A group of hackers called k0detec that describes itself as a “fraction of the Anonymous faction that is AntiSec” claims to have found major vulnerabilities in systems owned by the United Kingdom’s National Health Service (NHS).
The hackers, who are spread out across the United States, the UK and Eastern Europe, have contacted Softpedia to reveal their discoveries.
“You may recall last year that LulzSec, which we of course claim only an ideological affiliation with, warned the British NHS that their systems were vulnerable,” the hackers said, referring to a BBC article.
“We have audited a number of NHS vessels and found them to be woefully insecure and not at all shipshape. We have even found logins and passwords to the UK govt GSI. This is a disappointment,” they explained.
K0detec claims to have gained access to 11 systems owned by the NHS. In addition, they also have intranet access to a couple of the “vessels.”
Although they are able to access the credentials of thousands of users, the hackers state that it is not their intention to leak the data and cause damage.
“We have, obviously, a number of motivations in endeavoring to bring this issue to light,” a member of k0detec said.
“We wish to get our message out, that infosec snake oil salesmen are jeopardizing the privacy of the people, we also wish to embarrass the UK government and we wish to see the problems publicized and then fixed. We believe medical data of civilians to be, in essence, sacrosanct.”
The security experts believe that the NHS should have rigorous security auditing in place for its infrastructure, and they even go as far as saying that some of the IT administrators and consultants “need to walk the plank.”
Worryingly, the exploits the hackers used to compromise the organization’s systems and extract data do not rely on zero-days, but on publicly known vulnerabilities.
“Any claim that, once again, this is a ‘local problem’ is at best willful ignorance or at worst outright lies. If we have access to this information you can be guaranteed others do too; one compromised system leads quickly to a domino effect of fallen safeguards. This information also contains a goldmine of potential social engineering avenues,” they conclude.
To demonstrate their findings, the hackers have provided us with a small sample of information, allegedly obtained from the NHS, that includes email addresses, names, usernames, job titles, and password hashes.
While the passwords are stored as hashes rather than in plain text, k0detec members are confident that they can be cracked.