Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog



Health database breached

Published: 2009-05-05
Last Updated: 2009-05-05 19:04:50 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

The wikileaks.org web site, a well-known repository of "leaked" documents that were never supposed to see the light of day, is reporting a supposedly large security breach of the Virginia Prescription Monitoring Program (VPMP). According to the web site and other sources around the web, the VPMP web site was defaced by an unknown hacker who left a ransom note asking for 10 million US$ in order to return the data.

According to the hacker, he acquired records on more than 8 million patients. The records include prescription data as well as each patient's name, age, address, SSN and driver's license number.

Now, while none of this has been verified, there are a couple of things we can already see. First of all, the hacker definitely managed to compromise the web site, because the front-end web page was modified. According to the message left by the hacker, he also deleted the backups (now, this raises some eyebrows, doesn't it?).

If all of this is correct, it indicates that several protection layers failed at the VPMP. Without knowing more details we can't say if the web application was good or bad (maybe the hacker got access through a different vulnerability), but one thing that should never happen is the ability for a hacker to delete your backups. Indeed, any decent backup system will only allow you to back up the data or read it; only the backup administrator should be able to delete the backups.

We'll see how things will develop here and update the diary if we get more information.
 

Keywords: breach health ransom

New version (v 1.4.2) of BASE available

Published: 2009-05-05
Last Updated: 2009-05-05 16:43:53 UTC
by Tom Liston (Version: 1)
0 comment(s)

While there isn't a writeup in the site's "news" section, I've confirmed with fellow InGuardian and BASE project-lead, Kevin Johnson, that there is indeed a new version (v 1.4.2) of BASE available.  If you're not familiar with it, BASE is a web interface to perform analysis of network intrusion data gathered by Snort.  You can download the latest version here.

Tom Liston - InGuardians - ISC Handler


Every dot matters

Published: 2009-05-05
Last Updated: 2009-05-05 09:33:56 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

A couple of days ago, one of our readers, Lee Dickey, reported strange behavior of a link on Microsoft's TechNet web page with information about SP2 for Vista. At first look, it appeared that a web page hosted by Microsoft had been compromised, as it redirected the browser to an external web site which was simply some kind of search engine.

The screenshot of the page is shown below. Can you spot the error?

technetmicrosoft.com

That's right: a dot is missing between technet and microsoft.com, so the link actually pointed to technetmicrosoft.com, which is a domain registered by someone in the USA, as is easily checked with WHOIS.

So what happened here? Nothing malicious. It was simply an error or a typo by someone at Microsoft. However, what should be stressed is the importance of link validation: if the owner of the technetmicrosoft.com domain had been malicious, he could have done some serious damage. Luckily, Lee notified Microsoft as well and this was fixed quickly.

--
Bojan
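
As an added illustration of the link validation this diary calls for (not code from the diary or from Microsoft), the sketch below audits the links in a page before publication and flags hosts that end with an owned domain but lack the separating dot. The `OWNED_DOMAINS` list, the function names and the sample markup are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the publisher maintains a list of domains it controls.
OWNED_DOMAINS = {"microsoft.com"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href value of every <a> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def is_owned(host, owned=OWNED_DOMAINS):
    """True if host is an owned domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned)

def missing_dot_of(host, owned=OWNED_DOMAINS):
    """Owned domain that host ends with but without the separating dot, else None."""
    for d in owned:
        if host != d and host.endswith(d) and not host.endswith("." + d):
            return d
    return None

def audit_links(html, owned=OWNED_DOMAINS):
    """Return (href, host, verdict) for each absolute link leaving owned domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        host = (urlsplit(href).hostname or "").lower().rstrip(".")
        if not host or is_owned(host, owned):
            continue  # relative link, or a host the publisher controls
        d = missing_dot_of(host, owned)
        verdict = f"missing dot before {d}?" if d else "external, review"
        findings.append((href, host, verdict))
    return findings

# Constructed sample markup, not the original TechNet page.
SAMPLE = """
<a href="http://technet.microsoft.com/">TechNet</a>
<a href="http://technetmicrosoft.com/">Vista SP2 information</a>
<a href="/downloads">Downloads</a>
<a href="http://example.org/">Partner site</a>
"""
if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

The suffix check is deliberately broad: any host that merely ends with an owned domain name is flagged for a human to review, not blocked automatically.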
