HIMSS Warns of Abuse of API Weaknesses and USB-Based Cyberattacks


HIMSS has issued its June Healthcare and Cross-Sector Cybersecurity Report, warning healthcare organizations about the exploitation of weaknesses in application programming interfaces (APIs), man-in-the-middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations are also urged to be alert to the possibility of USB devices being used to gain access to isolated (air-gapped) systems, and to the growing use of Unicode characters to create look-alike domains for phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to break into healthcare systems. Attackers are therefore looking for alternative, easier routes to sensitive data. Vulnerabilities in APIs are one such weak point, and many cybersecurity professionals believe APIs may well become the next major attack vector.

Using APIs in application development has become standard practice: it is easier to use a third-party service than to build functionality from scratch, and APIs let healthcare organizations integrate third-party services. A OnePoll survey found that organizations manage 363 different APIs on average, and that two-thirds of organizations expose their APIs to the public or to partners. As with any software, if vulnerabilities exist it is only a matter of time before they are exploited. An API exposed to partners or the public is subject to the same authentication, authorization and input-validation failures as any web application, so it should be inventoried and tested in the same way.

Torsten George, writing at SecurityWeek, has described a number of ways in which APIs can be abused to gain access to sensitive data.

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names (internationalized domain names, or IDNs) lets cybercriminals easily register highly convincing look-alike domains using homographs. To the casual eye these domains can be almost indistinguishable from the genuine domain, making them ideal for phishing attacks. Examples include substituting the Cyrillic small letter a for the Latin a, or the Latin small letter iota or the Latin small letter dotless i for an i. In DNS such names are carried in their Punycode form (an ASCII label prefixed with xn--), which is how they appear in resolver and proxy logs and is the form to match against allowlists; browsers differ in whether the address bar shows the Unicode or the Punycode form. Farsight Security has published a useful report on the subject, its Global Internationalized Domain Name Homograph Report.
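As an added illustration (not part of the HIMSS report or the Farsight report), the following Python script shows the two checks a mail gateway or web proxy can apply to a domain before a user sees it: converting the name to the Punycode form DNS actually resolves, and detecting labels that mix scripts. It also shows the caveat that a mixed-script check alone misses same-script confusables such as the dotless i or Latin iota, which need a confusables table instead. The allowlist, the sample domains and the small confusables table are constructed for this example.

```python
import unicodedata

# Hypothetical allowlist of names we defend (constructed for this example).
PROTECTED = {"apple.com", "hospital.example"}

# Small confusables table covering the substitutions the report names
# (Cyrillic a, Latin iota, dotless i) plus a few common Cyrillic look-alikes.
# A production check would load the full Unicode confusables.txt (UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0269": "i",  # LATIN SMALL LETTER IOTA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Constructed sample domains: one genuine name and three homograph look-alikes.
SAMPLES = [
    "apple.com",
    "\u0430pple.com",          # Cyrillic a for Latin a (mixed script)
    "hosp\u0131tal.example",   # dotless i for i (Latin only, so not mixed)
    "hosp\u0269tal.example",   # Latin iota for i (Latin only, so not mixed)
]


def to_punycode(domain: str) -> str:
    """ASCII form the resolver uses: non-ASCII labels become xn--... labels.
    This is what appears in DNS logs and is the form to match allowlists on."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts present in one DNS label, taken from the first word of each
    character's Unicode name (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphen are script-neutral
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def skeleton(domain: str) -> str:
    """What a human sees: fold known confusables onto their ASCII look-alikes
    (a simplified form of the UTS #39 skeleton transform)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def assess(domain: str, protected=PROTECTED) -> dict:
    """Return the indicators a gateway would log for one domain."""
    domain = domain.lower()
    labels = domain.split(".")
    # Scripts across all labels except the TLD.
    scripts = set().union(*(label_scripts(lab) for lab in labels[:-1]))
    ascii_form = to_punycode(domain)
    looks_like = skeleton(domain)
    # Flag only when the visual twin is a protected name and is not the
    # domain itself, so the genuine domain is never flagged.
    impersonates = None
    if looks_like in protected and looks_like != domain:
        impersonates = looks_like
    return {
        "domain": domain,
        "punycode": ascii_form,
        "is_idn": ascii_form != domain,
        "mixed_script": len(scripts) > 1,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for d in SAMPLES:
        r = assess(d)
        print(f"{r['punycode']:<28} idn={r['is_idn']!s:<5} "
              f"mixed={r['mixed_script']!s:<5} impersonates={r['impersonates']}")
```

Running the script shows the Cyrillic-a domain caught by both the mixed-script and the confusables check, while the two Latin-only substitutions pass the mixed-script check and are caught only by comparing the skeleton against the protected list; that is why a script check is a useful first filter but not sufficient on its own.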

New USB-Based Attack Technique Detailed

Eleven Paths has detailed a new attack technique that exploits hidden networks created by USB devices. The technique could allow access to isolated computers that are not connected to the Internet. Simply disconnecting a computer from Wi-Fi or not connecting it to a network via an Ethernet cable may not be enough to prevent a malicious actor from gaining access to the device and the sensitive data it holds, as the Stuxnet infection of air-gapped control systems at Iran's Natanz uranium enrichment facility, introduced via USB drives, demonstrated. The practical controls are to restrict which USB device classes a host will enumerate (removable storage and network adapters in particular) and to monitor for new network interfaces appearing on machines that should have none.