Mar 11 2010

VA investigating security breach of veterans’ medical data

The Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center, sources have told Nextgov.

The assistant allegedly recorded two sets of patient data onto a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information, according to a source familiar with the incident who asked not to be identified.

Roger Baker, VA’s chief information officer, commented on an item about the incident posted Monday evening on a Nextgov blog, saying that the physician assistant’s laptop was never connected to the VA network and that any data she recorded on her laptop was “hand entered.”

But the source told Nextgov the VA inspector general is investigating whether the assistant used two thumb drives to transfer the data to the laptop.

The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded.

VA spokeswoman Katie Roberts said she cannot comment in detail on the Atlanta breach because it is under investigation. But in an e-mail, she stated, “VA is committed to protecting the privacy of veterans who have used our health care facilities. VA’s Office of Inspector General is currently investigating a report that a former VA physician assistant stored unauthorized clinical data about patients at the Atlanta [VA medical center] on a personal laptop computer.

“VA’s Office of Information and Technology is trying to gather more details about the circumstances, including the number of veterans whose information was involved and the nature of the information affected. The results of the investigation and analysis will help determine whether to send notifications and offers of credit protection services to the affected veterans.”

The inspector general has asked VA’s Office of Information and Technology, which Baker heads, to determine how many veterans were involved in the data breach and what kinds of personally identifiable or private health information might be involved.

The inspector general has determined that multiple documents on the laptop “appear to have come from an unapproved research project,” noted a document about the incident, which Nextgov obtained.

The incident is reminiscent of a 2006 cybersecurity breach at VA. In what was one of the largest security lapses in the department’s history, a Veterans Affairs analyst downloaded information on 26.5 million patients — practically every living veteran — onto the hard drive of his personal laptop so he could work on a research project at home. The laptop was later stolen and recovered. Investigators determined the personal information likely was not accessed.

But the breach resulted in VA instituting policies to bar the connection of personal computers to Veterans Affairs networks and to encrypt all patient data stored on department computers. Violation of the policies could result in administrative, civil or criminal penalties.

In his comment on the Nextgov blog, Baker said those policies worked in the Atlanta case and the physician assistant was denied access to VA systems. In addition, a nurse scientist and visiting scholar at the medical center stopped the assistant from using the data after learning about the unapproved research project, according to the document on the incident. The nurse told the physician assistant to destroy the data, and when it was not destroyed, the nurse informed a research compliance officer in Atlanta on Feb. 8. The physician assistant resigned on Feb. 26, according to the document.

The breach illustrates the need for patients, not clinicians, to control their medical records, said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit based in Austin, Texas, that works to ensure medical information remains restricted. She said control should include a requirement to obtain a patient’s consent to send clinical information to another doctor or to use it for research. Peel added that electronic consent software currently exists to automate the process.

Source


Mar 9 2010

Former NSA tech chief: I don’t trust the cloud

The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems themselves are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Crypto AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much — a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

Source


Mar 4 2010

Monster botnet held 800,000 people’s details

The Mariposa botnet had the power to dwarf the Georgia and Estonia cyberattacks if it had been used to launch denial of service attacks, say Spanish police.

Months of investigations by the Guardia Civil in Spain, the FBI and the security firms Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed “Netkairo”, 31, from Balmaseda in the Spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura, Murcia, and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement (in Spanish here), Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who’s possibly based in Venezuela.

Defence Intelligence discovered the botnet last May and formed a team that brought in security experts from Bilbao-based Panda and computer scientists at Georgia Tech Information Security Center. Security researchers infiltrated the botnet’s command and control systems, learning enough to mount a successful takedown operation in cooperation with ISPs on 23 December.

Netkairo responded to this by launching a retaliatory denial of service attack against Defence Intelligence that took out customers at a Canadian ISP for several hours. In wrestling to obtain control of the botnet he made the mistake of connecting to compromised systems using his home PC, a mistake that led to his identification (as explained in our earlier story on the takedown operation).

Luis Corrons, technical director of PandaLabs, explains the Mariposa botnet’s business model and the takedown operation in a video accompanying the original story.

Source


Mar 3 2010

Spain arrests three accused of running huge botnet

Authorities in Spain have arrested three men accused of operating a massive botnet composed of 12.7 million PCs that stole credit card and bank log-in data and infected computers in half of the Fortune 1,000 companies and more than 40 banks, according to published reports.

The botnet “Mariposa,” which means butterfly in Spanish, first appeared in December 2008 and grew to be one of the largest botnets ever, The Associated Press reported. It spread the Butterfly worm via removable drives, MSN Messenger, and peer-to-peer programs, and targeted Windows XP and older systems.

Unlike many underground hackers, the alleged ringleaders of the operation were not skilled programmers, but had contacts who were, authorities said.

“They’re not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits–the most frightening thing is they are normal people who are earning a lot of money with cybercrime,” Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, told the news service.

In Spain, names and mug shots of arrested citizens are not released to protect their privacy, though they were identified by their Internet aliases: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25. They face up to six years in prison if convicted of the hacking charges.

More arrests are expected, authorities said. The botnet is no longer operating, according to the AP report.

Source


Feb 25 2010

Temporary cryptome.org site online after Network Solutions “Legal Lock”

The web site cryptome.org is currently online at http://cryptomeorg.siteprotect.net/ until the domain can be transferred away from Network Solutions. The following is from the temporary site:

This is the temporary Cryptome address until the Cryptome.org domain is transferred. Network Solutions shut Cryptome.org and has placed a “legal lock” on the domain name, preventing its transfer, until the “dispute” is settled. Some recent files are available now and the full collection is being transferred.


Feb 9 2010

Sweden Probing Cisco, NASA Hacks

Swedish investigators are probing a hacker U.S. authorities accuse of unlawfully intruding into Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division, the authorities said Monday.

Philip Gabriel Pettersson, known in the hacking world as “Stakkato,” allegedly seized computer code that controls internet traffic. After the 2004 breach of Cisco, the proprietary source code for Cisco’s IOS operating system was discovered on a Russian website.

Pettersson was indicted in the United States in May on five hacking counts (.pdf), but could not be brought from Sweden to the United States for trial. Sweden does not extradite its own citizens, but said it was examining whether to prosecute him in Sweden after U.S. authorities in San Francisco initiated that request.

“The intrusions to Cisco Company and NASA are regarded as computer intrusion according to Swedish law,” Swedish prosecutor Chatrine Rudstrom told federal prosecutors in San Francisco, according to documents released Monday.

Still, Rudstrom told San Francisco federal authorities that Sweden was not guaranteeing it would charge the 21-year-old suspect.

Pettersson was convicted in 2007 of invading the networks of three Swedish universities and ordered to pay $25,000 in damages. He was 16 at the time of the intrusions.

Source


Feb 9 2010

Microscope-wielding boffins crack cordless phone crypto

Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.

The attack is the first to crack the cipher at the heart of the DECT, or Digital Enhanced Cordless Telecommunications, standard, which encrypts radio signals as they travel between cordless phones in homes and businesses and corresponding base stations. A previous hack, by contrast, merely exploited weaknesses in the way the algorithm was implemented.

The fatal flaw in the DECT Standard Cipher is its insufficient amount of “pre-ciphering,” which is the encryption equivalent of shaking a cup of dice to make sure they generate unpredictable results. Because the algorithm discards only the first 40 or 80 bits during the encryption process, it’s possible to deduce the secret key after collecting and analyzing enough of the protected conversation.

“This standard, as with everything else we have broken, has been designed some 20 years ago, and it is proprietary encryption,” said Karsten Nohl, one of the cryptographers who helped devise the attack. “It relied on the fact that the encryption was unknown and hence could not be broken. This is a case where something that has some potential for being strong is broken by just this one design decision that in any public review would have been spotted immediately.”

Nohl, 28, is the same University of Virginia microscope-wielding reverse engineer who cracked the encryption in the world’s most widely used smartcard. In December, he struck again after devising a practical attack for eavesdropping on cellphone calls.

He and fellow researchers Erik Tews of the Darmstadt University of Technology and Ralf-Philipp Weinmann of the University of Luxembourg plan to present their findings Monday at the 2010 Fast Software Encryption workshop in Korea.

Like several of Nohl’s previous hacks, it began with nitric acid and an electron microscope. After dissolving away the epoxy on the silicon chip and then shaving down and magnifying the section dedicated to the DECT encryption, he was able to glean key insights into the underlying algorithm. He then compared the findings against details selectively laid out in a patent and exposed during a debug process.

The results of all three probe methods revealed the fatally insufficient amount of pre-ciphering in the DECT Standard Cipher.

In practical terms, the attack works by collecting bits of the encrypted data stream with known unencrypted contents. In cordless phones, this often comes from a device’s control channel, which broadcasts a variety of predictable data, including call duration and button responses. Sniffing an encrypted conversation with a USRP antenna and the average PC, an attacker would need to collect about four hours of data to break the key in typical scenarios.

In others – such as where DECT is used in restaurants and bars to wirelessly zap payment card details – the time needed to crack the key could be dramatically shorter, Nohl said. The time can also be sped up in a variety of other ways, including by adding certain types of graphics cards to beef up the power of the attacking PC. In some cases, the attack can retrieve the secret key in 10 minutes.

“We expect that some smarter cryptographers than ourselves will find better attacks, of course,” Nohl told El Reg. “We found the algorithm and then implemented the first attack. It’s almost guaranteed that this is not the best attack.”

The DECT Forum, the international body that oversees the standard, said it takes the attack scenarios laid out in the paper seriously and “continues to investigate their applicability.”

The crack of DECT is only the latest time Nohl has defeated the proprietary encryption of a device with critical mass. His 2008 attack on the Mifare Classic smartcard used similar techniques of filing down a silicon chip and then tracing the connections between transistors. His proposed attack on GSM encryption affects cellphones used by more than 800 carriers in 219 countries.

Source


Feb 9 2010

Biggest hacker training site shut down

What is believed to be the country’s biggest hacker training site has been shut down by police in Central China’s Hubei province. Three people were also arrested, local media reported yesterday.

The three, who ran Black Hawk Safety Net, are suspected of offering online attack programs and software to others, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets was also frozen.

According to the provincial public security department of Hubei, the closure of the website had its roots in a previous Web attack and virus dissemination case in the city of Macheng in 2007, when police found that some of the suspects caught were members of Black Hawk Safety Net.

Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, trojan software and online forum communications.

Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan in membership fees. More than 170,000 people registered for free membership.

Police said more than 50 officers had been investigating the case.

They seized nine Web servers, five computers and one car, and shut down all the sites involved in the case, according to the provincial public security department.

“I could download trojan programs from the site which allowed me to control other people’s computers. I did this just for fun but I also know that many other members could make a fortune by attacking other people’s accounts,” said a 23-year-old member of Black Hawk Safety Net in Nanjing of East China’s Jiangsu province, who asked to remain anonymous.

“It is not very difficult to do simple hacker tasks. Some hacker members are teenagers who dropped out of school and make money by stealing accounts,” he said.

A 20-year-old college student who registered with three different hacker training sites said a hacker training course costs from 100 to 2,000 yuan.

“Basically students were told how to steal accounts and use trojan programs. Sometimes trainers show us how to write programs,” he said.

“But now it’s very difficult to become a registered member. Some well-known hacker training sites have not been accessible since November,” he said.

According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan in 2009.

Source


Feb 3 2010

Oracle Hacker Gets The Last Word

In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was “unbreakable.” David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle’s 11G database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level. “Anything that God can do on that database, you can do,” Litchfield told Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat’s audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle’s software. Two sections of code within the company’s database application–one that allows data to be moved between servers and another that allows management of Oracle’s implementation of Java–are left open to any user, rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database’s contents.

Litchfield says he warned Oracle about the flaws in November, but they haven’t been patched. Oracle didn’t immediately respond to a request for comment.

The bug is far from the first that 34-year-old Litchfield has outed on Oracle’s behalf. As a cybersecurity researcher and penetration tester, Litchfield has exposed more than a thousand database software security flaws, mostly in Oracle’s code.

Source


Jan 13 2010

Google threatens to leave China after massive cyberattacks

Google today said that a “highly sophisticated and targeted” attack against its network last month originated in China, and tried to access the Gmail accounts of Chinese human rights activists.

In a blog post Tuesday, David Drummond, Google’s chief legal officer, said that the attacks have forced the company to “review the feasibility of our business operations in China.” Google, continued Drummond, is “no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

The end result of those discussions, said Drummond, may be that Google shuts down its search engine and closes its offices in the People’s Republic of China.

“This is a bold and a very difficult move on [Google's] part,” said Leslie Harris, the president and CEO of the Center for Democracy & Technology (CDT), a Washington, D.C.-based civil liberties group. “But with the revelations that there have been major cyber attacks aimed at human rights activists, both in China and in the West, it’s hard to see how Google could have remained silent.”

According to Drummond, Google was one of at least 20 large companies that were targeted by massive attacks in December. In Google’s case, the attacks resulted in the theft of some company intellectual property.

More troubling, said Drummond, was that the attacks were aimed at accessing the Gmail accounts of human rights activists in China. Gmail is officially unavailable in the country, but activists and others use anonymous proxies to circumvent that rule.

“We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” said Drummond, who added that with the exception of two accounts, those attacks had been unsuccessful. The message content of those accounts was not compromised, Drummond claimed; instead, only some information, such as subject lines and the date the account was created, was accessed.

Drummond also said Google had discovered that the Gmail accounts of dozens of U.S.- and Europe-based advocates of human rights in China had been “routinely” accessed by unauthorized users.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” said Drummond.

Source