Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×

Submission + - Hijacked medical devices can leave networks exposed (networkworld.com)

Submitted by alphadogg
alphadogg writes: Hacked medical devices can pose direct dangers to patients but also serve as lairs from which malware finds its way into medical facilities’ networks and persists even after initial attacks have been cleaned up, according to a new report. Because these devices haven’t been designed with security as a priority, they have proven readily hackable. Beyond the immediate risk to patients, compromised connected devices can be used as a way to undermine other devices and steal valuable data, according to a report from TrapX.

Comment Re:Umm, what? (Score 1) 395

by ripvlan (#49892127) Attached to: So Long Voicemail, Give My Regards To the Fax Machine

This raises a good point. I've had interactions with folks who need me to fax something to them - and I no longer have anything that can fax. The point - there are no Easy replacements for fax.

Sure - I can email a scanned document to somebody. But it isn't easy. A fax - I pop the pages in, tap out a phone number - and bing zzziip-zzziiip it goes. My HP Printer/Scanner required A) my PC to be on, B) put the document up on the screen as a PDF to be saved C) required me to follow whatever email steps my system needed. It isn't all in one package.

If only we all had "phone numbers" instead of email addresses. I could call you, or "fax" you, all negotiated by the device.

But it doesn't exist yet. Voice Mail has a plan B. Texting or Emailing. And for those of us leaving email behind - "Social" media corp websites for collaboration and communication.

Fax is more than voicemail. It was a technology package.

Comment Re:Stupidity of Leadership (Score 1) 179

Yeah! Will they be learning Data Structure, Interrupts vs Polling, Analysis of Algorithms?

Or just how to write code in [Java/C#/Ruby/Swift/Go/Python/Perl/...F#] ?

For me - learning how to type was helpful (no, really). Plus learning how to Execute a program with pencil and paper was useful in understanding how a computer Accomplishes Work. It made me comfortable with computers. Granted I had an IBM PC at home with BASICA on it and a print out of the BIOS. But learning in HS how to write a real program and seeing that it was something to be studied set me up for College.

But - the real skills I've used in my life.... Geometry and Algebra, some Calculus, English Sentence structure, and to otherwise be curious. All of which are considered Electives in a CS degree ;-)

A computer is to me what a hammer & saw are to a carpenter. Understanding Fractions/angles etc are the foundation.

Oh - and one more math skill. Learning how to compute Logarithms by hand. Turns out - the basic algorithm is how a lot of software/CPUs get the job done.

Comment Re:No matter the platform ... (Score 1) 117

by ripvlan (#49883633) Attached to: Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?

Yes true. In our case we haven't had a native OS on Hardware for over 8 years. VMware all the way!!

But your suggestion is another tool in the mitigation toolbox. Move the physical to a VM.

As old as these OSs are - they still work and chug along. I always say that software isn't like milk - it doesn't expire and go bad.

Even the VMs are behind Network Packet Inspectors. Actually - our whole DC is surround by at least one such ring of devices. My PC traffic goes through such a device to get to the servers inside the building.

This all comes down to constant investing in systems. Don't grow old - always innovate as the budget allows. And Retire what you can because it will keep costs down in the long run.

Submission + - U.S. Congress proposes reining in power of government-owned CAs (thestack.com)

Submitted by Anonymous Coward
An anonymous reader writes: Four members of a U.S. Congress committee are looking into the feasibility of restricting the power of government-owned certificate authorities (CAs). The members of the House Committee on Energy and Commerce sent a letter yesterday addressed to Apple CEO Tim Cook asking whether it would perhaps be an effective measure to rein in national governments’ powers to issue certificates for services. The effectiveness of certificate authority frameworks is widely contested, even beyond politics, and many cases have cropped up over the past few years which have highlighted their flaws. There have been many incidents involving cybercriminals breaching CAs’ systems in order to issue fake certificates, and other scenarios where CAs have accidentally issued certificates. The letter expresses that CAs owned by national governments potentially pose serious threats to cybersecurity because of their status and authority. The committee proposes restricting these government bodies to issuing certificates solely in their own country-code TLD domains.

Submission + - Nuclear blasts shed light on how animals recover from annihilation (sciencemag.org)

Submitted by sciencehabit
sciencehabit writes: In the late 1960s and early 1970s, France detonated four nuclear bombs on the Fangataufa atoll—a ring-shaped island of coral in the middle of the Pacific Ocean. The detonations—the largest, a hundred times more powerful than the bomb dropped on Nagasaki—destroyed just about all life in the region, setting up an “unthinkable” ecological experiment: If life had to start fresh, would it develop the same way again? A new study of the aftermath of the blasts suggests it would not.

Submission + - Hackers can tamper with medical drug pumps, leading to fatal outcomes (net-security.org)

Submitted by Errorcod3
Errorcod3 writes: Researcher Billy Rios has discovered serious vulnerabilities in several types of drug infusion pumps manufactured by US-based company Hospira — vulnerabilities that can be exploited remotely by attackers looking to take control of the medical devices, and to effect changes that could threaten patients' lives.

  This is not the first time that Rios has discovered vulnerabilities in Hospira's pumps: in May 2014, he reported to the Department of Homeland Security and the FDA several vulnerabilities that made it possible for an attacker to change medication dosage limits on the company's PCA 3 Lifecare line of pumps.

  The FDA eventually, a year later, released a security advisory about those first vulnerabilities, as they were also discovered by another researcher and their existence made public. In the year between the initial discovery and the publication of the advisory, Hospira has failed to patch the flaws.

  In fact, when Rios first contacted them in 2014, they refused to test the other infusion pumps they sell for the vulnerabilities. This spurred Rios to continue with the research, and he purchased additional pumps to test them himself.

  "What I found was very interesting, many of Hospira’s infusion pumps utilize identical software on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3," he shared in a blog post.

  These vulnerabilities include the ability to forge drug library updates to the infusion pump, the existence of an unauthenticated telnet shell to root to the communications module, the use of identical hardcoded credentials, private keys and encryption certificates across different device lines, and outdated software.

  Confirmed affected device lines are the following: CA 3 Lifecare, PCA 5 Lifecare, Plum A+ Infusion Pumps, PCA Lifecare, and Symbiq (no longer sold). Rios suspects (but still hasn't verified) that the Plum A+3, Plum 360, Sapphire, and Sapphire Plus pumps are affected by the same vulnerabilities.

  The newly discovered vulnerabilities would allow an attacker to remotely alter the devices' firmware, as they accept unsigned, unauthenticated updates. The connection to the device can be made via the devices' communication modules, which are connected to hospital networks.

  Wired reports that Hospira claims that this attack is impossible, as the communication module and the circuit board (which contains the firmware) are physically separated.

  But Rios discovered they are connected via a serial cable, and he plans to develop a Proof-of-Concept attack that will prove that he is right.

Submission + - Schools monitoring pupils' web use with 'anti-radicalisation software' (theguardian.com)

Submitted by Anonymous Coward
An anonymous reader writes: Schools are being sold software to monitor pupils’ internet activity for extremism-related language such as “jihadi bride” and “YODO”, short for you only die once.

Several companies are producing “anti-radicalisation” software to monitor pupils’ internet activity ahead of the introduction of a legal requirement on schools to consider issues of terrorism and extremism among children.

Under the Counter-terrorism and Security Act 2015, which comes into force on 1 July, there is a requirement that schools “have due regard to the need to prevent pupils being drawn into terrorism”.

One company, Impero, has launched a pilot of its software in 16 locations in the UK as well as five in the US. Teachers can store screenshots of anything of concern that is flagged up by the software. Other companies offering anti-radicalisation software products to schools include Future Digital and Serurus.

Submission + - Kaspersky Lab Reveals Cyberattack On Its Corporate Network

Submitted by Anonymous Coward
An anonymous reader writes: In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled threat actors in the APT world: Duqu. The attack exploited zero-day vulnerabilities and after elevating privileges to domain administrator, the malware was spread in the network through MSI files. The attack didn’t leave behind any disk files or change system settings, making detection difficult. Upon discovery, Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. Besides intellectual property theft, no additional indicators of malicious activity were detected.

Submission + - New Duqu 2.0 APT Hits High-Value Victims, Including Kaspersky

Submitted by Trailrunner7
Trailrunner7 writes: The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.

The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-day in the course of the operation.

The company said that is confident that its technologies and products have not been affected by the incident.

The key difference with the Duqu 2.0 attacks is that the malware platform that team uses has modules that reside almost entirely in memory.

“The Equation Group always used some form of ‘persistence, accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.

Submission + - Why So Many Robots Struggled with the DARPA Challenge (roboticstrends.com)

Submitted by stowie
stowie writes: DARPA deliberately degraded communications (low bandwidth, high latency, intermittent connection) during the challenge to truly see how a human-robot team could collaborate in a Fukushima-type disaster. And there was no standard set for how a human-robot interface would work. So, some worked better than others. The winning DRC-Hubo robot used custom software designed by Team KAIST that was engineered to perform in an environment with low bandwidth. It also used the Xenomai real-time operating system for Linux and a customized motion control framework. The second-place finisher, Team IHMC, used a sliding scale of autonomy that allowed a human operator to take control when the robot seemed stumped or if the robot knew it would run into problems.

Comment Re:No matter the platform ... (Score 1) 117

Yes exactly. We have mitigation plans that start with "turn off/retire unused systems" - followed by round up all remaining W2k3 machines and surround by multiple levels of security devices.

Mitigation plans are:
  * upgrade products to support newer OS when possible
  * for legacy systems with no upgrade path (or kept for supporting older product) - surround with packet inspectors. Configure system in most secure method possible (eg Windows firewall)

And have clear owners of the devices.

Comment Re:Apple Developer Program now all inclusive (Score 1) 415

by ripvlan (#49875221) Attached to: WWDC 2015 Roundup

I enjoy having to wait 9 months to get the cool new features that my Android friends already have.

Seriously - Apple needs to find a way to update certain apps more frequently. These "huge" OS uplifts are painful. While I can appreciate some features needing to be part of the OS (low battery sleep mode) others need to come out "now."

As for Apple streaming - sounds good. I'm not personally interested in it - no more than I was with Radio. But please please Please --- don't make it the default widget that comes up in the Music app. What a PITA Radio was. I don't use Radio - stop trying to launch the widget/tab and then showing me the message "you are not subscribed to Radio" --- well Duh !!!

Developer "free" is always welcome. So that us home hobbyists can play. While $99 wasn't expensive (on top of a $1,500 Mac) - allowing people to goof off and try fun things out will probably generate new ideas and new developers to the market.

Submission + - PayPal responds to fury over robocalls, will now allow users to opt-out (bgr.com)

Submitted by Anonymous Coward
An anonymous reader writes: Earlier this week, PayPal was lambasted for its new user agreement which allowed the online payments company to robocall and autotext customers at will. What was particularly jarring about the user agreement — set to go into effect on July 1 — is that PayPal reserved the right to contact customers not just for account problems, but also for surveys and promotions. Even worse, PayPal brazenly advised users who weren’t on board with the new agreement that they should simply close their account and move it along.

Naturally, news of PayPal’s new TOS caused something of an uproar online. Thankfully, PayPal has since realized that forcing users to accept automated texts and phone calls wasn’t the wisest of business decisions.

Slashdot Top Deals

"Look! There! Evil!.. pure and simple, total evil from the Eighth Dimension!" -- Buckaroo Banzai

Close