10.3.18

In the US, one in five healthcare employees willing to sell patient data, study finds

Almost one in five (18%) employees in the healthcare industry in the United States and Canada said that they would be willing to give access to confidential medical data about patients to an unauthorized outsider for financial gain, a survey for Accenture has revealed.
They would expect no more than $500 to $1,000 for their login credentials or for deliberately installing tracking software or downloading the data to a portable drive.
The remaining 82% said that no amount of money would make them sell the records, according to the survey, called Losing the Cyber Culture War in Healthcare: Accenture 2018 Healthcare Workforce Survey on Cybersecurity.
The problem was particularly acute among provider organizations, as opposed to payer organizations (21% vs. 12%). Also, and perhaps counterintuitively, staff with more frequent cybersecurity training were more inclined to such practices.
In addition, this way of compromising patient data is not a purely hypothetical phenomenon. Roughly one in four (24%) respondents said that they were actually aware of a co-worker who had made a profit by providing a third party with access to such information.
Accenture noted that such conduct contributes to the fact that healthcare organizations in seven countries spent an estimated $12.5 million each, on average, dealing with impacts of cybercrime in 2017. The figure comes from the firm’s report called 2017 Cost of Cyber Crime Study.
Meanwhile, there was an almost universal (99%) sense of responsibility among the respondents for data security. Nearly all (97%) also claimed that they understand the data security and privacy standards of their organization. And yet there is some disconnect, as one in five (21%) of the healthcare workforce admitted to writing down their login credentials near their computers.
A total of 912 employees of provider and payer organizations in the US and Canada were polled for the survey, which was conducted online in November. All of the respondents have access to electronic health data such as personally identifiable information (PII), payment card information (PCI), and protected health information (PHI).
In another study by Accenture in 2017, 88% of patients in the US said that they trust their physicians or other healthcare providers to ensure security for their electronic medical data. A quarter said that they had experienced a breach of such data.
Author Tomáš Foltýn, ESET

8.3.18

Trends 2018: The ransomware revolution

This is actually where I came in, nearly 30 years ago. The first malware outbreak for which I provided consultancy was Dr. Popp’s extraordinary AIDS Trojan, which rendered a victim’s data inaccessible until a ‘software lease renewal’ payment was made. And for a long time afterwards, there was not much else that could be called ransomware, unless you count threats made against organizations of persistent DDoS (Distributed Denial of Service) attacks.
All-too-plausible deniability
While Denial of Service attacks amplified by the use of networks of bot-compromised PCs were becoming a notable problem by the turn of the century, DDoS extortion threats have accelerated in parallel (if less dramatically) with the rise in ransomware in the past few years. However, statistics may be obscured by a reluctance on the part of some victim organizations to speak out, and a concurrent rise in DDoS attacks with a political dimension rather than a simple profit motive. There are other complex interactions between malware types, though: there have been instances of ransomware variants that incorporated a DDoS bot, while more recently the charmers behind the Mirai botnet chose to DDoS the WannaCryptor (a.k.a. WannaCry) “kill switch” in order to allow dormant copies of the malware to reactivate.
The worm turns
Of course, there’s a great deal more to the malware ESET calls Win32/Filecoder.WannaCryptor than the Mirai factor. The combination of ransomware and worm accelerated the spread of the malware, though not as dramatically in terms of sheer volume as some of the worm attacks we saw in the first decade of the millennium, partly because its spread was reliant on a vulnerability that was already widely patched. However, its financial impact on major organizations caught the attention of the media worldwide.
Pay up! and play our game*
One of the quirks of WannaCryptor was that it was never very likely that someone who paid the ransom would get all their data decrypted. That’s not unique, of course: there are all too many examples of ransomware where the criminals were unable to recover some or any data because of incompetent coding, or never intended to enable recovery. Ranscam and Hitler, for example, simply deleted files: no encryption, and no likely way the criminal can help recover them. Fortunately, these don’t seem to have been particularly widespread. Perhaps the most notorious example, though, is the Petya semi-clone ESET detects as DiskCoder.C, which does encrypt data. Given how competently the malware is executed, the absence of a recovery mechanism doesn’t seem accidental. Rather, a case of ‘take the money and run’.
Wiper hyper
While the DiskCoder.C malware sometimes referred to as NotPetya clearly doesn’t eschew making some profit by passing itself off as ransomware, other ‘wipers’ clearly have a different agenda, such as the (fairly) recently revived Shamoon malware. Malware with wiper functionality aimed at Ukraine includes KillDisk (associated with BlackEnergy) and, more recently, one of the payloads deployed by Industroyer.
What can you learn from these trends?
Holding your data to ransom is an easy way for an attacker to make a dishonest profit, and destroying data for other reasons such as a political agenda seems to be on the rise. Rather than speculate about all the possible variations on the theme of data mangling, let’s look at some measures that reduce the risk across the board.
1. We understand that people choose to pay in the hope of getting their data back even though they know that this encourages the criminals. Before paying up, though, check with your security software vendor (a) in case recovery may be possible without paying the ransom, and (b) in case it’s known that paying the ransom won’t or can’t result in recovery for that particular ransomware variant.
2. Protecting your data proactively is safer than relying on the competence and good faith of the criminal. Back up everything that matters to you, often, keeping at least some backups offline – on media that aren’t routinely exposed to corruption by ransomware and other malware – in a physically secure location (preferably more than one location). And, obviously, backups defend against risks to data apart from ransomware and other malware, so they should already be part of a disaster recovery plan.
3. Many people and organizations nowadays don’t think of backup in terms of physical media like optical disks and flash storage, so much as in terms of some form of cloud storage, which is very likely to be offsite, of course. Remember, however, that where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local and other network-connected storage is. It’s important that offsite storage:
   a. Is not routinely and permanently online
   b. Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
   c. Protects earlier generations of backed-up data from compromise, so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data
   d. Protects the customer by spelling out the provider’s legal/contractual responsibilities, what happens if the provider goes out of business, and so on.
4. Don’t underestimate the usefulness of backup media that aren’t rewriteable/reusable. If you can’t modify what’s been written there, then neither can ransomware. Check every so often that your backup/recovery operation is (still) working properly and that your media (read-only, write-disabled, or write-enabled) are still readable (and that write-enabled media aren’t routinely writeable). And back up your backups.
5. I’m certainly not going to say that you should rely on backups instead of using security software, but bear in mind that removing active ransomware with security software that detects ransomware is by no means the same as recovering data: removing the ransomware and then deciding to pay up means that the data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is part of the malware. On the other hand, you certainly don’t want to restore your data to a system on which the ransomware is still active. Fortunately, safe backups can save your data if/when something malicious slips past your security software.
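The backup advice above (keep generations, protect stored copies from silent modification, and periodically check that backups are still readable and restorable) can be turned into a small routine check. The script below is an added example, not code from the article or from ESET. It assumes a POSIX shell with tar, sha256sum and mktemp from GNU coreutils, and a backup root that is reachable only while the script runs; the function names make_backup, verify_backup and count_generations and the gen-* directory layout are this example's own conventions. Each run creates a new generation rather than overwriting an earlier one, records a SHA-256 manifest, write-disables the stored copy, and verification re-checks the manifest, performs a test restore into a scratch directory, and confirms the copy is still not write-enabled:

```shell
#!/bin/sh
# Added example, not code from the article: a small generational backup with an
# integrity manifest, a test restore and a write-protection check. Assumes a
# POSIX shell with tar, sha256sum and mktemp (GNU coreutils), and that the
# backup root is only mounted or reachable while this script is running.
set -eu

# Create one backup generation under root $2 from source directory $1.
# Every run gets its own directory, so earlier generations are never
# overwritten. Prints the path of the new generation.
make_backup() {
    mb_src="$1"; mb_root="$2"
    mkdir -p "$mb_root"
    mb_gen=$(mktemp -d "$mb_root/gen-$(date +%Y%m%d)-XXXXXX")
    tar -C "$mb_src" -cf "$mb_gen/data.tar" .
    (cd "$mb_gen" && sha256sum data.tar > manifest.sha256)
    # Drop write permission so a later run, or malware running as this user,
    # cannot silently modify the stored copy. Root can still do so: real
    # immutability needs offline or write-once media, as the article says.
    chmod a-w "$mb_gen/data.tar" "$mb_gen/manifest.sha256" "$mb_gen"
    printf '%s\n' "$mb_gen"
}

# Verify one generation. Returns 0 only if all three checks pass:
#   1. the tarball still matches its SHA-256 manifest (no silent modification),
#   2. a test restore into a scratch directory succeeds (media still readable),
#   3. the stored copy is not write-enabled.
verify_backup() {
    vb_gen="$1"
    (cd "$vb_gen" && sha256sum -c manifest.sha256 >/dev/null 2>&1) || return 1
    vb_scratch=$(mktemp -d)
    if ! tar -C "$vb_scratch" -xf "$vb_gen/data.tar" 2>/dev/null; then
        rm -rf "$vb_scratch"; return 1
    fi
    rm -rf "$vb_scratch"
    # Inspect the mode string rather than using 'test -w', which reports
    # every file as writable when running as root.
    vb_mode=$(ls -l "$vb_gen/data.tar" | cut -c2-10)
    case "$vb_mode" in *w*) return 1 ;; esac
    return 0
}

# Number of generations kept under a backup root.
count_generations() {
    ls -d "$1"/gen-* 2>/dev/null | wc -l | tr -d ' '
}

# Demonstration on constructed data: back up, verify, then simulate a silent
# overwrite of the stored tarball and show that verification now fails.
demo() {
    d_work=$(mktemp -d)
    mkdir -p "$d_work/src"
    printf 'constructed sample document\n' > "$d_work/src/a.txt"
    d_gen=$(make_backup "$d_work/src" "$d_work/backups")
    verify_backup "$d_gen" && echo "OK: $d_gen verified"
    chmod u+w "$d_gen" "$d_gen/data.tar"   # undo protection to simulate tampering
    printf 'garbage' >> "$d_gen/data.tar"
    verify_backup "$d_gen" || echo "DETECTED: $d_gen no longer matches its manifest"
    chmod -R u+w "$d_work" && rm -rf "$d_work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Saved as a script and run with the single argument demo, it reports a fresh generation as verified and then reports the same generation as detected once its tarball has been altered. The permission check only guards against accidental or same-user overwriting; malware running with root privileges can undo it, which is why the article recommends media that are offline or physically write-disabled for at least some copies.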
And the future?
“Don’t make predictions about computing that can be checked in your lifetime” – wise words from Daniel Delbert McCracken. Still, we can risk some extrapolation from the recent evolution of ransomware in order to offer some cautious thoughts about its future evolution.
Targeting
The AIDS Trojan was pretty specific in its targeting. Even then, not many people were interested in the minutiae of AIDS research, distribution of the Trojan by floppy disk was relatively expensive, and the mechanism for paying the ransom didn’t really work to the attacker’s advantage. (Of course, in 1989 Dr. Popp didn’t have the advantage of access to cryptocurrency or the Dark Web, or easy ways to use Western Union (the 419 scammer’s favorite) or to monetize nude photographs.)
The attack itself was ‘classic’ ransomware, in that it deprived the victim of his or her data. Later, DoS and DDoS attacks deprived companies of the ability to benefit from the services they provided: while customers were deprived of those services, it was the provider who was expected to pay. However, as the non-corporate, individual use of the Internet has exploded, the attack surface and the range of potential targets have also widened. Which probably has an influence on the promiscuous distribution of most modern ransomware.
Non-targeting
While the media and security product marketers tend to get excited when a highly visible or high-value victim is disclosed – healthcare sites, academic institutions, telephony service providers, ISPs – it’s inappropriate to assume that these institutions are always being specifically targeted. Since we don’t always know what vector of compromise was used by a specific campaign, we can’t say ‘It never happens!’. But it looks as if ransomware gangs are doing quite nicely out of payments made by large institutions compromised via lateral attacks from employees who have been successfully attacked when using their work accounts. The UK’s NHS Digital, for example, denies that healthcare is being specifically targeted – a view I happen to share, in general – while acknowledging that healthcare sites have ‘often fallen victim’.
Could this change?
At the moment, there still seem to be organizations that are prepared to spend relatively large sums in ransom payment. In some cases, this is a reasonable ‘backup strategy’, acknowledging that it’s sensible to keep a (ransom)war(e) chest topped up in case technical defences fail. In other cases, companies may be hoping that paying up will be more cost-effective than building up complex additional defences that cannot always be fully effective. That in itself may attract targeting of companies perceived to be a soft touch or especially able to pay (financial organizations, casinos). The increased volume of wiper attacks and ransomware attacks where payment does not result in recovery may mitigate this unhealthy trend, but companies that are still perceived as unlikely to harden their defences to the best of their abilities might then be more specifically targeted. It is, after all, likely that a successful attack on a large organization will pay better and more promptly than widespread attacks on random computer users and email addresses.
Data versus Devices
Looking at attacks on smartphones and other mobile devices, these tend to be less focused on data and more on denying the use of the device and the services it facilitates. That’s bad enough where the alternative to paying the ransom may be to lose settings and other data, especially as more people use mobile devices in preference to personal computers and even laptops, so that a wider range of data might be threatened. As the Internet of Unnecessarily Networked Things becomes less avoidable, the attack surface increases, with networked devices and sensors embedded into unexpected items and contexts: from routers to fridges to smart meters, from TVs to toys, from power stations to petrol stations and pacemakers. As everything gets ‘smarter’, the number of services that might be disrupted by malware (whether or not a ransom is demanded) becomes greater. In previous years we’ve discussed the possibilities of what my colleague Stephen Cobb calls the Ransomware of Things. There are fewer in-the-wild examples to date of such threats than you might expect, given the attention they attract. That could easily change, though, especially if more conventional ransomware becomes less effective as a means of making a quick buck. Though I’m not sure that’s going to happen for a while…
On the other hand, there’s not much indication that Internet of Things security is keeping pace with IoT growth. We are already seeing plenty of hacker interest in the monetization of IoT insecurity. It’s not as simple as the media sometimes assume to write and distribute malware that will affect a wide range of IoT devices and beyond, so there’s no cause for panic, but we shouldn’t underestimate the digital underworld’s tenacity and ability to come up with surprising twists.
* Apologies to the shade of Henry Newbolt who wrote Vitai Lampada, from which I’ve misquoted: https://en.wikipedia.org/wiki/Henry_Newbolt

6.3.18

‘INTERPOL Digital Security Challenge’: Global police test their cyber-chops in simulated IoT attack

Cybercrime investigators from across the world joined a training exercise recently that had them dealing with a simulated attack launched through an Internet-of-Things (IoT) device.
A total of 43 investigators and experts in digital forensics from 23 countries investigated the would-be attack on a bank. The exercise, called the ‘INTERPOL Digital Security Challenge’, was organized by INTERPOL in Vienna, Austria, and took place over three days in February.
The organization noted that police forces worldwide are often unaware of how to collect forensic evidence from devices other than computers and mobiles. This issue is especially relevant considering the significant cybersecurity risks that the proliferation of vulnerable IoT devices represents.
“Cybercrime investigations are becoming more and more complex and operational exercises such as the Digital Security Challenge, which simulate some of the hurdles that investigators face every day, are vital for the development of our capacities,” Peter Goldgruber, Secretary General of the Austrian Ministry of the Interior, was quoted as saying.
The set-up
In INTERPOL’s scenario, adversaries deployed malware in an attempt to siphon off large amounts of money from the bank.
The investigators applied digital forensics to establish when and where on the bank’s computers the malicious code was installed.
“Through this digital forensic examination, the teams discovered the malware was contained in an e-mail attachment sent via a webcam which had been hacked, and not directly from a computer,” said INTERPOL. The organization added that this “emerging modus operandi” is aimed at helping cover up the source of the attack.
After examining data on the hacked webcam, the investigators identified the command and control (C&C) server that was used for controlling the webcam remotely and for carrying out the attack itself.
The investigators later identified another C&C server, as well as a number of server vulnerabilities that “could be used to prevent further attacks”, said INTERPOL.
The financial sector in general remains a juicy target for cyber-thugs, as shown by recent incidents in Russia and India, and earlier in Bangladesh.
In INTERPOL’s Digital Security Challenge in February 2017, investigators were tasked with tracking down the perpetrator of a ransomware attack.
In the first incarnation of the event in 2016, they had to come to grips with the challenge of identifying, within 52 hours, a blackmailer who demanded a ransom of 10,000 bitcoin on pain of releasing sensitive corporate information.

5.3.18

Can you design a secure smart home?

When we talk about the Internet of Things (IoT), most of us spontaneously think of the devices we connect to a network for convenience, such as thermostats, light switches, connected cars and interactive toys for our children.
While the IoT is indeed a wonderful invention, designed to make everyday digital life even easier, how secure is it when it comes to protecting your privacy?
I studied some of the most popular IoT devices on the market together with a team of ESET researchers. The aim: to build a basic ‘smart home’ with connectable objects such as those you would find in a typical household.
The notions of interconnectivity and the smart home are rarely at the heart of science-fiction stories, but they are often part of the backdrop. Thanks to the IoT, the smart home now seems not only realistic but even mundane in some respects.
To what extent can you really build your own smart home? Many problems can arise when you try to create your own interconnected home. Interoperability between devices from different manufacturers, and getting them to work together, is one of the major challenges facing anyone who wants to build a smart home, or one as smart as possible!
We bought a few IoT devices that could be considered essential for a starter kit to experiment with an interconnected home. We also bought a virtual personal assistant (a device that takes voice commands and can control several of the devices we purchased; in fact, this type of device can effectively kick-start a smart home, which can then be expanded with other connected devices).
Our primary concern was to design a smart home without compromising privacy. We were worried that the devices in the home might collect private data. Of course, we knew that most devices and services need to obtain basic personal information. Worryingly, though, we found that companies often used the phrase ‘but not limited to’, which implies (https://www.welivesecurity.com/2016/01/05/consumers-cautious-iot-device-security/) that they could capture more personal data than is listed in the corresponding privacy policy.
In total, we tested twelve products from seven vendors, including one product that we did not include in the final report because of the discovery of significant vulnerabilities. As a security company, we are firmly committed to responsible disclosure and to the collaborative nature of the IT security industry. We therefore notified the company in question with precise details of the device’s shortcomings; we will not publish the details until the vendor has had time to fix these problems.
Although every device tested raised some privacy questions, it was the role of voice-activated smart assistants that raised the most serious concerns. This is due, among other things, to the fear of excessive data sharing by commercial services, insufficient protection of stored personal data, and the possibility of digital traffic being intercepted, for example by cybercriminals.
Can you build a secure smart home?
To be honest… Maybe. No device or piece of software can guarantee that it is secure or immune to potential vulnerabilities. However, a company’s security culture can be judged by how it reacts when vulnerabilities are disclosed. Some of the devices tested had vulnerabilities that were addressed quickly through new software and firmware. Where vulnerabilities are not fixed quickly (or at all), it is probably better to opt for an equivalent device. But with good judgment and caution, you can indeed start building a basic smart home.
Conclusion
At the outset, the goal of this project was to build a basic smart home, similar to what you might find in a typical household. Our research team’s worry was: ‘What if we don’t find any problems?’ Unfortunately, that is not what happened. In fact, the conclusion I have written turns out to be quite different from what we envisaged at the start.
The risk that the data collected by internet service providers about your home, lifestyle and health, or even the entire set of data connected through those providers, becomes accessible to a single entity should only be accepted after the consequences have been duly considered.
For the full list of devices tested, along with a more technical description of the products, see our new white paper: IoT: Privacy and the Design of a Smart Home.