
Ransomware & HSE


Comments

  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    ixoy wrote: »
    I believe, according to an IT expert here, one person could do it all in six months - upgrade it all and push into the cloud :D

    You gotta love armchair IT experts.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    They really need to update the vaccine statistics. I’m seeing out of date data from 11 May being used all over the place online and it’s making our vaccine programme look like it’s lagging very far behind the rest of the EU.

    I don’t see how this information can’t be updated manually. Surely they know how many vaccines they’re dosing each day?


  • Registered Users Posts: 2,901 ✭✭✭Van.Bosch


    They really need to update the vaccine statistics. I’m seeing out of date data from 11 May being used all over the place online and it’s making our vaccine programme look like it’s lagging very far behind the rest of the EU.

    I don’t see how this information can’t be updated manually. Surely they know how many vaccines they’re dosing each day?

    They do but getting the data from the GPs is the issue I think. Even publishing the MVC’s would be preferable and update when GP data is restored.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    What would be very useful is if the hackers released a statement on what happened. Never mind the HSE doing a "review"
    Explain how they got in and did they expect such a huge impact? Did the actions of the HSE help or hinder the progress of the virus?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    What would be very useful is if the hackers released a statement on what happened. Never mind the HSE doing a "review"
    Explain how they got in and did they expect such a huge impact? Did the actions of the HSE help or hinder the progress of the virus?

    Are you serious?


  • Registered Users Posts: 18,166 ✭✭✭✭VinLieger


    ineedeuro wrote: »
    What would be very useful is if the hackers released a statement on what happened. Never mind the HSE doing a "review"
    Explain how they got in and did they expect such a huge impact? Did the actions of the HSE help or hinder the progress of the virus?


    If we were dealing with white hats yes that would happen maybe not in a public fashion but they would definitely give the HSE a debrief.

    But then we also wouldn't be in the situation we are now with the system having been encrypted and potential data leaking so tbh your comment is pointless.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    It would be very useful also if the hackers got on a plane and handed themselves in to the Gardai in Dublin.


  • Registered Users Posts: 7,585 ✭✭✭Tow


    plodder wrote: »
    It would be very useful also if the hackers got on a plane and handed themselves in to the Gardai in Dublin.

    More chance of Ryanair diverting their flight into Baldonnel.

    But I had to laugh when I heard they were sent a copy of the HSE's High Court Injunction and replied back with a question mark!

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Considering they attacked a public healthcare system, one can only assume very deliberately during a pandemic as they felt they could maximise the ability to extort money, you should know the kind of utter lowlifes you’re dealing with.

    They don’t care if they cause chaos or even kill people as the result of their actions.

    There were cyber attacks on Spanish hospitals at the very peak of the pandemic there, while they were trying to deal with overflowing ICUs and people dying in corridors. The hackers saw that as an opportunity to extract cash.

    There are also two recent attacks in France that caused the disruption of two hospital groups. https://www.euroweeklynews.com/2021/02/16/cyber-attacks-strike-two-french-hospitals-in-one-week/

    Then the worst I’ve seen ever was the hack on a Finnish mental health provider. The hackers went after individual patients, demanding money to prevent release of mental health notes. https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach

    You’re dealing with some of the nastiest individuals on the internet. It’s about as low as anyone could possibly go in terms of crime.

    You’re absolutely kidding yourself if you think they’re going to be nice, sit down and explain themselves.

    I’m extremely sceptical about why they’ve handed over the decryption key. I wouldn’t be surprised if it’s some kind of further trap.

    They’re still almost certainly going to try and extort money with threats of dumping data into the public domain and you can be very sure that they’ll just sell the data anyway.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Considering they attacked a public healthcare system, one can only assume very deliberately during a pandemic as they felt they could maximise the ability to extort money, you should know the kind of utter lowlifes you’re dealing with.

    They don’t care if they cause chaos or even kill people as the result of their actions.

    There were cyber attacks on Spanish hospitals at the very peak of the pandemic there, while they were trying to deal with overflowing ICUs and people dying in corridors. The hackers saw that as an opportunity to extract cash.

    There are also two recent attacks in France that caused the disruption of two hospital groups. https://www.euroweeklynews.com/2021/02/16/cyber-attacks-strike-two-french-hospitals-in-one-week/

    Then the worst I’ve seen ever was the hack on a Finnish mental health provider. The hackers went after individual patients, demanding money to prevent release of mental health notes. https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach

    You’re dealing with some of the nastiest individuals on the internet. It’s about as low as anyone could possibly go in terms of crime.

    You’re absolutely kidding yourself if you think they’re going to be nice, sit down and explain themselves.

    I’m extremely sceptical about why they’ve handed over the decryption key. I wouldn’t be surprised if it’s some kind of further trap.

    They’re still almost certainly going to try and extort money with threats of dumping data into the public domain and you can be very sure that they’ll just sell the data anyway.

    The only answer is proper international co-operation and sanctions to deal with these threats.
    It's the very definition of Cyber Terrorism and needs to be stamped out.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    VinLieger wrote: »
    If we were dealing with white hats yes that would happen maybe not in a public fashion but they would definitely give the HSE a debrief.

    But then we also wouldn't be in the situation we are now with the system having been encrypted and potential data leaking so tbh your comment is pointless.

    I would expect the HSE currently has pen testers working trying to find external gaps.
    Everyone expects to have a report of what happened. Based on previous government reports these are a sham and everything is covered up. It would be nice to get the information so number 1 we can make sure it never happens again and number 2 find out the truth on what happened


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    There’s also going to be a genuine need not to expose the details of what is clearly a vulnerable system that has holes in it.

    There’ll be a report and probably a major public inquiry whenever this is over, but I wouldn’t be expecting to see a full breakdown of exactly the technicalities of what happened in the middle of a live hack.

    Any information they publish is also available to the hackers.

    Their priority is to secure and restore the systems, to get services up and running again. After that, then the figuring out how it happened and what needs to be done to prevent it reoccurring needs to happen and quickly.

    There’s a possibility that we are just diving into eHealth way too deeply and too soon. If these kinds of attacks are going to be a feature of life and IT competence isn’t really a strong point, I could see things becoming a lot more circumspect about some of these grand projects of putting everything into databases and online services.

    It’s great when it works but if you’re just creating giant honeypots for hackers to try to open, I’m left wondering about the benefits vs the risks.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Considering they attacked a public healthcare system, one can only assume very deliberately during a pandemic as they felt they could maximise the ability to extort money, you should know the kind of utter lowlifes you’re dealing with.

    They don’t care if they cause chaos or even kill people as the result of their actions.

    There were cyber attacks on Spanish hospitals at the very peak of the pandemic there, while they were trying to deal with overflowing ICUs and people dying in corridors. The hackers saw that as an opportunity to extract cash.

    There are also two recent attacks in France that caused the disruption of two hospital groups. https://www.euroweeklynews.com/2021/02/16/cyber-attacks-strike-two-french-hospitals-in-one-week/

    Then the worst I’ve seen ever was the hack on a Finnish mental health provider. The hackers went after individual patients, demanding money to prevent release of mental health notes. https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach

    You’re dealing with some of the nastiest individuals on the internet. It’s about as low as anyone could possibly go in terms of crime.

    You’re absolutely kidding yourself if you think they’re going to be nice, sit down and explain themselves.

    I’m extremely sceptical about why they’ve handed over the decryption key. I wouldn’t be surprised if it’s some kind of further trap.

    They’re still almost certainly going to try and extort money with threats of dumping data into the public domain and you can be very sure that they’ll just sell the data anyway.

    I 100% agree with all of this yet we are supposed to believe they handed over the encryption key to help resolve the issue free of charge.

    So if they are helping to resolve the issue then why not help on identifying how they got in?


  • Registered Users Posts: 19,854 ✭✭✭✭Donald Trump


    ineedeuro wrote: »
    I would expect the HSE currently has pen testers working trying to find external gaps.




    I applied for a job at the HSE network security as a pen tester. They weren't interested as I had no experience with felt-tipped. Only biros and fountain.


  • Registered Users Posts: 3,231 ✭✭✭TomSweeney


    plodder wrote: »
    It would be very useful also if the hackers got on a plane and handed themselves in to the Gardai in Dublin.


    Ah Joe Duffy how are ya ?

    :p


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    ineedeuro wrote: »
    I 100% agree with all of this yet we are supposed to believe they handed over the encryption key to help resolve the issue free of charge.

    So if they are helping to resolve the issue then why not help on identifying how they got in?

    I would assume they gave the keys under pressure. It looked to me like they’ve overstepped the line and drew focus from intelligence agencies and law enforcement, potentially in countries that might be able to reach them too, not just “The West”.

    This isn’t politically or geopolitically motivated stuff. It’s a financially motivated hack, so you can be sure all sorts of intelligence agencies are concerned about shutting them down, not just western ones.

    They may also have wanted to present a more reasonable image online to perhaps avoid attention from other groups that might not like them very much.

    There are many reasons why, but I’m highly sceptical about it being any kind of sudden change of heart.

    For all we know the decryption key could be leaving systems more vulnerable or be some kind of trap.

    It’s an absolute mess and I think the one thing it’s going to have to trigger is a massive trying of public use of IT systems here.

    There needs to be a national cyber security agency that is capable of both handling a threat like this and mitigating against it.

    We are relying far too much on assuming that “ah sure we’re little old Ireland” and have a bit of an imagination that we are entirely off the radar when it comes to being a target for serious international threats.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    ineedeuro wrote: »
    I would expect the HSE currently has pen testers working trying to find external gaps.
    Everyone expects to have a report of what happened. Based on previous government reports these are a sham and everything is covered up. It would be nice to get the information so number 1 we can make sure it never happens again and number 2 find out the truth on what happened

    The results of any security review are kept internal, standard practice as you will learn on any decent cyber security 101 course.

    Organisations can decide to release statements on how they were compromised, but they don't provide the security review report in full.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    The main thing that’s coming out of this is that we’ve inadequate investment into cyber security. We can’t just continue to imagine that we’re somehow immune from threats.

    Ireland needs to step up to the plate on this and it’ll mean proper public investment into the kind of agency that might be needed. We have the skill sets, but we seem to have been doing it on a shoestring.

    If you’re going to be reliant on big public and private IT systems, you need to protect them and ensure they’re designed to minimise vulnerability.

    Often all of this stuff is just seen as an unnecessary overhead, because systems work without investing in them, but it’s like the way ancient wiring works until it doesn’t and one day your house burns down.


  • Registered Users Posts: 7,256 ✭✭✭plodder



    For all we know the decryption key could be leaving systems more vulnerable or be some kind of trap.

    What people are calling a 'decryption key' is actually software containing an actual key, or keys. The HSE team seem to have put a lot of effort into extracting the actual key, so they can use their own software, which they can be sure doesn't contain any further malware.


  • Registered Users Posts: 676 ✭✭✭Esho


    kippy wrote: »
    The state or any organisation connected to the state hasn't paid a ransom.
    The data will most likely find its way into the public domain whether the ransom is paid or not.
    Unless further pressure is put on these criminals-which will be interesting to see.

    Very good point- the data is the brucey bonus on top of any ransom.
    But what pressure is on the criminals.
    The only pressure that would mean anything is a few of Putin's goons and a door-handle of Novichok.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    ineedeuro wrote: »
    .......................

    so number 1 we can make sure it never happens again......

    Impossible


  • Registered Users Posts: 18,166 ✭✭✭✭VinLieger


    ineedeuro wrote: »
    It would be nice to get the information so number 1 we can make sure it never happens again


    What would be your suggestion for ensuring this because unless you're suggesting we move 100% back to paper it's not possible.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    DubInMeath wrote: »
    The results of any security review are kept internal, standard practice as you will learn on any decent cyber security 101 course.

    Organisations can decide to release statements on how they were compromised, but they don't provide the security review report in full.

    They were fairly quick with the statements big upping themselves after WannaCry. The DG and CIO front and center taking credit and promising to learn lessons.

    Funny how so few are willing to countenance the reverse of this statement in light of what happened last week.

    "The heightened vigilance and ramped up security measures implemented by the HSE’s Office of the CIO over last weekend prevented..."
    Over 5,000 cyber-attack attempts discovered in one hospital


    The HSE’s decision last Friday (May 12th) to shut down all external access to its IT Network was taken with the primary focus of protecting clinical services and ensuring minimum disruption to patients and service users.

    While there has been some disruption within the health services, the prompt decision taken by the Director General of the HSE on Friday and the subsequent efforts by the Office of the Chief Information Office team has ensured that the impact on the delivery of care has been kept to a minimum.

    The HSE is now reviewing its response and processes thoroughly to better understand the threat posed since last Friday and to ensure that lessons can be learned from the events of the past few days. So far this review has revealed that the threat posed through the number of “attack attempts” was significant. Initial results indicate that one major hospital had over 5,000 cyber-attack attempts between Friday (12th) and Saturday (13th). Over the weekend the HSE discovered a number of key sites that had the “wannacry” toolkit on machines. However, the work done by the team prevented this toolkit converting into the ransom ware and causing the designed level of disruption.

    The HSE has already commenced the technical activity to re-connect the external access to the network including email services this morning. This activity should be complete in the mid-afternoon (Wed 17th May). The HSE will continue to scan all queued traffic to the network to protect against any infected e-mails that may remain unopened in the system.

    All clinical information systems were re-booted yesterday (Tuesday May 16th) to ensure they are fully up to date with software that protects them from the most recent cyber threats. Teams worked through the night to ensure that all servers and systems are reconnected. Currently, all systems are functioning safely and in a protected manner.

    Since Friday, only one health organisation (a voluntary Section 39 organisation that is not connected to the HSE Network) has been impacted by the “wannacry” virus. During the same period of time over 200 countries were impacted by the virus. Throughout the world, health systems, car manufacturers, mobile communications vendors, train operators and large parcel delivery functions were all impacted by the virus attack.

    The Chief Information Officer for the HSE, Mr Richard Corbridge noted: “The heightened vigilance and ramped up security measures implemented by the HSE’s Office of the CIO over last weekend prevented the “wannacry” virus from having the same kind of effect seen throughout the world over the last few days. While the threat has abated for now, the team remains on a high state of alert for additional ‘attack attempts’ on the HSE network.”

    Last updated on: 17 / 05 / 2017

    https://webcache.googleusercontent.com/search?q=cache:NEEWDXGMs7kJ:https://www.hse.ie/eng/services/news/media/pressrel/over-5-000-cyber-attack-attempts-discovered-in-one-hospital.html+&cd=2&hl=en&ct=clnk&gl=ie


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    gctest50 wrote: »
    Impossible

    Really?
    The whole HSE is affected. If they improve the security controls they might get attacked again but this could be minimised to sectors of the HSE and not across the entire organisation

    So are they using network segmentation? If not, if they introduce that, if a sector gets attacked then it is restricted to that sector

    From what is suggested the hackers had free rein around the entire HSE for a number of weeks. This can be stopped so it never happens again. Do you not agree?

    Do they have a SOC/SIEM? Were the rules set up correctly to see this type of activity across the network? Can they be updated? If not this can be added/updated to track better.

    This is just a start.


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Is there any bottom to the depths of Stephen Donnelly's stupidity.

    https://www.irishexaminer.com/news/arid-40297913.html

    Imagine being the minister in charge of the body which is accountable for the country's largest data breach going on air and saying "the HSE takes people's data very seriously" ???

    Chamberlain "Peace for our time"
    Nixon "You know, I've always wondered about the taping equipment. But I'm damn glad we have it"
    Bush (W) "They misunderestimated me"
    Sarah Palin: "Nuclear weaponry, of course, would be the be-all, end-all of just too many people on too many parts of our planet."
    Trump "I will build a great, great wall on our southern border, and I will have Mexico pay for that wall. Mark my words."
    Donnelly "the HSE takes people's data very seriously"


  • Moderators, Politics Moderators Posts: 39,885 Mod ✭✭✭✭Seth Brundle


    What do you expect him to say?


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    What do you expect him to say?

    We fecked up? We are sorry? We are going to radically change things? We take full responsibility for what happened?


  • Posts: 0 [Deleted User]


    What do you expect him to say?

    I expect him to explain how seriously they take the data whilst obtaining information illegally on Autistic children?

    https://www.irishtimes.com/news/health/call-for-inquiry-into-dossiers-collected-on-children-with-autism-1.4520038

    Or why for example they didn't take important data seriously as regards contacting women about their smear tests, this could have saved lives.

    The HSE only take data seriously when it has been compromised AND ONLY then allowed to be in the public domain. I'm glad they got caught out and I'd be first in line to sue them into obscurity on this alone.

    It would be hilarious if somebody set up a Facebook page for victims who've been contacted and had their very personal information sold to the highest bidder.
    They fought dying women tooth and nail into court and now they're flying the please don't sue us kite with this jockstrap attached the working end of it.


  • Moderators, Politics Moderators Posts: 39,885 Mod ✭✭✭✭Seth Brundle


    rusty cole wrote: »
    It would be hilarious if somebody set up a Facebook page for victims who've been contacted and had their very personal information sold to the highest bidder.

    Surely Facebook would be the last place someone would go if they are concerned about their personal data being lost by an organisation that doesn't give a sh1te about the breach?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    What do you expect him to say?

    An apology
    An explanation
    Something that shows empathy for those impacted
    The establishment of an independent enquiry
    A statement setting out high level remedial actions

    Or just keep his trap shut

    Anything other than "the HSE takes people's data very seriously" when even their most ardent supporters would have to say that that statement is seriously suspect and of very questionable merit in light of recent experience.

