Show Notes: error.show/49

The post Not Dead Yet | User Error 49 first appeared on Jupiter Broadcasting.

Find out about another hospital that accidentally took advantage of free encryption, researchers turn up a DDoS on the root DNS servers & the password test you never want to take.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Researchers at VeriSign investigate DDoS on root DNS servers

• Researchers from VeriSign, the company that runs the .com and .net registries, and operations 2 of the 13 critically import root DNS servers, will be giving a talk at a conference detailing their investigation into the attack
• Their findings suggest the attack, which took place in November of 2015, was not directed at the root name servers directly, but was an attempt to down two chinese websites
• The attack had some interesting patterns, likely caused by design decisions and mistakes made by the programmer of the botnet that was used in the attack
• The provide a video showing a breakdown of the attack
• It was interesting to learn that Randall Munroe (of XKCD fame) actually came up with the best way to visualize the distribution of IP addresses, with a grid where sequential numbers are in adjacent squares
• Only IP addresses in the first 128 /8 netbooks were used. The use of 128/8 specifically suggests an less than or equal, rather than an equal was used during the comparison of IP addresses
• It is not clear why a larger set of addresses were not used
• The attack seemed to use 3 or 4 different groups of bots, sending spoofed DNS requests
• Two of the larger groups of bots sequentially cycled through the 2.0.0.0/8 through 19.0.0.0/8 subnets at different speeds
• Attacks were not seen from the 10.0.0.0/8 and 127.0.0.0/8 networks, for obvious reasons
• However, a delay in the attacks sourced from 11.0.0.0/8 suggests that the botnet attempted to use the entire 10 block, but the packets just never left the source networks
• “The researchers also note that Response Rate Limiting was an effective mitigation in countering up to 60 percent of attack traffic. RRL is a feature in the DNS protocol that mitigates amplifications attacks where spoofed DNS queries are used to target victims in large-scale DDoS attacks.”
• “In addition to RRL, the researchers said attack traffic was easily filterable and through filtering were able to drop response traffic for the attack queries, leaving normal traffic untouched. One of the limitations with this approach is that it’s a manual process”

Virus hits Medstar hospital network, Hospital forced to shutdown systems

• “The health system took down some its computers to prevent the virus from spreading, but it’s not clear how many computers — or hospitals — are affected”
• “A statement by the health system said that all facilities remain open, and that there was “no evidence of compromised information.””
• “The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system’s website, it has more than 31,000 employees and serves hundreds of thousands of patients annually.”
• “One visitor to the hospital told ZDNet that staff switched the computers off after learning about the virus. The person, who was visiting a patient in one of the healthcare system’s Washington DC hospital, said the computers were powered off for more than an hour, with all patient orders lost, the person said.”
• “It’s not clear exactly what kind of malware was used in Monday’s cyberattack. A spokesperson for MedStar Health did not immediately respond to a request for comment.”
• An FBI spokesperson confirmed that it was “aware of the incident and is looking into the nature and scope of the matter.”
• Additional Coverage: Threat Post
• After a few days, the medical network was recovering
• “The healthcare provider said the attack forced it to shut down its three main clinical information systems, prevented staff from reviewing patient medical records, and barred patients from making medical appointments. In a statement issued Wednesday, it said that no patient data had been compromised and systems were slowly coming back online.”
• “Clinicians are now able to review medical records and submit orders via our electronic health records. Restoration of additional clinical systems continues with priority given to those related directly to patient care”
• “While the hospital still won’t officially confirm the attacks were ransomware related, The Washington Post along with other news outlets are reporting that employees at the hospital received pop-up messages on their computer screens seeking payment of 45 Bitcoins ($19,000) in exchange for a digital key that would decrypt data”
• “The MedStar cyberattack is one of many hospitals in recent months targeted by hackers. Last week, Kentucky-based Methodist Hospital paid ransomware attackers to unlock its hospital system after crypto-ransomware brought the hospital’s operations to a grinding halt. Earlier this year Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers that locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.”
• As long as hospitals continue to pay out, this will only grow to be a worse problem
• “Medical facilities don’t give security the same type of attention that other verticals do,” said Craig Williams, senior technical leader for Cisco Talos. “They are there to heal people and cure the sick. Their first priority is not to take care of an IT environment. As a result it’s likely the hackers have been out there for quite some time and realized that there are a lot (healthcare) sites that have a lot of base vulnerabilities.”
• As you might expect: 1400 vulnerabilities to remain unpatched in medical supply system
• Additional Coverage
• In related news:
• Canadian hospital website compromised serves up the Angler malware kit to visitors
• The site is for a hospital in a small city that serves a mostly rural area. Happens to be where I grew up, and the hospital I was born in
• The hospital site is run on Joomla, and is running version 2.5.6, which has many known vulnerabilities. The latest version of Joomla is 3.4.8
• “Like many site hacks, this injection is conditional and will appear only once for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware.”
• The obvious targets are “staff, patients and their families and visitors, as well as students”
• The hospital became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009
• “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”

CNBC Password Tester — How not to do it

• CNBC has a post about constructing secure passwords
• The basic idea was that you submit your password, and it tells you how strong it is
• There are obvious problems with this idea. Why are you giving out your password anyway?
• Of course, the CNBC site is served in plain text (which is fine for a news site), but it means your password is sent to them in the clear
• Worse, they had the site adding all of the submitted passwords to a google spreadsheet, also in the clear
• Because the password was submitted as a GET variable, and was in the URL, it was also included in the referral information sent to all of the advertising networks in the CNBC site, including DoubleClick, ScoreCardResearch, something hosted at Amazon AWS, and any other widgets on the site (Facebook, Gigya)
• If you actually did want to build a tool like this, at least use javascript to perform the calculations on the users’ device and never transmit their passwords
• Of course, users should never type the password into another website. This is the definition if a phishing attack
• The page has since been removed
• Additional Coverage

Feedback:

• pfSense question ALERT!
• OpenVPN vs IPSec VPN
• leaky DNS

Round Up:

• Finnish supercomputer suffers largest unplanned outage in years, provides post mortem
• Mattel hit by fake CEO scam, for $3 million. Managed to get it back because the next day was a bank holiday in China
• Google offers a free DDoS shield to news papers and other sites that seek to expose corruption, and may face state-level DDoS attacks attempting to silence them
• EFF Proposes “DRM Non-Aggression Pact” as part of W3C standard for DRM. Asks signatories to agree not to go after security researchers or those making ‘compatible’ technologies
• Amazon Updates Its Policies To Ban USB Type-C Cables That Are Not Fully Spec Compliant
• TrendMicro A/V software accidently exposes debugging console that can be exploited
• US Federal court warns of scammers trying to get people to pay hefty fines for missing fake jury duty
• HID Networking Door Controllers have remote root vulnerability, hilarity ensues
• A Romanian ex-minister faces jail time after embezzling the windfall from the 47% discount Microsoft gave the government for a 5 year deal to use MS Office in all Schools and Public Institutions
• New SideStepper exploit allows Man-in-the-Middle attacks against iOS devices, requires phishing or otherwise tricking the user
• Enders Analysis ad blocker study finds ads take up 79% of mobile data transfer
• Operating Blockbuster, an investigation into the Sony Pictures Entertainment wiper hack
• How Wi-Fi Works

The post Holding Hospitals Hostage | TechSNAP 261 first appeared on Jupiter Broadcasting.

More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

• “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
• The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
• “The hospital says it immediately notified law enforcement agencies.”
• “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
• “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
• The age of the data suggests that the compromise may have involved backups and/or cold storage
• It is not clear of the Hospital stores the older data themselves, or if they rely on a 3rd party provider that may have been compromised
• “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim

• Sony has apparently cancelled the release of the film that is apparently the cause of the hack of their systems
• A number of cinemas had declined to screen the file after vague threats of physical violence were made
• “We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public,” Sony’s statement continues. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”
• If they stand for freedom of expression, they wouldn’t have cancelled the movie
• A number of people believe that the hackers may have found something especially damaging to Sony, and Sony is hoping to avoid the disclosure
• Bruce Schneier – “It’s really a phenomenally awesome hack—they completely owned this company,”
• “this is like Snowden, only with Sony.” He said that releases from the hack could go on for months.
• That seems to suggest that the hackers will soon leak something that will look very, very bad for the company, Schneier says.
• Earlier this week, Sony sent a letter to news outlets reporting on the leaks, saying that they could face prosecution for downloading stolen information. That letter, Schneier said, was a signal that the worst is still to come.
• Gawker posts a copy of the threatening letter
• “The fact that they sent that letter tells me there is stuff still to be found that Sony is terrified of. There’s some really bad stuff in there—stuff they did, stuff they said, stuff that’s illegal. Someone [from Sony] is going to jail for this.”
• Reaction to the Sony hack is beyond the realm of stupid – This is not terrorism
• Cisco analysis of Wiper malware used at Sony
• Newer version of Wiper malware signed with stolen Sony certificate
• ThreatPost Digital Undergound Podcast – Details of the Sony Breach
• The leak has also covered a number of different plans and plots by the MPAA
• Inclusing the MPAA’s post-SOPA plan to make ISP DNS Servers block sites

Feedback:

• FW Question

• IP management with 257 devices

• Isolating a server

• Certificate for web site
  • Mozilla TLS Server Side settings

• OpenYourMouth · GitHub

• Cipherli.st – Strong Ciphers for Apache, nginx and Lighttpd

Round Up:

• Viber calls out ESET for flagging them, ESET responds with a digital uppercut
• Yahoo releases new disclosure policy, all new bugs it finds will be disclosed within 90 days
• Report: Mysterious Russian Malware Is Infecting 100,000+ WordPress Sites
• Red October APT team is back, with the CloudAtlas APT attack
• Verizon’s new “end-to-end” encrypted calling app, includes “Government Access Option” – Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. “It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”
• Leaked Government documents reveal Canadian Telco’s offering the Government “Surveillance Ready Networks”, to avoid legislation, and to force small operators out of the market
• Ars was briefly hacked yesterday; here’s what we know (Ars uses PHPass to hash passwords, that is 2048 rounds of MD5. Not as bad as it sounds: If you want to put this into “OL Hashcat” terms, a single R9 290X (video card) can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That’s beyond properly slow.)
• A small bank in Kansas may be the future of banking, replacing ‘batched processed’ ACH transfers with instant transfers backed by the existing ATM processing network
• phpBB Status Update
• Study by Dell SecureWorks researchers finds that prices on the Internet Underground are rising

The post Don’t Fire IT | TechSNAP 193 first appeared on Jupiter Broadcasting.