By Thomas Claburn
June 12, 2008
A San Diego network engineer, Jon Paul Oson, was sentenced to more than
five years in prison this week for intentionally damaging computers at
his former workplace.
The sentence issued Monday is one of the longest imposed to date in the
United States for computer hacking, according to the Office of the U.S.
Attorney in San Diego.
Oson was convicted last summer of accessing the network of his former
employer, The Council of Community Health Clinics (CCC), without
authorization. CCC provides various services to 17 regional health
clinics in San Diego and Imperial counties in California.
According to the government's account of the jury findings, Oson
resigned from CCC following a negative performance review. He
subsequently accessed the CCC network, disabled the automatic backup
process, and later deleted data and software on CCC servers, including
patient data belonging to North County Health Services Clinic (NCHS),
one of CCC's member clinics.
The intrusion was made through a server that held medical information
submitted by CCC member clinics for a federal research program,
according to the government's trial brief. Access to it was supposed to
be restricted because it contained personally identifiable medical
information. But the server was in fact accessible through the Internet
using the "Remote Desktop" application that's part of Windows Terminal
Services, with a CCC password.
During the internal CCC investigation into the breach, engineers
concluded that the damage had to have been done by an insider who had
knowledge of CCC's systems. Server logs revealed that the intruder had
used a computer named "TEMP3" that had been equipped to work with anHP
(NYSE: HPQ) 2100 LaserJet printer.
Those investigating the incident searched CCC's computer logs for other
logins associated with that model printer. Only one CCC employee was
found to have logged in remotely using a computer associated with an HP
2100 printer: Jon Oson, using his CCC-supplied computer named CCC-JOSON.
Another unauthorized access was made using a computer named "KUKU," the
nickname of Oson's son, the trial brief says. Additional evidence
pointing to Oson was uncovered and a search warrant was obtained for
Oson's residence. An HP 2100 LaserJet printer was found at Oson's house.
The computer seized from Oson's residence all had their operating
systems re-installed after December 29, 2005, the date of the last
unauthorized access, effectively erasing potential evidence on them.
However, other evidence gathered from CCC's logs and witness testimony
proved sufficiently compelling for the jury to convict Oson.
The trial brief says that the deletion of CCC's data hit the
organization hard. "Patients who visited the clinic in the weeks
following the network disruption were kept waiting hours and sometimes
futilely while their charts were located and delivered to the
appropriate clinic and doctor," the court documents explain. "With the
shutdown of its Practice Management system, NCHS had to shift to a
paper-based system. It took dedicated NCHS staff months to collect the
paper records, input them into Practice Manager and initiate billing for
those visits. The unavailability of charts and the associated
computerized records impacted patient care."
Oson was ordered pay restitution of $144,358.83 to CCC and $264,979.00
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com