an increased risk of social engineering or identity theft.


Looking for student debt relief? Watch out for scammers says the FBI

The FBI believes that scammers may be after people applying for the One-Time Federal Student Loan Debt Relief, a program announced by the Biden-Harris Administration in August 2022 that provides up to $20,000 in student loan debt relief. In a recent public service announcement, the agency warned of fraudulent websites, emails, texts, or phone scams aiming to defraud applicants.

Debt relief is open to people with an income of less than $125,000. Qualified Pell Grant recipients can get up to $20,000, while non-recipients can get up to $10,000.

That’s huge money, so scammers are likely to be paying attention. The FBI wants people to be on their guard for scammers pretending to be working on behalf of the program:

Cybercriminals and fraudsters may purport to offer entrance into the Federal Student Loan Forgiveness program, contacting potential victims via phone, email, mail, text, websites, or other online chat services

It warns that fraudsters may attempt to charge users for services that are free (entrance into the student loan relief program is free and never requires payment), or use the program as an excuse for collecting personal information from victims.

Keeping away from scammers

Here are some to-dos to remain vigilant against scammers who are after student loan relief applicants:

  • Only use official US government websites.
  • Remember that the US government doesn’t charge processing fees.
  • Use your common sense: Think twice before clicking links in emails, downloading attachments, or entering data into websites.
  • Be wary of emails, texts, or phone calls from individuals claiming to be from the government and offering assistance on how to qualify or apply for student loan relief.
  • When you have questions about loan repayments, talk directly with the financial institution or company providing the loan.

If you think you’ve been defrauded, file a report with the FBI’s Internet Crime Complaint Center (IC3), the Department of Education, and the Consumer Financial Protection Bureau (CFPB); call your financial institution to stop or reverse the transaction; and monitor your accounts and credit reports for fraud activity.

Stay safe!


Former cop abused unrevoked system access to extort women

When Bryan Wilson, a former Louisville Metropolitan Police Department (LMPD) officer in Kentucky, pleaded guilty to cyberstalking charges in June, details of his crime weren’t revealed. Now they have.

A new court document discloses facts about how he stole sexually explicit photos and videos from private Snapchat accounts, and what he did with them.

Wilson used his privileged access to Accurint, a powerful data-combining software, to retrieve information about his potential targets. He then shared this information with a criminal hacker, who broke into the women’s accounts to get their nude photos and videos. After acquiring explicit photos and videos, he then attempted to involve their owners in a sextortion scheme.

The FBI defines sextortion as “a serious crime that occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money”.

An example of how Wilson did this is provided by the court document:

Wilson: I’m curious which picture you’d prefer me to use as the focal point of a collage im making…

Victim: Who is this?

Wilson: You cool with me posting em? Im telling you, everyone will LOVE them!

Victim: How did you get these

Wilson: …I had planned to send your pictures to your parents, brother, grandparents, sisters, friends, facebook, pornhub, employer, etc but I would gladly keep all of this between you and I (and tell you who sent them to me) if you promise to leave me out of the drama and show me a few more pics that way we can both benefit…

The document doesn’t reveal if any of Wilson’s victims complied, but it said he posted the explicit content online and bragged about his exploits. In one case, Wilson sent a victim’s photos to her employer, which almost resulted in her termination.

Furthermore, Wilson conspired with others to engage in cyberstalking and extorting young women online. They would give Wilson a target by reaching out to him via his Kik account. Once he had successfully hacked the victim’s account, Wilson shared the stolen media with them.

“Wilson caused his victims untold psychological trauma, not only by extorting them and publishing their explicit photographs and videos online, but also by demeaning and insulting them during his text exchanges, calling them sluts, whores, and bitches,” the document states.

What wasn’t included in the court document but Courier Journal touched on was the fact that Wilson was no longer an LMPD officer when he stalked and extorted his victims. Two months after his resignation in July 2020, Wilson still had access to the Accurint system until it was disabled sometime in October 2020, when his crime spree officially ended.

“Upon discovering this, LMPD immediately disabled the Accurint access,” a statement from the department said. “A review was performed, and procedures have been put in place to ensure all access is suspended once a member separates from LMPD.”

Wilson faces a maximum penalty of 15 years in prison. This includes the sentence for a separate case wherein he violated the civil rights of Louisville pedestrians by throwing beverages at them while in uniform.


Gas, a positive social network for teens (no, really)

A new social network is currently in the news, billed as a positive space for teens to enjoy themselves. I’m all for positive spaces online, but what is it, and will teens really be happier there than (say) Instagram, or even just hanging out in WhatsApp groups?

Pump the gas

Launched in August of this year, Gas is an iPhone app aimed at teens. When you sign up, you use location services to allow the app to figure out which schools are nearby. During sign-up you add friends, and according to this review, it requests access to your contacts.

Once all of this is done, it allows users to share polls (with four options for each, based on what I’ve seen so far) and these happy, friendly polls let you “see who secretly likes you”, or feel a dopamine rush as you find out you’re most likely to do a really cool thing at band practice.

That seems to pretty much be it. The Gas app team refers to it as “The only wholesome place left on the internet” on their TikTok profile. In fact, with the app being very region restricted, it’s one of the first times I’ve had to figure out what something actually does by trawling through TikToks in the first place.

How restricted? We’re not talking about countries. We’re talking about individual states in the US, with Michigan being the initial launchpad, with several more added since.

A little too exclusive

This is the very definition of a super exclusive Internet club, but often to the app’s detriment if you’re trying to find out what it does and does not do. For example, I had to find out about location tracking and messaging policies through a TikTok video.

For reference, the TikTok clip states that messaging is not allowed; all that you can do is “answer polls about friends”. It also says that Gas “only uses your rough location to join a school and never saves it”. Even so, it’s not unreasonable to think that even if rough locations are never saved, having a user associated with a physical object (the school) means an association to location as far as the users are concerned, even if the app has no interest in such things. Generally speaking, school buildings don’t move around very much!

On the flip side, this is something very unlikely to cause an issue given how limited the app is in terms of functionality. There isn’t much scope for social engineering when there’s no messaging allowed and only polls to click on.

A neutered net?

There don’t appear to have been any major complaints in relation to the app so far, and as far as we can tell, users’ experiences have been consistent with the developers’ claims. Even so, there are still a lot of unknowns here. Are you able to create custom polls, or is everything done via pre-selected polls which you can lightly customise? We don’t know, and poll creation isn’t touched on in the news.

Is there a possibility of Fear of Missing Out (FOMO) if children aren’t selected in polls? Perhaps, but as the developers mention, children who haven’t been picked “recently” will find themselves automatically dropped into other polls more frequently to give them a chance. How online can we consider these teens to be if their only possible route for interaction with other people is clicking one of four options in a poll? And how online will they feel, if their peers are using Instagram, Snapchat, WhatsApp, and TikTok?

Perhaps they’ll grow bored of Gas, or use it alongside their usual haunts. There isn’t enough data available yet, so we’re just going to have to see where it goes. Cyberbullying is an awful thing to have happen to your child, and the increasingly long list of things you need to do in these situations is always a cause for concern.

If the app is doing what it claims and kids are getting a positive buzz from interactions from a fairly closed circle, who am I to argue?
