Slashdot Mirror


Virginia Health Database Held For Ransom

An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

5 of 325 comments

  1. Re:Michigan by burnin1965 · Score: 5, Interesting

    key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail

    if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity

    Actually it looks like the scenario was designed to show that management should be severely caned for using on-call support as a means of running an operation.

    Forcing employees to adhere to an on-call schedule is a bullshit method of saving on labor expenses by shifting the cost to the employee who is then forced to tailor their personal life to support their employer.

    For all you on-call sysadmins out there I have a bit of information for you. I've seen a semiconductor factory that runs 24/7 and the support departments always had a paid crew working 24/7 to support production. The on shift crew was always enough to maintain operations and respond to disasters, i.e. power outages and bumps that take equipment down. While this may sound like an expensive solution for 24/7 operations it is actually cheaper if properly implemented. One of the keys to success is spreading the support work load across the shifts. The benefit is also a faster response to issues rather than waiting on a pager response.

    And one last concept I'd like to plant: that Blackberry they give you to carry on your hip every waking hour of every day, including your days off, is not a perk. You may feel all geeky and important with your company-paid geek status symbol, but in reality it's simply a corporate slave leash.

  2. Re:Sounds like an inside job. by Janek+Kozicki · Score: 4, Interesting

    FBI will set up a covert action obviously. They will pretend to be someone with the highest bid who wants to buy it. They will pay, then follow the money trail, then revert the bank transfer, just like you do with your credit cards.

    Or something similar to that.

    --
    #
    #\ @ ? Colonize Mars
    #
  3. All Your Database.... by Anonymous Coward · Score: 4, Interesting

    This is super cool, and if they are using Oracle, super easy. The Transparent Data Encryption "Feature" included with Oracle database can be initialized and enabled without any visible change to users or even administrators. Once it's up and running, you copy and delete the "wallet" used to start the database and turn on encrypted backups. You wait a little while, until their unencrypted backups are too old to be any good, then shutdown the database and tell them what you've done. It won't start, and the backups won't restore without the wallet you stole.

    The beauty part is, you can't "disable" the TDE feature. The only way to do that is to turn it on, and not use it. That requires.... Wait for it....

    A license.

    Ha ha. If you configure it, to disable it, you have to pay for it. I love Oracle.
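    The scenario above turns on a state that a DBA can inventory. As an added defender's check (not from the post or from Oracle's own tooling), the queries below list the wallet status, what is encrypted, and whether RMAN has been switched to encrypted backups; they assume a DBA-privileged session on an Oracle release that exposes these documented views.

```sql
-- Added TDE inventory check (assumption: DBA-privileged session, Oracle
-- views as documented for 11g-era releases). Run it on a schedule and diff
-- the output; any change without a change ticket behind it is a finding.

-- 1. Is a wallet configured, and is it open? A STATUS of OPEN on a database
--    nobody deliberately encrypted is the condition the comment describes.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Which tablespaces are encrypted? Joined to v$tablespace for names.
SELECT t.name AS tablespace_name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 3. Which columns are encrypted (column-level TDE)?
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 ORDER BY owner, table_name;

-- 4. Has RMAN been switched to encrypted backups? Persistent RMAN settings
--    are exposed in v$rman_configuration; an ENCRYPTION FOR DATABASE ON
--    entry means every backup taken since then depends on the wallet.
SELECT name, value
  FROM v$rman_configuration
 WHERE UPPER(name) LIKE '%ENCRYPTION%';

-- Mitigation that follows from the inventory: the wallet file (ewallet.p12
-- by default, in the WRL_PARAMETER directory above) must be escrowed offline
-- with the backups, and a restore to a scratch host must be rehearsed so a
-- missing wallet is discovered in a drill rather than in an incident.
```

If step 1 reports a wallet on a database that was never meant to use TDE, escrowing a copy of that wallet immediately is the priority, since without it neither the datafiles nor any encrypted backup can be opened later.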

  4. Heh, seeing more and more of these by jollyreaper · Score: 4, Interesting

    It's kind of completely obvious in retrospect but I remember being so proud coming up with an idea like this way back when I was first getting into computers and reading way too much cyberpunk. The scenario I imagined was someone hacking into a corporate network and planting a virus that gets wormed into all the backups. The ransom note goes something like this:

    1. Hi. I compromised your systems.
    2. You have no idea when I compromised them and I won't tell you. Rest assured it's been for more than months.
    3. I planted a virus.
    4. It's in all your backups now.
    5. It's set to start deleting everything next week.
    6. You could conceivably take everything offline and pay security geeks big bucks to scrub it down. My guess is it'd take you weeks and cost $x megabucks.
    7. For $.1x megabucks, I'll give you the disarm code.

    I thought it was a kewl idea but the part that I could never figure out was how to make contact with the company without giving everything away. The only thing I could come up with is the old standby from TV and movies, the "numbered swiss bank account." Presumably your identity would be kept private, you would know when the deposit was made, end of story. But it always seemed like there would be some hole in the process that would leave a big red arrow pointing back to the hacker.

    Of the historic hackers we've read about, the ones who have gotten caught, it's always some fuckup that gets them nailed, usually not being able to keep their yaps shut. This does make me wonder if we don't hear about the successful hacks because a) the good ones can keep their yaps shut and b) nobody wants to advertise getting pwn'd hard by some punk.

    The other factor is a hack like this is so big and flashy, it's just bound to get law enforcement to throw more bucks at the case than it would normally warrant, just because it's so brazen, blatant, and just begging the feds to overreact.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  5. Re:Non-story? by afabbro · Score: 4, Interesting

    I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

    Wouldn't surprise me in the least, but not because it's the government. The problem is that every organization of any size has under-the-radar skunkworks IT projects. There's always some guy in a field office who doesn't like central IT (often with good reason), doesn't like bureaucracy, has a slow link to the home office, etc. Sometimes he's an amateur computer buff as well.

    Next thing you know, he's got a couple of Gentoo boxes running under his desk with a MySQL + PHP app he's cooked up himself that his whole team is relying on. It works great (for them). Years go by and suddenly someone in central IT learns of it. They try to take it away and standardize it, but he goes to the business side and says "our customers will complain, they rely on it" and business tells IT to knock it off.

    Usually about then, one of three things happens:

    • The disk on the recycled Packard Bell desktop that's running the database eats itself and he loses all the data.
    • Someone in auditing gets a clue and raises holy hell about HIPAA, SOX, etc.
    • There's a break-in because he has lousy security.

    I've seen the above scenario in at least three large private firms. In this case, we're talking 10,000,000 records. That could live on someone's laptop or desktop. Central IT might not even know it exists. I could easily see some office saying "we just got a grant for $5 million to study trends in prescriptions to look for abuse patterns, can you send over a disc with a data extract?" Hell, that might have happened ten years ago and it's been sitting on some share ever since, long forgotten.

    --
    Advice: on VPS providers