“The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.”

http://www.storefrontbacktalk.com/securityfraud/ftc-to-controlscan-your-web-site-security-seals-are-lies/

and

http://www.databreaches.net/?p=10165

According to the New York Times, a single credit card number was going for as much as $100 on the black market in 2005. The black market has gone through turmoil similar to the stock market and the same number today sells for about $6 dollars to as little as $0.40 cents per number. The market has become flooded with numbers and banks are able to detect fraud more quickly because of online banking and increased awareness. The amount of attention focused on credit card fraud, coupled with the loss of profitability for thieves, has made it tough for criminals so their interest is shifting to healthcare identities.

Enter electronic medical records (EMR). EMRs are essentially an identity plus medical information. In 2007, an identity typically sold for $14 to $18 dollars. An EMR will usually contain a name, address, Social Security Number, date of birth, prescription information, medical history, and possibly a picture of a driver’s license. A single hospital would retain this information for every person who has ever checked in and this is all the information an identity thief would need. Patients with recent birth or death events would be perfect candidates for identity theft as no one is usually monitoring their credit. Medical records that were previously boxed up in the basement are now ripe for the picking as hospitals make the move to digitize EMRs and are slow to adopt the processes and technology needed to protect this information.

Identity theft is only half the picture. A trend is emerging with thieves targeting patient records for the medical information contained within them. These data breaches started with simple hostage/ransom demands of large record holders. In October 2008, Express Scripts was notified by an attacker that records of millions of their customers would be released into the public if ransom was not paid. In a similar April 2009 incident, an attacker hijacked the Virginia Prescription Monitoring Program web site and posted a message demanding a $10 million ransom from the state.

A shift has started where attackers are starting to sell the actual electronic medical and health insurance information. In October 2009, it was discovered that a company in India was selling British medical records. The seller told undercover investigators “I have 30,000 files to give you today, right now. I’ve around 140 diseases here. You just tell me which disease you’re looking out for – I can give you anything”. This data breach was blamed on the British hospital outsourcing its medical record transcription to a third-party business associate who in turn outsourced it to another company in India. These records were fetching £4 ($6.24) each, but the World Privacy Forum claims these records can get upwards of $50 dollars per record.

It is only a matter of time before these stolen records are regularly used for social engineering attacks against patients. Also, people desperate for medical care will begin looking to the black market to buy an insurance identity to file fraudulent claims. Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.

How Can an Information Security Program help?

As with most technological challenges, there are no quick fixes or easy solutions, however, there are steps you can take to mitigate data breaches. Medical records and health insurance information need to be available to those who require access and secured from thieves trying to steal the data. One cannot just say “those records are encrypted” and think they’re set, the company must demonstrate a true commitment to a complete Information Security Program (ISP). Safeguarding EMRs requires management and implementation tasks that range across the entire business enterprise.

The following recommendations can help a healthcare organization get on the right track:

1. Demonstrate a true commitment to information security across the entire enterprise – not just within the IT arena. The most effective Information Security Program takes a risk-based approach, balancing potential risks against the convenience and expense to mitigate identified risks.
2. View IT Security as a Competitive Advantage as companies that experience IT security breaches are subject to damaging consequences such as:
   • Large monetary penalties from regulators
   • Loss of mission-critical IT systems including web applications, business associate networks and internal networks
   • Breach notifications to customers/patients and the media
   • Legal action by affected customers/business associates/vendors
   • Theft and/or misuse of data
3. Implement and follow well-documented security policies and procedures. Periodically review and adjust these and monitor and measure compliance to industry best practices.
4. Collaborate with business associates on the implementation of EMR security programs.
5. Conduct independent security assessments. HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EMR security programs, policies and procedures. It is also important to evaluate business associates with whom health data is exchanged.

As with any new regulated law, it is important to take a step back and fully understand how this impacts your organization. There are no “cookie-cutter” solutions however understanding the current infrastructure by taking a holistic, risk-based approach and balancing potential risks against the convenience and expense to mitigate identified risks are the recipe for success. Strong leadership, organizational competency, risk classification, collaboration and continuous process improvements are the benchmarks for best practices in healthcare information security and compliance.

Even with extensive security training, security controls are very difficult to get right. It requires extensive understanding of potential attacks, as well as implementation skill. Furthermore, a lot of things can go wrong – failure to perform output encoding, weak hashes and lack of access control, just to name a few areas.

A leveraged way to solve this problem is to take advantage of the open source work that OWASP has done with the Enterprise Security API.

As shown in the diagram above these libraries cover a wide range of security issues.  They are a standard, high quality and well tested set of security controls that developers should take advantage of. ESAPI is available for a wide range of development environments including Microsoft .NET, J2EE and PHP. This can be an important foundation for an application security program.

http://www.breach.com/resources/whitepapers/top-web-incidents-2009.html

For healthcare plans the benefits include easier reconciliation of payments and remittances as well as better control over cash flows. For healthcare providers the benefits include reduced billing and insurance related processing costs as well as improved cash flows. Another significant area is the potential for increased focus on patient care. On average, physicians currently spend three hours per week interacting with health plans, at a cost estimated from $23 billion to $31 billion each year according to the Health Affairs Journal. Electronically automating and properly securing the payments and remittance processes will decrease the time physicians have to spend with insurers, giving doctors more time to focus on patient care.

For both providers and plans now is the time to streamline administrative processes and benefit from cost savings initiatives. Of course with automation comes exposure to risks of fraud and information theft. To take full advantage of the potential cost savings associated with electronically automated processes, both healthcare providers and plans must invest in an information security risk management program. We have developed information security best practices in this area over the course of several years, primarily with leading companies in the financial sector.

Getsystem uses several techniques for priv escalation:

• Windows Impersonation Tokens (fixed by MS09-012)
• Abusing LSASS via token passing (Pass-the-Hash) which requires Administrator anyway.
• Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM, if you are lucky they run as a domain administrator).
• Improved KiTrap0D exploit released by Tavis Ormandy ( MS10-015 patched as of now)

As more privilege escalation exploits appear this year they will no doubt be rolled into the Getsystem extension which i will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.

Also, check out Bernardo Damele’s (author of SQLmap!) walkthrough on integrating Metasploit privilege escalation via SQLmap for post database exploitation. Here.

And a sample of the KiTrap0D exploit below in MSF by Pieter Danhieux (not Getsystem but same functionality):

Kitrap0d in Metasploit 3.3.4-DEV

meterpreter > use priv
Loading extension priv…success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to ‘0′).
0 : All techniques available
1 : Service – Named Pipe Impersonation (In Memory/Admin)
2 : Service – Named Pipe Impersonation (Dropper/Admin)
3 : Service – Token Duplication (In Memory/Admin)
4 : Exploit – KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
…got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

• Social engineering and security awareness
• Risk management

Social engineering and security awareness can be thought of your new front line of defense, your users. They need to be cognizant of the attacks that are being directed at them and the role they play in defending the organization and corporate assets.

Risk management can be implemented by following the process depicted above. From the standpoint of defending against cyber crime, the process helps identify the areas that are of highest impact to your business, and organizes controls to defend against the threats. Another important benefit is that business unit leaders and executive management are drawn into the process, and thus gain an understanding of the security issues and risks. Furthermore, implemented properly, risk management just becomes part of running the business similar in nature to the way the financial organization closes the books every month.

Here at Redspin we can help you understand your risks, educate your workforce and modernize your defenses.

Similar to the db_autopwn via fasttrack script (available in Backtrack 4), Nsploit does even more granular service level Nmap scanning to identify vulnerable software versions and map corresponding exploits. It then passes these to Metasploit and launches the pain at your target box.

It Uses Nmap’s NSE’s to trigger Metasploit commands via XMLRPC. Anything we can identify with an Nmap Script we can launch and get a shell… hopefully a meterpreter shell

Check out Ryan’s blog http://blog.happypacket.net/ and learn more about Nsploit from the 2009 SecToor Presentation Nsploit-(Popping-boxes-with-Nmap) hosted by securitytube.com.

PDF slides here

Download

Usage videos below:

Nsploit Multi-Host Ownage from Ryan Linn on Vimeo.

Nsploit Single Host Ownage from Ryan Linn on Vimeo.