SlideShare a Scribd company logo

Fingerprinting healthcare institutions

Download as PPTX, PDF
securityxploded
securityxploded

Presented by Anirudh Duggal in SecurityXploded cyber security meet. visit: http://www.securitytrainings.net for more information

Internet
1 of 56
Fingerprinting Healthcare Institutions – EMR systems - Anirudh Duggal Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
#whoAmI • Work with Philips healthcare • Hack anything • Sustainability enthusiast • Research on healthcare security – protocols, devices, infrastructure • Play guitar in free time • Speak at conferences • Hospitalsecurityproject.com
Agenda • Why healthcare? • Beyond phishing – targeted attacks • How to fingerprint? • EMR fingerprinting • Fingerprinting beyond servers • Q&A
Why healthcare? • Easy targets • High payoff • Still to mature on terms of security • Less awareness
Posted on 13th Feb 2016
Overall • Healthcare institutions are easy to fingerprint • They are “considerably less protected” • Many entry points • Quite many targets
What to expect?
And…
Inside a hospital
Text • Text • Text • Text Text • Text • Text • Text Network 1 Network 2 Healthcare centers and hospitals – ideal situation HVAC system Lighting system Hospital servers Waste management systems Medical devices Monitoring devices Computers, phones, tablets Water controls NAT / Bridged network with an IDS / IPS Other hospitals Vendor servers “service portals” Vendor servers Intranet Internet Encrypted communication Encrypted communication Encrypted communication Computers , phones, tablets
Text • Text • Text • Text Text • Text • Text • Text But what do we get? HVAC system Lighting system Hospital servers Waste management systems Medical devices Hospital computers Monitoring devices Tablets / phones Water controls “service portals” Security systems guests Internet
Basics of fingerprinting • Find unique but common headers • Be consistent • Use multiple tools – shodan, censys, matego • Verify manually • Use google
So what can you fingerprint? • Medical devices • Routers • Data center • EMR software • HVAC controls • Lighting controls
Finding hospitals • Generic searches • Name searches • Hospital name searches • Sometimes the name is too generic • Narrow down search parameters
Generic hospital searches • Hospital • Hospital* • Healthcare • Healthcare* • <name of the hospital> • <name of the software / protocol>
Generic searches
Narrowing the searches to regions • Narrow down searches by • Country • Technology (HTTP(S), NetBIOS ) • Type of infrastructure (VPN, cloud)
Healthcare “chains”
Narrowing down • Narrow down to FTP servers ;) • Port 80 will show interesting results
But… • Sometimes the names are too generic • Narrow down technology • Look at other parameters – don’t fall into honeypots • Use google - Search for address and verify
EMR solutions • “goldmine” for attackers • Easy to attack • High point of impact • Ransomware attacks
A typical hospital scenario EMR (electronic medical record)Patient monitors / healthcare devices LAN / WIFI/ Bluetooth/ Doctor's PC / Secretary PC Doctor's Mobile/ Nurse mobile Other hospitals
Fingerprinting EMR solutions • Use shodan / censys / maltego • Searches vary on what you're trying to find • How I started • Create a list of 200 popular EMR solutions • Start searching by name • Look for characteristics – deployment scenario, url constructs, technology • Look for manuals • Change language – Chinese, Russian • Find bugs ;)
Shodan • Can search using name • Less false positives • Shows ready exploits for OS
Search by exploring EMR structures • Look at unique parameters • Filter by name
Problem • Results not constant • Need more access to data • You can’t find some systems
Thinking beyond Shodan • Shodan (Shodan.io) • Easiest deep web tools • Cache information • Due to the paid nature, results may vary • Lacks multi lingual capabilities • Censys (censys.io) • Provides raw data for research • Support Regex and can concatenate different parameters • Maltego (thick client) • For advanced recon • Can fingerprint infrastructure
Searching by names
Multi – lingual search -Russian
Multi – lingual search -Chinese
Multi – lingual search - Arabic
Using censys efficiently
Combining searches with google results • Google gives better results with specific headers
Running Maltego
When everything fails • Some systems could not be found at all • Find the manual!
Easy way - visit the vendor website site ;)
Logging on the PACS system
Cloud based EMR • Easy to find • “scalable and reliable” • Many entry points – web, mobile, IOT devices • Google is very effective in searching such solutions
In a nutshell • Finding EMR is easy • Your EMR might be secure, other infrastructure might be not • Attacks go beyond your audits and process
Besides servers
Routers and internet access points
Cams – smile ;)
HVAC controls!
Insider attacks • Generic system attacks – MITM , BSOD , Network exploits • HL7 exploits
Defending hospitals • Secure networks • Have Public and Private networks • Harden routers and firewalls – have a patching policy • Look out for shodan and censys • Assume the network will be compromised • Isolate high value components • Encrypt and Backup • Know your devices –vendor management
Thank you Minatee Mishra Michael Mc Neil Ben Kokx Jiggyasu Sharma Sanjog Panda Pardhiv Reddy Ajay Pratap Singh Neelesh Swami Archita Aparichita Sagar Popat Narendra Makkena Kartik Lalan Pratap Chandra Ashish Shroff Swaroop Yermalkar
Questions? • anirudhduggal@gmail.com • Anirudh Duggal – facebook • @Duggal_anirudh– twitter ; @secure_hospital • Hospitalsecurityproject.com
Thank you

Recommended

Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
securityxploded
 
Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360
Tripwire
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
anirudh duggal
 
Intruders
IntrudersIntruders
Intruders
techn
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
Malicious Client Detection using Machine learning
Malicious Client Detection using Machine learningMalicious Client Detection using Machine learning
Malicious Client Detection using Machine learning
Cysinfo Cyber Security Community
 
IDS n IPS
IDS n IPSIDS n IPS
IDS n IPS
SAurabh PRajapati
 

Recommended

Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
securityxploded
 
Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360
Tripwire
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
anirudh duggal
 
Intruders
IntrudersIntruders
Intruders
techn
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
Malicious Client Detection using Machine learning
Malicious Client Detection using Machine learningMalicious Client Detection using Machine learning
Malicious Client Detection using Machine learning
Cysinfo Cyber Security Community
 
IDS n IPS
IDS n IPSIDS n IPS
IDS n IPS
SAurabh PRajapati
 
Introduction IDS
Introduction IDSIntroduction IDS
Introduction IDS
Hitesh Mohapatra
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
Digital Bond
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
ANURAG CHAKRABORTY
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
Emily2014
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
Ashwini Almad
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Ids & ips
Ids & ipsIds & ips
Ids & ips
Lan & Wan Solutions
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1
Saksham Agrawal
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
Nikhil Raj
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
rajakhurram
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
Yahia Kandeel
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
mmubashirkhan
 
call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...
International Journal of Engineering Inventions www.ijeijournal.com
 
501 ch 7 advanced attacks
501 ch 7 advanced attacks501 ch 7 advanced attacks
501 ch 7 advanced attacks
gocybersec
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
Sam Bowne
 
501 ch 6 threats vulnerabilities attacks
501 ch 6 threats vulnerabilities attacks501 ch 6 threats vulnerabilities attacks
501 ch 6 threats vulnerabilities attacks
gocybersec
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Ofansif ve Defansif Powershell
Ofansif ve Defansif PowershellOfansif ve Defansif Powershell
Ofansif ve Defansif Powershell
BGA Cyber Security
 

More Related Content

What's hot

IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
Emily2014
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
mmubashirkhan
 

What's hot (20)

Introduction IDS
Introduction IDSIntroduction IDS
Introduction IDS
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
 
Ids & ips
Ids & ipsIds & ips
Ids & ips
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
 
call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...
 
501 ch 7 advanced attacks
501 ch 7 advanced attacks501 ch 7 advanced attacks
501 ch 7 advanced attacks
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
501 ch 6 threats vulnerabilities attacks
501 ch 6 threats vulnerabilities attacks501 ch 6 threats vulnerabilities attacks
501 ch 6 threats vulnerabilities attacks
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 

Viewers also liked

Viewers also liked (11)

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Ofansif ve Defansif Powershell
Ofansif ve Defansif PowershellOfansif ve Defansif Powershell
Ofansif ve Defansif Powershell
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Siber Sigorta Nedir? Nasıl Yapılır?
Siber Sigorta Nedir? Nasıl Yapılır?Siber Sigorta Nedir? Nasıl Yapılır?
Siber Sigorta Nedir? Nasıl Yapılır?
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Android Zararlı Yazılım Analizi ve Güvenlik Yaklaşımları
Android Zararlı Yazılım Analizi ve Güvenlik YaklaşımlarıAndroid Zararlı Yazılım Analizi ve Güvenlik Yaklaşımları
Android Zararlı Yazılım Analizi ve Güvenlik Yaklaşımları
 

Similar to Fingerprinting healthcare institutions

Internet Etiqute
Internet EtiquteInternet Etiqute
Internet Etiqute
Anay Mishra
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Jason Trost
 

Similar to Fingerprinting healthcare institutions (20)

Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version
 
Email Security: Alligators In The Swamp
Email Security: Alligators In The SwampEmail Security: Alligators In The Swamp
Email Security: Alligators In The Swamp
 
Internet Etiqute
Internet EtiquteInternet Etiqute
Internet Etiqute
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Reducing Human Error in GMP with Automation
Reducing Human Error in GMP with AutomationReducing Human Error in GMP with Automation
Reducing Human Error in GMP with Automation
 
Cyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCyber Security Overview for Small Businesses
Cyber Security Overview for Small Businesses
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day Conference
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Competitive cyber security
Competitive cyber securityCompetitive cyber security
Competitive cyber security
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Power Grid Communications & Control Systems
Power Grid Communications & Control SystemsPower Grid Communications & Control Systems
Power Grid Communications & Control Systems
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
9 - Security
9 - Security9 - Security
9 - Security
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
 

More from securityxploded

More from securityxploded (20)

Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
MalwareNet Project
MalwareNet ProjectMalwareNet Project
MalwareNet Project
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 

Recently uploaded

Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
tanu pandey
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
SUHANI PANDEY
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
 
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
SUHANI PANDEY
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 

Recently uploaded (20)

20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 

Fingerprinting healthcare institutions

  • 1. Fingerprinting Healthcare Institutions – EMR systems - Anirudh Duggal Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
  • 2. #whoAmI • Work with Philips healthcare • Hack anything • Sustainability enthusiast • Research on healthcare security – protocols, devices, infrastructure • Play guitar in free time • Speak at conferences • Hospitalsecurityproject.com
  • 3. Agenda • Why healthcare? • Beyond phishing – targeted attacks • How to fingerprint? • EMR fingerprinting • Fingerprinting beyond servers • Q&A
  • 4. Why healthcare? • Easy targets • High payoff • Still to mature on terms of security • Less awareness
  • 5. Posted on 13th Feb 2016
  • 6. Overall • Healthcare institutions are easy to fingerprint • They are “considerably less protected” • Many entry points • Quite many targets
  • 10. Text • Text • Text • Text Text • Text • Text • Text Network 1 Network 2 Healthcare centers and hospitals – ideal situation HVAC system Lighting system Hospital servers Waste management systems Medical devices Monitoring devices Computers, phones, tablets Water controls NAT / Bridged network with an IDS / IPS Other hospitals Vendor servers “service portals” Vendor servers Intranet Internet Encrypted communication Encrypted communication Encrypted communication Computers , phones, tablets
  • 11. Text • Text • Text • Text Text • Text • Text • Text But what do we get? HVAC system Lighting system Hospital servers Waste management systems Medical devices Hospital computers Monitoring devices Tablets / phones Water controls “service portals” Security systems guests Internet
  • 12. Basics of fingerprinting • Find unique but common headers • Be consistent • Use multiple tools – shodan, censys, matego • Verify manually • Use google
  • 13. So what can you fingerprint? • Medical devices • Routers • Data center • EMR software • HVAC controls • Lighting controls
  • 14. Finding hospitals • Generic searches • Name searches • Hospital name searches • Sometimes the name is too generic • Narrow down search parameters
  • 15. Generic hospital searches • Hospital • Hospital* • Healthcare • Healthcare* • <name of the hospital> • <name of the software / protocol>
  • 17. Narrowing the searches to regions • Narrow down searches by • Country • Technology (HTTP(S), NetBIOS ) • Type of infrastructure (VPN, cloud)
  • 19. Narrowing down • Narrow down to FTP servers ;) • Port 80 will show interesting results
  • 20. But… • Sometimes the names are too generic • Narrow down technology • Look at other parameters – don’t fall into honeypots • Use google - Search for address and verify
  • 21. EMR solutions • “goldmine” for attackers • Easy to attack • High point of impact • Ransomware attacks
  • 22. A typical hospital scenario EMR (electronic medical record)Patient monitors / healthcare devices LAN / WIFI/ Bluetooth/ Doctor's PC / Secretary PC Doctor's Mobile/ Nurse mobile Other hospitals
  • 23. Fingerprinting EMR solutions • Use shodan / censys / maltego • Searches vary on what you're trying to find • How I started • Create a list of 200 popular EMR solutions • Start searching by name • Look for characteristics – deployment scenario, url constructs, technology • Look for manuals • Change language – Chinese, Russian • Find bugs ;)
  • 24. Shodan • Can search using name • Less false positives • Shows ready exploits for OS
  • 25.
  • 26.
  • 27.
  • 28.
  • 29. Search by exploring EMR structures • Look at unique parameters • Filter by name
  • 30.
  • 31.
  • 32. Problem • Results not constant • Need more access to data • You can’t find some systems
  • 33. Thinking beyond Shodan • Shodan (Shodan.io) • Easiest deep web tools • Cache information • Due to the paid nature, results may vary • Lacks multi lingual capabilities • Censys (censys.io) • Provides raw data for research • Support Regex and can concatenate different parameters • Maltego (thick client) • For advanced recon • Can fingerprint infrastructure
  • 35. Multi – lingual search -Russian
  • 36. Multi – lingual search -Chinese
  • 37. Multi – lingual search - Arabic
  • 39. Combining searches with google results • Google gives better results with specific headers
  • 41. When everything fails • Some systems could not be found at all • Find the manual!
  • 42.
  • 43.
  • 44. Easy way - visit the vendor website site ;)
  • 45. Logging on the PACS system
  • 46. Cloud based EMR • Easy to find • “scalable and reliable” • Many entry points – web, mobile, IOT devices • Google is very effective in searching such solutions
  • 47. In a nutshell • Finding EMR is easy • Your EMR might be secure, other infrastructure might be not • Attacks go beyond your audits and process
  • 49. Routers and internet access points
  • 52. Insider attacks • Generic system attacks – MITM , BSOD , Network exploits • HL7 exploits
  • 53. Defending hospitals • Secure networks • Have Public and Private networks • Harden routers and firewalls – have a patching policy • Look out for shodan and censys • Assume the network will be compromised • Isolate high value components • Encrypt and Backup • Know your devices –vendor management
  • 54. Thank you Minatee Mishra Michael Mc Neil Ben Kokx Jiggyasu Sharma Sanjog Panda Pardhiv Reddy Ajay Pratap Singh Neelesh Swami Archita Aparichita Sagar Popat Narendra Makkena Kartik Lalan Pratap Chandra Ashish Shroff Swaroop Yermalkar
  • 55. Questions? • anirudhduggal@gmail.com • Anirudh Duggal – facebook • @Duggal_anirudh– twitter ; @secure_hospital • Hospitalsecurityproject.com

Editor's Notes

  1. Posted on 13th Feb, 2016
  2. Image from: http://healthcorrelator.blogspot.in/2014/09/will-your-wireless-router-give-you.html
  3. An ideal network infrastructure that we see.
  4. This is a chain of hospitals in India and Indonesia.
  5. One of the hospital name that was too generic
  6. This is just a general observation, some hospital do have sophisticated environments, but a majority of them do not. The focus here is more on the ease of setup and maintenance rather than having a secure setup in place.
  7. An arbitrary search on one of the biggest EMR solution provider.
  8. Showing NETBIOS Exposed
  9. Anonymous login successful
  10. Now if you goto shodan and search for this vendor with filter as windows server 2003 you get and EMR!