back to article Heartbleed implicated in US hospital megahack

The Heartbleed flaw is responsible for the high-impact US hospital hacking attack disclosed this week, an unnamed investigator told Bloomberg. As many as 4.5 million patient records have been exposed in an attack against Community Health Systems, a US hospital group that manages more than 200 hospitals. China-based attackers …

  1. Destroy All Monsters Silver badge
    Paris Hilton

    Probably the most expensive post-weekend-hackaton "git push" ever

    But what will "Chinese hackers" do with 4.5 million patient records?

    1. midcapwarrior

      Re: Probably the most expensive post-weekend-hackaton "git push" ever

      Dude did you miss the part about the social security numbers.

      with name and address info this is gold

      1. Destroy All Monsters Silver badge

        Re: Probably the most expensive post-weekend-hackaton "git push" ever

        But if they are chinese, aren't they govnmt sponsored and out for warcrap and other dregs of civilization?

        1. Anonymous Coward
          Anonymous Coward

          Re: Probably the most expensive post-weekend-hackaton "git push" ever

          "But if they are chinese, aren't they govnmt sponsored and out for warcrap and other dregs of civilization?"

          Would you say that if they were American, or British, or even Russian? People are people, and I have heard that free enterprise is now flourishing in China. Along with its universal concomitant, crime. (The difference between a successful business and a criminal organization is purely a matter of degree - how willing those involved are to risk a prison sentence).

          1. Destroy All Monsters Silver badge
            Paris Hilton

            Re: Probably the most expensive post-weekend-hackaton "git push" ever

            Crime is the concomitant of free enterprise?

  2. Tom 38
    Holmes

    When were the credentials stolen though?

    Did the credentials get taken via Heartbleed before or after the 7th of April, 2014? IE, was this an unfortunate case of being attacked with an unknown vulnerability, or did CHS expose insecure systems after the vulnerability was disclosed?

    1. John Brown (no body) Silver badge

      Re: When were the credentials stolen though?

      "One of the largest healthcare providers in the US claims Chinese hackers ran riot through its systems between April and June this year " reports El Reg

      So yes, it's possible they were compromised before Heartbleed was announced and without a full security audit, didn't notice the "attack" in progress even if they patched up ASAP

  3. Pen-y-gors

    A new definition of 'trusted'

    A person "involved in the investigation who wasn’t authorised to comment publicly" blamed the Heartbleed OpenSSL bug...

    "This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation

    So, you define someone who blabs about an ongoing investigation, even though they are banned from commenting, as 'trusted'? It's a strange world that some people live in.

    I would suggest sacking the entire team doing the investigation as at least one of them cannot be trusted, and therefore none of them can be trusted.

    1. DNTP

      Re: A new definition of 'trusted'

      It's smoke and mirrors- likely they authorized someone to comment anonymously in order to preempt or discredit any information given out by actual unauthorized disclosures.

      1. Aitor 1

        Re: A new definition of 'trusted'

        Waht they are saying, is that they have no idea how they got the user/password, but they do know that they patched the systems for heartbleed on JUNE.

  4. Anonymous Coward
    Anonymous Coward

    Meanwhile at PRISM HQ...

    Agent Smith: The facebook, gmail and google search data showed nothing how can this be? They must have googled how to do this and posted a brag on facebook?

  5. chris lively

    Wrong culprit identified

    At what point do we stop blaming a bug which PATCHES HAVE BEEN RELEASED FOR and start blaming the idiotic network admins who fail to apply said patches?

    The title of this story should be: "Dereliction of duty by Network Admins implicated in US hospital megahack"

    They said the attacks occurred between April and June. The patches were released on April 7. I'll grant them 3 days to do emergency testing and patch their systems (which is way too much). That leaves approximately 80 days of time in which these attacks should have been stopped cold.

    1. Sven Coenye

      Re: Wrong culprit identified

      Sure, but note the breach point: a Juniper firewall. A quick search shows Juniper was not done updating their Heartbleed vulnerability advisories until April 30th. The patch advisory updates ran until May 6th. That falls right in the middle of the attack window. Without knowing the exact model, one can't say when the vulnerability was disclosed and when the patch was available.

  6. Nuno trancoso

    Not saying this is the case, but poor Heartbleed seems to be supporting a really heavy load on it's shoulders. Data breach? Heartbleed. Security fuckup? Heartbleed. etc etc etc...

    Maybe we should have a HB every month so that no f***wit that should be sacked on sight ever looses his job again.

    Not that it happens a lot mind you, since "the system" seems to be tolerant towards negligent dimwits. Maybe because negligent dimwits are running "the system", go figure...

    1. StimuliC

      Well You know Blame it on the Heartbleed

      The trouble with Heartbleed is that they may have gotten the usernames and passwords pretty damn quick and once they have access it relies on the system admin to make sure that everyone that uses that system changes their password so that no access can be made to the system if it had been attacked.

      Any Sys Admin worth their salt would have taken the stance as soon as the news broke that their system may have been attacked. Those that didn't should not have had jobs. Saying that they waited for notification is a pretty poor excuse. They should have checked themselves or proactively had it checked and had it patched.

      This vulnerability showed no evidence of ever having been used all the cases where it has been used were after the patch was available and after the news broke.

      I think you are very right the 'system' is very tolerant towards negligent dimwits.

      It seems though that quite possibly there are other forms of hacking taking place and rather than admit that their system was hacked through other forms of negligence or lack of security companies are falling back on the

      "Let's blame heartbleed"

      rather than be honest. I suspect that in some of the cases that crawl out of the woodwork that Heartbleed is the fallguy rather than admit that other methods were used that may leave the company out in the line of fire for a lawsuit.

  7. lambda_beta
    Linux

    PR Guys at it again

    This outfit must be working the PR guys overtime. I just love how they do this crap and get away with it.

    - "an unnamed investigator"

    - A person "involved in the investigation who wasn’t authorised to comment publicly" blamed the Heartbleed OpenSSL bug

    - "This confirmation of the initial attack vector was obtained from a trusted and anonymous source"

    Anytime I want to know something I always go to an unnamed investigator who wasn’t authorised to comment publicly but learned this from a trusted and anonymous source.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like