Forgot your password?
typodupeerror
Security Government United States News

Virginia Health Database Held For Ransom 325

Posted by timothy
from the single-point-of-failure dept.
An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."
This discussion has been archived. No new comments can be posted.

Virginia Health Database Held For Ransom

Comments Filter:
  • Non-story? (Score:5, Insightful)

    by Jane_Dozey (759010) on Tuesday May 05, 2009 @09:03AM (#27829277)

    I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

    • by Anonymous Coward on Tuesday May 05, 2009 @09:10AM (#27829373)

      The Internet. A miracle of the 21st Century, providing high quality information and education to all, breaking down social barriers and creating a new info-democracy the likes of which our fathers could only dream about. Few would disagree that the Internet is a wonder of the modern world, and one of America's greatest contributions to science.

      However, as with all emergent technologies sooner or later, abuse by the uneducated masses causes the need for regulation to arise. As more people adopt a technology, the more likely that technology will be used by irresponsible individuals who try to spoil things for the rest of us.

      This is why the time has come to introduce licensing for Internet users.

      * Hunting
      * Fishing
      * Watching TV
      * Driving an automobile
      * Using a PC
      * Carrying a firearm
      * Building a house
      * Selling an alcoholic beverage
      * Staging a rock concert
      * Trading in securities
      * Developing software

      What do the activities listed above have in common ?

      The answer is that all are potentially dangerous activities for which one must obtain a license if one wishes to remain on the right side of the law.

      It is surprising to me that one potentially dangerous activity is conspicuously missing from the above list. We all accept without question the need for regulation where dangerous technologies are concerned (as the list clearly demonstrates). So why should the Internet be exempt ? What is so special about 0s and 1s travelling along a wire that makes us give it 'special treatment' ? Why should this important resource not enjoy the protection from abuse that regulation would undoubtably provide ?

      In the old days of the Internet, its usage was confined to academia, and the military. Back in those days, one could be fairly sure that Internet users were responsible citizens, who would not abuse their 'net access, after all our educators and defenders are people we knew we could trust.

      These days, with the explosive growth in Internet usage, it is impossible to control who goes online. Indeed, many Internet Service Providers (ISPs) market themselves on how 'easy to use' their service is. You are just as likely to find senior citizens, children, teenagers and housewives online these days, as you are to find a world class physicist or a military intelligence officer.

      As you would expect, with such a large number of uneducated people given unrestricted access to such a powerful tool, the results have not always been pleasant, and abuse has run rampant. You can find bomb making instructions, Islamic fundamentalist propaganda, pornography, hate sites, left wing and right wing extremism, pornography, fascism in all its different and elaborate disguises, Radical androphobic feminism, autism, pornography, questionable politics, pornography, blasphemy against Jesus, and yet more pornography.

      This is the mere tip of the iceberg, since the Internet is estimated to have as much as 100 Gigabytes of this kind of offensive material, and it is growing larger by the week, as more and more uneducated people rush to 'get online' so that they may 'surf the web' with their equally poorly-educated beer-swilling redneck buddies.

      As with all technologies, the Internet has matured to the point where regulation is not just desirable, it has become inevitable. You don't need to be Kreskin to predict that unless the Internet is regulated, and regulated quite heavily, it will soon collapse under the sheer weight of pointless traffic Britney Spears fan sites, uninteresting personal home pages and the extra load placed on the 'net infrastructure by illegal protocols such as Aimster Napster, Bearshare Gnutella and the like.

      As with automobil

      • by Jaysyn (203771)

        Obvious Troll is obvious.

      • by nospam007 (722110) *

        Hurray! Now we just need some 200 countries and ungoverned territories to agree, hold your breath.

    • Re: (Score:3, Interesting)

      by medarby (757929)
      Maybe or maybe not, but my guess is that they do. However, even if they did pay the ransom, the hacker will still release it into the wild to the highest bidder. VA only choice is not to pay the ransom and to notify all of their customers that their personal information is compromised.
    • by tomhudson (43916) <barbara.hudsonNO@SPAMbarbara-hudson.com> on Tuesday May 05, 2009 @09:39AM (#27829741) Journal

      Did you read the note? It's offering to sell the personal data

      ATTENTION VIRGINIA

      I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

      For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

      Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

      Until then, have a wonderful day, I know I will ;)

      Sorry, Virginia, there's no Santa Claus.

      Maybe it's someone doing it for the lulz. After all, a REAL ransom note would have used either the evil MS-Comic font, font of ill will [slashdot.org], or a genuine Ransom font [1001fonts.com].

      • by afabbro (33948)

        Did you read the note?

        No, every link from the WikiLeaks article seems Slashdotted ;-)

      • Re: (Score:3, Funny)

        by penguin_dance (536599)

        Did you read the note? It's offering to sell the personal data.

        Who's going to want to buy it? I mean, it's a list of drug addicts--their CREDIT scores are going to suck!

        • by gbjbaanb (229885)

          surely, if there's ever a targetted list of people who are going to actually buy penis enlargement pills and anti-ageing wrinkle cream, this is it.

        • Re: (Score:3, Insightful)

          by dpilot (134227)

          > Who's going to want to buy it? I mean, it's a list of drug addicts--their CREDIT scores are going to suck!

          It's *Virginia*, for Pete's sake. Since I visited there a year ago, I remember driving through Arlington and Alexandria - two bedroom suburbs of Washington, DC. Obviously politicians would want to keep their problems out of such a database - heck, anyone would. Most probably some politicians, political workers, lobbyists, and such are among those 8 million names. Their credit scores won't suck,

    • by wiredog (43288) on Tuesday May 05, 2009 @10:11AM (#27830261) Journal

      have you?

      I've been working for contractors for 10 years now, and am still surprised by the level of incompetence that some government IT folks demonstrate.

      Some are good. NOAA OMAO really has its stuff together. DoJ? Not so much..

    • Re:Non-story? (Score:4, Insightful)

      by Curunir_wolf (588405) on Tuesday May 05, 2009 @10:37AM (#27830679) Homepage Journal

      They don't need that data anyway. The only thing it's used for is to inform the DEA of people that might be abusing prescription drugs (yea, like Limbaugh). So, good riddance.

      The real issue is that the state (and all the others, BTW) is collecting all this personal information on their citizens and storing it in a database that is vulnerable to attack by identity thieves. It's one of the problems with all of these "citizen tracking" systems (like, for instance, Real ID [realnightmare.org]). It's an unnecessary government intrusion that collects personal information for tracking its citizens, and providing them the ability to use citizens' own information against them. The excuse is always for "security". Well, you see now how good the government is at security.

      Just wait until they have all your health records in an electronic health record database. It'll be available to everyone, everywhere. Authorized personnel only, of course. Yea, right.

      • Re: (Score:3, Interesting)

        by laura20 (21566)

        Of course, this information is already tracked by private companies, and their information is just as vulnerable. Or didn't you read the original article [washingtonpost.com], which noted that Express Scripts has had the same problem?

    • Re:Non-story? (Score:5, Interesting)

      by afabbro (33948) on Tuesday May 05, 2009 @12:23PM (#27832495) Homepage

      I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

      Wouldn't surprise me in the least, but not because it's the government. The problem is that every organization of any size has under-the-radar skunkworks IT projects. There's always some guy in a field office who doesn't like central IT (often with good reason), doesn't like bureacracy, has a slow link to the home office, etc. Sometimes he's an amateur computer buff as well.

      Next think you know, he's got a couple Gentoo boxes running under his desk with a MySQL + PHP app he's cooked up himself that his whole team is relying on. It works great (for them). Years go by and suddenly someone in central IT learns of it. They try to take it away and standardize it, but he goes to the business side and says "our customers will complain, they rely on it" and business tells IT to knock it off.

      Usually about then, one of three things happen:

      • The disk on the recycled Packard Bell desktop that's running the database eats itself and he loses all the data.
      • Someone in auditing gets a clue and raises holy hell about HIPPA, SOX, etc.
      • There's a break-in because he has lousy security.

      I've seen the above scenario in at least three large private firms. In this case, we're talking 10,000,000 records. That could live on someone's laptop or desktop. Central IT might not even know it exists. I could easily see someone office saying "we just got a grant for $5 million to study trends in prescriptions to look for abuse patterns, can you send over a disc with a data extract"? Hell, that might have happened ten years ago and it's been sitting on some share ever since, long forgotten.

  • by Anonymous Coward

    Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?

    • by eldavojohn (898314) * <eldavojohn@nOspAM.gmail.com> on Tuesday May 05, 2009 @09:11AM (#27829387) Journal

      Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?

      I don't know, why don't you send hackingforprofit@yahoo.com an e-mail and ask them?

      Oops, did I just post hackingforprofit@yahoo.com without obfuscating it? Here, let me fix that:

      hackingforprofit(at)yahoo(dot)com

      My apologies to hackingforprofit@yahoo.com [mailto] if this results in an increase of SPAM.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Damn you! My mailbox is FULL with SPAM!!

        • Re: (Score:3, Funny)

          by flonker (526111)

          Dear Sir/Madam,

          I am fine today and how are you? I hope this letter will find you in the best of health. I am Joe Fitz, and I recently hacked the "Virginia Department of Health Professionals". They have paid me a ransom of $10,000,000 (TEN MILLION DOLLARS). However, this balance of US$10,000,000.00 has been secured in form of Credit/Payment to a foreign contractor, hence we wish to transfer into your bank account as the beneficiary of the fund. We have also arrived at a conclusion that you will be given 20

      • Re: (Score:3, Funny)

        by powerlord (28156)

        Hmm perhaps if we contacted the people at hackingforprofit@yahoo.com then they could answer some questions? Perhaps they could even be the next "Ask Slashdot"?

        I could see it now:

        "Slashdot: Post your questions for the hackingforprofit@yahoo.com group! The top five will be sent in, and hopefully answered in an anonymous fashion."

        Q: 5) Are you idiots?
        A: Well ... I DO live in Virginia, and worked for a local IT dept. Since they had a security break-in, on a system I was responsible for, I'd say yes.

        Q: 4) What

  • by tjstork (137384) <todd@bandrowsky.gmail@com> on Tuesday May 05, 2009 @09:05AM (#27829295) Homepage Journal

    I would be more than willing to bet that the attacker works in some way for the State of Virginia. The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom... so now you are looking for English, Irish, Scottish or perhaps Indian guys working for the state of Virginia...

    A voice tempts - gee, if we could do FISA wiretaps, perhaps a quick search of all the electronic correspondence of all the people who work(ed) for the state might turn up who it is...

    • by eldavojohn (898314) * <eldavojohn@nOspAM.gmail.com> on Tuesday May 05, 2009 @09:09AM (#27829345) Journal

      The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom...

      Yes, but the phrase "Now I hear tell" indicates Virginia! What a conundrum! This case will never be cracked! The full note text for those too lazy to click through wikileaks:

      ATTENTION VIRGINIA

      I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

      For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

      Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

      Until then, have a wonderful day, I know I will ;)

      • by hey! (33014) on Tuesday May 05, 2009 @09:15AM (#27829439) Homepage Journal

        Ah, Watson, but notice this curious "Fucking Bunch of Idiots". A Frenchman or Russian could not have written that. It is the German who is so uncourteous to his nouns.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          No doubt a reference to the FBI.

        • by Kokuyo (549451)

          Or it might have been a jab at the FBI that you have thoroughly missed... Or I just missed YOUR joke ;).

        • Yeah, quite the master hacker they seem to have on their hands.

          Anyone wanna lay odds as to how long it takes for him to get caught? Ten bucks bucks says the state responds to that e-mail with a 1x1 transparent gif in the message, and nails this uber-genius at a Starbucks.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Aah... so the perpetrator has English, Scottish, Irish and German forefathers - and he lives in Virginia.
          This should be an easy case to crack.

      • Each state has it's own database farmed out to a 3rd party without oversight. The lowest bidder no doubt with Virginia.

        BTW Virginia is also a commonwealth state. The UK is a commonwealth nation. Coincidence, No I don't think so. So that means you guys in the UK are responsible.

        • BTW Virginia is also a commonwealth state.

          As are Pennsylvania, Kentucky and Massachusetts.

          *cue spooky music*
      • Re: (Score:3, Insightful)

        by jotok (728554)

        Trivial for FBI to get a warrant for the guy's login details from Yahoo.

        Of course, if he's using TOR, then they're hosed.

      • Re: (Score:3, Interesting)

        by T Murphy (1054674)
        ...why did he tell them he will put the info on the black market? Virginia paying him off doesn't deprive him of the data, so he can sell the info anyways- alerting people to the risk will devalue the information, and in the event he gets caught they have another charge to follow up on. Sure, the average person might react to the threat, but he knows the FBI will be called up, and they have plenty of experience with threats like this I would assume.
        • Re: (Score:3, Insightful)

          by mewsenews (251487)

          Leaking the entire database to identity thieves is part/most/all of the hacker's threat if the ransom is not delivered. If the database is lost and they have to start from scratch -- big deal. If the database is lost AND in the hands of well paying criminals -- uh oh.

      • by Janek Kozicki (722688) on Tuesday May 05, 2009 @10:21AM (#27830407) Journal

        FBI will set up a covert action obviously. They will pretend to be someone with the highest bid who wants to buy it. They will pay, then follow the money trail, then revert the bank transfer, just like you do with your credit cards.

        Or something similar to that.

    • Re: (Score:3, Funny)

      by Shakrai (717556)

      perhaps Indian guys working for the state of Virginia...

      Well, at least that means that Macaca has discovered the real world of Virginia ;)

    • by Xest (935314)

      The language of the whole threat makes it sound like he's about 8 years old, so using that logic we should also be looking for an 8 year old.

      I'm not sure how two words, "gone missing" indicate being from the UK. I'm pretty sure many people speaking English worldwide who aren't British have used those two words in that way before.

    • starting a sentence with "hell" and dropping the g off of betting and describing the data as "this baby" makes it sound like "good ol' boy" style american to me. I'm english and it's affectatious to use those colloquialisms over here.
    • Re: (Score:3, Interesting)

      by Metasquares (555685)

      If I can find a corpus of geographically labeled text documents, I'll run a few text mining algorithms on the letter and see what pops up (yes, your writing can now give away things that you never thought possible, at least probabilistically).

      Apparently the author likely has an ESTJ personality in the Myers-Briggs system and is probably male.

  • by Nutria (679911) on Tuesday May 05, 2009 @09:05AM (#27829297)

    Don't these jackasses know what Iron Mountain is, and what tape drives are for???????

    • Re: (Score:3, Informative)

      by Lumpy (12016)

      Nope.

      and here's somethign that will scare you.

      MOST Companies don't know what iron mountain is and what tape drives are for. a bulk of companies and corporations have incredible jokes they call their backup system/policy.

      They spend more on the CEO's toilet than they do on data security and integrity.

  • Backup? (Score:4, Funny)

    by wondercool (460316) on Tuesday May 05, 2009 @09:05AM (#27829301) Homepage

    Luckily Of course a backup was made every hour. .. Oh what? Did not run backup for 3 weeks? Went fishing?

  • inside job? (Score:2, Redundant)

    by rhendershot (46429)

    This sounds like an insider attack as there are just too many coincidences. Backups gone missing, many sites hacked, demand for millions of dollars (pay to whom?!), etc. No wonder every information request is referred to the FBI.

  • by Skraut (545247) on Tuesday May 05, 2009 @09:07AM (#27829325) Journal
    ...since Virginia is for Lovers. The hardest part will be determining weather their prescription was for C1A1iS or V1AGR4
  • by Ender_Stonebender (60900) on Tuesday May 05, 2009 @09:08AM (#27829339) Homepage Journal

    Hopefully the state of Virginia follows proper backup procedures, and has a copies of the data that are off-site and off-line. It may take a day or so for someone to go fetch the tapes, but the data shouldn't be lost. So the people trying to ransom this data should be screwed.

    • by Shrike82 (1471633)
      It's not totaly impossible that whoever is responsible managed to disrupt the back-up procedure. They sound fairly confident that the backups won't work. Perhaps they managed to intercept the treansmission of the backup data, or destroy or steal the physical media that the backups are stored on.

      I've seen quite a few companies that store their backups on tapes which are just put on a shelf - and while you'd hope that a governmental body would be more responsible, we've all seen the monumental blunders suc
      • They sound fairly confident that the backups won't work.

        Of course he's confident, didn't you see the size of his e-peen?

      • by vlm (69642)

        It's not totaly impossible that whoever is responsible managed to disrupt the back-up procedure. They sound fairly confident that the backups won't work. Perhaps they managed to intercept the treansmission of the backup data, or destroy or steal the physical media that the backups are stored on.

        I've had to set up backup systems like this. I have a better imagination, so I found several more problems I was able to avoid in my actual deployed systems.

        No need for such complicated mission impossible stuff. Merely gain access to the backup server. You know, the server that everyone in IT needs access to, so they made the password "Password1". Everyone having access is a bad idea.

        Then using the handy web console that requires no training or skill, instead of backing up /dev/sda1, backup /dev/random

    • by Swizec (978239)
      Actually it doesn't really matter whether the backups exist or not, someone WILL pay large amounts of money for all that personal information. Whom, I don't know, but there's bound to be someone out there.

      Hell, it could just be bought by someone to cause a political scandal over "data loss", then create a large "data protection for governments" corporation and use this incident to gain clients.
    • by jcnnghm (538570) on Tuesday May 05, 2009 @10:25AM (#27830483)

      It's not about being able to recover the data, it's also about everyone's medical records being sold. If medical records can't even be protected at the state level, what makes people believe that national electronic health records will be any safer? Just wait until your laying in the hospital, but you can't be treated because access to your online health records are down.

      I'm increasingly amazed by the willingness of people to bitch and moan about incompetent and inefficient bureaucrats, while at the same time, insisting on turning over more and more important societal functions to these same bureaucrats.

    • by nurb432 (527695)

      What if they planned this for several years and infected all the backups with someting so they wont restore?

      Not saying they did, but anything is possible.

  • Michigan (Score:5, Informative)

    by Darth_brooks (180756) * <clipper377@gm a i l . c om> on Tuesday May 05, 2009 @09:12AM (#27829399) Homepage

    The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virgina.

    It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")

    All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with at bamboo cane a the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

    • Isn't that a public relations disaster? "It was just a drill"... it's bound to make some people made even if they know it's a drill later.

    • Re:Michigan (Score:5, Interesting)

      by burnin1965 (535071) on Tuesday May 05, 2009 @09:39AM (#27829739) Homepage

      key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail

      if someone's on call and doesn't answer their phone, you beat them with at bamboo cane a the next opportunity

      Actually it looks like the scenario was designed to show that management should be severely caned for using on-call support as a means of running an operation.

      Forcing employees to adhere to an on-call schedule is a bullshit method of saving on labor expenses by shifting the cost to the employee who is then forced to tailor their personal life to support their employer.

      For all you on-call sysadmins out there I have a bit of information for you. I've seen a semiconductor factory that runs 24/7 and the support departments always had a paid crew working 24/7 to support production. The on shift crew was always enough to maintain operations and respond to disasters, i.e. power outages and bumps that take equipment down. While this may sound like an expensive solution for 24/7 operations it is actually cheaper if properly implemented. One of the keys to success is spreading the support work load across the shifts. The benefit is also a faster response to issues rather than waiting on a pager response.

      And one last concept I'd like to plant, that Blackberry they give you to carry on your hip every waking hour of every day including your days off is not a perk. You may feel all geeky and important with your company paid geek status symbol but in reality its simply a corporate slave leash.

    • Re:Michigan (Score:5, Funny)

      by Xest (935314) on Tuesday May 05, 2009 @09:39AM (#27829749)

      See in the UK we have a better approach with protecting the public from the effects of cyber attacks.

      We just allow our public sector to be so fucking useless no one misses them when their systems go offline anyway.

      • See in the UK we have a better approach with protecting the public from the effects of cyber attacks.

        We just allow our public sector to be so fucking useless no one misses them when their systems go offline anyway.

        And there are a lot of people who want us to emulate your health care system.
        The first thing I thought of was, what happens when the new national medical records system goes online with a similar level of security.

    • by Lumpy (12016)

      If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

      they post an ad on monster.com with unrealistic qualification requirements and at 30% less pay than he was getting.

      Honestly, MOST companies, even after SOX still have incredibly little planning in backup or data security.

  • by Anonymous Coward on Tuesday May 05, 2009 @09:15AM (#27829443)

    10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?

    • Re: (Score:3, Informative)

      by LUH 3418 (1429407)
      Even if it was 10GBs worth of data, once an attacker can sneak into the system, it's possible to download it all without getting noticed... If the server has a fat pipe, it's likely nobody will notice a minor amount of additional overhead. However, there remains the question of how the attacker could know that there are no additional backups.

      There have been ransom cases like this before, dating as far back as the 80s I believe (perhaps even the 70s), where it was an inside job, and the attackers stole al
    • by ledow (319597) on Tuesday May 05, 2009 @09:31AM (#27829649) Homepage

      Or none of the above. What about he gained remote access to the backup servers, encrypted their backups with a password of his choosing and deleted their other (presumably, rewritable / otherwise on-line) backups?

      That way, he personally had access to them (without having to download them) and has removed everyone else's access. Even if he has just "lost" the latest backups for them, that's an incredibly serious breach that he could even get that close and relevant to a lot of people. He *could* have downloaded whatever he wanted and could have wreaked enormous havoc by *corrupting* the backups beyond recognition and not even get noticed. How many other large organisations use their host's backup facilities (which are normally run as "on-line" backups with occasional "off-line"/"off-site" backups) instead of their own? I know of several, but they don't host anything anywhere near as critical to this.

      Either way, it's piss-poor server/network management and someone should be fingered for it. I'm guessing it's more likely an "IT Consultant" and/or someone who didn't listen to their systems administrator at the last round of budget estimates than the actual implementors of the system.

  • by MistrBlank (1183469) on Tuesday May 05, 2009 @09:18AM (#27829473)

    Did they also threaten to release the Da Vinci virus?

  • by 2phar (137027) on Tuesday May 05, 2009 @09:20AM (#27829507)

    A timely illustration of the critical importance of security in electronic medical records.

  • Damnit... (Score:5, Funny)

    by jez9999 (618189) on Tuesday May 05, 2009 @09:27AM (#27829589) Homepage Journal

    The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians.

    Damn, I'd pay $10 mil for data on more than 8 million virgins. That's more than you get for martyrdom in the... oh, read it wrong. Never mind.

  • by mandark1967 (630856) on Tuesday May 05, 2009 @09:28AM (#27829615) Homepage Journal

    That make me very happy I get all my medication from the 2 dudes on the streetcorner.

  • State control (Score:2, Insightful)

    by ChrisMaple (607946)
    This is what happens when you let the government in to places where it shouldn't be. There shouldn't be a state record of prescriptions, in fact the entire idea of government restricting the sale of certain chemicals to a doctor-monopoly is wrong. You statists are getting what you deserve; unfortunately the rest of us have to pay for it too.
    • by CastrTroy (595695)
      It depends. All things can be used for bad and for good. While it kind of sucks in this case that the records database got broken into there are some good points to this. If you were in an accident, it sure would be nice if the hospital was able to look up any prescriptions you were on before administering other drugs which may be harmful when used with you current medication.
    • This is what happens when you let the government in to places where it shouldn't be. There shouldn't be a state record of prescriptions, in fact the entire idea of government restricting the sale of certain chemicals to a doctor-monopoly is wrong.

      The Libertarian in me agrees with you. The Realist in me who watches soccer moms stuff antibiotics into their cold-infected children for two days and then stopping disagrees wholeheartedly.

      There are some things that inherently need to be done under professional supervision. Medicine dosing is one of them.

      • by b96miata (620163)

        Requiring scripts is fine. Having a government database of them is not.

        I'd much rather a few thousand addicts had an easier time getting their next fix than have my personal details on the open market. (I live in VA and have filled prescriptions at pharmacies here, so I can only assume my personal data is part of this breach.)

        This incident (well, the threat of it) is pretty much the textbook argument against government databases. Too bad no one will pay attention when it actually happens.

      • There are some things that inherently need to be done under professional supervision. Medicine dosing is one of them.

        Who do you think whores out all those prescriptions to those soccer moms if not your precious "medical professionals"? You think your soccer moms just dreamed up all those pills? It's the doctors who are the drug pushers. Without them the public wouldn't have a fraction of the dangerous chemicals they're shoving into their faces as we speak.

    • by rtb61 (674572)
      Now that is really a stupid idea. of course there should be an independent review of all prescriptions provided. Seriously get the prescription wrong and people die, an independent check can prevent a lot tragic consequences. Added benefit is tracking of bad side affects especially where those side affects cause greater harm than the condition the prescription is trying to mitigate and, of course tracking down and managing any addictive prescription is also very important, especially as there can be non-add
  • by dachshund (300733) on Tuesday May 05, 2009 @09:38AM (#27829723)

    This is tragic, and please don't view the following unrelated rant as indicating lack of sympathy or some kind of judgement against the public agency that's getting slammed in this case.

    A couple of weeks ago I spent a few days at the RSA security conference, one of the biggest conferences/trade shows in the security industry. Roughly 7 out of 10 of the products being hawked were absolute nonsense: buzzword-compliant BS. "Security risk management" software, hacked-together IDS systems, encryption systems that have pretty Windows GUIs (and probably, lots of pretty Windows code vulnerabilities), AV that's easy to circumvent, etc. They'd do absolutely nothing to protect you in the face of a serious attack. I say this as both a security professional and a business owner, which makes me somewhat well qualified to make that judgement. Often the most obviously ineffective products were the best sellers.

    My point? In terms of commercial spending, "security" has so far been an excuse to spend a bunch of money and check a lot of little boxes. Corporations and organizations aren't really serious about preventing attacks, because for the most part it isn't happening (to most companies). An executive wants to say he "did something", so he buys a bunch of stuff and wastes time configuring it. It probably doesn't protect him against a motivated attacker, and he doesn't have the skills in-house to deal with it (which would be a lot more valuable than the equipment and software he purchased).

    When I see something like this story, well, it's absolutely not gratifying. It's tragic. And of course, the fact that it's hitting a public agency makes it even nastier. But at very least, I hope that things like this do at least scare the crap out of some of the companies buying this nonsense, and convince a few of them to take the problem seriously. Because it is a problem. The reason we have the luxury of pretty trade shows that sell fluffy products is because this very real problem just hasn't manifested itself in an expensive enough way to shock people into taking the problem seriously. I really hope people start taking it seriously before this kind of thing becomes too pernicious.

    • Re: (Score:3, Informative)

      by Lord Ender (156273)

      It's true. Where I work, we have very good security. This is because we have very good security engineers who select (or write) the tools they use, rather than having some shitty pie-chart generating security app shoved on us by some middle manager who liked the sales presentation.

      Infosec really is an art at this point. Managers, don't tell the artist what equipment he can use. Your $40,000 SIM is going to be completely wasted, because syslog + a perl script will get him exactly what he needs in exactly the

    • by Rich0 (548339)

      The issues with IT security are due to smart marketing - they know where the money is and they cash in on it.

      There isn't much money in helping a CEO to find some guy who can competantly run his IT show.

      What the CEO needs is a way to get his friend's cousin an IT security certification so that he can justify hiring him. You see, his friend is the CEO of OtherCorp and he just hired his nephew for $250k/yr, and it is time to pay back the favor. However, the guy's cousin could turn out to be an idiot and that

  • Ummm... (Score:5, Insightful)

    by ledow (319597) on Tuesday May 05, 2009 @09:47AM (#27829867) Homepage

    Well... he has an email address that he wants people to talk to him on. The person is asking to be caught already. Even assuming Tor use, etc., that's a definite lead back to him right there. You're talking an open invitation for some agency to coerce Yahoo to plant something on his browser when that login is detected (a cookie would probably do for the simple cases, a Flash/Java/browser exploit or similar in an advert would easily do for the more complex). Hell, I wouldn't be surprised if it wasn't possible to get a Microsoft-signed Java app (and, thus, automatically run without prompting) into the pages that are made for his login with their co-operation and have it reveal the *real* IP address / routing.

    You can *easily* string him along for four or five emails. He would have to be using extremely tight security each and every time in order to communicate safely (and thus I hope he ran / is running a sandboxed system via a good anonymising network for the purpose of creating and checking that mail account each and every time and that he *never* uses that sandbox for anything else).

    And you're talking confidential patient records - this is no hero of the citizenry, it's some pillock with nmap. So I hope he does get caught. Yeah, expose the security holes (though even that is just asking for jailtime) but don't play with people's lives.

    How he expects to receive any money is beyond me... there's no such thing as a "safe" bank account except in the movies. Or is he hoping for a large bag of cash to be thrown from the Golden Gate bridge at 13:37 or similar? I'm guessing that, somewhere, he's made a stupid, elementary and critical mistake which means that he'll be "caught" quite soon (as in, people know who he is and just have to do the paperwork to get him), if he's not already.

    If you want to make a stand, make a stand, target an organisation, pick a purpose, hit the critical points without collateral damage. If you want to dick about and show what a hacker you are, that's when you take whatever you *can* find (e.g. extremely private medical records and personal details of random people) and threaten to spread it unless a ransom is paid. In short,

    Go to Jail. Go directly to Jail. Do not pass Go. Do not collect $10 million.

    • Re:Ummm... (Score:5, Insightful)

      by Mendoksou (1480261) on Tuesday May 05, 2009 @09:59AM (#27830077)
      Right, and he intends to get the money somehow... as if it couldn't be tracked. My guess is that this guy is as good as caught, or its a hoax. Either way, expect to see more restrictive internet legislation because of this.
    • by batquux (323697)

      Just a couple thoughts on the money thing. Perhaps the idea was never to collect ransom, but to sell the information on the black market where tracing isn't as much of an issue. You might nab this person by posing as a potential illegal buyer, or at least you could get a better deal on it than the $10 million up front. With this kind of access to this particular database, the easier way to make money would be to enter fake prescription data for addicts or dealers.

    • Re: (Score:2, Interesting)

      by binaryspiral (784263)

      Maybe he won't ask for the money.

      Split it to 1,000 homeless shelters... and don't give the password until the money is spent.

      Food pantries, job centers, etc... 10 mill would make a lot of people's lives just a bit better.

      What better way of using tax payers' dollars than taking care of those folks?

    • Re:Ummm... (Score:5, Funny)

      by magbottle (929624) on Tuesday May 05, 2009 @11:21AM (#27831359) Journal

      How he expects to receive any money is beyond me... .

      A good plan would be to identify two similarly hackable situations, crack one and post a ransom note on the main page. Then kick back and read Slashdot to figure out how best to exploit hack situation number two.

      We give the best advice.

  • Woop De Doo, the data has already been stolen, now what?

  • by Anonymous Coward on Tuesday May 05, 2009 @10:33AM (#27830591)

    This is super cool, and if they are using Oracle, super easy. The Transparent Data Encryption "Feature" included with Oracle database can be initialized and enabled without any visible change to users or even administrators. Once it's up and running, you copy and delete the "wallet" used to start the database and turn on encrypted backups. You wait a little while, until their unencrypted backups are too old to be any good, then shutdown the database and tell them what you've done. It won't start, and the backups won't restore without the wallet you stole.

    The beauty part is, you can't "disable" the TDE feature. The only way to do that is to turn it on, and not use it. That requires.... Wait for it....

    A license.

    Ha ha. If you configure it, to disable it, you have to pay for it. I love Oracle.

  • DHP != VDH (Score:5, Informative)

    by elbuddha (148737) on Tuesday May 05, 2009 @10:49AM (#27830849)

    Just for clarification, the Virginia Department of Health Professionals is not the same agency as the Virginia Department of Health.

    Each Virginia agency is its own little independent IT fiefdom, with all the disparity of budget and clue that entails. At least until their IT is taken over by Northrop Grumman, which is another clusterfuck entirely...

  • by jollyreaper (513215) on Tuesday May 05, 2009 @10:58AM (#27830997)

    It's kind of completely obvious in retrospect but I remember being so proud coming up with an idea like this way back when I was first getting into computers and reading way too much cyberpunk. The scenario I imagined was someone hacking into a corporate network and planting a virus that gets wormed into all the backups. The ransom note goes something like this:

    1. Hi. I compromised your systems.
    2. You have no idea when I compromised them and I won't tell you. Rest assured it's been for more than months.
    3. I planted a virus.
    4. It's in all your backups now.
    5. It's set to start deleting everything next week.
    6. You could conceivably take everything offline and pay security geeks big bucks to scrub it down. My guess is it'd take you weeks and cost $x megabucks.
    7. For $.1x megabucks, I'll give you the disarm code.

    I thought it was a kewl idea but the part that I could never figure out was how to make contact with the company without giving everything away. The only thing I could come up with is the old standby from TV and movies, the "numbered swiss bank account." Presumably your identity would be kept private, you would know when the deposit was made, end of story. But it always seemed like there would be some hole in the process that would leave a big red arrow pointing back to the hacker.

    Of the historic hackers we've read about, the ones who have gotten caught, it's always some fuckup that gets them nailed, usually not being able to keep their yaps shut. This does make me wonder if we don't hear about the successful hacks because a) the good ones can keep their yaps shut and b) nobody wants to advertise getting pwn'd hard by some punk.

    The other factor is a hack like this is so big and flashy, it's just bound to get law enforcement to throw more bucks at the case than it would normally warrant, just because it's so brazen, blatant, and just begging the feds to overreact.

  • by DynaSoar (714234) on Tuesday May 05, 2009 @11:55AM (#27831971) Journal

    "replaced the homepage with a ransom demand."

    What was discovered was vandalism -- an altered web page and deleted data. There's no evidence besides the vandals' word that anything was downloaded. The same source claims the backups were missing, and that they wanted ransom for return of the data. This is Rx tracking data, not financial or personal ID data.

    If it had been personal data, and it'd been downloaded by real ID thieves, they would NOT have notified the world of the event immediately (in fact, while in progress) by defacing the site. They'd have wanted to get away clean and sell off the data if possible before the theft was noticed. And they'd have sold it rather than proving their stupidity by demanding ransom. If they couldn't sell it they'd trash it rather than risk getting caught.

    The site collects data from Rx dispensing sites across the state. All the data exists elsewhere, making the claim of no backups irrelevant. This site simply puts in one place what's spread out and not commonly available, so other dispensing sites can know whether someone's getting too much controlled prescription meds. Everything that was deleted can be re-obtained from the same places it was gotten all along.

    The incident is a HIPAA violation. The FBI investigates those as well as computer security issues, explaining their presence in light of the fact that no real damage was done. If it were an inside job, it wouldn't have been done because nothing of value was to be gained from that particular collection of data, and an insider would know that. From the inside there are far more valuable collections of data that could be had from that system, such as payment records for license fees of registered Virginia health professionals.

    The presence of the FBI and the "neither confirm nor deny" response of Va DHP, and those facts being realted by WP, makes it seem like there's a story here. Not hardly.

  • by Tolvor (579446) on Tuesday May 05, 2009 @12:57PM (#27833129)

    Time for the Hacker Intelligence test

    It's easy to break something. It's much harder to completely cover the evidence of who is responsible.

    Question 1 - Why did the hacker target the Virginia Health Department?? That wouldn't be a site that most hackers would even think about much less target for major intrusion. Did the hacker in question cover his tracks as to why he chose this obscure site? Might he have been familiar with it because it tracks potential perscription drug abuse, and he had been flagged for further investigation before? Does he have a history with this company?

    Question 2 - Did he cover his visits? Few people can find a potential site, explore the site for vulnerabilities, get access to the site, explore the internal structure of the site, devise an attack plan, code it, execute it, and get out in just one sitting. It usually requires several sessions, each time gaining more access and having better intelligence. The last visit can be covered up, but did he cover up the logs of the first few times when he didn't have complete control, and his tracks and actions may still be in an access log?

    Question 3 - What methodology did he use to gain access? Having access to the database (and backups) to the degree that an encryption command can be executed would be difficult. It requires the ability to execute several commands remotely on the server. Were these commands given thru web-page vulnerabilities? Did it require log-in credentials, and if so, whose? Did access require special in-house knowledge, and if so, who knew it?

    Question 4 - Where did he do this from, and what is his IP address? Hiding your IP address is next to impossible and there are multiple logs kept of access, including by the ISP. Did he do this from home? (If so, FAIL) Did he do this from a public wireless access point? If so did he cover his tracks there? (It's amazing where they put surveillance cameras nowdays) Anonymizer services will usually hand over the original IP addresss if requested by federal authorities, so that isn't going to work. Did the hacker consider that?

    Question 5 - Where is he checking that yahoo address from? See question 4.

    Question 6 - Is he using a different computer now? If I wanted to be really sneaky I'd ask yahoo to check not only the Yahoo cookie when someone logs into that account, but *also* get the Google one also, and 10 others. Send the cookies to the relavent companies for the data it contains. Is he using a fresh computer to erase tracks left there?

    Question 7 - Did he cover up his phrasing carefully from others he used pubicly? Phases like "Uhoh" "gladly" "not to pony up" "Fucking Bunch of Idiots" "bettin'" "drop me a line" "to have gone missing, too" (weird extra comma here and other places) seem to be rather unique. Some of it can be faked, but the phrasing we use says a lot about us.

    Question 8 - How is he planning on collecting the money? Most people think international banks (Caymen islands is common) is the answer. No. Most countries/locations (ex Caymen islands) have easy business registration/taxation rules, but are poor choices for trying to stash/launder money. It's not easy collecting large amounts of money. Does the hacker have a plan on how to collect that money?

    Question 9 - Is he going to revisit the scene of the crime? Is he checking the internet news sites to find stories about m^Hthis crime? Is he going to give himself away by visiting such a site (like Slashdot) and visiting, leaving his IP address. Who knows, maybe he'll even gladly, comment. ;)

    Comments can be left at hackingforprofit(the at sign)gmailcom. Drop me a line. ;)

  • No reason to pay (Score:3, Interesting)

    by Chris Pimlott (16212) on Tuesday May 05, 2009 @05:56PM (#27838449)

    The hacker is an idiot. There is no reason to trust that the data he returns is correct. This is vital information, if any of the data has been tampered it could very easily be fatal.

    Unless the Virginia authorities have some way of verifying that the data hasn't been changed (unlikely, since they don't have backups), there's no point in paying the ransom at all.

"You know, we've won awards for this crap." -- David Letterman

Working...