Po Chen
Software Engineer
273 followers

Posts

Sigh...
Originally shared by ****
Today in "Australian Government does not know how to computer". (Strap in this is a long one full of face palms)

Someone on a Tor marketplace is selling Medicare numbers, these are our universal(ish) health care cards.
Story by The Guardian's Paul Farrell here: https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet

You supply the person with a name, date of birth and gender, plus around $30 of Bitcoin, and they'll give you the person's Medicare number. This is pretty bad, as it allows identity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100-point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

According to https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502 the folks who did the Privacy Impact Assessment on the electronic health records system were told it would be secure because you needed Medicare number as well as name/DOB/gender and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client-side certificate installed. Which in practice means maybe 20K PCs scattered across every doctor's office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up-to-date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some ludicrously unpatched XP/Win7 version that's also logged into the doctor's email, and collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/content/home where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so ASAP.


Red Alert 2 in VR looks like the trippiest way to play the legendary game http://tnw.me/11SjRkF
Swipe away 👻👻👻 in this #Halloween #GoogleDoodle Score: 76830