Contractor Folds After Causing Breaches

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
  • by Overzeetop ( 214511 ) on Thursday August 16, 2007 @08:50AM (#20247877) Journal
    Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.

    (I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)
  • by faloi ( 738831 ) on Thursday August 16, 2007 @08:55AM (#20247935)
    I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.

    For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.
  • by Dekortage ( 697532 ) on Thursday August 16, 2007 @08:57AM (#20247965) Homepage

    Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

    What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

  • by ahuimanu ( 237298 ) on Thursday August 16, 2007 @09:04AM (#20248061) Homepage Journal
    The company is in India, or China, or Indonesia or.... you get the point.

    Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.

    But noooooo...

    We gotta OUTSOURCE because it looks good on a quarterly statement.

    Stew in it boyos, STEW IN IT!
  • by TheSciBoy ( 1050166 ) on Thursday August 16, 2007 @09:07AM (#20248081)

    Who would take a job where you could be held personally liable for any mistake your subordinates may do? You have a company where the size is small enough that you can check everything, I guess, or you wouldn't be taking that responsibility, but would you really want to be personally liable if you had 1500 employees? Would you be able to check all their work for flaws?

    In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

    Personal accountability is great but in a company, that accountability is handled internally. If an external party has been harmed by the mistake, they sue the corporation and the corporation pays. Internally, the company may fire anyone and everyone they find responsible but they cannot and should not be able to take the money they lost from those people. The whole point of starting a corporation, for goodness sakes, is to create an entity that is separate from the employees and even the owners so that the employees and owners are NOT personally responsible.

    Sorry if I'm not crying when there is no one left to sue.

  • by Anonymous Coward on Thursday August 16, 2007 @09:13AM (#20248151)
    >I happen to own a corporation

    I did too, and I knew that as a director of the corporation I was personally liable for the corporation's actions. You don't just get carte blanche as everyone here thinks you do. A corporation gives protection to its shareholders, who, in a larger corporation, have nothing to do with the business.

    The liability is still limited compared to a proprietorship, but it is necessary, as running a business opens up a huge can of worms -- If someone slips and falls at your house, they will not win millions of dollars against you (they may win a reasonable settlement, though). As a business, the standard is higher, and you will lose everything you own as a sole proprietorship and end up bankrupt. And, with that issue in mind, few to no people would open new businesses, since the business wouldn't have the money to cover all losses to that extent.

    I studied this concept very carefully, as I owned a satellite company in Canada, a VERY dangerous and VERY liable to be sued (by the government) business. More than half of the satellite companies in my city have been sued out of existence, the government managing to end up seizing not only the assets of the company, but eventually managing to seize personal assets as well. The "crime" being selling US satellite equipment or service. Considering it took my company 18 months to be signed on to sell for a Canadian satellite company (ExpressVu), which only happened under CRTC threat, I can understand the motivation. The last move by the government here was to extend the fines and reach of the laws (luckily it didn't pass as it was election time) so that a corporation importing a single US receiver (not even selling it or purchasing service for it) would be liable for up to $750,000 in damages between the government fines, and set fines for ExpressVu and StarChoice. Ho-hum. For a Canadian household it would "only" be $200,000... Enough whining, anyways. :D
  • by __aagbwg300 ( 1143477 ) on Thursday August 16, 2007 @09:20AM (#20248231)
    From the FA:

    While reports of the breaches have been issued in dribs and drabs, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another, according to David Levin, vice president of marketing at MedSeek.
    Can someone explain to me why you would need to open EVERY PORT on a computer to transfer data across two machines? Is there any possible reason why this would be considered? Seriously?
  • by Applekid ( 993327 ) on Thursday August 16, 2007 @09:22AM (#20248241)
    I think you missed the point. If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk. Maybe instead of figuring out how to line their pockets with money with their "certifications," Novell, Microsoft, Cisco, et al. could pool resources and lobby for a legally-weighty certification for Software Engineers much as conventional Engineers already have. Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

    You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

    CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that lead to Widget Model 3928 being the way it is.

    Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures led to the hiring of an unlicensed one.
  • by Gordonjcp ( 186804 ) on Thursday August 16, 2007 @09:36AM (#20248439) Homepage
    (because I don't care: the big guys give me a better price).

    Do they really? Remember that the price is rather more than a number written on a ticket - you need to look at the value of what you're buying too. For instance, I buy most of my groceries in small independent shops rather than supermarkets, because I get better value for money. Yes, the number at the bottom of the receipt is a little higher, but the quality of the produce is much higher.
  • by bepo ( 709117 ) on Thursday August 16, 2007 @10:12AM (#20248923)
    I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

    If accountability is what you want then why are you looking at the CEO? Shouldn't the technician who left the router down be personally liable? You could say that the CEO had the responsibility for ensuring methods were in place to prevent this. You could also say that the data was the responsibility of the hospital and paying a contractor does not eliminate that responsibility.
  • by Jimithing DMB ( 29796 ) <dfe@tg[ ].org ['wbd' in gap]> on Thursday August 16, 2007 @10:44AM (#20249371) Homepage

    I hate to admit it, but a few years ago I did an update on a Fedora box which renamed protocol 50 from ipv6-crypt to esp or something of the sort. Due to this, the firewall rules failed to load at startup which left the outside portion of the network completely unfirewalled instead of nearly completely firewalled.

    Now ordinarily this wouldn't be a huge problem as one should reasonably hope that even an unfirewalled system is secure. And indeed, the Windows 2000 webserver we had was reasonably secure. It was up to date with all the patches and running great. The ultimate attack vector had nothing to do with lack of patches but rather an ultra-weak password. You see, someone else had an account in the administrators group with a password of 121212. With the firewall being down this account could be used to log in to the SMB shares and thus execute anything with that account's privileges.

    Fortunately, the webserver had absolutely nothing to do with the rest of the network which was behind a second firewall with a totally different authentication/directory system and a different set of usernames and passwords. So the attacker was able to get access to a webserver with nothing of any interest on it. It is at that point when I began to research how the hell he got in and realized that the firewall was not firewalling anything. Later on, we decided the 121212 password on an Administrators group account was the ultimate culprit.

    This just goes to show you that a break-in can happen to anybody. Granted, in this story's case, taking down a firewall on purpose to transfer some data was probably not a good idea and could/should have been avoided. But that's a mistake, not an invitation to burn the perpetrator at the stake.

    Ultimately, a security failure should result in a procedural change. In our case, checking that the firewall rules installed correctly at boot became part of the checklist of things to do when upgrading that server. We also changed the passwords on the webserver and implemented several new policies. Prior to the attack, the webserver passwords were a combination of knowable information like birthdate, hire date, and part of SSN. Their purpose was to secure read-only access to a site with company policy information so it wasn't thought they needed to be highly secure. Unfortunately, all of the users were full Windows users so for all we know it might not have been the weak password on the admin account but instead a disgruntled (ex-)employee coupled with a possible privilege elevation bug. Due to this, we changed all of the users' passwords to be random and moved all of the users out of the Users group and into a group that only allowed logins to the website and not on the console.

    All that for a measly webserver with some simple read-only access to data that doesn't have to be all that secure. Now consider having a web application with critical data like patient records and several thousand users all from different hospitals. That's basically an accident waiting to happen. If I were a company doing that, I'd be sure to have a huge insurance policy to cover the liabilities and/or make damn sure the contracts with customers indemnified the company against lawsuits for accidental breaches.
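The "firewall down" state that Dekortage and __aagbwg300 ask about above (rules flushed to move data between servers) and the one in this comment (rules that silently failed to load at boot) look identical from the outside: a default ACCEPT policy with nothing in front of it. The following is an added example, not code from the thread or from Verus or MedSeek. It parses iptables-save output, flags a ruleset that fails open, and shows beside it a constructed ruleset that admits only the transfer peer on one port instead of dropping the firewall. The rulesets are constructed samples and 192.0.2.10 is a documentation address standing in for the peer server.

```python
"""Audit an iptables ruleset for a firewall that fails open.

Added example; not code from the Slashdot thread or from Verus. The sample
rulesets below are constructed, and 192.0.2.10 is a documentation address
standing in for the peer server of a one-off transfer.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Chain:
    policy: str                      # default verdict when no rule matches
    rules: list = field(default_factory=list)


def parse_iptables_save(text: str) -> dict:
    """Parse the *filter table of iptables-save output into {chain: Chain}."""
    chains = {}
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):             # table header, e.g. *filter
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):           # :INPUT DROP [0:0]
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif line.startswith("-A"):          # -A INPUT ... -j ACCEPT
            chain = line.split()[1]
            chains.setdefault(chain, Chain(policy="-")).rules.append(line)
    return chains


def _is_blanket_accept(rule: str) -> bool:
    """An ACCEPT not scoped to a source, a port, loopback or existing flows."""
    if "-j ACCEPT" not in rule:
        return False
    scoped = (
        re.search(r"\s(-s|--source)\s", rule)
        or re.search(r"\s--dport\s", rule)
        or " -i lo " in rule
        or "ESTABLISHED" in rule
    )
    return not scoped


def audit(text: str) -> list:
    """Return findings; an empty list means INPUT fails closed."""
    chains = parse_iptables_save(text)
    inp = chains.get("INPUT")
    if inp is None:
        return ["no filter/INPUT chain: rules never loaded"]
    findings = []
    has_deny = any("-j DROP" in r or "-j REJECT" in r for r in inp.rules)
    if inp.policy == "ACCEPT" and not has_deny:
        findings.append("INPUT policy ACCEPT with no DROP/REJECT rule: host is unfirewalled")
    findings += ["blanket accept: " + r for r in inp.rules if _is_blanket_accept(r)]
    return findings


def is_open(text: str) -> bool:
    return bool(audit(text))


# What the host looks like after `iptables -F` plus ACCEPT policies, or when the
# boot-time rule load fails and leaves the kernel defaults (constructed sample).
FIREWALL_DOWN = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Scoped alternative for a server-to-server copy: default deny, web ports open,
# and SSH/scp admitted from the one peer only (constructed sample).
SCOPED_TRANSFER = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Default deny on paper, but a catch-all ACCEPT at the top makes it open anyway.
BLANKET_ACCEPT = SCOPED_TRANSFER.replace(
    "-A INPUT -i lo -j ACCEPT", "-A INPUT -j ACCEPT\n-A INPUT -i lo -j ACCEPT", 1
)

if __name__ == "__main__":
    for name, ruleset in [("down", FIREWALL_DOWN), ("scoped", SCOPED_TRANSFER), ("blanket", BLANKET_ACCEPT)]:
        print(name, audit(ruleset) or "ok")
```

Used as the post-upgrade check this comment describes: pipe the live `iptables-save` output into `audit()` and refuse to return the host to service while the list is non-empty. The scoped ruleset is the answer to "why open every port": one rule for one peer on one port, removed when the copy is done, leaves the default deny in place throughout.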

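The comment's second remediation, replacing passwords assembled from birthdate, hire date and SSN fragments (and an admin account with 121212) with random ones, can be enforced in code rather than left to policy. This is an added example, not code from the thread: it derives the strings an attacker could look up or guess for a user, rejects passwords that contain them or that are trivial repeats, and generates replacements with Python's secrets module. SAMPLE_RECORD is constructed data standing in for one employee's directory entry.

```python
"""Reject guessable service-account passwords and generate random replacements.

Added example; not code from the thread. SAMPLE_RECORD is constructed data
standing in for one employee's directory entry.
"""
import re
import secrets
import string
from datetime import date

SAMPLE_RECORD = {
    "username": "jdoe",
    "surname": "Doe",
    "birthdate": date(1980, 3, 14),
    "hire_date": date(2005, 7, 1),
    "ssn_last4": "4321",
}

# Common ways people write a date into a password.
DATE_FORMATS = ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%y%m%d", "%m%d%y", "%m%d", "%Y")


def knowable_tokens(record: dict) -> set:
    """Strings an attacker could look up or guess for this user (len >= 4)."""
    tokens = set()
    for key in ("birthdate", "hire_date"):
        if record.get(key):
            tokens.update(record[key].strftime(f) for f in DATE_FORMATS)
    if record.get("ssn_last4"):
        tokens.add(record["ssn_last4"])
    for key in ("username", "surname"):
        if record.get(key):
            tokens.add(record[key].lower())
    return {t for t in tokens if len(t) >= 4}


def weak_reasons(password: str, record: dict) -> list:
    """Empty list means the password clears every check."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.isdigit():
        reasons.append("digits only")
    if re.fullmatch(r"(.{1,3})\1+", password):      # 121212, abcabcabc, aaaaaa
        reasons.append("repeating pattern")
    lowered = password.lower()
    for token in sorted(knowable_tokens(record)):
        if token in lowered:
            reasons.append("contains knowable value " + token)
    return reasons


def generate_password(record: dict, length: int = 20) -> str:
    """Random password from secrets, re-drawn if it happens to trip a check."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weak_reasons(candidate, record):
            return candidate


if __name__ == "__main__":
    for pw in ("121212", "Jdoe19800314!", "Welcome07012005", generate_password(SAMPLE_RECORD)):
        print(pw, weak_reasons(pw, SAMPLE_RECORD) or "ok")
```

The check is deliberately tied to the user's own record: a password like Jdoe19800314! passes a generic complexity rule but is exactly the "knowable information" this comment warns about, so it is rejected on four separate tokens.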
  • Re:Capitalism Rules! (Score:5, Interesting)

    by Draknor ( 745036 ) on Thursday August 16, 2007 @11:16AM (#20249769) Homepage
    Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

    1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).

    2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?

    3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).

    I guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.
  • by jc42 ( 318812 ) on Thursday August 16, 2007 @11:37AM (#20250013) Homepage Journal
    Actually, engineers routinely do get out of responsibility for disasters. Part of the reason is that they let their bosses and the prosecutors know about the "paper trail" that they have kept. They threaten to show in court that they knew about the problems, warned their superiors about the problems, and were ordered to ignore the problems. The prosecutors then carefully forget about them.

    The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers ;-) showed that what went wrong was a known possibility during cold-weather launches, and that a lot of the engineers had indeed tried to delay the launch.

    The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.

    In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?

  • Re:Capitalism Rules! (Score:3, Interesting)

    by cayenne8 ( 626475 ) on Thursday August 16, 2007 @12:10PM (#20250461) Homepage Journal
    "Right, so get rid of corporations. That's what the OP was trying to say in the first place."

    Well, that's not a great thing actually. The vast majority of companies and businesses are SMALL businesses. If you take that shielding away, you'd open up most businesses that are small, mostly private individuals, and you'd have them risking personal bankruptcy and ruin, for even minor problems.

    No one is going to risk their families' welfare that way, and you'd kill small businesses in the US. For a person to take risks and be a small business, which employs the majority of US citizens, they need to have some personal protection from liability.

    Especially given the litigious society we now live in...

  • Re:Capitalism Rules! (Score:4, Interesting)

    by RexRhino ( 769423 ) on Thursday August 16, 2007 @12:45PM (#20250971)

    Bullcrap. In a nutshell, corporations are above the law.
    However, the alternative to corporations: Government controlled monopolies, are also above the law (try suing the Social Security administration or IRS for compromising your data!!). And the police and justice system that is supposed to "regulate" the corporations are above the law (or do you expect the FBI to be abolished and the President to go to prison for those illegal wiretaps they were doing?!).

    All large social entities: governments, corporations, religions, are above the law, because the concepts of law and justice apply to individuals, not masses of people.
  • by ShieldW0lf ( 601553 ) on Thursday August 16, 2007 @02:15PM (#20252151) Journal
    How much was consumed in cold war spending?

    It's not on me to get into a debate about the efficiencies of historical systems with different problems in different environments, the point is that these technological marvels are not the sole province of modern capitalism and the corporate structure, as you insinuated.

    Do you believe that we've achieved Utopia, a state beyond our capacity to surpass?

    Do you think there will not be a better system that isn't a stepwise refinement, but a replacement?

    This whole system is optimized towards dealing with scarcity, it uses scarcity to provide the motive force to keep people industrious, and it destroys wealth with artificial scarcity to keep that going.

    We've developed the tools necessary to destroy scarcity in a wide range of sectors, but our economic systems equate "plenty for all" with "utterly worthless". That needs to stop if we're going to progress.

    That means new political-economic systems with supporting infrastructure, and it's not going to build itself, and no one motivated by the love of money is going to invest because it's going to devalue everything that they have built their power upon, but it's still going to have to be done.

    And when it's done, and done right, things will be markedly better than they are now, and more efficient, not less. Any group who competes the old way will lose.

    And I'll miss the wintel legacy not at all, I don't imagine.
  • by spun ( 1352 ) <loverevolutionary&yahoo,com> on Thursday August 16, 2007 @02:24PM (#20252271) Journal
    If limited liability only applies to capital, then why do corporations rather than the CEO or board get fined when the corporation commits a crime? People use corporations as a shield against prosecution all the time. It sickens me to see what they get away with, and that's just what we hear about. Corporations don't kill people, the people running corporations kill people, and they get away with it. For instance, why did Warren Anderson [wikipedia.org] go free?
  • Re:Capitalism Rules! (Score:4, Interesting)

    by thomas.galvin ( 551471 ) <slashdot&thomas-galvin,com> on Thursday August 16, 2007 @03:41PM (#20253291) Homepage

    Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!


    Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?


    The problem with that is that a corporation is kind of an ethereal entity to begin with: it never really existed, except as an abstract concept, so "punishing" it is kind of meaningless.

    Here's an analogy. Steve is a plumber. You hire Steve to replace the pipes in your house. Instead, he screws up so badly that you can no longer live in your house. You go to sue him, but he says "sorry, I'm not Steve any more. You can call me Frank, and you can't sue me, 'cause I'm not Steve."

    That's basically what's happening here. The people responsible for this cannot be held accountable, because they no longer call themselves Careless, Inc.

    IANAL, YMMV, HAND, etc, ad infinitum.
