October 25, 2016 By Douglas Bonderud 2 min read

Cybercriminals prefer the easy way in, like a server with default username/password combinations or a software flaw. In the case of the Guilford County, North Carolina Emergency Medical Services (EMS) Department, the open Rsync server that manages system updates opened the door for malicious actors.

As noted by CSO Online, security researcher Chris Vickery discovered the publicly accessible system. While the county moved quickly to address the obvious threat, a clean bill of technology health may require more in-depth treatment.

Open Rsync Servers Put Lives at Risk

It all started when Vickery went looking for exposed Rsync servers. He found quite a few. Despite the prevalence of threats and compromised systems, many companies don’t recognize the risk of leaving Rsync servers out in the open.

In the case of Guilford County, Vickery assumed he’d run across an enterprise backup server until he found the administrator password. He discovered that he could both access local EMS services individually and prompt users to perform system updates while using in-vehicle computer systems.

While the county quickly changed admin passwords and pulled the server from public view, a statement noted that the system was only used to update files and stored no other information. In addition, the county said no unauthorized personnel had accessed the Rsync server.

Two problems crop up here: First, Vickery accessed the server without authorization, meaning there should be some record of his interaction with the EMS systems.

More importantly, however, is the second issue of system updating. If cybercriminals could gain admin access and prompt a fake update, it’s hardly a stretch of imagination to assume they could also craft a set of malicious files to upload in place of legitimate system patches. The potential results range from stolen personal data to a complete crash of the EMS system, putting more than 500,000 Guilford County lives at risk.

Emergency Response

As Vickery noted, companies don’t willfully expose critical data or systems but may sacrifice security because IT teams are overworked and underfunded. Anything goes, from using free antivirus software to leaving noncritical servers on public connections, so long as organizations can still conduct day-to-day operations.

The Guilford County open Rsync issue isn’t just a one-time thing. As noted by MSP Mentor, a recent “botched” server installation exposed 31,800 private health records to the public when default settings weren’t changed during deployment, forcing a health care provider to shell out over $2 million for violating the Health Insurance Portability and Accountability Act (HIPAA).

Other concerns for enterprises include publicly accessible remote desktop protocol (RDP) servers, which can be compromised to install malicious Trojan software and collect high-value corporate data.

The treatment plan here is improved server best practices. No matter the industry or the purpose, servers should always be pulled off the public grid and have default settings, usernames and passwords changed.

Cybercriminals have proven repeatedly that theoretically unimportant or trivial server functions can be used as initial compromise points and leveraged to gain access. Publicly accessible means potentially compromised. Stay out of harm’s way by keeping servers out of sight.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today