Fingerprinting Healthcare
Institutions – EMR systems
- Anirudh Duggal
Disclaimer: All the views / data presented are my own and do not reflect the opinions
of my employer.
#whoAmI
• Work with Philips healthcare
• Hack anything
• Sustainability enthusiast
• Research on healthcare security – protocols, devices, infrastructure
• Play guitar in free time
• Speak at conferences
• Hospitalsecurityproject.com
Agenda
• Why healthcare?
• Beyond phishing – targeted attacks
• How to fingerprint?
• EMR fingerprinting
• Fingerprinting beyond servers
• Q&A
Why healthcare?
• Easy targets
• High payoff
• Still to mature in terms of security
• Less awareness
Posted on 13th Feb 2016
Overall
• Healthcare institutions are easy to fingerprint
• They are “considerably less protected”
• Many entry points
• Many targets
What to expect?
And…
Inside a hospital
Healthcare centers and hospitals – ideal situation
[Diagram: two internal networks (Network 1, Network 2) holding the HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, water controls and computers / phones / tablets, all placed behind a NAT / bridged network with an IDS / IPS. The intranet reaches other hospitals, vendor servers and vendor "service portals" over encrypted communication links; computers, phones and tablets connect out to the Internet.]
But what do we get?
[Diagram: the same HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls and vendor "service portals", plus security systems and guests, all attached to the Internet with none of the NAT, IDS / IPS or encrypted links of the ideal picture.]
Basics of fingerprinting
• Find unique but common headers
• Be consistent
• Use multiple tools – Shodan, Censys, Maltego
• Verify manually
• Use Google
So what can you fingerprint?
• Medical devices
• Routers
• Data center
• EMR software
• HVAC controls
• Lighting controls
Finding hospitals
• Generic searches
• Name searches
• Hospital name searches
• Sometimes the name is too generic
• Narrow down search parameters
Generic hospital searches
• Hospital
• Hospital*
• Healthcare
• Healthcare*
• <name of the hospital>
• <name of the software / protocol>
Generic searches
Narrowing the searches to regions
• Narrow down searches by
• Country
• Technology (HTTP(S), NetBIOS)
• Type of infrastructure (VPN, cloud)
Healthcare “chains”
Narrowing down
• Narrow down to FTP servers ;)
• Port 80 will show interesting results
But…
• Sometimes the names are too generic
• Narrow down by technology
• Look at other parameters – don’t fall into honeypots
• Use Google – search for the address and verify
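As an added example (not code from the deck) of the "find unique but common headers, then verify manually" approach and of the honeypot caveat above, the Python below matches constructed banner records against regex signatures and attaches flags that should send a result back to a human before it is trusted. The product names Examplis EMR and ClinicBase, the signatures, the addresses and the honeypot thresholds are all assumptions made up for illustration, not real vendors or real data.

```python
"""Match banner records against EMR fingerprint signatures.

Added example, not the deck's own code. Product names (Examplis EMR,
ClinicBase), signatures, addresses and the honeypot heuristics are all
constructed for illustration.
"""
import re
from dataclasses import dataclass

# "Unique but common" strings a product leaves in a header, a page title
# or a URL path. One product can have several; any hit counts.
SIGNATURES = {
    "Examplis EMR": [
        re.compile(r"^Server:\s*Examplis-Web/\d", re.M | re.I),
        re.compile(r"<title>[^<]*Examplis EMR[^<]*</title>", re.I),
    ],
    "ClinicBase": [
        re.compile(r"/clinicbase/login\.aspx", re.I),
        re.compile(r"^X-Powered-By:\s*ClinicBase", re.M | re.I),
    ],
}

# Consistency threshold used to flag hosts for manual verification.
MAX_PLAUSIBLE_PORTS = 20   # real EMR servers rarely listen on dozens of ports


@dataclass
class HostRecord:
    ip: str
    open_ports: list       # every port the search engine saw open
    banners: dict          # port -> raw banner text


def match_signatures(banner):
    """Return the product names whose signatures occur in one banner."""
    return sorted(name for name, pats in SIGNATURES.items()
                  if any(p.search(banner) for p in pats))


def fingerprint(rec):
    """Classify a host and attach flags that call for manual checking."""
    products = set()
    for banner in rec.banners.values():
        products.update(match_signatures(banner))
    flags = []
    if len(rec.open_ports) > MAX_PLAUSIBLE_PORTS:
        flags.append("too-many-open-ports")      # classic honeypot tell
    if len(products) > 1:
        flags.append("multiple-emr-products")    # two EMRs on one IP is suspicious
    return {"ip": rec.ip, "products": sorted(products), "flags": flags}


# Constructed sample records standing in for search-engine results.
SAMPLE_HOSTS = [
    HostRecord("203.0.113.10", [80, 443], {
        80: "HTTP/1.1 200 OK\r\nServer: Examplis-Web/4.2\r\n\r\n"
            "<html><head><title>Examplis EMR - Login</title></head>",
    }),
    HostRecord("203.0.113.11", [21, 80, 139, 445], {
        21: "220 Microsoft FTP Service",
        80: "HTTP/1.1 302 Found\r\nLocation: /clinicbase/login.aspx\r\n"
            "Server: Microsoft-IIS/6.0\r\n\r\n",
    }),
    HostRecord("198.51.100.5", list(range(1, 60)), {
        80: "HTTP/1.1 200 OK\r\nServer: Examplis-Web/4.2\r\n\r\n",
        8080: "HTTP/1.1 200 OK\r\nX-Powered-By: ClinicBase\r\n\r\n",
    }),
]


def run(hosts=SAMPLE_HOSTS):
    """Fingerprint every host; flagged ones should be verified by hand."""
    return [fingerprint(h) for h in hosts]


if __name__ == "__main__":
    for result in run():
        print(result)
```

The third constructed host shows why "verify manually" matters: it answers to two different EMR signatures on 59 open ports, which is far more likely to be a honeypot or a scanner decoy than a hospital server.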
EMR solutions
• “goldmine” for attackers
• Easy to attack
• High point of impact
• Ransomware attacks
A typical hospital scenario
[Diagram: the EMR (electronic medical record) at the centre, reached over LAN / WiFi / Bluetooth by patient monitors / healthcare devices, the doctor's PC / secretary PC, the doctor's mobile / nurse mobile, and other hospitals.]
Fingerprinting EMR solutions
• Use shodan / censys / maltego
• Searches vary on what you're trying to find
• How I started
• Create a list of 200 popular EMR solutions
• Start searching by name
• Look for characteristics – deployment scenario, url constructs, technology
• Look for manuals
• Change language – Chinese, Russian
• Find bugs ;)
Shodan
• Can search using a name
• Fewer false positives
• Shows ready exploits for the OS
Search by exploring EMR structures
• Look at unique parameters
• Filter by name
Problem
• Results not constant
• Need more access to data
• You can’t find some systems
Thinking beyond Shodan
• Shodan (shodan.io)
• Easiest of the deep-web search tools
• Caches information
• Because of its paid tiers, results may vary
• Lacks multilingual capabilities
• Censys (censys.io)
• Provides raw data for research
• Supports regex and can combine different parameters
• Maltego (thick client)
• For advanced recon
• Can fingerprint infrastructure
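The narrowing filters from the earlier slides (country, port, OS, page title, product) written out as queries in both Shodan and Censys syntax, plus the multilingual variant of the same search, as an added example rather than anything from the deck. Shodan's `country:`, `port:`, `os:`, `product:` and `http.title:` filters are documented Shodan filters; the Censys field names (`location.country_code`, `services.port`, `operating_system.product`, `services.software.product`, `services.http.response.html_title`) follow the current Censys hosts search language and are an assumption, since that language has changed since 2016. The Russian and Chinese terms are assumed translations of "electronic medical record", not terms from the deck.

```python
"""Build the same host search in Shodan and Censys query syntax.

Added example, not the deck's own code. Shodan filters (country:, port:,
os:, product:, http.title:) are documented Shodan filters. The Censys field
names below follow the current Censys hosts search language and are an
assumption; verify them against the Censys docs before use. The Russian
and Chinese terms are assumed translations.
"""
import re

# Search terms for "electronic medical record" in the languages the deck
# suggests trying (translations are assumptions, not from the deck).
EMR_TERMS = {
    "en": "electronic medical record",
    "ru": "электронная медицинская карта",
    "zh": "电子病历",
}


def _shodan_value(value):
    """Shodan needs quotes only when a value contains whitespace."""
    value = str(value).replace('"', '\\"')
    return f'"{value}"' if re.search(r"\s", value) else value


def _censys_value(value):
    """Censys string values are always quoted."""
    return '"' + str(value).replace('"', '\\"') + '"'


def shodan_query(keyword=None, country=None, port=None, os_name=None,
                 title=None, product=None):
    """Space-separated Shodan filters; a bare word searches banner text."""
    parts = []
    if keyword:
        parts.append(_shodan_value(keyword))
    if country:
        parts.append(f"country:{country.upper()}")
    if port:
        parts.append(f"port:{int(port)}")
    if os_name:
        parts.append(f"os:{_shodan_value(os_name)}")
    if product:
        parts.append(f"product:{_shodan_value(product)}")
    if title:
        parts.append(f"http.title:{_shodan_value(title)}")
    return " ".join(parts)


def censys_query(keyword=None, country=None, port=None, os_name=None,
                 title=None, product=None):
    """'and'-joined Censys hosts clauses (field names assumed, see docstring)."""
    clauses = []
    if keyword:
        clauses.append(_censys_value(keyword))
    if country:
        clauses.append(f"location.country_code: {_censys_value(country.upper())}")
    if port:
        clauses.append(f"services.port: {int(port)}")
    if os_name:
        clauses.append(f"operating_system.product: {_censys_value(os_name)}")
    if product:
        clauses.append(f"services.software.product: {_censys_value(product)}")
    if title:
        clauses.append(f"services.http.response.html_title: {_censys_value(title)}")
    return " and ".join(clauses)


def multilingual_queries(builder, **filters):
    """One query per language, searching the page title for the EMR term."""
    return {lang: builder(title=term, **filters) for lang, term in EMR_TERMS.items()}


if __name__ == "__main__":
    print(shodan_query(keyword="hospital", country="IN", port=80))
    print(shodan_query(keyword="hospital", os_name="Windows Server 2003"))
    for lang, q in multilingual_queries(censys_query, country="RU").items():
        print(lang, q)
```

Keeping one structured spec and rendering it for each engine is what "be consistent" looks like in practice: the same narrowing gets applied to every tool, so a host missing from one engine's results can be checked in the other with an identical filter.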
Searching by names
Multilingual search - Russian
Multilingual search - Chinese
Multilingual search - Arabic
Using censys efficiently
Combining searches with google results
• Google gives better results with specific headers
Running Maltego
When everything fails
• Some systems could not be found at all
• Find the manual!
Easy way - visit the vendor website ;)
Logging on to the PACS system
Cloud based EMR
• Easy to find
• “scalable and reliable”
• Many entry points – web, mobile, IoT devices
• Google is very effective in searching such solutions
In a nutshell
• Finding EMR is easy
• Your EMR might be secure; other infrastructure might not be
• Attacks go beyond your audits and process
Besides servers
Routers and internet access points
Cams – smile ;)
HVAC controls!
Insider attacks
• Generic system attacks – MITM, BSOD, network exploits
• HL7 exploits
Defending hospitals
• Secure networks
• Have Public and Private networks
• Harden routers and firewalls – have a patching policy
• Look out for shodan and censys
• Assume the network will be compromised
• Isolate high value components
• Encrypt and Backup
• Know your devices –vendor management
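To make "look out for Shodan and Censys" concrete for defenders, here is an added Python example (not part of the deck) that reviews an exported list of your own public-facing services against an allow-list and flags exactly the exposures the talk shows: NetBIOS / SMB, anonymous FTP, end-of-life Windows and a cleartext login page on port 80. The 203.0.113.0/24 range, the allow-list, the record layout and the sample export are constructed for illustration; a real run would use an export of your organisation's netblocks.

```python
"""Review an export of your own public-facing services for risky exposure.

Added example, not the deck's own code. The owned range, allow-list,
record layout and sample export are constructed; feed it a real Shodan or
Censys export of your organisation's netblocks instead.
"""
import ipaddress

OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed
ALLOWED = {("203.0.113.20", 443)}                         # services meant to be public
EOL_OS_MARKERS = ("windows server 2003", "windows xp", "windows 2000")
NETBIOS_SMB_PORTS = {137, 138, 139, 445}


def is_owned(ip):
    return any(ipaddress.ip_address(ip) in net for net in OWNED_RANGES)


def check(record):
    """Return finding labels for one exported {ip, port, banner, os} record."""
    ip, port = record["ip"], int(record["port"])
    banner = record.get("banner", "").lower()
    os_name = record.get("os", "").lower()
    if not is_owned(ip):
        return []                       # someone else's host: out of scope
    findings = []
    if (ip, port) not in ALLOWED:
        findings.append("unexpected-exposure")
    if port in NETBIOS_SMB_PORTS:
        findings.append("netbios-smb-exposed")
    # FTP reply code 230 means the login succeeded; paired with "anonymous"
    # in the captured banner it indicates anonymous access (heuristic).
    if port == 21 and "230" in banner and "anonymous" in banner:
        findings.append("anonymous-ftp")
    if any(marker in os_name for marker in EOL_OS_MARKERS):
        findings.append("end-of-life-os")
    if port in (80, 8080) and "login" in banner:
        findings.append("cleartext-login-page")
    return findings


# Constructed sample export in a simplified Shodan/Censys-like shape.
SAMPLE_EXPORT = [
    {"ip": "203.0.113.20", "port": 443, "banner": "HTTP/1.1 200 OK", "os": ""},
    {"ip": "203.0.113.21", "port": 21,
     "banner": "220 Microsoft FTP Service\r\n230 Anonymous user logged in.",
     "os": "Windows Server 2003"},
    {"ip": "203.0.113.22", "port": 139, "banner": "NetBIOS Session Service",
     "os": "Windows Server 2008"},
    {"ip": "203.0.113.23", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\n<title>EMR Login</title>", "os": ""},
    {"ip": "198.51.100.9", "port": 23, "banner": "login:", "os": ""},
]


def report(export=SAMPLE_EXPORT):
    """Map (ip, port) -> findings, keeping only records with at least one."""
    out = {}
    for rec in export:
        findings = check(rec)
        if findings:
            out[(rec["ip"], int(rec["port"]))] = findings
    return out


if __name__ == "__main__":
    for (ip, port), findings in sorted(report().items()):
        print(f"{ip}:{port} {', '.join(findings)}")
```

The allow-list is the piece most teams skip: without a written list of what is meant to be public, every search-engine hit looks equally alarming and the EMR host quietly exposed on port 80 gets lost among the ones that are supposed to be there.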
Thank you
Minatee Mishra Michael Mc Neil
Ben Kokx Jiggyasu Sharma
Sanjog Panda Pardhiv Reddy
Ajay Pratap Singh Neelesh Swami
Archita Aparichita Sagar Popat
Narendra Makkena Kartik Lalan
Pratap Chandra Ashish Shroff
Swaroop Yermalkar
Questions?
• anirudhduggal@gmail.com
• Anirudh Duggal – facebook
• @Duggal_anirudh – twitter ; @secure_hospital
• Hospitalsecurityproject.com
Thank you
Editor's Notes

  1. Posted on 13th Feb, 2016
  2. Image from: http://healthcorrelator.blogspot.in/2014/09/will-your-wireless-router-give-you.html
  3. An ideal network infrastructure that we see.
  4. This is a chain of hospitals in India and Indonesia.
  5. One of the hospital names that was too generic.
  6. This is just a general observation: some hospitals do have sophisticated environments, but the majority do not. The focus here is more on ease of setup and maintenance than on having a secure setup in place.
  7. An arbitrary search on one of the biggest EMR solution providers.
  8. Showing NetBIOS exposed.
  9. Anonymous login successful.
  10. Now if you go to Shodan and search for this vendor with the filter "windows server 2003", you get an EMR!