Thursday, May 28, 2020

Adding the next layer of security: offensive cybersecurity research

Offensive cybersecurity researcher Vasilios Hioureas
With the recent reports about the cybersecurity vulnerabilities of PACS systems and networks, PARCA eNews reached out to cybersecurity expert Vasilios Hioureas, who is an offensive cybersecurity researcher for Malwarebytes. Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware and exploits that escape detection by traditional antivirus solutions. Mr. Hioureas is a software engineer and analyst with more than 15 years' experience in analyzing security weaknesses in a variety of systems. He previously held positions as Information Security Engineering Manager at ARES Management, malware analyst at Kaspersky Lab and software engineer for gaming developers. At Malwarebytes, Mr. Hioureas creates and tests exploit proofs of concept, investigates cloud infrastructure vulnerabilities and leaks, and creates automated tools for discovery of public cloud infrastructure vulnerabilities. Mr. Hioureas has written and commented on a variety of cybersecurity issues for a number of online publications including ZDNet, Security Boulevard, Wired, and Digital Trends.

Q. To start with, tell us a little bit about yourself and how you got to be an offensive security researcher, and what does that actually mean?

A. I was doing some work for companies testing their software and doing malware research and that kind of evolved into offensive security. To define it, offensive security is proactive research; basically, offense for the sake of defense, and it can take many different forms. Most of the time it's performing simulated attacks, as a hacker would, towards an application or a company's infrastructure. Usually we have access to internal resources, so let's say I work for company X and they develop software. Well, I'll have access to their actual code and it'll give me a leg up on the ability to develop or discover vulnerabilities in the code whereas the hacker comes at it from the outside.

Q. Is it the same as a cyber threat hunter?

A. Cyber threat hunting is actually quite different. Cyber threat hunting is actually on the defensive side. I think the reason that it gets confused is that it's kind of an active role within the defense side. Normally pure defense is like, ‘okay, we're going to build protections and then when something happens we will act on it and respond to it.’

Threat hunting is basically going out and taking an active role in finding new exploits in the wild and then trying to apply the things you've discovered to your network. You’re taking an active role in finding new hacks and trying to see how a new hack might look on your own data set. So basically in the end it is going through all the logs and network logs and hunting for new attack types that they've discovered but on the data that already exists in the company. But these events have already occurred in your network so by definition it is reactive.

Q. Sorry, can you say that one more time? What distinguishes cyber threat hunting from what exactly you do?

A. What I'm doing is actually trying to discover things that have never been either thought of or discovered that can be used against the company that I’m working for. I'm trying to basically act as the hacker would. Cyber threat hunters are still responding to a hacker or hacker attempts that are happening. Those are the two big differences.

Q. What are the skills needed to be an offensive security researcher?

A. Definitely programming skills, and the ability to reverse engineer binary code, and then just kind of have the desire to mess with things. Basically your goal is breaking things, right? And the methods can range from just blindly trying to throw a million different inputs at something to break it, or you're going to surgically go in and analyze code and say ‘oh if I do this, I can actually get this program to do something wrong.’

Q. On your LinkedIn profile you say you created a zero-day exploit for power grid weaknesses, what was that about?

A. Yeah, that was really interesting, actually. There are basically radio towers up on the hills all around cities that broadcast the signals that instruct the electrical systems of certain homes that are registered in the system with the electrical company. The electric company has installed these remote devices on the houses as a safety feature. Whenever the power grid load is too high, they'll be able to send signals via radio frequency from the antennas up on the hills and it will cut off certain systems in those houses to lower the load on the grid and prevent a blackout.

I was able to intercept this radio communication and actually modify it and then rebroadcast it into these homes. I of course had one of these installed devices in my own house, so I wasn’t messing with the neighbor's house. But essentially I was able to do whatever I wanted. I could turn on the air conditioning unit or turn it off, so you can imagine that if I have the power now to turn on anybody's home air conditioning system, then I can make the grid load just skyrocket by hitting many houses all at once and actually cause a blackout.

Q. Is that something that nation-states cybercriminals would be likely to be doing?

A. It's a possibility, you know, obviously we've heard about nation-states messing with the power grid and messing with different critical infrastructure. So those areas are definitely targets of importance. If somebody can mess with critical infrastructure, they can do a lot more damage than with other things.

Q. How do you do your work in your day-to-day kind of routine?

A. It depends on the engagement, of course, but you know, sometimes it's just as simple as reading code the programmers have written and going through and trying to find bugs in that code that I can take advantage of. Then I say to them, ‘hey look, this is what's written into the code. If I do X and Y, I can exploit that portion of the code.’

Other times, I'm going at it from a blind perspective. I have no knowledge of a system. I can't look into it, but I'm going to be bombarding it with things and I try to break it. It all depends on the type of engagement.

Q. Have you worked on PACS systems?

A. Yes, I have worked with PACS systems, looking at security.

Q. What are some of the common things that you found, and then maybe some of the more advanced threats that PACS administrators need to be aware of?

A. As you already mentioned, I've found that a lot of systems in the medical industry are very dated compared to other industries, so a lot of times we'll see vulnerabilities that probably wouldn't have existed elsewhere. For the most part, however, in the medical world the kinds of vulnerabilities that we find are not that different from what other industries experience. As an example, API leaks are a huge problem in all industries, but in some ways it matters more in the medical world than it might in some other industries because of the sensitivity of that data.

Q. What is an API leak?

A. Basically, an API is just a system or a program running on a server that's expecting commands via the web. Via the website, you can send it commands and the API will respond. An API leak is basically, either unintentionally or for whatever other reason, a way to get around the authentication for that API. For example, if I can find a way around being logged in as a registered user. Once past that authentication, I can now extract data from the database.

APIs are probably one of the biggest vulnerabilities as far as medical servers or PACS servers are concerned. The first thing to look at is to make sure the APIs are secure because that's the outward facing component of the network.

As far as other advice for PACS admins goes, as you mentioned, I would say there are also different ways to get into a system. There are also the cases of how the PACS runs on a network infrastructure, and there have been cases where I found that the PACS itself is secure, and it's rock solid, meaning I can't find a vulnerability. But the server software it is running on is dated. And actually that's something that we do see in the medical industry a lot. Even if it's new and secure PACS software, you might find it on very dated hardware and very dated operating systems. And so that's another avenue. I don't need to go and exploit a PACS server if I can just exploit the web server it is running on instead and then get in through the back door, basically.

Another one, and this is a huge one especially for the medical industry, but for many others as well, are side channels, as I'll call them. And that's basically any data that might be dealt with from the PACS server, but by other company side servers. One specific example is Amazon or AWS or S3 as they call it. It's cloud storage that Amazon offers and the PACS server communicates with it. That's all good, normal, but again, if S3 was not set up properly, if Amazon was not set up properly then there's your side channel. Even if the PACS is perfectly secure, if the storage server is insecure, then your data can be leaked via that side channel.

As the hacker, I don’t need to hack the PACS server if I discover that this company has an insecure Amazon server. I can just walk right into that Amazon server since it was not set up with the proper security, and now I’ve got all of the data that the PACS server deals with anyway, so that's a huge problem. And that's probably one of the more common ones that you see, these Amazon leaks of the data.
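The "side channel" described in this answer is a storage bucket that was never locked down, so the check a PACS administrator wants is an audit of the bucket's own access configuration rather than of the PACS software. The following is an added example written for this article, not code from the interviewee or from Malwarebytes. It audits the three places where an S3 bucket can be opened to the world: the bucket policy (an `Allow` statement whose `Principal` is `*`), the bucket ACL (grants to the `AllUsers` or `AuthenticatedUsers` groups), and the account/bucket "Block Public Access" settings, whose four field names (`BlockPublicAcls`, `IgnorePublicAcls`, `BlockPublicPolicy`, `RestrictPublicBuckets`) are the real S3 API names. The bucket name, account ID, and policy documents below are constructed sample data, and the severity labels are this example's own convention.

```python
import json

# Group URIs that S3 uses for anonymous ("AllUsers") and any-AWS-account
# ("AuthenticatedUsers") ACL grants; either one makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample bucket policy (bucket name and account ID are placeholders).
# PublicRead: anonymous read of every object.  AppRole: scoped to one IAM role.
# OrgOnly: wildcard principal, but a Condition that limits callers to one org.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-pacs-archive/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/pacs-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-pacs-archive/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-pacs-archive/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    ],
})

# Constructed sample ACL grants, shaped like the "Grants" list of GetBucketAcl.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
SAMPLE_PAB_OFF = {k: False for k in PAB_KEYS}
SAMPLE_PAB_ON = {k: True for k in PAB_KEYS}


def _principals(principal):
    """Flatten a policy Principal element ("*", {"AWS": "..."} or lists) to strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def classify_policy(policy_json):
    """Return (public, conditional): Sids of Allow statements with a wildcard principal.

    'public' statements have no Condition, so anyone on the internet matches them.
    'conditional' ones carry a Condition that may or may not restrict callers and
    need a human to read the condition keys, so they are reported separately.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    public, conditional = [], []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        (conditional if st.get("Condition") else public).append(sid)
    return public, conditional


def public_acl_grants(grants):
    """Return (group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def audit_bucket(policy_json, acl_grants, public_access_block):
    """Combine the three checks into (severity, message) findings.

    When all four Block Public Access flags are on, S3 refuses public policies
    and ACLs regardless of what they say, so those findings drop to 'low'
    (still worth cleaning up, but not an open door).
    """
    fully_blocked = all(public_access_block.get(k) is True for k in PAB_KEYS)
    exposed = "low" if fully_blocked else "critical"
    findings = []
    public, conditional = classify_policy(policy_json)
    findings += [(exposed, f"policy statement {s} allows anonymous access") for s in public]
    findings += [("review", f"policy statement {s} uses Principal * with a Condition; "
                            "verify the condition actually restricts callers") for s in conditional]
    findings += [(exposed, f"ACL grants {perm} to {group}") for group, perm in public_acl_grants(acl_grants)]
    if not fully_blocked:
        findings.append(("high", "S3 Block Public Access is not fully enabled on this bucket"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS, SAMPLE_PAB_OFF):
        print(f"[{severity}] {message}")
```

The sample runs offline. Against a live account the same three inputs come from boto3: `get_bucket_policy()["Policy"]`, `get_bucket_acl()["Grants"]` and `get_public_access_block()["PublicAccessBlockConfiguration"]` (the last two calls raise a `ClientError` when no policy or no block configuration exists, which for the block configuration should itself be treated as "not blocked"). The point of the `review` bucket is that `Principal: "*"` plus a Condition is only safe when the condition key really narrows the caller, as `aws:PrincipalOrgID` does; a condition on, say, the request's user agent would not.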

Q. You wrote a blog post about open source implementations of PACS where the APIs were not activated or were activated without authentication. Does that happen with commercial vendor PACS implementations?

A. Okay, I would say yes, definitely that it can happen with anything because there's not much difference with open source vs closed source. Just because software costs more money doesn't make it more secure. In my career, I have found vulnerabilities in both open source and closed source software. If you think about the major software that you use today, how often do you hear in the news that Microsoft Windows has a vulnerability that was hacked? Closed source doesn't protect anything from hackers.

The thing with closed source is that you don't know; you are kind of trusting that the company that is developing it has a security staff that's properly vetting all the code. So that's kind of one negative of closed source. There are pros and cons to both. Sometimes it's easier for people to get started with the open source because you have code in front of you and you can look at it.

The other thing about open source is that it often may come up as a topic because you can legally mention it by name. If somebody does research on open source, you can legally mention it, whereas if somebody's researching closed software and they are not under an engagement with that company to actually attack it then, you know, you can't really talk about it. It's not exactly legal.

Q. In such a case would you approach that company and say look you found this vulnerability, or does that happen?

A. In such cases it would be that they have already asked us or asked me to analyze their software. Essentially they ask you, ‘We are building this software, can you take a look at it and try to find exploits?’ I personally do not just go and hack random people asking for them to pay me to disclose it, mainly because that is borderline becoming extortion.

Q. I take it this profession that you're in is beginning to explode. Are more and more people turning to your specialty? Are more organizations realizing that react and defend just isn't enough anymore?

A. I think that's definitely a trend. You need both, I'm not trying to say that you don’t need react and defend, you need both. To be secure you need to have layers, and this is just one of those layers and I think people are realizing now that that's just something that's a necessity. So many vulns are being found with these assessments through pen-tests or with offensive research that it is proving itself valuable.

Q. Other than the types of attacks you've mentioned that threaten PACS systems, are there any more advanced attacks that are emerging?

A. Advanced attacks that are emerging, I wouldn't say something specific towards PACS but towards IT networks in general. There don't seem to be software exploits that may be targeted towards PACS servers globally; there's not a specific thing that globally all PACS servers suffer from that can be exploited, which has been the case with some other systems.

Q. Why are hospitals or healthcare systems being targeted? It seems from what I see on the ONC website the number of attacks seems to be rising year after year.

A. I would say that is happening for a couple reasons. One, obviously the value of that data, you know, that's the starter. Medical data is super valuable. It can be worth much more for people on the black market than just plain financial data.

Q. What makes medical data so valuable?

A. With financial data you get somebody's credit card. All you can do is charge something on the credit card and then eventually it'll get blocked and then okay cool that data is useless now for you if you're a criminal, whereas medical data can be very long running as far as what you can do with it.

Obviously, you can turn around and sell it on the black market for a quick buck. But there are a lot of other options with medical data. There was a case, that I was a little bit blown away by when I heard about it.

There was actually a case where a hacker had basically stolen tons of medical data and he had everything on these people, all their personal information, x-rays, various things like that. He then turned around and actually created a fake medical practice and started using this stolen data to pretend that these patients were stepping into his office, and he was collecting insurance money for these fake patients. The real people had no knowledge that he was doing it and they obviously never stepped into his office.

He actually built a medical practice for insurance fraud to steal all this insurance money based on medical data. He did get caught eventually but it illustrates the value of this medical data and it shows the threat to healthcare.

Q. Is the threat to healthcare becoming more sophisticated, more frequent, or more costly or all three?

A. I think all three; in general everything is having to get more sophisticated. Defenses are getting more sophisticated, so in general, attacks are definitely having to make up for that. But I would say that if I'm a hacker, I have to decide ‘am I going to target a bank to try to get some value out of this hacking or am I going to target some medical organization?’ I'm going to go to the medical organization 100% because medical organizations unfortunately are well known for not having kept up with technology. Hackers know it's an easier target than going after a big organization or some corporate organizations.

So while attacks on the medical industry are getting more sophisticated, still, they are a little bit behind. So while some other industries may be really secure and difficult to get into, medical IT is kind of a step back and a little bit easier for hackers in some ways.

Q. What are say two or three of the most important things that PACS administrators should do to protect their systems?

A. I would say definitely, they should add this active approach, it's necessary. The second thing would be to assume nothing. You can't assume that because you paid for something that it's secure and that it's secure out of the box. I think that's a big mistake that a lot of people make when they buy software.

As an example, a PACS server that I evaluated had security built in, but it's up to the administrator to do the reading and the research to know what the security features of any given software are, whether that's a PACS server or your Amazon AWS. You have to activate the security features and set them up properly and not just assume that, ‘oh, I'm buying this product. I'm paying a lot of money for it, so it must just be secure out of the box.’ You can't assume that; in fact it is almost never the case. You really have to make sure that you do your research and you know how to properly set it up, because that can be worse. You can buy the best piece of software and if you don't set it up properly it's worthless, basically.

Q. One of the things that I write about a lot is that the efforts to make data sharing among physicians and clinics and hospitals easier, of course, it is a double-sided sword, the more people who have access to this kind of data, the more vulnerable you are to hackers. How would you recommend to defend against that?

A. That's kind of a problem in general. It's difficult to answer that question because you hear in the news every so often all kinds of very critical data is getting leaked by all kinds of different companies, financial as well as healthcare institutions. The solutions that exist are mostly secure. Unfortunately it is also the case that you can't ever really say anything is a hundred percent secure.

In general, if you have a knowledgeable internal security staff within your organization, a lot of times that is enough to stop the majority of these attacks, because for the most part hackers are not going to spend years trying to attack your company if your security staff is doing very well in building up your internal security. They'll just move on real quick. If in the first day of checking out your network the hacker sees these guys are doing a good job of securing the network, they are just going to move on to another company because there are a million others that are not as secure.

Q. A lot of middle-sized hospitals and smaller hospitals might not have somebody on their IT staff like you, how would they go about hiring an offensive security researcher?

A. Security companies offer offensive security research as a service, so you can go to any security company that you work with to purchase penetration testing or red teaming services and things like that, and oftentimes it's better to have somebody from the outside doing this rather than internal security. So that comes with its benefits.

An expert from the outside is going to really give you the idea of how a real hacker in the wild is going to be behaving. So that's good. In my case you can just reach out to Malwarebytes and we can discuss your situation and your needs.
