FYI—This just in... Bluffdale, UT—April 1, 2016—Hacker cooperative Anonymous today announced that they have successfully hacked the NSA's massive Bluffdale, UT, data storage complex and encrypted all of its petabytes of data with ransomware. According to an Anonymous spokesperson "sneaker", "This is the largest encryption operation ever attempted, and the Salt Lake City lights dimmed measurably throughout the computationally intensive process." Anonymous continued, "We are not holding this data hostage nor are we asking for any Bitcoins. We will leave the decryption keys to this data under the front doormat of a U.S. government facility somewhere in the world." An NSA spokeswoman said that she "could neither confirm nor deny" the Anonymous claims, but she did admit that whenever snow fell on the Bluffdale facility, it immediately melted. Anonymous was able to hack into the Bluffdale facility via a simple e-mail phishing attack that promised cheats, mods and hacks of the Minecraft video game. A retired DoD official "close to the NSA" said that it took an entire year for Anonymous to encrypt all these petabytes of data, but NSA hadn't noticed because the Bluffdale stores only internationally intercepted data, which NSA seldom—if ever—examines. Story developing...
"Apple Offers to Buy CryptoWall for $10 Billion"
"Plans to dominate the burgeoning data protection market"

One Infinite Loop, Cupertino, CA—April 1, 2016—Apple Computer today announced its plan to purchase the data protection business CryptoWall for $10 billion. The deal is expected to close before the end of 2016 after securing the approval of regulators. Apple CEO Tim Cook laid out the rationale for the purchase: "Apple Computer has always insisted upon the privacy and security of its customers. We were the first to incorporate default full-disk encryption, and CryptoWall is the obvious next step in protecting our customers' data confidentiality." "CryptoWall's product is in daily use by government agencies, businesses, and ordinary citizens; they have the best name recognition and brand image in the data-protection business," explained Cook.
“We are pleased to announce an agreement with the Department of Justice to satisfy 90% of our customers' uses of encryption while meeting law enforcement needs,” said an Apple spokesperson. “The changes will take effect on all Apple devices with the next software update.” Critics decried the encryption standard, known as ROT13, as *a step backward* and *almost the same as no encryption*. “ROT13 provides sufficient encryption for the vast majority of our customer needs,” Apple responded, adding that “third-party software can provide higher security for those rare cases where it is needed.” Industry insiders note that high-security apps are systematically excluded from the Apple Store.
One Infinite Loop, Cupertino, CA—April 1, 2016—Apple Computer and the FBI made a joint announcement today regarding a breakthrough solution to the collision between Apple's full-disk encryption system and lawful searches pursuant to court orders. "We have to thank FBI Director Jim Comey for continuing to insist upon thinking out of the box; he thought all along that the tekkies in Silicon Valley would eventually be able to come up with an equitable solution for all parties. We and the FBI have been working around the clock for the past several months and this cooperation has finally paid off." "We at Apple have agreed to put all of our customers' public keys into an escrow database managed by the FBI. When a court so orders, the FBI can search this database and produce any particular customer's public key," said Apple CEO Tim Cook. FBI's Jim Comey enthusiastically supports the new key-escrow system. "Back in the '90's, there were many key escrow suggestions that just couldn't be made to work. But this new key-escrow system—which I named 'public key escrow'—is an idea whose time has finally arrived." MIT Professor Ronald Rivest—the 'R' in the 'RSA' public-key cryptographic system devised in the 1970's—said "The idea of putting the public key into an escrowed database managed by a trusted third party never occurred to any of the three of us during the past 40 years." Rivest continued, "Now that this 'public key escrow' idea is out there, I can see other potential applications—such as hiding one's public key under his own front doormat." Whit Diffie—one of the inventors of the Diffie-Hellman exchange so critical to e-commerce today—praised the innovative thinking behind the public key escrow system, "It's nice to see that both Apple and the FBI will be able to save face and claim victory here; this is a win-win solution for everyone." 
Apple's Cook added, "We believe we can trust the FBI with our users' public keys; after all, our country has trusted the FBI with so many citizens' private data ever since its founding by J. Edgar Hoover in 1924. Apple is also pleased that the FBI has stepped up to operate this 'public key escrow' database; the Internet industry has had trouble coming up with a business model to support this activity." [I simply don't know how all of these four items could all appear in the same issue, even though it is 1 April 2016! PGN]
In-and-Out Burger is reportedly contemplating some experimental installations involving completely automated operations at selected locations around the U.S. The concept does away with local managers, counter personnel, cooks, clean-up staff, and other employees, and would use advanced robotics. It could vastly increase the potential size of their so-called Secret Menu [*]—permitting selections from among your own individualized computer-stored customer profiles, specifying your favorite alternative combinations of ingredients to which you can give your own creative names (rather than having locally famous people's names). Their automation is expected to greatly reduce operational costs, while enabling the company to guarantee that no jobs would be shipped off-shore. Employees having to pay taxes on tips would be avoided completely. The company press release indicates they will use secure computing to hinder surveillance by governments and competitors, while keeping your own preferences private. However, based on your past orders, they may suggest that you might be interested in emerging new options—based on your historical profile. For example, they might offer mathematicians items such as the Fibonacci Burger, which is expected to grow on you organically. Ethereum will be a favored unconventional currency, because of its Turing-complete smart contracts. Real-time individualized anomaly detection will ensure both quality and safety of delivered and served food and beverages. I&OB's corporate executives and their techies appear to be on the cutting edge of personalized burgerdom, well aware of recent advances in both artificial intelligence and security that could greatly increase both efficiency and security. Financial backers may see this as a harbinger for a new wave of completely automated restaurants—although problems might arise such as when the just-in-time food supplies do not arrive just-in-time, or when your steak is overcooked.
Progress in restaurant automation could also be spun off into the Internet of Things, exploiting experience gained in robotic service and maintenance. * Secret? Perhaps it uses Hambermorphic Encryption? PGN
[Peter, Even though my response is in fact rational, it belongs in the April 1 issue.] Assuming the facts are correct as stated (which they rarely are), this sounds as if at least two people should go to jail, and likely many more as co-conspirators. For the workers in the US government, in particular the military, it's called treason, and since we are at war with ISIS, I believe the penalty is death. Military tribunal is called for. The lesser charge of fraud should be charged against the non-government employees, and of course their companies should be debarred from further US government work until the companies return all monies in excess of the original bid and produce a working product. Note they should also have to pay all late penalties associated with not delivering on time. Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies http://all.net/ PO Box 811 Pebble Beach, CA 93953
[Re: Microsoft servers to bottom of ocean (I-HLS), RISKS-29.36. PGN] Another true one for April 1: A project currently being proposed will heat up deep sea water to reduce global warming. The project is intended to take the periodic cold water upsurges from the Monterey Bay deep sea canyon and use them to cool a major datacenter to be placed near the shore. The proponents state that the computers will then be used to model the change in the ocean temperatures by those studying global climate change. They will also provide the first ecologically sound major data center in the central coast area, which will also support other research and business development. Waste water from the plant will be used to warm up pools used to help recovering sea mammals who get sick from domoic acid (also associated with climate impacts of warmer sea temperatures)—which increases algae and accumulates in shellfish, sardines, and anchovies. [For non-Californians, I note that domoic acid essentially demolished (domolished?) the crab season, which was shut down this year until just a few days ago. PGN] On an unrelated [???] story, the recent collapse of shellfish populations in the area is being addressed by a ban on fishing in protected fisheries in the Monterey Bay area. The reason behind the collapse is unknown, but will be studied by placing additional ultra-high-speed computing resources at the planned Monterey Bay data center. The loss in shellfish is being replaced by local restaurants by new sardine-based dishes.
Hard to believe, but that really is the headline. To the Pyxis' credit, they appear to have handled the situation much better than most. Darlene Storm, Computerworld, 30 Mar 2016 Excerpts: Security researchers found 1,418 remotely exploitable flaws in CareFusion's Pyxis SupplyStation medical dispensing system. 715 of those vulnerabilities in “automated supply cabinets used to dispense medical supplies” have a severity rating of high or critical. The Pyxis SupplyStation system is a 'secure storage device' for medical supplies that documents supply usage and interfaces with software to bill the patient. The vulnerabilities can be exploited remotely and exploits for targeting the flaws are publicly available, the ICS-CERT advisory notes. Wait, it gets better as it apparently would not require a l33t [for those behind the times, this refers to *leetspeak*, also known as *leet*, *eleet*, and even 1337; PGN] hacker to exploit the medical system. ICS-CERT noted, “An attacker with low skill would be able to exploit many of these vulnerabilities.” ... There are numerous Pyxis software versions affected (8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3) running on Server 2003 or XP, but since those versions are running end-of-life software, “a patch will not be provided.” ... Ahmadi first sent notification of the vulnerabilities to the FDA, he said, which sent the report on to DHS ICS-CERT. While communicating with ICS-CERT and CareFusion, Ahmadi said he was impressed that CareFusion, now BD, “did not deny any of the vulnerabilities existed, and also offered up all affected systems, voluntarily for use in the advisory.” Ahmadi said it is important to note “that the issues are in the third-party packages, which we have been preaching about for the last several years.
Up to 90% of the software used in development today is third-party.” The 1,418 bugs are present in seven third-party software packages including Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5. CareFusion is attempting to contact affected customers and advising them to upgrade. Otherwise, ICS-CERT has the list of CareFusion's suggested mitigations for customers using legacy operating systems. http://www.computerworld.com/article/3049361/security/1-418-remotely-exploitable-flaws-found-in-automated-medical-supply-system.html Drew Dean, Computer Science Laboratory, SRI International [Cave Con-em! PGN]
2,000 tons of nuclear material may not be well secured. http://www.emergencyemail.org/newsemergency/anmviewer.asp?aT54 https://gwtoday.gwu.edu/nuclear-materials-just-aren't-secure-they-need-be' http://www.defenseone.com/ideas/2016/03/all-too-human-reason-nuclear-material-isnt-secure-enough/126864/ There are lots of stories about missing nuclear material. The missing WMD of Iraq, claimed in the 1st Gulf War, may have gone to Iran; or may have been a false statement by a prisoner of torture, telling what he thinks the torturers wanted to hear; or a false statement by anti-Saddam movement thinking that will bring in the American rescuers. https://fas.org/article/u-s-military-nuclear-material-unaccounted-missing-action-just-sloppy/ http://www.cnn.com/2016/02/29/americas/mexico-radioactive-device-missing/ https://www.washingtonpost.com/news/worldviews/wp/2013/12/06/this-alarming-map-shows-dozens-of-nuclear-materials-thefts-and-losses-every-year/ http://www.nti.org/analysis/articles/2012-nis-nuclear-trafficking/ What could go wrong? Terrorists could deliver dirty bombs to disrupt commerce through busy ports, canals, government and financial centers, and their usual mass attack sites. One target might be the facilities they are constantly stealing the materials from, if they begin to have competent security. Criminals could announce that such a dirty bomb has been planted some place, and in exchange for a large sum of money, they will reveal where it is, but if they are not paid within a week, they will let it go off. At nuclear power plants, where security is a joke, attackers could seize them, like they have hijacked airliners, taken over hotels etc. In such an attack, they might try to dynamite, or otherwise disrupt the concrete basement which is designed to stop a melt down from exiting. Then they would trigger a melt down accident on purpose. Terrorists could work on making a real atomic bomb. 
Arms smugglers may deliver more enriched uranium to Iran, North Korea, and other nations not supposed to have any more. We may be hearing about this thanks to the 2016 Nuclear Security Summit (NSS) at the Walter E. Washington Convention Center in Washington, DC from March 31 - April 1, 2016 https://www.whitehouse.gov/the-press-office/2016/03/29/fact-sheet-nuclear-security-summits-securing-world-nuclear-terrorism https://content.govdelivery.com/attachments/USDHSFEMA/2016/03/31/file_attachments/525467/FEMA%2BDaily%2BOps%2BBriefing%2B03-31-2016.pdf
Jordan Robertson, Michael Riley, and Andrew Wills, Bloomberg, 31 Mar 2016 http://www.bloomberg.com/features/2016-how-to-hack-an-election/ Andres Sepulveda rigged elections throughout Latin America for almost a decade. He tells his story for the first time [perhaps in hopes of getting his sentence reduced!] In July 2015, Sepulveda sat in the small courtyard of the Bunker, poured himself a cup of coffee from a thermos, and took out a pack of Marlboro cigarettes. He says he wants to tell his story because the public doesn't grasp the power hackers exert over modern elections or the specialized skills needed to stop them. “I worked with presidents, public figures with great power, and did many things with absolutely no regrets because I did it with full conviction and under a clear objective, to end dictatorship and socialist governments in Latin America. I have always said that there are two types of politics—what people see and what really makes things happen. I worked in politics that are not seen.”
[Note: This item comes from friend Steve Goldstein. DLH]

Tech titans release new email security standard
Michelle Goodman, FierceCIO, 22 Mar 2016
http://www.fiercecio.com/story/tech-titans-release-new-email-security-standard/2016-03-22

Thanks to a collaboration among developers from Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail and Media Development and Technology, email security is getting a much needed overhaul. This engineering dream team has outlined a new safeguard—called SMTP Strict Transport Security—in a draft that's up for consideration as an Internet Engineering Task Force standard. SMTP Strict Transport Security would enable email providers to create policies and rules for sending and receiving encrypted email over the Internet. Such a mechanism is long overdue. SMTP, or Simple Mail Transfer Protocol, was established in 1982 and did not allow for encryption. In 2002, the STARTTLS extension was added to the protocol to improve security of SMTP connections. But for the most part, email providers lagged in adopting STARTTLS. All that changed in 2013, when Edward Snowden revealed the prevalence of email and other online surveillance by various government intelligence agencies. As InfoWorld reported, today STARTTLS is fairly ubiquitous in Internet messaging. Only problem is, the protocol can easily be decrypted or otherwise compromised. Enter the new SMTP Strict Transport Security mechanism, which takes a number of steps to eliminate these vulnerabilities. Just how vulnerable is today's email? Google has found that among Gmail users, 83 percent of outgoing messages sent to other email providers around the globe are encrypted. Incoming emails from other providers worldwide fare much worse though, with just 69 percent of them arriving encrypted. As InfoWorld noted, the level of email encryption varies throughout the world. For instance, Asian and African email providers are much less reliable than those based in Europe and the U.S.
The Internet Engineering Task Force isn't the only team of engineers working on the email encryption problem. Last week, the privacy-minded Swiss startup ProtonMail launched a free, encrypted email service that's supposedly impossible for governments to crack. [...] Draft of the new standards: https://tools.ietf.org/html/draft-margolis-smtp-sts-00
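The article describes what the policy mechanism is for but not what a sending mail server actually does with it. As an added example (not part of the article, the draft it links, or any provider's code), the Python below implements the sender-side check that gives such a policy its value: it parses a policy in the plain-text format later standardized as MTA-STS in RFC 8461 (the successor of the draft-margolis-smtp-sts-00 document cited above; the draft-00 wire format itself differs), matches the receiving MX hostname against the policy, and refuses delivery under enforce mode when STARTTLS is not offered or the certificate does not validate. That refusal is what defeats a STARTTLS-stripping downgrade, which opportunistic STARTTLS alone cannot. The domain names, the policy text, the TXT record and the "server offers" are constructed for illustration.

```python
"""Sender-side evaluation of an MTA-STS (RFC 8461) style policy.

Added example; the domains, policy text and handshake outcomes below are
constructed and do not describe any real provider.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy in the RFC 8461 text format (key: value, one per line).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""

# Constructed DNS TXT record of the kind published at _mta-sts.<domain>;
# a changed "id" tells senders a fresh policy must be fetched.
SAMPLE_TXT_RECORD = "v=STSv1; id=20160331000000Z"


@dataclass
class StsPolicy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # allowed MX hostnames or "*.suffix" patterns
    max_age: int       # seconds the policy may be cached


@dataclass
class ServerOffer:
    """What the receiving MTA presented during the handshake (constructed)."""
    mx_hostname: str
    offers_starttls: bool
    cert_valid_for_mx: bool


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the 'v=STSv1; id=...' TXT record into a dict and validate the version."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields


def parse_policy(text: str) -> StsPolicy:
    """Parse the policy file; unknown keys are ignored for extensibility."""
    version = mode = None
    mx: List[str] = []
    max_age = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    return StsPolicy(version, mode, mx, max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label ('*.example.net')."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.net"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def decide_delivery(policy: StsPolicy, offer: ServerOffer) -> Tuple[bool, str]:
    """Return (deliver?, reason). Enforce mode refuses on any failure; testing
    mode only records the failure (for a TLS report) and delivers anyway."""
    problems = []
    if not any(mx_matches(p, offer.mx_hostname) for p in policy.mx):
        problems.append("mx host not in policy")
    if not offer.offers_starttls:
        problems.append("STARTTLS not offered")
    elif not offer.cert_valid_for_mx:
        problems.append("certificate does not validate for mx host")
    if not problems:
        return True, "ok: TLS to policy-listed MX"
    if policy.mode == "enforce":
        return False, "refused: " + "; ".join(problems)
    return True, "delivered with report: " + "; ".join(problems)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_txt(SAMPLE_TXT_RECORD)["id"])
    for offer in (ServerOffer("mail.example.net", True, True),
                  ServerOffer("mail.example.net", False, True),      # downgrade attempt
                  ServerOffer("mx1.backup.example.net", True, False),
                  ServerOffer("relay.example.org", True, True)):     # MX not in policy
        print(offer.mx_hostname, "->", decide_delivery(policy, offer))
```

The second and fourth scenarios are the ones that matter: with plain opportunistic STARTTLS, a path that strips the STARTTLS advertisement or redirects MX resolution simply yields a cleartext delivery, whereas under an enforce-mode policy both are refused and, in testing mode, delivered but reported so the domain owner can see the failures before switching to enforce.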
Many things on the Internet are broken, including some people trying to teach the public about cyber security guidelines. CNBC offered users a way to test passwords to allegedly find one which was pretty good, and test any you are now using. However, this password tutorial had a number of flaws.

* Its password testing form was transmitted in the clear, which means that anyone who shared your Internet connection (that is, everyone on the same WiFi or neighborhood-wide cable modem connection as you) could see you sending it.
* CNBC's website doesn't use HTTPS web encryption.
* The way that CNBC's website was set up, all 30 of the advertisers, whose ads appeared on the page, could also spy on your password.
* CNBC sent all the passwords it received to a Google Doc spreadsheet (itself a prime target for hacking/breaching), despite a notice that said, "No passwords are being stored."
* CNBC's system wasn't very good at scoring passwords, giving them higher grades than they deserved.

http://boingboing.net/2016/03/30/cnbcs-secure-password-tutori.html
http://motherboard.vice.com/read/cnbc-tried-and-massively-failed-to-teach-people-about-password-security

CNBC has taken this down, but you can see an archive of it here: https://archive.is/kaczF
The Apple-FBI Battle Is Over, But the Crypto Wars Have Just Begun http://www.wired.com/2016/03/apple-fbi-battle-crypto-wars-just-begun/
Room for Debate, with debaters Fred Kaplan, Alan Butler, Katie Moussouris, and Matt Blaze http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/constantly-bolstering-computer-security-is-vital
[Note: This item comes from friend Steve Goldstein. DLH] Hackers Seek Ransom From Two More California Hospitals Chad Terhune, Medscape, 24 Mar 2016 <http://www.medscape.com/viewarticle/860921> Hackers demanded a ransom from two more Southern California hospitals last week and federal authorities are investigating the case. Prime Healthcare Services Inc., a fast-growing national hospital chain, said the attackers infiltrated computer servers on Friday at two of its California hospitals, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville. The company said the cyberattack had not affected patient safety or compromised records on patients or staff. Two sources familiar with the investigation said the hackers had demanded a ransom to unlock the hospital computer systems, similar to what happened last month at Hollywood Presbyterian Medical Center in Los Angeles. Hollywood Presbyterian said it paid $17,000 in bitcoin to hackers to regain access to the institution's computers. Fred Ortega, a spokesman for Prime Healthcare, declined to comment on whether Prime received a ransom demand or paid any money, citing the ongoing investigation. “This is similar to challenges hospitals across the country are facing, and we have taken extraordinary steps to protect and expeditiously find a resolution to this disruption. The concern now is to let law enforcement do their thing and find the culprit.” FBI spokeswoman Laura Eimiller said Tuesday “we are investigating a compromise of the network at these locations.” She declined to discuss specifics of the case. The FBI also has been investigating the attack at Hollywood Presbyterian. Ortega said the two hospitals affected remain operational and steps are being taken to restore their computer systems to full functionality. He said some IT systems were shut down by hospital staff as a preventive measure so malicious software didn't spread further.
The company said it's working with data security experts and the California Department of Public Health on the matter. Prime Healthcare, based in Ontario, Calif., has acquired struggling hospitals across the country and has become one of the nation's largest health systems. It runs 42 hospitals in 14 states. The company is led by its outspoken chairman and chief executive, Dr. Prem Reddy. A series of high-profile data breaches in the past year have raised fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling on millions of Americans.
[Note: This item comes from friend Steve Goldstein. DLH] Santiago Tiongco, Tech Times, 26 Mar 2016 http://www.techtimes.com/articles/144306/20160326/smooth-criminal-meet-usb-thief-a-malware-that-can-attack-systems-without-leaving-any-trace.htm Another new malware has surfaced, but this one is unlike the others. This alarmingly stealthy trojan cannot be copied or replicated and it can set up camp in your computer without you ever having a clue. Nicknamed 'USB Thief' by security experts from the ESET antivirus firm, this new USB trojan is equipped with self-protecting mechanisms that enable it to escape detection. It can even infiltrate air-gapped systems, making it an exceptionally useful tool in industrial as well as cyber espionage. In relation to this malware's ability to access air-gapped computers - that is, computers not connected to the Internet for security reasons - the trojan is introduced to a system via USB devices that contain portable installers of widely-used applications such as Firefox, Notepad++, and TrueCrypt. USB Thief exploits this trend by penetrating the command chain of these applications either as a plugin or a dynamically linked library (DLL), which is why each time you run the application, the trojan is also executed in the background. A key aspect of this malware is that it has a highly sophisticated mechanism for self-protection against copying or reverse engineering by employing two operations: AES128 encryption of certain files and generation of filenames from cryptographic elements. First, an AES encryption key is computed from that unique USB device ID and certain disk details from the USB drive hosting the malware, which means the malware can only successfully run on that one particular USB device. Second, the naming of the subsequent file in the malware execution chain is based on actual file content and its creation time, effectively making the file names different for every instance of this trojan.
Because of these techniques, copying or reproducing the malware is virtually impossible. In addition to the malware's multi-step self-protection and ability to not leave any trace on the targeted computer, its data-stealing payload is also extremely powerful and easily modified. [...]
MedStar http://www.medstarhealth.org/ is a $5 billion non-profit health care provider which operates 10 hospitals and 120-250 clinics (conflicting news stories) serving the Baltimore Maryland area including Virginia and Washington DC, so it will probably get much more news coverage than the almost 2,000 other victims of Ransomware. MedStar treated 4.5-million patients in 2015. They have 30,000 employees and 6,000 affiliated physicians. https://en.wikipedia.org/wiki/MedStar_Health There are different kinds of cyber security incidents, happening at a high rate of speed. With some, they release necessary details, then soon the public forgets, in the wake of hundreds of incidents reported at other places, but it looks like MedStar is operating on the dribble approach, let info dribble out as they figure things out, and permit any of the 30,000 employees to speak with the media, which guarantees that with each drop of additional info, news media around the world will be trumpeting the story again, so this place's problems will be remembered for much longer than most others. Initially they said virus, no evidence any info stolen, too early to say ransomware, no disruption to health care for patients. Now we know it is ransomware, and there has been disruption to patients and their families. We also know, that to install the ransomware, the hackers had to have had access to PII of patients, employees, their medical records, financial info, all of the computer records impacted, which invokes some laws regarding disclosure of numbers of people potentially at risk of breach. Later info may dribble out from investigations, to refresh the news stories. This close to DC, Congress will probably hold hearings on this and other similar incidents. http://www.zdnet.com/article/virus-hits-medstar-health-hospital-network-but-denies-data-theft/ When the first stories came out about the apparent virus attack on MedStar, we were not being told many details.
On Monday 28 Mar morning, the hospital discovered the problem, that many computer access points had been attacked, so they shut the whole system down to try to stop the spread of whatever it was. That afternoon, they released a statement about the situation on their web site, and Facebook page. The shutdown impacts access to Electronic Health Records (EHR), e-mail, laboratory results, financials, just about all record keeping you would expect at any medical institution. Many doctor PCs are okay, showing data from the days before the attack, they just cannot access the MedStar network, or access this week's e-mail. I hope their ISP has sufficient data storage to hold the accumulated e-mail until these systems are back up again. The old paperwork system "works" for employees who remember it, but there may be recovery hassles after systems are restored, making sure the records are complete for the downage days. The FBI had been contacted. Initially we were not told what kind of attack it was, but from clues, there was lots of speculation.

https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html
http://www.healthcare-informatics.com/article/breaking-news-medstar-health-hacked-ehr-down-fbi-investigating
http://money.cnn.com/2016/03/28/technology/medstar-hospital-hack/
http://inhomelandsecurity.com/virus-infects-medstar-health-systems-computers-hospital-officials-say/

On Monday 28 Mar, hospital spokespersons had claimed that this incident would not disrupt health care. On Tuesday, news media was publishing lots of stories about disruptions to patient health care, thanks to this incident. By Wednesday, historical EHR records were accessible read-only, but not from all work stations. Some patients have been turned away, because of this incident, refused renewal of prescriptions.
Hospital spokespersons said that no one will get delayed medical treatment because of this, but news media has been interviewing patients for whom that was exactly what happened, and/or who were subjected to scary, and health-threatening, inconveniences. One hospital lost track of a man's invalid wife, falsely claiming she had been released, which caused him lots of anxiety until they located her getting the proper treatment. Patients arrive for appointments, only to find they have been canceled because the medical staff cannot do a proper job without access to the computer records, and apparently they also need access to the computer to notify patients that their appointments have been canceled. Other patients get daily calls "Don't come in, the computers are down again today." In addition to official spokesperson statements, news media is talking with lots of the medical staff, who explain serious medical safety issues, which the official spokesperson is down playing.

https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html
http://wtop.com/local/2016/03/medstar-still-dealing-problems-cyber-attack/
http://www.usnews.com/news/articles/2016-03-29/medstar-struggles-to-work-around-computer-hacking-crisis
http://www.pressreader.com/usa/the-washington-post/20160331/282024736400036/textview

There are also news stories about what Congress persons are saying.
They passed a law in 2015 calling for the federal Health and Human Services (HHS) to:

* Create a task force of health industry leaders and cyber security professionals to identify the biggest threats, and to suggest mitigation approaches;
* Provide doctors and hospitals with guidance on the best ways to protect themselves from cyber attack;
* Have service from the agency, to help any medical institution which suffers a cyber attack;
* Issue reports to the health industry on emerging threats and risks they need to protect themselves against;
* And more. The legislation is the Information Sharing Act of 2015.

http://www.healthcareinfosecurity.com/obama-signs-cyber-info-sharing-bill-a-8762

So far HHS has not yet implemented any of this, according to some news stories, while others talk about the progress being made implementing it. But without the task force, it has been a slow learning process for an agency new to this topic, making some judgment errors, in selecting which risks to prioritize warnings about. There may be a need for agencies, experienced in cyber-threats by industry and how attackware gets delivered, to provide initial training for agencies new to providing cyber security guidance. Other people are calling for an update to HIPAA = US gov regulations about health care records. That system already has a requirement for hospitals to report incidents like this. HHS Office of Civil Rights (OCR) investigates all cyber incidents of health care providers, either reported to them directly, under HIPAA regulations, or found out via news reports. They also have guidance on how to report incidents, such as to the FBI Internet Crime Complaint Center. http://www.ic3.gov/default.aspx They have also told medical institutions about the Better Business Bureau's scam tracker.
https://www.bbb.org/scamtracker/us
Apparently some people are ignorant of the fact that there are laws already on the books calling for the reporting of cyber insecurity incidents, some of which have not yet been implemented, or are not enforceable. Almost every state of the USA has a requirement that places hit by cyber attack, either located in that state or with customers in that state, report them to the Attorney General of the state, and take measures to compensate victims of the attacks (their customers, and others). However, many institutions do not know they are under attack until the damage has been done, plus some do not know what to do after they discover they have been attacked.
http://www.govinfosecurity.com/ransomware-time-for-hipaa-update-a-9002
http://www.healthcareinfosecurity.com/ocr-cyber-awareness-effort-will-have-impact-a-8846
So proper precautions have been sporadic throughout the health care industry.
* We can see from the discrepancies between stories of medical staff and hospital spokesperson statements that there's a lack of training in how to deal with this kind of incident, and a lack of internal communications to cope when computers are down.
* We have not yet been told how this happened to MedStar, but with many other institutions it was a lack of training to avoid one employee, victimized by phishing, taking down the entire computer system. There's also backups, and keeping software up to date.
http://hitconsultant.net/2016/03/30/medstar-cyber-attack/
When the US government first was pushing EHR, there was an outpouring of cyber security concerns from the security industry. The medical profession and government had to learn from medical breaches that those concerns were valid, and remediation investment was essential. We are flooded with cyber security warnings, and few employers have budgeted the resources to cope with them effectively.
In April 2014, there was an FBI warning about a growth in cyber attacks upon the health care industry. The FBI predicted that movement to on-line systems, without provision for how to handle themselves when those systems go down, is inviting trouble. That trouble has now arrived, inconveniencing many portions of the health care industry.
http://www.fiercehealthit.com/story/when-it-comes-cybersecurity-staff-education-matters/2016-03-29
Next the news media learned that MedStar was a ransomware attack, where if the hospital pays $18.5K in bitcoins, the crooks promise to send the keys to unlock their system. Instead, the hospital system is restoring from backups, with partial recovery, and has suffered at least $1 million per day thanks to the down time.
http://www.baltimoresun.com/health/bs-md-medstar-ransom-hack-20160330-story.html
http://www.ibtimes.co.uk/hospitals-crippled-by-cybercriminals-ruthless-medstar-hack-demands-12900-unlock-computers-1552429
I found out about this news story because I subscribe to KnowBe4—training in how not to be a victim of cyber attacks. They use breaking news stories about cyber security incidents to explain how their training can prevent such incidents.
https://www.knowbe4.com/
The challenges the hospital staff and patients are dealing with demonstrate some flaws in planning for the possibility of computer downtime, when everyone becomes dependent on the digital data. What could go wrong when a hospital runs purely on electronic records, then their computer systems go down? MedStar has learned about that this week, and also has had earlier lessons.
http://catless.ncl.ac.uk/Risks/29.31.html#subj4
Before any hearings into what, if anything, should be done about such incidents, maybe Congress should get a report from CRS = Congressional Research Service, https://www.fas.org/sgp/crs/misc/ and from GAO = Government Accountability Office, http://www.gao.gov/products/GAO-16-265 to communicate:
* What laws and regulations already exist regarding health care cyber incidents, their prevention and disclosure.
* What is the status of implementation of those rules.
* Statistics on this kind of attack.
* Status of investigations into major attacks.
Here are some CRS reports on Health Care, other than the cyber security dimension:
http://www.ncsl.org/research/health/congressional-research-service-reports-on-health.aspx
Ransomware <https://en.wikipedia.org/wiki/Ransomware> is a threat to:
* Hospitals
* Police stations
* Cloud services
* Mobile phones
http://krebsonsecurity.com/tag/ransomware/
In addition to all the data placed at risk, which I mentioned in my earlier MedStar post, medical devices may also be at risk.
* To install the ransomware, the hackers had to have had access to PII of patients, employees, their medical records, financial info, all of the computer records impacted, which invokes some laws regarding disclosure of numbers of people potentially at risk of breach.
Sergey Lozhkin, a senior researcher at Kaspersky Lab, said "in lots of cases medical equipment is not isolated from the local office network." A month ago, he detailed the results of his penetration test of a Moscow hospital. Among other issues, Lozhkin discovered a login portal for a CT scan machine on the open Internet, and once inside the hospital's local network, he found a control panel for an MRI machine that was not password protected.
<https://threatpost.com/medical-device-health-care-security-continues-to-ail/116228/>
There have been at least a dozen hospitals, or hospital chains, afflicted with ransomware just in March 2016.
http://motherboard.vice.com/read/the-spreading-epidemic-of-hospital-ransomware
Thursday, March 31, the U.S. Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre issued a joint alert about the risk of ransomware.
http://www.reuters.com/article/us-cyber-ransomware-alert-idUSKCN0WY3BN
US Hospitals are juicy targets for ransomware because:
* Their care depends on access to up-to-date complete records, which, thanks to the US government, are now electronic.
* Their care is critical. Disrupting it can mean serious complications for patients, and lawsuits because of that.
* Very few hospitals conduct security training for their staff.
* What has been more critical for them is HIPAA compliance, because the US government has emphasized patient privacy much more than cyber security.
http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
MedStar reacted by shutting down their servers the moment they realized they'd been hit. KnowBe4 says that is the correct first step. They distribute a 20-page hostage manual (.pdf) instructing ransomware victims on what to do after an attack, and how to prevent one.
<http://www.wired.com/wp-content/uploads/2016/03/RansomwareManual-1.pdf>
There are several ways computers get hit by ransomware.
* Someone falls for a phishing spam scam, which installs attackware on their computer.
* Hacked or malicious sites exploit browser vulnerabilities with drive-by attackware.
* Once either approach has gained access to a system, the hackers can easily follow, to perform their mischief. It goes after individual PCs and servers, while deleting any connected backups.
In MedStar's case, the malware is Samsam, also known as Samas and MSIL. This tells us a hacker had to install the ransomware, but it does not tell us how the hacker got into MedStar's systems. Samsam exploits vulnerabilities which have been patched, so this also tells us that MedStar had not stayed current on critical patches for their systems.
http://arstechnica.com/security/2016/03/maryland-hospital-group-hit-by-ransomware/
The FBI issued alerts about this recently.
https://motherboard.vice.com/read/fbi-warns-about-ransomware-attacks-infecting-whole-networks
https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise
I believe IT should take systems down, so nothing is connected to the Internet, to run a complete backup to media not left connected to the servers, then let the network re-connect only after each device is checked to be clear of security problems, and make sure its backup is up-to-date.
Unfortunately, many outfits need to be up 24x7, and won't approve the resources needed to run high speed backups in short scheduled down time, like the wee hours when business is at its lowest volume, or to have client devices which gather info to update the server from activity during the short down time for backup. I believe all institutions should do a periodic search to identify all the ways they are connected to the Internet, in case of any inadvertent errors adding poorly secured links.
https://www.shodan.io/
Search for *hospital* and find:
* 144 in USA
* 133 in Brazil
* 69 in Thailand
* 67 in South Korea
* 54 in India
Connection info for specific hospitals is provided. No hits for MedStar—hopefully that means that any past flaws have now been fixed. Example of a USA hit: Health First Viera Hospital, 6450 US Highway 1, Rockledge, FL 32955
In any breaking story, mainstream media has high levels of speculation, leading to conflicting stories. Fraudulent bank transfers were allegedly communicated via the SWIFT network. Some stories say SWIFT was compromised. Others say no, SWIFT was not compromised; rather, the communications system at one end was breached. The Bangladesh Central Bank may sue the NY Fed to try to recover some of the lost money. I predict this effort will fail, because US courts have usually ruled in favor of the bank which held the money which was stolen, and against the business enterprises that owned that money. Judges have ruled that way even when it is proven that the NY Fed equivalent institution was in the wrong, or made cyber security errors. So far, no evidence has surfaced in the news media that the NY Fed did anything wrong.
http://www.nbcnews.com/tech/tech-news/bangladesh-bank-might-sue-ny-fed-after-1b-hack-heist-n544046
http://www.en.prothom-alo.com/bangladesh/news/98969/Bangladesh-Bank-weighs-lawsuit-against-NY-Fed
In this case, the Bangladesh Central Bank has been found to have been infected with malware, which facilitated access to their credentials for managing money. Invariably in past US court cases, when the business owning the bank account was hacked, breached, or social engineered, triggering info needed to file a false money transfer request, judges have ruled that the bank from which the money was transferred is not responsible for the negligence of the place which got malwared, hacked, breached, etc. How the malware got onto the Bangladesh Central Bank system has not yet been made public by investigators. Spam phishing is the usual route.
http://www.marketwatch.com/story/malware-used-in-100-million-bangladesh-bank-heist-2016-03-21
Philippine authorities now believe 2 Chinese men stole the Bangladesh money, but are they mules paying off casino debts, or addicted to gambling, where the casino operators aided in setting up the money transfer system?
Since those 2 men have been identified, but not yet located, are they in fact false identities created by a casino operator and a friend at the Philippine bank? The money arrived in fictitious accounts at RCBC bank in the Philippines. Bank officials have conflicting testimony about the process by which those accounts were authorized & set up.
http://www.securityweek.com/chinese-high-rollers-moved-stolen-bangladesh-millions-philippines-witness
http://www.straitstimes.com/asia/se-asia/missing-link-in-us81-million-bangladesh-bank-heist-set-to-testify-before-philippine
http://www.themalaymailonline.com/world/article/witness-millions-from-bangladesh-bank-heist-moved-to-philippines-by-chinese
WSJ has a video of what's known so far about the travels of the stolen money.
http://www.wsj.com/articles/businessman-denies-planning-central-bank-heist-1459261342
Philippine legislators have had a hearing on where the money ended up, and how it got there. Now US Congresswoman Carolyn Maloney (D-NY) http://carolynmaloney.com/ wants a US hearing on this bank heist, and what standards are needed to put a stop to such activities. There may be no solution so long as:
* Businesses are vulnerable to phishing, malware, and hackers taking over their institutions, with them oblivious to this happening;
* Judges rule in favor of banks which violate contracts not to move money to new locations, or in excess of some ceilings, without personal contact with officials of the institution owning the money who are authorized to approve such actions.
http://carolynmaloney.com/multimedia/latest_news/view/2016-03-maloney-wants-probe-on-bangladesh-bank-heist
http://news.yahoo.com/u-congresswoman-wants-probe-bangladesh-bank-heist-200449682.html
Wikipedia is periodically updated as more info is found, released, and confirmed.
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
ACM and Infosys Foundation Honor Innovator in Network Security Research
Association for Computing Machinery (03/30/16)
ACM TechNews, 30 Mar 2016
Stefan Savage from the University of California, San Diego has been selected to receive the 2015 ACM-Infosys Foundation Award in the Computing Sciences. Savage was cited for research in network security, privacy, and reliability that has shown people how to perceive attacks and attackers as components of an integrated technological, societal, and economic framework. Savage's approach is embodied in his recent work with collaborators to fight spam by exploring how spammers generate revenue, and what steps might be taken to neutralize this incentive. One project involved the researchers infiltrating a botnet to extract insights about the economics of spam schemes. By monitoring millions of spam emails and identifying the individual services needed to monetize them, Savage's team built a model of dependencies in the spam supply chain. They demonstrated that merchant bank accounts used to receive credit card payments were the most valuable and prone to disruption. "Stefan Savage has shifted thinking and prompted us to ask ourselves how we might impede the fundamental support structure of an attacker," says ACM president Alexander L. Wolf. "His frameworks will continue to significantly influence network security initiatives in the coming years."