The Doctor Will See You, After He Pays the Ransom

The latest threat to everyone’s business (not just the Doctor) is ransomware.

Ransomware is malicious software that makes it onto your network, usually because a staff member opened an email or email attachment containing the malware. It then encrypts all of the files on your PC and all of the files on any network servers it can find.

You cannot open encrypted files unless you have the unlock key.

This paralyzes your business because none of your software programs work, your shared files are not accessible, you may lose access to your email, etc., etc., etc.

There are only two ways to recover from this:

  • have a good current backup that can be used to restore your files to their state before the ransomware was installed
  • pay the ransom and pray that the crooks give you the key to unlock your files

Rewarding bad behavior usually fosters more bad behavior. So, we do not believe in paying the ransom.

That means you had best have a really good Backup and Disaster Recovery (BUDR) system in place.

We sell a superior BUDR system that will back up your servers every hour, create virtual machines that can be used in place of your physical servers if there is a problem, and move your data to an offsite Data Center on a daily basis.

Call me for the details.

Your biggest risk is with your gullible staff member.


Hank Wagner
757-333-3299 x232
hank.wagner@computernetworksinc.com



From Hacker News, April 29, 2016 – Mohit Kumar

Typical Ransomware targets a victim's computer, encrypts the files on it, and then demands a ransom -- typically about $500 in Bitcoin -- in exchange for a key that will decrypt the files.

Guess what could be the next target of ransomware malware?

Everything that is connected to the Internet.

There is a huge range of potential targets, from pacemakers and cars to the Internet of Things, that may provide an opportunity for cybercriminals to launch ransomware attacks.

Recently, the American public utility Lansing Board of Water & Light (BWL) announced that the company had become a victim of a Ransomware attack that knocked the utility company’s internal computer systems offline.

The attack took place earlier this week when one of the company’s employees opened a malicious email attachment.

Once clicked, the malware installed itself on the employee's computer and quickly began encrypting the organization's files, according to the Lansing State Journal.

BWL quickly decided to shut down its networks and suspend some services, including accounting and email service for about 250 of its employees, in order to prevent further damages. Power and water shut-offs by BWL were also suspended.

Though the ransomware type is still unknown, BWL is currently working with the Federal Bureau of Investigation (FBI) and local law enforcement authorities to investigate the incident.

BWL assured its 96,000 customers that no personal information related to its customers or employees had been compromised by the ransomware intrusion into the corporate computer network.

However, it is not yet clear whether BWL paid the Ransom to regain its data. BWL said law enforcement has limited them from discussing the issue in public, at least for now.

You Are Kidding Me, Right?

Apr 29, 2016 | HIPAA Journal

A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of the computers.

The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes.

One recipient of the device decided to check the contents of the USB stick on a spare machine as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher in a hidden iframe that contained a potentially malicious URL with a Chinese ccTLD. An autorun file was also included on the device according to his DLS Reports post. ADA was informed about the malware infection and an investigation was launched.

ADA informed Krebs on Security that the infection was introduced on certain devices during production in China. 37,000 of the devices were manufactured and mailed in total, although not all had been infected with malware. The infection was believed to be limited to a small percentage of the devices.

One of the duplicating machines had been infected during production and transferred that infection to the clean image used to transfer data onto the devices. The infection was believed to have been introduced on one of three production runs.

The company that manufactured the devices was a subcontractor of the company contracted by the ADA. A sample of the devices was tested prior to shipping, although those tests did not reveal any malware infection.

ADA emailed members for whom it had an email address and advised them to trash the USB device if it had not been used already. Members were also emailed a link which could be used to obtain an electronic copy of the manual which was sent on the USB sticks. Members were also told “Your anti-virus software should detect the malware if it is present.”

This incident has caused ADA to review its policy of sending files to members on USB drives.

USB drives are a common source of malware. Plugging in an infected USB drive can result in a virus being transferred undetected or code being run automatically. HIPAA covered entities should be wary about plugging in any unknown USB drives into computers used to store the PHI of patients, even when the devices have been sent from a trusted source such as the ADA.

Fraudsters Steal Tax, Salary Data From ADP

Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, Krebs on Security has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.

Patterson, N.J.-based ADP provides payroll, tax and benefits administration for more than 640,000 companies. Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name. A reader who works at U.S. Bank shared a letter received from Jennie Carlson, the financial institution’s executive vice president of human resources.

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”

The letter continued:

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

From Krebs on Security - http://krebsonsecurity.com/


A 22-physician practice has agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by giving protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement (BAA).


The federal Health and Human Services Office of Civil Rights (OCR) initiated its investigation of Raleigh Orthopaedic Clinic after receiving a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related PHI of 17,300 patients to an entity that promised to scan the images in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a BAA with the entity prior to turning over the x-rays (and PHI).

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the OCR. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to:

  1. Establish a process for assessing whether entities are business associates
  2. Designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate
  3. Create a standard template BAA
  4. Establish a standard process for maintaining documentation of a BAA for at least six years beyond the date of termination of a business associate relationship
  5. Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website: http://www.hhs.gov/hipaa/for-rofessionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html

Funnies

These are from a book called Disorder in the Courts and are things people actually said in court, word for word, taken down and published by court reporters that had the torment of staying calm while the exchanges were taking place.

ATTORNEY: What was the first thing your husband said to you that morning?

WITNESS: He said, 'Where am I, Cathy?'

ATTORNEY: And why did that upset you?

WITNESS: My name is Susan!


ATTORNEY: The youngest son, the 20-year-old, how old is he?

WITNESS: He's 20, much like your IQ.


ATTORNEY: Doctor, before you performed the autopsy, did you check for a pulse?

WITNESS: No.

ATTORNEY: Did you check for blood pressure?

WITNESS: No.

ATTORNEY: Did you check for breathing?

WITNESS: No.

ATTORNEY: So, then it is possible that the patient was alive when you began the autopsy?

WITNESS: No.

ATTORNEY: How can you be so sure, Doctor?

WITNESS: Because his brain was sitting on my desk in a jar.

ATTORNEY: I see, but could the patient have still been alive, nevertheless?

WITNESS: Yes, it is possible that he could have been alive and practicing law.

Do You Really Need Your Fridge To Reorder Your Groceries?

The Internet of Things (IoT)

The next big technical advancement is the Internet of Things. The Internet of Things, often shortened to IoT, is all about connecting everyday devices to the Internet, devices from doorbells and light bulbs to toy dolls and thermostats. These connected devices can make our lives much simpler; for example, having your lights automatically activate as your phone recognizes when you get close to home.

The IoT market is moving at an amazing pace, with new devices appearing every week. However, like mobile devices, IoT devices also come with their own individual security issues.

The power of IoT is that most of these devices are simple. For example, you simply plug your coffee machine in and it asks to connect to your home Wi-Fi network. However, all that simplicity comes at a cost.

The biggest problem with IoT devices is that many of the companies making them have no experience with security. Instead, their expertise is manufacturing household appliances. Or perhaps they are a startup trying to develop a product in the most efficient, fastest way possible.

These organizations are focusing on profits, not cyber security. As a result, many IoT devices purchased today have little or no security built into them. For example, some have default passwords that are well known, perhaps even posted on the Internet, and cannot be changed.

Tips to be secure

  • Connect only what you need
  • Use a separate Wi-Fi network
  • Update software when possible
  • Use strong passwords