Slashdot Mirror


Ask Slashdot: Dealing With Unwanted But Official Security Probes?

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

26 of 238 comments

  1. Be happy that their data is secure? by PNutts · · Score: 4, Insightful

    They do know about HIPAA penalties for leaking data, right?

    1. Re:Be happy that their data is secure? by AK+Marc · · Score: 1, Insightful

      Has there ever been a fine for leaking data? I know of a few for not releasing data when required, but not any for unauthorized access of a computer.

      You do know that HIPAA was more about owning your own records, than having them held hostage by doctors who required bribes to release your records to other doctors, right? And yes, that was common, especially with eye doctors requiring that prescriptions be filled at their office. Losing money on the exam and making it up with the overpriced treatment was considered unethical.

    2. Re:Be happy that their data is secure? by Sir+Holo · · Score: 3, Insightful

      Possibly off-topic, but a physician of mine bragged that all of his many patients' data was very handily available to him at all times –– on a 32GB USB stick that he wore around his neck on a lanyard.

      My first thought was, "Dude, what if you lost it?"

      That is: HIPAA violations all over the place if he did.

  2. Is this not your local net police? by Dr.+Tom · · Score: 5, Insightful

    You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
    If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

    1. Re:Is this not your local net police? by sgt+scrub · · Score: 4, Insightful

      Or NAT their IP addresses to honey pots and watch them get sticky.

      --
      Having to work for a living is the root of all evil.
    2. Re:Is this not your local net police? by TrekkieGod · · Score: 4, Insightful

      If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

      You shouldn't know, and you're supposed to treat them like the bad guys. Isn't that the entire point? How else are they going to know you're prepared against a real attack?

      --

      Warning: Opinions known to be heavily biased.

    3. Re:Is this not your local net police? by Hentes · · Score: 3, Insightful

      Probably not the best idea in a pentest, some of them might think they actually got through and that will be hard to explain later.

    4. Re:Is this not your local net police? by longk · · Score: 3, Insightful

      How is this not a real attack to begin with? Just because they cooperate in the medical business doesn't mean they have the right to penetrate each other's IT systems.

    5. Re:Is this not your local net police? by Anonymous Coward · · Score: 2, Insightful

      The hospital's network is responsible for the security of the ENTIRE network. If the "independent" practice is connected to their network, they fall under security's purview.

    6. Re:Is this not your local net police? by Jane+Q.+Public · · Score: 2, Insightful

      "They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."

      I hate to have to tell you this, but no.

      If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.

      Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.

    7. Re:Is this not your local net police? by postbigbang · · Score: 4, Insightful

      Not so. There may be a contractual relationship allowing this. Otherwise, an unauthorized pentest is a hack attempt. If so, report them to the FBI and do a deny on their IPs.

      If there's a contractual relationship with a clause governing over-arching compliance, then an audit better be agreed upon first, otherwise, see first paragraph.

      I don't care if the address is across town, or across the seas, they get hammered and reported unless they're 1) covered by contract and 2) give us results. Otherwise, we suspect the worst and go for their lunch. Then we eat it.

      --
      ---- Teach Peace. It's Cheaper Than War.
    8. Re:Is this not your local net police? by Anonymous Coward · · Score: 2, Insightful

      "They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."

      I hate to have to tell you this, but no.

      If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.

      This is not entirely true either. If they are attacking a server not owned by the hospital but by the private company, that would be an illegal attack. If you are connected to a network through your ISP you have no right to try to attack some other server on the ISP's network.

    9. Re:Is this not your local net police? by Hizonner · · Score: 5, Insightful

      Yes, the practice's security affects the hospital's. Your security affects mine, too, and in fact the security of everybody on the Internet affects the security of everybody else.

      Nonetheless, it is not legal, ethical, or appropriate to go around attacking somebody else's systems without their explicit permission. It doesn't matter if you provide them with network service. It doesn't matter if you have (perhaps unwisely) given them access that makes them a potential threat to you. It doesn't matter if you're the "big" network, or if you have more to lose than they do. It doesn't matter if you feel you're "responsible for the whole network". It doesn't matter if they're completely incompetent and overrun with malware.

      If you don't have advance permission, and you attack somebody else's system, you're in CFAA violation territory. And if you didn't get that permission in writing, you're an incompetent idiot.

      This isn't the wild, wild west. Your motives do not matter. The effect on your own security does not matter. End of story.

    10. Re:Is this not your local net police? by Tom · · Score: 3, Insightful

      It depends on the testing. I've run security tests. Most of the time, you do notify the people involved and plan with them, especially if you are testing live systems. You don't want to interrupt service, after all.

      However, sometimes you want to test humans and procedures as well. In those cases, you might notify only management, not the technical people involved. You definitely notify someone, but not necessarily the people who will notice your attack first.

      Friends of mine do social engineering pentesting. That's the best example, because notifying people just that such a thing is going on already changes the results. So they will usually carry a letter signed by the CEO and the security chief that states a) these guys are legit and b) call me to verify. And, btw., people who don't do b) upon seeing the letter fail the test because anyone could carry a forgery. But, back to the point, in most cases, the CEO and security chief and maybe two people in legal who handled the contract are the only people within the target company that know about the testing.

      Same, but to a lesser extent, with other security tests. If you want to test the firewall, you can tell the firewall guy. But if you want to test the firewall guy, you can't. You tell his manager or, if the corp has a separate security chain-of-command, the next-higher-up in the security report chain, so he can calm him down and congratulate him when he storms into the office saying "we're under attack". But if you want to find out if he'll notice at all, you obviously can't tell him beforehand.

      --
      Assorted stuff I do sometimes: Lemuria.org
  3. Key words for me: independent practice by Anonymous Coward · · Score: 5, Insightful

    Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.

  4. Re:Hack back. by PhamNguyen · · Score: 3, Insightful

    That would be responding to a company whose only fault is having a bad policy and poor training, by committing a serious crime!

  5. Talk to the Intrusion Crew. by darkonc · · Score: 4, Insightful
    One thing to note: If they manage to get in, then it's a good thing to know about how they did it.

    In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  6. Re:Have you tried all these? by Dan+Dankleton · · Score: 5, Insightful

    You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?

    I never have mod points when there's something I want to moderate! This is the thing to do. Get in touch with the hospital's security people. If the scans are causing any problems with IT operations then arrange with them to schedule the scans differently. Otherwise, explain that you've picked up the scans and blocked them per procedure. Ask if they want you to unblock their specific scan so that they can find any issues which would reveal weaknesses you could defend against in more depth.

    All this may be unwelcome but it doesn't sound like there's much you can do about it, so treat it as an opportunity.

  7. Re:Find someone with a clue to do your job. by pla · · Score: 3, Insightful

    Are they causing you harm? Are you just being uppity about log entries?

    Flooding the logs with false positives does cause harm, in that he may miss real attacks in the flood of "test" ones.

    Not to mention, who bears the liability if this testing actually manages to get in and cause data loss? The FP poster specifically mentions fuzzing inputs to the web server - That works great in a test environment; if it succeeds on a production system, god only knows what effects it will have.

    My recommendation? Aggressively block this shit until your actual boss (not some random schmuck from "corporate") directly orders you to let it get through; and if ordered to let it continue, get it in writing (email would suffice).

  8. Two things by gman003 · · Score: 5, Insightful

    First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.

    Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.
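The two posts above make a practical point between them: scanner traffic from a source the hospital has confirmed in writing should not be allowed to drown out everything else in the logs, and sources that have not been confirmed get the same treatment as any other attacker. The script below is an added illustration of that triage, not code from this thread or any poster. It assumes a simplified firewall/web log format defined here, placeholder authorized-scanner networks (10.50.0.0/24 and 10.50.1.7, standing in for whatever the written authorization names), and constructed sample lines.

```python
"""Separate log events from authorized scanner sources from everything else,
and name unauthorized sources that cross a repeat-attempt threshold.

Added example; the log format, addresses and thresholds are constructed
placeholders and do not come from the original thread."""
import ipaddress
import re
from collections import Counter

# Placeholder: the sources the hospital confirmed in writing as its scanners.
AUTHORIZED_SCANNERS = [
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("10.50.1.7/32"),
]

# Hostile events from one unauthorized source at or above this count make it a block candidate.
BLOCK_THRESHOLD = 3

# Crude indicators of probing/attack activity (constructed for the sample log).
HOSTILE_MARKERS = ("/etc/passwd", "../", "%27", "failed password")

# Simplified line format: "<timestamp> src=<ip> dst=<ip:port> msg=<free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+msg=(?P<msg>.*)$"
)

# Constructed sample log: one authorized scanner, one unknown brute-forcer,
# one ordinary visitor, and a second authorized scanner address.
SAMPLE_LOG = """\
2013-02-01T10:00:01 src=10.50.0.12 dst=192.168.7.5:80 msg=GET /login.php?user=%27%20OR%201%3D1--
2013-02-01T10:00:02 src=10.50.0.12 dst=192.168.7.5:80 msg=GET /cgi-bin/../../etc/passwd
2013-02-01T10:00:03 src=10.50.0.12 dst=192.168.7.5:1433 msg=TCP SYN
2013-02-01T10:00:09 src=203.0.113.44 dst=192.168.7.5:22 msg=sshd failed password for root
2013-02-01T10:00:10 src=203.0.113.44 dst=192.168.7.5:22 msg=sshd failed password for root
2013-02-01T10:00:11 src=203.0.113.44 dst=192.168.7.5:22 msg=sshd failed password for admin
2013-02-01T10:00:12 src=203.0.113.44 dst=192.168.7.5:22 msg=sshd failed password for admin
2013-02-01T10:00:20 src=198.51.100.9 dst=192.168.7.5:80 msg=GET /index.html
2013-02-01T10:00:30 src=10.50.1.7 dst=192.168.7.5:80 msg=GET /api/patients?id=%27%27%27%27
"""


def parse_line(line):
    """Return a dict with ts/src/dst/msg, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_authorized(src):
    """True if src falls inside a network named in the written authorization."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def looks_hostile(msg):
    """Case-insensitive check for any of the constructed hostile markers."""
    low = msg.lower()
    return any(marker in low for marker in HOSTILE_MARKERS)


def triage(log_text):
    """Bucket sources into authorized vs unknown; each maps src -> (events, hostile)."""
    events, hostile = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events[ev["src"]] += 1
        if looks_hostile(ev["msg"]):
            hostile[ev["src"]] += 1
    report = {"authorized": {}, "unknown": {}}
    for src in events:
        bucket = "authorized" if is_authorized(src) else "unknown"
        report[bucket][src] = (events[src], hostile[src])
    # Only unknown sources are candidates for blocking; authorized scanner
    # activity is recorded separately so it can be reconciled with their report.
    report["block_candidates"] = sorted(
        src for src, (_, h) in report["unknown"].items() if h >= BLOCK_THRESHOLD
    )
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("authorized", "unknown"):
        print(f"{bucket}:")
        for src, (n, h) in sorted(result[bucket].items()):
            print(f"  {src:<16} events={n} hostile={h}")
    print("block candidates:", result["block_candidates"])
```

Keeping the authorized bucket as a separate, itemized record (rather than simply dropping those lines) is what lets you later compare what the scanner touched against the findings the hospital hands back, which is the confirmation several posters ask for.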

  9. Do I get that right? by Opportunist · · Score: 3, Insightful

    Do I get this right? You are working for company A, but company B, with whom you have some kind of relationship, but are not a part of, tests your security?

    First, make sure you have EVERYTHING in writing. At the very least as emails, but paper would be better. Make sure that everything you inform your IT superiors of is documented, and make sure every order you get from them is documented as well. Else selective amnesia might set in when the shit hits the fan. Tell your doctors to get in touch with the hospital CIO/CISO (or whoever is directing the tests), and make sure that they inform them that they want to cooperate to make sure the test makes sense. Else, what would you logically do? Right. Block the offending IP(s) until the storm is over. That's not really in the interest of the auditor either, since it's trivial to make something "secure" when I don't allow access to it by default and have every kind of access die at the front door (even though others might be allowed further in).

    Personally I think it's highly unusual to conduct a pen test "against" a cooperating company. At the very least you should be informed that this has to happen (likely due to HIPAA or similar regulations), else the auditors are on VERY thin (juridical) ice. Essentially, they are conducting a hostile attack.

    Tell your docs what the auditors do here is pretty much like performing an operation without the patient's consent, they'll immediately get that. It may be in the patient's interest, but cutting him open without immediate lethal danger and without consent is STILL a big no-no.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. How do you know THEY weren't hacked? You MUST act. by Ungrounded+Lightning · · Score: 4, Insightful

    If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

    You shouldn't know, and you're supposed to treat them like the bad guys.

    How do you know that their machines haven't been hacked, and that ALL of the penetration attempts are actually tests?

    If you talked to them on a phone rather than face-to-face at THEIR office (or even then), how do you know the person you talked to is actually a security guy or I.T. administrator at the hospital and not a freelance cracker, identity thief, spy, or even an assassin going after a patient? If somebody cracked, say, a VoIP phone system, they could intercept your complaints and tell you it was standard operating procedure and to ignore such attacks.

    Even if they are what they claim to be and ALL the attacks are from them, by telling you it's just a test, you should ignore it, and continuing to "test" you, they've just TOLD YOU TO IGNORE ATTACKS. If you do, you FAIL.

    IMHO (IANAL) you MUST attempt to halt the attacks and treat them as real or you are in violation of HIPAA.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  11. You're a complete idiot... by Anonymous Coward · · Score: 4, Insightful

    I once worked on a team doing such internal audits. After a YEAR we finally had our network looking pretty tight from the disaster it had been - this was a very large network. One day someone asked me to take a look at a WEB app they had created to demonstrate something for me - I couldn't reach the address. Neither could anyone else on my team. I asked friends via IM elsewhere on the network if they could reach the IP and they could. Suspicious, I told my boss about it and he confirmed the blockage by attempting access via RDP from a machine we kept remotely on the network - he was able to access it. Suspicions confirmed, he twiddled a few things and moved our DHCP IP range to a completely different set of addresses and instructed our team to go to work. We found quite a bit wrong with the network space behind that router! When the network team responsible for that router was drilled they claimed no knowledge of the filtering rule that had been blocking our IP space and no documentation of its creation existed despite strict rules about such things.

    What you're advocating is akin to stripping off street signs and house numbers so that the fire and police depts can't find your home when soliciting for donations. This has the additional side effect of also making sure they cannot find your home should a fire or robbery occur and is stupidity to say the least!

    Yes, security scans like this can be bothersome. They can even crash machines and applications that aren't coded properly and if you've not locked all your doors and sealed the windows someone might crawl in. My all-time favorite was a NAS that would corrupt multi-TB worth of data every time we scanned it - the vendor's response was to tell us to stop scanning it. Ours was to replace the fucking vendor! Stopping these scans by something as stupid as blocking the traffic is simply going to waste the company's money spent hiring these people and come home to roost when someone else crawls in and steals your shit. The difference between this and thieves or vandals is that if THESE guys get in they will let you know what they found and hopefully help you fix it. Which would you rather have? The fact that they have even been spotted is a plus, most of the folks I went up against never noticed us and the stupidity we uncovered was amazing.

    Sadly, much as I'd like to NOT post this AC I'm going to have to but trust me simply blocking these guys is a really BIG mistake.

    1. Re:You're a complete idiot... by Runaway1956 · · Score: 4, Insightful

      Nice story and all. Good moral, too. Cooperating with your IT department can only help everyone.

      The flaw here, is that the vendor has not been warned that the hospital's IT department is going to be pentesting. Apparently, there is no contract, no new letter, no statement of policy. The vendor simply discovered that someone is testing his defenses, and the IP addresses have led him to believe the hospital is responsible.

      It's possible that bad guys are doing all this testing, and the people at the hospital aren't really aware of what is happening.

      Contacting the hospital's administration seems to be in order here.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re: You're a complete idiot... by Anonymous Coward · · Score: 2, Insightful

      The vulnerability testers are probably using something like HP WebInspect (which I represent in my day job) or IBM AppScan.

      In the vulnerability testing business, it is considered pretty poor form to scan someone's live app without permission first.

      If the hospital doesn't own the doctors' website, what they are doing might be technically illegal in the US - it hasn't been tested in law to my knowledge.

      In any case, a brief chat with these professionals should illuminate the situation.

      All of these scanners have settings choices to NOT screw up sites. And in the worst "assault" mode, they will ruin almost anything.

      TL;DR you are a jerk. And OP needs to make a phone call.

  12. Escalate to their legal contacts now. by billstewart · · Score: 5, Insightful

    There are three or four likely possibilities for what's going on here:

    * The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea.
    * The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate.
    * The hospital's IT department is doing this stuff on his own, for evil reasons, and needs to be caught and stopped.
    * Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.

    Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks