Friday, February 10, 2017

Get Ready for Hospital Ransomware Attacks 2.0

Hollywood Presbyterian Medical Center
View the original article by Jack Danahy here at Becker's Hospital Review. Image courtesy of the LA Times

On February 5, 2016, staff members at Hollywood Presbyterian Medical Center began having difficulty accessing the hospital's computer network. The IT department was called in to investigate, and quickly, their worst fears were confirmed — the hospital's network had been infected with ransomware.

Shortly afterwards, hospital staff declared an internal state of emergency, and IT systems were forced offline, knocking out access to electronic health records. This decision triggered a chain reaction of service delays and outages that spread throughout the organization with serious effects: Staff reverted to communicating via fax machines. Paperwork was completed by hand. Lab work and test results were inaccessible. CT scanning and the radiation oncology department were temporarily shut down. Some emergency patients had to be diverted to other hospitals for care.

What had started out as files getting encrypted had quickly snowballed into hospital-wide operations grinding to a halt.

The disruption lasted for 10 days. In the end, the hospital determined that paying a ransom of $17,000 was "the quickest and most efficient way" to get things back up and running. Yes, they were paying to restore the encrypted data, but more importantly, they were paying to be back in business.

Still think the primary threat of ransomware is data loss?

Make no mistake — the ultimate objective of hackers targeting institutions like hospitals isn't to encrypt their files. The true goal is to frighten the victim into paying by creating widespread disruption. File encryption has simply been a common means to that end. As the attack becomes more debilitating to the victim's operations, it grows more and more likely that the attacker will be able to demand, and receive, a bigger ransom payment.

Hollywood Presbyterian wasn't the only healthcare provider to suffer through ransomware attacks and pay ransoms in 2016. Marin Medical Practices and Kansas Heart Hospital were two other prominent cases. Educated by these successes, criminals are now tailoring their attacks to make them even more effective. Here are three tactics we've seen in the wild that are likely to become more widespread in 2017.

Beyond encryption: 3 ways criminals are making their attacks more disruptive

1) Developing ransomware strains that spread like a virus

Imagine a ransomware attack that not only encrypts files but also turns them into ticking time bombs, designed to spread their infection to more machines and users as soon as it executes. That's the direction new variants like Virlock are taking to expand the scope of their disruption. By adopting traditional parasitic virus techniques, it does more than simply encrypt victim files, it also injects them with malicious code that kicks off new attacks to replicate itself from one machine to another.
The latest version of Virlock can even spread through cloud storage and collaboration applications, making it possible for one infected user to spread it across an entire enterprise network.

2) Creating new versions of ransomware that disable the victim systems

The popularity of file encryption as the primary threat in ransomware began, at least in part, because that type of transformation is straightforward, leaving the system capable of connecting to the network for payment and decryption, and showing the victim the comforting, if frustrating, local presence of their valued files. As the frequency and public reporting of ransomware has increased, organizations have moved to improve their recovery strategies, particularly in the form of more comprehensive and tightly managed backups. In the presence of these backups (a common best practice in any case), paying the ransom is much less likely, since restoration of data is a sure thing without paying criminals.

Seeing this, some attackers have changed their tactic to disabling the system entirely. Ransomware variants such as Petya attack systems at the boot level, preventing rebooting to anything but the Petya screen, and encrypting the tables which describe the locations of all of the data on the disk. An attack like Petya, combined with parasitic expansion capabilities like Virlock, would create campaigns that could routinely cause the kind of debilitating breach that would take days or weeks to resolve.

3) Turning ransomware attacks into data breach events

Threatening to permanently destroy encrypted files is a common ransomware tactic. Many variants even incorporate a countdown element, adding a sense of urgency to the victim's decision to pay.

New strains are taking things a step further. Instead of threatening to destroy encrypted information, they're threatening to release it publicly — a tactic known as doxxing. An example is Jigsaw, which not only encrypts a victim's data, but threatens to send copies of those stolen files to all of the victim's contacts. This shift in tactics is especially relevant for hospitals and other healthcare service providers who are required to report exposures of private patient medical records, and who can be fined extensively for violations.

This changes the ransom equation completely, since the very best backup will not be able to put the private data genie back into the secure storage bottle. Criminals are raising their demands accordingly. On January 11, an Indiana-based cancer services agency received a demand for $43,000 in exchange for the hackers not releasing the data of thousands of cancer patients. This was done interactively, by a human, but with tools like Jigsaw available, the automation and anonymization of this tactic is not far off.

Prescription: A tight focus on prevention
The best way for healthcare organizations to avoid extensive damage from the next evolution of ransomware attacks will be to avoid them in the first place.

While attack tactics and technology change constantly, one relative constant has been the entry point that criminals target most often — users and their endpoints. By committing to improving user training and establishing better endpoint security that protects users even if they do make a mistake, hospitals can reduce their risk considerably and block attacks before they spiral out of control.

Tuesday, January 17, 2017

Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

Image Source: Shutterstock
There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.

The Phishing Attack: What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see in there. It looks like this….

You go ahead and sign in on a fully functional sign-in page that looks like this:

GMail data URI phishing sign-in page

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.

Once they have access to your account, the attacker has full access to all your emails, sent and received, and may download the whole lot.

Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.

What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.

How to protect yourself against this phishing attack

You have always been told: “Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.”

In the attack above, you did exactly that and saw ‘‘ in the location bar, so you went ahead and signed in.

To protect yourself against this you need to change what you are checking in the location bar.

This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

GMail phishing data uri showing script

There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.

As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.

You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught, several technical users who have either tweeted, blogged or commented about it. There is a specific reason why this is so effective that has to do with human perception. I describe that in the next section.

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

Gmail phishing secure URI example

Make sure there is nothing before the hostname ‘’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
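The two checks above, protocol first and then hostname, can be expressed as a small parser-backed classifier. The following is an added example, not code from the original post; it uses Node's built-in WHATWG `URL` class (available globally in Node 10 and later), which applies the same scheme rules a browser does, and it assumes `accounts.google.com` as the expected sign-in host, since the post itself elides the hostname. The sample location-bar strings are constructed for the example; the `data:` sample carries only a placeholder comment where the fake page would be.

```javascript
// Added example (not from the original post): classify what a browser's
// location bar shows before a sign-in, in the order the post advises:
// verify the protocol, then verify the hostname.

// Assumption: the legitimate sign-in host we expect. The post elides the real
// hostname; accounts.google.com is used here as an illustrative expectation.
const EXPECTED_HOST = "accounts.google.com";

/**
 * Returns one of:
 *   "ok"          https:// and exactly the expected hostname
 *   "data-uri"    a data: URL: the whole page is embedded in the address
 *   "insecure"    plain http:// (no transport security)
 *   "wrong-host"  https:// but a different host (look-alike or subdomain trick)
 *   "unparseable" not a URL at all
 */
function classifyLocation(locationText, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(locationText.trim());
  } catch (e) {
    return "unparseable";
  }
  // Step 1: the protocol. A data: URL has no host at all; the trusted-looking
  // "https://..." the eye lands on is just text inside the data payload, so
  // url.hostname is the empty string here.
  if (url.protocol === "data:") return "data-uri";
  if (url.protocol !== "https:") return "insecure";
  // Step 2: the hostname, compared whole (the parser already lower-cases it).
  // A prefix or substring match would wrongly accept "accounts.google.com.example".
  if (url.hostname !== expectedHost.toLowerCase()) return "wrong-host";
  return "ok";
}

// Constructed samples modelled on the location bars described in the post.
const SAMPLES = {
  genuine: "https://accounts.google.com/ServiceLogin?service=mail",
  // The run of spaces mimics the whitespace padding the post mentions; the
  // HTML comment stands in for the fake sign-in page's markup.
  dataUri:
    "data:text/html,https://accounts.google.com/ServiceLogin" +
    "                                                        " +
    "<html><!-- placeholder for the fake sign-in page --></html>",
  plainHttp: "http://accounts.google.com/ServiceLogin",
  lookAlike: "https://accounts.google.com.example/ServiceLogin",
  mixedCase: "HTTPS://Accounts.Google.com/ServiceLogin",
};

// Classify every sample and return the verdicts keyed by sample name.
function classifyAll(samples = SAMPLES) {
  const verdicts = {};
  for (const [name, text] of Object.entries(samples)) {
    verdicts[name] = classifyLocation(text);
  }
  return verdicts;
}

console.log(classifyAll());
```

The point the code makes concrete is that a `data:` address is not an origin: the parser reports `protocol === "data:"` and an empty `hostname`, so the `https://` and hostname that appear a few characters later never reach the hostname check at all. The same two-step order (scheme, then exact host) is what a browser's own address bar is telling you when it shows green `https` beside the domain.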

Enable two factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.

Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.

Why Google won’t fix this and what they should do

Google’s response to a customer asking about this was as follows:

“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.”

This is likely a junior person within the organization based on the grammatical errors. I disagree with this response for a few reasons:

Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure.

Gmail phishing secure URI example

They also use a different way of displaying the protocol when a page is insecure, marking it red with a line through it:

During this attack, a user sees neither green nor red. They see ordinary black text:

That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected. [Read more: Gestalt principles of human perception and ‘uniform connectedness’ and Content Blindspots]

In this case the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted.

What Google needs to do in this case is change the way ‘data:text/html’ is displayed in the browser. There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.

Update: How to check if your account is already compromised

There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.

If you use GMail, you can check your login activity to find out if someone else is signing into your account. Visit for info. To use this feature, scroll to the bottom of your inbox and click “Details” (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don’t know, you may have been hacked. [Thanks Ken, I pasted your comment in here almost verbatim. Very helpful.]

There is a trustworthy site run by Troy Hunt who is a well known security researcher where you can check if any of your email accounts have been part of a data leak. Troy’s site is and it is well known in security circles. Simply enter your email address and hit the button.

Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.

Spread the word.

Friday, December 16, 2016

Yahoo Says 1 Billion User Accounts Were Hacked

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password.

View the original article from The New York Times here.

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.
The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.
Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks — a mass mailing of unwanted messages — the following year.

“What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward,” said Jay Kaplan, the chief executive of Synack, a security company. “Yahoo has a long way to go to catch up to these threats.”

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.

In July, Yahoo agreed to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

Correction: December 14, 2016
An earlier version of this article misstated the day Yahoo announced 1 billion user accounts had been compromised. It was Wednesday, not Thursday.

Monday, November 28, 2016

Passengers Ride Free on San Francisco Subway after Ransomware Attack

Hard-drive-scrambling ransomware menaced more than 2,000 systems at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data.

San Francisco Subway Car in Station

View the original article from The Register here.

Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.

A variant of the HDDCryptor malware infected 2,112 computers within the San Francisco Municipal Transportation Agency, the ransomware's masters claimed in email correspondence seen by El Reg.

These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. We're told that the worm-like malware automatically attacked the agency's network, and was able to reach the organization's domain controller and compromise network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency's network.

After the vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: "You Hacked, ALL Data Encrypted, Contact For Key ( ID:601."

HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks' MBRs, where possible, to prevent systems from booting up properly. A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, and then the infection spreads out across the network.

When the 100-bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over a master decryption key to restore the ciphered drives and files. A bitcoin wallet into which the transit agency is expected to pay remains empty.

The extortionists behind the malware have complained that no one at the agency has so far spoken to them let alone offered to pay. The crooks said they will give Muni officials another day or so to get in touch before walking away. They also offered to decrypt one machine for one bitcoin to prove restoration is possible.

"Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 server/PCs [were] infected by software," the ransomware's masterminds claimed in a statement in broken English on Sunday via email. "So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we close this email [account] tomorrow."
You've been hacked ... Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)

Buses and the underground-overground Muni rail system continue to run. The Muni's turnstiles were left open from Friday night, though, allowing people to travel for free. Ticketing systems were halted with "out of service" messages in the wake of the infection.

"There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact," the transit agency's spokesman Paul Rose said on Saturday. "Because this is an ongoing investigation it would not be appropriate to provide additional details at this point."

San Francisco's public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware. Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don't. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware. ®

Friday, November 4, 2016

Computer Virus Forces Hospitals to Cancel Operations

A computer virus has forced three hospitals offline and caused the cancellation of all routine operations and outpatient appointments.

The hospital says the "major incident" means patients should avoid visiting if possible.
Image: ZDNet

View the original article from ZDNet here.

The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus.

"A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive, according to the BBC.

The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack.

As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been cancelled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.

The NHS Trust hasn't provided specific information about the sort of virus or malware which has infected its systems -- or how it managed to breach any defenses.

The hospital says that from Wednesday appointments in some areas -- audiology, physiological measurement, antenatal, community and therapy, chemotherapy, pediatrics, and gynecology -- will be going ahead and it will be contacting patients who are able to be seen.

Northern Lincolnshire and Goole NHS Foundation Trust says it is reviewing the situation on an hourly basis and offers its apologies to patients who are being affected.

Monday, October 3, 2016

October 2016 Security Awareness

Throughout October, Technology Services will offer interactive educational activities to help you achieve those goals—for each activity you complete, you will be entered into a drawing at the end of the month for an Apple TV. As well, participation in each week’s activity will gain you access to the weekly drawing for a $25 Amazon gift card!
Watch CougarTrack for the weekly activity announcement!

Monday, August 1, 2016

Who's on the other end of that line? An imposter


In an imposter scam, fraudsters take on the identity of someone else -- a government agency, a sweepstakes company, or even a relative desperate for help -- to pressure victims into paying money for taxes, a prize, or a quick personal loan. Regardless of the ruse, these scams are designed to do one thing: quickly separate victims from their money.

Imagine the scenario: Your phone rings and the voice on the other end congratulates you for winning a sweepstakes. Great news, right?

Now imagine another scenario: You receive a call from someone claiming to be tech support for your computer. They say they’ve received reports that your machine may be infected with a virus and they need you to give them access so they can look into it.

Here’s an even worse thought: Your phone rings, but the caller says that they’re with the IRS, that you owe the government money, and that you will go to jail if you do not pay up immediately.

Depending on which scenario plays out on your phone line, you could be overjoyed or afraid. The odds are, however, that regardless of whether the caller says you’re a sweepstakes winner or that you owe the government money, you have just become a victim of one of the most popular scams around: the imposter scam.

In imposter scams, con artists pose as someone else -- the IRS, a sweepstakes company, or a long-lost relative in need. The caller might say they need money for unpaid “taxes” owed to the IRS, or “processing fees” to claim a prize, or “lawyers fees” to get a loved one out of a jam. The set-ups vary, but these high-pressure con artists are good at what they do -- convincing victims they need to pay up -- or hand over personal information -- in order to quickly resolve an issue.

If the victim agrees to pay, scammers typically ask for payment via a hard-to-track method such as a wire transfer, reloadable debit card, or iTunes gift card.

Unfortunately, these high pressure and often intimidating tactics appear to be working. Last year, these scams were the third most common complaint that the Federal Trade Commission (FTC) received, with more than 350,000 consumers reporting they’d fallen victim. They’re also one of the top scams that we hear about at year in and year out.

A consumer complaint we received at recently is typical of this scam. A grandfather in Florida received a phone call from a girl in tears pretending to be his granddaughter. His “granddaughter” said that she was arrested after an auto accident and that drugs were found in her car. The girl was supposedly overseas at the time and said that the American Embassy needed $1,150 to be wire transferred to her attorney overseas so that her lawyer could pay her bond, and then get her on an evening flight back home.

In this case and many others, the consumer fell victim to the imposter scam and lost the money he was tricked into sending the scam artist.

With the imposter scam coming in so many different variations, how can you and your loved ones learn to spot it and avoid becoming its next victim? Here are some basic tips you can use to help identify and protect yourself from a potential imposter scammer:
  1. You can’t trust Caller ID. Scammers are pros at tricking Caller ID systems into showing the caller information they want it to show. Just because the Caller ID says “IRS,” “police,” or “National Consumers League,” that does not guarantee that the person on the other end is with that organization.
  2. Don’t engage. Hang up. If you receive a call from someone urgently requesting money, don’t try and figure out whether they’re legitimate or not while they’re on the phone with you. Scammers are professionals who know exactly what buttons to push to get you to make a quick decision. The best thing you can do is simply hang up.
  3. Be careful of emails, too. Scammers also run the imposter scam over email. If you receive an email from someone demanding money right away, it’s probably a scam. Instead of replying, simply delete the email. Don’t click on any links or attachments that come with the email. They could contain malware that will infect your computer and steal your personal information.
  4. Look up the information on your own. If you’re concerned that the caller or email sender was for real, look up the phone number for the individual or agency in your phonebook or on the agency’s or company’s official website. Call that number yourself and check to see if what you were told by the caller is accurate.
  5. Never pay for a prize. If someone informs you that you won a prize, you should not have to pay any taxes, delivery fees, or insurance payments to collect it. If they tell you otherwise, it’s a scam.
  6. If asked for payment with a wire transfer, cash-reload card, or gift card--it’s a scam. These are all ways that scammers love to be paid because it’s practically impossible to track.
  7. Report suspected fraud. If you become a victim of an imposter scam or you suspect you have spotted one, report it! You can file a complaint at via our secure online complaint form. We’ll share your complaint with our network of more than 90 law enforcement and consumer protection agency partners who can and do put fraudsters behind bars. The Federal Trade Commission also has many great resources on imposter scams available
  8. Print our Avoid Imposter Scams graphic and leave it by your phone to help loved ones know what to do in case they receive a call.