Medical device containing patient information stolen from DePaul Hospital

SSM Health has notified 836 patients that their personal information may have been compromised after a medical device was stolen from DePaul Hospital. 

The device looks like a laptop and that's likely why it was stolen -- not because it contained patient information, SSM Health, owner of DePaul Hospital in Bridgeton, said in a statement.

Limited patient information was loaded on the device, which included patient names, birthdates, medical record numbers and a brief chief medical complaint.

The device did not contain Social Security numbers, addresses, phone numbers or financial information.

The medical device was used only on patients of Dr. Syed Khader who participated in a study from 2002 to 2017. Khader is part of SSM's orthopedic group. He specializes in non-operative pain management of the back, spine and neck.

The device is a part of an electromyography, which measures the health of muscles and can also detect problems with the nerves.

The laptop-like device was stolen sometime between the night of April 12 and the morning of April 13. Police were notified, SSM said in a statement.

"Because protected patient information was on the device, it is considered a privacy breach under the Health Insurance Portability and Accountability Act (HIPAA). Letters were sent to the 836 patients identified who were impacted, and a notification was posted on the SSM Health Medical Group website home page," according to the statement.

SSM said any patients of Khader who did not receive a letter or those who have more questions should call: 1-855-989-3662.

Read More

Police dismantled the Cron gang that targeted Bank Accounts via Android Malware

Russian authorities dismantled a major criminal ring that was targeting bank accounts by using an Android malware, dubbed ‘Cron,’ that compromised more than one million Android smartphones.

According to the Russian Interior Ministry, the criminal organization had stolen nearly $900,000 from bank accounts.

Law enforcement, assisted by the cyber security firm Group-IB have identified 25 members of the organization led by a 30-year-old living in the city of Ivanovo.

16 members of the gang were detained in November 2016, while the last active member was arrested in April.

The Cron Trojan was first spotted in March 2015, when the crime gang had been distributing the malware disguised as Viber and Google Play apps.

Early 2016, investigators discovered that an Android banking Trojan dubbed ‘Cron Bot’ was offered for rent in the criminal underground. According to the experts from the IBM X-Force the Cron Bot had been leased for between $4,000 and $7,000, depending on the configuration chosen by the buyer.

The Cron gang used spam SMS messages to spread the malware to individuals in Russia, the attackers used a very effective social engineering technique. The SMS messages informed recipients that their ads or photos had been shared on a website, and included links to a site that tricked victims into downloading and executing the malicious code.

“Spam SMS messages with a link to a website infected with the banking Trojan. The message was of the following form: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user visits the compromised website, the malware will be downloaded on the device, tricking the victim to install it.” reads the report published by Group-IB.

“The victim could install the malicious program on the phone by downloading fake applications masked as legitimate ones. The Trojan is distributed under the guise of such applications as Navitel; Framaroot; Pornhub; Avito.“

Once the Cron Trojan infected a device, the malware could send SMS messages to any phone number, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank. Using the features the malware can intercept 2FA messages sent to the users to authorize fraudulent transactions conducted by crooks.

The Cron gang earned approximately $900 000 USD (50 million rubles) with its activity.

“Every day Cron malware attempted to steal money from 50-60 clients of different banks. An average theft was about 8,000 rubles ($100). According to crime investigators, the total damage from Cron’s activity amounted to approximately $800 000 USD (50 million rubles). ” continues the report.

The investigators discovered the Cron Gang decided to extend its activity to other countries, they rented the Tiny.z banking Trojan for $2,000 per month.

Experts speculate the hackers had been planning on targeting France banking users because the Cron gang developed web injections for several of French banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.

Read More

1.5 million students’ data leaked online, put up for sale for up to Rs60,000

Phone numbers, email ID and addresses of at least 1.5 million students are available for a price, although it isn’t clear how this happened.

For between Rs1,000 and Rs60,000 it is possible to get information on at least 1.5 million students who appeared for examinations of several types since 2009.

From the datasheets—samples are available for free—on websites such as studentsdatabase.in, kenils.co.in, and allstudentdatabase.in, it is clear that the students whose information is being sold have appeared for MBA entrance tests (CAT, MAT, MBA CET, CMAT, XAT, and others), some engineering and medical entrance tests, Class X or Class XII board examinations (only some boards), or final year examinations at some universities (Lucknow, Pune).

The source of this data isn’t clear, although there are several possible ones: the board, university or body in-charge of the examination; or the ubiquitous prep schools that prepare students for these tests.

None of the websites responded to queries.

The information available is exhaustive: student name, score, percentile, gender, category, complete address, mobile number, and email ID. Some of that is unlikely to change, making even older data valuable.

Some of the buyers of this data are business schools.

“On average, I get three to four calls every day from representatives of various B-schools… the frequency is at its peak in the months of April-June probably because a lot of students are left without admits from premier B-schools at that point in time and these institutes are left with a lot of seats to fill before their academic session starts...” said Shashank Prabhu, who appeared for MBA entrance exams in 2010-11 and graduated from FMS Delhi in 2013. He is now the founder of LearningRoots, a training institute for Common Admission Test (CAT).

There’s no doubt that the sale of this data is in violation of the law—unless students providing the data were told at the time that it could be collated and shared or sold later. The onus, according to law, is on the entity collecting the data, said an expert.

“The IT Act includes Sec 43A, which specifically covers the measures required to be followed by any entity which is collating sensitive information from individuals…The act mandates that while collecting information, there is a need to declare the purpose of collation of sensitive information and need to protect the information thereafter… and there is a need to have consent from individual on usage of the information,” said Atul Gupta, partner and cybersecurity lead at KPMG India.

The conveners of CAT are clueless about the data being publicly available.

IIM Ahmedabad professor and CAT 2015 convener Tathagata Bandyopadhyay says that “the data is supposed to be strictly confidential and even the faculty members of IIMs do not have access to it use it.”

IIM Bangalore was the convener of CAT 2016. An institute spokesperson said: “The CAT centre respects the privacy of all CAT takers, and does not share any data of the test takers with anyone, except with the IIMs and the non-IIM member institutions as listed on the CAT website. Even while sharing the CAT scores with the non-IIM member institutions, we do not share any contact details (like address, mobile number, email ID etc) with them.”

A spokesperson for All India Management Association (AIMA), which conducts the Management Aptitude Test (MAT), declined to comment.

The Directorate of Technical Education that conducts Maharashtra MBA CET 2016, Central Board of Secondary Education that conducts National Eligibility cum Entrance Test (NEET) and JEE and XLRI that conducts XAT, did not respond to e-mails seeking comment.

“Any individual whose information is included in the database and is in violation of the reason why the information was provided, can seek legal recourse,” added Gupta.

Read More

Qatar's State News Agency Hacked By 'Unknown Entity'

Qatar said Wednesday its official state news agency was hacked and subsequently carried a "false statement" on sensitive regional topics attributed to the country's Emir, Sheikh Tamim bin Hamad Al-Thani.

Among the issues allegedly addressed by the Qatari ruler were the Palestinian-Israeli conflict, strategic relations with Iran, and comments about Hamas.

There were also alleged negative comments about Qatar's relationship with the new administration of US President Donald Trump.

Doha though said the statement was completely untrue.

"The Qatar News Agency website has been hacked by an unknown entity," reported the Government Communications Office in a statement.

"A false statement attributed to His Highness has been published."

It added that an investigation would be launched into the security breach.

At this stage it was unclear who was behind the hack.

The "false statement" said the emir spoke on Tuesday, two days after the Qatari leader and Trump met in Saudi Arabia as part of the president's recent visit to the Middle East.

The remarks posted on QNA as a result of the hack were picked up and reported by broadcasters in the region, including some in the United Arab Emirates.

They also caused a stir on social media in the Gulf, before Doha scrambled in the early hours of Wednesday morning to deny the claims.

The communications office added that the "State of Qatar will hold all those" who committed the breach accountable.

Qatar is home to the former leader of Hamas, Khaled Meshaal, who earlier this month used his Doha base, where he has lived in exile for several years, to launch a new policy document.

Last weekend, Doha said it had been the victim of an orchestrated smear campaign over its alleged "support" for terrorism. 

Read More

WannaCry Profits Finally Hit $100,000

The infamous WannaCry ransomware has finally generated over $100,000 in payments over a week after it first landed, but profits remain relatively low considering the vast number of global users affected by the incident.

The campaign first landed on Friday May 12, with the black hats behind it demanding $300 in Bitcoin from victims in return for the decryption key for their files. That sum doubles to $600 if the ransom isn’t paid within 72-hours.

However, it appears from a Bitcoin tracker set up to monitor the digital wallets tied to the attack, that users are following the advice of security experts and law enforcers.

At the time of writing, the total raised by the cyber-criminals had reached just over $109,000.

This is a minute percentage of the hundreds of thousands of victims said to have been infected around the world.

Europol chief Rob Wainright claimed just two days after the ransomware landed that it had affected more than 200,000 netizens in 150 countries.

Some estimates now claim that figure is closer to 300,000.

Their decision may have been influenced by a few factors; not least getting hold of the digital currency itself and reports that those that paid up had not received their decryption key.

It will also lend weight to the argument that those behind the campaign were nation state hackers rather than financially motivated cyber-criminals, although the North Korea-linked Lazarus Group mentioned by some as potentially involved has previous launching both destructive, disruptive attacks and money-grabbing raids.

WannaCry infections have now dropped to virtually zero, but newer variants are emerging to try and ride on its coat tails, using the same NSA exploits, according to some experts.

Read More

US politicians think companies should be allowed to 'hack back' after WannaCry

US politicians are drafting a bill that - if approved - could allow companies and individuals to "hack back", allowing victims of a hack to "access without authorization the computer of the attacker... to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network."

The Financial Times reports that US Congressman Tom Graves, a Republican from Georgia, who is drafting the Active Cyber Defense Certainty (ACDC) bill with Arizona democrat Kyrsten Sinema, believes that the recent WannaCry ransomware attack could have been prevented if victims had been able to hack their attackers:

"I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US. Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack."

Yes, the same companies who failed to install a critical Microsoft security patch released over a month before the WannaCry malware struck are being encouraged to hack other people's computers... can anyone else see a problem here?

As the Financial Times reports, although the bill currently being proposed would give a green light for companies hit by internet attacks to access third-party computers used in the attack without authorisation for the purposes of disruption or gathering information to share with law enforcement, there are limits. For instance, they would not be allowed to destroy data on the remote system, cause physical injury or create a threat to public health or safety.

This would be my big concern. Often internet attackers hijack innocent computers to do their dirty work for them, meaning their owners' simply aren't aware that their systems are being abused as part of a larger criminal endeavour. If your counterattack disrupts or wipes data on someone else's computer then how are you any better than the people who attacked you?

If you launched a denial-of-service attack against a computer that you believed was attacking yours, isn't there a danger that you could be impacting other innocent companies that might be sharing the same server infrastructure? Isn't there a risk that you're having a financial impact on hosting companies and service providers in between you and the attackers?

Furthermore, blundering onto a server controlled by a hacker risks unintentionally disrupting efforts by law enforcement to gather evidence that could lead to the identification and successful prosecution of hackers.

Finally, can you ever be truly confident that your counterattack is being targeted against the right person? Reliable attribution of internet attacks is notoriously difficult.

Take-downs of criminal computer systems should be done by the authorities, not internet vigilantes.

If we allow 'amateurs' to launch counterattacks there is always the danger that an existing investigation is being compromised, preventing the collection of information required for a successful prosecution, or making it difficult to provide evidence has not been corrupted by those retaliating.

And I can't see how a "vigilante hack" would have helped defend any organisation against WannaCry, anyway. The simplest way to defend your systems from the way that ransomware spread was to have the Microsoft patch in place. If you weren't able to have that basic protection in place I question your ability to take down a hacker.

Read More

DaFont hacked: accounts and passwords stolen

A hacker has obtained over 685,000 usernames and passwords for the popular free font site.

DaFont.com is probably the best known source of free fonts on the web – offering over 32,000 free fonts, some great and some examples of the worst font design ever committed. But ZDNet is reporting that earlier this month, a hacker gained access to its database and has stolen 699,464 user accounts – and has managed to crack over 98 percent of its passwords.

He downloaded the database, which also included all of the site’s forums – including private messages. The hacker supplied the database to ZDNet for verification, which they were able to do, and the the site Have I Been Pwned, which allows you to enter your email address and see if it’s in some of the hacked databases available on the web (mine appears in data stolen from Adobe, Dropbox and LinkedIn, apparently).

The hacker claims that others have also hacked the database, and are sharing it on the web – which is why he came forward. He says that it was relatively easy to access the site’s database using a 'union-based SQL injection vulnerability in the site's software’ and crack the hashed passwords, which had been encrypted using a deprecated MD5 algorithm.

The journalist who wrote the story says that he’s been attempting to contact the site’s owners – Rodolphe Milan and Nicolas Peton – but has been unable to do so.

Will the DaFont hack affect me

The hack will only affect you if you’ve registered an account on DaFont.com – which isn’t necessary to download fonts. Registering an account is required to comment on fonts or within the forum – or to upload fonts to the site. So font designers will be most affected by this.

If you have registered an account, there’s probably little to worry about unless you’ve said anything embarrassing in a private message – or you’ve used a username/email address and password combination that will also work on another site. If you have used that combo on other sites, go change them now.

If you're not sure if you've ever registered account, Have I Been Pwned will tell you if you're in the stolen database (and others too).

Read More