Tag Archives: security

NHS cyber-attack: hospital computer systems held to ransom across England

Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients.

The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS England has declared a major incident. NHS Digital said it was aware of the problem and would release more details soon.

Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

NHS Digital said: “A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organisations.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.

“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

“Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

According to reports, affected hospitals include those run by East and North Hertfordshire NHS trust, Barts Health in London, Essex Partnership university NHS trusts, the university hospitals of Morecambe Bay NHS foundation trust, Southport and Ormskirk hospital NHS trust and Blackpool teaching hospital NHS foundation trust.

More reports of affected hospitals are continuing to stream in, as well as claims that GP surgeries are coming down with the virus, which demands a payment of $300 to release files it claims have been encrypted. The NHS has been unable to give a full list of the sites affected.

British law enforcement believes the attack is criminal in nature, as opposed to a cyber attack by a foreign power, and is treating it as serious but without national security implications.

The National Crime Agency, which is Britain’s version of the FBI, was taking the lead in dealing with the investigation into the attack. Investigators believe the attack is significant with many computers affected across the country.

A spokesman for the National Cyber Security Centre said: “We are aware of a cyber incident and are working with NHS digital and the NCA to investigate.”

In a message to a Guardian reporter, one NHS IT worker said: “At approximately 12.30pm we experienced a problem with our email servers crashing. Following this a lot of our clinical systems and patient systems were reported to have gone down.

“A bitcoin virus pop-up message had been introduced on to the network asking users to pay $300 to be able to access their PCs. You cannot get past this screen. This was followed by an internal major incident being declared, and all trust staff were advised to shut down all PCs in the trust and await further instructions.

“This is affecting the east of England and a number of other trusts. This is the largest outage of this nature I’ve seen in the six years I’ve been employed with the NHS.”

Another NHS worker, who works at an Essex hospital but asked to remain anonymous, said: “We got some ransomware that came through on the computers at about 2pm. We were told to shut down, take out network cables and unplug the phones. A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

She confirmed that the image that appeared on her colleague’s screen was the same as one that has already been circulated on Twitter, which says: “Ooops, your files have been encrypted!

“Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

The screen tells users to send $300 worth of bitcoin to a bitcoin wallet address. It adds: “You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

A Barts spokesman said it was experiencing “major IT disruption” and delays at all four of its hospitals, The Royal London, St Bartholomew’s, Whipps Cross and Newham. He said: “We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.

“We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals.”

GP surgeries across Liverpool and parts of Greater Manchester also appeared to have been affected by the cyber-attack.

The NHS Liverpool clinical commissioning group said: “Please be aware the NHS is experiencing serious IT problems today. Please only contact your GP surgery or hospital in a genuine emergency.”

One Liverpool GP, John Caldwell, said he had “no access to record systems or results” and described the disruption as “very limiting”. Dr Chris Mimnagh, a GP in Liverpool, told the Guardian that his surgery had “severed links” to the wider NHS network as a precaution.

He said: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results, we are dealing with urgent problems only, our patients are being very understanding so far.”

A spokesman for the Royal Liverpool and Broadgreen university hospitals trust said it was “aware that there’s an issue nationally and we’re reviewing our IT systems”.

A spokeswoman for Central Manchester university hospitals, the largest NHS trust in Greater Manchester, said she was “genuinely not sure” if they had been affected and that they were investigating.

A GP surgery in Bury, Greater Manchester, said all networks in the region had been affected. Peel GPs said on Twitter: “All Greater Manchester networks down – we cannot access any patient info plz RT @NHSBuryCCG.”

Doctors have been posting on Twitter about what has been happening to their systems.

A screengrab of an instant message conversation circulated by one doctor says: “So our hospital is down … We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.”

East and North Hertfordshire NHS trust said in a statement: “Today (Friday, 12 May 2017), the trust has experienced a major IT problem, believed to be caused by a cyber attack.

“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.

“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

The attack comes as several Spanish companies, including the telecoms giant Telefónica, were also targeted by a “massive ransomware attack”, according to Spain’s national cyber-security centre. The attack appears to present the same message to users as those targeting the NHS.

In a statement released following an apparent wave of attacks on Friday morning, the National Cryptology Centre said a cyber assault had been launched “against various organisations”, affecting Windows systems and corrupting networks and archives.

The ransomware used in the Spanish attacks is a version of the WannaCry virus, which encrypts sensitive user data, the National Cryptology Centre said. Telefónica confirmed there had been “a cybersecurity incident” affecting the intranet of some computers at its Madrid headquarters.

Amazon AWS S3 outage is breaking things for a lot of websites and apps

Amazon’s S3 web-based storage service is experiencing widespread issues, leaving websites, apps and devices that rely on it either partially or fully broken. The AWS offering hosts images for a lot of sites, and also hosts entire websites and app backends, including Nest.

The S3 outage is due to “high error rates with S3 in US-EAST-1,” according to Amazon’s AWS service health dashboard, which is where the company also says it’s working on “remediating the issue,” without initially revealing any further details.

Affected websites and services include Quora, newsletter provider Sailthru, Business Insider, Giphy, image hosting at a number of publisher websites, filesharing in Slack, and many more. Connected lightbulbs, thermostats and other IoT hardware are also affected, with many users unable to control these devices as a result of the outage.

Amazingly, even the status indicators on the AWS service status page rely on S3 for storage of their health marker graphics, which is why the site is still showing all services green despite obvious evidence to the contrary.

We’re monitoring the situation and will provide more info as it becomes available.

Source: https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/

Serious Bug Exposes Sensitive Data From Millions Sites Sitting Behind CloudFlare

A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.

CloudFlare, a content delivery network (CDN) and web security provider that helps optimize the safety and performance of over 5.5 million websites on the Internet, is warning its customers of the critical bug that could have exposed a range of sensitive information, including passwords, cookies and the tokens used to authenticate users.

Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug that was discovered in 2014, but is believed to be worse than Heartbleed.

The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.

What is Cloudbleed?

Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.

CloudFlare acts as a proxy between the user and the web server: it caches content for websites that sit behind its global network and lowers the number of requests to the origin server by passing content through Cloudflare’s edge servers for optimization and security.

Almost a week ago, Ormandy discovered a buffer overflow issue on Cloudflare’s edge servers, which were running past the end of a buffer and returning memory containing private data such as HTTP cookies, authentication tokens and HTTP POST bodies, with some of the leaked data already cached by search engines.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote in a blog post that was also published Thursday. “We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

According to Ormandy, Cloudflare had code in its “ScrapeShield” feature that did something similar to this:

int Length = ObfuscateEmailAddressesInHtml(&OutputBuffer, CachedPage);
write(fd, OutputBuffer, Length);

But the company was not checking if the obfuscation parsers returned a negative value because of malicious HTML.

Cloudflare’s “ScrapeShield” feature parses and obfuscates HTML, but since the reverse proxies are shared among customers, the bug affected all CloudFlare customers.

Ormandy contacted Cloudflare and reported his findings. The company identified the cause of the issue and immediately disabled three minor Cloudflare features — Email Obfuscation, Server-side Excludes and Automatic HTTPS Rewrites — that used the same HTML parser chain, which was causing the leakage.

Ormandy observed encryption keys, passwords, cookies, chunks of POST data, and HTTPS requests for the other leading Cloudflare-hosted websites from other users and immediately contacted Cloudflare.

Since CloudFlare patched the issue but did not notify customers by Wednesday of the data leak issue, Ormandy made public his findings on Thursday, following Project Zero’s seven-day policy for actively exploited attacks.

Following Ormandy’s public disclosure of the vulnerability on Thursday, CloudFlare confirmed the flaw, assuring its customers that their SSL private keys were not leaked.

“Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug,” Cloudflare CTO John Graham-Cumming wrote in a blog post. “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.”

“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information,” he added. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The Root Cause of Cloudbleed:

The root cause of the Cloudbleed vulnerability was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.”

“Had the check been done using >= instead of == jumping over the buffer end would have been caught,” said Graham-Cumming.
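The end-of-buffer check quoted above and the ScrapeShield snippet earlier, as an added example that is not Cloudflare’s or Ormandy’s code: a toy scanner over a constructed page whose two-byte escape step can land the cursor one past the end. The same scan runs once with the `==` check and once with `>=`; the input, the backing array and the “adjacent request data” after the page are all constructed here so the demo reads only memory it owns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_LEN    12                      /* bytes the scanner may read     */
#define SPILL_LEN   20                      /* bytes that follow it in memory */
#define BACKING_LEN (PAGE_LEN + SPILL_LEN)
#define OUT_CAP     24                      /* hard stop so the buggy loop ends */

/* Constructed input: a 12-byte "page" that ends in a lone backslash, followed
 * in the same backing array by a stand-in for another customer's request
 * data (a hypothetical session cookie). */
static void build_backing(char backing[BACKING_LEN]) {
    memcpy(backing, "<p>hi</p>ab\\", PAGE_LEN);
    memcpy(backing + PAGE_LEN, "COOKIE=sess=s3cr3t;;", SPILL_LEN);
}

/* Toy stand-in for the HTML-rewriting parser. A backslash is treated as a
 * two-byte escape and skipped in one step; when the backslash is the last
 * byte of the page, that step moves the cursor to len + 1.
 *   fixed == 0: stop only when the cursor is exactly at the end (==)
 *   fixed == 1: stop as soon as the cursor reaches or passes it (>=)
 * Returns the number of bytes copied into out. */
static size_t scan_page(const char *page, size_t len, int fixed,
                        char *out, size_t out_cap) {
    size_t i = 0, n = 0;
    while (n < out_cap && (fixed ? i < len : i != len)) {
        if (page[i] == '\\') {
            i += 2;                 /* skip escape + escaped byte: may overshoot */
            continue;
        }
        out[n++] = page[i++];       /* buggy variant keeps reading past len here */
    }
    return n;
}

/* Run one variant over the constructed page; out is NUL-terminated so the
 * emitted bytes can be inspected as a string. */
static size_t run_variant(int fixed, char out[OUT_CAP + 1]) {
    char backing[BACKING_LEN];
    build_backing(backing);
    size_t n = scan_page(backing, PAGE_LEN, fixed, out, OUT_CAP);
    out[n] = '\0';
    return n;
}

/* 1 if the output contains bytes that were never part of the page, i.e. the
 * end check let the scanner emit adjacent memory. */
static int leaked_adjacent_memory(int fixed) {
    char out[OUT_CAP + 1];
    run_variant(fixed, out);
    return strstr(out, "sess=") != NULL;
}

int main(void) {
    char out[OUT_CAP + 1];
    size_t n = run_variant(0, out);
    printf("== check: emitted %zu bytes: \"%s\"\n", n, out);
    n = run_variant(1, out);
    printf(">= check: emitted %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

With the `==` check the scanner copies the whole 24-byte budget, including the constructed cookie; with `>=` it stops after the 11 real page bytes.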

Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.

However, the researcher argued that the DNS provider was double-dealing, claiming that the Cloudbleed vulnerability had existed for months, based on Google’s cached data.

How Does Cloudbleed Affect You?

A large number of Cloudflare’s services parse HTML pages and modify them on Cloudflare’s edge servers.

Even if you do not use CloudFlare directly, that does not mean that you are spared. There is always a chance that websites you visit and web services you use may have been affected, leaking your data as well.

Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare’s proxies.

While CloudFlare rapidly patched the bug and has said the actual impact is relatively minor, data was leaking constantly before this — for months.

Some of this leaked data was publicly cached in search engines such as Google, Bing and Yahoo, which have now removed it, but some engines such as DuckDuckGo still host that data.

Also, other leaked data might exist in other services and caches throughout the Web, which is impossible to delete across all of these locations.

Cloudbleed Also Affects Mobile Apps

Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

Users on YCombinator have confirmed the presence of HTTP header data for apps like Discord, FitBit, and Uber by searching through DuckDuckGo caches with targeted search terms.

In an analysis conducted by NowSecure, researchers identified some 200 iOS apps using Cloudflare services, from a sample of some 3,500 of the most popular apps on the App Store.

There is always a possibility that someone discovered this vulnerability before Tavis and was actively exploiting it, although there is no evidence to support this theory.

Some of the Cloudflare’s major customers affected by the vulnerability included Uber, 1Password, FitBit, and OKCupid. However, in a blog post published by 1Password, the company assured its users that no sensitive data was exposed because the service was encrypted in transit.

However, a list of websites that have potentially been affected by this bug has been published on GitHub by a user who goes by the name of ‘pirate’; it includes CoinBase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more.

Since CloudFlare does not yet provide the list of affected services, bear in mind that this is not a comprehensive list.

What should You do about the Cloudbleed bug?

Online users are strongly recommended to reset their passwords for all accounts, in case they have reused the same password on several sites, and to monitor account activity closely while cleanup is underway.

Moreover, customers who are using Cloudflare for their websites are advised to force a password change for all of their users.

Update: An Uber representative reached out via email and said their investigation revealed that the CloudBleed bug exposed no passwords of their customers. Here’s the statement provided by Uber:

“Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed.”

Hacking Drones

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu reveal that drones carrying malware to infect targeted computers via Wi-Fi, by flying within range of them, are close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team from ‘teaming up’ to create the malware-carrying drone.

Early conversations took place regarding the inception and the possibility of a spy drone created by Boeing’s aircraft expertise, carrying malware that Hacking Team is notorious for. The concept was designing a drone capable of intercepting communications and hacking on-the-fly, via Wi-Fi. Discussions didn’t get far, however, when lawyers representing both companies couldn’t see eye-to-eye on a viable non-disclosure agreement.

The Talks Behind the Flying, Hacking Drone

Initial discussions kicked off when Giuseppe Venneri, a mechanical engineering graduate from UC and intern at Insitu, took notice of Hacking Team’s “Galileo”, a piece of hardware otherwise known as the Tactical Network Injector. It is designed to infiltrate networks and insert malicious code via Wi-Fi in order to launch man-in-the-middle attacks and other exploits.

Venneri wrote to Emad Shehata, Hacking Team’s key account manager, stating:

We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System.

Shehata replied by sending in the standard Hacking Team NDA, to which Venneri responded with Boeing’s own PIA (Proprietary Information Agreement) which the intern noted “must be signed before we engage with potential partners.”

“Signing our PIA (attached) will dramatically shorten the authorization process at our end,” Venneri added. “Let me know if you are willing to sign our document to engage in conversations with us.”

It was at this point that Hacking Team’s Chief Operating Officer Giancarlo Russo stepped into the conversation and took over the exchange: “I saw your document and it will require additional legal verification from our side regarding the applicability of ITAR and other U.S. Law,” he said. “In my opinion, for a preliminary discussion our non-disclosure agreement should be sufficient to protect both companies and as you will see it is including mutual provision for both parties and it will make things easier and faster for us.”

Venneri’s response was short and succinct: “If you are unable to review/sign our form, know it will take some time on our side to seek approval from our Boeing parent. Are you willing to consider our form?”

Communications went quiet for about a month after this exchange and Venneri sent in another email on 11 May 2015: “We corresponded with you about a month ago and were unsure about the progress going forward with preliminary discussions regarding any future collaborations. If you could please reconsider our mutual PIA, know that the questionnaire at the beginning of the document is just for gathering information and has no impact on the PIA itself. We have lots of Non-US companies under our PIA. If you or your legal team have any requested changes to our PIA please don’t hesitate to add them in the attached document.”

This was the last known correspondence in the leaks, which came from the data breach two months later in July 2015. All NDAs have been rendered obsolete and ineffective by the Hacking Team hack.

Hacker given in-game death sentence

A character controlled by a hacker who used exploits to dominate online game Guild Wars 2 has been put to death in the virtual world.

The character, called DarkSide, was stripped then forced to leap to their death from a high bridge.

The death sentence was carried out after players gathered evidence about the trouble the hacker had caused.

This helped the game’s security staff find the player, take over their account and kill them off.

Death leap

Over the past three weeks many players of the popular multi-player game Guild Wars 2 have been complaining about the activities of a character called DarkSide. About four million copies of the game have been sold.

Via a series of exploits the character was able to teleport, deal massive damage, survive co-ordinated attacks by other players and dominate player-versus-player combat.

To spur Guild Wars’ creator ArenaNet to react, players gathered videos of DarkSide’s antics and posted them on YouTube.

The videos helped ArenaNet’s security head Chris Cleary identify the player behind DarkSide, he said in a forum post explaining what action it had taken. Mr Cleary took over the account to carry out the punishment.

The video shows DarkSide being stripped to his underwear then made to leap from a high bridge in one of the game’s cities. It also shows the character being deleted by Mr Cleary.

“Oh yah, he’s also banned,” he wrote. Several other accounts belonging to the same player have also been shut down.

ArenaNet did not reveal any information about how the player behind DarkSide had managed to exploit the game or whether the vulnerabilities used had been patched.

The punishment has sparked comment among Guild Wars players with some welcoming the action saying it felt like “justice”.

Others wondered what effect it would have and if it would deter anyone else from seeking out and using exploits in the same way.

‘Wake up, daddy’s looking for you’: Creepy hacker accesses baby monitor and speaks to frightened tot at night

Mum and dad left distraught after sick hacker spied on their three-year-old through their baby monitor

A horrified couple have revealed how a sick hacker gained remote access to their baby monitor, then spied on their toddler son and spoke to him as he lay in his cot.

The child’s terrified parents only realised what was happening when they heard a stranger’s voice coming over the device saying: “Wake up little boy, daddy’s looking for you.”

The mother then broke down in tears as the penny dropped that the monitor and its camera had been remotely hacked.

Her shocking discovery came after the three-year-old had been complaining that somebody was talking to him at night.

The parents, who want to remain anonymous for fear the hacker might track them down, thought it was down to the toddler’s overactive imagination until they heard the voice themselves.

The mum told CBS New York: “I started to cry in there, because it all started coming back to me, and I started figuring things out.”

Technology experts are now warning parents that new baby monitors are at risk of hacking as many connect to the internet.

Worried mums and dads are being urged to change passwords and security settings to make it harder for sinister strangers to infiltrate their child’s bedroom.

In a chilling warning Lance Ulanoff, chief correspondent for the digital media website Mashable, said when hackers succeed: “It’s basically like they’re standing next to you in your house.”

This is not the first time parents have found hackers remotely accessing baby monitors.

In November last year, hacked footage from baby monitors, webcams and CCTV systems in Britain was broadcast live by a Russian website.

And earlier this year a nanny described the terrifying moment she heard a stranger’s voice from her baby monitor calling the little girl “cute”.

Attack code for ‘unpatchable’ USB flaw released

Computer code that can turn almost any device that connects via USB into a cyber-attack platform has been shared online.

Computer security researchers wrote the code following the discovery of the USB flaw earlier this year.

The pair made the code public in an attempt to force electronics firms to improve defences against attack by USB.

One of the experts who found the flaw said the release was a “stark reminder” of its seriousness.

Attack tools

Details of the BadUSB flaw were released at the Black Hat computer security conference in August by Karsten Nohl and Jakob Lell.

Their work revealed how to exploit flaws in the software that helps devices connect to computers via USB. The biggest problem they discovered lurks in the onboard software, known as firmware, found on these devices.

Among other things the firmware tells a computer what kind of a device is being plugged into a USB socket but the two cybersecurity researchers found a way to subvert this and install attack code. At Black Hat, the BBC saw demonstrations using a smartphone and a USB stick that could steal data when plugged into target machines.

Mr Nohl said he and his colleague did not release code in order to give firms making USB-controlling firmware time to work out how to combat the problem.

Now researchers Adam Caudill and Brandon Wilson have done their own work on the USB flaw and produced code that can be used to exploit it. The pair unveiled their work at the DerbyCon hacker conference last week and have made their attack software freely available via code-sharing site Github.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson in a presentation at DerbyCon.

“We believe that this information should not be limited to a select few as others have treated it,” he added. “It needs to be available to the public.”

Mr Wilson said cybercrime groups definitely had the resources to replicate the work of Mr Nohl and Mr Lell to produce their own attack code so releasing a version to the security community was a way to redress that imbalance.

Responding to the release of the attack tools Mr Nohl told the BBC that such “full disclosure” can motivate companies to act and make products more secure.

“In the case of BadUSB, however, the problem is structural,” he said. “The standard itself is what enables the attack and no single vendor is in a position to change that.”

“It is unclear who would feel pressured to improve their products by the recent release,” he added. “The release is a stark reminder to defenders, though, that BadUSB is – and always has been – in reach of attackers.”
