Hacking the Healthcare Conference
By John Gomez
Outside it was 19 degrees and snow continued to fall as it had for the last few days. Inside the two-story brick building in downtown Asbury Park, NJ, a group of operators huddled around a set of whiteboards and large flat-screen TVs doubling as computer monitors, all connected to a variety of computer hardware.
One of the screens provided satellite images of a convention center. Another screen detailed the locations of all the hotels being used by attendees of a healthcare conference. Yet another screen highlighted the booth locations of the key exhibitors, with cross-references to their key clients, employees, and partners with their LinkedIn, Facebook, and Twitter account names and pages.
The operators had been developing cyber-attack plans for one of the largest healthcare information technology conferences in the world. The Alpha teams would focus on infiltrating the conference itself, while Bravo team members would exploit opportunities at hotels, restaurants, and the popular vendor-sponsored parties. The current debate centered on whether team members should register to attend the conference or simply swipe the passes of attendees and blend in with the crowd.
The last team, Command One, would provide command and control. It had already secured several adjoining suites at a hotel across from the convention center. The suites would provide real-time, 24×7 communications to the team members as well as manage the botnet and provide the initial command and control capabilities for the RAT software the field teams would be deploying.
The RATs the field teams would deploy were custom developed, derived from Stuxnet code. They were built to work across operating systems and devices and to lie dormant for the most part, except in a few special cases.
One of those special cases was that if the RAT determined it was on a laptop, it would turn on the computer’s microphone and camera to record confidential conversations between vendors and clients as well as between vendor teams about their clients. The hope was to garner details that could later be used to exploit employees, or other details that could lead to further compromises. RATs deployed to machines running a server operating system or a Linux variant would replicate until they were carried into a corporate network, then activate and establish themselves inside the corporate infrastructure of vendors and attendees.
Aside from the RATs, the Bravo teams had already visited area hotels and catalogued the wireless networks and their providers, deploying SDR and other toys to about 40 hotels. The goal was to eventually compromise the wireless networks using man-in-the-middle attacks and other techniques. In situations where they could not bypass the hotel’s wireless infrastructure, the team planned to compromise targets of opportunity being used in lobbies and public areas.
The team was now in its final planning stages. “Do we have the dummy business cards?”
The team had created a fictitious company, complete with a website, a Delaware LLC, and an 800 number with an employee directory and voicemail. The team also had false employee IDs issued by the fictitious company. This allowed the team to play the role of a vendor attending the conference.
A subset of the team had spent the past two weeks becoming familiar with their cover of representing a new hospital system being created in the Midwest. The team included a fake CMIO, CIO, and VP of operations. The team developed LinkedIn accounts with complete work and educational histories as well as a fake website for the new healthcare system, with architectural renderings of their new 650-bed acute care facility and their upcoming regional clinical care centers.
At this point, you are probably wondering if what you are reading is an exposé of a crack hacking team or simply a fictional piece of work. It is actually a little of both.
One of the things my team often does is to run simulated attacks on a variety of targets. We basically map out the entire attack and do all the prep work, short of launching the attacks. In this scenario, we decided to attack a healthcare conference.
The simulation was actually carried out over a period of three days. Everything you read is real. All the techniques, tools, and practices are the actual methods we would use to carry out a large scale cyber-attack against a healthcare conference. Our goal in doing this was to help develop suggestions for those attending any healthcare conference in hopes of making the lives of people like us much more difficult.
The above doesn’t include everything we would do or how we would do it, but what I did divulge is not all that sophisticated or uncommon. There is nothing in the story that isn’t already known or possibly already being undertaken by cyber-criminals, cyber-terrorists, or cyber-spies. Although we would never carry out this type of activity, there are those who would and probably will. Hopefully you will heed our counsel and employ the suggestions below, thereby keeping you and your organization a little safer.
- Share the wealth. One of the most important things you can do is educate others on the possible threats that exist when attending conferences of any size. An easy way to do that is forward this article to your teams. Like GI Joe once said, “Knowing is half the battle,” and that is especially true in the world of cyber-security. Most people don’t realize the sheer audacity that attackers employ. Hopefully the above story illustrates a little bit of that audacity.
- Encryption matters. All of your devices should use local file encryption, especially if you are going to be shipping them where they are out of your control. This also applies to any device that you are taking with you on the road — laptop, tablets, etc. All communication should be encrypted, even if you are using a closed network, but especially if you are connecting to the Internet.
- Stay in control. Do not leave your laptops or other computing devices in your hotel. If you are going to leave them behind, lock them in a safe and make sure the device is encrypted.
- Remove history. Delete your web browser history every day and also delete all previously saved wireless access points from your computing device. For example, if your iPad is set up to automatically connect to your home wireless network, delete that before you go to a conference. Why? Because the MAC address (BSSID) of your home access point can be looked up in public wardriving databases to find your home address. Don’t believe me? Email me your MAC address and we can bet a cafe mocha.
- Just say no to thumb drives and DVDs. If anyone — partner in crime, spouse, child, parent, boss, vendor, speaker (including George Bush) — offers to give you a thumb drive or DVD for any reason, just say no. Ask them to e-mail you the item, or better, print it out. If they e-mail it, do a virus scan and make sure it is from someone you met before the show. Otherwise, FedEx works great to mail you documents quickly. Thumb drives and DVDs can harbor malware. Even if you know the person, you don’t know where they got the thumb drive or how they made the DVD. Save yourself a lot of pain and just say no.
- Lock down machines. Vendors should lock their server rooms and demo equipment. You shouldn’t hire third-party security — you should be your own security during off hours. I know this sucks and is a burden, but it’s your technology. If the answer to this is that you wipe your equipment, good for you, but I am not after your equipment — I am after your data and network. Wipe away — chances are someone on your team will connect to your demo network.
- No demo networks. Don’t connect to demo networks. You don’t know what is on them no matter what your IT team tells you.
- Limit Wi-Fi. If you must use Wi-Fi, limit it to your hotel (it’s not the safest, but it’s better than a coffee shop or airport) and use a secure connection over a VPN. A better alternative, though not cheap, is your own personal hotspot over a secure connection.
- Wipe machines. After every conference, you should do a DoD-level wipe (a full overwrite, not a quick format) of all hardware used at the conference. This includes a visual inspection of the internals, if possible, to assure that nothing was added by your third-party, $10 per hour security resource.
- Lock down demo machines. Tape over webcams, disable USB storage, and put tape over the ports. Disable unused ports and other services. Hire someone to attack your demo environment.
- Establish a conference VPN. Set up a VPN just for the conference and require two-factor authentication, using something like Google Authenticator, to connect back to your corporate resources. After the conference, disable the VPN system and never use it again.
- Establish BIOS passwords. Set BIOS (or UEFI firmware) passwords so that someone with physical access cannot change boot settings.
- Create a bootable DVD. A great option for vendors is to use a bootable DVD with your demo clients on it. Please don’t tell me that you use virtual machines and somehow that makes you safer. If you believe that, you have a lot to learn about cyber-security.
- Awareness. If something doesn’t feel, smell, or seem right, it probably isn’t. Conferences are highly social venues. It is important that you don’t forget that most of what happens to you is because you let it happen. This applies in the real and cyber worlds and is critical in both to maintain your personal security.
- Email invites and marketing. Vendors love to send you all kinds of invites, updates, tidbits, and other neat stuff via e-mail during a conference. I would suggest you unsubscribe or just delete mass e-mailing from any vendor. A better option is to inform your rep that you will only accept e-mails from them directly and would appreciate minimizing things you have to click on. Think this is overboard? Consider that Anthem was compromised with a single click in an e-mail message.
- Blips matter. Ever say, “That was strange,” or “What just happened?” and then things go back to normal? Often this is just an anomaly, but it could also be an indication that your computer device is under attack. Think about what you were doing right before the blip — surfing the web, opening an e-mail, connecting to a network, clicking a link, downloading something. Put things in context, and if you get nervous for any reason, say something to your IT team.
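As an added example, not from the original article or its author, the following POSIX shell script carries out the “Remove history” step on a Linux laptop whose wireless is managed by NetworkManager: it lists the saved Wi-Fi profiles with nmcli and forgets them. The parsing is kept separate from the deletion so it can be checked against constructed nmcli output without nmcli installed; the sample lines and the `--dry-run`/`--apply` flags are this script’s own conventions.

```shell
#!/bin/sh
# Forget every saved Wi-Fi profile on a NetworkManager-managed Linux laptop.
# Added example, not part of the original article. Assumes nmcli is present
# when run with --dry-run or --apply; with no argument it only defines functions.
set -eu

# Filter nmcli terse output (one NAME:TYPE per line) down to Wi-Fi profile
# names. nmcli escapes a literal ':' inside a name as '\:', which we restore.
wifi_profiles() {
    grep ':802-11-wireless$' \
        | sed -e 's/:802-11-wireless$//' -e 's/\\:/:/g'
}

# Constructed sample of `nmcli -t -f NAME,TYPE connection show` output,
# used to exercise the filter without touching the real system.
SAMPLE_NMCLI='Home Net:802-11-wireless
Wired connection 1:802-3-ethernet
Cafe\:5G:802-11-wireless
vpn0:vpn
Hotel Guest:802-11-wireless'

# Runs the filter over the constructed sample; expected output is the three
# Wi-Fi names "Home Net", "Cafe:5G" and "Hotel Guest".
sample_wifi_profiles() {
    printf '%s\n' "$SAMPLE_NMCLI" | wifi_profiles
}

# Forget every saved Wi-Fi profile on this machine.
# $1 is "apply" to delete, anything else to just list what would go.
forget_wifi_profiles() {
    mode="$1"
    nmcli -t -f NAME,TYPE connection show | wifi_profiles \
        | while IFS= read -r name; do
            if [ "$mode" = "apply" ]; then
                nmcli connection delete id "$name"
            else
                echo "would forget: $name"
            fi
        done
}

case "${1:-}" in
    --apply)   forget_wifi_profiles apply ;;
    --dry-run) forget_wifi_profiles dry-run ;;
    *)         ;;   # no argument: functions only (sourced or self-tested)
esac
```

Run it as `sh forget_wifi.sh --dry-run` first and `--apply` once the list looks right. The macOS equivalents are `networksetup -listpreferredwirelessnetworks en0` and `networksetup -removepreferredwirelessnetwork en0 "<SSID>"`; on Windows, `netsh wlan show profiles` and `netsh wlan delete profile name="<SSID>"`.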
Hopefully if nothing else this article will get you to think and ask questions of your teams and how well you are prepared to attend a conference. Conference operators do all they can to provide a safe and secure environment. But in this day and age, there is only so much they can do. The real burden of security — physical and cyber — is on the shoulders of individuals. This is how it should be because security works best when it is a personal responsibility.
Take time to talk with your teams (exhibitor or attendee) about security best practices. The pre-meeting is a great time to brief your teams on security practices or invite someone to speak to them. You should also have a cyber-security response plan for the conference that includes who to speak to, what to do if there is a threat, and how to report information to the conference coordinators so that multiple incidents can be correlated and viewed through a broader lens.
The reality is that life has changed.
The simulation outlined in the opening of this article was simply that — a planning simulation for a real-world attack. The emphasis is on real-world attack planning. The only thing that kept us from carrying out that attack is that we fight for good, but there are plenty of others out there who don’t — we call them the bad guys.
John Gomez is CEO of Sensato of Asbury Park, NJ.