Hijacked medical devices can leave networks exposed

alphadogg writes: Hacked medical devices can pose direct dangers to patients but also serve as lairs from which malware finds its way into medical facilities’ networks and persists even after initial attacks have been cleaned up, according to a new report. Because these devices haven’t been designed with security as a priority, they have proven readily hackable. Beyond the immediate risk to patients, compromised connected devices can be used as a way to undermine other devices and steal valuable data, according to a report from TrapX.

Comment: Re:Umm, what? (Score 1) 395

This raises a good point. I've had interactions with folks who need me to fax something to them - and I no longer have anything that can fax. The point - there are no Easy replacements for fax.

Sure - I can email a scanned document to somebody. But it isn't easy. A fax - I pop the pages in, tap out a phone number - and bing zzziip-zzziiip it goes. My HP Printer/Scanner required A) my PC to be on, B) put the document up on the screen as a PDF to be saved C) required me to follow whatever email steps my system needed. It isn't all in one package.

If only we all had "phone numbers" instead of email addresses. I could call you, or "fax" you, all negotiated by the device.

But it doesn't exist yet. Voice Mail has a plan B. Texting or Emailing. And for those of us leaving email behind - "Social" media corp websites for collaboration and communication.

Fax is more than voicemail. It was a technology package.

Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled threat actors in the APT world: Duqu. The attack exploited zero-day vulnerabilities and after elevating privileges to domain administrator, the malware was spread in the network through MSI files. The attack didn’t leave behind any disk files or change system settings, making detection difficult. Upon discovery, Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. Besides intellectual property theft, no additional indicators of malicious activity were detected.

Comment: Re:Stupidity of Leadership (Score 1) 179

Yeah! Will they be learning Data Structure, Interrupts vs Polling, Analysis of Algorithms?

Or just how to write code in [Java/C#/Ruby/Swift/Go/Python/Perl/...F#] ?

For me - learning how to type was helpful (no, really). Plus learning how to Execute a program with pencil and paper was useful in understanding how a computer Accomplishes Work. It made me comfortable with computers. Granted I had an IBM PC at home with BASICA on it and a print out of the BIOS. But learning in HS how to write a real program and seeing that it was something to be studied set me up for College.

But - the real skills I've used in my life.... Geometry and Algebra, some Calculus, English Sentence structure, and to otherwise be curious. All of which are considered Electives in a CS degree ;-)

A computer is to me what a hammer & saw are to a carpenter. Understanding Fractions/angles etc are the foundation.

Oh - and one more math skill. Learning how to compute Logarithms by hand. Turns out - the basic algorithm is how a lot of software/CPUs get the job done.

Comment: Re:No matter the platform ... (Score 1) 117

Yes true. In our case we haven't had a native OS on Hardware for over 8 years. VMware all the way!!

But your suggestion is another tool in the mitigation toolbox. Move the physical to a VM.

As old as these OSs are - they still work and chug along. I always say that software isn't like milk - it doesn't expire and go bad.

Even the VMs are behind Network Packet Inspectors. Actually - our whole DC is surrounded by at least one such ring of devices. My PC traffic goes through such a device to get to the servers inside the building.

This all comes down to constant investing in systems. Don't grow old - always innovate as the budget allows. And Retire what you can because it will keep costs down in the long run.

U.S. Congress proposes reining in power of government-owned CAs

An anonymous reader writes: Four members of a U.S. Congress committee are looking into the feasibility of restricting the power of government-owned certificate authorities (CAs). The members of the House Committee on Energy and Commerce sent a letter yesterday addressed to Apple CEO Tim Cook asking whether it would perhaps be an effective measure to rein in national governments’ powers to issue certificates for services. The effectiveness of certificate authority frameworks is widely contested, even beyond politics, and many cases have cropped up over the past few years which have highlighted their flaws. There have been many incidents involving cybercriminals breaching CAs’ systems in order to issue fake certificates, and other scenarios where CAs have accidentally issued certificates. The letter expresses that CAs owned by national governments potentially pose serious threats to cybersecurity because of their status and authority. The committee proposes restricting these government bodies to issuing certificates solely in their own country-code TLD domains.

Nuclear blasts shed light on how animals recover from annihilation

sciencehabit writes: In the late 1960s and early 1970s, France detonated four nuclear bombs on the Fangataufa atoll—a ring-shaped island of coral in the middle of the Pacific Ocean. The detonations—the largest, a hundred times more powerful than the bomb dropped on Nagasaki—destroyed just about all life in the region, setting up an “unthinkable” ecological experiment: If life had to start fresh, would it develop the same way again? A new study of the aftermath of the blasts suggests it would not.

Hackers can tamper with medical drug pumps, leading to fatal outcomes

Errorcod3 writes: Researcher Billy Rios has discovered serious vulnerabilities in several types of drug infusion pumps manufactured by US-based company Hospira — vulnerabilities that can be exploited remotely by attackers looking to take control of the medical devices, and to effect changes that could threaten patients' lives.

  This is not the first time that Rios has discovered vulnerabilities in Hospira's pumps: in May 2014, he reported to the Department of Homeland Security and the FDA several vulnerabilities that made it possible for an attacker to change medication dosage limits on the company's PCA 3 Lifecare line of pumps.

  The FDA eventually, a year later, released a security advisory about those first vulnerabilities, as they were also discovered by another researcher and their existence made public. In the year between the initial discovery and the publication of the advisory, Hospira has failed to patch the flaws.

  In fact, when Rios first contacted them in 2014, they refused to test the other infusion pumps they sell for the vulnerabilities. This spurred Rios to continue with the research, and he purchased additional pumps to test them himself.

  "What I found was very interesting, many of Hospira’s infusion pumps utilize identical software on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3," he shared in a blog post.

  These vulnerabilities include the ability to forge drug library updates to the infusion pump, the existence of an unauthenticated telnet shell to root to the communications module, the use of identical hardcoded credentials, private keys and encryption certificates across different device lines, and outdated software.

  Confirmed affected device lines are the following: PCA 3 Lifecare, PCA 5 Lifecare, Plum A+ Infusion Pumps, PCA Lifecare, and Symbiq (no longer sold). Rios suspects (but still hasn't verified) that the Plum A+3, Plum 360, Sapphire, and Sapphire Plus pumps are affected by the same vulnerabilities.

  The newly discovered vulnerabilities would allow an attacker to remotely alter the devices' firmware, as they accept unsigned, unauthenticated updates. The connection to the device can be made via the devices' communication modules, which are connected to hospital networks.

  Wired reports that Hospira claims that this attack is impossible, as the communication module and the circuit board (which contains the firmware) are physically separated.

  But Rios discovered they are connected via a serial cable, and he plans to develop a Proof-of-Concept attack that will prove that he is right.


Schools monitoring pupils' web use with 'anti-radicalisation software'

An anonymous reader writes: Schools are being sold software to monitor pupils’ internet activity for extremism-related language such as “jihadi bride” and “YODO”, short for you only die once.

Several companies are producing “anti-radicalisation” software to monitor pupils’ internet activity ahead of the introduction of a legal requirement on schools to consider issues of terrorism and extremism among children.

Under the Counter-terrorism and Security Act 2015, which comes into force on 1 July, there is a requirement that schools “have due regard to the need to prevent pupils being drawn into terrorism”.

One company, Impero, has launched a pilot of its software in 16 locations in the UK as well as five in the US. Teachers can store screenshots of anything of concern that is flagged up by the software. Other companies offering anti-radicalisation software products to schools include Future Digital and Serurus.


New Duqu 2.0 APT Hits High-Value Victims, Including Kaspersky

Trailrunner7 writes: The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.

The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-days in the course of the operation.

The company said that it is confident that its technologies and products have not been affected by the incident.

The key difference with the Duqu 2.0 attacks is that the malware platform that the team uses has modules that reside almost entirely in memory.

“The Equation Group always used some form of persistence, accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.

Why So Many Robots Struggled with the DARPA Challenge

stowie writes: DARPA deliberately degraded communications (low bandwidth, high latency, intermittent connection) during the challenge to truly see how a human-robot team could collaborate in a Fukushima-type disaster. And there was no standard set for how a human-robot interface would work. So, some worked better than others. The winning DRC-Hubo robot used custom software designed by Team KAIST that was engineered to perform in an environment with low bandwidth. It also used the Xenomai real-time operating system for Linux and a customized motion control framework. The second-place finisher, Team IHMC, used a sliding scale of autonomy that allowed a human operator to take control when the robot seemed stumped or if the robot knew it would run into problems.

Comment: Re:No matter the platform ... (Score 1) 117

Yes exactly. We have mitigation plans that start with "turn off/retire unused systems" - followed by round up all remaining W2k3 machines and surround by multiple levels of security devices.

Mitigation plans are:
  * upgrade products to support newer OS when possible
  * for legacy systems with no upgrade path (or kept for supporting older product) - surround with packet inspectors. Configure system in most secure method possible (eg Windows firewall)

And have clear owners of the devices.

Comment: Re:Apple Developer Program now all inclusive (Score 1) 415

I enjoy having to wait 9 months to get the cool new features that my Android friends already have.

Seriously - Apple needs to find a way to update certain apps more frequently. These "huge" OS uplifts are painful. While I can appreciate some features needing to be part of the OS (low battery sleep mode) others need to come out "now."

As for Apple streaming - sounds good. I'm not personally interested in it - no more than I was with Radio. But please please Please --- don't make it the default widget that comes up in the Music app. What a PITA Radio was. I don't use Radio - stop trying to launch the widget/tab and then showing me the message "you are not subscribed to Radio" --- well Duh !!!

Developer "free" is always welcome. So that us home hobbyists can play. While $99 wasn't expensive (on top of a $1,500 Mac) - allowing people to goof off and try fun things out will probably generate new ideas and new developers to the market.

Supreme Court may decide the fate of API's, Klingonese, Dothraki...

nerdpocalypse writes: In a larger battle than even Godzilla V Mothra, Google V Oracle threatens not only Japan but the entire Nerd World. What is at stake is how a language can be patented. This affects not just programming languages, API's, and everything that runs..well...everything, but also the copyright status of new languages such as Klingon and Dothraki.

Opening Fixed-Code Garage Doors With a Toy in 10 Seconds

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child’s toy.

The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it’s incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.

Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.
