Submission + - Patch or hack? FDA tells doctors, patients to weigh risk of pacemaker patch (securityledger.com)

chicksdaddy writes: Patch or hack? That's the question the FDA says that doctors and patients need to weigh before they apply a (now) FDA-approved patch from St. Jude Medical (Abbott) for six implantable pacemakers.

In a safety warning published on Tuesday (https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm), the FDA said that patients using any of six pacemaker and CRT-P (cardiac resynchronization therapy pacemaker) devices manufactured by St. Jude Medical should consider applying a software update to fix the security holes, some of which could cause harm to patients.

“Patients and their health care providers (should) discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit,” the FDA said.

The risks associated with applying the patch are low. Abbott and FDA said there is a .003 percent chance of "complete loss of device functionality" and a .161 percent chance that the device will lose its currently programmed device settings. However, the risks associated with hacking are also characterized as remote. In a letter to physicians (https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker-firmware-update-doctor-letter-aug2017-us.pdf), Abbott — citing the Department of Homeland Security — said that only a "highly complex" attack could compromise the devices. However, that runs contrary to statements by the firm MedSec, which analyzed the St. Jude devices (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/) and found that many attacks — though they would require physical proximity to the device — would not be difficult to carry out and could cause harm to patients.

So, who to believe?

Submission + - Means and motives for cyber attacks on US Navy Vessels (securityledger.com)

chicksdaddy writes: Could cyber attacks have played a role in recent collisions between commercial vessels and the USS McCain and USS Fitzgerald? The short answer is 'yes,' The Security Ledger writes (https://securityledger.com/2017/08/analysis-there-is-both-means-and-motive-for-cyber-attacks-on-navy-vessels/).

While human error is still the leading candidate for the two incidents, which resulted in multiple fatalities and severe damage to the two ships, the means and motive to use cyber attacks to disable the two vessels exist, the article notes, citing a large body of private and public sector research on the security of maritime systems, as well as more recent reports of "in the wild" GPS spoofing attacks on merchant vessels. Among the notable instances:

A 2013 report from a research team at the University of Texas successfully “spoofed” an $80 million private yacht using a GPS spoofing device to send misleading information to crew about the boat’s position and movements in the water. (https://news.utexas.edu/2013/07/30/spoofing-a-superyacht-at-sea)

What is believed to be the first “in the wild” GPS spoofing attack (https://www.marad.dot.gov/msci/alert/2017/2017-005a-gps-interference-black-sea/). In June, the U.S. Maritime Administration issued a safety alert about an incident in the Black Sea described as “GPS interference” but elsewhere as “an apparent mass and blatant GPS spoofing attack involving over 20 vessels.” GPS was displaying the vessels as located more than 25 nautical miles from their actual location, but crew could find no problem with the operation of the GPS devices. (http://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea) The US Maritime Administration advised ships to “exercise caution when transiting this area.”

Proof of concept attacks to spoof AIS (the Automatic Identification System), technology that is installed on hundreds of thousands of ships globally and that is used for everything from ship-to-ship and ship-to-port communication to collision avoidance. Researchers at the 2014 Black Hat Briefings demonstrated how AIS spoofing and hijacking could be used to generate false alarms, or delay actual alerting (https://www.blackhat.com/docs/asia-14/materials/Balduzzi/Asia-14-Balduzzi-AIS-Exposed-Understanding-Vulnerabilities-And-Attacks.pdf). The technology, which was designed with pre-Internet security in mind, is insecure both in how it is implemented and in the design of the underlying protocol, researchers concluded.

Persistent reports about shoddy and outdated software and applications deployed on commercial and naval vessels — even those of recent vintage. (http://www.telegraph.co.uk/news/2017/06/27/hms-queen-elizabeth-running-outdated-windows-xp-software-raising/)

As for motive, the article considers the motivations of two likely actors, given the location of the collisions: North Korea and China. For the former, the article notes that all four ships involved in collisions since January have been equipped with Aegis anti-ballistic missile technology, which would be used to shoot down a missile test (or live attack) from the DPRK. In the case of China, the government recently complained bitterly about the USS McCain's sojourns into what China considers its territorial waters near Mischief Reef — an artificial island built by China. (http://www.news.com.au/world/china-protests-challenges-us-warship-near-its-artificial-islands/news-story/43784e65f8ab6461cbfad7d5a748775e)

Comment Umm...also Lockheed Martin, Raytheon, GM, etc... (Score 1) 270

We'd like to draw a neat line and say "Tesla is being propped up by government subsidies whereas [company x] is surviving on its wits & talents in the marketplace." But is that true? Do you really want to open the can o' worms that is government subsidies of various industries or players, whether through direct taxpayer support, tax incentives/loopholes (just direct taxpayer support by other means), infrastructure investment, R&D investment, preferential immigration policies, etc. etc. The list is long. So...as they say...people who live in glass office parks...

Submission + - Forget the Russians: Corrupt, Local Officials the biggest threat to Elections (securityledger.com)

chicksdaddy writes: Do you think that shadowy Russian hackers are the biggest threat to the integrity of US elections? Think again. It turns out the bad actors in US elections may be a lot more "Senator Bedfellow" (https://en.wikipedia.org/wiki/Minor_characters_in_Bloom_County#Senator_Bedfellow) than "Fancy Bear" (https://www.crowdstrike.com/blog/who-is-fancy-bear/), according to Bev Harris, the founder of Black Box Voting. “It’s money,” Harris told The Security Ledger. (https://soundcloud.com/securityledger/episode-58-election-system-hacking-bev-harris-and-eric-hodge) “There’s one federal election every four years, but there are about 100,000 local elections which control hundreds of billions of dollars in contract signings.” Those range from waste disposal and sanitation to transportation. “There are 1,000 convictions every year for public corruption,” Harris says, citing Department of Justice statistics. “It’s really not something that’s even rare in the United States.”

We just don't think that corruption is a problem, because we rarely see it manifested in the ways that most people associate with public corruption, like violence or having to pay bribes to receive promised services, Harris said. But it's still there.

How does the prevalence of public corruption touch election security? Exactly in the way you might think. “You don’t know at any given time if the people handling your votes are honest or not,” Harris said. “But you shouldn’t have to guess. There should be a way to check.”

And in the decentralized, poorly monitored U.S. elections system, there often isn't. At the root of our current problem isn’t (just) vulnerable equipment, it’s also a shoddy ‘chain of custody’ around votes, says Eric Hodge, the director of consulting at Cyber Scout, which is working with the Board of Elections in Kentucky and in other states to help secure elections systems. That includes where and how votes are collected, how they are moved and tabulated and then how they are handled after the fact, should citizens or officials want to review the results of an election. That lack of transparency leaves the election system vulnerable to manipulation and fraud, Harris and Hodge argue.

Submission + - Iranians Use 'Cute Photographer' Profile to Hack Targets in Middle East

chicksdaddy writes: Hackers working on behalf of the government of Iran are using alluring social media profiles featuring a young, English photographer to entice and then compromise the systems of high value targets in the oil and gas industry, according to a report by Dell Secureworks. (https://www.secureworks.com/research/the-curious-case-of-mia-ash)

In a report released on Thursday, Secureworks’ Counter Threat Unit (CTU) said that it observed an extensive phishing campaign beginning in January and February 2017 that used a polished social media profile of a young, English woman using the name “Mia Ash” to conduct highly targeted spear-phishing and social engineering attacks against employees of Middle Eastern and North Africa firms in industries like telecommunications, government, defense, oil and financial services. The attacks are the work of an advanced persistent threat group dubbed COBALT GYPSY or “Oil Rig” that has been linked to other sophisticated attacks.

The attacks, which spread across platforms including LinkedIn and Facebook, as well as email, were highly successful. In some cases, the attacks lasted months – and long after the compromise of the employee – with the targets engaged in a flirtation with a woman they believed was a young, attractive female photographer.

The Mia Ash persona is a fake identity based loosely on a real person, a Romanian photographer and student who has posted her work prolifically online. (http://bittersweetvenom.deviantart.com/art/Growing-Orchids-327937251) According to this report by Security Ledger (https://securityledger.com/2017/07/operation-lonely-guy-iranians-use-alluring-profiles-to-phish-across-social-media/), the persona was created specifically with the goal of performing reconnaissance on and establishing relationships with employees of targeted organizations. Victims were targeted with the PupyRAT Trojan, an open source, cross-platform remote access trojan (RAT) used to take control of a victim’s system and harvest credentials like logins and passwords from victims, and lured with malware-laden documents such as "photography surveys" (really?). One target was even instructed to make sure to open the document from work because it will 'work better,' Secureworks said.

Submission + - Global network of labs will test security of medical devices (securityledger.com)

chicksdaddy writes: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. (https://securityledger.com/2017/07/exclusive-whistl-labs-will-be-cyber-range-for-medical-devices/)

The “World Health Information Security Testing Labs” (or “WHISTL”) will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers “address the public health challenges” created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium (http://www.mdiss.org/).

“MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders,” said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like “fuzzing,” static code analysis and penetration testing of devices.

Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER) which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC).

The group says it plans for 10 new device testing labs by the end of the year, including in the U.S. in states from New York to Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

Submission + - Five (or more) good reasons to ignore the South Carolina election hacking story

chicksdaddy writes: What should we make of the latest reports from WSJ (https://www.wsj.com/articles/south-carolina-may-prove-a-microcosm-of-u-s-election-hacking-efforts-1500202806), The Hill, etc. that South Carolina's election systems were bombarded with 150,000 hacking attempts? Not much, argues Security Ledger in a news analysis that argues there are lots of good reasons to ignore this story, if not the very real problem of election hacking.
The stories, which were based on this report from The South Carolina Election Commission (PDF — https://goo.gl/TGKJEm)

"The key phrase in that report is 'attempts to penetrate,'" Security Ledger notes. Information security professionals would refer to that by more mundane terms like “port scans” or probes. These are kind of the 'dog bites man' stories of the cyber beat — common (here's one from 2012 https://www.usnews.com/news/ar...) but ill-informed. "The kinds of undifferentiated scans that the report is talking about are the Internet equivalent of people driving slowly past your house."

While some of those 150,000 attempts may well be attempts to hack South Carolina's elections systems, many are undifferentiated, while some may be legitimate, if misdirected. Whatever the case, they're background noise on the Internet and hardly unique to South Carolina's voter registration systems. They're certainly not evidence of sophisticated, nation-state efforts to crack the U.S. election system by Russia, China or anyone else, Security Ledger argues.

"The problem with lumping all these “hacking attempts” in the same breath as you talk about sophisticated and targeted attacks on the Clinton Campaign, the DCCC and successful penetration of some state election boards is that it dramatically distorts the nature and scope of the threat to the U.S. election system which – again – is very real."

The election story is one "that demands thoughtful and pointed reporting that can explore (and explode) efforts by foreign actors to subvert the U.S. vote and thus its democracy," the piece goes on to argue. "That’s especially true in an environment in which regulators and elected officials seem strangely incurious (http://www.businessinsider.com/dhs-is-refusing-to-investigate-hack-of-voting-machines-2017-6) about such incidents and disinclined to investigate them."

Submission + - The Internet of Things has an Entropy Problem (securityledger.com)

chicksdaddy writes: Among the many challenges of securing the Internet of Things, one that doesn't get much attention is the difficulty IoT devices have generating "entropy" — randomness — that is needed to create unique, strong cryptographic keys.

Simply put: insufficiently random numbers lead to weak or predictable keys, and that makes a wide range of supposedly strong encryption weak, in practice. In other words, the IoT problem isn’t just that devices communicate without using encryption, but that even those that nominally use strong encryption may not have encryption that is strong enough, according to Richard Moulds of the firm Whitewood, on The Security Ledger podcast. (https://securityledger.com/2017/06/podcast-the-internet-of-things-entropy-problem-and-why-it-matters/)

Entropy is all around us, and earlier generations of multi-purpose computers had plenty of ways to sample it: from tracking a user’s mouse movements and keystrokes to using the microphone to sample ambient sound. Internet of Things devices also have sensors of various types, but they’re very often small, single-purpose devices that generate and traffic in very small amounts of data – far too little to generate reliable random numbers.

Weak random number generators mean weak and predictable keys, and that opens the door to motivated hackers guessing the value of that key as part of an attack.

“If an attacker wants to break crypto, it’s not about the algorithm, it’s about the key,” Moulds told me. “If the key is no longer secret then the encryption falls away and can be broken in a heartbeat.”

Developers often overlook this basic problem, assuming that using longer keys results in more security, without wondering whether the devices using the longer keys are capable of supporting them.

“We like to think of applications running anywhere without any awareness of the hardware they’re running on,” Moulds told me. “But entropy and randomness are one of those things that pervade the whole stack. You have to know how the system works, and that’s the challenge.”
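As an added example (not from the post or the podcast it summarises), the kind of entropy-health check a device developer could run on a candidate entropy source before it is fed to a key generator. The two sample sources are constructed here: a narrow-range "sensor" stand-in for an entropy-starved device, and os.urandom as a reference. The function names, the 128-bit key size and the use of min-entropy as the budgeting figure are this example's own choices, not anything the post specifies.

```python
import math
import os
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of a byte sample, in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def min_entropy_per_byte(data: bytes) -> float:
    """Min-entropy in bits per byte: -log2 of the most frequent byte's frequency.
    This is the conservative figure to budget key material with, because it
    bounds an attacker's best single guess rather than the average case."""
    if not data:
        return 0.0
    p_max = max(Counter(data).values()) / len(data)
    return -math.log2(p_max)


def bytes_needed_for_key(min_entropy_bits_per_byte: float, key_bits: int = 128) -> int:
    """Raw bytes the source must supply (before conditioning with a hash or
    DRBG) to carry key_bits of min-entropy. A source with no entropy at all
    is rejected outright, since no quantity of it would help."""
    if min_entropy_bits_per_byte <= 0:
        raise ValueError("source carries no entropy")
    return math.ceil(key_bits / min_entropy_bits_per_byte)


def weak_sensor_sample(n: int) -> bytes:
    """Constructed stand-in for an entropy-starved IoT source: a 'sensor'
    whose readings only ever take four nearby values (20..23)."""
    return bytes(20 + (i % 4) for i in range(n))


def strong_sample(n: int) -> bytes:
    """Reference source: the operating system's CSPRNG."""
    return os.urandom(n)


def entropy_report(name: str, data: bytes, key_bits: int = 128) -> dict:
    """Summarise how much of a source is needed for a key of key_bits bits."""
    h_min = min_entropy_per_byte(data)
    return {
        "source": name,
        "shannon_bits_per_byte": round(shannon_entropy_per_byte(data), 3),
        "min_entropy_bits_per_byte": round(h_min, 3),
        "raw_bytes_needed": bytes_needed_for_key(h_min, key_bits) if h_min > 0 else None,
    }


if __name__ == "__main__":
    for name, sample in (("narrow sensor (constructed)", weak_sensor_sample(4096)),
                         ("os.urandom", strong_sample(4096))):
        print(entropy_report(name, sample))
```

The constructed sensor yields exactly 2 bits per byte, so a 128-bit key needs 64 raw bytes from it rather than the 16 a developer assuming "one byte in, one byte of entropy out" would take. Note the limit of a per-byte frequency test: a source that is structured but uniform (a counter, a full-period linear congruential generator) scores a perfect 8 bits here, so this check can flag an obviously starved source but cannot certify a good one; that still requires knowing how the hardware produces its noise, which is Moulds' point.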

Submission + - Firm Responsible for Mirai-Infected Webcams Finds Security Religion (securityledger.com)

chicksdaddy writes: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys (https://synopsys.com/) to “enhance the security of its Internet of Things (IoT) devices and solutions.”

Dahua, based in Hangzhou, China, said it will work with Mountain View-based Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.” In a joint statement (https://www.gurufocus.com/news/532265/dahua-technology-selects-synopsys-software-integrity-platform-to-secure-its-internet-of-things-devices), the companies said Dahua will be adopting secure “software development life cycle (SDLC) and supply chain” practices using Synopsys technologies in an effort to reduce the number of “vulnerabilities that can jeopardize our products,” according to a statement attributed to Fu Liquan, Dahua’s Chairman, The Security Ledger reports. (https://securityledger.com/2017/06/firm-that-made-mirai-infected-webcams-gets-security-religion/)

Dahua’s cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3.

In March, Dahua was called out for another, serious vulnerability in eleven models of video recorders and IP cameras. Namely: a back door account that gave remote attackers full control of vulnerable devices without the need to authenticate to the device. The flaw was first disclosed on the Full Disclosure mailing list and described as “like a damn Hollywood hack, click on one button and you are in.” (http://seclists.org/fulldisclosure/2017/Mar/17)

Submission + - Researchers Reveal Malware Designed to 'Power Down' Electric Grid (securityledger.com)

chicksdaddy writes: A sample of malicious software discovered at the site of a December 2016 cyber attack on Ukraine’s electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms (https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/), The Security Ledger reports.

Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET), affected a “single transmission level substation” in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems – the first evidence of such activity since the identification of the Stuxnet malware in 2010.

The Crashoverride malware “took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,” wrote Dragos Security in a report. (https://dragos.com/blog/crashoverride/CrashOverride-01.pdf)

The malware improves on features seen in other malicious software that is known to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That’s similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called “Human Machine Interfaces” (or HMIs) to understand the environment it has infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to spread to other Internet connected equipment and systems, Dragos said.

Submission + - Govt. Task Force Calls for Cash Incentives to Ditch Insecure Medical Devices (securityledger.com) 1

chicksdaddy writes: The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded. Among the ideas floated: a 'cash for clunkers' program that provides cash incentives for hospitals and doctors' offices to abandon outdated and insecure medical devices and software, The Security Ledger reports. (https://securityledger.com/2017/06/cash-for-medical-device-clunkers-task-force-calls-for-healthcare-security-overhaul/)

The report (https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf), released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.

The report features more than 30 pages of recommendations and “imperatives,” some of which are bound to be the source of controversy. Among other things, the report calls for medical device makers to design products in line with accepted secure development practices. Device makers should be urged to publish a “bill of materials” with medical devices that accounts for all hardware and software used in a device, including open source software components.

Healthcare organizations rely heavily on connected medical devices, but most are small and cash-strapped organizations that lack expertise in information security. “Healthcare is target rich and resource poor,” Corman notes, adding that Internet connected healthcare equipment can’t be used irrespective of security and privacy concerns. “If you can’t afford to protect it, you can’t afford to connect it,” said Joshua Corman of The Atlantic Council and I Am The Cavalry.

Submission + - Experts Call for Preserving Copper, Pneumatic Systems as Hedge for Cyber Risk (securityledger.com)

chicksdaddy writes: The United States should invest resources in preserving aging, analog infrastructure including telecommunications networks that use copper wire and pneumatic pumps used to pump water as a hedge against the growing threat of global disruption resulting from a cyber attack on critical infrastructure, two researchers at MITRE argue. (https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/backward-is-forward-analog-failover)

The researchers, Emily Frye and Quentin Hodgson with The MITRE Corporation, note that critical infrastructure is increasingly run from converged IP (Internet Protocol) based networks that are vulnerable to cyber attack. That includes so-called “lifelines” – essential functions like water, electricity, communications, transportation and emergency services. That marks a critical departure from the past when such systems were isolated from the Internet and other general purpose networks.

“Each lifeline rides on, and is threaded together by, digital systems. And humans have yet to design a digital system that cannot be compromised,” they write.

With such civilization-sustaining functions now susceptible to attack, the onus is on society to maintain a means of operating them that does not rely on digital controls, Frye and Hodgson write. In many cases, that means preserving an older generation of analog infrastructure and management systems that could be manually operated, The Security Ledger reports (https://securityledger.com/2017/05/our-analog-future-experts-call-for-preserving-copper-pneumatic-systems-as-hedge-for-cyber-risk/).

From their article: "In the case of communications, for instance, what is required is the preservation of a base core of copper-enabled connectivity, and the perpetuation of skills and equipment parts to make analog telephones work. Today, we see a move to decommission the copper-wire infrastructure. From a pure business standpoint, decommissioning copper is the right thing to do; but from a public-safety and homeland security perspective, we should reconsider. Decommissioning copper increases homeland security risk, because failover planning calls simply for relying on another server, router, or data center that is also subject to compromise."
