Wednesday, July 06, 2016
Local. The hackers were inside but opted to test their ransomware rather than steal just a few thousand patient records? Or perhaps they did that first.
Jennie Trejo reports:
Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR), a full-service allergy clinic, found evidence of ransomware on its computer systems on May 16.
Kari Hershey, an attorney for AAIR, said the disturbance was first noticed when they had trouble accessing a few of the documents.
“They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system,” Hershey said. “The way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”
Because the ransomware was still in its early stages, there is no evidence that any of the information on the system has been copied or used in any way, although it did pass through a password protected firewall. Hershey said they would expect to know if sensitive information was harvested by this point in the investigation.
“Having said that, there was a breach of the system. Just out of an abundance of caution, we do want people to sign up for an identity theft protection program. That way if they do have a problem they can get help.”
Read more on the Post Independent.
The incident was reported to HHS as affecting 6,851 patients.
For my Computer Security students – at least those who drive to school.
Automotive cybersecurity; what we don't hack will probably be used to kill us
… Just imagine your own car traveling at speed and having your ability to steer, alter speed, and brake, taken away and then being ransomed to regain control.
Think this impossible? Last year, Wired wrote about a couple of hackers remotely disabling a Chrysler Jeep Cherokee while it was heading down a freeway at 70 miles per hour.
… The subsequent paper by Miller and Valasek, Remote Exploitation of an Unaltered Passenger Vehicle, goes into even more detail on how the hack was engineered.
… Should you want to know more about automotive hacking, you might like to check out the recently published The Car Hacker’s Handbook: A Guide for the Penetration Tester by Craig Smith.
Together, a userid and password are intended to identify an individual. Sharing them for any reason defeats the purpose.
Court decision raises issues about sharing passwords
An appeals court has ruled that a former employee of a company, whose computer access credentials were revoked, had acted “without authorization” in violation of the Computer Fraud and Abuse Act, when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.
The opinion of the court is likely to be controversial as it is expected to have implications on commonplace sharing of passwords by husbands, co-workers and friends even for innocuous purposes.
One of the three judges, Stephen Reinhardt, dissented from the majority opinion, stating that “people frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it.”
The CFAA in his view “does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
This could be useful.
Microsoft Proposes Independent Body to Attribute Cyber Attacks
Microsoft has published a paper that proposes a series of recommended 'norms' of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms. Most of the norms are uncontentious and self-evident - but one in particular (which is a form of 'responsible disclosure') is less so. Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.
From Articulation to Implementation: Enabling progress on cybersecurity norms was developed by a team led by Scott Charney, Microsoft's Corporate Vice President for Trustworthy Computing.
Something subtle for my Computer Security students to ponder.
How social media is changing what can be said, when and where
… When Dave closes a deal he takes the team out for beers, treats his family to a nice dinner out and brags about it on his social media accounts.
… Amy, in your accounting department, has a different social media presence.
She blogs regularly on Tumblr and posts selfies on Instagram while in pensive poses when problems overwhelm her. Both Dave and Amy represent major risks for your company.
… Dave is a bit of a braggart and read his tweets with interest. When he tweets about beating his toughest competitor in a sales presentation and landing a big contract, the investors buy.
Dave has given them insider information and doesn't even know it.
… Employees who follow Amy's social media accounts sense that there's something wrong. They see her stress level increasing, note the workload on her desk and worry about their own future. Productivity drops. Rumors start. Bad things happen.
… Both Dave and Amy have innocently been doing what millions of people do every day - they have been posting about their personal lives on their social media accounts. But what they haven't realized - and what may affect your company - is that what they write, post or repeat on social media can cause employee problems, productivity issues and even financial damage.
It's because your company doesn't have a social media policy. In today's world you need to be aware of, or perhaps even control, what is said on your employees' Facebook, Twitter, Instagram or even Pinterest accounts.
Interesting, thoughtful and amusing.
Did The FBI End Clinton’s Email Problems Or Make Them Worse?
The future of company devices may be ‘as-a-Service’
… The ability to deploy only assets as needed based on workload is a big one. This means a company has the ability to flex up, adding devices as needed when its workforce grows. More importantly, however, is the ability to flex down. The problem with the traditional PC procurement model is companies that decrease the size of their workforce due to seasonal changes, layoffs, or the like, have to deal with the surplus of PCs (and sunk costs) that result. In a DaaS model, the provider takes back those devices, potentially redeploying them with another client.
I wonder if it would recognize all the hand gestures I learned back in New Jersey? If so, would it try to run me down?
Google's robot cars recognize cyclists' hand signals — better than most cyclists