News Bites – Appalachian Healthcare, Business Email Compromise and NITs
ITEM 1: As I wrote about a couple of weeks ago, Appalachian Regional Healthcare was attacked with some form of malware, forcing them to shut down every single computer in every hospital that they run. Finally, after twenty days, the hospital chain says that things are back to normal.
Appalachian says that they do not believe data was compromised, but they have not released any details about what happened, so we do not know if data was not compromised or if that is just wishful thinking. The hospital chain operates 11 hospitals in Kentucky and West Virginia.
During those almost three weeks, employees were forced to write down instructions on paper, ambulances were, in some cases, redirected to other hospitals, and doctors told their patients to bring their medications to office visits so that the doctors would know what the patients were taking.
Is your company ready for a twenty day outage like this?
ITEM 2: A small investment fund, Tillage Commodities, was the victim of a Business Email Compromise that played the company that they hired to protect their investors’ money for a fool.
Not only did the management company that Tillage hired not follow its own rules, but when the wires that they sent to China (supposedly at the request of Tillage, but in reality at the request of hackers) failed, they fixed them for the hackers.
Tillage closed their doors – an unfortunately too common occurrence after these email scams – and are suing the management firm, SS&C Technology, to recover their investors’ money.
Tillage hired SS&C because, as a small firm, they didn’t think they had the needed controls to avoid things like this. Instead, by trying to do the right thing, they got put out of business by a lack of employee training and policy execution.
Reading the details, SS&C appears to have completely screwed up and if they are smart, they will settle quickly to make this go away – before other customers become rattled that they will do this to them and not stand behind their mistake. As it is, they probably have already sustained some damage.
ITEM 3: The FBI has a kinder, gentler term for hacking into your computer and it is called a Network Investigative Technique or NIT. Different courts have held differently as to whether the FBI hacks are searches and I suspect this will go on for a while until the Supremes figure it out.
In the case in question, the FBI hacked – oh, wait, NITted – thousands of computers to figure out who was accessing a web site that contained illegal images.
A court in Texas says that yes, causing a web server to install unauthorized software on someone’s – or many someones’ – computers is a search and does require a warrant.
One judge went so far as to say that users who used the TOR network – whose only purpose is to create a small degree of privacy for the user – had no expectation of privacy and hence the FBI didn’t need a warrant.
The Supremes recently granted the FBI’s request to allow a single judge of the FBI’s choosing, anywhere in the country, to issue a warrant to allow the FBI to hack into an unlimited number of computers anywhere in the world. Assuming Congress doesn’t pass a law in the next 60 days rolling back the Supremes’ action, which it likely will not do, this will become the law on December 1. If the new Rule 41(b) does go into effect, then the FBI will likely get into the hacking business in an even bigger way than it is already.
Information for the Appalachian news came from Information Management.
Information for the Tillage news item came from CSO.
Information for the FBI news item came from Techdirt.