Tag Archives: Ireland

Could America’s Healthcare Suffer a Similar Fate to Ireland’s?

About ten days ago Ireland’s national health service, the Health Service Executive (HSE), was forced to shut down its computers because of a ransomware attack. Ireland’s health minister said the attack was having a severe impact on health and social services.

In today’s healthcare world, running doctors’ offices and hospitals without computers means no electronic patient charts and a very labor-intensive process for handling emergencies. Many appointments get cancelled.

The BBC is reporting that there were actually two separate attacks. Because the responders have to figure out how deep the attackers burrowed into the network, recovery will take a while. How long also depends on how good the backups are, how well the organization planned for a situation like this, and how quickly the attack was contained so that, with luck, not every computer was infected.

The system has some 2,000 software applications to rebuild and, as of a couple of days ago, appointments were still being cancelled.

Unlike Colonial Pipeline or CNA Insurance, Ireland says it is not paying the hackers. That might be an indication that after NotPetya they started taking security more seriously and have better disaster recovery and business continuity plans.

Just to understand, the only safe way to recover from an attack like this is what they are doing: having experts build a completely new, separate network and rebuilding the systems onto it, rather than trying to clean infected machines in place. That is a huge amount of work. Some of these systems have been in use since the 1980s, so their security model is likely a bit dated.

Could this happen in the U.S.?

Well, probably not, but maybe.

One difference between the U.S. and Irish healthcare systems is that Ireland has essentially one healthcare system for the entire country. In the U.S. there is an enormous number of separate providers, from individual doctors to clinics to private and public hospitals, and each runs its own systems.

BUT, there are common weaknesses. Many medical facilities have outsourced their systems to one of a few big providers. While those providers likely spend a lot of effort protecting their systems, each of them is a single point of failure shared by many facilities.

Going back to 2015, Epic, one of those shared electronic health record vendors, said that its software held the records of 54% of Americans and 2.5% of patients worldwide. Epic has plenty of competitors, and even Epic doesn’t keep all of those records in one system, but that is the kind of place an attacker would go to maximize the harm. Likely both Epic and the feds realize this.

So could an attack like the one in Ireland happen in the U.S.? It is definitely possible. Hundreds of U.S. hospitals have already been hit by ransomware, and likely thousands of other medical practices have too, just more quietly.

Unfortunately, this is likely to get worse before it gets better.

What helps is being better prepared. That is likely what allowed Ireland to flip the hackers the bird.

The lack of it is also, likely, what forced CNA Insurance to pay a $40 million ransom. Ransom demands are getting higher, so assume that whatever people paid last year is obsolete this year.

Are you prepared? Or are you hoping that you are lucky? Luck is not a strategy.

Credit: Metacurity, BBC, WSJ

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Iran-backed Advanced Persistent Threat group, is compromising corporate networks and then selling access to them to the highest bidder on underground forums. Like all large organizations, they want to diversify beyond ransomware and credit card theft, and now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland’s Data Protection Commission has told Facebook to stop transferring EU users’ data to the US. Of course Zucky says Facebook has the right to do so under Standard Contractual Clauses (and he could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Defense Information Systems Agency (the Pentagon’s IT department): nope, not this time. I actually really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. Instead of running a browser on your computer, you open a window to a browser running in the cloud, an approach generally called remote browser isolation. You surf inside that sandbox, which contains any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware it picked up. In addition, since the sandboxes live in the data center and do the heavy lifting there, the bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians trying to hack the 2020 U.S. elections, the White House added four Russians to the Treasury Department’s OFAC sanctions list, the financial world’s equivalent of a no-fly list. This came after the whistleblower at DHS said he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark bogus corruption investigations in an effort to affect the election outcome. Other Russians stole U.S. citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional techniques like phishing and brute-force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Army Cyber Command (ARCYBER) to Fort Gordon may not be exciting in and of itself, it may be an indication of how seriously the Army is taking cyber. The Army built a new 336,000 square foot building for the command, consolidating people who were at Fort Belvoir and Fort Meade. More importantly, consider who else is at Gordon. The move puts ARCYBER on the same garrison as the Army Cyber Center of Excellence, the Army Cyber Corps and the Army Signal Corps. Gordon also houses Homeland Security training, Naval Information Operations Command and the Joint Strategic Intelligence Command, among others. Putting all these cyber and information people within walking distance of each other should let them coordinate and cooperate better. Credit: Security Week

Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its referral to the European Court of Justice (ECJ). The question referred is whether Standard Contractual Clauses and the U.S. Privacy Shield provide sufficient protection for EU residents’ personal data. Facebook wants to appeal the decision to refer the question to the Irish Supreme Court, because the last place it wants to be is in front of the ECJ, the court that ruled against it in the last privacy suit and struck down Privacy Shield’s predecessor, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill (SB 315) that would likely have criminalized cybersecurity research and allowed so-called hack-back attacks, where victims hack the hackers (what could possibly go wrong when security novices go after professional hackers?). The bill, written by lawyers, was so vague that it might have made reporting a vulnerability a crime. Equally likely, the large cybersecurity firms with offices in Georgia would have left the state, and security researchers at Georgia universities would have found more understanding states to do their research in. Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high-paying jobs, the governor did the expedient thing: he vetoed the bill and told the legislature to find someone who knows something about security before writing the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE. IBM’s Global Chief Information Security Officer announced it by saying that “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t saying why now, but likely someone screwed up big time.

That being said, the ban is relatively easy to implement technically: endpoint management tools and operating system policies can block mass-storage devices or disable the USB storage drivers outright. Done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others (otherwise the data simply leaves by a different door), it will likely reduce certain types of information leakage.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware. Researchers are warning about a campaign, said to have already infected a hundred thousand users, in which people are lured to click a link on social media that redirects them to a page saying they must install a plugin or browser extension to continue reading. DON’T! Once the user invites the software in, it steals passwords for a variety of accounts. Other variants of this attack could empty your bank account when you log in to your bank, or forward all of your email to the hacker.

If you think you need a plugin or browser extension to view a page and it is not already installed, find that extension independently and install it from the vendor’s own site or the browser’s official extension store. Make sure the site is not one with a name similar to the real one (think App1e, not Apple) that hackers have set up to fool you. Even a legitimately published extension gets broad access to everything you do in the browser, so install only what you actually need (source: The Hacker News).
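As an added example (not from the original post or from The Hacker News), here is a small Python check that turns the “App1e is not Apple” advice into something a script, mail filter or proxy rule could apply automatically. The trusted-domain list and the sample hostnames are constructed for the demo, the confusables table is deliberately partial (a production version would use the Unicode TR39 confusables data), and the registrable-domain step is a crude last-two-labels cut rather than a real public suffix list.

```python
"""Lookalike-domain check: does this hostname imitate a site you trust?

Added example. TRUSTED and the hostnames used in the demo are constructed;
CONFUSABLES is a partial, hand-picked table, not Unicode's full confusables list.
"""
import unicodedata

# Sites the user actually trusts (constructed allow-list for the demo).
TRUSTED = {"apple.com", "microsoft.com", "facebook.com"}

# Single characters attackers swap for ASCII letters: digits/symbols, plus
# Cyrillic and Greek letters that look identical in most fonts and survive NFKC.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "l", "!": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",                 # Greek omicron nu alpha
}
# Multi-character sequences that read as one letter at a glance.
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com-style TLDs,
    wrong for co.uk-style suffixes; use a public suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: compare as-is


def skeleton(host: str) -> str:
    """Collapse a hostname to a confusable-free 'skeleton' for comparison."""
    s = unicodedata.normalize("NFKC", decode_idn(host)).lower()  # fullwidth etc. -> ASCII
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, repl in MULTI:
        s = s.replace(seq, repl)
    return s.replace("-", "")  # app-le.com reads as apple.com


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' (imitates a trusted domain) or 'unrelated'."""
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    sk = skeleton(reg)
    if any(sk == skeleton(good) for good in TRUSTED):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames; xn--pple-43d.com is the punycode form of
    # "apple.com" written with a Cyrillic first letter.
    for h in ["www.apple.com", "App1e.com", "rnicrosoft.com", "faceb00k.com",
              "xn--pple-43d.com", "apple.com.evil.com", "example.org"]:
        print(f"{h:22} -> {classify(h)}")
```

Anything other than “trusted” is a reason not to install: “lookalike” means the name collapses onto a trusted one once digits, homoglyphs and punycode are normalized away, and “unrelated” covers tricks like apple.com.evil.com, where the trusted name is only a subdomain of an attacker’s registrable domain.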

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data it has on us. Some people say there is nothing to worry about if you haven’t done anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, had access to a service sold by Securus Technologies that is meant to record and track phone calls to and from prisoners.

Unfortunately, he used it to track the phones of a judge and members of the State Highway Patrol. The service let him obtain location and call data for those people, and for anyone else he wanted.

Securus requires the requester to upload a document authorizing the request and to certify that the activity is legal. Basically, pinky swearing.

When the sheriff was arrested and the media asked Securus about its practices, the company said its people weren’t judges or lawyers, so, basically, they just trust the requester.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on? Who knows (Source: NY Times).

In Ongoing Battle over Email, Microsoft Wins This Round

Microsoft has been fighting the U.S. Department of Justice since 2013, when the DoJ tried to force Microsoft to hand over data belonging to a user that was stored exclusively in Ireland. The case has gone back and forth in the courts since then.

The bottom line issue is whether a U.S. court can force a U.S.-based company to break foreign law simply because the U.S. court says so.

In this case, the emails are stored in Ireland and Irish privacy law is pretty strict. Microsoft says it is perfectly willing to hand over the emails if the DoJ convinces an Irish court to issue a subpoena to the Microsoft Ireland subsidiary (the normal route being the mutual legal assistance treaty between the two countries). The DoJ, for whatever reason, doesn’t want to do that. I suspect it would like to create a precedent that U.S. law trumps Irish law in U.S. courts.

Microsoft, pretending to be a friend of privacy when it suits them, says it wants to protect its user. It may be more concerned about breaking Irish law and the penalties that come with that.

The EU General Data Protection Regulation, which goes into full effect in May 2018, allows regulators to fine a business up to 4% of its worldwide annual turnover (or €20 million, whichever is higher) for privacy violations. That doesn’t mean they have to or will, but they can. For Microsoft, based on 2015 revenue of $93 billion, that means a POTENTIAL MAXIMUM fine of roughly $3.7 billion.

A short summary of the 180+ page GDPR is available on Deloitte’s web site. Note that it appears to be a Dutch version of the site, so the notices about privacy and cookies are in Dutch, but the summary text is all in English.

Since 2013, this case has bounced around the courts. Most recently, this month, the DoJ told the Second Circuit Court of Appeals that the Justice Department has the right to demand the emails of anyone, anywhere in the world, from an email provider headquartered in the United States.

By logical extension, China could demand the emails of U.S. citizens from Google because a Chinese court said so. I don’t think U.S. courts would be thrilled about that quid pro quo.

The DoJ says that YOUR email is a business record OWNED by Microsoft, not by you, so it should be able to demand that Microsoft hand over copies of its business records. That is a pretty scary concept. Two lower courts ruled in favor of the DoJ.

What if those emails were letters and those letters were stored in an office in Ireland? Would the U.S. DoJ be able to send a Marshal to Ireland, hand over a U.S. search warrant and expect to get those letters?

What if North Korea presented a search warrant to a U.S. company asking for information on a customer?

As you can see, this gets messy quickly.

Microsoft wanted to make a ‘federal case’ out of this, so it asked the lower court to hold it in contempt for failing to turn over the emails, which gave it an order it could appeal.

It is important to understand that this is different from, say, the WhatsApp case in Brazil, where a Brazilian court froze $6 million of Facebook’s money because WhatsApp doesn’t have the decryption keys and therefore can’t hand over the messages in readable form. Since WhatsApp has no offices or presence in Brazil, the court went after Facebook instead (Facebook owns WhatsApp). In the Microsoft case, Microsoft could, technically, turn over the emails in readable form.

But if Microsoft chose to comply with this warrant, its business model would shrivel up and die.

What foreign company would do business with an American company if it knew that the U.S. government could demand that the U.S. business turn over the foreign company’s records, stored in that foreign country, totally bypassing the legal system there?

Currently, companies like Google and Microsoft deal with that by setting up subsidiaries in different countries and making users customers of the local subsidiary.

While I don’t even pretend to be a lawyer, even on the Internet, the concept here is called extraterritoriality, meaning that a government declares that its law applies in another country. A country can do that, but absent the other country’s agreement, the likelihood of the other country enforcing that law is very low.

Microsoft says that if the U.S. wants to go after data stored in foreign countries, that is fine. What it needs to do is pass a law claiming that right and then negotiate treaties with each country where it wants to enforce it. There are many examples of such treaties today, but it is a complicated process.

For one thing, each country will likely demand reciprocal rights, and those countries will likely demand that such requests be honored only if the requesting country provides protections similar to those the citizen in question enjoys at home.

In the Microsoft case, that means that if there were a treaty in place, and if the U.S. provided the same protections as Irish law, then Ireland would honor the U.S. request.

Great Britain is trying the same gig with the proposed Snooper’s Charter bill currently in Parliament, and while Britain might pass such a law, the likelihood of it being enforced in at least some other countries is basically zero.

For those of you who read this tome hoping I would tell you how it turned out: the appeals court ruled in Microsoft’s favor.

Whether the DoJ chooses to appeal this to the Supreme Court, or to wait until after the November elections and hope that Trump gets elected and stacks the court the way it would like, is unclear. If Clinton gets elected it is unlikely that the DoJ would get the judge it wants. In fact, whoever gets elected will likely control the slant of the court for decades to come, and that is probably the most important issue in the U.S. Presidential election, bar none.