Friday 11 January 2013

Security: Healthcare systems are "soft-targets": the Next Big Exploit

Previous pieces on Security:
I'd been racking my brains as to how Cybercriminals can "monetise" e-Health Records and writing to someone else, think I've understood it finally after a "Top of the News" report by the Security for Professionals: SANS.

There are two ways to monetise e-Health Records:
  • Identity Theft. Huge amount of high-quality info. Medicare Cards are worth 'points' as Govt. ID's.
  • Ransomware: healthcare can't operate without its data and they print money by the truckload.
I'm wondering if the attacks reported out of QLD by /AUSCERT on Medical Practices is accidental.
If the CyberCrims haven't understood this yet, they will in 12 months.

In 1998, I couldn't see a way to monetise MP3's on the Internet. How do you charge for freely distributed files?
A: You don't... Apple invented end-to-end Security to sell iTunes to Content Providers.

The other group of attackers to be aware of are "Advanced Persistent Threats" (APT's) - known to do Cyber-Terrorism, and what better target than disrupting Healthcare? It is commonly believed the resources of Nation States are needed to pursue APT's.


The day this piece was written, I'd received a SANS Newsletter, the read for IT Professionals. The lead piece was a long investigative piece by the Washington Post on vulnerabilities in Healthcare Systems.

This is going to be a long running story with some really deep and disturbing implications and exploits.
What other practices/ventures of Organised Crime will we see turn up on the Internet?? We can only wonder...

Since 2004 when the Hackers turned Pro, Organised Crime has been moving in and repeating its real-world trade/tricks on-line. We've also seen more Organisation and increasingly "Industrial Scale" operations...


From the Washington Post article, a quote that shows NO understanding of the CyberCrime world and how dangerous this ignorance is:
OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them.
Yes, exactly correct, BUT dangerously ignorant and wrong:
  • which is why since the days of "script kiddies", pre-2000, the actual coders have packaged their exploits and on-sold them. That's the primary trade, the secondary market is those whom we perceive to be CyberCriminals... They are clowns running software they didn't write and don't know much about - but just as effective as anyone.
Also, theWashington Post article doesn't ask, "Why Eastern Europe?"
  • they are poor and their economies in disarray. People will do "whatever they have to do".
  • in the post Soviet Union era, that corrupt system has transformed into Organised Crime
  • there are large numbers of very talented, highly-trained and and motivated people available
  • they have some areas of very good Internet connectivity
News letter on SANS website.
**************************************************************************
SANS NewsBites                December 28, 2012          Vol. 14, Num. 102
**************************************************************************
TOP OF THE NEWS
  Health Care Sector Lagging Behind Others in Cybersecurity
  Banking Regulator Issues Warning Regarding DDoS Attacks Against Financial Institutions
  FOIA Docs Reveal NSA Industrial Control System Vulnerability Research
  US Legislators Approve National Defense Authorization Act Requiring Contractors To Report Breaches

***************************************************************************


TOP OF THE NEWS
 --Health Care Sector Lagging Behind Others in Cybersecurity
(December 25, 2012)

Researchers say that the health care sector is vulnerable to a variety of cyberattacks. The industry moved quickly to embrace the benefits offered by the Internet but in doing so, exposed medical devices and computers at medical facilities to hackers, who could potentially steal patient information to commit identity fraud and even launch attacks on critical systems within hospitals. Health care "lags behind [other industries] in addressing known problems." Granted, medical facilities have not been the target of attacks as frequently as financial, corporate, and military networks have, but the US Department of Homeland Security (DHS) has recently become concerned that health care could prove an enticing target for hackers. The most recent cybersecurity guidance from the Food and Drug Administration, which oversees medical devices, dates to 2005.

http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

[Editor's Note (Murray): The healthcare sector lags in use, let alone the management, of IT.  Their failure to use electronic healthcare records is killing and impoverishing us.]

NBN: the business case for 100-1000Mbps symmetric for SOHO & SME

Backups don't just protect you from fire, theft or hardware failure: they are now a critical element of security. If you're business cannot run with its computer systems, you cannot run your business without trusted backups.

Around Christmas 2012, there were reports of Ransomware attacks in Queensland. But it was Old News... "Police knew of 30 attacks" two months earlier. Nigel Phair, author of a book on Cybercrime, was quoted in multiple sources.


Potentially Medical Records are being especially targeted. This is Hacking-for-Cash, not healthcare related hacktivism as seen in the UK. AFR had a story in early December and mentioned AusCERT's posts on ransomware.

Regardless how a system is compromised, the only reason "ransomware" can succeed is simple:
People cannot restore from backups.
As the AusCERT post says, just because you once scheduled backups to run, doesn't mean they are running.
Case 2: Medical centre

The attacker took control of the doctors’ database containing patient records. The attacker provided proof that recovery was possible by safely returning two sample files belonging to the medical centre. The ransom demand was $4,000.

In this case, the attacker had actually infiltrated the medical centre some weeks prior to the ransom demand. During this time the attacker had made numerous strategic changes within the system such as disabling the patient database in the tape backup scheduler. After several weeks of backup tape rotations, recent backups were not available even in the medical centre’s offsite storage location. Additionally the medical centre’s USB hard disk backup device was plugged in to the system, and had therefore already been seized by the attacker.

The cure was to erase and rebuild the server, and recover older data from backup tapes. In this case, the medical centre had good practices such as keeping two different types of backup, applying security patches and maintaining an up-to-date business continuity plan. However, repelling these targeted ransomware attacks requires stronger defenses.
AusCERT advises those affected to not engage with the attackers. There's a simple reason:
They want to make the maximum amount of money from you, they aren't bound by any  code of ethics or morality, as demonstrated by the metaphorical gun to the head of the hostage, they can't be tracked easily and dealing with International cyber-criminals is notoriously difficult.
The initial payment you make will only be the first payment of many, not full and final as they'd like you to believe. Like any good parasite, they'll quickly figure out how much blood they can draw: how much this thing is worth to you and your capacity to pay.

What the "authorities" aren't saying is how far and how fast this particular monetisation of exploits will travel.
We know its not going to double its reach every few seconds like "slammer", because of the manual work involved in identifying targets and setting up the backups.

Even if it doubles just every month, that's a 1000-fold increase in a year. Because the Internet is "born global", what we see in Australia will happen everywhere.
Business Case for High-Speed symmetrical links

Every small business that doesn't want to be shutdown by hackers needs guaranteed, verified off-site backups. Just like fire and theft insurance, you need good backups - and via the NBN is what you want. For this is to be useful in an age of Gigabyte and Terrabyte data storage is at least 100Mbps (gives you 3.6Gb/hour). But it needs to be symmetrical, the same upstream as downstream, to be useful for both backups and restores.

Remember: no user has ever asked for a backup, they only ever ask for restores.

Ideally, Retail Service Providers and ISP's will offer local access off the same PoI (Point of Interconnect, the NBN version of a Telephone Exchange for 100,000 subscribers). This means your data packets won't have to travel down and back the transit/backhaul link from the PoI to the ISP/RSP, uselessly consuming expensive bandwidth and clogging the ISP's network.

Which may need the co-operation of NBN Co for ISP/RSP's to install the appropriate network appliance at the PoI.

In a reasonable world, you'll be able to partner with someone you know in your area and each serve as the off-site backup site for the other. If the hardware fails or fills up, they are close by and you can buy a new disk and dash over there...

But that only works if:
  • links are fast (daily backups under and hour, weekly under 10 hours), and
  • access is cheap. (not $1,000's/month for 10Mbps, but ~$100/mth for 100Mbps symmetrical).

Wednesday 9 January 2013

NBN: Creating opportunity out of disaster

There's an opportunity for electricity/utility suppliers and distributors in the current bushfires sweeping South Eastern Australia and Tasmania:
There will be hundreds, if not thousands, of kilometers of electricity network (poles and wires) to be replaced. This is the perfect opportunity to either add fibre optical cable to the poles or make them "fibre ready" by installing non-metallic strain cables.
The incremental cost of adding conduit and fibre to new or replaced underground or overhead utility distribution networks, like electricity, gas, water, storm-water or sewerage, is minor, whilst the on-going returns are substantial.


The network owner can do everything from own and supply full network services to rent their network to NBN Co or other comms networks.

It was only after gas suppliers had installed a few thousand kilometers of new trunk and reticulation network up the East Coast of Australia that an ISP in one town, Cooma, asked if they could lay conduit in their trenches. You could hear the collective, "Do'Oh!" by the Board from Melbourne to Sydney, when they'd realised they'd passed up a massive recurrent income opportunity, simply by always doing what they'd done.


[10-Jan-2013] Paul Budde commented in an email [with permission to quote]:
I discussed this situation with Conroy after the bushfires in Victoria in 2009.
I suggested to use this opportunity to look at a combined NBN/smart grid deployment. Within days it was however clear that this would never happen.

All of those organisations operate in silos and there are no plans in place to change that. In the rush to get people connected old technologies rather than new ones are used so every single time the opportunity is missed.

Now, 4 years later nothing has changed.

Unless there is a holistic plan in place can such a united initiative be implemented. Trying to get such a plan in place after a disaster is totally impossible because of that silo thinking.

Despite many inquiries no comprehensive plans have been developed to overcome this.
The only one who can change this is the government they need to direct the utilities to work together towards a trans-sector approach.

Paul