chicksdaddy writes: When it comes to securing its products from software-based attacks, the medical device giant GE Healthcare is paying close attention to a model developed by Microsoft almost two decades ago.
With an eye to securing its ever-more connected medical devices from cyber attack, GE Healthcare has embraced an approach used by Microsoft as it struggled to overhaul the security of its Windows operating system, Internet Explorer web browser and Office productivity software in the late 1990s and early years of this century, amid mounting malware attacks and other security holes, The Security Ledger reports.
Among other things, GE Healthcare has been filling out its product security team with Microsoft veterans and adopting Microsoft’s secure development lifecycle (SDL) approach to managing product security, according to Chris Larkin, the Chief Technology Officer at GE Healthcare. He described the company’s approach to securing its products during an address at the Internet of Things World event in Boston on Tuesday.
GE Healthcare, he said, was looking for ways to balance the benefits and efficiencies of new “smart” medical devices and instruments with the risks that go along with connecting such equipment to clinical networks and, more generally, the Internet. To do that, the company was looking to Microsoft’s Trustworthy Computing model and Secure Development Lifecycle as a model.
That approach emphasizes security throughout a product’s life: from design and development through to deployment. Specifically, Larkin mentioned GE Healthcare’s focus on what Microsoft refers to as “SD3,” or “Secure by Design, Secure by Default and Secure in Deployment.”
As Microsoft did, GE is emphasizing threat modeling for its products, anticipating malicious attacks and actors with an interest in medical devices and healthcare environments – an element that is often missing from product design in the medical device field. The company has also attracted a number of Microsoft security pros to its ranks. Among them: Bob Fruth, who spent six years as the Security Program Manager for Trustworthy Computing and is now a Principal Cybersecurity Consultant at GE Healthcare. There is also Matt Clapham, a former Microsoft Security Engineer and Security Program manager who now also works on GE Healthcare’s Product Development Security team.
chicksdaddy writes: The Mirai malware that is behind massive denial of service attacks involving hundreds of thousands of “Internet of Things” devices may also affect cellular modems that connect those devices to the Internet, the Department of Homeland Security (DHS) is warning.
An alert issued by DHS’s Industrial Control System CERT on Wednesday warns that cellular gateways manufactured by Sierra Wireless are vulnerable to compromise by the Mirai malware. While the routers are not actively being targeted by the malware, “unchanged default factory credentials, which are publicly available, could allow the devices to be compromised,” ICS-CERT warned.
The alert comes after a number of reports identified devices infected with the Mirai malware as the source of massive denial of service attacks against media websites like Krebs on Security and the French hosting company OVH. The attacks emanated from a global network of hundreds of thousands of infected IP-enabled closed circuit video cameras, digital video recorders (DVRs), network video recorders (NVRs) and other devices.
Analysis by the firm Imperva found that Mirai is purpose-built to infect Internet of Things devices and enlist them in distributed denial of service (DDoS) attacks. The malware searches broadly for insecure or weakly secured IoT devices that can be remotely accessed and broken into with easily guessed (factory default) usernames and passwords.
chicksdaddy writes: A common, China-based supplier of circuit boards and software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
Weak, default credentials associated with software made by XiongMai Technologies were abused by cyber criminals to compromise hundreds of thousands of DVR, NVR (network video recorder) and IP cameras globally. The credentials are written (or "hardcoded") into the software used by over five hundred thousand devices on public IPs around the world, meaning they cannot be changed and make the devices susceptible to trivial compromise, Security Ledger reported on Monday.
The Mirai botnet is one of a number of networks of compromised devices that launched crippling denial of service attacks against a number of organizations in Europe and North America. Among the more prominent targets were the French hosting firm OVH and Krebs On Security, an independent cyber security blog that often exposes the deeds of cyber criminals operating distributed denial of service (DDOS) scams. Those attacks were the largest denial of service attacks, measured by the volume of bogus Internet traffic used to cripple their targets. Attacks on Krebs on Security topped 600 Gigabits per second (Gbps) and discrete attacks on OVH tipped the scales at more than 700 Gbps.
According to the Flashpoint analysis, cyber criminals abused the default username and password combination for Xiongmai’s Netsurveillance and CMS software. Those credentials – user name root and password xc3511 – allow anyone to gain access to the administrative interface of the device running the software, typically using the Telnet protocol.
Even worse: Flashpoint said that during its investigation it discovered another vulnerability affecting XiongMai’s software: an authentication bypass vulnerability that allows anyone with knowledge of the IP address of a device running the NetSurveillance or CMS software to bypass authentication and connect to the management interface, provided they know the correct URL.
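The two Mirai items above both come down to the same thing: devices whose Telnet service still accepts a factory-default account. From a defender's side, the cheapest signal is the device's own login log. The following is an added example, not code from Flashpoint, ICS-CERT or the article; the log format, the trusted management networks and the list of default usernames beyond `root` are assumptions, and the log lines themselves are constructed for illustration.

```python
"""Flag Telnet logins on IoT devices that look like default-credential abuse.

Added example for this page, not vendor or researcher code. The syslog-like line
format, the trusted networks and the sample lines are all constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Factory-default usernames commonly shipped on DVR/NVR/camera firmware.
# "root" is the account the article names; the others are illustrative assumptions.
DEFAULT_USERS = {"root", "admin", "user", "guest"}

# Networks from which an administrator is expected to log in (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical device log format: "<ts> <host> telnetd: LOGIN|FAILED user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>LOGIN|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)

# Constructed sample: an external guessing burst that ends in a successful root login,
# followed by a routine login from the management LAN.
SAMPLE_LOG = """\
2016-10-03T01:12:01Z cam-07 telnetd: FAILED user=root from=198.51.100.23
2016-10-03T01:12:02Z cam-07 telnetd: FAILED user=admin from=198.51.100.23
2016-10-03T01:12:03Z cam-07 telnetd: FAILED user=root from=198.51.100.23
2016-10-03T01:12:04Z cam-07 telnetd: LOGIN user=root from=198.51.100.23
2016-10-03T08:30:11Z dvr-02 telnetd: LOGIN user=root from=10.0.5.4
"""


def parse(log_text):
    """Parse matching lines into dicts; silently skip lines in any other format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_external(src):
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in TRUSTED_NETS)


def analyze(log_text, fail_threshold=3):
    """Return alerts as (kind, host, source) tuples, in the order they are triggered.

    BRUTE_FORCE fires once per (host, source) when failures reach the threshold;
    EXTERNAL_DEFAULT_LOGIN fires on any successful login to a default account
    from outside the trusted networks.
    """
    alerts = []
    fails = defaultdict(int)
    for e in parse(log_text):
        key = (e["host"], e["src"])
        if e["result"] == "FAILED":
            fails[key] += 1
            if fails[key] == fail_threshold:
                alerts.append(("BRUTE_FORCE", e["host"], e["src"]))
        elif e["user"] in DEFAULT_USERS and is_external(e["src"]):
            alerts.append(("EXTERNAL_DEFAULT_LOGIN", e["host"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that matters for the hardcoded-credential case: when the password cannot be changed, the only remaining controls are keeping the Telnet port off the public Internet and noticing quickly when a login from outside the management network succeeds.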
chicksdaddy writes: The Food and Drug Administration (FDA) is on the front lines in the battle to make medical devices and medical data safe from hackers. But a report from the Government Accountability Office (GAO) warns that the FDA should mind the security of health data on its own network, the Digital Guardian blog reports.
A recently published GAO Report finds that the FDA has a “significant number of security control weaknesses” in critical IT systems that could “jeopardize the confidentiality, integrity and availability of its information and systems.” That’s particularly concerning, as the FDA network contains both sensitive health information and proprietary trade secrets, GAO said.
The FDA has, so far, failed to implement an agency-wide information security program as required by the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. As a result, “the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss.”
FDA has taken a lead role in encouraging medical device makers and healthcare providers to secure sensitive data and devices from hackers. But when it comes to the FDA’s own IT environment, GAO found there was much work to be done. The FDA, it found, had not done comprehensive risk assessments of its IT assets and addressed threats to those systems. The agency lacked complete security plans for all reviewed systems and hadn’t put in place programs to train personnel with “significant security responsibilities.” The agency couldn’t prove that it was testing its security controls effectively each year, as required by FISMA, or that any identified security weaknesses were being addressed in a timely fashion, GAO said.
chicksdaddy writes: Meet the new insecure insulin pump, same as the old insecure insulin pump. That was the experience of Rapid7 security researcher (and diabetic) Jay Radcliffe. Radcliffe rose to prominence in 2011 after he delved into the security of his Medtronic insulin pump. Now Radcliffe is warning the public about a flaw he discovered in another wireless insulin pump he was prescribed: the Animas OneTouch Ping, which is manufactured by Johnson & Johnson.
According to Radcliffe, the OneTouch Ping uses cleartext communications to send commands wirelessly between a management device, known as a “Meter Remote,” and an insulin pump worn by the diabetic patient. As designed, the pump could allow a malicious actor to force the device to administer doses of insulin to a patient without their knowledge.
The remote provides an easy way for patients to program in insulin doses that the pump delivers. Rapid7 researchers were able to intercept the communications, which use a proprietary management protocol, reverse engineer it and then spoof the management device to initiate an injection of insulin, Rapid7 said in a blog post on Tuesday. An attacker would have to be able to first capture the command and play it back. That would require physical proximity to the patient.
Alas: there are no easy fixes for the problem. Radcliffe told The Security Ledger that he was unaware of any patch for the flaw and doubted whether a patch was possible. In the absence of a fix, patients have to rely on workarounds that include disabling the wireless management feature, limiting the maximum dose of insulin that can be delivered and enabling a "vibrate" feature that will alert patients when a dose of insulin has been delivered.
In a letter to affected patients, Animas/Johnson & Johnson said the risk to patients of an attack was "extremely low."
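The flaw described above is a textbook replay problem: a pump that accepts any well-formed cleartext command has no way to tell a captured frame from a fresh one. The toy model below is an added example and is not the Animas protocol or Rapid7's code; the frame layout, the pairing key, the counter scheme and the dose cap are all assumptions made to show how a shared-key MAC over a monotonic counter lets the receiver reject replayed and tampered commands, and how a receiver-side dose limit (the "limit maximum dose" workaround the article mentions) bounds the damage even when the channel is weak.

```python
"""Toy remote-to-pump command channel, cleartext design beside an authenticated one.

Added example for this page, not the real device protocol. Frame layout, key,
counter scheme and dose cap are constructed assumptions.
"""
import hashlib
import hmac
import struct

CMD_BOLUS = 0x01   # hypothetical command id for "deliver units of insulin"
MAX_UNITS = 10     # hypothetical per-command cap, enforced by the receiver
TAG_LEN = 8        # truncated HMAC-SHA256 tag appended to each frame


# --- Cleartext design: any syntactically valid frame is obeyed, so a captured frame
#     is accepted again when replayed. This is the property the article describes.
def cleartext_pump_accepts(frame: bytes) -> bool:
    return len(frame) == 2 and frame[0] == CMD_BOLUS


def cleartext_replay_demo():
    captured = bytes([CMD_BOLUS, 3])          # constructed: "bolus 3 units"
    return cleartext_pump_accepts(captured), cleartext_pump_accepts(captured)


# --- Authenticated design: body = cmd | units | counter, tag = HMAC(key, body)[:8]
class Remote:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0                        # strictly increasing per paired remote

    def bolus(self, units: int) -> bytes:
        self.counter += 1
        body = struct.pack(">BBI", CMD_BOLUS, units, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Pump:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame: bytes) -> str:
        if len(frame) != 6 + TAG_LEN:
            return "reject:malformed"
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # tampering or unknown sender
            return "reject:bad_mac"
        cmd, units, counter = struct.unpack(">BBI", body)
        if cmd != CMD_BOLUS:
            return "reject:unknown_cmd"
        if counter <= self.last_counter:             # replayed capture
            return "reject:replay"
        if units > MAX_UNITS:                        # receiver-side dose limit
            return "reject:over_limit"
        self.last_counter = counter
        self.delivered.append(units)
        return "accepted"


def demo():
    key = b"constructed-demo-pairing-key"   # assumption: shared at pairing time
    remote, pump = Remote(key), Pump(key)
    frame = remote.bolus(3)
    results = [pump.receive(frame), pump.receive(frame)]   # genuine, then replay
    tampered = bytearray(frame)
    tampered[1] = 9                                        # change the dose byte
    results.append(pump.receive(bytes(tampered)))
    results.append(pump.receive(remote.bolus(4)))           # next genuine command
    return results, pump.delivered


if __name__ == "__main__":
    print(cleartext_replay_demo())
    print(demo())
```

The counter is what makes the MAC useful against replay: the tag alone would verify fine on a replayed frame, since the frame is byte-for-byte genuine. The counter also has to survive a reboot of the pump, or a frame captured before the reboot becomes replayable afterwards; persisting `last_counter` is part of the design, not an afterthought.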
chicksdaddy writes: MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network.
The company announced its MITRE Challenge IoT over the summer, saying that it was looking for groundbreaking new approaches to securing diverse Internet of Things networks like those in connected homes.
"Network administrators need to know exactly what is in the environment, or the network—including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network...The MITRE Challenge, Unique Identification of IoT Devices, seeks to discover possible solutions to this potential threat so our sponsors can reap the benefits of this technological evolution, while minimizing the risks." Registration was supposed to wrap up September 30, but the registration site is still online.
MITRE was awarded $29 million from the U.S. Commerce Department in 2014 to establish the nation’s first federally funded National Cybersecurity Center of Excellence (NCCoE). Under that contract, MITRE is responsible for operating the federally funded research and development center (FFRDC) in the areas of research, development, engineering and technical support; operations management; and facilities management.
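The challenge statement quoted above asks a concrete question: is the thermostat on the network today the same one that was there yesterday, judged only from passive observation? One way to approach it is to fingerprint each device from traits of its network stack that an imposter with a cloned MAC address would have to reproduce exactly. The code below is an added example, not MITRE's or any challenge entrant's; the choice of traits (OUI, DHCP option list, initial IP TTL, TCP window size) is a common passive-fingerprinting assumption, and the observations are constructed.

```python
"""Passive IoT device fingerprinting to spot a swapped device between two inventories.

Added example for this page; not MITRE challenge code. The observation records and
the chosen traits are constructed assumptions.
"""
import hashlib


def fingerprint(obs):
    """Hash of traits a device's network stack exposes passively.

    The IP address is deliberately excluded: a DHCP renewal must not look like
    a swap. The full MAC is also excluded, since it is the inventory key and the
    thing an imposter is most likely to clone; only the vendor OUI contributes.
    """
    traits = (
        obs["mac"][:8].lower(),      # OUI: vendor portion of the MAC
        obs["dhcp_opts"],            # DHCP parameter request list, in order
        str(obs["ttl"]),             # initial IP TTL seen on outbound packets
        str(obs["tcp_window"]),      # initial TCP window size
    )
    return hashlib.sha256("|".join(traits).encode()).hexdigest()[:16]


def inventory(observations):
    """Map MAC -> fingerprint for one observation period."""
    return {o["mac"]: fingerprint(o) for o in observations}


def detect_swaps(baseline, current):
    """Compare two inventories; return (changed, new, missing) MAC lists.

    'changed' is the interesting one: same MAC as yesterday, but the stack
    behind it no longer matches, which is what a switched-out device looks like.
    """
    changed = sorted(m for m in baseline if m in current and baseline[m] != current[m])
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return changed, new, missing


# Constructed observations. Day 2: the thermostat's MAC is unchanged but the stack
# behind it differs; the camera merely got a new DHCP lease; a third device appeared.
DAY1 = [
    {"mac": "aa:bb:cc:11:22:33", "ip": "192.168.1.20", "dhcp_opts": "1,3,6,15", "ttl": 255, "tcp_window": 5840},
    {"mac": "dd:ee:ff:44:55:66", "ip": "192.168.1.21", "dhcp_opts": "1,3,6,12,15,28", "ttl": 64, "tcp_window": 29200},
]
DAY2 = [
    {"mac": "aa:bb:cc:11:22:33", "ip": "192.168.1.20", "dhcp_opts": "1,3,6,12,15,28,42", "ttl": 64, "tcp_window": 65535},
    {"mac": "dd:ee:ff:44:55:66", "ip": "192.168.1.37", "dhcp_opts": "1,3,6,12,15,28", "ttl": 64, "tcp_window": 29200},
    {"mac": "11:22:33:aa:bb:cc", "ip": "192.168.1.50", "dhcp_opts": "1,3,6", "ttl": 128, "tcp_window": 8192},
]


if __name__ == "__main__":
    changed, new, missing = detect_swaps(inventory(DAY1), inventory(DAY2))
    print("possibly swapped:", changed)
    print("new:", new)
    print("missing:", missing)
```

The weakness of this approach is the flip side of its strength: a firmware update legitimately changes some of these traits, so a "changed" result is a prompt to check the device, not proof of substitution. Adding traits that are harder to emulate, such as timing characteristics of the device's periodic traffic, raises the bar further; that is the direction the challenge is pointing at.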
chicksdaddy writes: The Colorado branch of the affordable housing charity Habitat for Humanity has acknowledged that a ransomware attack on a critical server has lasted for months and has been so disruptive that it "has severely handicapped" the group's ability to function, notes a post over on Digital Guardian's blog.
In a statement released this week, Habitat for Humanity Colorado (HFHC) said that it has spent months dealing with a “significant and malicious data breach” that “has severely handicapped our ability to efficiently conduct business.”
Habitat for Humanity, of course, is the non-profit charity group started in 1976 that builds affordable housing for low income families in the U.S. and elsewhere. According to a FAQ, the incident in question began with a ransomware malware infection in “late June” that targeted a server in HFHC’s main office in Lakewood, Colorado. That server, HFHC said, was “connected to the Internet” and thus a target of attack by cyber-criminal groups operating from outside the U.S.
The incident continued for months “hijacking” the attention of the group. Because it works directly with would-be homeowners, HFHC stored a wealth of data including customers’ names, Social Security numbers, driver’s license numbers and so on. Information on HFHC employees was also stored on the server. In all, only around 250 individuals were affected – small potatoes, especially with news of the massive breach at Yahoo Inc. that affected some 500 million accounts.
“While there is no evidence that any of your personal information was taken; we only know that hackers may have viewed it,” HFHC said. The group is working with the FBI and has offered credit and identity theft monitoring for affected customers.
chicksdaddy writes: The Department of Homeland Security is readying a set of security guidelines for Internet of Things device makers and for consumers that it will soon release, The Security Ledger is reporting (https://securityledger.com/2016/09/exclusive-dhs-readies-guidance-for-securing-internet-of-things/).
DHS, which houses the U.S. Computer Emergency Readiness Team (CERT), as well as the U.S. Secret Service, is assembling a set of strategic principles that it says will help safeguard and secure the Internet of Things by providing high level guidance to industry about how to design and manufacture secure connected devices. For consumers, DHS will lay out guidelines about how to manage the risks posed by Internet connected devices in their homes, cars and businesses.
Robert Silvers, the DHS Assistant Secretary for Cyber Policy, told Security Ledger that the agency thinks it can play a key role in setting cross industry standards for the Internet of Things.
“What we’ve come to recognize is that the Internet of Things is a full-blown phenomenon,” said Rob Silvers, the DHS Assistant Secretary for Cyber Policy. “We think everyone (government, industries, consumers) needs to get serious about reasonable security being built into IoT devices. And we need to do it now before we’ve deployed an entire ecosystem,” he said.
Silvers will outline the agency's forthcoming guidance in a speech at The Security of Things Forum (https://www.securityofthings.com) in Cambridge, Mass., on Thursday.
chicksdaddy writes: The Federal Trade Commission is warning consumers to beware of new ‘connected car’ features that allow rental car customers to connect their mobile phone or other devices to in-vehicle infotainment systems, The Security Ledger reports. (https://securityledger.com/2016/08/ftc-warns-consumers-of-rental-car-data-theft-risk/)
“If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages,” the FTC said in an advisory released on Tuesday. (https://www.consumer.ftc.gov/blog/what-your-phone-telling-your-rental-car) “Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers.”
The Commission is advising renters to avoid syncing their mobile phones to their rental car, or to power devices via a USB port, where settings on your device may allow automatic syncing of data. Consumers who do connect their device should scrutinize any requests for permissions. Renters are also urged to remove their device from the vehicle’s memory before handing it back over to the rental firm.
chicksdaddy writes: The battle of words over warnings from a Wall Street trader about serious security flaws in implantable medical devices (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/) continued on Tuesday, as researchers from The University of Michigan joined St. Jude itself in raising doubts about research that was used by the investment firm Muddy Waters to bet against (or “short”) the stock of St. Jude Medical, a major medical device maker, The Security Ledger reports (https://securityledger.com/2016/08/short-sheet-researchers-raise-doubts-on-st-jude-research/).
In a statement released on Tuesday, Kevin Fu and Thomas Crawford of the Archimedes Center for Medical Device Research did not directly challenge the findings of the report by Muddy Waters and the firm MedSec, but did suggest that, rather than being evidence of a successful attack, the output observed by the researchers may have been typical for a home-monitored implantable cardiac defibrillator (ICD) device being tested while not properly connected to a patient.
“The U-M team reproduced error messages the report cites as evidence of a successful ‘crash attack’ but the messages are the same set of errors that display if the device isn’t properly plugged in,” the University said in a statement.
“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions,” said Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security. Fu is also co-founder of medical device security startup Virta Labs.
In a separate blog post, Kevin Fu of the University of Michigan said the research that informed the Muddy Waters report may be an example of 'armchair engineering.' (http://blog.secure-medicine.org/2016/08/study-on-st-jude-medical-device_30.html)
The conflict may come down to how different viewers interpret the same events. The behavior witnessed by the MedSec researchers and described in their report may not have been a security issue, but simply evidence of the device acting as designed, Fu and his colleagues say.
A defibrillator’s electrodes are connected to heart tissue via wires that are woven through blood vessels; the wires are used both for sensing operations and to send shocks to the heart, if necessary. Not surprisingly, when the defibrillator is not connected to a human host, the data transmitted by the device is quite different.
“When these wires are disconnected, the device generates a series of error messages: two indicate high impedance, and a third indicates that the pacemaker is interfering with itself,” said Denis Foo Kune, former U-M postdoctoral researcher and co-founder of Virta Labs, in a statement.
That behavior is very similar to what is described in the Muddy Waters report on St. Jude as evidence of a successful attack.
While medical knowledge isn’t necessary to find vulnerabilities in a medical device or even hack them, it is critical to understanding the clinical implications of any software flaws and whether there is the possibility of causing harm to patients, Fu said.
chicksdaddy writes: Call it The Big Short – or maybe just the medical device industry’s “Shot Heard Round The World”: a report from Muddy Waters Research (http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/) recommends that its readers bet against (or “short”) St. Jude Medical after learning of serious security vulnerabilities in a range of the company’s implantable cardiac devices, The Security Ledger reports. (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/)
The Muddy Waters report on St. Jude set off a steep sell-off in St. Jude Medical’s stock, which finished the day down 5%, helping to push down medical stocks overall. (http://finance.yahoo.com/news/us-stocks-wall-st-slips-201909233.html)
The report cites the “strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years” as a result of “product safety” issues stemming from remotely exploitable vulnerabilities in STJ’s pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude’s Merlin@home remote patient management platform, said Muddy Waters.
The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude’s ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed.
In an e-mail statement to Security Ledger, St. Jude’s Chief Technology Officer, Phil Ebeling, called the allegations “absolutely untrue.” “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices,” Ebeling said.
More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg (http://www.bloomberg.com/news/videos/2016-08-25/bone-st-jude-has-history-of-sweeping-things-under-table) that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters.
Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay.
"If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."
chicksdaddy writes: One of every five software vulnerabilities discovered in vehicles in the last three years is rated “critical” and is unlikely to be resolved through after-the-fact security fixes, according to an analysis by the firm IOActive, The Security Ledger reports. (https://securityledger.com/2016/08/one-in-five-vehicle-vulnerabilities-are-hair-on-fire-critical/)
“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report (http://www.infosecurity-magazine.com/download/227664/), which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
The report studied a wide range of flaws, most discovered in IOActive’s work with automakers and suppliers to auto manufacturers, said Corey Thuen, a Senior Security Consultant with IOActive. Thuen and his colleagues considered what kinds of vulnerabilities most commonly affect connected vehicles, what types of attacks are most often used to compromise vehicles and what kinds of vulnerabilities might be mitigated using common security techniques and tactics.
The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”
chicksdaddy writes: The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands, according to a report by The Security Ledger (https://securityledger.com/2016/07/code-blue-thousands-of-bugs-found-on-medical-monitoring-system/).
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on July 14 (https://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01) about the discovery of 460 vulnerabilities in the Philips Xper-IM Connect system, including 360 with a severity rating of “high” or “critical.” But one of the researchers who analyzed the Xper system said in an interview that the true number of vulnerabilities was much higher, numbering in the thousands.
Xper IM Connect is a “physiomonitoring” system that is widely used in the healthcare sector to monitor and manage other medical devices. Research by two companies, Synopsys and Whitescope LLC, working in collaboration with Philips, found that the system is directly afflicted by 460 software vulnerabilities, including 272 in the Xper software itself and 188 in the Windows XP operating system that Xper IM runs on. The vulnerabilities include remote code execution flaws that could allow malicious code to be run on the Xper system as well as vulnerabilities that could expose sensitive information stored on Xper systems.
chicksdaddy writes: The automotive industry’s main group for coordinating policy on information security and “cyber” threats has published a “Best Practices” document (http://www.automotiveisac.com/best-practices/), giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time.
The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers.
The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.
Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process.
chicksdaddy writes: Ransomware infections have been plaguing the healthcare field for much of the last two years. But amidst all the reports of hospitals hamstrung by encrypted clinical systems, there’s been precious little talk about whether such incidents are violations of patients’ privacy under the federal HIPAA legislation. Now we have an answer: yes.
Security Ledger reports (https://securityledger.com/2016/07/regulator-ransomware-infections-likely-reportable-under-hipaa/) that the U.S. Department of Health and Human Services on Monday issued new guidance (http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf) that suggests strongly that ransomware infections that affect electronic patient health information (ePHI) are reportable violations under HIPAA.
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” HHS said in its guidance. (PDF)
The new guidance comes after a period of consideration and debate within policy circles about whether having patient records encrypted by ransomware should count as a “breach” of patient privacy. In theory, the files aren’t being accessed and viewed, simply scrambled and held for ransom. Or so the thinking went.
Writing on the Virta Labs blog (http://go.virtalabs.com/ocr-ransomware), Virta CEO and University of Michigan researcher Kevin Fu, noted that the HHS guidelines get a lot right: ruling out an exemption for systems with Full Disk Encryption running (ransomware, by its very nature, operates when the machine is running and the operating system and file system are accessible).
Fu expected that the guidelines would be “bad news” for the majority of Health Delivery Organizations (HDOs) covered by HIPAA. “The OCR guidance means you just got clarity on whether ransomware results in a breach. Sorry, the answer is yes, unless you have methodical evidence to the contrary.”