Weekly podcast: LastPass (again), NHS phishing, garage doors and Samsung smart TVs

This week, we discuss a new vulnerability in LastPass’s browser extensions, phishing at the Leeds Teaching Hospitals NHS Trust, Internet-connected garage door opener Garadget, and a new exploit that hacks Samsung smart TVs via radio signals.

Hello and welcome to the IT Governance podcast for Friday, 7 April 2017. Here are this week’s stories.

A couple of weeks ago, I talked about a number of vulnerabilities affecting LastPass’s browser extensions, which could have allowed attackers to retrieve login credentials from its password manager. The following weekend, Tavis Ormandy of Google’s Project Zero, who discovered the flaws, tweeted that he’d had an epiphany in the shower: he’d worked out how to achieve remote code execution in LastPass version 4.1.43. He dutifully informed LastPass and put his pants on.

Last Friday, having fixed the issue, LastPass provided details. “This was a client-side vulnerability in the LastPass browser extensions,” it said, “[that] could be exploited to steal data and manipulate the LastPass extension” via an attack “executed through the user’s local browser” after they’d been lured “to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware”.

An update has been released. Most users will be updated automatically, but, if you haven’t, you can – and, indeed, should – download version 4.1.44 from lastpass.com.

Phishing remains a popular method of spreading malware as it exploits human fallibility – which is widely recognised as the weakest link in the security chain. After all, no matter what technological solutions you have in place, a single employee’s ill-judged response to a phishing email can cause a data breach.

Healthcare organisations in particular are valuable targets because of the highly confidential data they store, so it’s worth applauding the actions of one of the biggest NHS trusts, the Leeds Teaching Hospitals NHS Trust, which recently undertook a cyber security exercise to test its staff’s responsiveness to phishing and spear-phishing attacks.

According to a report to its audit committee, it sent a fake phishing email to see whether any of its 17,000 members of staff would be tricked into disclosing confidential information. 400 employees (around 2.3% of all staff) responded, revealing confidential information, such as passwords or network credentials.

Testing staff vulnerability to phishing attacks is a vital part of any risk-based information security management system, and helps minimise the risk of attackers gaining access to your systems.

They say there’s no such thing as bad publicity. I wonder if Denis Grisak agrees. Grisak is the maker of Garadget – an Internet-connected garage door opener, which enables forgetful householders to open and close their garage doors via the Internet. According to the BBC, Garadget “raised nearly $63,000 (£50,000) on the crowdfunding site Indiegogo last year”, so things seem to have been going pretty well – even if a number of customers expressed dissatisfaction with the product.

When, on 1 April, Garadget customer Robert Martin called it “a piece of junk” in an Amazon review and a piece of something else in a post on Garadget’s own community board, Grisak took exception and the extraordinary step of blocking Martin from using it, saying: “I’m happy to provide the technical support to the customers on my Saturday night but I’m not going to tolerate any tantrums. […] Your unit ID 2f0036… will be denied server connection.”

Other forum users were quick to criticise, with some pointing out that his actions were illegal, prompting Grisak to quickly backtrack and restore Martin’s access, admitting that it wasn’t the “slickest PR move” on his part. Judging by the reviews that are still appearing on Amazon, he could be right. As one commenter on Garadget’s community board put it: “your sales are going to tank if people think you have a killswitch to be fired any time they say something you don’t like… Which, y’know, you currently do.”

Talking of the Internet of Things, you may remember that last month I mentioned the Weeping Angel attack, an exploit apparently used by the CIA to hack Samsung smart TVs – according to the last batch of documents released by WikiLeaks. Now, Ars Technica reports that security researcher Rafael Scheel has demonstrated another proof of concept exploit that hacks Samsung TVs. But this attack is far simpler: it “uses a low-cost radio transmitter to embed malicious commands into a rogue TV signal.”

The attack could work against many TVs at once. “Once a hacker has control over the TV […] he can harm the user in a variety of ways,” Scheel said. “Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone.”

According to Ars Technica, if a TV station was compromised, “the attackers could surreptitiously embed malicious code into the signal being broadcast to millions of TVs. Embedding malicious commands into broadcasts from cable or satellite providers is also theoretically possible”.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s April book of the month is our bestselling GDPR pocket guide – the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the General Data Protection Regulation. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.