Archive for February 5, 2024

Lurie Children’s Hospital Pwned In Cyberattack

Posted in Commentary with tags on February 5, 2024 by itnerd

Late last week, the Lurie Children’s Hospital in Chicago stated they had experienced a cyberattack and had taken their IT systems offline, impacting normal operations. According to local news, they’ve had to cancel children’s appointments for six days and counting.

Lurie Children’s is “Illinois’ leading provider for pediatric care” with 360 beds, 1,665 physicians covering 70 sub-specialties providing care for over 200,000 children annually.

The incident impacted the hospital’s internet, email and phone services. Some elective surgeries and procedures had to be canceled, ultrasound and CT scan results are unavailable, and prescriptions are given in paper form. Also, the hospital has reverted to following a first-come, first-served approach to emergency situations.

“[…] we have intentionally limited our e-mail system, so it is unable to send to or receive emails from non-Lurie Children’s e-mail addresses. We’ve also prevented outbound internet traffic and took our electronic health record offline. We are unable to receive external phone calls, except for calls to our call center,” the hospital said on their website yesterday.

A dedicated helpline has been set up to address patient needs, such as non-urgent inquiries, care-related questions, details about scheduled appointments, and requests for prescription refills.

Carol Volk, EVP, BullWall had this to say:

   “The cyberattack on Lurie Children’s Hospital in Chicago highlights the alarming vulnerability of healthcare institutions to cyberattack threats. The attack took all computers, internet and phones offline, disrupting access to care and making critical information inaccessible.

   “The hospital’s decision to resort to a manual-first approach in response to the cyberattack is typical of how real-time service providers must respond to losing their communication networks and emphasizes the severity of the situation. The majority of cyberattacks on medical facilities typically include ransomware, though the hospital has yet to provide details confirming this. With services down for six days now, this is a major disruption.
 
   “Every such breach, every successful attack, emphasizes the urgent need for increased cybersecurity investments in healthcare. Strengthening defenses against cyber threats is essential to safeguarding patient well-being and ensuring uninterrupted medical services.”

HYAS CEO David Ratner follows with this:

   “As many talk about cyber priorities for 2024, events like the cyberattack at Lurie Children’s Hospital in Chicago highlight just how important it is to implement cyber resiliency strategies and solutions. Attacks are not only causing financial or reputational damage, but are increasingly impacting critical infrastructure and potentially affecting human lives.”

Any cyberattack is bad. A cyberattack against a health care facility is worse because it’s a threat to life. That’s why defending against such attacks has to be top of mind for anyone in these environments. Otherwise you get a situation like this. Which is very bad.

UPDATE: Emily Phelps, Director, Cyware adds this:

   “Healthcare remains a prime target for cyber threats due to the sensitive information they handle. With threat actors exceeding the number of available cybersecurity experts, healthcare entities need to adopt automated tools to help small security teams manage threats more effectively. Additionally, regular training on security awareness for staff is crucial for identifying and circumventing prevalent cyberattack strategies. Finally, healthcare institutions could benefit from collaborating with specialized security services that provide hard-to-find expertise, enhancing their internal defenses.”

Tim Cook To Masimo: You’re Not Going To Get Paid

Posted in Commentary with tags on February 5, 2024 by itnerd

I’ve been watching the Apple versus Masimo battle, where the latter’s patent win has forced Apple to sell the Apple Watch Series 9 and Ultra 2 with the blood oxygen sensor disabled. I’ve been wondering why Apple has not been willing to pay off Masimo to make this problem go away. Well, via this AppleInsider article we have Tim Cook spelling out what his strategy is:

Apple CEO Tim Cook told CNBC in a statement shared on live television that Apple is focused on appeals, implying the company has no intention to license Masimo’s patents. While it seemed likely that was the case, the company hadn’t said as much publicly until now.

“We’re focused on appeal,” Cook’s statement said. “There’s lots of reasons to buy the watch even without the blood oxygen sensor.”

So what’s clear from this statement is that Apple for whatever reason is willing to die on this hill. I’m guessing that it’s like I said here:

 The cynic in me says that if you accept that Apple “Sherlocked” Masimo to get this feature into the Apple Watch, then Apple may be afraid that every other company that they’ve “Sherlocked” over the years will come out of the woodwork looking for their pay day. But that’s just speculation on my part. Though I suspect that it has an air of truth to it.

The bottom line is that this fight between the two companies will not be ending anytime soon. Though that may change if Apple loses their appeal.

An AI Generated Deepfake Costs A Company $25 Million

Posted in Commentary with tags on February 5, 2024 by itnerd

Well, we seem to have an example of one of the worst case scenarios that many envisioned when it comes to AI. By that I mean this story where fraudsters used AI-generated deepfakes to impersonate the CFO at a multinational company to trick a finance employee into sending them over $25 million:

This incident marks the first of its kind in Hong Kong involving a large sum and the use of deepfake technology to simulate a multi-person video conference where all participants (except the victim) were fabricated images of real individuals. The scammers were able to convincingly replicate the appearances and voices of targeted individuals using publicly available video and audio footage. The Hong Kong police are currently investigating the case, with no arrests reported yet.

The scam was initially uncovered following a phishing attempt, when an employee in the finance department of the company’s Hong Kong branch received what seemed to be a phishing message, purportedly from the company’s UK-based chief financial officer, instructing them to execute a secret transaction. Despite initial doubts, the employee was convinced enough by the presence of the CFO and others in a group video call to make 15 transfers totaling HK$200 million to five different Hong Kong bank accounts. Officials realized the scam occurred about a week later, prompting a police investigation.

Kevin Vreeland, General Manager of North America at Veridas had this to say: 

“The presentation attack employed by the threat actors targeting this multinational company for millions showcased a high level of sophistication. The employee initially followed proper protocols, correctly identifying the attack as potentially rooted in phishing. However, the escalation of the incident highlights how artificial intelligence has given attackers a leg up and created a plethora of security challenges for organizations, particularly in the era of widespread remote work.

With the evolution of artificial intelligence and increased identity-based security threats, companies must implement updated and improved methods of verification and authentication. These measures should focus on detecting the liveness and proof-of-life of their employees. Currently, there are companies developing biometric solutions focused on how to face the new forms of fraud, through a robust biometric engine and aligned to quality and security certifications, such as NIST and iBeta.

It’s also important that companies educate their employees about the dangers of deepfakes similar to other types of scams. Deepfakes usually contain inconsistencies when there is movement. For example, an ear might have certain irregularities, or the iris doesn’t show the natural reflection of light.”

If you want an example of what Kevin Vreeland is talking about in the last paragraph of his comment, I’ll use this example of the Apple Vision Pro Persona feature. If you keep what he said in mind, you’ll see what he’s talking about.

This case highlights the challenges posed by AI and its use by threat actors. We all need to change how we look at what we see and hear, and how we verify it, so that we can protect ourselves from the threats that are sure to come now that threat actors have found ways to use AI for criminal gain.
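The control that would have stopped this is not a better deepfake detector but a payment process that gives a video call no evidentiary weight. What follows is an added example, not code from the article or from any of the vendors quoted on this page, of a release check that requires dual control, an out-of-band callback to a pre-registered number for any new beneficiary, and single and rolling limits. The employee names, account identifiers, thresholds and the batch of transfers are constructed; the batch is shaped to mirror the reported pattern of 15 transfers totalling HK$200 million to five accounts.

```python
"""Added example (not from the article or any of the quoted vendors): a payment
release control that gives a video call no evidentiary weight. Employee names,
account identifiers, thresholds and the batch of transfers are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Only a callback to a number registered *before* the request counts.
# Email, chat and video calls can all be forged, as this incident shows.
ACCEPTED_VERIFICATION = {"callback"}


@dataclass(frozen=True)
class Transfer:
    requester: str          # who keyed the payment
    approver: str           # who released it; must differ from requester
    beneficiary: str        # destination account identifier
    amount_hkd: int
    requested_at: datetime
    verified_via: str       # "callback", "video_call", "email", ...


@dataclass(frozen=True)
class Policy:
    known_beneficiaries: frozenset
    single_limit_hkd: int = 5_000_000
    window: timedelta = timedelta(days=7)
    window_limit_hkd: int = 20_000_000


def evaluate(batch, policy):
    """Return (blocked, released). blocked is a list of (transfer, reasons);
    released is a list of transfers. Velocity counts every attempt in the
    window, blocked or not, so a burst cannot be retried past the limit."""
    blocked, released, seen = [], [], []
    for t in sorted(batch, key=lambda x: x.requested_at):
        reasons = []
        if t.requester == t.approver:
            reasons.append("no dual control: requester released own payment")
        if (t.beneficiary not in policy.known_beneficiaries
                and t.verified_via not in ACCEPTED_VERIFICATION):
            reasons.append(f"new beneficiary verified only via {t.verified_via}")
        if t.amount_hkd > policy.single_limit_hkd:
            reasons.append("exceeds single-transfer limit")
        recent = sum(s.amount_hkd for s in seen
                     if t.requested_at - s.requested_at <= policy.window)
        if recent + t.amount_hkd > policy.window_limit_hkd:
            reasons.append("exceeds rolling window limit")
        seen.append(t)
        if reasons:
            blocked.append((t, reasons))
        else:
            released.append(t)
    return blocked, released


def sample_batch():
    """Constructed to mirror the reported pattern: 15 transfers totalling
    HK$200 million to five previously unseen accounts, keyed and released by
    one employee after a group video call, plus one routine payment the day
    before for contrast."""
    t0 = datetime(2024, 1, 29, 10, 0)
    accounts = [f"HK-NEW-{i}" for i in range(1, 6)]
    amounts = [13_000_000] * 14 + [18_000_000]
    batch = [Transfer("finance.hk", "finance.hk", accounts[i % 5], amount,
                      t0 + timedelta(minutes=15 * i), "video_call")
             for i, amount in enumerate(amounts)]
    batch.append(Transfer("finance.hk", "controller.hk", "HK-SUPPLIER-7",
                          1_200_000, t0 - timedelta(days=1), "callback"))
    return batch


POLICY = Policy(known_beneficiaries=frozenset({"HK-SUPPLIER-7"}))


def demo():
    return evaluate(sample_batch(), POLICY)


if __name__ == "__main__":
    blocked, released = demo()
    for t in released:
        print(f"OK    {t.beneficiary:14} {t.amount_hkd:>12,}")
    for t, reasons in blocked:
        print(f"BLOCK {t.beneficiary:14} {t.amount_hkd:>12,}  " + "; ".join(reasons))
```

Every one of the fifteen fraudulent transfers trips at least three rules, and the velocity rule fires from the second one onward. None of the checks looks at the video call at all: the point is that authorisation evidence has to come over a channel the attacker cannot stage, and that a single person should never be able to both key and release a payment to a new counterparty.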

UPDATE: Shawn Loveland, COO, Resecurity had this comment:

The deepfake market is a multifaceted domain involving academia, hobbyists, emerging technology, commercial services, and threat actors.

Initially, deepfakes were developed by researchers as a byproduct of machine learning and AI studies. However, such technology has quickly spread beyond the academic circle to include hobbyists, enthusiasts, and commercial services who also contribute to building deepfake tools. Often, they share these tools on forums and open-source platforms. Some of these services are marketed to cybercriminals and fraudsters as threat actors have determined this technology is valuable for scams, identity theft, and misinformation campaigns.

The actual size of the dark market deepfake industry is challenging to determine due to its secretive nature, as malicious actors utilize this technology. Similarly, the size of the commercial deepfake market is also hard to determine due to its rapidly evolving nature and marketing hype/misinformation. Moreover, as the relatively low barrier to entry for new services providing deepfake technology continues to expand, we can expect an increase in the number of scenarios that will benefit from it.

There is a growing demand for deepfake content, specifically in the entertainment, gaming, and advertising sectors. This includes using deepfake technology for creating films, marketing campaigns, and virtual customer service representatives. Unfortunately, there is also a dark side to the technology, which involves the creation of illegal deepfakes. These are used to produce fake pornographic content, impersonate individuals for fraudulent purposes, or spread fake news.

And the spectrum ranges widely. On one end, legitimate companies use similar technology for benign purposes like dubbing movies and creating digital avatars. Conversely, a significant portion of the deepfake market is associated with cybercrime. This includes creating non-consensual adult content, extortion, and undermining public trust in media.

The rise of deepfake technology is a cause for concern for organizations across the globe. This technology has dual-use capabilities, which can be used for beneficial and malicious purposes. Although deepfakes have legitimate uses, their potential for harm, particularly in cybercrime, makes them a serious issue that requires an active and robust response from individuals, businesses, and governments alike.

Deepfakes violate the terms of use (TOU) or terms of service (TOS) of many online commercial platforms, especially when used to impersonate others, spread misinformation, or create non-consensual adult content. Most social media platforms, content-sharing services, and online communities have specific guidelines against posting deceptive or abusive content and infringing on another person’s rights. It is recommended that potential TOU and TOS issues be reported to the commercial service hosting or distributing the content.

However, despite the rules and regulations established by many online platforms, services catering to threat actors can still offer deepfake services. This is why such services are readily available for threat actors to use.

The emergence of deepfakes has caused concerns about verifying digital identities, protecting media content integrity, and preventing potential political manipulation. Businesses must invest in detection technology and training to avoid fraud and protect their reputations.

It is worth noting that deepfakes aren’t just a theoretical attack. They have already been used to impersonate executives for financial gain and create false narratives that sway public opinion or affect stock prices.

Ultimately, the problem with deepfakes is an ever-changing one. The technology and its usage are evolving rapidly, and those who use deepfakes to cause harm are also improving their methods to avoid detection. Regulations and laws are still struggling to keep up with this technology, but there is an increasing movement to create legislation to combat the malicious use of deepfakes.

Guest Post: And So It Begins… Gmail Authentication Errors Are Here!

Posted in Commentary with tags on February 5, 2024 by itnerd

Gmail has officially started to temporarily reject messages that fail their new authentication requirements.

By Valimail

The long-awaited day is upon us. Gmail and Yahoo Mail have been preparing the email world for this day, and right on cue, it’s begun.

It has never been a more important time to authenticate your email. Under the new rules, starting today you will see temporary errors (SMTP 4xx deferrals) for unauthenticated mail. And starting in April, unauthenticated mail that does not pass DMARC will start to be rejected outright.
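To make the requirement concrete, here is an added example (not Valimail’s, Google’s or Yahoo’s code, and not part of the original post) that checks whether a message would pass DMARC against the sending domain’s record: it parses the record, applies strict or relaxed identifier alignment, and shows the classic failure, an email service provider sending on your behalf with its own bounce domain and DKIM key, beside the configuration that fixes it. The domains, the record and the authentication results are constructed for illustration, and the organizational-domain helper is a two-label simplification rather than a Public Suffix List lookup.

```python
"""Added example (not Valimail's, Google's or Yahoo's code): decide whether a
message passes DMARC against the sending domain's record. The domains, record
and authentication results below are constructed for illustration."""
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, apply the RFC 7489
    defaults (relaxed alignment) and reject records without a usable policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (an assumption
    of this example; real validators use the Public Suffix List so that
    'example.co.uk' is handled correctly)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain that shares the organizational domain of the RFC5322.From domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(record: str, from_domain: str,
                   spf_pass_domain: Optional[str] = None,
                   dkim_pass_domains: tuple = ()) -> dict:
    """spf_pass_domain is the MAIL FROM (or HELO) domain that produced an SPF
    pass, or None; dkim_pass_domains are the d= values of signatures that
    verified. The record is assumed to be the one published at from_domain's
    organizational domain, so an sp= tag governs subdomain senders."""
    tags = parse_dmarc(record)
    spf_ok = (spf_pass_domain is not None
              and aligned(spf_pass_domain, from_domain, tags["aspf"]))
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_pass_domains)
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and tags.get("sp") in VALID_POLICIES:
        policy = tags["sp"]
    return {"pass": spf_ok or dkim_ok, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy": policy}


# Constructed record for example.com: strict DKIM alignment, relaxed SPF.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed authentication results, as a receiver's SPF/DKIM checks would report them.
SAMPLES = {
    # Own mail server, DKIM-signed with the From domain: aligned on both.
    "direct": dict(from_domain="example.com", spf_pass_domain="example.com",
                   dkim_pass_domains=("example.com",)),
    # ESP using its own bounce domain and its own DKIM key: SPF and DKIM both
    # pass, but neither aligns, so under p=reject the message is refused.
    "esp_unaligned": dict(from_domain="example.com",
                          spf_pass_domain="bounce.vendor-esp.com",
                          dkim_pass_domains=("vendor-esp.com",)),
    # Same ESP after delegating a bounce subdomain: relaxed SPF alignment rescues it.
    "esp_custom_bounce": dict(from_domain="news.example.com",
                              spf_pass_domain="bounce.example.com",
                              dkim_pass_domains=("vendor-esp.com",)),
    # DKIM key published on a subdomain while adkim=s, and no SPF: fails.
    "strict_dkim_mismatch": dict(from_domain="example.com", spf_pass_domain=None,
                                 dkim_pass_domains=("news.example.com",)),
}


def run_samples(record: str = RECORD) -> dict:
    return {name: dmarc_evaluate(record, **kw) for name, kw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        verdict = "pass" if result["pass"] else f"fail -> {result['policy']}"
        print(f"{name:22} {verdict}")
```

The inputs are what a receiver’s own SPF and DKIM checks produce; DMARC itself only asks whether at least one passing identifier aligns with the From header domain. That is exactly where third-party senders go wrong: SPF and DKIM can both say “pass” for the vendor’s domain while the message still fails DMARC for yours. Delegating a bounce subdomain or publishing the vendor’s DKIM key under your own domain fixes alignment without weakening the policy.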

There is no need to get caught off guard by these rejections!

Our CTO, Seth Blank, has a long history of playing a critical and active role across the email ecosystem to drive new technology and change that raises the bar for everyone. He is Co-Chair of the IETF DMARC Working Group, Chair of the AuthIndicators (BIMI) Working Group, and has developed ARC, BIMI, and DMARC 2.0, amongst others. With these new requirements, he has already been providing ecosystem and customer feedback directly to Google and Yahoo, helping to clarify guidance and ensure all senders are set up for success with the new rules. 

Authentication matters, now more than ever, or the errors will flow. There are still many questions to be answered as these new requirements continue to roll out, but Valimail is committed to providing timely, accurate clarification to senders of all types.

In the meantime, if you want to protect your domain, sign up for our brand new product, Align, specifically created to help you meet the new email authentication requirements. It’s automated, simple, built for marketers, and priced to make it easy for companies of all sizes to meet the requirements. 

Since its founding in 2015, Valimail has worked hard to provide automated email authentication solutions ranging from free to enterprise and FedRAMP, and we now have more than 38,000 customers protecting themselves with our industry-leading DMARC software. We’ve always believed that it’s in everyone’s interest to make sure your email domain isn’t spoofed and to thereby help stamp out criminal abuse of your email and brand. 

This isn’t just about protecting yourself – done right, email authentication protects partners, consumers, and anyone receiving email. If we can get to herd immunity (approximately 70% adoption of the largest senders), exact domain spoofing (the most pernicious) becomes economically uninteresting and criminals move on to other forms of phishing, spoofing, etc. 

Valimail is here to help you. Ultimately, mail sent to Gmail and Yahoo Mail must be authenticated, with SPF or DKIM at a minimum and, for bulk senders, a published DMARC policy with aligned authentication, or it will not be delivered reliably. As the world’s leader in DMARC, we’ve got you covered.

AnyDesk Pwned…. Which Is Kind Of Ironic If You Ask Me

Posted in Commentary with tags on February 5, 2024 by itnerd

First let me get to the top level item. Remote access software provider AnyDesk has put out a statement that said the following:

Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware.

We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.

Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.

To date, we have no evidence that any end-user devices have been affected. We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate.

Well, this is not trivial. It seems like the threat actor was setting up some sort of supply chain attack: pwn AnyDesk, get into its production systems and the code signing certificate it is now revoking, and use that to pwn AnyDesk customers. At this point it looks like they got stopped before any real damage was done. But we’ll have to see if that’s true in the coming days, weeks, and months, as companies who are downstream victims of a supply chain attack often find out that they got pwned much later. Having said that, if you use AnyDesk, it is worth making sure you are running a build signed with the new certificate, rotating your my.anydesk.com password (and anywhere else you reused it), and bringing in an expert now to make sure you haven’t been pwned in any way.

What’s ironic about this is the fact that AnyDesk has for many years been the tool of choice for threat actors in general, and more specifically for scammers, who are often based in India, to get and maintain persistent access to victims’ computers. Now, to be fair to AnyDesk, they have been trying to fight back against this with the help of some well known scam baiters. But for them to get pwned is a bit ironic.

Getting Pwned Cost Clorox $49 Million

Posted in Commentary with tags on February 5, 2024 by itnerd

Back in August of last year, Clorox disclosed that they got pwned in a cyberattack. An attack that took them down for a considerable amount of time. Fast forward to today and we now know what that attack cost. Here’s the section of their Q2 report that speaks to this.

In short, recovering from this cyberattack cost them $49 million. Not a trivial amount of cash. And it illustrates that not doing enough to keep the bad guys out can be expensive. Plus you have to wonder what the reputational damage is, since the fact that Clorox got pwned is back in the news. Have you got any guesses on that?