Slashdot Log In
Botnet Attack Shuts Down Hospital Network
Posted by
Zonk
on Sun Feb 12, 2006 09:46 AM
from the that's-not-cool-man dept.
from the that's-not-cool-man dept.
aricusmaximus writes "A California student is now facing felony conspiracy charges after
unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"
Related Stories
[+]
IT: Interview with a Botmaster 291 comments
An anonymous reader writes "The Washington Post is running a fascinating feature profiling a couple of botnet operators who make thousands of dollars each month installing adware on machines they infect. This is by far the most detailed examination of this issue I've seen so far -- and includes an interview with the CEO of 180Solutions, as well as interviews with some of the botmasters' victims. From the story: 'Most days, I just sit at home and chat online while I make money,' 0x80 says. 'I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days.' He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Student's Fault (Score:4, Insightful)
Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.
I don't want to hear any psychology bullshit claiming it's not their fault--that it's society's fault for making them desire more money. I don't want to hear any bullshit that they didn't know what they were doing or the hospital should have had better security. This is an aggressive act against a public service--the internet. Computer savvy students implement code that shuts down many computers for the purpose of advertising profit. They didn't realize what they were doing? Oh, come on. Even if they didn't, it's a valuable lesson and a few less spammers to ruin the world when they graduate. Tough. You like computers? How about five to ten in federal-pound-me-in-the-ass prison?
I'll bet they wished they had enrolled in Computer Ethics 101 before going on this capital venture. As an additional punishment, they should be forced to code software to stop stuff like this from happening and tailor it for medical equipment/computers.
And what kind of intensive care unit is "shut down" when they can't use computers? It's not like their work would have to grind to a stand still. I don't want to sound like a luddite but are we really that dependent on computers? They're medical professionals, I hope they did just shut down and stop working when the computers crashed.
This student is in deep trouble. He chose actions that had grave consequences and now he'll face the charges resulting from those actions.
Inignot: Your stereo is now his stereo by way of my actions.
Shake: Yes meatwad, with actions.
Re:Student's Fault (Score:5, Informative)
Parent
Re:Student's Fault (Score:5, Insightful)
On a computer system, yes.
WTF do they need to be on the Internet for?
Parent
Re:Student's Fault (Score:4, Insightful)
And I suppose they might need the internet for paging their doctors - since it is probably a third party company that has a laughably bad ("Oh look, we ported our paging app to java and can run it over the web! Goodie Golly!") interface - but I'm pretty sure it can be done a bit more elegantly and can be made a bit more resilient.
What the fuck their keycard access system was doing on the same network as some of the infected computers is a complete mystery to me though.
Parent
Re:Student's Fault (Score:5, Insightful)
One hospital, a major level 1 trauma center, has a medical record system that's almost entirely on computer. It actually works pretty well. The application runs under X11, and bounces off a server program which is basically a middle-end to some SQL database software. So instead of going out and buying some PCs, installing Linux or BSD on them, and running their app, they splurge and spend much more for these IBM workstations. Again, no big deal. Then, because they're worried about fires, etc., they have several fallback servers which are basically mirrored copies of the database clustered around the hospital. I was bored one night in the E.R., where one of these fallover servers is, and got sick of an AIX login prompt staring at me. "login: root" "password: " Boom. Root prompt. (And am I going to report this? HELL NO. "Hey, that doctor hacked the network! REPORT HIM TO THE STATE! AIEEEEE!")
This same place at least did something sane. They have a bunch of Winblows machines running on their major network. They subnetted the AIX machines such that they can't access the Internet, and can only access the health information systems. The problem, however, is since now they had a bunch of Windows machines around that nobody ever used, they installed some kind of X11 server, and opened the network to these machines. So the AIX machines can't talk to the Internet. However, the Windows machines -- the one which are most likely to get infected with something -- can talk to the Internet and the medical records network with impunity. Oops.
Another hospital installed a software package which was a IBM DB2 frontend of some sort, written in ncurses. It left some things to be desired, but worked okay once you got used to it. (I prefer CLIs, damn it!) For various reasons, there were mechanisms to directly access the SQL database -- free of auditing, access restriction, or anything else -- from within the CLI, provided that you had a database login and password. Normally what happened is that the client program had the DB login and password locked away somewhere, and merely "authorized" you to use it. So one day I hit the wrong button and accidentally tell it I want straight SQL access. This system used a period to indicate "Oops. No, um, take me back." So I hit a period. "Password: " Uh. Period. I GET SOMETHING SAYING MY PASSWORD HAS EXPIRED AND I MUST RESET IT! Since it won't let me out otherwise, I set it to "12345" and get the hell out.
Two years later when I left that hospital, I checked on my last day. The password still worked.
The point is that hospitals are run by the same kind of incompetent Devry dingbats that corporate America is. It's just that they don't know it. So I'm not surprised that this hospital's network setup was so bad that this kid managed to pull this off.
I also think the kid is a supreme idiot, and given exactly what he did, I'd like to beat him with a crowbar.
Parent
Re:Student's Fault (Score:5, Funny)
Haven't you been reading the summary? It's the victim's fault for not wearing a bullet proof vest!
Parent
Re:Student's Fault (Score:5, Informative)
I work in a hostpital as one of the business continuity team; we keep the place running in the event of something just like this, and have to evaluate the problems that'll occur in an outage if it happens.
ITU is dependant on having patient records, history, full charts and responses available in a very rapid fashion. When the computers go down, they don't stop working, just all the communications that happen near instantly suddenly have to be ordered from medical records, and use sneakernet, which is a massive time overhead. In time critical requirements, this may mean the difference between life and death.
Fair enough, the hospital should have been more secure, but there again, it all comes down to how many admins they have on the job. I know my time is allocated (still) in a very small part on security. I'm pressing to have more allocated. And my budget for security tools is small. Hell, with the NHS budget cuts next year, we'll be lucky to have much budget at all. Still, it's improving slowly. I'm still not happy with it, which gives me more incentive to work harder on it.
But anyone who would attack a hospital system has to be aware that lives are at stake here, not just a few pounds/dollars. In commercial places, I'd frequently warn people if I could work out who they were, or the admin of the sytems they came in from if I couldn't. Eventually, I'd call the police if I believed they were being too persistent, as a last resort.
In the hospital, I spot an attack, police will be warned promptly. No messing around. The place I work at saved my brother's life years back in ITU (when, by rights, his injuries should have killed him). I'm a little protective of the work they do, and the systems that let them do their job more efficiently. After all, they may just make that difference between life and death in the borderline cases, and every little win by the skin of the teeth means a lifetime to somebody.
That was just a clarification, not a dispute. I'm behind you all the way in the sentiment you express. They're in trouble, and justly so.
Parent
Re:Student's Fault (Score:5, Insightful)
Parent
Re:Student's Fault (Score:5, Insightful)
YES
Though not all to the same degree as I'm sure you would agree. The student is of course the one that chose to break the law, and is most directly responsible for his actions. He was influenced by the adware company that offered incentive to break the law, "conspiracy to commit felony" or some such law. It's not as severe of a punishment as the felony (usually) but it's still illegal and clearly wrong.
"blame the victim" is a more controversial issue. I believe that "gross neglegence to protect one's own best interests" should in itself place a small amount of the blame on the victim. The world is not perfect, everyone is not honest, and you cannot possibly convince me that anyone in the world believes everyone around them is a saint. By not taking basic precautions when exposed to the general public, you dramatically increase your risk of becoming a victim, and that is your fault.
If I leave my car parked for a week downtown with the doors unlocked and the keys in the ignition, I'd be quite surprised to find it there a week later when I returned for it. Am I the one that stole the car? Of course not. But did my actions (or lack of actions) knowingly contribute to the theft? Of course. Were they easily preventable? Of course. That's why many insurance companies will not insure against theft if you leave your car unlocked and keys in the ignition, they recognize that you invited unnecessary and excessive risk.
I believe that the ones who so strongly resist blaming the victim are those that either have been victims in the past or that are afraid of becoming a victim, and believe that they have no responsibility to take care of themselves, and that the world should protect them. They are living in a fantasy world.
Looked at another way, criminals prefer easy targets, and this is a known factor. By taking less precaution for your safety and security than the average person, you attract the criminals to you and increase your odds of becoming a victim. Choosing to do that has got to be considered an error in judgement.
Parent
Re:Student's Fault (Score:5, Insightful)
The criteria for responsibility is cause and effect. If one entity was not present or did not perform an action (or held an inaction), and the problematic event did not occur, than that entity is responsible.
Victims should not deserve any benefit of lax criticism solely for being a victim. Furthermore, those who wrongfully claim to be a victim when they are not victims are clearly liars.
In this case, the victim is not just the hospital. The victims are also the patients of this hospital. However, the patients were at more of a loss than the hospital itself. There has been little discussion of how the hospital staff should be protecting the patients from this attack. The staff is complacent in their inability to protect the integrity of the hospital and, more importantly, the well being of the patients.
Consider the following examples. If a hospital did not use use sterile equiptment and patients become infected with a pathogen, should the hospital be responsible, or should the pathogen be responsible. By your logic, the pathogen will be responsible. However, the hospital is clearly at fault here.
If a network of computers becomes zombies after an individual invades them, would you consider the owners of the computers to be at fault? Clearly, you might not. However the computers are similar to pets of an owner. If a pet kills a person, the owner is also at fault. Similarly, the owners of the computer(s) are also at at fault because their property is being used, addendum a hypothesis that the zombies are to be used in an invasive act, should be partially responsible. If one does not believe that the computer owners are at fault, then one can not support laws of most Western societies in their entirety.
Parent
Re:Student's Fault (Score:5, Insightful)
Returning to your analogy, it would be like a gun shop not properly securing its merchandise and then shrugging its shoulders when there was a massacre using firearms stolen from said shop.
So the merchant is responsible for someone stealing his merchandise (an illegal act) and then psychoing out somewhere (another illegal act)? If someone steals a car during a test drive, goes out and gets hammered and plows through a line of school children, are you suggesting the dealer is at fault for not "properly securing their merchandise"? I'm having trouble seeing the logic here.
Parent
Re:Student's Fault (Score:5, Insightful)
If a car shop allows a visibly drunk man with no drivers licence to test drive a car then while not responsible for the deaths caused, they should bear some responsibility for fulfulling their legal obligations (assuming they have any).
Parent
Re:Student's Fault (Score:4, Insightful)
Real easy: The principles are the consiprators. They are the ones that planned the attack, launced it, and used the tools. Personal responsability is not mitigated by availiability, oportunity or circumstance. Just because they saw how to use a tool in such a way does not make them any less the guilty. The gun analogy here does not quite work. Why? Because the adware network had to be changed in order to get it work. So there was more planning, work, testing, etc., which proves more culpability and the maliciious nature of the act. In the case of gun, you just load, point and click. In this case, an entire bot net was pointed at a target, programmed and then used to attack. It is a whole lot different than pointing one gun, it is the equivalent of pointing thousands of guns, and then firing them. Worst yet, it is the equivalent of pointing thousands of guns and then blackmailing someone by saying you won't do it unless they pay you not to do it. So sure they saw that they could do it. They did it. But that does not in any way mitiagate there culpability.
As much as I hate the adware people, they are just as much as a victem too. Assume that the software was legitimately on the computers they hijacked, then this stunt was in violation of the computer tresspass laws. Further, there software was reversed engineered, hacked and then used on a hospital in an attempt to get the money.
So painting the hospital and the adware company as secondaries is foolish. When some decides that they are going to exploit someone or something and use illegal methods to gain, everybody in the chain becomes a victem, regardless of their degree of contributing participation. If the adware company had the forsight to know that its software could have been used to do such a thing, then it would reasonable to blame them, but I seriously doubt they did.
Otherwise, rest the blame squarely on the shoulders of the princple attackers. Personal responsability is what matters. The attackers used what they knew to exploit the tools.
Parent
Re:Student's Fault (Score:5, Insightful)
I used to be on the "Microsoft sucks" bandwagon, but then realized that "security vulnerabilities" would not exist if there were no dirtbags exploiting them.
No, vulnerabilities or not, it is not Microsoft's/Bill Gates' or Steve Jobs' or Linus Torvald's fauly when some criminal with a computer wreaks havoc on the internet or a private network. It is ALWAYS the criminal's fault.
An unsecured system is no more an "invitation" to exploit than a short skirt is an invitation to rape.
Parent
Who's at fault? (Score:5, Funny)
This is slashdot. The answer to that question is either Bill Gates or George Bush.
The Perpetrators Are At Fault (Score:4, Informative)
Re:The Perpetrators Are At Fault (Score:4, Insightful)
No, it's a well-established legal theory, known as "contributory negligence". The perps are the main culprits, but it's quite likely that the hospital and several of their vendors will end up tapping their liability insurance to the tune of some millions of dollars.
-jcr
Parent
Re:The Perpetrators Are At Fault (Score:5, Insightful)
So do you lock the front door when you leave the house?
Yes? But why, surely it's not your fault if someone comes in and takes everything, it's entirely their fault, no?
Lock your car too? Use passwords on your PC? Do you walk along flashing your cash at all and sundry?
You're right, it's the choice of these kids to break the law - but a hospital ought to 'lock the doors'... Not least because if they have a system that literally controls whether people live & die, they should not let just anyone have access to it. I want to know why the Intensive Care unit was on the Internet at all. If ever there was a system that should have an 'air gap' to the real world, it's that.
And the people saying 'the hospital isn't to blame any more than a woman in a short skirt is to blame for being raped' - it's not about blame, it's about responsible actions. If a woman dressed provocatively walks home alone on darkened streets, of course she doest not want to be raped, but she has to appreciate it raises the likelihood. Rapists exist, and every woman has a duty to herself not to make herself a target. Criminals exist, and every person (institution, business) have a duty to themselves (and their customers) not to make themselves targets too. If you walk down the street with your iPod in your hand, a mugger is more likely to target you than if you don't - doesn't mean it's not his fault, just that you didn't try and protect yourself.
Agreed, the 'short skirt' argument shouldn't get the rapist a lighter sentence, just because his justifcation was 'she was asking for it' any more than the hospital being insecure should reduce the penalty on these cretins. But I hope the judge says 'you see the scum that's out there? Be smart, be safe, and don't take the risk'.
It's possible for both sides to be at fault - but that seems to elude a large number of the Slashdot 'group thinkers'. Lock these guys up as long as you like, but if you don't also get the hospital to wise up then it's pointless - there's a never ending collection of criminals out there... and next time someone could die.
Mark
Parent
All three + few more (Score:4, Insightful)
if you make promotions that encourage antisocial behavior you should be ashamed..
if you try to steal money frm above promitions by using above holes you are ofcourse a thing called criminal.
And the extras: Companies making unsecure products..
At fault: all three (Score:5, Insightful)
The students should be taken out and beaten. Anyone with any level of computer knowledge these days should know such activities are both highly immoral and illegal. This isn't stealing MP3s. And to attack a hospital? How thoughtless can you get? However, it's easy to be tempted by this type of thing, while these students got caught, many more got away with it at some point.
The Hospital should be scolded, but it's hard to know just from the story to what degree. It could range from a slap on the wrist to a lawsuit. If they had good computer security, then the students were just good at getting through. If it was bad computer security, then they need to step up and admit it. In any case, they are a hospital that appears to be running Windows to control their sensitive security systems. Bad choice, and that alone warrants one finger pointed at the hospital, if it's true. However, many hospitals are notoriously underfunded. In any case, I hope the IT staff of the hospital reviews this situation and revamps their software to minimize this risk in the future.
The adware makes should all be taken out and shot. They are the immoral facilitators and the ones who should take the most blame. They are the modern day equivalent of drug dealers. They didn't kill the person taking their drugs, but they knew it eventually would come to that, and they never stopped selling. They put all the risk for the crime on the students, knowing full well they could get caught, and that someone elses computer system would be seriously damaged. Something very gruesome and painful should befall them, before execution.
Stupid question (Score:5, Insightful)
Note that what follows below is only based on RTFA wich as usuall when dealing with mainstream press reporting on tech may be wrong or inaccurate or indeed made up on the spot. Nonetheless based on this I conclude the following.
That the student used zombie computers to install adware software that would then generate 'hits' for the students account so that he would be paid. He was using computers he did not own to defraud adware companies by generating false ad hits. This is a wellknown fraud dealing mostly with pay-per-click style ad schemes.
So who takes blaim here and for what? Funny enough that the 'question' left out the first and most obvious cullprit.
I am amazed that MS was not mentioned as one of the cullprits. How often does their software got to lead to crap like this before people will finally ban it for any serious use. Would we accept a hospital that used say oxygen bottles filled by the local scuba diver club? Use alcohol produced in someone's bathtub?
I would very much like to hear that the person responsible for that hospitals computer systems is fired and never allowed to work again. Yes the student is the criminal here who deserves jail time but a sysadmin who installs windows deserves the chair. And yes I would be happy to throw the switch. Hell I would be happy to peddle on a bike to generate the electricity.
If I sound a bit biased against MS it is because I have once again been drafted in working on some piece of crap MS setup because some MSCE idiot made a nice sales pitch. Why don't you just put a sign on your server "Own me!" and be done with it.
Re:Student's Fault (Score:4, Insightful)
The students, clearly.
Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.
The difference is that colt doesn't pay people to fire their pistols in public. Now, this doesn't absolve the dumbass of any responsibility, but it sure as hell makes the adware company an accessory. Seriously, they didn't think anything was going on when someone gained 50,000 PCs in a couple of weeks? They knew and didn't give a shit because they were paid even more money by the people whose "content" (read: shit) they were serving up.
Kneecap 'em both (yes, there are more than 2 people involved) - and I mean this quite literally, this sort of shit would get nipped in the bud quite quickly if we went IRA on them and used a makita drill (or would it have to be Black and decker, you know, for the whole "made in america" thing.)
A couple hundred companies should also be knocking on the adware companies' doors, "politely" asking for a refund and leaving letters from their lawyers.
And, to be quite honest, a couple sysadmins also need a kick in the ass with a steel tipped pointy boot. Why would your keycard system be connected to your network, especially in a hospital situation? To say nothing of the fact that the pager system got owned (from what I understand, pagers are sort of important to doctors in hospitals) and it seems that pretty much everything was disrupted because ~15% of their computers were infected.
Not blaming them for the attacks, of course, but lets be serious, this was a pretty big screwup on their part. Then again, given hospital politics, it probably wasn't the sysadmin's fault, but a department head who has no training in IT, but does everything Toilet and Douche tells him to do.
Finally, id by some small chance, Christopher Maxwell is reading this, I can only hope that in 15 years you will remember your job at WalMart and recall how it was the best job you ever had.
Don't drop the soap, bud.
Before you blame the admins... (Score:4, Insightful)
Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.
Why don't you look and see what's involved in hospital IT? I've been there, and it's a major headache for admins. You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.
Add in software developers who frequently have no clue as to what's actually needed, how to make a useable UI, and how information flows in a healthcare setting. But they have a hell of a sales pitch to the doctors and administrators, and you're the one who has to make it work.
Now try to secure it. Really! Wait until the first time Doctor X decides they're going to install their personal software on the workstation. Never mind that supposedly they're not allowed to do that - they'll do it anyways and then scream at you when you take it off. Take a wild guess as to who the hospital's going to back!
It's easy to blame the IT people, and the use of Windows, here. Wrong, but easy. They picked it up pretty quickly, and dealt with it. I'm sure they'd have loved to have more control, but unfortunately it's a question of what you're allowed to do, not what you want to do.
Why do they need the internet in the first place? (Score:5, Insightful)
WHY WERE THE HOSPITAL'S COMPUTERS CONNECTED TO THE INTERNET IN THE FIRST PLACE?
I can't think of a single reason that the computers containing confidential information, personal medical records, and systems necessary for the day-to-day running of the hospital weren't on a stand-alone network in the first place. There are probably some tools that require internet connection, but why weren't these tools run on separate computers? It's fairly easy to transfer data from an internet-connected computer to a non-internet-connected computer (and vice-versa) with floppy discs, removable drives, CDs, DVDs, etc. It may create a small extra step every once and a while, but it's not like the dangers of computers being hacked over the internet is unknown. Even if it did not create an ethical dilemma to have patient records possibly available to a competent internet hacker, the threat of massive lawsuits should such information be stolen should be enough to create some justifiable paranoia about internet attacks. Also, if someone had died because of a slowing of communications within the hospital due to the current hacking, the hospital probably would have been faced with a wrongful death suit. Whether the hospital lost such a lawsuit or not, it would still cost a lot of money and effect the bottom line.
Come on, people, this should be a case of enlightened self-interest. It may be the robber's fault if the robber comes into your house through an unlocked door, but the insurance company won't cover your losses if you left the door unlocked. Locking your doors can be a bit inconveninent if you have to get the door open again while carrying an armload of groceries, but it's worth the security in the long run.
Re:So who's really at fault here? (Score:5, Insightful)
It is a pity that the US legal system is no longer about justice; it is now about what can be proven.
I don't understand your comment. If you cannot prove a person is guilty, punishing them is not justice.
Parent