A healthcare system spanning 29 states announced on Monday that cybercriminals operating from China stole information on approximately 4.5 million patients, including names, birth dates, and Social Security numbers.
Community Health Systems, which comprises 206 facilities in the southern and western states, announced the incident in an 8-K filing submitted to the Securities and Exchange Commission (SEC). The data breach likely stems from compromises in April and June of this year, involved sophisticated malware, and is apparently connected to China, the company stated.
"The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company," CHS said in its 8-K filing. "Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack."
On August 7, as Def Con was kicking off far below in the bowels of the Rio Hotel’s convention center in Las Vegas, I was ushered into a suite on the 19th floor to see a man who has one of the most high-profile security gigs in the industry: Joe Sullivan, Facebook’s chief security officer. An acquisition of a security startup company announced that same day and a huge internal investment in security technology development have created a software security giant that has but one paying customer—Facebook itself. Sullivan explained the PrivateCore deal as an investment in Facebook’s future—especially when viewed within the context of the company’s Internet.org effort to bring affordable Internet access (and Facebook) to the still-unwired parts of the planet. “PrivateCore is a perfect fit for the future of Facebook,” Sullivan told Ars.
A VM in a vCage
The technology PrivateCore is developing, vCage, is a virtual “cage” in the telecom industry’s usage of the word. It is software that is intended to continuously assure that the servers it protects have not had their software tampered with or been exploited by malware. It also prevents physical access to the data running on the server, just as a locked cage in a colocation facility would.
The software integrates with OpenStack private cloud infrastructure to continuously monitor virtual machines, encrypt what’s stored in memory, and provide additional layers of security to reduce the probability of an outside attacker gaining access to virtual servers through malware or exploits of their Web servers and operating systems. If the “attestation” system detects a change that would indicate that a server has been exploited, it shuts it down and re-provisions another server elsewhere. Sullivan explained that the technology is seen as key to Facebook’s strategy for Internet.org because it will allow the company to put servers in places outside the highly secure (and expensive) data centers it operates in developed countries.
The news over the past few years has been spattered with cases of Internet anonymity being stripped away, despite (or because of) the use of privacy tools. Tor, the anonymizing “darknet” service, has especially been in the crosshairs—and even some of its most paranoid users have made a significant operational security (OPSEC) faux pas or two. Hector “Sabu” Monsegur, for example, forgot to turn Tor on just once before using IRC, and that was all it took to de-anonymize him. (It also didn’t help that he used a stolen credit card to buy car parts sent to his home address.)
If hard-core hacktivists trip up on OPSEC, how are the rest of us supposed to keep ourselves hidden from prying eyes? At Def Con, Ryan Lackey of CloudFlare and Marc Rogers of Lookout took to the stage (short their collaborator, the security researcher known as “the grugq,” who could not attend due to unspecified travel difficulties) to discuss common OPSEC fails and ways to avoid them. They also discussed their collaboration on a set of tools that promises to make OPSEC easy—or at least easier—for everyone.
Called Personal Onion Router To Assure Liberty (PORTAL), the project is a pre-built software image for an inexpensive pocket-sized “travel router” that automatically protects its owner’s Internet traffic. PORTAL provides always-on Tor routing, as well as “pluggable” transports for Tor that can hide the service’s traffic signature from some deep packet inspection systems.