Blogs

The lack of security on medical devices is continuing to raise concerns. Last year a security researcher, who was himself a diabetic, demonstrated at the Black Hat security conference a wireless attack on an insulin pump that could change the delivery of insulin to the patient. The security vendor McAfee found that they could scan a public space from up to 300 feet away, find vulnerable pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses. In 2009 an assistant professor in computer science "hacked" into a defibrillator (used to stabilize a heartbeat) and reprogramed it. He also disabled its power-save mode so the battery ran down in hours instead of years. Last month the national Information Security and Privacy Advisory Board (ISPAB) recommended that one federal government agency like the Food and Drug Administration (FDA) be responsible for ensuring the security of wireless medical devices, and called for the National...

In a disturbing trend by some software vendors, older versions of software are being neglected when it comes to security updates. On Monday (May 14 2012) Apple issued its first security-related update to its Leopard operating system (OS X 10.5) in almost one year ago. Yet this update does not even patch any known vulnerabilities but instead only removes older versions of the Adobe Flash Player: any Flash Player older than 10.1.102.64--which was released in November 2010--is now disabled. This update is the same that Apple released last week for Snow Leopard (OS X 10.6) and Lion (OS X 10.7). And although Apple still provides security updates for Java for users running Snow Leopard and Lion, it has not distributed any security patches for Java running on Leopard since June 2011. It's certainly troubling that Apple as well as other security vendors is not keeping older versions of their software updated (see May 15 2012 blog posting). Their patch management {Chapter 5 Security+ 4ed} capabilities...

There are really two camps in the information security discipline. You may want to call them managerial and technical. You might call them computer security and information assurance. You can come up with as many terms to explore this division as you like, but it boils down to how we go about establishing a system of controls to reduce risk. One aspect is the implementation of the technical aspects of one of many types of controls that affect limiting the actions a system can be used to take. These are things like firewalls, intrusion detection and prevention, programs that use vulnerability to diagnose and repair vulnerabilities, and so on. Think of these things as ways to make systems able to be more secure, more reliable or more resistant to misuse. The other aspect is that of creating the organization needed to plan and implement secure systems. This is done with establishing and maintaining governance of the IT and security functions (that's the G), Establishing and maintaining...

Misunderstandings are often the result of a difference in interpretation (aka semantics). However, in this recent computer security attack much more may be at stake. Elantis, a credit provider located in Belgium, was the apparent victim of an attack in which employee login credentials and confidential loan application information on 3,700 customers--name, job description, contact information, annual income, ID card number, etc.--was stolen. Last Friday (Apr 27 2012) the attackers contacted Elantis and threatened to publically publish the information if the bank does not pay 150,000 euros (about $197,000) by tomorrow (May 4 2012). The attackers claimed that the data was stored unencrypted {Chapter 11 Security+ 4ed} on unprotected servers, and parts of what they claimed to be stole data was provided to prove their claims. And to add insult to injury, the attackers also said, "While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving...

As I'm sure most of you recall, the "Stop Online Piracy Act", or SOPA, was a piece of federal legislation that was winding it's way through the approval process just a few months ago. It was killed, in part, due to public outcry from various sources. Congress saw the writing on the wall, and the bill was tabled in December 2011. SOPA was roundly criticized by many privacy organizations and DNS experts as an ineffective way to combat online piracy, as well as being dangerous to DNS. Recently, the Cyber Intelligence and Sharing and Protection Act, or CISPA, was submitted to the House of Representatives for consideration. This bill would allow the sharing of Internet traffic and associated details between the federal government and certain companies. The stated goal of CISPA is to allow the federal government to investigate potential cyber threats, while protecting against cyber attacks. Sounds great, right? The devil is always in the details, however - and there are really...

Here's something that few users--particularly Mac users--would have ever expected. The security firm Sophos offers Mac users a free online antivirus scanner (yes, Macs can become infected!). After over 100,000 Mac computers ran that software then Sophos examined what the scanner found. And the results were surprising: almost one out of every five Macs (20%) contained at least one instance of Windows malware. Although this Windows malware cannot function on the Mac, it can be transferred to another Windows computer through USB flash drives and other removeable media, or through network file sharing. Sophos also found 3% of the 100,000 scanned Macs were infected with Mac malware. About 75% of the infected Macs were victims of Flashback (see Apr 11 2012 blog posting). It's estimated that some 600,000 Macs still have this malware while a new version of Flashback has infected another 700,000 Macs. The next most common infection was a fake antivirus "scareware" infection (18...

Just because you can...doesn't mean you should. I'm going to share a story from one of my fellow professors about a student in his information security class. He observed a student using his cell phone in class against course policy. THe student proudly bragged the following: "He acknowledged he was actively scanning a fellow student's system without permission. He had downloaded an Android app used for network scanning and penetration testing, and was playing with it. He scanned the network, found a system with a fellow student's name on it, and claimed he was about to scan it when I called him out on his use of a mobile phone in class." Now realize this is an advanced information security class and the students have already had several classes where they were educated and informed about the legal and ethical responsibilities of an information security professional. In fact in each of these classes, the students sign agreements (White Hat Agreements) that specifically...