Medical Equipment Maker Ignores Security

I’m sure that this isn’t the only company with a problem like this. This story is from Black Hat. Hack causes pacemakers to deliver life-threatening shocks.

Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.

Basic security is ignored. Like digital signatures for the code in question. And there is a proof-of-concept exploit. After a year, the company has done nothing. (Well, maybe not nothing, but the exploit still works.) Ditto for at least one of Medtronic’s insulin pumps. (Maybe they only have 1, I don’t know)

The company released a statement that has several platitudes, calls on the high gods of the FDA, and has a bit of boilerplate added. It is mostly meaningless. (Having good physical security over the programmer won’t stop a man-in-the-middle attack.)

Hat tip to A Geek with Guns. Both DEFCON and Black Hat are running, so there should be some interesting security stories this week, as the talks are made known.

Advertisements

Privacy Is Such a 20th Century Concept

“What Could Possibly Go Wrong?” Free Facial Recognition Tool Can Track People Across Social Media Sites

This tool was developed for ethical hackers, penetration testing, etc. The fact that it will facilitate spear phishing by anyone is just a side benefit.

I’m sure that black-hat hackers or stalkers won’t use this at all at all. Or will they?

However, since the tool is now available in open-source, anyone including bad actors or intelligence agencies can reuse facial recognition tech to build their own surveillance tools to search against already collected trove of data.

The press release about this tool states the following “benefits.”

  • Create fake social media profiles to “Friend” targets and then send them links to downloadable malware or credential capturing landing web pages.
  • Trick targets into disclosing their emails and phone numbers with vouchers and offers to pivot into “phishing, vishing or smishing.”
  • Create custom phishing campaigns for each social media platform, making sure that the target has an account, and make these more realistic by including their profile picture in the email. Then capture the passwords for password reuse.
  • View target’s photos looking for employee access card badges and familiarise yourself with building interiors.

I’m sure no bad actors are interested in any OPEN SOURCE tool with those capabilities! (The internet was fun while it lasted.)

Because There Isn’t Enough To Worry About

Researchers Developed Artificial Intelligence-Powered Stealthy Malware. Yeah, that’s just what we need.

AI has been marketed as a cure for malware. It can detect the signs of viruses, Trojans, et al and save the day. But the reverse is also true.

However, the same technology can also be weaponized by threat actors to power a new generation of malware that can evade even the best cyber-security defenses and infects a computer network or launch an attack only when the target’s face is detected by the camera.

To demonstrate this scenario, security researchers at IBM Research came up with DeepLocker—a new breed of “highly targeted and evasive” attack tool powered by AI,” which conceals its malicious intent until it reached a specific victim.

Coming to a state-sponsored hacking team interested in you soon. (The internet was fun while it lasted!)

The Cost of Ignoring Computer Security

TSMC (Taiwan Semiconductor Manufacturing Co.) got hit by a variant of WannaCry (again?) that stopped their manufacturing dead. Taiwan Semiconductor faces revenue hit after computer virus closes factories.

So they installed a new set of tools or updated software on some existing tools (it isn’t quite clear). In the process they infected their internal network with a variant of WannaCry. Manufacturing ground to a halt. That was on Friday. By Sunday they were apparently back in business.

This article says 3% of revenue. Steve Gibson, on Security Now, listed the cost as $256 million. (Links are to video and show-notes respectively.)

However you slice it, that is a large amount of money. TSMC promises that procedures will get better, to avoid a replay.

So will this encourage people to take security a little more seriously? Somehow I doubt it. Maersk Lines lost a similar amount of money and it didn’t change anything. And the European subsidiary of FedEx ditto. UK’s NHS was hit. Other medical facilities. Now this.

Will Executives Prepare For/Deal With Cyber Attacks?

I sincerely doubt it. The total cost of a data breach — including lost business — keeps growing.

“Failure to respond urgently, transparently, and with empathy can result in a near extinction-level event.”

You would think that the magnitude of the numbers being bandied about by the likes of Maersk Lines or the European subsidiary of Fedaral Express would be sobering. But in my limited experience, executives don’t spend money on shit they don’t understand, and they didn’t get ahead by being transparent or having empathy. Virtually every data breach I have read about (pre-GDPR anyway) has been characterized by 1 thing: executives wait weeks or months to disclose the breach (often selling stock before it is made public). Because screw you, customers/stock-holders!

  • The average cost of a breach involving 1 million records was nearly $40 million dollars.
  • The cost of a breach totaling 50 million records was estimated to be $350 million.

That’s a lot of money. You would think that it would encourage the spending of money to prepare. And I’m sure somewhere somebody had a portion of their budget increased. But I am also positive that somewhere there are managers saying “we don’t need to update our software.” And I don’t think we ever got all the money we asked for, on any project. (Unless of course it was the brainchild of someone from Mahogany Row.)

The Criminal Justice System Meets Systems Design

And the results are not the best. Because systems design and training takes time. And having 2 people verify sensitive information would be expensive! Judge lifts order requiring the L.A. Times to change article on ex-Glendale police spokesman.

Next you will want the .gov to spend money on computer security, or expect judges and lawyers to follow rules cooked up by programmers.

It’s an organized crime case. A Glendale police detective lied about his ties to organized crime. He took a plea agreement.

The plea agreement between prosecutors and detective John Saro Balian was supposed to have been filed under seal, but it was mistakenly made available Friday on PACER, a public online database for federal court documents.

That was done on Friday, by Saturday the LA Times had published a story. The judge wanted the story taken down, but as the defense attorney in the original case noted…

nobody can “unring that bell.”

A clerk made a data entry error. I wonder how overworked/underpaid those clerks are.

The case itself is interesting. (A cop accepting bribes, tipping off witnesses, and eventually being busted could have been an episode on any number of cop shows or even “Movie of the Week” back when they had those.)

The rush to put everything on the internet. The goal of making that easy. The lack of safeguards for sensitive information. (The judge is worried that the guy’s family will be put in danger.) But hey, we like having things on the internet, except when stuff gets hacked. Or mishandled.

Actually putting information on the internet is a good thing, but ONLY if it is not private or sensitive info (like the way to get into your online banking account) and only as long as the security is in place. Reviewing and securing data is not free.

Adidas and Ticketmaster Hacked – Will It Ever End?

And then of course there was the hack of 150 million user accounts at Under Armor in March. Is anyone in any executive suite or corporate board anywhere, ever going to take security seriously? Somehow I doubt it.

Let the typical (stereotypical?) corporate BS begin. Adidas Hack: Brand Warns a “Few Million” Customers Hit

They got hacked.

“Adidas is committed to the privacy and security of its consumers’ personal data,” the release read. “Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers. Adidas is working with leading data security firms and law enforcement authorities to investigate the issue.” It will alert victims while conducting a forensic review, the brand added.

A more useless piece of corporate, ass-covering, boilerplate would be hard to find.

They are committed to security. But they are not “committed” to giving out any useful data. Like where. When. etc. If you did any business on their website, best update everything. They are admitting to user names and passwords being compromised. “No reason to believe” that credit card data was hacked.

Then there is Ticketmaster. Ticketmaster breach was caused by bespoke JavaScript on payments page

JavaScript? At least they aren’t slinging around a bunch of Bovine Scatology about how they are committed to security. (If I read the details correctly, they are most committed to marketing, and security isn’t much of an issue for them. It doesn’t generate revenue, after all.)

The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.

40,000 UK users have been hacked.

Seperately, on Thursday, digital banking service Monzo said it alerted Ticketmaster to the data breach in April, despite the company’s claims that it hadn’t learnt of the breach until June.

Given these claims that Ticketmaster was sitting on the breach for two months, the firm could potentially face a hefty fine under the EU’s new GDPR laws, that require firms to report data breaches without “undue delay, and where feasible, not later than 72 hours after having become aware of it.”

And the UK is still in the EU, and hence covered by GDPR.

I don’t get this months-long wait that most companies engage in. The situation is NOT going to get better on its own. It also isn’t going to go away if you ignore it. Is it just that executives are so bent about avoiding blame at all costs that they don’t want to let people take action to protect their accounts? At this point in history, I ALSO don’t get why the folks in the corporate suites aren’t getting manic about security. (Look up how much Maersk lines lost, or what happened to FedEx-European subsidiary, TNT.)