• Cybercrime
  • Combat phishing with Imprivata’s four steps

    Firewalls and high fences aren’t sufficient to stop phishing attacks. Imprivata, an ICT security firm, says only 33% of organisations feel fully prepared to defend against phishing, and now there’s whaling and spear phishing too, aiming at precise targets with maliciously disguised techniques. Its report Avoid becoming the catch of the day: Four steps to combat phishing attacks says preventing phishing depends on users’ ability to tell the difference between legitimate and illegitimate information requests, but this is becoming harder to do. Imprivata proposes:

    • Assess internal vulnerabilities
    • Take away the keys
    • Improve the lock
    • Increase end-user education.

    Assessing the risks of internal vulnerabilities needs CIOs and cyber-security teams to:

    • Identify the most likely forms of attack, such as key employee behaviours
    • Identify contributing factors and workflow needs that cause clinical and administrative staff to favour risky behaviours, using techniques such as internal penetration testing
    • Understand why these vulnerabilities exist
    • Eliminate vulnerabilities’ root causes by managing risky employee behaviours through technology, policy, and social means.

    Taking away the keys starts with improving passwords, the hackers’ keys that can easily be stolen by preying on human nature. Single Sign On (SSO) can eliminate access to most keys by replacing manual password entry with automated authentication, such as a proximity badge. It removes the need for manually entered passwords and time-consuming logins.

    Improving the lock is needed where passwords are still required, such as access to remote networks like Virtual Private Networks that need a username and password. These are points of vulnerability. Two-factor authentication technologies can help to protect them, such as requiring a hardware eToken that hackers can’t use, followed by a username and password.

    Increasing user education should include information that users can apply promptly. Examples are:

    • Never enter usernames and passwords into their apps on the premises, because the ICT is already enabled
    • If they’re prompted for passwords, something’s wrong and needs red-flagging for the ICT and cyber-security teams
    • Configuring systems so users can’t enter their passwords manually.

    As cyber-criminals turn to Africa’s eHealth, health systems can consider these as part of their defences. It costs, but so does a successful phishing attack.

  • What’s your health record worth to cyber criminals?

    Cyber-crime in the health care sector is growing. Latest reports show that healthcare has the highest occurrence of cyber-security mishaps of all industries. It’s bottom of the league table for its ability to fix software vulnerabilities. But there may be a very small silver lining. Healthcare records are not as valuable as banking details to cyber-criminals.

    An article in ITONLINE says the price per record for stolen patient medical records remains lower than financial account records and retail payment account information. This is a finding from Intel Security’s McAfee Labs Health Warning which:

    • Assesses the marketplace for stolen medical records
    • Compares it with the marketplace for stolen financial services data
    • Identifies healthcare cyber-crime trends
    • Profiles cyber-crime targeting intellectual property in the pharmaceutical and biotechnology industries.

    The Intel Security research asserts that the development of the market for stolen data and related hacking skills indicates that cyber-crime in healthcare is growing.

    “In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success,” says Raj Samani, Intel Security’s chief technology officer for Europe, the Middle East, and Africa. “Given the growing threat to the industry, breach costs ought to be evaluated in the Second Economy terms of time, money, and trust, where lost trust can inflict as much damage upon individuals and organisations as lost funds.”

    In recent years, the cyber-criminal community has extended its data theft efforts beyond financial account data to medical records. Although credit and debit card numbers can be cancelled and replaced quickly, protected health information (PHI) doesn’t change. PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.

    This dynamic has led to industry speculation that the price per medical record could soon rise to match or even eclipse that of financial account or payment card data, but Intel Security’s 2016 research doesn’t support this theory. It found the average health record price was greater than that of basic personally identifiable information, but still less than personal financial account data. The per-record value of financial account data ranged from $14 to $25, while credit and debit cards drew around $4 to $5. Medical account data earned between $0.03 and $2.42 per record.

    The findings suggest that financial account data continues to be easier to realise than personal medical data. Stealing medical records may enable cyber-criminals to analyse them and cross-reference them with other data to identify lucrative fraud, theft, extortion, or blackmail opportunities. Financial data still presents a faster, more attractive return on investment for cyber-criminals.

    Healthcare records may not currently be as valuable as banking details to cyber-criminals, but this may change. Healthcare organisations need to be more vigilant than ever to ensure the security of their systems and their patients’ data. Training and educating staff is an essential component of keeping healthcare data safe and should be part of each healthcare organisation’s cyber-security policies.

  • A shock-horror ransomware tale’s real

    Suddenly, a deluge of internal calls to the ICT help service had users clamouring for their files to be restored. The ICT team of three, including a new starter on the day of the cyber-attack, couldn’t cope with the volume or the problem. The story unfolds in a blog from Barkly.

    A call for help to the ICT consultant used for backups found that the backups hadn’t been kept up to date. The team placed another call to its ICT supplier. In the meantime, a secondary server stopped and wouldn’t restart. Dozens of folders with important data, located on shared drives, didn’t have duplicates stored separately.

    Then, the new starter revealed she had opened an email from a company the organisation had never used, saying it had a shipping invoice, but couldn’t remember if she had opened the attached .zip file. Ooops.

    Five weeks were dominated by servers, networks, backup research, data recreation and disaster communications. All the other projects were on hold while the server was replaced and installed, databases were upgraded, software that wasn’t compatible with the newer operating system was fixed, the network was rebuilt from scratch with better group policies and permissions, and a more secure infrastructure and backup environment was proposed to minimise risks and future costs, a battle only partially won.

    The result was being more secure than before the attack. This was not enough. Systems weren’t as secure and recoverable as they could’ve been. Four lessons emerged from the harrowing episode:

    • Some scary things are real
    • Always fix broken systems straight away, even if someone else broke them before you inherited them
    • The pain of forking over some time and cash to set things up right is nothing compared to scrambling to recover from a disaster
    • Use multi-layered security and backups.

    Cyber-security was identified as an important issue at Acfee’s African Economic Forum in September. It’s assembling white papers, reports and stories like this to provide Africa’s eHealth leaders with access to advice on cyber-security so they can take action rather than waiting until there’s a breach.

  • Sharing to beat cyber-attacks needs more standardisation

    Africa’s eHealth needs more cyber-security initiatives to prepare to respond better to future onslaughts. Three measures are identified in FierceHealthcare. They’re:

    • More sharing about breaches
    • Standardise as many platforms as possible to increase the transferability, and so the value, of shared cyber-threat experiences
    • Classify and report all ransomware attacks as cyber-security breaches.

    These are some of the views of Jeffrey Vinson, chief information security officer at the USA’s Harris Health System. In his interview with HealthcareInfoSecurity.com, he goes on to say that platforms are also not yet mature, so healthcare organisations can’t find enough reliable, realistic, actionable intelligence from the information coming to them. They also face resource challenges in digesting the information and taking effective action.

    These views are drawn from a Harris Health System project financed by a Department of Health and Human Services grant to study the healthcare cybersecurity landscape. It’s now in its second phase of polling organisations about capacity planning.

    While ransomware’s on the increase, and now one of the biggest threats, Vinson says there’s not much guidance on what organisations need to do in the event of an attack. This highlights a challenge for Africa’s health systems too. It may be rectified when the Office of the National Coordinator for Health IT selects one organisation to take a lead role in cyber-threat information sharing. This could be a model for Africa’s health systems.

  • McAfee Labs: Cyber attacks on hospitals on the rise

    Following the targeted ransomware attacks on hospitals earlier this year, Intel Security investigated the attacks, the ransomware networks behind them, and the payment structures enabling cybercriminals to monetise their malicious activity. The article in IT-Online identified nearly $100 000 in payments from hospital ransomware victims to specific bitcoin accounts. While healthcare is still a small proportion of the overall ransomware ‘business,’ McAfee Labs expects the numbers to grow.

    They attribute the increased focus on hospitals to the reliance on legacy IT systems, medical devices with weak or no security, third-party services that may be common across multiple organisations and the need for hospitals to have immediate access to information to deliver the best possible patient care. “As targets, hospitals represent an attractive combination of relatively weak data security, complex environments and the urgent need for access to data sources, sometimes in life or death situations,” says Vincent Weafer, vice-president of Intel Security’s McAfee Labs. “The new revelations around the scale of ransomware networks and the emerging focus on hospitals remind us that the cybercrime economy has the capacity and motivation to exploit new industry sectors.”

    The report also found that retail and financial services organisations have deployed the most extensive protections against data loss, and have been very responsive to cyber-attacks. Having sustained fewer cyber-attacks historically, healthcare and manufacturing enterprises have made fewer IT security investments and, accordingly, possess the least comprehensive data protection capabilities.

    The weaker defences in these two sectors are particularly disturbing given that cybercriminals are clearly shifting their focus to personally identifiable information, personal health records, intellectual property, and business confidential information.

    The cybercriminals’ motive is ease of monetisation, with less risk. Corporations and individuals can easily cancel stolen payment cards soon after a breach is discovered. But you can’t change your most personal data or easily replace business plans, contracts, and product designs.

    In the second quarter of 2016, McAfee Labs’ global threat intelligence network detected 316 new threats every minute, or more than five every second, and registered notable surges in ransomware, mobile malware, and macro malware growth:

    • Ransomware. The 1.3 million new ransomware samples in Q2 2016 is the highest number recorded since McAfee Labs began tracking this type of threat. Total ransomware has increased 128% in the past year.
    • Mobile malware. Nearly 2 million new mobile malware samples. Total mobile malware has grown 151% in the past year.
    • Macro malware. New downloader Trojans such as Necurs and Dridex delivering Locky ransomware saw a 200% increase in new macro malware in Q2.
    • Mac OS malware. Diminished activity from the OSX.Trojan.Gen adware family dropped new Mac OS malware detections by 70% in the second quarter.
    • Botnet activity. Wapomi, which delivers worms and downloaders, increased by 8% in Q2.

    There is no denying that cyber-crime activities and incidents are on the rise. Hospital and patient data is no longer safe. With new malware and ransomware samples being created daily, hospitals need to be vigilant. Cyber-criminals know that patient data is valuable and that hospitals are likely to pay to get their stolen data back. Hospitals need to constantly update their cyber-security and train their staff so that they are aware of the risks and can identify and help plug possible loopholes.

  • A handbook for ransomware protection can help

    Ransomware’s grown rapidly from fringe cyber-attack activity to become a widespread epidemic. It’s affecting healthcare organisations directly. Ransomware Protection 101: A Healthcare IT Handbook from Barkly, an ICT security firm, describes how to prepare for the increasing probability of a ransomware attack. It includes tips for avoiding infection too. It says that healthcare organisations are 4.5 times more likely than companies in other sectors to be attacked by CryptoWall, a very destructive variant of ransomware that holds your data hostage. Africa’s eHealth isn’t immune.

    The guide’s contents include:

    • What a ransomware attack on a healthcare provider looks like
    • An insight into the biggest healthcare ransomware attack to date
    • How ransomware can affect your organisation
    • The first five things to do in the event of an attack
    • How to protect your organisation from a ransomware attack
    • Six things to do to prevent and recover from ransomware
    • A checklist to check how ready you are to prevent or recover from a ransomware attack.

    While preventing ransomware is considerably better than recovering from it, in a large organisation it’s hard to guarantee complete protection. The checklist helps you to prepare for the disruptive eventuality. The handbook also helps you to develop your cyber-security strategy and eHealth regulations, which can’t be allowed to ossify as cyber-criminals find more ingenious ways to attack.


    Image from Kaspersky Lab

  • Beware; ransomware’s using JavaScript

    There are many routes into your computer systems that ransomware can choose. They include email attachments, malicious websites, kits, infected USBs and network worms. Word documents containing malicious macros are common. When they’re authorised to run, they install and launch malware, without warnings or download dialogues.

    A drawback for cyber-criminals is that macros are turned off by default, so users have to be tricked into switching them back on after malicious documents are opened. Typical emails used for this tell you, in simple language, that you’re due in court in a few days, or you haven’t paid an invoice, so click on a link for more details. Now, cyber-criminals are switching to more subtle methods. Naked Security by Sophos has a report saying ransomware written in 100% pure JavaScript, a programming language used for websites, is on the loose.

    The .js suffix on malicious files doesn’t show in Windows, because Windows hides the final file extension by default. A Sophos example is Invoice.txt.js, which shows as Invoice.txt. The files also have an icon like a parchment scroll, so they look like documents, not programs. The .js file downloads the ransomware from a server as a Windows .EXE program and launches it to do its devious, destructive deeds.

    Sophos has found a new JavaScript ransomware sample called RAA. It’s disguised as a document and starts encrypting files when it’s opened. While some email systems automatically block files with a .js suffix, the advice is not to open attachments from unknown sources.
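    The double-extension disguise described above is easy to check for on the defending side. The following is an added example, not code from the Sophos report: it reproduces how Explorer displays a name with extensions hidden (only the final extension is dropped), flags attachments whose real extension is a script or program type, and flags those that also carry a harmless-looking inner extension such as Invoice.txt.js. The list of runnable extensions and the sample attachment names are assumptions constructed for the example.

```python
import os

# Assumption (not from the Sophos report): extensions Windows treats as runnable
# scripts or programs when a user double-clicks the file. Extend for your own policy.
RUNNABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                 ".exe", ".scr", ".bat", ".cmd", ".ps1"}


def displayed_name(filename: str) -> str:
    """Return the name Explorer shows when 'Hide extensions for known file
    types' is on: only the final extension is dropped, so Invoice.txt.js
    is displayed as Invoice.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def assess_attachment(filename: str) -> dict:
    """Classify one attachment name.

    runnable  - the real (final) extension is a script or program type
    disguised - runnable AND the part the user sees ends in a second,
                harmless-looking extension (the Invoice.txt.js trick)
    """
    stem, ext = os.path.splitext(filename)
    inner_ext = os.path.splitext(stem)[1]
    runnable = ext.lower() in RUNNABLE_EXTS
    disguised = runnable and bool(inner_ext) and inner_ext.lower() not in RUNNABLE_EXTS
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "runnable": runnable,
        "disguised": disguised,
    }


def quarantine(filenames):
    """Return the attachment names a mail gateway should hold back: every
    runnable script or program, whether or not it uses a double extension."""
    return [n for n in filenames if assess_attachment(n)["runnable"]]


if __name__ == "__main__":
    # Constructed sample attachment names, including the Sophos example.
    samples = ["Invoice.txt.js", "report.pdf", "scan_0042.PDF.exe",
               "notes.txt", "update.js"]
    for name in samples:
        print(assess_attachment(name))
    print("quarantine:", quarantine(samples))
```

    The check matches on the real extension rather than the displayed name, so it catches both the plain update.js case and the disguised Invoice.txt.js case that a user would misread.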

    This more effective cyber-attack reinforces the need for Africa’s health systems to have sustained, regular and effective cyber-security training. It’s users that can make the difference.

  • Cyber-crime's becoming more personal

    Cyber attacks are constantly evolving. The latest trend among cyber-criminals is to target and even filter out specific countries when designing ransomware and other malicious cyberattacks. An article in IT-Online says this is one of the findings from SophosLabs research that includes information from millions of endpoints worldwide.

    Sophos says that to attract even more victims, cyber-criminals are now crafting customised spam to carry threats using regional vernacular, brands and payment methods for better cultural compatibility. Ransomware cleverly disguised as authentic email notifications, complete with counterfeit local logos, is more believable, highly clickable and therefore more financially rewarding to the criminals. 

    Cyber-criminals have even gone as far as impersonating reputable companies like local postal, tax and law enforcement agencies and utility firms, including phony shipping notices, refunds, speeding tickets and electricity bills. “You have to look harder to spot fake emails from real ones,” says Chester Wisniewski, senior security advisor at Sophos. “Being aware of the tactics used in your region is becoming an important aspect of security.”

    Researchers also saw historic trends of different ransomware strains that targeted specific locations. The analysis also shows Threat Exposure Rates (TER) for countries during the first three months of 2016. Although western economies are more highly targeted, they typically have a lower TER. Nations ranked with the lowest TER include France at 5.2%, Canada at 4.6%, Australia at 4.1%, the US at 3%, and the UK at 2%. 

    African countries were at an average level: 

    • Tanzania 11.1%
    • Kenya 11.5%
    • South Africa 11.6%
    • Egypt 12.4%
    • Angola 15.7%
    • Nigeria 15.7%
    • Tunisia 16.4%
    • Morocco 16.6%
    • Uganda 24.9%
    • Ghana 25.5%
    • Mozambique 28.3%
    • Algeria 30.7%
    • Zambia 35.5%
    • Malawi 39.4%.

    Reasons behind specific country attacks remain unclear. One thing’s certain: all countries are at risk and anybody could be a cyber-crime victim.

    Attacks on African countries have been on the rise, possibly due to their low security levels. Healthcare departments and hospitals need to be vigilant. While updating security software is crucial, educating staff and keeping them up to date on cybercrime trends is key to keeping data safe and secure.

  • Malvertisements are a growing cyber-threat

    Online adverts that slow down Internet access are annoying. It’s worse than annoying if they’re malevolent. A post on Trustwave says these malvertisements are a recent and growing threat, and sets out eight reasons why.

    Malvertisements hide malicious code that can sneak past security barriers. Their popularity and use increased by 300% from 2014 to 2015. Cyber-crooks can buy expired domains that include legitimate adverts, then embed malicious code into them. It’s vital that cyber-security measures deal with them because:

    • Their use’s been increasing since they were first used in 2007
    • They can crop up on any website
    • They’re cheap to buy and can be customised
    • They make more sense than compromising a single site
    • They spread nasty payloads including the Bedep Trojan and TeslaCrypt ransomware
    • They neutralise the power of educated users because awareness doesn’t help
    • They take advantage of overlooked patches and unused programs
    • They can evade legacy security solutions.

    It’s another cyber-security headache for Africa’s health systems. The need for specialist teams is growing.

  • Ransomware's becoming more brutal

    Ransomware’s on the increase. eHNA recently posted on the increasing threat for healthcare. It seems it’s becoming much more brutal and harder to deal with, with healthcare still in its sights. Africa needs to prepare for it. Versions that are threatening are Petya and MSIL/Samas.

    Ransomware usually encrypts the files on the victim's hard drives and leaves the operating system working properly. The result is access denied to the encrypted documents. Bleeping Computer, a blog, says Petya Ransomware encrypts parts of the hard drive so computers can’t start.

    It looks for Windows’ Master Boot Record and infects it with a malicious ransomware loader. It’ll then cause Windows to reboot to execute the new loader and display a screen pretending to be CHKDSK. Then, Petya encrypts the Master File Table on the drive, so computers don’t know where files are located, or if they exist, and the files are not accessible.

    MSIL/Samas aims to encrypt data across networks using Jexboss, a publicly available security program that finds vulnerable JBoss versions, then attacks the servers it finds and scrambles their data. Microsoft rates MSIL/Samas as a severe threat. It has a download that can detect and remove it.

    The Microsoft Malware Protection Centre has a web page about ransomware. It sets out the top ten threats. Up to November 2015, Crowti was the biggest threat. FakeBsod was second.

    It’s unwise to assume that Africa’s health systems won’t be targets. Ransoms are not always huge payments, so all organisations are susceptible. Many ransomware attacks are hidden in attachments to plausible-looking emails, reinforcing the need for regular user education and training as an important line of vigilance and defence.