The Ugly Version of Ransomware

As hackers discover that some organizations are opting not to pay the ransom after a ransomware attack, either because they have backups or because they do not want to fund criminals, the criminals are changing tactics – something we warned about months ago.

In this case, CarePartners, a home healthcare service provider in Ontario, announced last month that it had been breached.  At the time it said only that personal health and financial information of patients had been inappropriately accessed, and nothing more.

This is where the ugly starts.

Since CarePartners was managing the spin and, apparently, not telling the whole story, the hackers reached out to CBC News and spilled the beans.

They provided a sample of the data involved in the ransom demand and said that they would release it if the ransom was not paid.  Of course, there is no way to know whether they will release it anyway, even if the ransom is paid; paying buys a promise from a criminal, not a guarantee.

The “sample” includes thousands of patient medical records with phone numbers, addresses, birth dates, health ID numbers, detailed medical conditions, diagnoses, surgical procedures, care plans and medications.

Other documents shared include credit card numbers and related information.

Now CarePartners says the breach could affect up to 237,000 patients.

Since this particular ransom attack took place in Canada, the penalties would be governed by PIPEDA, the Canadian privacy law, which is pretty tough.

What does this mean for you?

First, you should plan for the worst case of a ransom attack, where the attacker says that if you don’t pay, they will release your data publicly.  OUCH!  Good backups protect you against the encryption half of that attack and do nothing at all about the disclosure half.

Second, be ready to figure out what the attackers actually took.  A month after the attack, CarePartners said that it had identified 627 patient files and 886 employee records that were accessed, but the “partial” data the hackers gave CBC News contained 80,000 records.  HUH?!  You cannot answer that question without logs that survive the attack and an investigation that looks beyond the systems the attacker told you about.

Next, apparently the servers did not have current patches installed; they were two years out of date.

And the data was not encrypted at rest.

When CBC News contacted some of the people whose records the hackers had handed over, they confirmed that they were patients of CarePartners but said they had not been contacted by the company.

CarePartners is working with the Herjavec Group (as in the guy on Shark Tank and yes, they are a legit and well known security company).

CarePartners said that it takes security seriously and that it has outsourced its IT to someone else.  Apparently that third party isn’t doing a very good job, and CarePartners will get to pay the fine, deal with the lawsuits and have its reputation damaged.  In its case, it is a contractor to the local government, so it could have its contract cancelled as well.  Remember, you can outsource the responsibility but you cannot outsource the liability, so make sure that you are effectively managing any third party that claims to be taking care of your security.

Let’s assume this breach costs CarePartners a couple of million dollars, which is a reasonable estimate.  They need to make sure that they can afford to pay that bill and that their outsourced IT provider can reimburse them for that cost – hopefully, in both cases, through adequate insurance.  Check the limitation-of-liability clause in the vendor contract before you count on that reimbursement: many IT services contracts cap the vendor’s exposure at the fees paid, which would not come close to covering a breach of this size.

Information for this post came from CBC News.

Sextortionists Shift Scare Tactics

Sextortion is the act of coercing vulnerable people, often teenagers, into providing the sextortionist with sexually explicit photographs and videos under the threat of releasing other embarrassing material, such as nude pictures that may already exist privately in the victim’s email, text messages or private social media accounts.

The attacker does this by convincing the victim that they have hacked into the victim’s digital life and already have whatever is there.

99% of the time this is a complete scam, but scared people do desperate things – like sending (more) sexually explicit material to the attackers in the hope of keeping them from publicly releasing material they claim to have.  The hacker typically asks for a fraction of a bitcoin in payment.

One new tactic is including so-called “legitimate” passwords, say to the user’s email account, in the pitch message.  These passwords are often legitimate in the sense that the user did use them at one time.  That lends credibility to the pitch, and the panicked victim does not stop to think about how the hacker could have gotten the password.  The attacker almost certainly got it from one of the thousands of data breaches whose password dumps circulate online; a password from an old dump says nothing about whether the victim’s current accounts or devices were actually compromised.
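The quickest way to confirm that the password quoted in one of these emails came from a public breach dump is to look it up in the Have I Been Pwned “Pwned Passwords” corpus, which is designed so that the password itself never leaves your machine: you send only the first five hex characters of its SHA-1 and match the rest locally. The example below is added here and is not from the original post or from Threatpost; the range response it parses is a constructed sample (the first suffix is the genuine SHA-1 suffix of “password”, the other suffixes and all of the counts are made up), and the live `fetch_range` call is included only to show the real endpoint.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response. The k-anonymity
# API takes the first 5 hex characters of SHA-1(password) and returns every
# known 35-character suffix under that prefix with a breach count. The first
# suffix below is the real suffix of SHA-1("password"); the other two suffixes
# and all three counts are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-character prefix is ever sent out."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times this password appears in the breach corpus (0 = never seen)."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against the real endpoint (network). Not used offline."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo: the quoted password is hashed locally, the prefix selects
    # a few hundred candidate suffixes, and the match happens on this machine.
    for pw in ("password", "a-long-unique-passphrase-nobody-else-uses"):
        prefix, _ = split_for_range_query(pw)
        seen = breach_count(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: prefix {prefix}, seen {seen} time(s) in the sample range")
```

A non-zero count tells the victim where the “proof” came from and, more usefully, which password must be changed everywhere it was reused. A zero count does not prove the email is genuine; it only means that particular password is not in the public corpus.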

So what should you do?  Well, there is before you get a request and after you get a request from a hacker.

Before, you should practice good cyber hygiene.  Install patches promptly for all software, stay away from sketchy web sites, choose good passwords, etc.

Second, enable two-factor authentication, using either a text message to your phone as the second factor or, better yet, an authenticator app such as Google Authenticator or the code generator built into the Facebook app.  The app is preferable because text messages can be redirected by a SIM-swap attack, but either one stops an attacker who only has a password from an old breach dump.

For parents, talk with your kids about the risk of taking pictures that, if they got out, would embarrass them or worse.

Finally, parents need to talk to their kids about sharing compromising pictures and videos with others, no matter how much they think they are in love and no matter how many promises the other person makes.  Understand that kids may be under enormous social pressure to conform – do not underestimate that.

After the fact, kids need to trust their parents, even though they are embarrassed, confused and scared.  Parents need to work beforehand to get kids to understand that this is not something they can deal with by themselves.

Unfortunately, you may need to get legal advice, and you should definitely not believe the hackers.  One suggestion:  ask for a sample of the photos they claim to have.  If the hack is real – likely it is not – then you need to decide what to do.  The police are going to say that you should go to them, and that is probably an OK idea, but unless the hacker is someone you know, I would not get your hopes up.

On the other hand, it may be someone your child knows.  In that case, you need to understand your options and a lawyer may be helpful.  Releasing so-called revenge porn is a crime in many states.

Certainly prevention is easier than dealing with something after the fact, and there are no easy answers, as kids especially tend to do unexpected things.  Discussing and planning ahead is likely a good idea.

Source: Threatpost.

Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that it interrupted the attack in progress.  Still, the hackers got usernames, passwords, email addresses, dates of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the access tokens that Timehop uses to pull your posts from social media sites such as Twitter were also compromised.  Part of the good news is that because they detected the attack in progress, they were able to immediately deauthorize those tokens, reducing the damage.

Still, this does point out the risk of granting someone else a standing proxy to your data – in this case, 21 million users were exposed because of a breach at a third party, not at the social networks themselves.  The data here was not particularly sensitive – unless your Facebook posts are sensitive – but that is purely accidental.

One more bit of bad news (beyond all the bad news above for the people whose data was stolen).  This attack began in December 2017.  The hacker logged in again in March and April 2018, then on June 22, and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018, so the theft falls squarely under the new law.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB Restricted Mode to the current release of iOS.  Restricted Mode locks down the Lightning port of an iPhone or iPad once the device has been locked for an hour, so that the port can be used only for charging and not for data access until the device is unlocked again.  It defaults to enabled, although you can turn the feature off (Settings, Touch ID/Face ID & Passcode, “USB Accessories”).  This is designed to make it harder to extract data from, or brute-force the passcode of, a locked iPhone/iPad over the port.

This will make it harder for law enforcement to get into seized phones, but some of the hackers are saying that they have already figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, Missouri, put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR (electronic health record) system to make sure it did not become a casualty of the attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying so, is likely the result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from backups.  Other hospitals that chose not to pay the ransom took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found selling manuals for the MQ-9 Reaper, a $17 million military drone, for less than $200 on the dark web.  He got them by breaking into an Air Force airman’s home Internet router, which had not been patched for a known vulnerability.  It is likely that the airman was not involved, but it is not clear whether he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon-to-be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still, it is a multi-billion dollar a year problem.

Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not, and the California law’s effective date is still almost 18 months away.  Either way, these tips should be useful.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.

Another right is, in at least some cases, to request that the company delete the data,  again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory, or VDI, process identifies all vendors that a company does business with – from the Post Office to some niche cloud-based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start because usually, but certainly not always (e.g., Gmail is free), vendors get paid.

Of course, even the free vendors have to be accounted for.  Also the vendors that are paid for by someone in a branch office on a personal credit card which is later reimbursed have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.

Third Party (Vendor) Cyber Risk Management Rears its Ugly Head AGAIN!

This seems to be a recurring topic, but it doesn’t seem to be getting any better, so I will leap back into the fray.

Last month Ticketmaster announced that it had a breach, and it led people to believe that the breach was isolated and had something to do with its own software.

According to RiskIQ, the breach at Ticketmaster is due to a third-party vendor named Inbenta, whose JavaScript was loaded on Ticketmaster’s payment pages, but that is just one affected vendor – the one that Ticketmaster happens to use.

Tools that may be affected or infected include Magento, Powerfront and OpenCart.  Payment services including Braintree and VeriSign may be being targeted.

The attack has been refined over time since 2016.

RiskIQ has identified 800 infected websites including some from very big companies.

Magecart, which is what RiskIQ calls the attack and the group behind it, continues to expand, and because a single compromised vendor script is loaded by every site that embeds it, some of the infected tools could capture 10,000 victims at a time.

So what do YOU do?

First of all, you need to identify all of the third-party software that you use and that your contract developers use.  This includes software that is integrated into your various products, tools installed on the servers where the products run, and – the Magecart case – scripts that your web pages load at run time from another company’s server.  It doesn’t matter if the software is commercial or open source.

Then you need to create a vendor cyber risk management program.  That will measure the overall cyber security awareness and preparedness of each vendor.

YOU need to make sure that these vendors are on top of bugs in their systems, and then you need to make sure that your IT and development teams have a way to be alerted BOTH when bugs are found and when patches are released.

Finally, you need to make sure that ALL patches are installed on all machines.  Depending on the piece of software affected, it may require a completely new build from the vendor and then a reinstall of the product.  Make sure that you understand what is required because it may not be obvious.

Then, of course, you need to test the patch to make sure that it really fixed the bug.  They don’t always!
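For the Magecart case specifically, the “identify all third-party software” step has to include the scripts your checkout page pulls from other companies’ servers at run time, because that is exactly where the Inbenta script sat. The example below is added here and is not from the original post or from RiskIQ: it scans a constructed checkout page for `<script src>` tags whose host is not one of your own, reports those that are not pinned with Subresource Integrity, and generates the `integrity` value for a vendor script whose bytes you have reviewed. The host names in the sample page are invented and the `integrity` value on the analytics tag is a placeholder, not a real digest.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed checkout page for the example. All hosts are made up; the
# integrity attribute on the analytics tag is a placeholder, not a real hash.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.chatvendor.test/widget.js"></script>
<script src="https://cdn.analytics.test/track.js"
        integrity="sha384-PLACEHOLDERnotArealDigestPLACEHOLDERnotArealDigestPLACEHOLDERx"
        crossorigin="anonymous"></script>
<script src="https://assets.shop.test/vendor/jquery.min.js"></script>
<script>window.inlineConfig = {};</script>
</head><body><form id="payment"><input name="cc"></form></body></html>
"""


class ScriptTagCollector(HTMLParser):
    """Collects the attributes of every <script> start tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "script":
            # attrs is a list of (name, value); value is None for bare attributes
            self.scripts.append({k.lower(): (v or "") for k, v in attrs})


def third_party_scripts(html: str, own_hosts: Set[str]) -> List[Dict[str, object]]:
    """External scripts not served from one of our own hosts, with pin status."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings: List[Dict[str, object]] = []
    for attrs in collector.scripts:
        src = attrs.get("src", "")
        if not src:
            continue  # inline script: part of our own code base
        host = urlparse(src).hostname
        if host is None or host.lower() in own_hosts:
            continue  # relative URL or our own CDN
        # Browsers only enforce SRI on cross-origin scripts when CORS is
        # enabled, so a tag is "pinned" only with both attributes present.
        pinned = bool(attrs.get("integrity")) and attrs.get("crossorigin", "").lower() == "anonymous"
        findings.append({"src": src, "host": host, "pinned": pinned})
    return findings


def unpinned_third_party(html: str, own_hosts: Set[str]) -> List[str]:
    """Scripts another company can silently change inside our checkout flow."""
    return [str(f["src"]) for f in third_party_scripts(html, own_hosts) if not f["pinned"]]


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body we have reviewed."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    own = {"assets.shop.test"}
    for src in unpinned_third_party(SAMPLE_CHECKOUT_PAGE, own):
        print("third-party script without SRI:", src)
    # After reviewing a vendor's script, pin the exact bytes you reviewed.
    reviewed = b"/* vendor widget v1.2.3, reviewed before deployment */"
    print('integrity="%s" crossorigin="anonymous"' % sri_hash(reviewed))
```

Pinning only works for scripts the vendor serves as fixed, versioned files; if the vendor changes the file, the browser refuses to run it, which is the point, and you re-review and re-pin. For a vendor that serves a constantly changing script, host a reviewed copy yourself instead. Pair either approach with a Content-Security-Policy whose `script-src` lists only the hosts you expect and whose `connect-src` and `form-action` limit where the page can send data, since a skimmer still has to exfiltrate the card numbers somewhere.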

If this seems like a pain in the &^%$#, it is.  Sorry.

And, you need to do this for each software product from each vendor.  On each computer on which it is installed.

That is why many companies don’t have a vendor cyber risk management program and why many companies get caught in breaches like this.  Sometimes they don’t even know that they are vulnerable or that they have been compromised.

Information for this post came from RiskIQ.

Why Your Incident Response Program is Critical

Police think that hackers hacked the pumps at a Detroit-area gas station, allowing drivers to get free gas.

The drivers of ten cars figured it was okay to steal gas from “The Man”, to the tune of about 600 gallons.  While 600 gallons of gas is not the end of the world, it does make a point.

The article said that the gas station attendant was unable to shut off the pump that was giving away free gas for 90 minutes, until he used something called an emergency kit.

This happened at 1:00 in the afternoon – in broad daylight, a few minutes from downtown Detroit, so this is not a “in the dark of night in the middle of nowhere” kind of attack.

One industry insider said that it is possible that the hackers put the pump into some kind of diagnostic mode that had the pump operate without talking to the system inside the booth.

In the grand scheme of things, this is not a big deal, but it does make a point.

If the gas station owner had an incident response plan, then it would not have taken 90 minutes to turn off the pump.

For example, the circuit breakers that power the pumps in the tanks are in the booth where the person is.  I PROMISE that if you turn off the power to the pumps, you will stop the flow of free gas.  Then you can put a sign on the pumps that say that you are sorry, but the pumps are not working right now.

This time it was a gas station, but next time it could be much worse.

But the important part is that you need to have an incident response plan.

The article said that the attendant didn’t call the police until after he figured out how to turn off the pump, 90 minutes later.  Is that what the owner wants to happen?

It doesn’t say if he talked to the owner during that 90 minutes.

Is there a tech support number he should have called to get help?

Bottom line is that even a low tech business like a gas station needs a plan.

You have to figure out what the possible attacks are.  That is the first step.

Then you have to figure out what the course of action should be for each scenario.

After that, you can train people.

Oh yeah, one last thing.  How do you handle the scenario that you didn’t think about?

That is why incident response plans need to be tested and updated.  Nothing is forever.

Information for this post came from The Register.