The Federal Bureau of Investigation (FBI) is warning businesses to be on the lookout for a rise in ransomware attacks.
On Friday, the FBI published a letter revealing that the threat posed by ransomware to hospitals, state and local governments, law enforcement, small businesses, and private individuals is growing.
“Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher,” the letter reads. “And if the first three months of this year are any indication, the number of ransomware incidents – and the ensuing damage they cause – will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.”
Along with an increase in the number of ransomware attacks, the FBI has observed a corresponding increase in the sophistication of attack campaigns. Computer criminals traditionally relied solely on spam mail to send out most forms of malware. Now they are turning to more sophisticated means, including spear-phishing (or whaling) emails and exploit kit attacks that don’t require user interaction.
The FBI has said in the past that paying the ransom fee is sometimes the only way for victims to recover their encrypted data. But in its letter, the FBI is careful to point out it does not support that course of action given certain negative consequences.
“Paying a ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom,” explains FBI Cyber Division Assistant Director James Trainor. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Acknowledging those repercussions, the FBI urges organizations to develop a business continuity plan they can implement in the event of an attack and to invest in ransomware prevention.
By David Bisson
The percentage of health care data breaches due to criminals has risen from 20 to 50 percent since 2010, but health care organizations are failing on defense, according to a new study.
On average, the percentage of health care organizations hit by a data breach has stayed steady, in the high 80s and low 90s, according to Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study. The number of breaches due to accidentally lost devices, however, has dropped.
Most recently, ransomware and denial-of-service attacks have become top security concerns. These kinds of attacks have the potential to shut down the operations of a health care organization, putting lives at risk.
Ransomware typically encrypts all data, making patient records inaccessible to doctors and nurses.
Denial-of-service attacks shut down the tools and systems used to access those records.
“A lot of these tools now are Internet-facing or are actually in the cloud,” Ponemon explained.
“I think we’re actually in a situation where the bad guys are winning at this point,” said Rick Kam, president and co-founder at ID Experts, which sponsored the report.
One reason is finger pointing, he said. Health care providers point to third-party business associates, such as drug companies and claims processors, while the business associates point the finger back at the health care providers.
“Neither the business associates nor the health care entities are doing their job,” he said. “There’s a small increase in security budgets, but that incremental spending is not keeping up with the threat.”
Another contributing factor, he added, is that the majority of the health care organizations are regional and local hospitals, which are not flush with cash.
Health care organizations understand that they are targets.
More than two-thirds, or 69 percent, said that they are at greater risk than other industries for a data breach.
And there have been some improvements.
Sixty-three percent of respondents said they have policies and procedures that are in place to effectively prevent or quickly detect unauthorized patient data access, up from 58 percent in 2015.
And 57 percent said they have the expert personnel to be able to identify and resolve data breaches, up from 53 percent in 2015.
In addition, 71 percent have an incident response plan process in place, with involvement from information technology, information security and compliance, a slight increase from 69 percent in last year’s study.
However, slightly more than half of health care organizations, 52 percent, said that security budgets have stayed the same since last year, and 10 percent said their budgets decreased.
By Maria Korolov
The head of the FBI said Wednesday that the government will bring more legal cases over encryption issues in the near future.
Speaking with reporters at FBI headquarters in Washington, FBI Director James Comey specifically said that end-to-end encryption on WhatsApp is affecting the agency’s work in “huge ways.” However, he noted the FBI has no plans to sue Facebook, the app’s parent company.
He also said that since October 2015, the FBI has examined “about 4,000 digital devices” and was unable to unlock “approximately 500.”
The FBI paid gray hat hackers at least $1.3 million for a way to get into the seized iPhone used by Syed Rizwan Farook, the now-dead terrorist involved in the December 2015 attack in San Bernardino, California. At the last minute, the Department of Justice canceled a highly anticipated court hearing over the issue in March 2016.
However, Comey said that the hackers’ identities are so closely held inside the government that even he doesn’t know who they are, according to Reuters.
By Cyrus Farivar
Two bitter rivals have agreed to drop mutual antitrust cases across the globe. Why? To fend off the greater regulatory threat of democratic oversight. Microsoft and Google, two of the world’s greatest monopolies, have been bitter rivals for nearly 20 years. But suddenly, in late April, they announced a startling accord. The companies have withdrawn all regulatory complaints against one another, globally. Rather than fighting their battles in public courts and commissions, they have agreed to privately negotiate.
This is a gentleman’s agreement. The specifics are secret, but the message on both sides is that the deal reflects a change in management philosophy. Microsoft’s new chief, Satya Nadella, is eager to push the vision of a dynamic, collaborative Microsoft, partnering with everyone from Apple to Salesforce.
The most dramatic of these partners is Google, a company that has long been considered Microsoft’s great arch-rival.
The wind started to change in September, just after Sundar Pichai became Google’s chief executive, when the two companies agreed to stop feuding over patents – a first step toward the current agreement. The common corporate line is that the companies want to compete on products, not court cases.
But this public relations gambit masks two far more interesting tales. One is about Microsoft and its desperate chase for relevance. The other is about Google, money and power. Both are part of a broader, deeply worrying narrative – a story about how tech companies are busy redrawing the lines around our lives, and facing little resistance in doing so.
Nobody ever wants to start a legal fight. Fractious, painful and wasteful, they divert huge resources, often for little productive gain. But this in itself fails to explain Microsoft’s decision to drop pending regulatory complaints against Google in Europe, Brazil and Argentina, as well as to cease funding and participating in lobby groups that it has backed for eight years, such as FairSearch.org and ICOMP, the Initiative for a Competitive Online Marketplace. So what does explain it?
It could be seen as a pragmatic move. Microsoft’s profits still exceed Google’s, but the ratio has been in decline for a decade. Meanwhile, since 2012, Apple has outstripped both companies combined (even if recent figures suggest this momentum might be slowing). A suite of regulatory enquiries into Google’s alleged abuses of its monopoly will continue even in Microsoft’s absence – both in places where Microsoft has filed complaints (Europe, Brazil, Argentina) and in others where it hasn’t, such as India.
With Microsoft’s withdrawal, it is clear that the remaining complainants in these fights – generally small, niche internet businesses – are legitimate critics in their own right. But then again, it takes serious coordination and resources to sustain and succeed in antitrust fights. Winning, especially in a broad and generally impactful manner, is a much taller order without a deep-pocketed supporter such as Microsoft.
But there’s another possible, rather more cunning, motive. Microsoft today is facing a very different business ecosystem to the one it dominated in the 1990s. It needs to adapt. And it appears to want to do so by positioning itself at the heart of what Satya Nadella describes as “systems of intelligence”.
Explaining this concept at Hannover Messe 2016, Nadella defined systems of intelligence as cloud-enabled digital feedback loops. They rely on the continuous flow of data from people, places and things, connected to a web of activity. And they promise unprecedented power to reason, predict and gain insight.
This is unbridled Big Data utopianism. And it is a vision that brings Microsoft squarely into Google territory. So maybe Microsoft is pulling out of regulatory battles because it doesn’t want to shoot itself in the foot. For emeritus Harvard Business School professor Shoshana Zuboff, this gets to the core of the Google-Microsoft deal.
Zuboff is a leading critic of what she calls “surveillance capitalism”, the monetization of free behavioral data acquired through surveillance and sold on to entities with an interest in your future behavior. As she explained to the Guardian: “Google discovered surveillance capitalism. Microsoft has been late to this game, but it has now waded in. Viewed in this way, its agreement with Google is predictable and rational.”
And here the most sinister upshot of Microsoft’s decision to stop needling Google with legal disputes becomes clear. “A key theme I write about is that surveillance capitalism has thrived in lawless space,” says Zuboff. “Regulations and laws are its enemy. Democratic oversight is a threat. Lawlessness is so vital to the surveillance capitalism project,” she continues, “that Google and Microsoft’s shared interest in freedom from regulation outweighs any narrower competitive interests they might have or once thought they had. They can’t insist to the public that they must remain unregulated, while trying to impose regulations on one another.”
What does all this mean for the cases pending against Google? For Maurice Stucke and Allen Grunes, American antitrust experts and co-authors of a comprehensive new book examining the deep and far-reaching implications of platform and data monopolies, Zuboff’s warning of a lawless alliance among tech giants such as Microsoft and Google only accentuates the demand for rigorous, intellectually led regulatory action. And when it comes to Google, the case for action is in their view clear.
“The one thing that any antitrust regime absolutely has to do, if it is to be effective, is to stand up to the most powerful companies of the time,” explains Grunes. “Take that away and antitrust ceases to be meaningful.
“The antitrust authorities in the US and EU did that in the case of Microsoft. It required brains, resources and relentless pursuit and commitment.”
Yet only the Europeans, he argues, seem to have the intellectual leadership to be doing it in the case of Google. “The failure of the FTC to take meaningful action against Google is without question one of the great failures of all time.”
Microsoft and Google’s new deal to stop fighting each other is an interesting, strategic corporate move. But it is a move accompanied by a much stronger, deeper play: to collect and capitalize data – including data about us, our behaviors, and our interactions. The challenge for regulators and citizens is complex but essential – and has only just begun.
By Julia Powels
For 10 days in February one hospital’s records hung in limbo. At Hollywood Presbyterian Medical Center in California, a ransomware attack kept health care records in control of anonymous hackers, until hospital officials paid $17,000 to take back their system.
Data ransom attacks are today’s technological version of kidnapping. It’s anonymous, more cost-effective and more appealing to criminal enterprises than taking physical hostages. And it’s the reason health care institutions today are taking steps to ensure security.
As part of an ongoing conversation, health care professionals and government agencies will meet on May 1-11 in Washington D.C. to discuss health data as part of the Health Datapalooza event presented by Health Data Consortium.
At Creighton University, law professor Edward Morse is researching the technological and legal limitations for paying data ransom.
“If you can deny access to patient care records, you shut down hospital operations,” Morse said. “With HIPAA, a patient’s electronic records are protected under law. But a patient’s medical information is only as strong as an institution’s weakest link.”
That weak link can be as simple as a disgruntled employee willing to give up a password to a potential hacker, so hospitals are working to increase security and limit the number of employees who can access sensitive data.
Adam Kuenning, attorney with Erickson | Sederstrom and a Creighton law professor, teaches HIPAA privacy and security.
“Patient care comes first for any medical professional,” Kuenning said. “The importance of keeping the information secure may sometimes be lost while the medical professional is focused on the patient’s care.”
Any HIPAA breach affecting more than 500 patients must be reported to the media, and the Department of Health and Human Services keeps a record of these cases online. Since 2009, more than 1,500 cases have been recorded. For cases affecting fewer than 500 patients, only a letter sent to the affected persons is required.
To ensure HIPAA compliance, HHS is conducting audits of healthcare companies, but carelessness is often the root cause of a breach. A frequent problem is laptops and thumb drives holding private medical information being left in an employee’s car.
“Data that’s not encrypted is being stolen somehow,” Kuenning said. “People are breaking into your office, stealing your computer, your servers when you didn’t encrypt your records that evening.”
In the California hospital case, an outside hacker stole records by taking over the computer system. In these cases, it’s common that patient information isn’t actually stolen; rather, hackers freeze the system, making the records inaccessible to medical personnel who need the information to properly care for the patients.
Last June, President Barack Obama stated that while the U.S. government won’t pay ransom for hostages, American families have never “been prosecuted for paying a ransom.” In most health care cases, private ransom payments go unnoticed. Few cases like Hollywood Presbyterian Medical Center’s are publicized. According to Morse, thousands of attacks are attempted, but it’s unknown how many are successful.
“With this crime, it’s embarrassing to institutions, that their systems aren’t secure,” Morse said.
Payouts to criminal enterprises are relatively inexpensive. The black market values each patient’s record at $50 or $60, Morse found. According to a Ponemon Institute Survey, hackers only earn about $28,000 annually, but Morse notes that this wage could equate to a lot more with hackers coming from developing countries.
Without patients’ records, the hospital reaches a standstill, creating pressure to comply and pay the ransom.
“If you can pay, you would do it in a New York minute,” Morse said.
As the health care industry becomes more invested in technological innovations, institutions must keep privacy in mind, as a data breach can “ultimately, sully the reputation of an institution,” Morse said.
Source: Creighton University