Slashdot Mirror


Virginia Health Database Held For Ransom

An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

26 of 325 comments

  1. Non-story? by Jane_Dozey · Score: 5, Insightful

    I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

    --
    Silly rabbit
    1. Re:Non-story? by cayenne8 · Score: 4, Insightful

      Even if that weren't the case.

      Sure should put a damper on people wanting a national central medical record database.

      Well, it would for reasonable people, but, that has nothing to do with politicians and agendas.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Non-story? by Curunir_wolf · Score: 3, Insightful

      They don't need that data anyway. The only thing it's used for is to inform the DEA of people that might be abusing prescription drugs (yea, like Limbaugh). So, good riddance.

      The real issue is that the state (and all the others, BTW) is collecting all this personal information on their citizens and storing it in a database that is vulnerable to attack by identity thieves. It's one of the problems with all of these "citizen tracking" systems (like, for instance, Real ID). It's an unnecessary government intrusion that collects personal information for tracking its citizens, and providing them the ability to use citizens' own information against them. The excuse is always for "security". Well, you see now how good the government is at security.

      Just wait until they have all your health records in an electronic health record database. It'll be available to everyone, everywhere. Authorized personnel only, of course. Yea, right.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    3. Re:Non-story? by dpilot · Score: 2, Insightful

      > Who's going to want to buy it? I mean, it's a list of drug addicts--their CREDIT scores are going to suck!

      It's *Virginia*, for Pete's sake. Since I visited there a year ago, I remember driving through Arlington and Alexandria - two bedroom suburbs of Washington, DC. Obviously politicians would want to keep their problems out of such a database - heck, anyone would. Most probably some politicians, political workers, lobbyists, and such are among those 8 million names. Their credit scores won't suck, and they have more reason to keep their names hidden.

      --
      The living have better things to do than to continue hating the dead.
    4. Re:Non-story? by Nutria · Score: 2, Insightful

      Not everything is a sign of government incompetence. Sometimes it's just a case of everyone getting off Christmas Day.

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Non-story? by pixelpusher220 · Score: 3, Insightful

      imagine a world where your healthcare isn't tied to your job....

      It's called most civilized countries other than the US.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    6. Re:Non-story? by Buelldozer · Score: 2, Insightful

      Oh boy, this is going to make me unpopular.

      Maybe developing software should require a license, or at least an independent review before it is released.

      Maybe connecting a computer to the internet should require a license, or at least an independent review of the users skill level.

      I promise I'm going to defend those two statements in just a bit.

      Here on /., and other tech oriented websites, I often see Internet access put into the same category as traditional utilities. People want it reliable, ubiquitous, interoperable, and as low cost as possible.

      Like a traditional utility it should be brought to as many people as possible because it can demonstrably increase people's quality of life.

      I also see a lot of people calling for Internet access to be regulated like a utility. As in "just sell the damn pipe and let companies provide service over it". Much like electrical, water, gas, cable, and telephone service.

      Here's the thing, all of those traditional utilities have interoperability and safety standards. For instance you cannot connect your own natural gas service, electrical service, telephone service, or cable service to your home. Nor can you make your own parts and have the relevant agencies use those when your home is connected to those utilities.

      The reason for this is that it would be dangerous to do so, and most people don't have a good idea of what it would take to engineer a solid gas expansion chamber, electric pole insulator, or the myriad of other gear it takes.

      The gear that is used must be designed by a PE (Professional Engineer) and submitted to an independent testing agency, frequently U.L., before it can be sold for those purposes.

      Why all of this designing and testing? Because it's DANGEROUS if you let the common man engineer his own stuff. It could, and would, negatively impact the reliability of the service for all users.

      So here we are. There are increasing numbers of voices asking for Internet access to be considered a traditional utility. Utility services can be, and are, damaged, destroyed, and degraded when people who are ignorant or wilfully negligent attach and use unregistered, unlicensed, and untested gear on those utilities.

      Why should Internet access be any different? Why should software company XYZ be given a free pass when their $h1t software is attached to the Internet and allows the compromise of 8 million people's prescription history?

      I don't like the idea of software developers requiring a license or independent testing of software. I don't like the idea on the hardware side either. It will lead to ridiculous restrictions and increased costs.

      However, if we agree that Internet access is an essential utility then we simply cannot allow every Tom, Dick, and Harry to use whatever crap software they want. We cannot allow these same people to hook up whatever hardware they want. We cannot allow a business to expose its records and data however it wants.

      There is too much at risk and the consequences of poor decisions are too often borne by people who cannot control those decisions.

      I am now donning my asbestos suit. I know this idea is unpopular, but hopefully the parallel between the Internet as a utility and a traditional utility is strong enough to make some of you think. Even if you don't agree with me, and many of you won't, you have to agree that we have to do something.

    7. Re:Non-story? by TDO48 · Score: 2, Insightful

      Following the same line of thought - and a topic that I've been discussing with a few friends and colleagues lately - why is it that the ultimate responsibility, that of creating life... concretely reproducing oneself... is not also regulated. With all the potential for abuse, improper raising, dangers and challenges....

    8. Re:Non-story? by pixelpusher220 · Score: 3, Insightful

      you do have the one advantage in that you can change jobs without worrying about healthcare issues, this is true.

      But your healthcare *is* tied to your job in the sense that without your job, you wouldn't be able to pay it.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. Deleted all the backups??? by Nutria · Score: 2, Insightful

    Don't these jackasses know what Iron Mountain is, and what tape drives are for???????

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Deleted all the backups??? by IsThisNickTaken · Score: 2, Insightful

      Since all the backup data is encrypted, then what's the problem?

  3. Proper backup procedures by Ender_Stonebender · Score: 3, Insightful

    Hopefully the state of Virginia follows proper backup procedures, and has copies of the data that are off-site and off-line. It may take a day or so for someone to go fetch the tapes, but the data shouldn't be lost. So the people trying to ransom this data should be screwed.

    --
    Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
    1. Re:Proper backup procedures by jcnnghm · Score: 5, Insightful

      It's not just about being able to recover the data, it's also about everyone's medical records being sold. If medical records can't even be protected at the state level, what makes people believe that national electronic health records will be any safer? Just wait until you're lying in the hospital, but you can't be treated because access to your online health records is down.

      I'm increasingly amazed by the willingness of people to bitch and moan about incompetent and inefficient bureaucrats, while at the same time, insisting on turning over more and more important societal functions to these same bureaucrats.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
  4. Was attack over the network or stolen backups? by Anonymous Coward · Score: 5, Insightful

    10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?

    1. Re:Was attack over the network or stolen backups? by ledow · Score: 5, Insightful

      Or none of the above. What if he gained remote access to the backup servers, encrypted their backups with a password of his choosing and deleted their other (presumably rewritable / otherwise on-line) backups?

      That way, he personally had access to them (without having to download them) and has removed everyone else's access. Even if he has just "lost" the latest backups for them, it's an incredibly serious breach that he could even get that close to data relevant to a lot of people. He *could* have downloaded whatever he wanted and could have wreaked enormous havoc by *corrupting* the backups beyond recognition and not even get noticed. How many other large organisations use their host's backup facilities (which are normally run as "on-line" backups with occasional "off-line"/"off-site" backups) instead of their own? I know of several, but they don't host anything anywhere near as critical as this.

      Either way, it's piss-poor server/network management and someone should be fingered for it. I'm guessing it's more likely an "IT Consultant" and/or someone who didn't listen to their systems administrator at the last round of budget estimates than the actual implementors of the system.

  5. Whitehouse take note by 2phar · Score: 4, Insightful

    A timely illustration of the critical importance of security in electronic medical records.

  6. Stupid criminals by Anonymous Coward · Score: 1, Insightful

    If it's real it's stupid.

    Can a governmental agency even pay a ransom? Are they allowed? Would they even consider it?

    I would think they would just go to the cops. This makes ransoming the data of a government agency an all risk no reward proposition.

    Maybe you could blackmail the head of IT, but you have to keep the threat on the DL, and the data going missing is the threat. Also I think 10 mill is out of the question in the latter case.

  7. State control by ChrisMaple · Score: 2, Insightful

    This is what happens when you let the government in to places where it shouldn't be. There shouldn't be a state record of prescriptions, in fact the entire idea of government restricting the sale of certain chemicals to a doctor-monopoly is wrong. You statists are getting what you deserve; unfortunately the rest of us have to pay for it too.

    --
    Contribute to civilization: ari.aynrand.org/donate
  8. An unrelated comment by dachshund · Score: 5, Insightful

    This is tragic, and please don't view the following unrelated rant as indicating lack of sympathy or some kind of judgement against the public agency that's getting slammed in this case.

    A couple of weeks ago I spent a few days at the RSA security conference, one of the biggest conferences/trade shows in the security industry. Roughly 7 out of 10 of the products being hawked were absolute nonsense: buzzword-compliant BS. "Security risk management" software, hacked-together IDS systems, encryption systems that have pretty Windows GUIs (and probably, lots of pretty Windows code vulnerabilities), AV that's easy to circumvent, etc. They'd do absolutely nothing to protect you in the face of a serious attack. I say this as both a security professional and a business owner, which makes me somewhat well qualified to make that judgement. Often the most obviously ineffective products were the best sellers.

    My point? In terms of commercial spending, "security" has so far been an excuse to spend a bunch of money and check a lot of little boxes. Corporations and organizations aren't really serious about preventing attacks, because for the most part it isn't happening (to most companies). An executive wants to say he "did something", so he buys a bunch of stuff and wastes time configuring it. It probably doesn't protect him against a motivated attacker, and he doesn't have the skills in-house to deal with it (which would be a lot more valuable than the equipment and software he purchased).

    When I see something like this story, well, it's absolutely not gratifying. It's tragic. And of course, the fact that it's hitting a public agency makes it even nastier. But at very least, I hope that things like this do at least scare the crap out of some of the companies buying this nonsense, and convince a few of them to take the problem seriously. Because it is a problem. The reason we have the luxury of pretty trade shows that sell fluffy products is because this very real problem just hasn't manifested itself in an expensive enough way to shock people into taking the problem seriously. I really hope people start taking it seriously before this kind of thing becomes too pernicious.

  9. Ummm... by ledow · Score: 5, Insightful

    Well... he has an email address that he wants people to talk to him on. The person is asking to be caught already. Even assuming Tor use, etc., that's a definite lead back to him right there. You're talking an open invitation for some agency to coerce Yahoo to plant something on his browser when that login is detected (a cookie would probably do for the simple cases, a Flash/Java/browser exploit or similar in an advert would easily do for the more complex). Hell, I wouldn't be surprised if it wasn't possible to get a Microsoft-signed Java app (and, thus, automatically run without prompting) into the pages that are made for his login with their co-operation and have it reveal the *real* IP address / routing.

    You can *easily* string him along for four or five emails. He would have to be using extremely tight security each and every time in order to communicate safely (and thus I hope he ran / is running a sandboxed system via a good anonymising network for the purpose of creating and checking that mail account each and every time and that he *never* uses that sandbox for anything else).

    And you're talking confidential patient records - this is no hero of the citizenry, it's some pillock with nmap. So I hope he does get caught. Yeah, expose the security holes (though even that is just asking for jailtime) but don't play with people's lives.

    How he expects to receive any money is beyond me... there's no such thing as a "safe" bank account except in the movies. Or is he hoping for a large bag of cash to be thrown from the Golden Gate bridge at 13:37 or similar? I'm guessing that, somewhere, he's made a stupid, elementary and critical mistake which means that he'll be "caught" quite soon (as in, people know who he is and just have to do the paperwork to get him), if he's not already.

    If you want to make a stand, make a stand, target an organisation, pick a purpose, hit the critical points without collateral damage. If you want to dick about and show what a hacker you are, that's when you take whatever you *can* find (e.g. extremely private medical records and personal details of random people) and threaten to spread it unless a ransom is paid. In short,

    Go to Jail. Go directly to Jail. Do not pass Go. Do not collect $10 million.

    1. Re:Ummm... by Mendoksou · Score: 5, Insightful

      Right, and he intends to get the money somehow... as if it couldn't be tracked. My guess is that this guy is as good as caught, or it's a hoax. Either way, expect to see more restrictive internet legislation because of this.

      --
      DISCLAIMER: I am very rarely serious. If the above comment seems asinine or makes no sense, it is most likely a bad joke.
  10. Re:Sounds like an inside job. by Culture20 · Score: 2, Insightful

    Hmm. Here we have a serious security breach but the details are so sketchy we're resorting to ethnic humour and the finer points of grammar to fill in the time. Allow me to offer up my guesses as to what Really Happened(TM): The server was recently migrated to Windows Vista from RedHat, the hackers were Chinese nationals who coordinated their actions using Hotmail accounts, and needed funding for the Virginia health department's IT department was cut by Republicans in the stimulus bill. Discuss.

    But Republicans weren't cutting spending recently, only taxes.

  11. Re:Sounds like an inside job. by jotok · Score: 2, Insightful

    Trivial for FBI to get a warrant for the guy's login details from Yahoo.

    Of course, if he's using TOR, then they're hosed.

  12. Consider the Source by DynaSoar · Score: 3, Insightful

    "replaced the homepage with a ransom demand."

    What was discovered was vandalism -- an altered web page and deleted data. There's no evidence besides the vandals' word that anything was downloaded. The same source claims the backups were missing, and that they wanted ransom for return of the data. This is Rx tracking data, not financial or personal ID data.

    If it had been personal data, and it'd been downloaded by real ID thieves, they would NOT have notified the world of the event immediately (in fact, while in progress) by defacing the site. They'd have wanted to get away clean and sell off the data if possible before the theft was noticed. And they'd have sold it rather than proving their stupidity by demanding ransom. If they couldn't sell it they'd trash it rather than risk getting caught.

    The site collects data from Rx dispensing sites across the state. All the data exists elsewhere, making the claim of no backups irrelevant. This site simply puts in one place what's spread out and not commonly available, so other dispensing sites can know whether someone's getting too much controlled prescription meds. Everything that was deleted can be re-obtained from the same places it was gotten all along.

    The incident is a HIPAA violation. The FBI investigates those as well as computer security issues, explaining their presence in light of the fact that no real damage was done. If it were an inside job, it wouldn't have been done because nothing of value was to be gained from that particular collection of data, and an insider would know that. From the inside there are far more valuable collections of data that could be had from that system, such as payment records for license fees of registered Virginia health professionals.

    The presence of the FBI and the "neither confirm nor deny" response of Va DHP, and those facts being related by WP, makes it seem like there's a story here. Not hardly.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  13. Does he pass the Hacker Intelligence Test? by Tolvor · Score: 3, Insightful

    Time for the Hacker Intelligence test

    It's easy to break something. It's much harder to completely cover the evidence of who is responsible.

    Question 1 - Why did the hacker target the Virginia Health Department?? That wouldn't be a site that most hackers would even think about, much less target for major intrusion. Did the hacker in question cover his tracks as to why he chose this obscure site? Might he have been familiar with it because it tracks potential prescription drug abuse, and he had been flagged for further investigation before? Does he have a history with this company?

    Question 2 - Did he cover his visits? Few people can find a potential site, explore the site for vulnerabilities, get access to the site, explore the internal structure of the site, devise an attack plan, code it, execute it, and get out in just one sitting. It usually requires several sessions, each time gaining more access and having better intelligence. The last visit can be covered up, but did he cover up the logs of the first few times when he didn't have complete control, and his tracks and actions may still be in an access log?

    Question 3 - What methodology did he use to gain access? Having access to the database (and backups) to the degree that an encryption command can be executed would be difficult. It requires the ability to execute several commands remotely on the server. Were these commands given thru web-page vulnerabilities? Did it require log-in credentials, and if so, whose? Did access require special in-house knowledge, and if so, who knew it?

    Question 4 - Where did he do this from, and what is his IP address? Hiding your IP address is next to impossible and there are multiple logs kept of access, including by the ISP. Did he do this from home? (If so, FAIL) Did he do this from a public wireless access point? If so did he cover his tracks there? (It's amazing where they put surveillance cameras nowadays) Anonymizer services will usually hand over the original IP address if requested by federal authorities, so that isn't going to work. Did the hacker consider that?

    Question 5 - Where is he checking that yahoo address from? See question 4.

    Question 6 - Is he using a different computer now? If I wanted to be really sneaky I'd ask Yahoo to check not only the Yahoo cookie when someone logs into that account, but *also* get the Google one, and 10 others. Send the cookies to the relevant companies for the data they contain. Is he using a fresh computer to erase tracks left there?

    Question 7 - Did he cover up his phrasing carefully from what he has used publicly? Phrases like "Uhoh" "gladly" "not to pony up" "Fucking Bunch of Idiots" "bettin'" "drop me a line" "to have gone missing, too" (weird extra comma here and other places) seem to be rather unique. Some of it can be faked, but the phrasing we use says a lot about us.

    Question 8 - How is he planning on collecting the money? Most people think international banks (Cayman Islands is common) are the answer. No. Most countries/locations (e.g. Cayman Islands) have easy business registration/taxation rules, but are poor choices for trying to stash/launder money. It's not easy collecting large amounts of money. Does the hacker have a plan on how to collect that money?

    Question 9 - Is he going to revisit the scene of the crime? Is he checking the internet news sites to find stories about m^Hthis crime? Is he going to give himself away by visiting such a site (like Slashdot) and visiting, leaving his IP address. Who knows, maybe he'll even gladly, comment. ;)

    Comments can be left at hackingforprofit(the at sign)gmailcom. Drop me a line. ;)

  14. Re:Sounds like an inside job. by mewsenews · Score: 2, Insightful

    Leaking the entire database to identity thieves is part/most/all of the hacker's threat if the ransom is not delivered. If the database is lost and they have to start from scratch -- big deal. If the database is lost AND in the hands of well paying criminals -- uh oh.