Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to a hacker who seized control of the hospital’s computer systems and would give back access only when the money was paid, the hospital’s chief executive said Wednesday.
The assault on Hollywood Presbyterian occurred Feb. 5, when hackers using malware infected the institution’s computers, preventing hospital staff from being able to communicate from those devices, said CEO Allen Stefanek.
The hacker demanded 40 bitcoins, the equivalent of about $17,000, he said.
“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
The hospital said it alerted authorities and was able to restore all its computer systems by Monday with the assistance of technology experts.
Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers
By Monte Reel and Jordan Robertson | November 2015
from Bloomberg Businessweek
In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers. His roster of clients has included the Pentagon, major defense contractors, Microsoft, Google, and some others he can’t talk about.
He’s tinkered with weapons systems, with aircraft components, and even with the electrical grid, hacking into the largest public utility district in Washington state to show officials how they might improve public safety. The Mayo Clinic job, in comparison, seemed pretty tame. He assumed he was going on a routine bug hunt, a week of solo work in clean and quiet rooms.
But when he showed up, he was surprised to find himself in a conference room full of familiar faces. The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.” The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.
The U.S. described a vast, multi-year criminal enterprise centering on hacks of at least nine big financial and publishing firms and the theft of information on 100 million of their customers that fueled a web of stock manipulation, credit-card fraud and illegal online casinos.
Two indictments, unsealed Tuesday, tied three of four suspects to previously reported hacks of JPMorgan Chase & Co., E*Trade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp.
Hackers and conspirators in more than a dozen countries generated hundreds of millions of dollars in illicit proceeds from pump-and-dump stock schemes and particularly lucrative online gambling, prosecutors said.
From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose e-mail addresses they’d stolen, and profited by using trading accounts set up under fake names, prosecutors said.
Along the way, members of the ring tried to extract nonpublic information from financial corporations, processed payment information for fake pharmaceuticals and fake anti-virus software, falsified passports and took control of a New Jersey credit union, said prosecutors. They used 75 companies and bank and brokerage accounts around the world to launder money, prosecutors wrote. Other alleged offenses include hacking, securities fraud, wire fraud and identity theft.
Ridgewood NJ, Ridgewood Police report that on Sunday, October 11, 2015, a Corsa Terrace resident reported that his/her computer had been hacked resulting in his/her identity being stolen. The victim, who had implemented a program to improve his/her computer’s performance and remove viruses, was contacted by a male caller claiming to represent “Celox Support”. The caller persuaded the victim to allow him remote access to his/her computer and credit card account information.
It is suggested that consumers provide credit card account information only after positively verifying that they are dealing with a legitimate service provider. The Ridgewood Police Department is also aware that this is a very popular scam at this time and residents should always be wary of someone contacting them by phone and offering to “fix” computer problems.
Patreon: Some user names, e-mail and mailing addresses stolen
At least passwords were encrypted with 2048-bit RSA, hashed via bcrypt, and salted.
by Cyrus Farivar – Oct 1, 2015 3:30pm EDT
Patreon, the website that allows people to maintain regular donations to a website, an artist, or project, announced late Wednesday that it had sustained a security breach.
The site said some registered names, e-mail addresses, and mailing addresses were accessed after someone managed to access a “debug version of our website” that at the time was accessible to the public.
Jack Conte, the co-founder and CEO, wrote in a statement:
We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.
Conte specified that user passwords are hashed with bcrypt and salted as well, but he encouraged patrons to change their password anyway as a precaution.
The Office of Personnel Management announced Wednesday that 5.6 million people are now estimated to have had their fingerprint information stolen.
That number was originally thought to be about 1.1 million, OPM said in a statement. About 21.5 million individuals had their Social Security Numbers and other sensitive information affected by the hack.
According to OPM, “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” The office acknowledged, however, that future technologies could take advantage of this information.
Despite a hack two years ago that publicly exposed Hillary Clinton’s emails, the State Department took no action to shore up the security of the former secretary of state’s private computer server.
A State Department official said the department could not do anything in response to the March 2013 hack of longtime Clinton confidant Sidney Blumenthal because it occurred on a non-governmental computer system. The hacked emails, which included Blumenthal’s frequent correspondence with Clinton while she was in office in 2012, were sent by the Romanian hacker to media organizations, which later posted them online.
The disclosure renews questions of when State Department officials first learned that Clinton was doing department business on a private server and what steps they took to safeguard her sensitive diplomatic communications, some of which have been deemed classified.
Aug 17, 3:50 PM EDT
BY STEPHEN OHLEMACHER
ASSOCIATED PRESS
WASHINGTON (AP) — A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed.
An additional 220,000 potential victims had information stolen from an IRS website as part of a sophisticated scheme to use stolen identities to claim fraudulent tax refunds, the IRS said Monday. The revelation more than doubles the total number of potential victims, to 334,000.
The breach also started earlier than investigators initially thought. The tax agency first disclosed the breach in May.
The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.
The personal information was presumably stolen from other sources. The IRS believes the thieves were accessing the IRS website to get even more information about the taxpayers, which could help them claim fraudulent tax refunds in the future.
“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” the IRS said in a statement. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to ‘Get Transcript’ taxpayer account information.”
Ridgewood NJ, Ridgewood Police report that on Tuesday, August 4, 2015, a West Side resident reported discovering that fraudulent charges had been made on one of his/her credit card accounts. Information concerning prevention/reporting of identity theft is available at the Ridgewood Police Department. While reports of similar incidents continue to be on the rise, it is prudent to closely monitor your credit history as well as incoming mail at your residence.
Earlier, on Monday, July 27, 2015, a resident reported that an unidentified actor had opened several credit card accounts utilizing his/her personal information. The matter is being investigated by the detective bureau. Information concerning prevention/reporting of identity theft is available at the Ridgewood Police Department. While reports of similar incidents continue to be on the rise, it is prudent to closely monitor your credit history as well as incoming mail at your residence.
Identity Theft Protection Tips
Identity theft is a crime in which an impostor obtains key pieces of personal identifying information (PII), such as Social Security numbers and driver’s license numbers, and uses them for his or her own gain. It can start with lost or stolen wallets, stolen mail, a data breach, a computer virus, “phishing” scams, or paper documents thrown out by you or a business (dumpster diving).
How can I minimize my risk of becoming an identity theft victim?
As consumers, you have little ability to stop or prevent identity theft. However, there are some positive steps you can take that will decrease your risk.
Don’t give out your SSN unnecessarily (only for tax reasons, credit, or verified employment). Before providing personal identifiers, know how they will be used and whether they will be shared.
Use a cross-cut shredder to dispose of documents with personal information. Also, use a specialized gel pen when writing out checks.
Place outgoing mail in collection boxes or the U.S. Post Office.
Know your billing cycles and contact creditors when bills fail to show up. Review bank and credit card statements carefully.
Password-protect your financial accounts. A strong password should be more than eight characters long and contain both capital letters and at least one numeric or other non-alphabetical character. Use of non-dictionary words is also recommended.
Don’t give out personal information on the phone, through the mail or over the Internet unless you initiated the contact.
Use firewall software to protect computer information. Keep virus and spyware software programs updated.
Reduce the number of preapproved credit card offers you receive: 888-5OPT-OUT
Order your free annual credit reports on-line at: www.annualcreditreport.com or by calling (877) 322-8228
You may also “freeze” your credit report. For more information on this, go to: State Resources
Booby-trapped MMS messages and websites exploit flaw in heart of Android.
Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.
The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in “Stagefright,” an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.
In a blog post published Monday, Zimperium researchers wrote:
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.
The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month’s Black Hat security conference in Las Vegas, where he’s scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.
David Shepardson, Detroit News Washington Bureau | 3:53 p.m. EDT July 24, 2015
Washington — Under government pressure, Fiat Chrysler Automobiles NV agreed Friday to recall 1.4 million vehicles that can be cyber-hacked remotely — as Congress, automakers and regulators are raising increasing concerns about vehicle communications.
The first-of-its-kind callback came just days after a magazine report showed hackers could wirelessly take control of some functions of a Jeep Cherokee.
The National Highway Traffic Safety Administration said it will open an investigation into the recall to ensure all vehicles that could be affected are covered. “Opening this investigation will allow NHTSA to better assess the effectiveness of the remedy proposed by Fiat Chrysler,” NHTSA Administrator Mark Rosekind said in a statement, acknowledging the agency had urged the move.
Owners will get a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures that largely address the problem.
The federal personnel agency announced Thursday a massive hack.
BY KAVEH WADDELL AND DUSTIN VOLZ
More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.
That number is in addition to the 4.2 million social security numbers that were compromised in another data breach at OPM that was made public in June.
Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigation, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants’ families.
The records that were compromised include detailed, sensitive information about the individuals, including fingerprint data. OPM says 1.1 million compromised files included fingerprints.
Beyond the fingerprints and Social Security numbers, some of the files in the compromised database included “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” OPM said.
(CBS) — It’s been a high-tech nightmare in the financial and airline industries today because of separate glitches.
Trading was halted at the New York Stock Exchange for 3 1/2 hours after what has been described as an “internal problem.” Trading later resumed, with sizeable losses.
This was followed by temporary trouble accessing the Wall Street Journal’s website, and a flood of conspiracy theories on social media about a coordinated hack attack.
But before all this happened, United Airlines grounded flights across the country for nearly two hours, because of what they call a “router issue.”
CBS 2’s Mike Parker reports that in every one of these incidents, the cause was a computer technology breakdown, not a hostile attack. But one local expert says more of those are sure to come and we should be ready.
With the outages at the NYSE and United Airlines, some people wonder if this brave but vulnerable new world of computers could be open to a much bigger failure: a major enemy hack attack.
Anonymous issued cryptic tweet on eve of NYSE suspension
New York trading was suspended around 11:30 a.m. Wednesday due to a “technical issue,” the exchange said in a statement posted to Twitter.
The Department of Homeland Security said there was no indication the NYSE had been hacked, according to Bloomberg and CNN. The exchange said the glitch could not be attributed to “a cyber breach.”
“The issue we are experiencing is an internal technical issue and is not the result of a cyber breach,” it said in another statement. “We chose to suspend trading on NYSE to avoid problems arising from our technical issue. NYSE-listed securities continue to trade unaffected on other market centers.”
The White House said President Obama had been briefed on the issue. Earlier in the day, United Airlines briefly grounded all of its flights due to a systemwide failure.
Anonymous has previously targeted Wall Street and made headlines in 2011 when it threatened to “destroy” the New York Stock Exchange.
The message could also be seen as an allusion to economic unrest in China and Greece, which has contributed to global market turmoil in recent days. U.S. stocks saw modest losses in the early hours of trading Wednesday.
WASHINGTON (AP) — A major federal union says the cyber theft of employee information is more damaging than it first appeared, asserting that hackers stole personnel data and Social Security numbers for every federal employee.
The Obama administration had acknowledged that up to 4 million current and former employees are affected by the December cyber breach of Office of Personnel Management data, but it had been vague about exactly what was taken.
But J. David Cox, president of the American Federation of Government Employees, said in a letter Thursday to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, “we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to 1 million former federal employees.”
The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.
The union believes the hackers stole military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; and age, gender and race data, he said.
Also Thursday, Sen. Harry Reid of Nevada, the Democratic Senate leader, said that the hack was carried out by “the Chinese” without specifying whether he meant the Chinese government or individuals. Reid is one of eight lawmakers briefed on the most secret intelligence information. U.S. officials have declined to publicly blame China, which has denied involvement.
More than 3.5 million people’s sexual preferences, fetishes and secrets have been exposed after dating site Adult FriendFinder was hacked.
Already, some of the adult website’s customers are being identified by name.
Adult FriendFinder asks customers to detail their interests and, based on those criteria, matches people for sexual encounters. The site, which boasts 64 million members, claims to have “helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners.”
The information Adult FriendFinder collects is extremely personal in nature. When signing up for an account, customers must enter their gender, which gender they’re interested in hooking up with, and what kind of sexual situations they desire. Suggestions Adult FriendFinder provides for the “tell others about yourself” field include, “I like my partners to tell me what to do in the bedroom,” “I tend to be kinky” and “I’m willing to try some light bondage or blindfolds.”
The hack, which took place in March, was first uncovered by independent IT security consultant Bev Robb on her blog Teksecurity a month ago. But Robb did not name the site that was hacked. It wasn’t until this week, when England’s Channel 4 News reported on the hack, that Adult FriendFinder was named as the victim.