Virginia Health Database Held For Ransom
An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."
I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.
Silly rabbit
Luckily, of course, a backup was made every hour... Oh, what? Did not run backup for 3 weeks? Went fishing?
...since Virginia is for Lovers. The hardest part will be determining whether their prescription was for C1A1iS or V1AGR4
Introducing Microsoft Vacuum 1.0 The first Microsoft product that doesn't suck.
The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom...
Yes, but the phrase "Now I hear tell" indicates Virginia! What a conundrum! This case will never be cracked! The full note text for those too lazy to click through wikileaks:
ATTENTION VIRGINIA
:(
;)
I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh
For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).
Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.
Until then, have a wonderful day, I know I will
My work here is dung.
Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?
I don't know, why don't you send hackingforprofit@yahoo.com an e-mail and ask them?
Oops, did I just post hackingforprofit@yahoo.com without obfuscating it? Here, let me fix that:
hackingforprofit(at)yahoo(dot)com
My apologies to hackingforprofit@yahoo.com if this results in an increase of SPAM.
My work here is dung.
The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virginia.
It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")
All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?
There are some people that if they don't know, you can't tell 'em.
Ah, Watson, but notice this curious "Fucking Bunch of Idiots". A Frenchman or Russian could not have written that. It is the German who is so uncourteous to his nouns.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?
Did they also threaten to release the Da Vinci virus?
A timely illustration of the critical importance of security in electronic medical records.
The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians.
Damn, I'd pay $10 mil for data on more than 8 million virgins. That's more than you get for martyrdom in the... oh, read it wrong. Never mind.
== Jez ==
Do you miss Firefox? Try Pale Moon.
That makes me very happy I get all my medication from the 2 dudes on the street corner.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
This is tragic, and please don't view the following unrelated rant as indicating lack of sympathy or some kind of judgement against the public agency that's getting slammed in this case.
A couple of weeks ago I spent a few days at the RSA security conference, one of the biggest conferences/trade shows in the security industry. Roughly 7 out of 10 of the products being hawked were absolute nonsense: buzzword-compliant BS. "Security risk management" software, hacked-together IDS systems, encryption systems that have pretty Windows GUIs (and probably, lots of pretty Windows code vulnerabilities), AV that's easy to circumvent, etc. They'd do absolutely nothing to protect you in the face of a serious attack. I say this as both a security professional and a business owner, which makes me somewhat well qualified to make that judgement. Often the most obviously ineffective products were the best sellers.
My point? In terms of commercial spending, "security" has so far been an excuse to spend a bunch of money and check a lot of little boxes. Corporations and organizations aren't really serious about preventing attacks, because for the most part it isn't happening (to most companies). An executive wants to say he "did something", so he buys a bunch of stuff and wastes time configuring it. It probably doesn't protect him against a motivated attacker, and he doesn't have the skills in-house to deal with it (which would be a lot more valuable than the equipment and software he purchased).
When I see something like this story, well, it's absolutely not gratifying. It's tragic. And of course, the fact that it's hitting a public agency makes it even nastier. But at very least, I hope that things like this do at least scare the crap out of some of the companies buying this nonsense, and convince a few of them to take the problem seriously. Because it is a problem. The reason we have the luxury of pretty trade shows that sell fluffy products is because this very real problem just hasn't manifested itself in an expensive enough way to shock people into taking the problem seriously. I really hope people start taking it seriously before this kind of thing becomes too pernicious.
Well... he has an email address that he wants people to talk to him on. The person is asking to be caught already. Even assuming Tor use, etc., that's a definite lead back to him right there. You're talking an open invitation for some agency to coerce Yahoo to plant something on his browser when that login is detected (a cookie would probably do for the simple cases, a Flash/Java/browser exploit or similar in an advert would easily do for the more complex). Hell, I wouldn't be surprised if it wasn't possible to get a Microsoft-signed Java app (and, thus, automatically run without prompting) into the pages that are made for his login with their co-operation and have it reveal the *real* IP address / routing.
You can *easily* string him along for four or five emails. He would have to be using extremely tight security each and every time in order to communicate safely (and thus I hope he ran / is running a sandboxed system via a good anonymising network for the purpose of creating and checking that mail account each and every time and that he *never* uses that sandbox for anything else).
And you're talking confidential patient records - this is no hero of the citizenry, it's some pillock with nmap. So I hope he does get caught. Yeah, expose the security holes (though even that is just asking for jailtime) but don't play with people's lives.
How he expects to receive any money is beyond me... there's no such thing as a "safe" bank account except in the movies. Or is he hoping for a large bag of cash to be thrown from the Golden Gate bridge at 13:37 or similar? I'm guessing that, somewhere, he's made a stupid, elementary and critical mistake which means that he'll be "caught" quite soon (as in, people know who he is and just have to do the paperwork to get him), if he's not already.
If you want to make a stand, make a stand, target an organisation, pick a purpose, hit the critical points without collateral damage. If you want to dick about and show what a hacker you are, that's when you take whatever you *can* find (e.g. extremely private medical records and personal details of random people) and threaten to spread it unless a ransom is paid. In short,
Go to Jail. Go directly to Jail. Do not pass Go. Do not collect $10 million.
FBI will set up a covert action obviously. They will pretend to be someone with the highest bid who wants to buy it. They will pay, then follow the money trail, then revert the bank transfer, just like you do with your credit cards.
Or something similar to that.
It's not just about being able to recover the data, it's also about everyone's medical records being sold. If medical records can't even be protected at the state level, what makes people believe that national electronic health records will be any safer? Just wait until you're lying in the hospital but you can't be treated because access to your online health records is down.
I'm increasingly amazed by the willingness of people to bitch and moan about incompetent and inefficient bureaucrats, while at the same time, insisting on turning over more and more important societal functions to these same bureaucrats.
You don't make the poor richer by making the rich poorer. - Winston Churchill
This is super cool, and if they are using Oracle, super easy. The Transparent Data Encryption "Feature" included with Oracle database can be initialized and enabled without any visible change to users or even administrators. Once it's up and running, you copy and delete the "wallet" used to start the database and turn on encrypted backups. You wait a little while, until their unencrypted backups are too old to be any good, then shutdown the database and tell them what you've done. It won't start, and the backups won't restore without the wallet you stole.
The beauty part is, you can't "disable" the TDE feature. The only way to do that is to turn it on, and not use it. That requires.... Wait for it....
A license.
Ha ha. If you configure it, to disable it, you have to pay for it. I love Oracle.
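The check a DBA would actually want for the scenario in the comment above, written as an added example (not code from the post or from Oracle): pull the encryption-related dictionary views, then flag encryption that nobody approved, a wallet with no off-host escrow copy, a wallet that is not open, and the point at which no unencrypted backup remains inside retention. The `FakeCursor`, its rows, the `PMP` database name and the wallet path are all constructed so the script runs offline; point `collect()` at a real `connection.cursor()` from cx_Oracle or python-oracledb instead. View and column names are the 11g-era ones (`V$ENCRYPTION_WALLET`, `DBA_ENCRYPTED_COLUMNS`, `V$ENCRYPTED_TABLESPACES`, `V$RMAN_CONFIGURATION`) and should be verified against the release in use.

```python
"""Audit an Oracle database for the silent-TDE scenario: encryption switched on,
wallet copied off, and the only key to the data (and to encrypted RMAN backups)
now held by someone else.

Constructed example. `FakeCursor` stands in for a DB-API cursor such as
`connection.cursor()` from cx_Oracle / python-oracledb, and the rows it
returns are made up here. View and column names follow Oracle's 11g-era data
dictionary; confirm them against the release you run.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

QUERIES = {
    "wallet": "SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet",
    "columns": "SELECT owner, table_name, column_name, encryption_alg "
               "FROM dba_encrypted_columns",
    "tablespaces": "SELECT ts#, encryptionalg FROM v$encrypted_tablespaces",
    "rman": "SELECT name, value FROM v$rman_configuration "
            "WHERE name LIKE 'ENCRYPTION%'",
}


@dataclass
class TdeState:
    wallet_status: Optional[str]      # OPEN / CLOSED / NOT_AVAILABLE ...
    wallet_path: Optional[str]
    encrypted_columns: list
    encrypted_tablespaces: list
    rman_encryption: Dict[str, str]   # e.g. {"ENCRYPTION FOR DATABASE": "ON"}


def collect(cursor) -> TdeState:
    """Run the four dictionary queries through any DB-API cursor."""
    rows = {}
    for key, sql in QUERIES.items():
        cursor.execute(sql)
        rows[key] = cursor.fetchall()
    wallet = rows["wallet"][0] if rows["wallet"] else (None, None, None)
    return TdeState(
        wallet_status=wallet[2],
        wallet_path=wallet[1],
        encrypted_columns=rows["columns"],
        encrypted_tablespaces=rows["tablespaces"],
        rman_encryption={name: value for name, value in rows["rman"]},
    )


def findings(state: TdeState, approved_tde: bool, wallet_escrowed: bool,
             plaintext_backup_age_days: Optional[int] = None,
             retention_days: Optional[int] = None) -> List[str]:
    """Things a DBA should be paged about. Empty list means nothing to act on.

    approved_tde: a change record exists for turning TDE/RMAN encryption on.
    wallet_escrowed: a copy of the wallet (and its password) is held off-host.
    """
    in_use = bool(state.encrypted_columns or state.encrypted_tablespaces)
    rman_on = state.rman_encryption.get("ENCRYPTION FOR DATABASE", "OFF").upper() == "ON"
    if not (in_use or rman_on):
        return []
    out = []
    if not approved_tde:
        out.append("encryption is active without an approved change record")
    if not wallet_escrowed:
        out.append(f"wallet {state.wallet_path} has no off-host escrow copy: losing it loses the data")
    if state.wallet_status != "OPEN":
        out.append(f"wallet status is {state.wallet_status}: encrypted data and backups are unreadable right now")
    if (rman_on and plaintext_backup_age_days is not None and retention_days is not None
            and plaintext_backup_age_days > retention_days):
        out.append("newest unencrypted backup is outside retention: nothing restores without the wallet")
    return out


class FakeCursor:
    """Offline stand-in for a DB-API cursor; rows are constructed for this example."""
    def __init__(self, table: Dict[str, list]):
        self.table = table
        self._rows: list = []

    def execute(self, sql, *args):
        key = next(k for k, q in QUERIES.items() if q == sql)
        self._rows = self.table.get(key, [])

    def fetchall(self):
        return self._rows


# Constructed: what the dictionary looks like after the attacker's preparation.
ATTACKED = {
    "wallet": [("file", "/u01/app/oracle/admin/PMP/wallet", "OPEN")],
    "columns": [("PMP", "PATIENT", "SSN", "AES256")],
    "tablespaces": [],
    "rman": [("ENCRYPTION FOR DATABASE", "ON")],
}
# Constructed: a database that has never had TDE configured.
CLEAN = {"wallet": [("file", None, "NOT_AVAILABLE")], "columns": [], "tablespaces": [], "rman": []}

if __name__ == "__main__":
    state = collect(FakeCursor(ATTACKED))
    for line in findings(state, approved_tde=False, wallet_escrowed=False,
                         plaintext_backup_age_days=40, retention_days=30):
        print("ALERT:", line)
```

Run it on a schedule and diff against the previous run; `approved_tde` and `wallet_escrowed` are answered by change management and the key-escrow procedure, not by the database. The script only tells you that encryption and encrypted backups are on and whether you still hold a usable key; whether someone copied the wallet is a question for file-integrity monitoring on the wallet directory, which is the other half of the control.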
Just for clarification, the Virginia Department of Health Professionals is not the same agency as the Virginia Department of Health.
Each Virginia agency is its own little independent IT fiefdom, with all the disparity of budget and clue that entails. At least until their IT is taken over by Northrop Grumman, which is another clusterfuck entirely...
It's kind of completely obvious in retrospect but I remember being so proud coming up with an idea like this way back when I was first getting into computers and reading way too much cyberpunk. The scenario I imagined was someone hacking into a corporate network and planting a virus that gets wormed into all the backups. The ransom note goes something like this:
1. Hi. I compromised your systems.
2. You have no idea when I compromised them and I won't tell you. Rest assured it's been for more than months.
3. I planted a virus.
4. It's in all your backups now.
5. It's set to start deleting everything next week.
6. You could conceivably take everything offline and pay security geeks big bucks to scrub it down. My guess is it'd take you weeks and cost $x megabucks.
7. For $.1x megabucks, I'll give you the disarm code.
I thought it was a kewl idea but the part that I could never figure out was how to make contact with the company without giving everything away. The only thing I could come up with is the old standby from TV and movies, the "numbered swiss bank account." Presumably your identity would be kept private, you would know when the deposit was made, end of story. But it always seemed like there would be some hole in the process that would leave a big red arrow pointing back to the hacker.
Of the historic hackers we've read about, the ones who have gotten caught, it's always some fuckup that gets them nailed, usually not being able to keep their yaps shut. This does make me wonder if we don't hear about the successful hacks because a) the good ones can keep their yaps shut and b) nobody wants to advertise getting pwn'd hard by some punk.
The other factor is a hack like this is so big and flashy, it's just bound to get law enforcement to throw more bucks at the case than it would normally warrant, just because it's so brazen, blatant, and just begging the feds to overreact.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
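The "it's in all your backups now, and you don't know since when" scenario a few posts up has a practical counter that is worth showing in code: successive backup generations are a timeline, and hashing each restored set tells you when a dropped file or a modified script first appeared and which generation is the last one taken before it did. This is an added example, not code from that post or from any product; the paths, file contents, dates and the implant stand-in are all constructed so it runs offline, and in practice each manifest would come from hashing a backup set restored into an isolated environment.

```python
"""Backup history as a forensic timeline: when did a file, or a changed version
of a file, first appear across successive backup generations, and which is the
last generation taken before it did?

Added example for the "virus wormed into all the backups" scenario above; it
is not from that post. Snapshots are constructed inline as {path: contents};
in practice each manifest comes from hashing a restored backup set. Paths,
contents and dates are invented for illustration.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Files = Dict[str, bytes]
Manifest = Dict[str, str]

CLEAN_RUNDUMP = b"#!/bin/sh\ntar czf /backup/db.tgz /var/lib/db\n"
# Same script with an extra line that starts the implant at every backup run.
TAMPERED_RUNDUMP = CLEAN_RUNDUMP + b"/opt/.cache/update &\n"
IMPLANT = b"\x7fELF...constructed stand-in for a dropped binary...\n"
CRON = b"0 2 * * * root /usr/local/bin/rundump\n"

# Constructed backup generations, oldest first.
SNAPSHOTS: List[Tuple[str, Files]] = [
    ("2009-01", {"/etc/cron.d/backup": CRON, "/usr/local/bin/rundump": CLEAN_RUNDUMP}),
    ("2009-02", {"/etc/cron.d/backup": CRON, "/usr/local/bin/rundump": CLEAN_RUNDUMP}),
    ("2009-03", {"/etc/cron.d/backup": CRON, "/usr/local/bin/rundump": TAMPERED_RUNDUMP,
                 "/opt/.cache/update": IMPLANT}),
    ("2009-04", {"/etc/cron.d/backup": CRON, "/usr/local/bin/rundump": TAMPERED_RUNDUMP,
                 "/opt/.cache/update": IMPLANT}),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(files: Files) -> Manifest:
    """{path: sha256} for one generation; what `sha256sum -r` over a restore gives you."""
    return {path: sha256(content) for path, content in files.items()}


def diff_manifests(prev: Manifest, cur: Manifest) -> Dict[str, List[str]]:
    """What changed between two generations."""
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "changed": sorted(p for p in set(prev) & set(cur) if prev[p] != cur[p]),
    }


def first_seen(snapshots, path: str, digest: Optional[str] = None) -> Optional[str]:
    """Label of the oldest generation containing `path` (with `digest`, if given)."""
    for label, files in snapshots:
        m = manifest(files)
        if path in m and (digest is None or m[path] == digest):
            return label
    return None


def last_clean(snapshots, indicators: Dict[str, Optional[str]]) -> Optional[str]:
    """Latest generation taken before any indicator (path, or path+digest)
    shows up. None means even the oldest retained generation carries one,
    i.e. there is no clean copy left to restore from."""
    previous = None
    for label, files in snapshots:
        m = manifest(files)
        if any(p in m and (d is None or m[p] == d) for p, d in indicators.items()):
            return previous
        previous = label
    return previous


if __name__ == "__main__":
    for (a, fa), (b, fb) in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        print(a, "->", b, diff_manifests(manifest(fa), manifest(fb)))
    print("implant first seen:", first_seen(SNAPSHOTS, "/opt/.cache/update"))
    print("last clean generation:", last_clean(SNAPSHOTS, {"/opt/.cache/update": None}))
```

The "changed" bucket is the interesting one: a modified `rundump` that still runs the backup is exactly how an implant survives into every later generation. `last_clean` returning `None` is the failure mode the ransom note relies on, the compromise predating the oldest copy you kept, which is an argument for retaining a few old generations well past the normal rotation, and for restore-testing them somewhere isolated rather than trusting the schedule.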