Mark Ciampa's Blog (Security+ 4ed)

The lack of security on medical devices is continuing to raise concerns. Last year a security researcher, who was himself a diabetic, demonstrated at the Black Hat security conference a wireless attack on an insulin pump that could change the delivery of insulin to the patient. The security vendor McAfee found that they could scan a public space from up to 300 feet away, find vulnerable pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses. In 2009 an assistant professor in computer science "hacked" into a defibrillator (used to stabilize a heartbeat) and reprogramed it. He also disabled its power-save mode so the battery ran down in hours instead of years. Last month the national Information Security and Privacy Advisory Board (ISPAB) recommended that one federal government agency like the Food and Drug Administration (FDA) be responsible for ensuring the security of wireless medical devices, and called for the National...

In a disturbing trend by some software vendors, older versions of software are being neglected when it comes to security updates. On Monday (May 14 2012) Apple issued its first security-related update to its Leopard operating system (OS X 10.5) in almost one year ago. Yet this update does not even patch any known vulnerabilities but instead only removes older versions of the Adobe Flash Player: any Flash Player older than 10.1.102.64--which was released in November 2010--is now disabled. This update is the same that Apple released last week for Snow Leopard (OS X 10.6) and Lion (OS X 10.7). And although Apple still provides security updates for Java for users running Snow Leopard and Lion, it has not distributed any security patches for Java running on Leopard since June 2011. It's certainly troubling that Apple as well as other security vendors is not keeping older versions of their software updated (see May 15 2012 blog posting). Their patch management {Chapter 5 Security+ 4ed} capabilities...

Adobe sent out a warning today (May 7 2012) that attackers are exploiting a vulnerability {Chapter 1 Security+ 4ed} in the Adobe Flash Player software. Adobe assigned this vulnerability a "1" priority rating, indicating that it's an actively-exploited (or likely soon-to-be exploited) vulnerabilities and should be patched within 72 hours. What should you do to protect yourself? Unfortunately the answer is, "It all depends." The Adobe Flash version 11.2.202.235 contains the necessary patch. If you are running Google Chrome your browser should have automatically been updated last Monday (Apr 30 2012) with Google's Chrome release of 18.0.1025.168. If you are running Microsoft's Internet Explorer (IE), Firefox, Safari or Opera on Windows then Adobe's new silent background update feature--which silently updates Flash in the background--should automatically update the Flash plug-in. This silent background update feature was also released for Apple Mac last week...

A notorious worm {Chapter 2 Security+ 4ed} known as Conficker is still on the loose. And this is after 3 years since its introduction and 4 years since the original patch was distributed to close the vulnerability that it expoits. Conficker first surfaced in November of 2008 and different variants (Conficker.A, .B and .C) later came onto the scene. It targets a known buffer overflow {Chapter 3 Security+ 4ed} vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta (but not Windows 7); a patch for this vulnerability was released back in October 2007. Conficker is known for its ability to disable a computer's security defenses. It turns off different Windows security system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting while also blocking Internet access to security product Web sites, preventing the computer from receiving...

Here's something that few users--particularly Mac users--would have ever expected. The security firm Sophos offers Mac users a free online antivirus scanner (yes, Macs can become infected!). After over 100,000 Mac computers ran that software then Sophos examined what the scanner found. And the results were surprising: almost one out of every five Macs (20%) contained at least one instance of Windows malware. Although this Windows malware cannot function on the Mac, it can be transferred to another Windows computer through USB flash drives and other removeable media, or through network file sharing. Sophos also found 3% of the 100,000 scanned Macs were infected with Mac malware. About 75% of the infected Macs were victims of Flashback (see Apr 11 2012 blog posting). It's estimated that some 600,000 Macs still have this malware while a new version of Flashback has infected another 700,000 Macs. The next most common infection was a fake antivirus "scareware" infection (18...

Breaking into 259 different Web sites and databases in three months is no small feat, considering that's close to 3 successful attacks per day. Yet when the suspect is only a 15-year-old student, that makes it even more amazing. In January 2012 an Austrian student aged 15 was, by his own admission, bored and wanted to prove himself. Craving recognition, praise and affirmation for his limited technology knowledge and skills, he discovered an online forum in which the 2,000 registered members were given points for achieving successful attacks. That launched him into action. Over the next 90 days this script kiddie {Chapter 1 Security+ 4ed}, using attack software that searched for unpatched servers and anonymizing software to hide his tracks, successfully breached the servers belonging to 259 different companies around the world. After defacing Web sites and stealing data, he boasted about it on his Twitter account, where he also posted links to the stolen data. By the end of March he...

There have been some recent notable attacks using wireless technology {Chapter 8 Security+ 4ed} , such as the neighbor terrorizing a young couple (see Jul 19 2011 blog) and the massive theft of data from TJX (see Feb 8 2010 blog). Now there are calls for the federal government to step in to protect against wireless attacks of the worst kind: manipulating wireless medical devices. Last year a security researcher, who was himself a diabetic, demonstrated at the Black Hat security conference a wireless attack on an insulin pump that could change the delivery of insulin to the patient. Recently the security vendor McAfee found that they could scan a public space from up to 300 feet away, find vulnerable pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses. Now the national Information Security and Privacy Advisory Board (ISPAB) has stepped in. It is recommending that one federal government agency like the Food and Drug Administration...