A server storing sensitive patient information for more than 230,000 people was breached by unknown hackers so they could use its resources to host the wildly popular Call of Duty: Black Ops computer game. New Hampshire-based Seacoast Radiology warned patients on Tuesday that the hacked server stored their names, social …
"The breach was discovered on November 12, after an admin noticed a loss of bandwidth. It was unclear how long the hackers had access to the server before the hack was discovered."
Obviously they don't keep logs or network data all that long.
I'm reading sentences like this a lot recently:
"spoof their IP address"
If you spoof your IP address you will not receive the data. If you HIDE your IP address with the likes of Tor you certainly won't be playing Call of Duty. If you log in to a server and change the log files such that your IP is hidden that is also not spoofing.
Yep, although not just recently. People have been getting all confused about that for years. It's a useful indicator to tell if they have any clue what they're talking about, which usually, they don't.
And you certainly would not be playing call of duty on an American server from Scandinavia. The latency is sufficient to make any hard core gamer choke on their beverage of choice at the mere suggestion of doing so.
You use Tor to compromise the machine and set it up as a game server.
Then you don't use Tor to connect as a regular player (not doing anything wrong!) and enjoy.
I would doubt it was a Scandinavian who compromised the machine; it would be a local player wanting a good ping. However, since Tor is popular in Scandinavia I would guess that Tor was used to compromise the machine, hence looking like a Scandinavian hack.
I think usually it's meant that the break in happens via a chain of compromised machines.
There are attacks that don't require receiving responses, so spoofing can be used in a narrow set of cases - but not if you want to install a CoH server!
@Anton Ivanov, you make a very good point, (which seems to be overlooked by a lot of people judging from your votes up).
Scandinavian gamers/hackers wouldn't use an American server, the ping would easily be up in the hundreds of milliseconds. That may not sound like much latency to non-gamers, but it would be laughed at as unusable and pointless by gamers.
I wonder if this is an insider job so to speak, where it could simply have been set up by an in-house IT worker as a gaming server for him and some friends, all likely based in America. Maybe someone tried to connect from Scandinavia but I doubt they would have got far in the game. There may very well have been no actual hacker, but simply some IT worker using the medical server as a gaming server and now it's been found, they know they are in trouble and so are trying to cover up what they did by saying, oh it was hackers, I'll help you find them. Problem is the paranoia around the word "hacking" these days could easily result in non-technical managers freaking out at the word "hacker" in association with their beloved servers. Which would just dig a bigger hole for the worried IT worker.
(I've even worked in companies where we have put gaming servers on office servers, it's just the bosses were OK with it (in one case, they even joined in :) ).)
Also a gaming server is likely to be a lot of data, when adding in all the maps data, so whilst not impossible to upload, it's a major pain to upload it all. Much easier to install if you just do it via an internal intranet connection.
I bet it's just a now somewhat worried IT worker, trying to say it was hackers. :)
"Scandinavian gamers/hackers wouldn't use an American server, the ping would easily be up in the hundreds of milliseconds. That may not sound like much latency to non-gamers, but it would be laughed at as unusable and pointless by gamers."
WHAT?!?! IIRC, the official definition of an LPB was < 200ms ping rates. When did 100 start to classify as "high ping"? Granted, something like 450-500 would brand you an HPB even in the old days of dialup, but associating three-digits to "high ping" is an exaggeration.
Oh well, I'm off to fire up QuakeWorld ;)
Anyone care to venture a guess as to why...
a server hosting sensitive patient information was open to the internet, from the sounds of it with a whole lot of non-standard UDP and TCP ports open?
So that the data could be accessed by Doctors outside the hospital...
Or why the data was not encrypted?
Because someone who works there is a fan of COD?
@as to why
I would guess that the system owners would rather spend limited money on patient care than internet security. No-one ever values insurance of any kind, and enhanced security is particularly irritating because you never hear when it works.
As for why what looks like the server of a specialty radiology outfit was open to the internet I'd guess they need to exchange HL7 messages with the doctors who ordered the pictures.
You go to your GP with a set of symptoms, the GP orders some kind of radiological pictures from a dedicated lab and would like to get them back electronically. Medical systems increasingly need internet access to talk to each other. No excuse for the lax security of course, and the data should be encrypted on disk anyway...
In the world of the lowest bidder local encryption won't be happening until it's required explicitly by law.
There's a sysadmin somewhere needs to be sacked. Why was a machine hosting database services containing sensitive data attached to the internet? If remote access of this was required, have they not heard of VPNs?
Serious, serious, serious fail.
...being essentially just a bunch of XML junk, can be relayed via a web server. I'd be rather cautious about sending that sort of thing over the interweb anyway. What with the identifying patient data that they contain. The proper solution for that would be for the GP to log into a secure server and relay any data through a password-secured VPN, avoiding the unencrypted net entirely.
Also, AFAIK, HL7 messages wouldn't contain pictures, unless there's something in the spec that I don't know about (entirely possible). The use I know for them is to relay clinical information, such as dates and times of hospital visits between medical systems.
Certainly in the UK, the NHS does require proper security on this sort of data by law. This may not be so in the US, but should be.
Nowhere in the article does it say that the data was not encrypted.
I reckon about a quarter of the first person shooter servers you see on game browsers are running on boxes like this, hosting these things can be a major expense (especially large 32 -> 64 people games.)
A lot like xdcc servers. Why would people host stuff at a cost to themselves when they can break into a high bandwidth poorly secured server somewhere and have them serve it instead.
Then most of the people using the resource have no idea it was nicked as it just appears as something like "MarkBot" in the case of xdcc or "-=NigHtWinZ0rZ=- 64 man carnage machine" - in the case of an fps.
but hey ho, don't secure your network and worse still don't monitor your systems, these things happen to you. Right or wrong, that's just the way the world is.
Hacking a medical server to save the $20 or so a month it costs to have your own CODBLOPS server (the largest you can have is 24 player anyway)? Really? What a set of cheap, cheap bastards.
I don't suppose children have access to that sort of money
if daddy isn't willing to fund their gaming beyond the initial outlay. On the other hand, many children are quite PC-literate, therefore "borrowing" someone else's server is an obvious solution (albeit illegal, immoral, etc.).
Reminds me of those days when we set up the least-used PCs in campus with the QuakeWorld server, CTF maps, Serv-U FTP for updates & patching and a nifty "hide these windows plz" program so the sysadmins wouldn't find out our server.
Ah, the days before NAT and Firewalls, when everyone had a globally routeable IP...
Did they also discover 'Some hackers' had installed COD on all the network admins' PCs as well?
Of the time me and the rest of the class of computer systems students all joined the sysadmin's quake server at college *many* moons ago. Somebody spotted they were running dedicated server in their little office. Since they oh so helpfully put a little sticker on the front of each machine with its IP written on, it would've been rude not to frag them to pieces, no?....
Good times :)
Can you say firewall..
So they were able to open the ports on the organisation's firewall as well? Or was the shebang just hanging on the cloud, every port wide open.
Sounds like incompetence again.
modern docs need roaming access to patients
@AC: the server is probably part of the Electronic Patient File system, allowing doctors to access a patient medical history and info from anywhere in the hospital and likely also remotely. No surprise there.
Open for local intranet use, sure, that's obvious. But "...and likely also remotely." fails. Remote access to a company's servers usually involves a VPN connection to the firewall. If they did (unlikely) just stick this machine in the DMZ or outside the firewall, then yes, they should be sacked. Assuming that is what they did? No, I don't see it. Even a radiology clinic with no IT staff would still be behind a DSL/cable modem/router with a built-in firewall and the machine given a 192.168.0.0/16 address, at the very least. So, the "breach" was likely port-forwards or other security slight. Granted, since they had a CoD server running, that means they had port-forward capability on the firewall/modem/etc or the machine WAS in the DMZ... still, fail for assuming and not thinking it through.
Both parties should be hauled into court!
"New Hampshire-based Seacoast Radiology warned patients on Tuesday that the hacked server stored their names, social security numbers, medical diagnosis codes, address, and other details."
Yeah they're bloody stupid to have "nicked" someone else's work server for hosting a game, but FFS, storing sensitive private info on a public facing server?
"The breach was discovered on November 12, after an admin noticed a loss of bandwidth on his porn torrent after hours"
If they've fixed THE problem.. they haven't fixed the problem.
If they really think any security breach is totally attributable to one technical 'weakness' then they will be getting hacked again.
seriously, hosting a COD server used a huge amount of bandwidth? That doesn't make sense - the bandwidth used to connect to a game server is pretty small, it has to be or the game would lag like a bitch. To make any kind of impact they'd have to be hosting and serving patches and all sorts of other stuff - unless of course this NHS machine wasn't actually doing anything much in the first place which would be a bit of a shock. The NHS doesn't waste money on IT hardware, now does it.
I'm on the Playstation network, so I know all about lag. Wish there was a way to set up dedicated servers on PSN.
Not a UK NHS machine, it's based in the USA.
New Hampshire is in the USA, so it won't be an NHS machine
Was the machine definitely accessible via the web?
I don't think someone thought that through very well
New Hampshire = Not NHS
The subject says it all, really.
As said likely to be ports open, Any to any rules allowed, ping (and ariston and on and on......). And no doubt linked to other systems so no IDS. Ho hum.
Surely this server being compromised breaches the HIPAA regulations and leaves the owner liable for some serious fines?
HIPAA & Electronic Info
HIPAA has actually very little to do with specific regulation on technology and how it relates to the storage of electronic information. I was shocked at how little of a ruling it has over how data is stored/compromised, etc.
Read up on HITECH HIPAA. Covers network perimeter and remote access, data storage, archiving, etc.
COD Black Ops
I thought there were no private servers, you have to rent them from gameservers.com who have a monopoly.
Internet Routing/Response Times
Some seem to believe that speed would be a factor in this situation, and that it could have only been an inside job, because response times to Scandinavia would be slow.
It seems that some may be unclear about the way internet routing, and its protocols such as BGP (Border Gateway Protocol), actually works.
I have connected to servers all over the world, even for gaming, with latency times well below 100ms.
This is, my dear friends, because the response times/latency has NOTHING to do with LOCATION. It has to do with the number of hops it takes between YOU and YOUR DESTINATION IP, and those individual routers' load at the time of traffic passthrough.
Just because it's in a different country does not mean that the response times are going to be all that bad.
In some cases, your response times to servers outside your country will be better than within.
Internet response times are not measured with units such as Kilometers or Miles.
This wasn't meant to be mean or anything, just a clarification.
People who live in glass houses...
Dear, oh dear.
It looks like the lid was left off the acronyms box again and someone is waving one around to try to gain credibility.
The routing protocol used has almost nothing to do with WAN latency. There are many choices, each with their advantages and disadvantages.
The fact is though, that there is a direct relationship between the distance between two points and the minimum latency for data transmission between them. It happens to be pretty close to the speed of light.
That would only give you the minimum, however. In practice the actual time taken will be increased because very few circuits follow a straight line path between two points.
"That would only give you the minimum, however. In practice the actual time taken will be increased because very few circuits follow a straight line path between two points."
So, I read this as: "I agree with your assessment that physical distance has no bearing on response times".
"It looks like the lid was left off the acronyms box again and someone is waving one around to try to gain credibility."
Okay. If you look at, and COMPREHEND, my writing, you'll notice the two, ever-so-special words "SUCH AS", as in "for example". Thus, I am not using that acronym to spout knowledge, but merely using it as an example of an internet protocol.
The speed of light only applies when fiber optics are the cables used, and even then, there is latency buildup, and repeaters are needed (because the signal deteriorates given that we have not perfected fiber-optics, and there are still impurities). This is demonstrated by the basic PHYSICS properties of current fiber optic technology. Thus making link speed variable.
Jacho is not going to like this. Jacho is an outside org that audits hospitals in the US and they can fine the hell out of them. Then report them to the Feds for a second round of special loving.
Security is not a matter of cost
It's easy, don't put medical servers containing sensitive data directly on the internet in the first place. That doesn't cost a whole load of money, just a little bit of common sense.
Also the whole angle of this story is hugely misleading. No one pillaged a medical server specifically to play games, they pillaged an insecure server indiscriminately.
"People with the smarts to...."
"People with the smarts to compromise a medical group's server also have the ability to spoof their IP address."
Wat? They're doctors, radiologists, nurses and secretaries! Not 1337 h4x0rz. They go apeshit about HIPAA because their insurance company tells them to. They neither know nor care why they shouldn't be using ie6 anymore. Medical professionals aren't usually IT experts.
Not the employees
Eh - what are you talking about?
Some hackers outside of the company or its users hacked the server obviously - NOT the "doctors, radiologists, nurses and secretaries" that are normally able to access it.
Read the article.
Wot? Laggy? @ Daniel B
A ping time of 100 - 150ms is considered laggy but playable. Above that it is just unplayable. The lower the ping, the better an edge you have as your 'reactions' are quicker. I was getting 5ms on Virgin cable, now that was fun!