Tuesday, 19 August 2014

Community Health Systems blames China for recent data breach

Community Health Systems (CHS), which operates just over 200 hospitals in 29 states, reported a data breach impacting about 4.5 million people on Monday. The incident, blamed on actors in China, was made public via an 8-K filing with the U.S. Securities and Exchange Commission.
The 8-K itself was brief, offering few details on the incident.
However, the report stated that CHS believes the network compromise occurred in April and June of 2014. Once the intrusion was discovered, CHS hired Mandiant (a FireEye company), which speculated that the attacker was part of a group in China. How the attacker planted the malware on the CHS network was not disclosed in the 8-K filing.
"The attacker was able to bypass [CHS'] security measures and successfully copy and transfer certain data outside [CHS]," the 8-K explained.
Law enforcement added to that profile, telling CHS that the intruder has typically sought valuable IP, such as device and equipment data.
"However, in this instance the data transferred was non-medical patient identification data related to [CHS'] physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with [CHS]," the 8-K continued.
The compromised information is governed under HIPAA, as it included names, addresses, dates of birth, phone numbers, and Social Security Numbers.
CHS has begun the process of notifying everyone affected by the breach and is offering ID protection services.
"Obtaining personal information such as social security numbers, birth dates and physical addresses is similar to having a skeleton key which can open up many doors for someone nefarious. It can help create bogus accounts, can be sold, or in some cases, used as a form of currency," commented David Hobbs, Director of Security Solutions at Radware.
When asked whether Radware disagreed with the assessment Mandiant offered to CHS, Hobbs said no, but added that Radware was surprised to see this type of attack from alleged Chinese hackers.
"We don’t disagree with their findings – but we are surprised to see this type of attack vector from Chinese hackers. The theft of personal data is more indicative of an organized crime group and not one that normally conducts corporate espionage. What is also interesting to note is how this information wasn’t used for ransom purposes. Fines levied against data breaches can cost an organization $1.5 million per instance, which would force any business to be in a very precarious situation."
Towards the end of the SEC filing, CHS stated that - despite the large number of records and potential source of attack - they don't believe this incident will have a large impact on their business.
"[CHS] carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."
A copy of the 8-K filing is available online.

Chinese man indicted over theft of Boeing C-17 secrets

A Chinese man has been indicted for allegedly directing two China-based hackers to infiltrate Boeing and other defense contractors to steal gigabytes of documents describing U.S. military aircraft.
Su Bin, a Chinese national in his late 40s, was indicted in the U.S. District Court for the Central District of California on charges of unauthorized computer access, conspiracy, conspiracy to commit theft of trade secrets and aiding and abetting. He was arrested in Canada in June.
Su allegedly worked with two unnamed and unindicted co-conspirators between 2009 and 2013 to obtain documents related to planes such as the C-17, a cargo aircraft, and the F-22 and F-35 fighter jets, according to the indictment.
Su, who ran a China-based aviation company called Lode Technology, is accused of trying to sell the information to state-owned companies in China and other entities.
Curiously, Su and the co-conspirators in part used free email accounts such as Gmail to communicate, which likely gave law enforcement a broad view into their alleged actions. U.S. prosecutors can obtain such communications with a court order.
Excerpts of the emails were included in an affidavit from FBI Special Agent Noel A. Neeman, which is contained in Su's court file.
An August 2012 email from one of the China-based hackers to the other one describes a painstaking, year-long 439,000 effort that successfully stole 85 GB of information about the C-17, including electronic cable wiring documents and detailed schematics.
Boeing's network is "extremely complex," the hacker wrote, adding the company has layers of security equipment including firewalls and intrusion detection and prevention systems.
The emails also provided insight into general methods the hackers used. To avoid diplomatic and legal problems, stolen documents were sent to servers in other countries, such as South Korea and Singapore, before being moved to Hong Kong or Macao, according to another email sent from co-conspirator #1 to co-conspirator #2.
From those locales, "the intelligence is always picked up and transferred to China in person," the email said.
Neeman's affidavit said that while the "success and scope" of the operation could have been exaggerated, there was evidence that it was successful "to some degree." His affidavit does not speculate if the co-conspirators are Chinese government employees.
The U.S. and China have traded sharp accusations over hacking in recent months, with each accusing the other of government-sanctioned intrusions.
In May, the U.S. Department of Justice filed a criminal indictment charging five members of Chinese Army signals intelligence Unit 61398 with stealing nuclear, solar power and steel trade secrets from six U.S. organizations over eight years. China vehemently denied the accusations.

How hackers used Google to steal corporate data

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.
FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better known PlugX.
The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution, and an Asian government organization. FireEye did not disclose the name of the victims.
The unidentified hackers had used spear-phishing attacks to compromise the systems, then used the malware to steal sensitive information and send it to remote servers, FireEye said.
What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.
In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.
"It was a novel technique to hide their traffic," Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.
The attackers' tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.
The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.
In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."
In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and redirect the traffic to that location.
Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.
With Hurricane Electric, the attackers took advantage of the fact that its domain name servers were configured so that anyone could register for a free account with the company's hosted DNS service.
The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.
In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.
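The forged-Host-header trick described above leaves a detectable seam: the HTTP Host header names a well-known domain, but the TCP connection goes to an address that domain never legitimately resolves to. The following is an added example of that detection logic, not FireEye's code or part of the original report. The proxy-log layout, the vetted address ranges and the log lines are all constructed for the demonstration (203.0.113.7, from the TEST-NET-3 documentation range, stands in for an attacker-controlled server); a real deployment would populate the allow-list from resolver logs or passive DNS rather than by hand. The check is generic, so it would flag any of the 21 abused domains, not just the three listed here.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed allow-list: address ranges vetted as legitimate for each domain.
# Real deployments derive this from resolver logs, passive DNS or an inventory.
EXPECTED_NETS = {
    "adobe.com": ["192.0.2.0/24"],
    "update.adobe.com": ["192.0.2.0/24"],
    "outlook.com": ["198.51.100.0/24"],
}

# Constructed proxy-log layout: timestamp, source, destination, Host header, request.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host="(?P<host>[^"]*)" (?P<req>.*)$'
)

Finding = namedtuple("Finding", "ts src dst host")


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_matches_destination(host, dst):
    """True/False when the Host header is a vetted domain and dst lies inside/outside
    its ranges; None when the domain is not on the allow-list or dst is not an IP."""
    nets = EXPECTED_NETS.get(host.strip().lower().rstrip("."))
    if nets is None:
        return None
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return any(addr in ipaddress.ip_network(net) for net in nets)


def find_mismatches(lines):
    """One Finding per line whose Host header claims a vetted domain while the
    connection actually goes to an address outside that domain's ranges."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        if host_matches_destination(rec["host"], rec["dst"]) is False:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["host"]))
    return findings


# Constructed sample log: 203.0.113.7 plays the attacker-controlled server that
# the implant reaches under a forged Host header.
SAMPLE_LOG = [
    '2014-03-12T10:01:02Z src=10.0.0.5 dst=192.0.2.10 host="adobe.com" GET /',
    '2014-03-12T10:01:09Z src=10.0.0.5 dst=203.0.113.7 host="update.adobe.com" POST /update',
    '2014-03-12T10:02:15Z src=10.0.0.8 dst=10.0.0.1 host="intranet.example" GET /',
    '2014-03-12T10:03:40Z src=10.0.0.9 dst=198.51.100.5 host="outlook.com" GET /owa',
    '2014-03-12T10:04:01Z src=10.0.0.5 dst=203.0.113.7 host="Outlook.com" GET /mail',
    'malformed line that the parser should skip',
]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: Host header '{f.host}' does not resolve there")
```

Domains absent from the allow-list return None rather than False, so the sweep only alerts on names the organisation has actually vetted; that keeps the rule from drowning in noise for ordinary unlisted sites while still catching the impersonation pattern the article describes.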
Google and Hurricane were notified of the malicious use of their services, Moran said. Both companies had removed the attack mechanisms.
"We appreciate FireEye discovering and documenting this unusual attack, so that we could immediately fix our service to eliminate the possibility of this type of abuse in the future," Mike Leber, a spokesman for Hurricane said in an email sent to CSOonline.
Moran believed the services were victims of hacker creativity versus a flaw.
"These are services offered online that can be used for good or ill," he said. "A gun can be used to protect and a gun can be used to hurt."

Nuke regulator hacked three times in three years

The US Nuclear Regulatory Commission (NRC) has been hacked three times in as many years, according to documents obtained under freedom of information requests.
Unnamed foreign hackers sent hundreds of phishing emails - targeting 215 staff in one incident alone - in what was dubbed a 'credential harvesting campaign', according to an Inspector General report obtained by NextGov.
Phishing was used in all three attacks, which separately broke into the regulator by conning dozens of staff into entering their login details into fake web forms, as well as by tricking employees into downloading and executing malware hosted on a Microsoft SkyDrive account and contained within an attached PDF file.
The report did not say when the attacks occurred, determine if attackers were run-of-the-mill black hats or state sponsored pros, nor what data was or could have been compromised. El Reg has sought information from the NRC.
The NRC systems were not connected to nuclear facilities, according to a blog post reportedly made by NRC communications chap Scott Burnell as a response to the news.
"The NRC's computers cannot affect US nuclear power plant operations – the plants' safety and control systems are physically isolated and have no Internet connectivity," Burnell wrote on the NRC website.
The commission maintained information on the operation, location, and condition of US nuclear plants, including those involved in weapons production, and it requires operators to meet minimum security standards.

Security Vulnerabilities in Commercial-Aircraft SATCOM Kit

There has been some press in advance of the previous week’s Black Hat conference about vulnerabilities in commercial-aircraft flight management systems and possible implications for the safety of flight, for example in a Reuters article by Jim Finkle from August 4. The article is technically fairly accurate on the claims made and the manufacturer’s response, but it also includes comments such as this:
Vincenzo Iozzo, a member of Black Hat’s review board, said Santamarta’s paper marked the first time a researcher had identified potentially devastating vulnerabilities in satellite communications equipment.
“I am not sure we can actually launch an attack from the passenger inflight entertainment system into the cockpit,” he said. “The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of.”
Which sort of says what the Black Hat program committee know about airworthiness certification of avionics: not very much, if anything at all. The phrases “potentially devastating” and “pretty scary” are to my mind completely out of place. I have also seen some public discussion of the vulnerability claims which suggests the sky could, or is at least theoretically able to, or maybe possibly theoretically able to, fall. I figure it is worth saying a couple words about it here.
This note may seem ponderous, but I think it is important to give the complete background and references. Aviation airworthiness certification is one of the more developed safety assessment regimes and some public discussion is obviously ignorant of it. For example, some contributions fail to make the basic distinction between a vulnerability (which could pose a hazard) and the possible consequences of exploitation of that vulnerability (the severity of the hazard).
This distinction is basic to safety and security analysis for half a century or more. Its necessity is easy to see. People can demonstrate hacking bank ATMs at security conferences and have them spill banknotes all over the stage. But that doesn’t mean the hacker has access to all the networks at the bank in question and can embezzle trillions from their transaction systems. Indeed, no one thinks it does. The vulnerability is that a bank ATM can be compromised; the severity is (at least) that it loses its contents, and maybe more (maybe hackers can gain access to the central control SW). A bank can routinely cope with losing all the bank notes in an ATM; by all accounts attempts at fraud in financial transaction systems are orders of magnitude more severe and have been for decades. Vulnerability and consequences are connected but separate, and both or either could be rightly or wrongly assessed in any given proposal.
It appears vulnerabilities do exist in the systems investigated by the company IOActive and its associate Ruben Santamarta, but the severities of any such vulnerabilities have already been assessed by regulators during airworthiness certification and have been found to be negligible or minor.
There is a White Paper on their work from the company IOActive. It concerns vulnerabilities in satellite-communications (SATCOM) systems in general, mostly about ships and land-equipment for the military. There is one aviation application, as far as I can see. They claim to have compromised Cobham Aviator 700 and Aviator 700D devices. This kit contains software certified to DO-178B Design Assurance Level (DAL) E, respectively DAL D, they say. They also say it is installed on the military C-130J.
The first paragraph of “Scope of Study” in the company White Paper says that the researcher(s) didn’t have access to all the devices, but “reverse-engineered” those to which they didn’t have access and found vulnerabilities in their reverse-engineered copies.
DAL D software is that installed on kit whose malfunction could have at most a “minor effect“. DAL E software is that installed on kit whose malfunction could have at most “no effect”. These are technical terms: the notion of “effect” is the aviation-certification term for the possible consequences of a failure and corresponds with the more common term “severity” used in other safety-related engineering disciplines. A good general reference on certification of aviation equipment is Chapter 4 of Systematic Safety, E. Lloyd and W. Tye, CAA Publications, London, 1982. Lloyd and Tye categorise a Minor Effect as one “in which the airworthiness and/or crew workload are only slightly affected” and say that “Minor Effects … are not usually of concern in certification”. They don’t include them in the risk matrix which they use to illustrate the certification requirements. The risk matrix shows the slightly differing characterisations of the FAA and JAA certification regimes. The JAA was the former de facto certification authority in Europe and has been subsequently replaced by EASA. Most countries accept FAA and EASA airworthiness certification as adequate demonstration of airworthiness.
The Cobham Aviator series is kit which may or may not be fitted to any specific aircraft. The Cobham WWW site contains a number of data sheets about the Aviator series. It appears to be available for (retro)fit to the Dassault Falcon bizjet series and apparently NASA Armstrong FRC has some: here is a related purchase order.
The airworthiness of the Cobham Aviator 700 and 700D systems is governed by 14 CFR 25.1309 in the US, and Certification Specification 25 (CS-25) clause 25.1309 in Europe. There is an FAA Advisory Circular defining the acceptable means of compliance with this regulation, which includes the definitions of effects and their allowable probabilities: AC 25.1309-1A System Design and Analysis, issued 21 June 1988.
The specific definition of “Minor Effect” from AC 25.1309-1A is
Failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.
The CS-25 definition is similar.
The general vulnerabilities IOActive claim to have found in the Cobham Aviator devices are listed in Table 1 of their report:

Backdoors
Weak Password Reset
Insecure Protocols
Hardcoded credentials
IOActive has informed US-CERT about the vulnerabilities it has found in the Cobham Aviator 700 and 700D kit. The US-CERT entry in the Vulnerability Notes Database contains a rather more precise statement of the vulnerabilities found. The note says that the identified vulnerabilities are
CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CVE-2014-2943
IOActive reports that Cobham satellite terminals utilize a risky algorithm to generate a PIN code for accessing the terminal. The algorithm is reversible and allows a local attacker to generate a superuser PIN code.

CWE-798: Use of Hard-coded Credentials – CVE-2014-2964
IOActive reports that certain privileged commands in the satellite terminals require a password to execute. The commands debug, prod, do160, and flrp have hardcoded passwords. A local attacker may be able to gain unauthorized privileges using these commands.
The Common Weakness Enumeration (CWE) derives from Mitre, and an explanation of, for example, CWE-327 is to be found on the CWE WWW site, as is an explanation of CWE-798.
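To make the CWE-327 entry concrete, here is an added example that is not part of this note, of US-CERT's advisory, or of Cobham's firmware. The weak_pin_from_serial formula is a made-up stand-in for the class of algorithm the advisory describes (a superuser PIN that is a fixed, reversible function of public device data); the real algorithm is not published here and this is not it. Beside it sits the remedy a reviewer would expect: a per-unit random PIN issued at provisioning, with only a salted slow hash kept on the device, so nothing on the unit's label or in its firmware lets anyone reproduce it. The helper pin_reproducible_from_serial is the property check that separates the two schemes.

```python
import hashlib
import hmac
import os
import secrets

PIN_LENGTH = 6
PBKDF2_ROUNDS = 100_000


def weak_pin_from_serial(serial):
    """Constructed weak scheme (CWE-327 style): the 'superuser' PIN is a fixed
    arithmetic function of the public serial number.  No secret enters the
    computation, so anyone who reads the label and knows the formula has the
    PIN.  This is a made-up formula, not any vendor's actual algorithm."""
    digits = [int(c) for c in serial if c.isdigit()]
    total = sum((i + 1) * d for i, d in enumerate(digits))
    return "%04d" % (total % 10000)


def provision_pin(serial, rng=secrets.randbelow):
    """Hardened scheme: draw an independent random PIN per unit at provisioning,
    hand it to the installer once, and keep only a salted PBKDF2 hash on the
    device.  Returns (pin_for_installer, record_to_store)."""
    pin = "".join(str(rng(10)) for _ in range(PIN_LENGTH))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    record = {"serial": serial, "salt": salt, "digest": digest}
    return pin, record


def verify_pin(record, candidate):
    """Constant-time comparison of the candidate's hash against the stored one."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, record["digest"])


def pin_reproducible_from_serial(scheme, serial, trials=3):
    """Property check: if repeated runs of a scheme on the same public serial
    always yield the same PIN, the PIN carries no secret beyond the serial.
    True for the weak scheme, False for the provisioned random PIN."""
    pins = {scheme(serial) for _ in range(trials)}
    return len(pins) == 1


if __name__ == "__main__":
    serial = "SN-00012345"  # constructed serial number
    print("weak scheme, derived from label alone:", weak_pin_from_serial(serial))
    print("weak scheme reproducible from serial:",
          pin_reproducible_from_serial(weak_pin_from_serial, serial))
    pin, record = provision_pin(serial)
    print("hardened scheme reproducible from serial:",
          pin_reproducible_from_serial(lambda s: provision_pin(s)[0], serial))
    print("stored record holds the PIN:", "pin" in record)
    print("correct PIN accepted:", verify_pin(record, pin))
```

The design choice worth noting is that the hardened record contains the serial, a salt and a digest but never the PIN itself, so a dump of device storage (the local-access scenario US-CERT describes) yields only a slow-hash target rather than the credential; the hard-coded passwords of CWE-798 fail the same property test, since they are constants that every unit shares.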
IOActive says the following about the vulnerabilities of the Cobham 700 and 700D devices. I quote their report in full.

The vulnerabilities listed in Table 1 could allow an attacker to take control of both the SwiftBroadband Unit (SBU) and the Satellite Data Unit (SDU), which provides Aero-H+ and Swift64 services. IOActive found vulnerabilities an attacker could use to bypass authorization mechanisms in order to access interfaces that may allow control of the SBU and SDU. Any of the systems connected to these elements, such as the Multifunction Control Display Unit (MCDU), could be impacted by a successful attack. More specifically, a successful attack could compromise control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS). A malfunction of these subsystems could pose a safety threat for the entire aircraft.
This is the entire statement. IOActive is thus explicitly disagreeing with the regulators: they say the vulnerabilities “could pose a safety threat for the entire aircraft” whereas the regulators have determined during airworthiness certification that the consequences of any malfunction of the Aviator 700 and 700D are “No Effect”, respectively a “Minor Effect”.
It is certain that regulator and vendor have a significant amount of paperwork on file purporting to establish the severity of malfunctions of the Cobham Aviator 700 and 700D kit. Much of that will refer in detail to the kit, and therefore will contain proprietary information and will not be available to the general public.
In contrast, IOActive has merely asserted, as above, its deviant view of the severity, as far as I can tell without providing any reasoning to back up its claim.
The vendor has provided the following statement to US-CERT:
Cobham SATCOM has found that potential exploitation of the vulnerabilities presented requires either physical access to the equipment or connectivity to the maintenance part of the network, which also requires a physical presence at the terminal. Specifically, in the aeronautical world, there are very strict requirements for equipment installation and physical access to the equipment is restricted to authorized personnel.
The described hardcoded credentials are only accessible via the maintenance port connector on the front-plate and will require direct access to the equipment via a serial port. The SDU is installed in the avionics bay of the aircraft, and is not accessible for unauthorized personnel.
Cobham SATCOM will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required.
In other words, they don’t think the discovered vulnerabilities affect the use of its kit much at all, and presumably the regulator agrees – that is, it has already agreed in advance during airworthiness certification, and sees no reason to change its mind.
US-CERT judges

Impact

A local unauthenticated attacker may be able to gain full control of the satellite terminal.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
I would disagree with use of the words “problem” and “solution” here. Indeed the entire categorisation seems to be somewhat puzzling. Obviously the vendor could fix the vulnerabilities by using better crypto in places, and by using device-access authentication that is not hard-coded; that would surely constitute a “practical solution” and surely CERT is as aware of this as I am and the vendor is. It also appears that neither vendor nor regulator sees the need to undertake any action in response to the revelations. There is no record that the airworthiness certification of the kit has been withdrawn and I presume it hasn’t been.
Summary: IOActive and US-CERT have said “you’re using risky or broken crypto, and you’re hard-coding authentication”. Vendor and (implicitly) airworthiness regulator have said “so what?”. End of Story, probably.
None of this is to say that airworthiness certification always gets it right. Indeed, it is clear that every so often it is gotten wrong. But it is a lot more effective than what people without any experience of it seem to be assuming in discussion.

Supermarkets Nationwide Affected by Albertsons, SUPERVALU Data Breach

Grocery giants Albertsons and SUPERVALU announced yesterday that a data breach may have exposed the credit and debit card information of an unknown number of its customers at various grocery store locations in more than 18 states.
Behind Kroger’s, Albertsons is the second largest grocery store chain in the United States. SUPERVALU is third. AB Acquisitions LLC, the company that operates the Albertsons grocery store empire, posted a data breach notification on their website Thursday, saying it had “recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores.” SUPERVALU wrote essentially the same.
The breach apparently began as early as June 22 and lasted until July 17 of this year at the latest.
AB Acquisitions is saying that Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition to those, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey are said to be involved. Customers from Jewel-Osco stores in Iowa, Illinois and Indiana are affected. And Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all affected by this incident.
SUPERVALU is saying that 180 of its Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save and Shoppers Food & Pharmacy supermarket and liquor store locations are impacted.
AB Acquisitions says it has notified the appropriate law enforcement agencies and is working with SUPERVALU, who it identifies as “its third party IT services provider,” to better understand the nature and scope of the compromise.
SUPERVALU owned and operated Albertsons, Acme, Jewel-Osco, Shaw’s and Star Market stores until a $3.3 billion sale in 2013 to AB Acquisitions, which is an affiliate of Cerberus Capital Management, according to the Associated Press.
Threatpost reached out to an Albertsons spokesperson, but a request for comment was not returned by the time of publication.
In its own notification, SUPERVALU claims the “criminal intrusion may have resulted in the theft of account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name from payment cards used at some point of sale systems at some of the Company’s owned and franchised stores.”
Both companies say they have no evidence that stolen payment card information is being misused at this time.
“The safety of our customers’ personal information is a top priority for us,” said SUPERVALU President and CEO Sam Duncan. “The intrusion was identified by our internal team, it was quickly contained, and we have had no evidence of any misuse of any customer data. I regret any inconvenience that this may cause our customers but want to assure them that it is safe to shop in our stores.”
“We know our customers are concerned about the security of their payment card data, and we work hard to protect it,” said Mark Bates, Senior Vice President and Chief Information Officer at AB Acquisition LLC. “As soon as we were notified of the incident, we began working closely with SUPERVALU to determine what happened. It’s important to note that there is no evidence at this point that consumer data has been misused.”
As is the data breach standard, both companies are offering affected customers one year of free credit monitoring services.