Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com)
Long-time Slashdot reader t0qer writes:
I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.
"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
The company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority."
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
It probably came from within the pharmaceutical industry, or they paid to have it done; medical marijuana is taking income away from the pharmaceutical industry. Eventually the pharmaceutical industry will have to accept marijuana as a legitimate product and should consider making remedies with the active ingredients of marijuana.
Politics is Treachery, Religion is Brainwashing
"I was gonna keep our clients' data secure . . . but then I got high . . ." -- Afroman, https://www.youtube.com/watch?...
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
then
If the first was true, the second wasn't necessary.
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
Where's my encryption keys??
You have a very classical 'marijuana needle' view of marijuana users. Most users I know, myself included actually get a sort of zen state of mind and do a lot of work. Cleaning, dishes, cooking, programming, these are all things I and others do much more of in a significantly more focused way.
The art of chemical mental alteration is a very large domain. College students use various drugs to enhance mental activity. The sales and marketing world several years ago had a significant problem with quaaludes.
Perhaps less humorous judgmental off the cuff remarks, and a more informed opinion would help you understand.
Stoners do scramble, they scramble and work and work and work like everyone else. There are no prototypical stoners who just sit around and smoke pot because it is no longer a survivable thing to do, you'll lose your home and starve and we are all far too scared to allow that to happen.
Being stoned isn't a Scooby-Doo moment for everyone; for some people it's a much more zen, focused time to accomplish tasks. Scrambling fits directly into their psychological profile, along with professionalism in the quality of the work they do; you can only actually find such quality among the obsessives.
Not being smug at all. I've had my medical (hospital) information, insurance (2 different insurance companies), and 3 credit card companies hacked over the period of the last 2 years, and each time they always say the same thing: security is our top priority, but then you find out it really wasn't. They were doing insecure processes, which is how they got hacked, had been warned about their practices, etc...
I have no choice if I use these services (other than to not get medical, insurance and use a credit card), and no control over their lack of security.
In this case, it looks like the hack didn't actually pull any data, but how many times has the scope of the hack been under reported or not reported at all for a long time only to find out that really is not what happened.
A gigantic target for hackers with every clients info in one place.
Great job.
Yes, this new Marijuana thing is certain to be society's doom.
You can only perjure yourself in a court of law, under oath.
You can be charged with lying to a federal officer. Not perjury, but still a problem if it happens to you.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Does that mean, translation, we got hit by ransomware?
HIPAA rules do not describe how to secure your data. It only tells you that you need to secure your data and the procedures to follow when you're not compliant. It doesn't prescribe a particular encryption or what needs to be encrypted.
Case in point, most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN" and then it doesn't matter the external VPN vendor only supports DES (yes, still single DES in 2016/2017), it's documented as being "encrypted", any hacking would be the result of 'evil hackers' which they can't do anything against and then it becomes the FBI's responsibility to catch the criminals, the hospitals have done their due diligence and don't need to report breaches because they have gone according to HIPAA standards.
Custom electronics and digital signage for your business: www.evcircuits.com
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption."
Oh sure, I totally believe this 100%.
Like they would even know for sure if it had been extracted.
Just cruising through this digital world at 33 1/3 rpm...
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
You forgot the quotes around "medical". In 99.9999% of cases it has nothing to do with medicine or treating any illness. If this really was medicine it would sold through a normal pharmacy and have FDA approval and double blind efficacy tests like every other drug. While I do not dispute that there are likely medicinal uses for some of the ingredients in marijuana, let's not pretend that the VAST majority of people who are "seeking treatment" are anything other than just recreational users. I have no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.
My place of employment had a dispensary open up literally next door to us a few years back. I can assure you with good certainty from first hand observations that nobody that showed up was a medical patient under any reasonable definition of the term. They were recreational users who were taking advantage of a loophole in the law. Anyone saying "medical marijuana" should be doing so with an exaggerated wink or finger quotes when they say it.
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
Their top priority is obviously making a profit, just like any other company. Data security is only a priority insofar as it affects their ability to continue to make a profit. If the cost of data security is higher than the value of a breach then guess what is going to happen sooner or later...
I can imagine the discussion on security.
The federal perjury statute says a person is guilty of perjury if they lie in either of these two types of instances:
A) They've taken an oath in front of *any* court or competent *person* in any circumstance in which federal law allows an oath.
Or
B) Any written statement declaring "under penalty of perjury", including a DMCA notice and certain customs forms.
Here's the actual text of the statute:
Whoever -- ...
(1) having taken an oath before a competent tribunal, officer, or person, in any case in which a law of the United States authorizes an oath to be administered, that he will testify, declare, depose, or certify truly, or that any written testimony, declaration, deposition, or certificate by him subscribed, is true, willfully and contrary to such oath states or subscribes any material matter which he does not believe to be true; or
(2) in any declaration, certificate, verification, or statement under penalty of perjury
* In a DMCA notice, the complainant swears under penalty of perjury that they are the copyright holder or the copyright holder's representative. They do NOT swear under penalty of perjury that a jury won't later determine that it's fair use or any other issue of law.
> medical
> cloud-based
OK.
pr0n - keeping monitor glass spotless since 1981.
Am I the only one giggling at this point or is just because I'm stoned?
Vandals destroy very valuable property
The law firm of Dewy Chetham and Howe reported yesterday that vandals destroyed very valuable property. Spokesperson of the firm, Insanei Rony, said: "The firm keeps all their files in unlocked cabinets in the back porch open to the public, in order to serve our clients better. This allows our clients to work at their schedule and come in and drop off their forms and depositions at their convenience. On Friday evening a group of vandals, criminals, who have absolutely no right to be on the property, who have no business with the firm, trespassed into our public porch, we stress it is private property though it has no gates, alarms or security guards and is accessible to the public, and destroyed our valuable records. We demand the police, funded by taxpayers, act as our private security guards, patrol our premises regularly and spend more of their resources to track down and apprehend the criminals, we stress it is a criminal act, and it is the duty of the police to apprehend the criminals. The firm also pays taxes, and it is entitled to the protection and the services of the police, even if we pay less than 0.01% of the cost of the police and even if this investigation consumes 99.99% of its resources; we plan to stand on our right to the service and prosecute our case vigorously."
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I would agree, but what happens now? I am also surprised that this info comes from Boston and not from Colorado, Washington DC, California, or places where it's more prominent. So am I to deduce that going back to a street dealer is safer than going to a dispensary? WTF? Too much $, too much crap, not enough people... It's all corrupt; ever since the big money players came in, that's when it all got messed up. If there is taxation involved, where is proper representation and/or protection? If there are HIPAA concerns, why are they not being addressed?
> no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.
No problem, then. The term is used by and for potheads, not for people with a functioning brain.
Many years ago, I was into NORML and the marijuana legalization movement. (We called it "decriminalization".) I wrote some articles that were well received by my NORML peers. Looking back on what I wrote now, I think "what the hell? Wtf was I smoking when I wrote THIS? You'd have to be stoned out of your mind to believe any of this crap." Then I remember wtf I was smoking, and that my readers were indeed stoned out of their mind.
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
I see you're doing your part by not using dangerous apostrophes where they are needed!
... and of course nobody could or would want to use the system or pay the monthly fee needed to keep something like that alive.
Implicit in any company's statement that security is their top priority is the large bundle of compromises that don't go away whether or not that is your top priority. They could make the data perfectly secure by disconnecting the servers and putting them in a bank vault. They could make sure the data can't be breached by simply destroying all of it. See?
Security can be your Top Priority, but it has to be done in the context of things like still making it available to users across the internet. Doing it while not going bankrupt. Making the service competitively priced so that it can actually be afforded and put to work.
They could have said that the system could only be used on equipment they ship to their clients, connected to the back end through a hardware-based dedicated VPN with biometrics, dongles, and constant nagging by three-factor comms surrounding every time someone hits the enter key
They may very well put security at a higher priority than chipping away at a long list of UX updates, performance under load, documentation, multi-language support, and a thousand other things. Doesn't mean that doing so means they'll be perfect in their security results. Ever run a business like that? No? Give it a whirl. Make security your top priority, and then start paying attention to what that decision means in real life - including in your ability to get and retain customers during that balancing act.
Don't disappoint your bird dog. Go to the range.
Sarcasm alert!
If you missed the hypocrisy exposure for a "Lock her up" (without evidence) fan suddenly demanding someone ELSE be accountable for a crime.....
Like it would have made any difference if they had an outdated Linux distribution.
Only the State obtains its revenue by coercion. - Murray Rothbard
Huh?!?!? Are you saying the stuff she lied about was immaterial to the investigation? She was being investigated for sending classified information via a non-secure email system. She said "I did not send material marked classified over non-secure email". How the hell is that immaterial to the subject of the investigation?
PS, as is often the case with the Clintons, her words were *very* carefully chosen to say one thing to anyone listening, while technically saying something completely different, in her mind. She said "I never sent material *marked* classified." She [unlawfully] removed the markings, in most cases (but not always, so it was a lie both ways).
You may want to refresh your understanding of US laws. They're a bit outdated.
Now, if the charges were lying and deception it'd be a different story . . . but then again, compared to the PEOTUS she's friggin' Mother Teresa. I hope you enjoyed the 1950's, 'cause that's where we're heading now. A shame our PEOTUS has no decency, sir.
Ransomware.
The Director of the FBI, who is appointed by the President, said two things of import in his announcement:
A) Mrs. Clinton was "extremely careless" with classified information. (Being negligent with classified information is a federal crime).
B) He would not recommend prosecution. (Of the person who was about to become his boss, in all likelihood.)
So basically the FBI announced she was guilty, but they weren't going on record as recommending that the (expected) new boss be prosecuted.
Prosecutions for *perjury* are rare, for practical reasons. Less than 1% of people who clearly commit perjury are prosecuted for it.
Hypocrisy- I don't think that word means what you think it means. Well that or there is a lot more to this story than what is printed on this page.
Even if we buy into the suggestion that the GP is a "lock her up" fan (there is evidence in word or text of law of wrong doing, Comey inserted a mens rea test into the application of a law which the law in question specifically avoids in order to say no charges are warranted because Hillary didn't mean to break the law. The only people not questioning that are Hillary supporters and never trump'rs) , I still don't see the hypocrisy here- or even a connection to the new AG or some Alt Right team member- whatever that is supposed to mean anyways.
The overwhelming pressure for access from recreational users does in fact spill over to the medical user community. We are not happy about it. It gives asshats like you ammo for a completely fallacious argument.
Fallacious? Ok smart guy. Show me ANY actual evidence that the vast majority of the millions of users of "medical" marijuana are not in actuality recreational pot users and have legitimate medical conditions that are demonstrably not responsive to any of the rest of modern medicine. Go ahead. I'll wait.
[crickets]
Yeah I thought so... You acknowledge my point. The recreational users are the main driver for legalization and they vastly out number any medical users that might exist. They are getting fake prescriptions for non-existent conditions because our government has an idiotic "war on drugs".
If you saw me, you would have absolutely NO WAY of knowing I have a medical problem. Funny thing is, without cannabis, I can't eat anything. I'll literally get diarrhea from plain rice, or Wheat Thins. WITH cannabis, I can digest just about any food normally.
If you are the exception then you are the exception that proves the rule. I've met plenty of pot users in the last several decades. Most are quite up front about the fact that they are recreational users. They are also up front about the fact that "medical marijuana" is just a convenient way to do an end run around the legal system. I don't actually care that they use pot recreationally but I'm insulted that they think I don't see through their little charade.
"Medical" doctors, don't have a fucking clue what is wrong with me.
There are lots of things modern medicine doesn't understand. One thing they do understand is that there isn't an epidemic of 22 year olds with glaucoma or other conditions that by some miracle only smoking pot can treat. If you are a patient with a condition that is only responsive to pot then doctors would be clamoring to write papers about you because obviously there is something interesting to examine about you. Just because doctors don't understand what (you claim) is wrong with you doesn't mean they don't care or that they are idiots.
Fuck you asshole. How do you know they weren't self medicating themselves under the table before the option was available.
It's adorable how worked up people get when you point out an inconvenient truth. If you are one of the few who are actually helped by pot then by all means do whatever you need to do. I'll back you up. But don't blow smoke (literally) up my ass and try to tell me that we have some epidemic of people who have serious medical conditions that only pot can treat or that modern medicine is full of quacks and idiots. Most of the "medical marijuana" users do NOT have any medical condition. If you have actual evidence to the contrary I'll happily retract that statement but until then fuck off and take your indignation with you.
"I assume HIPAA rules apply since this is medical usage. Were they adhered to?"
I don't think you can use protection of a Federal Act to protect yourself from a Federal Crime. Somehow, I don't think that dog hunts.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Or, you know, it's just hard to secure things.
I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton of different banks that have to be able to create, issue, and revoke $CREDIT_CARD_BRAND.
Oh, and let's not forget that there is a LOT of money available for that kind of information, so disgruntled employees are also a danger. Or even happy employees, that just want $METRIC_FRACK_TONS of money.
So, sure - they could probably do better; but it is not a simple problem.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Dude! Where's my shift key?
Have gnu, will travel.
Ripping off stoners since 1964.
Have gnu, will travel.
"Secure" and "Available" are related but not synonymous.
It is possible to have a system that is secure against data exfiltration, but still susceptible to intentional corruption. I'm not saying this is necessarily true in this case, but it is certainly a possibility.
Fear of data leakage is just one of many reasons why a black market will continue to exist, even with "medical" and decriminalization. There's still a social stigma against pot and THC users (stronger in certain areas and cultures than others). I still want to see Obama reschedule it, not so much because I care about the legal status of marijuana, but more because it would really piss off Mike Pence.
I do not deploy Linux. Ever.
No interpretation required. The FBI announced that she was without a doubt "very careless with classified information." That's a fact. The relevant crime is being "negligent" with classified information. That's a fact, no interpretation.
It's also a fact that in the same announcement, FBI director Comey, appointed by Obama, stated that other people would be prosecuted if they were similarly negligent. I'm not interpreting anything, that's what the FBI announced.
Fuck you. No one deserves to have a piece of shit corrupt their data "because I can."
People that do shit like that on purpose deserve a bullet to the back of the head.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
That's one reason why you should never make any definitive statement to a federal officer.
"Trump!!", the new Godwin.
We don't know that; for all we know they were one of those MongoDB databases that got cryptolocker-ed.
Except that you're describing it wrong. Cryptolocker has nothing to do with the over 20,000 MongoDB databases that have been subjected to ransom.
Here's what's happened... and may well be the case in this particular instance as well. MongoDB, by default, has no controls on being able to write, read, or even delete information. If you make the database accessible via the Internet, odds are you haven't fixed that default state... and that's exactly what's happened to tens of thousands of publicly accessible MongoDB installations.
Krebs on Security has an excellent writeup here: https://krebsonsecurity.com/20...
For your security, this post has been encrypted with ROT-13, twice.
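The default-open MongoDB exposure described in the comment above, as an added example (not code from the page, from Krebs, or from MongoDB): a small Python audit that flags a mongod.conf that listens on all interfaces or runs without authorization. The `parse_conf` and `audit` functions and both sample configs are constructed for this example.

```python
"""Audit a mongod.conf for the exposure pattern the comment describes: a MongoDB
instance reachable from the Internet with no authorization enabled.

Added example, not code from the page or from MongoDB. The parser handles only
the two-level `section:` / `  key: value` subset of YAML that mongod.conf uses
for these settings, not YAML in general.
"""

# Constructed sample: the weak, pre-3.6-style defaults the comment describes
# (no security section at all, listening on every interface).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same instance with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::"}


def parse_conf(text):
    """Parse the two-level subset of mongod.conf into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not indented and sep and not value:    # "net:" opens a section
            section = key
            conf.setdefault(section, {})
        elif indented and sep and section is not None:
            conf[section][key] = value            # "  bindIp: 0.0.0.0"
        else:
            raise ValueError("unsupported line for this parser: %r" % raw)
    return conf


def audit(conf):
    """Return a list of findings; an empty list means neither weakness is present."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    # Network exposure. Before MongoDB 3.6 an absent bindIp meant all
    # interfaces, so a missing value is treated like an explicit wildcard.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    binds = {b.strip() for b in net.get("bindIp", "0.0.0.0").split(",")}
    if bind_all or binds & PUBLIC_BINDS:
        findings.append("net.bindIp: listens on all interfaces; bind to localhost "
                        "or the private interface the application uses")

    # Access control. The default is no authorization at all: anyone who can
    # connect can read, write or drop every database.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled; enable it, create "
                        "a user per application, then restart mongod")
    return findings


def audit_text(text):
    """Convenience wrapper: audit a mongod.conf given as text."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(text) or ["no findings"])
```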
No, the company that literally is based around sales and use of a drug known and acknowledged to impair judgement is trusting their data to a cloud-based storage and software company whose product is an ERP software specifically tailored for the marijuana industry. They, by law, have to track inventory from seed to retail sale; this data was destroyed. Apparently there were offline or off-site backups that are being used to restore the service.
Sounds like they may be building from a combination of full and incremental backups.
Apocalypse Cancelled, Sorry, No Ticket Refunds
You must have been the cool kid in school. Everyone wanted to be friends with you, right?
Actually, no. He encrypted the data and made backups.
So you leave your front door wide open when you go on vacation because no piece of shit should walk in and steal or vandalize your stuff? Yeah, whoever does that intentionally and maliciously deserves to be punished (although a bullet is a bit far) but the 'owners' are also responsible to take precautions.
Custom electronics and digital signage for your business: www.evcircuits.com
Ummm... what?
My guess is that the hack was a US government agency.
Unless, of course, it was the RUSSIANS again! They may be looking to sell pot to Americans to make us all easier targets for take-over!!!!
Naaa. It was the US gov looking to make trouble where laws get in their way.
Self-importance and self-indulgence is the root of ALL evil.
Correct. At no point did she lie about having access and using her private email server.
Btw, I was talking about Bill
And mens rea must be satisfied for any prosecution.
Look up "intent"
I've had the Black's definition and various cases on what constitutes negligence memorized for 25 years now, so let me just recite it for you.
Negligence:
failure to exercise the degree of care expected of a person of ordinary prudence in like circumstances
"Extremely careless" is roughly equivalent to "gross negligence", defined as " a conscious, voluntary act or omission in reckless disregard of a legal duty". By instructing subordinates to remove the "classified" markings before sending her the documents, Mrs. Clinton demonstrated her conduct was not a mere error, but a "conscious, voluntary disregard of a legal duty" to protect the information.
actually, no it does not. Look up strict liability for instance.
Another instance, you could borrow someone's car who failed to renew their vehicle registration. You get a ticket for driving on expired tags, no mens rea needed as the act of driving the car with expired registration is enough.
Comey inserted a "mens rea" test that applies historically to prosecution, whether or not it's in the law. Historically, people who did what Clinton did have not been criminally prosecuted. Some have lost jobs or clearances, but the closest to facing criminal charges was one guy who thought he'd have to plead guilty to a misdemeanor.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Off the top of my head, I know of two cases prosecuted in the 12 months before the Clinton announcement. One Navy sailor was prosecuted for taking a selfie aboard ship, and is currently incarcerated. US Navy ships are classified.
Brian Nishimura didn't instruct others to unlawfully remove classification markings in order to obscure his action of carrying classified information on a personal device, but he too was prosecuted.
Keep in mind when you hear Hillary or one of her team defend her illegal actions by saying "X never", or "always Y", or "I didn't Z", she's not a reliable source. She's an attorney defending someone, and she's the accused - her claims that "nobody is ever prosecuted", or any other claims, can't be taken at face value.
Nope. It's more like hiring a liquor store clerk to be your limo driver.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
So now you want to insert the "Dynamite" exception to the "intent" specification of the laws on handling of classified material?
Good news, a ticket isn't a criminal complaint.
Bad news? There goes your example.
Strict liability attaches only to generally dangerous acts (that is, dangerous to all persons in proximity, not just the accused), thus the "Dynamite" exception.
Classified material can only be illegally distributed WITH INTENT, such as Betray-Us did.
https://www.law.cornell.edu/us...
Check out section (d)
I guess congress is dumber than you or something.. More like something I would guess.
That's fine and all but it doesn't change the facts. All it does is illustrate that there is law for you and them. Just like cops who speed down the road in their personal vehicles don't get a ticket- even when they are on their way home from a shift in which they just issued you a speeding ticket.
But there are sources out there that seem to disagree with Comey's interpretation of events. I found two that closely match Hillary. It seems to be a biased site and your mileage may vary.
http://www.thepoliticalinsider...