Virginia Health Database Held For Ransom

timothy posted more than 5 years ago | from the single-point-of-failure dept.

Security 325

An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

325 comments

Goddamn commie bastards !! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27829265)

Why 10 million anyway? It's a whole fucking state, more than their commie land has ever had.

Re:Goddamn commie bastards !! (1, Informative)

Anonymous Coward | more than 5 years ago | (#27829565)

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0
  MicrosoftOfficeWebServer: 5.0_Pub
  PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2002.01.30T11:07-0400" exp "2035.12.31T12:00-0400" r (v 0 s 0 n 0 l 0))
  Connection: keep-alive
  Content-Location: http://www.dhp.virginia.gov/Default.htm
  Date: Tue, 05 May 2009 13:22:56 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Last-Modified: Fri, 01 May 2009 20:54:08 GMT
  ETag: "0d886f89ecac91:af5"
  Content-Length: 18149

First (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27829273)

Troll Troll Troll

Re:First (-1, Offtopic)

Foldarn (1152051) | more than 5 years ago | (#27829333)

Fail Fail Fail

Non-story? (5, Insightful)

Jane_Dozey (759010) | more than 5 years ago | (#27829277)

I'm assuming that not even a governmental department can be stupid enough not to have copies of the backups in a fire safe, off-site location.

Re:Non-story? (5, Funny)

Anonymous Coward | more than 5 years ago | (#27829373)

The Internet. A miracle of the 21st Century, providing high quality information and education to all, breaking down social barriers and creating a new info-democracy the likes of which our fathers could only dream about. Few would disagree that the Internet is a wonder of the modern world, and one of America's greatest contributions to science.

However, as with all emergent technologies sooner or later, abuse by the uneducated masses causes the need for regulation to arise. As more people adopt a technology, the more likely that technology will be used by irresponsible individuals who try to spoil things for the rest of us.

This is why the time has come to introduce licensing for Internet users.

        * Hunting
        * Fishing
        * Watching TV
        * Driving an automobile
        * Using a PC
        * Carrying a firearm
        * Building a house
        * Selling an alcoholic beverage
        * Staging a rock concert
        * Trading in securities
        * Developing software

What do the activities listed above have in common?

The answer is that all are potentially dangerous activities for which one must obtain a license if one wishes to remain on the right side of the law.

It is surprising to me that one potentially dangerous activity is conspicuously missing from the above list. We all accept without question the need for regulation where dangerous technologies are concerned (as the list clearly demonstrates). So why should the Internet be exempt? What is so special about 0s and 1s travelling along a wire that makes us give it 'special treatment'? Why should this important resource not enjoy the protection from abuse that regulation would undoubtedly provide?

In the old days of the Internet, its usage was confined to academia, and the military. Back in those days, one could be fairly sure that Internet users were responsible citizens, who would not abuse their 'net access, after all our educators and defenders are people we knew we could trust.

These days, with the explosive growth in Internet usage, it is impossible to control who goes online. Indeed, many Internet Service Providers (ISPs) market themselves on how 'easy to use' their service is. You are just as likely to find senior citizens, children, teenagers and housewives online these days, as you are to find a world class physicist or a military intelligence officer.

As you would expect, with such a large number of uneducated people given unrestricted access to such a powerful tool, the results have not always been pleasant, and abuse has run rampant. You can find bomb making instructions, Islamic fundamentalist propaganda, pornography, hate sites, left wing and right wing extremism, pornography, fascism in all its different and elaborate disguises, Radical androphobic feminism, autism, pornography, questionable politics, pornography, blasphemy against Jesus, and yet more pornography.

This is the mere tip of the iceberg, since the Internet is estimated to have as much as 100 Gigabytes of this kind of offensive material, and it is growing larger by the week, as more and more uneducated people rush to 'get online' so that they may 'surf the web' with their equally poorly-educated beer-swilling redneck buddies.

As with all technologies, the Internet has matured to the point where regulation is not just desirable, it has become inevitable. You don't need to be Kreskin to predict that unless the Internet is regulated, and regulated quite heavily, it will soon collapse under the sheer weight of pointless traffic: Britney Spears fan sites, uninteresting personal home pages and the extra load placed on the 'net infrastructure by illegal protocols such as Aimster, Napster, Bearshare, Gnutella and the like.

As with automobiles, firearms, and TV ownership, the only way to ensure the Internet is used responsibly is to introduce a system of licencing and mandatory education for its users. Such a system would ensure that only those with a complete understanding of the Internet and a responsible approach to online activities would be entrusted with access to the 'net. After all, Internet access should be a privilege, not a right.

There may be some opposition to begin with, but I predict that as with other forms of licensing, most people will be happy to give up a small amount of their freedom in order to take advantage of the many benefits promised by more control of the 'net.

I would envisage centers being set up all over the country, where 'newbies' could go and practice surfing in a safe environment, and receive instruction on a curriculum to include basic 'nettiquette' and 'safe surfing' in a non-threatening environment.

After practicing and receiving instruction, a net user would then take their 'Internet test' which would qualify them to surf the net without supervision. Subsequent higher level tests would enable the would-be surfer to improve his or her skills to the point where access to more advanced net-surfing technology would be permitted.

It may be that these centers will need a safe practice Internet of their own, disconnected from the dangers of the real Internet (although this may not be required if tools such as net nanny, surfsafe, cyber guard zone alarm and web-washer offer sufficient protection). Obviously the details of this need to be thrashed out by our elected representatives and legislators.

Since different people have different capacities for learning I propose that we have different categories of Internet license based on several factors:

        * Class C Internet License

            Allows the user to surf the Internet over a dial-up connection, at speeds of up to 56kbps, using an industry standard OS, such as Windows ME or Windows XP. Net Nanny, or Cyber Patrol must be activated at all times during the session. IE6 is the only browser that may be used by holders of this license.

        * Class B Internet License

            Allows the user all the privileges of the Class C license, plus the license holder is now entitled to surf the Internet over a DSL or Cable Modem connection (either directly connected or in conjunction with an 802.11b wireless network), and may if he or she chooses, use 'alternative' Operating systems such as BeOS, or MacOS X. Cyber Patrol and Net Nanny may be used at the discretion of the individual surfer. The user may utilize IE6 or at his or her discretion other commercial grade browsers such as Opera or Netscape.

        * Class A Internet License

            Allows the user all the privileges of the Class B license, plus the license holder is now entitled to surf the Internet over a T1 or OC3 connection or faster, and may utilize any Operating system they choose (including net-unfriendly OS's such as BSD Unix and Linux), and may use the browser of his/her choice, including lynx and Mozilla.

Of course there will need to be age restrictions as well. Nobody under the age of 14 or over the age of 75 will qualify for an Internet license. The very young need to develop their personalities, and exposure to the solitary net-surfing experience could severely stunt their mental and social development leading to autism or extremely violent behavior (or at the very least, social ineptitude), whilst the very old would be at risk of heart seizures and other complications caused by some of the more extreme content that is to be found on the Internet.

Enforcement of the Internet license may also prove to be problematic. However it needn't be so. A minor reworking of the TCP/IP protocol stack to include a license verification phase as part of the three way handshake, combined with strong encryption and digital signatures, and biometric scanning devices attached to every PC should make it trivial to ensure that the net is free from unlicensed surfers. Combine this with the threat of having your Internet license revoked for misbehaviour and you have a very powerful mechanism to control misuse of the 'net.

In the same way that possession of a motor vehicle driver's license does not protect the driver from the occasional fender-bender, likewise the Internet license will not prevent the occasional abuse of the Internet from taking place. In order to provide a means of redress for those affected by a licensed surfer's poor nettiquette, there will need to be a mandatory insurance law. All licensed Internet users will need to take out insurance to cover their liabilities for any abuses they perpetrate online (whether accidental or intentional).

The regulation of the Internet promises to improve the Internet for everyone. By eliminating the irresponsible individuals who spoil the web for the rest of us, we will be able to enjoy an enhanced web surfing experience free from h4x0rs, skR1p7 K1dd135, spammers, misinformation, porn, extreme political lunatics, lame-assed websites and just about every other problem that plagues the Internet today. Your Internet license could become just as important to a future employer as a driver's license or a high school diploma is today! Of course, the Privacy Nazis and Freedom Fascists will trot out that familiar tired old chestnut:- that people who sacrifice their freedoms do not deserve them in the first place, but most of those kind of people are not parents and are unconcerned about protecting our children from the very real dangers of the unregulated Internet.

I hope I have given you surfers some food for thought. If you think I am being a control freak, just try to imagine the state our highways would be in today if anyone regardless of age or ability were entitled to drive an automobile, anyone regardless of age or ability were entitled to carry a gun and anyone regardless of age or ability were entitled to sell liquor to whomsoever they chose.

It's a sobering thought I think you will agree.

Re:Non-story? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27829475)

no +1 troll ?

Re:Non-story? (1)

Hijacked Public (999535) | more than 5 years ago | (#27829665)

More like +1 Adequate

Re:Non-story? (1)

Jaysyn (203771) | more than 5 years ago | (#27829803)

Obvious Troll is obvious.

Re:Non-story? (1, Offtopic)

Pederson (1431413) | more than 5 years ago | (#27830399)

No. Just, no. Seriously, are you that much of a conforming zero that you strive for others to control even MORE aspects of your life? People have licenses for things such as driving because any idiot can jump into a car, and run over ten people. However, not any idiot can jump on a computer and deface a government hosted site/database. Also, I'm fairly certain you don't need a license to use a PC, watch/own TV, or develop software. Sad, so sad. Some people here have the right idea. Yeah, this guy is an idiot and he's doing wrong. However, ultimately good will come of this. Hopefully companies (and more importantly public services/data) will understand the need for security and seriously look at the field (which creates jobs for guys like me.. when I get out of school).

Re:Non-story? (1)

sadness203 (1539377) | more than 5 years ago | (#27829389)

Yeah... see, actually, government has the good habit of not having backups when they need to answer accountability questions, fraud, etc.

Some people might say they erase it by "accident".

I think they are just careless with the data, or clueless, actually. So I would not be surprised.

Why isn't this encrypted? (1)

spineboy (22918) | more than 5 years ago | (#27829569)

With the data being decoded by another computer. This would prevent crap like this from occurring again.

Re:Non-story? (4, Insightful)

cayenne8 (626475) | more than 5 years ago | (#27830277)

Even if that weren't the case.

Sure should put a damper on people wanting a national central medical record database.

Well, it would for reasonable people, but, that has nothing to do with politicians and agendas.

Re:Non-story? (1)

taliesinangelus (655700) | more than 5 years ago | (#27829545)

Clearly you have not dealt with Virginia government departmental politics and their recent IT snafu. Hiring a defense contractor to do all your IT... I guess somebody thought it was a good idea.

Re:Non-story? (3, Interesting)

medarby (757929) | more than 5 years ago | (#27829633)

Maybe or maybe not, but my guess is that they do. However, even if they did pay the ransom, the hacker will still release it into the wild to the highest bidder. VA's only choice is not to pay the ransom and to notify all of their customers that their personal information is compromised.

Re:Non-story? (0, Redundant)

Yvanhoe (564877) | more than 5 years ago | (#27829647)

Ha ha ha ha ha !
Wait ? You are serious ?

Re:Non-story? (4, Funny)

tomhudson (43916) | more than 5 years ago | (#27829741)

Did you read the note? It's offering to sell the personal data

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will ;)

Sorry, Virginia, there's no Santa Claus.

Maybe it's someone doing it for the lulz. After all, a REAL ransom note would have used either the evil MS-Comic font, font of ill will [slashdot.org] , or a genuine Ransom font [1001fonts.com] .

Re:Non-story? (0)

Anonymous Coward | more than 5 years ago | (#27829915)

Mod parent up, +1 Funny!

Re:Non-story? (0)

Anonymous Coward | more than 5 years ago | (#27830167)

Yeah but the real problem is all the people's identities that are now on the open market.

I wonder if Virginia will even notify everyone that is in the data.

You've never worked for the government (3, Informative)

wiredog (43288) | more than 5 years ago | (#27830261)

have you?

I've been working for contractors for 10 years now, and am still surprised by the level of incompetence that some government IT folks demonstrate.

Some are good. NOAA OMAO really has its stuff together. DoJ? Not so much..

Even an off-site backup is vulnerable (1)

davidwr (791652) | more than 5 years ago | (#27830477)

Off-site backups are vulnerable to:
1) corrupt employees or contractors
2) physical disasters at the off-site location
3) tampering with the back-up and back-up-verification procedure which causes backups to be corrupted for several months or years, then erasing the live data. This tampering may be electronic or social i.e. bribing or blackmailing key employees.

You mitigate likely disasters, you accept that there are some things that aren't cost-effective to mitigate for.

email address as contact (2, Funny)

Anonymous Coward | more than 5 years ago | (#27829287)

Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?

Re:email address as contact (5, Funny)

eldavojohn (898314) | more than 5 years ago | (#27829387)

Why would the "cyber-terrorist" post an email address as the ransom contact? Isn't he/she just going to get spammed now?

I don't know, why don't you send hackingforprofit@yahoo.com an e-mail and ask them?

Oops, did I just post hackingforprofit@yahoo.com without obfuscating it? Here, let me fix that:

hackingforprofit(at)yahoo(dot)com

My apologies to hackingforprofit@yahoo.com [mailto] if this results in an increase of SPAM.

Re:email address as contact (3, Funny)

Anonymous Coward | more than 5 years ago | (#27829823)

Damn you! My mailbox is FULL with SPAM!!

Ironically (1)

geoffrobinson (109879) | more than 5 years ago | (#27830157)

He'll probably get a bunch of spam for Cialis.

Excuse me, C1@lis. Need to get this post through the spam filters.

Sounds like an inside job. (2, Interesting)

tjstork (137384) | more than 5 years ago | (#27829295)

I would be more than willing to bet that the attacker works in some way for the State of Virginia. The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom... so now you are looking for English, Irish, Scottish or perhaps Indian guys working for the state of Virginia...

A voice tempts - gee, if we could do FISA wiretaps, perhaps a quick search of all the electronic correspondence of all the people who work(ed) for the state might turn up who it is...

Re:Sounds like an inside job. (4, Informative)

eldavojohn (898314) | more than 5 years ago | (#27829345)

The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom...

Yes, but the phrase "Now I hear tell" indicates Virginia! What a conundrum! This case will never be cracked! The full note text for those too lazy to click through wikileaks:

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will ;)

Re:Sounds like an inside job. (4, Funny)

hey! (33014) | more than 5 years ago | (#27829439)

Ah, Watson, but notice this curious "Fucking Bunch of Idiots". A Frenchman or Russian could not have written that. It is the German who is so uncourteous to his nouns.

Re:Sounds like an inside job. (2, Informative)

Anonymous Coward | more than 5 years ago | (#27829505)

No doubt a reference to the FBI.

Re:Sounds like an inside job. (0)

Anonymous Coward | more than 5 years ago | (#27829773)

Ingenious!

Re:Sounds like an inside job. (-1, Troll)

value_added (719364) | more than 5 years ago | (#27829535)

Ah, Watson, but notice this curious "Fucking Bunch of Idiots". A Frenchman or Russian could not have written that. It is the German who is so uncourteous to his nouns.

Hmm. Here we have a serious security breach but the details are so sketchy we're resorting to ethnic humour and the finer points of grammar to fill in the time. Allow me to offer up my guesses as to what Really Happened(TM):

The server was recently migrated to Windows Vista from RedHat, the hackers were Chinese nationals who coordinated their actions using Hotmail accounts, and needed funding for the Virginia health department IT department was cut by Republicans in the stimulus bill.

Discuss.

Re:Sounds like an inside job. (2, Insightful)

Culture20 (968837) | more than 5 years ago | (#27829975)

Hmm. Here we have a serious security breach but the details are so sketchy we're resorting to ethnic humour and the finer points of grammar to fill in the time. Allow me to offer up my guesses as to what Really Happened(TM): The server was recently migrated to Windows Vista from RedHat, the hackers were Chinese nationals who coordinated their actions using Hotmail accounts, and needed funding for the Virginia health department IT department was cut by Republicans in the stimulus bill. Discuss.

But Republicans weren't cutting spending recently, only taxes.

Re:Sounds like an inside job. (1)

Kokuyo (549451) | more than 5 years ago | (#27829799)

Or it might have been a jab at the FBI that you have thoroughly missed... Or I just missed YOUR joke ;).

Re:Sounds like an inside job. (1)

Darth_brooks (180756) | more than 5 years ago | (#27829907)

Yeah, quite the master hacker they seem to have on their hands.

Anyone wanna lay odds as to how long it takes for him to get caught? Ten bucks says the state responds to that e-mail with a 1x1 transparent gif in the message, and nails this uber-genius at a Starbucks.

Re:Sounds like an inside job. (0)

Anonymous Coward | more than 5 years ago | (#27830363)

Ten bucks says the state responds to that e-mail with a 1x1 transparent gif in the message, and nails this uber-genius at a Starbucks.

I'll take that bet. Even my grandma knows to set her email client to plain-text only. Also, Y!Mail is accessible (albeit clumsily) via Lynx - GIF/Boobytrap avoided.

Re:Sounds like an inside job. (0)

Anonymous Coward | more than 5 years ago | (#27829963)

So when they ask for his bank details... they can trace him down in some way. I doubt someone who goes for one state's database is likely to have half a brain rather than taking several... doubt he has it all planned..

The real problem is this: (1)

EvilBudMan (588716) | more than 5 years ago | (#27830045)

Each state has its own database farmed out to a 3rd party without oversight. The lowest bidder no doubt with Virginia.

BTW Virginia is also a commonwealth state. The UK is a commonwealth nation. Coincidence, No I don't think so. So that means you guys in the UK are responsible.

Re:Sounds like an inside job. (2, Insightful)

jotok (728554) | more than 5 years ago | (#27830069)

Trivial for FBI to get a warrant for the guy's login details from Yahoo.

Of course, if he's using TOR, then they're hosed.

Re:Sounds like an inside job. (2, Interesting)

T Murphy (1054674) | more than 5 years ago | (#27830105)

...why did he tell them he will put the info on the black market? Virginia paying him off doesn't deprive him of the data, so he can sell the info anyways- alerting people to the risk will devalue the information, and in the event he gets caught they have another charge to follow up on. Sure, the average person might react to the threat, but he knows the FBI will be called up, and they have plenty of experience with threats like this I would assume.

Re:Sounds like an inside job. (4, Interesting)

Janek Kozicki (722688) | more than 5 years ago | (#27830407)

FBI will set up a covert action obviously. They will pretend to be someone with the highest bid who wants to buy it. They will pay, then follow the money trail, then revert the bank transfer, just like you do with your credit cards.

Or something similar to that.

Re:Sounds like an inside job. (2, Funny)

Shakrai (717556) | more than 5 years ago | (#27829537)

perhaps Indian guys working for the state of Virginia...

Well, at least that means that Macaca has discovered the real world of Virginia ;)

Re:Sounds like an inside job. (1)

Xest (935314) | more than 5 years ago | (#27829603)

The language of the whole threat makes it sound like he's about 8 years old, so using that logic we should also be looking for an 8 year old.

I'm not sure how two words, "gone missing" indicate being from the UK. I'm pretty sure many people speaking English worldwide who aren't British have used those two words in that way before.

Re:Sounds like an inside job. (3, Funny)

corsec67 (627446) | more than 5 years ago | (#27829697)

The language of the whole threat makes it sound like he's about 8 years old, so using that logic we should also be looking for an 8 year old.

Or someone from Virginia?

Re:Sounds like an inside job. (0)

Anonymous Coward | more than 5 years ago | (#27829609)

It is. I am guessing this is going to be somebody who is a rogue NSA agent(s). They are going to know the FULL capabilities of our ability to spy. Even the email is a joke. I am betting that they are SENDING emails there for the FBI to read. As to picking Virginia, SMART move. Most of congress lives there. Senators, etc. And most are old and fat (i.e. need drugs and are idiots).

Re:Sounds like an inside job. (1)

Ginger Unicorn (952287) | more than 5 years ago | (#27829881)

Starting a sentence with "hell" and dropping the g off of betting and describing the data as "this baby" makes it sound like "good ol' boy" style American to me. I'm English and it's affectatious to use those colloquialisms over here.

Re:Sounds like an inside job. (2, Interesting)

Metasquares (555685) | more than 5 years ago | (#27830349)

If I can find a corpus of geographically labeled text documents, I'll run a few text mining algorithms on the letter and see what pops up (yes, your writing can now give away things that you never thought possible, at least probabilistically).

Apparently the author likely has an ESTJ personality in the Myers-Briggs system and is probably male.

Deleted all the backups??? (2, Insightful)

Nutria (679911) | more than 5 years ago | (#27829297)

Don't these jackasses know what Iron Mountain is, and what tape drives are for???????

Re:Deleted all the backups??? (0)

Anonymous Coward | more than 5 years ago | (#27829417)

Don't these jackasses know what Iron Mountain is, and what tape drives are for???????

They do know...now.

Re:Deleted all the backups??? (2, Informative)

Lumpy (12016) | more than 5 years ago | (#27829797)

Nope.

And here's something that will scare you.

MOST companies don't know what Iron Mountain is and what tape drives are for. The bulk of companies and corporations have incredible jokes they call their backup system/policy.

They spend more on the CEO's toilet than they do on data security and integrity.

Re:Deleted all the backups??? (1)

EmagGeek (574360) | more than 5 years ago | (#27830027)

Our company uses Iron Mountain. Every morning at 5am when I come to work, there's a locked box of tapes in the custody of a minimum wage building security officer waiting for the pickup.

Now THERE's security...

Re:Deleted all the backups??? (2, Insightful)

IsThisNickTaken (555227) | more than 5 years ago | (#27830467)

Since all the backup data is encrypted, then what's the problem?

Backup? (4, Funny)

wondercool (460316) | more than 5 years ago | (#27829301)

Luckily Of course a backup was made every hour. .. Oh what? Did not run backup for 3 weeks? Went fishing?

Re:Backup? (1)

SystematicPsycho (456042) | more than 5 years ago | (#27829329)

It's funny because it's true.

inside job? (1, Redundant)

rhendershot (46429) | more than 5 years ago | (#27829303)

This sounds like an insider attack as there are just too many coincidences. Backups gone missing, many sites hacked, demand for millions of dollars (pay to whom?!), etc. No wonder every information request is referred to the FBI.

Anonymous Coward (0)

Anonymous Coward | more than 5 years ago | (#27829319)

Ah, what about the off-site secure backups?
What? Some PHB didn't want to spend the money, I thought it was a waste.

Shouldn't be hard to re-create (5, Funny)

Skraut (545247) | more than 5 years ago | (#27829325)

...since Virginia is for Lovers. The hardest part will be determining whether their prescription was for C1A1iS or V1AGR4

Re:Shouldn't be hard to re-create (0, Offtopic)

forand (530402) | more than 5 years ago | (#27830039)

How is this insightful? Funny maybe but not insightful.

Re:Shouldn't be hard to re-create (0)

Anonymous Coward | more than 5 years ago | (#27830141)

whether their prescription was for C1A1iS or V1AGR4

Partly cloudy with a chance of boners?

Proper backup procedures (3, Insightful)

Ender_Stonebender (60900) | more than 5 years ago | (#27829339)

Hopefully the state of Virginia follows proper backup procedures, and has copies of the data that are off-site and off-line. It may take a day or so for someone to go fetch the tapes, but the data shouldn't be lost. So the people trying to ransom this data should be screwed.

Re:Proper backup procedures (1)

Shrike82 (1471633) | more than 5 years ago | (#27829527)

It's not totally impossible that whoever is responsible managed to disrupt the back-up procedure. They sound fairly confident that the backups won't work. Perhaps they managed to intercept the transmission of the backup data, or destroy or steal the physical media that the backups are stored on.

I've seen quite a few companies that store their backups on tapes which are just put on a shelf - and while you'd hope that a governmental body would be more responsible, we've all seen the monumental blunders such as leaving laptops, memory keys etc. in public places.

Re:Proper backup procedures (1)

FTWinston (1332785) | more than 5 years ago | (#27829791)

They sound fairly confident that the backups won't work.

Of course he's confident, didn't you see the size of his e-peen?

Re:Proper backup procedures (1)

vlm (69642) | more than 5 years ago | (#27830285)

It's not totally impossible that whoever is responsible managed to disrupt the back-up procedure. They sound fairly confident that the backups won't work. Perhaps they managed to intercept the transmission of the backup data, or destroy or steal the physical media that the backups are stored on.

I've had to set up backup systems like this. I have a better imagination, so I found several more problems I was able to avoid in my actual deployed systems.

No need for such complicated mission impossible stuff. Merely gain access to the backup server. You know, the server that everyone in IT needs access to, so they made the password "Password1". Everyone having access is a bad idea.

Then using the handy web console that requires no training or skill, instead of backing up /dev/sda1, backup /dev/random or even better, some large temp file. dd if=/dev/random of=/temp/blah bs=1k count=1M and then backup /temp/blah instead of /dev/sda1. Or, if the backup system insists on backing up ext2 filesystem, do similar with mke2fs. Or if the backup system insists on backing up "a" sql database, change it from backing up "sekret_perscription_db" to backing up "test". Or execute some simple SQL commands to create a db with the same name with "_test" or perhaps "_version2" suffixed, then stop backing up the real one and start backing up the fake one. Simple web consoles are a bad idea. Putting a fisher-price interface on a nuclear reactor doesn't magically make it suitable for toddlers to play with.

My backup routine encrypts everything with mcrypt. Using the handy dandy web interface, simply change the password that's passed to mcrypt. For extra bonus fun make it look similar, like "ell" for "one" and "Oh" for "Zero".

Or, even more fun, if you have a centralized backup server tape farm, simply delete the entire database backup routine. I'm sure the simple web console has a simple interface to remove stuff just as easily as adding it. It's certain that someone was assigned the job of setting up a centralized backup system. It's possible, although there are numerous exceptions, that someone was assigned the job of maintaining the system on a day to day basis when it breaks. It's very unlikely anyone was assigned the job of verifying restores work, verifying actual data is being written, etc. No one is going to notice that the centralized backup server takes 1 minute less or the tape is 1% less full...

You can also have fun like configure the server to write 160 GB of data to each... 20 GB tape.

Re:Proper backup procedures (1)

Swizec (978239) | more than 5 years ago | (#27829683)

Actually it doesn't really matter whether the backups exist or not, someone WILL pay large amounts of money for all that personal information. Whom, I don't know, but there's bound to be someone out there.

Hell, it could just be bought by someone to cause a political scandal over "data loss", then create a large "data protection for governments" corporation and use this incident to gain clients.

Re:Proper backup procedures (1)

Osric250 (1388823) | more than 5 years ago | (#27830343)

The hospital having the data itself offsite won't screw over the hackers. Because they can just sell all of the information on the black market. Who wants to get prescriptions of anything you want? Since I'm pretty sure out of 38 million prescriptions you should be able to find whatever you want. Add on top of that another 8 million of personal data and they'll get a nice chunk of change out of it anyway.

Michigan (5, Informative)

Darth_brooks (180756) | more than 5 years ago | (#27829399)

The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virginia.

It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")

All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

Re:Michigan (1)

SystematicPsycho (456042) | more than 5 years ago | (#27829487)

Isn't that a public relations disaster? "It was just a drill"... it's bound to make some people mad even if they know it's a drill later.

Re:Michigan (5, Interesting)

burnin1965 (535071) | more than 5 years ago | (#27829739)

key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail

if someone's on call and doesn't answer their phone, you beat them with a bamboo cane at the next opportunity

Actually it looks like the scenario was designed to show that management should be severely caned for using on-call support as a means of running an operation.

Forcing employees to adhere to an on-call schedule is a bullshit method of saving on labor expenses by shifting the cost to the employee who is then forced to tailor their personal life to support their employer.

For all you on-call sysadmins out there I have a bit of information for you. I've seen a semiconductor factory that runs 24/7 and the support departments always had a paid crew working 24/7 to support production. The on shift crew was always enough to maintain operations and respond to disasters, i.e. power outages and bumps that take equipment down. While this may sound like an expensive solution for 24/7 operations it is actually cheaper if properly implemented. One of the keys to success is spreading the support work load across the shifts. The benefit is also a faster response to issues rather than waiting on a pager response.

And one last concept I'd like to plant, that Blackberry they give you to carry on your hip every waking hour of every day including your days off is not a perk. You may feel all geeky and important with your company paid geek status symbol but in reality it's simply a corporate slave leash.

Re:Michigan (4, Funny)

Xest (935314) | more than 5 years ago | (#27829749)

See in the UK we have a better approach with protecting the public from the effects of cyber attacks.

We just allow our public sector to be so fucking useless no one misses them when their systems go offline anyway.

Re:Michigan (1)

Lumpy (12016) | more than 5 years ago | (#27829877)

If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

they post an ad on monster.com with unrealistic qualification requirements and at 30% less pay than he was getting.

Honestly, MOST companies, even after SOX still have incredibly little planning in backup or data security.

Was attack over the network or stolen backups? (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27829443)

10 million records... did he really "download" that over the internet and not get noticed? I guess he did deface their webpage. He's already giving him/herself away. But could it also be that he/she got the backup tapes and stole the data that way? Or did some moron lose their USB key with an export of the data on it? Or, did he/she just deface the web page and spin a story about stealing data?

Re:Was attack over the network or stolen backups? (3, Informative)

LUH 3418 (1429407) | more than 5 years ago | (#27829641)

Even if it was 10GBs worth of data, once an attacker can sneak into the system, it's possible to download it all without getting noticed... If the server has a fat pipe, it's likely nobody will notice a minor amount of additional overhead. However, there remains the question of how the attacker could know that there are no additional backups.

There have been ransom cases like this before, dating as far back as the 80s I believe (perhaps even the 70s), where it was an inside job, and the attackers stole all the physical backup media. It's possible the attackers worked there, and thought they could get enough money this way to "disappear". This seems stupid to me, however. There just doesn't seem to be a way for them to get those 10 million without being traced.

Re:Was attack over the network or stolen backups? (5, Insightful)

ledow (319597) | more than 5 years ago | (#27829649)

Or none of the above. What about he gained remote access to the backup servers, encrypted their backups with a password of his choosing and deleted their other (presumably, rewritable / otherwise on-line) backups?

That way, he personally had access to them (without having to download them) and has removed everyone else's access. Even if he has just "lost" the latest backups for them, that's an incredibly serious breach that he could even get that close and relevant to a lot of people. He *could* have downloaded whatever he wanted and could have wreaked enormous havoc by *corrupting* the backups beyond recognition and not even get noticed. How many other large organisations use their host's backup facilities (which are normally run as "on-line" backups with occasional "off-line"/"off-site" backups) instead of their own? I know of several, but they don't host anything anywhere near as critical as this.

Either way, it's piss-poor server/network management and someone should be fingered for it. I'm guessing it's more likely an "IT Consultant" and/or someone who didn't listen to their systems administrator at the last round of budget estimates than the actual implementors of the system.
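Both vlm's comment above (#27830285, swapping /dev/random or a decoy "test" database into the backup job, changing the mcrypt password, shrinking what gets written) and ledow's comment (#27829649, an intruder re-encrypting the backups and deleting the on-line copies) come down to the same gap: nobody runs a restore and checks that what came back is the data that was supposed to go in. The script below is an added example written for this page, not code from either commenter and not anything Virginia ran. It assumes a tar-based backup job and a manifest of SHA-256 digests taken from the live data at backup time and kept somewhere the backup server cannot write; the member names and sample rows are made up.

```python
"""Restore-time backup audit (added example, not from any comment on this page).

Catches the sabotage the thread describes: a member replaced by random or
re-encrypted bytes, the wrong database backed up, or the payload quietly
shrinking from one run to the next. Names and sample data are constructed.
"""
import hashlib
import io
import math
import tarfile

PLAINTEXT_SUFFIXES = (".sql", ".csv", ".txt")  # members that should be readable text
HIGH_ENTROPY = 7.0  # bits/byte; text dumps sit well below this, random/ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution in data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def make_archive(members: dict) -> bytes:
    """Build an uncompressed tar in memory; stands in for a real backup job's output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest_for(members: dict) -> dict:
    """name -> sha256 hex digest, recorded from the live data when the backup is taken."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members.items()}


def random_looking_bytes(n: int) -> bytes:
    """Deterministic stand-in for a file filled from /dev/random (constructed sample)."""
    out = b"".join(hashlib.sha256(bytes([i % 256])).digest() for i in range(n // 32 + 1))
    return out[:n]


def audit_backup(archive: bytes, manifest: dict, previous_bytes: int) -> list:
    """Restore the archive in memory and compare it with what it was supposed to hold.

    previous_bytes is the total payload size of the last good run. Returns a list
    of findings; an empty list means the backup passes.
    """
    findings = []
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                restored[m.name] = tar.extractfile(m).read()

    # 1. Every expected member is present and byte-for-byte what was recorded.
    for name, digest in manifest.items():
        if name not in restored:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            findings.append(f"digest mismatch: {name}")

    # 2. Nothing unexpected was backed up instead, and text members still look like text
    #    (catches /dev/random or a changed encryption password even without a manifest).
    for name, data in restored.items():
        if name not in manifest:
            findings.append(f"unexpected member: {name}")
        if name.endswith(PLAINTEXT_SUFFIXES) and shannon_entropy(data) > HIGH_ENTROPY:
            findings.append(f"looks like random or encrypted bytes: {name}")

    # 3. The payload did not shrink sharply versus the last run.
    total = sum(len(d) for d in restored.values())
    if previous_bytes and total < 0.9 * previous_bytes:
        findings.append(f"payload shrank: {total} bytes vs {previous_bytes} last run")
    return findings


if __name__ == "__main__":
    live = {"prescription_db.sql": b"INSERT INTO rx VALUES (1,'...');\n" * 200}  # constructed
    prev = sum(len(v) for v in live.values())
    print("good run:", audit_backup(make_archive(live), manifest_for(live), prev))
    junk = make_archive({"prescription_db.sql": random_looking_bytes(6400)})
    print("random swapped in:", audit_backup(junk, manifest_for(live), prev))
    decoy = make_archive({"test.sql": b"nothing here\n"})
    print("decoy database:", audit_backup(decoy, manifest_for(live), prev))
```

The manifest is the part that matters: if it lives on the same box as the backup console, whoever changed the job can change the digests too. The entropy and size checks are the fallback for when it does not exist or cannot be trusted.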

Re:Was attack over the network or stolen backups? (1)

Nihixul (1430251) | more than 5 years ago | (#27830103)

Either way, it's piss-poor server/network management and someone should be fingered for it.

I'd be satisfied if they were just fired.

Not surprising (0)

Anonymous Coward | more than 5 years ago | (#27829451)

it is another Windows POS. When will the west learn to care about security?

One Question (5, Funny)

MistrBlank (1183469) | more than 5 years ago | (#27829473)

Did they also threaten to release the Da Vinci virus?

Re:One Question (0)

Anonymous Coward | more than 5 years ago | (#27830085)

fucking slashdot. if i had mod points i'd mod you up Funny.

G4's been playing it on the "movies that don't suck" programming block. It's usually either that or Enter the Dragon, but I usually watch either one they show.

Whitehouse take note (4, Insightful)

2phar (137027) | more than 5 years ago | (#27829507)

A timely illustration of the critical importance of security in electronic medical records.

Don't mess with Virginia (0)

Anonymous Coward | more than 5 years ago | (#27829529)

The Pentagon lives here.

Stupid criminals (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27829571)

If it's real it's stupid.

Can a governmental agency even pay a ransom? Are they allowed? Would they even consider it?

I would think they would just go to the cops. This makes ransoming the data of a government agency an all risk no reward proposition.

Maybe you could blackmail the head of IT but you have to keep the threat on the DL and the data going missing is the threat. Also I think 10 mill is out of the question in the later case.

Damnit... (5, Funny)

jez9999 (618189) | more than 5 years ago | (#27829589)

The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians.

Damn, I'd pay $10 mil for data on more than 8 million virgins. That's more than you get for martyrdom in the... oh, read it wrong. Never mind.

Re:Damnit... (1, Funny)

Anonymous Coward | more than 5 years ago | (#27830469)

The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians.

Damn, I'd pay $10 mil for data on more than 8 million virgins. That's more than you get for martyrdom in the... oh, read it wrong. Never mind.

CmdrTaco would like a word with you about your generous offer.

It's situations like this (5, Funny)

mandark1967 (630856) | more than 5 years ago | (#27829615)

That make me very happy I get all my medication from the 2 dudes on the streetcorner.

State control (2, Insightful)

ChrisMaple (607946) | more than 5 years ago | (#27829617)

This is what happens when you let the government in to places where it shouldn't be. There shouldn't be a state record of prescriptions, in fact the entire idea of government restricting the sale of certain chemicals to a doctor-monopoly is wrong. You statists are getting what you deserve; unfortunately the rest of us have to pay for it too.

Re:State control (0)

Anonymous Coward | more than 5 years ago | (#27829831)

Absolutely correct.

On our honeymoon in the Caymans (it was very cool to live like the free men), my wife got severely sunburnt. To get Silverdyne, it was only $10 at the drug store. No prescription required. In the US, it would have required a doctor's visit, a prescription, and the meds would have cost $80.

Re:State control (1, Informative)

Anonymous Coward | more than 5 years ago | (#27830267)

Silvadene is avail in a generic. Yes it requires an Rx but you can get 50gm for near $10, nowhere near $80.
 
/Pharmacist

Re:State control (1)

CastrTroy (595695) | more than 5 years ago | (#27830047)

It depends. All things can be used for bad and for good. While it kind of sucks in this case that the records database got broken into there are some good points to this. If you were in an accident, it sure would be nice if the hospital was able to look up any prescriptions you were on before administering other drugs which may be harmful when used with your current medication.

Re:State control (1)

Just Some Guy (3352) | more than 5 years ago | (#27830127)

This is what happens when you let the government in to places where it shouldn't be. There shouldn't be a state record of prescriptions, in fact the entire idea of government restricting the sale of certain chemicals to a doctor-monopoly is wrong.

The Libertarian in me agrees with you. The Realist in me who watches soccer moms stuff antibiotics into their cold-infected children for two days and then stop disagrees wholeheartedly.

There are some things that inherently need to be done under professional supervision. Medicine dosing is one of them.

An unrelated comment (5, Insightful)

dachshund (300733) | more than 5 years ago | (#27829723)

This is tragic, and please don't view the following unrelated rant as indicating lack of sympathy or some kind of judgement against the public agency that's getting slammed in this case.

A couple of weeks ago I spent a few days at the RSA security conference, one of the biggest conferences/trade shows in the security industry. Roughly 7 out of 10 of the products being hawked were absolute nonsense: buzzword-compliant BS. "Security risk management" software, hacked-together IDS systems, encryption systems that have pretty Windows GUIs (and probably, lots of pretty Windows code vulnerabilities), AV that's easy to circumvent, etc. They'd do absolutely nothing to protect you in the face of a serious attack. I say this as both a security professional and a business owner, which makes me somewhat well qualified to make that judgement. Often the most obviously ineffective products were the best sellers.

My point? In terms of commercial spending, "security" has so far been an excuse to spend a bunch of money and check a lot of little boxes. Corporations and organizations aren't really serious about preventing attacks, because for the most part it isn't happening (to most companies). An executive wants to say he "did something", so he buys a bunch of stuff and wastes time configuring it. It probably doesn't protect him against a motivated attacker, and he doesn't have the skills in-house to deal with it (which would be a lot more valuable than the equipment and software he purchased).

When I see something like this story, well, it's absolutely not gratifying. It's tragic. And of course, the fact that it's hitting a public agency makes it even nastier. But at very least, I hope that things like this do at least scare the crap out of some of the companies buying this nonsense, and convince a few of them to take the problem seriously. Because it is a problem. The reason we have the luxury of pretty trade shows that sell fluffy products is because this very real problem just hasn't manifested itself in an expensive enough way to shock people into taking the problem seriously. I really hope people start taking it seriously before this kind of thing becomes too pernicious.

This is joke (0)

Anonymous Coward | more than 5 years ago | (#27829763)

sounds like a false flag hacking. Thanks gov for making people who use computers look like threats to freedom again...

Re:This is joke (0)

Anonymous Coward | more than 5 years ago | (#27829801)

Sounds like you're talking out of your ass. Proof?

Ummm... (5, Insightful)

ledow (319597) | more than 5 years ago | (#27829867)

Well... he has an email address that he wants people to talk to him on. The person is asking to be caught already. Even assuming Tor use, etc., that's a definite lead back to him right there. You're talking an open invitation for some agency to coerce Yahoo to plant something on his browser when that login is detected (a cookie would probably do for the simple cases, a Flash/Java/browser exploit or similar in an advert would easily do for the more complex). Hell, I wouldn't be surprised if it wasn't possible to get a Microsoft-signed Java app (and, thus, automatically run without prompting) into the pages that are made for his login with their co-operation and have it reveal the *real* IP address / routing.

You can *easily* string him along for four or five emails. He would have to be using extremely tight security each and every time in order to communicate safely (and thus I hope he ran / is running a sandboxed system via a good anonymising network for the purpose of creating and checking that mail account each and every time and that he *never* uses that sandbox for anything else).

And you're talking confidential patient records - this is no hero of the citizenry, it's some pillock with nmap. So I hope he does get caught. Yeah, expose the security holes (though even that is just asking for jailtime) but don't play with people's lives.

How he expects to receive any money is beyond me... there's no such thing as a "safe" bank account except in the movies. Or is he hoping for a large bag of cash to be thrown from the Golden Gate bridge at 13:37 or similar? I'm guessing that, somewhere, he's made a stupid, elementary and critical mistake which means that he'll be "caught" quite soon (as in, people know who he is and just have to do the paperwork to get him), if he's not already.

If you want to make a stand, make a stand, target an organisation, pick a purpose, hit the critical points without collateral damage. If you want to dick about and show what a hacker you are, that's when you take whatever you *can* find (e.g. extremely private medical records and personal details of random people) and threaten to spread it unless a ransom is paid. In short,

Go to Jail. Go directly to Jail. Do not pass Go. Do not collect $10 million.

Re:Ummm... (5, Insightful)

Mendoksou (1480261) | more than 5 years ago | (#27830077)

Right, and he intends to get the money somehow... as if it couldn't be tracked. My guess is that this guy is as good as caught, or it's a hoax. Either way, expect to see more restrictive internet legislation because of this.

Re:Ummm... (0)

Anonymous Coward | more than 5 years ago | (#27830239)

Internet cafes and open wifi hotspots are easy enough to come by. I think it's far more likely that a zombie network is checking his yahoo account and distributing it to another zombie net or elsewhere. I'm assuming for the few thousand bucks it takes to buy a botnet if your ROI is measured in millions of dollars, it would make sense.

i mean, when the data shows up on 1400 machines at once and the feds kick in some middle-aged grocery manager's door and take his infected PC, this guy is pretty much now a needle in a haystack.

Re:Ummm... (1)

batquux (323697) | more than 5 years ago | (#27830279)

Just a couple thoughts on the money thing. Perhaps the idea was never to collect ransom, but to sell the information on the black market where tracing isn't as much of an issue. You might nab this person by posing as a potential illegal buyer, or at least you could get a better deal on it than the $10 million up front. With this kind of access to this particular database, the easier way to make money would be to enter fake prescription data for addicts or dealers.

Re:Ummm... (0)

Anonymous Coward | more than 5 years ago | (#27830371)

Or he could choose to not try and extort a government, which can basically force collaboration out of any organization he might be using to conceal his identity. He thinks he's smart which means he knows the email address would be a dead giveaway, and will probably never have the yarbles to log into it again, if he's in the US, which is doubtful. More likely he is framing someone else with that email address for crossing him.

Is that the state population? (1)

s2jcpete (989386) | more than 5 years ago | (#27830009)

The 2000 census has the state population at about 7 million. 8.1 would be reasonable in the time since 2000.

Error in Title: (1)

EmagGeek (574360) | more than 5 years ago | (#27830057)

Should read:

"Data changed since last nightly off-site backup held for ransom."

We have the system partially restored (1)

codepunk (167897) | more than 5 years ago | (#27830079)

Woop De Doo, the data has already been stolen, now what?

yahoo (1)

madcat2c (1292296) | more than 5 years ago | (#27830195)

I have a feeling yahoo is tracing some IP's right now.