Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead for now to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks and is based upon WannaCry code appearing in Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

According to reports, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China on Monday reported that it attacked traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that if the malware can’t connect to the unregistered domain, it infects the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article)  Also FoxNews

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

IoT and the inevitable, looming Big Data Breach

click to enlargeThe Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridge, remotely adjusted pacemakers (and other medical devices) plus home security two way video systems that accost the dodgy door ringer sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT which were patched out 10 years ago on PCs that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security? (more…)

The security risks, and the promise of, the Internet of Things

Jason Hope, who back in September wrote on how one of the greatest impediments to the much-touted Internet of Things (IoT) was not security, but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of security risks in over-connectivity of home devices (see below), relentlessly we are moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) divided into regional networks.

As Mr Hope put it as the fifth and final prediction in his recent article:

The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so common place, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.

This Editor continues to be concerned about how hackers can get into devices, (more…)

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR). 

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)

UCLA Health data breach may affect 4.5 million patients

click to enlargeBreaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and that the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

58 percent of health data breaches due to simple theft, not hacking: JAMA

click to enlarge Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records–electronic and paper. HealthLeaders We’ve reported previously that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-rays in dead storage sought after for mercury content. So if Hackermania is not always running wild, except when it is, how to keep those records secure? According to West Virginia United Health System’s assistant CIO interviewed by FierceHealthIT at HIMSS, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.