Article Details

Scrape Timestamp (UTC): 2023-11-13 06:33:46.359

Source: https://www.theregister.com/2023/11/13/royal_mail_cybersecurity_still_a/

Original Article Text


Royal Mail cyber security still a mess, say infosec researchers

ALSO: most Mainers are MOVEit victims, NY radiology firm fined for not updating kit, and some critical vulnerabilities.

Infosec in brief After spending almost a year cleaning up after various security snafus, the UK's Royal Mail has left an open redirect flaw on one of its sites, according to infosec types. We're told this vulnerability potentially exposes customers to malware infections and phishing attacks.

Open redirects essentially allow attackers to use a legitimate website or web application – in this case, a Royal Mail website – to redirect users to a malicious website by manipulating the URL. The flaw arises when the application doesn't validate the user-supplied redirect target, so miscreants can point it wherever they please. Once they've tricked users into going to a fake website, criminals can steal credentials and financial account information, or fool visitors into downloading malware.

According to a Cybernews investigating team, one of the British postal service's websites has this type of security flaw, which potentially sets customers up for phishing attacks. The researchers did not say which site has the issue, since it appears to be still actively exploitable.

"We've repeatedly informed the company about the flaw, and the site in question has been down for months now, indicating that Royal Mail is working to mitigate the issue or has already done so," Cybernews's Jurgita Lapienytė explained. "The company has yet to respond to our requests for comments."

The Register hasn't heard back, either.

Critical vulnerabilities of the week

It's been a bit quiet this week – great for giving overworked security professionals a bit of a break. That said, there are a few new critically risky vulnerabilities to report, and one new known exploit to be wary of – even though it's not critical.

The issue, CVE-2023-29552, is in the Service Location Protocol, which is used by a wide variety of devices to find services on local area networks. A vulnerability in the protocol allows unauthenticated remote attackers to register arbitrary services, which can be used to spoof UDP traffic and conduct a denial-of-service attack.

Elsewhere:

Nearly everyone from Maine is a MOVEit victim, state admits

Attention, residents of the US state of Maine: There's a distinct possibility that your data was exposed when the state government's MOVEit instance was compromised earlier this year. Maine's government has admitted that it, too, was a victim of mass exploitation of vulnerabilities in Progress Software's MOVEit file transfer application, which it said is used by several state agencies. According to Maine's investigation of its MOVEit breach, data belonging to approximately 1.3 million people was compromised.

According to the most recent US census data, Maine's population is around 1.39 million.

The data stolen varies from person to person based on their association with the state government, but includes name, social security number, birthdate, tax information, and medical information. More than half of the data stolen originated with the Maine Department of Health and Human Services, with another 10 to 30 percent stolen from the Maine Department of Education.

Maine's government is asking everyone to contact the state's call center dedicated to the MOVEit breach, which is linked above. Affected individuals are being offered free credit monitoring services.

New York radiology firm pays $450k for failing to protect patient data

A ransomware attack on a radiology group in New York state that affected 92,000 residents has resulted in a $450,000 fine because the company failed to upgrade its systems to prevent known attacks.

According to the New York Attorney General's office, US Radiology Specialists "failed to adopt reasonable data security practices to protect patients' personal information by failing to protect its firewall from a known vulnerability."

"When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said NY AG Letitia James.

The incident that spurred the payout occurred in late 2021, and affected a number of healthcare firms that US Radiology contracted with. The AG's office said that attackers made off with names, birthdates, social security numbers, driver's license information, diagnoses and other personal information. A total of 198,260 people had data stolen, including the 92,000 New Yorkers.

"In the face of increasing cyber attacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems," James warned.
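The open redirect item above describes the flaw in one sentence: the site copies a user-supplied redirect target into its response without checking where it points. The following is an added example, not code from The Register, Cybernews or Royal Mail, showing that flawed pattern next to a hardened replacement. The host names in ALLOWED_HOSTS and the ?next= parameter name are constructed for the example; it makes no claim about how the affected Royal Mail site is built.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect is permitted to land on. Constructed for this example; a real
# deployment lists its own origins here (hypothetical names).
ALLOWED_HOSTS = {"www.example-postal.test", "track.example-postal.test"}


def vulnerable_redirect_target(next_param: str) -> str:
    """The open-redirect pattern: the value of ?next= (or ?returnUrl=, ?goto=,
    ...) is copied straight into the Location header with no validation, so the
    trusted domain can be used to send a user anywhere."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a redirect target that can only land on this site or an
    allow-listed host.

    Rules, applied in order:
      1. empty value -> default
      2. backslashes become slashes, because browsers read "/\\evil" as "//evil"
      3. an absolute or scheme-relative URL is accepted only if it is https to an
         allow-listed host, and is rebuilt from parsed parts so userinfo
         tricks ("https://evil@good/") and ports are dropped
      4. anything else is a site-local path; leading slashes are collapsed so
         the result can never turn into a scheme-relative "//host" URL
    """
    if not next_param:
        return default
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))

    # Relative target: exactly one leading slash, path and query only.
    path = "/" + parts.path.lstrip("/")
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample values a login page might receive in ?next=
    samples = [
        "/account/settings",
        "//evil.test/phish",
        "/\\evil.test",
        "////evil.test",
        "javascript:alert(1)",
        "https://evil.test/login",
        "https://evil.test@www.example-postal.test/x",
        "https://track.example-postal.test/item?id=42",
    ]
    for s in samples:
        print(f"{s!r:50} vulnerable -> {vulnerable_redirect_target(s)!r:45} safe -> {safe_redirect_target(s)!r}")
```

The allow-list comparison uses the parsed hostname rather than a string prefix check, which is the usual mistake: a prefix check accepts "https://www.example-postal.test.evil.test/". Returning a path-only string for relative targets also means the Location header can never carry a host the server did not choose.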

Daily Brief Summary

CYBERCRIME // Royal Mail Security Flaw Exposes Customers to Phishing Risks

The UK's Royal Mail has an open redirect flaw on one of its websites, potentially endangering customers.

Vulnerability could lead to malware infections and phishing attacks by redirecting to malicious sites.

Despite notification, Royal Mail has not publicly addressed the issue; the affected site remains down.

Maine state government's MOVEit instance breach exposes data of approx. 1.3 million people.

Compromised data includes sensitive information; the state is offering free credit monitoring to affected individuals.

New York radiology firm fined $450k for a data breach after failing to protect systems from known vulnerabilities.

US Radiology Specialists' data breach in 2021 affected personal information of nearly 200,000 individuals.