Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Report: Heartbleed to blame for Community Health Systems breach

If this report is true, the Community Health Systems data breach that affected 4.5M patients would be the first known exploit of the Heartbleed vulnerability. However, it is likely not the last. A report on the Errata Security blog in June noted that 300,000 vulnerable systems remained unpatched two months after the vulnerability was disclosed.

Here’s more from TrustedSec:

While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”

While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Principal Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also the founder of the Derbycon conference.

