Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Behind the Great (Fire) Wall

The Great Chinese Firewall.
June 20, 2014
For anyone who hasn’t been to China yet, the realization when you get there that the ‘Internet’ isn’t the ‘Internet’ can be slightly alarming. China blocks many of the most popular web sites and services that the Free World uses on a daily basis.

Forget updating your Facebook page, YouTube, or your personal blog to 'show and tell' your friends and family about your wonderful trip to the Great Wall, Forbidden City, or Summer Palace. Forget also about catching up on news from popular news sites. Most are blocked - especially if there's a story about China!

No other country censors the Internet quite like the People’s Republic of China does. It determines almost completely what it allows its 1.4 Billion citizens to read, write, listen to, watch, or post. .... No other country that is, excluding the more than slightly isolated hermit kingdom of North Korea where there’s often no electricity even if you are one of the few elites allowed to access a computer.

Twitter, Blogger, Gmail, Google Plus, even the Google Search Engine are all blocked at the present time. Major publications like The New York Times, The Wall Street Journal, BBC, The Times, and Bloomberg are blocked also. China doesn’t permit the free flow of information in or out of the country, so if you want your service to be accessible to China’s 618 million online users you have to abide by China’s rules, and that means you need to self-censor or be blacked out entirely. Some companies like Google for example refuse to censor the truth, re-write history, or compromise its charter to “do no evil’ for the sake of doing business in China. Consequently, and at the present time, Google is to put it lightly, not particularly liked by the China Net Police.

China effectively has its own 'national intranet', with its own providers and its own rules. So far, none of the big U.S. Internet firms has managed to make significant headway there, and the ones who try must play by the rules. LinkedIn, for instance, which entered the market this year, is drawing flak for blocking posts about political matters in China. Even sensitive pages in Wikipedia are blocked.

Bing and Yahoo search engines work but forget searching for such heinous terms as ‘Tienanmen Square Massacre’, ‘Dalai Lama’, ‘Muslim ethnic riots', ‘protests in Tibet’ or ‘Chinese Official corruption’. These things don’t exist as far as China is concerned unless the government says so. They are mere ‘untruths’ fabricated by the West to make China look bad. Its not quite George Orwell’s '1984', but there are a lot of similarities. China allows just enough freedom to make its citizens believe that they have free access. It regards its filtering actions as being nothing more than paternalistic protection of its citizens.

There is no official warning or 'verboten' page for trying to access blocked content. Your request will just time-out as if the web site is down rather than being blocked. Sometimes its hard to know whether the site or service is purposely blocked, or whether the traffic-slowing 'Great Firewall', or the less than stellar China network is to blame. You just have to try later. The notion of things like 'Internet quality of service' (QOS) in China simply doesn’t exist. One day you can connect with decent bandwidth, the next, nothing seems to work properly. That is however as much for internal China hosted web sites as it is for ones hosted overseas.

There is no official censorship list either. Sites and services just get blocked - sometimes returning, sometimes not, depending upon relationships with the West, and internal political activities like self immolation in Beijing, or Lhasa, protesting of any kind, or the cause of ethnic Uighur separatists in Western China’s Xinjiang province much of which was once called 'East Turkestan' before China occupied it in 1949.

Pro Democracy Protests / Tiananmen Square Massacre
Of course the 25th anniversary this month of the Tiananmen Square Massacre in which untold thousands of Chinese students and ordinary citizens, along with paramedics and doctors treating the injured, were gunned down, bayoneted, or purposely run over by tanks has been an especially auspicious time for the censors. The mere thought that the Chinese population should find out about the events of 1989 when China's leaders mobilized complete battalions of the Peoples Liberation Army (PLA), and sent over 300,000 armed troops and tank regiments into Beijing to break up the peaceful democracy protest, sends shivers down their spines. This month, even shortwave radio is blocked - just in case the BBC Word Service or Voice of America should mention the anniversary.

As for available services - unblocked web sites or email for example, forget the idea that your surfing or email messages are private. You should fully expect that someone, somewhere, in China is monitoring what you do, what you read and what you write. Even SSL/TLS email and web sites are often decrypted by the Great Firewall, examined and filtered before being sent on or dropped.

Don't expect western style privacy in China but something closer to Orwell's "1984"
Your only option for secure communications with the outside world is VPN and even then it can be touch and go, and you absolutely need to set this up before landing in China. Encryption keys need to be long and complex and set to the highest encryption strength supported by your provider or VPN termination device outside of China. The web sites of companies that offer VPN services are generally blocked in China, so if you don’t have a service agreement beforehand and your encryption keys along with your setup information with you when you arrive in China, tough luck!

PPTP is generally blocked. I’ve found it to work at major western branded hotels in big cities like Beijing, but blocked in the same hotel chain in other cities.

L2TP is a lot better and generally works in many upmarket western or Chinese hotels.

The fact is that things change all the time in China so come prepared.

Your best bet however, is SSL VPN which uses SSL rather than an IpSec tunnel to encapsulate traffic. Services and complexity of setup for both client and server can be more difficult, but its worth the extra cost and effort to ensure connectivity. Most SSL VPN clients can be configured to attempt connection on a number of ports and protocols. Your best bet is to include TCP port 443 in your configuration. This is the port commonly used for secure https web communications, so if your connection on a higher custom port fails, you can normally always get out and obtain a secure tunnel on TCP 443.

OS X, Windows and most Linux distros already contain the software needed to support PPTP and L2TP VPN connections. Third party applications such as Viscosity and Tunnelblick can be downloaded to support SSL VPNs and software found on the Apple Store and Google App Store for iOS and Android devices.

Hotels in China usually provide both wired and wireless Internet access. Wireless is usually ‘open’ meaning that your communication to the WiFi Access Point is unencrypted and could easily be observed, intercepted or exploited by ‘man-in-the-middle' attacks. You want to avoid connecting to any open wireless connection in China. Make sure that you bring an Ethernet cable and if using a Mac or slim laptop then a dongle to allow you to use the RJ45 socket in your room. A wired Ethernet connection could still be intercepted, but there's less chance of your average China hacker doing so. Besides, you can employ extra layers in your cyber defense as I'll explain.

Security in China is a MUST so rather than rely upon directly connecting your laptop to the wired network, and to facilitate access for other devices that only have WiFi connection capabilities - iPads, iPhones, etc., consider bringing a simple wireless router-firewall and loading it with the open source DD-WRT firmware. You then have this router open an SSL VPN out of China so you can use one tunnel for everything, and secondly can setup a WPA2 WiFi network for your wireless devices in your hotel room so that they can connect securely too.

Builds of DD-WRT have been written and can be easily downloaded freely for most common consumer WiFi Routers from Linksys, Netgear, D-Link, etc., but you need to load a larger 'FULL' or 'VPN 'build to be able to use it as a your SSL VPN termination point. That usually requires more RAM and Flash memory than the cheapest routers to load and run the build than an 'light or 'regular' build. Check out the DD-WRT Router Database for supported hardware and the Wiki for how to flash and configure both DD-WRT and to setup your VPN. Interestingly, older versions of the same router may often contain more RAM and Flash storage than the latest version in which case go check out eBay for the version you need.

OpenWRT is an alternative project to DD-WRT though not as many devices are supported and its a little tougher to configure. It has great support for Linksys hardware however. There are a number of different projects within OpenWRT, including Tomato which is one of the more popular distros, but an Internet search will tell you what hardware is supported on which distro.

Remember to build out, test and if needed, troubleshoot your DD-WRT / OpenWRT loaded router BEFORE your trip to China.

Before purchasing or re-imaging a router, ensure that is has sufficient RAM and Flash memory to support a 'Full' or 'VPN' build of DD-WRT / OpenWRT.

Secondly, make sure that its power adapter is multi-voltage as China uses 220 to 240volts
.
A decent surge protector for all your electronic gear is probably a good investment also as the power in China is often quite dirty.

As to the privacy of your computer, tablet or smartphone, forget that too unless it never leaves your side. Web pages where you agree to the Internet access terms of service in the coffee shop or hotel, sometimes have malicious code that is automatically pushed without your knowledge to your system unless you have that system locked down WAY tighter than most users would. Creating a user account with minimal privileges is definitely a good precaution. The more concerned may consider taking a blank machine with nothing more than a locked hypervisor and a read-only virtual machine.

And forget leaving your device in your locked hotel room or safe while you go for breakfast too. You are not the only one with a key - even to a combination lock. The maid will have a forensic acquisition of your hard drive completed before you get to your second breakfast cup of coffee - even if that hard drive is full-disk-encrypted!

Big Brother is watching you

Of course if you happen to be in China on business, then expect to be targeted. Chinese companies, most of which are owned by the Chinese State or Peoples Liberation Army (PLA) have been issued 'five year plans' to catch up and surpass their western counterparts using any and all means available including outright theft of intellectual property and trade secrets. The paternalistic monitoring forces of China are eager to aid in this endeavor even in just the acquisition of your phone contacts, so don’t lose sight of your phone or anything else.

Watch out for hidden cameras too - especially if you maybe targeted. Cover keyboards and be very careful when entering passwords in computers, phone or hotel safes. And be concerned what you do / who you bring back to your room. Just assume that you are always being watched and that anything you do, can and usually will be used against you.
Big Brother IS watching you in China
That being said, China is a great place to visit, so come prepared and enjoy your stay! Just be aware of the risks you face and take the appropriate precautionary measures to protect yourself and the data you may have with you.

See also: Why is the Chinese Military so focussed on the theft of Intellectual Property


Post Script
Eric Jacksch recently published an interesting article on the use of Chromebooks for international travel in order to safeguard private information. If crossing an international border concerns you with information on your laptop that simply should not be disclosed then this might be an option for you. However the same concerns exist for unfiltered and un-monitored access to the Internet when in China. Read Eric's full article

Mricon.com also published a Linux / Chromebook setup guide for attending conferences or meetings in China.

MacWorld published a Data Security Guide while traveling with your Mac, iPad or iPhone.

Network World recently published a crackdown by the Communist Chinese Government on ISPs to block VPNs out of the country. China goes after unauthorized VPN access from local ISPs


Not Opting-Out doesn’t mean that I am Opting-In!



Does the fact that I didn't explicitly ‘opt-out’ of your email list mean that I agree implicitly to you sending me unsolicited spam email, or any partners you may decide sell my contact information to?

Does the fact that I missed or failed to uncheck the tiny radio button in your 17 page agreement mean that I agree to providing you access to datamine my contacts, my bookmarks, or my internet history?

Most users would say, “No!” However, Facebook announced recently that it intends to start targeted advertising to its users, by pulling their interests, passions and surfing habits from their Web browser histories.
The free content ad network said in a blog post that Facebookers who hate the idea of yet more intrusive advertising, can switch the feature off via the "industry-standard Digital Advertising Alliance opt out". In other words, all Facebook users in the US will have their browsing behavior tracked by default. The company would not be able to do the same stealth-ad-bomb exercise in the European Union, however, because consent for such a mechanism has to be granted first.
While one can appreciate the need for companies that offer free services, to pay for those services via advertising - a principle that many a Web-based business uses, the fact that a U.S. based user is deemed to have consented to the use of their personal and private information, as Web browsing history surely is, only because they haven’t yet opted out is ridiculous.

Are you sharing a computer between several people? You'd better hope that one of them doesn’t like to surf porn or your Facebook targeted advertising could be interesting!

Less than 1% of users ever read the small print of the absurdly long, unintelligible and usually highly legalese user agreements, let alone the constant changes of agreements as a company updates its policy. For a company to claim then that users have been informed and are fully cognizant, aware and agree with the company’s latest policies is delusional. Most users have no idea what they are agreeing with; they just want to get on to Facebook to see who has posted to them on their way home from work, school or the airport.

To further claim that because a box agreeing to give up some aspects of a user’s privacy is checked by default by the owner of that page, and that a user must uncheck such a box or radio button to NOT grant such access, before clicking the large bright button at the end of the agreement, which states “I agree,” is insane to rational and intelligent users.

“I didn’t agree to that!” is what I often hear from common users – and quite rightly so.

Yet in the United States this assumed legitimacy of the corporations to pillage whatever private information they please goes largely unchecked. In Europe or Australia (other modern and arguably more advanced civil societies) such actions would land those corporations in court, having to cough up hefty fines and punitive damages while forcing them to leave court with a preverbal corporate tail between their legs!

As recently as June 1st, a UK Court ruled against a large retail store for spamming a prospective customer who inquired about home delivery of groceries and had to enter his home and email addresses in order to find out if they serviced his area. He failed to notice the hidden checkbox that the retailer had checked by default asking for permission to add him to the store’s email list. The court ruled against the retailer and awarded damages to the plaintiff.

The store argued that because the plaintiff had not opted-out of receiving their emails, he had automatically opted-in. The court however agreed with the plaintiff that ….
"..an opportunity to opt-out that is not taken is simply that. It does not convert to automatic consent under the law and companies risk enforcement action if they use pre-ticked boxes.”
If the owner of a web page checks a box granting consent to itself and the onus is on the individual to reverse that action then the owner has not received permission to whatever agreement the checkbox referred.

Facebook said it planned to start offering ad preferences controls to US users over the next few weeks. The policies governing its new targeted advertising initiative however will not be released until later this year.

That’s akin to Congress passing a law and deciding what to put in that law at some point after the Bill has been passed and gone into law......and Americans sometimes wonder why the rest of the world doesn't take them seriously!

Why is the Chinese Military so focused on the theft of Intellectual Property?

PLA Cyber Troops

Yesterday’s indictment of five People's Liberation Army (PLA) cyber espionage officers on charges of hacking into US companies in order to steal trade secrets was no surprise to most of us in the cybersecurity business. Nor was it to China-watchers who have become used to seeing mainland China do whatever it takes to catch up with the rest of the world following its more than half-century of economic stagnation under communism.

The fact that the indictment handed down in the District Court of the Western District of Pennsylvania only named five mid-level officers, says that this highly unusual activity by the US Department of Justice (DOJ) to prosecute the agents of a foreign government, is very much a test case. It's also an open and very public wake-up call to Mainland China to cease and desist its rampant and prolific cyber espionage activities against western commercial businesses.

Despite years of protestations by the US and other law abiding nations, and a very revealing Mandiant report last year detailing the activities of PLA Unit 61398 or ‘APT1’ as it is also known, regarded as the most prolific of over 20 PLA cyber warfare units, China has refused to acknowledge or stop its state-sponsored cyber theft activities, and has further demanded that the US prove its allegations. Perhaps then this is a water-tight test case in which the perpetrators can be proven guilty of not only cyber theft, but also to have acted on the orders of the Chinese State. What's more, this verdict can be handed down in a globally respected US court of law - something for which China, with its general lack of law or an independent judicial system, can only aspire.

Having spent a lot of time in the People's Republic of China since the early 90s, I’m sure that the Chinese leadership will continue to loudly profess its innocence and abhorrence at US accusations, for such is the game that is played in China whenever anyone is caught red-handed. I’m also sure that China will respond in a tit-for-tat manner accusing the US of cyber spying against the People's Republic in order to save the all-important ‘Chinese Face’. However in this case the Chinese leadership in Beijing may well be largely ignorant of the true activities of one of its PLA units located in an innocuous twelve story building on the outskirts of distant Shanghai.

China’s national leaders, in fact, hold very little power in the overall command-and-control structure of the world’s fastest growing economy and most populist nation. Instead China is really commanded and run by regional power players as it has been right the way back to the Qin Dynasty in 221BC. It is these Warlords who hold the real economic and often grass-roots political power in China. A fact that Beijing and the Central Committee puts up with, but doesn't necessarily like. All too often when one of these regional barons or princelings gets too powerful and steps over the line, Beijing is forced to make an example of them with a high-profile execution or life imprisonment as was the case with Bo Xilai 薄熙来 in September 2013.

This regional power model extends down as Marx would have put it to ‘the ownership of the means of production’. Most of China's private companies that emerged during the late 80s and early 90s were, in fact, owned and managed by the PLA, which expanded into manufacturing, hotels and other commercial activities. The revenue from these activities proved to be not only profitable, but also a vital means by which PLA units were able to expand their regional power and influence, and develop a near monopoly of local commerce. These PLA units were directly or indirectly run by local warlords. In fact, many of today’s modern Chinese mega-corporations, some of which are now publicly traded, are still controlled and run by the very same power barons.

And this perhaps explains best the close link in China between official military espionage and the commercial targeting of western companies for intellectual property theft. It's all about the pursuit of power and taking, by whatever means is available, competitive advantage over opponents, even if that involves the outright and very public theft of internationally recognized trade secrets.

Memories are short and China is banking that no one will care 10 or 20 years from now just how Chinese corporations became the biggest and richest in the world, or how everyone else went broke!

See also: Behind the Great (Fire) wall

PROVE IT!


In this age of commodity IT cybersecurity (cyber) is no longer immune to the C-level challenge to “Prove it!”

Many industries are still making deep spending cuts, and plying customers with “Cyber is ROI” and “Think of it like insurance!” simply doesn’t resonate.

Executives hear “investment” as code for “long time plus big price tag". Despite best efforts, there remains a major disconnect between cyber value and business value.

If you want to compete in the cyber market then the discussion is inevitably a hard dollars and business sense conversation: “Our time to market for mobile apps increased 50% after we deployed a secure app store solution.” Real stories, real metrics, real value.
There are two kinds of companies: those that know they’re compromised and those that don’t.
The imperative today: products and services must work AND must deliver fast. CIOs and CSOs know they will have to have a conversation with their CFOs. As security professionals we need to help them. We must speak their language. The F&A floor is seldom impressed by products that are cool. Even less so if cool can’t demonstrably convey assurance, cost reduction or realized business enablement.

“But we just found a zero day APT!” Not surprised. Breaches are inevitable. This approach, however, is not convincing to the finance director. Anecdotes are good, but they lack tangibility. The new reality is that there are two kinds of companies: those that know they’re compromised and those that don’t.

“So, raise the cost in the kill chain?” Okay, but to what end. Threat identification is a good thing—it’s good to know who’s been living in your house and who’s eating that last slice of pie when all are a slumber. There’s more value if you can estimate marginal benefit (and cost) so we know how much to spend. At some point, there are always diminishing returns for raising that bar. Finance folks understand that. If we want to make our case, we need to be on their page.

Here are a few of leading questions to consider. Your ability to answer questions like this will help demonstrate bona fides:
  1. Did the tool we bought measurably decrease our per incident mitigation costs? 
  2. Did we lower our audit costs because we had evidence-based artifacts? 
  3. Did we increase our up-time during core productivity hours? 
The cost of doing business in the information age is cyber—‘tis a fait accompli'. But the language of business, even in government, is still finance. Numbers get people’s attention, especially executives whose success or failure rides on quarterly statements to their shareholders. Their proof is always in the numbers. As industry professionals, our job is to help make the business case. And if cyber as an industry wants to have a seat at the big table, then we must improve the language we speak.

Written by good friend and colleague Michael Lucero

IE - A Single Point of Failure



The news this weekend of yet another Microsoft Internet Explorer Zero Day vulnerability and working exploit has been met by the IT community with the usual disdain.

It was followed on Monday morning and much of Tuesday by frantic activity to update or completely remove Adobe Flash Player (needed by the current exploit to prepare memory prior to the installation of drive-by-Malware), and by the unregistering of VGX.DLL which provides support for Vector Markup Language (VML). Combined these activities are believed to thwart would-be attackers using the currently known exploit, until such times that Redmond can come up with an official patch.

The known exploit can be executed by Remote Code Execution. A user need not do anything more risky than simply visit a booby-trapped web page or view an image file that has been compromised to trick Internet Explorer into installing Malware or other executable code from the Internet. No dialog, no warning, no sign what-so-ever that a system has just been infiltrated!

The issue is not just that this is another zero day exploit - (one for which there is no readily available patch which with to remediate and protect), although that’s bad enough in itself.

The issue is not just that the vulnerability affects every current version of Microsoft Internet Explorer from version 6 to the latest release of Version 11. Or that it affects nearly every current computer operating system that runs Windows - PCs, laptops, AND more worryingly servers.

The issue is not even that a large number of Windows systems will never be patched by Microsoft since Redmond just withdrew support for Windows XP, which by some estimates still accounts for nearly 40% of computers in use globally.

The issue is with corporate IT and a double dependency with the computer systems that run business enterprises and much of industry the world over, nearly all of which have built a reliance upon Windows and its virtually uninstallable web browser, Internet Explorer.

After a series of lawsuits and hefty fines in the late 1990s and early 2000s from the European Community and other countries for anti-competitive behavior following Microsoft’s bundling of its web browser with copies of Windows and the subsequent ridding of competition, Microsoft tightly bound Internet Explorer into the core of its operating systems as a defense against future law suits, claiming that it was vital to the operating system, furthermore that is was in fact PART of the operating system and therefore inseparable. With the demise of competition (until recently), the result has been a near total dominance of Internet Explorer in the workplace and on enterprise managed PCs despite the rise in use of other browsers at home.

The trouble with this is that IT departments along with many of the world’s leading business software vendors, have written their applications to run solely on Internet Explorer, using proprietary functionality built by Microsoft into its web browser rather than following WC3 cross browser standards - an international body setup to govern the growth of the World Wide Web.

Many internal applications written by IT departments along with the customized implementation of leading ERP systems and other business applications such as SAP, simply won’t work on Firefox, Chrome, Safari, Opera or any non-Microsoft web browser. Many IT departments don’t even give their users a choice of web browser so everyone is stuck with the company approved version of Internet Explorer. A web browser as we have already noted that is at present, totally open to drive-by attacks. This in turn could infect and severely impact, (or totally impede), corporate networks just as other vulnerabilities have done in the past. Corporate IT now finds itself up the preverbal creek and without a paddle!

The dilemma for corporate IT is how does it engineer its way out of the single point of failure currently holding company application infrastructure hostage via an unhealthy dependance on Internet Explorer? It will no doubt take time, lots of money and effective governance to ensure that all current and future applications are (re)written to cross-browser W3C standards - something that they should be been written to all along. At least then, business users will have a choice and IT will be able to either disable vulnerable applications like Internet Explorer till safe, or request that users employ other web browsers till patches can be applied to remove risks.

The dilemma for others however is less clear-cut, particularly the further you get away from Redmond, WA and those who for whatever reason have not upgraded hardware and operating systems to support a currently accepted patch-receiving Windows platform.

With so many millions of Windows systems now unlikely to ever receive another patch, the prospect for future safe and efficient Internet usage for the rest of us is very much in doubt.

There is a very real and present danger of a Zombie computer army consisting of up to 40% of the world’s computer systems managed by command and control centers owned by nefarious players that could hold the entire Internet to ransom or bring everything to its knees. That includes business and business applications as well as the web surfing public.

An ethical and political question should be raised to Microsoft. Is it really acceptable to the rest of us for Microsoft to withdraw the patching of vulnerabilities in its code of older and still very popular Windows XP systems, when failure to patch known vulnerabilities could have such far-reaching impact on everyone, including those who have paid for Microsoft’s latest systems?

Many companies can not afford to upgrade tens of thousands of workstations running Windows XP and the associated work involved in re-writing hundreds of applications to run on newer operating systems from Redmond or elsewhere.

Many poorer countries have no intention of purchasing new computer hardware to support Microsoft’s current and more demanding operating systems. Nor do they have the money to purchase new versions of Windows even at hugely discounted local prices. These systems will remain unpatched and unprotected for years to come not just against this critical threat, but also against the no doubt hundreds or thousands of other vulnerabilities and potential exploits which will be discovered in Microsoft code over the next decade.

With so many of its users excluded from support, what responsibility should Microsoft bear to ensure that common shared resources such as the Internet are not negatively impacted by computers running its abandoned operating systems?

Governments and most individuals widely consider there to be an economic utility in population health. If the person next to me on a crowded plane, train, office or school is sick with a communicable disease then the chances are I may be infected, so its in my best interest to ensure that everyone is as healthy as possible. Should not the same rules of population health and economic utility then apply to communicable diseases (viruses, Malware, etc.) in computer systems?

Healthcare's Continuing Heartbleed


It has been nearly two weeks since the Heartbleed vulnerability shook the global e-commerce industry with the realization that Web servers around the world were open to a vulnerability in OpenSSL’s heartbeat feature — and they’d been that way for the past two years. Fortunately, a large number of vulnerable systems have been fixed by now, and most healthcare websites across North America and Europe have been patched and use new server certificates and keys.

It’s still unknown at this stage just how many sites and systems were exploited and what data was compromised, but at least a few large organizations appear to have suffered breaches and, as investigations continue, more will likely join the list. It also remains to be seen whether any significant breaches of personal health information have occurred as a result of Heartbleed and whether regulatory agencies will conduct (expensive) onsite investigations of entities unfortunate enough to be hit.

Healthcare providers have reviewed and patched most of their primary systems, portals and websites that rely on OpenSSL. However, most providers have not considered the vulnerabilities that may exist still in secondary and tertiary systems, many of which include embedded versions of OpenSSL.

Secondary systems, such as hospital VPNs that provide remote access to patients, visitors, partners and business associates, use OpenSSL. Most enterprise routers, firewalls, switches and other key networking components contain a Web server for setup and management. Smaller networking devices, such as cable modems, DSL routers, etc., that provide network access from branch clinics and physician offices to their local hospitals, also contain embedded Web servers, and most also leverage OpenSSL.

If a hacker can use Heartbleed to compromise the router in a small clinic, for example, he or she can obtain the encryption keys or certificates used to secure remote access to hospital networks and information systems. Those keys and certificates may not be unique to that particular clinic and could be common to all VPNs of a particular hospital supporting literally hundreds of other clinics and physician offices.

A multi-million-dollar hospital operation is only as secure as its weakest link and, in this case, could be compromised easily by a $30 consumer router left forgotten and unpatched in a remote clinic. Of course, keys and certificates should be unique to each connection, but best security practices are not always followed in healthcare.

Lesser-known building management systems (BMS) used to manage hospital infrastructure —HVAC, power, water and a heap of other services vital to the successful delivery of healthcare — are now managed by offsite, third-party service providers. Most of these remotely access systems via the devices’ Web interface, often secured only by an SSL connection.

Most hospital security and IT leaders have little or no understanding of these potentially vulnerable BMS devices scattered around various sites, nor do they have access to or an inventory of most of them. Many have been in place for years and may have been installed by outside electrical or HVAC contractors and never documented. Only the facilities department would have the slightest idea of their whereabouts or functionality.

All of these ancillary systems will need to be discovered, documented, carefully investigated and patched if vulnerable. This gargantuan task will take weeks of investigative work and examination, and require security staff to visit all kinds of locations to verify that their core network is not likely to be compromised.

Any devices or services — and the systems accessed by them — that are found to be vulnerable and accessible will need further investigation for unauthorized data access.

Unfortunately, as much as we would like to think that Heartbleed is behind us now, the fact is that for most of us in the healthcare industry, it has only just begun.

What is Heartbleed and why is it different from just another cybersecurity vulnerability?


We have all, to a large degree, become numb to the constant stream of cybersecurity vulnerabilities and mass of patches forced upon us each month. As our IT systems become ever more complex and the code behind them ever longer, so too does the likelihood that the code will contain an unknown security vulnerability that could be exploited by hackers.

If a security vulnerability is discovered in the operating system of your Windows laptop for example, it's a simple case of Microsoft creating a patch and making it available for download so that you can fix the vulnerability before someone creates an exploit and turns your laptop into a zombie machine used for some nefarious purpose.

The theory is that if you patch quickly and you run anti-virus/anti-malware software you should be fairly safe. Systems running other operating systems, Apple OS X or Linux for example, are much newer than Windows, have less legacy code and less vulnerabilities, and by and large are smaller targets for hackers. Vulnerabilities are usually unique to an operating system or application, and therefore only affect a subset of Internet users.

Heartbleed is a little different. It's a vulnerability in the server security component designed to protect web-based traffic and a heap of other communications by encrypting and protecting the data going back and forth. The security is provided by Secure Sockets Layer/Transport Layer Security (SSL/TLS), which makes the difference between an HTTP and HTTPS address in the URL or address bar of your web browser. It also provides the green padlock on some browsers to signify that it's safe to enter confidential information, such as your name, address or credit card number. As mentioned earlier, SSL/TLS is also used several other ways, but its use in securing web traffic and e-commerce is ubiquitous and global.

A sudden and protracted widespread loss of confidence in the ability of users to interact securely with websites would have far reaching impact to Internet commerce, online banking, auction and travel websites and, perhaps topical for this time of year, in the United States and Canada, tax returns. In fact on Friday the Canadian government turned off the ability to submit tax return information online until it had a chance to assess the security of its systems.

Governments and commercial business now rely heavily on the ability to conduct business via the Internet so reluctance by consumers to also conduct business this way could have a massive impact on national and potentially global economies. This is why Heartbleed is SO significant above all other recent bugs and why a small error in the code behind TLS could possibly slow the world economy.

Of course this is a bit of a doomsayer view and in all likelihood, vulnerabilities will be patched within days the world over and security restored to the web and e-commerce. Two issues remain, however. First, the vulnerability in question has existed in certain versions of OpenSSL for two years.‘Should’ anyone have discovered this and exploited it to their own nefarious purposes, then there ‘could’ be all kinds of identity theft, and credit card and banking fraud, in addition to a heap of other problems related to the theft of Personal Identity Information, Protected Health Information and other confidential information.

The second issue is that consumers have been lulled and courted into using the Internet for the past 25 years on the promise that it was secure and that their information and finances were protected. This has allowed companies and governments to adopt more efficient and cost effective models of doing business that could now be challenged by a loss of confidence amongst their consumers. Depending upon media hype and whether anyone really was compromised, this could have a long-standing impact on the growth of business in this area.


What is the Heartbleed bug exactly?

It's a bug in certain versions of the ‘heartbeat’ feature of the TLS protocol used by OpenSSL that affects roughly two-thirds of the web servers that power the Internet. Hence the “Heartbleed” name. It's programming error was pushed to web servers over the past two years as they were upgraded to newer versions of OpenSSL and could affect the protection of the encryption keys and certificates used to identify users and to validate websites. It affects OpenSSL versions 1.0.1 released in December 2011 through 1.0.1f, which was until very recently the current version, along with certain beta versions of 1.02.

It doesn't affect Microsoft or Apple web servers, but it does affect a very large number of Apache web servers, which run mainly on Linux or Unix.

The heartbeat vulnerability was discovered a month ago and kept quiet while a patch was written and provided to systems administrators. Widespread publication of the Heartbleed vulnerability took place April 7th, and ever since there has been frantic activity by systems administrators and security professionals to patch systems before they could be compromised.

The OpenSSL 'Heartbeat' feature is used to maintain state and session information on users while they read, process or fill out web pages. It avoids a nasty time-out message and the need for the user to re-enter information again. Essentially it sends a 'heartbeat' back and forth to the web browser to see if the user is still there or not.

Instead of validating the advertised size of the heartbeat payload that OpenSSL writes to its memory, buggy versions of OpenSSL read back the payload from its first byte in memory to the length advertised for the heartbeat payload. Thus non-heartbeat information stored in memory is released if the advertised size of the payload is falsely provided. This is dangerous because that memory could contain confidential information posted by a user: passwords, account information, credit card numbers or , much worse, the encryption keys used to protect the entire server.

A simple exploit of the vulnerability thus works on the basis on passing false heartbeat information to a web server in order to retrieve information stored in its memory. It does this 64Kb at a time. 64Kb might not sound like a lot of memory but its more than enough to capture all the information a hacker could want and what’s more, the exploit can be run time and time again pulling information from affected web servers.

Even more worrying, it appears that exploiting this bug leaves no trace in the server’s logs, so there’s no easy way for a system administrator to know if servers have been compromised.

Rather than try to explain the technical details behind the vulnerability let me show you a video blackboard explanation of the vulnerability and potential attack by Zulfikar Ramzan, MIT Ph.D. and CTO of cloud security firm Elastica, this video does a great job of explaining things in easy to understand graphical terms.




So what should you do to protect yourself?

First, don't panic. Systems administrators and cybersecurity professionals have spent the last few days reviewing and patching their web servers and other systems reliant upon TLS to remove this vulnerability. They have also changed the encryption keys used on these servers. Some web sites that have been exposed have instituted a password reset, so that any passwords that users were using can no longer be used to access secure content, just in case these have been compromised.

It may take a few more days or even a another week or so for systems administrators to patch the majority of vulnerable systems - particularly those overseas where the message may take longer to reach. Many systems - those not running the vulnerable OpenSSL code - of course do not need patching as they were never at risk.

When the time is right, users should change their passwords for websites they use that may have been compromised. A fairly good list has been published by the folks at Mashable.

If a website or email service provider isn't listed, then you should look on the provider's website for information on Heartbleed for direction, and if none is provided, change your password anyway.

Of course if you rush out and change your password today, before the server vulnerability has been patched, then you run the risk of having to repeat the exercise again once it has been!

Once you've found that a website has been updated with the fix, change your password. Use a different password for each website on which you have an account. This keeps a hacker from potentially getting access to all of the accounts where you used the same password.

Systems administrators have a lot more work to do. The Heartbleed vulnerability may have exposed a lot more than user information and passwords. Not only will OpenSSL libraries need to be updated, but server certificates also will need regenerating, passwords changed and other vulnerable services using TLS updated. This includes services like FTP and VPN and even home network appliances like routers and firewalls most of which use TLS.

Systems Administrators should act quickly to patch all vulnerable systems and test patched systems to ensure that security vulnerabilities do not still exist.

Only then will user confidence be restored and our love relationship with conducting business from the comfort of our homes and workplaces reinstated - albeit more securely than it has been for the past two years!

New Guidelines for Securing Medical Devices and Networks

Medical Device Security

The increased use of technology in healthcare over the past decade has resulted in greatly improved patient outcomes. However, the addition of IP-enabled devices has elevated concerns about security. The U.S. Food and Drug Administration recently published an advisory on Cybersecurity for Medical Devices and Hospital Networks and a new draft guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

It’s likely that the FDA’s guidance responds to a presidential Executive Order and Policy Directive aimed at reducing critical infrastructure risk and a Department of Homeland Security bulletin about the vulnerability of health system LANs due to unsecured medical devices connected to them.

As things stand, medical devices, which include everything from intravenous pumps and pharmacy robots to implanted pacemakers, can represent a huge vulnerability to the security of networks used to deliver healthcare. Many networks connect to hospital LANs via older, insecure wireless technology. Furthermore, many still retain their default security settings, making them easy targets for hackers. Medical devices have become, therefore, a potentially unsecured backdoor to vast amounts of highly valuable, personally identifiable health information stored on healthcare networks.

Not all providers have firewalled and segmented their networks to isolate these insecure medical devices, or implemented “bent-pipe” application security to encapsulate all communications to and from endpoints. As the black market price of a medical record continues to soar, cybercriminals are directed increasingly to the easy pickings of poorly secured healthcare networks, making the risks all the more apparent.

While the FDA’s guidance to medical device manufacturers has been a long time coming, in its current form it directs manufacturers to evaluate and address cybersecurity risks and vulnerabilities for current and planned devices. It does not necessarily address the millions of devices that may no longer be supported by manufacturers, but that still dominate hospitals and healthcare systems.

Despite an increased awareness about the vulnerability of these older devices, financial pressure on healthcare delivery makes it challenging for health providers to rip and replace them. Alternative security controls need to be considered to protect these devices and the networks to which they are attached.

While the new FDA guidelines and DHS bulletin stress the risks that medical devices pose to hospital networks, we also need to take into account the reverse situation. If hospital networks can be compromised via wireless medical devices, it stands to reason that life-sustaining medical devices can be compromised through poorly secured hospital networks. While some healthcare providers have state-of-the-art networks with high levels of performance, reliability and security, others have yet to make this investment in people, process and technology.

With ever-growing numbers of medical devices used in critical patient care, the risks that one or more will be compromised should be a huge concern to all of us. As they stand currently, these life-sustaining devices could be targets for cyberassassins or cyberterrorists seeking to extort or hold for ransom patients, medical device manufacturers and healthcare providers.

While attacks of this sort are not yet common, some have already occurred. A real possibility exists that more attacks of this type will take place in the not-too-distant future unless better security controls are used to protect these devices and the networks to which they are connected.

This post was co-authored with Sam Visner, who leads CSC’s global company‐wide cyber strategy.


The King is dead. Long live the King


Welcome to the new site. I retired and archived the old blog site in favour of the enhanced functionality of this new presentation template. I hope you agree that it presents information in a much cleaner format.