Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com)
Long-time Slashdot reader t0qer writes:
I'm the IT director at a medical marijuana dispensary. Last week the point-of-sale system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "smoke pot"...
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.
"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
I am sure the border guard service would love to have a copy of this data. They could then ask people if they had ever used marijuana, and charge them with perjury if they say they haven't.
Some idiot used Windows, didn't bother upgrading some old software because it was closed source and upgrades were expensive, and got what they deserved.
Custom electronics and digital signage for your business: www.evcircuits.com
The company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority."
If your companies top priority is to keep data secure, then how/why did you get hacked? They always say that, but clearly that is not the Top Priority.
Of all the things, scrambling isn't something stoners do.
Apparently, the attackers made off with the collection of ZZ Top and Crosby, Stills Nash and Young vinyl records covered with seed debris, but somehow missed the ten Maxwell House coffee cans under the counter, where the customer records were stored.
Oh, maaan...
It probably came from within the pharmaceutical industry, or they paid to have it done; medical marijuana is taking income away from the pharmaceutical industry. Eventually the pharmaceutical industry will have to accept marijuana as a legitimate product and should consider making remedies with the active ingredients of marijuana.
Politics is Treachery, Religion is Brainwashing
"I was gonna keep our clients' data secure . . . but then I got high . . ." -- Afroman, https://www.youtube.com/watch?...
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
then
If the first was true, the second wasn't necessary.
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
Where's my encryption keys??
Not being smug at all. I've had my medical (hospital) information, insurance (2 different insurance companies), 3 credit card companies hacked over the period of the last 2 years and each time, they always say the same thing. Security is our top priority, but then you find out it really wasn't. They were doing insecure processes, which is how they got hacked, had been warned about their practices, etc...
I have no choice if I use these services (other than to not get medical, insurance and use a credit card), and no control over their lack of security.
In this case, it looks like the hack didn't actually pull any data, but how many times has the scope of the hack been under reported or not reported at all for a long time only to find out that really is not what happened.
A gigantic target for hackers with every clients info in one place.
Great job.
Yes, this new Marijuana thing is certain to be society's doom.
Waiting for CIA report on that
Does that mean, translation, we got hit by ransomware?
HIPAA rules do not describe how to secure your data. It only tells you that you need to secure your data and the procedures to follow when you're not compliant. It doesn't prescribe a particular encryption or what needs to be encrypted.
Case in point, most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN" and then it doesn't matter that the external VPN vendor only supports DES (yes, still single DES in 2016/2017); it's documented as being "encrypted", any hacking would be the result of 'evil hackers' which they can't do anything against, and then it becomes the FBI's responsibility to catch the criminals. The hospitals have done their due diligence and don't need to report breaches because they have gone according to HIPAA standards.
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption."
Oh sure, I totally believe this 100%.
Like they would even know for sure if it had been extracted.
Just cruising through this digital world at 33 1/3 rpm...
"The holy war against drug use was once again rewarded a sizable win after the anti-marijuana hackers popped out of the parallel universe and executed a data corruption attack against the industry. The sabotage amounted to a sizable win for the healthcare industry as millions of registered patients had to renew their medical status relating to the vile practice, resulting in a sizable bill to the insurance industry. Cthulhu can't rise fast enough. On to other news.."
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
You forgot the quotes around "medical". In 99.9999% of cases it has nothing to do with medicine or treating any illness. If this really was medicine it would be sold through a normal pharmacy and have FDA approval and double blind efficacy tests like every other drug. While I do not dispute that there are likely medicinal uses for some of the ingredients in marijuana, let's not pretend that the VAST majority of people who are "seeking treatment" are anything other than just recreational users. I have no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.
My place of employment had a dispensary open up literally next door to us a few years back. I can assure you with good certainty from first hand observations that nobody that showed up was a medical patient under any reasonable definition of the term. They were recreational users who were taking advantage of a loophole in the law. Anyone saying "medical marijuana" should be doing so with an exaggerated wink or finger quotes when they say it.
If your companies top priority is to keep data secure, then how/why did you get hacked? They always say that, but clearly that is not the Top Priority.
Their top priority is obviously making a profit, just like any other company. Data security is only a priority insofar as it affects their ability to continue to make a profit. If the cost of data security is higher than the value of a breach then guess what is going to happen sooner or later...
maybe this is the DEA's new strategy....
Let me get this straight. These people are trusting their personal data to a company that literally is based around sales and use of a drug known and acknowledged to impair judgement and productivity? Awesome plan. I'm sure they were moving heaven and earth to secure their data... That's about as smart as hiring an alcoholic to be your limo driver. You might get there in one piece but I wouldn't count on it.
we r has the rats that cant get it illegal now,
Let me put this in perspective: people go alllllll "we need medical" after they rat out and can't get it otherwise. Now that list is a nice one, of where they are, who they are, etc.
Where did it come from? I mean in my day we had safe drugs like OxyContin, Xanax, etc.. only doctors would let you have them. But weed? Sounds dangerous. /sarc
Well the advantage of cloud-based medical marijuana is you don't have to grow it in your basement any more.
I can imagine the discussion on security.
The federal perjury statute says a person is guilty of perjury if they lie in either of these two types of instances:
A) They've taken an oath in front of *any* court or competent *person* in any circumstance in which federal law allows an oath.
Or
B) Any written statement declaring "under penalty of perjury", including a DMCA notice and certain customs forms.
Here's the actual text of the statute:
Whoever -- ...
(1) having taken an oath before a competent tribunal, officer, or person, in any case in which a law of the United States authorizes an oath to be administered, that he will testify, declare, depose, or certify truly, or that any written testimony, declaration, deposition, or certificate by him subscribed, is true, willfully and contrary to such oath states or subscribes any material matter which he does not believe to be true; or
(2) in any declaration, certificate, verification, or statement under penalty of perjury
* In a DMCA notice, the complainant swears under penalty of perjury that they are the copyright holder or the copyright holder's representative. They do NOT swear under penalty of perjury that a jury won't later determine that it's fair use or any other issue of law.
Underneath it all, let's focus for a second on the root of this issue: their constituents, the product and the $. You would think there would have been some mitigation procedures put in place to deal with this type of event should it arise.
Why is it that those who deal with MJ seem to get burned some way or another? Why is that?
Let's look @ the org for a sec. If these establish themselves as pillars in the community, then what the fuck?
The real deal probably is that
these individuals have probably burned enough people in the community to warrant this backlash.
Moving past that,
considering the investments put forth to protect the establishments,
with that said, are there standard sets of policies and/or procedures to deal with this type of private breach of service? Like, have the patrons of these establishments been notified of the breach? If so, when? If not, why not?
More to the matter, what's the root cause analysis of this event? What are these places doing about it? More importantly, what's the policy and procedure to deal with it when it happens again?
I think there should be some policies and procedures put in place @ the local level to help deal with this since, NOW IT'S ALL TAXED. I'm curious to know how the states will deal with this NOW THAT THEY ARE LEGITIMATELY MAKING MONEY OFF IT.
At the end of the day I bet the states will (like every other individual in this system) just take the money and run. I mean really, who gives a fuck about the people they serve, right?
Are there fines to be handed out to those who obviously improperly handled this situation?
Is the establishment covered against being sued for improper handling of sensitive MEDICAL information? What is their culpability in this? Does this also mean, by definition of the establishment, they cannot make good on their charter since they are all unable to secure their own information correctly, and unable to provide a safe and secure way to access the medication?
Why don't we see, hear, or understand these issues at other establishments like CVS, WALGREENS, WALMART, TARGET, SAFEWAY, VONS, THE LIST GOES ON? Yeah, we hear about some retail issues but NEVER ANYTHING HAVING TO DO WITH THE PRESCRIPTIVE/DRUG COMPONENT OF THEIR BUSINESS. Why is that? Are they not reported, or not happening?
If so, why, to either one?
> medical
> cloud-based
OK.
pr0n - keeping monitor glass spotless since 1981.
The left demands complete secrecy when it comes to who might be using marijuana. They would scream and shout if anyone suggested we should have some kind of national, public database of everyone who has bought the drug legally and how many times they did it. They would be very, very concerned if law enforcement was able to regularly check that database at every traffic stop or confrontation. Yet the left demands those very things from legal gun owners. In order to buy a gun, one must submit to a lot of paperwork and detailed information about every gun purchase. Background checks are conducted and every person can be denied the purchase based on it. I can see a lot of the logic behind that, but I can't see the logic behind the double standard. Drugs kill lots of people every day too. Why should their purchasers get anonymity while gun purchasers should not?
Never trust dispensary owners to be smart enough to understand that trusting an offsite point of sale system to run a business selling a still federally illegal substance is likely to have traffic crossing state lines, thus falling under interstate commerce and therefore full federal enforcement. I'm also typing this while stoned out of my mind. Not kidding.
Am I the only one giggling at this point or is just because I'm stoned?
Vandals destroy very valuable property
The law firm of Dewy Chetham and Howe reported yesterday that vandals destroyed very valuable property. Spokesperson of the firm Insanei Rony said, "The firm keeps all their files in unlocked cabinets in the back porch open to the public, in order to serve our clients better. This allows our clients to work at their schedule and come in and drop off their forms and depositions at their convenience. On Friday evening a group of vandals, criminals, who have absolutely no right to be on the property, who have no business with the firm, trespassed into our public porch, we stress it is private property though it has no gates, alarms or security guards and is accessible to the public, and destroyed our valuable records. We demand the police, funded by taxpayers, to act as our private security guards, and patrol our premises regularly and spend more of their resources to track down and apprehend the criminals, we stress it is a criminal act, and it is the duty of the police to apprehend the criminals. The firm also pays taxes, and it is entitled to the protection and the services of the police, even if we pay less than 0.01% of the cost of the police and even if this investigation consumes 99.99% of its resources, we plan to stand on our right to the service and prosecute our case vigorously."
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Dave's not here man..
Ah the magic of open source where there are no long standing, highly damaging security flaws /s
See, this is the bit that gets me confused: MJ production, sale and use is legal in many states, but is still against federal law!!
In a state where it's all perfectly legal, what is to stop a federal law officer nicking you for possession while you're still in that state?
Millennials, druggies, hipsters. Everything that's wrong with Western society.
Again /. management can we get a modification to the lameness filter for idiots like this using the word "Hipster"?
> no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.
No problem, then. The term is used by and for potheads, not for people with a functioning brain.
Many years ago, I was into NORML and the marijuana legalization movement. (We called it "decriminalization".) I wrote some articles that were well received by my NORML peers. Looking back on what I wrote now, I think "what the hell? Wtf was I smoking when I wrote THIS? You'd have to be stoned out of your mind to believe any of this crap." Then I remember wtf I was smoking, and that my readers were indeed stoned out of their mind.
If your companies top priority is to keep data secure, then how/why did you get hacked? They always say that, but clearly that is not the Top Priority.
I see you're doing your part by not using dangerous apostrophes where they are needed!
... and of course nobody could or would want to use the system or pay the monthly fee needed to keep something like that alive.
Implicit in any company's statement that security is their top priority is the large bundle of compromises that don't go away whether or not that is your top priority. They could make the data perfectly secure by disconnecting the servers and putting them in a bank vault. They could make sure the data can't be breached by simply destroying all of it. See?
Security can be your Top Priority, but it has to be done in the context of things like still making it available to users across the internet. Doing it while not going bankrupt. Making the service competitively priced so that it can actually be afforded and put to work.
They could have said that the system could only be used on equipment they ship to their clients, connected to the back end through a hardware-based dedicated VPN with biometrics, dongles, and constant nagging by three-factor comms surrounding every time someone hits the enter key.
They may very well put security at a higher priority than chipping away at a long list of UX updates, performance under load, documentation, multi-language support, and a thousand other things. Doesn't mean that doing so means they'll be perfect in their security results. Ever run a business like that? No? Give it a whirl. Make security your top priority, and then start paying attention to what that decision means in real life - including in your ability to get and retain customers during that balancing act.
Don't disappoint your bird dog. Go to the range.
And domestic on these hackers as part of data protection. freedom protection.
Hacking will slow when they occupy the same seat as terrorists.
what malware garbles data other than crypto?
Like it would have made any difference if they had an outdated Linux distribution.
Only the State obtains its revenue by coercion. - Murray Rothbard
Huh?!?!? Are you saying the stuff she lied about was immaterial to the investigation? She was being investigated for sending classified information via a non-secure email system. She said "I did not send material marked classified over non-secure email". How the hell is that immaterial to the subject of the investigation?
PS, as is often the case with the Clintons, her words were *very* carefully chosen to say one thing to anyone listening, while technically saying something completely different, in her mind. She said "I never sent material *marked* classified." She [unlawfully] removed the markings, in most cases (but not always, so it was a lie both ways).
Why should they? Security has no ROI.
So obvious... so embarrassing.. worst of all Microsoft does jack shit to fix this bug.
I'm personally very involved in this situation. The "hack" was a recent ex employee. And they have not migrated all customers over to a new environment. And when they do migrate, the customers have to redo their entire setup: enter in all products, inventory, users, etc.
Even when all that is done, customers will have to wait 3 weeks to 3 months to get their history back. Stores don't have sales data, patient information, anything.
Now, if the charges were lying and deception it'd be a different story . . . but then again, compared to the PEOTUS she's friggin' Mother Teresa. I hope you enjoyed the 1950's, 'cause that's where we're heading now. A shame our PEOTUS has no decency, sir.
The Director of the FBI, who is appointed by the President, said two things of import in his announcement:
A) Mrs. Clinton was "extremely careless" with classified information. (Being negligent with classified information is a federal crime).
B) He would not recommend prosecution. (Of the person who was about to become his boss, in all likelihood.)
So basically the FBI announced she was guilty, but they weren't going on record as recommending that the (expected) new boss be prosecuted.
Prosecutions for *perjury* are rare, for practical reasons. Less than 1% of people who clearly commit perjury are prosecuted for it.
The overwhelming pressure for access from recreational users does in fact spill over to the medical user community. We are not happy about it. It gives asshats like you ammo for a completely fallacious argument.
Fallacious? Ok smart guy. Show me ANY actual evidence that the vast majority of the millions of users of "medical" marijuana are not in actuality recreational pot users and have legitimate medical conditions that are demonstrably not responsive to any of the rest of modern medicine. Go ahead. I'll wait.
[crickets]
Yeah I thought so... You acknowledge my point. The recreational users are the main driver for legalization and they vastly out number any medical users that might exist. They are getting fake prescriptions for non-existent conditions because our government has an idiotic "war on drugs".
If you saw me, you would have absolutely NO WAY of knowing I have a medical problem. Funny thing is, without cannabis, I can't eat anything. I'll literally get diarrhea from plain rice, or Wheat Thins. WITH cannabis, I can digest just about any food normally.
If you are the exception then you are the exception that proves the rule. I've met plenty of pot users in the last several decades. Most are quite up front about the fact that they are recreational users. They are also up front about the fact that "medical marijuana" is just a convenient way to do an end run around the legal system. I don't actually care that they use pot recreationally but I'm insulted that they think I don't see through their little charade.
"Medical" doctors, don't have a fucking clue what is wrong with me.
There are lots of things modern medicine doesn't understand. One thing they do understand is that there isn't an epidemic of 22 year olds with glaucoma or other conditions that by some miracle only smoking pot can treat. If you are a patient with a condition that is only responsive to pot then doctors would be clamoring to write papers about you because obviously there is something interesting to examine about you. Just because doctors don't understand what (you claim) is wrong with you doesn't mean they don't care or that they are idiots.
Fuck you asshole. How do you know they weren't self medicating themselves under the table before the option was available.
It's adorable how worked up people get when you point out an inconvenient truth. If you are one of the few who are actually helped by pot then by all means do whatever you need to do. I'll back you up. But don't blow smoke (literally) up my ass and try to tell me that we have some epidemic of people who have serious medical conditions that only pot can treat or that modern medicine is full of quacks and idiots. Most of the "medical marijuana" users do NOT have any medical condition. If you have actual evidence to the contrary I'll happily retract that statement but until then fuck off and take your indignation with you.
I won't bother hacking your homebrew system. I'll just convince someone in Big Gummint to demand the data under legal subpoena. Then I'll take it from them. Regulatory control already says you have to turn it over on demand.
"I assume HIPAA rules apply since this is medical usage. Were they adhered to?"
I don't think you can use protection of a Federal Act to protect yourself from a Federal Crime. Somehow, I don't think that dog hunts.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Or, you know, it's just hard to secure things.
I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton of different banks that have to be able to create, issue, and revoke $CREDIT_CARD_BRAND.
Oh, and let's not forget that there is a LOT of money available for that kind of information, so disgruntled employees are also a danger. Or even happy employees, that just want $METRIC_FRACK_TONS of money.
So, sure - they could probably do better; but it is not a simple problem.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Ripping off stoners since 1964.
Have gnu, will travel.
"Secure" and "Available" are related but not synonymous.
It is possible to have a system that is secure against data exfiltration, but still susceptible to intentional corruption. I'm not saying this is necessarily true in this case, but it is certainly a possibility.
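The distinction this comment draws, that data can be unreadable to an attacker yet still corruptible without anyone noticing, in code. This is an added example, not code from the thread or from the company in the story: the HMAC-SHA256 keystream is an assumption standing in for a real stream cipher such as AES-CTR so the block needs only the standard library, and the sample record is constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.

    Assumption: this stands in for a real stream cipher such as AES-CTR so the
    example runs on the standard library alone; the malleability it shows is
    the malleability of any unauthenticated stream/counter mode.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream). Nothing binds the bytes."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever it is given; corrupted ciphertext yields corrupted plaintext, silently."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: append an HMAC over nonce || ciphertext."""
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_verified(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Refuses to decrypt unless the tag matches, so corruption is detected, not propagated."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record corrupted or tampered")
    return decrypt_only(enc_key, body)


def flip_bit(blob: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Simulate storage corruption (or a deliberate write) of one byte at offset."""
    out = bytearray(blob)
    out[offset] ^= mask
    return bytes(out)


def restore_record(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Restore helper: (True, plaintext) for a verified record, (False, None) on corruption."""
    try:
        return True, decrypt_verified(enc_key, mac_key, blob)
    except ValueError:
        return False, None


def demo() -> dict:
    """Corrupt the digit of a record's quantity field under both schemes and compare."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    # Constructed sample point-of-sale record; not real patient data.
    record = b'{"patient_id": 30001, "sku": "CA-0001", "qty": 1}'
    hit = NONCE_LEN + record.rindex(b"1")  # ciphertext byte covering the '1' in "qty": 1

    plain = encrypt_only(enc_key, record)
    # Low bit of the ciphertext byte flipped: '1' (0x31) decrypts as '0' (0x30), no error.
    tampered_plain = decrypt_only(enc_key, flip_bit(plain, hit))

    sealed = encrypt_then_mac(enc_key, mac_key, record)
    ok, _ = restore_record(enc_key, mac_key, flip_bit(sealed, hit))
    return {
        "encrypt_only_silently_altered": tampered_plain != record,
        "encrypt_only_result": tampered_plain,
        "encrypt_then_mac_detected": not ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same reasoning applies to backups: a restore pipeline that checks an authentication tag before trusting a record can tell "corrupted" from "intact" even when nobody could read the data.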
Fear of data leakage is just one of many reasons why a black market will continue to exist, even with "medical" and decriminalization. There's still a social stigma against pot and THC users (stronger in certain areas and cultures than others). I still want to see Obama reschedule it, not so much because I care about the legal status of marijuana, but more because it would really piss off Mike Pence.
I do not deploy Linux. Ever.
No interpretation required. The FBI announced that she was without a doubt "very careless with classified information." That's a fact. The relevant crime is being "negligent" with classified information. That's a fact, no interpretation.
It's also a fact that in the same announcement, FBI director Comey, appointed by Obama, stated that other people would be prosecuted if they were similarly negligent. I'm not interpreting anything, that's what the FBI announced.
My guess is that the hack was a US government agency.
Unless, of course, it was the RUSSIANS again! They may be looking to sell pot to Americans to make us all easier targets for take-over!!!!
Naaa. It was the US gov looking to make trouble where laws get in their way.
Self-importance and self-indulgence is the root of ALL evil.
Correct. At no point did she lie about having access to and using her private email server.
Btw, I was talking about Bill
I've had the Black's definition and various cases on what constitutes negligence memorized for 25 years now, so let me just recite it for you.
Negligence:
failure to exercise the degree of care expected of a person of ordinary prudence in like circumstances
"Extremely careless" is roughly equivalent to "gross negligence", defined as "a conscious, voluntary act or omission in reckless disregard of a legal duty". By instructing subordinates to remove the "classified" markings before sending her the documents, Mrs. Clinton demonstrated her conduct was not a mere error, but a "conscious, voluntary disregard of a legal duty" to protect the information.
Off the top of my head, I know of two cases prosecuted in the 12 months before the Clinton announcement. One Navy sailor was prosecuted for taking a selfie aboard ship, and is currently incarcerated. US Navy ships are classified.
Brian Nishimura didn't instruct others to unlawfully remove classification markings in order to obscure his action of carrying classified information on a personal device, but he too was prosecuted.
Keep in mind when you hear Hillary or one of her team defend her illegal actions by saying "X never", or "always Y", or "I didn't Z", she's not a reliable source. She's an attorney defending someone, and she's the accused - her claims that "nobody is ever prosecuted", or any other claims, can't be taken at face value.
"I don't shoot my mouth off without knowing what I'm talking about" - by raymorris (2726007) on Thursday December 31, 2015 @09:29AM (#51215379)
Raymorris you shoot your mouth off f'ing up in 2 security fuckups https://it.slashdot.org/comments.pl?sid=5351503&cid=47379233/ & https://slashdot.org/comments.pl?sid=5351503&cid=47374033/ + raymorris = scriptkiddie https://politics.slashdot.org/comments.pl?sid=8895203&cid=51726265/
&
Tell us how ONLY 'newer script kiddie tools' have stringlength built in (when PASCAL had it for ages - my fav tool) https://slashdot.org/comments.pl?sid=8472509&cid=51114383/ YOU BLUNDERING WANNABE!
APK
P.S.=> You like to talk behind others' backs like the gossiping bitch TROLL you are raymorris https://slashdot.org/comments.pl?sid=9880997&cid=53312265/ well, here I am letting YOU TALK in those links, showing your FAILS wannabe ... apk