
Posts Tagged ‘#securemail’


Cyber Ransom Attacks Panic Hospitals, Alarm Congress

July 21, 2016

When the Obama administration pushed out a $35 billion incentive program to pay doctors and hospitals to convert to electronic records, the idea was to modernize the health care industry, not serve it up on a platter to cyber criminals.
But now, American hospitals face weekly ransom threats. If they don’t pay up, files get frozen, surgeries delayed and patients sent across town. One of these days, someone could die as a result. And no one in government has a clear plan to handle it.
Such are the unintended consequences of shovel-ready projects.
The incentive program, which started paying out cash in 2011, “thrust tens of thousands of health care providers into the digital age before they were ready,” says David Brailer, chief of health IT in the second Bush administration. “One area where they were woefully unprepared is security. It created thousands of vulnerabilities in hospitals and practices that lack the budget, staff or access to technical skills to deal with them.”
Desperate hospitals have asked the feds for new financial incentives to boost their security. But Congress seems in no mood to cough up the necessary billions. It created a task force to come up with a report on how an alphabet soup of federal agencies can establish a chain of command for health care security.
Meanwhile, cybercrime attacks are mounting so rapidly that they challenge the financial stability of some health systems, according to experts in information security. The intrusions are interfering with efforts to improve data sharing in health care — and could even threaten patient safety.
Just this week, a Kansas hospital said it paid a large ransom to unblock frozen records — then was told it had to pay more in order to free all the files.
“It’s only a matter of time before someone gets hurt,” Sen. Sheldon Whitehouse (D-R.I.) said during a hearing this month after well-publicized ransomware attacks hit hospitals in Kentucky, California and the nation’s capital.
Whitehouse and Sen. Lindsey Graham (R-S.C.) filed a bill this month to punish cyber criminals if their attacks result in health care system deaths or injuries. But first, they’d have to find perpetrators — in Russia, Eastern Europe or in hidden recesses of the Dark Web.
More rules won’t help, Brailer says. Hospital licensing requirements and medical privacy laws already include extensive security requirements, but providers rarely follow best practices, he said.
The FDA and the Office for Civil Rights in the Health and Human Services department use penalties and guidance documents to push providers and device makers to use better “cyber hygiene.”
Members of Congress also want hospitals to be more dutiful. “If you aren’t following good practices, the regulatory environment isn’t going to save you,” says Rep. Will Hurd (R-Texas), leader of the House Oversight cybersecurity subcommittee. While FBI and other agencies can do better at sharing threat intelligence, “health care has to help itself.”
More federal inspections might increase readiness, but none of these measures attack the underlying problem — the massive gap between the industry’s needs and its resources, Brailer said.
Meanwhile, hackers are launching billions of health care-focused attacks. One major health system was bombarded with a million emails in March alone seeking to implant ransomware in its computers. A small Kentucky hospital had 3,500 attacks on Mother’s Day, according to Leslie Krigstein, vice president of CHIME, the College of Healthcare Information Management Executives.
Last year there were 54 “zero-day,” or brand-new, attacks: roughly once a week, in other words, hackers sent out an electronic bug so novel that no security software could recognize it.
Ransomware is of particular concern. In these attacks, hackers send out code that freezes computer files until the owner pays a ransom in untraceable Bitcoins in exchange for a decryption key to unfreeze them. The attacks allow hackers to cash in quickly, whereas stolen medical records may be more difficult to monetize. (More than 100 million records were stolen in 2015 — some for sale on the black market or use in Medicare fraud, some by state actors, apparently for intelligence purposes.)
Freakout in the C-Suite
For the first time, the threat of cyberattacks is grabbing the attention of senior health care executives, said Russell Branzell, CHIME’s CEO; the executives are “freaking out,” he says, as we “enter into a security war for health care.”
Cybersecurity legislation signed into law last year allows health care companies to share information about threats they’ve encountered without risk of being sued for any data breaches they reveal. Other privately run organizations also serve this purpose.
But complying with such recommendations can require major investments — millions to hire new security teams and consultants and to buy new software. Added security spending might mean forgoing a new MRI system, or delaying the hiring of new nurses.
“Cyberthreats are knocking on your door every time you open your laptop or your phone,” said Ty Faulkner, a cyber consultant. “If you aren’t monitoring and checking your data, I question whether you are following good business processes.”
But “many of our members can’t afford the technology and tools they need at this point,” said Branzell. “It’s moving so fast that you could update everything, spend way more than you’re budgeting for, then the next wave of bad guy stuff comes up and you’re already behind again.”
“If you peer into the dark minds of a lot of hospital executives, they are rolling the dice as to where they allocate their budgets,” said Clinton Mikel, an attorney with Health Law Partners.
Health care firms are spending vast sums to lure chief information security officers away from the financial and energy sector. The job description hardly existed in health care two years ago — now there are 500 just in Branzell’s organization.
Some companies are hiring security consultants on a semi-permanent basis, said Mac McMillan, co-founder and CEO of CynergisTek — one of those firms. If they don’t spend that big dough, many worry, a criminal breach of their information could result in bankruptcy levels of litigation.
Cyber insurance protects against some costs, but underwriters won’t write a policy unless the hospital system can demonstrate it is already spending plenty to defend itself.
Successful attacks are inevitable, security experts say. They talk of techniques such as compartmentalizing software, so that a hack can be confined to a small area of the computer system, or programs that detect unusual computer activity within an organization, a sign that a bug has already penetrated the system.
“Most organizations can’t do that for themselves,” McMillan said. “More and more, people are saying to us, ‘I want a partner’ because cybercrime has become an industry.”
Medical devices: A ripe target?
The targets of attack within health care are practically limitless. “It’s hard to imagine a more complex and diverse environment than a hospital,” said Dave Palmer of Darktrace, a company whose technology searches for unusual behavior within networks.
“You have doctors and staff walking around with tablets, millions of dollars worth of scanners and sensitive machinery, all of it digitally integrated. You have visiting consultants there, maybe only a few days a week. Staff, porters, cleaning people.”
Users may not understand that bedside devices like monitors need to be secured, said Dennis Gallitano, a leading cyber attorney. Most cyber strategies are built around detecting and keeping out bugs, but “what about tunnels through the backdoor — a fax machine or pump?”
Device manufacturers are not required to meet the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA); security experts say their protection is often lax, offering an attractive target for hackers looking for new ways into health systems. The FDA has begun working with manufacturers to improve device cybersecurity.
Security conflicts with transparency
One of the main purposes of electronic health records is to encourage information sharing among doctors, so that patients can be looked after in a more holistic way. Cyberthreats, some worry, could lead to a clampdown, because health care companies are leery of sharing data with institutions that might not be secure.
“There is very much a conflict in health care,” Branzell acknowledged. “The traditional model is, ‘Lock the world down.’ That doesn’t work in a world where we’re being asked to become more and more transparent and engage with our patients … With more patient engagement you’ve got people working from home on their Wi-Fi networks.”
Security should not be used as an excuse to block transparency, says Fred Trotter, a hacker and data journalist who serves on HHS’ Cybersecurity Task Force. In Trotter’s view, the solution is to make a distinction between ordinary cybertheft and hacking that has patient safety implications.
Cyberattacks that might, say, cripple an MRI machine until a ransom is paid, he believes, should be classed with other health IT safety issues, such as poor usability or bad software design that could lead to medical errors.
An evil genius and a wayward duck (or chicken, or pig) are equally capable of starting a lethal viral epidemic. By the same token, it shouldn’t matter whether a hacker or a stuck mouse button creates a clinical safety problem, he said.
HHS’ Office of the National Coordinator for Health IT has tried for years to create a safety center where threats and problems with software can be shared, discussed and remedied.
Congress has refused to provide the budget.


Call For Government, Industry To Share More On Cybersecurity Threats

July 18, 2016

The federal government and industry have been urged to work together to share information on cyber security threats and attacks to counter the increasing sophistication of cyber adversaries.
According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential, material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that the information (to be shared) itself is important – but it must be actionable, and must arrive in as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them, and that many feel that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Some of the other challenges and “perceived barriers” to greater cyberthreat information sharing that Duca maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.


FBI’s Secret Surveillance Tech Budget Is ‘Hundreds of Millions’

June 27, 2016


The FBI has “hundreds of millions of dollars” to spend on developing technology for use in both national security and domestic law enforcement investigations — but it won’t reveal the exact amount.
Deputy Assistant Director of the FBI James Burrell spoke about the secretive budget of the Operational Technology Division — which focuses on all the bureau’s advanced investigative gizmos, from robots to surveillance tech to biometric scanners — during a roundtable discussion on encryption technology.
In December 2015, The Washington Post reported the budget of the FBI’s Operational Technology Division at between $600 and $800 million, but officials refused to confirm the exact amount.
The FBI did not respond to a request for comment from The Intercept on the division’s budget.
The intelligence community sponsored the roundtable on Thursday and Friday to spark discussion among academics, scientists, developers, and tech officials on the finer points of encryption — and to try to answer whether it’s technically possible to give law enforcement access to secure devices without compromising digital security.
The National Academies of Science, Technology, and Medicine hosted the workshop, which included Chris Inglis, former deputy director of the NSA; James Baker, the top lawyer for the FBI; and tech officials from Apple, Microsoft, and other companies.
Burrell said the FBI divides its technical focuses into two areas: core IT capabilities, and the Operational Technology Division, which devotes resources to researching and developing technology “specifically for use in investigations.”
The division’s budget had to be put “into context,” Burrell stressed. Resources are split between tools developed for national security investigations versus domestic law enforcement. “Sometimes we’re not able to use the technology we develop for one side equally on the other,” because some technology is classified, he said.
The FBI has tried to keep evidence gleaned from its advanced, national security technology secret in court proceedings relating to domestic investigations — technology like Stingrays, which mimic cell phone towers to track location information of an entire geographical area. The FBI has even chosen to throw out legal prosecutions to hide its technical capabilities — a controversial decision that’s been criticized by advocates for transparency.
The bureau has also repeatedly stressed how challenging and expensive it is to develop capabilities to hack into devices rather than have a mandated access point in encryption. “Hacking devices, … of course we do it, but it is slow,” Baker said in his concluding remarks. “It’s expensive, it’s very fragile.”
The FBI has requested more than $100 million in additional funding for its Operational Technology Division and Cyber Division for 2017 — pushing the grand total closer to a billion, if the Washington Post’s figure is accurate. The FBI asked for over $85 million to bulk up its cyber offense and defense — and over $38 million to counter, through technological means, the problem that encryption and other anonymity software poses during investigations.
“Of all kinds of government secrecy, budget secrecy is the least defensible,” Steven Aftergood, director of the Project on Government Secrecy run by the Federation of American Scientists, wrote in an email to The Intercept. Publishing the budget is required by the Constitution, he pointed out.
Agencies often prefer not to divulge budgets in order to keep some programs below the radar, or because keeping the amounts secret “helps to obscure large increases or decreases in funding that could attract unwanted attention,” he said.
“But spending levels do not reveal operational information — about targets, or capabilities, or vulnerabilities — and therefore they should almost always be disclosed,” he concluded.
The work done by the Operational Technology Division has received more attention since the 2015 San Bernardino shootings. Access to encrypted communications has become a national issue following the FBI’s battle with Apple over obtaining access to the San Bernardino shooter’s phone, which was encrypted.
Technology officials largely agree that giving any sort of “exceptional access” to software would damage an already fragile digital security regime experts have spent decades trying to improve.
During the first panel session, the conversation turned to what the FBI might be able to do instead of supporting mandated “backdoors” or security holes in products in order to intercept communications of suspects.
Baker, the bureau’s top lawyer, said the FBI’s technical capabilities are “finite” but “in some ways” are “better and increasing every day.”
By Jenna McLaughlin
www.theintercept.com


Senate Majority Leader Mitch McConnell (R-KY) speaks during a news conference as Senator John Barrasso (R-WY) listens on Capitol Hill in Washington March 8, 2016. REUTERS/Joshua Roberts

Invoking Orlando, Senate Republicans Set Up Vote To Expand FBI Spying

June 21, 2016

U.S. Senate Majority Leader Mitch McConnell set up a vote late on Monday to expand the Federal Bureau of Investigation’s authority to use a secretive surveillance order without a warrant to include email metadata and some browsing history information.
The move, made via an amendment to a criminal justice appropriations bill, is an effort by Senate Republicans to respond to last week’s mass shooting in an Orlando nightclub after a series of measures to restrict guns offered by both parties failed on Monday.
“In the wake of the tragic massacre in Orlando, it is important our law enforcement have the tools they need to conduct counterterrorism investigations,” Senator John McCain, an Arizona Republican and sponsor of the amendment, said in a statement.
The bill is also supported by Republican Senators John Cornyn, Jeff Sessions and Richard Burr, who chairs the Senate Intelligence Committee.
Privacy advocates denounced the effort, saying it seeks to exploit a mass shooting in order to expand the government’s digital spying powers.
Senator Ron Wyden, an Oregon Democrat, criticized a similar effort last month as one that “takes a hatchet to important protections for Americans’ liberty.”
The amendment would broaden the FBI’s authority to use so-called National Security Letters to include electronic communications transaction records such as time stamps of emails and the emails’ senders and recipients.
The Obama administration for years has lobbied for a change to how NSLs can be used, after a 2008 legal memo from the Justice Department said the law limits them largely to phone billing records. FBI Director James Comey has said the change essentially corrects a typo and is a top legislative priority for his agency.
NSLs do not require a warrant and are almost always accompanied by a gag order preventing the service provider from sharing the request with a targeted user.
The letters have existed since the 1970s, though the scope and frequency of their use expanded greatly after the Sept. 11, 2001, attacks on the United States.
The amendment filed Monday would also make permanent a provision of the USA Patriot Act that allows the intelligence community to conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, is currently set to expire in December 2019.
A vote is expected no later than Wednesday, McConnell’s office said.


With Ransomware On The Rise What Can You Do To Protect Yourself From Ransomware Attack

June 20, 2016

Recent attacks on hospitals around the world, in which hackers obtained the records of hundreds of thousands of patients, show the scale of the problem. The rising wave of ransomware attacks on healthcare arrives mainly through phishing email, and it persists because the healthcare industry underestimates the importance of basic cybersecurity measures.
In the Wyoming Medical Center email scam, nearly 3,300 patients’ sensitive records were exposed. The attack used a legitimate-looking phishing email; an employee responded to it, giving the attackers access to the hospital network, from which they obtained patients’ personal information: names, contact details, health insurance details, Social Security numbers and other sensitive data that could cause harm in the wrong hands.
Based on these recent attacks on healthcare establishments, the information security industry generally recommends several crucial tips to keep a corporate email network from falling victim to a phishing scam:
1. If you receive an Excel file or other document instructing you to enable options such as macros in order to view the so-called “important information”, do not do it.
2. NEVER provide your password to anyone via email.
3. If you are a healthcare establishment, use only a HIPAA-compliant email service (ShazzleMD is one of them: it provides an easy solution, requires no password and works like any other email).
Be suspicious of any email that:
4. Requests personal information.
5. Contains spelling and grammatical errors.
6. Asks you to click on a link.
7. Is unexpected, or comes from a company or organization with which you do not have a relationship.
8. Includes multiple other recipients in the “To” or “CC” fields.
9. Displays a suspicious “From” address, such as a foreign domain for a U.S. company, or a Gmail or other “disposable” address for a business sender. Even when the sender’s address looks legitimate, however, it can still be “spoofed” (falsified) by a malicious sender.
If you are suspicious of an email:
10. Do not click on the links in the email.
11. Do not open any attachments in the email.
12. Do not provide personal information or financial data.
13. Forward the email to the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov, then delete it from your inbox.
14. Although HHS’ CSIRC undoubtedly does not want a barrage of emails from the staff of non-government entities reporting potential phishing attacks, a covered entity or business associate should define a similar process for its own staff to follow when a suspicious email is identified.
Following the above tips will improve the defence of a healthcare network, and of any other network, against ransomware attacks delivered via phishing emails, which are increasing rapidly every month.
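To make the warning signs above concrete, here is an added example (not part of the original post and not ShazzleMail’s software) that parses a raw message with Python’s standard email package and reports which of the listed indicators it trips. The two sample messages, the hospital.example and wmc-billing.example domains and the recipient threshold of 5 are constructed assumptions for illustration.

```python
"""Heuristic phishing triage for the email checks listed above (added example,
not ShazzleMail code). Parses a raw RFC 5322 message with Python's standard
`email` package and flags the signs the tips describe. Samples are constructed."""
import re
from email import message_from_string
from email.policy import default

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm", ".xls", ".doc")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed phishing sample: business-looking sender on a free-mail domain,
# many recipients, a link, a password request and a macro-capable workbook.
PHISHING_EML = """\
From: "Wyoming Medical Center Billing" <billing.wmc@gmail.com>
To: a@hospital.example, b@hospital.example, c@hospital.example, d@hospital.example, e@hospital.example
Subject: Important information - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached invoice and enable macros to view the important information.
Confirm your password at http://wmc-billing.example/login within 24 hours.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign sample: internal notice, one recipient, no link.
BENIGN_EML = """\
From: "Hospital IT Service Desk" <servicedesk@hospital.example>
To: nurse@hospital.example
Subject: Scheduled maintenance tonight
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The EHR system will be unavailable from 02:00 to 03:00 for maintenance.
No action is required on your part.
"""


def analyze_message(raw, recipient_threshold=5):
    """Return {"findings": [...], "suspicious": bool} for one raw message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = body.lower()

    # Tip 1: a document that wants macros or "content" enabled.
    if any((a.get_filename() or "").lower().endswith(MACRO_EXTENSIONS)
           for a in msg.iter_attachments()):
        findings.append("Office attachment that can carry macros")
    if re.search(r"enable (macros|content|editing)", text):
        findings.append("body asks to enable macros/content")

    # Tips 2 and 4: asks for a password or other personal information.
    if re.search(r"\b(password|passcode|ssn|social security)\b", text):
        findings.append("requests a password or personal information")

    # Tip 6: asks the reader to click a link.
    if URL_RE.search(body):
        findings.append("contains a link")

    # Tip 8: many recipients in To/Cc.
    recipients = sum(len(msg[h].addresses) for h in ("to", "cc") if msg[h])
    if recipients >= recipient_threshold:
        findings.append(f"{recipients} recipients in To/Cc")

    # Tip 9: display name claims an organisation the address domain does not fit.
    if msg["from"] and msg["from"].addresses:
        sender = msg["from"].addresses[0]
        domain, display = sender.domain.lower(), sender.display_name.lower()
        words = re.findall(r"[a-z]{4,}", display)
        if domain in FREE_MAIL_DOMAINS and display:
            findings.append(f"'{sender.display_name}' sends from free-mail domain {domain}")
        elif words and not any(w in domain for w in words):
            findings.append(f"'{sender.display_name}' does not match domain {domain}")

    return {"findings": findings, "suspicious": len(findings) >= 2}
```

Two or more findings mark a message for the “If you are suspicious of an email” steps; the heuristics are deliberately simple and are a triage aid, not a replacement for mail filtering.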
