Month: October 2018

Healthcare Lags Other Industries in Phishing Attack Resiliency Rate

Posted on

Originally Seen: September 18, 2018 on Thinkstock by Fred Donovan

Healthcare lags behind other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one.

 Healthcare trails other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one, according to a report released Sept. 17 by Cofense.

The healthcare resiliency rates for the last 12 months was 1.49, compared with an average resiliency score of 1.79 for all industries examined by Cofense (formerly PhishMe).

By comparison, the energy sector had a resiliency rate of 4.01, the insurance industry had a rate of 3.03, and the financial services had a rate of 2.52. The data is based on phishing simulations that Cofense uses to test employees at customer organizations.

“One factor that surely inhibits the industry’s resiliency: high turnover. With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report commented.

The top five phishing scenarios that healthcare workers most frequently clicked on were Requested Invoice, Manager Evaluation, Package Delivery, Halloween eCard Alert, and Beneficiary Change.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report noted.

Unfortunately, phishing has become the preferred method for hackers to get access to healthcare organizations to steal valuable medical data.

The 2018 Verizon Data Breach Investigations Report (DBIR) found that phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon, with email being the main entry point (96%).

Phishing is also a way attackers deploy ransomware, which has devastated the healthcare industry over the last couple of years. The Verizon report found that ransomware accounts for 85 percent of the malware in healthcare.

In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine.

It only takes one person to fall for the bait for an entire organization to be infiltrated.

According to an American Medical Association and Accenture survey of 1,300 US physicians, 83 percent of respondents had experienced a cyberattack and more than half of those said the attack came in the form of a phishing email.

Nearly two-thirds of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.

More than half of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or impact patient safety (53%).

Data from Wombat Security’s learning management system revealed that healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.

The Wombat learning management system includes questions about avoiding ransomware attacks and identifying phishing threats, two topics dear to the heart of healthcare CISOs.

Alan Levine, a cybersecurity advisor to Wombat Security, told “If an email purports to come from a person who seems to be an authority, then it is very likely that people who receive the email will not look for the specific things that may indicate that there is a potential risk with the email and will instead be more interested in promptly reacting to it.”

The primary purpose of a phishing attack is to gain a foothold inside the organization by infecting a computer or other endpoint.

“Then an attacker will use that individual platform that he now controls to do a variety of things,” Levine said. “He wants to move from PC to PC, within a subnet, and laterally across subnets in order to compromise or control as many other devices as possible. Now he has a base of operations.”

“By collecting information from an individual compromised asset,” he continued, “an attacker learns a great deal about the institution itself in which that compromised machine now operates. Maybe he gets a copy of the GAL, which is the global address list. Now he’s got a lot more email addresses he can send phishes to.”

To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.

Health care cyber experts tout progress in vulnerability disclosure at BSides Vegas

Posted on

Written by  on 


The delicate process for disclosing software and hardware bugs in medical devices has made important strides in recent years, according to experts, as big manufacturers have set up disclosure programs and the threat of lawsuits against security researchers has receded. Health care cybersecurity hands are now looking to capitalize on what they say is growing trust between manufacturers and researchers to strengthen vulnerability disclosure in the industry.

“There’s still a lot of work to be done to make it better, but man, has it come a far way,” Jay Radcliffe, a cybersecurity researcher at medical device manufacturer Boston Scientific, said at the BSides Las Vegas conference Tuesday.  “And as a researcher, that makes me a lot more comfortable doing my disclosures and doing my research.”

Radcliffe, who is diabetic, told the story of a presentation he gave at Black Hat in 2011 on hacking insulin pumps.

“At that time, the state of disclosure was pretty chaotic,” he said. “I didn’t feel comfortable enough going to the manufacturer to disclose that before my talk” out of fear of getting sued.

The Digital Millennium Copyright Act, for example, could have been used to prosecute researchers for accessing copyrighted data on a device. But a three-year exemption to that DMCA provision for “good faith” research, instituted in October 2015, has helped lift the specter of lawsuits. And last year, Radcliffe said he worked hand-in-hand with a different manufacturer when he found the same type of vulnerability in an insulin pump.

“They said, ‘Great. We have a vulnerability intake program and we want to work with you and make sure that we address these issues correctly and safely,’” he recalled. That greater collaboration between researchers and manufacturers in health care mirrors the progress in vulnerability disclosure made in other sectors, such as the automotive industry.

Health care delivery organizations are demanding more secure devices, according to Radcliffe. “They actually are doing their homework and they’re asking lots of questions of us – of how we are testing these devices, how are we guaranteeing that these devices that they’re buying are going to be secure not only now, but secure going forward for the next five, 10, 15 years,” he said.

In recent years, industry heavyweights like Johnson & Johnson have set up vulnerability disclosure programs, while the Food and Drug Administration has advised manufacturers to “systematically” address cybersecurity risk, including through a coordinated disclosure process. Nonetheless, industry insiders say more work is needed to make these practices widespread.

Suzanne Schwartz, a top cybersecurity official at the FDA, said she would like to see wider adoption of vulnerability disclosure programs among medical device manufacturers beyond the “two handfuls” of companies that are leading the way. Within the next year, she said, industry groups will be identifying the concerns and challenges that may be keeping many manufacturers from setting up programs. The goal, she said at the BSides panel, is to ramp up the number of companies that have programs from roughly 15 today to, say, 100.

The maturing of vulnerability disclosure programs comes as the health care industry has grappled with the persistent threat of ransomware, with hackers looking to exploit health care facilities’ reliance on sensitive data. In January, for example, the SamSam ransomware struck an Indiana hospital’s computer network, and hospital officials paid hackers roughly $50,000 to unlock the data.

To prepare for attacks like that, Radcliffe said hospitals need to have a clearer understanding of their IT assets and how to make them more secure. “It makes me very nervous to see the amount of devices that go unpatched,” he said.

For her part, Schwartz said the FDA has been working with cybersecurity company MITRE and the states of Massachusetts and New York to produce “playbooks” in helping hospitals prepare for and respond to such cyberattacks.

Credit Freezes are Fee-Free

Posted on

Originally seen on KrebonSecurity, 9/10/18

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name.

Currently, many states allow the big three bureaus — EquifaxExperian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.

KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.

The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.

Via numerous front-end Web sites, each of these mini credit bureaus serve thousands or tens of thousands of people who work in the above mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.

In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).


The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.

KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].

Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.

“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.

With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.

“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”

I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.

Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.


According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, EquifaxExperian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.

The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.

Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess. As such, I would highly recommend that readers who have children or dependents take full advantage of this offering once it’s available for free nationwide.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.

A key unanswered question about these changes is whether the new dedicated credit bureau freeze sites will work any more reliably than the current freeze sites operated by the big three bureaus. The Web and social media are littered with consumer complaints — particularly over the past year — about the various freeze sites freezing up and returning endless error messages, or simply discouraging consumers from filing a freeze thanks to insecure Web site components.

It will be interesting to see whether these new freeze sites will try to steer consumers away from freezes and toward other in-house offerings, such as paid credit reports, credit monitoring, or “credit lock” services. All three big bureaus tout their credit lock services as an easier and faster alternative to freezes.

According to a recent post by, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).

TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.

Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

If you’d like to go ahead with freezing your credit files now, this Q&A post from the Equifax breach explains the basics, and includes some other useful tips for staying ahead of identity thieves. Otherwise, check back here later this month for more details on the new free freeze sites.


Posted on

Originally Seen on Wired by: Andy Greenberg on 8/13/18

WHEN THE CYBERSECURITY industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them.

At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid.

Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people—a population roughly equal to Canada or California—the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.

“Power grids are stable as long as supply is equal to demand,” says Saleh Soltan, a researcher in Princeton’s Department of Electrical Engineering, who led the study. “If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.”

Just a one percent bump in demand might be enough to take down the majority of the grid.

The result of that botnet-induced imbalance, Soltan says, could be cascading blackouts. When demand in one part of the grid rapidly increases, it can overload the current on certain power lines, damaging them or more likely triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, potentially leading to a chain reaction.

“Fewer lines need to carry the same flows and they get overloaded, so then the next one will be disconnected and the next one,” says Soltan. “In the worst case, most or all of them are disconnected, and you have a blackout in most of your grid.”

Power utility engineers, of course, expertly forecast fluctuations in electric demand on a daily basis. They plan for everything from heat waves that predictably cause spikes in air conditioner usage to the moment at the end of British soap opera episodes when hundreds of thousands of viewers all switch on their tea kettles. But the Princeton researchers’ study suggests that hackers could make those demand spikes not only unpredictable, but maliciously timed.

The researchers don’t actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked. Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker. That’s arguably a realistic assumption, given the myriad vulnerabilities other security researchers and hackers have found in the internet of things. One talk at the Kaspersky Analyst Summit in 2016 described security flaws in air conditioners that could be used to pull off the sort of grid disturbance that the Princeton researchers describe. And real-world malicious hackers have compromised everything from refrigerators to fish tanks.

Given that assumption, the researchers ran simulations in power grid software MATPOWER and Power World to determine what sort of botnet would could disrupt what size grid. They ran most of their simulations on models of the Polish power grid from 2004 and 2008, a rare country-sized electrical system whose architecture is described in publicly available records. They found they could cause a cascading blackout of 86 percent of the power lines in the 2008 Poland grid model with just a one percent increase in demand. That would require the equivalent of 210,000 hacked air conditioners, or 42,000 electric water heaters.

The notion of an internet of things botnet large enough to pull off one of those attacks isn’t entirely farfetched. The Princeton researchers point to the Mirai botnet of 600,000 hacked IoT devices, including security cameras and home routers. That zombie horde hit DNS provider Dyn with an unprecedented denial of service attack in late 2016, taking down a broad collection of websites.

Building a botnet of the same size out of more power-hungry IoT devices is probably impossible today, says Ben Miller, a former cybersecurity engineer at electric utility Constellation Energy and now the director of the threat operations center at industrial security firm Dragos. There simply aren’t enough high-power smart devices in homes, he says, especially since the entire botnet would have to be within the geographic area of the target electrical grid, not distributed across the world like the Mirai botnet.

‘If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.’


But as internet-connected air conditioners, heaters, and the smart thermostats that control them increasingly show up in homes for convenience and efficiency, a demand-based attack like the one the Princeton researchers describes could become more practical than one that targets grid operators. “It’s as simple as running a botnet. When a botnet is successful, it can scale by itself. That makes the attack easier,” Miller says. “It’s really hard to attack all the generation sites on a grid all at once. But with a botnet you could attack all these end user devices at once and have some sort of impact.”

The Princeton researchers modeled more devious techniques their imaginary IoT botnet might use to mess with power grids, too. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system’s generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption.

If a botnet did succeed in taking down a grid, the researchers’ models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or “islands” of the grid that recover first. And smaller scale attacks could force utility operators to pay for expensive backup power supplies, even if they fall short of causing actual blackouts. And the researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect.

The owners of the actual air conditioners and water heaters might notice that their equipment was suddenly behaving strangely. But that still wouldn’t immediately be apparent to the target energy utility. “Where do the consumers report it?” asks Princeton’s Soltan. “They don’t report it to Con Edison, they report it to the manufacturer of the smart device. But the real impact is on the power system that doesn’t have any of this data.”

That disconnect represents the root of the security vulnerability that utility operators need to fix, Soltan argues. Just as utilities carefully model heat waves and British tea times and keep a stock of energy in reserve to cover those demands, they now need to account for the number of potentially hackable high-powered devices on their grids, too. As high-power smart-home gadgets multiply, the consequences of IoT insecurity could someday be more than just a haywire thermostat, but entire portions of a country going dark.