One Article Review

Home - The article:
Source Veracode
Identifier 2103331
Publication date 2020-08-06 10:16:00 (viewed: 2020-12-15 21:05:43)
Title Live from Black Hat: Healthscare – An Insider's Biopsy of Healthcare Application Security with Seth Fogie
Text Healthcare providers heavily leverage technology. In his talk, Seth Fogie, information security director at Penn Medicine, takes apart different vendor systems at the "fictitious" Black Hat Clinic. Fogie gives a lot of examples and drives home the point that you shouldn't just look at network security… you have to dig deep into the applications to ensure the security of your data. Following the patient's journey: Fogie follows the journey of now-geriatric Alice and Bob, our quintessential victims in the security realm. Taking on the perspective of Mallory, the malicious attacker, he goes to town taking apart one system after another. For example, patient entertainment systems not only let you watch television but also give access to patient data. The first system he looks at provides access to patient health information without authentication and uses client-side authentication for PINs that are easily overcome when using a proxy server between the client and the server. A different system, a clinical productivity system, has a backdoor with a daily password that is generated with a pre-determined algorithm. Next, he looks at the drug dispensary system, which has an unauthenticated network share. Investigating the binaries, he finds the SQL decryption key. This leads to full system access on the server, which provides access not only to user data but also to a full table of encrypted passwords that they were able to decrypt using the same decryption key. Fogie then looks at the temperature monitoring system that is used to chill blood bags, insulin, and other drugs. Using Wireshark, he finds a few authentication codes and passwords. (Around this point my head and keyboard start to smoke as Fogie speeds through his results faster than I can screenshot.) Findings summary: in the end, he compromises all seven systems, mostly through the use of client software.
No vendors are harmed in this presentation, as Fogie blurred out all screens. He also worked with vendors to notify them of the security issues. Where software was no longer maintained, he patched the client software himself by setting a unique and complex password for a backdoor he found. Managing 225,000 patient records, Black Hat Clinic could have been on the hook for millions of dollars in fines. Healthcare records are particularly popular on the dark web because they often contain a lot of information that helps fraudsters steal the identity of their victims and use their credit.
Notes ★★
Sent Yes
Tags Guideline
Stories
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.