Krebs: A Case Study in Hospital (In)Security

Last week, the FBI put health care providers on notice: they’re simply not ready for attacks that could bilk their employees’ or patients’ digital records.

This morning, (infamous) information security blogger Brian Krebs (@BrianKrebs) posted a case study in just how one hospital was breached — targeted by a tax fraud gang.

From KrebsOnSecurity:


FBI Cyber Attack Warning Follows Georgia’s ‘Lax’ Hospitals


In the latest of the ever-sounding alarms about our most valuable (digital) details, the FBI has begun alerting healthcare providers that their systems would fall short of protecting patients’ records in the event of a cyber attack.

According to a Reuters report published last week:

“The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the Federal Bureau of Investigation said in a private notice it has been distributing to healthcare providers, obtained by Reuters.

The notice, dated April 8, did not mention the Obamacare website, which has been criticized by opponents of the Obama administration for security flaws. It urged recipients to report suspicious or criminal activity to local FBI bureaus or the agency’s 24/7 Cyber Watch.

Georgians should be especially worried — not only because the details gleaned from hospital records could lead to bigger personal identity thefts than those involving credit card details (read: the massive Target breach), but because medical breaches are especially salient here.

From an AJC story, published last summer:

Personal health information breaches in Georgia have affected nearly a half-million people in the last four years, according to a review of federal records by The Atlanta Journal-Constitution. And that includes just the major incidents — those involving at least 500 people — that were reported. Nationwide, these major breaches have affected 22 million.

Medical records breaches are part of a much broader identity theft problem: One study determined that U.S. victims of identity theft lost $21 billion last year.

Critics say those who touch health data are sometimes lax and they know it.

An annual survey of health care organizations by Ponemon Institute, a privacy management firm, found that 94 percent admitted confidentially that they had suffered at least one data breach. Most “say they have insufficient resources to prevent and detect data breaches,” said Larry Ponemon, head of the institute.

A horrible foreshadowing for what is sure to become an even larger issue.

Why Bitcoin is a Bad Investment

Today, some asshole posted a fake list of private keys attached to digital wallets. This deceit caused the value of the currency to swing wildly (see above tweet).

Regardless, this belies the most important fact about Bitcoin, something many seem to forget in the hype surrounding the crypto-currency.

You see, Bitcoin is for payments, not for speculators.

Already, the network supporting the currency is larger than Discover and fifth behind Amex, China UnionPay, Mastercard and Visa.

Twitter Authentication: Laggard to Leader

After countless account takeovers that compromised brands, news organizations and individual users, Twitter has revamped its authentication.

At the beginning of August, the social media giant made the changes. And, recently, Twitter forced me to reset my password.

The process was exhaustive: first the desktop, where I chose a new login; then an SMS message, where I was sent a special code; and finally back to my iPhone, where Twitter’s app chose a random 16-digit back-up code for me to plug into my browser.

In the background, Twitter generated a private key on my smartphone that it then sent back to its servers.

In the future, whenever I (or anyone else who demands multi-factor auth) tries to log in, the protocol will generate a “challenge and request ID” — pinging my phone to make sure that it’s really me who’s trying to access the account.

The method is more secure than other, more traditional multi-factor structures, Twitter explains in a blog post.

Traditional two-factor authentication protocols require a shared secret between the user and the service. For instance, OTP protocols use a shared secret modulated by a counter (HOTP) or timer (TOTP). A weakness of these protocols is that the shared secret can be compromised if the server is compromised. We chose a design that is resilient to a compromise of the server-side data’s confidentiality: Twitter doesn’t persistently store secrets, and the private key material needed for approving login requests never leaves your phone.

Other previous attacks against two-factor authentication have taken advantage of compromised SMS delivery channels. This solution avoids that because the key necessary to approve requests never leaves your phone. Also, our updated login verification feature provides additional information about the request to help you determine if the login request you see is the one you’re making.

Twitter also recently installed a security feature that requires users to confirm app logins from their phones.

These techniques, however, could be confusing, says CA Technologies chief security architect Jim Reno, in a blog post.

While I found the new technique generally easy to use, I think the presence of both cryptographic and SMS-based verification, enabled in two different ways, will cause confusion to some users. In fact I was able to confuse Twitter’s servers: at one point I had the server thinking it was using SMS-based verification while the phone thought it was using cryptography. The result was being blocked at the server until I disabled verification at the phone, as well as getting SMS messages containing long, cryptic strings, obviously intended for the app, not the human.

Can banks learn anything from Twitter’s new security standard? Or is a single-factor username/password, coupled with taking a customer out of band — to a call center — when there is a problem, the best way to handle online authentication?

NYT Website Outage Exploit Could Easily Affect Bank Websites


For the several hours that the New York Times went digitally dark Tuesday, bankers would have been smart to pay attention.

The exploit is common, and virtual thieves have been employing the tactic since the days when domain registrars would change website information after being prompted by a fax.

“If your registrar uses single factor authentication, you are just as vulnerable” as the NYT is, a source told me. “If that [registrar] gets pilfered, every single domain name that is associated with that username and password is vulnerable to that same attack.”

Indeed, banks are no more safe or unsafe than any other company that does business on the net.

Financial services companies are completely at the whim of their vendors’ security standards.

And it’s as easy as finding out the domain registrar of Bank of America.

You see, if MarkMonitor Inc. is allowing its users to login online using only a username and password, the bank is screwed.

Guess what? 


NYT’s Website Attacked; Syrian Electronic Army Takes Credit

For the second time in as many weeks, the New York Times’ website is 404 — this time as the result of the efforts of digital criminals.

The Times’ virtual registration records are seemingly being altered by the Syrian Electronic Army.

The newspaper’s site went down at around four in the afternoon.

The SEA is also taking credit for altering the whois records of the UK digital edition of the Huffington Post and Twitter.

From Wikipedia:

WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.[1] The WHOIS protocol is documented in RFC 3912.
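The registrar story above and this definition come down to one defensive question for a domain owner: has anyone changed the registrar, the name servers or the lock status on a domain you rely on? The Go program below is an added example, not code from the Times, the SEA coverage or Wikipedia. It parses a WHOIS reply in the “Key: Value” layout most gTLD registries return, compares it with a baseline you captured earlier, and reports any drift, including the absence of the EPP registrar locks (`clientTransferProhibited`, `clientUpdateProhibited`, `clientDeleteProhibited`). The two replies are constructed for a fictional domain; field names follow the common gTLD layout, but registries differ, so treat the parser as a starting point rather than a universal one.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// WhoisRecord holds the fields a domain owner should baseline and watch.
type WhoisRecord struct {
	Registrar   string
	NameServers []string // lower-cased and sorted for a stable comparison
	Statuses    []string // EPP status codes such as clientTransferProhibited
}

// parseWhois reads a "Key: Value" style reply; comment lines, the trailing
// ">>> Last update" line and keys we do not track are skipped.
func parseWhois(raw string) WhoisRecord {
	var rec WhoisRecord
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "%") || strings.HasPrefix(line, ">>>") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		val := strings.TrimSpace(parts[1])
		switch key {
		case "registrar":
			rec.Registrar = val
		case "name server":
			rec.NameServers = append(rec.NameServers, strings.ToLower(val))
		case "domain status":
			// Registries print "clientTransferProhibited https://icann.org/epp#..."
			if f := strings.Fields(val); len(f) > 0 {
				rec.Statuses = append(rec.Statuses, f[0])
			}
		}
	}
	sort.Strings(rec.NameServers)
	return rec
}

// registrarLocks are the client-side EPP locks a registrar sets on request.
// Without them, anyone holding the registrar login can retarget the domain.
var registrarLocks = []string{"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

// checkRecord compares a live record against the owner's baseline and returns
// one finding per deviation; an empty result means nothing has changed.
func checkRecord(rec WhoisRecord, baseline WhoisRecord) []string {
	var findings []string
	if !strings.EqualFold(rec.Registrar, baseline.Registrar) {
		findings = append(findings, fmt.Sprintf("registrar changed: %q, expected %q", rec.Registrar, baseline.Registrar))
	}
	if strings.Join(rec.NameServers, ",") != strings.Join(baseline.NameServers, ",") {
		findings = append(findings, fmt.Sprintf("name servers changed: %v, expected %v", rec.NameServers, baseline.NameServers))
	}
	have := map[string]bool{}
	for _, s := range rec.Statuses {
		have[s] = true
	}
	for _, lock := range registrarLocks {
		if !have[lock] {
			findings = append(findings, "missing lock: "+lock)
		}
	}
	return findings
}

// Constructed sample replies for a fictional domain (not real registry output).
const baselineWhois = `Domain Name: EXAMPLE-NEWS.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-NEWS.COM
Name Server: NS2.EXAMPLE-NEWS.COM
>>> Last update of whois database: <timestamp> <<<`

// The same domain after its registrar account was used to repoint it.
const hijackedWhois = `Domain Name: EXAMPLE-NEWS.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.UNEXPECTED-HOST.EXAMPLE
Name Server: NS2.UNEXPECTED-HOST.EXAMPLE`

func main() {
	base := parseWhois(baselineWhois)
	for _, f := range checkRecord(parseWhois(hijackedWhois), base) {
		fmt.Println("ALERT:", f)
	}
}
```

Run against the hijacked sample this reports the name-server change and three missing locks. One caveat belongs with the page’s point about single-factor registrar logins: the `client*` locks are set and cleared through the registrar, so a stolen registrar credential can remove them before repointing the domain. The stronger control is a registry lock, which shows up as `serverTransferProhibited` / `serverUpdateProhibited` / `serverDeleteProhibited` and requires an out-of-band step with the registry to lift; extending `registrarLocks` to expect those statuses is a one-line change.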

The Times is copping to an “external attack,” according to a spokeswoman. And in its wake, the newspaper company immediately began instructing its employees…


Asbury Park’s Website Potentially Spread Malware During Brief Attack


Asbury Park’s website was felled by Turkish hackers this week in an exploit that apparently took advantage of the site’s content management system.

The city’s internet presence is maintained by local design company M Studio — which immediately shuttered the site once employees noticed the issue.

From @BrianKrebs:

If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors.

Without seeing the exploit code it’s impossible to know exactly what these cyber criminals were after, but it’s safe to say it wasn’t solely mischief.

There are only two reasons why these sites are attacked, says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs.

1) recruit DDoS zombies to attack banks (and a few other paid targets)

Here the focus is on taking over machines that are hosted in facilities with large internet connected pipes. Once compromised, these machines attack bank web servers. Servers in these facilities can generate much larger amounts of traffic than a home machine (as the internet connection is faster) and can do much more damage. This is common in the al-Qassam bank DDoS attacks.

Sometimes third parties like Gwapo will offer a service to ‘wipe a company off the net’: see here:

2) distribute account takeover trojans.

This relies on unpatched WordPress and Joomla servers. These servers display webpages just like a blog or a news site. Hackers change the code (via an injection) so that not only is the normal page displayed, but their code is executed when a victim machine visits the site. When this code is executed it forces the victim to download an account-takeover trojan.
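Baylor’s second scenario has a concrete signature a site owner can look for: the normal page still renders, but it now carries a loader the owner never added, typically a script pulled from a foreign host or an iframe sized or styled so nobody sees it. The Go program below is an added example, not code from M Studio, Krebs or NSS Labs. It scans a served page for script and iframe tags that load from hosts outside the site’s own allowlist and for iframes styled to be invisible. The sample page, the allowlist and every host name in it are constructed; a regexp keeps the example short, and a production monitor should use an HTML parser instead.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// loaderTag finds script and iframe opening tags; srcAttr pulls their source URL;
// hiddenStyle matches the ways an injected frame is usually kept out of sight.
var (
	loaderTag   = regexp.MustCompile(`(?is)<(script|iframe)\b[^>]*>`)
	srcAttr     = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']?([^"'\s>]+)`)
	hiddenStyle = regexp.MustCompile(`(?i)(width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)`)
)

// Finding is one suspicious tag on a served page.
type Finding struct {
	Tag    string
	Host   string
	Reason string
}

// scanPage flags every script or iframe that loads from a host outside the
// site's allowlist, and every iframe styled to be invisible. Relative URLs
// (no host) are treated as first-party and skipped.
func scanPage(page string, allowedHosts []string) []Finding {
	allowed := map[string]bool{}
	for _, h := range allowedHosts {
		allowed[strings.ToLower(h)] = true
	}
	var findings []Finding
	for _, m := range loaderTag.FindAllStringSubmatch(page, -1) {
		tag, name := m[0], strings.ToLower(m[1])
		host := ""
		if src := srcAttr.FindStringSubmatch(tag); src != nil {
			if u, err := url.Parse(src[1]); err == nil {
				host = strings.ToLower(u.Hostname())
			}
		}
		if host != "" && !allowed[host] {
			findings = append(findings, Finding{name, host, "loads from host outside allowlist"})
		}
		if name == "iframe" && hiddenStyle.MatchString(tag) {
			findings = append(findings, Finding{name, host, "hidden iframe"})
		}
	}
	return findings
}

// samplePage is constructed for this example (not Asbury Park's real site):
// two legitimate includes, then an injected loader and a hidden frame.
const samplePage = `<html><head>
<script src="/media/system/js/core.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<p>City news</p>
<script src="//static.unexpected-host.example/counter.js"></script>
<iframe src="http://static.unexpected-host.example/i.php" width="0" height="0" style="display:none"></iframe>
</body></html>`

// firstParty is the site owner's allowlist of hosts the page may load from.
var firstParty = []string{"www.example.org", "cdn.example.net"}

func main() {
	for _, f := range scanPage(samplePage, firstParty) {
		fmt.Printf("%-6s %-32s %s\n", f.Tag, f.Host, f.Reason)
	}
}
```

Against the sample page this produces three findings: the foreign script, the foreign iframe, and the same iframe again for being hidden. Run on a schedule against a site’s own public pages, a non-empty result is an early sign that the CMS has been tampered with, independent of whether the patch Krebs mentions has been applied yet.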

Added information on this exploit from Versafe — a press release, and additional research.