Category: News

Hollywood Hospital Pays Hacker Ransom

For many years, those of us working in IT security have heard phrases like ‘why should hackers target us?’.  They think they’ve nothing to hide, there’s no gain to be made attacking them so security is neglected on this basis.  Unfortunately virtually any individual, company or organisation is a potential target as the Hollywood Presbyterian Medical Centre recently discovered.

Hollywood Presbyterian Centre

The incident occurred on february 5th when hackers managed to infiltrate the hospital’s servers and infected them with malware effectively blocking all communication within the hospital.  The software was actually a specific type of malware known as ransomware – specifically designed to hold the victim to ransom – pay up or lose your data.  There are two main types of ransomware (although probably more will be developed) –

  • Lockscreen – Locks you out of your computer either by blocking boot-up or a screen saver preventing access.  There will be usually be a message on how you can regain access.
  • File Encryption – Normally will leave the majority of your computer alone but will encrypt all data files making them inaccessible.  Again you’ll usually get a message on how to obtain the decryption key.

The lock-screen types can usually be bypassed with some technical assistance, in fact it’s usually very simple  to fix.  The file encryption ransomware is much more difficult to get rid of if implemented correctly, the only solution is normally to get the decryption key.

Unfortunately for the Hollywood Presbyterian Medical Centre, they were subjected to the file encryption attack which encrypted many of the core data files on the hospital’s computer systems.  This paralysed the hospital who were forced to use pen and paper for ongoing record keeping.  The hospital realised that the quickest solution was to pay the $17000 ransom to obtain the decryption key despite the obvious risks.

The CEO Allen Stefanek made this call and fortunately with some technical assistance and the decryption key they were able to restore all it’s computer systems.  Stefanek stated that patient care was never compromised, nor were hospital records.

However this is a difficult statement to believe although patient care might have been protected, it’s impossible to know whether the hospital records and patient data were compromised.  If you have allowed malware onto your computer systems then there’s no way you can be 100% sure what else that software has done, it could have easily stolen data records as well as encrypting them.

The case has been now passed to the FBI, so there is a very strong chance the culprits will be caught.  The most difficult part of these attacks is hiding your tracks and is rarely accomplished completely.  The attackers did demand payment in bitcoins which is much harder to trace but there network and computer forensics will often leave clues as the origin on the infection or from the ransom demand communication.

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle eyed EFF activist called Parker Higgins, took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices, I mean why is talking to an inanimate device preferable to pushing a button, this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard, who knows where your conversations are going to – just some spotty Samsung technical geek  or more likely a selection of marketing companies?   Secondly, it’s not only spying on you the owner of the TV but anyone who happens to be in the room – have they given their permission ?  Should anyone entering your living room be given a disclaimer and need to sign a consent form !!

Samsung have now modified the wording in their policy insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording,  I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices, as far as privacy goes – relying on stuffing a few sentences deep in the TVs documentation (which it probably thought nobody would read).

There are other aspects to the technology which makes it even more unlikely that conversations can’t be monitored by the device.  For start the TV is capable apparently of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more that the TV doesn’t have a single microphone, you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.   Cunning move, the TV remote in my house for example it is the singlest most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I for one, will not be purchasing one of these things, however unfortunately it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends TV sets when I enter their house  (and of course enquiring about the location of the remote).

Does anyone really need this rubbish !!

Turkish Hacker Sentenced

If you’re thinking of setting up for a career in computer crime, there’s many very tempting options for locating your centre of operations.  The obvious place is somewhere like Russia, where as long as you make money the police will be likely to turn a blind eye for a few dollars. There are many other places where minimal law enforcement exist particularly in relation to computer crime which mean the risks are relatively negligible particularly if there’s a lack of any extradition treaties to the developed world.
turkish-hack

However some countries are a staggeringly bad idea to base a criminal cyber empire and it looks like Turkey is one of those. The reason is now becoming clear to a 26 year old Turkish hacker named Onur Kopcak who was sentenced on Sunday for stealing 11 people’s credit card information and selling them online to other criminals. It wasn’t the world’s worst cyber crime and in fact would largely pass unnoticed in many places.

Although to be fair  Onur’s crimes did extend to a few more people after more were discovered from the initial investigation – in all 54 in total claimed to have their card details stolen by him. He, along with a few other hackers set up a few interfaces designed to mimic a bank’s internet portals and combined with a phishing campaign were beginning to see some results from their criminal enterprise.

Unfortunately for the fledgling gang and in particular Onur Kopcak,  these crimes were heard and sentenced separately and Onur received a 199 year sentence for the initial victims followed by an additional 135 years for the later offences. The crimes were listed as identity fraud, access device fraud, wire fraud and website forgery which are all criminal offences in Turkey.

So for a crime which probably netted only a few hundred dollars before they were caught Kopçak has been sentenced to 334 years in prison. It’s a staggering sentence and Onur will probably look in awe at the sentence handed to a UK fraudster called Theogenes de Montford who stole 35,000 credit card details and was sentenced to 4 and a half years in prison for his role in the theft.

So remember all you budding cyber criminals – setting up in Istanbul or anywhere in Turkey is likely a very bad idea if there’s the slightest risk that you’ll be caught.

EU Change Forces iPlayer Rethink

There’s encouraging news that the European Union is going to be forcing the way forward in the market for digital services and one of the biggest impacts could be on the BBC iPlayer.   As you probably know the BBC iPlayer works wonderfully if you’re actually in the United Kingdom but stops working the moment you try and access it from anywhere else.  Which leads to the situation where a BBC license fee payer is blocked simply because they are outside the country,  so you can’t watch the News on holiday or keep up with your favorite soaps.

europe-558828_1280

Obviously there’s now a whole range of VPN and IP proxy products available to circumvent the blocks but should it really be necessary for a valid purchaser to use these just because they happen to be out of the country for whatever reason.

The BBC is not alone, virtually every large digital media company on the internet operates under similar restrictions.  You can’t watch Hulu or HBO from outside the USA, M6 Replay is blocked outside France and so on.  Even supposedly global digital companies do the same, your Netflix account will only work if you are in a country it which it operates,  certainly seems a nonsense in this digital world.

EU Proposals are designed to move towards a single European digital market with the idea that if you legally buy content in one country there should be no restrictions on accessing them in any other country.   Currently there are all sorts of restrictions on digital content usually fuelled by complex copyright rules and regulations.    However these could all be overruled if it became a new right for EU citizens that these digital products were portable across European boundaries.

As it stands it’s just a proposal, the planned implementation if it gains approval is 2017 however we might have to wait a little longer than that.  Firstly there are genuine concerns that some countries will not be keen to support this proposal, particularly those who like to protect their own culture and national media.

There are also some powerful and well funded lobby groups who feel that it is a fundamental right to be able to control production and distribution based on specific territories.  However of course, they would say that because it enables them to operate profit maximisation techniques by selling for different prices in European regions – certainly not the definition of a single market.

For the BBC there will also be some technical difficulties in implementing a system which allows license fee payers the rights to watch wherever they are in Europe, the current BBC iPlayer has no real authentication system like Netflix or Sky. It is likely that the changes required will take some time, perhaps even beyond the 2017 implementation proposal.

However at least there is hope on the horizon that we will genuinely be able to access digital content internationally without having to use a VPN or Smart DNS that we have legitimately bought, without having to pay individually in each country we want to access it from.

The IQ of Cyber Criminals – the Bootle Cyber Attacker

There is I suspect rather a misconception about the IQ level of your average cyber criminal. From your harmless hacker to the sophisticated cyber crime networks of Asia and Eastern, everyone involved is normally portrayed as sophisticated, misguided and highly intelligent. The reality is I’m afraid far from truth and a huge proportion of those who commit cyber crimes are pretty damn stupid.

Meet Mr Ian Sullivan, from Bootle who has just been jailed for 8 months for conducting a series of DDoS attacks on high profile websites.

cybercrime

The 51 year old, unemployed father of six conducted these attacks against 300 websites taking many of them offline.  A DDoS attack involves saturating the target servers with thousands of requests which are difficult for the server to process.   It simply aims to overload the target server with these connections until it falls over.

DoS – Denial of Service Attack (Single attack)

DDoS – Distributed Denial of Service Attack ( attack involving multiple machines usually using malware installed on ordinary computers)

There are a variety of these attacks, most involve volume but often involve specialist techniques crafted against certain types of web servers.  Have a google of these attacks if you want to know more

  • Buffer Overflow
  • Smurf Attack
  • Ping of Death
  • SYN Attack
  • Teardrop Attack

However the thing to remember about the vast majority of DDoS attacks is that you can conduct them through a simple software interface i.e. you need very little technical knowledge.  Of course, there are very skilled attackers out there who can bring down servers with individually crafted attacks against specific targets however these are certainly the exception not the rule.  Mainly there’s little to be gained from Denial of Service attacks although many try extortion to stop them.

Although Mr Sullivan claimed some sort of affiliation with the activist group Anonymous, there are suspicions that his technical knowledge was perhaps limited. One of the biggest clues that this wasn’t the work of a digital moriarty is the fact that he would post warnings to the websites he attacked with his Twitter account.  It’s kind of like posting a self addressed letter to the victim, it does help tracking down criminals when they leave huge clues like this.

I think  the point to take away from this, is that computer crime is actually very easy to do.  Many popular attacks have been automated so you only have to fill a few fields in on a web front end, pay a few bucks to for a service from the Darkweb or install a DoS program on yours and a few computers.   The important part is that you need the intelligence and the knowledge to hide your tracks which is much, much harder.

When they looked up Mr Sullivan’s Twitter account and paid him a visit they found lots of  DDoS/DoS related software installed on his machine using simple computer forensics techniques.  Probably his only smart move was to plead guilty, which presumably led to the relatively low sentence of 8 months in prison.  He would not have got away so lightly if he’d performed this attack in the US or against a US based server though.

What a cyber muppet !!