

Heartbleed Flaw Said Used in Hospital Hacking - rbc
http://www.bloomberg.com/news/2014-08-20/heartbleed-flaw-said-used-by-chinese-in-hospital-hacking.html

======
mholt
I thought Heartbleed attacks were difficult to detect. How did they determine
they used the Heartbleed vulnerability, especially since the attack happened
only a week after Heartbleed was revealed?

> "Community Health ... disclosed yesterday that Chinese hackers stole
> patients’ Social Security numbers, names and addresses, without revealing
> how the hackers got in."

And then...

> “We never had any tangible proof of an attack until now,” said David
> Kennedy, founder of TrustedSec LLC, a security consulting company based in
> Cleveland, Ohio, who first reported Heartbleed was used to attack Community
> Health on his company’s website.

Here's the report: [https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/](https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/) -- but I still wonder how it was detected.

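The detection question raised above has a concrete answer at the protocol level: RFC 6520 requires a receiver to discard a heartbeat message whose declared payload_length does not fit inside the TLS record, and Heartbleed was the absence of that check. The same bounds check can be applied passively to captured traffic, which is how an IDS signature flags abuse attempts. The following is an added example, not code from the thread, the Bloomberg article or the TrustedSec report; the sample records are constructed inline and the function names are my own.

```python
import struct

# TLS content type for heartbeat records (RFC 6520), heartbeat message types,
# and the minimum padding the RFC requires after the payload.
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment).

    Raises ValueError if the record header claims more bytes than were captured.
    """
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds captured bytes")
    return ctype, version, fragment


def check_heartbeat(record: bytes) -> dict:
    """Apply the RFC 6520 bounds check to a single TLS record.

    Returns a dict with 'heartbeat' (was this a heartbeat record at all),
    'suspicious' (does the declared payload_length fit in the record) and a
    human-readable 'reason' suitable for an alert message.
    """
    ctype, _version, frag = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "suspicious": False, "reason": "not a heartbeat record"}
    if len(frag) < 3:
        return {"heartbeat": True, "suspicious": True,
                "reason": "heartbeat shorter than its 3-byte type+length header"}
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"heartbeat": True, "suspicious": True,
                "reason": f"unknown heartbeat type {hb_type}"}
    # The check the vulnerable OpenSSL code skipped: header + declared payload +
    # minimum padding must fit inside the record fragment actually received.
    if 3 + payload_len + MIN_PADDING > len(frag):
        return {"heartbeat": True, "suspicious": True,
                "reason": (f"payload_length {payload_len} does not fit in a "
                           f"{len(frag)}-byte heartbeat record")}
    return {"heartbeat": True, "suspicious": False, "reason": "well-formed heartbeat"}


def scan_records(records) -> int:
    """Count records that fail the bounds check; a non-zero count is an alert."""
    return sum(1 for r in records if check_heartbeat(r)["suspicious"])


# Constructed sample records (not captured traffic). The benign request carries
# a 4-byte payload plus 16 bytes of padding; the malformed one declares a
# payload far larger than the record that carries it.
BENIGN_REQUEST = (bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 23)
                  + bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
OVERSIZED_REQUEST = (bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 3)
                     + bytes([HB_REQUEST]) + struct.pack("!H", 16384))
HANDSHAKE_RECORD = bytes([0x16, 0x03, 0x01]) + struct.pack("!H", 1) + b"\x01"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(name, check_heartbeat(rec))
    print("suspicious records:", scan_records([BENIGN_REQUEST, OVERSIZED_REQUEST, HANDSHAKE_RECORD]))
```

Because the check only reads the record header and the first three bytes of the heartbeat message, it works on captured packets after the fact as well as inline, which is why an attempt can be identified from logs even when the server itself never noticed anything wrong.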
~~~
ejr
That says they used a vulnerability in a "Juniper device"; probably a
router/firewall appliance. There have been quite a few vulnerabilities[1] in
their Junos line[2], but any or all of these ones seem likely[3].

[1] [http://www.cvedetails.com/vulnerability-list/vendor_id-874/year-2014/Juniper.html](http://www.cvedetails.com/vulnerability-list/vendor_id-874/year-2014/Juniper.html)

[2] [https://en.wikipedia.org/wiki/Junos](https://en.wikipedia.org/wiki/Junos)

[3]
[http://www.cvedetails.com/cve/CVE-2014-3816/](http://www.cvedetails.com/cve/CVE-2014-3816/)

[http://www.cvedetails.com/cve/CVE-2014-3412/](http://www.cvedetails.com/cve/CVE-2014-3412/)

[http://www.cvedetails.com/cve/CVE-2014-3411/](http://www.cvedetails.com/cve/CVE-2014-3411/)

[http://www.cvedetails.com/cve/CVE-2014-0615/](http://www.cvedetails.com/cve/CVE-2014-0615/)

~~~
warriar
Most probably a Juniper Secure Access SSL VPN appliance. I was administering
one too when Heartbleed was "made public".

Luckily we were not running the latest version tree of the firmware, so we were
still on an older OpenSSL version.

I don't think Juniper devices have more or fewer vulnerabilities than other
vendors. It's highly developed stuff (chasing technical advances, bringing out
new firmware every other month).

You just shouldn't use .0-1 versions of new release trees, like with every
vendor...

And for Heartbleed: nearly everyone based on Linux/OpenSSL was affected
somehow.

~~~
ejr
Good point. VPN would have been an obvious target. Medical services especially
need to share data with healthcare providers to ensure clients get the
appropriate treatment and that usually involves secure connections between
locations.

------
hnnewguy
> _" The Chinese embassy in Washington said it wasn’t aware of the attack."_

It is utterly amazing to me how we view the Chinese people as such an evil
"other".

I'd love to know how they determined that this was Chinese hackers, which
doesn't appear in the TrustedSec report, and from my amateur eyes would seem
near impossible to determine with certainty. But if it was the case, why is the
first thought that it was an action on behalf of the government instead of
a couple of Chinese kids messing about? Count the "Chinese hackers" in the
article.

If the vulnerability was public at the beginning of April, how were there
attacks made in June?

Hard to believe they actually asked the embassy if they knew about the attack.
The embassy's reaction was understandable.

------
NamTaf
The scariest part of this is that even a week after Heartbleed went public,
there are InfoSec professionals out there who still hadn't patched/brought
down public-facing OpenSSL implementations.

~~~
rudimk
I'm pretty sure there's a scarier part where there are still InfoSec pros out
there who haven't bothered patching their OpenSSL implementation, months after
Heartbleed went public.

------
apstls
This is what happens when we live in a world that gives OpenSSL $2,000 a year
and Yo $1.5MM in funding...

~~~
ejr
The flaw, as I understand it, was as much a result of their development and
patch acceptance process as of budgetary constraints.

There were many complaints before and since of how difficult it is to get bugs
patched and especially their idiosyncratic approach to development. In
essence, they duplicated OS functionality even when unnecessary and had a
large swath of code that was fundamentally redundant and/or broken.

~~~
barsonme
Spot on.

They supported everything. For example, they supported a variety of flavors of
MD5. (Apparently bloat that LibreSSL has gotten rid of, or so I've heard).

The whole package had around 300,000 lines of code. Even with funding it'd be
difficult to maintain.

