Medical records hold a large amount of data. These include not only the medical diagnosis but may also include payment information along with health insurance data. For each individual record, the sales price may not be large; the value resides more in the data itself. The price depends not only on the data in each file but also on how the files are bundled.
Access to medical records is limited. Not every person in the medical facility requires access to them. The data may lure staff members of the facility to view records they are not authorized to see in order to gain knowledge. This could be more of a curiosity issue or more of a malicious slant, with the exfiltration and sale of the data. In prior years, this has occurred with celebrities and other prominent figures.
Another incident of this type occurred recently. Sutter Health in California fired two employees after they accessed medical records. Normally this would not be an issue, as many persons are allowed to view medical records as part of the role and responsibilities of their position; however, these staff members were not authorized to do so. The two employees allegedly accessed the medical records of Joseph DeAngelo, who is suspected of being the Golden State Killer.
Naturally, medical records are to be held in an exceptionally secure manner and accessed by authorized parties only when required for their position. This includes not only data segregation and encryption but also authorization.
Miel, LLC Cybersecurity Architecture, Design, and Engineering. Cybersecurity architecture is a requirement in today's environment. If you don't address cybersecurity in your organization, there will be problems. Miel, LLC offers architecting and embedded systems hacking services that provide proactive cybersecurity services to improve your defenses, so you aren't reactive. Miel, LLC Cybersecurity Architecture, Design, and Engineering, 810-701-5511, charles.parker@mielcybersecurity.net
Saturday, November 10, 2018
Cosmos Bank Compromise
Banks are a universal feature throughout the world. They are present under the varied forms of government, in various asset sizes, and make loans in various amounts. The loan sizes vary from micro-loans of a few hundred dollars to millions of dollars in most cases. India is no different from other countries as it relates to banking. One of the banks in India is Cosmos Bank, the second-largest cooperative bank in the country. The bank is based in the western city of Pune.
Attack
Banks are attacked and compromised for two primary reasons. There is ample personal data on the clients. This includes, but is not limited to, legal name, address, credit score, social security number, account numbers with balances, and a large amount of further data. There is also the little issue of money, which may be exfiltrated physically or digitally.
This attack occurred from August 11 to 13, 2018. Malware was placed on the bank’s ATM servers, which approve the transactions. What made this attack work so well was that the main banking system received debit card payment requests through a “switching system”. In the attack, this switching system was bypassed after the firewall in place had been bypassed: the attackers put a proxy switch in the network, and the approvals for the fraudulent payments were made through this alternative, unauthorized proxy.
The attack operation itself occurred within the three days and was well-planned. It was carried out in multiple phases. First, there were 12k-15k withdrawals done within a relatively short time period from the affected accounts. The fraudulent proxy server approved the transactions without verifying the card’s authenticity. These 12k withdrawals added up to a rather significant amount. Of the 12k transactions, a majority occurred overseas. The full list of countries in which these occurred has not been released yet; a sample includes Canada, Hong Kong, India, and other countries. The ATM portion of the overall attack operation occurred within 7 hours in these 22-28 countries with 450 cloned cards. Curiously, many of these transactions occurred in Canada. Even with these specific security issues, the bank’s chairman stated the bank’s security systems had not been compromised. Clearly, the attackers’ process was well-managed.
Later in the day on August 11, 2018, there were another 2,800 card transactions used to steal 2.5 crore rupees. Also, 944m rupees or $13.5M USD was wired to a Hong Kong-based entity. On August 13, 2018, the last day of the attack, $2.1m USD or 13.94 crore rupees was wired to ALM Trading Ltd., a Hong Kong company. The wires or transfers were done within the SWIFT system.
After the Attack
As a natural standard operating procedure, the bank filed a complaint with the police. The bank alleged in the complaint that the malware used by the attackers to breach the system was also used to clone the customers’ cards. Given the extent of the breach and what the attackers were able to accomplish, the situation makes one question what fraud and cybersecurity processes were in place at the bank and “actively” working.
The bank’s response, in a statement, was that the bank had adequate IT security in place, although the facts discourage this interpretation. The bank also contracted with a professional cybersecurity forensic agency, which began reviewing the logs. As the investigation continues, there are a number of questions left to be answered. These include:
How many ATMs were used for the withdrawals across the various countries?
A large number of people had to be involved to operate and manage the attacks. What entity was the primary managing entity for the operation across all the countries?
With this large number of cards used in so many countries, who created and distributed these cards?
There should have been a fraudulent activity monitoring system in place, yet there were no issues noted through a majority of the attack. Was this actively monitoring the system’s transactions in real time?
The attack and exfiltration were unfortunate, however, this was a well-planned and distributed attack. There are many areas to be reviewed.
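The monitoring question above is the one a defender can act on. As an added example (not code from the original post or from Cosmos Bank), the following checks a simplified ATM authorization log for the three signals the post describes: approvals coming from a host that is not the legitimate switching system, the same card presented in several countries within hours, and an hourly approval rate far above baseline. The log layout, host names, thresholds and records are all constructed.

```python
"""Flagging the approval pattern described in the post above.

Added example, not code from the original post or from Cosmos Bank.
It assumes a simplified ATM authorization log (one CSV record per
approved withdrawal: timestamp, card id, ATM country, approving host,
amount). The field layout, host names and records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts permitted to approve debit transactions (constructed names).
AUTHORIZED_SWITCHES = {"switch-01.bank.internal", "switch-02.bank.internal"}

# Constructed log: a burst of overseas approvals from an unknown proxy host
# mixed with ordinary domestic approvals from the real switching system.
SAMPLE_LOG = """\
2018-08-11T15:02:10,card-1001,IN,switch-01.bank.internal,5000
2018-08-11T15:05:41,card-1001,CA,proxy-7f.unknown,12000
2018-08-11T15:06:02,card-1002,HK,proxy-7f.unknown,9000
2018-08-11T15:06:30,card-1002,CA,proxy-7f.unknown,9000
2018-08-11T15:07:12,card-1003,IN,switch-02.bank.internal,2000
2018-08-11T15:08:55,card-1004,CA,proxy-7f.unknown,15000
2018-08-11T15:09:20,card-1005,HK,proxy-7f.unknown,15000
2018-08-11T15:10:03,card-1006,CA,proxy-7f.unknown,15000
2018-08-12T09:30:00,card-1007,IN,switch-01.bank.internal,3000
"""


def parse_log(text):
    """Parse the constructed CSV layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, approver, amount = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "card": card,
            "country": country,
            "approver": approver,
            "amount": float(amount),
        })
    return records


def unauthorized_approvers(records):
    """Hosts that approved a withdrawal but are not a known switching system.
    In the post, a rogue proxy switch approved payments in place of the real one."""
    return sorted({r["approver"] for r in records
                   if r["approver"] not in AUTHORIZED_SWITCHES})


def cards_in_multiple_countries(records, window=timedelta(hours=7)):
    """Cards presented in more than one country within one sliding window.
    A physical card cannot be in two countries within hours; cloned cards can."""
    by_card = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_card[rec["card"]].append(rec)
    flagged = {}
    for card, rs in by_card.items():
        for i, first in enumerate(rs):
            countries = {x["country"] for x in rs[i:]
                         if x["ts"] - first["ts"] <= window}
            if len(countries) > 1:
                flagged[card] = countries
                break
    return flagged


def burst_hours(records, baseline_per_hour, factor):
    """Clock hours in which approvals exceed factor times the normal hourly rate."""
    counts = defaultdict(int)
    for r in records:
        counts[r["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return sorted(h for h, n in counts.items() if n > factor * baseline_per_hour)


def analyze(log_text, baseline_per_hour=1, factor=5):
    """Run all three checks; baseline and factor are constructed thresholds."""
    records = parse_log(log_text)
    return {
        "unauthorized_approvers": unauthorized_approvers(records),
        "cloned_cards": cards_in_multiple_countries(records),
        "burst_hours": [h.isoformat()
                        for h in burst_hours(records, baseline_per_hour, factor)],
    }
```

Any one of the three results firing on a live feed would have been a reason to halt approvals and investigate long before the seven-hour cash-out window closed.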
Thursday, June 21, 2018
Railway breach in Europe
For a business to be targeted, there needs to be something of value to exfiltrate. The attackers are not going to go through the effort of the full attack cycle for practice. If a breach were to happen, there should be tools in place monitoring activities so the attacker’s actions would be noticed and halted.
An incident occurred in Europe on its railway system. If you happen to be traveling by rail in Europe, naturally the traveler has to purchase a ticket. This process collects the usual information: credit card numbers, full legal name, mailing address, email, and phone numbers. This information in its entirety would provide a nice target for any attacker. This sensitive data, used in unison, could provide for a fair number of successful attacks.
Such an incident occurred in late 2017. On November 29, 2017, the Rail Europe system was breached. If this was not bad enough a scenario, the attackers had access from the breach (November 29, 2017) through February 16, 2018. During this time, the attackers had time to exfiltrate the PII and data they desired. To further worsen the situation, Rail Europe was not aware it had been breached. A bank affiliated with RENA noted this and informed the company. The number of affected clients was unknown. The number could be rather substantial, as RENA had transactions with 5M Americans.
The recommendation at this point is for RENA customers to change their password and watch their accounts. There is also identity theft protection available, which over the long term may not have a substantial amount of value, as the attackers would be able to use certain data indefinitely, not just for a year.
The vulnerability involved the webpage used by the clients. This was infected by malware coded to log the client’s information, including the debit and credit card numbers, expiration date, and the important CVV numbers.
There are several areas to focus on with this compromise. Primarily, the lesson would be to monitor the logs, network, and access. The business should have known something was occurring within the network over the three months of exfiltrating so many records (https://www.informationsecuritybuzz.com/expert-comments/rail-europe-customer-data-breach/). This amount of traffic should have been noticed on some level at some point in time.
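The webpage malware described above works by adding script to a checkout page that the business never shipped, so one concrete form of the monitoring this post asks for is to re-audit the served page against a baseline. The following is an added example (not code from the original post or from Rail Europe): it parses a page, compares external script origins with an allowlist, and hashes each inline script against a known set. The origins, hashes and the sample HTML are constructed.

```python
"""Auditing a checkout page for scripts that are not part of its baseline.

Added example, not code from the original post or from Rail Europe. It
assumes the defender keeps a baseline of the page's legitimate external
script origins and SHA-256 hashes of its inline scripts, and re-audits
the served page on a schedule. All names, hashes and HTML are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "checkout.example.test"                       # constructed
ALLOWED_SCRIPT_ORIGINS = {PAGE_ORIGIN, "cdn.example.test"}  # constructed
# Hashes of the inline script bodies the page legitimately ships (constructed).
KNOWN_INLINE_HASHES = {hashlib.sha256(b"initCheckout();").hexdigest()}

# Constructed page: two legitimate scripts plus one unexpected external
# script and one inline script that is not in the baseline.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.test/checkout.js"></script>
<script>initCheckout();</script>
<script src="https://static-assets.example.invalid/jquery.min.js"></script>
<script>/* constructed stand-in for an injected script */ hookForm();</script>
<form id="payment"></form>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_page(html):
    """Return external script URLs from unexpected origins and the hashes
    of inline scripts that are not in the known baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    unexpected_external = sorted(
        src for src in collector.external
        # A relative src loads from the page's own origin.
        if (urlparse(src).hostname or PAGE_ORIGIN) not in ALLOWED_SCRIPT_ORIGINS
    )
    unknown_inline = []
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in KNOWN_INLINE_HASHES:
            unknown_inline.append(digest)
    return {"unexpected_external": unexpected_external,
            "unknown_inline": unknown_inline}
```

Run against the served page rather than the source tree, since the injected script appears only in what the client receives.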
Wednesday, June 20, 2018
Medical Data Targeted!
Medical data is such a significant target for attackers. The data can be bundled together or separated to be sold, depending on the type of data and the potential markets on the dark web.
Yet another example of this was reported in May 2018. LifeBridge Health appears to have been targeted and compromised. It appears the compromise of 500k patient records occurred on September 27, 2016. This was detected in March 2018. Thus it took approximately 1.5 years for the business to realize they had been targeted, recon had occurred, and the system was compromised. This was not noted by the business or its InfoSec department, but only after a forensic firm had been hired. The data probably exfiltrated was patient names, addresses, birth dates, insurance information, and the gemstone of the patient’s social security number.
Although the press release states the business takes protecting the patient’s data very seriously, as they all do, the breach and compromise timeline is problematic. The patient’s data was exposed on the dark web for sale and abuse for up to 1.5 years. The InfoSec team should have been able to notice the traffic moving the data out of the business.
Monday, June 18, 2018
Sharing is not caring: Yes you can share too much information
There have been many instances on Facebook and other social media intent on separating the consumer from their private, confidential data. One of the latest noted was a way to choose an alternative name for yourself. The questionnaire asked for the respondent’s parent’s last name, the street they grew up on, pet’s name, and other data. To most people, this would seem innocuous and a fun little game. People enter this data, and the app responds with a new comical name based on it.
What is not so funny about this activity is that the consumers providing this data have also unknowingly provided much of the information an identity thief would need to steal the person’s identity and begin to leverage it. Although this is clearly not all the data they would need to secure a person’s identity, get new credit cards, or other credit, it certainly helps the criminal along with the data they would need to perpetrate such a crime. They could also secure the needed data from other sources individually or leverage this to get the other data.
Personal information should be kept personal, or shared only with people you know, not just a computer screen with anyone on the other end.
There has also been a relatively new form of providing too much personal data known as sharenting, where parents decide to share too much of their children’s information on social media. The parents may provide the full legal names of their children along with birth dates as they post too much of their child’s life for everyone to see.
In both examples, the consumers and parents have a false sense of security, as they have been lulled into believing these are fine and not an issue. The seemingly innocent act of sharing with “friends” has direct consequences at times.
Saturday, May 19, 2018
VW compromise an issue again
As technology advances, there are more opportunities for vulnerabilities to be researched and published. These continue to abound throughout the industries using these technologies. With computer chips, there have been Spectre and other vulnerabilities; with smartphones, Rowhammer and many others for the different platforms. Vehicles have the same issues, as they use much of the same equipment. There may not be as many issues published, however, there are still critical issues with these.
These issues, if properly executed, have the overt, direct potential to compromise a vehicle. This could have a rather immediate and drastic effect. Two examples with expansive effects would be locking up the brakes while on the expressway or diverting the vehicle into an 85-degree turn in rush hour while traveling 70 mph on the way to work.
These vulnerabilities, when published, create quite a buzz. With the amount of press each vulnerability has historically received, and the pertinence these machines have in our life and culture, the focus is only going to grow in attention and depth of importance.
Coupled with the exponential advances in autonomous driving (AD) and connected vehicles (CV), the connected and autonomous vehicle (CAV) market and vehicle offerings are growing, providing more of a product base to test and more modules to fail.
Infotainment Hacking
The latest subject vulnerability involves the infotainment system in two VW and Audi vehicles. The infotainment system has been defined as the hardware and software functional modules located in the vehicle which provide entertainment to the occupants. Most consumers recognize it as the screen/monitor in their vehicle’s dash. Using this module, consumers are able to access the internet, listen to their music selection, call other parties, review maps, and many other options. This system, while exceptional, has also, in the past and present, provided access points and vulnerabilities.
These issues generally are not easy to fix due to the complexities of the modules, the millions of lines of code (LoC), and, more to the point, the need to bring the many groups together to analyze, review, and mitigate the issue.
For the subject test, the module was tested by the Dutch cybersecurity firm Computest. As the infotainment system was the focal point, the researchers, Daan Keuper and Thijs Alkemade, tested the 2015 Volkswagen Golf GTE and Audi A3 e-tron.
It is notable that the researchers were responsible in their testing and research publication process. The test was successful: the researchers noted vulnerabilities and were able to execute the exploit. The researchers did not fully disclose their process or findings. With this vulnerability, the issue has to be corrected at the dealership. As this cannot be fixed with a firmware-over-the-air (FOTA) update, it will take time to implement through the fleet. For the researchers to publish the details of the attack before allowing the auto manufacturers adequate time to fix it may have put people in harm’s way.
Report
The research report itself is freely available online. The link is noted in the resources section. Compliments are due to the researchers at Computest. This was well thought through and organized. The report was presented with a sufficient amount of technical jargon while still being perfectly digestible by others not in the same sub-industry. The steps used in the report were also laid out.
The report had a single question to be researched and answered. This was, from page 8 of the report: “Can we influence the driving behavior or critical security systems of a car via an internet attack vector?”
The short answer was yes.
Research – Subject Hardware (HW)
As noted, the focus was on the infotainment system for the vehicle. As for the hardware, this module used a system manufactured by Harman known as the Modular Infotainment platform (MIB). The tested hardware was version 2.
Research Process
With any product testing, it is best to know what the subject product or module has to offer. The more data and information, the better, as it provides more for the researcher to work with.
The initial and basic step was completed with a basic port scan of the VW module. This scan found several ports open, including the telnet port. In particular, port 49152 was open and used a UPnP service, which used the Plutinosoft Platinum UPnP library. This is an open source app, and happened to be used on the Audi A3 2015 model year as well.
As this curiosity was noted, the Audi was also scanned. This model only had two ports open. One of these was 49152 with the same service running. In this particular section of the test, no exploit was noted with the limited testing that was completed.
As the testing continued, the researchers found a vulnerability to exploit. This allowed the researchers to read files from the disk and achieve their end goal of remote code execution. This allowed for a plethora of other tests and attacks. In short, the researchers got root. With this, an attacker would also be able to toggle the microphone in the vehicle on or off, review the address book, and review the history of conversations. This was not fully disclosed due to safety issues. It was, however, acknowledged by VW.
The researchers also analyzed the Renesas V850 chip. This is connected to the CAN bus with a serial connector and manages the CAN communication for the vehicle. The researchers did not test this; however, they theorized that with a firmware image, which is not easy to find and secure, a backdoor could be placed into the modified firmware and the image reflashed.
But wait, there’s more…
The research report noted several instances of potential vulnerabilities to be tested. These and others were not tested. The researchers had the opportunity to research and document further; however, they stopped.
As they did gain root, a number of these other tests were available. An example of this involves the infotainment system. This is indirectly connected to the vehicle acceleration and braking modules, which are targets.
The researchers ended up ceasing their efforts due to the nature of the testing itself. Continued testing could have involved VW’s intellectual property. The researchers, by continuing the research and testing, may have found themselves working through legal ramifications.
Resources
Cimpanu, C. (2018, April 30). Volkswagen and Audi cars vulnerable to remote hacking. Retrieved from https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking
Computest. (2018). The connected car: Ways to get unauthorized access and potential implications. Retrieved from http://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf
Dunn, J. E. (2018, May 2). Volkswagen and Audi car infotainment systems hacked remotely. Retrieved from https://nakedsecurity.sophos.com/2018/05/02/volkswagen-and-audi-car-infotainment-systems-hacked-remotely/
Information Security Newsletter. (2018, May 1). With this vulnerability you can remotely hack Volkswagen and Audi cars. Retrieved from http://www.securitynewspaper.com/2018/05/01/vulnerability-can-remotely-hack-volkswagen-audi-cars/
McGlaun, S. (2018, May 1). VW and Audi cars have infotainment systems vulnerable to remote hacking. Retrieved from https://www.slashgear.com/vw-and-audi-cars-have-infotainment-systems-vulnerable-to-remote-hacking-01529071/
Smith. (2018, May 1). Car hackers find remotely exploitable vulnerabilities in Volkswagen and Audi vehicles. Retrieved from https://www.csoonline.com/article/3269299/security/car-hackers-find-remote-exploitable-vulnerabilities-in-volkswagen-and-audi-vehicles.html
Sussman, B. (2018, May 1). Research: VW and Audi cars hacked through infotainment system. Retrieved from https://www.secureworldexpo.com/industry-news/research-vw-and-audi-cars-hacked-through-infotainment-system
Tung, L. (2018, May 1). VW-Audi security: Multiple infotainment flaws could give attackers remote access. Retrieved from https://www.zdnet.com/article/vw-audi-security-multiple-infotainment-flaws-could-give-attackers-remote-access/
Wood, D. A. (2018, May 1). Volkswagen and Audi vehicles remotely hacked. Retrieved from https://www.carcomplaints.com/news/2018/volkswagen-audi-vehicles-remotely-hacked.shtml