CSIS Report: Securing Cyberspace

Re: CSIS Report: Securing Cyberspace

http://www.mcgrewsecurity.com/2009/0...texodus-part2/

The kid was a late night security guard at the hospital. While working he used his access badge to put an IRC bot onto a machine. How he got into the HVAC screens is unknown. Then he videos the exploits using his laptop. I do like that he puts on latex gloves *after* he logs in so that he's not caught. Not like there's any evidence.

Hmm, logon to the machine
His badge being used to get to the floor possibly into the door also
His face
His uniform on under the sweathshirt.
I'll just take a guess and assume he then access the IRC bot from the Hospitals network so that he could get video of it.

Watch the videos they're quite a amusing. This guy is 1337, phear him.

Re: CSIS Report: Securing Cyberspace

I can think of two reasons right off the top of my head.

The HVAC system isn't under the domain of the IT department and is administered by an outside firm, and they didn't want to complicate it by adding security because the personnel that normally operate it aren't considered sophisticated enough to understand security.

If it is under the domain of the IT department, they didn't think that it could actually cause any damage if anyone got into it. After all, it's just HVAC, what bad could possibly come of someone messing with it.

Re: CSIS Report: Securing Cyberspace

Here's some more info on this case:

Dark Reading article:
http://www.darkreading.com/insiderth...leID=218300006

FBI's Arrest/Search Warrant affidavit:
http://mcgrewsecurity.com/codedump/m..._complaint.pdf

FBI Press Release:
http://dallas.fbi.gov/dojpressrel/pr...9/dl063009.htm

Wesley McGrew's blog: (McGrew is the FBI's "CW-1" or "Confidential Witness #1")
http://www.mcgrewsecurity.com/2009/0...clinic-part-1/

It makes one wonder about what happened. With so much attention paid to the health care system, why and how could a hospital's HVAC system be left that wide open? Is the Carrell Clinic's IT staff completely incompetent when it comes to security or was it a matter of the IT staff focusing on the things like HIIPA compliance for the Electronic Medical Records that they missed other things that need to be secured? The first possibility is downright scary, and hopefully isn't true. The second possibility is probably closer to the truth, and should serve as a remind to all of us not to forget all the "other" attack vectors when we're working on securing one area.

BTW, last week "GhostExodus" took his original posts about the HVAC attack off the AnarchistCookBook.com Forum:
http://anarchistcookbook.com/f25/hva...he-bot-t30304/

But our eveil genius seems to have forgotten Google Cache:
http://74.125.47.132/search?q=cache:...ient=firefox-a

Re: Brag about crimes == Jail Time!

This is exactly why human security guards need to be replaced with their ED-209 equivalents.

I just recompiled my SCADA hacking articles PDF. It's now 484 Pages.

http://members.netjunkies.net/streak...g Articles.zip

Enjoy.

Re: Brag about crimes == Jail Time!

Interesting.

What's even more interesting is the thread on the "Warezscene.org" forums where this clown not only bragged about it, but posted screenshots from the HMI.

http://www.warezscene.org/hacking/79...er-hacked.html

He was clearly looking for bragging rights, but along with the bragging rights, he made himself high profile. If he'd posted posted screen shots of the HVAC controls to the executive offices, probably no one would have cared. However, once he posted showed screenshots of labeled "Surgery Center", "OR-2" through "OR-5", and "Alarm (from) Sterile Storage Humidity", he was bound to attract attention.

Yeah, I've never understood why evil geniuses don't just shoot the good guy. "What shall we kill the hero with? Thirty cent bullet, or million dollar laser? Hmmm.... I know, LASER!"

Of course, it does make for more macho dialog:

Re: Brag about crimes == Jail Time!

I call this the SPECTRE syndrome also known as the Dr. Evil syndrome.

Dr. Evil: Scott, I want you to meet daddy's nemesis, Austin Powers
Scott Evil: What? Are you feeding him? Why don't you just kill him?
Dr. Evil: I have an even better idea. I'm going to place him in an easily escapable situation involving an overly elaborate and exotic death.

Dr. Evil: All right guard, begin the unnecessarily slow-moving dipping mechanism.
[guard starts dipping mechanism]
Dr. Evil: Close the tank!
Scott Evil: Wait, aren't you even going to watch them? They could get away!
Dr. Evil: No no no, I'm going to leave them alone and not actually witness them dying, I'm just gonna assume it all went to plan. What?
Scott Evil: I have a gun, in my room, you give me five seconds, I'll get it, I'll come back down here, BOOM, I'll blow their brains out!
Dr. Evil: Scott, you just don't get it, do ya? You don't.

He forgot to ask for the::

One... Hundred... BILLION DOLLARS!

xor

What is with the younger generation today, they simply don't know how to commit crimes. I guess we have a new politically correct word; the criminally challenged? These guys are like TV criminals.

Brag about crimes == Jail Time!

http://www.theregister.co.uk/2009/07...cker_arrested/

Not exactly the sharpest tool in the shed. I'll never understand why people feel the need to brag about their crimes, in public no less.

Of course, if criminals were smart, they probably wouldn't be criminals. This is just another example though of an attack that was coming from the inside, I'm just glad that it wasn't an actual IT person. It does make you wonder why he was able to compromise the machines, I'd say the IT department wasn't doing something they should to have prevented such access.

It could be that they were complacent with their 'own' people (even though he was a contract guard), they might not have viewed their security personnel as a threat.

Re: CSIS Report: Securing Cyberspace

Thanks for putting that up! I snagged it and am looking forward to jumping into it. Keep us posted about your presentation.

Regards,

valkyrie
__________________________________________________ __
sapere aude

Re: CSIS Report: Securing Cyberspace

Disclaimer: These are articles that I pulled from varying news sources over the past couple of years. Take them for what you will.

This has ballooned to 427 pages and about 14Mb. Happy reading.

http://members.netjunkies.net/streak...g_Articles.pdf

I am currently working on a presentation with all the information that I've compiled from all of this. I don't actually have a venue to present it at yet, so I'm kind of working on that too.

I'll have some more news about this about mid April too.

Re: CSIS Report: Securing Cyberspace

Please do, I look forward to reading it as well.

Re: CSIS Report: Securing Cyberspace

I'll do it a little later today. I found a couple more articles to compile into it.

Re: CSIS Report: Securing Cyberspace

Streaker69, please do so. I am interested in reading your compilation.

Regards,

valkyrie
__________________________________________________ ________
sapere aude

Re: CSIS Report: Securing Cyberspace

It's actually a fairly good read. Most of the articles aren't typical blah blah news stuff. I've only made it about 1/4 of the way through so far.

I'll post it when I get back, I gotta go sniff some wires right now.

Re: CSIS Report: Securing Cyberspace

Sorry; I meant the typical new story about how someone might do it without going into ANY details. I'd love to read stories with some meat, but the average story has none. Given what some folks have sent in huge volumes of news stories... there's no telling. If they're talking about specifics, host that baby up!

Re: CSIS Report: Securing Cyberspace

There is no 'might' about it. It can and has been done, quite easily.

If you don't feel it's interesting, then chances are, you probably shouldn't have posted anything.