by Sverigevader 2682 days ago
On my machine Google translate seems to "boot-loop" that site because of the cookie settings so I'll just do this:

Files were stored on a server using HTTPS but requiring no credentials. http://188.92.248.19:443/medicall/ Some of the calls were saved as .mp3s with the customer's phone number as the file name. The CEO, when confronted, wouldn't believe it and hung up when the reporter asked if he could play one of the tapes.

The article states that the server was a NAS (nas.applion.se).

All files have been available since 2013.

When calling 1177, there's no need to identify yourself with your personal identity number. You can if you want to if your medical history is of significance to your call.

Source: Am swede and this article... https://computersweden.idg.se/2.2683/1.714787/inspelade-samt...

And I want you guys to hear it from me before you hear it on the streets... I once called 1177 wanting to order a new pair of knees because one of mine hurt. The nurse who answered had a good laugh.


The breach is still ongoing, according to statements on the dark web, 30 minutes ago (21:10 CET).

"Do you think the incompetence is over? No. They haven't pulled the cable. Run Wireshark and send junk packets and you'll see that the only thing filtered is the SYN-ACK from the server. Sent random seq numbers in the response for about an hour and finally established a connection. What do you think I see? Fresh calls from just a few seconds ago in the /2019/ folder."

How can you make a connection by guessing the seq nr? What firewall rule allows such an attack?
My guess is that there were still some hosts allowed through the block (e.g. whatever is writing to that NAS), and that they were accessing the NAS with frequent new connections. The firewall only tracked transport layer state so the bad guy was able to hijack an existing session by sneaking in a correctly-numbered TCP segment inside an IP packet with his own IP address as the source.
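The mechanism the comment above sketches can be worked through numerically. This is an added example, not code from the thread or from anyone involved in the incident: it implements the RFC 793 segment acceptance test (a data segment is accepted when its first or last byte falls inside the receiver's window, with 32-bit wraparound) and estimates how many spoofed segments an attacker who can forge the allowed source address needs before one lands in-window, which is about 2**32 divided by the window size. The window sizes and sequence numbers used are assumptions chosen for illustration; nothing here sends packets.

```python
import random

MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: is a segment with sequence number `seq`
    carrying `seg_len` payload bytes acceptable at a receiver whose window
    starts at `rcv_nxt` and is `rcv_wnd` bytes wide?  All arithmetic is
    modulo 2**32 so the test is correct across sequence-number wraparound."""
    def inside(x: int) -> bool:
        return (x - rcv_nxt) % MODULUS < rcv_wnd

    if seg_len == 0:
        # pure ACK / keepalive: must match exactly when the window is closed
        return seq == rcv_nxt if rcv_wnd == 0 else inside(seq)
    if rcv_wnd == 0:
        return False  # zero window: no data is accepted at all
    # data segment: accepted if its first or its last byte is in-window
    return inside(seq) or inside((seq + seg_len - 1) % MODULUS)


def expected_guesses(rcv_wnd: int) -> float:
    """Expected number of uniformly random sequence numbers an attacker has
    to send before one lands inside a receive window of `rcv_wnd` bytes."""
    return MODULUS / rcv_wnd


def simulate_blind_injection(rcv_nxt: int, rcv_wnd: int, seed: int = 0,
                             max_tries: int = 1_000_000):
    """Simulate an attacker who cannot see the connection and simply tries
    random sequence numbers (assumed scenario, not a packet sender).
    Returns (attempts, accepted_seq) on success or None if it gave up."""
    rng = random.Random(seed)
    for attempt in range(1, max_tries + 1):
        guess = rng.randrange(MODULUS)
        if seq_in_window(guess, 1, rcv_nxt, rcv_wnd):
            return attempt, guess
    return None


if __name__ == "__main__":
    # assumed receiver state: a 64 KiB window and a 1 MiB scaled window
    for wnd in (65535, 2 ** 20):
        print(f"window {wnd:>8} bytes: ~{expected_guesses(wnd):,.0f} guesses expected,"
              f" simulation hit after {simulate_blind_injection(2_000_000_000, wnd)[0]}")
```

Two caveats a practitioner would add: the receiver also looks at the ACK field, and stacks that implement RFC 5961 answer out-of-window and suspicious in-window segments with a challenge ACK and rate-limit them, so a modern host is harder to hit than the bare RFC 793 arithmetic suggests. The estimate does show why the cheap fix is not "drop SYN-ACKs from the NAS" but dropping the NAS's traffic by source and destination at the network edge (or unplugging it), since a filter that only tracks transport state will keep passing forged segments for any allowed address.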
Regardless of whether it is true, I unfortunately think Computer Sweden have been a bit naive here. They shouldn't publish this specific information ~3 hours after the server was "locked down" (as they state in the article). This isn't a company like e.g. Google, where correcting a mistake leaves them at "good security".
The "funny" thing is, it wasn't using HTTPS, it was on port 443. But the data was sent unencrypted.
Still, sending the data unencrypted wasn't so much the issue here as the server was open to anyone.
Yes, although the transmission being in plaintext makes it even more vulnerable, because if you get to listen to the network where the call center nurses operate, no one needs to crack anything to find out the location of data, its structure and anything else you need to exploit it.
So your reasoning goes that if I leave the front door to my home open, it would still be more secure if it had steel bars on the windows?
No, it's more like that if I leave the front door open, it would still be more secure if the driveway was lighted up so that any inappropriate visitors would be visible.

[Analogies may be terrible, but lack of encryption is an additional factor making attacks even easier, particularly for the purpose of discovering the attack vectors.]

I'll give you the benefit of the doubt that you are arguing the general case, but I'm talking about this case specifically. If all you need to do to access the data is to just browse to a specific address, it matters not whether you need to put http or https in front of that address. No need to set up any eavesdropping devices en route. Just point your browser to the address and download the data. Transport security will not protect your data if you have no access control.
These calls were answered by Swedish-speaking people in Thailand.

Their business idea was to handle calls that were placed in inconvenient hours, relative to Swedish business hours.

My best guess is that the Thai ISP this office used filtered all outgoing connections except port 80 and 443.

And then someone decided that the way to implement this securely while still allowing this office to access the data was to put a plain HTTP server on port 443. "Who is ever going to crack that?"
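The "plain HTTP on port 443" pattern described above is easy to miss in an inventory because the port number looks right. The following is an added example, not code from the thread or from any party named in it, showing the check a practitioner would run: flag URLs whose scheme and explicit port disagree, and classify what a service on a port actually speaks from the first bytes it returns (a TLS record starts with a 0x15 or 0x16 content type and a 0x03 major version; a plaintext HTTP server answers a TLS ClientHello with something like `HTTP/1.1 400 Bad Request`). The sample banners are constructed; `probe_port` needs network access and the host and timeout values are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sent back on a port."""
    if not data:
        return "no-reply"
    # TLS record header: content type (0x15 alert / 0x16 handshake),
    # major version 0x03, minor version 0x00..0x04 (SSL 3.0 .. TLS 1.3)
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def scheme_port_mismatch(url: str) -> bool:
    """True when the URL's scheme and explicit port disagree (http on 443 or
    https on 80), the pattern the thread describes."""
    parts = urlsplit(url)
    if parts.port is None:
        return False
    return (parts.scheme == "http" and parts.port == 443) or \
           (parts.scheme == "https" and parts.port == 80)


def probe_port(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Try a TLS handshake first; if the peer is not speaking TLS, send a
    plaintext HTTP request and classify whatever comes back.  Needs network
    access, so it is not exercised offline (assumed usage, not from the page)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only ask whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is trustworthy
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + (tls.version() or "unknown")
    except ssl.SSLError:
        pass  # typically "wrong version number": the reply was not a TLS record
    with socket.create_connection((host, port), timeout=timeout) as plain:
        plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_banner(plain.recv(512))


if __name__ == "__main__":
    # constructed sample banners standing in for real replies
    samples = {
        "tls handshake": bytes([0x16, 0x03, 0x03, 0x00, 0x5A]),
        "tls alert":     bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A]),
        "plain http":    b"HTTP/1.1 400 Bad Request\r\n",
        "ssh":           b"SSH-2.0-OpenSSH_7.4\r\n",
    }
    for name, banner in samples.items():
        print(f"{name:>14}: {classify_banner(banner)}")
    print("scheme/port mismatch:", scheme_port_mismatch("http://188.92.248.19:443/medicall/"))
```

The point of classifying the banner rather than trusting the port is that an ISP egress filter on 80/443, like the one guessed at above, only constrains port numbers, so "443" proves nothing about encryption; only an actual TLS record on the wire does. The scheme/port mismatch test is the cheap version of the same check for any URL list you already have.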

I would guess the server is run by the VoIP provider in Stockholm, which literally seems to be 1-3 contractors. Reading between the lines of the few articles published about the call center, it seems like their business idea is to hire old nurses and not pay them very much.

https://www.voiceintegrate.com/se/support/vi-som-jobbar-h%C3...

Not HTTPS. Plain unencrypted HTTP on port 443.

No authentication for clients either.

Why would you need a pair if only one hurts?
I suppose it works like the tyres on a car. When you change out the front left you also change the front right.
It's planned obsolescence. Soon the other one will fail too.