back to article Feds: Hospital hacker's 'massive' DDoS averted

The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a "massive DDoS" attack for the July 4 Independence Day holiday. Jesse William McGraw, 25, of Arlington, Texas, was taken into custody late Friday …

COMMENTS

This topic is closed for new posts.
  1. James O'Brien
    Grenade

    How stupid can people be?

    I mean to leave evidence that lets anyone and their mother know who you are, and to do something like this is just absolutely retarded. Seeing as he is in Texas and what could have happened had someone been in the operating room and died chances are he will get death :P

    Hope they shove this up his backside.

  2. Anonymous Coward
    FAIL

    "It really shows how dangerous even a low-skilled attacker can be."

    No - it shows how dangerous an unsecurable operating system can be.

  3. Destroy All Monsters Silver badge
    Flame

    A new kind of "summerfag"

    "It's all about respect and fame and the respect of their equally weird peers."

    It's all about about retardedness and being the most mentally challenged unemployable jerk in the cracker ghetto.

  4. Anonymous Coward
    Anonymous Coward

    10 years in the slammer should help

    This type of malicious hacking deserves ten years or more to "educate" the perp.

  5. James Woods

    not surprising

    First of all, this dude is lame, who would brag about pwning a freaking hospital HVAC unit. It's like walking into a school with a gun, yeah wow look at you, your cool.

    Hospitals for the most part are half-hazardously protected from attacks of all levels. I took a tour of one of our local hospitals and it was scary that they had no camera units, and only a few contracted foot guards with no weapons.

    Hospitals seem to be as virgin territory as our schools are just waiting for nuts to come in and have a field day.

    I wonder how cool this guy will be in jail, maybe he'll run into the maytag man and they can talk appliances.

  6. Anonymous Coward
    FAIL

    This guy is no hacker, he's sub-script kiddy even.

    The title really should be, "Idiot uses skills possessed by most twelve year olds to DDoS attack a grossly insecure IT system in use by a hospital"

  7. Efros

    What a complete

    Bawbag.

    Hopefully soon to be a cell companion of Bubba!

  8. Jimbo 7

    audit?

    maybe strange idea, but should we have a law which requires to pass annual security audit for organization like hospitals, railway systems, airports, ....

  9. Solomon Grundy

    The Really Scary Part

    Is the fact some 3rd party was able to track the "hacker" down. Yes, I know he posted a lot of stupid incriminating evidence but the sleuth that found him used Craigslist as one the the tools in finding him.

    That's scary and potentially a great way to join the Craigslist Murderer/Rapist club if you troll enough boards that post IP's then compare them with Craigslist ads or the reverse...

  10. Adam White

    "massive DDoS"

    If ETA really is planning a "massive DDoS" how does arresting this guy avert it?

  11. unitron

    a bunch of the boys were whooping it up...

    McGrew vs. McGraw. Where's Robert W. Service when we need him?

    Seriously, though. Congrats to McGrew. Tell MSU to give him a raise, or at least tenure.

  12. Flocke Kroes Silver badge

    @ AC 22:59

    If someone has physical access to a PC, then they can root it - no matter what operating system is installed. You can slow someone down by locking the case, glueing covers on the USB ports and changing the BIOS manufacturer's backdoor password. Using Linux (or a BSD) provides some protection from remote attacks - depending on what demons you leave running and how you configure them. You still need to lock people out of the server room.

  13. Chris King
    FAIL

    SCADA systems insecurity

    If you've ever watched an "engineer" install a SCADA system, you'd know that these things are easy targets - they do a default install of an OS without hardening it or patching it, slap the SCADA software on top, say "job's a good 'un" and run away. It doesn't matter what platform the SCADA runs on - these guys could even turn VMS into an instant cracker magnet.

    I acutally had to stop one SCADA engineer from "upgrading" a SCO Openserver box to Win95 because he mistook the Motif UI for Windows 3.1 !

    Some of these things were never designed to be connected to a network, but some bright spark sees an ethernet port on the back of the box and instantly gets funny ideas. Insecure protocols and little or no authentication make these things a security nightmare.

    Ask the manufacturers about turning off telnet/FTP/RSH or applying patches, and some of them will tell you that modifying the system in any way voids your warranty.

  14. Chris C

    Idiot

    If he did maliciously adjust a hospital's HVAC system, then he doesn't deserve to live. Fucking with weak and helpless people does not generate respect. Quite the opposite, actually. For $deity's sake, even in times of war, you don't attack the medic or the hospital.

    As for idiot AC @ 22:59 -- "No - it shows how dangerous an unsecurable operating system can be." -- who the hell said anything about an operating system? This guy had physical access to the systems. It wouldn't matter if they were running Windows, OSX, Linux, BSD, or OS/2; with physical access to the system, and especially with access to a logged-in terminal, no operating system could have stopped him. The weak links in this scenario were: 1) lack of application security; 2) lack of user education (as evidenced by the user leaving the terminal while logged in); and 3) lack of screen saver with password protection. Additional possible weak links were users leaving their passwords written down nearby, lack of physical security, and lack of identity verification.

  15. Andy Enderby 1
    WTF?

    what a week for stupidity eh ?

    First it's murderous phreakers, now it's this witless wonder. Texas in July and hospital full of potentially frail patients when the aircon is scheduled to go breasts uppermosts......Throw the whole bookcase at him, then summon tthe hospital IT management and slap them around a bit until they realise that such functions should be secure. God knows what else this narcissistic microbrain could have gotten himself into.

  16. Trevor 3
    WTF?

    @james woods

    "...I took a tour of one of our local hospitals and it was scary that they had no camera units, and only a few contracted foot guards with no weapons.

    "

    Jesus Christ man, come over to England and visit our hospitals.

    Very few Cameras, one or two unarmed dudes who you *never* see.

    In the UK we go to hospital to get better, and strangely we all seem to have that kind of respect built in.

    I can't remember the last time we had a "nut-job" go round a hospital injuring the already injured.

    Only in America would they

    A) Not have the respect

    B) Have the stupidity to hurt people in the only place where they can get patched up quickly

    You don't here about the Swiss going mental and gunning people down do you, and they have more guns than people, just about.

    Where would you stop James?

    Cops with guns in schools, in birthing centres (where new mums recouperate)? Zoos? Parks? Work? Primary schools/kindergarten?

    Glad to be in Europe, I am.

  17. Anonymous Coward
    Headmaster

    Hospital or torture theatre?

    "air-conditioning systems that cool operating rooms and other critical areas of the Texas hospital, where temperatures regularly hit the triple digits"

    Kelvin and I can understand it, Centigrade and I'm amazed.

    ...and am I right in thinking temperatures reguarly hit the triple digits *despite* the air conditioning?

  18. Ian Ferguson
    FAIL

    Screenshot

    The worst part about him? He used AOL!

    He is obviously the devil incarnate and should be executed forthwith. (that's what happens to criminals in Texas, right?)

  19. Matt B
    Grenade

    The the idiotic post of the day goes to...

    @ AC 1st July 2009 22:59 GMT

    "No - it shows how dangerous an unsecurable operating system can be."

    ===============

    No OS is secure if you have physical access to it even if the machine runs a linux distro or is a Mac...

  20. The Fuzzy Wotnot
    WTF?

    Utter cretins!

    Sounds like a sad bunch of losers with too much talent, too much time and no brains, desperate for their 15 mins in the spotlight!

  21. Anonymous Coward
    FAIL

    It's all about respect

    So, how much respect is due for having a "6 months AOL broadband" icon on your desktop worth?

  22. Anonymous Coward
    FAIL

    Whut

    The thread he posted. He states that the infection came form a torrent.

    He is an Anon too.

    See his GSM jammer on his vampire freaks page? Theyre easy to buy....

  23. Anonymous Coward
    FAIL

    @ AC 22:59

    Yeah blame the OS you Luser

    "As so i found out, one of the users was torrenting and came accross my bot. So i got the rdp and logmein information, so there was no brainstorm but all payload."

    read again ...

    Somebody was torrenting on that machine, prolly a sys admin Which im guessing isnt allowed in a hospital.

    So fuck all to do with the OS.

    tbh the admin should of shut down the torrenting ports

  24. David 22

    @Hospital or torture theatre?

    fahrenheit

  25. Anonymous Coward
    Coat

    Just a minor point but

    "showed off Wireshark and other hacking tools"

    Wireshark is a network analyser, since when did it become a hacking tool? Yes, it *could* be used for hacking but by the same yardstick a pc is hacking tool, so is a modem (remember them?) or a router, notepad.exe......

    As for the webcam over the door - since they were in fact watching him, perhaps he was not actually paranoid, even a bit low scoring in the common sense department.

    Mine's the one with a web cam trained on each pocket so I can look back later and see where I put my keys....

  26. Ermie Mercer

    @AC (not Air Conditioning) 08:22

    Here in the US, Daniel Fahrenheit rules. As do pounds, feet, inches and miles.

  27. Lionel Baden
    Pirate

    hey!!

    where is my abusive post ??

  28. Peter Murphy
    Alert

    Not Kelvin, not Celcius

    "air-conditioning systems that cool operating rooms and other critical areas of the Texas hospital, where temperatures regularly hit the triple digits"

    I assume that this is triple digits Farenheit.

  29. Cameron Colley

    RE: Hospital or torture theatre?

    I think they mean in degrees above the temperature of icewater with salt in it, where tripple digits is over the body heat of some German bloke. For some reason our colonial cousins seem to love strange units of measurement.

  30. Greg D
    Alert

    AC @ 8.22

    I would say Farenheit :)

  31. Anonymous Coward
    FAIL

    sick bastard.......

    deserves one of those ridiculouslyu long sentences they dish out in fantasy land USA.

  32. MarkJ
    FAIL

    @Trevor 3

    Try A+E on a Friday/Saturday night in a big city in the UK. Epic fail for your 'respect for medics' theory.

    Oh and that would be Fahrenheit that hits triple digits, some people dislike SI units.

  33. MinionZero
    Alert

    Wow what an evil minded narcissistic

    Just as well he also had a strong need for attention. This guy easily scores high at psychology bingo, for example, without even trying much we have such highlights as:

    * Shows everyone he has power over people with screen shots to prove it

    * Threatens to cause harm to others to also show he has power over people

    * Seeks a job as a security guard, so he can act as if he has some power

    * Seeks to bully the place he works and gains access to allow him to bully them

    * Shows a very strong need for attention

    Wow talk about having issues. He's really putting some effort into this. So basically he is an attention seeking bully. A Narcissistic combined with Histrionic. Given that kind of profile it strongly suggests he suffered childhood parental neglect and some kind of abuse and so is now taking his anger out on others. Its also interesting his target is a hospital, a place usually associated with giving care to people. So he is also able to hit out at carers, which also goes back to his anger at parents who should have be carers to him. So he's behaving like a milder less harmful version of so called, Angels of Death, health care workers who kill (full on serial killers who go into health care jobs to seek victims). In his case he is just showing he has the power to abuse others, although given his behavior, if he wasn't stopped he could easily have ended up killing.

    @Trevor 3: “I can't remember the last time we had a "nut-job" go round a hospital injuring the already injured.”

    In that case you must have been living in a cave. For example, from the British Medical Association: http://www.bma.org.uk/sc/employmentandcontracts/morale_motivation/violenceagainsthealthcareworkers.jsp

    e.g. “Nearly half (43.1%) of junior doctors reported both physical and verbal abuse at work”.

    And Trevor3, when you've finished reading that, then you can learn some more reading these cases:

    http://en.wikipedia.org/wiki/Category:Health_care_professionals_convicted_of_murdering_patients

    This case is a good example of why narcissistics are such a problem and even at times a danger to everyone. (Yet ironically narcissistics seek and easily get into positions of power over people).

  34. Sarah Bee (Written by Reg staff)

    Re: hey!!

    I don't know. Where are your manners?

  35. Anonymous Coward
    Unhappy

    It could happen here

    I'm in IT in a big hospital - hence anonymous. While we impose sane IT security, the users don't -- we regularly find passwords stuck to screens and you can't just BOFH the department. Laying down the law is a management issue and they're too soft: it hasn't gone wrong yet, after all. Our staff turnover ("churn") is so great that there are always plenty of new faces around, so a new cleaner wouldn't attract attention so long as he had a staff ID and a bottle of Hospec.

    Passwords stuck to screens is platform-independent. ;)

  36. Anonymous Coward
    FAIL

    Screen Capture states BACtalk - Runs on Windows OS with unsecured webserver

    Having been in the controls industry for over 20 years I can tell what happened from just looking at the screen capture on the 2nd page of the article.

    The HVAC control system in question communicates via BACnet, an open protocol building management system. In this case, it appears that the "hacker" gained access to a poorly secured webserver component of the building management system.

    It was probably wide open to the world because many "canned" specifications require that these systems be "accessible from any network users computer" especially the hospitals HVAC technicians who are probably looking at the system from their home PC (you know, the one their wife and kids use???!!!!)

    All that would have happened is for one user to fall prey to a password sniffer and this "hacker" got root access.

    This is one primary reason why we dislike BACnet, LONworks or other "Webserver" based HVAC control systems. The software cannot be easily modified by the control contractor, is inherently insecure since it is based on a "webserver" running on a Windows OS and in order to comply with many state and federal specifications, the system must be available to every network Luser in the building.

    Outside network access must be strong password protected and the control system must require IP authentication of the remote access user as well. Use of proprietary communication protocols and secured ftp programs also helps to limit the potential for outside attacks such as this one.

    This is a case of a Hospital administrator getting exactly what he didn't pay for. Lowest bid does not mean least costly.

    The system was crap, probably installed by plumbers who had no idea what they were doing, who undercut legitimate HVAC control system vendors who know better and can provide a competent, secure system.

  37. Dave 85

    Scriptkiddy

    Oh, come on now... on that desktop their are shortcuts for WMP, "Dell Support", and "6 months of AOL". Obviously a complete noob.

  38. Lionel Baden
    Happy

    @sarah

    Sorry "please"

    I was also being impatient :D

  39. Sarah Bee (Written by Reg staff)

    Re: @sarah

    Impatient *and* abusive. But er, honest at least, I suppose.

    What abusive post is this? And why am I even asking you? You have no idea how many abusive posts I boot off here in a day. More at the moment, in fact, because I would like the world to be a kinder happier place.

  40. Ed Blackshaw Silver badge
    Joke

    Of course, this could never happen in the UK...

    ...Our hospitals don't have air conditioning...

    Joke icon, but not actually too far from the truth

  41. Inachu
    Grenade

    Hahahahahaha!!!!

    Again pure fail because he wanted to brag about it.

  42. Anonymous Coward
    Thumb Down

    Just another skill-less idiot seeking attention

    Most others have nailed the guy's character right-on, but I'd like to say that even if this idiot had no access to a computer, he's likely the kind of guy that would drop a roofie in your drink, key your car, or piss in your coffee, just " 'cause it's fun" Another emotionally stunted scumbag that could probably benefit from psychotherapy.

  43. Trevor 3
    Pint

    @minionzero

    If we had someone enter a hospital and went around kicking the living poo out of staff and other patients alike it would be on the news, and then I'd start thinking that maybe we need some betruncheoned security guards in them.

    I can understand(not condone) that we do have some physical abuse in hospitals, I don't think that there is one job in the world where you come into contact with the public at large and don't get a bit of abuse to be honest. You don't need an _armed_ guard in Curries or Tesco though do you? And footfall is bigger through there than a hospital, so you are bound to get more loonies in.

    I live in Southampton, and have been in A&E a few times, even on a Friday (and a Saturday once) and mainly at night (my nipper being asthmatic, want some stats on night time attacks vs daytime?). I must have been seriously bloody lucky, because all the patients I saw were too pissed to do anything apart from puke. Which was funny. Well I enjoyed myself anyway.

    I was surprised more than anything at James' shock at a hospital having no armed guards.

    Thanks for the stats. But I still don't believe hospitals need armed guards.

    As for doctors/health professionals killing people....that's been happening since there have been "doctors". Unfortunate, but also true.

    Pint because....well, it's nearly Friday

  44. Jimbo 7

    re: It could happen here

    "we regularly find passwords stuck to screens and you can't just BOFH the department"

    i know it's easy to be critical, no matter how good IT team you have, budget can screw and stop quite a lot of projects... I really think that public or semi-public places which have computers everywhere like hospital, airports should NOT use password access. It should be hardware token with pin - something like this (http://www.cryptocard.com/products/cryptocardauthenticationtokens/sc-3usb-styletoken/)

  45. Matthew Anderson

    poor guy

    He obviously just has a personality disorder and needs some help.

  46. Anonymous Coward
    Anonymous Coward

    @AC - It could happen here

    I used to work in IT in the NHS back in late 80's early 90's. We spotted that open terminals were a weak point (used thin clients) with passwords so what we did was give staff a barcode on the back of their badges that they needed to scan in addition to userid/password. Terminals already had barcode wands to scan barcodes from patient notes.

    This was all done in house, in DOS. There really isn't an excuse with more modern equipment and facilities like smart cards we didn't have back then.

  47. Tom 13

    @Chris C

    You forgot the most important security consideration:

    0) Decent background check on the people you hire for your facility, especially the ones who are nominally in charge of physical security. Too many minimum wagers as rent-a-cops here in the states. It's a serious job that requires serious attention. Security shouldn't be Walmart door greeters. If you want a minimum wage door greeter, fine--hire one and give him the appropriate title. Don't hire a rent-a-cop for it. Security should be professional, and focused securing the facility. Security begins with access, and physical access trumps all other forms of access.

    Otherwise you're spot on.

  48. ZenCoder

    Security

    You can't secure everything, actually you can't secure most things, at least not in a way that is effective, allows work to be done and doesn't cost so much that it drives you out of business.

    There are plenty of physical systems that are very vulnerable. You could walk into a hospital and idk ... start putting paperclips into power outlets and trip all their circuit breakers, snatch important paperwork sitting on desks and toss them into the trash, go to the bathrooms and dump all the rolls of TP into the toilet. Pull fire alarms.

    Real world security relies on the assumption that people are reasonable nice and don't want to cause problems, and it usually take a strong profit motive for them to betray your trust.

    So no you don't attempt to secure every computer system from abuse by people with physical access anymore than you put padlocks on every power outlet.

  49. Jesse
    Alert

    ^Security, part 2

    Security guards do not need access to IT equipment other than camera screens displaying the inside of a secured IT center.

    This screw up was like an IT guy having keys to the facility's weapons closet.

    On a related tangent, I think it is documented psychology that power hungry people will often vie for positions that give them more power. Police work, security guard, etc. This is why it isn't uncommon for cops to screw with teenagers as retribution for some ill towards them in high school. It probably also fuels "hackers" intents to cause problems for other people as a way to even the score psychologically.

  50. Jimbo 7

    today

    so I was in a hospital in San Francisco today (couple hours after the good article came out) ... I was in a room with a nurse who put some info into DELL PC, then he left for 10 minutes.

    1. I could do quite a lot. I did not touch it of course, but could (there was no password screen after he left), the computer was right next to me

    2. the PC was sitting there, I could (again I did not) quickly plug keystroke catcher between keyboard and PC to get all key strokes (of course I do not own one, but I saw it I think on engadget while back)

    (1) is big issues

    (2) is issue, but very hard to protect thanks to kinda lack of industrial design (most of PCs for home and business are the same - easy to open and easy to re-plug)

  51. Nordrick Framelhammer
    Grenade

    I suspect that

    The reason this looser is a wannabe script kiddie is because he has an inverted penis, pretty much like the rest of his lackwit mates, so he is trying to compensate for this by running scripts created by someone else then claim the "glory" due to him for other sad, spotty faced herberts still living with mummy.

    I think the hospitals should, when he next goes in for surgery, operate on him without anaesthetic, but with as muscle relaxant so he cannot scream then have him recover in a room where the temperature is oscillating between frigid and boiling while lying on a metal trolley with no mattress, sheets or blankets and being forced to listen to Kenny G music while strobes flash randomly.

  52. Anonymous Coward
    Go

    Lesser Evil

    We need morons like this. The system the hospital was using and many others may seem bad, but imagine how much worse they would be if nobody ever forced people to pay attention. Accumulate the extra complacency that implies over the entire history of computing to the present. Imagine also that in the absence of these fuckwits there is someone out there who's actually quite smart who also happens to be a little evil.

  53. Andus McCoatover

    @Not Kelvin, not Celcius

    <pedant>

    Kelvin/Fahrenheit at Texas July temps. both have triple digits. e.g. 113F, 318K, 45C

    </pedant>

    I thought only USA and Libya still used the scale? Seems Belize does, too.

    Bit of fun googling: http://www.sizes.com/units/temperature_Fahrenheit.htm. History bit's almost keyboard-icon-worthy.

    'Merkans partially basing their temperature scale on the temperature of Mrs Fahrenheit's armpit??? D'uh? Goddammit, imagine if he'd measured it rectally....Best not, actually. It's lunchtime here.

  54. Enigma9
    Boffin

    Idiot

    Another Skiddiot Bites the Dust...

    I am not surprised he was leaving the Job of security officer, some security officer, hack your own work places machine's, dude if I had done that 6 years ago when I worked for a court house as a security guard I would be in Jail right about now being anally raped repeatedly.

This topic is closed for new posts.

Other stories you might like