Attack and Defense : Improving Cybersecurity by 2014

tight and could turn on the tiniest misstep. Rep. Hill has a secret: She has been diagnosed with the early signs of Alzheimer's disease the past summer. Based on her doctor's diagnosis of slow progression that can be treated with experimental drugs, Rep. Hill has decided to stay in the race. Joe Cracker has an agenda: he does not want Rep. Hill elected to the Senate. He is strongly opposed to most issues Rep. Hill has promoted, especially increased control over rogue elements on the internet. Joe Cracker knows a little about software security and vulnerabilities, and has had plenty of time on his hands. Months earlier Joe had decided to find embarrassing information about Rep. Hill and publicize it in order to derail her campaign. The previous week, on a visit to his doctor, Joe pocketed a small computer memory device that someone had left on the counter. Joe did not expect it to be of much use other than as more portable memory, but upon examining it at home he soon realized that it contained access code to the Central Medical Record Service (CMERECS). CMERECS was created 8 years earlier to allow authorized individuals access to the records of any patient under their care. Joe knew that although his doctor's office used the latest and greatest patient management application, the application vendor had not updated the encryption mechanism for nearly 10 years. The encryption algorithm was still on the list of approved algorithms for storing CMERECS access codes, but Joe knew it could be 2 cracked. Joe set his two brand new high end computers to work cracking the encryption by doing nothing cleverer than just attempting every possible combination. Four days later Joe had the access codes. These access codes allowed him to connect to CMERECS and request the medical records for anyone in the nation with the requests appearing to have originated from his doctor's office. Under normal conditions the patient's approval would be required before the records could be released to a doctor, but the system had a loophole: For emergency services no approval was required. Joe requested the records for Rep. Hill using this emergency request procedure. With the medical records in hand, Joe embarks on a plan he spent the last several months preparing; he will distribute Rep. Hill's medical records using a worm that attacks cell phones. Joe has a built a …