
El arte de hackear datos médicos (The art of hacking medical data)
Nov 2020
Agenda

1 Digital Risks in healthcare

2 Examples

3 Recommendations

© 2019 4iQ.com ** DO NOT DISTRIBUTE ** Company Confidential. All rights reserved.

Copyright © 2017 4iQ.com


Digital risks in healthcare today

- Insiders
- Hacking
- Blackmailing
- Data Breaches
- Phishing
- Account Takeover
- Impersonation
- Social Engineering (SE)



Organizational Threats
ACCOUNT TAKEOVER



What is a data breach?

In 2019, identity-based breaches continued to grow with a much wider
set of personally identifiable information exposed as well as the largest
increase in clear-text passwords circulated.



No end in sight...

Every month ~450 M identities (people) become victims of identity theft, which is more than the population of the USA!

Every day, 17 companies suffer a data breach.

On average, fewer than 1 M identities are exposed per breach.

14.7 M identities are exposed every day.



Are we victims of this problem?

[Figure: exposure report for a single identity. Exposed attribute counts: Address 4, Birthday 5, Credit or debit card 1, Email 11, Employment history 1, Names 3, Password 12, Phone number 7, Security questions 9. The source breaches are dated between June 2012 and June 2016 (Dec. 2015, June 2012, June 2013, Oct. 2013, April 2014, May 2014, Feb. 2015, Jan. 2014, March 2015, Feb. 2013, Jun. 2016).]



The Attack
Account Takeover Attack
BLACK MARKETS: Where Everything Has a Price

Bank Credentials          10% of account balance
Credit Cards              $5-$8 (+BIN#: $15)
Fullz                     $20-$45 (+SSN, PIN, KBA +)
Cloud Services            $6-$10
Email credentials         Varies (.08)
Online Payments           $50-$300
Healthcare Records        $20-$50
Documents (passports, bills)   $50-$300



Account Takeover Attack - Sentry MBA
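Sentry MBA is a credential-stuffing tool: it replays leaked email/password pairs against a login form at scale, one password per account across many accounts. The defender's side of that, as an added example that is not part of the original deck: a small Python detector that reads authentication events in an assumed log format and flags source IPs that try many distinct accounts in a short window with a high failure ratio. The log format, the thresholds and the sample lines are constructed assumptions, not 4iQ data.

```python
"""Credential-stuffing detection over authentication logs.

Added example. Assumed log format (one event per line):
    <ISO-8601 time> ip=<source> user=<login> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers eight different accounts in five seconds
# (one hit), one user mistypes twice then logs in, one unrelated success.
SAMPLE_LOG = """\
2020-11-02T10:00:01 ip=203.0.113.7 user=alice@example.org result=fail
2020-11-02T10:00:02 ip=203.0.113.7 user=bob@example.org result=fail
2020-11-02T10:00:02 ip=203.0.113.7 user=carol@example.org result=fail
2020-11-02T10:00:03 ip=203.0.113.7 user=dave@example.org result=ok
2020-11-02T10:00:03 ip=203.0.113.7 user=erin@example.org result=fail
2020-11-02T10:00:04 ip=203.0.113.7 user=frank@example.org result=fail
2020-11-02T10:00:04 ip=203.0.113.7 user=grace@example.org result=fail
2020-11-02T10:00:05 ip=203.0.113.7 user=heidi@example.org result=fail
2020-11-02T10:01:10 ip=198.51.100.4 user=ivan@example.org result=fail
2020-11-02T10:01:25 ip=198.51.100.4 user=ivan@example.org result=fail
2020-11-02T10:01:40 ip=198.51.100.4 user=ivan@example.org result=ok
2020-11-02T10:02:00 ip=192.0.2.9 user=judy@example.org result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any sliding window, attempt at least `min_users`
    distinct logins with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: (distinct_users, failures, successes, [users that succeeded])}.
    A brute force against a single account never trips this, because it counts
    distinct usernames rather than attempts; many accounts, one guess each, is
    the credential-stuffing signature."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "fail")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                hit = (len(users), fails, len(chunk) - fails,
                       sorted({u for _, u, r in chunk if r == "ok"}))
                if best is None or hit[0] > best[0]:
                    best = hit  # keep the widest qualifying window
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (n, f, s, ok) in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} accounts tried, {f} failed, {s} succeeded; takeover candidates: {ok}")
```

The accounts that returned `ok` from a flagged source are the ones whose leaked password still works; those are the sessions to revoke and the passwords to force-reset first. Attackers spread stuffing across proxies to stay under per-IP thresholds, so the same counting should also be done per ASN or per user-agent fingerprint.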


“Reuse of passwords is #1 cause of harm on the Internet”
- Alex Stamos, Facebook CISO

EMAIL                       BREACH/SITE   ALGORITHM   DECRYPTED PASSWORD
mzuckerb@fas.harvard.edu    LinkedIn      SHA1        dadada
mzuckerb@fas.harvard.edu    MySpace       SHA1        *****fee
mzuckerb@fas.harvard.edu    Last.fm       MD5         *****v3a
mzuckerb@fas.harvard.edu    Adobe         3DES        dadada
zuck@facebook.com           Tumblr        SHA1        *****nis
mark@facebook.com           Dropbox       SHA1        *****325
mark@facebook.com           Fling         None        *****980
mark@facebook.com           VK            None        *****123
mark@facebook.com           Adobe         3DES        dadada

People reuse 3-4 passwords across about 30 accounts
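The table above shows why this matters: the LinkedIn, MySpace, Last.fm, Tumblr and Dropbox rows were stored as unsalted SHA1 or MD5, which a precomputed wordlist table reverses with one dictionary lookup per row, and the two plaintext sites needed no work at all. The Adobe 3DES rows are a different case (reversible encryption, recovered once the key is known) and are not handled here. The following Python is an added example, not code from the deck or from 4iQ; the dump rows and the wordlist are constructed stand-ins, not data from any real breach.

```python
"""Why unsalted MD5/SHA1 dumps give up passwords, and how reuse across sites
is then spotted. Added example; the dump and the wordlist are constructed
stand-ins, not data from any real breach."""
import hashlib
from collections import defaultdict

# Constructed wordlist (a real one is hundreds of millions of leaked passwords).
WORDLIST = ["123456", "password", "dadada", "letmein", "qwerty"]


def _digest(algo, password):
    return hashlib.new(algo, password.encode()).hexdigest()


# Constructed dump rows: (email, site, algorithm, stored value).
# "none" means the site stored plaintext. user2's SiteB password is not in
# WORDLIST, so it must remain uncracked.
DUMP = [
    ("user1@example.org", "SiteA", "sha1", _digest("sha1", "dadada")),
    ("user1@example.org", "SiteB", "md5", _digest("md5", "dadada")),
    ("user1@example.org", "SiteC", "none", "dadada"),
    ("user2@example.org", "SiteA", "sha1", _digest("sha1", "letmein")),
    ("user2@example.org", "SiteB", "sha1", _digest("sha1", "Tr0ub4dor&3")),
    ("user3@example.org", "SiteC", "none", "qwerty"),
]


def build_lookup(wordlist, algos=("md5", "sha1")):
    """Precompute hash -> plaintext once. Without a per-user salt the table
    is built once and reused against every row of every dump; that is what
    makes unsalted fast hashes cheap to reverse at scale."""
    return {(algo, _digest(algo, pw)): pw for algo in algos for pw in wordlist}


def crack_dump(dump, wordlist):
    """Return [(email, site, algo, plaintext_or_None), ...] with one dict
    lookup per row; no hashing work is done per row."""
    table = build_lookup(wordlist)
    out = []
    for email, site, algo, value in dump:
        if algo == "none":
            plaintext = value
        else:
            plaintext = table.get((algo, value.lower()))
        out.append((email, site, algo, plaintext))
    return out


def find_reuse(cracked):
    """Map email -> {password: [sites]} restricted to passwords seen on more
    than one site for the same email; these are the credential-stuffing seeds."""
    seen = defaultdict(lambda: defaultdict(list))
    for email, site, _, plaintext in cracked:
        if plaintext is not None:
            seen[email][plaintext].append(site)
    reuse = {}
    for email, passwords in seen.items():
        repeated = {pw: sites for pw, sites in passwords.items() if len(sites) > 1}
        if repeated:
            reuse[email] = repeated
    return reuse


if __name__ == "__main__":
    for email, repeated in find_reuse(crack_dump(DUMP, WORDLIST)).items():
        for pw, sites in repeated.items():
            print(f"{email}: '{pw}' reused on {', '.join(sites)}")
```

A per-user random salt defeats the shared table (each row would need its own wordlist pass), and a deliberately slow hash such as bcrypt, scrypt or Argon2 makes even that pass expensive; that is the storage-side fix, while the user-side fix is the password manager recommended at the end of the deck.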



Organizational Threats
PHISHING



How Cyber-criminals Attack



Common Phishing Threats

Credit/Gift Cards: The backbone of any successful phishing attack is a well-designed spoofed email or spoofed website, which is why

Bank: Bank customers are popular targets of those who engage in phishing attacks.

E-Commerce: The websites of professional businesses and organizations are generally sleek and stylish. If you visit one that seems to look a little ramshackle, there’s a very good chance that you’ve stumbled upon a spoofed site.

Cloud Services: Phishers know precisely how to design spoofed emails to look like their legitimate counterparts.



Phishing vs Spear Phishing



Spear Phishing

“By clicking on the accompanying malicious link, victims are unknowingly giving the adversaries access to their bookings. An additional message demanding that they send an advance payment for their booked vacations to a bank account belonging to the cybercriminals.”
- scmagazine

These messages look like the real deal because they include stolen personal information such as names, addresses, phone numbers, dates, booking prices, etc.



6 Examples of PHISHING

1. Classic Phishing Email

Email phishing is a numbers game. Attackers will usually try to push users into action by creating a sense of urgency.



1. Classic Phishing Email

Links inside messages resemble their legitimate counterparts, but typically have a misspelled

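The misspelled or restructured link is the one signal in a classic phishing email that can be checked mechanically. As an added example (not code from the deck), the Python below extracts the links from a message body and classifies each host as legitimate, lookalike or unknown against an assumed allow-list of brand domains, catching the brand name buried in a subdomain (paypal.com.evil.net), digit-for-letter swaps (dropb0x.com), punycode hosts and one-character typos. The brand list, homoglyph map, sample email and thresholds are all assumptions.

```python
"""Flag links whose host imitates a known brand domain. Added example; the
brand list, homoglyph map, sample email and thresholds are assumptions."""
import re
from urllib.parse import urlparse

# Assumed allow-list of the organisation's own and partner domains.
KNOWN_DOMAINS = {"paypal.com", "dropbox.com", "linkedin.com", "example-hospital.org"}

# Characters commonly swapped for look-alikes, mapped back to the letter
# they imitate (digits plus a few Cyrillic/Greek/Turkish homoglyphs).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "ı": "i", "ο": "o", "а": "a", "е": "e", "р": "p", "с": "c",
})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Last two labels (assumption; production code should use the public
    suffix list so that 'example.co.uk' is handled correctly)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, known=KNOWN_DOMAINS, max_dist=1):
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registrable(host)
    if domain in known:
        return "legitimate", domain
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", "punycode host (possible IDN homograph)"
    domain_name = domain.split(".")[0].translate(HOMOGLYPHS)
    for brand in sorted(known):
        name = brand.split(".")[0]
        # brand name anywhere in the host, e.g. paypal.com.evil.net or paypa1.com
        if any(name in label.translate(HOMOGLYPHS) for label in labels):
            return "lookalike", f"contains '{name}' but registers as {domain}"
        # typo-squat of the registrable name, e.g. linkedln.com
        if levenshtein(domain_name, name) <= max_dist:
            return "lookalike", f"within edit distance {max_dist} of {brand}"
    return "unknown", domain


def scan_email(body, known=KNOWN_DOMAINS):
    """Return [(url, verdict, reason)] for every link in the message body."""
    return [(url,) + classify_url(url, known) for url in URL_RE.findall(body)]


# Constructed phishing lure with one legitimate and one partner link mixed in.
SAMPLE_EMAIL = """Dear customer, your account has been limited.
Verify now at https://paypal.com.account-verify-center.net/login (24 hours left).
Download the statement from http://dropb0x.com/s/statement.pdf
Our shared folder: https://www.dropbox.com/s/abc123
Patient portal: https://example-hospital.org/portal
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

Short brand names produce false positives with the substring rule (a four-letter brand matches many honest hosts), so in practice the allow-list is the organisation's own and partner domains and anything flagged goes to a human, not straight to a block list. The check only covers the href; display text that differs from the link target is a second, independent signal.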




2. Infected Attachments



3. Macros With Payloads



4. Social Media Exploits



5. LinkedIn Phishing Attacks



6. Whaling Phishing

Whale phishing targets executives and VIPs.



The Attack
Phishing tool



Organizational Threats
HACKING



Types of Malware



Ransomware

● Infiltrates endpoints and encrypts all the files, demanding a ransom payment of $300 USD in bitcoin.
● Exploits a known Windows vulnerability that enables remote code execution.
● Affected at least 100K organizations across multiple industries in over 150 countries.



Remote Access Trojan (RAT)



RAT Example



Organizational Threats
INSIDERS



Insiders Motivation

1. Sensitive Information: modifying or stealing confidential or sensitive information for personal gain.
2. Theft & Trading: theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization.
3. Sabotage: sabotage of the organization’s data, systems or network.



3 Examples of INSIDERS

Insider Example

“The alleged factory sabotage at Tesla has definitely stolen the insider threats highlights reel for 2018 so far.”
- darkreading

“News broke via the leak of a company email from CEO Elon Musk, who alleges a trusted insider was deliberately sabotaging software systems that control the car company's manufacturing processes.”



Insider Example

Feb 4, 2019

“I work for bank come across thousands of checks per day! If u know how to drop checks in account HMU aloo 1 can use some help for check. I'm having problems getting BOA to hit (crack card) I also can edit check to the name/drop that your using. 745780626 ICQ ME”



Insider Example

Feb 20, 2019

“I work at bank have access to checks from every bank! HMU ASAP on ICQ 745788626. If you need MORE proof I’ll even write ur prtship username on check to show u I’m legit! No games these ways let’s make money not waste time”



Organizational Threats
BLACKMAILING



Sextortion

“It all starts with an email. In it, the criminals warn the victim that they have their personal password or that they have infected their laptop and have compromising material. ‘I know your password is... you have visited porn sites... you have 24 hours to make the payment.’”
- Público

“This modus operandi corresponds to a new variety of sextortion that the Policía Nacional has warned about in a statement this Saturday, after receiving thousands of emails since June from different victims in Spain.”



VIP blackmailing

Gaining access to the company’s infrastructure. Demanding a ransom to keep this information secret.

VIP impersonation

Executing fraudulent transactions in financial institutions.



Organizational Threats
Data Breaches



How Data Breaches Occur

1 Research
Attacker looks for weaknesses he can exploit.
SOCIAL ENGINEERING: phishing email, spam with malware, phone call, dress like the night janitor, etc.
INFRASTRUCTURE WEAKNESS: SQL injection, vulnerability exploitation, session hijacking, etc.

2 Stage Attack
Once the attacker maintains access to the system, he may need to keep staging attacks until the desired information is obtained or the desired access to the network is achieved.
(Diagram path: FIREWALL → WEBSITE → WEB SERVER → DATABASE AND FILE SERVER)

3 Exfiltrate
Accessed data (personally identifiable information (PII), credit card numbers, email addresses, other social details, etc.) is exfiltrated back to the attacker over an HTTP-based path, FTP, email, etc.



Exfiltrate Company Information

Dropbox breach



Fraud example from breached data

“The data compromised included ‘full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV,’ according to Vision Direct.”
- scmagazine

“Personal and financial data entered by customers who ordered or updated information on the VisionDirect.co.uk website was compromised and stolen between November 3 and November 8.”



Organizational Threats
SOCIAL ENGINEERING &
IMPERSONATION ATTACK



Social Engineering

● Personal information (phone, emails)
● Geographic locations and languages
● Skills
● Contacts
● Obtaining information about the company
● Job offers
  ○ They tell us which technology the company uses
  ○ Location of offices
  ○ Gaps the company may have (QA, IT administrator for Linux)



Impersonation Attack

● Difficult to detect
● Permanent
● High damage





Healthcare Examples

Ransomware Example

“On September 9, one of Spain's largest insurers suffered a ransomware attack on its servers that shut it down digitally, affecting millions of users. Computer systems such as those that manage authorizations for medical tests and users' policies stopped working overnight.”
- cybersecuritynews

“Even so, the cyberattack has led to six weeks of attempts to recover from the digital blackout, fighting against the ransomware, and a very delicate situation during this month and a half; it will not be until this Friday, October 30, that it recovers 100% of its activity.”



Ransomware Example

“Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an ‘imminent cybercrime threat to U.S. hospitals and healthcare providers.’”
- krebsonsecurity

“‘Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,’ Carmakal said.”



Ransomware Example

“The hospital is still moving forward with scheduled procedures, although those requiring imaging services may be delayed, according to a Herald and News report.”
- beckershospitalreview

“Klamath Falls, Ore.-based Sky Lakes Medical Center's computer systems were compromised by a ransomware attack Oct. 27, according to a post on the hospital's Facebook page.”



Data Leakage - Example



Data Leakage - Example from third party



Security Camera Plan - Example



TAC SERVER



Compromised credentials



Real Data for Sale on the Dark Web

Selling 35K health records for all countries, including ID card, authority card, picture, etc.



Looking for health data

Requesting health information on the Dark Web.



Patient Data Exposed

Personal records exposed.



Health Sector is clearly a target

9.7K hospital sites hacked!



Recommendations


Use a password manager



Don’t use compromised passwords

* NIST Special Publication 800-63B
5 Authenticator and Verifier Requirements
5.1.1.2 Memorized Secret Verifiers

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

● Passwords obtained from previous data breaches.
● Dictionary words.
● Repetitive or sequential characters, for example ‘abcdefghij’ or ‘ssss12345’.
● Context-specific words, such as the name of the service, the username, and derivatives thereof.
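What a verifier that follows that clause looks like, as an added example (not NIST's text and not 4iQ's code): the Python below screens a candidate secret against all four list categories plus a minimum length and returns every reason for rejection rather than just the first, so the user can be told what to change. The breach corpus, the dictionary, the three-character run length and the trailing-digit stripping are constructed assumptions; a production deployment would swap in a real breach corpus (hundreds of millions of entries, queried by hash prefix) and a real word list.

```python
"""Memorized-secret screening along the lines of NIST SP 800-63B 5.1.1.2.
Added example; the breach corpus, dictionary and thresholds are constructed
stand-ins, not NIST's or anyone's production lists."""
import hashlib
import re
import unicodedata

# Stand-in breach corpus, kept as SHA-1 digests of the leaked plaintexts
# (assumption: that is how such lists are usually distributed, so the
# verifier never stores the plaintexts themselves).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ["123456", "password", "dadada", "qwerty123"]}
DICTIONARY = {"password", "welcome", "hospital", "monkey", "dragon"}


def normalize(secret):
    """800-63B requires Unicode normalization before comparison (NFKC here)."""
    return unicodedata.normalize("NFKC", secret)


def has_repeats_or_sequences(secret, run=3):
    """True for runs like 'sss' or 'abc'/'321' of length `run` (run length is an assumption)."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def context_words(service, username):
    """Service name, the username, and its separator-split parts of 3+ chars."""
    local = username.lower().split("@")[0]
    words = {service.lower(), local}
    words.update(p for p in re.split(r"[._\-]", local) if len(p) >= 3)
    return words


def check_memorized_secret(secret, service, username, min_len=8):
    """Return the list of reasons to reject the secret; an empty list means accept."""
    secret = normalize(secret)
    low = secret.lower()
    reasons = []
    if len(secret) < min_len:
        reasons.append("shorter than minimum length")
    if hashlib.sha1(secret.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    # Strip trailing digits/symbols so 'Welcome123' is still caught as 'welcome' (heuristic).
    if re.sub(r"[^a-z]+$", "", low) in DICTIONARY:
        reasons.append("dictionary word")
    if has_repeats_or_sequences(secret):
        reasons.append("repetitive or sequential characters")
    hits = sorted(w for w in context_words(service, username) if w in low)
    if hits:
        reasons.append("contains context-specific word: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for candidate in ["dadada", "Welcome123", "MyClinic-mark-2020", "correct horse battery"]:
        verdict = check_memorized_secret(candidate, "MyClinic", "mark@example.com")
        print(f"{candidate!r}: {'accept' if not verdict else 'reject: ' + '; '.join(verdict)}")
```

The same clause says verifiers SHOULD NOT impose composition rules (mandatory digits or symbols) and SHALL permit at least 64 characters, which is why the check above blocks bad passwords rather than demanding character classes; a long passphrase that hits none of the lists passes.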



Two Factor Authentication (2FA)



Update your browser

Security patches are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit.



Firewalls



Antivirus



Be wary of Pop-Ups & fake apps



Encrypted Communication



Questions?

“I’ve learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel”
– Maya Angelou

Alberto Casares
alberto.casares@4iq.com
_albertocasares
#Cybersecurity #Research & Development #Digital Risk Management #e-Crime #OSINT
