STE WILLIAMS

Insulin pump hack delivers fatal dosage over the air

In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps so he can surreptitiously deliver fatal doses to diabetic patients who rely on them.

The attack on wireless insulin pumps, made by medical devices giant Medtronic, was demonstrated Tuesday at theHacker Halted conference in Miami. It was delivered by McAfee’s Barnaby Jack, the same researcher who last year showed how take control of two widely used models of automatic teller machines so he could to cause them to spit out a steady stream of dollar bills.

Jack’s latest hack works on most recent Medtronic insulin pumps, because they contain tiny radio transmitters that allow patients and doctors to adjust their functions. It builds on research presented earlier this year that allowed the wireless commandeering of the devices when an attacker was within a few feet of the patient, and knew the serial number of his pump. Software and a special antenna designed by Jack allows him to locate and seize control of any device within 300 feet, even when he doesn’t know the serial number.

“With this device I created and the software I created, I could actually instruct the pump to perform all manner of commands,” Jack told The Register. “I could make it dispense its entire reservoir of insulin, which is about 300 units. I just scan for any devices in the vicinity and they will respond with the serial number of the device.”

Photo of an insulin pump made by Medtronic

An insulin pump made by Medtronic

It’s not the first time a hacker has figured out how to wirelessly issue potentially lethal commands to a medical device implanted in a patient’s body. In 2008, academic researchers demonstrated an attack that allowed them to intercept medical information from implantable cardiac devices and pacemakers and to cause them to turn off or issue life-threatening electrical shocks. The devices are used to treat chronic heart conditions.

In a statement, Medtronic officials said they are working to improve the security of the medical devices the company sells by evaluating encryption and other protections that can be added to their design. Representatives are also informing doctors and patients of the risks so they can make more informed decisions. Medtronic officials have also promised to set up an industry working group to establish a set of standard security practices.

“Because insulin pumps are widely used by patients with diabetes for tight blood sugar control and lifestyle flexibility, we are also working to assure both patients and doctors that at this time we believe that the risk is low and the benefits of the therapy outweigh the risk of an individual criminal attack,” the statement read.

The pumps are used to treat patients with diabetes by infusing their bodies with insulin, which is secreted by the pancreas. When insulin levels are too low, people suffer from excessive blood sugar levels, a condition known as hyperglycemia. When insulin levels are too high, they suffer from hypoglycemia, a condition that can result in death if left unchecked.

The vulnerable Medtronic devices wirelessly send and receive data over the 900 MHz frequency, and Jack said it’s impossible to disable this functionality. He wrote software that works with Medtronic-supplied USB devices that allow doctors and patients to wirelessly monitor the devices from a computer. Combined with custom-built antenna, his system scans a 300-foot radius for compatible devices.

Next page: Insecure by design

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

Hackers could have TAKEN OVER Amazon Web Services

Security researchers have unearthed a flaw in Amazon Web Services that created a possible mechanism for hackers to take over control of cloud-based systems and run administrative tasks.

The flaw, which affected Amazon’s EC2 cloud and has already been plugged, could have been abused to start and stop virtual machines or create new images in an EC2 virtual environment, for example. The root cause of the security weakness stemmed from poor cryptographic practices.

A team of researchers from Germany’s Ruhr University found that an XML signature-based attack can be used to manipulate SOAP messages in such a way that EC4 authentication systems fail to detect that they have been doctored – and thus action them as authentic.

The approach applies a class of security shortcoming, involving the modification of partially signed XML documents, that was first uncovered in 2005 as affecting cloud-based systems, H Security reports.

The attack was possible because application signature verification and XML interpretation were handled separately by Amazon’s SOAP interface, a security shortcoming that allows unsigned code to be smuggled through gateways onto management systems via maliciously modified messages. “Attackers can move the signed partial tree and then inject specially crafted elements in the original location,” H Security explains.

Eucalyptus, an open source-based framework for creating private cloud installations, was similarly vulnerable, according to the Ruhr team.

In an academic paper, the researchers suggest a fix for these so-called signature-wrapping attacks that involves using a “subset of XPath instead of ID attributes to point to the signed subtree”, an approach they reckon is both more efficient and secure.

The researchers said Amazon was also vulnerable to cross-site scripting (XSS) attacks that could have allowed users logged onto its online store to hijack an AWS session, using injected JavaScript code. The researchers demonstrated the vulnerability, only possible because signing into Amazon store automatically creates a concurrent AWS cloud service session automatically, at an ACM workshop on cloud security during a presentation entitled All Your Clouds are Belong to us.

The researchers informed both Amazon and Eucalyptus developers of the security flaws prior to their presentation. Both Amazon and Eucalyptus have reportedly fixed the flaws.

More details on the cloud security aspect of their research can be found in a statement by the Ruhr team (in German) here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/cloud_security/

Swedish password hacking scandal widens

Sweden suffered its worst internet security breach in history, with over 210,000 login details across least 60 websites made public, including personal identity numbers of journalists, MPs and celebrities.

On Tuesday, at least 90,000 passwords of the popular Swedish blog Bloggtoppen were exposed through a Twitter account of former Swedish Democrat and now independent MP William Petzäll. His lawyer told Swedish newspapers his Twitter account was also hacked. Bloggtoppen has been shut down temporarily. Its owner believes hackers “discovered a weakness in the code that lies behind the service”.

Anne-Marie Eklund Löwinder, safety manager for the top domain holder Internet infrastructure Foundation, said it was “one of the biggest attacks ever”.

Many login details belonged to Moderate Party members, including several MPs and party secretary Sofia Arkelsten, but members of the Liberal Party were also affected. Other victims include journalists from several major news publications.

Aftonbladet today reported that another 57 websites have been hacked, which makes it the biggest security breach in Swedish history.

However, the paper also cites Ramak Seyedpour, owner of Affelix Media AB, who claims the breaches are old and that hackers just dumped the data they gathered last year. Seyedpour told the paper: “Despite the fact that we had an ip address that was linked to a proxy server in Sweden, the investigation took too long and nothing was done.”

Swedish newspaper Expressen contacted the hacker, known as sc3a5j, and was told: “I dumped this information to let people know that they handle their information wrongly. Many web pages are not up to scratch. And consumers need to know they should never use the same [passwords] for different services on the web. This is how we got into Twitter accounts as well.”

“I am surprised that this still occurs,” Anne-Marie Eklund Löwinder told Aftenbladet. “Developers should know basic safety requirements. They must know what they are doing and keep track of information they manage.”

The Swedish security service Säpo told The Register it will not investigate the case, and added: “Stockholm Police will deal with the matter.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/logins_details_dumped_in_sweden/

Tsunami Trojan: First Mac attack based on Linux crack

Malware writers have derived a new Trojan for Mac OS X by porting an older Linux backdoor Trojan horse onto another platform.

The newly discovered Tsunami Trojan is derived from an earlier Linux-infecting backdoor Trojan, called Kaiten, which phoned home from infected machines to an IRC channel for further instructions. Security firms are still in the process of analysing Tsunami but early speculation suggests it may be a DDoS attack tool.

“Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is non-existent,” writes Graham Cluley of net security firm Sophos.

“We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying. My advice to Mac users is simple: don’t be a soft target, protect yourself.”

Mac Trojan authors have previously used Windows backdoor code but the Tsunami Trojan is the first case we’ve across, at least, where malware tricks from the world of *nix have been turned against Macs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/tsunami_mac_backdoor/

Binned PCs were stuffed with MoD and Sun staffers’ privates

Updated Security researchers have found personal records of Sun newspaper and MoD staff on the hard drives of discarded or resold computers.

The studyThe ghosts from the machines: A history of 10 years of carelessly discarded data, found that both businesses and consumers are getting rid of old PCs without wiping them clean.

Carelessly discarded data on such machines might be used for ID theft. It may also lead to the release of potentially sensitive customer data.

The study was carried out by the Cyber Security Research Institute (CSRI) on behalf of the Asset Disposal and Information Security Association.

In a revelation likely to bring fresh embarrassment to News International, which was embroiled in the phone hacking scandal this year, researchers found that an unwiped hard drive belonging to the media giant was later sold on to a third party. “The hard drive names contained the home addresses and mobile phone numbers of the entire staff of The Sun, plus other high-profile individuals,” according to CSRI.

The details included those of then Sun editor Rebekah Wade, later chief executive of News International, Andy Coulson, who worked as David Cameron’s communications supremo before resigning over the hacking affair, and Top Gear presenter and News International columnist Jeremy Clarkson. Disappointingly the researchers did not find the phone numbers for private eyes in the Sun machine.

The Sun‘s PC came into the hands of CSRI via a third-party disposal firm that had failed to wipe the data.

“Fortunately for News International – and by sheer chance – the data from the hard drive came to the Cyber Security Research Institute,” says CSRI chairman and report author Peter Warren. “But it highlights once again the huge volume and value of data that is literally being thrown away by UK businesses and individuals each year.

“In the case of News International, this information on staff could have been used by competitors or criminals to glean vital and commercially confidential information. It could even have been used to hack their staff members’ phones,” he added.

The research found 30 per cent of drives making their way onto the second-hand market came with data from previous owners. Over a 10-year period the figure is 40 per cent.

Unwiped data on discarded mobile storage devices and, increasingly, mobile phones poses much the same problem as carelessly discarded data on PCs.

“Whilst the problem has shown some signs of improvement over the last few years we are entering a new technology phase with solid state media being particularly difficult to handle,” said Steve Mellings, director of trade group Adisa (the Asset Disposal and Information Security Alliance).

“With mobile phones, USB sticks, tablets and many new laptops utilising SSD, it is critical that people address this issue by implementing effective asset disposal policies.”

The report authors estimate around 90 million gigabytes of unprotected data is annually discarded from mobile phones. Though the bulk of this will be music and pictures, around 4.5 million gigabytes will be personal data such as emails and contact details. The report authors reckon 15.1 million gigabytes of data a year is left on discarded old computers.

Carelessness in disposal of data exposes firms to fines by the Information Commissioner as well as reputation-damaging publicity if lax discarded kit disposal policies are exposed.

Apart from more and better education of the public and businesses about securing their data, the report suggests the long-standing problem of carelessly discarded data might be addressed by creating a rigorous set of standards for data destruction and audits of data destruction firms.

“One of the more worrying trends to emerge from our surveys over the last decade concerns the fact that, in a number of cases, the drives we have examined had been given to a third party for disposal but instead of destroying the data those third parties had simply sold on the drives,” Warren said.

The CSRI worked with academic partner organisations including the University of Glamorgan, Australia’s Edith Cowan University and Longwood University in the US on the study. ®

Updated to Add

A News International spokesperson said:

“All our drives are encrypted and we have a policy to only dispose of end-of-life hardware in a secure way through a 3rd party supplier. We are contacting the CSRI to find out more about the drive that has been passed to them.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/discarded_pcs_data_treasure_trove_study/

‘Want to be more secure? Don’t be stupid’ redux

The SANS Institute has endorsed the idea that Internet security is partly an IQ test, acknowledging Australia’s Defense Signals Directorate for its work on how best to defend systems.

The DSD’s advice was that most attacks on most networks could be defeated with just four key strategies – patching applications and always using the latest version of an application; keeping operating systems patched; keeping admin rights under strict control (and forbidding the use of administrative accounts for e-mail and browsing); and whitelisting applications.

Since El Reg suffered some negative comment for reducing this to the line “don’t be stupid”, it should be admitted that a minimal amount of diligence – say, the very minimum that should be required for someone administering security to actually keep their job – is required to implement these strategies.

The DSD had originally noted that while other strategies are needed to complete the picture, the “big four” took care of the largest number of attack strategies.

The SANS Institute agrees, and anointed the DSD as the winner of the 2011 US National Cybersecurity Innovation Award.

“Although these controls will not stop the most sophisticated attackers, they do stop the targeted attackers with medium and low sophistication, the ones that cause the greatest amount of information loss,” runs the SANS Institute’s press release.

The DSD research team, led by Steve McLeod and Chris Brookes, carried out the DSD work, which involved analyzing logs of attacks on Australian government military and civilian systems. Their analysis focused on what countermeasures would have stopped infections from spreading, and yielded the 35 strategies detailed here.

If anyone considered The Register’s original assessment too harsh, here’s how SANS Institute research director Alan Paller put it: “”Auditors who are not checking for these four being fully implemented should refund their salaries because they are looking at the wrong things.”

“The cost of implementing these four controls is a tiny fraction of the cost of implementing the average US federal government agency cybersecurity program,” says the SANS Institute.

It is also probably cheaper than the latest security magic bullet, the notion of building a second parallel Internet as advocated by the FBI’s Shawn Henry.

Former Defence Department Secretary Dr Ian Watt, appointed to the Department of Prime Minister and Cabinet in August, was also congratulated by the SANS Institute for enforcing the security approach advocated by the DSD, for all Cabinet-level systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/dsd_wins_sans_award/

Avira anti-virus labels itself as spyware

Avira anti-virus detected components of its own application as potentially malign on Wednesday following a dodgy signature update.

Avira detected its own AESCRIPT.DLL library file as the previously obscure “TR/Spy.463227” strain of malware.

The dodgy AntiVir virus definition file was quickly pulled and replaced with a new version – 7.11.16.146 – that resolves the problem, as explained in an official post on Avira’s support forum here.

Avira’s own stats suggest 4,000 to 5,000 rogue detections, suggesting that the problem was caught before it affected the vast majority of the user base of the freebie security scanner software, which has a user base of million. This is just as well because users hit by the false detection would have been left with hobbled systems.

False positives involving anti-virus software are all too common. Normally these involve application files or, more damagingly, Windows components. Avira’s auto-immune false detection is worse still, but not unprecedented. CA had similar problems two years ago, for example. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/avira_auto_immune_false_positive/

Process, not just product, will save your IT department

So, you’ve bought your firewall. You’ve spent thousands on an intrusion prevention system, and you’ve got expensive data leak prevention software. Are you dead sure that your sensitive customer data hasn’t been leaked?

In IT security, capital expenditure on products can help to protect your systems, but it isn’t enough. Thinking about security when designing and executing your everyday IT processes is a key part of guarding your infrastructure. Moreover, it might help to reduce your overall security expenditure.

“CISOs spend a lot of money on firewalls and anti-virus,” says Jeremiah Grossman, chief technology officer at at WhiteHat Security, which carries out penetration testing services on client systems.

Grossman argues that large companies typically invest lots of money on developing software, and desktop and server infrastructure, with less spent on network infrastructure. Conversely, he argues that the CISO targets security dollars on network infrastructure first, investing in expensive firewalls, with less spent on desktop security infrastructures, and even less on things like secure development lifecycle in software. “So he’s out of phase with the business,” Grossman concludes.

This doesn’t mean that you shouldn’t buy a firewall, of course. Nevertheless, focusing purely on throwing tools at the problem rather than thinking more generally about security processes risks making security more reactive, and piecemeal. What does a properly orchestrated set of processes look like?

There are a variety of operational maturity models to choose from, each with their own strengths and weaknesses. ISO 27001 covers enterprise security in the broad sense, and ITIL includes useful points on security within a services framework. These can be effectively integrated with other models to create an operational maturity model for security. For example, it is possible to map ISO 27K and ITIL against the Capability Maturity Model Integration (CMMI), which provides the framework for assessing operational maturity. Using this mapping, you can frame your security processes according to five levels of capability. The Control Objectives for Information Related Technology (COBIT) also provides a framework of governance and control that encompasses security practice.

Systems integration consultancy CIBER uses a seven-layer model as the basis for its operational security maturity programme. It starts with a programme layer that covers funding, strategic planning, and cross-functional oversight. The management layer covers asset risk management, security skills, roles and responsibilities, while the next layer, documentation, involves asset classification, procedures, and policies. Atop these layers sit the others: education, protection, detection, and response.

Documentation is an important part of implementing standard security models across the enterprise, according to CIBER, which talks about an umbrella security framework that allows for traceability for security regulations and external requirements. Documenting your assets is important if you are to fold them into processes that help to protect your corporate infrastructure.

CIBER advises companies to create a roadmap for use as part of its ‘protection’ layer, which will link the technologies that you invest in to your long-term security goals.

What processes should you focus on when defining these long-term security goals? Much will depend on your company’s unique business requirements, but broadly speaking, we can identify some common critical areas. Vulnerability management and intrusion protection are important, as is identity and access management. Here are some key things to keep in mind when designing security processes that will guide your roadmap:

Know your infrastructure A sound asset inventory and configuration management database is a critical piece of the puzzle. Without this, you won’t know what you have, which makes it impossible to manage it properly. This becomes a serious problem if, for example, someone plugs an unauthorised access point into the network,or downloads un-verified applications,or hooks up a USB hard drive for instance . Is it yours, or is it theirs? How would you know, if you did a wireless networking audit?

Automate its management Ensure that critical processes such as patch management are as automated as possible across servers and PCs, operating systems and applications beyond just Microsoft (third party applications are the greatest sources of risk), so that procedures necessary to bolster corporate security happen quickly. Automating other processes such as the scanning of new devices connected to the network will help to ensure that rogue devices don’t pollute your environment. This is one area where process and product intersect, but it is also an area where security budgets can be wisely applied.

Use systems management tools as your eyes and ears Effective governance includes discovery of devices on the network, so that they you can first of all figure out if they’re yours or not. Make sure that your management tools watch your network and systems for you, alerting you to problems that could indicate a security issue. Why, for example, is that newly-attached PC suddenly blasting out traffic to every PC in the local subnet on an unusual port?

Check your logs Mine your logs for useful information, possibly using log analysis software. Drawing intelligence from your logs can help you to identify attempted attacks (and perhaps successful ones).

Positive Feedback Loops It may seem obvious, but above all do remember to learn from your experiences. If you encounter an incident make sure that the relevant holes are plugged, that configurations are tweaked and users educated. You might be able to buy software that will do most things for you, but process – of which positive feedback loops are one – are the things that really keep you secure.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/rtfm_process/

Why the FBI’s “new Internet” is a dumb idea

The FBI’s Shawn Henry says the world needs a second Internet for critical systems – apparently never having been told what a “private network” is when you don’t prefix it with the word “virtual” – and the idea is taking off in other quarters.

Here’s why it’s a dumb idea: it won’t work.

It’s not just that the easiest defenses are the cheapest ones – as promulgated by Australia’s Defense Signals Directorate and now endorsed by the SANS Institute.

However, that’s a big part of it: if people can’t be trusted to apply patches and block obvious holes, how does creating a new, vastly expensive, probably-intrusive (since one idea doing the circuit is the registration of all machines) network change things? All it does is put the same insecurities and vulnerabilities and slack practices on a new network, which everybody will hail as “secure” up until the moment it’s penetrated.

And penetrated it will be.

It seems like everybody’s forgotten that Stuxnet wasn’t an Internet-borne attack. It was carried on a USB key: the kind of attack vector that will still exist on Henry’s proposed secure Internet.

Not only that: the kind of private networks that do exist – say, electricity utilities’ extensive in-house fibre, to pick an example – become vulnerable not because they’re directly connected to the Internet, but because somewhere in a large organization, there’s likely to be machines that exist on both the public and private networks.

They will still exist: it’s simply not feasible that any network of millions of machines will be entirely free of all possible bridges to other networks.

It seems to me that the Shawn Henry proposal is a recipe for tossing billions of dollars against walls the world over, and creating a user base believes themselves secure and becomes even more cack-handed and complacent at actually protecting themselves.

The real reason a “secure Internet” wouldn’t work is because, as the DSD and the SANS Institute have illustrated so efficiently, the problem is behavioural, not technical.

I’m going to propose an idea: use price signals to encourage the behaviour we want.

I believe – without the benefit of a single minute’s proper research, so I guess I’m handing some enterprising youngster a PhD outline on a plate here – that I can borrow an expression from the world of economics, the mis-pricing of risk, to explain what I mean.

How to price the risk?

When a lender puts the wrong price on their risk, they suffer a loss (OK, OK, or they get bailed out by already cash-strapped governments who don’t want the whole system to come crashing down around their ears).

The price of risk in computer security looks smaller than the price of security. It’s easy to add up the cost of security: firewalls plus servers plus IDS plus staff plus antivirus plus this fabulous quantum crypto kit …

However, until a breach actually occurs, the cost of risk is pretty much zero – you can’t predict the financial impact of a breach on any particular system until after the fact; and doing nothing is free until the sky falls in and someone’s dropped your customer list into Pastebin.

There is a group of people who are experienced in assessing the likely cost of something that hasn’t yet happened: actuaries.

Rather than trying to mandate technologies and network architectures and all the things that don’t help if the behaviour is wrong, why not look at the most effective way to encourage good behaviour – such as, for example, mandating “breach insurance” for all corporate and government computer systems connected to the Internet?

Today, someone deciding to connect internal System A to Internet-connected System B is encouraged to look at the business opportunity, and discount the risk. Someone deciding to replace an internal network with Internet services is encouraged to look at savings, and discount the risk. Only when something goes wrong, such as (for example) the Sony PlayStation Network hack, do we get an assessment of the cost involved when something goes wrong.

Because there is no balance-sheet price on risking a computer system, many or most of the people holding the purse strings begrudge the cost of securing it.

But if there’s a real price associated with a risk, then security gets a business case: “your premium will be $2 million, or $800,000 if you satisfy our security auditors.” Or even “we will never insure this system to be exposed to the Internet. If you must run it, you must do so on a private network.”

It’s not a complete solution. But it’s better than seeking truckloads of cash to try and replicate the Internet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/fbi_secure_internet/

Worm wriggles through year-old flaw, builds zombie-net

A new worm doing the rounds is turning servers running older versions of the JBoss Application Server into botnet drones.

The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm’s payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines.

Marcus Carey, security researcher community manager at Rapid7, said that outsourcing practices had exacerbated the patching deficiencies that the worm exploited.

“Many businesses outsource web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them,” Carey said.

“The use of this new malware associated with JBoss is something we have not seen before. However, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point,” he added.

The last edition of Microsoft’s Security Intelligence Report found that exploits with a patch available for over a year accounted for 3.2 per cent of compromises. By comparison zero-day attacks were responsible for just 0.12 per cent of malicious activity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/jboss_worm/