A hack nearly gained access to millions of computers. Here’s what we should learn from this.

https://www.vox.com/future-perfect/24127433/linux-hack-cyberattack-computer-security-internet-open-source-software

America’s potential Achilles’ heel in a cyber battle with China: Guam

“Chinese hackers have found a dangerous vulnerability in U.S. military computer networks nearly 8,000 miles from the Pentagon — on the serene South Pacific island of Guam.
They attacked essential infrastructure in the military outpost in May, infiltrating networks in the U.S. territory closest to China. Lawmakers and federal officials fear these attacks, which used a new method that allows intruders to linger undetected, could threaten security in the volatile region and sabotage any U.S. response to a Chinese invasion of Taiwan.”

“Officials in Guam welcome the help.

“When it comes to not just cyber, but our critical infrastructure as a whole, it’s important to realize that we are isolated,” Scott said. “We have proximity to the pacing threats, and we don’t have a lot of the resources on our own to self-sustain.””

https://www.politico.com/news/2023/09/16/potential-cyber-threat-guam-00116354

The rise of the Trump-Russia revisionists

“Does the media’s Trump-Russia coverage hold up? It depends on what coverage you’re talking about. The “Trump as Manchurian candidate” theories, the frenzied hunt to unearth any suspicious-sounding “contacts” with any Russians, and anything based on the Steele dossier — the explosive document that purported to have the goods on Trump but very much didn’t — have not aged well.
But the coverage and scandal were about more than that. Though it’s inconvenient for the revisionists’ narrative, the Russian government really did intervene in the 2016 election by hacking leading Democrats’ emails and having them leaked. Much of the coverage of the scandal now derided as “Russiagate” was about the investigation into whether anyone associated with Trump was involved in that Russian effort, treating this as an open question to which we simply didn’t yet know the answer.

Much of what the critics are arguing here is less about the facts of the scandal and more about the larger narrative around it. Should the media have treated Trump-Russia as the biggest political story in the country? Did the overall amount and tone of the coverage leave a false impression of his guilt? How does it compare to scandal coverage of other politicians, like Hillary Clinton?

And was the media and liberal establishment too suspicious of Trump in treating him like an unprecedented threat to the nation or have his subsequent actions proven they were right all along? The revisionists, in arguing that Trump got a raw deal, want to focus more attention on the overreaching of his liberal and establishment critics, but their one-sided account distorts the full picture of what happened, and reveals their own blind spots about the former president as he runs for office again.”

“A fuller recap of what the scandal was all about would go something like this: What became the FBI’s investigation into Trump-Russia was opened in the summer of 2016 for reasons having nothing to do with Steele, Fusion, or Alfa Bank.

That year, leading Democrats had seen their emails and documents stolen in hacks, later to surface on mysterious websites or to be published by WikiLeaks. Initial assessments blamed the Russian government for the hack (and Mueller’s team later confirmed those assessments, fleshing them out with much more detail).

Trump viewed these leaks as highly beneficial to him, touting them constantly on the campaign trail, and even publicly calling on “Russia, if you’re listening” to find more Clinton emails. (He then claimed this was a joke, but in private, he urged his campaign advisers to try and get ahold of more Clinton emails.)

While this was unfolding, the FBI received a tip that a little-known Trump foreign policy aide, George Papadopoulos, had been saying he knew Russia had damaging emails related to Clinton before any hack news was public. So the bureau opened a counterintelligence investigation originally focused on a discrete question: Had the Russian government conveyed information about their plans to interfere in the 2016 election to someone on Trump’s team?

This was, I would argue, an entirely reasonable question. And with hindsight, due to this investigation and reporting, we know that many shenanigans were indeed afoot.

Trump’s longtime adviser Roger Stone was trying to get hacked Democratic emails from WikiLeaks in advance, while apparently informing Trump about his efforts.
Trump campaign chair Paul Manafort was sharing the campaign’s polling data and strategy with an associate the FBI claims is tied to Russian intelligence.
Trump’s personal attorney, Michael Cohen, had reached out to the Russian government to try to get a Trump Tower Moscow project going, though it didn’t end up happening.
Donald Trump Jr. even welcomed an emailed offer of dirt on Hillary Clinton that was said to be “part of Russia and its government’s support for Mr. Trump,” setting up a meeting with Manafort and Jared Kushner to discuss it. (They didn’t find the information useful.)
Additionally, Trump later tried to get a different foreign government to help him win the 2020 election, in his effort to strong-arm Ukrainian president Volodymyr Zelenskyy into investigating the Biden family — so it’s not like he’s ethically opposed to colluding with a foreign government to help him win the presidency.”

“the revisionists too rarely acknowledge that many other media outlets, including the New York Times and the Washington Post, were more cautious about Steele’s claims, and about theories of Trump being Putin’s puppet. Much of their coverage of the Trump-Russia investigation and the topic generally was newsworthy and stuck to the facts, making clear that it wasn’t known whether Trump conspired with the Kremlin.”

“recall that Trump fired the FBI director and then quickly contradicted his own aides’ explanation for why he did so, saying it was because of “the Russia thing.” Should the assumption have been that Trump had nothing to hide? (Gerth puts great weight on Trump also saying that he thought the firing actually might prolong the Russia investigation, ignoring the false explanation Trump’s team initially offered for Comey’s firing and sounding rather too credulous about whether Trump truly would have let such an investigation proceed.)”

“How should the media cover these unfolding investigations when information about them is incomplete and imperfect and the full story really isn’t initially clear? How much coverage is too much and how much is not enough? Can the press really know in advance which investigation is a nothingburger and which isn’t? These are tough questions with no easy answers.”

“To be clear, there was too much hysterical and flawed reporting in Trump-Russia coverage, and that shouldn’t be defended. But a great deal of thoughtful, rigorous, and newsworthy work took place on that beat too. Journalists did not in the end find that Trump cut a deal with the Kremlin in 2016, but they unearthed a great deal about Trump and his allies in the process.

Dismissing the whole thing as a hoax or debacle — as the revisionists are doing — is too pat a dismissal. It was a complicated, messy endeavor”

Hackers have laid siege to U.S. health care and a tiny HHS office is buckling under the pressure

“the Department of Health and Human Services’ Office for Civil Rights, which is tasked with investigating breaches, helping health care organizations bolster their defenses, and fining them for lax security, is poorly positioned to help. That’s because it has a dual mission — both to enforce the federal health privacy law known as HIPAA and to help the organizations protect themselves — and Congress has given it few resources to do the job.
“They’re a fish out of water … They were given the role of enforcement under HIPAA but weren’t given the resources to support that role,” said Mac McMillan, CEO of CynergisTek, a Texas firm that helps health care organizations improve their cybersecurity.

Due to its shoestring budget, the Office for Civil Rights has fewer investigators than many local police departments, and its investigators have to deal with more than a hundred cases at a time. The office had a budget of $38 million in 2022 — the cost of about 20 MRI machines that can cost $1 million to $3 million a pop.

Another problem is that the office relies on the cooperation of the victims, the institutions that hackers have targeted, to provide evidence of the crimes. Those victims may sometimes be reluctant to report breaches, since HHS could then accuse them of violating HIPAA and levy fines that come on top of costs stemming from the breach and the ransoms often demanded by the hackers.

Depending on the circumstances, it can seem like blaming the victim, especially since the hackers are sometimes funded or directed by foreign governments. And it’s raised questions about whether the U.S. government should be doing more to protect health organizations.”

Health systems want government help fighting off the hackers

“Cyberattacks on health systems are on a steady rise, and their costs are mushrooming. Experts said there are a variety of reasons for the increase, including that criminals are getting more advanced and more aspects of health care are online.

When a cyberattack struck Sky Lakes Medical Center, a community hospital in southern Oregon, in late October 2020, its computers were down for three weeks. The most mundane tasks became arduous. Nurses had to check on critical patients every 15 minutes in case their vital signs changed. Doctors scribbled down their orders and the swelling mounds of paper took over whole rooms. In three weeks, the hospital ran through 60,000 sheets of paper.

Sky Lakes had to rebuild or replace 2,500 computers and clean its network to get back online. Even after it hired extra staff, it took six months to input all the paper records into the system. In total, John Gaede, Sky Lakes director of information services, says his organization spent $10 million — a big expense for a nonprofit with roughly $4.4 million in annual operating income (the organization did not pay a ransom).

For hospitals with limited budgets, there are questions about how well they can protect themselves. The attack on Sky Lakes was part of a wave of attacks in 2020 and 2021 connected to a criminal group in Eastern Europe.

“Our budgets typically have a margin of maybe 3 percent a year,” Gaede said, “but we’re supposed to compete with nation-state actors?”

Health data is lucrative on the black market, making hospitals a popular target. Plus, if a health system has ransomware insurance, criminals may think they’re guaranteed a payout. Ransomware ties up hospital records in encrypted files until a fee is paid.

“Back when ransoms were $50,000, it was cheaper to pay them than to deal with a lawsuit that would have cost far more,” says Omid Rahmani, associate director at Fitch Ratings, a credit rating agency, adding that ransoms now cost millions. “The landscape’s changed and because of that the cyber insurance side has changed — and that’s really connected to the rise of ransomware.”

In its annual cost of a data breach report, IBM writes the global average cost of an attack on a health system rose from about $7 million to over $9 million in 2021. But remediating these violations in the U.S. can be far more expensive.”

How a major oil pipeline got held for ransom

“the company was likely breached through a leaked password to an old account that had access to the virtual private network (VPN) used to remotely access the company’s servers. The account reportedly didn’t have multifactor authentication, so the hackers only needed to know the username and the password to gain access to the largest petroleum pipeline in the country.”

“Reports varied on whether Colonial paid the ransom or not until May 19, when Colonial acknowledged that it did indeed pay $4.4 million worth of bitcoin (which may not be worth $4.4 million anymore). CEO Joseph Blount told the Wall Street Journal that it was a difficult decision, but one that he felt was “the right thing to do for our country.”

Blount added that it will cost Colonial far more — tens of millions of dollars — to completely restore its systems over the next several months.”

We Can Take Advantage of the Russian Hack. Here’s How.

“Russia, China and others knowingly exploit two fundamental gaps in our cybersecurity architecture. They acquire or co-opt domestic computers and cloud services as a platform to launch malicious cyber operations. They appreciate that our intelligence services are focused on cyber activities beyond our borders, and that these services are generally not allowed to track foreign mischief once it moves onshore. Moreover, the private sector — very much a component of our national security — is largely left to fend for itself against foreign cyberattacks, yielding a situation inconsistent with the federal government’s role of providing our “common defense” under the Constitution.
Addressing these gaps raises enormously complex legal and policy questions about the scope of government in protecting us from foreign cyber malevolence. Yet our understandable hesitancy in confronting these questions allows adversaries to continue to exploit the situation. We must start that discussion and consider how our foreign intelligence services could work with the FBI and CISA — in a manner fully consistent with our values and the Constitution — to pursue foreign cyber maliciousness when it involves using domestic parts of the internet.

To have prevented this hack, we would have had to piece together information from the intelligence community about Russian intentions and activity, link it to hints (from affected agencies or DHS) that some government systems had suspicious domestic internet connections, and then monitor those internet connections. Media reports indicate that the Russians used a domestic internet domain leased from Go Daddy, a reputable and popular host for web domains, to control the malware that was inserted in government networks. Normally a search warrant or other legal process, often taking days, is required before the FBI can fully review the traffic connecting with a suspected malicious internet site. None of the foregoing steps could, at least under current structures, have been taken in sufficient time to detect the attack in the first place; at a very minimum, we could be better structured to stop such attacks from spreading.

There is no single structural or legal solution to the problem of foreign cyberattacks. More robust sanctions against foreign adversaries and better international efforts to stop the export of cyber mischief and bring cyber criminals to justice will also help. Working with other like-minded nations, we need to raise the risks and costs of cyber espionage and cyber damage.

But steps like those outlined above are also needed to bolster our federal government’s defenses and to give us more robust tools to use against foreign cyber wrongdoers. That, along with more vigorous sharing with private businesses of otherwise classified information about the techniques of those wrongdoers, would go a long way to addressing the vulnerabilities of the private sector, and thus help fulfill government’s responsibilities in that regard. As if we needed an illustration of the private sector’s vulnerability, the recent sophisticated attack was undetected even by cybersecurity incident response firm FireEye, apparently itself a victim, with some of its cybertools used to test customer network security audaciously stolen by the intruders.”