
The stupid
It literally burns.
UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled. Once they were into that management system, the miscreants were able to move through the …
Willfully paying organised criminals? Isn't that already an offence?
If it can be argued that the ransomware crooks are Terrorists, then paying them is already an offence, even in the US.
Attacking critical health infrastructure certainly sounds like it could fit the definition of terrorism ...
You can argue it all you want, but it still won't be true. It's perfectly legal to pay them unless the particular group you're paying happens to be on a sanctions list.
It *should* be a criminal offense. Not because guys like that should go to jail, but because they shouldn't have to make the decision... and the decision not to pay only really works if there's nearly universal solidarity behind it anyway. By outlawing paying, you can really affect the attacker's calculations ahead of time.
Sounds like some jail time needed, and no plea bargain bullshit.
Assuming the buck stops here and he is not afflicted with Murdochitis - ‘didn’t see anything, didn’t hear anything, don’t know anything. I’m just the lowly CEO/Chairman’
* see UK Leveson Inquiry, or more recently the Post Office Fujitsu/Horizon scandal.
It's a weird Americanism that CEO's of corporations get called up to explain themselves in front of Senate committees like they're naughty schoolboys and nobody else seems to think it's odd.
I wonder what would happen if this CEO tells the Headmaster that how he runs the business is none of theirs?
Contempt of Congress can be punished with imprisonment. They have the power to summon *anyone* and force them to answer *any* question, under oath. In public, if they want to. It's a constitutional power, too, not something that can easily be changed.
I suspect it's not a uniquely American thing, either. I think the *UK's* particular style would be more to make you explain yourself to the Minister of This or That in private, but even there I suspect that refusing to talk to the Minister would be a bad move. Other countries do various other things.
Oh, and on edit: In this particular case, I doubt he was very reluctant to begin with. Lets him get his story out there.
In the UK that would be a Select Committee of the House of Commons. Very likely that's where Congress got the idea.
Only if the company was owned by HMG, an arrangement where government really didn't want to take any blame for what it did, say the Post Office, would a Minister be involved and even then as remotely as possible. That doesn't preclude having to spend 3 days answering questions in a public enquiry with live reporting and coverage on the Beeb's web site.
It’s the same at a UK Statutory Public Inquiry
But that didn’t stop The Murdochs at Leveson or all the scum from Post Office/Fujitsu having mass amnesia, blindness and deafness at the Horizon one currently playing out, or the same at the UK Government Covid Inquiry plus added mass WhatsApp message deletion/phone wiping outbreak.
“A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.”
Apparently Citrix multifactor authentication runs on an app on your phone or an SMS message. As such it's as vulnerable to bugs as any other software. A better solution would be a hardware dongle that issues a challenge-response request on login.
Good luck with that :( I am in the search for legal representation right now and all I'm getting is refusals...but none of them, not a one, has seen a single record or document. They simply refuse the case based upon...what, I can't say. They won't even tell me why. Even though I have an expert report analysis stating that I have a case, all I've been getting is a "No, thank you".
So getting responsibility when no one want to admit to responsibility? Again, good luck with that.
Or, how about a more 'base' solution?
The UnitedHealth Citrix data doesn't say, but in the story it states that Northeast Ohio Neighborhood Health had *51GB* of data stolen.
51GB. Why is 51GB of data download even allowed without question, from a supposedly "secure" site? Have they never heard of 'access allowed only as necessary'? What about 'data throttling and limiting for broad-search general access'?? No hospital or provider is going to request 51GB of data at a time, especially via a data dump; they access per-patient or possibly 'per report' as in "We need our quarterly performance data".
51GB of general data download. Are you really that gullible to allow that in your systems without a single question, not raising a single early alarm??!
I guess the answer is, "Yes". By the gods these people are stupid.
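The point above about a 51GB pull never being questioned is a detection gap, so here is an added example (not from the thread or from any vendor) of the kind of egress-volume check that would raise that early alarm: it runs over constructed transfer-log lines, flags any single response or per-client daily total above assumed caps, and treats per-patient and per-report requests as normal. The log format, client names and cap values are all assumptions.

```python
# Added example: per-client egress volume check over constructed
# transfer-log lines. Flags bulk pulls that a per-patient or per-report
# workload would never produce. Log format and thresholds are assumed.
from collections import defaultdict

# Constructed sample lines: timestamp, client id, method, path, bytes returned.
# The two export lines sum to 51 GiB, matching the figure quoted above.
SAMPLE_LOG = """\
2024-02-20T02:11:04Z clinic-ohio-07 GET /api/patient/4471 18234
2024-02-20T02:11:09Z clinic-ohio-07 GET /api/patient/4472 21550
2024-02-20T02:14:30Z clinic-ohio-07 GET /api/report/quarterly 3121890
2024-02-20T03:02:15Z svc-export-ne GET /api/export/claims 9663676416
2024-02-20T03:40:50Z svc-export-ne GET /api/export/patients 45097156608
2024-02-20T04:05:01Z clinic-ohio-12 GET /api/patient/9912 17002
"""

# Assumed policy values: no legitimate client needs more than this per day,
# and no single per-patient or per-report response should be this large.
DAILY_BYTES_CAP = 2 * 1024**3        # 2 GiB per client per day
SINGLE_REQUEST_CAP = 512 * 1024**2   # 512 MiB per response

def parse_lines(text):
    """Yield (day, client, path, nbytes) from the constructed log format."""
    for line in text.splitlines():
        ts, client, _method, path, nbytes = line.split()
        yield ts[:10], client, path, int(nbytes)

def find_bulk_egress(text, daily_cap=DAILY_BYTES_CAP, req_cap=SINGLE_REQUEST_CAP):
    """Return alerts for oversized single responses and clients over the daily cap."""
    totals = defaultdict(int)
    alerts = []
    for day, client, path, nbytes in parse_lines(text):
        totals[(day, client)] += nbytes
        if nbytes > req_cap:
            # One response large enough that it cannot be a per-patient lookup.
            alerts.append(("single_request", client, path, nbytes))
    for (day, client), total in sorted(totals.items()):
        if total > daily_cap:
            # Aggregate pull over the day exceeds any plausible business need.
            alerts.append(("daily_total", client, day, total))
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_egress(SAMPLE_LOG):
        print(alert)
```

The clinic clients stay silent while the export account trips both the per-response and the daily-total rule; in practice the caps would be set from observed baselines rather than fixed constants.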
Witty says he supports policy changes to mandate better cybersecurity practices among healthcare organizations.
Would it be too much for him to take the responsibility for securing his organization's assets? Do we legislate that they have to have locks on the doors of their buildings?
"The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare's data center network and core services, and added new server capacity," Witty's testimony reads. "The team delivered a new technology environment in just weeks — an undertaking that would have taken many months under normal circumstances."
So they get to save money not employing proper security and practices.
Pay off the attackers
Keeps the job and gets to glad hand it with Congress.
And then gets a brand new DC in weeks, in this climate of years lead times in some cases for the same, professionally set up and with new security.
So they did nothing, got attacked for it, get rewarded for it and then get a professional data centre makeover too.
This job sounds easy.
1. I like the idea of those little crypto-number response boxes far better, and I hate any security scheme based on smartphone-related functionality, as smartphones are pre-compromised, ineffectively-remediable devices.
2. Weren't a metric crap-ton of such boxes discovered to be vulnerable to an attacker, due to an error in the software which the hardware correctly implemented, or due to an error in the hardware implementation of the (correct) software? Were those compromised devices ever replaced?
Having a company with x number of employees is like trying to protect a castle with x number of doors. You only have to leave 1 door open, and your castle is breached. With an attack occurring every 70 seconds, surely, it's inevitable that every company will eventually succumb to a cyber security breach. It’s like a constant war of attrition.
And if that company only has a small IT component it's even more likely to occur due to low quality security design and inadequate staffing.
I know a guy who was president of a network of small old folks homes. They live inches from solvency, are mostly concerned with trying to keep enough staff to stay in business, and yet are tasked with holding a ton of resident and employee data, both personal and medical. They got breached and just went ahead and paid to get their data back because there was exactly zero chance they could rebuild their systems without it. Unprofessional IT shop? Absolutely. But his choice was to write one check (and then hire someone to rebuild IT from there) or literally close the doors and send these people out in the street. Not a hard choice for him.
If you don't like the drama of old people then think of poorly defended dentist offices, or law offices, or any small business that doesn't have the knowledge that moving to a SaaS would be easier, safer and cheaper than keeping whatever old system is running under Sheryl's desk alive. They don't even know they are in trouble, but employee and customer and payment data is lying all over the place. Telling many of these places they can't write the check just means they go out of business. The reason most haven't been hit yet is because they aren't wealthy enough for criminals to spend the time on, but as the script kiddie tools get better they will be worth that tiny effort.