STE WILLIAMS

DHS faces lawsuit over legality of forced warrantless device searches

Eleven people – including a military veteran, journalists, students, an artist, a NASA engineer, and a business owner – are suing the US Department of Homeland Security (DHS) over forced warrantless searches of their cellphones and laptops at the border.

The plaintiffs are arguing that their First and Fourth Amendment rights had been violated. The legal complaint, filed in Massachusetts on Wednesday, has been brought on their behalf by the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF), and the ACLU of Massachusetts.

The ACLU said in a post that of the 11 plaintiffs, 10 are US citizens and one is a lawful permanent resident. Several are Muslims or people of color. One is alleging that physical force was used by border guards. And one case involves a sick child who was allegedly detained along with her parents for six hours at the US-Canadian border.

The lawsuit seeks a court order demanding that the US government cease the kinds of warrantless searches described by the plaintiffs, along with formal declaration by DHS that its policies and practices violated the plaintiffs’ constitutional rights.

ACLU attorney Esha Bhandari:

The government cannot use the border as a dragnet to search through our private data. Our electronic devices contain massive amounts of information that can paint a detailed picture of our personal lives, including emails, texts, contact lists, photos, work documents, and medical or financial records. The Fourth Amendment requires that the government get a warrant before it can search the contents of smartphones and laptops at the border.

All of the plaintiffs were returning to the US after business or personal travel when border officers searched their devices. None was subsequently accused of any wrongdoing. DHS nonetheless seized their devices, some of which they kept for weeks, some for months.

One of the plaintiffs is natural-born US citizen Sidd Bikkannavar. He’s a NASA engineer who was detained by US Customs and Border Protection (CBP) on January 30 and pressured to hand over his NASA-issued phone and the PIN to get into it.

This was in spite of the fact that the work-issued phone could have contained sensitive information relating to his employment at the space agency, and that NASA employees are obligated to protect all work-related information. A CBP officer returned his phone after a half hour, saying that it had been searched using “algorithms”.

Also among the plaintiffs is artist Aaron Gach, another natural-born US citizen who was forced to unlock his phone after returning from putting on a gallery installation in Brussels. That installation focused on “mass incarceration, government control, and political dissent”.

Another of the plaintiffs is Diane Maye, a college professor and retired US Air Force officer who was detained for two hours at Miami International Airport when coming home from a vacation in Europe in June. The ACLU quoted the veteran:

I felt humiliated and violated. I worried that border officers would read my email messages and texts, and look at my photos. This was my life, and a border officer held it in the palm of his hand. I joined this lawsuit because I strongly believe the government shouldn’t have the unfettered power to invade your privacy.

Another plaintiff is Akram Shibly, an independent filmmaker who lives in upstate New York, who was crossing the US-Canada border in January when a CBP officer ordered him to hand over his phone.

Just three days earlier, CBP had searched his phone, when he was returning from a work trip in Toronto, so Shibly declined. He’s alleging that officers then physically restrained him, with one choking him and another holding his legs, and took his phone from his pocket. He alleges that he suffered “great pain and fear of death”. The officers kept the phone, which was already unlocked from the search of three days prior, for over an hour before giving it back.

The ACLU quotes Shibly:

I joined this lawsuit so other people don’t have to go through what happened to me. Border agents should not be able to coerce people into providing access to their phones, physically or otherwise.

And the story of the sick child: about two months ago, Ghassan and Nadia Alasaad were waiting to cross the US border from Quebec while returning from a five-day family vacation. Their 11-year-old daughter had fallen ill and was running a high fever, they said.

According to the lawsuit, border agents detained the family for up to six hours, confiscated their phones, and demanded the passwords to unlock them. Initially, Mrs Alasaad, a Muslim, had asked that a female agent conduct the search, to avoid male agents viewing her and her daughter without their headscarves. Waiting for a female agent would have prolonged the delay, however, and the child’s fever had already risen during the detention. After six hours in detention, the Alasaads gave up and abandoned their phones.

According to the complaint, when the phones were eventually returned, media files were missing from Mr Alasaad’s phone, including a video of his daughter’s graduation.

The other plaintiffs are:

  • Suhaib Allababidi, who lives in Texas and owns and operates a business that sells security technology, including to federal government clients.
  • Jeremy Dupin, a journalist living in Massachusetts.
  • Isma’il Kushkush, a journalist living in Virginia.
  • Zainab Merchant, from Florida, a writer and graduate student in international security and journalism at Harvard.
  • Matthew Wright, a computer programmer in Colorado.

With searches at the US border on the rise, many are pressing the courts to examine the reasons for – and the constitutionality of – warrantless searches. As the ACLU notes, DHS has estimated that CBP officers searched 2,700 devices in January and 2,200 in February alone, putting it on pace to easily exceed the 19,033 devices they searched in all of 2016.

CBP officers conducted nearly 15,000 electronic device searches in the first half of fiscal year 2017, putting CBP on track to conduct more than three times as many searches as in fiscal year 2015 (8,503). That’s 50% more than in fiscal year 2016.

EFF staff attorney Sophia Cope, as quoted in the ACLU’s release:

People now store their whole lives, including extremely sensitive personal and business matters, on their phones, tablets, and laptops, and it’s reasonable for them to carry these with them when they travel. It’s high time that the courts require the government to stop treating the border as a place where they can end-run the Constitution.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/87ZeBoLogJo/

Protect your business from ransomware robbers

Two much-publicised ransomware attacks earlier this year, including one on the NHS, have raised the profile of the ransomware menace that hangs over businesses of all sizes.

It’s a problem that’s getting bigger, uglier, and more expensive.

Thankfully, on Thursday, September 21 at 4:00PM UTC there’s a live one-hour webcast by Infrascale that can help you navigate your way through the ransomware mire – and help you minimise the downtime, anxiety, and costs inflicted by most ransomware attacks.

Titled “Ransomware: The Inevitable Kick in the Arse”, it will help you to find the solution you need to save your business from a potentially terminal catastrophe.

You can sign up to it right here.

If you’re not preparing – or don’t feel like you’re adequately prepared – to deal with ransomware, this webcast should be just the fillip. And, best of all, you can watch it from the comfort of your desk. Don’t miss it.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/14/protect_your_business_from_the_ransomware_robbers/

Missed patch caused Equifax data breach

Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked.

The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here’s the NIST notification that mentions it as being notified on March 10th.

Equifax was breached in “mid-May” 2017, realised it in July and got around to telling the world in early September. If we take “mid-May” as the 15th of the month, Equifax had nine working weeks in which to apply the patch.

That its data breach was entirely avoidable is not the end of Equifax’s woes, as the new Progress Update also reveals that “Due to the high volume of security freeze requests, we experienced temporary technical difficulties and our system was offline for approximately an hour at 5PM ET on September 13, 2017 to address this issue.”

The company also appears to have suffered another data breach, this time in Argentina, where Brian Krebs reports that “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin’.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/

Shoddily set-up Elasticsearch hosting point-of-sale malware

Lazily-configured software has again created a security incident, this time resulting in 4,000 instances of open source analytics and search tool Elasticsearch inadvertently running PoS-stealing malware.

Kromtech’s Bob Diachenko writes those servers are just 27 per cent of a total of 15,000 ill-secured Elasticsearch nodes the company found, and 99 per cent of the infected servers are hosted at AWS.

This one’s caused by people clicking through the hard parts of Elasticsearch configuration, Kromtech explains, usually when taking up AWS’ offer of a free AWS T2 micro instance as part of its Elastic Compute Cloud offering. That offer is limited to Elasticsearch versions 1.5.2 or 2.3.2, and Diachenko says “people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.”

The company found command-and-control servers for Alina and JackPoS point-of-sale malware running on the compromised hosts:

Every infected Elasticsearch Server became a part of a bigger POS Botnet with Command and Control (CC) functionality for POS (point-of-sale) malware clients. These clients are collecting, encrypting and transferring credit card information stolen from POS terminals, RAM memory or infected Windows machines.

That lack of security also means the malware scum have full administrative privilege on the compromised systems: “Once the malware is in place criminals could remotely access the server’s resources and even … steal or completely destroy any saved data the server contains.”

The most recent round of infections happened in August, the post states. Sysadmins need to check their Elasticsearch instances, patch and/or reinstall as required, lock down their external Internet ports, and if they find malware, send a sample to Kromtech. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/14/elastisearch_pos_botnet/

News in brief: Cruz’s Twitter blunder; Adobe patches Flash; Target ditches Apple

Your daily round-up of some of the other stories in the news

Ted Cruz’s Twitter blunder

News sites were abuzz earlier this week when Ted Cruz, a conservative US politician from Texas, apparently “liked” a porn movie from his Twitter account.

When SNAFUs of this sort happen on social media, the best guesses about what happened are usually [a] the account got hacked or [b] one of the social media team with access to the account made a blunder.

Recent reports suggest that the correct answer in the Cruz case is [b]: SC Magazine, for example, describes it as a “a non-malicious mistake made by a staffer”.

Our advice is simple: always log out explicitly (and get your staffers to log out) from social media sites except when you directly intend to use them, so that accidental clicks are less likely to have unexpected side-effects.

It’s more hassle to do things that way, because you need to keep logging back in, so it makes social media a bit less fun, but it can save you a lot of stress and embarrassment.

Adobe releases Flash patches

Adobe’s latest “Patch Tuesday” security fixes are out for Flash.

There are just two vulnerabilities listed, both reported by Google’s Project Zero (Google’s interest in Flash is more than just altruistic, given that both the Chrome browser and the Chrome OS operating system look after their own Flash versions).

The patched bugs are designated CVE-2017-11281 and CVE-2017-11282, and both are described as memory corruptions of critical severity that could lead to RCE, short for Remote Code Execution.

Simply put, Flash RCEs can usually be triggered by Flash files embedded in external web pages – including web pages on hacked websites you’d ordinarily trust.

In other words, just browsing to a booby-trapped page could be enough to steal data or to infect you with malware, with no tell-tale popup warnings or “Are you sure?” dialogs.

We’ve been recommending for years that you should try uninstalling Flash and disabling the built-in version of Flash in browsers like Chrome and Edge.

If you truly need Flash you can always put it back, but we think you’ll quickly learn to live without it, thus freeing you up from worrying about any left-over Flash vulnerabilities that haven’t yet been found and fixed.

Target swaps Apple for Android

If you’ve visited a Target store since 2014 you will have noticed staff on the shop floor using red-covered iPod touches with scanners to check supplies, restock and carry out other shop-floor tasks.

The ‘MyDevices’ are often bemoaned and mocked by employees on the r/Target Reddit page for battery, scanning and performance issues:

The worst for me is grabbing [a MyDevice] with a fully charged sled at the start of a six hour bike shift, only to have it not scan at the end of the shift

But, after three years the company is bidding farewell to Apple in favour of Android, reports Gizmodo.

The Zebra TC51 runs Android 6.0 Marshmallow and, so far, has received positive feedback from staff on the unofficial forum, The Breakroom:

Everything about them is better, android, battery life is longer, they scan faster, and they don’t have that annoying three second wait time before you can scan an item after unlocking the device.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_IqOPH2rpqk/

Homeland Security drops the hammer on Kaspersky Lab with preemptive ban

Despite pending legislation to ban US federal government offices from using Kaspersky Lab security software, Homeland Security has issued a Binding Operational Directive demanding that the products be removed within 90 days.

The directive gives government IT managers 30 days to identify which – if any – of their systems have Kaspersky software installed, 60 days to develop a plan to get rid of it, and by the 90-day mark it must be uninstalled, unless the DHS advises them otherwise in the meantime.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the agency said in a statement.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

Red Panic grips US

Only last week, US Senator Jeanne Shaheen (D-NH) introduced legislation to do exactly the same job, but the DHS isn’t waiting for Congress to act and went ahead with the directive. On Friday, US big-box retailer Best Buy pulled Kaspersky software from its shelves, although it declined to say why.

Not that Eugene Kaspersky is all that bothered. On Tuesday he said that the firm doesn’t really have much in the way of sales to the US government, but that it was opening three new offices in the Land of the Free™ to cope with customer demand.

The DHS did say that it would like Kaspersky to get in contact with its officers to provide evidence that their software is all kosher and correct. That’s rather odd, since Kaspersky has repeatedly offered to let government inspectors look through its source code to check for any backdoors.

“Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the DHS, but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” a spokesperson from Kaspersky told The Register.

“No credible evidence has been presented publicly by anyone or any organization, as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”

US intelligence agencies have been briefing politicians and trusted businesspeople in private about the supposed dangers of the Russian firm’s code for months now, but haven’t offered up a jot of evidence to back up their claims in public. Much like Iraqi weapons of mass destruction, we’re being asked to trust them on this one.

There are two possibilities here:

  1. Kaspersky is a tool of the FSB and the intelligence community has hard evidence of this. If that’s so, then they should make it public so that ordinary consumers can make their choices from a position of knowledge.
  2. The other option, mooted by some in the security community, is that the US government is pissed off because Kaspersky has found and reported on multiple instances of malware that appear to have been created by the men and women of the NSA. In the current climate, Russia-bashing is popular and the theory goes that the US intelligence community wants a bit of payback.

The move against Kaspersky might be popular in the US, but President Putin is reportedly pissed off at a Russian firm being targeted in the US. Last week he told technology executives in Russia that they should avoid foreign software and use only Russian code.

It’s worth noting that China banned Kaspersky software from government contracts in 2014. But it also banned Symantec’s code from its systems as well. Only Chinese security software is on the approved purchasing list. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/homeland_security_bans_kaspersky_products/

Credit reference agencies faulted for poor patching

Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year.

The security shortcoming raises important questions following the disclosure of a mega-breach at Equifax last week that affected data on 143 million Americans and an as-yet unknown number of Canadians and Brits. Equifax only said that an unspecified web application vulnerability gave hackers access to its systems between mid May and late July, when the breach was detected.

A vulnerability in Apache Struts, patched in March, quickly gave rise to the public release of an exploit. That’s a worst-case scenario and ought to have prompted urgent security triage. Left unresolved, the issue created a means for hackers to remotely run code on the web server and access files, potentially (and probably) bypassing all security controls. No authentication would be required.

UK security researcher Kevin Beaumont repeatedly warned about the problem at the time. He wasn’t alone. For example, Xss.cx notified organizations that they were vulnerable, issuing public screenshots of the insides of servers – including of user files, config files, debug logs, etc – to underline its warning.

The screenshots (Experian example here) were only possible because the organizations concerned were unpatched, at least at the time and for a few days afterwards.

Systems affected included servers run by Experian and Annual Credit Report, which is managed by CGI Report.

Screenshots of the insides of these servers have been posted online, so unauthorized access on some level was possible. Whether customer information was actually compromised through that route is a troubling but unanswered question.

“All of this raises serious questions,” Beaumont concludes in a blog post laying out the timeline of the issue. “When were these servers patched? What information was accessed? If consumer information was accessed, have they been notified?”

This blog post talks about how an issue in Apache Struts that arose in March was handled, but it still raises topical questions and concerns about the patching practices at credit reference agencies. We’ve flagged up the blog post to both Experian and CGI Report and invited comment. ®

Bootnote

All the above relates to the handling of a critical Apache Struts vulnerability released in March and not a similarly serious problem addressed earlier this month. The flaw exploited by hackers to break into Equifax remains unknown at the time of writing, despite speculation about various causes (both Apache Struts and SQL injection have been suggested as plausible).

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/credit_ref_agency_patching/

Fears raised about accuracy of new forensic DNA techniques

Genetic science has progressed significantly in recent years, and it influences how crime is being investigated in the US and elsewhere.

DNA analysis started being used to identify crime suspects about 30 years ago, with the first conviction thanks to DNA evidence happening in 1986.

It’s easy to assume from watching TV crime drama series that DNA evidence is irrefutable, because that’s how it’s portrayed in fictional criminal courts. The Guardian interviewed Professor Shari Forbes of the Centre for Forensic Science at the University of Technology, Sydney about this matter:

The problem we find is that juries increasingly expect DNA to be collected from every single crime scene, and when it’s not, either because it can’t be found or it wasn’t required, we end up spending a lot of time explaining why.

Forbes also mentioned that people in the general public who become jury members will often assume that if no DNA was found in a crime scene, that means the perpetrator wasn’t there.

So it might surprise many that there is a controversy regarding the accuracy of two particular DNA analysis methods.

Up until recently, DNA forensics laboratories would only use DNA samples larger than a few hundred picograms. A picogram is one trillionth of a gram. Smaller quantities of DNA are more difficult to test, especially with older DNA analysis methodologies.

Since 1999, the UK Forensic Science Service has used a DNA profiling technique called Low Copy Number, which can analyze DNA samples as small as 100 picograms.

The DNA laboratory in the office of New York City’s chief medical examiner has introduced two DNA profiling techniques designed to analyze even smaller DNA samples.

The lab’s Dr Theresa A Caragine, a forensic scientist, developed the high-sensitivity testing method, and implemented it in 2006. After several years of experience with that method, Caragine and Dr Adele A Mitchell invented the Forensic Statistical Tool, which is specialized forensic DNA analysis software. Both methods are still being used to test very tiny DNA samples, as well as DNA samples which might contain genetic material from more than one person. That’s not how forensic DNA testing was done in the 1990s or even in the first decade of the 21st century.

According to the lab’s former director, Dr Mechthild Prinz, in 2009:

A couple of years ago, DNA testing was limited to body fluids – semen, blood, and saliva. Now every laboratory in the country routinely receives swabs from guns.

Semen, blood, and saliva provide much larger DNA samples than can be acquired from traces of skin sebum or sweat that are left on objects. Plus, tiny DNA traces found on objects are a lot more likely to be mixed with DNA from other people.

The forensic analysis of very tiny amounts of DNA is a difficult area. According to a report from Promega, a biotechnology firm:

Every lab faces samples with low amounts of DNA. Laboratories and DNA analysts need to choose whether or not to attempt an ‘enhanced interrogation technique’ such as increasing the cycle number, desalting samples or higher CE (capillary electrophoresis) injection. If such an approach is taken, validation studies need to be performed to develop appropriate interpretation guidelines and to assess the degree of variation that can be expected when analyzing low amounts of DNA.

Deciding where to stop testing or interpreting data can be challenging. Some laboratories stop testing based on a certain amount of input DNA, using validation data to underpin a quantitation threshold. Others set stochastic thresholds that are used during data interpretation to decide what STR-typing data are reliable (ie, are not expected to have allelic drop-out at that locus).

Both the high-sensitivity testing and Forensic Statistical Tool methodologies are now being legally contested. A group of defense lawyers have asked the New York State inspector general’s office to launch an inquiry into thousands of criminal cases that have used the methodologies in New York City’s DNA lab.

Because the lab uses cutting-edge techniques, they also test DNA samples provided by police departments all across the United States, not just in New York. On September 1, the Legal Aid Society and the Federal Defenders of New York alleged that the medical examiner’s office in New York

… has engaged in negligent conduct that undermines the integrity of its forensic DNA testing and analysis.

Dr Eli Shapiro, the former mitochondrial DNA technical leader in the DNA lab, wrote to The New York Times saying that he had retired early due to the stress of having to approve lab reports generated by the Forensic Statistical Tool. He has said in court that he finds the Forensic Statistical Tool’s process to be “very disturbing”.

The Legal Aid Society and the Federal Defenders of New York have contested two specific criminal cases that were heard in court between 2012 and 2014. Both cases involved the Forensic Statistical Tool, and they were denied access to the tool’s source code.

Dr Bruce Budowle, who helped design the FBI’s national DNA database, believes that the New York lab’s statistical methods are “not defensible”. According to Budowle, the FST was designed with the incorrect assumption that every DNA mixture of the same size was missing information or had been contaminated in just the same way. He said:

Five-person mixtures can look like three-person. Four contributors can look like two-person mixtures. It’s almost impossible to actually be accurate.

FST’s developers have acknowledged a margin of error of 30% in their method of quantifying the amount of DNA in a sample. But they still stand behind the accuracy of their software.

It seems that New York’s criminal court might have been too hasty in accepting new DNA forensics methodologies that have yet to be proven to have reliable accuracy – and it’s possible therefore that there could be thousands of people in American prisons who were falsely convicted due to forensic DNA technologies that weren’t properly studied before they were deployed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k1nJ1wXqN64/

Smart pumps used by hospitals in IV drips vulnerable to attacks

Syringe pumps – those beeping boxes affixed to the pole in a hospital IV drip – have flaws that could be exploited by hackers to change the dosages being delivered to patients.

Researcher Scott Gayou found eight separate flaws in three versions of the MedFusion 4000 pump made by Smiths Medical, a division of the British multinational Smiths Group.

Hospital staff use syringe pumps to deliver precise amounts of fluids to patients, be they adults or newborn infants: the anaesthesia that keeps patients unconscious during surgery, for example, as well as drugs, blood, antibiotics, or other critical fluids.

Gayou’s discovery prompted the Department of Homeland Security (DHS) to issue an advisory warning last week.

DHS, or, rather, its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said in the advisory that successful exploitation of the vulnerabilities could allow a remote attacker to gain unauthorized access to the pumps, their communications and their operation:

Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.

In a letter to customers that acknowledged the flaws, Smiths Medical on Thursday downplayed the likelihood of a successful exploit:

The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.

DHS’s alert detailed the vulnerabilities, which include a classic buffer overflow caused by a third-party pump component that fails to verify input buffer size prior to copying. Given that the pump receives this type of potentially malicious input infrequently, and under certain conditions, that one’s tough to exploit.
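The unchecked-copy defect described above, illustrated as an added example (not code from the advisory or from Smiths Medical): a constructed command frame with a declared payload length is parsed once the way the advisory describes (declared length trusted) and once with the two bounds a receiving component needs. The frame layout, PAYLOAD_MAX and the function names are assumptions, not the MedFusion protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for this example (NOT the MedFusion protocol):
 *   byte 0      : command id
 *   byte 1      : declared payload length
 *   bytes 2..   : payload, "declared length" bytes
 * The receiving component stores the payload in a fixed 32-byte buffer. */
#define PAYLOAD_MAX 32

struct pump_cmd {
    uint8_t cmd;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* The defect class the advisory describes: the declared length is trusted
 * and copied without being checked against the destination buffer size.
 * A frame declaring len > PAYLOAD_MAX overwrites whatever follows payload. */
int parse_cmd_unchecked(const uint8_t *frame, size_t frame_len, struct pump_cmd *out)
{
    if (frame_len < 2)
        return -1;
    out->cmd = frame[0];
    out->len = frame[1];
    memcpy(out->payload, frame + 2, out->len);  /* no bound on out->len */
    return 0;
}

/* Hardened parser: reject the frame unless the declared length fits the
 * destination buffer AND does not exceed the bytes actually received. */
int parse_cmd_checked(const uint8_t *frame, size_t frame_len, struct pump_cmd *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return -1;                        /* malformed or missing header */
    uint8_t len = frame[1];
    if (len > PAYLOAD_MAX)
        return -2;                        /* would overflow out->payload */
    if ((size_t)len > frame_len - 2)
        return -3;                        /* would read past received data */
    out->cmd = frame[0];
    out->len = len;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, frame + 2, len);
    return 0;
}

/* Constructed sample frames used by the checks below and by main(). */
static const uint8_t FRAME_VALID[]     = { 0x10, 0x03, 'r', 'a', 't' };
static const uint8_t FRAME_OVERSIZED[] = { 0x10, 0xFF, 'x' };       /* claims 255 bytes */
static const uint8_t FRAME_TRUNCATED[] = { 0x10, 0x05, 'r', 'a' };  /* claims 5, sends 2 */

/* check_valid_frame returns 0 when the hardened parser accepts the valid
 * frame and fills the struct correctly; the other two return its error code. */
int check_valid_frame(void)
{
    struct pump_cmd c;
    int rc = parse_cmd_checked(FRAME_VALID, sizeof FRAME_VALID, &c);
    return (rc == 0 && c.cmd == 0x10 && c.len == 3 && c.payload[0] == 'r') ? 0 : 1;
}

int check_oversized_frame(void)
{
    struct pump_cmd c;
    return parse_cmd_checked(FRAME_OVERSIZED, sizeof FRAME_OVERSIZED, &c);
}

int check_truncated_frame(void)
{
    struct pump_cmd c;
    return parse_cmd_checked(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED, &c);
}

int main(void)
{
    printf("valid frame accepted: %s\n", check_valid_frame() == 0 ? "yes" : "no");
    printf("oversized frame rc: %d\n", check_oversized_frame());
    printf("truncated frame rc: %d\n", check_truncated_frame());
    /* parse_cmd_unchecked(FRAME_OVERSIZED, ...) is deliberately not called:
     * it would write 255 bytes into a 32-byte buffer (undefined behaviour). */
    return 0;
}
```

The second bound (declared length against bytes received) matters as much as the first: a component that only checks the destination size still reads stale memory into the payload when a short frame over-declares its length.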

Also on the list of vulnerabilities are hard-coded credentials in a few spots; an FTP server on the pump that doesn’t require authentication if the pump is configured to allow FTP connections; storage of some passwords in the configuration file that are accessible if the pump is configured to allow external communications, and more.

Buffer overflows? Hard-coded credentials? If those sound familiar, they should: the vulnerabilities leave the devices open to well-known attacks, given that they don’t do much to check to see who’s connecting to them and don’t do a very good job of sanitizing any commands they receive.

That’s unnerving: these syringe pumps are used on all manner of patients, including on neonatal wards to treat premature babies. Precision in drug delivery via these pumps is crucial. When they work the way they’re supposed to – as they do in hospitals with reliable electricity to keep them running, as opposed to the mechanical pumps used in developing countries that have high dosing error rates – they can administer drugs in consistent, tiny amounts that are impossible for human nurses to achieve.

No exploit is known to have occurred in the wild. Smiths Medical says it will release fixes in Version 1.6.1 for the Medfusion 4000 syringe infusion pumps in January 2018.

In the meantime, the company released mitigation protocols in the ICS-CERT advisory that it says will protect against exploitation. Some of those steps include further segregation of the devices from other parts of hospitals’ networks, assigning the devices static IP addresses, routine backups, and other pieces of advice that come straight out of the typical good-password handbook:

  1. Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight).
  2. Do not re-use passwords.

We can help with No. 1 for sure: here’s a short, sweet, straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.


As far as password reuse goes, there’s an ever-swelling list of stories about people’s accounts getting broken into because crooks found a password, then simply tried the credential out on any other site they could think of, be it on Netflix, Amazon, LinkedIn, Facebook, or National Lottery accounts.

But those stories pale in comparison to the possibility that password reuse could lead to a fatal overdose or underdose. Kudos and our thanks go to Scott Gayou for finding these flaws before harm could be done.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WN1ec7TzMvE/

Governments must fix the digital identity mess, says think tank

Despite years of strenuous effort, the idea of mass digital identity remains stuck somewhere between non-existent and a total mess.

Ask someone to prove their identity today, and almost without exception they will fall back on a paper passport, driving licence, or bank account statements, usually backed by a social security number (SSN). The online world struggles to accommodate these.

Digital identity systems such as the UK government’s Gov.UK Verify exist but barely any are used in anger. They float around in no man’s land, like clever experiments whose original objective their creators have lost track of.

Meanwhile, shadowing flesh and blood human identities are virtual ones built from oceans of online data. Much of this is handed over willingly to “surveillance capitalists” – Facebook, Google and advertisers, for instance – but much more exists in a parallel dimension of which people are only dimly aware.

It’s also the world of identity middle-men such as Equifax, which collected so much valuable data it eventually burst at the seams, spilling millions of names, addresses, SSNs, birth dates and driving licence numbers to cybercriminals who could use it to fuel industrial identity theft for years to come.

Not everyone is giving up yet, however, including the Social Market Foundation (SMF), a UK think tank, which argues in a new report that governments should stop shilly-shallying around and press ahead with full-blown digital ID systems.

But aren’t government systems a damp squib? According to the SMF, the problem with systems such as Gov.UK Verify (which uses private-sector partners) is that they were conceived to serve access to government services such as tax and benefits when the real need is much wider.

Verify’s usefulness would improve dramatically if only companies could use it to identify people too:

Encouragingly, use of Verify in private sector contexts is being actively explored, and we believe there are significant benefits for consumers that could arise from this.

Advantages such as:

  • Passports could give way to app-based identity systems, possibly backed by biometrics
  • Expensive paper systems could be banished forever
  • Online verification could be transformed from today’s guesswork and assumption-based model.
  • Welfare and immigration fraud would be reduced
  • Because everyone would have an ID, social exclusion faced by people who lack documents could be reduced
  • Verification and digital identity could be about to become an industry in its own right so jobs could be at stake

And cybercriminals would no longer find it easy to carry out identity theft against a system that included real-time identity checks on individuals themselves.

Sceptics will see this as a reprise of the failed UK identity card scheme of a decade ago, eventually scrapped in 2010 after burning through £4.5bn ($6.3bn). Certainly, it’s hard to see how a new ID system wouldn’t initially need to rely on physical documents of the sort that sank the original system on cost grounds.

The other problem is government itself. Solving the digital identity conundrum once and for all can probably only be done at government level – but what if people don’t trust government?

The poster child for digital ID is Estonia, the first country in the world to conduct general elections across the Internet backed by a digital identity system years ahead of other developed countries.

Then there’s India’s Aadhaar, a biometric digital ID system with 1.2bn members that critics have described as “Orwellian”. The worry is that the Aadhaar model hands government the power to withhold as well as enable access to services as a form of social control.

Which of the two extremes should countries such as the UK and US look to? Probably both deserve scrutiny, but it’s interesting that some of the same civil liberties arguments levelled at Aadhaar also dogged the UK’s ID cards.

This suggests that the path to 21st century digital identity will not be smooth. The flaw in today’s identity model is that data is smeared just about everywhere and anywhere, and incentives to guard it have become warped by commercial self-interest.

But until someone comes up with a way to implement an alternative that doesn’t simply over-centralise power with governments, digital identity will remain a rocky road.

With identity theft at record levels, it is hard to believe that digital identity can be postponed indefinitely. But the old world of uncertain, weakly defended identity won’t go away quickly – expect Equifax-style breaches to be with us for a while yet.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xs5K-t1vw60/