
Botnet Attack Shuts Down Hospital Network

Posted by Zonk
from the that's-not-cool-man dept.
aricusmaximus writes "A California student is now facing felony conspiracy charges after unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"
  • common factor .... (Score:3, Interesting)

    by 3seas (184403) on Sunday February 12, 2006 @09:56AM (#14699508) Journal
    computer industry....software...

    the analogies that others might post in this thread may not consider the possibility of doing it all different such that these problems either likely won't exist or they can't.

    Want protection from internet problems? Don't connect to it. But even the International Space Station has had its computer problems.

    Life support and computers......hmmmmm....
  • Re:Student's Fault (Score:3, Interesting)

    by eldavojohn (898314) * <.moc.liamg. .ta. .nhojovadle.> on Sunday February 12, 2006 @10:01AM (#14699529) Journal
    I agree with you completely.

    In fact, today we are treating many more patients and types of problems through the help of computers.

    To me, the phrase "shut down" means to close up shop. I know they didn't do this but it makes me wonder how much have hospitals suffered in capabilities by accepting automation?

    Advanced life support system may need to be on the network to send signals. But what about the EKG machine? The intravenous drip? These things should not be dependent on computers yet I know from a friend who works in a hospital that IVs have small computers on them to regulate the flow. I hope to god they are safely restricted from internet access.
  • Product Liability (Score:1, Interesting)

    by Anonymous Coward on Sunday February 12, 2006 @10:02AM (#14699532)
    If GM sold a car that didn't have locks on the door, and they were always being stolen, they would be facing a class action lawsuit.

    But when Microsoft starts selling anti-virus software, and profits from the inherent insecurity of their crap operating system, shareholders applaud, and the public is silent. It's time to start holding Microsoft accountable for all the tens if not hundreds of billions of economic harm caused by their inattention to quality.

    Likewise, any IT administrator for a hospital that makes a demonstrably vulnerable OS a critical part of critical hospital operations should be shown the door. Quite frankly, it really doesn't matter if you buy the argument that Windows' security is appalling (it is), or not. Empirically, for whatever reason, Windows is under constant attack. Other operating systems are not. That much, at least, is plain on the face of it. Yet MS apologists are so addicted to their MS crack that, as we see here, they will actually put people's lives in danger. Sickening.
  • by loraksus (171574) on Sunday February 12, 2006 @11:51AM (#14699995) Homepage
    Surely the actual ICU equipment isn't networked at all

    Sure it is. If someone flatlines, the attending gets a page. Furthermore, like someone said, it is pretty simple to throw 20 ekg's on a 24" lcd and monitor all the patients in the ward from a single location. And, of course, they have alarms that go off when someone flatlines too.

    Now, there is a way of doing this and isolating it from the Internet (aka, The Right Way). There is also a Really Wrong, No Seriously, How Goddamn Stupid Do You Have To Be To Do It That Way.

    I really don't know why the door access was compromised. Maybe they ran it over the same network, maybe their access server got hit by the adware, it ultimately doesn't matter. It should be on a separate set of wires, and really, should be an almost standalone system.
  • by Anonymous Coward on Sunday February 12, 2006 @12:23PM (#14700153)
    Never!

    The fact that there have been so many security holes over so long a time to make it worth the while of some miscreant to write the software to make botnets at all is evidence enough that there is something seriously wrong with using windows for ANYTHING remotely mission critical.
  • by DerekLyons (302214) <fairwater@gmai l . c om> on Sunday February 12, 2006 @01:38PM (#14700492) Homepage
    Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.
    It's not just healthcare apps... The vendor of the vertical app my wife (who is the comptroller) uses in her business is switching from Linux to Windows - because their TCO is *higher* under Linux. The vendor is tired of supporting the OS as well as the app, and the businesses that run the app are tired of not being able to slide over to $BIG_BOX_STORE, buying a box off the shelf, and being able to drop it on their network. (Instead they have to buy the box from the vendor - who wants to be in the software business, not the hardware business.)

    Linux may be 'cheaper' for the individual geek, or the large business with a dedicated IT staff - but for the middle-sized and small business it's a different kettle of fish.

  • by Dashing Leech (688077) on Sunday February 12, 2006 @01:47PM (#14700529)
    "If they had lost that connection, they would not have had sufficient staff to keep every patient adequately monitored."

    Hmm. Interesting. I work for a NASA contractor and the safety systems need to be 3 failures deep to go without being addressed as safety hazards, and that includes non-life-threatening risks (like laser damage to eyes). The above described scenario is one failure deep to become life-threatening. It's interesting that we put more emphasis on astronaut safety, who volunteer for dangerous jobs, than we do for ICU patients.

  • by hung_himself (774451) on Sunday February 12, 2006 @03:54PM (#14701044)
    Of course the students and adware companies were wrong but the scariest part of it was that the hospital - is getting off so easily - even in the land of geeks. What would be the reaction if the hospital had left its records, medications, instrumentation out in the open and physically rather than just electronically accessible to the public? If someone had died - who do you think would be sued - the idiot who tried to pawn the heart monitor or the hospital for leaving it on the street?

    For those not familiar with the health system here - it is a private one. The motive for hospitals is to maximize profit while minimizing costs. Since there is relatively little public accountability through the government, and individual patients are largely unaware of the relative quality of hospitals, health care insurers are the ones that keep costs from getting too high and malpractice suits keep quality of care from getting too low. Mistakes can cost money - but admitting mistakes can cost a lot more and thus the level of cover-your-butt here is amazingly high.

    In such a CYA environment, I question two things - the assertion that no one was hurt - and that the bot attacks were the ones that brought the network down. Both of these things may be true but are also things that administrators would say to prevent lawsuits. The fact that the staff was able to adapt so well to the computers being down suggests to me that this is not the first time that it has happened. In any case, there is no question that the computer network is poorly set up and that is almost certainly the fault of the administration. The docs can get away with small things like putting screensavers on their machines but it would take a high level admin who wanted to save money by using the same OS across the board and/or wanted remote connectivity so that his crackberry could work more easily to really screw things up. If there are lawsuits - things will probably change - not necessarily to do things in a sane manner - but so that they can't be sued. The same calculation (effect on lawsuits) will also be used to decide whether and who will be fired/scapegoated over this - and it won't be the admin with the crackberry. At worst he/she might be made to go on a junket to Japan to learn how to run a hospital more like an automotive assembly line...

  • Re:Student's Fault (Score:2, Interesting)

    by xmundt (415364) on Sunday February 12, 2006 @04:21PM (#14701150)
    Greetings and Salutations...

    For what it is worth, I feel I should point out that, in most cases, rape has nothing to do with sexual feelings. Rather it is a power trip where the rapist, through feelings of inadequacy and anxiety is terrorising a helpless victim. The length of the skirt does not matter, as there are thousands of cases of demurely dressed women being raped.

    Now...as to the topic at hand. It will be interesting to see what sentence Maxwell gets whacked with. I think the max is a bit over the top, actually, but, I could see the possibility of a suspended sentence, with community service, and supervised probation. Of course, the juveniles will, at worst, be stuck in jail until they are 18 (Perhaps a good paddling would be more effective...) In any case it sounds to me like they are nearly perfect Republicans, and a good mirror of American society. They seemed to be able to ignore the moral and ethical questions about damage to the systems they were taking control of, and seem to believe that the rules only apply to someone else. Would we feel any differently if they had managed to infiltrate a university system and cause disruption of class schedules, etc?

    As mentioned in other comments, there is plenty of blame to go around too. It sounds as if the sysadmins were woefully behind in keeping the network secure. While there is no comment as to what OS was being used, I suspect it was, indeed, Windows of some flavor. IF I was in charge of such a critical network, I would make damn sure that I had a real firewall between it and the rest of the world, and, that there were internal firewalls running on the various machines to keep things under some control.

    Of course, the fishing-net mesh of security holes in Windows keeps this a full-time job. Adding to that the fact that even today many sysadmins simply do not have a clue about good security procedures, makes this sort of disaster much more likely.

    Finally, I do lay some of the blame on the advertising model. While the whole idea of click-through charges can make internet advertising very attractive for the clients, it is a powerful incentive for greedy and unprincipled people to set up this sort of bot flood.

    How do we fix the problem? "don't use windows" is the easy, but alas, unrealistic option. Rather, sysadmins need to understand that security is not a mountaintop goal that we can reach, set up our lawnchair and kick back to enjoy the beautiful view! Rather, it is more like a 40 mile hike with full packs. All you can do is put your head down, and keep slogging along. The journey will, alas, unlike the hike, never end and, since the spammers and phishers and other scum continually find ways to get BY the security, we sysadmins have to continually patch the holes and update our fences.

    Regards
    Dave Mundt
  • Re:Student's Fault (Score:4, Interesting)

    by Randseed (132501) on Sunday February 12, 2006 @06:19PM (#14701591)
    WTF do they need to be on the Internet for?

    My experience with most doctors is if you take away WebMD and PDR.net from a doctor and you got a very insecure individual. Seriously though, if it's a large hospital with multiple campuses (or even not) the EMR will probably require internet access. Anything critical such as monitoring patients' equipment etc is done over RF or rarely a separate isolated network.

    Agreed. But the way this should be engineered is similar to how I've engineered my home network and office network.

    All the networks connect to the Internet. All of them are incoming firewalled against everything except what I explicitly want. (A deny-default model.) My router NATs to the other machines on my home network. My WiFi connection is over a VPN. Any communication between the computers that touches the Internet or WiFi is VPNed. One off site system which acts as a router to a bunch of Windows terminals, a backup system, distributed computing system, and fallback server, will not accept ANY connections, and, at most, will merely route NATed traffic to the Windows machines so that they can use the Internet.

    As a result, I'm not worried about someone eavesdropping on my WiFi traffic, intercepting my traffic when I connect using my laptop from offsite, or anyone getting in at all really. The only access to the network on the incoming side is by OpenVPN and one machine which is running a chrooted SMTP server. The "secure" machines are unable to initiate connections outside except what I've explicitly allowed.

    So I'm not quaking in fear that someone is going to go hack my box. Incidentally, a security condition is that no Windows are on my network unless I have no choice, and if they are, they can ONLY talk to the Internet and back out; not to any of the internal machines.

    Now, why do I say all this? Because I'm a doctor, not an IT guy. The IT guys look at me like I'm some twit who just fell off the turnip truck. Maybe I did, but I sure as hell didn't hit my head in the process. Passwordless fallback servers, Windows machines which if infected act as a terrific bridge between the (insecure) fallback servers, EMR system, and the Internet, etc. It makes me want to barf.

    Oh, and why don't I say anything? I'll get blown off at best. At worst, I'll have some DeVry dipshit claim I "hacked the network." It's a sad, sad state of affairs.

    And yes, this thread pushed some of my buttons.

  • by Randseed (132501) on Sunday February 12, 2006 @06:25PM (#14701618)
    Considering that the various entry points need to communicate back to the central server ... and there's already all this cat5 cable run for the network ...

    Some "genius" decides to save money (always a good plan) and use the existing cable system to enable communication between the entry points and the security computer.

    You can laugh all you want, but my boss right now would take the savings and rely upon me to make sure that everything else was fully patched, anti-virused, locked down, etc.

    After all, I'm salaried and hardware / cable installation costs real money.

    The sad part about it is that even that isn't an excuse. What I'm about to suggest is far from perfect, but eliminates most of the attacks from dime-store techno-weenies.

    You have one cable. That cable is going to run between the keycard entry system, the monitor bank, the EMR system, and Windows machines which are chilling out, vulnerable as all hell, and generally being bad citizens. So you assign 10.1.1.0/24 to the keycard system. You assign 10.1.2.0/24 to the EMR system. You assign 10.1.3.0/24 to the monitor bank. You assign 10.1.4.0/24 to the Winblows boxes. You buy a $300 machine from Best Buy, say an AMD 3200+, and install Linux on it. Run the damned thing into a switch. Have the Linux machine only route data appropriately. In other words, it is going to section the subnets.

    Now, you're still vulnerable to various attacks. I wouldn't suggest otherwise. Some ARP attacks come to mind. But this eliminates 99% of the attacks out there. Even if the Windows machines are infected all to hell, the Linux machine won't route 10.1.4.0/24 to 10.1.1.0/24, 10.1.2.0/24, or 10.1.3.0/24.
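The deny-default forwarding policy Randseed describes in the two posts above (the home/office network that is "incoming firewalled against everything except what I explicitly want", and the four-subnet hospital plan with a Linux box sectioning them) can be written down and checked before anyone touches a real router. The following is an added example, not code from Randseed or from any hospital; it models the Linux router's forwarding decision for the 10.1.1.0/24 through 10.1.4.0/24 plan from the post, and renders the same policy as iptables FORWARD rules (text only, nothing is applied). The two allowed flows in `ALLOWED_FLOWS` are assumptions chosen for illustration: the post only states that the Windows subnet must never reach the other three.

```python
import ipaddress

# Constructed subnet plan, following the four zones named in the post.
ZONES = {
    "keycard":  ipaddress.ip_network("10.1.1.0/24"),
    "emr":      ipaddress.ip_network("10.1.2.0/24"),
    "monitors": ipaddress.ip_network("10.1.3.0/24"),
    "windows":  ipaddress.ip_network("10.1.4.0/24"),
}

# Deny-default: a new connection is forwarded only if its (source zone,
# destination zone) pair is listed here. Both entries are assumptions for
# illustration; anything not listed, including every flow out of the
# Windows subnet towards the other three, is dropped.
ALLOWED_FLOWS = {
    ("windows", "internet"),   # NATed web access for the Windows boxes
    ("monitors", "emr"),       # monitor bank posting readings into the EMR
}


def zone_of(ip_text):
    """Map an address to its zone name, or 'internet' for anything outside the plan."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def forward_allowed(src, dst):
    """Decision the Linux router makes for a NEW connection crossing subnets.

    Return traffic of an allowed connection is handled by connection tracking
    in the rendered rules, so only the initiating direction is modelled here.
    Hosts on the same /24 never traverse the router at all; that is the
    layer the post's ARP caveat lives at, and this policy cannot see it.
    """
    return (zone_of(src), zone_of(dst)) in ALLOWED_FLOWS


def iptables_rules():
    """Render ALLOWED_FLOWS as an iptables FORWARD chain with DROP as the default."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst in sorted(ALLOWED_FLOWS):
        src_net = ZONES[src]
        if dst == "internet":
            # 'internet' means 'none of our zones': drop each internal
            # destination explicitly before the broad ACCEPT that follows.
            for net in ZONES.values():
                lines.append(f"iptables -A FORWARD -s {src_net} -d {net} -j DROP")
            lines.append(
                f"iptables -A FORWARD -s {src_net} -m conntrack --ctstate NEW -j ACCEPT"
            )
        else:
            lines.append(
                f"iptables -A FORWARD -s {src_net} -d {ZONES[dst]} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
    return lines


def audit(samples):
    """Evaluate constructed (src, dst) pairs and report which would be forwarded."""
    return {(s, d): forward_allowed(s, d) for s, d in samples}


if __name__ == "__main__":
    # Constructed sample flows: an infected Windows box probing each zone,
    # plus the two flows the plan intends to permit.
    samples = [
        ("10.1.4.20", "10.1.1.5"),      # windows -> keycard: must be dropped
        ("10.1.4.20", "10.1.2.5"),      # windows -> EMR: must be dropped
        ("10.1.4.20", "10.1.3.5"),      # windows -> monitors: must be dropped
        ("10.1.4.20", "203.0.113.5"),   # windows -> Internet (TEST-NET-3): allowed
        ("10.1.3.7", "10.1.2.5"),       # monitors -> EMR: allowed
        ("203.0.113.5", "10.1.4.20"),   # unsolicited inbound: dropped
    ]
    for (s, d), ok in audit(samples).items():
        print(f"{s:>13} -> {d:<13} {'FORWARD' if ok else 'DROP'}")
    print()
    print("\n".join(iptables_rules()))
```

Running the block prints the decision for each constructed flow followed by the rule set. The point of keeping the policy as a small allow list is that the "Windows cannot reach 10.1.1.0/24, 10.1.2.0/24 or 10.1.3.0/24" property from the post falls out of the default rather than having to be remembered as three separate deny rules.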
