Tag: hack

Medical gear hacked

The US Department of Homeland Security is investigating two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment.

Under investigation are an infusion pump from Hospira and implantable heart devices from Medtronic and St Jude Medical.

There is no indication that hackers have been attacking patients through these devices, but the agency is concerned that malicious people may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.

A senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers could potentially use to expose confidential data or attack hospital equipment.

Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cybersecurity seriously and have made changes to improve product safety, but declined to give details.

The agency started examining healthcare equipment about two years ago, when cybersecurity researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.

The US Food and Drug Administration, which regulates the sale of medical devices, recently issued guidelines for manufacturers and healthcare providers telling them to better secure medical gear.

The DHS review does not imply the government thinks a company has done anything wrong – it means the agency is looking into a suspected vulnerability to fix it.

This is not the first time that medical gear has fallen under the security microscope. In 2007, then US Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. Unfortunately, this was done and Cheney was not bumped off by hackers sabotaging his defibrillator.

Adobe spies on Epub users

Adobe has been spying on users of Digital Editions 4, the newest version of its Epub app.

For some reason Adobe’s Epub app seemed to be sending a lot of data to Adobe’s servers, and hacker mates of The Digital Reader have confirmed that Adobe is tracking users in the app and uploading the data to its servers.

Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also confirmed it to be true.

Adobe is gathering data on the ebooks that have been opened, which pages users read, and in what order. However, it gets worse. All of the data, including the title, publisher, and other metadata for the book, is being sent to Adobe’s server in clear text, allowing any spook, Chinese hacker or private eye to tap into the stream and read it.

Just when you think Adobe could not be dumber, the outfit is not just tracking what users are doing in its own app; it is also scanning your computer and gathering the metadata from all of the ebooks sitting on your hard drive too. Once it has read every ebook it uploads that data to Adobe’s servers too.

Nate Hoffelder, the hack who found the breach, described it as a “privacy and security breach so big that [he is] still trying to wrap my head around the technical aspects, much less the legal aspects.”

To be fair, this kind of mistake is common: plenty of outfits have been caught sending data in clear text, and others have been caught scraping data without permission. LG was caught in a very similar privacy violation last November when one of its Smart TVs was shown to be uploading metadata from a user’s private files to LG’s servers in clear text.

It is probably not deliberate, just what security experts technically call “bloody stupid”.

The software has violated so many privacy laws in the US that goodness knows how many it will have broken in a civilised country like Germany, where privacy is taken more seriously. The Frankfurt Book Fair is coming up later this week. Adobe will be exhibiting at the trade show, so we guess that the Germans will be interrogating a few executives – they have ways to make you talk, apparently.

US more likely to hack you than the Chinese

Two security experts, Jordan Robertson and Greg Martin, set up an online honeypot to see which country was more likely to attack it, and were surprised to discover that the US was more likely to be an aggressor than the Chinese.

Writing for Bloomberg, the pair wanted to find a way to show the global nature of attacks against industrial-control systems used in electrical grids, water systems and manufacturing plants. For obvious reasons, attacks against critical infrastructure are among the biggest concerns in cyber-security.

Martin and Robertson configured the honeypot to look like an enticing industrial-control computer to hackers and traced who attacked it.

The fake control systems were made to look like they were located in the U.S., the U.K., Amsterdam, Brazil, Tokyo and Singapore. The pair wanted a variety of locations to show that systems everywhere are under attack.

Over a three-month period, the US was by far the biggest source of attack traffic, hitting the honeypot more than 6,000 times, nearly double China’s 3,500; Russia came next with more than 2,500.

The Netherlands and France were also the source of statistically significant numbers of attacks on the honeypot.

The attacks were mostly reconnaissance missions, in which hackers often use less obfuscation, Martin said. However, it does mean that the idea of China being the leading hacking country is a myth and that crown belongs to the United States, which appears to have a policy of hacking everyone.

Attackers quick to Bash Linux

Attackers have been quick to exploit the Shellshock Bash command interpreter bug, and a botnet is already using it to try to infect other servers.

Italian security consultancy Tiger Security’s Emanuele Gentili said the “wopbot” botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence.

The botnet, named “wopbot”, runs on Linux servers and uses the Bash Shellshock bug to infect other machines automatically, he said.

It has so far been used to launch a distributed denial of service attack against servers hosted by content delivery network Akamai, and is aiming for other targets, Gentili said.

The malware has conducted a massive scan of the United States Department of Defence internet protocol address range on TCP port 23 (Telnet) “for brute force attack purposes,” he said.

Gentili said Tiger Security had contacted UK provider M247 and managed to get the wopbot botnet command and control system taken down from that network.

The botmaster server for wopbot, which is hosted by US network Datawagon, is still distributing malware.

He thinks that the wopbot botnet will grow like topsy as it can infect more than 200,000 zombies in an hour or so.

The ‘Shellshock’ remotely exploitable vulnerability in the Bash Linux command-line shell was discovered yesterday, with researchers warning of its potential to become larger than the severe Heartbleed OpenSSL flaw uncovered earlier this year.

Millions of Apache webservers around the world could be at risk if their common gateway interface (CGI) scripts invoke Bash. The malware can also recruit Apple gear into the botnet without too many problems.
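
The CGI exposure described above is visible in ordinary web-server logs: a CGI request becomes an attempt when a header the server copies into the environment (Referer and User-Agent are the two an Apache “combined” log records) carries a value beginning with the Bash function-definition prefix `() {`. The following is an added detection example, not code from the article, Tiger Security or any vendor; the log lines are constructed for the demo with RFC 5737 documentation addresses and inert payloads.

```python
"""Scan Apache 'combined' access-log lines for the Shellshock trigger: a
request whose Referer or User-Agent value begins with the Bash
function-definition prefix "() {".  Added detection example; the sample
log below is constructed, not captured."""
import re
from typing import List, Tuple

# Apache combined log format:
#   ip ident user [ts] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable bash only imported a function when the environment variable's
# value *started* with "() {", so the anchor is deliberate: a shell snippet
# buried in the middle of a UA string is noise, not the bug trigger.
SHELLSHOCK_PREFIX = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines: two attempts (one via User-Agent, one via
# Referer), one benign request, and one interior "() {" that must NOT match.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; /bin/true" "curl/7.37.0"
203.0.113.6 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status.sh?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) f() { return 1; }"
"""


def find_shellshock_attempts(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, path, header_name, header_value) for every parseable line
    whose Referer or User-Agent begins with the function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        for header in ("referer", "agent"):
            value = m.group(header)
            if SHELLSHOCK_PREFIX.match(value):
                hits.append((m.group("ip"), m.group("path"), header, value))
    return hits


if __name__ == "__main__":
    for ip, path, header, value in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip} -> {path} via {header}: {value!r}")
```

The combined log only records two of the headers a CGI server copies into the environment (Cookie, Host and any custom header become `HTTP_*` variables too), so this is an after-the-fact triage aid; the fix for the exposure itself is patching Bash and keeping CGI scripts from invoking it at all.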

Apple ignored warnings of potential iCloud hack

Fruity cargo cult Apple’s delusions of its own iCloud invulnerability may have led to naked pictures of its starlet customers being leaked to the Internet.

A security researcher warned Apple in March 2014 of a security hole that left the personal data of iCloud users vulnerable.

A string of emails went back and forth between Jobs’ Mob and Ibrahim Balic, a London-based software developer, in which he told the cargo cult of a method he’d discovered for infiltrating iCloud accounts.

The exploit Balic says he reported to Apple is similar to the one allegedly used in the so-called “Celebgate” hack.

Balic told an Apple official that he’d successfully bypassed a security feature designed to prevent “brute-force” attacks. Typically, this kind of attack is defeated by limiting the number of times users can try to log in.

He said that he could try over 20,000 password combinations on any account, and he was warning them so that it could be fixed. Balic also reported the vulnerability using Apple’s online bug submission platform.
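
The “limit the number of login tries” control the article refers to is a per-account failure counter with a lockout window, checked before the password is compared so that a locked account leaks nothing further. The following is an added illustration, not Apple’s code or any reconstruction of it; the limits (5 failures, 15-minute lockout), the account name and the stored password are all assumptions constructed for the demo.

```python
"""Per-account login throttling: the control that defeats brute-force
password guessing.  Added illustration, not Apple's code; the limits and
the sample account are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5            # assumption: failures tolerated before lockout
LOCKOUT_SECONDS = 15 * 60   # assumption: how long the account stays locked


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example dependency-free; a deployment would
    # use a slow password hash (bcrypt, scrypt, argon2) here instead.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class LoginThrottle:
    """Counts failed attempts per account and refuses further tries once
    the failure budget is spent, until the lockout window expires."""
    failures: dict = field(default_factory=dict)      # account -> failure count
    locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: reset state so the legitimate user can log in.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> None:
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, creds: dict, account: str,
                  password: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'.  The lockout check runs
    before any comparison, so a locked account reveals nothing about
    whether a guess was right."""
    if throttle.is_locked(account, now):
        return "locked"
    stored = creds.get(account)
    if stored is not None and hmac.compare_digest(stored, _hash(password)):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad_password"


ACCOUNT = "victim@example.invalid"          # constructed sample account
CREDS = {ACCOUNT: _hash("correct horse battery staple")}


def simulate_guessing(attempts: int) -> dict:
    """Constructed scenario: `attempts` wrong passwords fired at one account
    within the same second.  Returns how many guesses were actually compared
    against the stored hash and how many the throttle refused outright."""
    throttle = LoginThrottle()
    outcomes = {"bad_password": 0, "locked": 0, "ok": 0}
    for i in range(attempts):
        outcomes[attempt_login(throttle, CREDS, ACCOUNT, f"guess{i}", now=0.0)] += 1
    return {k: v for k, v in outcomes.items() if v}


def demo_recovery() -> tuple:
    """Show that the real user is refused during the lockout window even with
    the right password, and admitted once it has expired."""
    throttle = LoginThrottle()
    for i in range(MAX_FAILURES):
        attempt_login(throttle, CREDS, ACCOUNT, f"guess{i}", now=0.0)
    during = attempt_login(throttle, CREDS, ACCOUNT, "correct horse battery staple", now=10.0)
    after = attempt_login(throttle, CREDS, ACCOUNT, "correct horse battery staple",
                          now=float(LOCKOUT_SECONDS))
    return during, after


if __name__ == "__main__":
    print(simulate_guessing(20000))   # only MAX_FAILURES guesses get compared
    print(demo_recovery())
```

Run against the 20,000 guesses the article mentions, only the first five are ever compared against the stored hash; the rest are turned away without touching credentials. Hostile lockouts of a legitimate user are the trade-off, which is why deployments usually pair the counter with a CAPTCHA or a per-source limit rather than relying on account lockout alone.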

By May 6 the reported vulnerability apparently remained unfixed; an Apple official continued to question Balic over the details of his discovery, but did nothing.

Then, soon after the Celebgate photos exploded across the Web, Apple reportedly patched Balic’s vulnerability.

Apple denied, however, that it was in any way linked to the Celebgate event. The theft of the photographs, a statement from the company insisted, was not the result of “any breach in any of Apple’s systems including iCloud or Find my iPhone.”

This is the second time that Apple has done this to Balic. In June 2013, he identified a security flaw in the Apple Developer Centre.

In that case, the website was almost immediately taken down, and Apple claimed that “an intruder attempted to secure personal information of registered developers” and it had called the rozzers.

The implication was that Balic was a criminal for reporting the flaw and Apple was only too happy to have him arrested for daring to point out flaws in its security.

Needless to say Balic was a little concerned about that and went public in the form of a comment on a TechCrunch article. He later uploaded a YouTube video, which he says contains proof of his discovery.

Apple later acknowledged Balic for reporting a cross-site scripting (XSS) vulnerability on its Web Server notification page.

US confirms Chinese government behind hacks

A US Senate panel has ruled that hackers associated with the Chinese government have repeatedly infiltrated the computer systems of US airlines, technology companies and other contractors involved in the movement of US troops and military equipment.

The Senate Armed Services Committee’s year-long probe found the military’s US Transportation Command, or Transcom, was aware of only two out of at least 20 such cyber intrusions within a single year.

It found gaps in reporting requirements and a lack of information sharing among US government bodies which left the US military oblivious to the computer compromises of its contractors.

Democratic Senator Carl Levin of Michigan, the committee’s chairman, was keen to focus on the Chinese hackers rather than the big defence industry’s cock-ups.

He said that the peacetime intrusions into the networks of key defence contractors are more evidence of China’s aggressive actions in cyberspace.

But cybersecurity expert Dmitri Alperovitch, chief technology officer with the security firm Crowdstrike, said that China had for years shown a keen interest in the logistical patterns of the U.S. military.

While the US military uses secret or top-secret networks that are not on the Internet, the private companies it hires do not.

In the year beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of Transcom contractors, the 52-page report stated.

At least 20 of those were successful intrusions attributed to an “advanced persistent threat,” a term used to designate sophisticated threats commonly associated with attacks against governments. All of those intrusions were attributed to China.

Senator Jim Inhofe of Oklahoma, the committee’s top Republican, called for a “central clearinghouse” that makes it easy for contractors to report suspicious cyber activity.

Doom for hacked printer

In what has to be the best proof-of-concept hack of a printer, Context Information Security analyst Michael Jordon managed to get a Canon Pixma printer to run the game Doom.

Jordon said that Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates.

He found that the interface needs no authentication at all to access, and while you would think the worst anyone could do is print off hundreds of test pages and use up all of the printer’s ink, Jordon found a hacker could do a lot more damage.

The interface lets you trigger the printer to update its firmware. It also lets you change where the printer looks for the firmware update.

A hacker could create custom firmware that spies on everything the printer prints; the printer could even be used as a gateway into the network.

To show what was possible Jordon got the printer to run Doom.

Canon offers very little protection against this. If you can run Doom on a printer, you can do a lot more nasty things. In a corporate environment, it would be a good place to be.

Who suspects printers? Well, other than Nigel from accounts, and he thinks aliens are trying to take over the coffee machine.

Canon has promised that it is working on a fix and is taking a chainsaw to the problems highlighted by Context.

“All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected,” Canon said.

NSA makes many become one

Boffins at Carnegie Mellon University, sponsored by the US’s number one spying outfit, have come up with a programming Esperanto which unites all the different programming languages under a single umbrella.

The catch with the development is that, since it is funded by the NSA, it will be full of backdoors which can harvest personal details on behalf of the US government, but you can still admire the technology.

Dubbed Wyvern, after the mythical dragon-like thing that has only two legs instead of four, it helps programmers design apps and websites without having to rely on a whole bunch of different stylesheets and different amalgamations spread across different files.

Jonathan Aldrich, the researcher developing the language, wrote in his blog that Web applications are written as a poorly-coordinated mishmash of artifacts written in different languages, file formats, and technologies. For example, a web application may consist of JavaScript code on the client, HTML for structure, CSS for presentation, XML for AJAX-style communication, and a mixture of Java, plain text configuration files, and database software on the server.

“This diversity increases the cost of developers learning these technologies. It also means that ensuring system-wide safety and security properties in this setting is difficult,” he said.

This creates security problems, which is why the NSA was interested. After all, it has to protect its own systems from hackers.

Wyvern can automatically tell what language a person is programming in, based solely on the type of data that’s being manipulated. That means that if the language detects you are editing a database, for instance, it’ll automatically assume you’re using SQL. The language is still a prototype and is all open saucy.