Russia’s Internet Sovereignty Law, Supply Chain Attacks, a Spectre / Meltdown Silver Lining
TLP White: In this edition of Hacking Healthcare, we examine the implications of Russia’s new internet sovereignty law. We then break down a worrying trend in supply chain attacks. Finally, we dive into how Spectre and Meltdown have changed the way industry approaches hardware vulnerabilities and disclosures.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Russia Tightens Its Grip.
Last week, Vladimir Putin signed a law that continues to take Russia further down the road of internet sovereignty and isolationism. The new law requires networks in the Russian Internet to provide more information to state regulators and expands the ability of the state to block or remove content that may threaten law and order or national security.[1] This law follows the recent declaration that Russia must construct its own Domain Name System (DNS) so that it may be able to operate in the event that Russia’s connection to the Internet is severed. While the Russian state maintains the need for such a system is purely defensive and would be necessary in the event of a sophisticated attack against it, experts and free speech activists have called that explanation a convenient pretext for exerting even more control over what Internet content is accessible.
Once in effect, currently scheduled for November, the law would go a long way toward centralizing Russian Internet routing, which will make it considerably easier for the state to monitor Russian Internet users. Currently, ISP hopping and VPNs can still be used to navigate around the censorship the Russian state has attempted to put in place, but laws like this one move closer to making these techniques ineffective while turning the country’s Internet into a walled garden.[2]
2. Supply Chain Menace.
If you’ve wondered about the increased attention given to supply chain attacks lately, the Barium group might be the culprit. This group of hackers, alternatively called Shadowhammer, Wicked Panda, and Shadowpad, has been on a supply chain rampage over the past few years. A new Wired report asserts that they have hit six different software distribution channels in the past three years, and that their handiwork was behind the Asus attack earlier this year and the attack on PC cleanup software CCleaner, and may have been behind the breach of Bayer.[3],[4] Security researchers like Silas Cutler at Chronicle are thankful that the group appears to be more interested in spying than in creating havoc. However, if they do ever switch tactics, he believes their sophistication would allow them to be more damaging than NotPetya.[5]
Some researchers think that the Barium group is doing more than enough damage already. Vitaly Kamluk of Kaspersky believes that the insidiousness of Barium’s attacks lies in the damage they do to the trusted systems that underlie the security ecosystem. Kamluk reasons that “This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors.”[6]
3. Hardening the Hardware and Developing Disclosure.
Despite the repercussions surrounding the discovery and subsequent fallout of Spectre and Meltdown, there is a silver lining worth mentioning. For years the vast majority of resources have been focused on creating processes and mitigations for software vulnerabilities. This made sense, because software vulnerabilities made up the vast majority of all known vulnerabilities. However, when Spectre and Meltdown were found to make nearly every modern processor vulnerable to exploitation, it jolted the industry into awareness of hardware vulnerabilities in addition to their software counterparts.[7]
That awareness has led to significant developments in the process of finding and fixing hardware vulnerabilities. Intel has streamlined its patching processes in an effort to make them less burdensome on users. This has culminated in an expanded hardware vulnerability team and microcode patches being bundled with operating system updates.[8] This should not only help with the rate of adoption for updates, but will also give Intel metrics to better measure that adoption rate within its chip ecosystem.[9]
Additionally, the focus on this issue has led people to rethink the hardware vulnerability disclosure process. A notable outcome has been the recent release of the Center for Cybersecurity Policy and Law’s Improving Hardware Component Vulnerability Disclosure paper.[10] The paper outlines a number of recommendations for improving the current system and speaks to the need for continual iteration to gradually decrease the amount of time it takes for the disclosure and mitigation process to work.[11]
Congress –
Tuesday, May 7th:
–Hearings to examine implementing the 21st Century Cures Act, focusing on making electronic health information available to patients and providers, part II. – Senate Committee on Health, Education, Labor, and Pensions
–Hearings to examine privacy rights and data collection in a digital economy. – Senate Committee on Banking, Housing, and Urban Affairs
Wednesday, May 8th:
–Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security – House Committee on Energy and Commerce (Subcommittee on Consumer Protection and Commerce)
Thursday, May 9th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–2019 H-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)
<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop – Buffalo, NY (6/18/2019-6/19/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
https://h-isac.org/hisacevents/health-it-summit-northeast/
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Majority of SMB execs willing to pay in a ransomware situation
https://www.scmagazine.com/home/security-news/ransomware/majority-of-smb-execs-willing-to-pay-in-a-ransomware-situation/
–50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers
https://www.reuters.com/article/us-sap-security/50000-companies-exposed-to-hacks-of-business-critical-sap-systems-researchers-idUSKCN1S80VJ
–Database Exposes Medical Info, PII Data of 137k People in U.S.
https://www.bleepingcomputer.com/news/security/database-exposes-medical-info-pii-data-of-137k-people-in-us/
–MITRE asks vendors to do more to detect stealthy hacks
–Hacker Lexicon: What Is Application Shielding?
https://www.wired.com/story/what-is-application-shielding/
–The hype cycle of AI in healthcare
https://www.healthcareitnews.com/news/asia-pacific/hype-cycle-ai-healthcare
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.bbc.com/news/technology-48147515
[2] https://www.wired.com/story/putin-russia-internet-law-security-roundup/
[3] https://www.cyberscoop.com/bayer-breached-china-wicked-panda/
[4] https://www.wired.com/story/barium-supply-chain-hackers/
[5] Ibid
[6] Ibid
[7] https://meltdownattack.com/
[8] https://www.cyberscoop.com/jolted-meltdown-spectre-intel-aims-accelerate-patching-process/
[9] Ibid
[10] https://static1.squarespace.com/static/5acbb666f407b432519ab15e/t/5cc86f37c830251f28d258fc/1556639544235/The+Center+for+Cybersecurity+Policy+and+Law_Improving+Hardware+Component+Vulnerability+Disclosure_April+2019.pdf
[11] https://www.cyberscoop.com/jolted-meltdown-spectre-intel-aims-accelerate-patching-process/