The Empire State Strikes Back
Silly Government Cyber Security
Tricks: Part 2
source:
https://www.top10films.co.uk/39366-network-still-mad-hell/
On January 15, 2023, The New York Post published an article entitled, "NY
lawmakers vow to tackle cyber hack attacks against hospitals, schools."
That's right, folks. We got trouble right here in River
City. Indeed,
The Empire State intends on Striking Back against
those nefarious 21st century Pirates of the Deep Web, The
Hackers.
And
I am sure with the best intentions, too. A recent example of the
depth of the problem in New York is exemplified by a recent report dated
December 12, 2022. The New York Times reported on a
cyberattack that crippled a Brooklyn based hospital group that mainly
serviced lower income patients.
The group, One Brooklyn Health, was hit by the attack in late November, officials confirmed. Now, even as cybersecurity experts work to get its three hospitals fully back online, doctors and nurses are forced to rely on methods most hospitals left behind in the 1990s: pen-and-paper patient care.
It was the forced reliance on analogue systems
that hospital staff were never trained
to use which contributed greatly to the cascading failures resulting in
the death of Baby Nicko Silar.
Attacks on healthcare facilities across the US have become numerous; and
these attacks have been well reported in various news outlets. A
December 28, 2022, article on the Politico website
was quite pessimistic about the situation improving any time soon.
The article states succinctly what truly lies at stake when hospitals'
computer systems are made inoperable by ransomware.
It’s time “to view these types of attacks, ransomware attacks on hospitals, as threat-to-life crimes, not financial crimes,” said John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association. Ransomware attacks — in which hackers encrypt networks and demand payment to unlock them — have been some of the most common strikes against medical facilities.
So in rides the Legislative Cavalry to save the day — well sorta. As
was reported in the NY Post article cited above: "State
senators who oversee homeland security and technology are considering
holding hearings on cybersecurity ransomware threats this year."
Well,
bless their little pea pickin hearts. Let me
forecast what some of the facts that these stalwart people's representatives
will likely be forced to encounter and come to grips with. For those keeping score at
home, a term to learn here is
Remote Access.
There is an aspect of
the practice of modern medicine that is both necessary and very likely to
result in hospital networks being compromised. A medical
specialist will remotely log onto a hospital's various departments in order to
quickly make a snap and hopefully correct diagnosis of an accident
victim, let's say, at 2:00 am If
that specialist does not make that correct snap diagnosis, the patient
might well end up a stiff on ice in the hospital basement by 2:30. The
application our specialist will most likely use is some iteration of VPN
software by
software vendor Citrix. In my consulting years, I have setup
Remote Access to both hospitals and universities using Citrix VPN apps.
Now Citrix software products, like scores of other widely used
applications, has a long and sullied history of critical
vulnerabilities. Again, for those following along at home, it
would be of value to peruse the
list of CVEs concerning Citrix software. The
most recent vulnerabilities are dated 11/28/2022. For CVE, see "Common
Vulnerabilities and Exposures," over at the Oracle.
The job of a legislature is to investigate issues of grave public
concern and then pass laws that will improve the situation that the
public is so concerned about. If what I have written herein is true,
then what new laws might the NY legislature pass; and what might be the penalties for
violating those newly enacted laws? Will the mighty NY legislature
impose penalties on
LogMein, Citrix parent, for producing such a
shoddy product? What about that medical
specialist who accessed the hospital using the same computer that the
doc uses to [fill in the blank].
Shouldn't that person know better? Maybe our erstwhile lawmakers
will simply point the finger at the hospital's network administrator who
may have been reluctant to install the latest patches for so many valid
reasons, and that single unpatched vulnerability caused a cyberattack
that bought down an entire hospital chain. How much time should
that network admin serve? She, if anyone, certainly should have
known better. All the while, the real crooks are most likely off
US shores and out of the reach of any State Laws.
Of course, none of those actors would
have knowingly committed any crime.
Each was simply doing her or his job as best they could.
Schools
also face
even greater challenges than ever before while trying to cope with the
dark side of Remote Access to its classrooms via
the Internet. A common misperception is that schools cannot be of
any real interest to the cyber crooks. Why on Earth hack a school?
The answer is simple, yet also complex.
Schools offer hackers cash and information that can be turned into cash.
Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.
When the lawmakers consider new
proposals in order to improve the cyber security of New York's
schools, who will the legislators hold responsible for any breaches? In
an era an of multiple pandemics who will be held
responsible for any ensuing cyberattack that is traced back to when a teacher phoned in a lesson from her cellphone over
Zoom? Once again, for those keeping score at home, I refer to
the list of CVE's that have plagued Zoom.
[ed. pun intended]
Are ill children going to be chastised for their remote learning
sessions platformed on the same notebook that the student goes a TikTokin on?
What how about all the admonitions for teachers to use email today?
Teachers today are encouraged to use email for any number of usual
teacher activities. From
sending lesson plans to
communication with parents, teachers utilize email
today as much as in any other profession. Along with all the ensuing risks
to networks that
email portends.
Lock 'em all up. That's what I say. Teach those
pigs feeding off the public trough a lesson.
And all those brats need their comeuppance, too. Yeah. Right.
It is incorrect to consider cyberattacks as
single player actions targeting one network for
God, Glory, and Gold, or whatever motivates these
misguided miscreants, and their Terrible, Horrible, No Good, Very Bad
agenda. If ever there were a real world and modern example of
a hydra headed monster, it is
The World of Hacking today. This monster
lurks deep in the the dark oceans of our Internet connected world.
The F.B.I. hasn't licked this monster. The NSA seems relatively
toothless in the face of this cyber pandemic.
Nations of the world can ban together to fight the scourge.
And it is all well and good, indeed. Yet, a
January 7, 2023, "Cyber-attack on ShipManager servers,"
caused... "Around
1000 shipping vessels [to] have been impacted by a ransomware attack."
That could just as easily be an
air traffic control system. Oh, I'm so sorry.
My bad.
I wish The Empire State Good Luck and Godspeed in its worthwhile attempt to grasp some understanding of these devastating issues of hacking in general and, specifically, ransomware. I am sure their investigations, and any resulting efforts, are all well intentioned. Nonetheless, NY doesn't need to spend any taxpayers money to get to the bottom of things. Simply peruse all of the great body of information readily available for anyone to read, digest, and come to a better understanding of this incredibly complicated issue. What Empire State legislators will learn, if a thorough and unbiased investigation is made, is what Walt Kelly told us over 50 years ago:
Walt Kelly
Pogo
April 22, 1971
Ink and blue pencil on paper
Pogo Collection
source: https://library.osu.edu/site/40stories/2020/01/05/we-have-met-the-enemy/