KY/WV Regional Healthcare System Hit by Something – Maybe Ransomware

Appalachian Regional Healthcare (ARH), which operates two hospitals in West Virginia and nine in Kentucky, reported over the weekend that it was the target of a cyberattack that forced staff to revert to paper.

No email, no electronic health records, no other electronic systems.  Just paper.

The hospitals are assessing whether to transfer critically ill patients to other facilities.

ARH says it is working with IT providers to restore its systems.  They are also working with the Feds to figure out what happened.

What we have not heard is what happened.  Was it a virus?  Ransomware?  A technical glitch?  ARH is not saying.

Was patient or staff information compromised?  Nope, don’t know that either.

Does ARH know what happened?  We don’t know.

Given the FBI is reporting that there are about 4,000 ransomware attacks reported every day, it is certainly possible that this is a ransomware attack, but we don’t know.

Some patients are running out of patience.  They want to know if there was a compromise and if there was, what was taken.  But the answer to that might not be so easy if the hospitals’ log records are lacking, damaged or erased.

The Department of Health and Human Resources is telling patients to file complaints with the Office of Civil Rights at 800-368-1019.  I am sure that the hospital is thrilled about that suggestion.

But, this points to the fact that the silent treatment will not work.  You have to have an incident response plan in place and tested.  You have to be able to figure out what was taken. And you have to be able to do that quickly.  ARH seems to have failed on all counts.

Stay tuned.

Information for this post came from the Charleston Gazette Mail and the Register-Herald.


New Russian Invoice Scam Targets Businesses

Mailguard is reporting a new phishing scam that uses the old “here is an invoice for you to review” or “here is a purchase order for you to review” ruse.

A screenshot of one of the emails is shown below.


In both cases, the malware takes advantage of a vulnerability in Word that has been patched, but the patch may not be installed.

The malware operates with the same rights that the user has, so if the user is an admin, so will the malware be.

Mailguard says that only 5 of 60 “traditional” anti-virus vendors detected this, and of course all the authors need to do is change the encryption key for the malware and signature-based (traditional) anti-virus products would be blind to it again.

This is a great teaching moment for companies.

ANY email like this needs to be scrutinized VERY closely.  If your people are not expecting an invoice or PO from that sender or don’t normally see POs or invoices, then they should contact IT and not open the attachment.

In addition, people can call the sender and verbally confirm the contents of the email.  DO NOT USE EMAIL TO VERIFY EMAIL - it is possible that the email on one end or the other, or both, may be compromised.

Finally, companies should consider creating a secure portal for vendors to submit files.  Unlike email, which has no security built in, the portal would have to be hacked for an attacker to spoof a legitimate user.  While not perfect, it is significantly better than the non-security of email.

Information and the screenshot for this post came from Mailguard.

Russian Lawmaker’s Son Convicted of Hacking – Faces 40 Years

It seems like there are a lot more break-ins than there are convictions in court, but every now and then the feds catch a big one.

In this case it is Roman Seleznev, the son of a Russian lawmaker.  He was accused of costing banks about $170 million in losses and costs to repair the damage.

Roman made the mistake of vacationing in the Maldives in 2014.  The U.S. has a much friendlier relationship with the Maldives than with Russia, so it probably seemed a whole lot easier to extradite him from the Maldives.  Needless to say, his dad wasn’t happy that he was arrested on vacation.  He calls it a kidnapping.  However, the government has done this many times and it seems to be completely legal.  He was charged with 38 counts.

When he was arrested, he had 1.7 million stolen credit card numbers on his laptop.

Supposedly, he hacked into the Point of Sale systems of hundreds of businesses and cost 3,700 banks almost $200 million.

Last week he was convicted and will be sentenced in December.  He faces up to 40 years in prison.

But here is the problem.  This one conviction will have zero impact on cyber crime.  Hackers never think they are going to be arrested.  Roman didn’t figure that he was going to be caught.

And even if a few guys decide that they might get caught, there are so many of them that those few will not make a difference.

So in the end, while the prosecutors are trying hard, they will have little effect on the outcome.

Which means that, more than ever, it is up to you to keep yourself safe.

Just Sayin’.

iPhone Hack Exposes Camera, Microphone, Texts, Even Passwords

When is a hack not a hack?  When an Israeli company sells it as a feature.  The company, NSO Group, sells the software, to governments among others.

The software allows the attacker to:

  • Control the camera
  • Listen to the microphone
  • Track the phone’s location
  • Intercept text messages
  • Intercept emails
  • Download the calendar data
  • Download your contacts
  • Record phone calls and messages from WhatsApp and Viber
  • Access iMessage, Gmail, Facebook, Skype and Line apps
  • And even extract passwords from the keychain

So much for iPhones being secure.

The software exploits three previously unknown, or zero-day, bugs; Apple released patches for iOS 9 and the iOS 10 beta this week.  iOS 9 users should be on version 9.3.5.

The attack is called Trident since it uses three zero-day bugs.

It appears that governments used the software to target journalists and human rights workers.  Given this is a business for NSO, who knows who they went after.  I assume they had to sell many copies to stay in business.

The software gets loaded via text message.  YUP!  The attacker sends the victim a text message that looks like it came from The Red Cross or a news organization or even a tech company (Apple, perhaps).  If the user clicks on the link in the message, it is, as they say, game over.

NSO pleaded ignorance, of course.  They say that their customers sign a piece of paper that says that they are going to use it legally.

Sure, we will work with that.  First, how would NSO ever know if they used it illegally?  Second, what would they do if they did know – sue the government?  No, the piece of paper is cover fire in case they get outed, as it appears they did last week.

One interesting part of this story is that the software uses 3 zero-day exploits.  That is like Stuxnet – which, by the way, also came from Israel, supposedly.  Using three zero days at once is very risky because if you get outed you lose three very valuable assets, not just one or two.  And zero days are hard to come by.  At least we think they are.  Maybe not?!

So for all you iPhone users, install the patches right away.

Information for this post came from CNN.



Hotel Chain Learns Of Breach – When Secret Service Pays A Visit

It seems like I write one of these every day.  Today it is Millennium Hotels and Resorts, an international hotel chain based in Colorado.  They are saying customers that used their credit cards at 14 of their hotels between early March and the end of June need to keep an eye on their credit card bills.

What is important here is not that another hotel has less than stellar information security practices.  It is not that the hackers were in the system for 4 months before they were detected (actually, that is less than the average of around 200 days).

What is important about this breach is how they (and we) found out about it: the United States Secret Service paid Millennium Hotels a visit and, to paraphrase that famous NASA quote, said, “err, Boulder, we have a problem!”

What we don’t know is whether this is part of the Oracle Micros breach; hopefully Millennium will release more details soon.

What is important to point out is this.  They would not know today that they had been breached if the Secret Service did not pay them a visit.  

Let that sink in for a minute.

The Secret Service can only work on a TINY fraction of all of the breaches out there due to limited resources.  Since this breach is not, in itself, huge, I have a thought that it may be part of a larger breach, hence my comment about Oracle above.

So if your company is not lucky enough (if that is the right term) to be breached in a way that the Secret Service thinks it is important enough to work the case, you might never know that you have been breached.  Credit card fraud is easy to detect.  Stolen intellectual property is ten times harder to detect.

This takes us back to former FBI Director Robert Mueller’s quote:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be.  And even they are converging into one category: companies that have been hacked and will be hacked again.”

So if we take the depressing view that you are going to get hacked at some point in time, what does that mean?

It means you should plan to deal with it –

  • Create a cyber incident response plan
  • Identify and engage the third party resources that you will likely need in case of an incident, in advance.  The last thing you want to do after you have a breach is be negotiating the terms of a letter of engagement.
  • Identify your internal breach response team
  • Train that team so that they know what they should do in case of a breach.  Think of this as a cyber fire drill.
  • Review the results and tweak the system

Some of you may be old enough to remember the Cocoanut Grove fire in Boston in 1942.  It was – and still is – the deadliest nightclub fire in history.  492 people lost their lives.

Why did so many people lose their lives?  Because the club was not prepared for an event like this.  Today, many businesses are not prepared for a cyber breach incident and while, for the most part, people won’t die because of this, businesses will spend millions to hundreds of millions of dollars as a result.

After the Cocoanut Grove fire, United States building codes were revised.  Emergency exits were required, signs with independent power were required; flammable decorations were banned along with other changes.

In the cyber security business, we have not had the equivalent of a Cyber Cocoanut Grove, although you would think that Target, Home Depot, Anthem Blue Cross or the Office of Personnel Management would qualify.

What is true is that behind the scenes there are a lot of efforts going on to legislate changes.  When or what we will see is not known.  Many businesses have realized that it makes sense to get in front of that freight train rather than looking at that bright headlight and wondering what is coming their way.

We are also seeing cyber insurance carriers refusing to pay out in case of breaches where they think the companies contributed to the breach in a way that violates the terms of the policy.

If your company is not ready for a Cyber Cocoanut Grove, now is the time to get started.

And, equally importantly, if your key vendors are not ready for a Cyber Cocoanut Grove, it is your tushy that is going to be in a tight spot.  The stories this week and last about all of these hotel and retail breaches that are tied to a third party should bring this part home.

If you need help with this, please contact us.

Information for this post came from the Denver Business Journal.

Information on the Cocoanut Grove fire can be found here.


VW Vulnerability Affects Almost Every VW Sold Since 1995

A few years ago, computer researchers discovered a problem with the VW keyless ignition system.  VW sued the researchers rather than fixing the problem and delayed the release of the information about the vulnerability for two years.   In VW’s defense, maybe it was difficult to close the vulnerability and it certainly would take time.

Apparently that ticked off the researchers, so they continued to dig and now they have found two other vulnerabilities – this time affecting the door locks of a hundred million cars.

The vulnerability affects almost every VW sold since 1995.

Researchers at the Usenix Security Conference revealed two different vulnerabilities.  One would allow attackers to unlock almost every car VW has sold in the last 20 years;  the other affects other brands too – ones that use the VW system – like Alfa Romeo, Fiat, Ford, Mitsubishi, Nissan and others.

The two attacks are relatively easy to do – intercept the radio signal and clone it.  You could do it with a laptop or the Arduino board shown below (photo from Wired Magazine).

VW Hack

The first hack, the one that affects the VW cars, works because VW hard coded a secret key into the car.  When you press the button to unlock the car, it sends a car-unique code – the same code every time.  The attacker’s laptop or Arduino combines the unique code with the secret key and voila.  You own the car.

Apparently there is more than one secret key, but only a handful.  The four most common keys will unlock almost a hundred million cars.  The VW Golf 7 is different in that it uses a unique key!

The second attack breaks the HiTag2 crypto system.  It apparently uses a rolling set of keys that changes unpredictably with every button press.  The researchers say that they found a vulnerability in HiTag2 which allows them to break in within 60 seconds.

The HiTag2 system is almost 20 years old and the manufacturer, NXP, told car companies to replace it, but, apparently, VW hasn’t listened to them – yet.
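To make the difference between the two designs concrete, here is an added toy model, not VW's, NXP's or the researchers' code: a receiver that accepts one fixed car code, beside a rolling-code receiver that ties every press to a fresh counter under a per-car key. The frame format, the HMAC tag and the window of 16 are assumptions of the model; it shows why one recorded press replays against the first design but not the second, and why a per-car key rather than one shared key keeps another fob's frames out.

```python
import hashlib
import hmac
import os

# Constructed model of the two fob designs the post contrasts; not VW's, NXP's or the
# researchers' code.  Frame format, tag size and the window size are assumptions.

class FixedCodeReceiver:
    """The fob sends the same car-unique code every press, so one capture replays forever."""
    def __init__(self, car_code: bytes) -> None:
        self.car_code = car_code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.car_code)


def rolling_frame(fob_key: bytes, counter: int) -> bytes:
    """What the fob transmits: a 4-byte press counter plus an 8-byte HMAC tag over it."""
    body = counter.to_bytes(4, "big")
    return body + hmac.new(fob_key, body, hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    """Accepts a counter only if it is newer than the last one seen and inside a look-ahead window."""
    def __init__(self, fob_key: bytes, window: int = 16) -> None:
        self.fob_key, self.window, self.last = fob_key, window, 0

    def accept(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        if not (self.last < counter <= self.last + self.window):
            return False  # already seen (a replay) or implausibly far ahead
        if not hmac.compare_digest(frame, rolling_frame(self.fob_key, counter)):
            return False  # tag made under a different key: forged, or another car's fob
        self.last = counter
        return True


def replay_demo() -> dict:
    """An eavesdropper records one press against each design and plays it back."""
    fixed = FixedCodeReceiver(b"\x13\x37\xbe\xef")       # constructed car code
    key_a, key_b = os.urandom(16), os.urandom(16)        # per-car keys, not one shared key
    car_a = RollingCodeReceiver(key_a)
    captured = rolling_frame(key_a, 1)                   # the owner's first press, recorded
    return {
        "fixed_replay": fixed.accept(b"\x13\x37\xbe\xef"),   # True: the same code always works
        "rolling_first": car_a.accept(captured),             # True: genuine press
        "rolling_replay": car_a.accept(captured),            # False: counter 1 already used
        "other_fob": car_a.accept(rolling_frame(key_b, 2)),  # False: fresh counter, wrong key
        "next_press": car_a.accept(rolling_frame(key_a, 2)), # True: counter 2 is fresh
    }
```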

While this particular hack only allows hackers to unlock your car and steal all of its contents with no telltale signs – something that has been stumping cops for years – it could be combined with other hacks to steal the car as well.

The challenge is that for those 100 million cars, they may wind up being vulnerable until they are crushed unless VW can come up with a fix.

One workaround would be to disable the key fob, if that is possible, and lock and unlock the car with a metal key.  Security. Convenience. Pick one.  If your car or your possessions wind up being stolen as a result of this hack, your convenience factor might change.

Information for this post came from Wired.