More stories


    Crypto.com confirms 483 users hit in attack that saw over $31m in coins withdrawn

    After hinting at final numbers during the week, Crypto.com has made an official statement on the incident that saw it pause its users’ ability to withdraw funds.

    The company said on Monday that 483 users were affected by unauthorised cryptocurrency withdrawals from their accounts. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said. “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.”

    At the time of writing, the ether was worth just shy of $14 million and the bitcoin just over $17 million, putting the total around the $31 million mark, depending on the day’s volatile cryptocurrency prices.

    Crypto.com said it saw the transactions occurring early on Monday morning UTC, and that the affected users’ two-factor authentication was not involved in approving them. “Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours,” it said.

    “In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.”

    The company said it has also added a new policy under which the first withdrawal to a whitelisted address must wait 24 hours, along with a program to refund users up to $250,000 if unauthorised withdrawals are made and certain terms are met. Those terms include: having multi-factor authentication enabled on all transactions where possible; having set an anti-phishing code at least 21 days before the unauthorised withdrawal; not using a jailbroken phone; filing a police report and sending the company a copy; and answering a “questionnaire to support a forensic investigation”.

    “Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims,” the company said.
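The withdrawal controls described above, as an added example that is not Crypto.com’s code: a toy policy that revokes every 2FA token at once, demands a fresh second factor for each withdrawal, and holds the first withdrawal to a newly whitelisted address for 24 hours, plus the detection-side check that would surface withdrawals with no 2FA step, which is what Crypto.com said it observed. The class and function names, the five-minute 2FA freshness window, the event layout and the sample events are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added illustration, not Crypto.com's code. It models the controls the
# statement describes: revocable 2FA enrolment, a per-transaction second
# factor, an address whitelist, and a 24-hour hold on the first withdrawal
# to a newly whitelisted address. Names, data layouts and windows are assumed.

WHITELIST_HOLD = timedelta(hours=24)
MFA_FRESHNESS = timedelta(minutes=5)   # assumed: how recent the 2FA step must be


@dataclass
class Account:
    user_id: str
    mfa_generation: int = 0                          # generation the user's token was issued under
    whitelist: dict = field(default_factory=dict)    # address -> time it was whitelisted
    withdrawn_to: set = field(default_factory=set)   # addresses with a completed withdrawal


class WithdrawalPolicy:
    def __init__(self):
        # Bumping this invalidates every customer's existing 2FA token at once,
        # the "revoked all customer 2FA tokens" step of the incident response.
        self.generation = 1

    def revoke_all_2fa(self):
        self.generation += 1

    def enrol_2fa(self, acct):
        acct.mfa_generation = self.generation

    def whitelist_address(self, acct, addr, now):
        acct.whitelist.setdefault(addr, now)   # keep the original whitelisting time

    def authorize(self, acct, addr, now, mfa_verified_at):
        """Decide one withdrawal. mfa_verified_at is when a valid second-factor
        code was presented for this transaction, or None if none was."""
        if acct.mfa_generation != self.generation:
            return False, "2fa_reenrolment_required"
        if mfa_verified_at is None or now - mfa_verified_at > MFA_FRESHNESS:
            return False, "2fa_required"
        if addr not in acct.whitelist:
            return False, "address_not_whitelisted"
        first_time = addr not in acct.withdrawn_to
        if first_time and now - acct.whitelist[addr] < WHITELIST_HOLD:
            return False, "whitelist_hold_active"
        acct.withdrawn_to.add(addr)
        return True, "ok"


def find_withdrawals_without_2fa(events, window=MFA_FRESHNESS):
    """Detection side: flag withdrawals with no preceding 2fa_ok event for
    the same user inside `window`. events are (timestamp, user_id, kind)."""
    last_ok = {}
    flagged = []
    for ts, user, kind in sorted(events):
        if kind == "2fa_ok":
            last_ok[user] = ts
        elif kind == "withdrawal":
            ok_at = last_ok.get(user)
            if ok_at is None or ts - ok_at > window:
                flagged.append((ts, user))
    return flagged


T0 = datetime(2022, 1, 17, 0, 0, tzinfo=timezone.utc)   # constructed timestamp

SAMPLE_EVENTS = [   # constructed, not real exchange logs
    (T0 - timedelta(hours=2), "carol", "2fa_ok"),       # stale step, long before the withdrawal
    (T0 + timedelta(minutes=1), "alice", "2fa_ok"),
    (T0 + timedelta(minutes=2), "alice", "withdrawal"),
    (T0 + timedelta(minutes=3), "bob", "withdrawal"),   # no 2FA step at all
    (T0 + timedelta(minutes=4), "carol", "withdrawal"),
]


def demo_policy():
    """Walk one account through the controls; returns the decision reasons."""
    policy = WithdrawalPolicy()
    acct = Account("alice")
    policy.enrol_2fa(acct)
    policy.whitelist_address(acct, "0xabc", T0)
    reasons = []
    t = T0 + timedelta(hours=1)
    reasons.append(policy.authorize(acct, "0xabc", t, t)[1])                           # inside the 24h hold
    t = T0 + WHITELIST_HOLD
    reasons.append(policy.authorize(acct, "0xabc", t, t - timedelta(minutes=1))[1])   # hold over, fresh 2FA
    reasons.append(policy.authorize(acct, "0xabc", t + timedelta(minutes=1), None)[1]) # 2FA still required
    policy.revoke_all_2fa()                                                            # incident response
    t = t + timedelta(minutes=2)
    reasons.append(policy.authorize(acct, "0xabc", t, t)[1])                           # old token no longer accepted
    return reasons


if __name__ == "__main__":
    print(demo_policy())
    for ts, user in find_withdrawals_without_2fa(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} withdrawal by {user} without a recent 2FA step")
```

The generation counter is the point worth copying: revoking every token is a single increment rather than a per-user sweep, and any withdrawal authorised with a token from an older generation fails closed until the customer re-enrols. The detector is the inverse of the policy check, so the two can be run against the same event stream to confirm the enforcement path is actually being hit.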


    Commercial surveillance the more immediate problem for citizens: Home Affairs chief

    Home Affairs secretary Mike Pezzullo has made clear his intended approach to the reform of Australia’s electronic surveillance laws: bulldoze everything and start again. We also need “a broader societal discussion about privacy”, he said.

    Speaking at a seminar organised by the Australian Strategic Policy Institute (ASPI) on Thursday, Pezzullo described the surveillance law reforms now under way as a rebuild rather than a renovation.

    “I’d like to get to a point if we can design the legislation almost as if we are… not just renovating an existing structure, but literally clearing a site, levelling it, understanding what’s in the ground, what all the different conditions are in relation to that site, and building the new structure together,” he said.

    Pezzullo wants “everyday Australians” to have the confidence that it would be “highly unusual for any of their data, any of their devices, or indeed any of their engagement through their devices with data, to be the subject of surveillance or interception”. He wants to “move hopefully away from a notion, which has crept into the discussion around surveillance, of the mass ingestion of data almost for a ‘store and use it later’ basis”.

    Dennis Richardson’s 1,300-page review of the national intelligence community’s legislative framework, released in December 2020, recommended a whole new electronic surveillance Act. The aim would be to clean up what has, over four decades, become a tangled mess of laws.

    The government agreed, and last month the Department of Home Affairs released a discussion paper outlining this goal: “A consistent approach in terms of thresholds, purposes, safeguards, or accountability”, with better privacy protections and a consistent approach to different communications and data technologies into the future.

    “[We would like to engage] in a very genuine, deep, consultative process. We really want to hear from experts in the field about the challenges that are discussed in the discussion paper,” Pezzullo said. “How do you get these balances right, almost at a philosophical level, between security and liberty?”

    Spies will always be “much more restricted” than surveillance capitalism

    That said, according to Pezzullo, we should be more concerned about what’s being done by commercial operators in the name of so-called surveillance capitalism.

    “It’s more than passing strange to me … that we shed more of our own personal and sometimes quite intimate data in ways that we probably don’t fully understand or appreciate,” Pezzullo said. “I think the more immediate pressing problem for the citizenry is to actually understand what companies are doing with that personal and sometimes intimate data,” he said. “Everything that government will do will always be purposely designed by the parliament to be much more restricted than that.”

    Pezzullo’s argument is that commercial operators cast their gaze as widely as possible to maximise profits, whereas law enforcement and intelligence agencies are required to limit their attention to people who are lawfully being investigated for serious crimes. “That’s very different, a very different direction from the way in which all of society’s otherwise going,” he said.
    “We’d very much like to land this legislation as a model exemplar back to the private sector about how to engage in moderated self-restraining surveillance.”

    Katherine Jones, secretary of the Attorney-General’s Department, says she is “on a unity ticket” with Pezzullo in wanting a wide-ranging consultation process.

    “Working closely with Home Affairs, we’re able to be engaged as these reforms have been considered, discussed, with stakeholders, designed, and ensure that we can put in absolutely the most effective safeguards that are built into the legislation, but also the most effective oversight mechanisms,” Jones said. “I think we have a generational opportunity to improve in this space,” she said. “We’ve got an opportunity to do that in a much more embedded-by-design way, rather than the ad hoc way it’s been developed over the last 30 years.”

    A question of thresholds: Which crimes are ‘serious’?

    One question which continues to plague Australia’s patchwork of electronic surveillance laws is the kinds of crimes against which they can be used. As Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, pointed out, the UN’s International Covenant on Civil and Political Rights does have “clear carve outs regarding when privacy can legitimately be a secondary concern”.

    “These are extreme circumstances — significant national security threats, threat to life, threat to public order — which must be used proportionately to the threat at hand,” Falk told ZDNet. “In such extreme circumstances, privacy, while still vitally important, comes second place to the common good.”

    But which crimes are “serious”? For example, as your correspondent has previously noted, Australia’s controversial anti-encryption laws can be used for offences “punishable by a maximum term of imprisonment of 3 years or more or for life”.
    Looking around the various jurisdictions, this could cover such existential national security threats as graffiti, criminal damage, menacing phone calls, or even pranks.

    The Home Affairs discussion paper does float the options of setting the threshold at sentences of three years, or five, or seven. But other measures could also be used, such as whether a crime causes serious harm.

    A key factor here is gaining the public’s trust that the balance is right, something the UK recognised in the report from its own consultation on these issues, A question of trust: report of the investigatory powers review. The report presented a range of case studies which, while not giving away any classified information, explained how and why the powers were used. As Falk told the ASPI seminar, “They [in the UK] go to great lengths to explain the what and the why”. “It’s important that the public have a clear-eyed view,” she said.

    Home Affairs is accepting public submissions on its discussion paper until February 11. Assuming the timeline remains the same after the forthcoming federal election, an exposure draft of the legislation would be published before the end of this year, with another round of public consultation before legislation is introduced into parliament some time in 2023. Richardson estimated that the whole process would take two to three years and cost around AU$100 million, with another couple of years to rework IT systems and retrain staff.


    OpenSea confirms outage after platforms report issues with displaying NFTs

    Popular NFT marketplace OpenSea confirmed an outage that affected its API, causing problems for multiple sites that use it to display NFTs. On Thursday, several people took to social media to report issues with their NFTs displaying. Motherboard was the first to report the outage.

    An OpenSea spokesperson said the outage began at 6:05am PT and was resolved by 8:30am PT. But the company’s own status page shows the outage lasted far longer, with programmatic access to the API being fully restored at about 3:30pm PT. OpenSea said the discrepancy was because it kept its programmatic API disabled while monitoring the fix to ensure site reliability.

    OpenSea initially told ZDNet that its platform team was “immediately all hands on deck to identify and correct the issue.”

    “We know how important a reliable site with minimal downtime is to our community, and are working quickly to address this area in a number of ways, including expanding our engineering team to more than 200 people by the end of this year, re-architecting OpenSea for scale, and reducing our customer support times significantly,” the OpenSea spokesperson said.

    The spokesperson added that the NFT ecosystem exploded last year and interest in NFTs skyrocketed. OpenSea’s transaction volume increased over 600x in 2021, according to the spokesperson, who added that the massive increase in user activity caused “technical growing pains” as the company tried to scale rapidly.

    Data from tradingplatforms.com shows that global NFT sales surpassed the $4 billion mark over the last 30 days. OpenSea topped the sales charts, handling nearly 500,000 transactions totalling $3 billion. The platform’s transaction count grew 20%.

    The OpenSea spokesperson pointed to a blog post published two weeks ago by OpenSea CEO Devin Finzer that sought to address the site stability challenges the platform has experienced over the last few months.

    “I recognize that the impact of OpenSea downtime is significant for many of you who depend on our platform. We take accountability for the recent instabilities – and I wanted to personally apologize, explain, and outline our plans to prevent this from affecting you in the future,” Finzer said.

    “Improving site reliability has been a priority for some time (in fact, it’s one of the focus areas I mentioned in our recent funding announcement). We were a team of just seven people at the start of 2021, and as NFTs took off last year, we had to scale fast. That kind of scale comes with growing pains, which many of you have experienced firsthand.”

    Finzer reiterated what the OpenSea spokesperson told ZDNet, pledging to build out the engineering team, re-architect OpenSea, and reduce customer support times.

    In October, security firm Check Point Research said that flaws in the OpenSea NFT marketplace could have allowed “hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.”

    The outage on Thursday occurred on the same day that Twitter announced it would allow some users to use NFTs as their profile picture.


    Google calls for a secure 'data transfer framework' between the US and EU

    Google is calling on lawmakers in the US and Europe to establish new rules for a secure data transfer framework. Kent Walker, President of Global Affairs and Chief Legal Officer at Google, published a blog post on Wednesday about the current data transfer framework that is causing friction between the US and the European Union.

    The General Data Protection Regulation (GDPR) went into effect in 2018 as a data privacy law intended to give citizens more privacy and a better understanding of their rights when handing over personal data, and to push organizations to take more precautions when handling information. Under the GDPR, organizations must ensure that personal data is gathered legally and under strict conditions, and those who collect and manage data must protect it from misuse or exploitation and respect the rights of data subjects, or else face penalties.

    The friction between US tech companies and the GDPR has been ongoing. Last week, the Austrian Data Protection Authority (DSB) decided that a local Austrian website breached the GDPR by using Google Analytics, finding that Google Analytics did not provide an adequate level of protection for users’ data.

    This isn’t the first time Google has been in hot water over the GDPR. In 2019, the French data protection authority, CNIL, fined Google, alleging that the tech giant was breaking the rules on transparency when processing people’s data for advertising purposes.

    Google’s current stance is clear: it wants a clear, durable data transfer framework between the US and the EU. “A durable framework — one that provides stability for companies offering valuable services in Europe — will help everyone, at a critical moment for our economies,” Walker wrote.

    Walker warned that if a framework is not created and data flows become blocked, it would “highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem.”


    FAQ: What's happening with 5G and airport safety?

    Even if you’re not a frequent flyer, you’ve probably heard that the Federal Aviation Administration (FAA) and numerous airlines are claiming that AT&T and Verizon Wireless’s recently approved C-Band 5G will dangerously interfere with airplane takeoffs and landings. Will this new 5G be dangerous? Can a 5G call knock a plane out of the sky? Here’s what we know:

    What kind of 5G is potentially dangerous?

    There are three basic kinds of 5G:

      • Millimeter wave (mmWave): Very fast, up to 1 Gigabit per second (Gbps), but with an extremely short range.
      • Midband: Speeds around 100 Megabits per second (Mbps) and 4G-like range.
      • Lowband: Only comes with speeds around 20Mbps, but has a range of dozens of miles.

    What has the FAA and the airlines worried is a new midband variation: C-Band 5G. The chunk of spectrum known as C-Band lies between 3.7 GHz and 4.2 GHz and is capable of speeds in the 200-800Mbps range. In the past, it was used for satellite video providers and satellite phone services. AT&T and Verizon bought up the bulk of this spectrum for a combined $68 billion. You don’t spend that kind of money unless you plan on using it.

    Quick note: There’s no evidence behind the rumors that other kinds of 5G cause health problems.

    What’s the problem with C-Band 5G and airplanes?

    The FAA has warned airlines that these signals could interfere with some altimeters that pilots rely on to land in low-visibility conditions. According to a report from the Radio Technical Commission for Aeronautics (RTCA) — a technical non-profit used by government and industry regulatory authorities — “this frequency band may introduce harmful radio frequency (RF) interference to radar altimeters currently operating in the globally-allocated 4.2–4.4 GHz aeronautical band. Radar altimeters are deployed on tens of thousands of … aircraft … to support several critical safety-of-life aircraft functions throughout multiple phases of flight.”

    The specific concern is that the altimeters’ receivers may not filter out signals spilling over from a neighbouring part of the spectrum (so-called spurious emissions). In short, the fear is that interference from C-Band 5G will keep the altimeters from working properly.

    Shrihari Pandit, co-founder and CEO of NYC-based internet provider Stealth Communications, said, “Both smaller and older aircraft don’t have a filter in place that would allow them to only receive signals designated to their systems.” Pandit continued, “Radar Altimeters are allocated 4.2 to 4.4 GHz, and are based on a radar modulation known as Linear Frequency Modulation… Unfortunately, most altimeters in the field do not use a crystal oscillator to stabilize the signal, thus altimeter signals may drift outside or to the edges of the 4.2 and 4.4 GHz band.”

    This, combined with the altimeters’ high receiver sensitivity, makes them all too susceptible to interference. Making matters worse, there are no, I repeat no, technical standards for altimeters.
The FAA said in a Special Airworthiness Bulletin that airlines and pilots must “be prepared for the possibility that interference from 5G transmitters and other technology could cause certain safety equipment to malfunction.” Such “5G interference with the aircraft’s radio altimeter could prevent engine and braking systems from transitioning to landing mode, which could prevent an aircraft from stopping on the runway.”This is a huge deal. The RTCA warns, “Radar altimeters are the only sensor onboard a civil aircraft which provides a direct measurement of the clearance height of the aircraft over the terrain or other obstacles, and failures of these sensors can therefore lead to incidents with catastrophic results resulting in multiple fatalities.”However, not everyone agrees with this worst-case assessment.

    Is it really that bad?

    The Federal Communications Commission (FCC) concluded in 2020 that studies warning of this danger did “not demonstrate that harmful interference would likely result under reasonable scenarios” or even “reasonably ‘foreseeable’ scenarios.”Tom Wheeler, a visiting Brookings Institution fellow and former FCC head, said in a paper that he doesn’t think there’s a real technical problem (the paper bears the rather alarming title, “Will 5G mean airplanes falling from the sky?”).The long-term answer to this problem is to “improve the resilience of future radar altimeter designs to RF interference.” In the meantime, Wheeler pointed out, “The FCC created a guard band between the 5G spectrum and the avionics spectrum in which 5G was forbidden. Boeing, in a filing with the FCC, had proposed just such a solution. The Boeing proposal was to prohibit 5G ‘within the 4.1-4.2 GHz portion of the band.’ The FCC agreed and then doubled the size of Boeing’s proposed guard band to a 220 MHz interference buffer between the upper 5G usage at 3.98 GHz, and avionics usage at 4.2 GHz.”That’s all well and good, but the FAA and major US and international airlines aren’t buying it.

    What are airlines doing now?

    On Monday, the major airlines warned that operating commercial networks on C-Band 5G could cause a “catastrophic” aviation crisis. Specifically, it could render many widebody aircraft unusable, “could potentially strand tens of thousands of Americans overseas,” and could cause “chaos” for US flights.Numerous international airlines are no longer flying their full scheduled US flights, including Emirates, Japan Airlines, British Airways, Singapore Airlines, Korean Air, and Air India. Some are canceling flights altogether, while others are switching out planes.As Emirates President Tim Clark told CNN, the airline was not aware of potential 5G rollout problems until the last minute. He called the C-Band 5G situation “one of the most delinquent, utterly irresponsible” he had ever seen.

    How was Europe able to deploy C-Band 5G without any trouble?

    US C-Band spectrum and European C-Band spectrum are not the same thing. In the EU, C-Band 5G operates in the 3.4 to 3.8 GHz range, further away from the radar altimeters’ 4.2 to 4.4 GHz band.

    Which planes are safe and which aren’t?

    According to the FAA, some Boeing 717, 737, 747, 757, 767, 777, MD-10/-11, and Airbus A300, A310, A319, A320, A330, A340, A350, and A380 models use one of five approved safe altimeters. At first, 777s were not considered safe, and many flights using this plane have been canceled. Now, 777 flights are back on schedule. On the other hand, the FAA warns that Boeing 787-8, 787-9, and 787-10 airplanes’ altimeters may not be safe when exposed to C-Band 5G. Without going into any more detail, however, the FAA warned yesterday that only about 62% of the US commercial airplanes are safe to perform low-visibility landings at airports where C-band 5G has been deployed.Faye Malarkey Black, head of the Regional Airline Association (which represents smaller, regional airlines) tweeted that “0% of the regional airline fleet has been cleared to perform low visibility landings at #5G impacted airports if/when weather drops below minimums. Today’s fair weather is saving rural America from severe air service disruption.”The FAA claims it is “reviewing testing data for altimeters used in regional jets.”

    Which airports are safe?

    The carriers originally agreed to delay C-Band 5G deployments near 50 airports identified by the FAA. Following an outcry from several major US airlines and aircraft manufacturers, which sent a joint letter to multiple government agencies, both AT&T and Verizon agreed to hold off on launching their C-Band services within two miles of any US airport. This means that all US air travel hubs should be technically safe. That hasn’t stopped some disruptions from occurring anyway, as noted above.

    When will C-Band 5G be deployed near airports?

    After many delays, C-Band 5G no longer has a scheduled deployment date anywhere near airports in the US. Both AT&T and Verizon agreed to the aforementioned last-minute delays of their planned C-Band 5G rollouts within two miles of airports. Although both carriers quickly offered new launch dates during previous delays, the pair now seem to be taking a “wait and see” approach. Given the secondary and tertiary launch dates that both telecom companies have already had to postpone, it’s understandable they wouldn’t want to make yet another commitment that they’ll end up having to pull the plug on at the last minute if this conflict between regulators can’t be settled.

    How did we ever get to a point where the FAA and the FCC were so completely disconnected from each other?

    Washington Post columnist David Von Drehle puts the blame squarely on the FAA: “5G — the long-promised next step in cellular technology. … wasn’t a secret. … Yet it seems to have caught the FAA by surprise. … Various compromises and delays [have been] offered by the wireless industry — all met with last-minute panic-mongering by the FAA.”

    Wheeler, however, puts the blame squarely on former President Donald Trump’s administration for neglecting the problem. Wheeler said:

    “The Department of Commerce’s National Telecommunications and Information Administration (NTIA) is supposed to be the telecommunications advisor to the president. It was NTIA that was tasked with developing the national spectrum plan that never was. Unfortunately, and reportedly as a consequence of a spectrum dispute, the NTIA head was axed and the agency remained without a permanent leader for the last 20 months of the Trump administration.

    “The consequence of this absence in both framework and leadership meant there was no underlying rationale nor consistent team to adjudicate among the various spectrum claimants. This left government agencies free to advocate their own spectrum policies. In such a situation, it is only natural that the individual agencies would retreat into their comfort zones and view spectrum only within their parochial interests.”

    Where do we go from here?

    According to President Joe Biden in a January 19th press conference, “I’ve … pushed as hard as I can to have 5G folks hold up and abide by what was being requested by the airlines until they could more modernize over the years so that 5G would not interfere with the potential of the landing.  So, any tower — any 5G tower within a certain number of miles from the airport should not be operative.”In a statement, Biden added, “My team has been engaging non-stop with the wireless carriers, airlines, and aviation equipment manufacturers to chart a path forward for 5G deployment and aviation to safely co-exist – and, at my direction, they will continue to do so until we close the remaining gap and reach a permanent, workable solution around these key airports.”And when will that be? We simply don’t know. 



    Treasury Department sanctions four Ukrainians for allegedly helping Russia

    The US Treasury Department announced sanctions against four Ukrainians accused of helping further Russian attempts to destabilize Ukraine and build support for an eventual invasion. The US claimed Russia “has directed its intelligence services to recruit current and former Ukrainian government officials to prepare to take over the government of Ukraine and to control Ukraine’s critical infrastructure with an occupying Russian force.” 

    The Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions against Taras Kozak, Oleh Voloshyn, Volodymyr Oliynyk, and Vladimir Sivkovich, four current and former Ukrainian officials the US said were involved in efforts to gather information and spread disinformation. Kozak and Voloshyn are both current members of the Ukrainian Parliament, and Oliynyk is a former government official who fled to Russia. Sivkovich is the former Deputy Secretary of the Ukrainian National Security and Defense Council.

    The sanctions mean any US property owned by the four is blocked and must be reported to OFAC. The four are also barred from doing business in the US. The US worked with Ukrainian government officials on the sanctions.

    “The United States is taking action to expose and counter Russia’s dangerous and threatening campaign of influence and disinformation in Ukraine,” said Deputy Secretary of the Treasury Wally Adeyemo. “We are committed to taking steps to hold Russia accountable for their destabilizing actions.”

    Kozak, Voloshyn, Oliynyk, and Sivkovich are accused of working with Russia’s Federal Security Service (FSB) on efforts to influence public opinion and create a climate in Ukraine that would make it easier for a new Russian-controlled government to operate and manage Ukraine’s critical infrastructure using an occupying Russian force.

    Both Kozak and Voloshyn are part of a political party led by Victor Medvedchuk, who was previously sanctioned by the US for alleged efforts to destabilize Ukraine in 2014. Medvedchuk is closely tied to the Russian government, according to the Treasury Department.

    Kozak manages a number of news outlets in Ukraine, and the Treasury Department noted that he was also involved in spreading misinformation about the 2020 US election in coordination with the FSB. Voloshyn has close ties to Konstantin Kilimnik, who was previously sanctioned by the US for his role in spreading misinformation about the 2020 US presidential election. Oliynyk is accused of helping the FSB gather information about Ukrainian critical infrastructure, and he currently lives in Moscow. According to the Treasury Department, Sivkovich worked with the FSB on a plot to “build support for Ukraine to officially cede Crimea to Russia in exchange for a drawdown of Russian-backed forces in the Donbas.”

    The US noted that the sanctions are only one part of the US effort to “inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine.” The sanctions come one day after US President Joe Biden warned that there would be a response to the website defacements and cyberattacks conducted against Ukrainian government systems.
“The overall strategy is designed to pull Ukraine into Russia’s orbit by thwarting Ukraine’s efforts at Western integration, especially with the European Union (EU) and North Atlantic Treaty Organization (NATO),” the Treasury Department added.


    “[Russia] has focused on disrupting one critical infrastructure sector in particular: Ukraine’s energy sector. Russia has also degraded Ukraine’s access to energy products in the middle of winter. Acting through Russia’s state-owned gas company Gazprom, Russia has repeatedly disrupted supplies to Ukraine — a vital transshipment country with pipelines to other European countries — due to purported disputes over gas pricing.”

    LogPoint CTO Christian Have, who previously served as head of network security for the Danish National Police, told ZDNet that the recent cyberattacks against Ukraine were disruptive but not destructive to critical infrastructure or defense operations. He called equating the recent cyberattacks to cyber warfare or advanced attacks “foolish” because no government services were disrupted. But from a Russian perspective, he said, the attacks were effective because they are a relatively low-cost, low-harm measure that would not provoke a harsh response yet would still send a clear signal about Russia’s cyber capabilities. The attacks also put pressure on Ukraine to reach a new settlement in the ongoing political talks, he added.

    But Have noted that the recent attacks could be cover for something else, such as credential harvesting in preparation for a bigger attack later. He theorized that the attackers may have been harvesting login details and then defaced the websites once that operational objective was reached.

    “This is a tactic that has been used by Belarusian threat actors, that are suspected of involvement in the Ukraine attacks. They have previously used credential harvesting domains attempting to spoof legitimate webmail providers, generic login pages, and the legitimate websites of their targets,” Have said. “While the origin of the attacks is still not determined, Russia’s cyber capabilities are well-established.”


    More than half of medical devices found to have critical vulnerabilities

    More than half of the connected medical devices in hospitals pose security threats due to critical vulnerabilities that could potentially compromise patient care. 

    According to the 2022 State of Healthcare IoT Device Security Report from Cynerio, 53% of the internet-connected medical devices analyzed had a known vulnerability, and one-third of bedside devices carried a critical risk. Cynerio analyzed over 10 million medical devices at more than 300 hospitals and medical facilities worldwide. The report warns that if these devices were accessed by attackers, service availability, data confidentiality, and even patient safety would be at stake.

    “Healthcare is a top target for cyberattacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care,” said Daniel Brodie, CTO and co-founder of Cynerio, in a statement. “Hospitals and health systems don’t need more data — they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death.”

    Of all the device types, the report found that infusion (IV) pumps are the most commonly vulnerable, with 73% having some type of vulnerability; they also make up 38% of a hospital’s IoT footprint. A compromised IV pump affects patients directly, since the pump is what delivers their medication. Some of these vulnerabilities have relatively simple causes, such as outdated software: the report found that most medical IoT devices were running Windows versions older than Windows 10. Default passwords shared across an organization are another common risk, with such weak default credentials protecting about 21% of devices.
    Healthcare has become the number one target for cybercriminals in recent years, primarily due to outdated systems and insufficient cybersecurity protocols. More than 93% of healthcare organizations experienced some type of data breach between 2016 and 2019.

    Just last month, Maryland’s Department of Health experienced a ransomware attack that affected the department for weeks. The attack left the department scrambling, since it could not release COVID-19 case rates amid the Omicron surge, and the number of COVID-19 deaths was not reported in the state for almost all of December.

    Cynerio notes that the solution to mitigating these vulnerabilities, and thereby reducing ransomware attacks, is network segmentation. By dividing up a hospital’s network, more than 90% of critical risks in medical devices would be addressed.

    CISA warns – upgrade your cybersecurity now to defend against “potential critical threats”

    The US government has urged organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems.

    The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new ‘CISA Insights’ document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA’s response to this week’s cyberattacks on Ukraine’s systems and websites, which the country’s officials have blamed on hackers linked to Russian intelligence services. Ukraine officials also told media that dozens of systems in at least two government agencies were wiped during an attack last week.

    The use of destructive malware is reminiscent of NotPetya in 2017, which was effectively ransomware that lacked a recovery mechanism. It hit several global businesses, most notably shipping giant Maersk, which needed to overhaul 45,000 desktops and 4,000 servers, although the actual target was probably businesses in Ukraine. Many NotPetya victims were infected through a hacked update for a Ukrainian accounting software package.

    “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure,” CISA notes in the Insights document.

    Prior to the latest cyberattacks on Ukraine, CISA published an advisory aimed primarily at US critical infrastructure operators detailing recent Russian state-sponsored hacker tactics, techniques, and attacks on enterprise systems such as VPNs, Microsoft Exchange, VMware, and Oracle software. It also spotlighted destructive attacks on operational technology (OT)/industrial control systems (ICS) networks in the US and Ukraine.
    The new CISA document stresses that “senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise.” It adds: “If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.”

    Microsoft on Saturday said it had found destructive malware on dozens of systems at government, non-profit and IT organizations, all located in Ukraine. The malware displays a ransom demand, but this is just a ruse: it overwrites the Windows Master Boot Record (MBR) and lacks a recovery mechanism, according to Microsoft.

    Multi-factor authentication is central to CISA’s recommendations. It should be used by all organizations for networks and systems that require privileged or admin access. The other core recommendation is patching systems with available updates. Also, organizations should disable all non-essential ports and protocols, implement controls for the use of cloud services, and conduct vulnerability scanning.

    CISA also recommends preparing a crisis-response team, developing response plans and nominating key personnel, and practicing incident response. To build resilience to destructive malware, CISA urges everyone to test backup procedures, ensure backups are isolated from network connections, and ensure that critical data can be rapidly restored. Organizations with ICS or OT systems should ensure critical functions remain operable during a network outage.