Botnet Attack Shuts Down Hospital Network
aricusmaximus writes "A California student is now facing felony conspiracy charges after
unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"
common factor .... (Score:3, Interesting)
The analogies that others might post in this thread may not consider the possibility of doing it all differently, such that these problems either likely won't exist or can't.
Want protection from internet problems? Don't connect to it. But even the International Space Station has had its computer problems.
Life support and computers......hmmmmm....
Re:Student's Fault (Score:3, Interesting)
In fact, today we are treating many more patients and types of problems through the help of computers.
To me, the phrase "shut down" means to close up shop. I know they didn't do this but it makes me wonder how much have hospitals suffered in capabilities by accepting automation?
Advanced life support systems may need to be on the network to send signals. But what about the EKG machine? The intravenous drip? These things should not be dependent on computers, yet I know from a friend who works in a hospital that IVs have small computers on them to regulate the flow. I hope to god they are safely restricted from internet access.
Product Liability (Score:1, Interesting)
But when Microsoft starts selling anti-virus software, and profits from the inherent insecurity of their crap operating system, shareholders applaud, and the public is silent. It's time to start holding Microsoft accountable for all the tens if not hundreds of billions of economic harm caused by their inattention to quality.
Likewise, any IT administrator for a hospital that makes a demonstrably vulnerable OS a critical part of critical hospital operations should be shown the door. Quite frankly, it really doesn't matter if you buy the argument that Windows' security is appalling (it is), or not. Empirically, for whatever reason, Windows is under constant attack. Other operating systems are not. That much, at least, is plain on the face of it. Yet MS apologists are so addicted to their MS crack that, as we see here, they will actually put people's lives in danger. Sickening.
Re:It can't be networked... (Score:3, Interesting)
Sure it is. If someone flatlines, the attending gets a page. Furthermore, like someone said, it is pretty simple to throw 20 EKGs on a 24" LCD and monitor all the patients in the ward from a single location. And, of course, they have alarms that go off when someone flatlines too.
Now, there is a way of doing this and isolating it from the Internet (aka, The Right Way). There is also a Really Wrong, No Seriously, How Goddamn Stupid Do You Have To Be To Do It That Way.
I really don't know why the door access was compromised. Maybe they ran it over the same network, maybe their access server got hit by the adware; it ultimately doesn't matter. It should be on a separate set of wires, and really, should be an almost standalone system.
When is the last time you heard of a Linux botnet? (Score:1, Interesting)
The fact that there have been so many security holes over so long a time to make it worth the while of some miscreant to write the software to make botnets at all is evidence enough that there is something seriously wrong with using Windows for ANYTHING remotely mission critical.
Re:Before you blame the admins... (Score:3, Interesting)
Linux may be 'cheaper' for the individual geek, or the large business with a dedicated IT staff, but for the middle-sized and small business it's a different kettle of fish.
Re:When my dad was in a cardiac ICU (Score:4, Interesting)
Hmm. Interesting. I work for a NASA contractor and the safety systems need to be 3 failures deep to go without being addressed as safety hazards, and that includes non-life-threatening risks (like laser damage to eyes). The above described scenario is one failure deep to become life-threatening. It's interesting that we put more emphasis on astronaut safety, who volunteer for dangerous jobs, than we do for ICU patients.
STRAW MAN! Patients - not hospital are victims... (Score:3, Interesting)
For those not familiar with the health system here - it is a private one. The motive for hospitals is to maximize profit while minimizing costs. Since there is relatively little public accountability through the government, and individual patients are largely unaware of the relative quality of hospitals, health care insurers are the ones that keep costs from getting too high and malpractice suits keep quality of care from getting too low. Mistakes can cost money - but admitting mistakes can cost a lot more and thus the level of cover-your-butt here is amazingly high.
In such a CYA environment, I question two things: the assertion that no one was hurt, and that the bot attacks were the ones that brought the network down. Both of these things may be true but are also things that administrators would say to prevent lawsuits. The fact that the staff was able to adapt so well to the computers being down suggests to me that this is not the first time that it has happened. In any case, there is no question that the computer network is poorly set up and that is almost certainly the fault of the administration. The docs can get away with small things like putting screensavers on their machines, but it would take a high-level admin who wanted to save money by using the same OS across the board and/or wanted remote connectivity so that his crackberry could work more easily to really screw things up. If there are lawsuits, things will probably change, not necessarily to do things in a sane manner, but so that they can't be sued. The same calculation (effect on lawsuits) will also be used to decide whether and who will be fired/scapegoated over this, and it won't be the admin with the crackberry. At worst he/she might be made to go on a junket to Japan to learn how to run a hospital more like an automotive assembly line...
Re:Student's Fault (Score:2, Interesting)
For what it is worth, I feel I should point out that, in most cases, rape has nothing to do with sexual feelings. Rather, it is a power trip where the rapist, through feelings of inadequacy and anxiety, is terrorising a helpless victim. The length of the skirt does not matter, as there are thousands of cases of demurely dressed women being raped.
Now...as to the topic at hand. It will be interesting to see what sentence Maxwell gets whacked with. I think the max is a bit over the top, actually, but, I could see the possibility of a suspended sentence, with community service, and supervised probation. Of course, the juveniles will, at worst, be stuck in jail until they are 18 (Perhaps a good paddling would be more effective...) In any case it sounds to me like they are nearly perfect Republicans, and a good mirror of American society. They seemed to be able to ignore the moral and ethical questions about damage to the systems they were taking control of, and seem to believe that the rules only apply to someone else. Would we feel any differently if they had managed to infiltrate a university system and cause disruption of class schedules, etc?
As mentioned in other comments, there is plenty of blame to go around too. It sounds as if the sysadmins were woefully behind in keeping the network secure. While there is no comment as to what OS was being used, I suspect it was, indeed, Windows of some flavor. If I were in charge of such a critical network, I would make damn sure that I had a real firewall between it and the rest of the world, and that there were internal firewalls running on the various machines to keep things under some control.
Of course, the fishing-net mesh of security holes in Windows keeps this a full-time job. Adding to that the fact that even today many sysadmins simply do not have a clue about good security procedures, makes this sort of disaster much more likely.
Finally, I do lay some of the blame on the advertising model. While the whole idea of click-through charges can make internet advertising very attractive for the clients, it is a powerful incentive for greedy and unprincipled people to set up this sort of bot flood.
How do we fix the problem? "Don't use Windows" is the easy, but alas, unrealistic option. Rather, sysadmins need to understand that security is not a mountaintop goal that we can reach, set up our lawn chair and kick back to enjoy the beautiful view! Rather, it is more like a 40 mile hike with full packs. All you can do is put your head down and keep slogging along. The journey will, alas, unlike the hike, never end and, since the spammers and phishers and other scum continually find ways to get BY the security, we sysadmins have to continually patch the holes and update our fences.
Regards
Dave Mundt
Re:Student's Fault (Score:4, Interesting)
Agreed. But the way this should be engineered is similar to how I've engineered my home network and office network.
All the networks connect to the Internet. All of them are incoming firewalled against everything except what I explicitly want. (A deny-default model.) My router NATs to the other machines on my home network. My WiFi connection is over a VPN. Any communication between the computers that touches the Internet or WiFi is VPNed. One off site system which acts as a router to a bunch of Windows terminals, a backup system, distributed computing system, and fallback server, will not accept ANY connections, and, at most, will merely route NATed traffic to the Windows machines so that they can use the Internet.
As a result, I'm not worried about someone eavesdropping on my WiFi traffic, intercepting my traffic when I connect using my laptop from offsite, or anyone getting in at all really. The only access to the network on the incoming side is by OpenVPN and one machine which is running a chrooted SMTP server. The "secure" machines are unable to initiate connections outside except what I've explicitly allowed.
So I'm not quaking in fear that someone is going to go hack my box. Incidentally, a security condition is that no Windows are on my network unless I have no choice, and if they are, they can ONLY talk to the Internet and back out; not to any of the internal machines.
Now, why do I say all this? Because I'm a doctor, not an IT guy. The IT guys look at me like I'm some twit who just fell off the turnip truck. Maybe I did, but I sure as hell didn't hit my head in the process. Passwordless fallback servers, Windows machines which if infected act as a terrific bridge between the (insecure) fallback servers, EMR system, and the Internet, etc. It makes me want to barf.
Oh, and why don't I say anything? I'll get blown off at best. At worst, I'll have some DeVry dipshit claim I "hacked the network." It's a sad, sad state of affairs.
And yes, this thread pushed some of my buttons.
Re:Here's one scenario: (Score:3, Interesting)
The sad part about it is that even that isn't an excuse. What I'm about to suggest is far from perfect, but eliminates most of the attacks from dime-store techno-weenies.
You have one cable. That cable is going to run between the keycard entry system, the monitor bank, the EMR system, and Windows machines which are chilling out, vulnerable as all hell, and generally being bad citizens. So you assign 10.1.1.0/24 to the keycard system. You assign 10.1.2.0/24 to the EMR system. You assign 10.1.3.0/24 to the monitor bank. You assign 10.1.4.0/24 to the Winblows boxes. You buy a $300 machine from Best Buy, say an AMD 3200+, and install Linux on it. Run the damned thing into a switch. Have the Linux machine only route data appropriately. In other words, it is going to section the subnets.
Now, you're still vulnerable to various attacks. I wouldn't suggest otherwise. Some ARP attacks come to mind. But this eliminates 99% of the attacks out there. Even if the Windows machines are infected all to hell, the Linux machine won't route 10.1.4.0/24 to 10.1.1.0/24, 10.1.2.0/24, or 10.1.3.0/24.
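The deny-default forwarding policy for the Linux box described in the comment above, written out as an added example in nftables syntax (not the commenter's own configuration). The interface names, the sysctl requirement and the one permitted clinical flow (monitor bank to EMR) are assumptions; the four subnets are the ones the comment assigns.

```nftables
#!/usr/sbin/nft -f
# Added example, not the commenter's configuration. Assumes eth0 faces the
# Internet, eth1 sits on the shared switch carrying all four subnets, and
# net.ipv4.ip_forward=1 is set. Which clinical-to-clinical flows are allowed
# is also an assumption; adjust to what the systems actually need.
flush ruleset

define wan_if   = "eth0"
define lan_if   = "eth1"
define keycard  = 10.1.1.0/24
define emr      = 10.1.2.0/24
define monitor  = 10.1.3.0/24
define windows  = 10.1.4.0/24
define clinical = { 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 }

table inet filter {
    chain forward {
        # Deny-default: nothing crosses between subnets unless a rule says so.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Log and drop any attempt from the Windows subnet toward the clinical
        # subnets, so an infected box shows up in the router log, not the ICU.
        ip saddr $windows ip daddr $clinical log prefix "win->clinical drop: " drop

        # Windows boxes get Internet access and nothing else.
        iifname $lan_if oifname $wan_if ip saddr $windows accept

        # Assumed clinical flow: the monitor bank records into the EMR system.
        ip saddr $monitor ip daddr $emr accept

        # Clinical subnets never reach the Internet or the Windows subnet;
        # the chain policy drops that without a further rule. Log the rest
        # so unexpected traffic between subnets can be reviewed.
        log prefix "forward drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Only the Windows subnet is NATed out; clinical subnets have no path out.
        oifname $wan_if ip saddr $windows masquerade
    }
}
```

This constrains only traffic the Linux box actually forwards; since all four subnets share one switch, it does nothing for the layer-2 (ARP) weakness the comment acknowledges, which is why the earlier comment's "separate set of wires" still applies.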