Security Reference Guide

How to Steal 80,000 Identities in One Day

Last updated May 23, 2003.

Author’s Note: How do you get the attention of the executives at your company if you feel the security systems are lacking? Fake a news article about a huge break-in, and place it on the CEO’s desk. We were asked to create such a story, and wanted to share it with you as a case study of just how someone could Steal 80,000 Identities in One Day.

April 1st started like any other for Acme Medical Services. Patients were calling in to cancel appointments due to scheduling conflicts, staff members were alerting their managers that they couldn't come into work because they were sick, and the IT department was busy with their normal morning routine. From the perspective of Acme, all appeared normal.

However, by April 3rd, Acme's situation would be anything but normal. Administrative staff would be busy informing patients their personal data was stolen, managers would be calling their health care professionals to tell them to stay home because the offices were closed until further notice, and the IT department would be busy trying to figure out just how they had lost control of the personal information of over 80,000 of their clients. Life at Acme would be anything but normal.

The Story Breaks

Acme Medical Services (AMS) provides several essential and money-saving functions for large companies. From onsite health units to policy and compliance issues, AMS is focused on providing quality, friendly and honest health services. To keep the company responsive, it maintains a complex database that stores important client data, including health history, personal identification information such as Social Security numbers, and previous financial transaction information. This information is stored at one location and is protected by a complex set of access control rules based on need to know, position, and location within the network. So it came as a big surprise to discover that over 80,000 records from this database had found their way online to an underground chat board — one that we at Disclosing IT happened to notice.

Upon finding this information, we immediately contacted AMS, informed them of the incident, and asked whether they were aware of the leak. After about two hours of being passed up through the chain of command, explaining who we were and what we had found several times, our call finally landed at the desk of Mr. John Dewno, the Chief Technical Officer for AMS. We discussed our find with Mr. Dewno and agreed not to post the news in our online periodical until they had time to investigate the break-in, as long as they were willing to provide us with an internal look at the details of the investigation. AMS agreed, because it would help them maintain some control over the situation. Plus, once clients were notified that their personal information had been stolen, it would only be a matter of time before the incident became headline news.

AMS Goes Offline

At this stage, AMS knew they had lost control over their data. Now they had to find out how. The first step was to immediately lock down the entire network, including the database server, the backup server, and all connected systems that could have been used to gain access to the network. This was necessary to preserve any evidence on the computers for analysis. If the systems were not handled properly, files or memory that might contain important evidence could be erased. In addition, if the attacker was still connected to the database server, shutting down the network would prevent them from cleaning up the traces of their attack. At the same time, the FBI was alerted to the situation.

As a result, AMS was offline and unavailable for several days. The actual dollar value of this downtime was estimated at $1.5 million, because all health care-related appointments had to be outsourced to a third party while the investigation occurred. Unfortunately, the total impact of the attack will take years to determine, and is estimated to reach as much as $20 million.

Finding the Trail

AMS maintains a fairly secure network. They use an Active Directory-based system built on Windows Server 2003 for authentication and identification. Passwords are required to be longer than eight characters and to include at least one number and one capital letter. In addition, invalid authentication attempts are logged, and accounts are disabled after three invalid attempts. There is also a firewall in place, along with a secure remote access program (a VPN) that allows the executive staff to work from home. Finally, several layers of security protect the individual user systems from becoming infected with a virus: anti-virus on the email server and on each computer, anti-spam filters, and host-based firewalls installed on each computer.

While the above does provide a fair amount of protection, the attacker had obviously found a way around or through the protections in place. The investigation team had to figure out what went wrong, and where the attack originated.

The first thing AMS staff did was review the Active Directory logs. They looked for obvious signs of unauthorized access, such as locked-out accounts, login times later than the norm, and other such anomalies. However, there was nothing out of the ordinary.

Next, AMS staff turned their attention to the database server, which also keeps a log of account logins. It was here that they noticed some unusual activity on the account of a Dr. Mary Smith. According to the logs, her account had made several connections to the database server between 11PM and 5AM on the night of April 1st. A cursory review of Dr. Smith's previous access history made it evident that this was not normal behavior.
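One way to run the kind of login-time review described above over database login records, as an added example that is not part of the article: it assumes a constructed log format (one record per line with user, event and src fields) and builds a per-user baseline of login hours from the records before the night in question, then flags later logins that fall outside it.

```python
"""Off-hours login review over constructed database login records (added example,
not code from the article). Assumed format: 'YYYY-MM-DD HH:MM user=<u> event=<e> src=<ip>'."""
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2003-03-25 08:12 user=msmith event=login src=10.1.4.22
2003-03-26 07:58 user=msmith event=login src=10.1.4.22
2003-03-27 09:01 user=msmith event=login src=10.1.4.22
2003-03-28 08:20 user=msmith event=login src=10.1.4.22
2003-03-31 08:07 user=msmith event=login src=10.1.4.22
2003-04-01 08:15 user=msmith event=login src=10.1.4.22
2003-04-01 23:04 user=msmith event=login src=10.1.9.77
2003-04-02 01:30 user=msmith event=login src=10.1.9.77
2003-04-02 04:52 user=msmith event=login src=10.1.9.77
2003-04-01 22:10 user=jdewno event=login src=10.1.2.5
"""  # constructed sample: a week of daytime use, then the night of April 1st

def parse(text):
    """Yield (timestamp, user, event, src) from one record per line."""
    for line in text.splitlines():
        if line.strip():
            date, time, *fields = line.split()
            kv = dict(f.split("=", 1) for f in fields)
            yield datetime.fromisoformat(f"{date} {time}"), kv["user"], kv["event"], kv["src"]

def find_anomalies(log_text, cutoff, min_history=3, slack=1):
    """Flag logins at or after `cutoff` ('YYYY-MM-DD HH:MM') whose hour of day is more than
    `slack` hours from every hour the user logged in at before the cutoff, plus logins by
    users with fewer than `min_history` earlier logins (no baseline to judge against)."""
    cutoff = datetime.fromisoformat(cutoff)
    events = list(parse(log_text))
    baseline = defaultdict(Counter)  # user -> Counter of login hours seen before cutoff
    for ts, user, event, _ in events:
        if event == "login" and ts < cutoff:
            baseline[user][ts.hour] += 1
    flagged = []
    for ts, user, event, src in events:
        if event != "login" or ts < cutoff:
            continue
        hist = baseline[user]
        if sum(hist.values()) < min_history:
            flagged.append((ts.strftime("%Y-%m-%d %H:%M"), user, src, "insufficient history"))
            continue
        # Circular hour distance, so 23:00 and 01:00 count as two hours apart, not 22.
        if all(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) > slack for h in hist):
            reason = f"hour {ts.hour:02d} outside usual hours {sorted(hist)}"
            flagged.append((ts.strftime("%Y-%m-%d %H:%M"), user, src, reason))
    return flagged
```

Running `find_anomalies(SAMPLE_LOG, "2003-04-01 12:00")` flags the three overnight logins by msmith from a new source address, and separately reports jdewno as having too little history to judge rather than silently passing.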

Finding the Backdoor

After informing the CTO and CEO of the find, the investigation team immediately located Dr. Smith and confiscated her laptop. The forensic analysis of the laptop located several files that warranted further investigation. The team set up a lab and copied the files onto an isolated system for testing. Upon execution, and a close examination of the system, it was discovered that the laptop had been infected with a new breed of Trojan and a custom-built keylogger. The keylogger's capture file was located on Dr. Smith's laptop, and a quick review of the text file indicated that Dr. Smith had logged into the corporate VPN and had accessed the database server. However, the timestamps in the keylogger file indicated that this login had occurred prior to the activity in question, and it matched up with the logs from Active Directory and the database server.

The investigation next focused on the Trojan, which appeared to be a modified version of "The Beast" that disabled all anti-virus software and the firewall. With this Trojan, it would have been possible for an attacker to connect to the infected device and remotely control it. This Trojan, in combination with the captured credentials of the VPN login, also meant that an attacker could have taken over Dr. Smith's laptop in the dead of night, remotely logged into the VPN, and accessed the database server without anyone being the wiser.

But how did these files get onto her computer?

The Wireless Backdoor

Dr. Smith tends to put in long hours at the office. She is responsible for overseeing the staffing of Acme's Onsite Health Units that are spread throughout the state, which also means she needs unrestricted access to the database server. Thanks to her department, the overall costs at several Fortune 500 companies have been cut in half. To help clear her head, Dr. Smith often enjoys a half-hour break down at the local Starbucks, where she enjoys a Tall Mocha Latte and reads up on the latest medical journals on her laptop using the public wireless hotspot.

Unlike many wireless users, Dr. Smith is fully aware that people can see the traffic passing to and from her computer when she is using an insecure connection, such as the one at Starbucks. As a result, she avoids sensitive sites and never checks her email, for fear of her account information being captured. Unfortunately, she never realized that a malicious person can use a public hotspot against a victim in many other ways, which is where this intrusion actually started.

At first the investigation team was a bit confused as to how the malware had been installed on the laptop. The timestamp indicated that the malicious software was installed on April 1st around 2:00 PM. They examined the inbox for attachments and reviewed the system for any indication of manual installation, but could find no clues. Dr. Smith was asked if she could recall where she was during the suspected timeframe, and she was able to provide the investigators with the tip they needed.

After a close review of the cached web history, the culprit was located: the cached copy of a page from CNN's news site contained a malicious embedded script that exploited a recently discovered vulnerability in Internet Explorer. Since the vulnerability had not yet been patched by Microsoft, an attacker could exploit the flaw to download and install software from the Internet — without the user's permission. While this explained how the Trojan was installed, it was a bit disconcerting that the script appeared to come from CNN's website.

The investigation team was initially going to contact CNN, because it appeared as if their website was serving up malicious content. However, this attack appeared to be focused, and it would be impossible for an attacker to infect CNN's website for just the one user. So the team started to research other possibilities. Since Dr. Smith was on an insecure network, they considered the idea that the request for CNN's webpage had been redirected to the attacker's server via malicious redirection. However, the computer’s firewall logs showed the correct address for the web server.

The investigators had hit a wall. How could the malicious script have been placed into the webpage? It took a few hours of searching, numerous phone calls to security experts, and several hours in the lab, but eventually the team found a way to reproduce the attack.

Since Dr. Smith was on a public hotspot, all her traffic was being sent as plaintext over the air. She was aware of this and avoided anything sensitive, which was wise. However, each time a webpage is requested, the requesting computer is exposed for a brief period of time. In this short window, a local attacker can detect the request and inject a seemingly valid response into the wireless network and onto the target’s computer. Basically, a normal web request has to travel over the air, onto the Starbucks network, and out onto the Internet. Then CNN's web server has to send the response back along the same path to the waiting computer. This all takes time, though only a few seconds. However, if an attacker is sitting 100 feet from the victim, they can reply in milliseconds, and because the forged reply arrives first, the victim's computer accepts it as the real one. As a result, it is possible for a person to inject one packet of data right into the user's computer, where it will be treated as valid content.

Summary of the Attack

So, let's put this all together. The attacker wanted to gain access to AMS's database. So they found one of a handful of people who would be guaranteed to have full access to the data they desired — Dr. Smith. They followed Dr. Smith around and discovered that she used a public hotspot every day for about half an hour. The attacker then waited until a vulnerability was found in Internet Explorer, and injected an exploit into her browser using a freely available program called airpwn. This allowed the attacker to infect Dr. Smith's computer with a Trojan and a keylogger. Later that day, Dr. Smith took her laptop home and logged into AMS's network, all of which was captured by the keylogger. The customized Trojan allowed the attacker to connect to the infected computer, read the keylogger file, and log in to the corporate network via the VPN. Then, using the borrowed credentials, the attacker was able to connect to the database and download the records of 80,000 people.

Lessons Learned

The attack was made possible by three main issues. First, antivirus programs are not foolproof. The Trojan slipped through the cracks because it was customized and, as such, not recognized by the protection software. Second, using a public hotspot is dangerous. There are several ways for an attacker to hijack a connection or inject malicious content into it. Third, while there were complex security controls in place, the weakest link was a simple username and password — and these forms of credentials are often guessable or easy to steal.

Fortunately for AMS, the attacker was apprehended because they failed to notice a security camera at the ATM outside the coffee shop. In addition, the website that the data was posted to was within the United States, and was quickly shut down. The logs for the web server were reviewed, and each person who had viewed the content was questioned. While it was still possible that the data could be leaked at a later date, AMS and the FBI were fairly certain that the breach had been plugged and the threat of identity theft was minimal.

But what if the attacker had gotten away with it?