Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 146
Long-time Slashdot reader t0qer writes:
I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.
"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.
"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
Re:Border control (Score:4, Insightful)
You can only perjure yourself in a court of law, under oath.
You can be charged with lying to a federal officer. Not perjury, but still a problem if it happens to you.
Re: (Score:1)
Any oath or sworn statement, by federal statute (Score:4, Informative)
The federal perjury statute says a person is guilty of perjury if they lie in either of these two types of instances"
A) They've taken an oath in front of *any* court or competent *person* in any circumstance in which federal law allows an oath.
Or
B) Any written statement declaring "under penalty bof perjury", including a DMCA notice and certain customs forms.
Here's the actual text of the statute:
Whoeverâ" ...
(1) having taken an oath before a competent tribunal, officer, or person, in any case in which a law of the United States authorizes an oath to be administered, that he will testify, declare, depose, or certify truly, or that any written testimony, declaration, deposition, or certificate by him subscribed, is true, willfully and contrary to such oath states or subscribes any material matter which he does not believe to be true; or
(2) in any declaration, certificate, verification, or statement under penalty of perjury
* In a DMCA notice, the complainant swears under penalty lf perjury that they are the copyright holder or the copyright holder's representative. They do NOT swear under penalty of perjury that a jury won't later determine that it's fair use or any other issue of law.
Re: (Score:1)
That's why Clinton could not be prosecuted for Perjury
The case was "utterly without merit" said Republican Judge Susan Weber Wright, and thus only a civil fine for "substantially false and evasive answers" was lawful
?!?!? Lying about the exact focus not immaterial (Score:3)
Huh?!?!? Are you saying the stuff she lied about was immaterial to the investigation? She was being being investigated for sending classified information via a non-secure email system. She said "I did not send material marked classified over non-secure email". How the hell is that immaterial to the subject of the investigation?
PS, as is often the case with the Clintons, her words were *very* carefully chosen to say one thing to anyone listening, while technically saying something completely different, in
Re: ?!?!? Lying about the exact focus not immateri (Score:3)
Now, if the charges were lying and deception it'd be a different story . . . but then again, compared to the PEOTUS she's friggin' Mother Teresa. I hope you enjoyed the 1950's, 'cause that's where we're heading
FBI director announced two things (Score:3)
The Director of the FBI, who is appointed by the President, said two things of import in his announcement:
A) Mrs. Clinton was "extremely careless" with classified information. (Being negligent with classified information is a federal crime).
B) He would not recommend prosecution. (Of the person who was about to become his boss, in all likelihood.)
So basically the FBI announced she was guilty, but they weren't going on record as recommending that the (expected) new boss be prosecuted.
Prosecutions for *perjur
Re: (Score:3)
This was the same FBI director who released an, er . . . interestingly timed statement about HRC's emails, yes?
Occam's Razor suggests that the simpler explanation is correct - that the reason the FBI didn't recommend charges was because charges weren't justified.
No interpretation, direct quote from FBI (Score:2)
No interpretation required. The FBI announced that she was without a doubt "very careless with classified information." That's a fact. The relevant crime is being "negligent" with classified information. That's a fact, no interpretation.
It's also a fact that in the same announcement, FBI director Comey, appointed by Obama, stated that other people would be prosecuted if they were similarly negligent. I'm not interpreting anything, that's what the FBI announced.
Re: (Score:1)
Re: (Score:2)
It is also a fact that nobody is criminally prosecuted for being negligent with classified information - at least in no cases I could find. Deliberate mishandling is frequently criminally prosecuted, regardless of pretty much anything else. Negligence is not. (Okay, there was one guy who agreed to plead guilty to a misdemeanor charge, which is technically criminal, but he didn't have to in the end.)
Someone lied to you. I know two cases in a year (Score:2)
Off the top of my head, I know of two cases prosecuted in the 12 months before the Clinton announcement. One Navy sailor was prosecuted for taking a selfie aboard ship, and is currently incarcerated. US Navy ships are classified.
Brian Nishimura didn't instruct others to unlawfully remove classification markings in order to obscure his action of carrying classified information on a personal device, but he too was prosecuted.
Keep in mind when you hear Hillary or one of her team defend her illegal actions by
Re: (Score:2)
The guy who deliberately took a picture of stuff he knew was classified? That was deliberate violation, and such things are, as I said, prosecuted. I don't have information about the alleged order to remove classification markers, but I'm willing to allow Cabinet-level officers some leeway in their departments.
I didn't take Clinton's claims at face value. First, Comey said she wouldn't be prosecuted. Then, a hostile Congressman said that that was the case and it was too bad. Finally, I went looking
Re: (Score:2)
Occam's Razor suggests that the simpler explanation is correct - that the reason the FBI didn't recommend charges was because charges weren't justified.
My Occam's Razor says the simplest answer was "In this Political Environment no reasonable prosecutor would pursue this matter.", but saying the "In this Political Environment " part out loud would have been suicidal.
Re: (Score:1)
Here you go, I've had it memorized for 20 years (Score:2)
I've had the Black's definition and various cases on what constitutes negligence memorized for 25 years now, so let me just recite it for you.
Negligence:
failure to exercise the degree of care expected of a person of ordinary prudence in like circumstances
"Extremely careless" is roughly equivalent to "gross negligence", defined as " a conscious, voluntary act or omission in reckless disregard of a legal duty". By instructing subordinates to remove the "classified" markings before sending her the documents,
Re: (Score:1)
Careless is a MUCH less precise statement, saying only " Failed to act on the ASSUMPTION"
So, once again, you lose.
Re: (Score:1)
Btw, I was talking about Bill
Re: (Score:2)
You must have been the cool kid in school. Everyone wanted to be friends with you, right?
Re: this sounds like crypto (Score:2)
Re: (Score:2)
Actually, no. He encrypted the data and made backups.
Shorter summary (Score:1)
Some idiot used Windows, didn't bother upgrading some old software because it was closed source and upgrades expensive and got what they deserved.
Re: (Score:1)
If you missed the hypocrisy exposure for a "Lock her up" (without evidence) fan suddenly demanding someone ELSE be accountable for a crime.....
Re: (Score:3)
Hypocrisy- I don't think that word means what you think it means. Well that or there is a lot more to this story than what is printed on this page.
Even if we buy into the suggestion that the GP is a "lock her up" fan (there is evidence in word or text of law of wrong doing, Comey inserted a mens rea test into the application of a law which the law in question specifically avoids in order to say no charges are warranted because Hillary didn't mean to break the law. The only people not questioning that are Hi
Re: (Score:1)
Look up "intent"
Re: (Score:2)
actually, no it does not. Look up strict liability for instance.
Another instance, you could borrow someone's car who failed to renew their vehicle registration. You get a ticket for driving on expired tags, no mens rea needed as the act of driving the car with expired registration is enough.
Re: (Score:1)
Good news, a ticket isn't a criminal complaint.
Bad news? There goes your example.
Strict liability attaches only to generally dangerous acts (that is, dangerous to all persons in proximity, not just the accused), thus the "Dynamite" exception.
Classified material can only be illegally distributed WITH INTENT, such as Betray-Us did.
Re: (Score:2)
https://www.law.cornell.edu/us... [cornell.edu]
Check out section (d)
I guess congress is dumber than you or something.. More like something I would guess.
Re: (Score:2)
Comey inserted a "mens rea" test that applies historically to prosecution, whether or not it's in the law. Historically, people who did what Clinton did have not been criminally prosecuted. Some have lost jobs or clearances, but the closest to facing criminal charges was one guy who thought he'd have to plead guilty to a misdemeanor.
Re: (Score:2)
That's fine and all but it doesn't change the facts. All it does is illustrate that there is law for you and them. Just like cops who speed down the road in their personal vehicles don't get a ticket- even when they are on their way home from a shift in which they just issued you a speeding ticket.
But there are sources out there that seem to disagree with Comey's interpretation of events. I found two that closely match hillary. It seems to be a biased site and your mileage may vary.
http://www.thepoliticalin [thepoliticalinsider.com]
Right (Score:2)
Like it would have made any difference if they had an outdated Linux distribution.
Re: (Score:2)
You can update outdated Linux distributions for free, there is no valid excuse to using old and outdated open source software. Closed software often has the drawback that you're "locked in" by whatever vendor, they can increase the upgrade price ten-fold and you'd have no options.
On the other hand, even outdated Linux distributions pose a significantly lower risk of a successful hack.
Re: (Score:2)
Fuck you. No one deserves to have a piece of shit corrupt their data "because I can."
People that do shit like that on purpose deserve a bullet to the back of the head.
Re: (Score:2)
So you leave your front door wide open when you go on vacation because no piece of shit should walk in and steal or vandalize your stuff? Yeah, whoever does that intentionally and maliciously deserves to be punished (although a bullet is a bit far) but the 'owners' are also responsible to take precautions.
Re: (Score:2)
we don't know that, for all we know they were one of those mongodb databases that got cryptolocker-ed.
Except that you're describing it wrong. Cryptolocker has nothing to do with the over 20,000 MongoDB databases that have been subjected to ransom.
Here's what's happened...and may well be the case in this particular instance as well. MongoDB, by default, has no controls on being able to write, read, or even delete information. If you make the database accessible via the Internet, odds are you haven't fixed that default state..and that's exactly what's happened to tens of thousands of public-accessible Mong
Top priority? Always? (Score:2, Troll)
The company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority."
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
Re: Top priority? Always? (Score:1, Insightful)
Because not everybody is perfect, you smug asshole.
Re: (Score:2)
Not being smug at all. I've had my medical (hospital) information, insurance (2 different insurance companies), 3 credit card companies hacked over the period of the last 2 years and each time, they always say the same thing. Security is our top priority , but then you find out it really wasn't. They were doing unsecure processes which is how they got hacked, had been warned about their practices etc...
I have no choice if I use these services (other than to not get medical, insurance and use a credit ca
Re: Top priority? Always? (Score:2)
Re: (Score:3)
Or, you know, it's just hard to secure things.
I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton
Re:Top priority? Always? (Score:5, Funny)
"I was gonna keep our clients' data secure . . . but then I got high . . ." -- Afroman, https://www.youtube.com/watch?... [youtube.com]
CEO is shown lying by his company's own actions (Score:5, Interesting)
then
If the first was true, the second wasn't necessary.
Re: (Score:2, Interesting)
You must have an MBA. Today's security is a continuous process and most if not all security procedures will last longer than a few years and will result in a near zero chance of getting hacked. This is a medical marijuana dispensary, not even a hospital or credit card company, the reason they got hacked is because they lacked the skills or didn't want to spend the money necessary to secure themselves.
Keep your systems updated, remove encryption standards that are out of date, close services and ports you do
Re: CEO is shown lying by his company's own action (Score:1)
Ah the magic of open source where there are no long standing, highly damaging security flaws /s
Re:CEO is shown lying by his company's own actions (Score:4, Insightful)
Keep your systems updated, remove encryption standards that are out of date, close services and ports you don't need, don't use Windows, and if you must, don't give your users Administrator or root rights and if your software tells you otherwise, get different software.
Ok, you've eliminated maybe 10% of the attack vectors.
will result in a near zero chance of getting hacked
Oh, I see. You know nothing about security.
You WILL get hacked. Expect it, plan for it, invest in delaying it for as long as possible and minimising its impact when it does, but you will get hacked.
Re: (Score:1)
Also, security has a finite limit against the cost of doing business.
In other words, you admit that security is not their top priority. Thank you for agreeing with us.
Re: (Score:2)
If the first was true, the second wasn't necessary.
Not at all true. If I have a budget of $5m and dedicate $2m to security, $1.9m to operations, and $1.1m to other then security is still my top priority, even though spending on it can be increased and it could be made better.
Absolute security is not a thing.
Re: (Score:1)
If I have a budget of $5m and dedicate $2m to security, $1.9m to operations, and $1.1m to other then security is still my top priority, even though spending on it can be increased
Not at all true. If that $2 goes to performing the minimum required, while the $1.9 and $1.1 goes to extravagances, security is not your top priority. Largest cost != highest priority.
Secure and Available:related, yet not synonymous (Score:2)
"Secure" and "Available" are related but not synonymous.
It is possible to have a system that is secure against data exfiltration, but still susceptible to intentional corruption. I'm not saying this is necessarily true in this case, but it is certainly a possibility.
Fear of data leakage is just one of many reasons why a black market will continue to exist, even with "medical" and decriminalization. There's still a social stigma against pot and THC users (stronger in certain areas and cultures than o
Re: (Score:3)
Re:Top priority? Always? (Score:4, Informative)
HIPAA rules do not describe how to secure your data. It only tells you that you need to secure your data and the procedures to follow when you're not compliant. It doesn't prescribe a particular encryption or what needs to be encrypted.
Case in point, most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN" and then it doesn't matter the external VPN vendor only supports DES (yes, still single DES in 2016/2017), it's documented as being "encrypted", any hacking would be the result of 'evil hackers' which they can't do anything against and then it becomes the FBI's responsibility to catch the criminals, the hospitals have done their due diligence and don't need to report breaches because they have gone according to HIPAA standards.
"Medical" should be in quotes (Score:2)
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
You forgot the quotes around "medical". In 99.9999% of cases it has nothing to do with medicine or treating any illness. If this really was medicine it would sold through a normal pharmacy and have FDA approval and double blind efficacy tests like every other drug. While I do not dispute that there are likely medicinal uses for some of the ingredients in marijuana, let's not pretend that the VAST majority of people who are "seeking treatment" are anything other than just recreational users. I have no pr
Re: (Score:2)
No worries, then (Score:2)
> no problem at all with safe recreational use but calling it "medical marijuana" is just an insult to the intelligence of anyone with a functioning brain.
No problem, then. The term is used by and for potheads, not for people with a functioning brain.
Many years ago, I was into NORML and the marijuana legalization movement. (We called it "decriminalization".) I wrote some articles that were well received by my NORML peers. Looking back on what I wrote now, I think "what the hell? Wtf was I smoking when
Re: "Medical" should be in quotes (Score:2)
Re: (Score:2)
We have been here before. Late in the Prohibition era, people were getting prescriptions written for "medical beer."
http://www.smithsonianmag.com/... [smithsonianmag.com]
Re: (Score:3)
" In 99.9999% of cases it has nothing to do with medicine or treating any illness. "
Oh come on! That's an exaggeration and you know it. It's "medical marijuana" because it requires a prescription.
The f***ing FDA doesn't give a damn about The People. It is owned by the big pharmaceutical corporations! A majority of Congress is likewise owned based on their recent bi-partisan vote to keep the ban on importing drugs from Canada. Note that these same corporations are funding anti-decriminalization efforts
Show me the evidence (Score:2)
The overwhelming pressure for access from recreational users does in fact spill over to the medical user community. We are not happy about it. It gives asshats like you ammo to a completely falacious argument.
Fallacious? Ok smart guy. Show me ANY actual evidence that the vast majority of the millions of users of "medical" marijuana are not in actuality recreational pot users and have legitimate medical conditions that are demonstrably not responsive to any of the rest of modern medicine. Go ahead. I'll wait.
[crickets]
Yeah I thought so... You acknowledge my point. The recreational users are the main driver for legalization and they vastly out number any medical users that might exist. They are getting fake
Show me evidence (Score:2)
Fuck you asshole. How do you know they weren't self medicating themselves under the table before the option was available.
It's adorable how worked up people get when you point out an inconvenient truth. If you are one of the few who are actually helped by pot then by all means do whatever you need to do. I'll back you up. But don't blow smoke (literally) up my ass and try to tell me that we have some epidemic of people who have serious medical conditions that only pot can treat or that modern medicine is full of quacks and idiots. Most of the "medical marijuana" users do NOT have any medical condition. If you have actual
Re: (Score:2)
"I assume HIPAA rules apply since this is medical usage. Were they adhered to?"
I don't think you can use protection of a Federal Act to protect yourself from a Federal Crime. Somehow, I don't think dog hunts.
Top priority = profits (Score:2)
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
Their top priority is obviously making a profit, just like any other company. Data security is only a priority insofar as it affects their ability to continue to make a profit. If the cost of data security is higher than the value of a breach then guess what is going to happen sooner or later...
Re:Top priority = profits (Score:4, Funny)
Their marijuana data will vanish in a puff of smoke?
Re: (Score:2)
If your companies top priority is to keep data secure, they how/why did you get hacked. They always say that, but clearly that is not the Top Priority
I see you're doing your part by not using dangerous apostrophes where they are needed!
Implicit in any company's statement that security is their top priority is the large bundle of compromises that don't go away whether or not that is your top priority. They could make the data perfectly secure by disconnecting the servers and putting them in a bank vault. They could make sure the data can't be breached by simply destroying all of it. See?
Security can be your Top Priority, but it has to be done in th
Re: (Score:2, Insightful)
You have a very classical 'marijuana needle' view of marijuana users. Most users I know, myself included actually get a sort of zen state of mind and do a lot of work. Cleaning, dishes, cooking, programming, these are all things I and others do much more of in a significantly more focused way.
The art of chemical mental alternation is a very large domain. College students use various drugs to enhance mental activity. The sales and marketting world several years ago had a significant problem with quaalude
"All the data was encrypted" (Score:1)
Does that mean, translation, we got hit by ransomware?
probably done by the competition (Score:2)
Re: (Score:2)
You, sir, win the Internet.
Dude.. (Score:2)
The Cloud! (Score:3, Insightful)
A gigantic target for hackers with every clients info in one place.
Great job.
Re: (Score:3)
Have to agree with the AC here.
The "cloud" is a great place to keep your music and cat videos. If you are keeping sensitive data there, you are an idiot.
Re: (Score:1)
Lol, yeah sure (Score:2)
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption."
Oh sure, I totally believe this 100%.
Like they would even know for sure if it had been extracted.
Re: (Score:2)
Well for the most part, the security of encrypted data is The_perceived_value / Cost_of_decryption. Cost_of_decryption would be high if your trying to brute-force the database encryption, not so much if you have a key-logger installed on a POS and force everybody to change password to access their cloud data and a copy of the software used.
Trusting stoners to protect your data (Score:1)
Let me get this straight. These people are trusting their personal data to a company that literally is based around sales and use of a drug known and acknowledged to impair judgement and productivity? Awesome plan. I'm sure they were moving heaven and earth to secure their data... That's about as smart as hiring an alcoholic to be your limo driver. You might get there in one piece but I wouldn't count on it.
Re: (Score:2)
No, the company that literally is based around sales and use of a drug known and acknowledged to impair judgement, is trusting their data to a cloud based storage and software company who's product is an ERP software specifically tailored for the marijuana industry. They, by law have to track inventory from seed to retail sale, this data was destroyed. Apparently there were offline or off-site backups that are being used to restore the service.
Re: (Score:2)
Nope. It's more like hiring a liquor store clerk to be your limo driver.
Re: (Score:2)
You may want to refresh your understanding of US laws. They're a bit outdated.
Wow. (Score:3)
> medical
> cloud-based
OK.
Medical marijuana in a cloud (Score:2)
Whats wrong with this? (Score:2)
Vandals destroy very valuable property
The law of firm of Dewy Chetham and Howe reported yesterday that vandals destroyed very valuable property. Spokesperson of the firm Insanei Rony said, :The firm keeps all their files in unlocked cabinets in the back porch open to the public, in order to serve our clients better. This allows our clients to work at their schedule and come in drop off their forms and depositions at their convenience. On Friday evening a group of vandals,
Re: (Score:2)
Why would I imagine a news story like that? It has no fucking relevance at all.
Shit, why am I replying to an obvious troll. I must be tired. Goodnight.
Tradition (Score:2)
Ripping off stoners since 1964.
Guess who? (Score:1)
Unless, of course, it was the RUSSIANS again! They may be looking to sell pot to Americans to make us all easier targets for take-over!!!!
Naaa. It was the US gov looking to make trouble where laws get in their way.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Dude! Where's my shift key?
Re: (Score:2)
Ummm... what?