The CyberWire Daily Podcast 3.29.16
Ep 66 | 3.29.16

Healthcare cyber risks. Jihadi's iPhone accessed. Working with MSSPs.


Dave Bittner: [00:00:03:10] MedStar Health gets hacked, and the FBI investigates as speculation suggests ransomware. Ransomware continues to spread, with the latest targets being mobile devices. Turla spyware hijacks satellites to keep its command-and-control up. Crooks are going after legacy point-of-sale systems, and hard. They want to beat the move to chip-and-pin. Surveys say that the general public doesn't like that Dark Web thing they've been hearing about. And the Department of Justice says, "Thanks, your honor, but the FBI's cracked that iPhone after all."

Dave Bittner: [00:00:35:07] This CyberWire Podcast is made possible by the generous support of ITProTV, the resource to keep your cyber security skills up to date, with engaging and informative videos. For a free seven-day trial and to save 30%, visit and use the code CYBER30.

Dave Bittner: [00:00:57:22] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 29th, 2016.

Dave Bittner: [00:01:04:17] Yesterday personnel reporting to MedStar Health hospitals in the Baltimore and Washington regions of the US found their systems inaccessible. MedStar, one of the larger US healthcare providers, had detected "a virus" in its networks and shut down both email and access to its medical records database as a precaution. Hospital personnel are using hard-copy records as backups in caring for patients until the systems are restored. Early speculation suggests a ransomware attack, as opposed to a medical device hack or an identity theft caper, but the story's still developing. The FBI is investigating.

Dave Bittner: [00:01:40:01] Ransomware may or may not be behind the incident at MedStar, but it's a growing problem. Blue Point, Tripwire, Kroll and K2 all note an increase in the targeting of mobile devices, particularly mobile devices used by law firms, and the US FBI has both come out unambiguously against victims paying the ransom and has asked industry for its help. On Friday, the Bureau asked private sector enterprises to alert the FBI's CYWATCH cyber center if they come across any indication they've been hit with ransomware. Among ransomware variants recently discovered, in this case by Trend Micro, is Petya, which infects victims who believe they're accessing a résumé stored in some online sharing site. Often that site is Dropbox. And should you find yourself infected, by all means, call the FBI.

Dave Bittner: [00:02:29:23] The controllers of the Turla spyware Trojan, widely believed to be connected with Russian security and intelligence services, are proving dismayingly resilient. Kaspersky reports that Turla's hijacking asynchronous satellite Internet connections, thereby working around the many shutdowns of its command-and-control servers.

Dave Bittner: [00:02:49:15] FireEye warns that the long-expected, slowly developing migration of US point-of-sale systems to a more secure chip-and-pin architecture is driving a spike in point-of-sale exploits as criminals attempt to get their last shots in against legacy systems.

Dave Bittner: [00:03:05:05] In industry news, several firms announce new products or significant enhancements to existing lines. CloudLock's "Cloud Threat Funnel" purports to offer a fresh approach to reducing false alarm rates by recognizing and isolating behavior that poses a genuine threat to an enterprise. AlgoSec has extended its security policy management solution to Microsoft's Azure cloud platform. Ntrepid announces that it's enhanced the capabilities of its Passages Enterprise secure virtual browser by improving the user interface and integrating advanced malware scanning from Cylance. We talked to another company, Zimperium, about its successful experience integrating its mobile security solution with the services of a major telecommunications company.

John Michelsen: [00:03:47:21] Although Deutsche Telekom has some great mobile security expertise, it's a, it's a very specialized skill to be able to build really sophisticated detection technology on Android, iOS and soon other model platforms, and I think if I were in Deutsche Telekom's position, I'd rather partner with leading technology than try to go build my own and to compete with it. When they decided to build the organization T-Sec, they would have had a years-long effort to build the product from scratch. Instead, they were able to identify the leading technology in the market, which happened to be us, and bring it to market for their customers within just a few months, and of course for Zimperium, we get a lot more reach with our product, and that's fantastic, and, and in the end the customer really wins because it's an easier process for the customer to acquire and to manage and maintain.

Dave Bittner: [00:04:41:04] That's John Michelsen from Zimperium. We'll hear more about their partnership with Deutsche Telekom, the challenges, the successes and their thoughts on protecting your intellectual property when you're partnered with a giant on tomorrow's Podcast. Zimperium's website is

Dave Bittner: [00:04:58:22] The Dark Web's reputation is sufficiently dark that surveys indicate most people would like to see it shut down, privacy or no privacy. The New York Times reports that one of the key ISIS figures in Western European attacks was selected by his masters specifically for his proficiency with TrueCrypt, but TrueCrypt's actual use in any terrorist operation remains largely a matter of conjecture.

Dave Bittner: [00:05:20:20] The long-running dispute between Apple and the FBI is over, at least in court. The Bureau announced late yesterday that it had succeeded in gaining access to the contents of the San Bernardino jihadi's iPhone. How it did so the Bureau's not saying, and legal observers think that Apple will have difficulty getting the FBI to tell it. But the services of Cellebrite are still widely believed to have made a central contribution to getting into the phone.

Dave Bittner: [00:05:46:02] Ever taken the SAT? Sure you have, or at least, a lot of you have, or soon will. It seems the SAT's been leaky for a while, with answer keys widely distributed, especially in Asia. So here's a sample question, kids, to help you with the reading comprehension section of the exam. What's one indication that a test just might have been compromised? (A) The test reuses old questions. (B) A lot of people from Taipei seem to be getting perfect scores. (C) Answer keys are for sale online. Or could it be (D) All of the above? Here's a hint. The answer's usually B or C, we hear, but in this case, pick D.

Dave Bittner: [00:06:29:21] This CyberWire Podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:06:49:23] Malek Ben Salem is the R&D manager for security at Accenture Technology Labs, one of our academic and research partners. I know you all are doing some research when it comes to data protection in the healthcare industry. What can you share with us about that?

Malek Ben Salem: [00:07:03:01] So as you know, in 1996 the, the HIPAA Act was enacted, and that act set some strict privacy requirements that healthcare providers must abide by in handling sensitive electronic data, and one of the things it requires is minimum-privilege access to patient medical records. Now, hospitals and healthcare providers struggle with enforcing or implementing those requirements, but as you know, when providing healthcare services, in many cases doctors or nurses may need emergency access to patient data that, based on their role, they should not have access to. So what happens is that these healthcare providers do not restrict access to patient records but rely on auditing mechanisms to see when their doctors or nurses have accessed patient data that they did not need to access. There are millions and millions of accesses, and these logs are huge. So many hospitals do not even do that audit either. So not only do they not enforce or comply with the HIPAA requirements, that minimum or least-privileged access, but they don't even audit them. So what we tried to do is develop a tool that could be used by healthcare providers to, one, infer a de facto access control policy based on the audit logs that they've collected, and two, identify, if they have an access control policy in place, where was that access control policy violated?

Dave Bittner: [00:08:48:10] So it's really digging into the data and automating the process for the auditors?

Malek Ben Salem: [00:08:53:22] Exactly. And, and that gives them the opportunity, based on the insights that they can get from that, it gives them the opportunity to, to identify the violation, perhaps go back to, you know, reduce or lower the access privileges of certain users, or of certain peer groups, if they're not using those privileges for a long time. That probably means that they don't need those privileges, so they can go back and at least try to implement the spirit of HIPAA even though they cannot implement it completely. So the point here is to make sure that we can balance the usability with protecting the privacy of the patients as well.

Dave Bittner: [00:09:34:24] Malek Ben Salem from Accenture Labs, thanks for joining us.

Dave Bittner: [00:09:40:10] And that's the CyberWire. For links to all of today's stories, visit and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.