Category Archives: Windows Security

How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning posted to USA law enforcement, listing advanced Google search techniques as indicators of Cyber-Terrorism, is slightly chilling. Thanks to Sadly, this is not the Onion, where I saw this story. The advanced techniques are old school ways of ensuring you return only the filtered data you want, more accurately. Google Dorking, as it’s called in slang, is a method of searching for a specific keyword under specific conditions. For example, to search only the website CNN.com for the keyword LolCats, the query in Dorking terms is: site:CNN.com + “LolCats”.

Sean Gallagher from ArsTechnica commented that he believed the notice is meant to be more of a wake-up call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The commentary on the same story also mentions how using advanced Google searches has already landed some reporters in trouble, wrongfully accused of criminal activity because of massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice if you work in IT for a law enforcement agency: learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet-exposed assets:

  1. Keep all public facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Read Apache Security if you are running an Apache web server.
  3. Read How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services, along with the IIS security guidance, if you are running Windows Server.
  4. Best option: rent space on Amazon AWS or Microsoft Azure. They have DDoS defenses and can get an inexpensive, current server version up and running. This gets the web server off your network cheaply, with defenses available, and limits the damage to reputation only, with no information leakage. Also, if hardware breaks there is for the most part no interruption, and they fix everything within tight service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool, but if I put on my Ethical Hacker hat I wouldn’t use it before committing a crime; I would move to non-tracking search engines such as DuckDuckGo.com, combined with untraceable connections several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan. Try a super advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try to limit the amount of data available on your public facing assets. Please don’t advertise so obviously unless you are running a Honeypot!
  8. If budgets have your IT bogged down, network and pool external resources and contractors. What if four departments could share one full-time, traveling IT Security contractor?
  9. Cover over all web enabled cameras when not in use, especially in interrogation rooms!
  10. Read the SANS Internet Storm Center Diary every day and listen to the Podcast.

Using Google Dorking or any other advanced internet search is not illegal, nor an indicator of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.
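Tip 5 above says to download your own public documents and review the metadata they carry. The following is an added example (not code from the original post or from the Evil FOCA tool) of that review pass: it pulls author, creator, producer and last-modified-by fields out of PDF and Office (OOXML) files so you can see which usernames and software versions you are publishing. The sample PDF bytes and the in-memory .docx are constructed here for the demonstration; the PDF parsing only handles literal `(...)` strings, which is an assumption good enough for a first look.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# PDF Info-dictionary keys that reveal people and software versions.
LEAKY_PDF_KEYS = ("Author", "Creator", "Producer", "Title")
# OOXML core-property elements (docProps/core.xml) carrying the same kind of information.
LEAKY_OOXML_TAGS = {
    "{http://purl.org/dc/elements/1.1/}creator": "creator",
    "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}lastModifiedBy": "lastModifiedBy",
}
# "/Key (literal string)" pairs; hex strings and escaped parentheses are not handled (assumption).
_PDF_PAIR_RE = re.compile(rb"/(\w+)\s*\(([^()]*)\)")


def extract_pdf_metadata(data: bytes) -> Dict[str, str]:
    """Collect leaky key/value pairs from every '<< ... >>' dictionary in raw PDF bytes.

    Scanning all dictionaries instead of following the xref table to /Info is
    enough for a review pass and also survives slightly damaged files.
    """
    meta: Dict[str, str] = {}
    for dict_match in re.finditer(rb"<<(.*?)>>", data, re.DOTALL):
        for key, value in _PDF_PAIR_RE.findall(dict_match.group(1)):
            key_s = key.decode("latin-1")
            if key_s in LEAKY_PDF_KEYS:
                meta[key_s] = value.decode("latin-1")
    return meta


def extract_ooxml_metadata(data: bytes) -> Dict[str, str]:
    """Read docProps/core.xml from a .docx/.xlsx/.pptx zip container."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    meta: Dict[str, str] = {}
    for element in root.iter():
        name = LEAKY_OOXML_TAGS.get(element.tag)
        if name and element.text and element.text.strip():
            meta[name] = element.text.strip()
    return meta


def extract_metadata(filename: str, data: bytes) -> Dict[str, str]:
    """Dispatch on file type; unknown types yield nothing."""
    if data.startswith(b"%PDF"):
        return extract_pdf_metadata(data)
    if filename.lower().endswith((".docx", ".xlsx", ".pptx")) and zipfile.is_zipfile(io.BytesIO(data)):
        return extract_ooxml_metadata(data)
    return {}


def find_exposures(meta: Dict[str, str]) -> List[str]:
    """One review finding per metadata field worth scrubbing before publishing."""
    return [f"{key}: {value}" for key, value in sorted(meta.items())]


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Run the review over a folder of downloaded documents."""
    return {str(p): find_exposures(extract_metadata(p.name, p.read_bytes()))
            for p in root.rglob("*") if p.is_file()}


# Constructed sample input: a minimal PDF with an Info dictionary.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Author (jdoe) /Creator (Microsoft Word 2003) "
    b"/Producer (Acrobat Distiller 6.0) /Title (Shift roster) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def build_sample_docx() -> bytes:
    """Constructed sample input: the smallest zip that looks like a .docx with core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>j.doe</dc:creator>"
        "<cp:lastModifiedBy>CORP\\svc_backup</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("roster.pdf", SAMPLE_PDF), ("memo.docx", build_sample_docx())):
        for finding in find_exposures(extract_metadata(name, blob)):
            print(f"{name}: {finding}")
```

Point `scan_directory` at the folder where you saved everything a search engine returns for `site:yourdomain filetype:pdf` and the like; a domain account name or an old Office version in the output is exactly the kind of detail to strip from the documents before they go back up.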

Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy; the systems had been left wide open for years.

According to Bonnie of the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives), as reported to the journalist Brenno de Winter (@brenno), a hospital in Gouda, the Netherlands, called Groene Hart Ziekenhuis (Green Heart Hospital) had left weakly configured servers containing confidential patient data for almost half a million people accessible from the internet. These sensitive systems had been in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN like US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMware software. CSIS Denmark recently released a report highlighting that 99.8 % of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000’. The password is both easily guessable and of extremely weak 40-bit strength; John the Ripper on a beefed-up system could crack it in seconds. I wonder if 2000 was the last year the systems were patched?
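The second point is worth turning into a concrete policy check. The following is an added example (not code from the original post) of a password check that would have rejected an administrator password of the "word plus year" form described above: it contrasts the naive strength a simple character-class meter reports with the far smaller search space a cracker actually covers when the password is a dictionary word followed by a year, and refuses that pattern outright. The word list and the number of candidate years are constructed stand-ins for a real dictionary and rule set, and the bit counts come from this simple model rather than from whichever strength meter produced the figure quoted in the post.

```python
import math
import re
import string
from typing import List, Optional, Tuple

# Constructed mini-dictionary; a real check would load a full wordlist (assumption).
WORDLIST = {"groen", "rood", "blauw", "welkom", "password", "hospital", "admin"}
# A lower-cased word followed by a four-digit year, the pattern behind the hospital password.
WORD_YEAR_RE = re.compile(r"^([a-z]+)((?:19|20)\d\d)$")
YEARS_TRIED = 150  # candidate years a cracking rule would append (assumption)


def alphabet_size(pw: str) -> int:
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a simple strength meter reports: every character chosen uniformly at random."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def word_year_match(pw: str) -> Optional[re.Match]:
    """Return the regex match when the password is a known word followed by a year."""
    m = WORD_YEAR_RE.match(pw.lower())
    return m if m and m.group(1) in WORDLIST else None


def effective_entropy_bits(pw: str) -> float:
    """Bits an attacker actually faces: a word+year password is one pick out of
    len(WORDLIST) * YEARS_TRIED candidates, however long it looks."""
    if word_year_match(pw):
        return math.log2(len(WORDLIST) * YEARS_TRIED)
    return naive_entropy_bits(pw)


def check_password(pw: str, min_len: int = 12, min_bits: float = 60.0) -> Tuple[bool, List[str]]:
    """Accept or reject a candidate password; the reasons list explains a rejection."""
    reasons: List[str] = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if word_year_match(pw):
        reasons.append("dictionary word followed by a year")
    if effective_entropy_bits(pw) < min_bits:
        reasons.append(f"below {min_bits:.0f} bits of effective strength")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("groen2000", "Welkom2012", "correct-horse-battery-staple-42"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: naive {naive_entropy_bits(candidate):.1f} bits, "
              f"effective {effective_entropy_bits(candidate):.1f} bits -> "
              f"{'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

With a real wordlist of a hundred thousand entries the effective figure for a word-plus-year password is still only in the low twenties of bits, which is why such passwords fall in seconds to a rules-based cracker no matter what a length-based meter says.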

Why are medical facilities, hospitals, insurance companies and doctor offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. In some cases this is cheaper than implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching, “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper, than remediation, I would take the fine any day.
  • DRA, the agency tasked with ensuring data privacy and investigating breaches, is staffed with about 80 personnel including all support staff, whilst the Dutch Animal Police has over 500 officers.

Link to original story:

http://www.nu.nl/binnenland/2927832/groene-hart-ziekenhuis-lekt-medische-dossiers.html

More proof that patching, keeping systems on supportable versions and strong, secured passwords are a basic requirement for you and all organizations. Lastly, dank u wel/thank you very much to Bonnie and the Nederlands Genootschap van Hackende Huisvrouwen; it is good to know we have highly technical, expert hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.