Play Call of Duty on a radiology billing computer!

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1

    http://www.dotmed.com/news/story/15117

    A large radiology practice in New Hampshire said Wednesday hackers apparently breached a server containing Social Security numbers and medical codes for hundreds of thousands of patients, with the culprits likely rogue gamers looking for bandwidth to play the popular military shoot-'em-up Call of Duty: Black Ops.
    But the group said there's no evidence any of the information has been misused, and that identity theft probably wasn't the motivation. An investigation discovered the breach was likely caused by gamers based in Scandinavia, who were just looking for servers to run the best-selling video game, the group said.

    "They wanted to hijack space for bandwidth to play this game," Lisa MacKenzie, a spokeswoman for the group, told DOTmed News. "They didn't have any interest in this data."

    Dude, seriously, WHAT handkerchief?

    snooggums' density principle: "The more dense a population, the more dense a population."

    Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

  • #2
    Re: Play Call of Duty on a radiology billing computer!

    You know, all these sensitive information servers shouldn't really be open to the general network when it's not necessary, or rather, they act on the same principle as a biohazard level 4 room, utilizing the network equivalent of negative pressurization.



  • #3
    Re: Play Call of Duty on a radiology billing computer!

    It's possible this server was the public-facing server for customers. That might be the case if the company didn't split the function into a front end without account info and a separate back end with the sensitive stuff.


  • #4
    There's lots of sensitive information in the world, all of it the responsibility of fallible humans. It's easy for otherwise competent people to make mistakes that compromise the information.


  • #5
    Re: Play Call of Duty on a radiology billing computer!

    Originally posted by ScratchMonkey:
        It's possible this server was the public-facing server for customers. That might be the case if the company didn't split the function into a front end without account info and a separate back end with the sensitive stuff.

    Which is clearly a gross violation of basic networking common sense.

    Sometimes, this level of stupidity makes me shake my head and ask not "why?" but "how?" And then I remember Carlin's line about remembering how dumb the average person is... then recognizing that half the population is dumber than that.



  • #6
    Re: Play Call of Duty on a radiology billing computer!

    In other news, a site that allows you to see speed traps on your cell phone has been hacked to steal its password database:

    http://nakedsecurity.sophos.com/2011...ssword-breach/


  • #7
    Re: Play Call of Duty on a radiology billing computer!

    Originally posted by Flarfignuggen:
        Which is clearly a gross violation of basic networking common sense.

        Sometimes, this level of stupidity makes me shake my head and ask not "why?" but "how?" And then I remember Carlin's line about remembering how dumb the average person is... then recognizing that half the population is dumber than that.

    If you have a proper two or three tiered environment with the presentation (web) layer outwardly facing for customer use but that server connects to a back-end database that actually houses the PII data, the front end server still has access to the back end data. You can still compromise the front end and then query the back end and get all that PII data, as the back end will likely allow the ports and protocols required for the queries.

    I'm not saying that data on the back end database systems can't be protected, but simply segregating the two with a security boundary between them isn't as clear-cut a solution as most people believe it to be. Even if the data is encrypted on the database, the front end will USUALLY have the necessary credentials or access to stored procedures to decrypt the data.

    Solutions to resolve this type of issue are usually quite complex and expensive. Separating the two is a start, but by no means an actual solution.

    Diplomacy is the art of saying "good doggie" while looking for a bigger stick.



  • #8
    Re: Play Call of Duty on a radiology billing computer!

    Originally posted by Apophis:
        Separating the two is a start, but by no means an actual solution.

    Defense in depth. It slows them down but doesn't stop them.

    You could perhaps throttle the internal link, so that one couldn't bulk-download the credentials rapidly for offline cracking.

    What other measures are available?


  • #9
    Re: Play Call of Duty on a radiology billing computer!

    Originally posted by ScratchMonkey:
        Defense in depth. It slows them down but doesn't stop them.

        You could perhaps throttle the internal link, so that one couldn't bulk-download the credentials rapidly for offline cracking.

        What other measures are available?

    Separating the two alone really won't slow much down. Once you look at the web side and gain the connection info for the database instance, it's just as easy to pull the data off a remote DB server as it is a local DB server.

    You hit the nail on the head with throttling the internal link. One common practice is to control the number of returned results per query. When I used to do IT audits in the financial industry, it was VERY common to see systems that only allow single records to be returned per query (where operationally applicable) from public facing web servers to the back end database. If queries of this type are occurring too frequently, that would trigger additional throttling and alerts, if not complete isolation of either the database server or the client connections (depending on architecture and operational applications, naturally).

    Deploying HSM hardware is also another thing that can be done. When data is encrypted in a database it normally only protects that data from being copied directly from the DB server (.mdf files, etc.) to an off-site location in non-encrypted form. Data is usually decrypted when queried from the DB server, so the results sent to the presentation layer are in plain text. Proper implementation of HSM hardware helps but does not eliminate that threat.

    Defense in depth is really the key, as you pointed out, but rarely is it as cut and dry as most non-technical people would like to believe. I think many people at TG have a leg up in this regard vs. the general population because we have a lot of tech savvy people around.
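    The controls Apophis describes in #7 and #9 (a front end that can reach the back end but is held to one record per query, throttling when queries arrive too fast, alerts, and finally isolation of the client connection), as an added example that is not code from this thread or from any product the posters mention. It models a small data-access gateway sitting between the web tier and the PII store; the `Gateway` class, the client names, the window sizes and the patient rows are all constructed for the illustration.

```python
"""Minimal data-access gateway between a web tier and a PII store.

Constructed illustration: the front end never holds database credentials;
it asks this gateway for one record at a time, and the gateway enforces a
per-client query cap inside a sliding window, raises alerts when the cap is
exceeded, and isolates the client after repeated overruns.
"""
from collections import deque
from dataclasses import dataclass, field


class Throttled(Exception):
    """Query refused: client exceeded the per-window cap."""


class Isolated(Exception):
    """Query refused: client cut off pending operator review."""


# Constructed sample back-end table (patient id -> row). In a real deployment
# this lives on the database tier and only the gateway has credentials for it.
BACKEND = {
    "P-1001": {"name": "Patient One",   "ssn": "000-00-0001", "cpt": "70450"},
    "P-1002": {"name": "Patient Two",   "ssn": "000-00-0002", "cpt": "71020"},
    "P-1003": {"name": "Patient Three", "ssn": "000-00-0003", "cpt": "72148"},
    "P-1004": {"name": "Patient Four",  "ssn": "000-00-0004", "cpt": "73721"},
    "P-1005": {"name": "Patient Five",  "ssn": "000-00-0005", "cpt": "74177"},
    "P-1006": {"name": "Patient Six",   "ssn": "000-00-0006", "cpt": "76700"},
}


@dataclass
class ClientState:
    stamps: deque = field(default_factory=deque)  # query times still in window
    isolated: bool = False


class Gateway:
    def __init__(self, max_per_window: int, window_seconds: float, isolate_after: int):
        self.max_per_window = max_per_window  # queries allowed per window
        self.window = window_seconds
        self.isolate_after = isolate_after    # in-window queries that trigger cut-off
        self.clients: dict[str, ClientState] = {}
        self.alerts: list[str] = []           # stand-in for a SIEM / alerting feed

    def lookup(self, client: str, patient_id: str, now: float) -> dict:
        """Return exactly one record; there is deliberately no bulk read."""
        state = self.clients.setdefault(client, ClientState())
        if state.isolated:
            raise Isolated(client)
        # Slide the window: forget timestamps older than window_seconds.
        while state.stamps and now - state.stamps[0] >= self.window:
            state.stamps.popleft()
        state.stamps.append(now)
        count = len(state.stamps)
        if count > self.max_per_window:
            self.alerts.append(
                f"t={now:.0f} THROTTLE {client}: {count} queries in {self.window:.0f}s")
            if count >= self.isolate_after:
                state.isolated = True
                self.alerts.append(f"t={now:.0f} ISOLATE {client}")
            raise Throttled(client)
        row = BACKEND.get(patient_id)
        if row is None:
            raise KeyError(patient_id)
        return dict(row)  # copy: the caller never touches the store itself


def query_outcome(gw: Gateway, client: str, patient_id: str, now: float) -> str:
    """Classify a single lookup as 'ok', 'throttled' or 'isolated'."""
    try:
        gw.lookup(client, patient_id, now)
        return "ok"
    except Throttled:
        return "throttled"
    except Isolated:
        return "isolated"


def attempt_bulk_pull(gw: Gateway, client: str, ids, start: float = 0.0,
                      step: float = 1.0) -> int:
    """Exercise the control with a client that walks the whole id space one
    query per `step` seconds; return how many rows it obtained before the
    gateway cut it off."""
    retrieved = 0
    for i, pid in enumerate(ids):
        outcome = query_outcome(gw, client, pid, start + i * step)
        if outcome == "ok":
            retrieved += 1
        elif outcome == "isolated":
            break
    return retrieved


if __name__ == "__main__":
    gw = Gateway(max_per_window=3, window_seconds=60, isolate_after=6)
    got = attempt_bulk_pull(gw, "web-frontend", list(BACKEND))
    print(f"rows obtained: {got} of {len(BACKEND)}")
    print("\n".join(gw.alerts))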


  • #10
    Re: Play Call of Duty on a radiology billing computer!

    Originally posted by Apophis:
        Defense in depth is really the key, as you pointed out, but rarely is it as cut and dry as most non-technical people would like to believe. I think many people at TG have a leg up in this regard vs. the general population because we have a lot of tech savvy people around.

    Well, that and the military background where the concept originated. Tactical gaming also benefits from the practice. ;)