Mitigating the Quantum Risk to Cybersecurity

One of the most fundamental pillars of cybersecurity is cryptography, and most of the cryptographic tools used today rely on computational assumptions, such as the difficulty of factoring 2048-bit numbers.

Two decades ago, we learned that the quantum paradigm implies that essentially all of the deployed public key cryptography will be completely broken by a quantum computer, and that brute-force attacks on symmetric ciphers can also be sped up significantly. Fortunately, quantum computers did not exist at the time.

Today, the wait-and-see approach is no longer a responsible option. Protecting against quantum risk takes many years of planning and deployment. The realistic timelines for evolving to a quantum-safe infrastructure are comparable to the timelines for the quantum risk to become a reality. If one is responsible for providing medium- or long-term confidentiality, the risk of waiting is even more acute.

Research advances in the past decade have brought security experts close to having a blueprint of a robust scalable quantum computing system, which will be followed by a focused engineering effort to build large-scale quantum computers. While it is hard to predict how long these final stages will take, there is no reason for people to be confident that it will take much more than a decade or so.

At present, I estimate a 1 in 7 chance of breaking RSA 2048 by 2026 and a 1 in 2 chance of breaking it by 2031. Recently, the US National Security Agency (NSA) announced preliminary plans for transitioning to quantum-resistant algorithms.

In my recent Journal article, “Cybersecurity in the Quantum World,” I explain quantum technologies and how they threaten cybersecurity. The article also discusses timelines for managing this quantum risk and the kinds of approaches an organization can take.

Read Michele Mosca’s recent Journal article:
“Cybersecurity in the Quantum World,” ISACA Journal, volume 5, 2015.

[ISACA Journal Blog]

More Details on the XcodeGhost Malware and Affected iOS Apps

A few days ago, we investigated a new malware called XcodeGhost that modifies Xcode, infects iOS apps and is seen in the App Store. We also found that more than 39 iOS apps were infected, including versions of some pretty popular apps like WeChat or Didi, potentially affecting hundreds of millions of iOS users. We also analyzed XcodeGhost’s remote control functionalities, which can be used by attackers to phish or to perform further attacks. In this post we will discuss a few more details we have since learned about XcodeGhost and its behavior.

Actions to Stop the Attack

Since our post on September 18, Palo Alto Networks has cooperated with Apple, Amazon and Baidu to share samples, threat intelligence and research. All of them have taken actions to stop the attack or to mitigate the security threat.

Starting September 18, Apple began to remove some iOS apps infected by XcodeGhost from its App Store. Apple also sent an email to affected developers, guiding them to recompile their products with the official Xcode and to re-submit them. Apple has acknowledged XcodeGhost as malware and that it has affected the App Store.

Figure 1. The “Railway 12306” app was temporarily removed from the App Store

Amazon has also taken action, including shutting down all C2 servers on Amazon Web Services that XcodeGhost was seen to have used to upload private information and dispatch control commands.

Baidu has removed all malicious Xcode installers from its cloud file sharing service, making it much harder for a developer to download an infected Xcode unintentionally.

As of this writing, on Monday, September 21, we notice that some previously known infected iOS apps are still available in the App Store, among them China Unicom Mobile Office version 3.2 (Figure 2).

Figure 2. An infected app still available in the App Store on Monday morning

More Infected Apps Disclosed

In the last few days, other security companies have claimed that many more iOS apps are infected by XcodeGhost. For example, Qihoo 360 listed 344 infected apps in their blog. Pangu Team claimed detection of 3,418 different infected iOS apps. Pangu Team also released an iOS app to detect the trojanized iOS apps they’ve found.

We have not verified their results. However, considering that the malicious Xcode installers have been spread since March 2015, that the C2 servers were also launched in March, and that search engine results were polluted, it wouldn’t be surprising if the number of affected iOS apps is far greater than we thought.

More Technical Analysis

Xcode Modification

The most novel attack technique in XcodeGhost is the modification of the Xcode compiler. The idea itself is not a new one. According to The Intercept’s report on documents disclosed by Edward Snowden, for example, the TCB Jamboree 2012 conference included a presentation called “Strawhorse: Attacking the MacOS and iOS Software Development Kit”.

In this presentation, researchers from Sandia National Laboratories presented the idea of attacking Xcode to infect apps on both iOS and OS X. Note that The Intercept reported on this presentation on March 10, 2015, the same month XcodeGhost was launched.

Figure 3. Document leaked by Edward Snowden showing the same attack method

In our September 17 report, we described how XcodeGhost added malicious “CoreServices” object files to the Xcode installers. When developers use an infected Xcode to compile an app, the linker links these malicious object files into the app’s executable file. How is this accomplished?

Our analysis shows that XcodeGhost also modified the following file in Xcode to control the linker:

  • Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec

In Xcode, this Ld.xcspec file contains the configuration used by the ld linker. At the end of this file, the definition of the “DefaultValue” variable was changed by XcodeGhost by appending the string:

  • -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices

Figure 4. XcodeGhost modified the Ld.xcspec file

Using this method, the malicious object file is forcibly linked into the target executable. This modification is not shown in Xcode’s user interface, but it does appear in the build logs.

Prompting Alert Dialog

In previous reports, we discussed that XcodeGhost’s malicious code can be used for phishing by prompting deceptive alert dialogs through its built-in remote control functionality. Here we actually made a mistake in our initial reporting. In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that.

In iOS, if an app prompts a dialog with the UIAlertView class, there’s a property, alertViewStyle, that specifies which kind of dialog to show. For example, if a password input dialog is needed, the property should be set to UIAlertViewStyleLoginAndPasswordInput. If the developer doesn’t specify any value, by default the dialog has no input fields and is just an alert with a message and buttons.

We checked all versions of the malicious XcodeGhost files we have available, and didn’t find any that set this property when prompting the alert dialog. Hence, the current XcodeGhost cannot be directly used for iCloud password phishing.

Figure 5. XcodeGhost didn’t specify alertViewStyle property

However, it would be easy for the author to add an alertViewStyle value and a delegate to handle the user’s input. In this way, XcodeGhost could be used to phish any kind of password.

Potential Vulnerability in XcodeGhost

XcodeGhost uses HTTP to upload information and receive C2 commands. The content of these HTTP requests and responses is encrypted with the DES algorithm in ECB mode. It’s also not hard to find the encryption key in its code by reverse engineering.

Consider that HTTP traffic can be hijacked or faked in many ways. There’s a vulnerability in the infected iOS apps whereby the malicious code in them can be controlled by any man in the middle. By exploiting this vulnerability, an attacker can construct a URL in any scheme and make infected apps open it, or prompt an alert dialog for further attacks.

Note that although the malware’s C2 servers were shut down, this vulnerability still exists and can be exploited on all affected iOS devices.

Security Suggestions to iOS Users

iOS users can install Pangu Team’s app (by visiting x.pangu.io directly on an iPhone or iPad) to detect whether their installed apps are infected. If there is an infected app, we suggest users temporarily delete it until an updated version is available from its developer.

Two more actions will also help mitigate further attacks or exploitation. One is to enable two-step verification for your Apple ID, and the other is to avoid using untrusted WiFi networks.

Even with all of these steps, it’s still a challenge for iOS users to protect themselves from this kind of malware. The attention this has received will hopefully incent Apple and developers to prevent similar attacks in the future.

Suggestions to iOS and OS X Developers

To avoid being affected by similar malware in the future, we recommend that all developers always download development tools directly from official channels. This includes downloading Xcode, SDKs and the Command Line Tools from Apple’s websites or the Mac App Store, and downloading third-party libraries such as Unity3D from their original providers.

Second, we suggest all developers set the Gatekeeper protection level to its default value on the Macs they use for development, integration and deployment. To do this, open System Preferences, Security & Privacy, and allow apps downloaded only from the “Mac App Store and identified developers.”

Last, we urge iOS and OS X developers to check the integrity of their development tools and libraries before every new product release. This can be done with the “codesign” utility or by checking hash values.
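As an added example (not code from the Palo Alto Networks post), the following POSIX shell script turns the Ld.xcspec finding from the “Xcode Modification” section and the integrity-check advice above into a repeatable audit: it greps an Ld.xcspec for a DefaultValue line that force-loads the CoreServices framework binary, verifies the Xcode bundle with codesign and spctl where those Apple tools exist, and exercises the spec check on two constructed sample files. The Ld.xcspec path is the one quoted in the post; the sample spec fragments, the function names and the default /Applications/Xcode.app location are assumptions.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' code: audit an Xcode install for the
# XcodeGhost Ld.xcspec tampering and verify the bundle's code signature.
# Assumed: the Ld.xcspec path quoted in the post, a default Xcode location,
# and constructed sample spec fragments for the self-test.

LD_XCSPEC_REL="Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec"

# check_ldspec FILE: report DefaultValue lines that force-load the CoreServices
# framework binary. Returns 0 when clean, 1 when a suspicious entry is found,
# 2 when the file cannot be read.
check_ldspec() {
    spec="$1"
    [ -r "$spec" ] || { echo "cannot read $spec" >&2; return 2; }
    # Fixed-string matching: the flag contains $(...), which is not a regex.
    hits=$(grep -n 'DefaultValue' "$spec" \
        | grep -F -e '-force_load' \
        | grep -F -e 'CoreServices.framework/CoreServices' || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS %s\n%s\n' "$spec" "$hits"
        return 1
    fi
    echo "clean $spec"
    return 0
}

# verify_bundle APP: check the signature (codesign) and the Gatekeeper
# assessment and status (spctl). These are Apple tools, so the check is
# skipped on other hosts.
verify_bundle() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign/spctl not available on this host; skipping signature check"
        return 0
    fi
    codesign --verify --deep --strict "$app" || return 1
    spctl --assess --type execute "$app" || return 1
    spctl --status
}

# audit_xcode [APP]: run both checks; non-zero when anything looks wrong.
audit_xcode() {
    app="${1:-/Applications/Xcode.app}"
    rc=0
    check_ldspec "$app/$LD_XCSPEC_REL" || rc=1
    verify_bundle "$app" || rc=1
    return $rc
}

# make_samples: write two constructed Ld.xcspec fragments (not real Xcode
# files) into a temp dir and print its path: clean.xcspec and bad.xcspec.
make_samples() {
    dir=$(mktemp -d)
    printf '{\n    DefaultValue = "";\n}\n' > "$dir/clean.xcspec"
    printf '{\n    DefaultValue = "-force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices";\n}\n' > "$dir/bad.xcspec"
    echo "$dir"
}

# Self-test on the constructed samples, then audit a real Xcode if present.
samples=$(make_samples)
check_ldspec "$samples/clean.xcspec"
check_ldspec "$samples/bad.xcspec" || echo "(tampered sample correctly flagged)"
if [ -d /Applications/Xcode.app ]; then
    audit_xcode /Applications/Xcode.app
fi
```

Run it on the Mac used for builds as `sh audit_xcode.sh`; a non-zero exit from audit_xcode means either the linker spec carries the appended -force_load entry or the bundle fails signature or Gatekeeper assessment, both of which are reasons to reinstall Xcode from the Mac App Store before shipping.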

Acknowledgements

Thanks to @noar for notifying us of the modification in the Ld.xcspec file.

[Palo Alto Networks Blog]

GlobalProtect Integration with AirWatch: Solving the Mysteries of Mobile Security and BYOD

Over the ages, philosophers challenged the conventions of traditional thinking by meditating upon a “koan.” A koan is similar to a riddle, except that there is no punchline. It typically involves a paradoxical statement that is subject to a multitude of interpretations, many of which are correct in their own peculiar way. And even when analyzed with a great deal of time and deep thought, the koan defies an answer.

For security practitioners, the topic of what to do about mobile devices introduces a series of modern-day koans.

  • How could your network security policies apply to users who are not in the office?
  • How do you inspect traffic when users are not behind your firewall?
  • How can you provide security while respecting privacy?
  • How can you protect business data on a device that you don’t own?

These questions were not easily solved, primarily because conventional thinking led to more dead ends. Organizations accustomed to having total control over fairly stationary, corporate-owned devices found themselves in an entirely different world when faced with mobile devices and BYOD. And trying to apply such measures often led to stalemates or unacceptable compromises to the protection of the company’s data or user’s expectation of privacy.

In order to address concerns with mobile security, and break through the questions around past approaches, Palo Alto Networks partnered with VMware/AirWatch to bring forward fresh thinking. The Palo Alto Networks next-generation security platform provides the most comprehensive approach to stopping threats, based on prevention. AirWatch has deep expertise for managing mobile devices and applications. By providing integration points between these two sets of products, we can provide our respective customers a solution to deliver security for business assets on a device while honoring privacy for both personal data and traffic.

The first aspect of the integration is the use of AirWatch’s enrollment process to provision the GlobalProtect app. During enrollment, an unmanaged mobile device (including one that is personally owned) is loaded with the appropriate configuration and enterprise applications that prepare it for use in a business environment. The organization can manage the business assets separately from the personal apps and content on the device. The GlobalProtect app can be transparently installed during enrollment, providing the key capability of establishing an app-level VPN tunnel back to the next-generation firewall for traffic visibility, the enforcement of policy, and threat prevention. The traffic from personal apps remains untouched, thus honoring the user’s expectation for privacy with non-business-related activity.

A second aspect of the integration is the use of threat intelligence from WildFire to detect mobile devices with malware. Since AirWatch knows about the inventory of apps on a mobile device, integration with WildFire allows the organization to spot devices that are infected. AirWatch can apply a workflow to address the issue, such as alerting the user or quarantining the device until the problem has been corrected.

With these new capabilities, organizations have a more nuanced and balanced approach to mobile security, one that’s focused on the specific requirements of protecting the business apps and data without having to cross personal boundaries. By applying an integrated approach, the mobile security koans now have answers that are readily available. The organization can move forward with the adoption of mobile computing by having the requisite security for business content while honoring their employees’ expectations of privacy for personal data.

To learn more about this integration, visit http://paloaltonetworks.com/airwatch. Palo Alto Networks will also be on hand at AirWatch Connect in Atlanta this week. Watch this space for more thoughts following my time there.

[Palo Alto Networks Blog]

Health IT’s Most Pressing Issues (Part 4)

Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the fourth installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.

Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read other installments in the series, go here: Health IT’s Most Pressing Issues, Health IT’s Most Pressing Issues (Part 2) and Health IT’s Most Pressing Issues (Part 3). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.

Charles A. “Drew” Settles, product analyst, TechnologyAdvice

First and foremost, of all the issues facing healthcare technology, I believe the top issue is the interoperability (or lack thereof) of most electronic medical records systems. Interfacing systems from disparate vendors usually takes expensive custom development, but hopefully the push for free access to EMR/EHR APIs in Stage 3 of the Meaningful Use Incentive program will finally bring semantic interoperability to health IT.

Paul Cioni, senior vice president, Healthcare & Infor Solutions Sales, Velocity Technology Solutions

The top issue facing healthcare CIOs is that there is simply too much for them to do, including major initiatives involving information security, patient confidentiality, and revenue cycle management and reimbursement. Most are focusing on what’s urgent, rather than on what’s important. All of these issues are not only competing for a CIO’s budget, but also for his/her time. With so many things on the “as soon as possible” priority list, healthcare CIOs barely have time to strategically plan. It’s difficult for CIOs to create a five-year plan for the organization’s IT when they’re trying to figure out the next five months. A disaster recovery plan, for example, may not get created when CIOs are more concerned with downtime of clinical applications or the reporting of a data breach to the regulatory authorities.

The use of the cloud — with a comprehensive but flexible portfolio of service options — helps relieve CIOs from what I call the “tyranny of the urgent.” By allowing a cloud provider to manage a variety of back-office and ERP-related functions, the CIO can shift his focus to systems that affect clinical outcomes. Extending the secure, private cloud approach to clinical systems liberates key resources — budget and people — to focus on achieving meaningful use or embracing population health initiatives. Cloud deployment options like disaster recovery as a service or desktop as a service can conserve capital dollars and speed time to outcome. It’s not one issue – it’s all of them.

Lynn O’Connor Vos, CEO, Grey Healthcare Group (ghg)

The rapid acceleration of advancements in health information technology is leading to greater efficiency and productivity in the industry. At the same time, while technology has improved healthcare delivery in certain respects, significant challenges remain, particularly in areas related to the collection and transfer of health information and the user experience of healthcare providers and patients throughout this process. A perfect example of this is EHR/e-Prescribe systems, which are being adopted to solve a number of problems, including inaccurate prescriptions and portability of patient data, but which have also introduced other issues, in that healthcare providers (HCPs) are now burdened with time-consuming data entry that may be impacting their efficiency with chart updates.

With the goal of improving outcomes, patient adherence to medication is a critical factor in achieving the outcomes needed in chronic disease. At present, paper prescriptions leave too much to chance and it is well known that a significant number of prescriptions never get filled, and about six out of 10 patients report that they do not always take their medication as directed (according to the American Academy of Family Physicians). Health IT can play a vital role in supporting the healthcare process at every stage of a patient’s journey. However, true, efficient interoperability between healthcare systems is still a goal, rather than a reality, and immediate solutions are required to meet the needs of patients, caregivers, their healthcare providers and other stakeholders. A relevant example of this is the process of filling a prescription. As payers make efforts to control costs in the marketplace, an increasing number of prescriptions now require prior authorization (PA). Incredibly, even with the latest advancements in health IT, a patient generally doesn’t learn that their prescription has been rejected because of a PA requirement until they are standing at the pharmacy attempting to pick it up. The subsequent process to obtain a completed PA and successful submission is labyrinthine, and unfortunately, a number of drop off points exist, leading to a significant gap between PAs required and PAs successfully submitted. According to market research, upwards of 40 percent of patients who receive a PA forego treatment altogether, and only 30 percent of patients receiving a PA receive the originally prescribed medication. These data indicate that significant barriers to care exist as patients denied prescriptions at the pharmacy as a result of PA requirement are less likely to get that prescription filled at all.

Given the barriers with PAs, services have emerged to facilitate the process and attempt to improve the outcome. The challenge is that the complexity of forms and information required and the submission process itself present obstacles that are often difficult for busy healthcare providers to overcome. Administrative and logistical barriers include failure to notify the HCP about the PA requirement, incorrect form submission, submission of incomplete or inaccurate information, and confusion in completing a non-standard form. Numerous handoffs along the way also increase the likelihood that the form may never be successfully completed or submitted. To date, Health IT has not provided a seamless solution to these challenges.

The administrative onus for PAs falls heavily on physicians and pharmacies, and can bring significant effort and frustration for them. It can take an average of 30 to 45 minutes to complete a prior authorization, while denial rates can be high, often because of minor errors and omissions, and appeal processes can be cumbersome. In an environment that increasingly aligns health outcomes to reimbursement rates, unsuccessful prior authorization submissions can result in fewer patients receiving the medicine they need, poor outcomes and lost revenue. Fortunately, the prior authorization process does not have to rely solely on technology and automation. PARx Solutions provides a concierge approach to the problem, engaging clinical staff to work one-on-one with physician offices and pharmacies to help streamline prior authorization processes and improve success rates. The company’s holistic solution, which combines automated software systems with clinical staff attention and follow through, ensures a higher success rate of submission than wholly automated solutions.

Health IT has come a long way in automating many important healthcare processes; however, instant data exchange and true interoperability are still future goals, and meeting the user experience needs of healthcare constituents is still a significant challenge. Healthcare stakeholders must focus on providing immediate solutions to bridge these gaps, and some of these may require a combination of technology and human attention. To become a true service industry, healthcare must provide patients with personalized care, not systematic care. For some, this may include tangible incentives to keep to care plans, such as reduced monthly contributions to individual’s health plans by agreeing to certain commitments. For others, it may be decision-making support. Regardless of the approach, the challenge for health IT is to better support physicians and patients in more personalized ways that allow them the flexibility to drive the health care needs of each patient effectively.

Eric Rice, chief technology officer, Mach7 Technologies

Many of the current Health IT issues are around interoperability and the ability to provide a “complete” patient record. The majority of HIT systems don’t communicate with one another effectively, if at all. A single unified platform upon which to plug in best-of-breed or specialty/departmental solutions can enable communication across an enterprise, IDN or region, consolidating storage of the data.

Key issues:

— Achieving MU 2 and 3, image enabling the EMR
— Providing access and sharing of patient imaging data across the enterprise, IDN, region
— Ability for providers and clinicians to select their best-of-breed visualization solutions
— Consolidating storage / controlling storage cost
— No system in place to effectively and efficiently manage growth (i.e. organic, M&A…); need a scalable, highly-available platform

John Matthews, CIO, ExtraHop

Healthcare IT organizations are being bombarded from all sides. Not only are they tasked with managing complex, diverse and disparate IT environments of any industry, they must often do so on a budget and with limited human capital. Compounding these pressures is the fact that clinicians and business stakeholders rely heavily on IT systems to manage patient care and outcomes.

Take the ICD-10 migration, for example. Working with our customers, we’ve realized that one of the foundational challenges of this migration has simply been the ability to quickly and easily identify the components in their environment that interact with ICD codes. HDOs need this information in order to understand how these codes flow through the organization, and to develop a roadmap for migration. Incomplete migration when the new standards go into effect on October 1 of this year will have a major impact on the business side of healthcare, impacting billing and reimbursement. It will also impact patient care if patient conditions are improperly coded, making it more difficult to provide proper care and deliver good outcomes.

[Electronic Health Reporter]

Health IT’s Most Pressing Issues (Part 3)

Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the third installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.

Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the earlier installments in the series, go here: Health IT’s Most Pressing Issues and Health IT’s Most Pressing Issues (Part 2). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.

Reuven Harrison, CTO and co-founder, Tufin

The healthcare industry has undoubtedly become a bigger target for security threats and data breaches in recent years and in my opinion that can be attributed in large part to the industry’s movement to virtualization and the cloud. By adopting these agile, effective and cost-effective modern technological trends, it also widens the network’s attack surface area, and in turn, raises the potential risk for security threats.

We actually conducted some research recently that addresses evolving security challenges, including those impacting the healthcare industry, with the introduction of cloud infrastructures. The issue is highlighted by the fact that the growing popularity of cloud adoption has been identified as one of the key reasons IT and security professionals (57 percent) find securing their networks more difficult today than two years ago.

Paul Brient, CEO, PatientKeeper, Inc.

No industry on Earth has computerized its operations with a goal to reduce productivity and efficiency. That would be absurd. Yet we see countless articles and complaints by physicians about the fact that computerization of their workflows has made them less productive, less efficient and potentially less effective. An EHR is supposed to “automate and streamline the clinician’s workflow.” But does it really? Unfortunately, no. At least not yet. Impediments to using hospital EHRs demand attention because physicians are by far the most expensive and limited resource in the healthcare system. Hopefully, the next few years will bring about the innovation and new approaches necessary to make EHRs truly work for physicians. Otherwise, the $36 billion and the countless hours hospitals across the country have spent implementing electronic systems will have been squandered.

Mounil Patel, strategic technology consultant, Mimecast

Email security is one of healthcare’s top IT issues, thanks, in part, to budget constraints. Many healthcare organizations have already allocated the majority of IT dollars to improving systems that manage electronic patient records in order to meet HIPAA compliance. As such, data security may fall to the wayside, leaving sensitive customer information vulnerable to sophisticated cyber-attacks that combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of email-based threat. The only defense against this level of attack is a layered approach to security, which has evolved beyond traditional email security solutions that may have been adequate a few years ago, but are no longer a match for highly-targeted spear-phishing attacks.

Dr. Rae Hayward, HCISPP, director of education and training at (ISC)²

According to the 2015 (ISC)² Global Information Security Workforce Study, global healthcare industry professionals identified the following top security threats as the most concerning: malware (77 percent), application vulnerabilities (74 percent), configuration mistakes/oversights (70 percent), mobile devices (69 percent) and faulty network/system configuration (65 percent). Also, customer privacy violations, damage to the organization’s reputation and breach of laws and regulations were ranked equally as top priorities for healthcare IT security professionals.

So what do these professionals believe will help to resolve these issues? Healthcare respondents believe that network monitoring and intelligence (76 percent), along with improved intrusion detection and prevention technologies (73 percent) are security technologies that will provide significant improvements to the security posture of their organizations. Other research shows that having a business continuity management plan involved in remediation efforts will help to reduce the costs associated with a breach. Having a formal incident response plan in place prior to any incident decreases the average cost of the data breach. A strong security posture decreases not only incidents, but also the loss of data when a breach occurs.

Terry Edwards, CEO, PerfectServe

One of the major challenges the healthcare industry is navigating is how to enable more effective communication and collaboration across care teams, while also being HIPAA compliant. Physicians, nurses and all care team members need to be able to send and receive information on a patient’s condition in real-time, without compromising protected health information.

Providers often try to address secure communication with point solutions (secure texting), yet these tools are incomplete and the kind of collaboration that needs to occur doesn’t happen. In many cases, it’s just too hard for one clinician to connect with other care team members because the initiator needs to know the workflow of the person they need to reach.

For example, a physician who admits a patient into a hospitalist service may be listed in the EHR as the attending doctor. However, the patient is likely to be reassigned to a different hospitalist, say one of seven in the group, within a few hours. In the EHR, the name of the admitting doctor does not change. So, the question becomes, “Who is the hospitalist covering the patient right now?” An effective communication solution will address this variable as part of the communications process. Building on this, rotating schedules and multiple communication modalities creates uncertainty for how to reach a clinician at any given point. All of this contributes to delays in patient care.

As an industry, we’re making strides to facilitate more efficient and secure communication and collaboration, but the challenge needs to be addressed at the root – which is about process and workflow.

Dwain Wright, senior security consultant, ControlScan

From an IT security standpoint, poorly managed third-party relationships continue to create multiple points of vulnerability for healthcare organizations. These relationships include application management, installation of services and the management of security infrastructure (firewalls, malware systems, etc.).

There are three primary reasons today’s third-party relationships are unnecessarily risky:

Lack of due diligence in up-front discussions — When purchasing a piece of software or a service, many HIT professionals are walking away from the table without a clear understanding of what’s required to maintain the security posture of the product once it’s installed in their environment. Similarly, while the third-party may be providing a service, you still have to be knowledgeable on how that service will be performed such that it won’t impact the security posture or practices of your organization. It’s also essential to properly vet the service provider based upon their own security posture and credentials.

Lack of oversight during implementation — All software is “customizable” to some extent. At best, the third-party provider will establish initial settings that conform to their understanding of your IT organization. Unfortunately, we see many instances where settings have been incorrectly configured or left at their defaults. It is the HIT professional’s responsibility to ensure that all software, apps and services are implemented in accordance with data security and privacy best practices and standards.

Lack of formal, defined processes for maintenance and updates – As mentioned in #1 above, many HIT professionals are behind from the very beginning because they don’t ask important security-related questions early in the relationship. Consequently, we see many instances where patches and updates aren’t applied in a timely manner, or even at all. This is especially prevalent when internal and external roles and responsibilities aren’t pre-defined.

Recently I was on-site with an organization that manages a network of hospitals and clinics. We were discussing the settings of a specific application and determined that it was necessary to contact the third-party vendor for clarification. While we were talking with the vendor, they remotely accessed the application before our very eyes, without any granting of access on the client side! The client was completely unaware that the vendor had this capability.

Third-party relationships are not bad in and of themselves; in fact, they are essential to organizational growth. The key is to build those relationships on strong communication and knowledge sharing so that your organization and the information it works with remain secure.

Dr. Donald Donahue, Lieutenant Colonel, U.S. Army (Ret.)

The single greatest issue facing health IT is interoperability. When health systems cannot share data — or worse, when functions within a healthcare facility cannot share information — the promise of improved outcomes and lower costs evaporates.

[Electronic Health Reporter]