Security News for the Week Ending October 30, 2020

Louisiana National Guard Called in to Help Local Election Officials

According to tips, the state of Louisiana had to call out the National Guard after some number of small government offices across the state were hit by ransomware. Experts say the tools have the hallmarks of the North Koreans, so all of the major attackers – Russia, China, Iran and now North Korea – are trying to compromise our elections. This problem is not going away. Credit: Business Insider

Attacks on Cryptocurrency Continue

A hacker stole $24 million from cryptocurrency service Harvest Finance, a company that allows users to arbitrage cryptocurrencies. The company was hit by a $570 million “bank run” after the attack. They claim they know who the attacker is. One more time, software has bugs and can be exploited. Who would have thunk? Credit: Coindesk

Ransomware Disables GA. County Election Database

This is both good news and bad news. Hall County, GA was hit by a ransomware attack earlier this month. The attack disabled the voter database, along with other systems like phones. The county claims that they will still be able to run the election because they can manually verify signatures from voter registration cards. They are also using a state database that was not affected. This points out that attacking some small county in a state is probably not the best way to change the outcome of an election. Credit: Gainesville Times

Trump Website Briefly Defaced

One of the campaign’s websites was briefly defaced Tuesday night and the site was replaced by a message similar in style to the messages put on a website that the government seizes. The message looked like this:

[Image: the defacement message]

Of course the site had not been seized and it was returned to its normal state after a little while. To be honest, I am surprised that more has not occurred given the other events going on in the country. This seems pretty childish, but we don’t know if the warning on the site is true; stay tuned.

Regarding the hack, CISA Director Chris Krebs said on Twitter, “Like I said yesterday, website defacements are noise. Don’t fall for these attempts designed to distract, sensationalize, and confuse. Ultimately they’re trying to undermine your confidence in our voting process.” Credit: Variety

Wisconsin Repubs Say Hackers Duped Them Out of $2 Million+

The Wisconsin Republican Party says that hackers scammed them out of more than $2 million of donors’ money using very traditional business email compromise attacks: fake invoices that appeared to come from real vendors were created, and the payments went to the hackers’ bank accounts. The Wisconsin Dems say that they have been targeted by over 800 attacks, but so far, none (that they know of) have been successful. Credit: AP

FBI, Homeland Says Hospitals Under Cyberattack

I have gotten more notices on this particular alert than usual, so I suspect that means that there is more fire than anyone is admitting.

The FBI, Homeland Security and Health and Human Services issued a joint alert that hospitals and other public health organizations are being targeted by malware, especially ransomware. They are calling it an imminent threat. Security experts say that they are seeing chatter from the Russian cybercrime groups that say that they plan to deploy ransomware to 400 hospitals this week.

Just this week the Saint Lawrence Health System in upstate New York, Sky Lakes Medical Center in Oregon, The University of Vermont Health Network and several others have admitted that they have been attacked.

Mandiant says that they identified three attacks on Tuesday and one attack on Wednesday.

The result is that hospitals have to revert to paper based systems.

That also means that they do not have access to patients’ charts, their medical history, online pharmacies, automated case file transcription and other typical hospital services.

Just what doctors and nurses need during a pandemic.

One result, many times, is that hospitals are forced to refuse ambulances. When that happens, ambulances need to find another hospital, typically further away. Recently, in Germany, the first ADMITTED case happened where a patient died as a result of being turned away at a hospital that had been hacked. The cops caught the hacker later and are threatening to charge him with MURDER.

In the FBI/DHS/CISA/HHS alert, they gave hospital IT and security teams details of what strings to add to their alerting systems. Which is great if a hospital, in the time of massive craziness, has the resources to do something with that information. And also, assuming that the malware doesn’t morph (it does). Large organizations with massive IT departments probably can, but medium size and smaller hospitals can’t.

When patients die, hospitals get sued. Also not great. During a pandemic or at any other time.

Let’s assume that you don’t run a hospital or other public health service – do you care? Or should you care?

The answer to this is yes because, especially in times like these, it stops these organizations from executing their mission and possibly, from saving your life. If they have to worry about how to manage patient records by hand rather than taking care of those patients, care suffers.

Every hospital will say – with a straight face – that in the case of a cyber attack, patient care doesn’t suffer, but think about this. If they could provide equally good care without all of those computers and software as with it, then why are they spending billions on those computers? It doesn’t make any sense.

Of course they have to say that – saying that patient care has suffered would open them up to even more lawsuits than the actual breach will, but still, if you or a loved one were to be hospitalized, you want that hospital to be operating with every tool that they have, not reverting to the way they did business in 1960.

And it doesn’t seem like the hacks are letting up, which will force them to divert money away from patient care and research to hiring folks like Mandiant – and they are not cheap. Brian Krebs has also written about this issue.

5G For Everyone!

For those of you who read my blog regularly, you know that I have spent a lot of digital ink on the hype-machine called 5G Cellular.

Well, I am not about to stop now 🙂. Sorry.

Honestly, my complaint is NOT about the tech or its importance, but rather how long it is going to take to get enough infrastructure working to make the claims somewhat match reality.

So, while the traditional companies like Verizon and T-Mobile are running around the country installing as many cell towers as they can afford (I saw a stat the other day that says that Verizon’s 5G reaches 1% of the population), other folks are trying different strategies (T-Mobile and AT&T reach much larger groups of people, it is just that their version of 5G is no faster than what you have today with 4G). Here are two.

British startup Stratospheric Platforms wants to fly liquid hydrogen powered high altitude pseudo satellites (pseudo because they only stay up there for maybe a month or two at best) to provide connectivity. There are lots of places that need it, from me (rural America) to Africa and many places in between. They tested a prototype over Germany, flying at 45,000 feet, and using a 4G phone – not a 5G phone – got speeds of 70 megabits a second down and 23 megabits up, which is QUITE respectable. The problem, of course, is to do that at volume.

This is similar to Google’s loony idea called the Google Loon. The Loon is balloon based and Google has already gotten FAA and FCC approval to fly their loony thing over disaster areas to provide free Internet.

But there are a couple of problems with all of these solutions.

One is that they are solar powered (for the cellular part, not the airplane part) and that doesn’t really give them enough power to scale. A small nuclear reactor would work – like they use on satellites – but what could go wrong?

The other thing is landing the beast to refuel. While real satellites burn up on reentry (hopefully) and last for years, these things would need to land every month or so and you certainly don’t want to throw away that many pretend satellites. Credit: The Register

SpaceX, which also has a similar dog in the fight (except it is using more conventional, but still low orbit, satellites), has announced pricing for rural America: $99 a month for speeds that vary from 50 megabits a second to 150 megabits, plus $500 for the equipment. Given that this is 2 to 6 times the speed I get now (on a good day), for a slightly more expensive price, I might try it. Even though the FCC says everyone has access to broadband Internet (they include high priced, low performing traditional satellite providers like Hughes), SpaceX more accurately says that 40% of rural America has NO broadband. Since even farmers need high speed Internet to power their GPS controlled tractors, this might be an easy sell. Credit: The Register

Here is the good news.

SpaceX is basically here now (at least in beta). While the FCC has been pretending that there is no problem as a way to protect the big cable companies (I wasn’t aware that was in their charter), all of these startups are working on ways to nibble the incumbents to death.

This doesn’t count Facebook’s plans to launch a couple of thousand satellites to provide Internet, nor does it include Dish’s plan to do the same.

SpaceX plans to launch 12,000 satellites by itself.

I do know a promising career. Keeping track of tens of thousands of near space objects. That is going to be a task.

While none of this helps those of us in the Internet desert TODAY, the fact that all of these companies are competing for our money dramatically improves the odds of getting something in the next few years.

One other thing.

While many cities have limited the number of Internet providers by regulation and some states have actually banned cities from going into the Internet business, this falls under the control of the FAA and FCC. While they continue to lie about broadband availability today, they seem perfectly willing to allow these billionaires to spend billions of dollars trying to solve the problem and do not seem to want to limit competition.

Which is good for everyone in the Internet desert.

Stay tuned.

The Challenges of Ransomware 2.0

The Finland-based psychotherapy group Psychotherapy Center Vastaamo may need some therapy itself.

They claim that in late 2018-early 2019 hackers broke into their network.

Just this month it has come out that the company, which has 20+ offices and 300 or so shrinks, may have lost the data of 40,000 patients, some of whom are high profile. The hacker(s) tried to blackmail the company to the tune of about a half million bucks, but they did not bite.

So the hackers posted the clinical files of 300 patients on the dark web as a threat and then started extorting more patients to pay a ransom of between 200 and 500 Euros not to publish their file.

The Finnish version of the FBI says don’t pay the ransom.

That is kind of easy for them.

What people tell their therapists is sometimes not great for public consumption.

It can get you fired.

It can get you divorced.

It can end your political career.

Some people even commit suicide.

It can cost you tens if not hundreds of thousands of dollars, so paying a 500 Euro bribe, even if you are not sure that it will protect you, may seem reasonable.

I asked one of my friends at the FBI what his thoughts are and I will update this post when I hear back.

Some people will decide that it is not worth the risk and not get mental health support or other treatments. Or not tell their medical professional the truth or the whole truth.

It certainly is worthwhile asking about security, but the likelihood of getting an honest answer is almost zero. After all, doesn’t every company say they care about your data? After they get hacked.

Until the financial equation changes it is unlikely that the problem will be solved. In part, this is due to the fact that strong security is inconvenient. In this case, this is a GDPR violation and it covers sensitive data, so they will likely be fined a lot.

I am not sure what it will take.

The Defense Department has one strategy. They are beginning to require that their contractors be certified by a third party. No certification, no contract. That seems like it could be effective. Credit: The Register

Security News for the Week Ending October 23, 2020

Iran or Russia – Who Should We Worry About?

The FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.

The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We’re told:

It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections. Credit: The Register

Snowden Granted Permanent Residency in Russia

The AP is reporting that Russia has granted Edward Snowden permanent residency status. Basically, Putin poked Trump in the eye with a sharp stick two weeks before the election. In what is clearly a calculated political move by former KGB operative Putin, he decided to do this right before the U.S. Presidential election, rather than wait a couple of weeks. Is this an effort by Putin to affect the election? Don’t know, but I am pretty sure it is not a coincidence. Credit: AP

WordPress Forced Updates to Entire Base of Site Due to Plug-in Bug

A critical bug in the Loginizer plug-in which would allow a hacker to bypass the login process caused WordPress to force an emergency update to its entire user base. While some admins whined about the forced update, Loginizer says that 89% of its installations have been updated. Forced updates have been used, rarely, by every major software vendor – including Apple and Microsoft on a more frequent basis – because users just don’t deal with patches quickly, much of the time. Credit: ZDNet

MicroChipping Humans – It’s a Thing and Sort of Illegal in a Few States

Apparently, embedding microchips in humans is a thing in some places. Some employers are doing that to employees – voluntarily at this point – to act as a replacement for a badge. But a badge you can leave at home if you are off work. A microchip is on 24×7.

As a result, 7 states have passed laws making MANDATORY chipping of humans illegal. And it is a variety of states. You would expect California to ban that, but also Utah. Maryland, New Hampshire, North Dakota, Oklahoma and Wisconsin round out the list. Michigan is working on becoming number 8. Interesting.

U.S. v. Google – Let the Games Begin!

In a fight the likes of which we have not seen since the battle between Microsoft and the DoJ that ended around 20 years ago, the Justice Department sued Google this week, accusing it of using its market dominance to hobble its rivals.

Just to be clear from the beginning, I am not a huge fan of Google’s actions and I think its motto of do no evil is probably a bit tarnished at best.

Like the Microsoft case, which distracted the company for close to a decade, this fight is likely to go on for a long time. And be at least equally distracting.

The downside for Google, which is likely pretty clear to them, is that the government can literally print money to fight this battle and Google has to use its investors’ cash for their defense. Also, the government probably doesn’t care much if the case takes a decade to resolve. Google, on the other hand, probably does not want to be burdened by a decade of litigation by a legal team that has unlimited resources.

What we don’t know is what might happen if there is a change in teams in Washington in January. It may not make any difference.

The DoJ and the Attorneys General of 11 states say that Google used its monopoly power to crush competitors in the search and search advertising business.

While Facebook does have a very thriving advertising business, most other competitors have withered.

And, when it comes to search, Google has become a verb, as in “go Google it”. That cannot be a factor in their favor.

The Government says that Google has 90% of all general search engine traffic in the U.S. and 95% of all mobile search.

When asked if DoJ wants to break up Google, the attorneys said that they will leave that up to the court. Fat chance; it is just that this is not the time to show your hand.

Justice says that Americans have been hurt by having less choice, less innovation and less competitive pricing.

Not surprisingly, Google said nah!, that’s not true. What else might they say?

There is some truth to the suggestion that Google or Alphabet, Google’s parent, is incredibly intertwined with hundreds of entities and would be ridiculously hard to unwind. A few hundred billion dollars in cash (to fund competitors) as a penalty is a possible alternative.

Given that this was done a couple of weeks before a Presidential election, it could be seen as a political move and probably Bill Barr did push for the filing to occur before the election since Trump has, on many occasions, threatened to crack down on tech companies that he sees as his enemies. Still, it is HIGHLY unlikely that DoJ filed this lawsuit if it didn’t think it had a reasonable chance of getting something out of it.

The 11 AGs that joined the suit are all Republicans. That doesn’t mean that the Democratic AGs love Google. It may mean that they want to file their own competing lawsuit. All this is great news for law firms. There will be hundreds of thousands of billable hours. Credit: Reuters