Dutch Insider Attack on COVID-19 Data

Insider data theft:

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.

[…]

According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.

They were working from home:

“Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home,” Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today.

All of this remote call-center work brings with it additional risks.

EDITED TO ADD (2/11) More information (translated from Dutch).

Posted on January 27, 2021 at 8:59 AM • 14 Comments

Comments

Gerhard Poul January 27, 2021 9:29 AM

And they can restrict the same people from taking photos of their screens in an office how exactly?

Jeroen Rijken January 27, 2021 9:50 AM

This is only half the story, it’s actually worse than this.

(Google translate for ease, altered where needed.)
“It concerns trade in data from two corona systems of the GGD (they perform corona tests): CoronIT, which contains the private data of Dutch people who have taken a corona test, and HPzone Light, the system for source and contact research of the GGD.

The data comes from two GGD systems: CoronIT and HPzone Light. CoronIT is the online registration system for corona tests to which about 26,000 GGD’ers and call center employees of the test line have access. It is also possible to request test appointments and results, but this is not actively advertised by the accounts.

HPzone Light is the information system for source and contact research of the GGD. It contains the private details of all corona-infected Dutch people. The GGD does not know how many people have access to it, but it concerns employees of the Red Cross, the ANWB (Dutch roadside assistance service) and call center employees of Teleperformance.”

They collect and store information they don’t need to, they don’t actively monitor who accesses the data, way too many people have access to it. They say most systems should actively be monitored near the end of March, which is way too late.

https://tweakers.net/nieuws/177266/gegevens-van-miljoenen-nederlanders-in-coronasystemen-ggd-worden-verhandeld.html

https://www.rtlnieuws.nl/nieuws/nederland/artikel/5210644/handel-gegevens-nederlanders-ggd-systemen-database-coronit-hpzone

Paul Suhler January 27, 2021 11:03 AM

@Gerhard Poul

I worked for a company where other engineers observed one guy taking photos of his screen. It turned out that he had hundreds on his phone. The intended beneficiary was believed to be China.

He was apparently terminated and possibly prosecuted. I never heard his name and don’t know what finally happened. I believe this happened in 2019.

Clive Robinson January 27, 2021 11:17 AM

@ Gerhard Poul,

And they can restrict the same people from taking photos of their screens in an office how exactly?

By using metal detectors and similar to stop them taking any objects onto “the work floor”.

They have been doing that since the early days of cellular phones back in the 1980s in the UK in areas that were “confidential” and above.

But also trying to take a covert photo of a screen may well be seen by others because the body movements would tend to stand out.

@ ALL,

People have stolen information off of screens before but by what many call “a photographic memory”… A large bank that shall remain nameless outsourced work to India. It was later found that some of the people working there were memorizing the details of high value customers and writing them down later and then selling the details on.

As a single set of details back then could be sold for more than a day’s wages, it was not surprising it happened when you think about it.

The real trick is not stealing such details but stopping auditing processes tracing them back to you.

This can be done in a number of ways, I guess the most well known was how Ed Snowden allegedly used co-workers account information.

However there was also a less well known case of a security person using a high resolution security camera to “shoulder surf” a users ID and password at a major Silicon Valley Corp.

In the past I’ve put miniature CCTV cameras in fake fire sensors in the ceiling, behind wall clocks, in box files on shelves and even in desk lamps on desks and those little “furry toys” some people used to put on top of the old CRT monitors.

In open plan offices where screens are not used the design of a lot of desks is such you can hide a small camera in the end of a support tube of a desk looking out over much of an office.

You would be surprised just how many “dishonest employees” stealing not just from employers but other employees have been caught using such simple and now very inexpensive devices.

Look at it this way you can buy a quite low cost drone these days with a reasonably high resolution very small very light camera and RF link back. It’s not rocket science to dismantle the drone and remove the electronics involved and custom re-package and sell for five to ten times the price of the drone.

So there are people selling “covert surveillance” equipment for cash and no questions making a reasonable living…

So getting hold of such equipment without it being traced back to you is not that difficult to do if you want to “screen scrape” off of a co-workers screen.

I used to sell rather more specialized and often custom equipment to certain “approved customers” and just one sale was about the same as a month’s take home at my full time professional engineering employment back then. So one or two “custom” sales a week gave me a degree of financial independence.

Unfortunately[1] these days you can buy surveillance equipment for pocket change from certain well known Chinese trade web sites and complete GSM mobile phones smaller than your thumb that you need a toothpick to dial with but will do phone to phone data linking much like the old “dial-up modems”…

So anybody who has a credit card can get equipment capable of taking screen shots and wirelessly transmitting them a short or even global distance. It’s why I say “pen test teams” should have and know how to use “Software Defined Radio” systems so they can hunt down such equipment when doing security sweeps.

I have a number of specialised Pelican style MilSpec approved flight/hard cases, one of which is stuffed full with multiple SDR units, antennas and all sorts of bits and pieces. Rather more and considerably higher tech and flexible than those Russian spies trying to hack the IOC from a car park a year or so back. The real joke of it though, is that the technology is so low cost these days, the most expensive item by far is the specialised flight/hard case… (another case is more valuable as far as I’m concerned as it’s got a whole bunch of specialised tools I’ve made over the years[2] to deal with security fasteners, seals, and locks, as well as repair equipment and make good etc).

[1] So the only real money to be made in supplying surveillance equipment these days is in very specialised kit or rapid turn around where you install your kit in other peoples objects, including doing it on site at short notice over night as “maintenance”.

[2] Yes I also trained as a “tool maker” back before computers of any kind got attached to the likes of lathes and mills. It was just one of those things you did. I changed “trades” because I discovered I had allergies to certain every day metal shop chemicals. So turned my electronics hobby into a profession, and later my computer hobby became a profession… This happened so often I’ve kind of run out of hobbies… So take it as a warning, because whilst “Every man should have a shed or cave” you need to do something worthwhile in them which you enjoy so is by definition a hobby. You run out of hobbies and your shed/cave is no longer a place you want to be… and that’s as sad as a dog without a basket.

Bob Paddock January 27, 2021 2:18 PM

@Clive Robinson

“It’s why I say “pen test teams” should have and know how to use ‘Software Defined Radio’ systems”

Short simple book on getting started with SDR was released a couple of days ago.
Yes you can find all this on Internet, this just puts it in one place for those at the beginner level to SDR.

Explore Software Defined Radio
Use SDR to Receive Satellite Images and Space Signals
by Wolfram Donat.

https://www.pragprog.com/titles/wdradio/explore-software-defined-radio/

I get nothing from them by mentioning it here…

Clive Robinson January 27, 2021 3:34 PM

@ Bob,

Short simple book on getting started with SDR…

The author appears to write a very short “intro” style book every three to four months. I’ve seen a couple and well…

Let’s just say your first two words sum the books up best.

I found better information from multiple free online sources.

One of which people might want to start with is,

https://m.youtube.com/c/TechMindsOfficial/videos

But if they want to dig a little bit more on the technical side just using,

“gnu radio sdr”

In YouTube’s search will bring up quite a bit. And if you want to use the Raspberry Pi then,

“gnu radio raspberry pi”

Will pull up plenty of good stuff from basic how to make a Raspberry Pi “Ham Friendly” (KM4ACK and kevin loughlin) through to fairly technical (bridged by David Haworth WA9ONY) such as setting up an entire satellite tracking system with custom virtual circuits to do complex data telemetry decoding. To give you an idea,

https://m.youtube.com/watch?v=sDz9Ove0Dgc

Walks through how to build a satellite ground station. But will give many a feeling for what can be done with GNU Radio and SDR hardware.

Wilhelm Tell January 27, 2021 5:31 PM

The only reason the police are interested in these data breaches is that they are competitors to Google.

Ed Schulman January 27, 2021 8:47 PM

@Clive Robinson

I have GNU Radio and several SDRs. I’d be interested in turning them into some kind of bug hunter like you describe. Do you have any GNU Radio program flowgraphs tuned to such a function you could share?

Duchess Gloriana XII of Grand Fenwick January 28, 2021 3:00 AM

I submit to you that the only way to securely deal with this kind of data is not to collect it. Discuss.

Clive Robinson January 28, 2021 7:22 PM

@ Ed Schulman,

Do you have any gnu radio program flowgraphs tuned to such a function you could share?

I’m not sure they would really help you, as they are aimed at very specific targets including LPI systems using both burst comms and spread spectrum (both hopping and direct sequence).

What you need to do is develop your own workflow, part of which is based on experience.

Firstly you need to develop your “feeling hinky” instinct. Surveillance Devices are usually put in specific places for specific reasons. Thus if you are on site and you know how the customer works, you can make a very good guess as to where a black bag operator will have put the device if there is one.

Remember if you guess right then you can be close enough such that an RF millivolt meter connected up to an E field probe will put you right on top of it.

As an indicator remember a couple of things. Firstly signals and resolution drop off as 1/(r^2) thus a black bag operator will try to get as close to the “work place” target as reasonably possible. Secondly if they are using one device then it’s going to be at the target center to make the most of a mono-channel. Professionals tend to use two or even three devices at 90-degree or 120-degree spacing around the target. This allows them to make “steerable” microphones by adjusting delay, amplitude, and phase from the device signals such that they can notch out interference etc. Similar applies to video feeds as well.

So knowing this you get your equipment as close to the target area as possible to take advantage of the transmitter’s 1/(r^2) field drop off. E field probes work at greater distances than H field probes so when you find something of interest with E field probes you can better localise a device with an H field probe.

With older surveillance devices that transmit continuously, you can make their transmitted signal stand out with either a popper or blinker. In essence they give a burst of noise or light, that causes the transmitted signal to change in sympathy.

You need to sweep frequencies with a very wide IF bandwidth steadily narrowing the bandwidth down to just a few tens of Hertz. Obviously the sweep time goes up as an inverse relationship to bandwidth. Which is a problem most who used Spectrum Analysers to “bug hunt” are aware of.

Having found a signal you need to pin it down and work out what sort of modulation systems are being used and unwrap each in turn until you get a usable base band signal.

It’s at this point you are examining I and Q signals by eyeball to look for clues in the amplitude, frequency, and phase. This is often best done with a “DC baseband” or “oscilloscope” view where you can also inject in one or more subtones.

This means building your GNU Radio tools “on the go” on a case by case basis.

I’m only “so so” at doing this but others I know appear to do it almost as if by magic, much like watching lock pickers do their thing (another skill pen-testers need to have spot on).

What also helps is keeping on top of data sheets. If you design surveillance devices you are going to be using low power surface mount devices for various reasons[1], which means you are more or less going to end up using standard modulation schemes the SMD chips provide. You might meet up with those who use cheap DSP chips and high speed SRAM as universal modulators, but if you do then you are looking at people on a higher rate of pay than “government service” types…

[1] It’s not just for battery life you want to keep the power as low as possible. Your circuit does work and that’s never 100% efficient, so you end up with waste energy as “pollution” of the EM or even Audio spectrum. Primarily IR heat that can be seen with a good quality FLIR or similar thermal imaging camera. Or “digital hash” lifting the RF noise floor at some harmonic of an xtal or resonator oscillator, modulated by its subharmonics caused by digital logic. You can learn a lot by observing the noise floor rather than what are normally considered signals. Because Low Probability of Intercept (LPI) systems try to hide by looking like wide band noise, so you don’t see anything on normal bandwidth settings on the likes of “band scopes”.
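The coarse-to-fine sweep described in the comment above (start with a wide IF bandwidth, narrow it until the emitter rises out of the noise, and pay for it with longer dwell per channel) as an added Python example that is not part of this thread or anyone's GNU Radio flowgraph. The I/Q capture is constructed: white noise plus one continuous carrier 20 dB below the full-band noise power at a fraction 0.3125 of the sample rate, and the 13 dB detection threshold is an assumed setting.

```python
"""Coarse-to-fine spectral sweep for a weak continuous emitter (constructed I/Q data)."""
import cmath
import math
import random

N_SAMPLES = 4096        # length of the constructed baseband capture
CARRIER_FREQ = 0.3125   # emitter frequency as a fraction of the sample rate (assumed, on-bin for all dwells)


def make_capture(amplitude=0.1, noise_sigma=1.0, seed=7):
    """Constructed capture: complex white noise of total power noise_sigma**2 plus one
    continuous carrier of power amplitude**2, i.e. 20 dB under the noise on a band scope."""
    rng = random.Random(seed)
    comp_sigma = noise_sigma / math.sqrt(2)  # per-component sigma so |noise|**2 averages noise_sigma**2
    return [complex(rng.gauss(0, comp_sigma), rng.gauss(0, comp_sigma))
            + amplitude * cmath.exp(2j * math.pi * CARRIER_FREQ * n)
            for n in range(N_SAMPLES)]


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def sweep(samples, dwell, threshold_db=13.0):
    """Receiver stepping across the band in `dwell` channels of resolution bandwidth 1/dwell.
    Each channel integrates `dwell` samples (dwell time grows as 1/RBW): the carrier keeps
    its power while the noise in each channel shrinks to noise_sigma**2/dwell.
    Returns (detections, floor): channel frequencies whose power exceeds the median
    channel power (the noise floor estimate) by threshold_db, and that floor."""
    powers = [abs(bin_val) ** 2 / dwell ** 2 for bin_val in fft(samples[:dwell])]
    floor = sorted(powers)[dwell // 2]
    detections = [k / dwell for k, p in enumerate(powers) if p > floor * 10 ** (threshold_db / 10)]
    return detections, floor


if __name__ == "__main__":
    capture = make_capture()
    for dwell in (64, 512, 4096):
        found, floor = sweep(capture, dwell)
        print(f"RBW=1/{dwell:<5} dwell={dwell:>5} samples/channel  "
              f"floor={10 * math.log10(floor):6.1f} dB  detections={found}")
```

At the widest setting the carrier channel sits only a few dB above its neighbours and is indistinguishable from a noise excursion; at the narrowest it stands some 16 dB above the floor, at the cost of 64 times the dwell per channel.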

PeterV February 3, 2021 5:46 AM

It is getting even worse:

Update Feb 2

“The GGD* has recently fired about thirty employees for illegally accessing personal data of people who had been tested. The employees were caught during a random check of log files, reports Minister of Health De Jonge. In total there are 20,000 people working in source and contact investigations.”

But measures are being taken: “…The GGD is going to restrict access to systems and search capabilities this week. Previously announced security measures will also be implemented more quickly, …”

More than one week later 🙁
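Jeroen Rijken's point that access to these systems was not actively monitored, and the update above that the dismissed employees were only caught by a random check of log files, suggest the kind of routine log review that would have surfaced bulk reading much earlier. The following is an added example, not code from the GGD or anyone in this thread: the audit-log line format, the account names and the lookup counts are all constructed, and the median-plus-MAD rule is an assumed choice of outlier test.

```python
"""Audit-log review: flag accounts whose per-hour record lookups are outliers among peers."""
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<action>[A-Z]+) subj=(?P<subject>\d+)$")


def constructed_log(seed=1):
    """Constructed audit log in an assumed '<iso-ts> <account> <ACTION> subj=<id>' format:
    eight call-centre accounts doing a handful of lookups per hour over a four-hour shift,
    plus one account (agent_bulk) paging through 60 unrelated records every hour."""
    rng = random.Random(seed)
    start = datetime(2021, 1, 25, 9, 0)
    lines = []
    for hour in range(4):
        for i in range(8):
            for _ in range(rng.randint(3, 8)):  # normal: roughly one lookup per handled call
                ts = start + timedelta(hours=hour, minutes=rng.randint(0, 59))
                lines.append(f"{ts.isoformat()} agent{i:02d} LOOKUP subj={rng.randint(1, 999999)}")
        for _ in range(60):                     # bulk reader: 60 distinct records each hour
            ts = start + timedelta(hours=hour, minutes=rng.randint(0, 59))
            lines.append(f"{ts.isoformat()} agent_bulk LOOKUP subj={rng.randint(1, 999999)}")
    return "\n".join(lines)


def parse(log_text):
    """Parse log lines; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["account"], m["action"], m["subject"]))
    return events


def lookups_per_hour(events):
    """Distinct subjects each account looked up in each clock hour."""
    buckets = defaultdict(set)
    for ts, account, action, subject in events:
        if action == "LOOKUP":
            buckets[(account, ts.replace(minute=0, second=0))].add(subject)
    return {key: len(subjects) for key, subjects in buckets.items()}


def flag_outliers(rates, k=5.0):
    """Robust outlier test: an account-hour above median + k * MAD of all account-hours.
    Median and MAD rather than mean and stdev, so a few bulk readers cannot drag the
    baseline up and hide themselves. Returns (sorted flagged accounts, threshold)."""
    values = list(rates.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    threshold = median + k * mad
    return sorted({acct for (acct, _), v in rates.items() if v > threshold}), threshold


if __name__ == "__main__":
    flagged, threshold = flag_outliers(lookups_per_hour(parse(constructed_log())))
    print(f"threshold {threshold:.1f} distinct lookups/hour, flagged: {flagged}")
```

Per-hour distinct-subject counts are the simplest signal; in a real deployment the same review would also compare lookups against the call records that justify them, which this constructed log does not model.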
