chicksdaddy writes: The devaluation of traditionally “soft” skills like empathy, communication and collaboration in the information security space may be hampering the ability of IT security teams to respond to human-focused threats and attacks, according to this article at The Security Ledger. (https://securityledger.com/2016/12/cybers-lack-of-women-a-problem-and-threat/)
Failing to prioritize skills like empathy, communication, and collaboration and the people who have them (regardless of their gender) and focusing on "hard skills" (technical expertise) "limits our conceptions of security solutions and increases risks to our systems and users."
The problem goes beyond phishing attacks and social engineering, too. “Studies have shown that projects that embrace diversity are more successful. It’s a simple truth that people with different life backgrounds and life experiences bring unique perspectives to problem-solving,” says Amie Stepanovich, the U.S. policy manager at Access Now.
In short: "when we keep hiring technologists to solve problems, we keep getting technical solutions." Too often, such technical fixes fail to account for the human environment in which they will be deployed. “It’s prioritizing a ‘tech first’—not a ‘human first’ or ‘empathy first’—perspective,” says Dr. Sara “Scout” Sinclair Brody, the executive director of Simply Secure.
This isn’t the first article to raise a red flag over the technology sector's glaring shortage of empathy. (http://www.newyorker.com/business/currency/silicon-valley-has-an-empathy-vacuum).
And while instilling empathy and compassion in adults who lack it might seem like a tall order, the piece argues that it isn't an unsolvable problem: there are entire fields—like user experience and human-centered design—dedicated to improving the way humans and technology interact. “Shockingly little of that,” says Brody, “has made it into the security domain.”
chicksdaddy writes: An online attack that took an estimated 900,000 Deutsche Telekom broadband routers offline in Germany was the work of the Mirai botnet, a global network of infected cameras, printers, digital video recorders and other Internet of Things devices. But the attacks go well beyond Germany and the true number of vulnerable devices that could be targeted is much larger – numbering in the millions, according to new analysis by the firm Flashpoint. (https://www.flashpoint-intel.com/new-mirai-variant-involved-latest-deutsche-telekom-outage/)
On Monday, Deutsche Telekom acknowledged (https://www.telekom.com/de/medien/details/13-fragen-zu-angriff-auf-router-445088) that broadband routers it operates were knocked offline by a large scale attack that attempted to infect broadband routers with malicious software. Deutsche Telekom said that around 4 percent of its customers were affected by the attack – around 900,000 routers. But DT customers were not the only target. Flashpoint said it has observed infected devices operating from the United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy, as well as Germany.
In contrast to earlier rounds of Mirai infections, which relied on brute force (or “dictionary”) attacks that guessed default administrator usernames and passwords, the latest attacks attempted to exploit a known vulnerability in a remote maintenance interface. Attacks were launched using the TR-064 and TR-069 protocols, which are commonly used for managing so-called “customer premises equipment” (or CPE) in wide area network environments, DT said. Deutsche Telekom said it is working with manufacturers on firmware updates to address the vulnerability and is rolling them out to customers as they become available. The TR protocols are what telecommunications firms and others use to remotely manage broadband routers in homes and businesses, said Zak Wikholm, a security research developer at Flashpoint, The Security Ledger reported. (https://securityledger.com/2016/11/report-millions-and-millions-of-devices-vulnerable-in-latest-mirai-attacks/)
While the exact number of infected devices isn’t known, Flashpoint estimates the global population of infected devices to be “five million” endpoints. The total number of vulnerable devices is much, much larger, though. Some estimates put the total number of devices with port 7547 open at around 41 million, Wikholm told Security Ledger. However, only a fraction of those allow parties other than Internet Service Providers to access those devices. That may be around five million devices globally, he said, though the exact number is unknown.
Even that smaller number could spell disaster. Denial of service attacks in recent months that reached upwards of 700 Gigabits per second of traffic were launched from Mirai botnets with only 100,000 to 200,000 infected hosts. Wikholm said the object of the attacks appears to be to build large botnets that can be used “as a commercial service.”
chicksdaddy writes: Some of the nation’s top experts on cyber security and the Internet of Things urged Congress to take a more forceful approach to securing a burgeoning population of Internet connected devices before security and quality issues undermine consumer confidence. (Video of testimony: https://energycommerce.house.g...)
Members of the House Committee on Energy and Commerce were told in separate testimony that the inability of the global hardware and software market to produce secure products represented a critical market failure and that government intervention was likely to be necessary to create incentives for manufacturers to design secure, connected products, The Security Ledger reported (https://securityledger.com/2016/11/on-capitol-hill-calls-for-a-federal-role-in-securing-world-of-dangerous-things/).
Problems such as the recent denial of service attacks linked to the Mirai botnet will become more common and could threaten the integrity of the Internet and of the nation’s broader economy if left unaddressed.
The Committee heard from Dr. Kevin Fu of the University of Michigan, Bruce Schneier of IBM and a fellow at Harvard’s Kennedy School of Government and Dale Drew, the Chief Security Officer of Level3 Communications. All three, to varying degrees, advised a bigger government role in setting standards for devices connected to the Internet. And all three warned that a failure to deal with an epidemic of insecure devices could result in the public rejecting new technology for fear of the implications to their security and personal privacy.
Security problems in software are nothing new, Dr. Fu told the Committee, but the expansion of software-based devices into the physical world has drastically raised the stakes of software insecurity. “One of the core problems with the increasing number of IoT devices is the increased complexity that is required to operate them safely and securely. This increased complexity creates new safety, security, privacy, and usability challenges far beyond the difficult challenges individuals face just securing a single device,” Fu told the Committee.
Schneier, the CTO of Resilient Systems (now IBM) and a Fellow at the Harvard Kennedy School, said that the security problems were evidence of a clear market failure. “Basically, the market has prioritized features and cost over security,” Schneier told the Committee. “The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smart phone manufacturers, simply because the market won’t stand for the additional costs that would require,” Schneier noted.
Schneier said that a new agency to regulate IoT device security may be needed, just as new agencies were created to address safety and security issues engendered by automobiles and airplanes.
Fu called for more money to cultivate and train cyber security experts and for an embedded device testbed akin to the crash and safety test beds operated for vehicles by the National Highway Traffic Safety Commission.
chicksdaddy writes: A Distributed Denial of Service (DDoS) attack resulted in the loss of heating to two buildings in the city of Lappeenranta in eastern Finland according to a report by YLE (in Finnish here: http://yle.fi/uutiset/3-927849...), just the latest example of downstream effects of cyber attacks on connected infrastructure.
According to a published statement from a local IT management firm Valtia (http://www.valtia.fi/tiedote-tietoturvahyokkayksesta) the attack was noticed after a building automation system used in two properties began issuing strange alarms and could not be remotely accessed. The cause was a sustained denial of service attack that was flooding the building management system with bogus Internet traffic, causing it to restart every few minutes, and denying remote administrators at Valtia access to the device. The attack spanned November 3rd and 4th, according to Simo Rounela, the CEO of Valtia, who spoke with The Security Ledger. (https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/)
The result? “The majority of the controlled systems, such as heat distribution, ventilation and hot water went temporarily ‘broken’,” the company said in a statement. To fix it, a technician visited the buildings and removed the affected hardware from the Internet until the malicious traffic could be filtered out. Once disconnected from the Internet, the building automation system returned to normal operation.
Around 50 people were affected, though Rounela said he doubts any noticed any change in the temperature as a result of the attacks because the building would maintain its current temperature when the system was down. Temperatures in Lappeenranta were expected to be in the mid 20s (F) this week, -6 (C).
In a conversation with The Security Ledger, Rounela said that there is strong evidence that vulnerable and Internet exposed devices manufactured by Fidelix (https://www.fidelix.fi/), a Finnish building automation firm.
“There are about 1000 similar automation devices (on the) public Internet in Finland,” Rounela said in an email, citing a search using Shodan, the hardware search engine. “Some of the affected systems were not using Dynamic DNS services, so I can’t really say how the targets were chosen.”
A report by the Finnish Communications Regulatory Authority said that the attacks appear to be part of a larger cyber criminal denial of service operation, not targeted at the building in question, YLE reported (http://yle.fi/uutiset/3-9278497).
chicksdaddy writes: When it comes to securing its products from software based attacks, the medical device giant GE Healthcare is paying close attention to a model developed by Microsoft almost two decades ago.
With an eye to securing its ever-more connected medical devices from cyber attack, GE Healthcare has embraced an approach used by Microsoft as it struggled to overhaul the security of its Windows operating system, Internet Explorer web browser and Office productivity software in the late 1990s and early years of this century, amid mounting malware attacks and other security holes, The Security Ledger reports.
Among other things, GE Healthcare has been filling out its product security team with Microsoft veterans and adopting Microsoft’s secure development lifecycle (SDL) approach to managing product security, according to Chris Larkin, the Chief Technology Officer at GE Healthcare. He described the company’s approach to securing its products during an address at the Internet of Things World event in Boston on Tuesday.
GE Healthcare, he said, was looking for ways to balance the benefits and efficiencies of new “smart” medical devices and instruments with the risks that go along with connecting such equipment to clinical networks and, more generally, the Internet. To do that, the company was looking to Microsoft’s Trustworthy Computing model and Secure Development Lifecycle as a model.
That approach emphasizes security throughout a product’s life: from design and development through to deployment. Specifically, Larkin mentioned GE Healthcare’s focus on what Microsoft refers to as “SD3,” or “Secure by Design, Secure by Default and Secure in Deployment.”
As Microsoft did, GE is emphasizing threat modeling for its products, anticipating malicious attacks and actors with an interest in medical devices and healthcare environments – an element that is often missing from product design in the medical device field. The company has also attracted a number of Microsoft security pros to its ranks. Among them: Bob Fruth, who spent six years as the Security Program Manager for Trustworthy Computing and is now a Principal Cybersecurity Consultant at GE Healthcare. There is also Matt Clapham, a former Microsoft Security Engineer and Security Program manager who now also works on GE Healthcare’s Product Development Security team.
chicksdaddy writes: The Mirai malware that is behind massive denial of service attacks involving hundreds of thousands of “Internet of Things” devices may also affect cellular modems that connect those devices to the Internet, the Department of Homeland Security (DHS) is warning.
An alert issued by DHS’s Industrial Control System CERT on Wednesday warns that cellular gateways manufactured by Sierra Wireless are vulnerable to compromise by the Mirai malware. While the routers are not actively being targeted by the malware, “unchanged default factory credentials, which are publicly available, could allow the devices to be compromised,” ICS-CERT warned.
The alert comes after a number of reports identified devices infected with the Mirai malware as the source of massive denial of service attacks against media websites like Krebs on Security and the French hosting company OVH. The attacks emanated from a global network of hundreds of thousands of infected IP-enabled closed circuit video cameras, digital video recorders (DVRs), network video recorders (NVRs) and other devices.
Analysis by the firm Imperva found that Mirai is purpose-built to infect Internet of Things devices and enlist them in distributed denial of service (DDoS) attacks. The malware searches broadly for insecure or weakly secured IoT devices that can be remotely accessed and broken into with easily guessed (factory default) usernames and passwords.
chicksdaddy writes: A common, China-based supplier of circuit boards and software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
Weak, default credentials associated with software made by XiongMai Technologies were abused by cyber criminals to compromise hundreds of thousands of DVR, NVR (network video recorder) and IP cameras globally. The credentials are written (or "hardcoded") into the software used by over five hundred thousand devices on public IPs around the world, meaning they cannot be changed and make the devices susceptible to trivial compromise, Security Ledger reported on Monday.
The Mirai botnet is one of a number of networks of compromised devices that launched crippling denial of service attacks against a number of organizations in Europe and North America. Among the more prominent targets were the French hosting firm OVH and Krebs On Security, an independent cyber security blog that often exposes the deeds of cyber criminals operating distributed denial of service (DDOS) scams. Those attacks were the largest denial of service attacks, measured by the volume of bogus Internet traffic used to cripple their targets. Attacks on Krebs on Security topped 600 Gigabits per second (Gbps) and discrete attacks on OVH tipped the scales at more than 700 Gbps.
According to the Flashpoint analysis, cyber criminals abused the default username and password combination for Xiongmai’s Netsurveillance and CMS software. Those credentials – username root and password xc3511 – allow anyone to gain access to the administrative interface of the device running the software, typically using the Telnet protocol.
Even worse: Flashpoint said that during its investigation it discovered another vulnerability affecting XiongMai’s software: an authentication bypass vulnerability that allows anyone with knowledge of the IP address of a device running the NetSurveillance or CMS software to bypass authentication and connect to the management interface, provided they know the correct URL.
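The two Mirai items above turn on the same defender-side fact: a device that accepts a publicly known default credential pair over Telnet is compromised the moment a worm reaches it, and a worm announces itself by trying that same pair against many hosts. The following Python is an added example (mine, not Flashpoint's, Imperva's or any vendor's tooling) that runs that logic over a few constructed auth-log lines. The only real credential pair in the watch list is the root / xc3511 pair named above; the log format, the second watch-list entry, and every address are assumed or constructed for the demo.

```python
import re
from collections import defaultdict

# Default credential pair named in the Flashpoint analysis above (Xiongmai
# NetSurveillance/CMS, root / xc3511). The second pair is a constructed
# placeholder showing that the watch list is meant to be extended.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"),
    ("PLACEHOLDER_USER", "PLACEHOLDER_PASS"),
}

# Constructed sample lines in an assumed key=value auth-log format; no real
# vendor or honeypot emits exactly this format.
SAMPLE_LOG = """\
2016-10-03T12:00:01Z proto=telnet src=203.0.113.5 dst=198.51.100.20 user=root pass=xc3511 result=success
2016-10-03T12:00:02Z proto=telnet src=203.0.113.9 dst=198.51.100.21 user=root pass=xc3511 result=fail
2016-10-03T12:00:03Z proto=telnet src=203.0.113.9 dst=198.51.100.22 user=root pass=xc3511 result=fail
2016-10-03T12:00:04Z proto=telnet src=198.51.100.7 dst=198.51.100.20 user=admin pass=correct-horse result=success
2016-10-03T12:00:05Z proto=telnet src=203.0.113.9 dst=198.51.100.23 user=root pass=xc3511 result=success
2016-10-03T12:00:06Z proto=ssh src=198.51.100.7 dst=198.51.100.20 user=ops pass=***** result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, sweep_threshold=3):
    """Raise two kinds of alert from the log:
    - default_credential_login: a session that authenticated with a watch-listed pair
      (the device is assumed compromised, whoever the source was);
    - default_credential_sweep: one source trying a watch-listed pair against at least
      sweep_threshold distinct hosts, the scanning pattern of a Mirai-style worm.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    hosts_tried_by_src = defaultdict(set)
    for e in events:
        if (e["user"], e["pw"]) not in DEFAULT_CREDENTIALS:
            continue
        hosts_tried_by_src[e["src"]].add(e["dst"])
        if e["result"] == "success":
            alerts.append({"type": "default_credential_login",
                           "ts": e["ts"], "src": e["src"], "dst": e["dst"]})
    for src, dsts in sorted(hosts_tried_by_src.items()):
        if len(dsts) >= sweep_threshold:
            alerts.append({"type": "default_credential_sweep",
                           "src": src, "targets": sorted(dsts)})
    return alerts


def hosts_to_isolate(alerts):
    """Devices that accepted a default credential: candidates for quarantine and re-imaging."""
    return sorted({a["dst"] for a in alerts if a["type"] == "default_credential_login"})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print("isolate:", hosts_to_isolate(found))
```

On the sample, the two successful root / xc3511 logins become isolation candidates regardless of who logged in (an administrator using the factory password is as much a finding as a worm), and 203.0.113.9 is flagged as a sweep because it tried the pair against three hosts; the admin and ssh sessions are ignored because their credentials are not on the watch list.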
chicksdaddy writes: The Food and Drug Administration (FDA) is on the front lines in the battle to make medical devices and medical data safe from hackers. But a report from the Government Accountability Office (GAO) warns that the FDA should mind the security of health data on its own network, the Digital Guardian blog reports.
A recently published GAO report finds that the FDA has a “significant number of security control weaknesses” in critical IT systems that could “jeopardize the confidentiality, integrity and availability of its information and systems.” That’s particularly concerning, as the FDA network contains both sensitive health information and proprietary trade secrets, GAO said.
The FDA has, so far, failed to implement an agency-wide information security program as required by the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. As a result, “the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss.”
FDA has taken a lead role in encouraging medical device makers and healthcare providers to secure sensitive data and devices from hackers. But when it comes to the FDA’s own IT environment, GAO found there was much work to be done. The FDA, it found, had not done comprehensive risk assessments of its IT assets and addressed threats to those systems. The agency lacked complete security plans for all reviewed systems and hadn’t put in place programs to train personnel with “significant security responsibilities.” The agency couldn’t prove that it was testing its security controls effectively each year, as required by FISMA, or that any identified security weaknesses were being addressed in a timely fashion, GAO said.
chicksdaddy writes: Meet the new insecure insulin pump, same as the old insecure insulin pump. That was the experience of Rapid7 security researcher (and diabetic) Jay Radcliffe. Radcliffe rose to prominence in 2011 after he delved into the security of his Medtronic insulin pump. Now Radcliffe is warning the public about a flaw he discovered in another wireless insulin pump he was prescribed: the Animas OneTouch Ping, which is manufactured by Johnson & Johnson.
According to Radcliffe, the OneTouch Ping uses cleartext communications to send commands wirelessly between a management device, known as a “Meter Remote” and an insulin pump worn by the diabetic patient. As designed, the pump could allow a malicious actor to force the device to administer doses of insulin to a patient without their knowledge.
The remote provides an easy way for patients to program in insulin doses that the pump delivers. Rapid7 researchers were able to intercept the communications, which use a proprietary management protocol, reverse engineer it and then spoof the management device to initiate an injection of insulin, Rapid7 said in a blog post on Tuesday. An attacker would have to be able to first capture the command and play it back. That would require physical proximity to the patient.
Alas: there are no easy fixes for the problem. Radcliffe told The Security Ledger that he was unaware of any patch for the flaw and doubted whether a patch was possible. In the absence of a fix, patients have to rely on workarounds that include disabling the wireless management feature, limiting the maximum dose of insulin that can be delivered and enabling a "vibrate" feature that will alert patients when a dose of insulin has been delivered.
In a letter to affected patients, Animas/Johnson & Johnson said the risk to patients of an attack was "extremely low."
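The flaw as described above is the textbook replay weakness: commands travel in cleartext with nothing tying them to a particular sender or moment, so a captured command is as valid the second time as the first. The Python below is an added example (mine, not Rapid7's research code and not the Animas protocol, which is proprietary and not reproduced here) that puts a toy receiver with that weakness beside one built the way a remote-command channel should be: a keyed HMAC over the message, a monotonic counter so each command is accepted once, and the per-dose cap the article lists as a workaround. The "DOSE <units>" command format, the shared key and every value are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Toy command format for illustration only: "DOSE <units>". This is not the
# Animas OneTouch Ping protocol, which is proprietary and not described here.


class CleartextPump:
    """Receiver with the weakness described on the page: any well-formed plaintext
    command is obeyed, so a recorded command is just as valid the second time."""

    def __init__(self):
        self.delivered = []

    def accept(self, msg: bytes) -> bool:
        try:
            cmd, amount = msg.decode().split()
            units = float(amount)
        except ValueError:
            return False
        if cmd != "DOSE" or units <= 0:
            return False
        self.delivered.append(units)
        return True


TAG_LEN = 32  # HMAC-SHA256 output length


def make_authenticated_command(key: bytes, counter: int, units: float) -> bytes:
    """Remote side: body = 4-byte big-endian counter || ASCII command, then HMAC tag."""
    body = struct.pack(">I", counter) + f"DOSE {units}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedPump:
    """Receiver that (1) checks the tag with a key shared only with the paired remote,
    (2) accepts each counter value once, in increasing order, so a replayed or
    reordered message is dropped, and (3) caps a single dose (the page's workaround)."""

    def __init__(self, key: bytes, max_units: float):
        self.key = key
        self.max_units = max_units
        self.last_counter = 0
        self.delivered = []

    def accept(self, msg: bytes) -> bool:
        if len(msg) < 4 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged, tampered, or from an unpaired remote
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # replay of an already-used counter
        try:
            cmd, amount = body[4:].decode().split()
            units = float(amount)
        except ValueError:
            return False
        if cmd != "DOSE" or not 0 < units <= self.max_units:
            return False
        self.last_counter = counter
        self.delivered.append(units)
        return True


def demo():
    """Exercise both receivers with the same captured-and-resent message."""
    weak = CleartextPump()
    captured = b"DOSE 2.0"
    weak_results = [weak.accept(captured), weak.accept(captured)]

    key = b"constructed-demo-key-shared-at-pairing"  # placeholder, not a real key
    strong = AuthenticatedPump(key, max_units=10.0)
    first = make_authenticated_command(key, 1, 2.0)
    strong_results = [
        strong.accept(first),                                              # fresh: accepted
        strong.accept(first),                                              # replay: rejected
        strong.accept(make_authenticated_command(key, 2, 50.0)),           # over cap: rejected
        strong.accept(make_authenticated_command(b"other-key", 3, 1.0)),   # unpaired key: rejected
        strong.accept(make_authenticated_command(key, 3, 1.0)),            # fresh: accepted
    ]
    return weak_results, weak.delivered, strong_results, strong.delivered


if __name__ == "__main__":
    print(demo())
```

The cleartext receiver delivers the 2.0-unit dose twice from one recording; the authenticated receiver delivers it once and drops the replay, the over-cap request and the message signed with a different key. Note the design choice that the rejected over-cap command does not advance the counter, so a legitimate later command with counter 3 still goes through. This is why the article's pessimism about a patch is plausible: the shared key and the counter state have to live in the pump and the remote, which is a firmware and pairing change, not a configuration setting.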
chicksdaddy writes: MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network.
The company announced its MITRE Challenge IoT over the summer, saying that it was looking for ground breaking new approaches to securing diverse Internet of Things networks like those in connected homes.
"Network administrators need to know exactly what is in the environment, or the network—including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network...The MITRE Challenge, Unique Identification of IoT Devices, seeks to discover possible solutions to this potential threat so our sponsors can reap the benefits of this technological evolution, while minimizing the risks." Registration was supposed to wrap up September 30, but the registration site is still online.
MITRE was awarded $29 million from the U.S. Commerce Department in 2014 to establish the nation’s first federally funded National Cybersecurity Center of Excellence (NCCoE). Under that contract, MITRE is responsible for operating the federally funded research and development center (FFRDC) in the areas of research, development, engineering and technical support; operations management; and facilities management.
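The challenge statement quoted above asks a concrete question: is the thermostat seen today the same device that was there yesterday, judged only from passive observation? The Python below is an added example (mine, not MITRE's and not any challenge entry) of the minimal shape such a solution takes: hash a handful of stack traits a passive observer can collect into a fingerprint, keep yesterday's snapshot as a baseline, and report hosts that are new, missing, or present at the same address with a different fingerprint. The feature set, the device names and every address and value are constructed for the demo; the MAC is recorded but deliberately left out of the fingerprint because it is trivially cloned, while the OUI is kept as one weak corroborating feature among several.

```python
import hashlib
import json

# Features a passive observer can collect without touching the device: the MAC's
# vendor prefix (OUI), the DHCP vendor class, and TCP/IP stack traits taken from
# the device's own SYN packets. None is secret; the point is that a *different*
# product standing in for the original rarely matches on all of them at once.
FINGERPRINT_FEATURES = ("oui", "dhcp_vendor_class", "ip_ttl", "tcp_window", "tcp_options")


def fingerprint(observation):
    """Hash the canonical JSON of the stable features into one identifier."""
    stable = {k: observation[k] for k in FINGERPRINT_FEATURES}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_inventory(baseline, current):
    """Compare two snapshots keyed by IP address. A host whose fingerprint changed is
    reported with the features that differ, so the analyst sees why it tripped."""
    report = {"new": [], "missing": [], "changed": {}}
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            report["new"].append(ip)
        elif ip not in current:
            report["missing"].append(ip)
        elif fingerprint(baseline[ip]) != fingerprint(current[ip]):
            report["changed"][ip] = [
                f for f in FINGERPRINT_FEATURES if baseline[ip][f] != current[ip][f]
            ]
    return report


# Constructed snapshots: yesterday's baseline and today's observations. The
# "thermostat" at .20 keeps its IP and even its MAC address, but its stack
# traits now look like a different operating system: the swapped-device case.
YESTERDAY = {
    "192.168.1.20": {"mac": "00:11:22:33:44:55", "oui": "00:11:22", "dhcp_vendor_class": "ThermoCo-T100",
                     "ip_ttl": 64, "tcp_window": 5840, "tcp_options": "MSS,SACK,TS,NOP,WS"},
    "192.168.1.21": {"mac": "66:77:88:99:aa:bb", "oui": "66:77:88", "dhcp_vendor_class": "CamCo-IPC",
                     "ip_ttl": 64, "tcp_window": 14600, "tcp_options": "MSS,SACK,TS,NOP,WS"},
    "192.168.1.22": {"mac": "cc:dd:ee:00:11:22", "oui": "cc:dd:ee", "dhcp_vendor_class": "BulbCo-L1",
                     "ip_ttl": 255, "tcp_window": 2048, "tcp_options": "MSS"},
}
TODAY = {
    "192.168.1.20": {"mac": "00:11:22:33:44:55", "oui": "00:11:22", "dhcp_vendor_class": "ThermoCo-T100",
                     "ip_ttl": 128, "tcp_window": 8192, "tcp_options": "MSS,NOP,WS,NOP,NOP,SACK"},
    "192.168.1.21": {"mac": "66:77:88:99:aa:bb", "oui": "66:77:88", "dhcp_vendor_class": "CamCo-IPC",
                     "ip_ttl": 64, "tcp_window": 14600, "tcp_options": "MSS,SACK,TS,NOP,WS"},
    "192.168.1.23": {"mac": "12:34:56:78:9a:bc", "oui": "12:34:56", "dhcp_vendor_class": "PlugCo-S2",
                     "ip_ttl": 64, "tcp_window": 29200, "tcp_options": "MSS,SACK,TS,NOP,WS"},
}


if __name__ == "__main__":
    print(json.dumps(diff_inventory(YESTERDAY, TODAY), indent=2))
```

On the constructed snapshots the camera at .21 is unchanged, .22 has disappeared, .23 is new, and .20 is reported as changed on ip_ttl, tcp_window and tcp_options even though its MAC and DHCP vendor class still match: exactly the "same thermostat as yesterday?" question the challenge poses. A production version would add more features (TLS handshake parameters, DNS query sets, traffic timing) and tolerate benign changes such as a firmware update, which is where the challenge's difficulty actually lies.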
chicksdaddy writes: The Colorado branch of the affordable housing charity Habitat for Humanity has acknowledged that a ransomware attack on a critical server has lasted for months and has been so disruptive that it "has severely handicapped" the group's ability to function, notes a post over on Digital Guardian's blog.
In a statement released this week, Habitat for Humanity Colorado (HFHC) said that it has spent months dealing with a “significant and malicious data breach” that “has severely handicapped our ability to efficiently conduct business.”
Habitat for Humanity, of course, is the non-profit charity group started in 1976 that builds affordable housing for low income families in the U.S. and elsewhere. According to a FAQ, the incident in question began with a ransomware malware infection in “late June” that targeted a server in HFHC’s main office in Lakewood, Colorado. That server, HFHC said, was “connected to the Internet” and thus a target of attack by cyber-criminal groups operating from outside the U.S.
The incident continued for months “hijacking” the attention of the group. Because it works directly with would-be homeowners, HFHC stored a wealth of data including a customer’s names, Social Security Numbers, driver’s license numbers and so on. Information on HFHC employees was also stored on the server. In all, only around 250 individuals were affected – small potatoes, especially with news of the massive breach at Yahoo Inc. that affected some 500 million accounts.
“While there is no evidence that any of your personal information was taken; we only know that hackers may have viewed it,” HFHC said. The group is working with the FBI and has offered credit and identity theft monitoring for affected customers.
chicksdaddy writes: The Department of Homeland Security is readying a set of security guidelines for Internet of Things device makers and for consumers that it will soon release, The Security Ledger is reporting (https://securityledger.com/2016/09/exclusive-dhs-readies-guidance-for-securing-internet-of-things/).
DHS, which houses the U.S. Computer Emergency Readiness Team (CERT), as well as the U.S. Secret Service, is assembling a set of strategic principles that it says will help safeguard and secure the Internet of Things by providing high level guidance to industry about how to design and manufacture secure connected devices. For consumers, DHS will lay out guidelines about how to manage the risks posed by Internet connected devices in their homes, cars and businesses.
Robert Silvers, the DHS Assistant Secretary for Cyber Policy, told Security Ledger that the agency thinks it can play a key role in setting cross industry standards for the Internet of Things.
“What we’ve come to recognize is that the Internet of Things is a full-blown phenomenon,” said Rob Silvers, the DHS Assistant Secretary for Cyber Policy. “We think everyone – government, industries, consumers – needs to get serious about reasonable security being built into IoT devices. And we need to do it now before we’ve deployed an entire ecosystem,” he said.
Silvers will outline the agency's forthcoming guidance in a speech at The Security of Things Forum (https://www.securityofthings.com) in Cambridge, Mass on Thursday.
chicksdaddy writes: The Federal Trade Commission is warning consumers to beware of new ‘connected car’ features that allow rental car customers to connect their mobile phone or other devices to in-vehicle infotainment systems, The Security Ledger reports. (https://securityledger.com/2016/08/ftc-warns-consumers-of-rental-car-data-theft-risk/)
“If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages,” the FTC said in an advisory released on Tuesday. (https://www.consumer.ftc.gov/blog/what-your-phone-telling-your-rental-car) “Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers.”
The Commission is advising renters to avoid syncing their mobile phones to their rental car, or to power devices via a USB port, where settings on your device may allow automatic syncing of data. Consumers who do connect their device should scrutinize any requests for permissions. Renters are also urged to remove their device from the vehicle’s memory before handing it back over to the rental firm.
chicksdaddy writes: The battle of words over warnings from a Wall Street trader about serious security flaws in implantable medical devices (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/) continued on Tuesday, as researchers from The University of Michigan joined St. Jude itself in raising doubts about research that was used by the investment firm Muddy Waters to bet against (or “short”) the stock of St. Jude Medical, a major medical device maker, The Security Ledger reports (https://securityledger.com/2016/08/short-sheet-researchers-raise-doubts-on-st-jude-research/).
In a statement released on Tuesday, Kevin Fu and Thomas Crawford of the Archimedes Center for Medical Device Research did not directly challenge the findings of the report by Muddy Waters and the firm MedSec, but did suggest that, rather than being evidence of a successful attack, the output observed by the researchers may have been typical for a home-monitored implantable cardiac defibrillator (ICD) device being tested while not properly connected to a patient.
“The U-M team reproduced error messages the report cites as evidence of a successful ‘crash attack’ but the messages are the same set of errors that display if the device isn’t properly plugged in,” the University said in a statement.
“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions,” said Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security. Fu is also co-founder of medical device security startup Virta Labs.
In a separate blog post, Kevin Fu of the University of Michigan said the research that informed the Muddy Waters report may be an example of 'armchair engineering.' (http://blog.secure-medicine.org/2016/08/study-on-st-jude-medical-device_30.html)
The conflict may come down to how different viewers interpret the same events. The behavior witnessed by the MedSec researchers and described in their report may not have been a security issue, but simply evidence of the device acting as designed, Fu and his colleagues say.
A defibrillator’s electrodes are connected to heart tissue via wires that are woven through blood vessels; the wires are used both for sensing operations and to send shocks to the heart, if necessary. No surprise, then, that when the defibrillator is not connected to a human host, the data transmitted by the device is quite different.
“When these wires are disconnected, the device generates a series of error messages: two indicate high impedance, and a third indicates that the pacemaker is interfering with itself,” said Denis Foo Kune, former U-M postdoctoral researcher and co-founder of Virta Labs, in a statement.
That behavior is very similar to what is described in the Muddy Waters report on St. Jude as evidence of a successful attack.
While medical knowledge isn’t necessary to find vulnerabilities in a medical device or even hack them, it is critical to understanding the clinical implications of any software flaws and whether there is the possibility of causing harm to patients, Fu said.
chicksdaddy writes: Call it The Big Short – or maybe just the medical device industry’s “Shot Heard Round The World”: a report from Muddy Waters Research (http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/) recommends that its readers bet against (or “short”) St. Jude Medical after learning of serious security vulnerabilities in a range of the company’s implantable cardiac devices, The Security Ledger reports. (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/)
The Muddy Waters report on St. Jude set off a steep sell off in St. Jude Medical’s stock, which finished the day down 5%, helping to push down medical stocks overall. (http://finance.yahoo.com/news/us-stocks-wall-st-slips-201909233.html)
The report cites the “strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years” as a result of “product safety” issues stemming from remotely exploitable vulnerabilities in STJ’s pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude’s Merlin@home remote patient management platform, said Muddy Waters.
The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude’s ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed.
In an e-mail statement to Security Ledger, St. Jude’s Chief Technology Officer, Phil Ebeling, called the allegations “absolutely untrue.” “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices,” Ebeling said.
More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg (http://www.bloomberg.com/news/videos/2016-08-25/bone-st-jude-has-history-of-sweeping-things-under-table) that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters.
Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay.
"If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."