Monday, July 19, 2021

Security Smorgasbord, vol. 13 no. 3

Insurance industry consortium grappling with ransomware payments:

Both are signs of the cyber insurance world trying to wrap its arms around ransomware, a phenomenon that is leading to costlier payouts, prompting insurers to demand security improvements from policyholders and in some cases driving companies to step back from what they’re willing to cover.

For instance, the annual growth rate in cyber insurance premiums the past four years has been 20%, while the average growth in claims has been more than 39%, according to a report from credit agency AM Best that warned of a “grim” cyber insurance market. Ransomware, AM Best said, now accounts for 75% of cyber claims.

The dirty secret is that insurers have been negotiating payouts with hacking gangs for years. Unsurprisingly, this has made ransomware a viable business model for the gangs.

Western Digital My Book Live storage system gets remote data wipe command from factory:

Western Digital, maker of the popular My Disk external hard drives, is recommending that customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.

The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.

“I have a WD mybook live connected to my home LAN and worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”

Other My Book Live users quickly joined the conversation to report that they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data... years of it.”

This is exactly why you have more than one backup. As with carry guns, two is one and one is none. I've recommended Western Digital in the past; I guess I need to reassess that.

Medicare lacks consistent oversight of cybersecurity for networked medical devices:

CMS's survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity. For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, AOs will review the hospitals' mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices. Finally, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.

I've been posting for years about how security for medical devices isn't an afterthought. It wasn't thought of at all.

Windows Print Spooler under attack:

Microsoft has provided mitigation guidance to block attacks on systems vulnerable to exploits targeting the Windows Print Spooler zero-day vulnerability known as PrintNightmare.

This remote code execution (RCE) bug—now tracked as CVE-2021-34527—impacts all versions of Windows per Microsoft, with the company still investigating if the vulnerability is exploitable on all of them.

CVE-2021-34527 allows attackers to take over affected servers via remote code execution with SYSTEM privileges as it enables them to install programs, view, change, or delete data, and create new accounts with full user rights.

Under active exploitation

The company added in a newly released security advisory that PrintNightmare has already been exploited in the wild. Microsoft didn't share who is behind the detected exploitation (threat actors or security researchers).

This is exactly the sort of attack you would expect. The print spooler code is almost certainly very old and not really maintained from a security perspective. It's deployed everywhere and very often enabled by users who have been burned once too often by clicking "No" on "Do you want me to turn this on?" prompts. So print spoolers are enabled all over the place when there's very little reason for the software to be running at all. If you have a modern printer (i.e., a network-attached printer five years old or newer), there is no reason for you to have the Print Spooler service enabled. You can turn it off via the instructions in the link.
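As an added example (not from the post or from Microsoft's advisory), here is a PowerShell script that audits the Print Spooler service on a Windows host and disables it when nothing on the host needs it; it assumes an elevated session and the PrintManagement module (Windows 8 / Server 2012 and later) for Get-Printer.

```powershell
# Added example: audit and, where safe, disable the Windows Print Spooler.
# Assumes an elevated PowerShell session. Run with -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Spooler status: $($svc.Status), startup type: $($svc.StartType)"

# A host that genuinely serves printing shares at least one printer queue.
# Get-Printer comes from the PrintManagement module.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

# Domain controllers (Win32_ComputerSystem.DomainRole 4 or 5) should not run
# the spooler at all, shared queues or not.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

if ($shared.Count -gt 0 -and -not $isDC) {
    Write-Host "Host shares $($shared.Count) printer(s); leaving the spooler running."
    Write-Host "Patch the host and restrict inbound connections instead of disabling the service."
    return
}

# Note: disabling the service also stops local printing from this host.
if ($svc.Status -eq 'Running' -and $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
    Stop-Service -Name Spooler -Force
}
if ($PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
    Set-Service -Name Spooler -StartupType Disabled
}

$after = Get-Service -Name Spooler
Write-Host "Spooler now: $($after.Status), startup type: $($after.StartType)"
```

Re-run the script after patching to confirm the service has not been re-enabled by software installs or group policy refreshes.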


Old NFO said...

This is only going to get worse unless the white hats start hacking the hackers and taking the money back. Grrr...

Eagle said...

If you want network security, unplug your network device from the wall. No, not just the network: unplug it from the AC wall socket and remove the batteries.

Otherwise, you're vulnerable. Period.

The Freeholder said...

I was taught that there needed to be three copies of the data, or it didn't exist. Before I retired, I was up to four copies with one stored offsite, and at this point I'm probably moving to five as an adequate number, with two stored offsite at separate locations. All copies save the working copy are encrypted, and I'll encrypt the working copy if I can figure out how. I may have to set up my own cloud storage provider to make that happen.