The current news of the American NSA and British GCHQ indiscriminately stealing and using citizens’ communications reminded me of a considerably smaller incident I was part of.
Quite a while ago, in a previous life, I came in to work early one morning. The traffic had been lighter than normal and I had made good time. The practice’s server had been iffy recently, freezing and going slow when we needed it most, so I thought I would take advantage of this extra time by shutting it down and restarting it.
As an aside, I am always wary of a practice computer system that has a sticker on it saying “must never be switched off”; a sign of questionable design forethought and maintenance if ever there was one! In my view a server in particular must be able to “fall over” and restart without supervision, to minimise downtime and to enable untrained staff to do the old “switch it off and back on again” to try to correct any niggles or slowdowns.
I wiggled the mouse and the monitor sprang into life. It needed a few seconds to warm up – it was an old CRT (cathode ray tube) type, because it rarely actually needed to display anything itself. What I saw made my blood run cold.
In the taskbar at the bottom of the screen a few programs were open: one was called “Full Tilt Poker”, another was “CS:S Server”, and another was in Cyrillic script, so I couldn’t decipher it.
With the poker program open, I had thought of colleagues using the server for on-line gambling. I had been the last to leave the previous evening, though, so unless they had come back in, that was unlikely. It was the last two which tipped me off that the server had been hacked by someone outside the practice. I did the “three-finger salute” which gets you out of trouble (Ctrl+Alt+Del) and Task Manager came up. I looked at the open processes and saw more things on there which pointed at the machine having been hacked – “bitcoinminer.exe” was running and taking up quite a bit of CPU power. Bitcoin is a decentralised electronic currency which is starting to be viewed as an alternative to governmental currency; “mining” it consumes a great deal of processor time, which is exactly why someone else’s always-on server is attractive to whoever installs the miner. It was another sign someone had broken in to the server from outside.
I say broken in, but actually they had just walked in through the open door.
The “I told you so” bit came next. I had told the powers-that-be several times that the server was open to abuse. There was no antivirus software, no firewall, the passwords were set as “admin” and “password”… and so on. They had made murmurs about doing something about it, but it had never materialised, and now I was staring at the evidence that I had been right. Morning surgery was going to be starting soon, so I took photos on my phone, and I just had to shut it all down, restart the server, shut down the bitcoin miner, which had restarted, and get on with my day. I am a vet, after all; computer experts are paid far more than I am to sort this out!
To install this stuff and start it running the hacker will have had full access to the computer’s facilities. That meant they could have perused the client records, disabled the computer or its records entirely, or worse. Keyloggers are tiny programs which can run discreetly and send a raw file of every keystroke to another computer elsewhere on the Internet. Every keystroke… passwords, credit card numbers and security codes… record entries… every keystroke.
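The miner that came back after a restart, and the worry about what else might be running unseen, both point at the same first question for anyone looking at such a machine: what is running now, and what is set to start again on its own? The script below is an added example, not code from the original post, showing the quick first-look triage a Windows administrator would do before calling in the experts. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (Get-ScheduledTask and Get-CimInstance need that), and the indicator strings are illustrative: “bitcoinminer” is the process named above, “srcds” is the Counter-Strike: Source dedicated server binary, and the remaining entries are placeholders to be replaced with what is actually found.

```powershell
# Added example, not part of the original post: a first-look triage of a Windows
# machine suspected of running unwanted software that survives a reboot.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later; the
# indicator list is illustrative and should be edited to match what you see.

# Lower-case substrings to look for in names, paths and command lines.
# "bitcoinminer" is the process named in the post; "srcds" is the Source
# dedicated server binary; "fulltilt" and "poker" are hypothetical placeholders.
$Indicators = @('bitcoinminer', 'srcds', 'fulltilt', 'poker')

function Test-Indicator {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    $Lower = $Text.ToLowerInvariant()
    foreach ($Needle in $Indicators) {
        if ($Lower.Contains($Needle)) { return $true }
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Where, [string]$Name, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Where = $Where; Name = $Name; Detail = $Detail })
}

# 1. Running processes: what is using the CPU right now, and from which path.
#    This is the part a reboot destroys, so run it before restarting if you can.
foreach ($Proc in Get-Process) {
    if ((Test-Indicator $Proc.Name) -or (Test-Indicator $Proc.Path)) {
        Add-Finding 'Process' $Proc.Name ("PID {0}, CPU {1:N0}s, {2}" -f $Proc.Id, $Proc.CPU, $Proc.Path)
    }
}

# 2. Registry Run / RunOnce keys for the machine and the logged-on user:
#    the simplest way for something to come back after a restart.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Values = Get-ItemProperty -Path $Key
    foreach ($Prop in $Values.PSObject.Properties) {
        # PSPath, PSParentPath and friends are provider metadata, not Run entries
        if ($Prop.Name -like 'PS*') { continue }
        if ((Test-Indicator $Prop.Name) -or (Test-Indicator ([string]$Prop.Value))) {
            Add-Finding 'Run key' "$Key\$($Prop.Name)" ([string]$Prop.Value)
        }
    }
}

# 3. Services: start-up type, current state and the command line each one runs.
foreach ($Svc in Get-CimInstance -ClassName Win32_Service) {
    if ((Test-Indicator $Svc.Name) -or (Test-Indicator $Svc.DisplayName) -or (Test-Indicator $Svc.PathName)) {
        Add-Finding 'Service' $Svc.Name ("{0}, {1}: {2}" -f $Svc.StartMode, $Svc.State, $Svc.PathName)
    }
}

# 4. Scheduled tasks: the executable and arguments of every action.
foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        if ((Test-Indicator $Action.Execute) -or (Test-Indicator $Action.Arguments)) {
            Add-Finding 'Scheduled task' "$($Task.TaskPath)$($Task.TaskName)" ("{0} {1}" -f $Action.Execute, $Action.Arguments)
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicator matches in processes, Run keys, services or scheduled tasks.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The four places checked here are the common ones, not all of them: a program that still returns after these are clean is living somewhere deeper (a WMI event subscription, a replaced system file, a second account’s profile), and a tool such as Sysinternals Autoruns, or a proper forensic image, is the next step. Two practical caveats for anyone in the author’s position: take the photos and run the process listing before the restart, because the running-process view is exactly what a reboot erases, and do not trust the antivirus verdict of a machine that had no antivirus when it was broken into.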
In another case I found a colleague’s USB stick plugged into a practice computer, with client records on it in plain text in a folder called “Cert Cases”. That hadn’t been leaked, but the potential is there. You only need to peruse the Information Commissioner’s web site for a few moments to see a log of information leaks by government bodies and private companies alike, caused by leaving laptops, USB drives and discs on public transport, or by their simply having “gone missing”.
We are trusted with sensitive information numerous times every day. There can be intense competition among clients such as breeders and competitors in sports, and some of us see the animals of celebrities. The newspaper phone-hacking scandal illustrates the lengths some people will go to to get information on people in the public eye. This can only serve to increase the importance of securely storing and processing their details and records. This wasn’t the first time I had seen a practice computer “open” to the Internet, and not the first time I had known a practice take the “why would anyone be interested in us?” view. I do wonder how the profession as a whole takes its responsibility for clients’ data and confidentiality.