This week’s news included a story about hackers that breached a server containing the private health information (PHI) of 230,000 cancer patients. While it’s common for insecure systems to be hacked, it’s been a while since I’ve heard of hackers breaking into a server with a clear intention of doing something other than stealing information. And that’s just what these guys did. It seems the hackers were in need of horsepower and bandwidth. What for? To install and play Call of Duty: Black Ops.
“Theft of service” (or servers in this case) isn’t unheard of. It’s just one of the many ways a digital miscreant can wreak havoc on poorly protected systems. In the case of Black Ops gone Hack Ops, it’s not the hack that caught my attention, but what tipped off the organization that was hacked. It appears that a “loss of bandwidth” caused a network admin to investigate.
At least that was noticed.
But there’s a list of other events that should have been automatically detected, well before the mischievous gamers started annihilating Spetznaz operatives…
- The server was vulnerable. Whether the server was unpatched or had too many ports exposed to the Internet, this should have been flagged as a risk in a nightly vulnerability scan. You can set up this type of automated scanning for free using Nessus or for as little as $20/day using Qualys.
- The actual break-in. Possible methods include a remote exploit or a management interface like RDP with an easily guessed password. If it was a buffer overflow, a “warning flare” should have popped at the host-IPS, network-IPS, malware detection, or operating system layers. If a password was guessed, a series of failed login attempts should have been logged and then reviewed — especially if the admin account was targeted. Either way, the logs should have contained enough data to alert an admin to suspicious activity before Call of Duty was installed.
- The game installation. We install software on our personal computers all the time. But the installation of software on a business server is not a routine event. In fact, any unscheduled installation of software on a server should be investigated immediately. If it can be logged, an alert can be generated. On the right, you’ll see that my installation of Dragon Naturally Speaking was successful. Imagine an SMS alert/email at 1AM saying “Call of Duty… installation successful.” I think I just felt my chest tighten up.
- Anomalous network connections and traffic. The sudden and unusual surge in connections from the Internet to the compromised medical server can be detected and alerted on with NetFlow analysis. Even if it’s common for this server to sustain a high number of connections, the client/server sessions for Call of Duty should have stood out as abnormal. Regardless, network interface monitoring with SNMP and latency checks with ICMP would also tip off a network admin to the gamers’ activities.
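As an added example (not from the original post), here is a small Python detector that covers two of the items above over a constructed log: a burst of failed logins against an admin account followed by a success, and a software installation outside a nightly maintenance window. The log format, the account names in ADMIN_ACCOUNTS and the 02:00–04:00 window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time
ADMIN_ACCOUNTS = {"Administrator", "root"}  # assumed names of privileged accounts

# Constructed sample log (not from the original post), in a simplified
# "<timestamp> <event kind> key=value ..." form standing in for real auth/install logs.
SAMPLE_LOG = """\
2011-01-10T00:58:01 login_failed user=Administrator src=203.0.113.7
2011-01-10T00:58:04 login_failed user=Administrator src=203.0.113.7
2011-01-10T00:58:07 login_failed user=Administrator src=203.0.113.7
2011-01-10T00:58:10 login_failed user=Administrator src=203.0.113.7
2011-01-10T00:58:13 login_failed user=Administrator src=203.0.113.7
2011-01-10T00:58:20 login_ok user=Administrator src=203.0.113.7
2011-01-10T01:02:33 install_ok user=Administrator product="Call of Duty: Black Ops"
2011-01-10T14:00:00 login_ok user=jsmith src=10.0.0.5
2011-01-11T02:15:00 install_ok user=jsmith product="Monthly OS patches"
"""

def parse(log_text):
    """Turn each line into a dict with a datetime 'ts', the event 'kind', and its fields."""
    events = []
    for line in log_text.splitlines():
        ts, kind, rest = line.split(" ", 2)
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events

def failed_login_alerts(events, threshold=5, window=60):
    """Alert per account on >= threshold failed logins inside `window` seconds.
    A later successful login for that account escalates the alert ('guessed')."""
    recent, alerts = defaultdict(deque), {}
    for ev in events:
        user = ev.get("user")
        if ev["kind"] == "login_failed":
            q = recent[user]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:  # drop stale failures
                q.popleft()
            if len(q) >= threshold:
                alerts[user] = {"count": len(q), "admin": user in ADMIN_ACCOUNTS, "guessed": False}
        elif ev["kind"] == "login_ok" and user in alerts:
            alerts[user]["guessed"] = True
    return alerts

def unscheduled_installs(events, window_start=time(2, 0), window_end=time(4, 0)):
    """Installs on a server are not routine: flag any outside the assumed maintenance window."""
    return [(ev["ts"].isoformat(), ev["user"], ev["product"]) for ev in events
            if ev["kind"] == "install_ok"
            and not (window_start <= ev["ts"].time() < window_end)]
```

Run over the sample, the Administrator burst is reported as an admin-account guess and only the 01:02 game install is flagged; the in-window patch install is not.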