Lack Of Computer Security Can Kill You

The last story presented below is a ransomware attack on a hospital system that has been reported as being linked to 4 deaths. By comparison, the other incidents are just annoyances.

First we have Ransomware. And there is a lot of it. The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush

Companies still refuse to take security seriously, and as a result, the Forces of Ransomware™ are running amok.

The linked article is dismaying in how many ransomware cases and variants it lists. There was one bright spot, in that the insurance companies are not just blindly underwriting insanity, but are insisting on some security.

News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!

They have to do something, or they are going to put themselves out of business insuring companies that have limited security in place.

Then there is the continuing resistance to applying software updates. Over 247K Exchange servers unpatched for actively exploited flaw. I can’t even feel sorry for these people.

The fix for these systems has been available since February of 2020, so they have gone AT LEAST 7 months, soon to be 8 months, without it.

Cyber-security firm Rapid7, added an MS Exchange RCE module to the Metasploit penetration testing framework it develops on March 4, after several proof-of-concept exploits surfaced on GitHub.

One week later, both CISA and the NSA urged organizations to patch their servers against the CVE-2020-0688 flaw as soon as possible given that multiple APT groups were already actively exploiting it in the wild.

That was back in March; here’s the situation today.

Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

And the numbers are almost as grim as they were before, with 61.10% (247,986 out of a total of 405,873) of vulnerable servers (i.e., Exchange 2010, 2013, 2016, and 2019) still being left unpatched and exposed to ongoing attacks.

The company’s researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers “have not been updated in six years.” [My emphasis. Z-Deb]

So you don’t update your systems for 6 freaking years. What exactly do you think is going to happen? I can’t even feel sorry for any of these people.
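Here is an added example, not code from this post or from Rapid7's Sonar tooling, of the kind of headcount described above, run over a constructed set of OWA login pages instead of the live internet. It assumes two things a reader must verify: that an Exchange OWA login page references its static assets under a path containing the server build (`/owa/auth/<build>/` on 2013 and later, `/owa/<build>/` on 2010), and that the patched build numbers in the table, written from memory of the February 2020 update, match Microsoft's published Exchange build table. The point it makes that a plain version compare misses: the fix shipped only for specific Cumulative Updates, so a server on an older CU is unpatched no matter how its build number sorts.

```python
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int, int, int]

# Patched builds of the February 2020 Exchange security update for
# CVE-2020-0688, keyed by (major, minor, CU build) with the fixed revision
# as the value. ASSUMPTION: written from memory; verify every entry against
# Microsoft's Exchange build number table before using this on a real fleet.
PATCHED_BUILDS: Dict[Tuple[int, int, int], int] = {
    (14, 3, 496): 0,    # Exchange 2010 SP3 Update Rollup 30
    (15, 0, 1497): 6,   # Exchange 2013 CU23
    (15, 1, 1847): 7,   # Exchange 2016 CU14
    (15, 1, 1913): 7,   # Exchange 2016 CU15
    (15, 2, 464): 11,   # Exchange 2019 CU3
    (15, 2, 529): 8,    # Exchange 2019 CU4
}

# ASSUMPTION: OWA login pages link assets under a build-stamped path,
# e.g. /owa/auth/15.1.1913.7/themes/... (2013+) or /owa/14.3.123.4/... (2010).
BUILD_RE = re.compile(r"/owa/(?:auth/)?(\d+)\.(\d+)\.(\d+)\.(\d+)/")

# Constructed sample pages standing in for HTTP responses from OWA hosts.
SAMPLE_OWA_PAGES: Dict[str, str] = {
    "mail.example.test": '<link rel="shortcut icon" href="/owa/auth/15.1.1847.3/themes/resources/favicon.ico">',
    "mail2.example.test": '<link rel="shortcut icon" href="/owa/auth/15.1.1913.7/themes/resources/favicon.ico">',
    "legacy.example.test": '<link rel="stylesheet" href="/owa/14.3.123.4/themes/base/logon.css">',
    "new.example.test": '<link rel="shortcut icon" href="/owa/auth/15.2.595.3/themes/resources/favicon.ico">',
    "unknown.example.test": "<html><body>Not an Exchange server</body></html>",
}


def extract_build(html: str) -> Optional[Build]:
    """Pull the four-part Exchange build out of an OWA page, or None."""
    m = BUILD_RE.search(html)
    if not m:
        return None
    major, minor, cu, rev = (int(x) for x in m.groups())
    return (major, minor, cu, rev)


def assess(build: Build) -> str:
    """Classify a build against the fix table, respecting CU lines."""
    major, minor, cu, rev = build
    line = [k for k in PATCHED_BUILDS if k[:2] == (major, minor)]
    if not line:
        return "unknown-product"       # e.g. Exchange 2007, not in the table
    key = (major, minor, cu)
    if key in PATCHED_BUILDS:
        # Same CU as a fixed build: the revision decides.
        return "patched" if rev >= PATCHED_BUILDS[key] else "unpatched"
    # A CU released after the fix includes it; an older CU never got it.
    newest_fixed_cu = max(k[2] for k in line)
    return "patched" if cu > newest_fixed_cu else "unpatched"


def survey(pages: Dict[str, str]) -> Dict[str, str]:
    """Headcount over a host -> page mapping, like a Sonar-style survey."""
    results: Dict[str, str] = {}
    for host, html in pages.items():
        build = extract_build(html)
        results[host] = "no-build-found" if build is None else assess(build)
    return results


if __name__ == "__main__":
    for host, status in survey(SAMPLE_OWA_PAGES).items():
        print(f"{host:24s} {status}")
```

The `legacy.example.test` host is the interesting case: its build 14.3.123.4 is numerically far below the fixed 14.3.496.0, but the reason it is unpatched is that it never moved to the rollup the fix shipped in, which is exactly the "not updated in six years" population in the Rapid7 numbers.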

And finally we have the Ryuk attack on Universal Health Services. UHS hospitals hit by reported country-wide Ryuk ransomware attack.

“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” one of the reports reads.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

“We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”

And it isn’t just that a bunch of hospital employees can’t access their email, or billing records.

Four deaths were also reported after the incident impacting UHS’ facilities, caused by the doctors having to wait for lab results to arrive via courier. BleepingComputer has not been able to independently corroborate if the deaths were related to the attack.

Look I get that modern medicine is dependent on computers for a whole bunch of stuff, but this incident demonstrates that we are not doing it correctly. Not by half.

The internet was fun while it lasted. (Hat tip Security Now.)

5 thoughts on “Lack Of Computer Security Can Kill You”

  1. Pingback: In The Mailbox: 09.30.20 : The Other McCain

  2. The thing that gets me about that is that the people killed in the hospital might have run their own computer network with the utmost attention to security and got killed by someone else’s “lack of computer security.”

    I’m consciously reducing my use of computers. There are no apps on my phone for anything financial, my tablet lives between my sofa and its charging station. If my phone gets ransomware attacked or otherwise bricked, I’m going to run my car over it a few times, sweep up the crumbs and toss them.


    • I don’t use my phone for much – which is why I don’t have $1000 phone. Music, email, and weather. The occasional web search to answer one of life’s burning questions, like “Who was in that movie?”

      On the PC I have everything segregated either between different browsers or between different containers on Firefox. So Twitter, YouTube, Spotify, whatever doesn’t know what else I am doing while online.


      • Every time you entrust some part of your life to a company their level of computer security can become an issue for you. At hospitals, it can impact your health and your life.

        And the medical industry is VERY bad about updating stuff, in part because of the way .gov regulations are written and implemented. Can’t change anything to something that has been “certified” without getting re-certified, even if doing nothing clearly enables hackers to kill people.

        Update operating systems regularly? That is not how the regulations are written and NOTHING is more important – to a bureaucrat – than the regulations!


  3. This is what happens when you use an insecure steaming pile of dung OS like Windows.

    Compare to OpenBSD which has had a grand total of 2 security holes in the default install in the last 20 years. Windows gets that many every week.

