Tag Archives: ransomware

News Bites for the Week Ending November 30, 2018

Microsoft Azure and O.365 Multi-Factor Authentication Outage

Microsoft’s cloud environment had a worldwide outage this week that lasted the better part of a day. The failure was in the multi-factor authentication service, so users who had turned on two-factor authentication could not log in to Azure or Office 365.

This is not a “gee, Microsoft is bad” or “gee, two factor authentication is bad” problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately cloud systems fail occasionally too.

The bigger question is whether you are prepared for the failure that is guaranteed to happen at some point in the future.

It is a really bad idea to assume cloud systems will not fail, whether it is an industry-specific application or a generic platform like Microsoft’s or Google’s.

What is your acceptable length for an outage?  How much data are you willing to lose?

More importantly, do you have a plan for what to do in case you pass those points of no return and have you recently tested those plans?

Failures usually happen when it is inconvenient, and planning is critical to dealing with them. Dealing with an outage without a well thought out and tested plan is likely to be a disaster. Source: ZDNet.

 

Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem. A business credit rating is supposed to reflect the overall risk that business represents.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody’s says that it will soon evaluate an organization’s risk from a cyber attack as part of its ratings.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.

 

British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not real happy with Facebook and were looking for copies of documents that had been part of discovery in a lawsuit between app maker Six4Three and Facebook that has been going on for years.

So, when Ted Kramer, founder of the company, visited England on business, Parliament’s Serjeant at Arms hauled Ted into Parliament and threatened to jail him if he did not produce the documents sealed by the U.S. court.

So Ted was between a rock and a hard place: the Brits had physical custody of him, and the U.S. court could hold him in contempt (I suspect they will huff and puff a lot, but not do anything), so he turned over the documents.

Facebook has been trying to hide these documents for years.  I suspect that Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.

 

Two More Hospitals Hit By Ransomware

The East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to using paper patient charts and are sending ambulances to other hospitals.  Of course they are saying that patient care isn’t affected, but given you have no information available to you regarding patients currently in the hospital, their diagnoses, tests or prior treatments, that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared? In cases like this it often takes only one doctor or nurse clicking on the wrong link; that is all it takes. Source: EHR Intelligence.

 

Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million customers, including Social Security numbers for about 700,000 of them.

However, while Atrium gets to pay the fine, it was actually the fault of one of their vendors, Accudoc.  Accudoc does billing for them for their 44 hospitals.

Atrium says that the data was accessed but not downloaded and did not include credit card data. Of course, if the bad guys “accessed” the data and then screen scraped it, or pulled it out through the application one record at a time, it would not show up in the logs as a download.

One more time – VENDOR CYBER RISK MANAGEMENT.  It has to be a priority.   Unless you don’t mind taking the rap and fines for your vendor’s errors.   Source: Charlotte Observer.


Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another product that has an undocumented hard coded password. I have lost track of how many they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it. Are all the other hardware vendors pure as the driven snow? NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded account (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.
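Finding these before release is a build-time check rather than a patch-cycle confession. As an added example (my own, not Cisco’s code and not from the ZDNet article), here is a small Python scanner that flags credential-looking literals in source or build scripts, skips deploy-time template variables and documented placeholders, and scores how random each literal looks. The provisioning script it scans is constructed for the example; the names, paths and values in it are made up.

```python
import math
import re
from collections import Counter

# Assignments and URL forms that commonly carry credentials in source, config
# files and firmware build scripts.  The named group "value" is the secret.
CREDENTIAL_PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(passw(or)?d|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'](?P<value>[^"']{4,})["']"""),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<value>[^\s@/]+)@"),
    "private_key_block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Literals that are placeholders rather than secrets; a value starting with a
# template sigil ($, %, {{) is treated the same way.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<password>", "redacted", "example"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return one finding per (line, pattern) that looks like a hard coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in CREDENTIAL_PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.groupdict().get("value") or ""
            if value and (value.lower() in PLACEHOLDERS or value.startswith(("$", "%", "{{"))):
                continue  # injected at deploy time, or an obvious placeholder
            findings.append({
                "source": source, "line": lineno, "kind": kind, "value": value,
                "entropy": round(shannon_entropy(value), 2),
            })
    return findings


# Constructed sample: a provisioning script with QA leftovers.  Not vendor code.
SAMPLE_SCRIPT = """\
# build/provision.sh  (constructed sample for this example)
ADMIN_USER=admin
ADMIN_PASSWORD="Fact0ryT3st!2018"      # QA account nobody removed
DB_URL="postgres://svc_video:s3cr3t-p@db.internal:5432/vsm"
API_TOKEN="${API_TOKEN}"              # injected at deploy time, fine
password = "changeme"                 # documented placeholder, fine
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "build/provision.sh"):
        print(f"{f['source']}:{f['line']} {f['kind']} value={f['value']!r} entropy={f['entropy']}")
```

Run as a pre-commit or release gate, this catches the two real leftovers (the QA password and the database credential in the connection URL) and the private key, while leaving the deploy-time variable and the documented placeholder alone.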

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents attached to them that are infected. When the gig worker opens the file to decide whether he or she wants to bid on the gig, his or her computer is infected. MAYBE the gig worker’s anti-virus software will catch it, but if the files are crafted slightly differently for each attack, signature-based AV will be blind to them.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.
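Since signature-based AV cannot be relied on against per-victim variants, a gig worker (or whoever is helping one) can at least look inside a document before opening it. The following Python is an added example, not from the ZDNet article: it opens a .docx/.xlsx/.pptx as the zip container it is and reports a VBA project, relationships that point outside the file (the remote template trick), and embedded OLE objects, without ever rendering the document. The sample documents and the 198.51.100.7 address are constructed for the example.

```python
import io
import re
import zipfile
from typing import Optional

# Real Office Open XML (ECMA-376) conventions: where a VBA project lives and the
# relationship types that make the application fetch or run something on open.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
RISKY_REL_TYPES = {"attachedTemplate", "oleObject", "frame"}

REL_RE = re.compile(r"<Relationship\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def triage_office_doc(data: bytes) -> dict:
    """Look inside an OOXML package for active content without rendering it."""
    findings = {"macros": False, "external_targets": [], "embedded_objects": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML zip (legacy .doc/.xls binary, or not Office at all)"
        return findings
    names = set(zf.namelist())
    # 1. A VBA project part, or a content type declaring one, means macros.
    if names & MACRO_PARTS:
        findings["macros"] = True
    if "[Content_Types].xml" in names and \
            MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace"):
        findings["macros"] = True
    # 2. Relationships with TargetMode="External" pull content from outside the file.
    for name in sorted(names):
        if not name.endswith(".rels"):
            continue
        xml = zf.read(name).decode("utf-8", "replace")
        for m in REL_RE.finditer(xml):
            attrs = dict(ATTR_RE.findall(m.group(1)))
            if attrs.get("TargetMode") != "External":
                continue
            rel_type = attrs.get("Type", "").rsplit("/", 1)[-1]
            if rel_type in RISKY_REL_TYPES:
                findings["external_targets"].append((rel_type, attrs.get("Target", "")))
    # 3. Embedded OLE packages can carry executables or scripts.
    findings["embedded_objects"] = sorted(n for n in names if "/embeddings/" in n)
    return findings


def build_sample(macro: bool = False, remote_template: Optional[str] = None) -> bytes:
    """Construct a minimal .docx in memory; sample data for this example only."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>',
    ]
    if remote_template:
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    f'Target="{remote_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
                     + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if macro:
            # OLE compound-file magic plus padding: a stub, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_doc(build_sample()))
    print(triage_office_doc(build_sample(macro=True, remote_template="http://198.51.100.7/brief.dotm")))
```

Anything with macros or an external template target should be opened only in a sandbox or a viewer that cannot execute content; the check says nothing about legacy binary .doc files, which it simply reports as not being a zip.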

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Let’s compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850,000 records.

Private right of action of up to $750 per user without having to show damage. Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for intentional non-compliance: $7,500 per violation (three times the $2,500 base penalty, since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = a little over $22 BILLION.

BEST CASE (maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOS 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked.

To be fair, the Pangu team, the group that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .


Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still, this does point out the risk of granting a third party access to your data by proxy: in this case, 21 million users were compromised because of a breach at a third party that held the access tokens. The data here was not particularly sensitive, unless your FB posts are sensitive, but that is purely accidental.

One more bit of bad news in all of this (beyond all the bad news above for the people whose data was stolen). The attack began in December 2017. The hacker logged on again in March and April 2018, logged in once more on June 22 and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB Restricted Mode to the current release of iOS. Restricted Mode locks down the Lightning port of an iPhone or iPad after the device has been locked for an hour, so that the port can only be used for charging, not data access. It defaults to enabled, although you can manually turn the feature off. This is designed to make it harder to hack an iPhone or iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO, put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack. They shut down their EHR system to make sure it did not become a casualty of the attack. The day after the attack they said that they had begun decryption of the affected systems which, while they are not saying so, is likely the result of paying the ransom and getting the decryption key from the attacker; the statement did not say that they were restoring the affected systems from backups. Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers. (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the MQ-9 Reaper, a $17 million military drone, for less than $200 on the dark web. He got them by hacking an Air Force Airman’s home Internet router, which had not been patched for a known vulnerability. It is likely that the Airman was not involved, but it is not clear whether he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.


Ransomware, The Gift That Keeps On Giving

Just a few years ago most people had not even heard of ransomware. Today, if you have not been hit by a ransomware attack, you have certainly heard about attack after attack. Ranging from massive attacks that affected companies like FedEx and Merck to hospitals to little mom and pop stores, ransomware is the scourge of our technical world.

There really is one major reason for ransomware attacks: money. If you pay the ransom, even one you perceive to be small, it funds the attackers and encourages more attacks.

Although no one really knows the statistics, people do make educated guesses. According to security firm Kaspersky, in Q1 2016 an individual was attacked every 20 seconds and a business every 2 minutes (I assume that most of these attacks were NOT successful). By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.

In Q1 2017, 60% of all malware payloads were ransomware, according to Malwarebytes.

And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in.  That includes a billion dollars for WannaCry alone.

People are paying millions in ransom as well.

See this article for more stats.

So why are we seeing the increase in ransomware?

#1 – As credit card companies improve their security, it is becoming harder to cash in on stolen credit cards. Hackers are turning to other ways to make money.

#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their game when it comes to cybersecurity.

#3 – The emergence of Bitcoin and other crypto-currencies has made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.

So here are some thoughts about dealing with ransomware.

In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly.  In these cases several thousand devices were compromised in an hour.  That doesn’t give you much time to detect the attack, never mind respond to it.

In the first organization, they did not have robust detection software and so the attack ended when all of the vulnerable machines were compromised.  The other organization did detect it and were able to take some machines offline and save them, but still many machines were compromised.
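What “robust detection” has to do inside that hour is spot one endpoint rewriting hundreds of files a minute and get it off the network. The following Python is an added example, not from the SecurityInfoWatch article or either organization: a sliding-window detector run over constructed file-server audit lines (hostnames, user names and paths are made up) that flags any host/user pair renaming files to a new extension, or dropping ransom notes, faster than a human would.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Heuristics for file activity that looks like encryption in progress:
# a RENAME that swaps the extension, or a ransom note dropped into a folder.
RANSOM_NOTE_TOKENS = ("DECRYPT", "RESTORE", "RECOVER", "READ_ME")
RANSOM_NOTE_EXTS = {".txt", ".html", ".hta"}


def parse_line(line: str) -> dict:
    """Parse one constructed audit line: ts|host|user|action|path[|new_path]."""
    parts = line.split("|")
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1], "user": parts[2], "action": parts[3], "path": parts[4],
        "new_path": parts[5] if len(parts) > 5 else None,
    }


def is_encryption_like(ev: dict) -> bool:
    if ev["action"] == "RENAME" and ev["new_path"]:
        old_ext = os.path.splitext(ev["path"])[1].lower()
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        return bool(new_ext) and new_ext != old_ext
    if ev["action"] == "CREATE":
        stem, ext = os.path.splitext(os.path.basename(ev["path"]))
        return ext.lower() in RANSOM_NOTE_EXTS and any(t in stem.upper() for t in RANSOM_NOTE_TOKENS)
    return False


def detect_mass_encryption(lines, window_s: int = 60, threshold: int = 50) -> list:
    """Alert on any (host, user) with >= threshold encryption-like events inside a sliding window."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)       # (host, user) -> timestamps still inside the window
    alerts = {}
    for ev in events:
        if not is_encryption_like(ev):
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"host": key[0], "user": key[1],
                                        "first_seen": q[0], "count": 0})
            a["count"] = max(a["count"], len(q))   # peak events inside one window
            a["last_seen"] = ev["ts"]
    return list(alerts.values())


def make_sample_lines() -> list:
    """Constructed audit lines: one normal user and one workstation encrypting a share."""
    base = datetime(2018, 11, 27, 2, 3, 0)
    lines = []
    for i in range(3):    # jdoe exports three memos to PDF over twelve minutes
        ts = base + timedelta(minutes=4 * i)
        lines.append(f"{ts.isoformat()}|WS-114|jdoe|RENAME|//FS01/shared/hr/memo_{i}.docx|//FS01/shared/hr/memo_{i}.pdf")
        lines.append(f"{(ts + timedelta(seconds=5)).isoformat()}|WS-114|jdoe|WRITE|//FS01/shared/hr/memo_{i}.pdf")
    for i in range(180):  # rsmith's workstation renames 180 spreadsheets in 36 seconds
        ts = base + timedelta(milliseconds=200 * i)
        src = f"//FS01/shared/finance/ledger_{i:03d}.xlsx"
        lines.append(f"{ts.isoformat()}|WS-207|rsmith|RENAME|{src}|{src}.locked")
        if i % 30 == 0:   # a ransom note appears alongside the files
            lines.append(f"{ts.isoformat()}|WS-207|rsmith|CREATE|//FS01/shared/finance/HOW_TO_RESTORE_FILES.txt")
    return lines


if __name__ == "__main__":
    for a in detect_mass_encryption(make_sample_lines()):
        print(f"ISOLATE {a['host']}: {a['count']} encryption-like events by {a['user']} "
              f"between {a['first_seen'].time()} and {a['last_seen'].time()}")
```

The threshold and window are the tuning knobs: a user exporting a few documents to PDF never comes close, while the encrypting workstation crosses 50 events within its first ten seconds, which is when the host should be quarantined, not after the whole share is gone.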

Here in Colorado, the Colorado Department of Transportation was hit by a ransomware attack twice in a period of a week or two.  Weeks later, many of their computers are still only useful as doorstops.

Lets assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than that decades old anti virus software that you are using) – then there are two options.

First, you don’t pay the ransom.  Assuming you have good backups and depending on the size of the organization, it could take weeks to months to recover all of your systems.

If you do pay the ransom, you only have roughly 50/50 odds of getting a key that will successfully decrypt your devices.

But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread?  PROBABLY NOT!

The best technique for preventing successful ransomware attacks is training your users.  Clicking on links and opening attachments are likely the two most common ways to get infected.

There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.

The next thing that you have to have is a very robust incident response program.

When I speak at seminars I talk about the Sony attack disaster.  A few months before that, there was a similar attack that you likely never heard of – because they have a great incident response program and empowered individuals to take actions.  The organization was the Sands Hotel and casino and IT security made the decision to start literally unplugging computers from the network.  They had people running through the casinos pulling cables.  The result was a greatly diminished attack.

On the other hand, a local municipality in the Denver area was hit by a denial of service attack and once they got approval to disconnect from the Internet,  it took them hours to figure exactly how to do that.    A lot of damage can be done in hours.  You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.

Two different organizations, two different outcomes.

Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack.  How devastating that attack is will be based on how prepared you are.

How prepared are you?

Information for this post came from SecurityInfoWatch.


Davidson County, NC Hit By Ransomware – Reverts to Paper

While yet another local government being shut down by a ransomware attack is old news these days, it still can point to a few valuable things.

This time it is Davidson County, NC, near Greensboro.

At 2:00 in the morning the county’s CIO was woken up – there was something strange going on with the 911 system.

What they figured out was that ransomware had compromised 70 servers and an unknown number of desktops and laptops.

Oh, yeah, and the phones weren’t working, which is sort of a problem for the 911 dispatchers.

The county manager said it could take weeks or months to fully resolve.  He also said that this kind of attack is common in Europe.  It is, but it is equally common in the U.S.  Just recently neighboring county Mecklenburg had the same problem.

One bit of good news is that they have cyber insurance.  That likely will help them pay for some of the costs.  At the time of the first article, they had not decided if they were going to pay the ransom.

By Monday the county said that 911 was working as was the tax collector.  You can see why both of these are important to the county.

They continue to work on the restoration, but did not give a time when things would be back to normal – just soon.

So what are the takeaways here?

  • Have a disaster recovery plan – it sounds like they did have one of these.
  • Have a business continuity plan – how do we keep the doors open and keep answering the phone? And, if you are a web based business and your web site is down, now what?
  • Having cyber insurance will help pay for all this.
  • Make sure you have backups.  Make sure it covers ALL of your data and systems.
  • Figure out how long it will take to restore those backups.  For nearby Mecklenburg, it was a couple of months.  Is that OK?  If not, what is plan B?
  • How are you going to communicate about it.
  • MUTUAL AID – this one is easier for non-profits and the public sector, but it is still worth considering. Davidson County received offers of assistance from the nearby City of Lexington and from Rowan County, as well as from the North Carolina Association of County Commissioners. And they are talking with Mecklenburg County, which went through the same ordeal recently. When I was in college in upstate New York (this was in the dark ages before the Internet), the volunteer fire departments up and down the Finger Lakes would invoke mutual aid using fog horns that carried across the lakes for miles. A particular burst meant that this fire department or that one needed help. It was a life saver, literally. For a business, the equivalent may be an arrangement with a customer, a business partner or an investor. You may not need the aid, but having it available could make a huge difference.

Ultimately, having a plan and testing that plan is hugely important.  Don’t hope it won’t happen to you.  That might be the case, but then again, it might not be the case.  Will you be ready if it happens to you?

Information for this post came from the Dispatch and Greensboro.com


Ransomware. Backups. MTTR. Disaster Recovery. Business Continuity.

Ransomware and hospitals.  Not a great combination.

The Register is reporting that Hancock Hospital paid ransom attackers $60,000 to get control of their system back.

Pictured: Hancock Health, 801 N. State St. in Greenfield. (Tom Russo | Daily Reporter)

Hancock Health in Indiana was hit with a ransomware attack last week.  As the hospital detected “something wrong”, they decided to shut down all hospital systems, all wellness center systems, Physicians offices systems and, in fact, the entire Hancock Health Network.

The attack put the hospital and its affiliates back into the medical stone age.  No electronic medical records.  No email.  All paper.

Like many other attacks, this attacker, apparently, found a publicly exposed remote desktop protocol (RDP) open port and the rest, as they say, was history.

When the hospital figured out that it was being attacked they contacted the FBI and an outside IT specialist. However, the Lone Ranger had already used up all of the silver bullets; there were none left.

This is where the title of this blog post comes in.

If you get hit with a ransomware attack, the experts say that you are okay if you have good backups.  Well, maybe.

But there is more to it.

Business continuity – can you continue to operate while you sort things out? In this case, the hospital reverted to paper. But paper is slow and cumbersome and introduces errors.

Disaster recovery – do you have a plan for how you are going to recover from the disaster?

MTTR – MTTR stands for mean time to repair. It goes along with RTO, the Recovery Time Objective, and RPO, the Recovery Point Objective. MTTR and RTO answer HOW LONG WILL IT TAKE TO GET BACK IN OPERATION? RPO answers HOW MUCH DATA ARE YOU WILLING TO LOSE?
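The Davidson County write-up above said to figure out how long restoring your backups will actually take; RPO and RTO turn that into a yes/no answer per system. The following Python is an added example, not from either article and not Hancock Health’s plan: it takes a constructed inventory (system names, sizes, restore throughputs and backup times are made up) and computes the data loss and time-to-service each system would really have from an incident at 02:00, honouring restore dependencies, against the objectives set for it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SystemPlan:
    """One system in the recovery plan.  Throughput and validation time must come
    from a measured restore test, not from a vendor brochure."""
    name: str
    rpo: timedelta                 # most data loss the business will tolerate
    rto: timedelta                 # longest outage the business will tolerate
    last_good_backup: datetime
    data_gb: float
    restore_gb_per_hour: float
    validate_hours: float          # integrity checks, application start, smoke tests
    depends_on: List[str] = field(default_factory=list)


def finish_hours(plans: Dict[str, SystemPlan], name: str, memo: Dict[str, float]) -> float:
    """Hours after the incident at which `name` is back in service.  A system starts
    restoring only when everything it depends on is up (critical path); independent
    systems restore in parallel.  Assumes the dependency graph is acyclic."""
    if name not in memo:
        p = plans[name]
        start = max((finish_hours(plans, d, memo) for d in p.depends_on), default=0.0)
        memo[name] = start + p.data_gb / p.restore_gb_per_hour + p.validate_hours
    return memo[name]


def assess(plans: List[SystemPlan], incident: datetime) -> Dict[str, dict]:
    """Compare the achievable RPO/RTO against the objectives for every system."""
    by_name = {p.name: p for p in plans}
    memo: Dict[str, float] = {}
    report = {}
    for p in plans:
        rpo_actual = incident - p.last_good_backup
        rto_actual = timedelta(hours=finish_hours(by_name, p.name, memo))
        report[p.name] = {
            "rpo_actual": rpo_actual, "rpo_ok": rpo_actual <= p.rpo,
            "rto_actual": rto_actual, "rto_ok": rto_actual <= p.rto,
        }
    return report


def sample_plans() -> List[SystemPlan]:
    """Constructed hospital-style inventory; the numbers are illustrative only."""
    h = timedelta
    return [
        SystemPlan("identity", rpo=h(hours=24), rto=h(hours=4),
                   last_good_backup=datetime(2018, 1, 11, 23, 0), data_gb=50,
                   restore_gb_per_hour=100, validate_hours=0.5),
        SystemPlan("ehr-db", rpo=h(minutes=15), rto=h(hours=8),
                   last_good_backup=datetime(2018, 1, 12, 1, 50), data_gb=2000,
                   restore_gb_per_hour=250, validate_hours=1.0, depends_on=["identity"]),
        SystemPlan("ehr-app", rpo=h(hours=24), rto=h(hours=8),
                   last_good_backup=datetime(2018, 1, 11, 22, 0), data_gb=100,
                   restore_gb_per_hour=100, validate_hours=0.5, depends_on=["ehr-db"]),
        SystemPlan("imaging", rpo=h(hours=24), rto=h(hours=24),
                   last_good_backup=datetime(2018, 1, 10, 20, 0), data_gb=6000,
                   restore_gb_per_hour=500, validate_hours=2.0, depends_on=["identity"]),
    ]


INCIDENT = datetime(2018, 1, 12, 2, 0)   # constructed: ransomware detected at 02:00

if __name__ == "__main__":
    for name, r in assess(sample_plans(), INCIDENT).items():
        print(f"{name:9} RPO {r['rpo_actual']} {'ok' if r['rpo_ok'] else 'MISSED'} | "
              f"RTO {r['rto_actual']} {'ok' if r['rto_ok'] else 'MISSED'}")
```

In this constructed inventory the EHR database backup is only ten minutes old, so its RPO is fine, but an eight hour restore behind a one hour identity restore blows its eight hour RTO, and the application that depends on it misses by even more; imaging makes its RTO but a missed nightly backup costs thirty hours of data. That is the conversation to have before the incident, because on the night it is exactly this arithmetic that decides whether someone reaches for the checkbook.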

That is what tripped up Hancock.  They decided to pay the $60k and get working again.

Mecklenburg County, NC, home of Charlotte, decided not to pay the ransom and is still recovering, months later.

In late 2016,  Madison County, Indiana, decided to pay their ransom to get access to their data – it cost them $200,000.

According to the FBI, there are thousands of these attacks every day.  According to some reports, ransomware is a $9 billion industry.

So as you think about how to deal with a possible ransomware attack; think about this:

  • Backups
  • Mean Time To Repair
  • Business Continuity
  • Disaster Recovery

Put those all together and you will be in pretty good shape.

 

Information for this post came from The Register and The Greenfield Reporter.
