The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 42

Friday 1 April 2016

Contents

Anonymous hacks NSA's Bluffdale facility
Henry Baker
"Apple Offers to Buy CryptoWall for $10 Billion"
Henry Baker
Apple Agrees to DoJ Encryption Demands
Mark Thorson
Apple, FBI reach historic public key escrow agreement
Henry Baker
Advances in Autonomous Burgerdom?
PGN
Re: Pentagon skips tests on key component of U.S.-based missile defense system
Fred Cohen
Heating up deep sea water to reduce global warming
Fred Cohen
1,418 remotely exploitable flaws found in automated medical supply system
Darlene Storm via Drew Dean
2000 tons of nuclear materials `just aren't secure as they need be'
Al Mac
How to Hack an Election
Bloomberg
Tech titans release new email security standard
Michelle Goodman via DH
CNBC passwords, Motherboard
boingboing
The Apple-FBI Battle Is Over, But the Crypto Wars Have Just Begun
WiReD
Should hackers help the FBI?
NYTimes
Hackers Seek Ransom From Two More California Hospitals
Chad Terhune
Smooth Criminal: Meet USB Thief, Malware That Can Attack Systems Without Leaving Any Trace
Santiago Tiongco
More background on the MedStar fiasco
Al Mac
Why Ransomware loves Hospitals
Al Mac
Re: Bangladesh bank heist to Philippines to Chinese
sundry sources via Al Mac
Stefan Savage receives RISKS-relevant award
ACM/Infosys Foundation
Info on RISKS (comp.risks)

Anonymous hacks NSA's Bluffdale facility

Henry Baker <hbaker1@pipeline.com>
Fri, 1 Apr 2016 00:51:00 -0700
FYI—This just in...

Bluffdale, UT—April 1, 2016—Hacker cooperative Anonymous today
announced that they have successfully hacked the NSA's massive Bluffdale,
UT, data storage complex and encrypted all of its petabytes of data with
ransomware.

According to an Anonymous spokesperson "sneaker", "This is the largest
encryption operation ever attempted, and the Salt Lake City lights dimmed
measurably throughout the computationally intensive process."

Anonymous continued, "We are not holding this data hostage nor are we asking
for any Bitcoins.  We will leave the decryption keys to this data under the
front doormat of a U.S. government facility somewhere in the world."

An NSA spokeswoman said that she "could neither confirm nor deny" the
Anonymous claims, but she did admit that whenever snow fell on the Bluffdale
facility, it immediately melted.

Anonymous was able to hack into the Bluffdale facility via a simple e-mail
phishing attack that promised cheats, mods and hacks of the Minecraft video
game.

A retired DoD official "close to the NSA" said that it took an entire year
for Anonymous to encrypt all these petabytes of data, but NSA hadn't noticed
because the Bluffdale stores only internationally intercepted data, which
NSA seldom—if ever—examines.

Story developing...


"Apple Offers to Buy CryptoWall for $10 Billion"

Henry Baker <hbaker1@pipeline.com>
Fri, 1 Apr 2016 00:12:21 -0700
"Apple Offers to Buy CryptoWall for $10 Billion"
"Plans to dominate the burgeoning data protection market"

One Infinite Loop, Cupertino, CA—April 1, 2016—Apple Computer today
announced its plan to purchase the data protection business CryptoWall for
$10 billion.  The deal is expected to close before the end of 2016 after
securing the approval of regulators.

Apple CEO Tim Cook laid out the rationale for the purchase:  "Apple Computer
has always insisted upon the privacy and security of its customers.  We were
the first to incorporate default full-disk encryption, and CryptoWall is
the obvious next step in protecting our customers' data confidentiality."

"CryptoWall's product is in daily use by government agencies, businesses,
and ordinary citizens; they have the best name recognition and brand image
in the data-protection business," explained Cook.


Apple Agrees to DoJ Encryption Demands

Mark Thorson <eee@sonic.net>
Fri, 1 Apr 2016 00:01:02 -0700
"We are pleased to announce an agreement with the Department of Justice to
satisfy 90% of our customers' uses of encryption while meeting law
enforcement needs," said an Apple spokesperson.  "The changes will take
effect on all Apple devices with the next software update."

Critics decried the encryption standard, known as ROT13, as *a step
backward* and *almost the same as no encryption*.  "ROT13 provides
sufficient encryption for the vast majority of our customer needs," Apple
responded, adding that "third-party software can provide higher security
for those rare cases where it is needed."  Industry insiders note that
high-security apps are systematically excluded from the Apple Store.


Apple, FBI reach historic public key escrow agreement

Henry Baker <hbaker1@pipeline.com>
Fri, 1 Apr 2016 00:34:19 -0700
One Infinite Loop, Cupertino, CA—April 1, 2016—Apple Computer and the
FBI made a joint announcement today regarding a breakthrough solution to the
collision between Apple's full-disk encryption system and lawful searches
pursuant to court orders.

"We have to thank FBI Director Jim Comey for continuing to insist upon
thinking out of the box; he thought all along that the tekkies in Silicon
Valley would eventually be able to come up with an equitable solution for
all parties.  We and the FBI have been working around the clock for the past
several months and this cooperation has finally paid off."

"We at Apple have agreed to put all of our customers' public keys into an
escrow database managed by the FBI.  When a court so orders, the FBI can
search this database and produce any particular customer's public key," said
Apple CEO Tim Cook.

FBI's Jim Comey enthusiastically supports the new key-escrow system.  "Back
in the '90's, there were many key escrow suggestions that just couldn't be
made to work.  But this new key-escrow system—which I named 'public key
escrow'—is an idea whose time has finally arrived."

MIT Professor Ronald Rivest—the 'R' in the 'RSA' public-key cryptographic
system devised in the 1970's—said "The idea of putting the public key
into an escrowed database managed by a trusted third party never occurred to
any of the three of us during the past 40 years."  Rivest continued, "Now
that this 'public key escrow' idea is out there, I can see other potential
applications—such as hiding one's public key under his own front
doormat."

Whit Diffie—one of the inventors of the Diffie-Hellman exchange so
critical to e-commerce today—praised the innovative thinking behind the
public key escrow system, "It's nice to see that both Apple and the FBI will
be able to save face and claim victory here; this is a win-win solution for
everyone."

Apple's Cook added, "We believe we can trust the FBI with our users' public
keys; after all, our country has trusted the FBI with so many citizens'
private data ever since its founding by J. Edgar Hoover in 1924.  Apple is
also pleased that the FBI has stepped up to operate this 'public key escrow'
database; the Internet industry has had trouble coming up with a business
model to support this activity."

  [I simply don't know how all four of these items could appear in the
  same issue, even though it is 1 April 2016!  PGN]


Advances in Autonomous Burgerdom?

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 1 Apr 2016 01:23:58 PDT
In-and-Out Burger is reportedly contemplating some experimental
installations involving completely automated operations at selected
locations around the U.S.  The concept does away with local managers,
counter personnel, cooks, clean-up staff, and other employees, and would use
advanced robotics.  It could vastly increase the potential size of their
so-called Secret Menu [*]—permitting selections from among your own
individualized computer-stored customer profiles, specifying your favorite
alternative combinations of ingredients to which you can give your own
creative names (rather than having locally famous people's names).  Their
automation is expected to greatly reduce operational costs, while enabling
the company to guarantee that no jobs would be shipped off-shore.  Employees
having to pay taxes on tips would be avoided completely.  The company press
release indicates they will use secure computing to hinder surveillance by
governments and competitors, while keeping your own preferences private.
However, based on your past orders, they may suggest that you might be
interested in emerging new options—based on your historical profile.  For
example, they might offer mathematicians items such as the Fibonacci Burger,
which is expected to grow on you organically.  Ethereum will be a favored
unconventional currency, because of its Turing-complete smart contracts.
Real-time individualized anomaly detection will ensure both quality and
safety of delivered and served food and beverages.  I&OB's Corporate
executives and their techies appear to be on the cutting edge of
personalized burgerdom, well aware of recent advances in both artificial
intelligence and security that could greatly increase both efficiency and
security.  Financial backers may see this as a harbinger for a new wave of
completely automated restaurants—although problems might arise such as
when the just-in-time food supplies do not arrive just-in-time, or when your
steak is overcooked.  Progress in restaurant automation could also be spun
off into the Internet of Things, exploiting experience gained in robotic
service and maintenance.

  * Secret?  Perhaps it uses Hambermorphic Encryption?  PGN


Re: Pentagon skips tests on key component of U.S.-based missile defense system (Willman, RISKS-29.36)

Fred Cohen <fc@all.net>
Sat, 19 Mar 2016 06:24:14 -0700
  [Peter, Even though my response is in fact rational, it belongs in the
  April 1 issue.]

Assuming the facts are correct as stated (which they rarely are), this
sounds as if at least two people should go to jail, and likely many more as
co-conspirators.

For the workers in the US government, in particular the military, it's
called treason, and since we are at war with ISIS, I believe the penalty is
death. Military tribunal is called for.

The lesser charge of fraud should be charged against the non-government
employees, and of course their companies should be debarred from further US
government work until the companies return all monies in excess of the
original bid and produce a working product. Note they should also have to
pay all late penalties associated with not delivering on time.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/       PO Box 811    Pebble Beach, CA 93953


Heating up deep sea water to reduce global warming

Fred Cohen <fc@all.net>
Sat, 19 Mar 2016 06:36:55 -0700
  [Re: Microsoft servers to bottom of ocean (I-HLS), RISKS-29.36.  PGN]

Another true one for April 1:

A project currently being proposed will heat up deep sea water to reduce
global warming.

The project is intended to take the periodic cold water upsurges from the
Monterey Bay deep sea canyon and use them to cool a major datacenter to be
placed near the shore.  The proponents state that the computers will then be
used to model the change in the ocean temperatures by those studying global
climate change. They will also provide the first ecologically sound major
data center in the central coast area, which will also support other
research and business development. Waste water from the plant will be used
to warm up pools used to help recovering sea mammals who get sick from
domoic acid (also associated with climate impacts of warmer sea
temperatures)—which increases algae and accumulates in shellfish,
sardines, and anchovies.  [For non-Californians, I note that domoic acid
essentially demolished (domolished?) the crab season, which was shut down
this year until just a few days ago.  PGN]

On an unrelated [???] story, the recent collapse of shellfish populations in
the area is being addressed by a ban on fishing in protected fisheries in
the Monterey Bay area. The reason behind the collapse is unknown, but will
be studied by placing additional ultra-high-speed computing resources at the
planned Monterey Bay data center. The loss in shellfish is being replaced by
local restaurants by new sardine-based dishes.


1,418 remotely exploitable flaws found in automated medical supply system (Darlene Storm)

Drew Dean <ddean@csl.sri.com>
Thu, 31 Mar 2016 12:12:37 -0700
Hard to believe, but that really is the headline.  To Pyxis' credit, they
appear to have handled the situation much better than most.

Darlene Storm, Computerworld, 30 Mar 2016

Excerpts:

Security researchers found 1,418 remotely exploitable flaws in CareFusion's
Pyxis SupplyStation medical dispensing system. 715 of those vulnerabilities
in "automated supply cabinets used to dispense medical supplies" have a
severity rating of high or critical.

The Pyxis SupplyStation system is a "secure storage device" for medical
supplies that documents supply usage and interfaces with software to bill
the patient. The vulnerabilities can be exploited remotely and exploits for
targeting the flaws are publicly available, the ICS-CERT advisory
notes. Wait, it gets better, as it apparently would not require a l33t [for
those behind the times, this refers to *leetspeak*, also known as *leet*,
*eleet*, and even 1337; PGN] hacker to exploit the medical system. ICS-CERT
noted, "An attacker with low skill would be able to exploit many of these
vulnerabilities." ...

There are numerous Pyxis software versions affected (8.0, 8.1.3, 9.0, 9.1,
9.2 and 9.3) running on Server 2003 or XP, but since those versions are
running end-of-life software, "a patch will not be provided." ...

Ahmadi first sent notification of the vulnerabilities to the FDA, he said,
which sent the report on to DHS ICS-CERT. While communicating with ICS-CERT
and CareFusion, Ahmadi said he was impressed that CareFusion (now BD) "did
not deny any of the vulnerabilities existed, and also offered up all
affected systems, voluntarily for use in the advisory."

Ahmadi said it is important to note "that the issues are in the third-party
packages, which we have been preaching about for the last several years. Up
to 90% of the software used in development today is third-party."

The 1,418 bugs are present in seven third-party software packages including
Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and
Symantec pcAnywhere 10.5.

CareFusion is attempting to contact affected customers and advising them to
upgrade. Otherwise, ICS-CERT has the list of CareFusion's suggested
mitigations for customers using legacy operating systems.

http://www.computerworld.com/article/3049361/security/1-418-remotely-exploitable-flaws-found-in-automated-medical-supply-system.html

Drew Dean, Computer Science Laboratory, SRI International

  [Cave Con-em!  PGN]


2000 tons of nuclear materials `just aren't secure as they need be'

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 31 Mar 2016 15:43:08 -0500
2,000 tons of nuclear material may not be well secured.
http://www.emergencyemail.org/newsemergency/anmviewer.asp?aT54
https://gwtoday.gwu.edu/nuclear-materials-just-aren't-secure-they-need-be'
http://www.defenseone.com/ideas/2016/03/all-too-human-reason-nuclear-material-isnt-secure-enough/126864/

There are lots of stories about missing nuclear material.  The missing WMD
of Iraq, claimed in the 1st Gulf War, may have gone to Iran; or may have
been a false statement by a prisoner of torture, telling what he thinks the
torturers wanted to hear; or a false statement by anti-Saddam movement
thinking that will bring in the American rescuers.

https://fas.org/article/u-s-military-nuclear-material-unaccounted-missing-action-just-sloppy/
http://www.cnn.com/2016/02/29/americas/mexico-radioactive-device-missing/
https://www.washingtonpost.com/news/worldviews/wp/2013/12/06/this-alarming-map-shows-dozens-of-nuclear-materials-thefts-and-losses-every-year/
http://www.nti.org/analysis/articles/2012-nis-nuclear-trafficking/

What could go wrong?

Terrorists could deliver dirty bombs to disrupt commerce through busy ports,
canals, government and financial centers, and their usual mass attack sites.

One target might be the facilities they are constantly stealing the
materials from, if they begin to have competent security.

Criminals could announce that such a dirty bomb has been planted some place,
and in exchange for a large sum of money, they will reveal where it is, but
if they are not paid within a week, they will let it go off.

At nuclear power plants, where security is a joke, attackers could seize
them, like they have hijacked airliners, taken over hotels etc.  In such an
attack, they might try to dynamite, or otherwise disrupt the concrete
basement which is designed to stop a melt down from exiting.  Then they
would trigger a melt down accident on purpose.

Terrorists could work on making a real atomic bomb.

Arms smugglers may deliver more enriched uranium to Iran, North Korea, and
other nations not supposed to have any more.

We may be hearing about this thanks to the 2016 Nuclear Security Summit
(NSS) at the Walter E. Washington Convention Center in Washington, DC from
March 31 - April 1, 2016

https://www.whitehouse.gov/the-press-office/2016/03/29/fact-sheet-nuclear-security-summits-securing-world-nuclear-terrorism
https://content.govdelivery.com/attachments/USDHSFEMA/2016/03/31/file_attachments/525467/FEMA%2BDaily%2BOps%2BBriefing%2B03-31-2016.pdf


How to Hack an Election (Bloomberg)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 31 Mar 2016 17:12:57 PDT
Jordan Robertson, Michael Riley, and Andrew Wills, Bloomberg, 31 Mar 2016
http://www.bloomberg.com/features/2016-how-to-hack-an-election/

Andres Sepulveda rigged elections throughout Latin America for almost a
decade.  He tells his story for the first time [perhaps in hopes of
getting his sentence reduced!]

In July 2015, Sepulveda sat in the small courtyard of the Bunker, poured
himself a cup of coffee from a thermos, and took out a pack of Marlboro
cigarettes.  He says he wants to tell his story because the public doesn't
grasp the power hackers exert over modern elections or the specialized
skills needed to stop them.  "I worked with presidents, public figures with
great power, and did many things with absolutely no regrets because I did it
with full conviction and under a clear objective, to end dictatorship and
socialist governments in Latin America.  I have always said that there are
two types of politics—what people see and what really makes things
happen. I worked in politics that are not seen."


Tech titans release new email security standard

Dewayne Hendricks <dewayne@warpspeed.com>
Wed, Mar 23, 2016 at 4:30 AM
[Note:  This item comes from friend Steve Goldstein.  DLH]

Tech titans release new email security standard
Michelle Goodman, FierceCIO, 22 Mar 2016

http://www.fiercecio.com/story/tech-titans-release-new-email-security-standard/2016-03-22

Thanks to a collaboration among developers from Google, Microsoft, Yahoo,
Comcast, LinkedIn and 1&1 Mail and Media Development and Technology, email
security is getting a much needed overhaul.

This engineering dream team has outlined a new safeguard—called SMTP
Strict Transport Security—in a draft that's up for consideration as an
Internet Engineering Task Force standard. SMTP Strict Transport Security
would enable email providers to create policies and rules for sending and
receiving encrypted email over the Internet.

Such a mechanism is long overdue. SMTP, or Simple Mail Transfer Protocol,
was established in 1982 and did not allow for encryption. In 2002, the
STARTTLS extension was added to the protocol to improve security of SMTP
connections. But for the most part, email providers lagged in adopting
STARTTLS.

All that changed in 2013, when Edward Snowden revealed the prevalence of
email and other online surveillance by various government intelligence
agencies. As InfoWorld reported, today STARTTLS is fairly ubiquitous in
Internet messaging. Only problem is, the protocol can easily be decrypted or
otherwise compromised.

Enter the new SMTP Strict Transport Security mechanism, which takes a number
of steps to eliminate these vulnerabilities.

Just how vulnerable is today's email? Google has found that among Gmail
users, 83 percent of outgoing messages sent to other email providers around
the globe are encrypted. Incoming emails from other providers worldwide fare
much worse though, with just 69 percent of them arriving encrypted.

As InfoWorld noted, the level of email encryption varies throughout the
world. For instance, Asian and African email providers are much less
reliable than those based in Europe and the U.S.

The Internet Engineering Task Force isn't the only team of engineers working
on the email encryption problem. Last week, the privacy-minded Swiss startup
ProtonMail launched a free, encrypted email service that's supposedly
impossible for governments to crack. [...]

Draft of the new standards:
https://tools.ietf.org/html/draft-margolis-smtp-sts-00
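The safeguard the article describes is a policy that lets a sending mail server fail closed when TLS to the recipient's MX is missing or broken, instead of the fail-open behaviour of plain STARTTLS. The following is an added example, not code from the FierceCIO article, the IETF draft or any mail provider, of how a sender evaluates such a policy before handing over a message. It assumes the policy syntax the draft later settled on as RFC 8461 (MTA-STS): a DNS TXT record "v=STSv1; id=..." announcing that a policy exists, and an HTTPS-served text policy with version, mode, mx and max_age lines. draft-00 encoded the policy differently; the decision logic is the point. The domain and policy text are constructed.

```python
"""Added example (not code from the FierceCIO article, the IETF draft or any
mail vendor): how a sending MTA evaluates a strict-transport policy before
handing a message to the recipient's MX.

Assumption: the policy syntax follows the form the draft later took in
RFC 8461 (MTA-STS): a TXT record at _mta-sts.<domain> reading
"v=STSv1; id=<id>" that announces a policy, and a policy text served over
HTTPS with "version", "mode", "mx" and "max_age" lines.  draft-00 encoded the
policy differently; the decision logic is what matters here."""
import re

# Constructed sample inputs (hypothetical domain example.com).
SAMPLE_TXT = "v=STSv1; id=20160322T000000Z"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

_TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")


def parse_sts_txt(txt):
    """Return the policy id from the announcement record.  A sender keeps the
    id with its cached policy and refetches only when the id changes."""
    m = _TXT_RE.match(txt.strip())
    if not m:
        raise ValueError(f"not an STS announcement record: {txt!r}")
    return m.group(1)


def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat.  Unknown keys are ignored
    (the format is meant to be extensible); malformed lines are rejected."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(policy, mx_host):
    """True if the MX name is permitted.  A '*.example.com' pattern matches
    exactly one leftmost label, so 'a.b.example.com' is not covered."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, starttls_offered, cert_valid_for_mx):
    """Return (deliver, reason).  Plain STARTTLS fails open: a stripped
    STARTTLS offer or a bad certificate just means plaintext delivery.  Under
    'enforce' the same conditions block delivery; under 'testing' the message
    still goes out and the failure is reported; 'none' withdraws the policy."""
    problems = []
    if not mx_matches(policy, mx_host):
        problems.append(f"MX {mx_host} not permitted by policy")
    if not starttls_offered:
        problems.append("server did not offer STARTTLS")
    elif not cert_valid_for_mx:
        problems.append("certificate does not validate for MX name")
    if not problems:
        return True, "ok"
    reason = "; ".join(problems)
    if policy["mode"] == "enforce":
        return False, reason
    return True, f"delivered despite: {reason} (mode={policy['mode']})"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("policy id", parse_sts_txt(SAMPLE_TXT), "mode", pol["mode"])
    print(delivery_decision(pol, "mail.example.com", True, True))
    print(delivery_decision(pol, "mail.example.com", False, True))
    print(delivery_decision(pol, "mx.attacker.example", True, True))
```

The MX check is what defeats a DNS-level redirect of the MX record, and the STARTTLS/certificate checks are what defeat an on-path attacker stripping the STARTTLS capability; without a policy, both attacks silently downgrade the session to plaintext. The "testing" mode exists so an operator can see what would have been blocked before switching to "enforce".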


CNBC passwords, Motherboard (boingboing)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Wed, 30 Mar 2016 12:43:12 -0500
Many things on the Internet are broken, including some people trying to
teach the public about cyber security guidelines.

CNBC offered users a way to test passwords to allegedly find one which was
pretty good, and test any you are now using.

However, this password tutorial had a number of flaws.

* Its password testing form was transmitted in the clear, which means that
  anyone who shared your Internet connection (that is, everyone on the same
  WiFi or neighborhood-wide cable modem connection as you) could see you
  sending it.

* CNBC website doesn't use HTTPS web encryption.

* The way that CNBC's website was set up, all 30 of the advertisers, whose
  ads appeared on the page, could also spy on your password.

* CNBC sent all the passwords it received to a Google Doc spreadsheet
  (itself a prime target for hacking/breaching), despite a notice that said,
  "No passwords are being stored."

* CNBC's system wasn't very good at scoring passwords, giving them higher
  grades than they deserved.

http://boingboing.net/2016/03/30/cnbcs-secure-password-tutori.html
http://motherboard.vice.com/read/cnbc-tried-and-massively-failed-to-teach-people-about-password-security

CNBC has taken this down, but you can see an archive of it here:
https://archive.is/kaczF
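The last flaw in the list, over-grading, is the one that survives even once the form is served over HTTPS and nothing is logged. The following is an added example, not CNBC's code (which the page does not reproduce) and not from either linked article, contrasting the character-class checklist that produces inflated grades with a scorer that prices predictability the way a cracker does. The common-password list is a constructed sample standing in for a breach-derived list of millions of entries, and the bit estimates are deliberately rough.

```python
"""Added example (not CNBC's code, which the page does not reproduce): why a
character-class checklist over-grades passwords, next to a scorer that prices
predictability the way a cracker does.  COMMON_PASSWORDS is a constructed
sample standing in for a breach-derived list of millions of entries; the bit
estimates are deliberately rough."""
import math
import string

# Constructed sample of the kind of entries that top real breach lists.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "football",
    "iloveyou", "admin", "monkey", "dragon", "baseball",
}
# Substitutions users apply to a dictionary word; crackers undo them first.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_score(pw):
    """The usual checklist: a point for length >= 8 and for each character
    class present (0..5).  'Password1!' gets full marks here."""
    score = 0
    if len(pw) >= 8:
        score += 1
    if any(c.islower() for c in pw):
        score += 1
    if any(c.isupper() for c in pw):
        score += 1
    if any(c.isdigit() for c in pw):
        score += 1
    if any(c in string.punctuation for c in pw):
        score += 1
    return score


def _core_word(pw):
    """Strip case, a trailing digit/symbol run, then leetspeak substitutions,
    leaving the word the user started from ('P@ssw0rd1!' -> 'password')."""
    core = pw.lower()
    while core and (core[-1].isdigit() or core[-1] in string.punctuation):
        core = core[:-1]
    return core.translate(LEET_MAP)


def _is_run(pw):
    """'abcdef', '654321', 'aaaaaa': consecutive codepoints or one repeated char."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def guess_bits(pw):
    """Rough log2 of the guesses an attacker needs.  Predictable structure is
    priced at what it costs to enumerate, not at the size of the alphabet."""
    if not pw:
        return 0.0
    core = _core_word(pw)
    if core in COMMON_PASSWORDS:
        # list position plus roughly 10 choices per decoration character
        return math.log2(len(COMMON_PASSWORDS)) + 3.3 * (len(pw) - len(core))
    if _is_run(pw.lower()):
        # start character, direction and length are all there is to guess
        return math.log2(2 * 95 * len(pw))
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet)


def strength(pw):
    """Grade on estimated guesses: weak below 2^30, fair below 2^50, else strong."""
    bits = guess_bits(pw)
    return "weak" if bits < 30 else "fair" if bits < 50 else "strong"


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd1!", "123456",
                      "correct horse battery staple"):
        print(f"{candidate!r}: checklist {naive_score(candidate)}/5, "
              f"estimate {guess_bits(candidate):.0f} bits -> {strength(candidate)}")
```

The two scorers disagree in both directions: the checklist gives "Password1!" five out of five while the estimate puts it at about ten bits, and the checklist gives a long all-lowercase passphrase two out of five while the estimate rates it strong. Whichever scorer is used, it should run in the browser and send nothing back, which is the part of the CNBC page that the first four bullets are about.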


The Apple-FBI Battle Is Over, But the Crypto Wars Have Just Begun

Monty Solomon <monty@roscom.com>
Wed, 30 Mar 2016 08:27:01 -0400
The Apple-FBI Battle Is Over, But the Crypto Wars Have Just Begun
http://www.wired.com/2016/03/apple-fbi-battle-crypto-wars-just-begun/


Should hackers help the FBI?

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 30 Mar 2016 10:16:54 PDT
  Room for Debate, with debaters Fred Kaplan, Alan Butler, Katie Moussouris,
  and Matt Blaze

http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/constantly-bolstering-computer-security-is-vital


Hackers Seek Ransom From Two More California Hospitals (Chad Terhune)

Dewayne Hendricks <dewayne@warpspeed.com>
Mon, Mar 28, 2016 at 11:59 PM
  [Note:  This item comes from friend Steve Goldstein.  DLH]

Hackers Seek Ransom From Two More California Hospitals
Chad Terhune, Medscape, 24 Mar 2016
<http://www.medscape.com/viewarticle/860921>

Hackers demanded a ransom from two more Southern California hospitals last
week and federal authorities are investigating the case.

Prime Healthcare Services Inc., a fast-growing national hospital chain, said
the attackers infiltrated computer servers on Friday at two of its
California hospitals, Chino Valley Medical Center in Chino and Desert Valley
Hospital in Victorville.

The company said the cyberattack had not affected patient safety or
compromised records on patients or staff.

Two sources familiar with the investigation said the hackers had demanded a
ransom to unlock the hospital computer systems, similar to what happened
last month at Hollywood Presbyterian Medical Center in Los Angeles.
Hollywood Presbyterian said it paid $17,000 in bitcoin to hackers to regain
access to the institution's computers.

Fred Ortega, a spokesman for Prime Healthcare, declined to comment on
whether Prime received a ransom demand or paid any money, citing the ongoing
investigation.  "This is similar to challenges hospitals across the country
are facing, and we have taken extraordinary steps to protect and
expeditiously find a resolution to this disruption.  The concern now is to
let law enforcement do their thing and find the culprit."

FBI spokeswoman Laura Eimiller said Tuesday "we are investigating a
compromise of the network at these locations." She declined to discuss
specifics of the case. The FBI also has been investigating the attack at
Hollywood Presbyterian.

Ortega said the two hospitals affected remain operational and steps are
being taken to restore their computer systems to full functionality. He said
some IT systems were shut down by hospital staff as a preventive measure so
malicious software didn't spread further.

The company said it's working with data security experts and the California
Department of Public Health on the matter.

Prime Healthcare, based in Ontario, Calif., has acquired struggling
hospitals across the country and has become one of the nation's largest
health systems. It runs 42 hospitals in 14 states. The company is led by its
outspoken chairman and chief executive, Dr. Prem Reddy.

A series of high-profile data breaches in the past year have raised fresh
questions about the ability of hospitals, health insurers and other medical
providers to safeguard the vast troves of electronic medical records and
other sensitive data they are stockpiling on millions of Americans.


Smooth Criminal: Meet USB Thief, Malware That Can Attack Systems Without Leaving Any Trace (Santiago Tiongco)

Dewayne Hendricks <dewayne@warpspeed.com>
Mon, Mar 28, 2016 at 11:32 PM
  [Note:  This item comes from friend Steve Goldstein.  DLH]

Santiago Tiongco, Tech Times, 26 Mar 2016
http://www.techtimes.com/articles/144306/20160326/smooth-criminal-meet-usb-thief-a-malware-that-can-attack-systems-without-leaving-any-trace.htm

Another new malware has surfaced, but this one is unlike the others. This
alarmingly stealthy trojan cannot be copied or replicated and it can set up
camp in your computer without you ever having a clue.

Nicknamed 'USB Thief' by security experts from the ESET antivirus firm,
this new USB trojan is equipped with self-protecting mechanisms that enable
it to escape detection. It can even infiltrate air-gapped systems, making
it an exceptionally useful tool in industrial as well as cyber espionage.

In relation to this malware's ability to access air-gapped computers - that
is, computers not connected to the Internet for security reasons - the
trojan is introduced to a system via USB devices that contain portable
installers of widely-used applications such as Firefox, NotePad++, and
TrueCrypt. USB Thief exploits this trend by penetrating the command chain of
these applications either as a plugin or a dynamically linked library (DLL),
which is why each time you run the application, the trojan is also executed
in the background.

A key aspect of this malware is that it has a highly sophisticated
mechanism for self-protection against copying or reverse engineering by
employing two operations: AES128 encryption of certain files and generation
of filenames from cryptographic elements.

First, an AES encryption key is computed from that unique USB device ID and
certain disk details from the USB drive hosting the malware, which means the
malware can only successfully run on that one particular USB device.
Second, the naming of the subsequent file in the malware execution chain is
based on actual file content and its creation time, effectively making the
file names different for every instance of this trojan. Because of these
techniques, copying or reproducing the malware is virtually impossible.

In addition to the malware's multi-step self-protection and ability to not
leave any trace on the targeted computer, its data-stealing payload is also
extremely powerful and easily modified.  [...]


More background on the MedStar fiasco (RISKS-29.41)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 31 Mar 2016 15:05:30 -0500
MedStar http://www.medstarhealth.org/ is a $5 billion non-profit health
care provider which operates 10 hospitals and 120-250 clinics (conflicting
news stories) serving the Baltimore, Maryland, area including Virginia and
Washington DC, so it will probably get much more news coverage than the
almost 2,000 other victims of Ransomware.  MedStar treated 4.5-million
patients in 2015.  They have 30,000 employees and 6,000 affiliated
physicians.

https://en.wikipedia.org/wiki/MedStar_Health

There are different kinds of cyber security incidents, happening at a high
rate of speed.  With some, they release necessary details, then soon the
public forgets, in the wake of hundreds of incidents reported at other
places, but it looks like MedStar is operating on the dribble approach: let
info dribble out as they figure things out, and permit any of the 30,000
employees to speak with the media, which guarantees that with each drop of
additional info, news media around the world will be trumpeting the story
again, so this place's problems will be remembered for much longer than most
others.

Initially they said virus, no evidence any info stolen, too early to say
ransomware, no disruption to health care for patients.

Now we know it is ransomware, and there has been disruption to patients and
their families.

We also know that, to install the ransomware, the hackers had to have had
access to PII of patients, employees, their medical records, financial info,
all of the computer records impacted, which invokes some laws regarding
disclosure of numbers of people potentially at risk of breach.

Later info may dribble out from investigations, to refresh the news stories.

This close to DC, Congress will probably hold hearings on this and other
similar incidents.
http://www.zdnet.com/article/virus-hits-medstar-health-hospital-network-but-denies-data-theft/

When the first stories came out about the apparent virus attack on MedStar,
we were not being told many details.

On Monday 28 Mar morning, the hospital discovered the problem, that many
computer access points had been attacked, so they shut the whole system down
to try to stop the spread of whatever it was.  That afternoon, they released
a statement about the situation on their web site, and Facebook page.

The shutdown impacts access to Electronic Health Records (EHR), e-mail,
laboratory results, financials, just about all record keeping you would
expect at any medical institution. Many doctor PCs are okay, showing data
from the days before the attack, they just cannot access the MedStar
network, or access this week's e-mail.  I hope their ISP has sufficient data
storage to hold the accumulated e-mail until these systems are back up
again.

The old paperwork system "works" for employees who remember it, but there
may be recovery hassles after systems are restored, making sure the records
are complete for the downage days.

The FBI had been contacted.

Initially we were not told what kind of attack it was, but from clues, there
was lots of speculation.

https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html
http://www.healthcare-informatics.com/article/breaking-news-medstar-health-hacked-ehr-down-fbi-investigating
http://money.cnn.com/2016/03/28/technology/medstar-hospital-hack/
http://inhomelandsecurity.com/virus-infects-medstar-health-systems-computers-hospital-officials-say/

On Monday 28 Mar, hospital spokespersons had claimed that this incident
would not disrupt health care.  On Tuesday, news media was publishing lots
of stories about disruptions to patient health care, thanks to this
incident.

By Wednesday, historical EHR records were accessible read-only, but not from
all work stations.

Some patients have been turned away, because of this incident, refused
renewal of prescriptions.  Hospital spokespersons said that no one will get
delayed medical treatment because of this, but news media has been
interviewing patients for whom that was exactly what happened, and/or
subjected to scary, and health-threatening, inconveniences.  One hospital
lost track of a man's invalid wife, falsely claiming she had been released,
which caused him lots of anxiety until they located her getting the proper
treatment.

Patients arrive for appointments, only to find they have been canceled
because the medical staff cannot do a proper job without access to the
computer records, and apparently they also need access to the computer to
notify patients that their appointments have been canceled.  Other patients
get daily calls "Don't come in, the computers are down again today."

In addition to official spokesperson statements, news media is talking with
lots of the medical staff, who explain serious medical safety issues, which
the official spokesperson is downplaying.

https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html
http://wtop.com/local/2016/03/medstar-still-dealing-problems-cyber-attack/
http://www.usnews.com/news/articles/2016-03-29/medstar-struggles-to-work-around-computer-hacking-crisis
http://www.pressreader.com/usa/the-washington-post/20160331/282024736400036/textview

There are also news stories about what Congress persons are saying.  They
passed a law in 2015 calling for the federal Health and Human Services (HHS)
to:

* Create a task force of health industry leaders and cyber security
  professionals to identify the biggest threats, and to suggest mitigation
  approaches;

* Provide doctors and hospitals with guidance on the best ways to protect
  themselves from cyber attack,

* Have service from the agency, to help any medical institution which
  suffers a cyber attack;

* Issue reports to the health industry on emerging threats and risks they
  need to protect themselves against;

* And more.  The legislation = Information Sharing Act of 2015.
http://www.healthcareinfosecurity.com/obama-signs-cyber-info-sharing-bill-a-8762

So far HHS has not yet implemented any of this, according to some news
stories, while others talk about the progress being made implementing it.
But without the task force, it has been a slow learning process for an
agency new to this topic, making some judgment errors, in selecting which
risks to prioritize warnings about.  There may be a need for agencies,
experienced in cyber-threats by industry and how attackware gets delivered,
to provide initial training for agencies new to providing cyber security
guidance.

Other people are calling for an update to HIPAA = US gov regulations about
health care records.  That system already has a requirement for hospitals to
report incidents like this.

HHS Office of Civil Rights (OCR) investigates all cyber incidents of health
care providers, either reported to them directly, under HIPAA regulations,
or found out via news reports.  They also have guidance on how to report
incidents, such as to the FBI Internet Crime Complaint Center.

http://www.ic3.gov/default.aspx
They have also told medical institutions about the Better Business Bureau's
scam tracker.
https://www.bbb.org/scamtracker/us

Apparently some people are ignorant of the fact that there are laws already
on the books, calling for the reporting of cyber insecurity incidents, some
of which have not yet been implemented, or are not enforceable.

Almost every state of the USA has a requirement that places hit by cyber
attack, either located in that state, or with customers in that state,
report them to the Attorney General of the state, and take measures to
compensate victims of the attacks (their customers, and others).  However,
many institutions do not know they are under attack, until the damage has
been done, plus some do not know what to do, after they discover they have
been attacked.

http://www.govinfosecurity.com/ransomware-time-for-hipaa-update-a-9002
http://www.healthcareinfosecurity.com/ocr-cyber-awareness-effort-will-have-impact-a-8846

So proper precautions have been sporadic throughout the health care
industry.

* We can see from the discrepancies between stories of medical staff and
  hospital spokesperson statements, that there's a lack of training in how
  to deal with this kind of incident, and a lack of internal communications
  to cope when computers are down.

* We have not yet been told how this happened to MedStar, but with many
  other institutions it was a lack of training to avoid one employee
  victimized by phishing taking down the entire computer system.  There are
  also backups, and keeping software up to date.

http://hitconsultant.net/2016/03/30/medstar-cyber-attack/

When the US government first was pushing EHR, there was an outpouring of
cyber security concerns from the security industry.

The medical profession and government had to learn from medical breaches
that those concerns were valid, and remediation investment was essential.

We are flooded with cyber security warnings, and few employers have budgeted
the resources to cope with them effectively.

In April 2014, there was an FBI warning about a growth in cyber attacks upon
the health care industry.

The FBI predicted that movement to on-line systems, without provision for
how to handle themselves, when those systems go down, is inviting trouble.

That trouble has now arrived, inconveniencing many portions of the health
care industry.

http://www.fiercehealthit.com/story/when-it-comes-cybersecurity-staff-education-matters/2016-03-29

Next the news media learned that MedStar was a ransomware attack, where if
the hospital pays $18.5K in bitcoins, the crooks promise to send the keys to
unlock their system.  Instead, the hospital system is restoring from
backups, with partial recovery, and has suffered at least $1 million per day
thanks to the down time.

http://www.baltimoresun.com/health/bs-md-medstar-ransom-hack-20160330-story.html
http://www.ibtimes.co.uk/hospitals-crippled-by-cybercriminals-ruthless-medstar-hack-demands-12900-unlock-computers-1552429

I found out about this news story, because I subscribe to KnowBe4—training
in how not to be a victim of cyber attacks.

They use breaking news stories about cyber security incidents to explain how
their training can prevent such incidents.
https://www.knowbe4.com/

The challenges the hospital staff and patients are dealing with demonstrate
some flaws in planning for the possibility of computer downtime, when
everyone becomes dependent on the digital data.  What could go wrong, when a
hospital runs purely on electronic records, then their computer systems go
down?  MedStar has learned about that this week, and also has had earlier
lessons.

http://catless.ncl.ac.uk/Risks/29.31.html#subj4

Before any hearings into what if anything should be done about such
incidents, maybe Congress should get a report from CRS = Congressional
Research Service,
  https://www.fas.org/sgp/crs/misc/
and from GAO = Government Accountability Office,
  http://www.gao.gov/products/GAO-16-265

to communicate:

* What laws and regulations already exist regarding health care cyber
  incidents, their prevention and disclosure.

* What is the status of implementation of those rules.

* Statistics on this kind of attack.

* Status of investigations into major attacks.

Here are some CRS reports on Health Care, other than the cyber security
dimension:
http://www.ncsl.org/research/health/congressional-research-service-reports-on-health.aspx


Why Ransomware loves Hospitals

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 1 Apr 2016 00:16:28 -0500
Ransomware <https://en.wikipedia.org/wiki/Ransomware> is a threat to:

* Hospitals
* Police stations
* Cloud services
* Mobile phones
http://krebsonsecurity.com/tag/ransomware/

In addition to all the data placed at risk, which I mentioned in my earlier
MedStar post, medical devices may also be at risk.

* To install the ransomware, the hackers had to have had access to PII of
  patients, employees, their medical records, financial info, all of the
  computer records impacted, which invokes some laws regarding disclosure of
  numbers of people potentially at risk of breach.

Sergey Lozhkin, a senior researcher at Kaspersky Lab said "in lots of cases
medical equipment is not isolated from the local office network."  A month
ago, he detailed the results of his penetration test of a Moscow hospital.
Among other issues, Lozhkin discovered a login portal for a CT scan machine
on the open Internet, and once inside the hospital's local network, he found
a control panel for an MRI machine that was not password protected.
<https://threatpost.com/medical-device-health-care-security-continues-to-ail/116228/>

There have been at least a dozen hospitals, or hospital chains, inflicted
with ransomware just in March 2016.
http://motherboard.vice.com/read/the-spreading-epidemic-of-hospital-ransomware

Thursday, March 31, the U.S. Department of Homeland Security (DHS) and the
Canadian Cyber Incident Response Centre issued a joint alert about the risk
of ransomware.
http://www.reuters.com/article/us-cyber-ransomware-alert-idUSKCN0WY3BN

US Hospitals are juicy targets for ransomware because:

* Their care depends on access to up-to-date complete records, which thanks
  to the US government, are now electronic.

* Their care is critical.  Disrupting it can mean serious complications for
  patients, and lawsuits because of that.

* Very few hospitals conduct security training for their staff.

* What has been more critical for them is HIPAA compliance, because the US
  government has emphasized patient privacy much more than cyber security.
http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

MedStar reacted by shutting down their servers the moment they realized
they'd been hit.  KnowBe4 says that is the correct first step. They
distribute a 20-page hostage manual (.pdf) instructing ransomware victims on
what to do after an attack, and how to prevent one.
<http://www.wired.com/wp-content/uploads/2016/03/RansomwareManual-1.pdf>

There are several ways computers get hit by ransomware.

* Someone falls for a phishing spam scam, which installs attackware on their
  computer.

* Hacked or malicious sites exploit browser vulnerabilities with drive-by
  attackware.

* Once either approach has gained access to a system, the hackers can easily
  follow, to perform their mischief.

It goes after individual PCs and servers, while deleting any connected backups.

In MedStar's case, the malware is Samsam, also known as Samas and MSIL.

This tells us a hacker had to install the ransomware, but it does not tell
us how the hacker got into MedStar's systems.

Samsam exploits vulnerabilities which have been patched, so this also tells
us that MedStar had not stayed current on critical patches for their
systems.

http://arstechnica.com/security/2016/03/maryland-hospital-group-hit-by-ransomware/

The FBI issued alerts about this recently.

https://motherboard.vice.com/read/fbi-warns-about-ransomware-attacks-infecting-whole-networks
https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise

I believe IT should take systems down, so nothing is connected to the
Internet, to run a complete backup to media not left connected to the
servers, then let the network re-connect only after each device is checked
to be clear of security problems, and make sure its backup is up-to-date.
Unfortunately, many outfits need to be up 24x7, and won't approve the
resources needed to run high speed backups in short scheduled down time,
like the wee hours, when business is at its lowest volume, or to have client
devices which gather info to update the server from activity during the
short down time for backup.

I believe all institutions should do a periodic search, to identify all the
ways they are connected to the Internet, in case of any inadvertent errors,
adding poorly secured links.
https://www.shodan.io/

Search for *hospital* and find

* 144 in USA
* 133 in Brazil
* 69 in Thailand
* 67 in South Korea
* 54 in India

Connection info for specific hospitals is provided.

No hits for MedStar—hopefully that means that any past flaws have now
been fixed.

Example of a USA hit:
Health First Viera Hospital  6450 US Highway 1, Rockledge, FL 32955
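
One way to put the offline-backup advice in this post into practice, as an
added example that is not from the post, from MedStar or from KnowBe4: a
Python script that records a SHA-256 manifest of a file tree, stores the
manifest with the backup copy rather than on the live servers, and later
verifies either tree against it. It reports files that are missing or
modified and, among the modified ones, flags those whose content now looks
random (high Shannon entropy), which is what a file overwritten by
encryption looks like. All file names and contents are constructed, and the
7.0 bits-per-byte entropy threshold is an assumed heuristic, not a standard.

```python
"""Offline backup manifest: build, store beside the backup, verify later.

Added example (not from the post or from KnowBe4). File names, contents and
the 7.0 bits/byte entropy threshold are constructed assumptions.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from pathlib import Path

# Assumed heuristic: encrypted or compressed data approaches 8 bits/byte;
# plain text and most office documents score well below 7.
HIGH_ENTROPY_BITS = 7.0


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; 'suspicious' = modified and random-looking."""
    report = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > HIGH_ENTROPY_BITS:
                report["suspicious"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed walk-through: snapshot, offline copy, later damage, verification."""
    work = Path(tempfile.mkdtemp())
    try:
        live = work / "live"
        (live / "lab").mkdir(parents=True)
        (live / "notes.txt").write_text(
            "Patient 0001 (constructed): follow-up in two weeks.\n" * 50)
        (live / "lab" / "results.csv").write_text("id,test,value\n0001,HbA1c,6.1\n")

        # 1. Snapshot the live tree and copy it to what would be detachable media.
        manifest = build_manifest(live)
        backup = work / "backup"
        shutil.copytree(live, backup)
        # 2. Keep the manifest with the backup, not on the live servers, so a
        #    compromise of the live side cannot rewrite the reference hashes.
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # 3. Constructed damage to the live tree: one file overwritten with
        #    random bytes (what an encrypted file looks like), one deleted.
        (live / "notes.txt").write_bytes(os.urandom(4096))
        (live / "lab" / "results.csv").unlink()

        # 4. Verify both trees against the stored manifest.
        stored = json.loads((work / "manifest.json").read_text())
        return {"live": verify_tree(live, stored), "backup": verify_tree(backup, stored)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real tree, the same two calls (build_manifest before the copy,
verify_tree after reconnecting) give a quick answer to the question the post
raises: whether the media you are about to restore from is still the data
you wrote, and whether the live side has been altered in bulk since the last
snapshot.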


Re: Bangladesh bank heist to Philippines to Chinese (RISKS-29.36,37,38,40)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Wed, 30 Mar 2016 15:01:38 -0500
In any breaking story, mainstream media has high levels of speculation,
leading to conflicting stories.

Fraudulent bank transfers were allegedly communicated via the SWIFT network.
Some stories say SWIFT was compromised.  Others say no, SWIFT was not
compromised; rather, the communications system at one end was breached.

The Bangladesh Central Bank may sue the NY Fed, to try to recover some of
the lost money.  I predict this effort will fail, because US courts have
usually ruled in favor of the bank which held the money which was stolen,
and against the business enterprises that owned that money. Judges have
ruled that way, even when it is proven that the NY Fed equivalent
institution was in the wrong, or made cyber security errors.

So far, no evidence has surfaced in the news media, that the NY Fed did
anything wrong.

http://www.nbcnews.com/tech/tech-news/bangladesh-bank-might-sue-ny-fed-after-1b-hack-heist-n544046
http://www.en.prothom-alo.com/bangladesh/news/98969/Bangladesh-Bank-weighs-lawsuit-against-NY-Fed

In this case, the Bangladesh Central Bank has been found to have been
infected with malware, which facilitated access to their credentials for
managing money.  Invariably in past US court cases, when the business,
owning the bank account, was hacked, breached, or social engineered,
triggering info needed to file a false money transfer request, judges have
ruled that the bank from which the money was transferred is not
responsible for the negligence of the place which got malwared, hacked,
breached, etc.

How the malware got onto the Bangladesh Central Bank system, has not yet
been made public by investigators.

Spam Phishing is the usual route.

http://www.marketwatch.com/story/malware-used-in-100-million-bangladesh-bank-heist-2016-03-21

Philippine authorities now believe 2 Chinese men stole the Bangladesh money,
but are they mules paying off casino debts, or addicted to gambling, where
the casino operators aided in setting up the money transfer system?  Since
those 2 men have been identified, but not yet located, are they in fact
false identities created by a casino operator and a friend at the Philippine
bank?

The money arrived in fictitious accounts at RCBC bank in the Philippines.

Bank officials have conflicting testimony about the process by which those
accounts were authorized and set up.

http://www.securityweek.com/chinese-high-rollers-moved-stolen-bangladesh-millions-philippines-witness
http://www.straitstimes.com/asia/se-asia/missing-link-in-us81-million-bangladesh-bank-heist-set-to-testify-before-philippine
http://www.themalaymailonline.com/world/article/witness-millions-from-bangladesh-bank-heist-moved-to-philippines-by-chinese

WSJ has a video of what's known so far about the travels of the stolen
money.
http://www.wsj.com/articles/businessman-denies-planning-central-bank-heist-1459261342

Philippine legislators have had a hearing on where the money ended up, and
how it got there.

Now US Congresswoman Carolyn Maloney (D-NY) http://carolynmaloney.com/
wants a US hearing on this bank heist, and what standards are needed to put
a stop to such activities.  There may be no solution so long as:

* Businesses are vulnerable to phishing, malware, hackers taking over their
  institutions, with them oblivious to this happening;

* Judges rule in favor of banks which violate contracts, to not move money
  to new locations, or in excess of some ceilings, without personal contact
  with officials of institution owning the money, who are authorized to
  approve such actions.

http://carolynmaloney.com/multimedia/latest_news/view/2016-03-maloney-wants-probe-on-bangladesh-bank-heist
http://news.yahoo.com/u-congresswoman-wants-probe-bangladesh-bank-heist-200449682.html

Wikipedia is periodically updated as more info is found, released, and
confirmed.
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist


Stefan Savage receives RISKS-relevant award

"ACM TechNews" <technews-editor@acm.org>
Wed, 30 Mar 2016 12:22:14 -0400 (EDT)
ACM and Infosys Foundation Honor Innovator in Network Security Research
Association for Computing Machinery (03/30/16)
ACM TechNews, 30 Mar 2016

Stefan Savage from the University of California, San Diego has been selected
to receive the 2015 ACM-Infosys Foundation Award in the Computing Sciences.
Savage was cited for research in network security, privacy, and reliability
that has shown people how to perceive attacks and attackers as components
of an integrated technological, societal, and economic framework.  Savage's
approach is embodied in his recent work with collaborators to fight spam by
exploring how spammers generate revenue, and what steps might be taken to
neutralize this incentive.  One project involved the researchers
infiltrating a botnet to extract insights about the economics of spam
schemes.  By monitoring millions of spam emails and identifying the
individual services needed to monetize them, Savage's team built a model of
dependencies in the spam supply chain.  They demonstrated merchant bank
accounts used to receive credit card payments were the most valuable and
prone to disruption.  "Stefan Savage has shifted thinking and prompted us to
ask ourselves how we might impede the fundamental support structure of an
attacker," says ACM president Alexander L. Wolf.  "His frameworks will
continue to significantly influence network security initiatives in the
coming years."
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-ed5ax2e0c5x065760&
