- Network-connected/configured medical devices infected or disabled by malware;
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
- Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
- Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.”
Friday, June 14, 2013
Looking at all the NSA “capabilities” I still find little I need to change in the Ethical Hacker class. Perhaps they keep the really good stuff Secret?
Ryan Gallagher reports:
…the NSA “PRISM Skype Collection” guide casts doubt on whether any Skype communications are beyond the NSA’s reach. That the NSA claims to be able to grab all Skype users’ communications also calls into question the credibility of Microsoft’s transparency report—particularly the claim that in 2012 it did not once hand over the content of any user communications. Moreover, according to a leaked NSA slide published by the Post, Skype first became part of the NSA’s PRISM program in February 2011—three months before Microsoft purchased the service from U.S. private equity firms Silver Lake and Andreessen Horowitz.
Read more on Slate.
(Related) You don't have to be an Ethical Hacker to do that...
“The rest of the world clicked “Accept,” how come you actually looked at the contract?”
Dark clouds loom over Google in the EU as Swedish data regulator kills a Google Apps deal
In what seems to have garnered precious little attention, Sweden’s data protection agency earlier this week ruled to (again) disallow an agreement between a tiny municipality and Google for the use of cloud services, such as Google Apps, within the public body.
… This resulted in a ban (PDF), although it may still be lifted in the future.
The ruling – which bans Google cloud products such as calendar services, email and data processing functions – is based on inadequacies in the Google contract.
A risk assessment by the Board determined that the contract gives Google too much covert discretion over how data can be used, and that public sector customers are unable to ensure that data protection rights are protected.
… The move itself isn’t unprecedented in Northern Europe: Norway’s data protection authorities outlawed the use of Google Apps by municipalities for nine months straight before lifting the ban in September 2012 (following a ton of deliberations and some changes from Google’s side).
Spain has also bumped heads with Google over data protection and privacy concerns earlier this year.
The bigger picture is Google’s increasing number of run-ins with local government bodies across Europe – and the European Commission. Last year, the latter proposed comprehensive reforms to strengthen online privacy rights across the board — changes that could have significant repercussions for US tech companies with operations in Europe.
(Related) Claudius: “When sorrows come, they come not single spies but in battalions.” Hamlet Act 4 Scene 5, by William Shakespeare (I Googled it)
Google's Android faces EU probe over licensing practices
This is an excellent example of Congress passing a law in a fit of “We gotta do something!” and the regulatory agencies finding little reason to actually implement it.
Perhaps this should be one of those White House petitions? https://petitions.whitehouse.gov/
Raj J. Patel reports:
Despite the increase in cyberattacks, the Securities and Exchange Commission (SEC) has yet to publish guidelines as to when a corporation should publicly disclose the data loss, system disruption, or other damages caused by a cyber incident — even where the incident caused financial losses. Some companies have included standard warnings in financial filings that they’re subject to computer viruses, electronic break-ins, and denial-of-service attacks, just as they’re exposed to risks of hurricanes and tornadoes. Other companies don’t explicitly report financial losses from data security breaches in their quarterly and annual reporting and may be at risk from expensive shareholder lawsuits alleging the failure to take reasonable steps to protect their cyber infrastructure.
Many financial institutions are taking note of this, and at least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of cyberattacks last year. In their annual financial reports to the SEC, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions. SEC officials said it was crucial for investors to know not just what a company’s risk is but when that risk has become reality.
Read more on Crain’s Business Detroit. What I particularly appreciate about this article is that Patel makes the same suggestion I’ve often made about having a number people can call to report a breach:
Cyberattacks are inevitable, but not implementing an effective incident response process and team is negligent. And so I ask, do you have a 1-800 hotline to report data breaches?
This should give someone a leg up on “Principles of Privacy” don't you think?
The Global Principles on National Security and Freedom of Information
“The Global Principles on National Security and the Right to Information were developed in order to provide guidance to those engaged in drafting, revising, or implementing laws or provisions relating to the state’s authority to withhold information on national security grounds or to punish the disclosure of such information. They are based on international (including regional) and national law, standards, good practices, and the writings of experts. They address national security—rather than all grounds for withholding information. All other public grounds for restricting access should at least meet these standards. These Principles were drafted by 22 organizations and academic centres (listed in the Annex) in consultation with more than 500 experts from more than 70 countries at 14 meetings held around the world, facilitated by the Open Society Justice Initiative. This process culminated in a meeting in Tshwane, South Africa, which gives them their name.”
An unlocked door is the same as an unencrypted email. An open invitation for anyone who wants to snoop/gather evidence/create citizen dossiers. Governments do that if left unchecked.
Joe Rubino reports:
Boulder residents who intentionally leave their doors open may unintentionally be inviting a Boulder police officer in for a visit.
Chrissy Smiley learned this fact in surprising fashion on Thursday afternoon when she returned to her south Boulder condo after a 40-minute walk with her dogs to find a card from a Boulder police officer sitting on her dining room table.
Disturbed by the discovery, Smiley said she quickly called the officer back to ask why he had entered her home without her permission.
“He was very nice. He said he had come back to follow up on another officer who had been there for something and he felt he had probable cause to make sure that I was safe,” Smiley said, adding that she found the officer’s explanation unsettling.
Smiley took up the issue with Boulder police Sgt. Michael Everett, who, in an email response to her inquiry, explained that entering unsecured residences is standard operating procedure for most law enforcement agencies, including Boulder police, and one that is not likely to stop.
“There are many reasons for checking residences that are left open,” Everett wrote in his response. “They include in-progress crimes and injured parties inside. There are situations which create a duty for officers to enter and check residences. Failure to do so creates liability for that officer and agency.”
He added that the practice is backed by sound legal reasoning and is consistent with best practices for law enforcement agencies.
Read more on Daily Camera.
This seems like a sound policy – if you want your police officers getting shot by surprised homeowners.
“Hey! Welcome to the 20th Century! Now, look at the calendar.”
FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
News release: “Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates. [No wonder my students can't write, if the “professionals” keep getting it wrong. http://grammar.quickanddirtytips.com/affect-versus-effect.aspx Bob] Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:
I pose a Constitutional Question: Can a government grant itself rights that citizens never had? “We can look for evidence of your guilt, but you can not look for evidence of your innocence.”
Only government can obtain the contents of communications directly from an ECS under the SCA – criminal defendants may not: Minnesota Court of Appeals
Dan Sachs writes:
In a pair of rulings, the Minnesota Court of Appeals avoided review of a trial court’s decision on the important but rarely-litigated issue of when “publicly” posted social media content is subject to the protections of the Stored Communications Act. Facebook, Inc. v. Aguayo-Gomez, Case No. A13-0177 (Minn. Ct. App. Feb. 12, 2013) & Facebook, Inc. v. Aguayo-Gomez, Case No. A13-0579 (Minn. Ct. App. May 1, 2013). While it did not address that issue directly, the Court of Appeals did provide some answers for criminal defendants seeking data held by electronic communications services. Under the SCA, only the government can obtain the contents of communications directly from an ECS—criminal defendants may not. 18 U.S.C. § 2703(a).
Read more on Law Across the Wire and Into the Cloud.
Change without loss of customers. Who did they think they were? Facebook?
Adobe competitors pounce after subscription backlash
Companies like Corel, Xara, Nitro, Nuance, and Pixelmator are taking advantage of customers' displeasure with Adobe's shift from selling Creative Suite perpetual licenses to Creative Cloud subscriptions.
Perspective: Big Data = Big Numbers. Is this a height from which we can see farther or a trench from which we can not escape?
FCW – NSA shows how big ‘big data’ can be
FCW.com – Frank Konkel – “As reported by Information Week, the NSA relies heavily on Accumulo, “a highly distributed, massively parallel processing key/value store capable of analyzing structured and unstructured data” to process much of its data. NSA’s modified version of Accumulo, based on Google’s BigTable data model, reportedly makes it possible for the agency to analyze data for patterns while protecting personally identifiable information – names, Social Security numbers and the like. Before news of Prism broke, NSA officials revealed a graph search it operates on top of Accumulo at a Carnegie Mellon tech conference. The graph is based on 4.4 trillion data points, which could represent phone numbers, IP addresses, locations, or calls made and to whom; connecting those points creates a graph with more than 70 trillion edges. [Imagine a BIG arrow that says, “You are here!” Bob] For a human being, that kind of visualization is impossible, but for a vast, high-end computer system with the right big data tools and mathematical algorithms, some signals can be pulled out.”
(Related) NSA could point to this article to show how SMALL their collection is, relatively...
Always treat “Everything” with a grain of salt.
Global Warming! Global Warming! Are you listening, Al Gore?
Why flying first class increases your carbon footprint by six times
The World Bank has published a new working paper (PDF) that shows how passengers in premium airline classes create more of the CO2 that leads to global warming. [Because this impacts World Banking how, exactly? Bob]
Essentially, all the extra space for high-paying customers means airlines expend more fuel to move them, especially if some of the more expensive seats are left empty. [Because the passenger in the empty seat weighs more than the economy class guy? Bob]