Ransomware is Turning Very Ugly

For a long time I have said that there are multiple forms of ransomware such as:

  • The hacker encrypts your computer and gives you the decryption key if you pay the ransom.
  • The hacker encrypts your computer and DOES NOT give you the decryption key when you pay the ransom.
  • The hacker PRETENDS to encrypt your computer but instead deletes and overwrites your files, and it doesn’t matter whether you pay the ransom or not; you are not getting your files back.

But the one that is the scariest of all is this last one.

  • The hacker steals your files and demands a ransom in order not to publish your files.  In this last case, there is not much that you can do to protect yourself.  Possibly encrypting your files with a key that is not stored on the system under attack would help, but conventional encryption (like Bitlocker or TrueCrypt) would do no good, because the key is available to the running system and the attacker reads the files through it.

This last one is what is happening to the Grozio Chirurgija clinic in Lithuania.  Grozio Chirurgija is a plastic surgery clinic.  Lithuania is a medical tourism hotspot (see article).

Hackers broke into the clinic’s computer systems and stole thousands of files.  In March they published hundreds of photos, including nude photos (remember this is a plastic surgery clinic and they love to take pictures – before and after – of their work).  Then the hackers asked individual clients to pay a ransom of up to 2,000 Euros not to have the rest of their photos published.

In addition to potentially compromising photos, the hackers have copies of passports, social security numbers and other data that the clinic held.

In April the hackers, calling themselves Tsar Team (which the experts say is the same group as the Russian hacking team APT28), demanded that the clinic pay a ransom of 344,000 Euros.  They said this is a small penalty to pay for having hackable computers.

The clinic did not pay and this month the hackers posted 25,000 pictures.   Norwegian police said that there was no guarantee that those blackmailing would keep their promises (meaning, I assume, to NOT publish the photos if they got paid).

The hackers promised to publish all the data if they didn’t get their ransom.  The ransom wasn’t paid.  The hackers published the photos.  So the hackers kept their promises.

So for a lot of medical tourists their data, passports and maybe nude photos are floating around the Internet, making them vulnerable to both identity theft AND blackmail.

The clinic is, not surprisingly, aghast.  One would assume that their clients will find other places to go once the word gets out.  Most plastic surgery clients would not be happy if before and after nude photos of themselves got out in the wild and/or were used to blackmail them.

For businesses, the moral is that there is a cost – as we saw with businesses that were attacked by WannaCry – to having poor cyber security practices.

For clients, the moral is to be careful about who you give your data to (meaning, perhaps, that the lowest cost clinic may not have the best cyber practices).  Note that this does not mean that the most expensive clinic has the best cyber practices.

Information for this post came from the UK Metro.

Guess How Long It Takes For Thieves to Use Stolen Data?

The FTC recently did an experiment to see how quickly thieves used stolen data after it was posted on the dark web.

They created 100 fictitious consumers and gave them credit cards or bitcoin wallets.  Each fictitious consumer had a name, email and passwords as well.

They posted the data twice – first on April 27th and then again on May 4th.

There are two kinds of thieves, the FTC says.  Ones who run test transactions to see if the card still works and others who just make big purchases right off the bat.

After the data was published on May 4th, it took thieves NINE MINUTES to start using the data.  On April 27th, it took a little longer – NINETY MINUTES.

Either way, the FTC says, it doesn’t take very long.

In total there were over 1,200 attempts to use the bogus accounts.  In addition, there were close to 500 attempts to access the bogus emails.  The attempted transactions were for more than $12,000.

One note that the FTC did make: none of the accounts that had two factor authentication enabled were accessed.  Almost everyone offers two factor authentication these days.  We recommend that you use two factor authentication whenever it is available.

Information for this post came from CNN.

How to Spend $100 Million Without Even Trying

UPDATE: The Sun, not always the most reliable information source, is saying the outage and trickle down affected 300,000 passengers and may cost the airline $300+ million.  The CEO, Alex Cruz, allegedly said, when warned earlier about the new system installed last fall, that it was the staff’s fault, not the system’s, that things were not working as desired.  Cruz, trying to rein in the damage, said in an email to staff to stop talking about what happened.  Others have said that the people at Tata did not have the skills to start up and run the backup system – certainly not the first time you wind up with a bumpy situation when you replace on-shore resources with much lower paid off-shore resources – resources who have zero history in the care and feeding of that particular very complex system.  Even if the folks at Tata were experienced at operating some complex computer system, no two systems are the same and there is so much chewing gum and baling wire in the airline industry holding systems together that, without that legacy knowledge of that particular system, likely no one could make it work right.

Of all of the weekends for an airline to have a computer systems meltdown, Memorial Day weekend is probably not the one that you would pick.

Unfortunately for British Airways, they didn’t get to “pick” when the event happened.

Early Saturday British Airways had a systems meltdown.  This really is a meltdown since the web site and mobile apps stopped working, passengers could not check in and employees could not manage flights, among other things.

Passengers at London’s two largest airports – Heathrow and Gatwick – were not getting any information from the staff.  Likely this was due to the fact that the systems that the staff normally used to get information were not working.

Initially, BA cancelled all flights out of London until 6 PM on Saturday, but later cancelled all flights out of London all day.

Estimates are that 1,000 flights were cancelled.

Given this is a holiday weekend, likely every flight was full.  If you conservatively assume 100 passengers per flight, cancelling 1,000 flights affected 100,000 passengers.  Given the flights are all full, even if they wanted to rebook people, there probably aren’t available seats during the next couple of days.  That means that for a lot of these passengers, they are going to have to cancel their trips.  Given that the airline couldn’t blame the weather or other natural disasters, they will likely have to refund passengers their money.  This doesn’t mean giving people credit towards a future trip, but rather writing them a check.

In Britain, airlines are required to pay penalties of up to 600 Euros per passenger, depending on the length of the delay and the length of the flight.

In addition they are required to pay for food and drinks and pay for accommodations if the delay is overnight – and potentially multiple nights.

Of course there are IT people working around the clock trying to apply enough Band-Aids to get traffic moving again.

Estimates are, so far, that this could cost the airline $100 million or more.  Another estimate says close to $200 million.  Hopefully they have insurance for this, but carrying $200 million in business interruption insurance is unlikely and many BI policies have a waiting period – say 12 hours – before the policy kicks in.

But besides this being an interesting story – assuming you were not travelling in, out or through London this weekend – there is another side of the story.

First, one of the unions blamed BA’s decision to outsource IT to a firm in India (Tata).  BA said that was not the problem.  It is true that BA has been trying to reduce costs in order to compete with low cost carriers, so who knows.  In any case, when you outsource, you really do need to make sure that you understand the risks and that doesn’t matter whether the outsourcer is local or across the globe.  We may hear in the future what happened, but, due to lawsuits, we may only hear about what happened inside of a courtroom.

Apparently, the disaster recovery systems didn’t come on line after the failure as they should have.  Whether that was due to cost reduction and its associated secondary effects or not we may never know.

More importantly, it is certainly clear that British Airways’ disaster recovery and business continuity plan was not prepared for an event like this.

At one point the CEO of BA was forced to say, on the public media, that people should stay away from the airport.  Don’t come.  Stay home.  From a branding standpoint, it doesn’t get much worse than that.  Fly BA – Please stay home.

As part of the disaster recovery plan, you need to consider contingencies.  In the case of an airline, that includes when you cancel flights, how do you get bags back to your customers.  Today, two days later, people are saying that they still don’t have their luggage and they can’t get BA to answer their phones.  BA is now saying that it could be “Quite a while” before people get their luggage back and if they don’t, that is more cost for BA to cover.

One has to assume that the outcome of all of this will be a lot of lawsuits.

From a branding standpoint this has got to be pretty ugly.  You know that there has been a lot of social media chatter on the horror stories.  In one article that I read, a passenger was talking about taking a trip from London to New York and all the money they were going to lose for things that they planned on doing when they got to New York.  Whether BA is going to have to pay for all of that is unclear, but likely at least some of it.

You also have to assume that at least some passengers will book their next flight on “any airline, as long as it is not BA”.

To be fair to BA, there have been other large airline IT systems failures in the last year, but this one is a biggie.  Likely these failures are, at least in part, due to the complex web of automation that the airlines have cobbled together after years of cost cutting and mergers.  Many of these systems are so old that the people who wrote them are long dead and the computer languages – notably COBOL – are considered dead languages.

The fact that there were no plans (at least none that worked) for how to deal with this – how to manage tens of thousands of tired, hungry, grumpy passengers – is an indication of work for them to do.

But bringing this home, what would happen to your company if the computers stopped working and it took you a couple of days to recover?  I know in retail, where all the cash registers are computerized and nothing has a price on it any more, businesses are forced to close the store.  We saw a bigger version of that at the Colorado Mills Mall in Golden earlier this month.  In that case likely a number of businesses will fail and people will lose their jobs and their livelihoods.

My suggestion is to get people together, think about likely and not so likely events and see how well prepared your company is to deal with each of them.  Food for thought.

Information for this post came from the Guardian (here and here), The Next Web and Reuters.

OWASP Top 10 Gets A Makeover

For those of you who are not familiar with the OWASP Top 10, it is a great set of vulnerabilities to check your web application for.  If your software QA team, in addition to the normal functional stuff that they check for, can also check for these exposures, that will likely catch a number of bugs.  While nothing is perfect, if you don’t have a huge QA budget, using this list is a great first step toward improving software reliability and security.

Every few years the Open Web Application Security Project revises their top 10 list of vulnerabilities.  For the most part, the items remain the same, but one or two items change.

Going back to 2010, here is the top 10 list (note that each item is a clickable link – if you dare):

The next time it was revised was in 2013 and here is that top 10 list:

You can see that there is a lot of similarity, but a couple of items changed and the order changed.

It looks like about every 3-4 years they update the list so now is the time to make the next change.  Here is the proposed draft list for 2017.  It will be finalized in July or August.  You will notice that the 2010 and 2013 lists have live links to more information.  Apparently because the 2017 list is still a draft, that isn’t the case, so here is that list.  You can go to OWASP’s web site (OWASP.Org) to get more information.

  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross site scripting (XSS)
  • A4 – Broken Access Control (Original category in 2003/2004)
  • A5 – Security misconfiguration
  • A6 – Sensitive data exposure
  • A7 – Insufficient attack protection (NEW)
  • A8 – Cross site request forgery (CSRF)
  • A9 – Using components with known vulnerabilities
  • A10 – Underprotected APIs (NEW)

Their explanation for the changes this time is:

1) We merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017-A4: Broken Access Control.

In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access control problem (data and functionality). We no longer feel that is necessary, so we merged them back together.

2) We added 2017-A7: Insufficient Attack Protection.

For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that the majority of applications and APIs lack basic capabilities to detect, prevent, and respond to both manual and automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.

3) We added 2017-A10: Underprotected APIs.

Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.

4) We dropped 2013-A10: Unvalidated Redirects and Forwards.

In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as prevalent as expected. So after being in the last two releases of the Top 10, this time it didn’t make the cut.

So again, if your organization develops web apps, this list should be pinned to the wall of every developer cube and it should be part of the to-do list for QA.

For more information visit the OWASP web site at www.owasp.org.

When Medical Devices Get Hit With Ransomware

Is it possible that North Korea used stolen NSA hacking tools to infect medical devices at U.S. hospitals?  Forbes says, yes it is.

When the WannaCry ransomware spread out of control last week, infecting 48 hospital trusts in the UK and unnamed medical facilities in the U.S., for the most part U.S. businesses were not affected.  Except for some.

For those people who work in offices, the effects of ransomware are annoying and if there are not sufficient backups, it can lead to losing data and losing customers.  And lawsuits.

But when it comes to hospitals, in addition to all of the above, it can lead to people dying.

Forbes was given an image of a Bayer Medrad power injector (shown below) that manages the injection of MRI contrast dye into patients.

Many of these medical devices in hospitals are connected to Windows PCs and those PCs are often connected to email and the Internet.  When they are – and even if they are not – they can get infected with malware.  Think Iran and Stuxnet.  Those centrifuge controllers were not connected to anything and they still got infected.

Bayer acknowledged that at least two devices were infected here in the U.S., but they were able to restore them in 24 hours.

Microsoft released a patch in March for the bug that allows the ransomware to work.  Bayer said that it plans to release that same patch to its customers “soon”.  That means that hackers – say, perhaps, the North Koreans – have at least three months, maybe more, after the patch is released to reverse engineer the patch and use that knowledge to infect medical devices.  From what I have heard, three months from vendor patch release to medical device patch release is super speedy.  And don’t forget that you have to add the time it takes the hospital to approve deploying that patch.

While this particular attack would, if effective, take the machine offline and not directly kill anyone, that is only THIS particular malware.

We have already seen demonstrations of hacking changing the settings inside drug infusion pumps.  If that bit of maliciousness propagated in the wild, it could change the dosage of drugs being dispensed to patients without any obvious indication externally (set it to 10 and it dispenses 50 for example) and then people would die.

In the case of that brand of infusion pumps, after beating up the vendor and the FDA for a year, the FDA finally issued a warning.  Hackers don’t use that kind of time scale.  You have to be able to warn hospitals in hours, and the FDA and medical device industry are nowhere near the capability to do that.

Let’s say that instead of locking up Windows PCs, the WannaCry worm instead infected infusion pumps.  Granted the same bug would not work in infusion pumps, but let’s say there was a different one.  Think about how fast that worm spread around England, Scotland and a hundred plus other countries.  Could the national medical device regulators in all of those countries respond to that kind of event before people died?  Sadly, I don’t think so.

According to the article, the medical device manufacturers rushed out an alert telling hospitals that they were working on a patch and would release it sometime in the future.

HITRUST, a private company that helps the medical industry deal with cyber security issues said that it had reports of both Bayer and Siemens being affected.  Siemens said it could not confirm or deny reports of their machines being infected.

The Department of Homeland Security’s Computer Emergency Response Team (CERT) said that many industrial control systems vendors are issuing alerts also.  They said that ICS devices were infected and did have impact.

While this particular attack didn’t have deadly consequences, unless the medical device and industrial control industries up their cyber security game, it is just a matter of time before something bad happens.

Information for this post came from Forbes.

Business is Not The Only Source of Data Breaches

We hear a lot about data breaches of businesses.  Target.  Home Depot.  Anthem Blue Cross.  21st Century Oncology and thousands of others.

But there is a whole other category of breaches.  Government.  At all levels from local to national.  Everyone remembers the OPM’s loss of 20+ million security clearance background checks.  Or the IRS’s loss of millions of tax returns.  These breaches are happening more frequently in government for the same reason they are happening more often in private industry – because there is more data being stored electronically.

And it is not only the federal government that is affected.  Here are some breaches.

Minnesota’s Mille Lacs county settled a $1 million class action lawsuit after a now former employee illegally accessed driver’s license records.

Three years earlier Rock County Minnesota paid $2 million to settle a suit after an employee accessed the same database illegally.

In 2013 the Maricopa County Community College District paid $26 million to settle lawsuits and deal with a hack of their data.  $9.3 million in attorney’s fees,  $7.5 million in network upgrades and $7 million to notify victims and pay for credit monitoring.

In 2014 Health and Human Services fined Skagit County, Washington $215,000 for posting protected health information of around 1,600 people on a public server.

We hear about government data breaches all the time.

Ultimately, this is paid for 100% with your tax dollars because, for the most part, government entities are self-insured and even those that are not likely don’t carry cyber breach insurance.

In part this is due to the fact that the government doesn’t use modern technology.  The system breached at the OPM was built in the 1960s.  Yes, you read that correctly.  While that is a bit extreme, both the IRS and FAA have systems that date back 30, 40 or more years. Those systems were not designed with the Internet in mind.

While there is not a lot that we as taxpayers can do, we can certainly participate in the governing process and ask our elected officials very pointed questions.  Since politicians typically do not like to be the center of attention – and even those that do don’t want to be the center of attention when the news is bad – shining a bright light on things may be effective at causing change.

Information for this post came from Governing.com.