Virginia Health Database Held For Ransom
An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."
Sounds like an inside job. (Score:3, Interesting)
I would be more than willing to bet that the attacker works in some way for the State of Virginia. The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom... so now you are looking for English, Irish, Scottish or perhaps Indian guys working for the state of Virginia...
A voice tempts - gee, if we could do FISA wiretaps, perhaps a quick search of all the electronic correspondence of all the people who work(ed) for the state might turn up who it is...
Re:Non-story? (Score:3, Interesting)
Re:Michigan (Score:5, Interesting)
Actually it looks like the scenario was designed to show that management should be severely caned for using on-call support as a means of running an operation.
Forcing employees to adhere to an on-call schedule is a bullshit method of saving on labor expenses by shifting the cost to the employee who is then forced to tailor their personal life to support their employer.
For all you on-call sysadmins out there I have a bit of information for you. I've seen a semiconductor factory that runs 24/7 and the support departments always had a paid crew working 24/7 to support production. The on shift crew was always enough to maintain operations and respond to disasters, i.e. power outages and bumps that take equipment down. While this may sound like an expensive solution for 24/7 operations it is actually cheaper if properly implemented. One of the keys to success is spreading the support work load across the shifts. The benefit is also a faster response to issues rather than waiting on a pager response.
And one last concept I'd like to plant, that Blackberry they give you to carry on your hip every waking hour of every day including your days off is not a perk. You may feel all geeky and important with your company paid geek status symbol but in reality its simply a corporate slave leash.
Re:Sounds like an inside job. (Score:3, Interesting)
Re:Sounds like an inside job. (Score:3, Interesting)
If I can find a corpus of geographically labeled text documents, I'll run a few text mining algorithms on the letter and see what pops up (yes, your writing can now give away things that you never thought possible, at least probabilistically).
Apparently the author likely has an ESTJ personality in the Myers-Briggs system and is probably male.
Re:Sounds like an inside job. (Score:5, Interesting)
FBI will set up a covert action obviously. They will pretend to be someone with the highest bid who wants to buy it. They will pay, then follow the money trail, then revert the bank transfer, just like you do with your credit cards.
Or something similar to that.
Re:Ummm... (Score:2, Interesting)
Maybe he won't ask for the money.
Split it to 1,000 homeless shelters... and don't give the password until the money is spent.
Food pantries, job centers, etc... 10 mill would make a lot of people's lives just a bit better.
What better way of using tax payers' dollars than taking care of those folks?
All Your Database.... (Score:4, Interesting)
This is super cool, and if they are using Oracle, super easy. The Transparent Data Encryption "Feature" included with Oracle database can be initialized and enabled without any visible change to users or even administrators. Once it's up and running, you copy and delete the "wallet" used to start the database and turn on encrypted backups. You wait a little while, until their unencrypted backups are too old to be any good, then shutdown the database and tell them what you've done. It won't start, and the backups won't restore without the wallet you stole.
The beauty part is, you can't "disable" the TDE feature. The only way to do that is to turn it on, and not use it. That requires.... Wait for it....
A license.
Ha ha. If you configure it, to disable it, you have to pay for it. I love Oracle.
Heh, seeing more and more of these (Score:5, Interesting)
It's kind of completely obvious in retrospect but I remember being so proud coming up with an idea like this way back when I was first getting into computers and reading way too much cyberpunk. The scenario I imagined was someone hacking into a corporate network and planting a virus that gets wormed into all the backups. The ransom note goes something like this:
1. Hi. I compromised your systems.
2. You have no idea when I compromised them and I won't tell you. Rest assured it's been for more than months.
3. I planted a virus.
4. It's in all your backups now.
5. It's set to start deleting everything next week.
6. You could conceivably take everything offline and pay security geeks big bucks to scrub it down. My guess is it'd take you weeks and cost $x megabucks.
7. For $.1x megabucks, I'll give you the disarm code.
I thought it was a kewl idea but the part that I could never figure out was how to make contact with the company without giving everything away. The only thing I could come up with is the old standby from TV and movies, the "numbered Swiss bank account." Presumably your identity would be kept private, you would know when the deposit was made, end of story. But it always seemed like there would be some hole in the process that would leave a big red arrow pointing back to the hacker.
Of the historic hackers we've read about, the ones who have gotten caught, it's always some fuckup that gets them nailed, usually not being able to keep their yaps shut. This does make me wonder if we don't hear about the successful hacks because a) the good ones can keep their yaps shut and b) nobody wants to advertise getting pwn'd hard by some punk.
The other factor is a hack like this is so big and flashy, it's just bound to get law enforcement to throw more bucks at the case than it would normally warrant, just because it's so brazen, blatant, and just begging the feds to overreact.
Re:Non-story? (Score:3, Interesting)
Of course, this information is already tracked by private companies, and their information is just as vulnerable. Or didn't you read the original article [washingtonpost.com], which noted that Express Scripts has had the same problem?
Re:Non-story? (Score:5, Interesting)
I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.
Wouldn't surprise me in the least, but not because it's the government. The problem is that every organization of any size has under-the-radar skunkworks IT projects. There's always some guy in a field office who doesn't like central IT (often with good reason), doesn't like bureaucracy, has a slow link to the home office, etc. Sometimes he's an amateur computer buff as well.
Next thing you know, he's got a couple Gentoo boxes running under his desk with a MySQL + PHP app he's cooked up himself that his whole team is relying on. It works great (for them). Years go by and suddenly someone in central IT learns of it. They try to take it away and standardize it, but he goes to the business side and says "our customers will complain, they rely on it" and business tells IT to knock it off.
Usually about then, one of three things happen:
I've seen the above scenario in at least three large private firms. In this case, we're talking 10,000,000 records. That could live on someone's laptop or desktop. Central IT might not even know it exists. I could easily see some office saying "we just got a grant for $5 million to study trends in prescriptions to look for abuse patterns, can you send over a disc with a data extract?" Hell, that might have happened ten years ago and it's been sitting on some share ever since, long forgotten.
Re:Non-story? (Score:3, Interesting)
Uh, my healthcare is not tied to my job. It's my own private insurance. Anyway.....
An employer is still less-likely to hire someone with a high risk of heart attack. That's essentially what the movie GATTACA is about, where a person's health history is just as important as his resume. Got a father or grandfather who had heart attacks? No job for you! They want an Adonis - a 100%-healthy employee who won't be calling-in sick every other month, or otherwise clocking lost time. This would be true even for European or Japanese corporations.
Re:Non-story? (Score:3, Interesting)
You can't install cable yourself because you have to connect to the distribution box owned by the cable provider. But actually, when my dad used to do phone installs, he would run the final run to the phone dist box and punch down the wires, as I recall.
You can do pretty much everything except the final cutover when installing gas and electric (including pulling the wires from your home's main panel to the vault) and the same is true for gas--but the cutover requires shutting off the electricity/gas of other users and the danger of actual physical harm, something that's not present with computers.
Somehow I (and most non-techies I know) find arguments that try and create a parallel between death by third degree burns and getting malware on a PC quite a bit less than compelling.
Re:Heh, seeing more and more of these (Score:1, Interesting)
Of the historic hackers we've read about, the ones who have gotten caught, it's always some fuckup that gets them nailed, usually not being able to keep their yaps shut. This does make me wonder if we don't hear about the successful hacks because a) the good ones can keep their yaps shut and b) nobody wants to advertise getting pwn'd hard by some punk.
This reminds me of something similar I encountered a while back. There was this online game that was going out of service for the North America/International region. Naturally all the players were outraged, but nothing could be done. So, the natural course of action was to get an account for, say, the Korean region. Oh, turns out they thought of that already. To register a Korean account, you needed a valid Korean SSN. Stuck? Nope. A few days later, someone posts a HUGE list of Korean names and SSNs. Pages and pages. We all just picked a cool looking SSN and registered. If you played this game you probably know exactly what I'm talking about.
I like to think of this as the exact opposite end of the spectrum when hacking personal information. Absolutely no harm... we could care less about abusing the SSNs (not that we could think of any way to), we just wanted to play. The forum was private so only registered members could see it; very unlikely someone looking for SSNs to use maliciously would come across this forum. I don't know where they got the SSNs from, but it's likely they don't even know they were taken.
Fun times.
No reason to pay (Score:3, Interesting)
The hacker is an idiot. There is no reason to trust that the data he returns is correct. This is vital information; if any of the data has been tampered with it could very easily be fatal.
Unless the Virginia authorities have some way of verifying that the data hasn't been changed (unlikely, since they don't have backups), there's no point in paying the ransom at all.
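The comment above turns on one point: without an integrity reference held outside the compromised system, returned or restored data cannot be trusted. As an added example (not from this thread or any Virginia system), here is the kind of keyed manifest a defender would compute at backup time and keep off-system, so that a later restore can be checked record by record; the records and key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample records (fake data, not real prescription records).
RECORDS = [
    {"id": 1, "patient": "P-0001", "drug": "drugA", "dose_mg": 10},
    {"id": 2, "patient": "P-0002", "drug": "drugB", "dose_mg": 25},
    {"id": 3, "patient": "P-0003", "drug": "drugC", "dose_mg": 5},
]

# Demo key. In practice this key lives off-system (HSM, offline store),
# so an intruder who owns the database servers cannot re-sign a manifest.
KEY = b"constructed-demo-key-do-not-reuse"


def record_digest(record):
    """SHA-256 over a canonical JSON encoding so key order cannot matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_manifest(records, key):
    """Per-record digests plus an HMAC tag binding the whole manifest."""
    digests = {str(r["id"]): record_digest(r) for r in records}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_restore(records, manifest, key):
    """Return (manifest_authentic, sorted ids that are altered or missing).

    If the manifest tag fails, nothing in it can be relied on, so the
    per-record comparison is skipped rather than reported as 'clean'.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, []
    bad, seen = [], set()
    for r in records:
        rid = str(r["id"])
        seen.add(rid)
        if manifest["digests"].get(rid) != record_digest(r):
            bad.append(rid)  # altered or not present in the manifest
    missing = [rid for rid in manifest["digests"] if rid not in seen]
    return True, sorted(bad + missing)
```

A real deployment would also version the manifest and store it with the off-site backups, since a manifest that only exists on the compromised host proves nothing.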