Many clinical and administrative staff will be treating patients and accessing data remotely after the COVID-19 crisis settles, experts said during a Canadian webinar on the effects of the pandemic on the healthcare sector.
“Remote access is here to stay. In a big way,” said Kashif Pervaiz, CISO of Toronto’s University Health Network (UHN), a group of three hospitals, rehabilitation centres and a clinician training school.
Delivering services efficiently as well as assuring patient privacy is “definitely going to be big,” he said. UHN now has a group led by an executive vice-president dealing with ways of safely delivering virtual care, he noted, stressing that the effort is executive-led.
To deal with the pressure of operational and medical staff suddenly having to work remotely, some security policies needed “to be bent a little bit,” Pervaiz admitted. “We haven’t thrown security out of the window (but) we have had to adapt a bit.”
That meant re-thinking how to deliver remote access. Instead of relying on virtual private networks (VPNs), UHN turned to web-enabled solutions in some cases. That means his environment is “somewhat device-independent,” lowering the attack surface. He also increased network monitoring and incident response procedures.
“The days of saying no right away are long behind us,” he warned CISOs.
Pervaiz was speaking on the first day of a week-long series of webinars called siberXchange run by Richmond Hill, Ont., based SiberX, which produces cybersecurity events. Each day this week has a set of panels or speakers centred on a single topic. Tuesday’s topic is business continuity, Wednesday’s is women in cybersecurity, Thursday’s is aimed at CISOs and Friday’s theme is smart cities.
Panellist Ali Shahidi, director of information security management and privacy for Ontario Health – a group of 20 agencies including 14 local health integration networks and the Ontario Telemedicine Network (OTN) – said his agency has had to face several remote access challenges due to the pandemic.
Thanks to some “leeway” from the provincial information and privacy commissioner, the agency was able to change some security and remote access procedures, he said. Some access projects that might have taken months were done in two weeks, he explained, thanks to staff working round the clock. “It showed we can be agile.”
Shahidi, Pervaiz and panellists Daniel Pinksy, manager of the information security program at IT provider CDW Canada and Hoda Nasseri, a cyber defence manager at KPMG Canada, also said that the number of COVID-related email threats to the healthcare sector has increased. As reported elsewhere, Nasseri said there are also government warnings that other countries are interested in stealing COVID-19 related vaccine research.
However, she added, most nation state-attacks aren’t complicated. Hospitals and clinics that perform basic cybersecurity hygiene, including patching and using multi-factor authentication to protect administrative accounts, will be protected against most targeted attacks, she said.
Ultimately, said Pinksky, the goals of infosec teams need to be driven by the goals of the organization. “we exist to enable the business.” If the business changes, information security has to adapt.
The question, he said, is how does IT pivot and continue to support and enable the business, while at the same time managing risk?
Microsoft has joined the recently launched Open Source Security Foundation (OpenSSF) to help create a healthier, more secure open-source software ecosystem for all, the company announced yesterday in a blog post.
Collaborative efforts such as OpenSSF aim to address these concerns in open-sourced projects. Major technology players including Microsoft, Google, IBM, and others, are confirmed members of the organization’s governing board. Together, OpenSSF says they help set guidelines on vulnerability disclosures, security tooling, and threat identification. Each of the working groups has its won technical steering committee and is self-governed.
“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open-source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”
Microsoft has warmed up to open source in the last few years. Earlier this year, the company finally admitted that it was wrong about open-source, referring to an era when Steve Balmer fiercely belittled Linux. Since Satya Nadella took the helm, however, Microsoft has been actively embracing open source with projects like Visual Studio Code, Linux subsystem on Windows, and open-sourcing some of its older projects. On June 4, 2018, the company officially acquired GitHub, one of the world’s largest code repository hosting platform, for US$7.5 billion.
Open-sourcing relies on public governance and support from its user base. The code can be scrutinized by anyone to validate their security, and any party can modify the solution to suit their own needs.
But the very nature of open-source software raises inherent security risks. Since support is decentralized, no one person or party is responsible for bugs. There’s also the risk of attackers, under the guise of a maintainer, injecting malware into popular projects. And because popular tools are cloned and continuously modified, version verification is a time-consuming process.
Named PE Tree, the app for Linux, Mac, and Windows can reverse-engineer and analyze the internal structure of Portable Executable (PE) files, according to BlackBerry. PE files are popular with malware authors who hide malicious payloads inside them.
“The cybersecurity threat landscape continues to evolve and cyberattacks are getting more sophisticated with potential to cause greater damage,” said Eric Milam, vice-president of research operations, BlackBerry, in a press release.
Businesses today have to contend with more diverse malware sprouting like weeds, and it’s not just the Emotets and TrickBots of the world, but Ryuk and Sodinokibi, both of which caused significant disruptions globally in 2019. Meanwhile, malware like SecurityRun, according to a report from Malwarebytes, can achieve high distribution almost “exclusively against business victims.”
That same report also says there was an average of 11 threats per Mac endpoints in 2019, nearly double the average of 5.8 threats per endpoint on Windows.
The open-source tool’s list of features include:
- Standalone application and IDAPython plugin
- Supports Windows/Linux/Mac
- Rainbow PE ratio map:
- High-level overview of PE structures, size and file location
- Allows for fast visual comparison of PE samples
- Displays the following PE headers in a tree view:
- MZ header
- DOS stub
- Rich headers
- NT/File/Optional headers
- Data directories
- Debug information
- Load config
- Version information
- Extract and save data from:
- DOS stub
- Send data to CyberChef
- VirusTotal search of:
- File hashes
- PDB path
- Section hash/name
- Import hash/name
- Export name
- Resource hash
- Certificate serial
- Standalone application;
- Double-click VA/RVA to disassemble with capstone
- Hex-dump data
- IDAPython plugin:
- Easy navigation of PE file structures
- Double-click VA/RVA to view in IDA-view/hex-view
- Search IDB for in-memory PE files;
- Reconstruct imports (IAT + IDT)
- Dump reconstructed PE files
- Automatically comment PE file structures in IDB
- Automatically label IAT offsets in IDB
PE tree isn’t the only tool of its kind: a similar app developed by malware analyst Aleksandra “Hasherezade” Doniec, who also works for Malwarebytes, can be found here.
Gemini Advisory, a U.S. cybersecurity firm, warned Thursday that hackers might have found a way around the tough security on ATM access cards with data-encrypting Europay, Mastercard, and Visa (EMV) without cloning them. The sale of stolen card data from two hacks in the U.S. this year is likely the result of the vulnerability being abused by cybercriminals, Gemini said in a report.
The report highlights that the technique can be “dangerously effective” if banks don’t perform a check when processing card transactions. The reverse is also true: If banks properly do security checks, the technique is blunted.
Gemini calls the technique “EMV by-pass cloning.” Briefly, by using malware on point-of-sale (POS) machines, a small but vital piece of data is extracted from the EMV chip called the iCVV number, which is needed for transaction verification. This number can then be copied onto the magnetic stripe on the back of a blank payment card. The criminal then swipes (not taps, because it doesn’t have a chip) the new card in a bank or retailer’s card reader, which reads the mag stripe and sees the iCVV. Without proper processing by the financial institution, it might be accepted as if it was the original card with an EMV chip.
In short, a crook can take information from an EMV chip and transfer it to a mag stripe on a different card. No need to clone the chip; the scam works because POS machines around the world still accept the less secure mag stripes for transaction information.
Gemini credited a report issued earlier this month by a consulting firm called Cyber R&D Lab with discovering the technique. Lab researchers did a proof of concept and then tested it on cards from 11 unnamed banks in Europe and the U.S., out of which four accepted transactions using the fake cards.
After reading the report, Gemini says it believes that this discovery explains the recent sale on the dark web of 720,000 payment card numbers with iCVV numbers from the January hack of a northeastern U.S. supermarket chain and the June 29 hack of card data from a wine and liquor store in the state of Georgia. Gemini also says it believes that the cybercriminals must have used the EMV by-pass cloning technique to get the iCVV numbers.
There is another way of getting iCVV numbers, and that’s by secretly installing an electronic shimmer inside a point of sale device or ATM to capture the number as customers use the cards. However, Gemini notes the two hacks involve too many payment card numbers for even several compromised POS devices to capture. So, it concludes, the by-pass cloning technique was used in those hacks.
“EMV technology has until now been as secure as it gets,” Christopher Thomas, an intelligence production analyst at Gemini Advisory, said in an interview. “So it’s significant there’s a workaround… That is certainly a cause for alarm. However, it’s also important to note that Cyber R&D Lab compromised four out of 11 cards, the verification systems of the other banks did work. This seems to be a problem that only affects banks that are not verifying the way they should be.”
The Canadian Bankers’ Association, which represents the country’s major banks, wouldn’t comment on the Gemini report. Instead, it issued the following statement, “Banks are leaders in cybersecurity and their highly-skilled IT security teams use advanced technologies to safeguard their operations and keep their customers’ money and data safe from illegitimate acts. Banks constantly scan the threat horizon to stay on top of ever-evolving fraud typologies and thwart attacks of all kinds.”
Now for the more detailed explanation of the Gemini and Cyber R&D Lab reports: Most people know the back of payment or access cards have a CVV number for card and transaction verification in what the payment industry calls “card not present” purchases over the phone or online. Buyers are sometimes asked to read out or type in the number.
The CVV number is also part of the hidden information (including issuing bank, cardholder name) on the magnetic stripe on the back of cards for point-of-sale machines to read when the cards are swiped in “card present” purchases in stores. The coding on mag stripes was cracked by cybercriminals decades ago, allowing them to create counterfeit payment cards with cloned mag stripes, thus forcing banks and credit card companies to adopt the EMV chip.
These chips are protected by tough data encryption that prevents cloning. The transaction data on every chip includes an iCVV number, which is different from the card’s CVV number. When processing a transaction with an EMV card, bank computer systems are supposed to compare the CVV number on the mag stripe to make sure it hasn’t been substituted for an iCVV number. If the card has it, then the card isn’t safe.
EMV chips have foiled counterfeiters since they were introduced in the late 1990s, first in Europe, then in Canada and more recently in the U.S. Last year’s Visa said for those merchants whose stores had converted to accepting EMV cards saw a 76 per cent drop in fraud over three years.
Criminals who use stolen credit cards for card-not-present transactions rely on data they can take from magstripes.
Use of NFC data
If it’s not hard to clone mag stripes, Cyber R&D Lab wondered if EMV data could be transferred to a mag stripe, getting around the problem of cloning chips. It did it by using the wireless Near Field Communication (NFC) capability on many EMV cards, the technology that enables tap-and-go transactions. To read the data from the NFC interface of real credit cards, researchers used an Android app called Card Reader Pro. This data was then compared to the data on the card’s magstripe for similarities or differences. Using that data the researchers could calculate the card’s iCVV number and substitute it on the mag stripe of a cloned card.
When a point of sale machine is used for a transaction, a bank is supposed to check the card security code for validity. If the process isn’t done right, a mag stripe card will seem to the bank to be an EMV card.