Aug 20 2014

Heartbleed vs. Juniper

Published by at 9:35 pm under Firewall, Hacking, Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability. The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated. Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory of a vulnerable server. That memory belongs to the OpenSSL process itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN. From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.
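To make the "dump part of the memory" point concrete, here is an added example (not from the original post, and not OpenSSL's code) that simulates the heartbeat handling bug on a constructed in-memory buffer: the vulnerable handler trusts the peer-supplied length field, while the patched handler drops any heartbeat whose claimed length exceeds the record it arrived in. The memory layout, the "vpn-user" secret and the function names are all constructed for illustration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # TLS heartbeat messages carry at least 16 bytes of padding

# Constructed example: a simulated process memory region holding a heartbeat
# request that claims 64 payload bytes but carries only 2, followed by data that
# should never leave the server (a made-up VPN credential).
MEMORY = (
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 64) + b"hi"
    + b"\x00" * MIN_PADDING
    + b"vpn-user:Secret!"
    + b"\x00" * 48
)
# Actual length of the TLS record that delivered the request above:
# 1 type byte + 2 length bytes + 2 payload bytes + 16 padding bytes.
RECORD_LEN = 1 + 2 + 2 + MIN_PADDING


def build_record(payload: bytes) -> bytes:
    """Build a well-formed heartbeat request whose length field is honest."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Mirrors the pre-patch logic: the peer's length field is trusted as-is."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack("!H", memory[1:3])[0]
    # No comparison against record_len: the reply copies payload_len bytes
    # starting at the payload, which runs past the record into neighbouring memory.
    return memory[3:3 + payload_len]


def patched_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Mirrors the fix: a heartbeat whose claimed length exceeds the record is discarded."""
    if record_len < 1 + 2 + MIN_PADDING or memory[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # silently drop, exactly what the patch does
    return memory[3:3 + payload_len]


if __name__ == "__main__":
    print("vulnerable reply:", vulnerable_heartbeat(MEMORY, RECORD_LEN))
    print("patched reply:   ", patched_heartbeat(MEMORY, RECORD_LEN))
```

Running it shows the vulnerable reply carrying the neighbouring secret while the patched handler returns nothing, which is why Matt's point below about rotating credentials after patching matters: anything that sat next to the request buffer before the patch may already be gone.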

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months? Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around. And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, and those are scarce at every healthcare organization that I’ve ever talked to.

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.



2 Responses to “Heartbleed vs. Juniper”

  1. Matt on 21 Aug 2014 at 4:47 am

    They could have remained vulnerable even if they patched the Juniper right away if they didn’t force password changes. It doesn’t look like they’re using 2factor to me, at least it’s not obvious. I actually find it really hard to believe they wouldn’t have patched their remote access device. Heartbleed was just too big a deal.

  2. alexa on 21 Aug 2014 at 5:53 am

    Agreed Matt – There are quite a few major companies without a sufficient 2fa solution (or if they do have it there’s low adoption). It seems like once Heartbleed stopped appearing in the headlines, people sort of forgot about it and returned their focus to other things – very likely not changing their passwords. The healthcare industry has got to step up their online security.
