Tuesday, February 23, 2016

Hospital Held Hostage, FBiOS and CEO Phishing

   I usually don't do "news of the week" commentary posts, but too much has happened this past week and we need to discuss it!

Hospital Held Hostage.

   I'm sure by now you've seen some info on what happened at Hollywood Presbyterian Medical Center in California.  Just in case you were on a desert island... on Feb. 5 HPMC experienced a cryptoware attack.  We've talked about those before... it's malicious software that encrypts files so that only the attacker can read them... the people who need to can't.  The story broke about 10 days later.

   Cryptoware becomes ransomware when the attackers offer to fix the problem - decrypt the files - for a "small consulting fee", usually not small and paid in bitcoin, an untraceable online currency.

   The situation itself is, unfortunately, not unique.  These kinds of attacks have been happening everywhere for years.  But there are two things that happened in this case that are unique.  First, the cryptoware completely shut down all the computerized systems in the hospital.  That means no electronic medical records, radiology, anesthesiology... just about any -ology and most hospital functions are computerized.  The hospital reverted to paper and had to turn away surgery patients or those needing more complex diagnosis, tests or procedures.  

   Second, the hospital paid the ransom.  This is the first publicized case of both a hospital shut down in this way and paying the ransom to restore their files.

   Most hospitals have procedures, called "down time procedures" for operating without some computerized resources.  And there is an incident handling process called HICS - Hospital Incident Command System - based on US FEMA (Federal Emergency Management Agency) NIMS (National Incident Management System).  But there are still medical procedures that can't be done with out access to the electronic data or computer-controlled systems.

   This attack is not OK.  Stealing people's data is bad enough.  But this affects lives.

FAQ:
   Can this happen here (wherever "here" is)?  It can, it has, it does and it will.  All industries and even home systems have been hit.  It's not "if", but "when".

   Can't we prevent it?  Yes!

   Wait.  What?  There's more to that story.  An attack like this can be prevented, but systems would have to be locked down so tight that they might not be usable.  And that's not a solution.  But there are some proactive things that can be done:
  • Don't click!  Most of these kinds of attacks start with the click of a link on a website or in an email, or opening an email attachment.  We've discussed this many times before... if you're not expecting it, if it doesn't look right, if it's not consistent... don't click!
  • Endpoint controls.  These are controls on your desktop or laptop computer including old-school anti-virus, application whitelisting, and execution controls; operational procedures like having a standard workstation configuration and regular patching.
  • Network/System controls.  Like monitoring and keeping all applications up to date with the latest versions and patches, and reliable and tested offline backups.
  • Internet controls.  Like web site filtering and email controls.
   So why did they pay?  Isn't that bad?  In some cases, if the cryptoware infection gets so bad that the organization cannot recover, there may be no other choice then to pay.  And even that's no guarantee that the attackers will or can give you the key to decrypt the files.  In some attacks, if the victim doesn't pay in time, the key is deleted and the files could be unrecoverable.  It's obviously better not to pay (or not to have to pay!), but the organization might not have a choice.

   CSI:Cyber did an episode on a hospital malware attack in Nov. 2015.  I wrote about that here.

   Just a quick commentary on the other two issues.

CEO Phishing.

   Or perhaps more correctly... phishing from your CEO!  In this phishing attack variant, an email comes from "the CEO" (or other highly placed official) demanding some kind of immediate action, typically involving wiring money.  All too often, the recipient does what they're told and sends the funds.

   Recent issues in the US and in France have kept this in the news.  Now Microsoft is getting in on the act, trying to make improvements to Outlook to help with this problem.

   As we've discussed in the past, if something on a web page or email doesn't look right, it probably isn't.  Don't click; Report it!  And even if you did click, report it!

FBiOS.

   After the San Bernadino, California terrorist shooting last December, Federal authorities captured one of the attacker's cell phone.  It is an Apple 5C.  Because of the way Apple encrypts its phones, law enforcement has been unable to view the contents of the phone.

   This week a federal judge ordered Apple to help unlock the phone.  The order is based upon the 1789 law called the All Writs Act.  Apple has chosen not to comply and that has led to plenty of discussion on both sides of the issue.  Apple says helping would set a bad precedent and weaken their phones' protections.  The FBI says it's Apple's duty to help with this criminal investigation.

   As is so often the case, there is no perfect answer.

   As Benjamin Franklin famously did not say, "Those who give up liberty for security deserve neither".  The reality for encryption is, if we make technology that law enforcement can crack, then anyone can crack it.  This is true because of the law no one can break - the law of mathematics!

   However, the Apple 5C uses an older encryption method than their newer phone.  So in this case, Apple could help without compromising everyone else's security and privacy.

   There's some great in-depth discussion of this issue on the TWIT podcast this week.

   Here are some good articles with more details.  We'll watch to see how this plays out.

Tuesday, February 9, 2016

How To Vault (part 1)

   I was recently asked to provide more information on vaults.  I think this is a memorable one :-).


  Well, to be more precise, the question was about password vaults...
you've talked about password vaults and it seems like something should do, but I'm not sure how to start and it still seems a bit scary.
   That is a great question.  We've talked about passwords and password vaults a number of times in the past including here, here and here.

   But why do we even need something like a password vault.  There are a few reasons, and they have to do with the problems passwords pose: