UK Security Chief: C1 Attack Likely in Next Two Years

The head of the UK's National Cyber Security Centre (NCSC), Ciaran Martin, said that a major cyber-attack on the UK is a matter of when, not if.

Martin said that the UK had been lucky to avoid a so-called category one (C1) attack. Luck? That's comforting.

A C1 attack is defined as an attack that might cripple infrastructure such as energy supplies or the financial services sector.

Other countries, such as France and the US, have already had C1 attacks.

The US? Really? That is because interference with elections is considered a C1 attack as well.

Martin, in an interview with the Guardian, said that he anticipated a C1 attack within the next two years; he doesn't expect to make it to 2020 without one.

The NCSC is the public face of GCHQ, the British version of the NSA, so they likely have a pretty good idea of what is happening.

The worst attack the UK has faced so far was WannaCry last year. The NCSC categorized that as a C2 because there was no imminent threat to life, although it certainly had an impact on healthcare in the UK.

The NCSC has classified 34 attacks at the C2 level from the time it opened through the end of 2017, a period of about 15 months. It cataloged 762 C3 attacks in that same period.

We don’t have similar numbers for the US, but if we did, they would likely be larger.  We are a bigger target than most.

President Trump suggested he might use nuclear weapons in case of a cyber attack.  Hopefully, he was just bluffing, but that would be a good way to start World War III.

Cyber attacks are not going away any time soon. For nation states, it is pretty easy to "encourage" private hackers in another country to be their attack proxy, which is why using nukes to retaliate is so scary. What if the Chinese made an attack look like it came from Russia? Or Germany? Sometimes attribution is easy, but usually only if we have already hacked the attacker's network. If a nation state is effective at getting hackers in another country to launch an attack, then attribution is hard. What if Chinese hackers compromise some computers somewhere in the US, say Iowa, and launch the attack from those compromised PCs? If the PCs are consumer owned, it is unlikely that there are any logs to help figure out where the attack was really launched from. At that point, figuring out where the attack came from is very, very difficult.

Information for this post came from The Guardian.


Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this class of flaw in 1992. That would be 26 years ago, for those who are not good at math. There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out whether it can be exploited. That is what they are supposed to do, and even though people like to complain about them, they are pretty damn good. Maybe not perfect, but VERY, VERY good.

So, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly, knew about it and (c) some of them might have been selectively exploiting it, possibly for up to 25 years. Even if the governments likely to have known about it (Russia, China, Israel, the U.S. and others) denied it, would you believe them? After all, lying is part of their business too.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release its Ryzen Threadripper 2 later this year, which is supposed to be much faster than the new Intel i9 at less than half the price, Intel doesn't really need any more bad news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.


Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different. First, unlike cash, you can't deposit it in a bank where there are government assurances of protection. Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it. Typical burglary insurance, however, has very small limits of reimbursement for cash, a thousand dollars or maybe a few thousand.

On the other hand, I am not quite sure how the robbers are going to convert the bitcoin into cash. The blockchain is very transparent; every transaction is visible to anyone who wants to see it. In this case, since we know or could know Danny Aston's wallet ID, we could follow the bitcoin no matter how many twists and turns it makes. But, there is a problem, of course. While we know Danny's wallet ID, if the coins went from there to wallet A, then B, then C and D and so on, there may not be a way to identify who owns those other wallets. Especially if the wallet is not associated with a Bitcoin exchange (it doesn't have to be) or is associated with an exchange in a country not friendly to us. In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes. Ever.
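To make the "follow the coins" point concrete, here is an added example (not code from the original post or from any chain-analysis tool): it replays a small, constructed transaction ledger starting from the victim's wallet and tracks how much of the stolen amount is still sitting at each downstream address. Every address, txid, amount and the "known exchange" set are made-up assumptions, and the proportional ("haircut") taint rule is just one simple way to apportion mixed coins.

```python
# Added example, not from the original post: follow stolen coins from a
# known wallet through a constructed transaction graph. Addresses, txids,
# amounts and the "known exchange" set below are all made up for
# illustration; the taint model is the simple proportional ("haircut")
# rule, not any particular chain-analysis vendor's method.
from collections import defaultdict

# Constructed sample ledger, in confirmation order. Each tx spends from
# (address, amount) inputs and pays (address, amount) outputs.
LEDGER = [
    {"txid": "tx1", "inputs": [("victim", 10.0)],
     "outputs": [("A", 10.0)]},                      # coerced transfer
    {"txid": "tx2", "inputs": [("A", 10.0)],
     "outputs": [("B", 6.0), ("C", 4.0)]},           # split into two wallets
    {"txid": "tx3", "inputs": [("B", 6.0), ("clean1", 6.0)],
     "outputs": [("D", 12.0)]},                      # mixed with unrelated coins
    {"txid": "tx4", "inputs": [("C", 4.0)],
     "outputs": [("exchangeXYZ", 4.0)]},             # deposited at an exchange
    {"txid": "tx5", "inputs": [("clean2", 3.0)],
     "outputs": [("E", 3.0)]},                       # unrelated traffic
]

# Hypothetical: deposit addresses we have attributed to exchanges.
KNOWN_EXCHANGE_ADDRESSES = {"exchangeXYZ"}


def trace_taint(ledger, start_addr, stolen_amount):
    """Return {address: tainted_amount} for every address still holding
    some of the stolen coins after replaying the ledger.

    Haircut rule: the tainted fraction of a tx is tainted_in / total_in,
    and every output inherits that fraction. Inputs from addresses that
    were never funded in this ledger are treated as clean.
    """
    balance = defaultdict(float)
    taint = defaultdict(float)
    balance[start_addr] = stolen_amount
    taint[start_addr] = stolen_amount

    for tx in ledger:
        total_in = 0.0
        tainted_in = 0.0
        for addr, amt in tx["inputs"]:
            total_in += amt
            if balance[addr] > 0:
                # spend taint in proportion to the coins leaving this address
                t = amt * taint[addr] / balance[addr]
                taint[addr] -= t
                balance[addr] -= amt
                tainted_in += t
        frac = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["outputs"]:
            balance[addr] += amt
            taint[addr] += amt * frac

    return {a: round(t, 8) for a, t in taint.items() if t > 1e-9}


def at_exchanges(tainted, exchanges=KNOWN_EXCHANGE_ADDRESSES):
    """Subset of tainted holdings sitting at attributable exchange addresses."""
    return {a: t for a, t in tainted.items() if a in exchanges}


if __name__ == "__main__":
    holdings = trace_taint(LEDGER, "victim", 10.0)
    print("tainted holdings:", holdings)          # D holds 6, exchangeXYZ holds 4
    print("at known exchanges:", at_exchanges(holdings))
```

The interesting output is the split: 4 of the 10 coins land at an address we can attribute to an exchange (where a subpoena or KYC record might name the account holder), while the other 6 are parked at an unattributed wallet after being mixed with clean coins. The ledger is public, so the arithmetic is easy; identifying who controls "D" is the hard part the post describes.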

Now onto the second incident.

Hackers stole more than $500 million worth of a cryptocurrency called NEM. The NEM coins were stolen from a cryptocurrency exchange called Coincheck. Apparently, the wallet from which the money was stolen was a "hot" wallet, meaning that it was connected to the Internet. I don't know about you, but I wouldn't leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography. Instead they either find software bugs or just do an old fashioned stick-em-up (although this was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.   After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.

Is Kinetic War Obsolete?

Kinetic warfare, a term that seems to have roots with former Defense Secretary Donald Rumsfeld (see article), is the kind of war we are most familiar with: bombs, guns, bullets, poison gas. I don't think it is going anywhere any time soon, but what is clear is that cyber warfare is likely to play a much more important role over the short and long term.

There are a number of reasons for this, in my opinion.

Lets look at traditional kinetic warfare first:

  • Massing an army takes time, is expensive and has bad PR value when citizens' children die or come home with physical and psychological problems.  It is also expensive long term as the country has to care for those veterans.  If the country doesn't do a good job of that, there is more bad PR (look at the mess our veterans' health care system is in).
  • Building traditional weapons systems is very expensive.  Look at our F-35 fighter as an example;  we have spent tens of billions of dollars on it so far.
  • If you mass an army and build weapons, it costs a huge amount to keep that capability working – just look at our defense budget.
  • It is hard to do this secretly.

These comments are not meant to detract from what we are doing;  it just points out that maintaining a kinetic warfare capability is neither cheap nor easy.

Now lets look at cyber warfare, the alternative to kinetic warfare.

  • Training cyber warriors is also hard, but hackers rarely die or come home from a cyberwar missing body parts.  The long term care costs are much lower for that reason.
  • The hacking tools are mostly free; the rest are really cheap compared to a fighter aircraft or even a bomb.
  • The operational cost is also low.  Hackers can go home at night and sleep in their own beds.
  • It is much easier to hide.  Hackers look like any other white collar worker in an office.

That said, the threat of your enemy’s airplanes dropping bombs on your country – either conventional or nuclear – is a pretty strong deterrent, which is why it isn’t going anywhere anytime soon.

But lets look at cyber warfare.

We saw the Russians knock out the power in Ukraine twice during 2015 and 2016.  These attacks were mostly designed to get people’s attention as opposed to doing horrible damage, but turning off the power in the middle of the winter when the temperature is below zero will get your attention.

The U.S. Department of Energy's Idaho National Laboratory demonstrated the ability to remotely cause a generator to destroy itself.  The video is available on YouTube.  To be fully honest, they did add some theatrics to get Congress's attention (which failed), but the failure of the generator is very real.

And cyber warfare isn’t new.  Under then President Ronald Reagan, the CIA got the Russians to use some American SCADA software (that runs the valves and controls for a gas pipeline in this case) which caused an explosion in Siberia that was so big that it could be seen from space (see article).

Fast forward to today.

Britain’s Defense Secretary Gavin Williamson, in an interview with the Telegraph, said that the Russians were researching the UK’s critical national infrastructure and how it connects to the continental power supplies with a view to creating panic and chaos.

To be fair, I am sure that this is EXACTLY what every other country’s intelligence agencies are doing.  If they are not, they are missing something.

There is a step between understanding how to execute a cyber attack and actually executing one, but if you are the head of a country’s military and you have to make a choice as to whether to deploy troops, drop bombs or blow up a pipeline or electric grid, you want to have all available options.

Of course Russia is denying this, but I wouldn’t expect anything else and the denial is meaningless.

Congress has been effectively sticking its collective head in the sand when it comes to cyber warfare, meaning not spending anywhere near enough money to prevent it.  In part this is due to the fact that almost all gas and electric utilities in the U.S. are privately owned.  Most water and sewer utilities are municipally owned, but by one of thousands of local utility districts.  All but a few telephone and Internet utilities are privately owned.  Just to be clear, when I say private, I mean non-government.  Many of these are publicly traded companies, owned by investors.

Almost all of these utilities have to go to regulators to raise their prices, and raising prices is considered consumer unfriendly.  Spending money on non-revenue generating activities isn't popular with investors either.  UNTIL, of course, some utility gets taken out by hackers.  Then all hell will break loose.

These utilities are doing small things to help protect themselves.  After 9/11, we saw many utilities erect fences around their facilities.  That is probably useful but unlikely to stop a determined attacker and a fence won’t stop a cyber attack.

The government is trying to play this threat down because they don't want people to panic.  Panic is not good for politicians' careers.

Hopefully, however, people are beginning to realize that it may well be easier to turn off the lights, heat and water to a country and politically more palatable at home than a conventional war.

One thing that our Homeland Security folks are working on is trying to figure out how to respond.  For example, in the U.S. there are tens of millions of transformers that help distribute power.  Most of the largest ones are unique and not built in the U.S.  It could take a year to get a replacement shipped from overseas.  What Homeland Security is trying to figure out is, if an attacker figures out how to damage or destroy a bunch of these, how can we keep the power working while new transformers are built?  Similarly, if a gas pipeline is destroyed and the distribution network for gas is interrupted (as we have seen from non-attack failures), gas prices skyrocket, shortages appear, rationing is needed, and so on.  How can we deal with that?

There is no short term answer to these problems and it will take a lot of work, but we better get to work on it because the Russians are and likely so are the Chinese and others.

Just saying!

Information for this post came from the Telegraph.



The Times They Are A Changin

In spite of all of the data breaches that we see on an almost daily basis, we have seen time and again that the courts have dismissed lawsuits for a variety of reasons.  In many cases, the reason is called lack of standing.

Under U.S. Federal law, standing is based on Article III of the U.S. Constitution.  Article III requires that you have an injury in fact to your own legal interests; in other words, you have suffered some sort of actual harm.  That only applies to lawsuits filed in Federal court.  This is one reason why credit card companies credit you for fraudulent charges.  No lost money, no harm, no ability to sue.

But judges have been loosening the definition of actual harm over the last few years in light of all of the breaches.

Now the Connecticut State Supreme Court has ruled that there is a DUTY of confidentiality between doctor and patient and patients may sue in cases of unauthorized disclosure of protected health information or PHI.

In this case, the plaintiff was pregnant and asked the doctor not to release information to the father of the child, with whom the plaintiff was no longer in a relationship.

The practice received a subpoena and in response mailed a copy of the patient’s medical records to the court.

Only problem is, that wasn’t what the subpoena told the doctor to do.  All it said was that the custodian of the records had to appear before the attorney who requested the subpoena.

HIPAA, which governs the disclosure of medical records, says that records may be disclosed in the case of a subpoena, but only if the patient has received adequate notice or a qualified protective order has been issued.

The doctor did none of these things.

Other state courts are also wrestling with these issues.

So now, at least in Connecticut, patients have an expectation of privacy in their medical records and if doctors and hospitals don’t take that expectation seriously enough, patients do have the ability to sue.

It seems that the courts are chipping away at this standing question, understanding that people are actually being harmed, even if it is not in a measurable, financial way.

While the Connecticut Supreme Court ruling is not binding in any other states, that does not mean that judges won’t be looking at that ruling.

An important note here: this lawsuit is not based on a breach or a hack.  It was based on an inappropriate action by a staff member in the doctor's office.  It seems unlikely that the answer from the court would have been any different if the disclosure had been due to a breach, but of course, we do not know.

Information for this post came from Health IT Security.


Have You Planned For Cloud Outages

Allscripts, the $1.5 billion medical technology and services firm, hosts a number of cloud based applications that doctors and hospitals use to run their operations.  Hancock Health, which I wrote about on Monday, is one of its clients according to Healthcare IT News.  About a week ago Allscripts was hit with a ransomware attack using the malware called SamSam.

After the attack Allscripts did what too many companies do and tried to pretend that it wasn't a big problem, that it wasn't affecting many people and that it wasn't a big deal.

A week later Allscripts applications are still not working right.

Doctors can get to the login screen, but they can’t actually log in.

This means that they can’t get to patient records and can’t bill insurance carriers.

Allscripts, in a continuing denial of reality, said that the system was back up but doctors still couldn’t log in.

Doctors are freaking out a bit because they are losing revenue and cannot take care of patients.  Other than that, it isn’t a problem.

It appears that today, Allscripts is finally admitting that they have a big problem.

If you run a doctor’s office or hospital and are an Allscripts client, this is a big problem for you.

Whether you are an Allscripts client or not, here are a couple of things to consider:

  • What is your business continuity plan if your cloud provider has an outage?  For an hour?  For a day?  For a week?
  • Do you have a Service Level Agreement with your cloud provider in case of an outage?  Are the penalties sufficient to compensate you for your losses or are they basically meaningless?
  • Do you have cyber risk insurance?  If you do, does it cover business interruptions (BI)?  Often BI has a waiting period before coverage kicks in.  Sometimes it is as long as 12 or 24 hours.  Is your BI coverage appropriate for your business needs?
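The three questions above are easier to answer with numbers in front of you, so here is an added example (not from the original post): a back-of-the-envelope model that takes a month's outages and shows how much is covered by SLA credits, how much by business-interruption insurance after its waiting period, and how much is left on your own balance sheet. Every figure in it (monthly fee, SLA credit tiers, hourly revenue loss, waiting period, policy cap) is a constructed assumption; substitute your own contract and policy terms.

```python
# Added example, not from the original post: a simple model of SLA credits
# versus business-interruption (BI) cover for a month of cloud outages.
# All fees, tiers, losses and policy terms below are constructed
# assumptions for illustration, not any real vendor's or insurer's terms.
from dataclasses import dataclass

HOURS_IN_MONTH = 730.0

# Hypothetical SLA credit schedule: (minimum monthly availability %,
# credit as a fraction of the monthly fee), highest tier first.
SLA_TIERS = ((99.9, 0.0), (99.0, 0.10), (95.0, 0.25), (0.0, 0.50))


@dataclass
class Outage:
    name: str
    hours: float


def availability(outages, hours_in_month=HOURS_IN_MONTH):
    """Monthly availability in percent given total downtime hours."""
    down = sum(o.hours for o in outages)
    return 100.0 * (1.0 - down / hours_in_month)


def sla_credit(monthly_fee, outages, tiers=SLA_TIERS):
    """Service credit the provider owes under the tiered schedule."""
    avail = availability(outages)
    for floor, fraction in tiers:
        if avail >= floor:
            return monthly_fee * fraction
    return 0.0


def bi_payout(outages, hourly_loss, waiting_hours, policy_cap):
    """BI payout: each incident's loss counts only after the waiting period
    (the deductible is in hours, per incident), and the total is capped at
    the policy limit."""
    covered = sum(max(0.0, o.hours - waiting_hours) * hourly_loss for o in outages)
    return min(covered, policy_cap)


def exposure(monthly_fee, outages, hourly_loss, waiting_hours, policy_cap):
    """Where the money comes from for a month of outages."""
    loss = sum(o.hours for o in outages) * hourly_loss
    credit = sla_credit(monthly_fee, outages)
    insurance = bi_payout(outages, hourly_loss, waiting_hours, policy_cap)
    return {
        "loss": loss,
        "sla_credit": credit,
        "bi_payout": insurance,
        "uncovered": loss - credit - insurance,
    }


if __name__ == "__main__":
    # Constructed scenario: two short blips plus a week-long outage like the one above.
    month = [Outage("blip", 1.0), Outage("afternoon", 6.0), Outage("week", 168.0)]
    print(exposure(monthly_fee=5000.0, outages=month, hourly_loss=800.0,
                   waiting_hours=24.0, policy_cap=100000.0))
    # A single one-hour outage: SLA credit is small and BI pays nothing
    # because the waiting period is never reached.
    print(exposure(5000.0, [Outage("blip", 1.0)], 800.0, 24.0, 100000.0))
```

Two things jump out when you run it with these made-up numbers. In the week-long scenario the SLA credit is a refund of half of a $5,000 fee against a $140,000 loss, and even a $100,000 BI policy leaves tens of thousands uncovered. In the one-hour scenario the BI policy pays nothing at all, because a 24-hour waiting period means short outages are entirely your problem. That is the gap the questions above are meant to expose.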

Hopefully this attack is not affecting you, but whether it is or it is not affecting you, now is a great time to make sure that you are as prepared as you can be.

And even if you host your own applications on a cloud platform (Amazon, Google, Microsoft, Rackspace or the like) rather than using a SaaS vendor like Allscripts, the problem is the same.

Information for this post came from FierceHealthcare and Healthcare IT News (two articles from each).