• Cybercrime
  • A checklist can help combat ransomware

    As ransomware ratchets up as a cyber-security threat, extra and effective vigilance’s essential. WannaCry, reported on eHNA shows how it’s a bigger risk and priority. A ransomware checklist and kit as part of a seven file download from Sophos, a cyber-security firm provides timely advice. It has two main parts, essential technologies and best cyber-security practices. These are valuable for Africa’s eHealth. 

    There are two main types of ransomware attacks. One’s a plausible-looking email that’s booby-trapped email with a malicious attachment. The other’s from a compromised website. Both download ransomware when users click on links that work their way endpoints and servers. It seems that WannaCry stepped this up. It scans and hunts for vulnerabilities and includes a worm that extends across networks.

    If ransomware reaches endpoints and servers it’s essential it’s blocked and removed promptly, This may need tools. An example’s CryptoGuard Technology. Solutions must:

    • Complements existing cyber-security
    • Block processes trying unauthorised changes to data
    • Work against local and remote encryption
    • Automatically undo changes to avoid data loss
    • Exploit prevention by stopping ransomware exploiting weaknesses in other software products.

    Host Intrusion Prevention System (HIPS) with behaviour and file analytics are important too.  Tech Support Alert has a description of HIPS as a program that alerts users to malware programs such as a virus trying to run on users’ computers or that an unauthorised users such as a hacker may have accessed them. It achieve this by examining files’ components and structures of files for malicious elements and seeking code trying to modify registries.

    Other cyber-security technologies include: 

    • Web security scans checking web content for ransomware code
    •  Malicious Traffic Detection (MTD) looking for traffic to ransomware command and control servers, then blocking it when it’s found
    • Application control that restricts applications allowed to run
    • Blocking Wscript often used by ransomware
    • Application whitelisting to establishes a default deny policy on servers so only trusted applications can run, so preventing ransomware gaining a foothold
    • Stopping email threats using defences blocks ransomware emails
    • Time-of-click protection stops users clicking on links to websites hosting ransomware, even if they’re safe when they entered inboxes
    • Cloud-sandboxing to find zero-day threats that exploit unknown vulnerabilities by rigorously testing files in safe environments before users run them
    • Web gateways block web-borne ransomware before they reach users’ endpoints, such as:

    o   URL filtering that blocks websites hosting ransomware and stops ransomware communicating with its command and control servers

    o   Web filtering enforcing strict controls on ransomware file types, stopping them downloading

     Sophos’s nine best cyber-security practices are:

    • Backup regularly and keep recent backup copies off-line and off-site to minimise data loss
    • Enable file extensions to help identify unusual file type, such as JavaScript
    • Open JavaScript files in Notepad because it blocks them from running malicious scripts
    • Don’t enable macros in document attachments in emails because many infections rely on turning macros on
    • Always be cautious about unsolicited attachments, and check with senders
    • Don’t have more login power than needed because admin rights may expand a local infection across networks
    • Consider installing the Microsoft Office viewers to see what documents look like without opening them in Word or Excel
    • Patch early and often so there are fewer holes for ransomware to exploit
    • Keep up to date with new security features in business applications.

    These activities reveal the considerable range of activities needed for effective cyber-security. As threats become more sophisticated and effective, Africa’s eHealth needs to keep up with modern cyber-security.

  • Cyber-criminals like Ransomware

    Ransomware’s a favourite with many cyber-criminals. It’s cheap to produce and can provide big, illegal returns by encrypting users’ data. Decryption comes with a fee, but experts say users should never pay, but fix it by relying on up to date offline back-ups. It offers good returns because it mainly relies on unsuspecting users clicking on illicit links in emails and webpages so malicious ransomware’s downloaded. Acfee’s cyber-security overview eBook reports that  ransomware restricts access to computers, which is reinstated after paying a ransom often in Bitcoin to remove the restriction.. Cyber-criminals know this phishing approach that kidnaps information is  significantly more profitable than stealing  it. WannaCry made headlines  when cybercriminals launched a global cyber-attack. It’s a step up on lucrative conventional ransomware, being extremely predatory, scanning and hunting for networks’ vulnerabilities. It’s not clear if it used phishing, or was more sophisticated and sought vulnerabilities.


    An article in the NewYorkTimes says the cyber-attack affected more than 150 countries and inflicted 200,000 Windows computers.  Hackers mainly targeted hospitals, academic institutions and high profile global companies. Perpetrators used a digital code previously leaked as part of a document dump. A report by News 24 says it explains the virus’s rapid spread

    Healthcare news has an alarming estimate that  72% of malware attacks on healthcare used ransomware. Healthcare is particularly targeted by hackers as they know how crucial data is to daily hospital operations, and the gravely result it might have when leaked or placed in the wrong hands.   Verizon researched this. Its 2017 Data Breach Investigation Report    found  that 602 of 2,000 breaches stemmed from phishing emails. Symantec identified ransomware’s growth. Its report said  the number of ransomware detections increased by 36% during 2016, up from 340,000 in 2015 to 463,000 in 2016.

    Any organisation can fall victim to these attack, so they must impose strict measures to increase cyber-security  and ensure that all employees remain vigilant and alert.

  • WannaCry hack hits Africa

    As big scale hacks go, WannaCry’s malicious spread’s approaching an unprecedented pandemic. Data Protection Report from Norton Rose Fulbright, a global law firm, says the ransomware attack started infecting companies and healthcare organisations across the US, Europe and Asia early Friday morning, 12 May. Then it was 70 countries affected. On Sunday, the head of Europol told the BBC there’s more than 200,000 victims in 150 countries. Hacker News has posted that WannaCry v2.0 can by-pass the kill switch that stops v1 from spreading. This global cyber-attack may keep expanding. 

    Hackatrick has an article saying it’s believed to be the biggest ransomware attack ever seen. Over 75,000 PCs in 99 countries were infected, including US, Russia, Germany, Turkey, Italy, Philippines, Vietnam, India and UK in less than 24 hours. It has a map showing organisations in Angola, Egypt, Kenya, Nigeria, Tunisia and South Africa are affected. Affected systems have six hours to pay up. Delayed responses lead to an increased ransom.

    WannaCry’s spread by using a Windows vulnerability. On 14 March, Microsoft released a security patch, MS17-010, to close it. Some large organisations with far-reaching ICT networks can take up to four months to install it and update their systems, so can still be vulnerable. The attack’s huge scale means there are equivalent large-scale lessons to be learnt. 

    Initial ransom payments for the decryption key are about US$300, usually paid in Bitcoin within six hours. Delaying payment can result in increased ransoms. It seems the cyber-criminals haven’t raised much relative to the extent of the infections, maybe some US$20,000 in Bitcoins so far from under 200 payments, says the Guardian.

    Basic advice from Hackatrick’s:

    • Patch you operating system and reboot, especially MS17-010 for Windows machines and servers against EternalBlue exploit (MS17-010)
    • Beware of bogus emails
    • Backup your files remote from operational systems
    • Always have an up to date anti-virus software.

    A report from the BBC says WannaCry seems to have spread like a worm. It can move around network unaided. It’s more sophisticated that basic ransomware that relies on phishing emails to tricking users into clicking on attachments that download malicious code. When WannaCry’s inside a network, it scans and hunts for vulnerable machines to infect.

    WannaCry seems to stem from a bug found by the US National Security Agency (NSA). When its details were leaked, many security researchers predicted it would trigger the production of self-starting ransomware worms. 

    Africa’s health systems must learn and act on the lessons from WannaCry. Its wrecking effect on parts of the UK’s NHS is salutary, and partly attributed to using obsolete software, such as Windows XP.

  • Phishing attacks are a challenge for South Africa

    Phishing is one of the most common, dangerous and frequent cyber-attacks that poses serious threats. Phishingbox has an estimate saying that at least one in 1,846 emails is a phishing attack. Emails are not the only source. Cyber-criminals use fake websites and adverts to trap people too.

    In Acfee’s cyber-security overview eBook phishing is when cyber-criminals send apparently legitimate emails or website adverts to entice recipients to respond either by clicking on malicious links that can download ransomware, or by providing sensitive information like passwords, usernames and personal data, that can be used mainly for email fraud. Cyber-criminals are increasingly using invitations to connect to bogus websites to entrap unsuspecting users too.


    This form of cyber-attack is successful because some users are easily fooled by the emails or adverts which appear legitimate. These hoaxes convey a sense of urgency which prompt a respone for security reasons by clicking on a link in the email that directs them to the spoofed website. This type of bogus website is designed  to acquire information and identity theft and encrypt users for a ransom payment.


    An article in ITNewsAfrica says South Africa’s the second most targeted for phishing attacks. In 2013, phishing cost South Africa about US$320 million, about  ZAR4,256,340,017 billion. Since then, spear phishing has become aa common form of phishing. It bypasses most security defences by sending emails that  are significant to users. Anyone can fall victim to this scam. Banking has some tips to avoid phishing:      

    • Keep online IDs, passwords and PINs private and never write them down or share them with anyone
    •  Always log off or sign out at the end of a sessions
    • Never respond to emails that request personal details. Never use links in emails or adverts to access websites,  always use web address provided by their organisations
    • Type web addresses in browsers and ensure sites are secure by looking for the lock icon on browsers before logging on
    • Don’t open emails from unknown sources, even if the email addresses, titles and sender details look legitimate, and delete them immediately
    • Create longer passwords that combine letters, both lowercase and capitals, numbers and symbols that cannot be attributed to you
    • Avoid passwords that are too personal, too simple such as 1234 and don’t duplicate one password for several accounts
    • Ensure up-to-date anti-virus software  and frequently update security patches your operating systems.

    While these are generic, they’re essential for all Africa’s eHealth users. They fit personal use too. They require constant vigilance.

  • Will cyber-criminals go for medical devices next?

    Nothing on ICT landscape’s off limits for cyber-criminals. Attacking medical devices could be their next target. In the Rise of the Machines:  The Dyn Attack Was Just a Practice Run, the US Institute for Critical Infrastructure Technology (ICIT), a cyber-security think tank, says the Mirai Internet of Things (IoT) botnet has inspired more Distributed Denial of Service ( DDoS) botnet innovation. Its value’s enhanced by the lack of good practice cyber-security at design stages in the Internet and IoT devices. This harsh reality’s an opportunity for Africa’s eHealth to prepare for rigorous evaluations of IoT projects.

    Krebs on Security, a cyber-security news and investigation service, says  IOT’s botnet source code was responsible for the DDoS attack against it. A conclusion drawn from the incident by Kerbs is

    that the Internet will soon be flooded with threats and attacks from many new botnets powered by insecure routers, Internet protocol (IP) cameras, digital video cameras that can send and receive data with a computer network and the Internet, and used for surveillance, digital video recorders and other networked devices that are easy to hack. 

    ICIT provides a comprehensive and detailed analysis of the new threat. Stakeholders have been driven to recognise and accept the design security weakness and the prevalence of vulnerabilities inherent in IoT devices. Its report includes:

    •  A concise overview of the basic Internet structure, including key players and protocols of the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP), used to govern computer systems’ connections to the Internet
    • DDoS anatomy,  including details on constructing botnets, conventional  botnets compared to IoT botnets and launching a DDoS attacks
    • An overview of the Mirai Incidents, including KrebsonSecurity, OVH cloud and  Internet Service Provider (ISP), Dyn, Liberia, Finland, the US Trump and Clinton presidential campaigns, WikiLeaks and Russian banks
    • Evolution of IoT malware, including profiles Linux.Darlloz, a worm, Aidra, QBot and Qakbot, BASHLITE, Lizkebab, Torlus, gafgyt and Mirai
    • A discussion on the sectors at greatest risk including healthcare
    • Recommendations and remediation to combat these threats.

    The ICIT report is essential reading for Africa’s health systems. It can help to prepare cyber-security plans for their forthcoming IoT initiatives.

  • Cyber-crime’s rampant rise needs Africa’s health systems to respond

    The growing use of technology and connection to the Internet increases susceptibility cyber-crime. Sub-Saharan Africa’s ranked third highest exposure to cyber-crime globally. South Africa has the highest connectivity relative to other African countries, making it a hotspot for cyber-crime. It’s not too surprising it’s ranked first in Africa

    As South Africa’s eHealth blossoms, cyber-criminals have a growing interest in South Africa . Its health systems are not immune to cyber-attacks. Phishing’s the most common form of attack. It’s when cyber-criminals send an apparently legitimate email to entice recipients to respond by providing sensitive information like passwords to accounts and systems, usernames, personal data and other details that can be used mainly for fraud, but also enable ransomware downloads to extort money. It’s an unsophisticated cyber-attack, often successful and frequently used. Avoiding it needs constant vigilance, awareness and trained users.


    An article in the Cover says breaches in healthcare  outweigh all other industries and services. Its data collection, storage and sharing  of confidential patient information makes healthcare perfect targets for cyber-crimminals. If its leaked, it can potentially result in liability claims and grave reputational damage. As healthcare professionals become more reliant on eHealth and its, EHRs and technology, it opens cyber-security windows wider.


    In South Africa, cyber-crime has an economic impact on the nation. It costs an estimated R5.8 billion a year. It’s mainly attributed to risks of system failures and additional costs of restoring systems once hacked. The consequences includes loss of productivity and revenue. Adressing it needs strict legislation, regulation and policies to  help minimise risks and threats. But they’re not enough.


    Healthcare workers need to be more aware of risks and risky behaviours. This needs training and education on avoiding breaches and phishing attacks. They also need to be vigilent with their equipment and materials and adopt best practices.


    Even this is not enough. In a world increasingly driven by technology, having appropriate, effective and far reaching digital cover is imperative. It’s impossible to eliminate cyber-crime’s risks, so rigorous technological solutions are needed to minimise it.  Health systems and organisations have to implement and sustain the most effective holistic cyber-cover that build in modern techniques such as layering defences. Many cyber-attacks breach perimeter defences but don’t reach organisations’data. These are warning signs that need addressing and stopping. A sigh of relief isn’t cyber-security.

  • Cyber-criminals target hospitals in 2017

    As cyber-criminals step up their malevolent activities, health systems aspire to match them. Estimates from the Herjavec Group show that healthcare’s global spending on cyber-security is set to exceed US$65 billion by 2021. But, the real problem isn’t how much healthcare organisations spend, it’s how much they aren’t spending, says an article in HealthcareITNews.

    Herjavec Group’s report says cyber-attacks will become more damaging before they can be challenged. Matt Anthony, Herjavec Group’s vice president of incident response says healthcare organisations’ cyber-security’s set for a rocky year. “In 2017 healthcare providers are the bull’s-eye for hackers.”

    Bitcoin is helping cyber-criminals in their endeavours. It encourages them to pursue ransomware attacks. “Bitcoin is the engine for cybercriminality, and as long as there is an anonymous way for criminals to get paid, it’s not going to get better anytime soon,” says Anthony. “It’s a winning combination for organized crime

    Connected devices, Internet of Things (IoT), the cloud, EHRs and eHealth systems in general are not always built with cyber-security as their priority. This makes healthcare attractive to hackers.

    Hospitals also have little choice but to pay up after ransomware attacks to retrieve their patients personal data. They’re not usually prepared, underfunded, bogged down by legacy systems and really need the data cyber-criminals have encrypted. This makes them soft targets.

    “Hospitals will pay, they’ll pay fast and they’ll pay what it takes to get data back,” Anthony said. “We ask people not to pay but sometimes there’s no alternative in healthcare.”

    Access management tools and practices are slowly starting to improve, with healthcare organisations increasing the priority of cyber-security. There’s still plenty to do. Africa’s health systems implementing eHealth can learn from these experiences and ensure their systems and staff accord a priority to cyber- security measures from the onset.

  • Malicious insiders can be a major threat

    It’s important not to disregard the human side of cyber-crime and the threat it poses to healthcare, its EHRs and medical devices. The consequences can be devastating. External cyber-attackers aren’t the only threat. Real criminals can be inside healthcare. This is what happens when people trusted with personal and confidential information abuse trust and misuse their power. They’re known as malicious insiders.

    Employees, former employees, contractors or business partners can all have access to organisations’ networks, systems or data. Disgruntled, they may retaliate by stealing and releasing information that can damage organisations and patients. A global research study by Mimecast reported that an alarming 90% of organisations said malicious insiders pose a major threat.

    Findings from Pretenus Breach Barometer in an  article by Healthcare IT News reveal that the number of healthcare security breaches caused by insiders has doubled from January to February. Findings from 26 incidences reported that:

    1. Malicious insiders contributed to 58% of total breaches
    2. Their attacks are difficult to detect.

    More worrisome findings are:

    1. Only 23% of respondents are confident that their organisations have invested enough in monitoring systems
    2. The top three alleged instigators of malicious insiders threats are; 80% of employees meddling in their relatives or friends, 66% financial identity theft and 51% identity theft
    3. 57% of respondents believe that cyber-attacks are always an inside job
    4.  Attacks are usually for financial gain.  

    This evidence is a major public health concern. If disgruntled healthcare workers have access to personal and confidential patient data, it’s vital that measures are in place to deny them access. To protect patients and healthcare organisations from insider breaches the healthcare sector should invest in strengthening and protecting organisations’ networks, systems and databases especially those storing personal and confidential information.

    Acfee has information for health ICT professionals  on cyber security practices.

  • Cyber-attack exposes data of nearly 18,000 patients

    Cyber-attacks can have far reaching affects. These are multiplied when the target’s a healthcare organisation’s storing personal patient data. The  Metropolitan Urology Group in the US began notifying patients that a ransomware attack in November 2016 may have exposed their personal data. Nearly 18,000 patients were affected, according to the Department of Health and Human Services’ Office for Civil Rights, says an article in HealthcareITNews.

    The attack was on November 28, 2016. The organisation only discovered it on January 10. It took two months before it started sending notifications to patients on March 10.

    Two of the organisation’s servers were infected by a virus. It may have exposed data of patients attending between 2003 and 2010. The data contained names, patient account numbers, provider identification, medical procedure codes and dates of services. Roughly five of these patients had their Social Security numbers exposed too.

    Metropolitan Urology has been working with an ICT firm to remove the ransomware. Its learned from the experience too, and applying extra cyber-security measures to deter future attacks. All traffic from the affected servers is blocked, the firewall’s improved, email security’ stepped up and protection of all employee devices is in place. These are part of an overall upgrade to its policies and procedures. The organisation’s currently conducting a risk analysis of its ICT system to determine vulnerabilities.

    As compensation, all affected patients will receive one year of free credit monitoring. Metropolitan Urology has also set-up a call centre to answer questions about the breach.

    Any type of cyber-attack could have serious consequences for patients and the hospital. To protect patient data and ensure patients sustain their trust in eHealth services is crucial. It’s critical that organisations are aware of cyber-security threats and rectify and learn from them promptly. Regular staff training and awareness are crucial cyber-security components. Regular, routine and rigorous checks to ensure systems are intact and not breached are too. These are examples of how Africa’s health systems should approach their eHealth cyber-security endeavours.

  • How to combat SQL and XSS cyber-attacks

    Just because it’s an old hat doesn’t mean cyber-criminals give it up. Structured Query Language (SQL) the long-standing international standard for database manipulation, can still be part of a cyber-attack. SQL injection and Cross-Site Scripting (XSS) attacks enables cyber-attackers to inject client-side script, JavaScript, or Hypertext Markup Language HTML into web pages so other users can see them.

    JavaScript’s an object-oriented programming language for creating interactive effects in web browsers. HTML’s a standardised system for tagging text files to achieve font, colour, graphic, and hyperlink effects on web pages.

    SQL injections are common for Hypertext Preprocessor (PHP) applications, usually on Linux servers and with MySQL, and Active Server Page (ASP), Microsoft’s web server technology for creating dynamic, interactive sessions with users. Code Project has a post describes a small, sample code to deal with the vulnerabilities and combat these attacks. It’s available to download.

    There’s more help, advice and a demonstration on a webcast from Alien Vault. It’s released it partly because it says SQL injection and Cross-Site Scripting (XSS) attacks affect millions of users and they need Security Information and Event Management (SIEM) solutions to find these vulnerabilities. SIEM collects and correlates data to identify patterns and raise alerts on cyber- attacks.

    Watch this demo to learn more about how these attacks work and how AlienVault USM gives you the built-in intelligence you need to spot trouble quickly.

    1. How these attacks work and what you can do to protect your network
    2. What data you need to collect to identify the warning signs of an attack
    3. How to identify impacted assets so you can quickly limit the damage
    4. How Unified Security Management (USM) can simplify detection with built-in correlation rules and threat intelligence.

    Both sources offer Africa’s eHealth projects a start. It also needs to be part of comprehensive cyber-security strategies.