
Thank you for inviting me, I'm super excited to be here. I don't know if you all know what's happening in Chile right now, so I'm just going to talk a little bit before my talk. So that's what's happening in my country right now, and it's been reported by several agencies, but it's something that is constantly, systematically happening: police forces are violating human rights. And that's me in the middle. I'm a volunteer, so we rescue wounded people on the battlefields, and you can tell it's me because of my DEFCON t-shirt. So we ended up using not a lot of protection, but after we were receiving a lot of wounded people we had to use more gear, for example shoes, shields, helmets. I have an Israeli mask against the gases, they're throwing them all the time, at everyone, even if you're helping somebody that is wounded they will gas you. So some additional information: after 50 days of demonstrations, around 3,500 wounded people, they already started 1,300 criminal proceedings, around a hundred related to sexual violence, and 352 people with eye injuries, 21 lost one eye and two of them are fully blinded. So the thing they are using is pellet bullets, and this is an empty shell. I had a long travel to get them here because it's not easy to explain why you are carrying empty shells. So yeah, 22 people got killed in these demonstrations.

A little bit about myself. I don't know if you ever heard my name at DEF CON. Anybody here go to DEF CON last year, this year? No? What do you do there? Yeah, cool. So I am a computer science engineer, that's a career that I really liked, so it took me eight years to get out of the university. I started giving a Skytalk, about the same talk, last year, I will talk more about that later. So one of the first things is I hacked 3,000 Wi-Fi routers in Brazil, in the biggest ISP of the country. And what are the things that I do? I do free classes on a lot of stuff related to hacking, for example I do classes related to CTF and pentesting, and I teach all people about computer science, and I have a company with a pretty clever name, InfoSec, I couldn't find another name. So I took classes in an open and free university in Chile, the Universidad Abierta de Recoleta. So this year I did two workshops, one in China about Wi-Fi hacking and the other one in the US. I'm pretty new in this field, I've been working with security for only one year and a half, so it's pretty good for me that I went there.

So first I need to give you a little bit of context about this talk for you to understand what happened. So I work at the Chilean health system, which is 20 percent private and 80 percent public. So the public system has around 14 million patients, and where I worked we had 2 million patients, which is a lot. So this is the structure: we've got the Ministry of Health, and then you've got 29 health services, and below the services are hospitals. So how MacGyver is this talk? MacGyver is a really difficult word for me to pronounce. So after DEF CON last year I received messages that the police would wait for me at the airport, the minister said that they needed to shut down all the services for three days because of DEF CON, you know that hackers only work during DEF CON, difficult time, that they would sue me, they actually did. And when I was giving the talk I asked if government officials were in the room and they raised their hand, and they actually recorded the talk. I don't know if you know about Skytalks, you cannot record in Skytalks. I'm sorry, I'm sweating a lot. And they recorded the talk and they sent it to me, and that meant that I needed to report it to Skytalks because that's not possible, because otherwise you risk a suit, like me being sued.

So I'm going to talk about four stories to make you understand why I did what I did and what was my day-to-day work. So this one is called "very secure web service". So this ministry asked for reports from every institution, that means that all patients in Chile needed to send this report, I mean not all patients, but information from all the patients in the country. So they asked you to use a web service that encrypted files, right, but it was not deployed, it was not published. They would send you the binary, which is weird, right? They send you the service binary and then you have to upload files to an FTP server. So then you understand how bad this was, and I was like, that's weird. So then I thought, let's test the security of this thing. So I was pretty naive, you know, I was new in the field, so I tried to crack 3DES, yes, triple DES, yeah right. And then I realized that it was easier than that, because they had a .NET application, which is pretty normal in the public institutions, they always use Microsoft stuff, so I reversed the code and I found the key. But at least the key was good. So then I reported it to the CSO of the ministry and he said something that has happened to me many times: why were you doing that? And I said, well, my position has assigned interesting functions because I created my own department, so I could define what I was going to do. So he said, what is this pentesting, where's that written? So I sent him the official document, and one friend always told me that you have to propose how to fix things, right? So I said I have some ideas to fix the problem, and then he said nothing. I don't know if "cri cri" means something in English, is it the same? No? Well, in Spanish cri cri means nobody says anything.

So story number two. I don't know if you know what an electronic health record is. This is a software that stores electronic health records, and this system had over a million patients, which is a lot. So they store exams, diagnostics, a lot of information, and in the public sector they use a lot of .NET, everything that is Microsoft, and it's Oracle, and it's expensive, they use it. So they were paying like five hundred thousand dollars in licenses for an Oracle database with only 60 gigabytes of database. So they had 18 developers, they didn't have CVS, well at least not true, they had 800 versions in Word files, so they would create a new Word file every time they changed the code. So what did this allow, three years ago? So they did an audit and one of the guys from the ministry said, what about security measures? And they said it was secured because it had a login with five digits, a password with five digits. So I was there and I couldn't avoid raising my hand and saying, really, five digits, that's your answer? And that almost got me fired, because they said that I was giving friendly fire to them. Yeah, so at that point I was like, this is really bizarre, like a bizarro world, like everything is backwards.

Story number three. Imagine that you go to work and you don't have Gmail, then you try Google search, it doesn't work, but Facebook is working, which is good, Twitter working, news media also working, all of them, and for a month. So they sent me home to work from home, I didn't know what I was doing so I had to Google a lot. So I kept asking why this is happening, how come the internet doesn't allow me to Google. So the IT manager told me, I haven't, nobody, I mean, I didn't give you this email, so he printed an email and he gave it to me, and this is a picture of it. So he said that they blocked Google because from Google you can get to forbidden sites, forbidden websites, so they put Google in the same category as games, Megaupload, Rapidshare. So what happens is that they have a limit, like 200, 500 megabytes per day, so if you got there at 8:00 in the morning you could Google a bit and then you couldn't connect anymore. So they blocked YouTube, Google Maps, everything related to Google. So again I was like, I couldn't understand it, I mean, I think many of you would be in the same situation. And this is a big company, it has a contract of around three million dollars per month, that's what the government pays this company.

So now that you kind of understand the context, I could tell you hundreds of this type of stories, so let's go to the juicy part. So what happened is that they created a nationwide network without any segmentation. So you know Chile is a really long country, it's 5,000 kilometers from the north to the southern city, so it doesn't make any sense to have a unique network. So I was scanning the network, just finding some IPs that I needed to check, and I found one hundred and fifty thousand devices, because I guess VLANs were not invented at the time, 2014. So I couldn't understand why that worked. I thought that I had a super computer, a super privileged account, but I was feeling this way for six months because I couldn't really understand why this was working. So what were those devices? So some of them had shared folders, some of them had shared folders with public read privileges, and some of them, and the good part, they had public read and write privileges. Even one of the servers that my unit had, it was completely open with write privileges, which actually somebody deleted from, I don't know where, they deleted some projects inside of it. So some computers, you know, like random people, they had a lot of pictures and cat videos, and some of them were servers with a lot of information that I could never check them all, because there were too many terabytes of info. But the thing is that some of them had sensitive information about patients. So yeah, well, I know a lot about South Africa because of Trevor Noah, I read his book, so I learned about Julius Malema and Jacob Zuma and a lot of funny stuff. So I sent an email, you know, my boss told me you should report these two to your boss or your boss's boss, so it's an email pointing out their addresses and what you could find on those addresses. So in the first one you can find exam data of patients, and in the second one you can find people with mental health issues, so you could find names, diagnoses, and you could find also blood donor forms, so you can see like blood type, and the last one, you could find pregnant women with HIV, which is really bad in Chile because we have a special law to protect the identity of people with HIV. So they never replied to me, they just sent a reply to my boss, you know, like defending themselves, saying all those IPs are not from our institution, and I said, well, I didn't even check for that. So I found even more stuff, like the entire hospital had everything shared, for example La Florida Hospital, which is a big hospital, they had everything; the second one is the biggest in Chile and they had everything in one folder, everything. One of the funny things is that they had an open repository, an SVN, it was completely open, so you can read the source code and in the source code you can find database connections. And I discovered many, many resources, they had servers, webcams, and one of the best things that I found was this very organized guy, and he had a document with everything that you can imagine, all the IP addresses, all the passwords, all the servers in just one file, which is pretty good for a hacker.

Yeah, so this was the answer that I received: nothing, again. So I was just getting tired of it, you know, I was trying to think who I should talk to, and I was taking a course, a class, with the ministry people from the IT department, so I had the chance to talk to them, like, I'm the guy who reported the issue, did you receive it? And she said yeah, we know, we're fixing it, but nothing happened after that, and I only received complaints from my boss. He said, somebody told me that you went to talk to this person and you asked her about what they're doing, and it's like I jumped the hierarchy, you know, so they actually decided, don't do it anymore. So after 10 months, no answer, no changes, nobody responsible, and not even a thank you. And you all know that hackers are pretty sensitive, right? I am, at least. So what can you do if nobody cares? So I was thinking a lot, and actually a friend of mine, the same guy who told me to always offer a fix, he said you should do something. So who likes this kind of stuff? The press. So in Chile we have a research group, they worked on the Panama Papers, so they're really badass, and nowadays they're the most respected media in Chile. The bad thing is that they gave me a lot of things to do, for example they asked me to put a journalist on my computer doing the same things that I did to get this information, so it's not easy, there are a lot of cameras, I have people looking around. So luckily I was a friend of the security guards, so they all knew what happened but nobody said anything. So I had to look for sensitive information, and the other thing that they wanted to test is if I could do the same in different places, so I had to talk to people to allow the journalist to go to their offices, and one of the guys that I asked this, he sent an email to the security officer of his place, where we were working, and I thought that we were going to get caught, you know, like somebody's trying to get private information, and they said it was not possible. So we ended up getting the information, but we were really scared at the time.

So how did I do it? So my first try was like, I don't know if most of you, most of the geeks or hackers or people in the computer field, sometimes they want to have everything, every movie, every game, at least before, I don't know about the new generations. So I tried to copy and store everything, but some nodes of this great network were really slow, they were not giving more than 100 kilobytes per second, and a lot of computers were turning off at 6 p.m., and a lot of servers also, so I was copying them and it just disappeared, and try it again. So I only managed to copy 300 gigabytes out of the 53 terabytes that I'd discovered, and I was really scared of firewalls, you know, that somebody's going to see the logs and then see an IP address copying a lot of information, but I think nobody checked their firewalls. So my second choice was, okay, get rid of all this information, just copy file names. That's what I did, I only copied file names and then I grepped for sensitive information. So we agreed to publish the article when I was traveling, so kind of a Snowden kind of thing, because I knew that I was the guy pointed out, you know, you were the guy, they're the ones, so that gave me time to prepare myself, to get an alibi or a credible story. So it was really simple, this is not a technical talk, it's a shell script that tests for some privileges, and if I had enough privileges I would copy the server name, and this is one example, IP-address-name.txt.

And now we need to get serious about it, because these are some examples of what I found. So in only one server I found 23,000 forms of blood donors, so you could see all the information, name, ID number and also email, which is good, cell phone number, and a lot of information that is protected by law in Chile. It's protected by the Constitution and by two different laws, one that is related to public health, I mean to health records, and another one that protects privacy. So another example, 10,000 x-rays, again with the name of the patient, and another one was DICOM files, which is a standard for images in exams and things like that, so I found 1,500 mammographies, and again you could find the name, the ID number and everything. So how exactly I did it: I wanted to count first how many files you could find, and only docx files and PDF, so there were roughly 4 million files. So I didn't count Excel files or any other kind; for example, there were a lot of databases, a lot of backups of the databases, so you didn't have access to the database but you got access to all the backups. So one of the things that I did, for example, is check for "pill", which is the day-after pill or emergency pill, I don't know how you call it here. So those people, they were really organized, so they have like very long names for every file. So usually they were giving this pill to raped women, and inside the file you could see everything, like ID number, the reason why they got the pill. So 120 files, just pretty simple commands, right? So then I had to look for VIH, VIH, HIV is in English, right? Some of my talks are in Spanish and Portuguese, so sometimes... no, actually this is in Spanish because the names of the files are in Spanish, right? And the thing is that this network has around a hundred thousand employees and a lot of companies that provide services, and they also had access. So one of the things that I thought about doing this leak, it was related to how many people had access and could be taking advantage of this information. So he says it's the worst security problem. I don't know what this sound is, this computer, somebody? Yeah, okay.

So more press. So they actually took six hours to fix the problem, because what they did is that they just blocked the main firewalls, they just blocked the ports, because shared folders are the main way of sharing information between employees. So the bad thing about this solution is that if you were a client of those firewalls you could still see everything, it's just that you couldn't connect to another firewall using those ports. And so, consequences. I'm going to ask you, what do you think was the fine, how big was the fine to the CTO? It's a little more than zero, so ten percent of his salary for one month, and he also sued them because he said that he wasn't really the CTO because he had a temporary contract, which is true, if you don't have a proper contract you don't have the responsibility. So panic, it created panic. After that nobody wanted to give you any information at all, not even names, nothing, so they said no, we cannot share any information because of what happened, and I said, but I did it. I mean, I know that you can do it, it's just that now everybody is freaking out. So she was the minister, she was called to Congress to explain what happened, and it was all [ __ ], it was all lies, like no, they were just names, nothing important. So since congressmen don't know anything about computers, let's not even think about hacking, they just believed that. But the good thing is that I had the chance to create my own department. My boss told me, he protected me, and he said, well, you can create your security department, and it was the first one specifically related to security in health.

So after a while the new president came along, the right-wing president that we are facing now, and I got fired. The first day, it was 10:00 a.m. in the morning, they sent an email to fire me. They really hated me because the new director of this institution was the same guy in charge of the IT department, so they were always like, we hate this guy, he's always giving us trouble. So they gave no reason, they fired me by email during my holidays, because I knew I was going to get fired so I couldn't lose my holidays. I was talking to somebody yesterday, the way that I knew they were going to fire me is just that they had default passwords on 50% of their email accounts, so when somebody told me that they're going to fire you, I just got into their email accounts and they were actually talking about how to fire me in the worst way possible. So the thing is that they didn't do it in a legal way, it's just that they didn't know that the Supreme Court ruled that kind of firing illegal, so I can talk about that later. So the funny thing is that they eliminated my department without even telling me, so I was working on my own for a month. All my projects, I had pretty cool projects with Johns Hopkins, which is one of the most important universities related to health. And I sued them, they actually fired me and then they wanted me back, but then I said, I mean, I'm already suing you, if you hire me back I won't be able to do it anymore. So I wanted to know more about it, so I did an investigation about the investigation. So I got 1,200 pages, I had to pay $50 to get them, but I really wanted to know what happened, why nobody did anything. So they gave me the huge pile of paper and I just read some of the excuses. So they said that it was possible to fix it but it would have a really huge impact on the operation, right? But they did it in six hours, so it was not true. And then they said that it was a thing related only to the employees, case by case, ignoring the existing law and the Constitution that protects private information, they say it's a super personal kind of thing, it depends on them, not us. So the other one said, don't think I said the same thing, they said that it is complex to identify the shared folders, but as I told you, dealing with a shell script with five lines, five. So they'll keep saying it's the employees' fault, but one of the things they always say is we need to find the guy who did this, we need to find him and punish him, the culprit. But they never knew it was me because I had a pretty good alibi. Since I talk a lot, my excuse was, well, you know that I talk to everyone about everything, somebody might have heard and they just gave that information to these guys, and they said yeah, well, that sounds credible. So the main reason why they didn't do anything at all is, I don't know if you read some Spanish, only if you understand anything, well, what it says is that after one year of problems with the email accounts they say that they didn't receive any information regarding this problem because their emails didn't work, and this is an email from the company saying that yes, true, for one year the email accounts didn't work properly. So one of the things that happened is that you couldn't receive email from Gmail or you couldn't send emails to Gmail because we were blocked as spammers, we're talking about like 50,000 email accounts. Yeah, so they say that they were the worst case with this problem, with the minister emails. So latest update, it happened on November 8th, the Supreme Court ruled in my favor after 18 months, so they'll have to pay me $25,000. It's going to take a while, but at least that's finished. So you got the latest update.

So kind of a conclusion. What can we do to avoid this situation? Of course everybody says the same, we need more security experts, that's difficult, and in my country we don't have any degree that is specific to security. I actually did computer science and I didn't even have a class regarding security, because they are looking for doctors in hacking, which is a PhD. Five minutes, okay. So one of the things that shocked me the most is that to be a CSO they only asked for the ISO 27001, that's a name which is really like nothing, that was what was required for being a security expert. We have a lot of laws that don't work at all, we need to change that eventually. And one of the things, in my country at least, we have a lot of rock stars but not many mentors, and I try to be a mentor. So what I'm doing, well, I told you, I'm doing workshops for free, I have a lot of students working with me, they want to become hackers, and some of them are getting there, they went to DEF CON as workshop instructors, which is something that I never imagined in my first years, and I have a lot of internships. Well, we do a lot of stuff, pretty much everything, like what do you want to do, right? Hacking, okay, Wi-Fi hacking, let's do it. So this is me now, that's a lot like me. Oh, thank you.
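The talk describes a five-line shell script that tested share privileges and a grep over copied file names for sensitive terms. As an added defender-side example, not the speaker's script or any institution's code, the Python below turns that same idea into a self-audit an IT team can run over its own inventory: it takes a constructed list of network shares with their read/write principals and file listings, flags shares open to everyone, and scores file names against constructed Spanish/English health-record and credential patterns so the worst exposures come out first. Hosts, share names, file names and the patterns are all assumptions.

```python
import re
from dataclasses import dataclass

# File-name patterns that suggest protected health data or credentials. The
# Spanish terms follow the descriptive file names the talk mentions; the list
# is constructed for this example, not taken from any real inventory.
SENSITIVE_PATTERNS = {
    "hiv":            re.compile(r"(?<![a-z])(vih|hiv)(?![a-z])", re.I),
    "emergency_pill": re.compile(r"p[ií]ldora|anticoncep|(?<![a-z])pill(?![a-z])", re.I),
    "blood_donor":    re.compile(r"donante|donor", re.I),
    "imaging":        re.compile(r"\.dcm$|mamograf|radiograf|x-?ray", re.I),
    "credentials":    re.compile(r"passw|contrase|(?<![a-z])claves?(?![a-z])", re.I),
}
EVERYONE = {"everyone", "anonymous", "guest"}  # "anyone on the network" principals
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

@dataclass
class Share:
    host: str
    name: str
    read: set      # principals granted read
    write: set     # principals granted write
    files: list    # file names listed on the share

def classify_files(files):
    """Count, per category, how many file names match a sensitive pattern."""
    counts = {}
    for name in files:
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(name):
                counts[category] = counts.get(category, 0) + 1
    return counts

def exposure_of(share):
    if share.write & EVERYONE:
        return "public-write"
    if share.read & EVERYONE:
        return "public-read"
    return "restricted"

def severity_of(exposure, categories):
    # Public write of sensitive-looking names is worst; a locked-down share rates "low".
    if exposure == "public-write":
        return "critical" if categories else "high"
    if exposure == "public-read":
        return "high" if categories else "medium"
    return "low"

def audit(shares):
    """(severity, host, share, exposure, categories) tuples, worst first."""
    findings = []
    for s in shares:
        exposure, categories = exposure_of(s), classify_files(s.files)
        if exposure == "restricted" and not categories:
            continue  # nothing public and nothing sensitive-looking: skip
        findings.append((severity_of(exposure, categories), s.host, s.name, exposure, categories))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[0]), reverse=True)
    return findings

# Constructed inventory standing in for the per-server listings the talk
# describes; hosts, share names and file names are made up.
SAMPLE_SHARES = [
    Share("10.0.0.1", "Examenes", {"everyone"}, {"everyone"},
          ["pacientes_VIH_2014.xlsx", "mamografia_0001.dcm", "informe.docx"]),
    Share("10.0.0.2", "Farmacia", {"everyone"}, {"farmacia"},
          ["pildora_dia_despues_registro.docx", "stock.xlsx"]),
    Share("10.0.0.3", "Software", {"everyone"}, {"dev"}, ["build.log", "README.txt"]),
    Share("10.0.0.4", "RRHH", {"rrhh"}, {"rrhh"}, ["contrasenas_servidores.docx"]),
    Share("10.0.0.5", "Backups", {"backup"}, {"backup"}, ["db_2014.bak"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHARES):
        print(*finding)
```

The inventory format is deliberately simple so the output of whatever share-enumeration tooling an institution already runs can be mapped onto it; the ranking is what lets a small team decide which shares to lock down first.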