Slashdot Mirror


Virginia Health Database Held For Ransom

An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

16 of 325 comments

  1. Non-story? by Jane_Dozey · Score: 5, Insightful

    I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

    --
    Silly rabbit

    1. Re:Non-story? by Anonymous Coward · Score: 5, Funny

      The Internet. A miracle of the 21st Century, providing high quality information and education to all, breaking down social barriers and creating a new info-democracy the likes of which our fathers could only dream about. Few would disagree that the Internet is a wonder of the modern world, and one of America's greatest contributions to science.

      However, as with all emergent technologies sooner or later, abuse by the uneducated masses causes the need for regulation to arise. As more people adopt a technology, the more likely that technology will be used by irresponsible individuals who try to spoil things for the rest of us.

      This is why the time has come to introduce licensing for Internet users.

      * Hunting
      * Fishing
      * Watching TV
      * Driving an automobile
      * Using a PC
      * Carrying a firearm
      * Building a house
      * Selling an alcoholic beverage
      * Staging a rock concert
      * Trading in securities
      * Developing software

      What do the activities listed above have in common?

      The answer is that all are potentially dangerous activities for which one must obtain a license if one wishes to remain on the right side of the law.

      It is surprising to me that one potentially dangerous activity is conspicuously missing from the above list. We all accept without question the need for regulation where dangerous technologies are concerned (as the list clearly demonstrates). So why should the Internet be exempt? What is so special about 0s and 1s travelling along a wire that makes us give it 'special treatment'? Why should this important resource not enjoy the protection from abuse that regulation would undoubtedly provide?

      In the old days of the Internet, its usage was confined to academia and the military. Back in those days, one could be fairly sure that Internet users were responsible citizens who would not abuse their 'net access; after all, our educators and defenders are people we knew we could trust.

      These days, with the explosive growth in Internet usage, it is impossible to control who goes online. Indeed, many Internet Service Providers (ISPs) market themselves on how 'easy to use' their service is. You are just as likely to find senior citizens, children, teenagers and housewives online these days, as you are to find a world class physicist or a military intelligence officer.

      As you would expect, with such a large number of uneducated people given unrestricted access to such a powerful tool, the results have not always been pleasant, and abuse has run rampant. You can find bomb making instructions, Islamic fundamentalist propaganda, pornography, hate sites, left wing and right wing extremism, pornography, fascism in all its different and elaborate disguises, Radical androphobic feminism, autism, pornography, questionable politics, pornography, blasphemy against Jesus, and yet more pornography.

      This is the mere tip of the iceberg, since the Internet is estimated to have as much as 100 Gigabytes of this kind of offensive material, and it is growing larger by the week, as more and more uneducated people rush to 'get online' so that they may 'surf the web' with their equally poorly-educated beer-swilling redneck buddies.

      As with all technologies, the Internet has matured to the point where regulation is not just desirable, it has become inevitable. You don't need to be Kreskin to predict that unless the Internet is regulated, and regulated quite heavily, it will soon collapse under the sheer weight of pointless traffic: Britney Spears fan sites, uninteresting personal home pages and the extra load placed on the 'net infrastructure by illegal protocols such as Aimster Napster, Bearshare Gnutella and the like.

      As with automobil

  2. Shouldn't be hard to re-create by Skraut · Score: 5, Funny

    ...since Virginia is for Lovers. The hardest part will be determining whether their prescription was for C1A1iS or V1AGR4.

    --
    Introducing Microsoft Vacuum 1.0 The first Microsoft product that doesn't suck.

  3. Re:email address as contact by eldavojohn · Score: 5, Funny

    Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?

    I don't know, why don't you send hackingforprofit@yahoo.com an e-mail and ask them?

    Oops, did I just post hackingforprofit@yahoo.com without obfuscating it? Here, let me fix that:

    hackingforprofit(at)yahoo(dot)com

    My apologies to hackingforprofit@yahoo.com if this results in an increase of SPAM.

    --
    My work here is dung.

  4. Michigan by Darth_brooks · Score: 5, Informative

    The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virginia.

    It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")

    All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

    --
    There are some people that if they don't know, you can't tell 'em.

    1. Re:Michigan by burnin1965 · Score: 5, Interesting

      key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail

      if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity

      Actually it looks like the scenario was designed to show that management should be severely caned for using on-call support as a means of running an operation.

      Forcing employees to adhere to an on-call schedule is a bullshit method of saving on labor expenses by shifting the cost to the employee who is then forced to tailor their personal life to support their employer.

      For all you on-call sysadmins out there I have a bit of information for you. I've seen a semiconductor factory that runs 24/7 and the support departments always had a paid crew working 24/7 to support production. The on shift crew was always enough to maintain operations and respond to disasters, i.e. power outages and bumps that take equipment down. While this may sound like an expensive solution for 24/7 operations it is actually cheaper if properly implemented. One of the keys to success is spreading the support work load across the shifts. The benefit is also a faster response to issues rather than waiting on a pager response.

      And one last concept I'd like to plant: that Blackberry they give you to carry on your hip every waking hour of every day, including your days off, is not a perk. You may feel all geeky and important with your company-paid geek status symbol, but in reality it's simply a corporate slave leash.

  5. Was attack over the network or stolen backups? by Anonymous Coward · Score: 5, Insightful

    10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?

    1. Re:Was attack over the network or stolen backups? by ledow · Score: 5, Insightful

      Or none of the above. What if he gained remote access to the backup servers, encrypted their backups with a password of his choosing and deleted their other (presumably rewritable / otherwise on-line) backups?

      That way, he personally had access to them (without having to download them) and has removed everyone else's access. Even if he has just "lost" the latest backups for them, that's an incredibly serious breach that he could even get that close and relevant to a lot of people. He *could* have downloaded whatever he wanted and could have wreaked enormous havoc by *corrupting* the backups beyond recognition and not even get noticed. How many other large organisations use their host's backup facilities (which are normally run as "on-line" backups with occasional "off-line"/"off-site" backups) instead of their own? I know of several, but they don't host anything anywhere near as critical as this.

      Either way, it's piss-poor server/network management and someone should be fingered for it. I'm guessing it's more likely an "IT Consultant" and/or someone who didn't listen to their systems administrator at the last round of budget estimates than the actual implementors of the system.
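ledow's scenario above (backups quietly encrypted, corrupted or deleted on the backup host itself) can only be caught by checking the archives against a record the intruder could not also rewrite. Added example, not from the thread or from any system it discusses: a Python audit that compares on-disk backup archives against a manifest of SHA-256 hashes assumed to have been recorded at backup time and kept off the backup host, flagging missing files, changed files, and changed files whose content now looks like ciphertext (all file names and contents are constructed).

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or random bytes, far lower for SQL dumps or CSV."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_backups(backup_dir, manifest):
    """manifest: {archive name: sha256 recorded when it was written}, assumed stored
    somewhere the backup host cannot write to. Hash mismatch is the real signal;
    entropy only hints whether the file was overwritten with ciphertext."""
    findings = {}
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            findings[name] = "MISSING"            # deleted, as in the scenario above
        elif sha256_of(path) == expected:
            findings[name] = "OK"
        else:
            with open(path, "rb") as f:
                head = f.read(4096)
            findings[name] = ("MODIFIED_HIGH_ENTROPY" if shannon_entropy(head) > 7.5
                              else "MODIFIED")
    return findings


def demo():
    """Constructed scenario: three plain-text dumps are backed up and a manifest taken;
    then one archive is overwritten with ciphertext-like bytes and another deleted."""
    with tempfile.TemporaryDirectory() as d:
        names = ["pmp-backup-1.sql", "pmp-backup-2.sql", "pmp-backup-3.sql"]
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"INSERT INTO prescriptions VALUES (...);\n" * 200)
        manifest = {n: sha256_of(os.path.join(d, n)) for n in names}
        # Simulated intruder activity on the backup host (constructed, not real data).
        with open(os.path.join(d, names[1]), "wb") as f:
            f.write(bytes(range(256)) * 16)       # every byte value equally likely: 8.0 bits
        os.remove(os.path.join(d, names[2]))
        return audit_backups(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:22} {name}")
```

A compressed or already-encrypted backup is high-entropy by design, so the entropy label is only a hint; the manifest comparison is what actually detects the tampering.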

  6. One Question by MistrBlank · Score: 5, Funny

    Did they also threaten to release the Da Vinci virus?

  7. Damnit... by jez9999 · Score: 5, Funny

    The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians.

    Damn, I'd pay $10 mil for data on more than 8 million virgins. That's more than you get for martyrdom in the... oh, read it wrong. Never mind.

  8. It's situations like this by mandark1967 · Score: 5, Funny

    That make me very happy I get all my medication from the 2 dudes on the streetcorner.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain

  9. An unrelated comment by dachshund · Score: 5, Insightful

    This is tragic, and please don't view the following unrelated rant as indicating lack of sympathy or some kind of judgement against the public agency that's getting slammed in this case.

    A couple of weeks ago I spent a few days at the RSA security conference, one of the biggest conferences/trade shows in the security industry. Roughly 7 out of 10 of the products being hawked were absolute nonsense: buzzword-compliant BS. "Security risk management" software, hacked-together IDS systems, encryption systems that have pretty Windows GUIs (and probably, lots of pretty Windows code vulnerabilities), AV that's easy to circumvent, etc. They'd do absolutely nothing to protect you in the face of a serious attack. I say this as both a security professional and a business owner, which makes me somewhat well qualified to make that judgement. Often the most obviously ineffective products were the best sellers.

    My point? In terms of commercial spending, "security" has so far been an excuse to spend a bunch of money and check a lot of little boxes. Corporations and organizations aren't really serious about preventing attacks, because for the most part it isn't happening (to most companies). An executive wants to say he "did something", so he buys a bunch of stuff and wastes time configuring it. It probably doesn't protect him against a motivated attacker, and he doesn't have the skills in-house to deal with it (which would be a lot more valuable than the equipment and software he purchased).

    When I see something like this story, well, it's absolutely not gratifying. It's tragic. And of course, the fact that it's hitting a public agency makes it even nastier. But at very least, I hope that things like this do at least scare the crap out of some of the companies buying this nonsense, and convince a few of them to take the problem seriously. Because it is a problem. The reason we have the luxury of pretty trade shows that sell fluffy products is because this very real problem just hasn't manifested itself in an expensive enough way to shock people into taking the problem seriously. I really hope people start taking it seriously before this kind of thing becomes too pernicious.

  10. Ummm... by ledow · Score: 5, Insightful

    Well... he has an email address that he wants people to talk to him on. The person is asking to be caught already. Even assuming Tor use, etc., that's a definite lead back to him right there. You're talking an open invitation for some agency to coerce Yahoo to plant something on his browser when that login is detected (a cookie would probably do for the simple cases, a Flash/Java/browser exploit or similar in an advert would easily do for the more complex). Hell, I wouldn't be surprised if it wasn't possible to get a Microsoft-signed Java app (and, thus, automatically run without prompting) into the pages that are made for his login with their co-operation and have it reveal the *real* IP address / routing.

    You can *easily* string him along for four or five emails. He would have to be using extremely tight security each and every time in order to communicate safely (and thus I hope he ran / is running a sandboxed system via a good anonymising network for the purpose of creating and checking that mail account each and every time and that he *never* uses that sandbox for anything else).

    And you're talking confidential patient records - this is no hero of the citizenry, it's some pillock with nmap. So I hope he does get caught. Yeah, expose the security holes (though even that is just asking for jailtime) but don't play with people's lives.

    How he expects to receive any money is beyond me... there's no such thing as a "safe" bank account except in the movies. Or is he hoping for a large bag of cash to be thrown from the Golden Gate bridge at 13:37 or similar? I'm guessing that, somewhere, he's made a stupid, elementary and critical mistake which means that he'll be "caught" quite soon (as in, people know who he is and just have to do the paperwork to get him), if he's not already.

    If you want to make a stand, make a stand, target an organisation, pick a purpose, hit the critical points without collateral damage. If you want to dick about and show what a hacker you are, that's when you take whatever you *can* find (e.g. extremely private medical records and personal details of random people) and threaten to spread it unless a ransom is paid. In short,

    Go to Jail. Go directly to Jail. Do not pass Go. Do not collect $10 million.

    1. Re:Ummm... by Mendoksou · Score: 5, Insightful

      Right, and he intends to get the money somehow... as if it couldn't be tracked. My guess is that this guy is as good as caught, or it's a hoax. Either way, expect to see more restrictive internet legislation because of this.

      --
      DISCLAIMER: I am very rarely serious. If the above comment seems asinine or makes no sense, it is most likely a bad joke.

    2. Re:Ummm... by magbottle · Score: 5, Funny

      How he expects to receive any money is beyond me...

      A good plan would be to identify two similarly hackable situations, crack one and post a ransom note on the main page. Then kick back and read Slashdot to figure out how best to exploit hack situation number two.

      We give the best advice.

  11. Re:Proper backup procedures by jcnnghm · Score: 5, Insightful

    It's not only about being able to recover the data, it's also about everyone's medical records being sold. If medical records can't even be protected at the state level, what makes people believe that national electronic health records will be any safer? Just wait until you're lying in the hospital, but you can't be treated because access to your online health records is down.

    I'm increasingly amazed by the willingness of people to bitch and moan about incompetent and inefficient bureaucrats, while at the same time, insisting on turning over more and more important societal functions to these same bureaucrats.

    --
    You don't make the poor richer by making the rich poorer. - Winston Churchill