Thursday, August 6, 2020

BH20: The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis

Mitchell Parker, CISO, Indiana University Health

The Opioid crisis has caused mass addiction and broken up families and support systems. Why is this of interest to Black Hat? A major root cause of the crisis was due to underhanded manipulation of an Electronic Medical Record (EMR) system.

Practice Fusion, now a division of Allscripts. They had advertisements in their EMR, which seemed like a violation of the Stark Act.   Many smaller practices used them, because they couldn't afford better systems. Had over 100K customers at their peak.

Many hospitals and small practices are losing money or barely staying afloat - so they were using this system, as it was 'free'.

EMRs are digital version of paper records.  They can be on mobile, desktop, browser or application - often with remote access, as physicians are overworked, too, and would rather complete their charting from home.

EMRs need to be certified to be eligible for federal reimbursement, and are meant to be kept up to date. Lots of HIPAA violations are caught in the big EMR companies, so it's hard to say what's happening in the smaller providers. 

These systems tend to be lacking 2 factor authentication for system access, which means you can even get system administrator access this way.   The physicians are overworked and focused on spending time with patients, not spending time on IT and compliance.

Most of the revenue for Practice Fusion came from advertisements, even though it was a violation for Anti-Kickback Statute. They additionally marketed themselves to drug manufacturers as willing to customize clinical decision support alerts - Pharma Co. X paid $1M to add custom alerts to recommend extended release opioids.  They were able to prove that doctors that saw this alert prescribed at a higher rate than those who did not.

Death and Opioid abuse is not new, was impacting parts of our  America as far back as the late 1990s.

People died and became drug addicts because of a marketing department.

To help stem this type of abuse, there are proposed changes to the Department of Health and human services regulations.  Additionally, Mitchel would like to see diversion monitoring software and privacy monitoring. 

Additionally, recommending that doctors use the larger providers - those have already been set up to limit opioid prescriptions.

Going forward, EMRs should have 2-factor auth, limited access and configuration change reporting. 

We tell our doctors everything about our lives, so this information must be protected. When that trust is broken, it is tragic.


BH20: A Framework for Evaluating and Patching the Human Factor in Cybersecurity

Ron Bitton, Principal Research Manager, Cyber Security Research Centre at Ben Gurion University

Social engineering attacks go beyond just phishing and no longer limited to PCs, but most solutions don't distinguish between different types of attacks or platforms.

The existing methods are based around self-reported measures, attack simulations,  and training (with some mitigation).

But the self-reported method is biased and resource intensive, so cannot be done continuously.  The attack simulations are typically limited to classic phishing, and cannot be used to evaluate users vulnerability to other attack vectors.   The training workshops are great, but unlikely to reflect the users normal behaviour - as they know they are in training.  Additionally, employees are not big fans of forced training, and may not be engaged.

Most technological mitigations are limited to specific environments (like the office, specific browser).

The researchers have created a new toolkit: SafeMind.   The researchers looked into specific areas of awareness models, and worked with other security researchers to help rate the importance of the criteria, which helped them narrow down the most  critical areas to measure.

Created an endpoint solution, attack simulator and network solution. The endpoint solution looks at a lot of things on the endpoint - sensors on social media activity, security settings, certificate management - to create a profile of the user.  Using this profile, could target attack simulations for that user. 

Over 7 weeks they experimented on 162 subjects. They could see that those users with lower security knowledge were less successful at mitigating some attacks.  Users self-reported behaviour may differ significantly from their actual behaviour, whereas their research could predict more accurately their actual behaviour.

BH20: Keynote: Hacking Public Opinion

Renée DiResta, Research Manager, Stanford Internet Observatory

Vocab background: Misinformation, the sharer thinks the information is true, and sharing out of trying to help people. Disinformation, the sharer knows the information is false.  Propoganda is information that is created to make you feel and act a certain way (not always false). Finally, there's an agent of influence - someone acting on behalf of someone else (Nation State, etc). 

Dissemination is an important part of sharing information. In the past, someone would have to physically hand out flyers.  This got easier with tv and radio, but still restricted.  Then, we got zero-cost publishing with blogging - but attracting the audience was still tricky.  Now we have social media - the feeds are designed for engagement and dissemination. 

Now we have a glut of material, no editors, no gatekeepers - just an algorithm that rates, ranks and disseminates.  These algorithms are gameable, and the systems are open to everyone.

We are now going beyond influencing public opinion to hacking public opinion.  It's easy and cheap to create fake media companies and personas, it's how the platform was designed.

We see distraction, persuasion, entrenchment (to highlight and exacerbate existing divisions), and then divide.

Now our broadcast media feeds into social media - and it also flows in the reverse! Both of these can be easily influenced by bad actors.

Renee then walked through a few examples from China - obvious government propaganda, less obvious and then "news" coming from a fabricated news company on twitter to make China look good.  In addition, many Chinese news agencies have facebook pages - even though Facebook is banned in China.  Why? To influence China's image in countries that do have access to Facebook, used recently to discredit Hong Kong protestors.

She did a great breakdown, as well, on creation of twitter bots and figuring out their purposes - and also how effective they were (engagement, number of retweets, etc.)

Memes are properties created for social media, and are easily digestible, identity focused. Often created by state actors to create more division - on both sides of the political spectrum.

Great deep dive into the Russian interference in the 2016 election, with lots of great graphics.

Well researched state agents will exploit divisions in our society using vulnerabilities in our information ecosystem. They will likely target voting machines again and to infiltrate groups. But most of all, they will aim to reduce trust in the US elections.

The more these images and stories are spread, they start to influence and impact people, though direct measurement of impact on each individual is more difficult and will be part of further research. They can see disinformation jumping from one group to another, which seems to demonstrate people are believing it and feel strongly enough to reshare.

An excellent talk - I highly recommend you catch it on YouTube when posted!





Wednesday, August 5, 2020

BH20: Hacking the Voter: Lessons from a Decade of Russian Military Operations

Nate Beach-Westmoreland, Head of Strategic Cyber Threat Intelligence, Booz Allen Hamilton

Nate has been involved in elections since a youth.  For background, read Russian's Military Doctrine that explains tactics, targets & timing of GRU operations.  Long story short: they've been doing what they said they would do!

This is not a new thing - been doing this at least since the 1970s.  Many of the strategies haven't changed, either. what has changed is the technology and who is doing it. In the 1980s, it was the KGB and the Propaganda department.

In the late 1990s, Russia switched to the tactic of Information Confrontation - the continuous competition over beliefs, opinions, perceptions and feelings to enable the furthering of states' agendas.  This has been adopted by the Russian Military and is even documented on their website!

The Information Confrontation has two sides: informational-psychological and informational-technical capabilities.  These are used for more than just swaying an election.  Moscow's preferred candidates have rarely won, but they did succeed at undermining the winner - making them weaker, less able to oppose Russia. 

Information conflict is both offensive and defensive - can demonstrate that "fair, free and democratic" societies are not desirable nor obtainable - So, Russians should stick with the status quo.

Look at what happened in the Ukraine in 2014.  Attacks against the Ukrainian election started a few days in advance, trying to destroy the vote counting system.   They took over websites of officials, creating fake announcements that the system had been breached and then attacked the vote reporting site to show a fringe candidate as winning - all to delegitimize the actual election results.


Similarly in Bulgaria, the GRU launched an DDOS on voter registrar sites, so voters could not find their polling place.

In France (2017), the GRU started phishing Macron's campaign, and started blasting Macron with all sorts of falsehoods about Macron's character.  Even though they were easy to debunk, they built a story that Macron may be a seedy character.  France has a ban on campaigning and commentary within 48 hours of the election, and released more falsehoods and private campaign documents right before.

Similar things happened in Montenegro in 2016.

Then in the US in 2016, similar tactics again: leaking internal campaign - time released to maximally inflame divisiveness. They started spreading fear about election infrastructure and threats of large scale fraud/vote rigging.

When Russia is caught, they go on a "whataboutism" campaign - 'So, what, our athletes were doping, your athletes have done the same thing - what about those athletes?" How can you be angry about us trying to interfere in your election, when US does it to other countries? 

As we've already seen Russia attack power grids, what would happen if they did it on an election day?  Either in the US or other nations?


BH20: We Went to Iowa and All We Got were These Felony Arrest Records

Justin Wynn, Senior Security Consultant, Coalfire Systems
Gary Demercurio, Senior Manager, Coalfire Systems

Client asked them to come on sight and test physical penetration and plantation of drone device.  They were requested by the client to do the work at night/after hours.  What was said later to the press by the client was very different.  Originally it was night only, but they changed the contract later to add social engineering during the day.  It wasn't just the pentesters on the phone with the client, but also their project manager, manager and another pen tester. 

They also received a letter of authorization that also asked them to begin on Sunday (when the court house is closed), so for the client later said they only wanted it to happen during business hours (courthouses are closed on weekends).  The pentesters were given restrictions for each of the 5 buildings, like which floors are off limits, which data centers are in scope/out of scope. This was worked out building by building.  The contract was more generic, and the scoping call was more detail (lesson learned: record your scoping call)!

Charges were filed against each of them independently.

Spent the day on Sunday scoping locations, during business hours they got tours (some public/free access, some with escorted tour).

Started out Monday night at Judicial branch - a State Trooper came by (as expected), who said this was common practice and asked for a business card.  They did get inside, got into the IT department and left a card on his desk. The contact from client sent a "can't wait to see how this was done", reviewed the overnight footage, and didn't say anything.  Everything was seeming fine to the researchers.

Started again on Tuesday night, breached 3 more buildings with no alarms. They knew the last building had an alarm, and were hoping they would set it off.   they arrived at 11:30PM on Tuesday, did a brief walk around - could see the sheriff department across the street.  They found an open door when they arrived - wow.  They closed it, and then re-breached the door.  they tried the default codes for the alarm, didn't work - so they decided to hang out and wait for the police to arrive. 

They wanted to make sure they did not scare the police, or get surprised, so they called out regularly as they were moving down to the ground floor. 

Then we got to watch the body cam footage from first officer on scene, and can hear the police talking, seemed fine with the researchers and they were told they were good to go.

then the sheriff arrived.....and the police officers turn off their body cams.  Suddenly sheriff said the client didn't have the authority to authorize the pen test (state vs county property), and decides to arrest them for burglary. 

Up until when the sheriff arrives, everyone was very professional, then suddenly everyone's attitude changes. Suddenly, the fact that they are penetrating with commonly available tools, they couldn't possibly be professionals (!?!?!?).

Now being questioned about whether or not one of the testers was an actual marine, took a lot of pushing to get them to say they were under arrest.  Finally got ahold of the client, to let them know they were in jail. Asked for help.   "Andrew" was supposed to talk to the sheriff, but the sheriff won't budge because it's a county building - "nothing" can be done.

Judge at arraignment was not pleased that they had been arrested breaking into her courthouse... thought their client would come and protect them, but instead noted they were a flight risk - set their bail at $50,000 (same as people are given for murders).

This led into jurisdictional infighting. Client removed documents from Coalfire portal.

They want someone to be responsible for this.  Polk County DA was not going to charge the speakers, as he was aware that it was the three contacts from the client were at fault, but Polk County Sheriff was defensive of Dallas County Sheriff and threatens Coalfire CEO.

While things are moving forward, in their favor, the Chief Justice dies and everything dies with them.

Now they both have permanent felony records.  Cannot get firearms.

They have laws in the state that are more concerned with liability and less about the security of their infrastructure.  Based on this, all offensive security has stopped in Iowa. 

They would like to get laws passed to prevent this from happening again - if you can help, reach out!

[Q&A]

Do you still have a felony record? Yes.

Was the sheriff of Dallas County ever reprimanded? No.

BH20: Election Security: Securing America's Future

Chris Krebs, Director, Cybersecurity & Infrastructure Security Agency (CISA)

About this time in 2016, it became very clear that Russia was intent on disrupting our election in several ways, including information disruption, election tampering, etc.   There was an ad-hoc response pulled together, as it hadn't been clear this was going to happen in advance.  The Russians did research and targeted attacks on all 50 states, but did not seem to be able to impact a vote via cyber means.

Why was it an ad-hoc response? there was no dedicated approach on election security.  The security research community was aware, but there was nothing dedicated at the federal level. Pulled it together last minute and provided a successful defense from a cyber security standpoint.  Then a playbook was brought out now that others can study.

What are the implications of what happened in 2016? it was a Sputnik type moment - for the first time, the Soviets had a way to reach out and touch us, geographic isolation was no longer in our favor.  Now they could use cyber techniques to destabilize and election. gave the US heads up that we had a lot at stake in 2018 and 2020.  

We have 3 distinct advantages now: vibrant election security community, better understanding of risks, better visibility of what is happening with elections.   Federal gov't is here to support state and local governments run their elections.  Since 2016, pulled together and information sharing infrastructure. sharing threats, strategic and defense tactics. Been providing services / tech capabilities to partners in local government.   Been working together to analyze trends and issues, helping others to buy-down risk with the tools & techniques that have been developed. 

We have a much better understanding now than we did in 2016 how different states and counties are running elections - we are listening to them about what their risks and issues are.  One of the best risk management technique: paper.  We are asking states to switch to a system that has a paper record. for 2020, we may hit 92% or higher with a paper trail.  The paper trail is needed for audibility.

We now have a much better understanding & visibility of what is happening in the election space and worked hard to develop trust with state & local election authorities.  We've been able to provide tools, like intrusion detection, deployed across all 50 states (not necessarily all counties). 

Even with all these preparations, still more work to do - there could be more disruptions, we have Covid-19, and we need voters to be informed.

Today, in 2020, the focused mission of NSA, Intelligence, etc - watching out for Russia, China, and other state actors targeting our infrastructure. Lots of scanning, but not seeing anything at the level we saw in 2016.   But, still seeing too many ransomeware attacks of hospitals and financial institutions - do not want to see this happen to election systems. Helping with tools and techniques to protect these systems.

Looking at the failover mechanisms - analog backups of voter registration databases, etc. we need to make sure that the voters can vote, no matter what.  We also have provisional ballots as a backup.

We have Albert Sensors (IDS), but we also need end point detection, capabilities on individual hosts. We have to continue to improve security at all levels.

In terms of Covid, that's why he's here talking to us today.  Covid will change how we do elections - we realized in February that Covid was going to change the voting process. We are, at the very least, going to need PPE for poll workers, sanitation procedures, etc.   But not just about in-person voting, many states are adopting absentee & mail-in balloting. This takes time & money.  States like New Jersey could not identify budget for doing things like upgrading their machines to have paper audit,  but now they are moving to more mail-in system - so they may get the paper trail this year.

It's quite possible that we won't know on November 3 who won the election. Please be patient. 

We need informed voters - something will change in the way you vote. May be a new polling location: schools & aged homes may not be available. Have a plan for how you will vote.  Take advantage of early voting, absentee or mail-in.   Be a part of the solution.

[Q&A - Live Commentary section]

Under the constitution, states will determine the time, place and manner of an election.  Congress has a role here as well, but local & state has to carry the bulk of the burden.  CISA and the intelligence committee are here to help and support. 

Couple of developments since this was recorded: have set up a vulnerability disclosure guidance, saw University of Chicago is providing free support to state & local election boards, and launching an end-point detection system pilot in 29 states.

We are trying to help with debunking/prebunking of disinformation, in a balanced way. 

Last fall pushed out a state & local disinformation kit, so they can tailor to their local needs, and also leveraged that for Covid related disinformation.  they launched the War on Pineapple campaign, benign and easy to understand. 

Working to help the states adjust and studying the equipment and risk controls, adjusting our approach to do more remote pen testing.

Unfortunately for us, he can't discuss confidential information ;-)

Be prepared, participate - we need 250K poll workers, and be patient!

BH20: Keynote: Stress-Testing Democracy: Election Integrity During a Global Pandemic

Great intro from Dark Tangent (as per usual) - there are people attending from 117 different countries!  Lots of great scholarships this year as well. 

It's strange attending from home - no laser show!

Keynote Speaker: Matt Blaze, Georgetown University

Early elections in the US used little technology - they were literally just in a room and raising hands, but that doesn't scale and it is also not secret.  The earliest technology was simple paper ballots that were hand counted.  As long as the ballot box wasn't tampered with, you could have high confidence your ballot was counted. It was also easy to observe/audit. 

We moved onto machine counted ballots or direct-recorded voting machines, and finally computers. The technology doesn't matter as much as the voters trust the technology and the outcome.

It can be hard to get right - do to some conflicting requirements: secrecy and transparency. How do you audit and make sure everyone's vote was counted in the way they wanted it counted, but w/out disclosing how they voted? 

It is impossible to re-do an election. They need to be certified by a certain date and you cannot really do them again, there's not enough time to do it before transition of power should occur.

The federal government doesn't have as much oversight over each state for a federal election as you might think - they are mostly run by counties, with guidance and standards set federally.  There is no place to change everything nationwide. 

The ballots can (and usually do) vary even within the county - think about school board, city council, local ordinances, etc.  In 2016, there were 178,217 distinct ballots in the US. Sixty percent of eligible voters participated in the election, 17% cast in-person in early voting and 24% was by mail, but the majority were still in person.

In the US, we spend more money campaigning than on running the election itself.

Traditional threats to voting: vote selling, ballot stuffing or mis-counting.  Foreign state adversaries are also a threat, but they may not care about who wins - just that the process is disrupted and cast doubt on the legitimacy of the election.

Taking a walk down memory lane: hanging chads!  Florida was using a punch card system (aside: we used the same system in Santa Clara county when I moved here, except we didn't have the "assistance" of the physical ballot - I had to bring in my sample ballot so I'd know which holes to punch.  In that case, since the Supreme Court stopped the count, we ended up with a certified election that nobody (but the winner) was satisfied - they did not feel their votes were counted.

This debacle did lead to HAVA (Help America Vote Act) - mandated every one to change their voting equipment and did provide funding to purchase it.  Unfortunately, improved tech wasn't widely available,  Most common were DRE (Direct Recording) voting machines - it's computerized. This is different than the older model, where we used offline computers to tally the votes.  These new machines are networked, and much more reliant on software.

As you are aware - software is hard to secure.  There are no general techniques to determine if it is correct and secure.  SW is designed to be easily changed - maybe too easy, if you're not authorized and still able to make a change.  This is a problem for these voting machines.

E-voting, in practice, has a huge attack surface: firmware, software, networking protocols, USB drives floating around, non-technical poll workers, accidental deletion of records, viruses....

Every current system that is out there now is terrible in at least one way, if not several.   There is an exception from the DMCA to do security research on voting machines.  This makes the DefCon voting village a lot of fun (and will be available this year as well). 

Some people are suggesting hand count all - but, there are just too many items per ballot.  The amount of work to do a complete hand count is infeasible. 

The other extreme: the blockchain!  But, it makes us much more dependent on the SW and the client (and what it puts in the blockchain). This does address tamper detection, but not prevention/recovery.  Also, civil elections aren't a decentralized consensus process.

There have been two important breakthroughs - first form Ron Rivest on Software Independence: a voting system is software independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. .... but not how to accomplish that.  Stark came up with Risk-Limiting audits: statistical method to sample a subset of voting machines for post-election hand audit to ensure they reported correct results.  if that fails, hand count the rest.

You can learn more in the paper of "Securing the Vote" from the National Academy.

Everything seemed like 2020 was going to go well... until... March.  Who would've expected a global pandemic?

When we think about voter disruption, you might not be able to get to the polling place due to travel or disability - you can get an absentee ballot (including "no excuse" ballot) - but, with the exception of states like Oregon, they are a small percentage.

If there are local or regional emergencies, like an earthquake or hurricane, that may prevent polling places from opening.  There was an election in NYC on September 11, 2001 - it was definitely disrupted and then highly contested. 

Postponing election is a very disruptive thing - have to figure out what that means for the US? Who then becomes president while we wait for the election? Are there other options?

In an emergency, people may not be able to vote in their normal way: there may not be enough poll workers, they may be in the hospital, recently moved, etc. We are seeing increased pressure on the counties for this, in a time of decreased funding.

Matt then did a great walkthrough of vote-by-mail, how signatures are verified and ballot processing. How do we scale this up?  Exception handling can be very labor intensive, and there is high pressure on chain of custody.   it's hard to know how many people will ask for absentee ballots - they may not have enough, and they can't just copy ballots - so there is a necessary lead time.

how can you help? Volunteer as a poll worker, election judge, wherever your county needs assistance with this election.