Aftermath... Report of an Audit

I was called into St. James's (a relatively wealthy hospital in the South African city of Johannesburg) to perform an audit of the hospital's wireless network after a systems administrator employed by the hospital discovered that a rogue MAC (or Media Access Control) address had been added to the list of trusted MAC addresses on the hospital's primary wireless appliance. My initial thought was that a mistake may have been made by hospital staff, and I suggested to the hospital that the purported rogue address had perhaps been added legitimately. But after cross-referencing a list of all authorized hospital wireless appliances against the list of MAC addresses held on the master appliance, there was no doubt in my mind that a discrepancy was present. Further, a month-old backup of the wireless appliance's configuration was checked against the current configuration. In theory, the configurations should have been identical, because no authorized configuration modifications had been made in over six months. But again, the very same MAC address appeared in the current configuration and was not present in the backup configuration.

The information security organization I worked for is paid to perform wired and wireless network security audits in order to assess the vulnerabilities to which an organization is exposed. Our tests normally consist of running an out-of-the-box security scanner and formatting the report output by the automated scanner in our company colors, complete with logos and other marketing fluff. To this end, dealing with a real incident was entirely new territory and somewhat out of my remit. But now I was interested, and since the hospital was a regular client, my line manager was keen for me to remain on site and "help the client in any way you can." Because of my lack of knowledge in this area, I spent the next few days reading through a handful of books recommended to me by a friend.

Over those two days, I attempted to cram my brain with information ranging from methodologies used for characterizing cyber adversaries and wireless "war drives," to performing forensic testing on compromised computer systems. The hacker underground sure did seem to be a far more complex and larger beast than I had ever previously imagined. Many of the tools that I discovered on the Internet were far more complex than anything I previously had used; the training in the use of automated, graphical user interface security auditing tools that I had received from my employer was of no use to me now. The tools and information I found were simply in another league from what I was used to.

After questioning several hospital systems administrators, it was apparent that no obvious system compromise had occurred as a result of any compromise of the hospital's wireless network, which may or may not have happened. With little information more than the rogue MAC address left in the wireless appliance's configuration to go on, I decided that the best course of action was to use the techniques I had learned over the past two days to perform a wireless audit of the hospital and the surrounding plaza. To my surprise, the hospital wireless network appeared to be available some three blocks away from the hospital itself. Among the wireless traffic being emitted from the hospital, I also discovered three or four wireless networks that appeared to belong to several local cafés and local businesses. From my reading, I knew that wireless networks could travel at least two hundred feet, but I had never come across a wireless network as widespread as the hospital network appeared to be; I knew something was amiss. Upon discovering this, I returned to the hospital to have lunch with Dan Smith, one of the systems administrators, in the hospital's restaurant facility.

Dan Smith was also the individual assigned to lead the incident investigation for the hospital, so he was my primary point of contact for any findings I made during the course of my testing. After I disclosed the results of my morning's work, Dan asserted that the wireless equipment had been thoroughly tested after its installation and was found to be available at (approximately) a one-block radius around the hospital's perimeter, a distance which, at the time, the hospital had determined to be acceptable. After Dan insisted that the signal I received must have originated from another wireless network and that my data was inaccurate, I was compelled to present him with the technical data I had collected that morning. The results displayed precise GPS (global positioning satellite) coordinates for each of the networks that had been detected by my laptop. In addition to the wireless network coordinates, my laptop had collected sufficient wireless traffic to perform what I had read was an attack against the RC4 crypto algorithm, used to encrypt the hospital's wireless network traffic. Upon reading the hospital's WEP (Wired Equivalent Privacy) key displayed in clear text on my laptop screen, Dan's jaw dropped. After gazing at my screen for what seemed like three or four minutes, Dan made a telephone call to his superiors and scheduled an urgent meeting for one hour's time, to which I was invited to present my findings. Although this was now well outside of my regular remit, the hospital was a good client, and I had been instructed to do all I could to aid the hospital in their investigation, so without hesitation I agreed to attend.

As I was collecting my equipment from the restaurant table, a middle-aged lady placed her hand on my shoulder and in a timid voice said, "Excuse me, sir?"

"Yes, can I help you?" I replied. The lady was dressed in what appeared to be a white doctor's uniform; her name tag read "Dr. Sarah F. Berry." The lady claimed to be the mother of Daniel Berry, a teenager in his sophomore year who was purportedly somewhat of a wireless expert. Intrigued, I inquired as to why she thought he was such an expert on the topic.

"Well, you see, he goes to these clubs where all they do is talk about wireless and security, and he was here just a few weeks ago with his friends helping to set up a new wireless network at the hospital," she replied.

Pretending not to find this information at all useful or interesting, I proceeded to make my excuses and leave the hospital restaurant in order to prepare for the presentation that I was now due to give in a little under 45 minutes. Hurriedly, I made my way to the office of Dan Smith to inquire into the legitimacy of Dr. Berry's offspring's activities over the past weeks. It became apparent that this was something of which Smith had no knowledge, and he pressed me for everything I had been told by Dr. Berry. Although Smith was impatient to confront Dr. Berry regarding the activities of her son, I explained that, from what I had read regarding characterizing cyber adversaries and, more precisely, potential insider cases, a direct confrontation is often the worst thing that can be done.

If Dr. Berry's son was indeed involved in the wireless incident at the hospital, he may well have retained access to computer systems and may be in a position to wreak havoc if he were to be confronted. Time was running out, and we agreed to take the discussion of what to do about Dr. Berry into the meeting with Dan Smith's superiors. As planned, I presented my findings to a naïve hospital IT management team. As with Smith, they, too, were keen to confront Dr. Berry and her son, a move I explained could cause more problems for the hospital. As an alternative, I offered to take responsibility for having a chat with Dr. Berry's son upon his return from the next meeting of his group in three days' time. I would pose as a reporter who had heard of the hospital wireless project and wanted to write an article in a local paper regarding how local residents could get access to the wireless network.

The hospital records office provided us with the home address of Dr. Berry and, as planned, two nights later, from my position outside of the address, I observed a boy in his mid-teens leave the house at approximately 18:00 hours. Sure enough, some three hours later, the boy returned. I made my move and stepped out of the car. "Mr. Berry," I yelled.

The boy swung round and in a timid voice replied, "Yes, but are you looking for my pa?"

"No," I replied. "Are you Daniel? My name is Simon, I work with your mother. She said that you were somewhat of a computer and wireless network genius, that you had something to do with the new wireless network at St. James hospital." As the boy approached me, he inquired as to my identity. "I am a reporter for the St. James hospital newsletter," I replied. "I would like to write an article in the hospital newsletter regarding the new network and how it makes the hospital one of the most technologically advanced in Johannesburg."

The boy laughed. "It's not that advanced!" he exclaimed.

"Well, perhaps you can tell me more about it?" I inquired.

He responded, "You'd be better off talking to my friend Saul. I just helped him set up some wireless appliances; Saul is the real wireless genius."

"How can I get in touch with Saul?" I asked. The boy reached into his backpack and pulled out a pad and pen. He scribbled down an e-mail address through which I could purportedly contact this Saul character. I thanked him for his help, and assured him that he would be credited for his help in the hospital newsletter.

As I turned away to return to my car, the boy yelled out, "Hey!" I turned around. "Please don't mention my name in your newsletter. My friends just call me Bender."

Chuckling under my own breath, I agreed and thanked the boy again. With that, he turned and ran off up the street to his home.

As far as I was concerned, this was all I needed; this was getting way too serious for a simple security consultant to be dealing with. It was time to inform the hospital of my full findings and recommend that law enforcement be informed of the incident.

I rushed home to draft my report for the hospital and, if the hospital chose to, for the consumption of law enforcement officers.

Dear Sirs,

I have been called upon by my firm (on behalf of St. James hospital) to investigate the possible wireless compromise that purportedly occurred over the past three or four weeks. Although it was my initial inclination to believe that the purported event was perhaps a false alarm, an audit of the hospital's wireless appliance configuration indicated that certain unauthorized activities had indeed taken place. Wireless appliances often contain a list of "authorized" appliances to which they can "talk." These addresses are often referred to as "MAC" addresses or HW (hardware) addresses. All rogue addresses that had been added to the device shared the same hexadecimal prefix as the devices used in the hospital, indicating that the rogue devices used to ultimately expand the hospital network were manufactured by the same firm (Lucent) as the wireless appliances used legitimately by the hospital.

From my reading of various publications pertaining to the characterization and attribution of cyber adversaries, it is my opinion that whoever carried out these attacks against the hospital wireless network was both fairly skilled and well funded or resourced. After carrying out a number of what are known as "war walks" around the hospital perimeter, I found that at least four, perhaps five, wireless access points were used to extend the hospital's wireless coverage. This is not the sort of equipment that most people have lying around in their basement, let alone the purported perpetrators, a group of teenage boys.

Several days into the investigation, Dan Smith and I sat in the hotel restaurant to discuss my day's findings. As I was about to leave, a Dr. Berry, who I presume overheard our conversation, approached me to inform me that her son was an expert in wireless networking and security and would be an invaluable resource in whatever it was we were discussing (Dr. Berry was clearly not technical in this area). Further to this, she informed me that her son was at the hospital only two weeks ago "doing something" to the "new" wireless network at the facility. On discussing this point with Dan Smith, it emerged that these activities were carried out without the knowledge of Dan or any of his team.

With the above facts in mind, I engaged the son of Dr. Berry, posing as a reporter for the hospital newsletter, claiming to be writing a story on the "new" wireless network. Of course, while I didn't indicate otherwise to him, her son genuinely believed that his activities were legitimate, directing me to a friend of his named "Saul" who was apparently the individual responsible for arranging the activity. Accordingly, I have passed his e-mail address, provided by Dr. Berry's son, to Dan Smith.

The following questions remain. The hospital wireless network does not offer any kind of Internet access; it simply acts as a gateway to the hospital network, allowing doctors to modify patient records and other data from their wireless PDA devices. To this end, who would want to extend such a network, and for what purpose? Given the highly sensitive nature of the resources that are potentially accessible via the hospital wireless network, it is very possible that whoever orchestrated this project was interested only in the theft and potential modification of patient data. Given that we have already determined that those behind it were well resourced, both financially and technically, apparently making use of individuals who believe what they are doing is legitimate, I am inclined to suggest that whoever is behind this is highly determined, and whatever it is that they want, they clearly want it badly enough to invest considerable resources in getting it.

I have therefore recommended to a slightly dubious Dan Smith that his administration team consider disabling the hospital wireless network until law enforcement has concluded its investigation into who it was and why it was that the hospital network was extended to an almost three-block radius outside of the hospital's perimeter fence.

Regards,
Simon Edwards
Mickey Mouse Security LLC
"Running automated scanners since 1998"
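The two configuration checks the story and the report above rely on (the trusted-MAC list against the inventory of authorized hospital appliances, and the current configuration against the month-old backup), together with the report's observation that the rogue entries shared the legitimate devices' hexadecimal prefix, can be done with a few lines of Python. The following is an added example and is not code from the book or from any product it mentions; the access-list line format, the inventory, every MAC address, and the use of the 00:02:2D prefix as "the hospital vendor's OUI" are constructed for illustration, and the prefix grouping is by string only, not a real vendor lookup.

```python
"""Reconcile a wireless appliance's MAC allowlist against a known-good backup
and an asset inventory, then group unexplained entries by OUI (vendor prefix).

Added illustration; not code from the book. All configuration text, inventory
entries and MAC addresses below are constructed, and the 00:02:2D prefix is
simply assumed to be the hospital vendor's OUI for the sake of the example."""
import re
from collections import defaultdict

# Matches 48-bit MAC addresses written with ':' or '-' separators.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed: current running configuration of the primary appliance.
CURRENT_CONFIG = """\
hostname wlan-primary
access-list mac 00:02:2d:11:aa:01 permit
access-list mac 00:02:2d:11:aa:02 permit
access-list mac 00:02:2d:11:aa:03 permit
access-list mac 00:02:2d:7f:00:9c permit
access-list mac 00-02-2D-7F-00-9D permit
"""

# Constructed: month-old backup of the same configuration.
BACKUP_CONFIG = """\
hostname wlan-primary
access-list mac 00:02:2d:11:aa:01 permit
access-list mac 00:02:2d:11:aa:02 permit
access-list mac 00:02:2d:11:aa:03 permit
"""

# Constructed: inventory of hospital-owned wireless hardware (MAC -> asset).
INVENTORY = {
    "00:02:2D:11:AA:01": "AP, ward 3",
    "00:02:2D:11:AA:02": "AP, ward 4",
    "00:02:2D:11:AA:03": "AP, outpatients",
}


def normalize(mac: str) -> str:
    """Canonical form (upper-case, colon-separated) so mixed notations compare equal."""
    return mac.upper().replace("-", ":")


def extract_macs(config_text: str) -> set[str]:
    """Pull every MAC address out of a config dump, regardless of line syntax."""
    return {normalize(m.group(0)) for m in MAC_RE.finditer(config_text)}


def reconcile(current: str, backup: str, inventory: dict[str, str]) -> dict[str, list[str]]:
    """Three independent checks; an entry failing any of them needs explaining.

    - added_since_backup: drift relative to the last known-good configuration
      (the case in the text, where no authorized change had been made).
    - removed_since_backup: silently dropped entries, also unexplained drift.
    - not_in_inventory: allowlisted hardware the organization does not own,
      which a backup diff alone misses if the rogue entry predates the backup.
    """
    cur = extract_macs(current)
    bak = extract_macs(backup)
    owned = {normalize(m) for m in inventory}
    return {
        "added_since_backup": sorted(cur - bak),
        "removed_since_backup": sorted(bak - cur),
        "not_in_inventory": sorted(cur - owned),
    }


def group_by_oui(macs) -> dict[str, list[str]]:
    """Bucket addresses by their first three octets (the OUI).

    Rogue entries sharing the legitimate devices' OUI, as in the report, are
    consistent with same-vendor hardware, but the prefix proves nothing on its
    own: MAC addresses are trivially spoofable, so treat it as a lead, not evidence.
    """
    groups = defaultdict(list)
    for mac in macs:
        groups[normalize(mac)[:8]].append(normalize(mac))
    return {oui: sorted(v) for oui, v in groups.items()}


if __name__ == "__main__":
    findings = reconcile(CURRENT_CONFIG, BACKUP_CONFIG, INVENTORY)
    for check, macs in findings.items():
        print(f"{check}: {macs or 'none'}")
    print("unexplained entries by OUI:", group_by_oui(findings["not_in_inventory"]))
```

The inventory check is the one that matters most: a backup diff only catches changes made after the backup was taken, so an entry planted earlier would survive it, whereas an allowlist entry that maps to no owned asset is suspicious whenever it was added. Grouping by OUI reproduces the report's "same vendor as ours" observation, and the comment on `group_by_oui` states the caveat that observation carries.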

So there it was; as far as I was concerned, this was now in the hands of law enforcement and the hospital administration. I didn't tell Dan or my employer directly, but whoever was behind this had probably already gotten what they wanted from the hospital network. And from what I have read about hackers, well, put it this way: this wasn't just a lame Web site defacement or a denial of service. Whoever was behind this was well resourced, highly capable, and highly motivated about what they were doing. In a place like a hospital, that makes for a pretty dangerous person.




Stealing the Network: How to Own a Continent
ISBN: 1931836051
Year: 2004