Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)
An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used a new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.
Looks like someone opened it there....
This is a good time to test their disaster recovery.
...this clearly wouldn't have happened.
Those employees better not be thinking of running an ad-blocker after this! Those heathens!
Why such a low ransom for such a high risk?
I bet the hospital has more $ in its petty cash drawer...
Perhaps this is a proof-of-concept run for the attackers...
$1.6K is like what half a day in the ER chump change for them.
When the FBI has everything backdoored, we will be safe.
The option of proper backups or better security seems to be in the past, and the remaining options are to pay up or figure out how to get by without the data. For a hospital, ponying up $4k or losing tons of important data shouldn't be much of a choice at all; the most important step is to understand that coughing up the cash is the only hope of getting the data back.
Backups, people. It's not hard using current technology, and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe are no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their data!
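An added example (not the commenter's own code) of what "verifying those backups" can look like in practice: record a SHA-256 manifest when the backup is written, store the manifest somewhere the backup host cannot overwrite, and re-check the tree against it before trusting the backup. The file names and contents below are constructed for the demo; the second run simulates a Locky-style pass over the backup share (content overwritten with junk, a file renamed with a .locky extension), which is exactly the case a blank-tapes-in-the-safe check would miss.

```python
"""Verify a backup tree against a hash manifest (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backup members do not get loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(manifest: dict, root: Path) -> dict:
    """Compare the tree on disk with the manifest recorded when it was written."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))       # gone or renamed away
    extra = sorted(set(current) - set(manifest))         # appeared since backup
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified or extra)}


def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "patient1.txt").write_bytes(b"allergy: penicillin\n")
        (root / "records" / "patient2.txt").write_bytes(b"allergy: none\n")
        (root / "schedule.csv").write_bytes(b"date,room\n2016-03-18,OR2\n")

        # The manifest is what you keep off-box (or on write-once media)
        manifest_json = json.dumps(build_manifest(root))
        clean = verify_backup(json.loads(manifest_json), root)

        # Simulate ransomware reaching the backup share: junk overwrite + rename
        (root / "schedule.csv").write_bytes(os.urandom(64))
        (root / "records" / "patient1.txt").rename(root / "records" / "patient1.txt.locky")
        tampered = verify_backup(json.loads(manifest_json), root)
    return clean, tampered
```

The point of keeping the manifest away from the backup host is that a ransomware run with write access to the share can encrypt the backup and its hash list together; a manifest it cannot reach turns that into a detectable "modified" rather than a silently bad restore.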
Let's use a car analogy.
Say you are "stupid enough" to drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?
The people who sent the ransomware, and their families, should be rounded up and tortured, and killed. I'm actually quite serious. It will send a message to those who think that they can get away with this crap.
No, but you're a fucking idiot if you don't expect it to happen.
stop blaming the victims.
I've seen huge upswings in Locky and other ransomware hitting the email gateway since the first. A literal 30x upswing.
Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.
Via email, most use executables in zip files.
I've banned zip file attachments just to cut down on the load.
I've heard reports that there are some really aggressive targeting via ad networks too.
Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.
Your users' endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
electronic medical records.
If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.
Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.
Problem is, if you're a hospital you have thousands of people who can screw up. Any time you have thousands of people who can screw up, it's just a matter of time before someone does.
I also read in another article that they just said "No." and restored from backups.
What about the elderly?!
Minimum threshold fixed. Thanks!
I want to congratulate BigBuckHunter for being a presumptuous ass. We can only hope that he goes away, and that someone with a shred of human decency who doesn't make such assumptions will replace him.
literally a taste of their own medicine!
Do they have any?
Good thing a big fancy place like a hospital, you know, with all that juicy mission critical data, has a solid and well tested disaster recovery plan, right?
Right?
hahahaahhaah
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The sad thing is, I don't think this is limited to certain hospitals ... their core competency is health care, and the fact that IT in hospitals has been underfunded or badly done for years isn't exactly news.
We've been hearing these same stories for years now.
Yes, brilliant, let's hope hospitals go out of business so we can waste money starting from scratch, that will totally be efficient.
Lost at C:>. Found at C.
Immutable, append-only event streams cannot be crypto-lockered away. Bonus: also trivial to send securely to an offsite location for additional secure archiving.
Gotta blame someone. The victim seems about as good a choice as any.
Who else you going to blame? Trump? Global warming?
Methodists obviously don't have good computer security because they don't smoke enough pot.
You're being too kind. Most of a decade ago 2 hours in ER cost me way over $4k - and that's after months of negotiation and paying some cash under the table.
Why guess when you can know? Measure!
Not that they are behind this.
Shit, your honor, that moron was stupid enough to walk down my street, he knows we hate his kind. He must have deserved it.
That said, I would support charging anybody who pays a ransom as an accomplice in whatever crime is involved, be it kidnapping, (ocean) piracy, or extortionate encrypting.
I would even support an enhanced sentence for the ransom-payer, maybe double the sentence of the base crime.
people on here cackling about the incompetence of government workers in regards to the iPhone issue (no MDM software installed), the IRS hack and a few other items.
Considering the near daily reports of private industry being hacked or compromised, it looks like the government has some work to do if it wants to run its operations like private industry does as some say should be done.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
So, a stupid macro virus opens a thousand files on a PC at full speed, deletes them, and creates another one with a .locky extension. No AV software has the capability to detect something unusual? Dangerous? Suspect? (I wonder how AV wastes my CPU and disk IOs so badly...)
This Locky shit has been around for a few months, and no AV can do anything about it?? Seriously? They did not even bother changing the .locky file extension...
Is there a fuckin' echo in here?? AIRGAP THE FUCKING NETWORKS!!
There is plenty of blame to go around and Methodist Hospital deserves its fair share. Primary blame goes to the hackers, some goes to the OS vendors, the email vendors, etc... Some goes to the users who probably clicked on something they shouldn't, and some certainly goes to the hospital.
If a victim is a victim only because they are a juicy target then they don't deserve blame. When a victim is a company that should have done a better job protecting themselves then they do deserve a portion.
their core competency is health care
I have yet to observe a hospital that this actually applies to.
Tell everyone far and wide that the scammers took your money and REFUSED to give the encryption key, and that you had to restore everything from old backups.
Ruin the assholes' business model, since no one is going to pay if they are known to take the ransom and skip out.
hackers infiltrated its computer network, encrypted files and are now holding the data hostage
There's a meat slicer from the beginning of the original Children of the Corn with their name on it.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Well, don't stop there. There's really no reason why electronic health records should have been mandated in the first place.
Most hospitals use a handful of privately-developed and maintained systems also, which makes problems with security worse, because there's only a handful of security systems malicious infiltrators need to worry about.
It used to be that hospitals had control over their own records system, but now that's not the case anymore. Maybe open source will help, but I'm not holding my breath (not because of open source, but because of the medical system).
Government regulation and a culture of rigid hierarchy is driving health care costs through the roof. No one talks about this, which is at the core of increases in health care costs; it's always assumed that more regulation is better. So what we're left with is overpriced nonsense.
Electronic health records systems are no exception. The mandates left hospitals vulnerable to corporations taking advantage of their situation, and huge record system implementation costs. These security problems are the next step.
The sad thing is this probably isn't even Methodist Hospital's fault. If they're anything like other hospitals, they were probably dragged into this by the government; it probably cost 1.5-2x as much money as originally budgeted; and they probably outsourced their IT at least in part. I could be totally wrong about this, but that's a totally typical scenario.
Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings are going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.
A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.
While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.
Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person who's identity may be stolen or trashed was not being done, and those are the real victims here.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
No, it should not be legal.
But I am glad to see this sort of thing happening for such reasonable ransoms. It will definitely motivate people to start paying attention to security, while being cheap enough to pay that nobody actually dies.
Shit, your honor, that moron was stupid enough to walk down my street, he knows we hate his kind. He must have deserved it.
Took care of that Trayvon Martin fucker, didn't it?
I hope you understand that it's not always the IT Administration that causes this, right? Many, many, many times it's the non-IT business units that demand we DON'T put prevention in place because it will make them have 2 more steps to log in, can't save anywhere they want w/o elevating their status, can't just plug any old USB device in to their PCs, they have to change their passwords every 30 days and can't be one of their last 6, they demand to have YouTube or Facewebs or whatnot, the execs NEED to have access to their home DVRs and Home Automation systems so we have to poke firewall holes and install some insecure version of some remote control application.... Or... We're not allowed to partition out network segments because when Jim Bob needs that 1 file, on that 1 server, those 3 times a year and can't wait an extra 20m to have the access granted, he whines to his boss, who yells at my boss's boss, and I then have to put a permanent unlock in place. Then his buddy wants a similar deal for another file on a different server. Or... We don't like this version of MDM on our personal phones and don't think you IT people need access to them. It's our personal phone, what business of yours is it if I download some nasty files at home and then plug my phone in to my work PC or put it on the internal WiFi network? It's my personal phone. You don't need to know what I do with it. No... Truly it's the IT Administration that's always at fault because we just sit around doing nothing all day... H*ll, I know I pretty much have my Firewall in Porn Star mode... It'll take it through whatever hole you find.
Engines want to be free!
I've seen more and more malware make it through my spam filters (amavis + spam assassin + clamav). I can tell by looking at it. Occasionally I pull the zips into a VM and look at the fake excel files filled with Javascript.
You can't protect against this kind of stuff as an IT admin, without making e-mail even more unreliable than it actually is (I wrote a post about this last year: http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/).
Sure, you shouldn't let workstations have write access to critical data infrastructure, but who knows how this happened? What if it was opened in user mode, someone called help desk, they remoted in and ran some tools as an admin user and boom, it goes and encrypts their rdesktop shared volumes and spreads that way.
It's more complicated than you think.
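Two posters above describe the same delivery vector from the gateway side: zipped executables dressed up as fax or scanner notifications, and zips holding "fake excel files filled with Javascript". Below is an added example (not the posters' code, nor their amavis/SpamAssassin/ClamAV configuration) of a gateway-side check that opens the zip in memory and refuses the message if any member is an executable, script or macro-enabled document, while also catching nested archives and zip-bomb ratios. The sender, recipient and file names are constructed for the demo.

```python
"""Gateway check of zip attachments for Locky-style lures (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that legitimately never arrive from a fax gateway or MFP scanner
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".jar"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
MAX_MEMBERS = 50      # an archive with hundreds of members is not a scan
MAX_RATIO = 100       # compression ratio above this smells like a zip bomb


def suspicious_name(name: str):
    """Return a reason string if this file name should be blocked, else None."""
    base = name.lower().rsplit("/", 1)[-1]
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in EXEC_EXTS:
        return f"executable/script {ext}"
    if ext in MACRO_EXTS:
        return f"macro-enabled document {ext}"
    return None


def inspect_zip(data: bytes) -> list:
    """Look inside an archive without extracting anything to disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a zip but is not one"]
    findings = []
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        findings.append(f"{len(infos)} members exceeds limit of {MAX_MEMBERS}")
    for info in infos:
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append(f"{info.filename}: compression ratio looks like a zip bomb")
        reason = suspicious_name(info.filename)
        if reason:
            findings.append(f"{info.filename}: {reason}")
        elif info.filename.lower().endswith(".zip"):
            findings.append(f"{info.filename}: nested archive")
    return findings


def scan_message(raw: bytes) -> list:
    """Return (attachment name, reason) pairs; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = suspicious_name(name)
        if reason:
            verdicts.append((name, reason))
        # Check magic bytes as well as the name: renaming a zip keeps its "PK" header
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            verdicts.extend((name, f) for f in inspect_zip(payload))
    return verdicts


def build_sample(zip_name: str, members: dict) -> bytes:
    """Constructed message mimicking a scanner-to-email notification."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "scanner@mfp.example"        # hypothetical sender
    msg["To"] = "records@hospital.example"     # hypothetical recipient
    msg["Subject"] = "Scanned image from MFP-2600"
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return bytes(msg)


def demo() -> tuple:
    """One Locky-style lure (JavaScript downloader in a zip) and one real scan."""
    lure = build_sample("scan_0001.zip",
                        {"scan_0001.js": "var s = new ActiveXObject('WScript.Shell');"})
    benign = build_sample("scan_0002.zip", {"scan_0002.pdf": "%PDF-1.4\n%fake scan\n"})
    return scan_message(lure), scan_message(benign)
```

Blocking by member type rather than banning every zip keeps genuine scanned PDFs flowing, which is the trade-off the first poster took the blunt way. The check is a filter, not a replacement for endpoint controls: a JavaScript or macro lure that arrives by some other path still runs in the user's context.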
How come these hackers aren't using proper encryption with a government back door?
Are they criminals or something?
Good victim blaming there.
Who knows? Pricing for hospital services is all over the place and not public. That may only buy a couple of hours in one hospital's ER while at another it may pay for an entire day.
It's absurd. Imagine if all restaurants did the same thing. And it was "Chef's Choice" each time. Now, the chef is the expert and can make some delicious meals, but you never know what food you'll be served and you never know how much it's going to cost.
That's because you're a moron. I only open official, trusted documents like PamelaAndersonXXX.jpg.vbs
If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.
https://en.wikipedia.org/wiki/...
But not in Kentucky.
https://en.wikipedia.org/wiki/...
The world is made by those who show up for the job.
Not sure. But I do know if you have a bevy of Microsoft desktops in your org, the windows are already broken. Does that qualify as "stupid enough"?
And then you get a bill in the mail from the runner / server for their own work (it's not part of the bill you paid at the restaurant).
Yes! Because you answered your own question. You parked in a bad neighborhood. If you leave your car unlocked, you should expect things to go missing.
Yes, administering hospital networks is very similarly nuanced and complicated as being responsible for a single motor vehicle. Great analogy, 10/10.
I see where you are coming from, but I fail to see the point of punishing someone for taking an action that might free their relative or friend from a kidnapper who the government is clearly unable to prevent from operating.
It feels very wrong that the only person who managed to save the kidnapped person from being killed might be the only one who would be going to jail.
Yes, let the cops do their job. However, if the cops fuck up, or they can't protect you, then you do what you need to do.
I would support charging anybody who pays a ransom as an accomplice in whatever crime is involved, be it kidnapping
Yep, my child was kidnapped, and I do have the money they asked for, so I suppose I could just pay the ransom and let the authorities try to figure it out after the fact. But no, out of principle, I'll just say "sorry son, sucks to be you. Let's hope the feds can find you while you are still alive, but if not, your sister has called dibs on your old room".
So criminals aren't at fault, people who get tricked are.
God the world will be a better place when you're dead.
The Criminals are always 100% at fault.
However, you have to expect people that deserve to be killed to act like this.
Methodist should have prepared for this garbage to act like garbage.
Sad state of affairs.
That's a stupid argument! That's like saying banks shouldn't lock any doors because people shouldn't commit crimes/theft.
That's an excuse for one computer getting infected. That's not an excuse for the whole hospital getting infested.
Hourglass says she knows a kid in Iowa who grows up to be president.
Bad guys are only asking for $1600? Without hesitation they should, pay it, get their shit together, and move on. $1600 is chump change.
Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will never see her again, and you pay the ransom. Do you really think you should be charged with being an accomplice to kidnapping? THINK. I know it's hard, but try.
Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.
Making the victim a double victim (victim of the law as well as victim of miscreants) is absolutely the worst idea I ever heard of.
I hope you understand that it's not always the IT Administration that causes this, right? Many, many, many times it's the non-IT business units that demand we DON'T put prevention in place because it will make them have 2 more steps to log in, can't save anywhere they want w/o elevating their status, can't just plug any old USB device in to their PCs, they have to change their passwords every 30 days and can't be one of their last 6, they demand to have YouTube or Facewebs or whatnot, the execs NEED to have access to their home DVRs and Home Automation systems so we have to poke firewall holes and install some insecure version of some remote control application....
You're right on the money brother.
The thing many forget is that security and securing the network, SAN, virtual infrastructure, servers, workstations, etc, etc is actually pretty low on the priority list for "real world" admins out there. Were too busy "taking care of business", you know, keeping things running smoothly to ensure profits, etc. Unfortunately many things admins do to increase security will annoy or slow down someone or something, and many times are inevitably undone so that little jimmy from marketing can get to those pdfs easier, etc.
We play the game with the bravery of being out of range
As well they should pay it.
I have ZERO sympathy for insecure IT systems. I also have ZERO sympathy for "victims" of scams. If you're stupid enough to leave your shit wide open, or Western Union money to Albania, that's on you. It should be perfectly legal to take advantage of stupid people. Consider it a learning experience.
No bring in the FBI and have the FBI compel a solution.
While I have little sympathy for bad management there is a lesson here that cyber crimes are a reality and each device that touches a network will be attacked.
A hack on a hospital could cause numerous fatalities from the NICU, to the ICU to surgery centers to failure of autoclaves, refrigeration, AC, loss or corruption of data needed to track blood and other medications and people.
Some worry about the IoT where folk worry about the NEST thermostat invasion of privacy. Hospitals are more integrated and automated than the average person knows. Robots deliver drugs upstairs and down. Drug metering systems are networked and administer pain medications within narrow limits.
In one context this is a crime and law enforcement thinks they have a say in this. The reality is law enforcement has little reach to deal with the international criminals and international borders for things like this.
The FBI in San Bernardino is feathering their own nest and ignoring the international risk of their writ at the same time that they wish to react to the international terror risks.
Back to stupid hospital folk. We need to train management at all levels so they make good decisions. Cost is a factor but a lot spent badly is less secure than a little spent well. Ignorance is not an option.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Sorry chap. Nature cannot prune itself fast enough for stupid people. The stupid ones are reproducing at a very quick rate!
Because victims never contribute to their state of being a victim?
Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.
I modded you troll. It's your own fault because you posted here and knew perfectly well how easy it is to get modded as a troll.
I can see you haven't been in an ER for half a day, or know anybody who has.
I can't think of a rational or moral excuse for letting these people remain on earth, to encourage more. If you don't stop it, it won't stop.
For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.
There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.
The Daddy casts sleep on the Baby. The Baby resists!
I really don't see why it isn't illegal. Get both the US and EU to pass laws banning the paying of ransomware and you've destroyed the lion's share of their income. You can't totally prevent people from paying, but you'll stop most of it.
Being infected by ransomware should basically become "bad news - your data was destroyed in a fire".
Well, that may be their profit after paying out the staff and buying the drugs.
Victim blaming? I hate this attitude when it comes to these sorts of things, it always sends the message that people don't have to worry about their own security and safety. In the end, it is partially the victim's fault because if the victim had decided to employ more security and caution, they would not have had their car stolen. Same as how it's the criminal's fault because if they had not decided to be a shitty person on that day, no car would have been stolen. There's a legitimate difference between employing all the security measures you could but still finding yourself in a situation where you are forcefully unlocking your car door by gun point, and in a different scenario having said "fuck security, it's never the victim's fault" and just leaving your car door unlocked of your own volition.
Right, so as long as you think it is going to help your poor elderly mom, then you could rob a bank, or assist in any other crime, too?
Since you started talking about Jesus without even establishing that you understood the moral issues, and started calling names at that stage, maybe you didn't really think through the moral implications as completely as you thought?
I'll give you a hint, when you're calling people names and ignoring what their actual view was while bringing in mom and completely not even addressing the actual situation discussed... you probably do not have the moral high ground. ;)
Maybe think first. Nothing you said even addresses what I said, and yet you're totally exasperated. Well, it isn't going to make more sense by going further off the rails.
You assert that people paying a ransom are victims, but I think there are a lot of people in the world who agree that they are literally assisting the perpetrators to benefit from their crime. Which literally makes them an accomplice under existing law in most places, even if it isn't prosecuted that way. Why is a kidnapping victim under threat in the first place? Because the last asshole's family paid them for doing it.
The fact that there was a crime does not negate or diminish the poor decisions that led up to the crime taking place. Everything is not pure black or pure white. In fact the overwhelming majority of the world is gray. Sure, hold the criminals accountable for their actions. That said you also must hold the actors who presented the opportunity accountable for their actions.
$1600? At a hospital, that's about the price of a band-aid and a few Ibuprofen.
If you have other peoples' property in the car, or materials that your staff depends on to protect the life and health of those people, and you leave the car door unlocked, then yes, you'd better believe that any court in the U.S. would find you liable.
Ketucky. KET.
Even the NSA allowed Snowden, a SharePoint administrator working for a contractor, access to some pretty critical data. If they can't properly control access to information, especially given how many tools there are out there to do so, it's not a shocker that private businesses fail to do so also.
The ransomware epidemic illustrates a very good point -- companies still treat their internal networks as 100% trusted. Once a machine is plugged in, there's nothing stopping it from roaming around the interior. This is the main problem -- laptops get taken home, executives demand admin access to the OS, they bring a virus, Trojan or other nasty in, and suddenly everyone has a bad day.
Internal networks should at the very least have separation of critical systems, preferably air-gaps between seriously critical systems. But that's expensive and companies refuse to spend any money on IT.
The other problem with this "never blame the victim" mentality is that it seems to assume that bad humans shouldn't exist.
For a different example than the car theft in a bad neighborhood one, how about if you park your car under a really big, old tree as a giant storm is blowing in, and the tree falls over and smashes your car? (Let's suppose that you live here and you should know full well that this tree is really old and could fall over.) No other humans were involved here, just you and your dumb parking job. Is it wrong to assign some of the blame to you for parking next to the old tree? Most people would probably say no, you do deserve some blame, depending on how much you could be expected to know about the state of the tree.
So why should you be absolved of all blame when you park in a bad neighborhood and your car gets broken into?
Bad human behavior exists whether you want it to or not, so you can either refuse to accept it and become a victim, or you can try to minimize your risk by avoiding situations where you're more likely to be a victim. It's only sensible to do the latter.
The analogy isn't exact, it's like passing by a bad neighborhood on the freeway and risk getting shot at.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Bad news - your son died because we didn't know he was allergic to the meds we gave him because that information was destroyed by hackers.
Just revert to the backup. Right?
Seven puppies were harmed during the making of this post.
The word I would use is enticing. They're enticing the criminals to commit the crimes. If they didn't make money doing this, they wouldn't do it. If it becomes illegal to help them, and if people are aware that it is illegal to do so then that will make those sorts of criminal behavior much less effective, and fewer people will bother.
At least that's the GP's theory. Personally, I think that there's a sucker born every minute, so making it a crime to pay a ransom won't make a dime's worth of difference.
Curious how you failed to mention that Locky requires Windows & Office to work ..
One can and certainly should blame companies for not applying best practices (and most likely their legal requirement) to keep information safe. In terms of companies, if they're unable to be effective, they deserve to go out of business. If I drive down the road without car insurance and a deer hits me, do I blame the deer or myself for not getting insurance?
Bye!
I think the victim should be punished severely too, or else these attacks will keep happening. The victim decided to be a victim, to make himself open to this attack, and this affects the lives of many people at this hospital.
The victim, in this case, is whatever manager or managers decided to have crappy IT security.
IT managers need to start going to prison when these things happen. (Or, if they can show that it was the CEO who prevented them from implementing proper security, the CEO should go to prison.)
Ransomware attacks like this are due to nothing more than sheer negligence. The negligent party should be identified and strongly punished.
$1.6K is the cost of an aspirin in the ER.
No, hackers shouldn't get any blame at all. The hackers were doing their jobs, and they did them well as you can see by their success.
It was the IT people at the hospital who failed. Their *job* was to prevent this kind of thing, and they failed miserably.
Malicious hackers are going to exist whether you like it or not, and trying to "blame" them makes as much sense as blaming a hurricane for the damage it does. There's nothing productive about that; you're not going to convince hurricanes to not happen or to take different courses by talking to them and trying to convince them they're wrong. The same goes for career criminals. The only thing you can do is try to reduce your risk from hurricanes and criminals, by designing and building better buildings, not building next to the shore in a hurricane-prone area, and by using good IT security practices.
The IT Manager was probably at his pizza parlor making pizzas when this all went down.
That was never going to happen - the question was about whether to restore from backups, or pay the trivial ransom amount. They made the right call, and went to backups, despite that costing more than $1600 in people's time.
Socialism: a lie told by totalitarians and believed by fools.
Might as well blame it on Jupiter and Vertumnus, Roman Gods of storms and trees respectively. Next time, when parking under a tree, you need to pour some wine on the roof of your car while reciting "Vertumne, uti te ture ommovendo bonas preces bene precatus sum, eiusdem rei ergo macte vino inferio esto."
Let's get real though: How are you going to stop an ignorant person like an orderly or doctor from doing really stupid things 0.1% of the time?
In my mind, the only way to control the issue of ransomware is to limit the potential impact a user can have. Comparing $2,000 to the time required to shut systems down, grab a tape, and restore files... you really need to be in a situation where the recovery takes less than an hour rather than paying the ransom. To make that viable no user would be able to encrypt more than (say) 50GB before their network connection is shut down. By my math, that gives you somewhere between 5 minutes and an hour to detect and act. If they distribute the infection before starting encryption in a synchronized manner, you would be down to mere seconds; with sufficient computers and users infected you could even rate-limit to limit the easiest means of detection.
The only thing I can think of is an antivirus in reverse, confirming that files written are valid, but how would you pull that off?!
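As an added example (not code from the thread) of the two ideas in the comments above, here is a toy monitor that only counts writes whose content no longer looks like a valid file against a per-user budget inside a sliding window, and cuts the user off once the budget is exceeded. The event format, thresholds and sample events are constructed for the demo; a real deployment would feed it file-server audit events.

```python
import math
import os
from collections import defaultdict, deque

# Magic bytes for a few types; a .pdf whose bytes no longer start with %PDF
# has most likely been overwritten with ciphertext.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
ENTROPY_LIMIT = 7.2            # bits/byte; encrypted data sits close to 8
WINDOW_SECONDS = 300           # look-back window per user (constructed value)
BUDGET_BYTES = 50 * 1024 ** 3  # 50 GB, the figure used in the comment above


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_valid(path: str, head: bytes) -> bool:
    """'Antivirus in reverse': does the written content still look like its type?"""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        return head.startswith(magic)
    # Unknown extension (e.g. a renamed file): fall back to an entropy check.
    return shannon_entropy(head) < ENTROPY_LIMIT


class WriteMonitor:
    """Counts suspicious write volume per user inside a sliding time window."""

    def __init__(self, budget=BUDGET_BYTES, window=WINDOW_SECONDS):
        self.budget = budget
        self.window = window
        self.events = defaultdict(deque)   # user -> deque of (timestamp, bytes)
        self.blocked = set()

    def observe(self, ts, user, path, size, head):
        """Feed one write event; return True if the user should be cut off."""
        if user in self.blocked:
            return True
        if looks_valid(path, head):
            return False                    # ordinary edits do not use budget
        q = self.events[user]
        q.append((ts, size))
        while q and ts - q[0][0] > self.window:
            q.popleft()                     # drop events outside the window
        if sum(s for _, s in q) > self.budget:
            self.blocked.add(user)
            return True
        return False


def run_sample():
    """Constructed event stream: one ordinary user and one ransomware-like user."""
    mon = WriteMonitor(budget=1_000_000, window=60)   # 1 MB budget for the demo
    ciphertext = bytes(range(256)) * 4                 # entropy is exactly 8.0
    events = [
        (0, "nurse1", "/share/notes.docx", 40_000, b"PK\x03\x04" + b"\x00" * 60),
        (1, "orderly7", "/share/scan01.pdf", 400_000, ciphertext[:64]),
        (2, "nurse1", "/share/roster.txt", 2_000, b"Shift roster for Monday\n" * 3),
        (3, "orderly7", "/share/scan02.pdf.locky", 400_000, ciphertext),
        (4, "orderly7", "/share/scan03.pdf.locky", 400_000, ciphertext),
        (5, "orderly7", "/share/scan04.pdf.locky", 400_000, ciphertext),
    ]
    first_block = None
    for i, (ts, user, path, size, head) in enumerate(events):
        if mon.observe(ts, user, path, size, head) and first_block is None:
            first_block = i
    return sorted(mon.blocked), first_block


if __name__ == "__main__":
    print(run_sample())   # (['orderly7'], 4)
```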
Clearly, their core competency is in invoicing.
By that logic those nut jobs that triggered the bombs in Brussels should get none of the blame. They were terrorists doing their job! Complete and utter BS.
Of course the hackers should get the majority of the blame. Criminals doing their job don't get any credit for doing their job.
Since IT managers can never get the folks with the money to release some of it to secure the network, I would say jailing them for the inability to work miracles is a bit of an over-reach.
I figure if the government starts fining the shit out of corporations who are lax on network security ( especially those that deal in sensitive personal information ) they'll get the point and start taking things seriously.
If all they have to pay is ~$1600, that's not even worth firing the IT folks over.
It's a bit of a stretch to be saying that hackers infiltrated the network blah blah blah.
A hospital employee opened an email with a Locky file attachment and it then encrypted what that user had access to.
Ransomware sucks donkey dicks. There are various mitigation techniques, some effective, some not so much, and sometimes the effective methods are too much of an impediment to do company work. But, a decent administrator should have backups.
The effective recovery from ransomware is restoring from backup. Paying these cock gobblers is just encouraging more of them.
It's called duress. If someone kidnaps your mom and forces you by reason of violence to commit an unlawful act you may in fact be innocent in the eyes of the law. Depending on your jurisdiction of course.
If she hadn't worn that damn short skirt
You sound like the PR rep for the hackers. And your statement about the IT department failing miserably is quite an indictment. Are you aware of the details of this particular attack? Do you think your superior skills could have prevented this hack or any similar attack because you are master of the universe when it comes to computer security? By your logic every single computer system that has ever been successfully hacked proves that all IT professionals are idiots and if they just gave you a call their problems would have never occurred.
Not only did the hospital IT fail, there are federal policies that are made to help protect against this. A hospital should be doing a risk assessment annually, and is required to document why specific remediations weren't followed per HIPAA. 164.306 is very clear on this all; even the policies that are "addressable" still require them to "Document why it would not be reasonable and appropriate to implement the implementation specification;"
They could be hit with "civil money penalties" of "$50,000 for each violation", and this can be "a separate violation occurs each day the covered entity or business associate is in violation of the provision." The ONLY thing that might save the hospital is that PHI hasn't actually been exposed. Source
Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in any way and are a completely innocent party.
There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also use it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicians, the mosques and so on. Who could have done something? Who should have done something differently?
The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happens, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.
Live today, because you never know what tomorrow brings
Of course it's chump change, since even most individuals could actually afford that payment if they really needed to. What they're considering is either the negative publicity paying off criminals would have on their organization, or perhaps the moral implications of paying off criminals.
Irony: Agile development has too much inertia to be abandoned now.
Come to Canada. Don't get me wrong we aren't perfect by a long shot but it isn't all about the bill if you can say "hoser" with a straight face and know what the last hockey game score is, eh.
Actually I'd bet Canadian hospital IT is somewhat safer because most of the machines are older.
Not all components in source and target of the analogy need to be analogous. The burden of liability in failed security is roughly the same here, so the analogy fits. Not locking your car doors in 1973 in my suburb: acceptable. Not locking your car doors in 2016 in my neighborhood: stuff is missing from your car. It's well-known. In the same way, being ignorant of bad guys and malware on the internet in 1993 is acceptable because the risk was much lower. Being ignorant in 2016 is not acceptable and deviates from standard cultural knowledge.
Sorry, but NO!!!
There exist, or used to exist, hackers who didn't deserve any blame. The "cookie monster" hack, e.g., was a warning and didn't do any harm. The implementers of that were hackers who didn't deserve any blame. I don't quite remember the context, but the Morris Worm was, IIRC, an edge case. IIRC he didn't intend any harm, but he made a programming mistake that let the worm get out of control. Sorry, blame is deserved, though not in huge amounts.
The distinction is between warnings and damage. And, of course, intention...which doesn't change the culpability, but may change the deserved amount of blame.
Malicious hackers are going to exist, but they deserve to be blamed for the damage they do. Even unintentional damage, though in that case proving that it was unintentional would be quite a feat.
And guess what? There *IS* no perfect security. NONE! Even instantaneous writes to a WORM aren't perfect security, and are ghastly expensive to run and store, much less to retrieve from. And all storage media have a certain risk of failure.
That said, I agree that most computer systems don't pay sufficient attention to system security. But there's always a trade-off, you invest your time and effort where it seems worthwhile to you. And nobody can predict things perfectly. Computer people tend to be aware of computer security, but don't pay enough attention to the service degradation that enhanced security can sometimes cause. And often make silly choices, or choices that don't consider all the effects. Like requiring passwords to be changed every week to something impossible to memorize, and not expecting post-it notes to appear on monitors.
I think we've pushed this "anyone can grow up to be president" thing too far.
Let's get real though: How are you going to stop an ignorant person like an orderly or doctor from doing really stupid things 0.1% of the time?
...
Getting real is spot on.
An orderly or doctor will from time to time do stupid stuff. It takes much less than your 0.1% stupidity rate for this to be an issue.
Systems need to be patched. Systems need strong capability models such that no orderly, doctor, nurse or patient has sufficient capability to cause harm.
Consider the national security issue of an unpatched flaw known to one or more TLA but kept secret because it is seen as a bit of power. The reality is it is first-hand knowledge of a domestic vulnerability that needs prompt attention. Those with blinders only looking out (like management) fail to have the intellect to see the risk from the outside in without getting smacked alongside the head with a thick phone book. Once educated, selfishness, malice and malfeasance come to play.
The Maginot Line intended to protect France failed for much the same cognitive reason that a chicken will fail to walk around a short fence when there is food immediately on the opposite side.
See: "Cognitive Psychology and Implications" by John R. Anderson
The reality is a chicken is so focused on the food directly in front of it that they will not be able to see that walking around the short fence is an option.
Managers often rise to power by will of force and single-mindedness in the attainment of goals. The efficiency of such single-minded goal-oriented cognition gets rewarded with a promotion. Ultimately inventiveness and thinking around the fence and out of the box is required and the department, company or nation fails.
See also: "Kohler's first experiments (1925), he presented the following detour problems to a young child, a dog and a chicken (Figure 2-19). A fence ... fence, and something they wanted was placed at position G on the other side — within sight but out of reach."
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
The reason why we have EMRs is because companies like McKesson lobbied to have them in the bill. They make a lot of money from medical software. A LOT of it.
If my car gets a window smashed (and the time it happened it appeared to be because I had locked the doors) or stolen, that inconveniences me. It doesn't really affect others that much. If I'm transporting valuables for someone else, fail to lock the car, and they get stolen because of that, I am to blame.
In a case like this, I blame the criminals, of course, and I also blame those responsible for the lack of sufficient precautions, whoever they may be.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Weekend before last, I went to an urgent care center because I was having serious problems and it was a weekend. It wasn't anywhere near my normal clinic. The doctor I saw had full information on me, including my drug allergies, so she knew to find something that didn't have sulfa in it. I went to my regular doctor the next day, since I like to keep him in the loop. He looked at my test results and other things, and gave me some additional instructions.
Without some sort of electronic record system, what would have happened? The doctor at the urgent care center would've asked about drug allergies, but there's no guarantee I'll be conscious when hauled into such a situation. Somebody would have had to move a paper copy of my test results somewhere my regular doctor could see it, and it wouldn't have happened fast enough.
I really do benefit from electronic medical records.
Joe_Dragon may not be from the US. ERs in other countries often charge far less than what the US charges.
Just silly. Every single iota of your LAN does not need to be on the WAN. Those days are long gone.
Maybe it's just me, but as an I.T. security guy, this sounds like a shoddy admin had no backups when common encrypting malware hit. I'd be stunned if this were an 'active hack'.
Um, you're confusing "the hackers" with "all hackers".
I was only talking about blaming the hackers who were directly responsible for this particular incident. I'm not talking about all hackers (which is a pretty vague term BTW) for all history. Maybe I wasn't clear, and should have used the term "these hackers".
But blaming these hackers I think is counter-productive. It's as pointless as blaming "the Chinese hackers" for the OPM data breach last year. They're doing their jobs. Blaming them is pointless, because you're making a moral judgment that they shouldn't do what they did. They disagree. Esp. for the Chinese, where they're doing the right thing by hacking into US government computers. If you disagree, then you have to also denounce the US government for employing hackers who do the same thing to other nations. There is no moral high ground anywhere here.
It's very simple: if you don't want to be hacked, then improve your security. Not using Windows is a good, first, easy step. There's no such thing as ransomware for Linux systems.
What gets overlooked, and I'll argue intentionally, is that people are not being held accountable for their actions. This is the flaw I constantly see in discussions regarding "Social Justice". You just attempted to do just that, using a very odd example. Given your example, the secret service would be blamed if the President got shot. And they should be blamed. Numerous people assigned to Presidential detail failed if that was to happen. Bob gets paid to take a bullet for the President, and he hid when trouble started. Jerry neglected email about a shooter, Beth ignored the metal detector because that lady just looked nice, etc.. etc...
Sure, the person who pulled the trigger is a criminal. The other people don't get a free pass at negligence and/or bad decisions because of the crime.
One more example: Say you are in a public park and a big guy sits across from you on a different bench. You start tossing pebbles and they land close to his feet. He gives you a look that lets you know he's not happy, but you continue to toss pebbles. A dozen or so pebbles later he walks over and punches you in the face.
Was he right to punch you in the face? No, he is absolutely guilty of assault. On the other hand, you instigated the encounter and are accountable for your actions. Your broken nose in no way negates the fact that you were instigating the encounter.
You don't have to learn the lesson that you were taught, and the next big guy coming along will still be wrong to punch you in the face. You will still be an instigator deserving of a broken nose.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
By that logic, when a wartime enemy drops bombs on your city, you shouldn't bother with any AAA defenses to keep their bombers away, you should just sit around and let yourself be bombed, and then just talk about how bad the bombers are for bombing you.
You are mixing two categories of things. Some are unequivocally stupid, but done anyway. Like demands to access sites using flash or more than basic javascript. (I'm dubious about ANY site that uses javascript, including this one.) Especially if it uses javascript to invoke sites not a part of the host domain. Others, like demanding passwords be changed frequently and to something non-memorable, are stupid, and lead to their own category of security hazards.
I've spent a lot of time in that hospital -- not in their care -- but as a recurrent visitor of friends and family.
Most of the physicians who work there are refugees from malpractice lawsuits.
Based on what we've experienced there, it would be a service to the community to turn the whole place into a nice park with swings and playgrounds.
In this one case, I wish the black hats the best of luck and suggest they raise the ransom.
Especially in a case like Hospitals, of which this is the second I've heard of this month. The first was here in LA County somewhere.
Hospitals are required by HIPAA to keep patients' medical records private. That at least implies an obligation to take network security seriously, and it may even explicitly require it.
I can see the fnords!
In the previous decades we wore bracelets with drug allergies.
just try https://noransom.kaspersky.com
besides, one of the recent ransomwares had a plain-text unlocking pass in one of the files - so much for "strong encryption"
An email that originated from inside the network pretended to be from the U.S. Postal Service. A few hundred systems were infected. Everyone was told to turn off the viewing pane in Outlook to avoid automatically launching the script inside the email. Nasty little bugger.
And learn from it. Secure your networks, introduce user training, a decent enterprise virus checker and lock down PCs. Also set up a disaster recovery system.
We got hit by a rootkit ransomware virus a couple of years ago and I admit our virus checking and control of user PCs was piss poor - it took out nearly everything, proved impossible to remove without destroying the PC setups.
Fortunately we had virtualised all our workstations a year before (Proxmox Cluster - kvm) and had full image backups of everything with a 6 month rolling history, plus online data backups. We were able to rollback the whole cluster two months and restore data from online. Took a weekend but saved our bacon.
Since then we have rolled out webroot to all the VMs and forced firewalls plus windows defender via group policy. Haven't had a problem since.
We've been knee deep in this malware swamp and sinking since Win98. This shit happens when you use shit and there is no need to panic and scare the horses.
There are plenty of options, all time consuming and expensive, but having to rebuild the critical information by getting the medical histories of everyone in the place is not the end of the world. The rest, frankly (but we miss it because we are IT geeks) doesn't really matter and can be put together from scratch and whatever bits remain as needed. While robust systems, real backups etc would be nice there's no point crying about having a home computer system running a hospital after the fact.
Outlook not so good.
I have most people on Thunderbird but a couple of people who insisted on using MS Outlook were hit by something similar on different occasions. The servers all had regular file system snapshots (ZFS FTW!) and those variants of cryptolocker made encrypted copies of files then deleted the originals so "photorec" recovered the local files that were needed. Of course I had to reinstall (on new disks while I was recovering files from the old ones) because you never know what sort of things could be lurking on a machine that has been "0wned" by criminals. As the antivirus saying paraphrased from a movie goes "dust off and fdisk from orbit, it's the only way to be sure".
You can cheat with a lot of filesystems with different levels of access - but in large orgs middle management that want to snoop on others and have a desire to appear to be more important than their superiors can throw a spanner in the works demanding full access to everything. In large places it's policy that fucks you up more than actual technical issues so even the real segmented ideal can be screwed up by such things.
Similarly on the MS side you can run virtual machines for some segregation but not really security other than by obscurity. On the *nix side there are zones and containers to give the appearance of multiple machines for segregated tasks and it was designed with security in mind so can be trusted a bit more than virtual machines.
Please contact me, for $40,000 I will deliver the 4 bitcoins to the ransomware attackers and retrieve your stolen data.
The excuse is shared network drives that act as if they are part of the computer that was infected. Convenience over segmentation resulted in the whole hospital getting infested.
The single user not networked MSDOS mentality is still alive, well and why we are neck deep in a reeking malware swamp.
Of course they are, they've got nothing better to do while they wait for the hackers to verify receipt of the wire transfer, or for IT to restore from the most recent backup set.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Why is this just now on here? Has it happened again? All of this was fixed last week.
Or that once you pay, you're known as a likely payout.
The bad guys want to be paid with Bitcoins. Is there anything related to Bitcoins that enables criminals to cover their tracks easily? Do Bitcoins enable crime?
There's a lot more people with drug allergies than I've seen wearing bracelets, and that's from before electronic records. Moreover, the fact that I have a mild shellfish allergy turned out to be relevant for treatment of my heart attack.
As I said before, if the IT manager can show why his hands were tied by the CxO, then the CxO should go to jail instead.
So naturally, the police will be charged as accomplices if they fail to prevent the kidnapping. Also, charge the victim (posthumously)?
How about we just charge the people who did the crime!
No, you're doing an underpants gnome routine on that one. There is no logical connection between what I said, and what you just said. You simply assert that oranges would become apples ... because.
Might as well blame it on Jupiter and Vertumnus, Roman Gods of storms and trees respectively. Next time, when parking under a tree, you need to pour some wine on the roof of your car while reciting "Vertumne, uti te ture ommovendo bonas preces bene precatus sum, eiusdem rei ergo macte vino inferio esto."
I love you slashdot... and god of seasons
So you're claiming that police failing to either prevent the crime or resolve it themselves does nothing at all to encourage more of the same?
It really is just about the same argument.
Well you are completely right in all your suggestions. Do these few things and your world will be safer. I've been a Pen Tester for over 15 years. I've seen it all. Hospital network security IS! a fucking joke on EVERY hospital I have tested. I've tested 100s. When I see the word "hospital" on a project I know I will pwn them in less than an hour and have the whole network in my pocket before the day is out. My 10 year old Granddaughter could crack a hospital.
Just last month I tested a hospital, and a big one, in Florida. In less than an hour I found that the Domain Administrator's password was "password" YEP! password and from there you can guess where the rest of the test went. I even checked Fred Flintstone into the hospital, got him a room set up and an operation for him the next day to have his woman parts removed. Got into the Drug web app and could have sent myself all the drugs I could ever want. I also locked out the CIO's account and the Information Security Officer's account just as a joke and icing on the cake.
Admins of hospitals would have no clue of how to set up what you suggest. I have often wondered why it is EVERY hospital is this way? You hear all the shit about HIPAA but you have to remember there is no controlling body over enforcement of the rules with HIPAA. Just words on a paper. With credit cards you do have PCI which does require testing and requires you TO PASS IT. I have tested one hospital two years in a row and the exact same problems including the same passwords were still there. You know how that one went too.
There is better network security at an adult toy store site than at a hospital. I'm not joking. A dildo is safer than your health records.
I'm not interested in your argument that oranges are really just about the same as apples.
Obviously you didn't understand my statement, if you think your extrapolation is somehow on the same subject. It isn't analogous at all. And furthermore, I expressed a mainstream opinion that is actually the law in some places; none of the major groups supporting this view would support what you said, or think it was similar. Your claim that it is similar shows that you haven't thought deeply about the subject, AND you also haven't read about differing opinions on it.
For a basic walk-through of the subject and the things that are being discussed, see: http://webcache.googleusercont...
There is nothing in the hardline "do not support kidnappers" line that would be anti-police, or have confused the job of police to be some kind of "pre-crime" unit. Rather, the more obvious companion view would be to support strong police or military action against kidnappers. Exactly the opposite direction than you tried to run with your apples=oranges nonsense. Notice how much better "military action" combines with "make it illegal to pay ransoms" than what you came up with as your idea for what my views would be?
Wow, talk about apples and oranges, the article you pointed to is talking about the U.S. government not paying ransom to terrorists who kidnap someone. That is a rather small subset of kidnappers. Had you properly constrained your statement to that small subset, it might have made sense. Alas, you didn't.
Note as well, that in those limited cases, it is common that special forces respond vigorously and lethally to rescue the hostages and crush the kidnappers. Quite a substantial effort to strongly discourage such crimes.
In contrast, these filesystem encryption people don't seem to be pursued at all. Track them down and send them a cruise missile and we'll talk. Unless or until that sort of thing happens (or they at least end up locked up), there is no moral high ground to charge the victim with a crime.
I believe if you re-examine the parallels you've drawn, you may see that you are the one who has conflated apples with oranges.
Your post removed your moderation! HAH!