More stories


    First death reported following a ransomware attack on a German hospital


    German authorities are investigating the death of a patient following a ransomware attack on a hospital in Duesseldorf.
    The patient, identified only as a woman who needed urgent medical care, died after being re-routed to a hospital in the city of Wuppertal, more than 30 km away from her initial intended destination, the Duesseldorf University Hospital.
    The Duesseldorf hospital was unable to receive her as it was in the midst of dealing with a ransomware attack that hit its network and infected more than 30 internal servers on September 10, last week.
    The incident marks the first-ever reported human death indirectly caused by a ransomware attack.
    The patient’s death is currently being investigated by German authorities. If the ransomware attack and the resulting hospital downtime are found to have been directly responsible for the woman’s death, German police said they plan to treat the investigation as a negligent homicide case.
    According to German news outlet RTL, the ransomware gang withdrew its ransom demand after German police reached out. The hospital has since received a decryption key and is restoring its systems.
    In a tweet earlier today, hospital officials blamed the ransomware infection on a vulnerability in widely used commercial software.
    In a subsequent tweet, the same officials said they had notified German authorities, such as the federal cybersecurity agency BSI, which is responsible for issuing appropriate security warnings.
    A day earlier, the BSI had issued an unprompted warning asking German companies to update their Citrix network gateways against CVE-2019-19781, a known entry point for ransomware gangs.
    The Associated Press also reported today that the ransomware attack on the hospital’s network appears to have been an accident: the ransom note was addressed to the local university (Duesseldorf Heinrich Heine University), not the hospital, which was only part of the larger network.


    This ransomware has borrowed a sneaky trick for delivering malware to its victims

    One of the most dangerous cyber criminal ransomware operations around today has deployed a new tactic to help attacks stay undetected until it’s too late, one most likely borrowed from another ransomware group.
    What makes Maze so dangerous is that as well as demanding a six-figure – or higher – sum of bitcoin in exchange for the decryption key, they threaten to publish stolen internal data if their extortion demands aren’t met.
    The group is already skilled at infiltrating organisations’ networks, but it has now adopted a tactic that makes it even harder for victims to detect outsiders on the network: it distributes the ransomware payload from inside a virtual machine.
    A similar tactic has previously been used by the Ragnar Locker ransomware group and it appears that Maze has taken inspiration from them as an additional means of delivering ransomware.
    Cybersecurity researchers at Sophos uncovered the similarities between Maze’s new tactics and the techniques pioneered by Ragnar Locker when investigating a Maze ransomware attack in July.
    Using access to a file server, the hackers were able to deliver components required for the attack inside a virtual machine.
    The way the virtual machine was configured suggests that the attackers already had a strong hold on the victim’s network at this point, but deploying ransomware from inside a virtual machine helped keep the attack under the radar until encryption was triggered and the network could be held to ransom.
    “The virtual machine gives the attackers an unprotected machine to freely run the ransomware without fear of detection,” Peter McKenzie, incident response manager at Sophos told ZDNet.
    Maze is already a highly successful ransomware group, but the way it has adapted its tactics in this way shows that those behind it are continually attempting to find new ways to help make attacks even more successful – and therefore make more money from ransoms.
    “Much like many of the other ‘human led’ ransomware gangs that use a combination of advanced hacking tools and human ‘hands-on’ techniques, they are able to continue trying different techniques until they succeed or the targeted organization identifies the seriousness of the threat and takes action to remediate it,” said McKenzie.
    “Unfortunately many organizations have never had to deal with threats of this nature and are under-prepared to identify a human attacker on their network,” he added.
    Organisations can help protect against attacks deployed in this way by using application control to block software that has no business on a given machine (a hypervisor on a file server, for instance), so attackers cannot misuse it.
    Other steps organisations can take to avoid falling victim to a ransomware attack include ensuring that security patches are applied as soon as possible to prevent hackers from exploiting known vulnerabilities to gain a foothold inside the network in the first place, while organisations should also apply multi-factor authentication.
    It’s also important that organisations understand their own network and know what’s usual behaviour – and thus what’s unusual behaviour – so cybersecurity personnel can more easily spot suspected malicious activity.
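    As an added illustration of what a hunt for this technique can start from (this is not Sophos’ or ZDNet’s code, and the article names no specific hypervisor), the PowerShell below triages constructed process-creation log lines for hypervisor binaries, scoring higher when the binary runs from outside its normal install directory or is pointed at a virtual disk image on a network share. The key="value" log format, the binary list and the trusted install paths are assumptions to be tuned to your own fleet.

```powershell
# Added example, not Sophos' or ZDNet's code. Flags hypervisor/VM-management
# processes in endpoint process-creation telemetry and scores each hit by how
# far it deviates from a legitimately installed hypervisor.
# Assumptions: key="value" log lines, the binary list and the trusted paths below.

# VM/hypervisor binaries that rarely belong on servers or ordinary workstations.
$HypervisorImages = @(
    'vboxheadless.exe', 'virtualbox.exe', 'vboxmanage.exe', 'vboxsvc.exe',
    'vmware-vmx.exe', 'vmware.exe', 'vmrun.exe', 'qemu-system-x86_64.exe'
)
# Where a legitimately installed hypervisor normally runs from (lower-case).
$TrustedDirs = @('c:\program files\oracle\virtualbox\', 'c:\program files (x86)\vmware\')

function ConvertFrom-KvLine {
    # Parse one key="value" telemetry line into a hashtable.
    param([string]$Line)
    $ev = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $ev[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    return $ev
}

function Get-VmLaunchIndicators {
    # Return the list of reasons this event looks like attacker-staged VM activity.
    param([hashtable]$Event)
    $image = ([string]$Event['image']).ToLower()
    $cmd   = ([string]$Event['cmdline']).ToLower()
    $name  = Split-Path -Leaf $image
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($HypervisorImages -contains $name) {
        $reasons.Add("hypervisor binary: $name")
        $trusted = $false
        foreach ($d in $TrustedDirs) { if ($image.StartsWith($d)) { $trusted = $true } }
        if (-not $trusted) { $reasons.Add('launched outside a trusted install directory') }
    }
    # A virtual disk handed to the VM on the command line, worse if it sits on a share
    # (the article describes components delivered through access to a file server).
    if ($cmd -match '\.(vdi|vmdk|vhdx?|qcow2)\b') {
        $reasons.Add('virtual disk image on command line')
        if ($cmd -match '\\\\[\w.$-]+\\') { $reasons.Add('disk image loaded from a UNC share') }
    }
    return ,$reasons
}

function Invoke-VmTriage {
    # Emit one finding per suspicious event, severity = number of indicators.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $ev = ConvertFrom-KvLine $line
        $reasons = Get-VmLaunchIndicators $ev
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $ev['ts']
                Host     = $ev['host']
                User     = $ev['user']
                Image    = $ev['image']
                Severity = $reasons.Count
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample telemetry: a benign service, a developer's legitimate
# VirtualBox, and two events modelled on an attacker staging a VM from a file server.
$SampleLog = @(
    'ts="2020-07-21T02:11:03Z" host="FS01" user="NT AUTHORITY\SYSTEM" image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    'ts="2020-07-21T02:12:40Z" host="DEV-LT-07" user="CORP\alice" image="C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" cmdline="VBoxHeadless.exe --startvm ubuntu-dev"',
    'ts="2020-07-21T02:13:55Z" host="FS01" user="CORP\svc_backup" image="C:\Users\svc_backup\AppData\Local\Temp\vbox\VBoxManage.exe" cmdline="VBoxManage.exe storageattach micro --storagectl IDE --port 0 --device 0 --type hdd --medium \\FS01\IT$\micro.vdi"',
    'ts="2020-07-21T02:14:07Z" host="FS01" user="CORP\svc_backup" image="C:\Users\svc_backup\AppData\Local\Temp\vbox\VBoxHeadless.exe" cmdline="VBoxHeadless.exe --startvm micro --vrde off"'
)

Invoke-VmTriage -Lines $SampleLog | Sort-Object Severity -Descending | Format-Table -AutoSize
```

    The developer’s VirtualBox scores 1 (a hypervisor binary, but from its install directory), while the VBoxManage copy running from a service account’s Temp folder on a file server and attaching a .vdi from a UNC share scores 4, which is the shape of the staging Sophos describes. The list of binaries is deliberately short; the useful part is the baseline of where hypervisors legitimately run in your environment.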
    “Protection against human-led ransomware attacks requires not just the most advanced security software but also experienced threat hunters and incident responders that can spot the signs of an intruder on their network and take the appropriate actions to contain and neutralize the threat,” said McKenzie.


    Microsoft warns: This Windows 10 workaround to cure Lenovo ThinkPad BSODs hits security

    Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of death (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login. 
    Users started reporting issues after the August cumulative update KB4566782 for Windows 10 version 2004; the affected machines were Lenovo ThinkPads made in 2019 and 2020. However, Microsoft notes that the issue actually first appeared in the July 31, 2020 KB4568831 (OS Build 19041.423) preview update.   


    Lenovo offered a workaround that involved disabling the Enhanced Windows Biometric Security setting in BIOS Setup in the security and virtualization settings section. 
    The issue occurred when Lenovo’s Vantage app for updating hardware drivers attempted to use the Intel Management Engine to interface with firmware, an access path the update now blocks when that BIOS setting is enabled. 
    Microsoft has now published a detailed rundown of the bug, its symptoms, its cause and the workaround. The workaround is the same as Lenovo’s earlier one but comes with a stern security warning from Microsoft, which also explains how Lenovo Vantage violates Microsoft’s security controls in Windows. 
    Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft.  
    The workaround also affects some of Microsoft’s latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard.
    “This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk,” Microsoft states. 
    Microsoft explains that devices with the July 31, 2020 KB4568831 (OS Build 19041.423) Preview or later updates “restrict how processes can access peripheral component interconnect (PCI) device configuration space if a Secure Devices (SDEV) ACPI table is present and Virtualization-based Security (VBS) is running”. 
    “Processes that have to access PCI device configuration space must use officially supported mechanisms,” it adds. 
    According to Microsoft, the restriction is meant to stop malicious processes from modifying the configuration space of secure devices such as peripherals: Windows limits access to those devices’ configuration space to its own bus interfaces, so device drivers cannot rewrite it directly. 
    “If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error,” Microsoft explains. 
    It adds: “When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error.” 
    The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn’t said when that will be available. 
    The error codes affected users would see include ‘SYSTEM_THREAD_EXCEPTION_NOT_HANDLED’ on the Stop error screen and ‘0xc0000005 Access Denied’ in memory dump files and other logs. The associated driver is ldiagio.sys.
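    As an added check (not Microsoft’s or Lenovo’s code), the PowerShell below reports whether a device meets the conditions Microsoft lists (build 19041.423 or later, VBS running, an SDEV ACPI table present), whether Lenovo’s ldiagio.sys driver is installed, and whether the machine has already bugchecked with the 0x7E stop code, so an administrator can see what the BIOS workaround would cost before applying it. It assumes kernel32!GetSystemFirmwareTable reports ACPI tables by their four-character signature and that bugchecks are logged as event 1001 from the Microsoft-Windows-WER-SystemErrorReporting provider; run it in an elevated Windows PowerShell session.

```powershell
# Added check, not Microsoft's or Lenovo's code. Reports whether this device is in
# the configuration Microsoft describes (build 19041.423+, VBS running, SDEV ACPI
# table present), whether Lenovo's ldiagio.sys driver is installed, and whether it
# has already hit a 0x7E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED bugcheck.
# Assumptions: kernel32!GetSystemFirmwareTable answers ACPI table queries by
# signature, and bugchecks are logged as event 1001 from
# Microsoft-Windows-WER-SystemErrorReporting. Run elevated on Windows.

Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, IntPtr buffer, uint size);
'@

function Test-AcpiTable {
    # True when the firmware exposes an ACPI table with this signature (e.g. 'SDEV').
    param([string]$Signature)
    $tableId = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
    $acpi    = 0x41435049                       # provider signature 'ACPI'
    # Size query with a null buffer: a non-zero required size means the table exists.
    return ([Fw.Native]::GetSystemFirmwareTable($acpi, $tableId, [IntPtr]::Zero, 0) -gt 0)
}

function Get-PciConfigRestrictionState {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR
    # The restriction shipped in 19041.423 (the KB4568831 preview) and every later build.
    $hasRestriction = ($build -gt 19041) -or ($build -eq 19041 -and $ubr -ge 423)

    # Device Guard status: VBS state plus which VBS-backed services are running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2   # 0 = off, 1 = enabled, 2 = running
    $running    = @($dg.SecurityServicesRunning)
    $credGuard  = $running -contains 1                           # 1 = Credential Guard
    $hvci       = $running -contains 2                           # 2 = HVCI (memory integrity)

    $sdev    = Test-AcpiTable 'SDEV'
    $ldiagio = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*ldiagio*' }

    # Bugcheck 0x7E = SYSTEM_THREAD_EXCEPTION_NOT_HANDLED; the event text carries the code.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001 }
    $bugchecks = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                   Where-Object { $_.Message -match '0x0000007e' })

    [pscustomobject]@{
        OSBuild            = "$build.$ubr"
        RestrictionInBuild = $hasRestriction
        VbsRunning         = $vbsRunning
        SdevTablePresent   = $sdev
        RestrictionActive  = $hasRestriction -and $vbsRunning -and $sdev
        HvciRunning        = $hvci
        CredentialGuard    = $credGuard
        LdiagioInstalled   = [bool]$ldiagio
        Bugchecks0x7E      = $bugchecks.Count
    }
}

$state = Get-PciConfigRestrictionState
$state | Format-List

if ($state.RestrictionActive -and $state.LdiagioInstalled) {
    Write-Warning 'Lenovo diagnostics driver present while the PCI config-space restriction is active: expect the 0x7E Stop error until a fixed Vantage ships.'
}
if ($state.RestrictionActive -and ($state.HvciRunning -or $state.CredentialGuard)) {
    Write-Warning "The BIOS workaround also affects HVCI ($($state.HvciRunning)) and Credential Guard ($($state.CredentialGuard)) on this device; weigh that before applying it."
}
```

    The point of the firmware-table query is that all three conditions have to hold together: a patched build alone does nothing, and a ThinkPad with VBS off or without the SDEV table never hits the restriction. Where the report shows HVCI or Credential Guard running, removing Vantage (or waiting for the fix) is the cheaper trade than disabling the BIOS setting.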


    Five iOS 14 and iPadOS 14 security and privacy features you need to know about

    iOS 14 is out, and if you’re brave enough to install it you will be getting some new security and privacy features. Some are visible, others are buried in the operating system.
    Let’s go on a quick tour of five new settings and features you need to know about.
    Camera and microphone access
    Every time an app accesses your camera or microphone, a dot appears above the signal strength meter. A green dot for when the camera is accessed (similar to the green LED that lights up on Macs when the camera is on), and an orange dot for microphone access.

    Camera access notification

    Microphone access notification
    Also, if you access Control Center, there’s a notice at the top showing you recent apps that have accessed the camera or microphone.

    Microphone access notification in Control Center

    Camera access notification in Control Center
    This is automatic and there’s no user-input required and no way to turn it off.
    Copy/paste notification
    When data is copied and pasted a notification is shown on screen in the form of a popup. This is a simple yet effective way to know if apps are snooping on your clipboard.
    This is automatic and there’s no user-input required and no way to turn it off.

    Copy/paste notification
    Don’t let apps get your precise location
    Now you have the option to allow apps access to your general location, but not your precise location. It’s nice to have the choice to use location data without giving a pinpoint location.
    To access this setting go to Settings > Privacy > Location Services and then check the settings for the apps that have access to your location.

    Precise location or not
    Apps requesting local network access
    Another thing that you’ll see after installing iOS 14/iPadOS 14 is apps requesting local network access. Some apps need this — they may be used to control Bluetooth or WiFi gadgets — but why other apps need it is somewhat hazy.
    You get the choice.

    Local network access prompt
    And if you change your mind, you can head over to Settings > Privacy > Local Network and toggle access for each app.
    Put a stop to Wi-Fi tracking
    iOS 14/iPadOS 14 can supply a random “private” MAC address when you join or reconnect to a Wi-Fi network, which helps prevent you being tracked across networks by your hardware address.
    This feature is on by default; you can find it by going to Settings > Wi-Fi and then tapping the “i” in a circle next to the network.

    Private address
    Note that while this works fine on most networks, it can cause issues. For example, some smart networks are designed to send out a notification when a new device connects. It can also interfere with parental controls or corporate/enterprise networks where permissions are assigned based on MAC address (using a MAC address as an authentication factor is not recommended, since it is easily spoofed, but it happens).
    If you have problems on certain Wi-Fi networks, you may have to turn this feature off.


    Ransomware warning: Hackers are launching fresh attacks against universities

    Cyber criminals are increasingly targeting universities with ransomware attacks and academic institutions are being urged to make sure their networks are resilient enough to protect against them.
    The warning from the UK’s National Cyber Security Centre (NCSC) – the cyber arm of GCHQ – comes following a recent spike in hackers targeting universities with ransomware attacks during August. In some instances, hackers have not only demanded a significant bitcoin ransom from victims of attacks, but they’ve also threatened to leak stolen personal data of students if they’re not paid.


    The NCSC says it dealt with several ransomware attacks against universities that caused varying levels of destruction depending on the level of cybersecurity the institutions already had in place.
    And with colleges and universities gearing up to start the new academic year and welcome new students – while already facing challenges because of the ongoing coronavirus pandemic – they’ve been urged to make sure their cybersecurity infrastructure is ready to defend the additional challenge of a ransomware attack.
    “This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible,” said Paul Chichester, director of operations at the NCSC.
    “While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted.
    “We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves,” he added.
    The alert, titled “Targeted ransomware attacks on the UK education sector”, details some of the most common infection vectors, including Remote Desktop Protocol (RDP), phishing emails, and software and hardware left vulnerable by a lack of security patching.
    Mitigations that universities are being urged to adopt include effective vulnerability management and patching, securing RDP services with multi-factor authentication, installing anti-virus software, and ensuring staff and students are aware of the risks posed by phishing emails.
    It’s also recommended that universities have up-to-date and tested offline backups, so that if systems are encrypted by a ransomware attack, they can be restored without paying a ransom to cyber criminals.
    The NCSC also urges universities to test how they’d respond to a ransomware attack by using the NCSC’s free Exercise in a Box tool, which allows organisations to see how their defences would hold up against hacking scenarios based on real events.
    “As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance,” said David Corke, director of education and skills policy at the Association of Colleges.
    “This needs a whole college approach and for a focus wider than just systems, it needs to include supporting leaders, teachers and students to recognise threats, mitigate against them, and act decisively when something goes wrong. This guidance will prove incredibly useful for colleges to ensure that they can do just that,” he added.


    Overseas provider uses local laws to push back against Australian encryption laws

    New South Wales Police Force (NSWPF) has used Australia’s controversial Assistance and Access laws on a foreign operator, in an effort to “determine its capability to assist police”.
    Responding to the Parliamentary Joint Committee on Intelligence and Security and its review of the amendments made to the encryption laws, NSW Police said issuing a Technical Assistance Request (TAR) to the overseas provider could not have happened without the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA Act), since the provider would have previously informed its account holders of the request.
    “The TOLA regime permitted NSWPF to make those enquiries using accompanying non-disclosure provisions. NSWPF was able to obtain information about some of the provider’s capability which was previously not known,” it said.
    NSW Police said a combination of privacy protections, no profit/no loss costs agreements, and protection from civil liability had allowed the force to make requests it had previously not been able to.
    In a separate question, NSW Police said an overseas provider could not complete the requirements of the request issued.
    “A TAR (technology assistance request) was served on the provider, requesting the provision of information that was available to the provider, referenced to times and dates identified during the period of a Telecommunications Interception Warrant,” it said.
    “The provider responded they were unable to provide most of the requested information as they did not have access to the information sought.
    “The provider indicated they had the capability of providing some of the information sought, however, this information would not be provided due to laws within their jurisdiction prohibiting disclosure to overseas authorities.”
    Of the 14 TARs issued thus far by NSW Police, this was the only one to not be “complied with to the extent a provider was capable of doing so”.
    By contrast, Australian providers were much more welcoming of the new powers handed to Australian law enforcement bodies.
    “Two Australian-based [providers] expressly welcomed the non-disclosure and indemnity components of a TAR. Although these providers assisted NSWPF in the past without the need for a TAR, the amount of information provided, and the extent of the providers’ assistance was greater under a TAR than was traditionally sought or provided,” it said.
    One Australian provider did ask that a request made under section 313 of the Telecommunications Act be requested under the TOLA regime instead.
    Overall, NSW Police said nine different communications providers had been handed TARs from it.
    The information provided in its response to the committee built upon its appearance before the committee in August.
    NSW Police said at the time, its 13 TARs were related to investigations into murder, armed robbery, and commercial drug supply and importation. Since then, it has issued one further TAR, but has seemingly not extended the crimes investigated.
    At the time it wrote its response to the committee (sometime after August 14), NSW Police had four TARs in force, each for 20 days, plus one TAR issued on August 14 with no timeframe given; the remaining nine TARs had expired, having been in force for between 27 and 82 days, NSW Police said.
    Further, it said all requests were issued with an expiry date, and no requests were extended or varied.
    Since 6 December 2018, NSW Police said it had made 367 requests under section 313 of the Telecommunications Act.
    Under the TOLA Act, Australian law enforcement is able to issue voluntary TARs, as well as compulsory Technical Assistance Notices and Technical Capability Notices to compel providers to assist. NSW Police said in August it had not issued any compulsory notices.


    Healthcare chiefs bemoan Australian medical sector remaining stuck on paper

    A panel of healthcare professionals has underscored that there is still room to develop and improve the way health services are delivered in Australia, with the belief that technology has a crucial role to play.
    Bendigo Health CEO Peter Faulkner labelled Australia’s healthcare sector as “fragmented”, particularly in how technology investments are made.
    “Health services are very good at investing in clinical technology but are not so committed in the investment of information technology,” he said, speaking during a virtual event on Thursday.
    “It does give rise to what I call ‘digital inequity’ and, in some instances, digital poverty within health systems and services, and certainly across communities.
    “It’s also a reflection of the complexity of the service delivery system in Australia, with the Commonwealth, states, and territories all responsible for funding and operating different components of the health system. But also, the divide between public and private services within the system. It is a complex environment in that regard.”
    Medibank boss Craig Drummond agreed, saying that, unlike other sectors such as banking, the healthcare industry is a laggard when it comes to investing in technology aimed at improving customer experience.
    “Broadly adopted technology has been less patient or consumer-centric … I think we’re at a very immature stage in healthcare and a lot of work needs to be done,” he said.
    The panel’s conversation also turned to the federal government’s controversial My Health Record.
    Faulkner acknowledged that while the Commonwealth has attempted to bring about what he referred to as a “unifying digital platform” through My Health Record, it also has shortfalls.
    “It relies on providers to be able to generate digital content and to load that content into the national record,” he explained.
    “From a health services perspective, this means we need to capture the information digitally in an electronic health record, or if you are using paper records, you need to be able to scan and upload it. I know of independent specialists in 2020 who continue to operate their entire clinical practice on paper.
    “While we have a digital strategy across Australia, I don’t think we have a coherent investment program that incentivises and support practitioners across the country to invest in those fundamental interoperative platforms.”
    Like Faulkner, City of Sydney councillor and general practitioner Kerryn Phelps described how she has witnessed first-hand a concerning number of medical practitioners who are still not equipped with some of the most basic technologies.
    “A lot of practitioners are not even on computers at the moment and don’t have computer records … they’re not going to be able to upload files, even by scanning. We get a lot of faxes and hardcopy mail. We’re now getting more and more emails,” she said.
    “The hospitals are getting much better at sending summary discharges to GPs that we can automatically upload. If you’re computerised, you can get pathology record directly uploaded … we can see digital images with MRI, CT scans, ultra-sounds, x-rays.”
    Phelps’ main concern about My Health Record, however, remains privacy, and who can access the data on the platform.
    “We need the ethical and privacy framework very much in place on the outset, and I still have concerns … because there are too many ways of accessing that record by various entities without the patient’s permission or knowledge,” she said.
    Similar privacy concerns have been previously shared about the federal government’s online medical file, particularly around its overly broad access for law enforcement and the retention of data even when a health record was cancelled.
    As of July 2020, there are just over 22.8 million records and more than 70 million clinical documents on My Health Record.


    Human biohacking: an exciting prospect, but only for the rich?

    A multi-nation study finds that many of us consider biohacking exciting, but fears concerning hacking and privacy remain. 

    Human augmentation can describe many things. Hearing aids, pacemakers, and prosthetics are already in use, but in the future, we could be using the term for implants that improve cognitive abilities; chips that connect us to our smart devices, or bionic eyes that can restore lost sight, and more. 
    When it comes to future applications, countries worldwide are pushing ahead with the development of new technologies which could result in enhancements to the human body. 
    For example, Japan has recently set $1 billion on the table for researchers willing to pursue everything from human augmentation to longevity, due to the need to tackle an aging workforce and shrinking population. 
    At a roundtable discussion during Kaspersky NEXT 2020, senior security researcher David Jacoby and Director of Global Research & Analysis for Kaspersky Europe Marco Preuss cited military applications, industry, beauty, and healthcare as major biohacking arenas for future applications. 
    It might seem strange to ponder such a reality at a time when we have yet to establish internet connections that do not cut out during live remote events. Still, discussing the topic now may lead to preemptive regulation that can shape the emerging industry, unlike the delayed response to the Internet of Things (IoT) industry, which has opened the way to massive security problems. 
    On Thursday, Kaspersky released a new report, “The Future of Human Augmentation 2020: Opportunity or Dangerous Dream?,” that sought to clarify citizens’ viewpoints in multiple countries on the prospect of biohacking. 
    Taking place in July this year, the study included responses from close to 15,000 adults across 16 countries: Austria, Belgium, Czech Republic, Denmark, France, Germany, Greece, Hungary, Italy, Morocco, Netherlands, Portugal, Romania, Spain, Switzerland, and the United Kingdom.
    In total, 91% of respondents said they would change a feature of themselves if they could, and 63% said they would consider human augmentation to do so.
    Italians were the most likely to consider biohacking, at 81% in total. In contrast, the British are more cautious, with only 33% saying they would investigate human augmentation to change their own features. Spain, Portugal, Greece, and Morocco are also open to the idea of biohacking.
    Over half of the respondents, 53%, said that biohacking should be used for the good of all, such as in medical settings. However, 69% expressed concern that biohacking in the future will be reserved for the rich. 
    During the keynote at Kaspersky NEXT, this was an opinion also expressed by Julian Savulescu, Oxford University Professor and Uehiro Chair in Practical Ethics. 
    “It [human augmentation] will develop through market forces maximizing profits for large multinational companies,” Savulescu commented.
    In other words, the economy and consumer demand could drive biohacking initiatives, rather than any quest toward a common good. 
    Zoltan Istvan, the founder of the Transhumanist Party, agreed, noting that human augmentation is likely to be “controlled by capitalism to some extent,” and the “economy will be a driver, for better or worse.” 
    According to Savulescu, if biohacking is not going to be driven purely by personal needs and economic factors, we need to develop an improved moral compass based on wellbeing and what enhancements are good for people in general. 
    “You want duck lips? Good for you,” Savulescu said. “You want a monkey tail? Good for you. […] [However] We need to identify what is wellbeing, what is a good life, and what are good relationships, and use this account to identify what kind of enhancements are good for people, and what is not beneficial.”
    In comparison, Istvan believes that biohacking is intrinsically the next step in humans “aspiring to be something greater than ourselves.”
    “[I am] ultimately on the side of personal choice, as long as it doesn’t hurt anyone else directly,” Istvan said. “[…] Let people make those decisions themselves and the marketplace will follow.”
    Other interesting statistics released in the report include:
    • 88% of people stated that they feared their bodies could be hacked by cybercriminals
    • 36% of women and 25% of men considered augmentation to improve attractiveness appealing
    • Men are more interested in improving strength via biohacking (23%) than women (18%)
    • 47% believe governments should regulate human augmentation
    “Human augmentation is one of the most significant technology trends today,” Preuss commented. “But people are right to be wary. Augmentation enthusiasts are already testing the limits of what’s possible, but we need commonly-agreed standards to ensure augmentation reaches its full potential while minimizing the risks.”