‘From USA with love’: The Jester goes after Russia as payback

The Jester, the computer vigilante who over the past five years has claimed a number of DDoS attacks, including those on the Westboro Baptist Church, Wikileaks and dozens of Islamist websites, is back to take down US enemies.

Friday night, the “Batman of the internet,” as he’s called by the FBI, went after the website of Russia's Ministry of Foreign Affairs as payback for the attacks on US officials, the DNC and voting systems and for the Dyn DNS shutdown, all of which he believes Russia is responsible for, the hacker said in an exclusive interview with CNNMoney. He says he is a former US soldier and that his actions are motivated by patriotism.

“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message. Knock it off,” he wrote. “You may be able to push around nations around you, but this is America. Nobody is impressed. Let’s get real, I know it’s you, even if by-proxy, and you know it’s you. Now, get to your room. Before I lose my temper.”

Source: Ars Technica

Although several media outlets picked up the news and announced that the Jester had taken down the Russian Foreign Affairs website, Ars Technica discovered it was a trick. Rather than taking the site down, he exploited a cross-site scripting vulnerability on the Russian site to display a message claiming that it had been hacked.

The Foreign Ministry site was “a former site which has not been used for a long time,” said Maria Zakharova, Russian Foreign Ministry spokesperson.

When asked about the results of the investigation by their security specialists, she said that “if they find out it was a cyberattack from America, it means that either a cyber-machine of destruction Biden and McFaul have spoken about is already at work or that the evil provocative election campaign in the United States has driven people to a state where they are ready to wreak havoc.”


Treasury Dept Tells Financial Orgs to Report Computer Crime and Attacks

The United States Treasury Department has told financial organizations to report instances of computer-related crime and attacks.

On 25 October, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department issued an advisory (PDF) to financial institutions on computer crime and attacks.

The resource explains that organizations must file what is known as a suspicious activity report (SAR) whenever they experience a suspicious transaction that succeeds in stealing, or attempts to steal, 5,000 USD or more in funds and other assets.

Computer crime or attacks could require institutions to file a SAR. If that’s the case, FinCEN wants organizations to include some additional information. As the Treasury Department office explains in the advisory:

“When filing a mandatory or voluntary SAR involving a cyber-event, financial institutions should provide complete and accurate information, including relevant facts in appropriate SAR fields, and information about the cyber-event in the narrative section of the SAR—in addition to any other related suspicious activity.”


That information includes relevant details about the computer attack such as indicators of compromise, relevant IP addresses and timestamps, device identifiers, methodologies used, and other relevant information.

FinCEN believes those pieces of data can help law enforcement shut down computer criminal networks, such as the actors who abused the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to steal 81 million USD from the Bangladesh Bank.


The Health of Healthcare’s Cyber Security

The current diagnosis for healthcare cyber security is frightening. Here’s our current assessment:

One in three healthcare records were compromised in 2015 (IBM 2016).
Healthcare is the number one industry when it comes to its records being breached (IBM 2016).
Ransomware is on the rise, with 88 percent of attacks occurring in healthcare (Solutionary 2016).
The price of electronic healthcare records is going down from $75-$100 to $70-$50 because of the ease of breaching this data. It’s all about supply and demand (Institute for Critical Infrastructure Technology).

Consumers

For consumers, this should be concerning on many fronts. From a privacy standpoint, such information can be sold for fraudulent pursuits (someone could attempt to get services under another person’s plan), putting victims in a difficult position to resolve. Some providers are sensitive to this and are now asking for a photo ID as proof of identity.

From a safety point of view, the data could be manipulated and presented as incorrect information to healthcare providers, who may then give victims medication that could be harmful to them.

There is also the potential for tax fraud, since many medical records use Social Security Numbers. Unlike credit card data, where the consumer impact is minimized because the money is protected and insured, with consumers’ healthcare data there is little recourse for the consumer.

Providers

Equally concerning are the consequences for providers. The global cost of a data breach per lost or stolen record in healthcare is $355, with the average across all industries at $158.

While HIPAA compliance, with an annual maximum penalty of $1.5 million, can be daunting, the loss of consumers’ confidence in provider services following a breach can be even more damaging. That doesn’t even cover providers’ liability for inadvertently or incorrectly servicing patients’ health needs, which could have long-term and/or lethal impacts.

Healthcare organizations have a good incentive to address some of these security issues, as the Office for Civil Rights (OCR) is conducting Phase 2 of its HIPAA audits this year and next year. What is disconcerting is the fact that IT security spending in the healthcare industry is about one-tenth of what other industries spend, according to KPMG.

The rise of the ransomware epidemic in healthcare also nourishes the sophistication of the ransomware. The first strains that attacked hospitals were Locky and TeslaCrypt; both targeted specific content files. One of the latest samples, which goes by the name Crysis, targets all files on a computer except for the ones that allow a user to boot the machine. It can gain login credentials and keep control of a computer until the credentials are changed. Crysis will then exfiltrate data and take control of the data on the hacker’s server. As experience tells us, we can count on more sophistication in the realm of ransomware.

There has been some talk about whether ransomware is really a data breach, because in most cases it simply locks data up and doesn’t steal it. Unavailable data still comes with some serious risks, however. For healthcare, if you can’t access the information, you cannot treat or care for your patients. It disrupts your ability to serve.

By the way, HIPAA guidance recently classified ransomware as a security incident:

“The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.”

The biggest OMG moment in this health check-up is the latest HIMSS cybersecurity survey of 2016. The lack of adoption of basic security controls is startling.

HIMSS Cybersecurity Survey 2016

Ok, enough of the bad news. So what can a healthcare provider do? Here’s a list of recommendations:

Make cyber security a top priority, from the boardroom to investment decisions.
Review ransomware prevention tips.
Implement basic security: the Critical Controls.
Build a resilient architecture (part 1).

Next month, Tripwire will be attending the National Health Information Sharing and Analysis Center (NH-ISAC) conference, where healthcare professionals come to talk and network about their cyber security efforts. NH-ISAC is a membership-based organization that offers a wide range of services to empower healthcare organizations to protect against cyber threats. Participation is highly encouraged. Please stop by Tripwire’s table while you’re there.