chicksdaddy writes: A December power outage in the city of Kiev has been linked to hacking activity by groups believed to be working on behalf of the government of Russia, according to published reports. (https://securityledger.com/2017/01/second-ukraine-power-outage-linked-to-russian-hackers/)
Russian hacking crews were behind a brief power outage at the Pivnichna remote power transmission facility last month, using software based attacks to shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour. Hacking crews appear to be using the Ukraine as a test bed to hone skills that could be used against other adversaries, according to Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, the website Dark Reading reported on Tuesday.
Speaking at the S4 Conference in Miami on Tuesday (http://www.cvent.com/events/s4x17), Krotofil said that the outage at Pivnichna was part of a month-long campaign by Russian hacking groups that included attacks on railways and other critical infrastructure. While not intended to cripple the country, the attacks were designed to sow confusion and chaos, she said.
Research was conducted by Information Systems Security Partners (ISSP) (https://www.issp.ua/contact.php?l=en), a Ukrainian firm. Speaking to the conference via a pre-recorded video, Oleksii Yasynskyi, head of research at the company, said that the attacks were the work of more than one cyber criminal group that worked in concert with each other. Attacks against Ukrainian critical infrastructure and other interests began over the summer, ISSP said, with spear phishing attacks directed at a Ukrainian bank.
chicksdaddy writes: The Washington Post’s story, Saturday, which claimed that Russian hacking groups had penetrated the United States electrical grid (https://www.washingtonpost.com/world/national-security/russian-hackers-penetrated-us-electricity-grid-through-a-utility-in-vermont/2016/12/30/8fc90cc4-ceec-11e6-b8a2-8c2a61b0436f_story.html) is a great example of why the Obama Administration's Grizzly Steppe report was a big mistake. It is also a case-in-point against casual attribution of cyber attacks, The Security Ledger writes. (https://securityledger.com/2017/01/opinion-confusion-over-vermont-utility-underscores-risks-of-cyber-attribution/)
As we now know, the Washington Post used claims that “code associated with the Russian hacking operation dubbed GRIZZLY STEPPE" had been detected within a system owned by Burlington Electric as proof that the Russians had hacked into the U.S. grid.
But no such hack of the electrical grid took place. The computer infected with the malware was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press on Saturday (http://www.burlingtonfreepress.com/story/news/local/vermont/2016/12/30/russia-hacked-us-grid-through-burlington-electric/96024326/)
The Washington Post subsequently corrected its article, saying that no hack of the U.S. grid took place. Though it did NOT retract the story as some have claimed. Still, the confusion over “the Vermont incident” gets to the heart of criticisms that followed the release of the DHS and FBI Joint Analysis Report (JAR) on Russian hacking activity on U.S. shores. Specifically: the U.S. Government’s Report lumped together under one banner a wide range of hacking groups and hacking tools – some of them long used and widespread. In some cases, the groups in question have only tangential connections to the government of Russia. In other cases, tools and techniques for attacking organizations – including whole families of malware – were thrown under the GRIZZLY STEPPE umbrella. The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing.
The report about the Vermont hack proceeded from that assumption, citing intelligence from unnamed government sources that malicious code found at the utility was put there and controlled by “the Russians,” who “did not actively use the code to disrupt operations.”
The truth is that if any evidence exists linking the malware discovered on a machine owned by Burlington Electric to operatives of the government of Russia, none was presented. It’s not clear if the Washington Post ever asked for such proof. As Robert Lee noted in a blog post on Saturday: “the indicators supposedly were related to Russia because the DHS and FBI said so – and supposedly that’s good enough.” (http://www.robertmlee.org/analytical-leaps-and-wild-speculation-in-recent-reports-of-industrial-cyber-attacks/)
By ignoring context and a fair amount of private and public sector research in lumping together Black Energy and a wide range of other, similar threats under a common banner (GRIZZLY STEPPE), a report that was supposed to nail the lid shut on Russian hacking in U.S. elections has only raised more questions about the U.S. government’s evidence against Russia and whether that evidence is being interpreted in ways that distort its actual meaning or import. The Washington Post story marked just the first errant conclusion drawn from that errant report. Others are sure to follow – blurring rather than sharpening our understanding of the risks posed by Russia and other online adversaries.
chicksdaddy writes: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help (https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information) heading off what it calls “a looming threat to information security:” powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information, The Security Ledger reports.
In a statement Tuesday, NIST asked the public to submit ideas for “post-quantum cryptography” algorithms that will be “less susceptible to a quantum computer’s attack.” NIST formally announced its quest in a publication on The Federal Register. (https://www.federalregister.gov/documents/2016/12/20/2016-30615/announcing-request-for-nominations-for-public-key-post-quantum-cryptographic-algorithms)
Dustin Moody, a mathematician at NIST said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information.
“We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B.
Researchers have until November 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the “post-quantum crypto” standards (http://csrc.nist.gov/groups/ST/post-quantum-crypto/minimum-accept-reqs.html) set up by NIST will be invited to present their algorithms at an open workshop in early 2018.
chicksdaddy writes: Consumer home networking firm NETGEAR has issued an emergency software patch for a serious vulnerability in its home routers, even as the company doubles the list of affected hardware.
The company said on Tuesday (http://kb.netgear.com/000036386/CVE-2016-582384?cid=wmt_netgear_organic) that it is providing a “beta version” of router firmware that addresses an arbitrary command injection vulnerability that was disclosed in firmware used by a number of wireless routers sold to consumers and small businesses. NETGEAR said the software update is still being tested and will only work on three versions of its routers: the R6400, R7000 and R8000. The company also acknowledged that five more routers are affected by the flaw and remain unpatched: the R7900, R7300, R7100LG, R6700 and R6250.
The company said the new firmware has not been fully tested and “might not work for all users.” The company offered it as a “temporary solution” to address the security hole. “NETGEAR is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible,” the company said in a post to its online knowledgebase early Tuesday.
The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers. (https://www.youtube.com/watch?v=kOZs90BGPFk) The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. CMU urged NETGEAR customers to stop using affected routers until a fix can be found. (https://www.kb.cert.org/vuls/id/582384)
The vulnerability was discovered by an individual using the handle Acew0rm (@acew0rm1), who says he contacted NETGEAR about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.
chicksdaddy writes: A serious and easy to exploit security hole in the software that runs certain models of wifi routers made by the firm Netgear prompted experts at Carnegie Mellon to urge customers to stop using them until a fix can be found.
The warning comes in a vulnerability note (VU#582384)(https://www.kb.cert.org/vuls/id/582384) published on Friday by Carnegie Mellon University’s CERT, describing an “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers.
The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. A proof of concept exploit for the hole was published online (https://www.exploit-db.com/exploits/40889/) on Wednesday by an individual using the handle Acew0rm (@acew0rm1).
Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited “community reports” that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable.
The warning comes amid increased concern about the security of home routers, following widespread attacks in recent weeks that have targeted the devices in Germany, the UK and other countries.
In statements on Twitter (https://twitter.com/acew0rm1), AceW0rm said that he informed Netgear of the flaw more than four months ago, but has not heard back from the company since. He released information on the hole as well as proof of concept exploit code.
A search of the public Internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
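Neither of the two NETGEAR posts above says how the flaw is triggered beyond "arbitrary command injection" reachable when a user visits a web page, so the following is an added illustration of the vulnerability class and not NETGEAR's firmware: a made-up "ping a host" diagnostic handler of the kind consumer routers expose, shown in its vulnerable form, with a quoting-only fix that still leaves option injection open, and in an allow-listed form that hands an argv list to subprocess with no shell. The handler names, the host grammar and the choice of Python are assumptions for the example.

```python
import re
import shlex
import subprocess

# Hypothetical "ping a host" diagnostic handler, modelled on the kind of page
# found in consumer router web UIs. Illustrative code for the command
# injection class; not NETGEAR's firmware, and the names are made up.

# One label of 1-63 alphanumerics or hyphens, not starting or ending with a
# hyphen, joined by dots. Plain IPv4 addresses match as well; nothing else does.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(?:\." + _LABEL + r")*$")


def build_ping_vulnerable(host):
    """Vulnerable form: the request value is spliced into a shell command line.
    Run with shell=True, a value such as '8.8.8.8; reboot' executes both commands."""
    return f"ping -c 1 {host}"


def build_ping_quoted(host):
    """Partial fix: shlex.quote neutralises shell metacharacters, but the value
    still reaches ping's own option parser, so '-c100000' or '-f' style
    option injection is not prevented."""
    return f"ping -c 1 {shlex.quote(host)}"


def build_ping_hardened(host):
    """Hardened form: allow-list the value against a strict host grammar (which
    also rules out a leading '-', so ping cannot read it as an option) and
    return an argv list to be executed with shell=False."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected diagnostic target: {host!r}")
    return ["ping", "-c", "1", host]


def rejects(host):
    """True if the hardened builder refuses this value."""
    try:
        build_ping_hardened(host)
    except ValueError:
        return True
    return False


def run_diagnostic(host, timeout=10):
    """Execute only the hardened form; no shell is involved at any point."""
    argv = build_ping_hardened(host)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for value in ("example.com", "8.8.8.8; reboot", "-c100000", "$(id)"):
        print(f"{value!r:22} vulnerable={build_ping_vulnerable(value)!r:32} "
              f"quoted={build_ping_quoted(value)!r:34} rejected={rejects(value)}")
```

Input validation alone does not address the delivery vector the posts describe (a request issued when the user visits a malicious site); that separately calls for anti-CSRF protection on the router's management interface, which is outside this snippet.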
chicksdaddy writes: It turns out that the “bad neighborhoods” theory (http://ns.umich.edu/new/releases/8588) applies to computers, as well as people.
Researchers from the firm Recorded Future said that the company has developed what it described as a “support vector machine” model to analyze contextual open source intelligence (OSINT) data on malicious online behavior. (https://www.recordedfuture.com/artificial-intelligence-cyber-defense/) That is cross referenced to “CIDR neighborhoods” – blocks of Internet addresses identified using Classless Inter-Domain Routing. The AI's output is a predictive risk score for specific IP addresses that are likely to turn to crime.
So far the results are promising. In one case, Recorded Future tagged an IP address as likely to be used in an attack a full 10 days before it actually was. In an analysis of 500 previously unseen IPs with predictive risk scores that suggested they would become malicious, 25% turned up on independent, open source lists of malicious IP addresses within 7 days, the company said. By comparison, just 0.02 percent of the entire population of global (IPv4) IP addresses are marked as malicious at any time, the company said.
As for why, the explanation that Recorded Future gives sounds similar to the findings of sociological and psychological research on the effects of bad neighborhoods. The notion there is that “bad neighborhoods” – characterized by crime, poverty and a scarcity of good role models and economic opportunities – can affect the cognitive development of children and even of the children of those children.(https://psmag.com/growing-up-poor-has-effects-on-your-children-even-if-you-escape-poverty-df11e668378a#.a27begtv0)
In the case of Internet connected systems that are destined to ‘go bad,’ the issue is proximity to computers that are involved in malicious activity, Staffan Truve, CTO, Recorded Future told The Security Ledger.(https://securityledger.com/2016/12/bad-neighborhoods-predict-which-computers-turn-to-crime-also/)
Hackers and botnet operators are rational, economic beings, he observes. That means that they will eventually use infrastructure that they rent for a purpose (like virtual systems in a data center that might be rented out for use in a denial of service attack). By analyzing the “closeness” of IPV4 addresses, Recorded Future found a predictor of future malicious activity. Proximity to one of those bad apples makes it more likely that you’re a bad apple, also – or soon will be, he said. “There’s an underlying logic, which is that the neighborhood (the system) is in will be the core part of whether it becomes malicious, but also how your neighbors are talked about.”
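Recorded Future's model is a support vector machine over OSINT features and the post does not describe it in enough detail to reproduce, so the following is an added example, not the company's code, that isolates the neighbourhood idea alone: count known-bad addresses per /24 and /16 block, score a previously unseen address by the weighted count of bad neighbours, rank candidates, and measure the kind of "turned up on a blocklist later" hit rate the post reports. The blocklist (RFC 5737 documentation ranges), the prefix weights and the saturating score transform are constructed for the example.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample of addresses already on an open-source blocklist
# (RFC 5737 documentation ranges, not real threat data).
KNOWN_BAD = [
    "203.0.113.5", "203.0.113.17", "203.0.113.200",   # three hits in one /24
    "198.51.100.9",                                    # a single hit in its /24
    "192.0.2.77",
]

# Hypothetical weights: a bad neighbour in the same /24 counts in full,
# one elsewhere in the same /16 counts a quarter.
PREFIX_WEIGHTS = {24: 1.0, 16: 0.25}


def neighbourhood(ip, prefix):
    """The CIDR block of the given prefix length that contains ip."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_index(bad_ips, prefixes=tuple(PREFIX_WEIGHTS)):
    """Count known-bad addresses per CIDR block, one Counter per prefix length."""
    index = {p: Counter() for p in prefixes}
    for ip in bad_ips:
        for p in prefixes:
            index[p][neighbourhood(ip, p)] += 1
    return index


def risk_score(ip, index, weights=PREFIX_WEIGHTS):
    """Score in [0, 1): exactly 0 for a clean neighbourhood, approaching 1 as
    bad neighbours accumulate. A bad address in the same /24 contributes
    both its /24 and its /16 weight; one only in the same /16 contributes
    the /16 weight."""
    raw = 0.0
    for prefix, weight in weights.items():
        raw += weight * index[prefix][neighbourhood(ip, prefix)]
    return 1.0 - math.exp(-raw)


def rank_candidates(candidates, index, weights=PREFIX_WEIGHTS):
    """Sort previously unseen addresses, highest predicted risk first."""
    return sorted(candidates, key=lambda ip: risk_score(ip, index, weights), reverse=True)


def hit_rate(predicted, later_confirmed_bad):
    """Fraction of predicted-bad addresses that later appeared on a blocklist,
    the style of check behind the post's '25% within 7 days' figure."""
    if not predicted:
        return 0.0
    hits = sum(1 for ip in predicted if ip in later_confirmed_bad)
    return hits / len(predicted)


if __name__ == "__main__":
    index = build_index(KNOWN_BAD)
    unseen = ["10.0.0.1", "203.0.200.1", "203.0.113.77", "198.51.100.50"]
    for ip in rank_candidates(unseen, index):
        print(f"{ip:16} risk={risk_score(ip, index):.3f}")
    # Pretend only one of them showed up on a blocklist a week later.
    print("hit rate:", hit_rate(unseen, {"203.0.113.77"}))
```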
chicksdaddy writes: The devaluation of traditionally “soft” skills like empathy, communication and collaboration in the information security space may be hampering the ability of IT security teams to respond to human-focused threats and attacks, according to this article at The Security Ledger. (https://securityledger.com/2016/12/cybers-lack-of-women-a-problem-and-threat/)
Failing to prioritize skills like empathy, communication, and collaboration and the people who have them (regardless of their gender) and focusing on "hard skills" (technical expertise) "limits our conceptions of security solutions and increases risks to our systems and users."
The problem goes beyond phishing attacks and social engineering, too. “Studies have shown that projects that embrace diversity are more successful. It’s a simple truth that people with different life backgrounds and life experiences bring unique perspectives to problem-solving,” says Amie Stepanovich, the U.S. policy manager at Access Now.
In short: "when we keep hiring technologists to solve problems, we keep getting technical solutions." Too often, such technical fixes fail to account for the human environment in which they will be deployed. “It’s prioritizing a ‘tech first’—not a ‘human first’ or ‘empathy first’—perspective,” says Dr. Sara “Scout” Sinclair Brody, the executive director of Simply Secure.
This isn’t the first article to raise a red flag over the technology sector's glaring shortage of empathy. (http://www.newyorker.com/business/currency/silicon-valley-has-an-empathy-vacuum).
And while instilling empathy and compassion in adults who lack it might seem like a tall order, the piece argues that it isn't an unsolvable problem: there are entire fields—like user experience and human-centered design—dedicated to improving the way humans and technology interact. “Shockingly little of that,” says Brody, “has made it into the security domain.”
chicksdaddy writes: An online attack that took an estimated 900,000 Deutsche Telekom broadband routers offline in Germany was the work of the Mirai botnet, a global network of infected cameras, printers, digital video recorders and other Internet of Things devices. But the attacks go well beyond Germany and the true number of vulnerable devices that could be targeted is much larger – numbering in the millions, according to new analysis by the firm Flashpoint. (https://www.flashpoint-intel.com/new-mirai-variant-involved-latest-deutsche-telekom-outage/)
On Monday, Deutsche Telekom acknowledged (https://www.telekom.com/de/medien/details/13-fragen-zu-angriff-auf-router-445088) that broadband routers it operates were knocked offline by a large scale attack that attempted to infect broadband routers with malicious software. Deutsche Telekom said that around 4 percent of its customers were affected by the attack – around 900,000 routers. But DT customers were not the only target. Flashpoint said it has observed infected devices operating from the United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy, as well as Germany.
In contrast to earlier rounds of Mirai infections, which relied on brute force (or “dictionary”) attacks that guessed default administrator usernames and passwords, the latest attacks attempted to exploit a known vulnerability in a remote maintenance interface. Attacks were launched using the TR-064 and TR-069 protocols which are common for managing so-called “customer premises equipment” (or CPE) in wide area network environments, DT said. Deutsche Telekom said it is working with manufacturers on firmware updates to address the vulnerability and is rolling them out to customers as they become available. The TR- protocols are what telecommunications firms and others use to remotely manage broadband routers in homes and businesses, said Zak Wikholm, a security research developer at Flashpoint, The Security Ledger reported. (https://securityledger.com/2016/11/report-millions-and-millions-of-devices-vulnerable-in-latest-mirai-attacks/)
While the exact number of infected devices isn’t known, Flashpoint estimates the global population of infected devices to be “five million” endpoints. The total number of vulnerable devices is much, much larger, though. Some estimates put the total number of devices with port 7547 open at around 41 million, Wikholm told Security Ledger. However, only a fraction of those allow parties other than Internet Service Providers to access those devices. That may be around five million devices globally, he said, though the exact number is unknown.
Even that smaller number could spell disaster. Denial of service attacks in recent months that reached upwards of 700 Gigabits per second of traffic were launched from Mirai botnets with only 100,000 to 200,000 infected hosts. Wikholm said the object of the attacks appears to be to build large botnets that can be used “as a commercial service.”
chicksdaddy writes: Some of the nation’s top experts on cyber security and the Internet of Things urged Congress to take a more forceful approach to securing a burgeoning population of Internet connected devices before security and quality issues undermine consumer confidence. (Video of testimony: https://energycommerce.house.g...)
Members of the House Committee on Energy and Commerce were told in separate testimony that the inability of the global hardware and software market to produce secure products represented a critical market failure and that government intervention was likely to be necessary to create incentives for manufacturers to design secure, connected products, The Security Ledger reported (https://securityledger.com/2016/11/on-capitol-hill-calls-for-a-federal-role-in-securing-world-of-dangerous-things/).
Problems such as the recent denial of service attacks linked to the Mirai botnet will become more common and could threaten the integrity of the Internet and of the nation’s broader economy if left unaddressed.
The Committee heard from Dr. Kevin Fu of the University of Michigan, Bruce Schneier of IBM and a fellow at Harvard’s Kennedy School of Government and Dale Drew, the Chief Security Officer of Level3 Communications. All three, to varying degrees, advised a bigger government role in setting standards for devices connected to the Internet. And all three warned that a failure to deal with an epidemic of insecure devices could result in the public rejecting new technology for fear of the implications to their security and personal privacy.
Security problems in software are nothing new, Dr. Fu told the Committee, but the expansion of software-based devices into the physical world has drastically raised the stakes of software insecurity. “One of the core problems with the increasing number of IoT devices is the increased complexity that is required to operate them safely and securely. This increased complexity creates new safety, security, privacy, and usability challenges far beyond the difficult challenges individuals face just securing a single device,” Fu told the Committee.
Schneier, the CTO of Resilient Systems (now IBM) and a Fellow at the Harvard Kennedy School, said that the security problems were evidence of a clear market failure. “Basically, the market has prioritized features and cost over security,” Schneier told the Committee. “The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smart phone manufacturers, simply because the market won’t stand for the additional costs that would require,” Schneier noted.
Schneier said that a new agency to regulate IoT device security may be needed, just as new agencies were created to address safety and security issues engendered by automobiles and airplanes.
Fu called for more money to cultivate and train cyber security experts and an embedded device testbed akin to the crash and safety test beds operated for vehicles by the National Highway Traffic Safety Commission.
chicksdaddy writes: A Distributed Denial of Service (DDoS) attack resulted in the loss of heating to two buildings in the city of Lappeenranta in eastern Finland according to a report by YLE (in Finnish here: http://yle.fi/uutiset/3-927849...), just the latest example of downstream effects of cyber attacks on connected infrastructure.
According to a published statement from a local IT management firm Valtia (http://www.valtia.fi/tiedote-tietoturvahyokkayksesta) the attack was noticed after a building automation system used in two properties began issuing strange alarms and could not be remotely accessed. The cause was a sustained denial of service attack that was flooding the building management system with bogus Internet traffic, causing it to restart every few minutes, and denying remote administrators at Valtia access to the device. The attack spanned November 3rd and 4th, according to Simo Rounela, the CEO of Valtia, who spoke with The Security Ledger. (https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/)
The result? “The majority of the controlled systems, such as heat distribution, ventilation and hot water went temporarily ‘broken’,” the company said in a statement. To fix it, a technician visited the buildings and removed the affected hardware from the Internet until the malicious traffic could be filtered out. Once disconnected from the Internet, the building automation system returned to normal operation.
Around 50 people were affected, though Rounela said he doubts any noticed any change in the temperature as a result of the attacks because the building would maintain its current temperature when the system was down. Temperatures in Lappeenranta were expected to be in the mid 20s (F) this week, -6 (C).
In a conversation with The Security Ledger, Rounela said that there is strong evidence that vulnerable and Internet exposed devices manufactured by Fidelix (https://www.fidelix.fi/), a Finnish building automation firm.
“There are about 1000 similar automation devices (on the) public Internet in Finland,” Rounela said in an email, citing a search using Shodan, the hardware search engine. “Some of the affected systems were not using Dynamic DNS services, so I can’t really say how the targets were chosen.”
A report by the Finnish Communications Regulatory Authority said that the attacks appear to be part of a larger cyber criminal denial of service operation, not targeted at the building in question, YLE reported (http://yle.fi/uutiset/3-9278497).
chicksdaddy writes: When it comes to securing its products from software based attacks, the medical device giant GE Healthcare is paying close attention to a model developed by Microsoft almost two decades ago.
With an eye to securing its ever-more connected medical devices from cyber attack, GE Healthcare has embraced an approach used by Microsoft as it struggled to overhaul the security of its Windows operating system, Internet Explorer web browser and Office productivity software in the late 1990s and early years of this century, amid mounting malware attacks and other security holes, The Security Ledger reports.
Among other things, GE Healthcare has been filling out its product security team with Microsoft veterans and adopting Microsoft’s secure development lifecycle (SDL) approach to managing product security, according to Chris Larkin, the Chief Technology Officer at GE Healthcare. He described the company’s approach to securing its products during an address at the Internet of Things World event in Boston on Tuesday.
GE Healthcare, he said, was looking for ways to balance the benefits and efficiencies of new “smart” medical devices and instruments with the risks that go along with connecting such equipment to clinical networks and, more generally, the Internet. To do that, the company was looking to Microsoft’s Trustworthy Computing model and Secure Development Lifecycle.
That approach emphasizes security throughout a product’s life: from design and development through to deployment. Specifically, Larkin mentioned GE Healthcare’s focus on what Microsoft refers to as “SD3,” or “Secure by Design, Secure by Default and Secure in Deployment.”
As Microsoft did, GE is emphasizing threat modeling for its products, anticipating malicious attacks and actors with an interest in medical devices and healthcare environments – an element that is often missing from product design in the medical device field. The company has also attracted a number of Microsoft security pros to its ranks. Among them: Bob Fruth, who spent six years as the Security Program Manager for Trustworthy Computing and is now a Principal Cybersecurity Consultant at GE Healthcare. There is also Matt Clapham, a former Microsoft Security Engineer and Security Program manager who now also works on GE Healthcare’s Product Development Security team.
chicksdaddy writes: The Mirai malware that is behind massive denial of service attacks involving hundreds of thousands of “Internet of Things” devices may also affect cellular modems that connect those devices to the Internet, the Department of Homeland Security (DHS) is warning.
An alert issued by DHS’s Industrial Control System CERT on Wednesday warns that cellular gateways manufactured by Sierra Wireless are vulnerable to compromise by the Mirai malware. While the routers are not actively being targeted by the malware, “unchanged default factory credentials, which are publicly available, could allow the devices to be compromised,” ICS-CERT warned.
The alert comes after a number of reports identified devices infected with the Mirai malware as the source of massive denial of service attacks against media websites like Krebs on Security and the French hosting company OVH. The attacks emanated from a global network of hundreds of thousands of infected IP-enabled closed circuit video cameras, digital video recorders (DVRs), network video recorders (NVRs) and other devices.
Analysis by the firm Imperva found that Mirai is purpose-built to infect Internet of Things devices and enlist them in distributed denial of service (DDoS) attacks. The malware searches broadly for insecure or weakly secured IoT devices that can be remotely accessed and broken into with easily guessed (factory default) usernames and passwords.
chicksdaddy writes: A common, China-based supplier of circuit boards and software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
Weak, default credentials associated with software made by XiongMai Technologies were abused by cyber criminals to compromise hundreds of thousands of DVR, NVR (network video recorder) and IP cameras globally. The credentials are written (or "hardcoded") into the software used by over five hundred thousand devices on public IPs around the world, meaning they cannot be changed and make the devices susceptible to trivial compromise, Security Ledger reported on Monday.
The Mirai botnet is one of a number of networks of compromised devices that launched crippling denial of service attacks against a number of organizations in Europe and North America. Among the more prominent targets were the French hosting firm OVH and Krebs On Security, an independent cyber security blog that often exposes the deeds of cyber criminals operating distributed denial of service (DDOS) scams. Those attacks were the largest denial of service attacks, measured by the volume of bogus Internet traffic used to cripple their targets. Attacks on Krebs on Security topped 600 Gigabits per second (Gbps) and discrete attacks on OVH tipped the scales at more than 700 Gbps.
According to the Flashpoint analysis, cyber criminals abused the default username and password combination for Xiongmai’s Netsurveillance and CMS software. Those credentials – a user name root and password xc3511 allow anyone to gain access to the administrative interface of the device running the software, typically using the Telnet protocol.
Even worse: Flashpoint said that during its investigation it discovered another vulnerability affecting XiongMai’s software: an authentication bypass vulnerability that allows anyone with knowledge of the IP address of a device running the NetSurveillance or CMS software to bypass authentication and connect to the management interface, provided they know the correct URL.
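The Mirai posts above name the login path (Telnet, a factory username and password such as root/xc3511) but no tool, so the following is an added audit script for checking one's own devices, not Flashpoint's analysis code and not Mirai: it attempts each factory pair against a line-based Telnet login and reports the pairs that land in a shell. A constructed loopback mock device is included so the example runs offline; it speaks only the plain login dialogue and skips Telnet IAC option negotiation, which real devices perform, and every credential pair other than root/xc3511 is a placeholder.

```python
import socket
import threading

# Added example: audit the Telnet factory-credential login path the page
# describes. root/xc3511 is the XiongMai pair named on the page; the other
# pairs are placeholders for the example.
DEFAULT_CREDS = [("root", "xc3511"), ("admin", "admin"), ("root", "root")]

LOGIN_PROMPTS = (b"login:", b"Login:")
PASSWORD_PROMPTS = (b"assword:",)
SHELL_PROMPTS = (b"# ", b"$ ", b"> ")
FAILURE_MARKERS = (b"incorrect", b"ailed", b"denied")


def _recv_until(sock, markers, timeout):
    """Read until one of the markers appears, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """True if the device drops into a shell after these credentials."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, LOGIN_PROMPTS, timeout)
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, PASSWORD_PROMPTS, timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, SHELL_PROMPTS + FAILURE_MARKERS, timeout)
    if any(m in reply for m in FAILURE_MARKERS):
        return False
    return any(m in reply for m in SHELL_PROMPTS)


def audit_device(host, port, creds=DEFAULT_CREDS):
    """Return the factory credential pairs this device still accepts."""
    accepted = []
    for user, password in creds:
        try:
            if try_login(host, port, user, password):
                accepted.append((user, password))
        except OSError:
            pass  # unreachable, refused or timed out: nothing to report
    return accepted


# --- constructed mock device, so the audit can be exercised offline ---------
def _readline(conn):
    line = b""
    while not line.endswith(b"\n"):
        ch = conn.recv(1)
        if not ch:
            break
        line += ch
    return line.strip().decode(errors="replace")


def start_mock_device(accepted_creds):
    """Listen on an ephemeral loopback port and accept only the given pairs.
    Returns the port number; the server runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"\r\nlogin: ")
                user = _readline(conn)
                conn.sendall(b"Password: ")
                password = _readline(conn)
                if (user, password) in accepted_creds:
                    conn.sendall(b"\r\nBusyBox v1.16.1 built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_device({("root", "xc3511")})
    print("accepted factory credentials:", audit_device("127.0.0.1", port))
```

Run it only against devices you own or are authorised to test; on a real device, replace the mock with the target's address and port 23, and expect to add IAC negotiation handling if the device sends option requests before its login prompt.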
chicksdaddy writes: The Food and Drug Administration (FDA) is on the front lines in the battle to make medical devices and medical data safe from hackers. But a report from the Government Accountability Office (GAO) warns that the FDA should mind the security of health data on its own network, the Digital Guardian blog reports.
A recently published GAO Report finds that the FDA has a “significant number of security control weaknesses” in critical IT systems that could “jeopardize the confidentiality, integrity and availability of its information and systems.” That’s particularly concerning, as the FDA network contains both sensitive health information and proprietary trade secrets, GAO said.
The FDA has, so far, failed to implement an agency-wide information security program as required by the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. As a result, “the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss.”
FDA has taken a lead role in encouraging medical device makers and healthcare providers to secure sensitive data and devices from hackers. But when it comes to the FDA’s own IT environment, GAO found there was much work to be done. The FDA, it found, had not done comprehensive risk assessments of its IT assets and addressed threats to those systems. The agency lacked complete security plans for all reviewed systems and hadn’t put in place programs to train personnel with “significant security responsibilities.” The agency couldn’t prove that it was testing its security controls effectively each year, as required by FISMA, or that any identified security weaknesses were being addressed in a timely fashion, GAO said.
chicksdaddy writes: Meet the new insecure insulin pump, same as the old insecure insulin pump. That was the experience of Rapid7 security researcher (and diabetic) Jay Radcliffe. Radcliffe rose to prominence in 2011 after he delved into the security of his Medtronic insulin pump. Now Radcliffe is warning the public about a flaw he discovered in another wireless insulin pump he was prescribed: the Animas OneTouch Ping, which is manufactured by Johnson & Johnson.
According to Radcliffe, the OneTouch Ping uses cleartext communications to send commands wirelessly between a management device, known as a “Meter Remote” and an insulin pump worn by the diabetic patient. As designed, the pump could allow a malicious actor to force the device to administer doses of insulin to a patient without their knowledge.
The remote provides an easy way for patients to program in insulin doses that the pump delivers. Rapid7 researchers were able to intercept the communications, which use a proprietary management protocol, reverse engineer it and then spoof the management device to initiate an injection of insulin, Rapid7 said in a blog post on Tuesday. An attacker would have to be able to first capture the command and play it back. That would require physical proximity to the patient.
Alas: there are no easy fixes for the problem. Radcliffe told The Security Ledger that he was unaware of any patch for the flaw and doubted whether a patch was possible. In the absence of a fix, patients have to rely on work arounds that include disabling the wireless management feature, limiting the maximum dose of insulin that can be delivered and enabling a "vibrate" feature that will alert patients when a dose of insulin has been delivered.
In a letter to affected patients, Animas/Johnson & Johnson said the risk to patients of an attack was "extremely low."
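The post describes the flaw (a cleartext proprietary protocol whose captured dose command can be played back) but not the frame format, so the following is an added model rather than Rapid7's or Animas's code: a pump that obeys any well-formed frame, beside a design in which each frame carries the pump's identity, a counter the pump requires to increase, and an HMAC tag under a key shared at pairing, plus the maximum-dose ceiling the post lists as a workaround. The frame layout, key length, pump identifier and tenths-of-a-unit dose encoding are assumptions for the example; the pairing key would have to be provisioned on the real device, which is the part the post says may not be patchable.

```python
import hashlib
import hmac
import struct

# Added example modelling the replay problem described on the page beside an
# authenticated, replay-resistant frame design. Layout, key size and dose
# units are assumptions; this is not the OneTouch Ping protocol.


class CleartextPump:
    """Obeys any well-formed frame, so a captured frame can be replayed at will."""

    def __init__(self):
        self.delivered = []

    def receive(self, frame):
        cmd, units = frame.decode("ascii").split(" ")
        if cmd != "BOLUS":
            return False
        self.delivered.append(float(units))
        return True


PUMP_ID_LEN = 8
TAG_LEN = 16                                   # truncated HMAC-SHA256 tag
FRAME_LEN = PUMP_ID_LEN + 4 + 2 + TAG_LEN      # id | counter | dose tenths | tag


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class AuthenticatedRemote:
    """Meter-remote side: frames are bound to one pump and a counter is never reused."""

    def __init__(self, key, pump_id):
        assert len(pump_id) == PUMP_ID_LEN
        self.key, self.pump_id, self.counter = key, pump_id, 0

    def build_frame(self, dose_tenths):
        self.counter += 1
        body = self.pump_id + struct.pack(">IH", self.counter, dose_tenths)
        return body + _tag(self.key, body)


class AuthenticatedPump:
    """Pump side: tag, pump id, counter freshness and dose ceiling are all
    checked before any insulin is delivered."""

    def __init__(self, key, pump_id, max_dose_tenths):
        self.key, self.pump_id, self.max_dose_tenths = key, pump_id, max_dose_tenths
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame):
        if len(frame) != FRAME_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the tag first, in constant time, before trusting any field.
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False
        pump_id = body[:PUMP_ID_LEN]
        counter, dose_tenths = struct.unpack(">IH", body[PUMP_ID_LEN:])
        if pump_id != self.pump_id:
            return False
        if counter <= self.last_counter:          # replayed or reordered frame
            return False
        if not 0 < dose_tenths <= self.max_dose_tenths:
            return False
        self.last_counter = counter
        self.delivered.append(dose_tenths / 10)
        return True


if __name__ == "__main__":
    old = CleartextPump()
    captured = b"BOLUS 2.5"
    print("cleartext: first", old.receive(captured), "replay", old.receive(captured), old.delivered)

    key, pump_id = b"\x01" * 16, b"PUMP0001"     # assumed pairing key and id
    remote = AuthenticatedRemote(key, pump_id)
    pump = AuthenticatedPump(key, pump_id, max_dose_tenths=100)
    frame = remote.build_frame(25)
    print("authenticated: first", pump.receive(frame), "replay", pump.receive(frame), pump.delivered)
```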