
Submission + - Insurer denies healthcare breach claim citing lack of minimum required practices (securityledger.com)

chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data.

In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,” the complaint alleges.

Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against 'known unknowns' like lax IT practices, pre-existing conditions (like compromises) and so on. (http://www.itworld.com/article/2839393/cyber-insurance-only-fools-rush-in.html)

Submission + - Chris Roberts is the least important part of the airplane hacking story (csmonitor.com)

chicksdaddy writes: Now that the news media is in full freak-out mode (http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/index.html) about whether or not security researcher Chris Roberts did or did not hack into the engine of a plane, in flight, and cause it to "fly sideways," security experts say it's time to take a step back from the crazy and ask what is the real import of the plane hacking. The answer: definitely not Chris Roberts.

The real story that media outlets should be chasing isn't what Roberts did or didn't do on board a United flight in April, but whether there is any truth to longtime assurances from airplane makers like Boeing and Airbus that critical avionics systems aboard their aircraft are unreachable from systems accessible to passengers, the Christian Science Monitor writes. (http://www.csmonitor.com/World/Passcode/2015/0518/Did-a-hacker-really-make-a-plane-go-sideways)

And, on that issue, Roberts' statements and the FBI's actions raise as many questions as they answer. For one: why is the FBI suddenly focused on years-old research that has long been part of the public record?

“This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, ‘This has to be fixed,’” Roberts noted. “Is there a credible threat? Is something happening? If so, they’re not going to tell us,” he said.

Roberts isn’t the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.

“I would like to see a transcript (of the interviews),” said one former federal computer crimes prosecutor, speaking on condition of anonymity. “If he did what he said he did, why is he not in jail? And if he didn’t do it, why is the FBI saying he did?”

Josh Corman, the chief technology officer at the firm Sonatype, said the media and security industry's focus on Roberts' actions is a distraction. Mr. Corman, who is the founder of IAmTheCavalry.org, (https://www.iamthecavalry.org/) a grassroots group focused on issues where computer security intersects public safety and human life, said that the real question was about the safety and reliability of airplane avionics systems.

"The message has been that nothing the customer can do in the passenger cabin can affect the avionics," said Corman. However, the FBI affidavit (http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf) suggests otherwise, citing interviews with Roberts going back to February.

"So we're getting a mixed message about what can and can't be done," Corman said. "Either planes are not hackable, or they might be...irrespective or regardless of the veracity of [Roberts] claim."

Submission + - In a First: FDA issues Safety Advisory for Cyber Risk of Drug Pumps (securityledger.com)

chicksdaddy writes: In what may be a first, the Food and Drug Administration (FDA) has issued a Safety Communication regarding vulnerabilities in a drug infusion pump by the firm Hospira that could make it easy prey for hackers, The Security Ledger reports.

The FDA Safety Communications notice regarding the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems (http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm446809.htm) was published on Wednesday. The notice advises hospitals that are using the pump to isolate it from the Internet and “untrusted systems.” It follows disclosures by two independent security researchers in recent months of a raft of software security vulnerabilities in the pumps, including Telnet and FTP services that were accessible without authentication.

The FDA said it and Hospira “have become aware of security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems” as well as the publication of “software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning.”

An unauthorized user with malicious intent could “access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the safety advisory warned.

The advisory follows a warning by the Department of Homeland Security in April. DHS’s Industrial Control System Computer Emergency Response Team (ICS-CERT) warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices. (https://securityledger.com/2015/04/drug-pumps-vulnerable-to-trivial-hacks-dhs-warns/)

The issuance of a “Safety Communication” for software vulnerabilities is novel. The communications are typically used to issue specific and actionable guidance concerning safety-related issues with medical devices or products used by health professionals in the field.
This is believed to be the first such communication issued for a software vulnerability in a specific product. In June, 2013, the FDA issued a safety communication regarding cybersecurity of hospital networks and medical devices. (http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm)

Submission + - Add GitHub dorking to list of enterprise security concerns (itworld.com)

chicksdaddy writes: IT World has a story today suggesting that GitHub may be a victim of its own success. Exhibit 1: "GitHub dorking," the use of GitHub's powerful internal search engine to uncover security holes and sensitive data in published code repositories. (http://www.itworld.com/article/2921135/security/add-github-dorking-to-list-of-security-concerns.html)
In a nutshell: GitHub's runaway popularity among developers is putting employers and development shops in a tough spot. As the recent story about Uber accidentally publishing database administrator credentials in a public GitHub repository suggests (http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/), it can be difficult even for sophisticated development organizations to grasp the nuances of how interactions with GitHub's public code repositories might work to undermine corporate security.

The ease with which developers can share and re-use code on GitHub is part of the problem, said Bill Ledingham, chief technology officer at Black Duck Software, which monitors some 300,000 open source software projects that use GitHub. Ledingham said leaked user credentials are inadvertent errors caused by developers too accustomed to the ease with which code can be borrowed, modified and resubmitted to GitHub.

"Developers in some cases are just taking the easiest path forward," he said. "They're checking in code or re-using it and not looking at some of these issues related to security."

Among the issues to watch out for are information leaks by way of vulnerabilities in GitHub.com or the GitHub API, leaks of intellectual property in published repositories and the leak of credentials and other shared secrets that could be used to compromise production applications.

Tools like the GitRob command line application developed by Michael Henriksen (http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/) make it a simple matter to analyze all the public GitHub repositories associated with a particular organization. GitRob works by compiling the public repositories belonging to known employees of that firm, then flagging filenames in each repository that match patterns of known sensitive files.

Companies that are doing software development need to take an active interest in GitHub, determining which employees and contractors are using it and verifying that no proprietary code or sensitive information is leaking into the public domain.

Internally, data leak prevention products can identify and block the movement of proprietary code. Concerted education for developers about best practices and proper security hygiene when downloading and uploading code to shared and searchable source repositories can help prevent head-slapping mistakes like the leak of database administrator credentials and private keys.
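The filename-pattern approach the submission attributes to GitRob (flag files in a repository whose names match known sensitive-file patterns) is easy to turn into a pre-publish check on an organization's own repositories. The following is an added example, not GitRob's code nor anything from the IT World story; the signature list, the `flag_sensitive_paths` and `scan_git_repo` helpers and the sample listing are all constructed for this illustration. It also shows one refinement the text does not: skipping committed placeholder files such as `.env.example`, which would otherwise be a constant source of false positives.

```python
import re
import subprocess

# Constructed signature list for this example. It is NOT GitRob's own pattern
# set; it illustrates the same idea: match repo-relative paths against
# filename patterns that usually indicate credentials or other secrets.
SENSITIVE_FILE_SIGNATURES = [
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "SSH private key"),
    (re.compile(r"\.(pem|key|p12|pfx)$"), "private key or certificate bundle"),
    # .env files are flagged, but .env.example / .env.sample / .env.template
    # are the usual committed placeholders and are deliberately skipped.
    (re.compile(r"(^|/)\.env(\.(?!example$|sample$|template$)[\w-]+)?$"),
     "dotenv file with environment secrets"),
    (re.compile(r"(^|/)\.(bash|zsh)_history$"), "shell history"),
    (re.compile(r"(^|/)\.(npmrc|pypirc|netrc)$"), "package registry or login credentials"),
    (re.compile(r"(^|/)(wp-config\.php|database\.yml)$"),
     "application config that normally holds DB credentials"),
    (re.compile(r"(^|/)\.aws/credentials$"), "AWS credentials file"),
    (re.compile(r"\.(sqlite|sqlite3|db)$"), "database file"),
]


def flag_sensitive_paths(paths):
    """Return [(path, reason)] for every path that matches a signature.

    Paths are expected repo-relative with '/' separators (the form
    `git ls-files` prints). Input order is preserved in the output.
    """
    hits = []
    for path in paths:
        normalized = path.replace("\\", "/")
        if normalized.startswith("./"):
            normalized = normalized[2:]
        for pattern, reason in SENSITIVE_FILE_SIGNATURES:
            if pattern.search(normalized):
                hits.append((path, reason))
                break  # one reason per file is enough for a report
    return hits


def scan_git_repo(repo_dir):
    """Scan a local checkout by listing its tracked files with `git ls-files`.

    Intended as a pre-publish check on your own repositories: only tracked
    files are listed, which are exactly the files that would land on GitHub.
    """
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-files"],
        check=True, capture_output=True, text=True,
    ).stdout
    return flag_sensitive_paths(out.splitlines())


# Constructed sample listing standing in for `git ls-files` output.
SAMPLE_REPO_LISTING = [
    "README.md",
    "src/app.py",
    "config/database.yml",
    "deploy/id_rsa",
    "deploy/id_rsa.pub",      # public half is fine to publish
    ".env",
    "docs/.env.example",      # placeholder, not a secret
    "certs/server.pem",
    "tests/fixtures/users.sqlite3",
    "scripts/.bash_history",
]


def scan_sample_listing():
    """Run the detector over the constructed listing and return the hits."""
    return flag_sensitive_paths(SAMPLE_REPO_LISTING)


if __name__ == "__main__":
    for path, reason in scan_sample_listing():
        print(f"{path}: {reason}")
```

Run as a script it reports six of the ten sample paths; `deploy/id_rsa.pub` and `docs/.env.example` are correctly left alone. Pointing `scan_git_repo` at a checkout wires the same check into a CI job or pre-push hook. Filename matching is only a first pass: it says nothing about secrets pasted into source files, so a content-based scan (high-entropy strings, known token formats) belongs alongside it.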

Submission + - No Justice for Victims of Identity Theft (csmonitor.com)

chicksdaddy writes: The Christian Science Monitor's Passcode features a harrowing account of one individual's experience of identity theft. (http://passcode.csmonitor.com/identity-stolen) CSM reporter Sara Sorcher recounts the story of "Jonathan Franklin" (not his real name), a New Jersey business executive who woke up to find thieves had stolen his identity and racked up $30,000 in a shopping spree at luxury stores including Versace and the Apple Store. The thieves even went so far as to use personal info stolen from Franklin to have the phone company redirect calls to his home number, which meant that calls from the credit card company about the unusual spending went unanswered.

Despite the heinousness of the crime and the financial cost, Sorcher notes that credit card companies and merchants both look on this kind of theft as a "victimless crime" and are more interested in getting reimbursed for their losses than trying to pursue the thieves. Police departments, also, are unable to investigate these crimes, lacking both the technical expertise and resources to do so. Franklin notes that he wasn't even required to file a police report to get reimbursed for the crime.
“As long as their loss is covered they move on to [handling] tomorrow’s fraud,” Franklin observes. And that makes it harder for victims like Franklin to move on. “In some way, I’m seeking some sense of justice,” Franklin said. “But it’s likely not going to happen.”

Submission + - Researcher: drug Infusion Pump is the 'least secure IP device' he's ever seen (securityledger.com)

chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459)

The problem? According to this report by Security Ledger (https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/) the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator level access to the pump without authentication. “The only thing I needed to get in was an interest in the pump,” he said.

Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple scripts.

Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an Ethernet port) could gain access to the local medical device network and other devices on it.
The problems prompted Richards to call the PCA 3 pump “the least secure IP enabled device” he has ever worked with. (http://hextechsecurity.com/?p=123)

Hospira did not respond to requests for comment prior to publication.

Submission + - Electrochemical And Solid State Science Trading Cards - Collect 'Em All! (ecsblog.org)

chicksdaddy writes: Sure, using a cylinder to smash a sphere over a wall 350 feet away is a cool trick. But is it really cooler than developing the first scanning electrochemical microscope? The Electrochemical Society doesn't think so. That's why they're introducing the first set of Official ECS Major League Trading Cards to highlight the "numbers" of some of the greatest scientists in Electrochemical and Solid State Science, and related fields.

The first batch of 50 includes "some of the biggest movers and shakers in the field, past and present," ECS says. (http://www.ecsblog.org/announcements/official-ecs-major-league-trading-card-series/). Just like baseball cards, the ECS cards feature a jaunty photo of the scientist on the front and that scientist's "stats" on the back. Though, instead of RBIs, Home Runs and on base percentage, the cards list patents earned, research papers published and books written.

Among the scientists featured: Allan Bard (b. 1933), an electrochemist who discovered electrochemiluminescence, contributing to the photoelectrochemistry of semiconductor electrodes.

The cards are distributed in groups of 10. But, alas, only attendees to the ECS's May meeting in Chicago (http://www.electrochem.org/meetings/biannual/227/) will have a chance to collect 'em all.

Submission + - Fewer than 1 in 10 Elect Free Credit Monitoring Services After Breach (securityledger.com)

chicksdaddy writes: The Hard Rock Hotel & Casino was the latest high profile US company to wind up on the wrong side of data thieves, according to a statement on the company's web site. (https://www.hardrockhotel.com/statement) And, as has become de rigueur, the Hard Rock was quick to offer free credit monitoring services for any customer affected by the incident. Generous, right?

Probably not. According to data from credit monitoring firm Experian, fewer than 1 in 10 customers affected by a data breach will sign up for the free credit and identity-theft monitoring services. In the case of very large breaches, that number is even smaller, in the "low single digit" percentages, Michael Bruemmer, the Vice President of Consumer Protection at Experian Consumer Services, told The Security Ledger. (https://securityledger.com/2015/05/amid-rampant-data-theft-consumers-left-breached-and-burned-out/)

The statistic is just one piece of evidence supporting the idea of what Bruemmer calls “breach fatigue” among businesses and consumers alike, after years of serial data thefts that have laid bare the personal information of a huge swath of the U.S. public.

Experian, which provides credit-monitoring services directly to consumers and on behalf of businesses, has seen a large increase in the number of U.S. adults affected by data breaches. In 2013, just 25% of the adult population in the U.S. received a notice about a data breach that affected them. In 2014, the average U.S. adult received not one but three notices of a data breach that affected them, according to Experian data.

But when it comes to making their customers whole, companies typically get off easy: many companies choose to pay per enrollment, rather than pay for monitoring services in bulk. That means the actual financial impact of offering the service is much smaller than the size of the breach might suggest.

Anthem Healthcare, the US Health Insurer which recently acknowledged that data on some 80 million customers was accessed by hackers (http://yro.slashdot.org/story/15/02/05/1329211/us-health-insurer-anthem-suffers-massive-data-breach), said adoption rates among its customers were in line with Experian's data on large breaches. Target, which had credit card data on 40 million customers stolen, said 3.5 million requested activation codes for free credit card monitoring services it offered to all of its current and former customers.

Submission + - Attack on Point of Sale Vendor Highlights Supply Chain Risk (securityledger.com)

chicksdaddy writes: Warnings about the threat posed by compromised software and hardware supply chains have grown more pointed in recent months. Notably, firms like Kaspersky (http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage) and Trend Micro (http://blog.trendmicro.com/trendlabs-security-intelligence/securing-the-it-supply-chain/) have highlighted attacks on technology supply chains, while the firm TrapX reported on a malware family, Zombie Zero, that was found lurking on hand-held scanners shipped from China and used by a prominent logistics firm. (http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf)

RSA brings more evidence that sophisticated cyber criminal and state sponsored groups are looking for ways to compromise technology supply chains. On Wednesday, the company wrote about what it describes as an attempted “supply chain subversion” attack (https://blogs.rsa.com/attacking-a-pos-supply-chain-part-1/) against a prominent point of sale (POS) hardware vendor with links to the PoSeidon point of sale malware campaign. (http://blogs.cisco.com/security/talos/poseidon)

RSA said it detected a sophisticated “spear phishing” campaign against a European POS vendor. According to RSA, e-mail messages were sent to a “small number of employees” of the Point of Sale system vendor posing as support emails from a customer (a prominent New York City restaurant). A malicious Microsoft Word document attached to the e-mail, if opened, installed a copy of the Vawtrak banking Trojan, which is adept at credential theft, according to The Security Ledger. (https://securityledger.com/2015/04/rsa-warns-of-supply-chain-attack-on-point-of-sale-vendors/)

The company said the goal of the attack was apparently to compromise the vendor itself, providing an avenue to “realize subversion of the vendor’s firmware or software built into the products.”

Submission + - FBI Accuses Researcher of Hacking Plane, Seizes Equipment (securityledger.com)

chicksdaddy writes: The Feds are listening and they really can't take a joke. That's the apparent moral of security researcher Chris Roberts' legal odyssey on Wednesday, which saw him escorted off a plane in Syracuse by two FBI agents and questioned for four hours over a humorous tweet Roberts posted about his ability to hack into the cabin control systems of the Boeing 737 he was flying. (https://twitter.com/Sidragon1/status/588433855184375808) Roberts (aka @sidragon1) joked that he could "start playing with EICAS messages," a reference to the Engine Indicating and Crew Alerting System (http://en.wikipedia.org/wiki/Engine-indicating_and_crew-alerting_system).

Roberts was traveling to Syracuse to give a presentation. He said local law enforcement and FBI agents boarded the plane on the tarmac and escorted him off. He was questioned for four hours, with officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago.

In an interview with The Security Ledger (https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/), Roberts said the agents questioned him about his tweet and whether he tampered with the systems on the United flight, something he denies doing.

Roberts had been approached earlier by the Denver office of the FBI which warned him away from further research on airplanes. The FBI was also looking to approach airplane makers Boeing and Airbus and wanted him to rebuild a virtualized environment he built to test airplane vulnerabilities to verify what he was saying.

Roberts refused, and the FBI seized his encrypted laptop and storage devices and has yet to return them, he said. The agents said they wished to do a forensic analysis of his laptop. Roberts said he declined to provide that information and requested a warrant to search his equipment. As of Friday, Roberts said he has not received a warrant.

Submission + - Why 'Designed for Security' is a Dubious Designation

itwbennett writes: The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: 'Designed for security products don't just have to be good. They have to be beyond reproach,' explains John Dickson, a Principal at the Denim Group. 'All it takes is one guy with a grudge to undo you.'

Submission + - GAO warns FAA of hacking threat to airliners (securityledger.com)

chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne, Security Ledger reports. (https://securityledger.com/2015/04/gao-warns-of-cyber-risks-in-flight/)

In a report issued Tuesday (GAO-15-370) (http://www.gao.gov/assets/670/669628.pdf), the GAO said that the FAA faces “challenges protecting aircraft avionics used to operate and guide aircraft” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that “unauthorized individuals might access and compromise aircraft avionics systems,” in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

“According to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO said.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems. (http://www.reuters.com/article/2014/08/04/us-cybersecurity-hackers-airplanes-idUSKBN0G40WQ20140804)

Submission + - IoT Developers Worry More About Security Than Interoperability (securityledger.com)

chicksdaddy writes: A survey of developers working on Internet of Things technologies reveals that security is the biggest concern, topping even interoperability among developers who plan to deploy an IoT product in the next 6 to 18 months. (https://securityledger.com/2015/04/survey-security-the-top-issue-for-iot-developers/)

The survey, conducted by the Eclipse Foundation's IoT Working Group, polled 356 IoT developers. Fully 44% listed “Security” as one of two top concerns for developing IoT solutions. Thirty-one percent listed “Interoperability” as one of two top concerns.

The results (http://www.slideshare.net/IanSkerrett/iot-developer-survey-2015) provide an interesting glimpse into the fast-evolving Internet of Things space, from the software developer’s point of view. Home automation was the most common type of solution that developers reported they were working on, with 44% identifying that as the focus of their work. Industrial automation was a close second, with 35% of respondents reporting having worked on an industrial automation IoT project. (https://ianskerrett.wordpress.com/2015/04/03/iot-developer-survey-what-are-developers-doing-with-iot-2/)

And much of the development work appears to take place at smaller firms. Fifty-six percent of respondents said their employer had between 1 and 500 employees. Thirty-five percent worked in a company that employed between 1 and 49 employees.

The use of open source technology was pervasive: fully 80% of the developers surveyed said their employer uses open source software for Internet of Things solutions. Linux was the dominant operating system, accounting for 78% used to power IoT devices. HTTP was the most common messaging protocol. Among IoT specific protocols, only MQTT was used by a majority of respondents (53%), Eclipse found.

Submission + - Research Finds Shoddy Security on Connected Home Gateways (securityledger.com)

chicksdaddy writes: Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ "smart" garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode (https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html) may make you think twice about deploying one of these IoT gateways in your home.

As The Security Ledger reports (https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/), Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing.

The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode’s research architect, told The Security Ledger.

This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post (http://www.xipiter.com/musings) describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
