LifeLabs hacked; patient data compromised

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.

More about those troubling emails

Some months ago I wrote about the flood of ‘sextortion’ emails almost all of us have been receiving since mid-2018.

Now Brian Krebs reports that the person who most likely wrote the code that started the wave of sextortion emails has surrendered to authorities in France, after being pursued across Europe.

It’s too soon to know what kind of punishment this jerk will face, but here’s hoping it’s significant.

Patch Tuesday for December 2019

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe logoAdobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.

Firefox 71.0

Firefox is my current web browser of choice. I use Google Chrome sparingly, because it’s gotten so bloated and resource-intensive that I can’t leave it running. Perhaps that will change; it wasn’t that long ago that Chrome seemed like the best choice.

I still use Opera and Vivaldi for certain specific activities. And while there’s still no way I can stop using Internet Explorer altogether, I only do so when absolutely necessary. I avoid Edge completely, as it seems hopelessly buggy. There are other alternatives, but for now, Firefox is my main browser.

The latest version of Firefox is 71.0. The new version improves some existing features and adds a few more. Several bugs are fixed, including some security vulnerabilities.

New in Firefox 71.0

  • The integrated password manager, which Mozilla calls Lockwise, now differentiates between logins for different subdomains. If you have one login for subdomain1.domain.com and another for subdomain2.domain.com, they will no longer be conflated.
  • Lockwise will also now display a warning if it finds one of your passwords in a list of potentially compromised passwords.
  • The Enhanced Tracking Protection feature will now show a notification when Firefox blocks cryptomining code. You can see what Firefox is blocking by clicking the small shield icon at the far left of the address bar.
  • You can now view video in a floating window using the Picture-in-picture feature. Look for a small blue button () along the right edge of a video and click it to pop out the PiP window.

Security fixes

Eleven security vulnerabilities are addressed in Firefox 71.0. None of them are ranked as critical, and there doesn’t seem to be any evidence that any have been used in actual attacks. Still, it’s best to close those holes before they can be exploited.

How to update Firefox

Check which version of Firefox you’re running by navigating its ‘hamburger’ menu (at the top right) to Help > About Firefox. If you’re not running the latest version, you should see a button that will allow you to upgrade.

MORE Windows 10 update problems

Today’s nightmare is brought to you by Microsoft

An open letter to Microsoft:

Dear Microsoft –

Please either allow us to disable Windows 10 updates, or stop pushing out updates that break millions of computers worldwide every few weeks.

Sincerely,
Almost a billion Windows 10 users

The problems with Windows 10 updates are getting worse, not better. The last major feature update (1903) had major issues at release, and more seem to be turning up with each new set of “quality” updates. Those quotes around the word ‘quality’ are very intentional, by the way.

I’ve just spent most of a day troubleshooting and fixing a heinous set of problems related to printing, affecting most of the computers at a retail client. Printing is a critical function for this client, as it is for most businesses.

What follows is the sequence of events leading up to the printing problem, and what finally fixed it.

All of the computers are running 64-bit Windows Professional release 1903 (build 18362.356).

SUMMARY: Update 4522016, which apparently caused these printing problems on some computers, was never installed on any of the affected PCs at this business. Update 4524147 caused the printing problems it was supposed to fix. Uninstalling update 4524147 fixed the printing problems on three otherwise up-to-date Windows 10 PCs.

  1. 2019Oct03: Update 4524147 was installed automatically on all affected PCs. This happened overnight, which is normal for these PCs.
  2. 2019Oct04: The client reported printing problems on several PCs.
  3. 2019Oct04: The usual troubleshooting for printing issues was ineffective. Research eventually showed that a recent Windows update (4522016) was causing printing problems for many users. But that update was never installed on any of the affected PCs.
  4. 2019Oct04: Since printing was working fine before 4524147 was installed, I uninstalled that update, and printing started working again. Repeating this on all affected computers resolved all the printing problems.
  5. 2019Oct05: On trying to log into one of the recently-fixed PCs, Windows 10 told me that the Start menu was broken. Research showed that update 4524147 was causing this problem (the second time an update broke the Start menu in recent weeks). I checked, and sure enough, 4524147 had been reinstalled automatically overnight. Uninstalling it fixed the Start menu.
  6. 2019Oct05: To delay recurrence of the printing problem, I used the Advanced settings on the Windows Update screen to delay updates as long as possible. On most of the PCs, I was able to delay updates for between 30 and 365 days. On one PC, these settings were inexplicably missing. I eventually had to use the Local Group Policy Editor to make the necessary changes.
  7. 2019Oct04: I reported this bizarre situation to Microsoft via its Windows 10 Feedback hub. It’s difficult to know whether anyone at Microsoft will actually see this, or take it seriously. I have doubts, which means that this problem seems likely to reappear at some point.

As predicted

This is in fact the nightmare scenario envisioned by myself and others when it became clear that Windows 10 updates would not be optional. While Microsoft has — grudgingly — made it possible to delay updates, it’s still not possible to avoid them completely, and if you’re one of the unlucky Windows 10 Home users, even that’s not an option.

Questions for Microsoft

Why did an update intended to fix printing problems actually cause those exact problems?

Why are some of the advanced Windows Update settings missing from one of several identically-configured Windows 10 PCs running the same build?

Why are you inflicting this garbage on us? Do you hate us?

WHY DON’T YOU LET US TURN OFF UPDATES? This is the simplest solution, and while I understand that you want Windows 10 installs to be secure (and that means installing fixes for security vulnerabilities), until you can produce updates that don’t cause massive problems, we don’t want them.

Related links

Update 2019Oct10: Apparently update 4517389, released on October 8 along with the rest of October’s updates, addresses this problem.

Firefox 69.0.1

A small update to Firefox 69 was released last week: 69.0.1. The new version addresses a single security vulnerability, fixes a rather annoying new bug that caused processes launched from Firefox to be hidden by Firefox, and fixes a few other minor issues.

Check your version of Firefox by clicking its ‘hamburger’ menu button at the top right, then navigating to Help > About Firefox. If a newer version is available, you’ll see an Update button.

Emergency fix for Internet Explorer

If you’ve ignored the almost continuous advice of IT experts over the last decade or so, and are still using Internet Explorer for web browsing, you should stop what you’re doing and install a new security update, just released by Microsoft.

The update fixes a critical vulnerability (CVE-2019-1367) in IE 9, 10, and 11 that could allow a remote attacker to execute code on your computer, if they are able to trick you into visiting a specially-crafted web page.

Even if you don’t actively use IE, if it’s installed on your Windows computer (and it almost always is), you may run it accidentally, or it may become the default web browser because of another Microsoft update. In other words, everyone running Windows 7, 8.1 and 10 needs to install the fix, which exists in several different versions, each for a specific combination of Windows version and IE version (as outlined in Microsoft’s related security bulletin).

For example, on my main Windows computer, on which I run 64-bit Windows 8.1 and IE 11, the relevant update is designated 4522007.

These updates are not available via Windows Update. To install the update for your computer, follow the appropriate link in the security bulletin. Eventually you’ll end up at the Microsoft Update Catalog. Locate the update you want, then click the Download button to begin.

Four security fixes in Chrome 77.0.3865.90

Like it or not, Chrome is the web browser that’s taking over the world. I use Chrome sparingly these days, mainly because recent versions have problems playing streaming video reliably, and because it seems to drain system resources more than other browsers — especially on mobile devices.

Still, Chrome has a lot going for it, and it remains a solid alternative to Firefox and the numerous browsers that, like Chrome, are based on the Chromium engine. Google welcomes — and indeed, rewards — vulnerability reports, and they act quickly to fix and release updates for Chrome.

Chrome 77.0.3865.90 includes fixes for four security vulnerabilities, all of which were reported by researchers not employed by Google. The full change log lists a few minor tweaks and obscure bug fixes.

Check your Chrome version and update it to the latest version by clicking the browser’s ‘three vertical dots’ menu button and navigating to Help > About Google Chrome.

Opera security updates

Two new versions of Opera were released recently. The first, Opera 63.0.3368.88, includes security fixes and crash fixes. The release announcement doesn’t mention the vulnerabilities addressed in 63.0.3368.88, and neither does the change log, which is annoying. Presumably it’s left as an exercise for the user to research vulnerabilities in Opera, as documented on sites like Mitre.

The second new version, Opera 63.0.3368.94, sports a new version of the Chromium engine and more crash fixes. Again, there’s not much to learn from the release announcement or change log.

To check the version of Opera you’re running and install any available new version, click Opera’s menu button (the big ‘O’ at the top left usually) and navigate to Update & Recovery…

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.