Apr 23, 2018

Zack Whittaker reports:

Atlanta spent more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city’s online services.

The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildly fluctuated in price.

But it’s understood that the ransom was never paid — because the portal used to pay the ransom (even if the city wanted to) was pulled offline by the ransomware attacker.

Read more on ZDNet.

Apr 23, 2018

Alexander Berengaut writes:

Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos.  As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins to the United States, which raises constitutional due process issues, and Hutchins subsequently moved to dismiss the indictment on this basis.

The government has now responded to Hutchins’ motion.  It makes two main arguments.  First, the government maintains—as a factual matter—that the allegations in the indictment do allege a sufficient nexus between Hutchins and the United States.  Second, the government argues, as a legal matter, that if Hutchins’ indictment is defective because it fails to allege conduct specifically directed at the United States, then there is no country on Earth where Hutchins could be prosecuted.  Both arguments appear to fall short.

Read more on Covington & Burling Inside Privacy.

Apr 23, 2018

Stephanie Barry reports on a case that I don’t recall ever hearing about before:

Jury selection will begin this morning in the trial of Rita Luthra, a former gynecologist accused of violating patient confidentiality laws, witness tampering and lying to federal investigators.

The case against Luthra, of Longmeadow, is a significantly watered-down version of the original criminal indictment brought in 2015 against the former physician. That charged an alleged kickback scheme involving a pharmaceutical company, which Luthra denied.


She now faces three revised criminal charges after the government dismissed its original indictment. Those are one count of violating the Health Information Portability and Accountability Act (HIPAA), one count of witness tampering, and one count of obstruction of a criminal health care investigation.

Read more on MassLive.

Apr 23, 2018

Sum Lok-kei reports:

Hong Kong’s second-largest residential broadband provider will purge the data of 900,000 former customers, as well as reducing how long it holds information, after a hack last week compromised the data of hundreds of thousands of customers.

Hong Kong Broadband Network (HKBN) announced the new security measures as CEO William Yeung Chu-kwong admitted on Monday the hacked personal information of 380,000 current and former customers was stored in an unencrypted database.

Read more on South China Morning Post.

Apr 23, 2018

Brian Krebs reports:

MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records — apparently for thousands of physicians.

On Friday, KrebsOnSecurity learned that the portion of MEDantex’s site which was supposed to be a password-protected portal physicians could use to upload audio-recorded notes about their patients was instead completely open to the Internet.

Read more on KrebsOnSecurity.