Planned Parenthood confirms cyber-attack as RansomHub threatens to leak data

Planned Parenthood of Montana's chief exec says the org is responding to a cyber-attack on its systems, and has drafted in federal law enforcement and infosec professionals to help investigate and rebuild its IT environment. This comes as ransomware crew RansomHub boasted it had broken into the nonprofit, and stolen its data …

  1. Anonymous Coward

    Make sharing illegal

    Stolen info will be hosted somewhere. So make it illegal to share such content, with a 24h removal window, including domain take-down if necessary. Also make it illegal to advertise the links.

    But it should be the data owner who monitors, finds, and reports the content for take-down. Maybe third-party businesses will appear to help with such tasks.

    1. Tron Silver badge

      Re: Make sharing illegal

      That would criminalise a lot of journalists who covered the Paradise Papers release of data, exposing corruption. All data is not equal.

  2. Tron Silver badge

    an especially low act

    All crime is low. Criminals are not nice people. Having failed to deal with the Taliban and Houthi, the US are also failing to deal with ransomware gangs. Don't you have to come out on top occasionally to merit that 'superpower' moniker? These are attacks upon the general public, which makes them acts of terrorism. So let's see some ransomware crews in body bags on the news.

    If you have gigabytes of sensitive data, it should be on a system that is not connected to the public internet. That may just mean having two systems on every desk with a human bridge. It's simple. It works. If you hold sensitive data you should also encrypt it. So if it gets nicked, it is worthless and no harm is done.

    We have had computers for long enough for this to be the default in these cases. It doesn't require an infosec wizard to implement this.

    It's not victim-blaming to demand that IT professionals in charge of holding honeypots of data that are likely to be targeted should be fined or imprisoned if it all gets nicked. They have a duty of care over data, to keep it secure. That is why they are paid a wage.

    1. Neil Barnes Silver badge
      WTF?

      Re: an especially low act

      This. If you have _any_ sensitive data, it should not be on a system connected to a public internet. (Equally, any sensitive control systems... though I suppose that's too much to hope for, so perhaps we might settle for encrypted command and control and verification.)

      And for pete's sake: domestic PCs have been able to encrypt everything by default for years; why is this not the default on this kind of server?

      Are we getting to the point where the safest way to store anything sensitive is on paper, in filing cabinets? Shouldn't we have moved on from there?

      1. Anonymous Coward

        Re: an especially low act

        Having to deal with this on a daily basis: it's not as easy as you believe it is to properly encrypt data in a business environment. You could end up with all your business data unreadable and no key, except without even the ransomware attack.

        Definitely not just ticking a box.

      2. MyffyW Silver badge

        Re: an especially low act

        Encrypting data at rest and in transit doesn't guard against someone using a privileged account to export it. Criminally motivated people have shown down the years an ability to work around systems, so you need strength in depth - covering human as well as systems weaknesses.

        It is tempting to say "don't have any sensitive data on the public Internet" but that goes against the past 20+ years of Internet development and growth. And still doesn't guard against the compromised user who exfiltrates the data from internal systems by another means. Even the swivel chair, two screens approach wouldn't stop somebody taking screen shots, or scribbling notes.

        Infosec is hard.

      3. Anonymous Coward Silver badge
        Boffin

        Re: an especially low act

        For data to be usable in any way, it will need to be decrypted. If the hack can be implemented at that level, it's game-over for the encryption.

        Domestic PCs (I assume you're referring to BitLocker) will encrypt data at rest such that a stolen drive is useless, but does absolutely nothing to stop software running on that PC from accessing the data.

    2. Cav

      Re: an especially low act

      Just how do you think you are going to get people from Russia, China or Belarus into those body bags?

      And whyever would you need two PCs?!

      Few hackers are breaching customer interfaces. They are breaking into networks and then poor segmentation means they spread through the whole network.

      There will always be accounts that can access the data, encrypted or not. If someone breaches the network and installs sniffers or key loggers then they can easily get access to the credentials of such accounts.

      Do you work in IT?

    3. Anonymous Coward

      Re: an especially low act

      There is an enormous dearth of competent IT security personnel, as opposed to very numerous gangs of talentless clock punchers going through the security theatre motions. Also the US healthcare and most other sectors are IT monocultures, MS Windows and nothing else, making even one zero-day exploit capable of spreading throughout an entire organization.

  3. Anonymous Coward

    It would be interesting to extend personal information with discardable identifiers, similar to throw-away email aliases.

    If one is compromised, you delete it, but the main ID is protected.

    A similar concept can be developed for SIN, addresses, and other information.

    Key personal information could be checked by a central authority if that is actually needed.

    ID theft would be greatly mitigated when you can log in to your citizen portal, and check an alias to your SIN as compromised.

    You can even take it one step further and leverage public key cryptography, where you're issued digital keys with revocation dates, and a digital fingerprint.

    If you get a notification it is in a breach, it takes one command to remove its value. The central authority could do it in one fell swoop for 1000+ citizens.

    The central authority would need protection, but at least you reduce the surface from anyone that ever hoovers up your data to one party, with a local MP on hand for some oversight.

    Enforcement and education will not do much as long as the business model has such high returns.

    It is possible to reduce the market/demand in some of these scenarios, but few economies seem to dislike companies that harvest data, so I'm not holding my breath.

    1. tiggity Silver badge

      Would be easy to do

      @ian_victor

      Many systems already use that type of approach for card details (though not with one trusted authority, but a token to represent card details)

      e.g. when a customer first uses a particular card, details are sent via API to your card details / payments provider, they validate it (or not! - depending on scenarios this may involve doing a micro payment / reimbursement, MFA, not just Luhn-style checks) - and if valid you get a token to represent that card (in some cases you get a token without it being fully validated, e.g. scenarios where the MFA route returns a token but you get appropriate data so you know it is still pending full verification & no payments can be made until it finally passes).

      You store that token in your system and use it for any card payments with your provider, until that card hits expiry date (as you then get validation message about expiry)

      This is good as you store no card details, just a token - responsibility for the sensitive data* lies with the payment provider (you may or may not decide to store e.g. 4 chars of the card number just so you can give a hint to the customer which card they have linked, but there is no need as most providers give APIs so you can get the card number if required (& just hold that data transiently), so you can quite happily function with no card details permanently stored on "your end")

      * there's a lot of legislation to conform to if you want to hold card data non-transiently, so for most companies it's far less grief to let one of the "trustworthy" payment providers** do it for you.

      ** a whole story could be written on the grief in trying to definitively find out how good (or not) various card handling / payment providers are in terms of best practices, getting audited etc. when you are enquiring as a "non entity" (relatively small in number of transactions number and / or amount of cash involved PA)
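The tokenisation flow described above (and the revocable-alias idea in the earlier comment) as an added, runnable illustration; this is constructed example code, not anything from The Register, tiggity, or any real payment provider. The vault, the `tok_` token format, the test PAN and the dates are all invented here.

```python
import secrets
from dataclasses import dataclass
from datetime import date


def luhn_valid(pan: str) -> bool:
    """Mod-10 checksum: a cheap sanity check, not proof the card exists."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VaultRecord:
    pan: str
    expiry: date
    revoked: bool = False


class TokenVault:
    """Provider side (hypothetical): the only place the PAN is stored."""

    def __init__(self) -> None:
        self._records = {}

    def tokenize(self, pan: str, expiry: date):
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._records[token] = VaultRecord(pan, expiry)
        return token, pan[-4:]  # merchant may keep the last 4 as a customer hint

    def authorize(self, token: str, today: date) -> bool:
        rec = self._records.get(token)
        return rec is not None and not rec.revoked and today <= rec.expiry

    def revoke(self, token: str) -> None:
        # One command makes a leaked token worthless; the PAN itself is untouched.
        if token in self._records:
            self._records[token].revoked = True


def merchant_demo(vault: TokenVault) -> dict:
    """Merchant side: holds only the token and last 4, never the PAN."""
    token, last4 = vault.tokenize("4111111111111111", date(2030, 12, 31))  # constructed test PAN
    stored = {"token": token, "hint": last4}
    before = vault.authorize(token, date(2029, 1, 1))
    expired = vault.authorize(token, date(2031, 1, 1))  # past card expiry
    vault.revoke(token)
    revoked = vault.authorize(token, date(2029, 1, 1))
    return {"stored": stored, "before": before, "expired": expired, "revoked": revoked}
```

A breach of the merchant's database in this model yields only tokens that the vault can refuse; the `revoke` step is the "one command" the earlier comment describes.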

  4. Anonymous Coward

    Extend all resources...

    ... to catch, and torture these bastards.. painfully, and publicly.

    With the current fundamentalist environment in the USA, the release of this data is likely to lead to murders.

  5. Anonymous Coward

    These guys disrupt critical systems such as hospitals and utility infrastructure thus endangering lives. They aren't just criminals. Lethal force should be applied like against 'conventional' terrorists. If they hide overseas send in special forces.

    1. Cav

      A ridiculous comment. Are you going to send special forces into Russia or China to kill their citizens? You want WW3? And if they are caught and paraded on TV?

      Absolutely clueless.

    2. Ken Hagan Gold badge
      Mushroom

      If they are overseas, it is an act of war.

      Don't believe me? Try taking out a few large IT systems in Russia and then tell Mr Putin that it's just a matter for the local police.

      On second thoughts ... don't.
