Baptist Medical Center Pwned…. 1.24 Million Patients' Data Is In The Wild

Posted in Commentary with tags on June 28, 2022 by itnerd

Baptist Medical Center has suffered a malware attack, which involved the exfiltration of data affecting more than 1.24 million patients from two Texas hospitals, according to a statement from Baptist Medical Center:

On April 20, 2022, it was discovered that certain systems within our network may have been infected with malicious code as a result of potentially unauthorized activity. In response to this incident, user access was immediately suspended to impacted information technology applications, extensive cybersecurity protection protocols were executed, and steps were quickly taken to restrict further unauthorized activity. In parallel, an investigation of the incident was immediately launched, and a national forensic firm was engaged to assist with investigation and remediation efforts. Although the investigation is ongoing, it has been determined that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022. As a result of this review, it appears that your personal information may have been involved.

Clearly this isn’t a trivial event given the large number of people who were affected.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

     “Here is yet another example of a security lapse involving a third party. All network access should be monitored continuously in order to detect unauthorized access by malicious insiders, third party contractors, and cybercriminals. Insider threats can quickly become external threats as we’ve seen in this case. Organizations need to re-evaluate their threat detection, investigation and response (TDIR) programs to enhance insider risk and threat initiatives. The most effective defense is an advanced set of behavioral analytics, to baseline and monitor for unusual user behaviors and catch bad actors in real-time before data is exfiltrated.”

The second comment is from Artur Kane, VP of Product for GoodAccess:

     “Hospitals are a tempting target for financially oriented cyberattacks, as the records of malware and ransomware incidents from the past couple of years show. There are three main reasons why cyber criminals like to pick them:

  • First, they have a lot of data to steal. Healthcare institutions contain enormous troves of patients’ personal data, which provides hackers with plenty of loot to sell, if not exploit directly. 
  • Second, hospitals are more likely to pay a high ransom. Healthcare institutions often have large budgets that are required to sustain the large number of highly qualified staff in their employment and cover the upkeep of hi-tech medical equipment. But when a ransomware attack encrypts their sensitive information, hospitals face the threat of a data leak and, worse still, they can no longer provide treatment, which directly threatens human lives. Under such circumstances, healthcare institutions are pushed to comply with the ransom demands to allow them to resume providing medical services.
  • Third, hospitals often lack defenses. Hospitals are similar to banks in how much sensitive data they curate, but they don’t have information protection so deeply rooted in their pedigree. Their purpose is to provide health care, not guard someone’s assets. This could be why their IT is often understaffed and their vast infrastructures often contain vulnerabilities or run on legacy systems, offering exploitable points of entry for potential attackers. Some of their medical equipment can also harbor malware without it being detected, such as an MRI scanner that runs on Windows but doesn’t even have an antivirus. Their priority is uptime, not security.

However, healthcare institutions can still significantly reduce the risk of an attack by implementing a few security measures:

  • The first is regular and thorough backup of all sensitive data. This is an absolute no-brainer. The likelihood of attacks on healthcare institutions borders on the inevitable and having the ability to recover lost data can save millions of dollars in ransom or damages.
  • Next is adopting a zero-trust network access (ZTNA) policy, which on its own brings several benefits. Under ZTNA, users have to use strong authentication, typically reinforced by multiple identity factors (multi-factor authentication). This makes it much harder for attackers to exploit stolen access credentials. In addition, proper ZTNA keeps logs on all access attempts by users, which can be a helpful resource for tracing the progress of the breach during post-compromise analysis and patching up vulnerabilities thus discovered.

ZTNA operates on the least-privilege principle, which means that users can only access those systems they require for their work, but no others. This approach segments the network, confining the attacker only to a pool of systems to exploit, but denying them free rein of the network, causing difficulty escalating the attack further.

  • Lastly, healthcare institutions need real-time end-to-end network-centric threat detection. Even with the latest patches and vulnerability updates in place, compromise is likely, and hospitals need to invest in solutions that can detect threat activity in network traffic, such as NDR (network detection and response). Given the exorbitant cost of damage that hospitals suffer as a result of malware and ransomware attacks, the investment pays for itself rapidly.”

Things really need to improve as these events keep happening and it is my perception that little is being done until after the event happens. That needs to change or else I suspect that events like this will become more frequent and more severe.

Google for Startups Accelerator expands support for Underrepresented Founders with applications for the Black Founders & Women Founders programs

Posted in Commentary with tags on June 28, 2022 by itnerd

Today, Google Canada announced that applications are open for the 2022 cohorts of both the Google for Startups Accelerator: Black Founders program and the Google for Startups Accelerator: Women Founders program, marking the third year for both programs across North America.

Black and women entrepreneurs continue to be underrepresented in Canada’s tech startup ecosystem because many lack access to resources required to launch their business. 

  • For Black founders, a recent study underscores how securing funding, financing, capital or sales is the most significant barrier to scaling their business. 
  • Similarly for women founders, women are less likely to receive venture capital or angel funding and other forms of leverage such as trade credit or capital leasing, compared to their male counterparts.

To address the challenges underrepresented founders face, up to twelve technology startups from across North America will be selected to participate in each accelerator, which provides programming tailored to the specific needs of Black- and women-led startups and includes deep dives and workshops focused on product design, customer acquisition and leadership development for founders.

You can read more info in their blog post. Applications for the program are now open to startups across all sectors until July 28. 

How Do You Minimize The Impact Of A Ransomware Attack? PhishLabs Can Help You With That

Posted in Commentary with tags on June 28, 2022 by itnerd

Ransomware operators are strategically targeting enterprises, disabling critical systems, and publishing stolen data. The average ransom demand has increased 144% and the pressure to pay is evident with payments met more than half the time. Industries of all types are being targeted, with critical services and infrastructure no longer immune to attack.

This leads to the question: how can you protect yourself from a ransomware attack? Or, if you are the unfortunate victim of one, how do you minimize the impact?

Eric George, Director, Solution Engineering at PhishLabs by HelpSystems says:

“Businesses that fall prey to ransomware often feel helpless determining a solution post incident because the threat itself is in a constant state of evolution. Determining what action your organization should take in the wake of an attack is more than a binary decision and must be approached in a comprehensive manner that adds layers of depth to existing security measures.

Ultimately, enterprises experience the most pain when they are faced with compromise and lack options or a clear path of action. If unprepared, enterprises can find themselves in a situation in which the only viable option is to pay the ransom and hope the threat actor honors the agreement. Multiple ransomware actors and complex campaigns make this choice problematic however, as compromised data is likely to be leaked or sold regardless of whether the ransom is paid.”

This is why PhishLabs has a security playbook that can help an organization:

  1. Identify and mitigate attacks before they occur
  2. Maintain broad visibility into data leaks and threat actor activity
  3. Prepare a plan of action in the event data is further compromised

You can find the playbook here. I had a look at it last night and I believe that this will be really helpful to organizations of all sizes as threat actors are targeting everyone these days.

BenQ Announces InstaShow WDC30  

Posted in Commentary with tags on June 28, 2022 by itnerd

BenQ has announced its new ultra-secure InstaShow WDC30. Featuring three layers of wireless protection — Wi-Fi 6 encryption, ISO EAL6+, and FIPS 140-3 — the InstaShow WDC30 is engineered and certified to meet the stringent security requirements of U.S. government agencies, financial institutions, healthcare organizations, and other high-risk enterprises. Users can instantly connect the germ-resistant WDC30 button to their laptop and tap to present sensitive data with stunning, smooth 4K@60fps video output to up to two displays without network logins or software downloads, which can pose network security threats.

Focused on Security
Meetings are a vital part of ensuring the smooth operation of banks and government agencies. However, these meetings can involve highly sensitive and confidential data and intellectual property that can be leaked or accessed when shared via app-, network-, or USB-based wireless presentation systems (WPS). Likewise, these types of systems can expose the connected device and the network. Unlike any other WPS, BenQ’s InstaShow WDC30 protects data, devices, and the network with robust security certification. Its network-free, secure, button-based design prevents vulnerabilities caused by network exposure, reliance on apps or software, or malicious USB inputs.

Opening up the option for financial institutions and government agencies to wirelessly present without an expensive HDMI matrix system, sharing cables, and network patches, the WDC30 triple protects the wireless transmission of data from cyberattacks in three key ways: 

  • WPA3™-Encrypted Wi-Fi 6 Technology: Wi-Fi 6 technology not only ensures a fast, stable connection but also the highest grade of encryption available. WPA3’s cutting-edge security protocols enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain the resiliency of mission-critical networks.
  • ISO EAL6 Tested and Certified Design: The Evaluation Assurance Level (EAL) in Common Criteria ranges from EAL1 to EAL7, and EAL6+ is defined as a level that offers extremely high security assurance for protecting high-value assets against severe security risks. The certification, performed by an independent third-party security body, took BenQ two years to achieve. Only EAL7 military-grade certification is higher.
  • FIPS 140-3-Certified Crypto Module: Federal Information Processing Standards (FIPS) certification is required by the U.S. government and other regulated industries (e.g., financial and healthcare) that collect, store, transfer, share, and disseminate sensitive data. Compliant with FIPS 140, Level 3, the WDC30 has enhanced physical security, which includes BenQ’s InstaShow chip that has no ability to communicate with or send data to devices or networks.

More Flexible, Simpler Meetings
In addition to its evolutionary security infrastructure, the InstaShow WDC30 supports wireless presentations in any shared space, providing instant connection in frequently challenged environments and allowing devices to connect up to 90 feet away. It works with any type of presentation device and any operating system, with the split-screen function supporting up to four inputs from multiple devices simultaneously and fast switching between presenters. With quick, one-tap presentation technology, presenters don’t have to hassle with logins or software downloads, allowing meetings to start right on time. It can present any content, including crisp text and smooth video at up to 60 fps at 4K resolution, to up to two displays. Plus, each secure button features BenQ’s silver ion coating to help prevent the spread of germs between users. 

More information on the full line of BenQ WPS is available at www.benq.com/en-us/business/index.html

Guest Post: The Most Dangerous And Safest US Travel Destinations By Cybercrime In 2022 According To Atlas VPN

Posted in Commentary with tags on June 28, 2022 by itnerd

The summertime is synonymous with the travel season. Before departing for their destination, tourists frequently assess a variety of health and physical safety precautions; however, only a few consider their online safety.

In 2021, around 500,000 Americans were victims of cybercrime and lost in excess of $6 billion, but how does that look on a state-by-state basis?

The Atlas VPN research team has created a list of the most dangerous and secure US travel destinations in terms of cybercrime. 

The safety of each US state was ranked according to its cybercrime index. 

To calculate the cybercrime index, Atlas VPN first worked out each state’s victim count per 100,000 population. For the second measure, Atlas VPN calculated each victim’s average losses.

To determine the final ranking, each measure was normalized on a 0-1 scale, with 1 corresponding to the measure that would most negatively impact the final score. These measurements were then summed up and converted to a score scale of 100.

The initial cybercrime victim and cybercrime loss numbers for each state were based on Federal Bureau of Investigation 2021 statistics. Atlas VPN also included each state’s ranking according to its popularity as a travel destination.
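To make the scoring method above concrete, here is an added Python example that implements the two-measure index as the post describes it. This is my own code, not Atlas VPN's, and it fills in two details the post does not spell out: the 0-1 scaling is assumed to be min-max normalization across the states (so the worst state on a measure scores 1), and the two measures are assumed to be weighted equally before the sum is rescaled to 100. The state figures are constructed sample data, not the FBI 2021 statistics.

```python
"""Two-measure cybercrime index: victims per 100k and average loss per victim,
each min-max normalized to 0-1 (1 = worst), summed, and rescaled to 0-100.

Assumptions (not stated in the post): min-max normalization, equal weighting.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class StateStats:
    state: str
    population: int       # residents
    victims: int          # reported cybercrime victims in the year
    total_loss_usd: float # total reported losses in the year


# Constructed sample data, chosen so the arithmetic is easy to follow by hand.
SAMPLE_STATES = [
    StateStats("Alpha", population=1_000_000, victims=1_000, total_loss_usd=10_000_000),
    StateStats("Beta", population=2_000_000, victims=4_000, total_loss_usd=24_000_000),
    StateStats("Gamma", population=500_000, victims=250, total_loss_usd=4_000_000),
    StateStats("Delta", population=1_000_000, victims=1_800, total_loss_usd=9_000_000),
]


def victims_per_100k(s: StateStats) -> float:
    """First measure: how many residents out of every 100,000 were victims."""
    return s.victims * 100_000 / s.population


def loss_per_victim(s: StateStats) -> float:
    """Second measure: average reported loss per victim."""
    return s.total_loss_usd / s.victims if s.victims else 0.0


def min_max_normalize(values: list[float]) -> list[float]:
    """Scale values onto 0-1 so the largest (worst) value maps to 1.

    If every state has the same value the measure carries no information,
    so all states score 0 on it.
    """
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def cybercrime_index(stats: list[StateStats]) -> dict[str, float]:
    """Return {state: index on a 0-100 scale}, higher meaning less safe."""
    rate_norm = min_max_normalize([victims_per_100k(s) for s in stats])
    loss_norm = min_max_normalize([loss_per_victim(s) for s in stats])
    # Each normalized measure contributes at most 1, so the sum lies on 0-2;
    # dividing by 2 and multiplying by 100 rescales it to the 0-100 score.
    return {
        s.state: round((r + l) / 2 * 100, 1)
        for s, r, l in zip(stats, rate_norm, loss_norm)
    }


def rank_states(stats: list[StateStats]) -> list[tuple[str, float]]:
    """Most dangerous first, as in the post's ranking."""
    return sorted(cybercrime_index(stats).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for s in SAMPLE_STATES:
        print(f"{s.state:6} victims/100k={victims_per_100k(s):7.1f} "
              f"loss/victim=${loss_per_victim(s):,.0f}")
    for state, score in rank_states(SAMPLE_STATES):
        print(f"{state:6} index={score}")
```

Note how the two measures interact: in the sample, "Beta" has a modest loss per victim but the highest victim rate, and "Gamma" has a low victim rate but the highest loss per victim, so both land near the top of the ranking, which mirrors the post's point that North Dakota and Nevada reach similar scores through very different profiles.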

The calculations reveal that North Dakota and Nevada are by far the most dangerous states in terms of online safety. Both states have unique cybercrime profiles and a cybercrime index of over 57.

North Dakota is distinctive because even though there were only 87 victims per 100k population, the losses per victim stood at $31,711, which is the highest in all of America. 

While victims in Nevada lost an average of $4,728 per scam, it was also the state with the highest number of victims per 100k population. The Battle Born State is also the third most common travel destination in the US. 

The Golden State is also at the top of the list, with 169 victims per 100k citizens and losses at $18,302. Unsurprisingly, California ranks as the most popular travel destination. 

New York is the 5th most visited state and, at the same time, 4th in terms of cybercrime severity. New Yorkers lost around $19,266 for each internet fraud case, with 151 individuals out of 100,000 encountering this misfortune.

The District of Columbia also makes the top 5 list, mainly due to the high number of victims per 100k population. 

To see the comprehensive research, which includes an analysis of all US States, please head over to:
https://www.atlasvpn.com/travel-destinations-by-cybercrime

Black Basta Ransomware Group Going After New Targets: Report

Posted in Commentary with tags on June 27, 2022 by itnerd

Security researchers with Cybereason have warned that the Black Basta ransomware-as-a-service group has been observed targeting manufacturing, construction, pharmaceuticals and other industries, in the latest update on the new threat group. Additionally, the ransomware syndicate has developed a Linux variant, designed to attack VMware ESXi virtual machines running on enterprise servers.

Chris Olson, CEO, The Media Trust had this to say:

“Today, data breaches aren’t just about stealing sensitive data for financial gain: they are also a danger to public safety. On average, cyber defenders have less than an hour to stop a ransomware event in progress. In addition to virtualization and cloud computing software, web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters. Businesses must pivot to prevention over treatment, monitoring IT and digital infrastructure in real time while working to harden entry points.”

I’ve written about the fact that you have less than an hour to stop a ransomware attack here. That alone makes defending against these attacks a must. I would read the warning and my previous story so that you can harden your enterprise accordingly.

UPDATE: I have additional commentary from Jake Williams who is the Executive Director of Cyber Threat Intelligence for SCYTHE:

The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of securing access to hypervisor systems. While Black Basta isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations.

Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.

And I have additional commentary from Robert Shaughnessy, VP, Federal for GRIMM:

“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading (https://www.darkreading.com/threat-intelligence/black-basta-ransomware-esxi-servers-active-campaign), one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. 
As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”

Lithuania Hit By Cyber Attack From A Russian Linked Threat Actor

Posted in Commentary with tags on June 27, 2022 by itnerd

Reuters is reporting that Lithuania has been hit by a cyber attack. Specifically, Lithuanian state and some private institutions were hit by a denial-of-service cyber attack on Monday, the National Cyber Security Centre said in a statement released by the defence ministry. Considering that the country is in a “feud” with Russia over sanctions related to Russia’s invasion of Ukraine, it’s likely not a shock that this happened. Nor is it a shock that a Russian-linked hacker group has claimed responsibility for the attack.

Chris Clymer who is a Director & CISO at Inversion6 had this comment:

Every significant military power in the world has developed cyber capabilities. These have evolved from espionage tools into full-fledged weapons to be used as part of a coordinated military response. Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks. Russia has a collection of theoretically autonomous groups like Killnet which give it the ability to strike at its enemies while still denying responsibility – not a new tactic. This year alone, Killnet has reportedly targeted Romania, Moldova, Czech Republic, and Italy, with Lithuania now added to the list. This harassment will continue, and what’s more interesting is that it doesn’t seem to have targeted the US and major European powers as strongly as first expected. With what we know of internet infrastructure, it’s hard to believe this is because those targets are stronger. Perhaps the Russians are trying to stay focused on targets they feel they can afford to antagonize.

Clearly we live in an era where the battlefield includes cyberspace, which makes anyone and everyone a target. Now is a really, really good time for everyone to review their cyber defences so that they aren’t the next target.

Waze Welcomes Tour de France To Its Global Event Partner Program

Posted in Commentary with tags on June 27, 2022 by itnerd

Waze, the world’s largest community-based traffic and navigation app, today announced a three-year sponsorship and partnership with the Tour de France and the Tour de France Femmes avec Zwift, as the prestigious cycling race returns for its 109th year. The Tour is the latest event to join more than 300 event producers around the world as a Waze Global Event Partner, harnessing the power of Waze to make travelling to and from the race as seamless as possible for fans, while minimizing the impact of traffic for all travellers on the road.

In a first-of-its kind collaboration, Waze is the Tour’s Official Traffic Manager, providing its tools, data and insights to drivers, athletes, fans and more. Ahead of the start line, Waze’s community of volunteer map editors will update the maps with 4,000KM of road closures, the start and finish points, temporary car parks and live traffic speeds, ensuring drivers can navigate event traffic.

Waze will also become an official event sponsor, supporting logistics and branding four safety vehicles and a guest car in the Tour’s famous ‘caravan’: a procession of vehicles that precedes the riders onto the track at each stage, from Copenhagen to Paris and from Paris to the Super Planche des Belles Filles.

Established as a two-way data share, Waze provides partners with real-time, anonymous, Waze-generated incident and slow-down information directly from the source: drivers themselves. The Waze Global Event Partner Program allows partners to utilize Waze tools, data and insights to help alleviate event-day parking and traffic challenges, leading to happier fans.

Download Waze to complete your Tour de France experience: https://www.waze.com/apps. Find out more about the Waze Global Event Partner program: https://www.waze.com/wazeforcities.

Cafe Press Fined $500K For Data Breach

Posted in Commentary with tags on June 27, 2022 by itnerd

This is the sort of story that I like writing about as it illustrates that companies who don’t seriously protect their customers’ data will be held to account. In this case, Cafe Press, which I’ve written about before, has been fined $500,000 for a data breach that affected 23 million customers. You can read about it here, but I’ll hit the highlights for you:

  • Residual Pumpkin and PlanetArt who now own Cafe Press have to implement multi-factor authentication
  • They have to minimize the amount of collected and retained data
  • They have to encrypt all stored Social Security numbers.
  • PlanetArt is being ordered to alert buyers and sellers whose personal info was accessed or stolen during the security breaches and provide them with information on how they can protect themselves

All of this centers around a February 2019 breach of CafePress’ servers where unknown attackers gained access to, stole, and later put up for sale on the dark web personal information belonging to 23,205,290 CafePress users. Then CafePress tried to cover this up until it was reported by Bleeping Computer. And to top it all off, the company knew they had issues but didn’t do anything about it. And they also didn’t investigate any of the attacks. Which makes it pretty clear that dealing with Cafe Press is a bad idea. Though this fine may have them rethink how they handle customer data going forward.

Another Reason Not To Buy The M2 13″ MacBook Pro… The SSD Is SLOW

Posted in Commentary with tags on June 26, 2022 by itnerd

Frequent readers of this blog know that I wrote a story about why nobody should buy the 13″ M2 MacBook Pro. Besides everything that I mentioned in that article, there’s a brand new reason that people who have gotten their hands on this computer from Apple have found.

The SSDs are slower than the ones in the M1 13″ MacBook Pro.

YouTube channels such as Max Tech and Created Tech tested the 256GB model with Blackmagic’s Disk Speed Test and found the SSDs are about 30% slower than the M1 versions. This is because the 256GB model is equipped with only a single NAND flash storage chip. The M1 version had two NAND chips that were likely 128GB each. This creates a RAID-like setup that resulted in better performance. The only reason I can think of for Apple doing this is to save a few bucks so that they can have higher margins on the computer. And what makes that worse is that Apple raised the price this time around. What’s even more interesting is that reviewers who got the new computer early didn’t note this. But they were apparently supplied with 1TB models. That implies that either they have a pair of 512GB NAND chips or any speed differences were glossed over because Apple doesn’t hand over computers for review to just anyone. They only hand over computers to reviewers that are friendly to Apple.

The bottom line is this: the 13″ MacBook Pro was a bad deal before. It’s a worse deal after this revelation. My advice is to avoid this model altogether. And in a bonus piece of advice, I would also suggest waiting for the first reviews by Max Tech and Created Tech of the M2 MacBook Air to see if Apple pulled the same stunt. Because it wouldn’t surprise me if they did. Which means that you need to be aware of that if you plan on putting down your hard-earned money on one.